ZXR10 2900E Series Easy-Maintenance Secure Switch
Configuration Guide
Version: 2.05.11
ZTE CORPORATION
No. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://ensupport.zte.com.cn
E-mail: [email protected]
LEGAL INFORMATION
Copyright © 2013 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Revision History
| Revision No. | Revision Date | Revision Reason |
|---|---|---|
| R1.0 | 2013-11-27 | First edition |
Serial Number: SJ-20130731155059-002
Publishing Date: 2013-11-27 (R1.0)
SJ-20130731155059-002|2013-11-27 (R1.0) ZTE Proprietary and Confidential
Contents
About This Manual
Chapter 1 Safety Instructions
1.1 Safety Instructions
1.2 Safety Signs
Chapter 2 System Overview
Chapter 3 Usage and Operation
3.1 Configuration Modes
3.2 Command Modes
3.3 Common Command Parameters
3.4 Usage of Command Line
Chapter 4 System Management
4.1 File System Management
4.2 Configuring the TFTP Server
4.3 Configuring the FTP Server
4.4 Importing and Exporting the Configuration File
4.5 Backing Up and Recovering Files
4.6 Downloading the Software Version Automatically
4.7 Configuring Automatic Saving of a Configuration File
4.8 Upgrading the Software Version
4.9 File System Configuration Commands
Chapter 5 Service Configuration
5.1 Management Configuration
5.2 Port Configuration
5.3 PoE Configuration
5.4 Port Mirroring
5.5 MAC Address Table Operation
5.6 LACP Configuration
5.7 IGMP Snooping Configuration
5.8 MLD Snooping Configuration
5.9 IPTV Configuration
5.10 STP Configuration
5.11 ACL Configuration
5.12 QoS Configuration
5.13 PVLAN Configuration
5.14 Layer 2 Protocol Transparent Transmission Configuration
5.15 IPv4 Layer 3 Configuration
5.16 IPv6 Layer 3 Configuration
5.17 DAI Configuration
5.18 Access Service Configuration
5.19 MAC Authentication Configuration
5.20 QinQ Configuration
5.21 SQinQ Configuration
5.22 VLAN Configuration
5.23 VLAN Mapping Configuration
5.24 Syslog Configuration
5.25 NTP Configuration
5.26 GARP/GVRP Configuration
5.27 DHCP Configuration
5.28 DHCPv6 Configuration
5.29 VBAS Configuration
5.30 PPPoE-PLUS Configuration
5.31 ZESR Configuration
5.32 ZESS Configuration
5.33 OAM Configuration
5.34 sFlow Configuration
5.35 PP Configuration
5.36 LLDP Configuration
5.37 Single Port Loop Detection Configuration
5.38 UDLD Configuration
5.39 TACACS+ Configuration
5.40 Time Range Configuration
5.41 Voice VLAN Configuration
5.42 802.1ag Configuration
5.43 Y.1731 Configuration
5.44 MAC-based VLAN Command Configuration
5.45 DHCP Relay Configuration
5.46 MFF Configuration
5.47 SSL Configuration
5.48 ERPS Configuration
5.49 Debug Module Configuration
Chapter 6 Management
6.1 Remote-Access
6.2 SSH
6.3 Privilege
6.4 SNMP
6.5 RMON
6.6 ZGMP
6.7 sFlow
6.8 Web
6.9 M_Button
6.10 Telnet
Chapter 7 Maintenance
7.1 Routine Maintenance
7.2 Virtual Circuit Tester
7.3 Common Fault Handling
  7.3.1 Overview
  7.3.2 Configuration Through the Console Port Failed
  7.3.3 Telnet Connection Failed
  7.3.4 Web Management Failed
  7.3.5 Login Username or Password Lost
  7.3.6 Enable Password Lost
  7.3.7 Two Devices in the Same VLAN Cannot Communicate
  7.3.8 Authentication Timed Out in Campus Network
  7.3.9 Solution to ARP Attacks in Campus Network
Figures
Tables
Glossary
About This Manual

Purpose
This manual is applicable to the ZXR10 2900E (V2.05.11) series easy-maintenance secure switches, which include the following products:
- ZXR10 2910E-PS easy-maintenance secure switch
- ZXR10 2918E-PS easy-maintenance secure switch
- ZXR10 2918E easy-maintenance secure switch
- ZXR10 2928E easy-maintenance secure switch
- ZXR10 2928E-PS easy-maintenance secure switch
- ZXR10 2952E easy-maintenance secure switch

Intended Audience
This document is intended for:
- Software debugging engineers
- Data configuration engineers
- Maintenance engineers

What Is in This Manual
This manual contains the following chapters:
| Chapter | Summary |
|---|---|
| 1, Safety Instructions | Describes safety instructions and signs. |
| 2, System Overview | Provides an overview about the ZXR10 2900E series switches. |
| 3, Usage and Operation | Describes configuration modes, command modes and usage of command line. |
| 4, System Management | Describes system management. |
| 5, Service Configuration | Describes service configuration. |
| 6, Management | Describes management configuration. |
| 7, Maintenance | Describes routine maintenance, virtual line detection and common fault handling. |
Conventions
This manual uses the following typographical conventions:
- Italics: Variables in commands. It may also refer to other related manuals and documents.
- Bold: Menus, menu options, function names, input fields, option button names, check boxes, drop-down lists, dialog box names, window names, parameters, and commands.
- Constant width: Text that you type, program codes, filenames, directory names, and function names.
- [ ]: Optional parameters.
- { }: Mandatory parameters.
- |: Separates individual parameters in a series of parameters.
- Caution: indicates a potentially hazardous situation. Failure to comply can result in moderate injury, equipment damage, or interruption of minor services.
- Note: provides additional information about a certain topic.
Chapter 1 Safety Instructions

Table of Contents
- Safety Instructions
- Safety Signs
1.1 Safety Instructions
Only duly trained and qualified personnel can install, operate and maintain the devices.
During device installation, operation and maintenance, abide by the local safety specifications and related operation instructions; otherwise physical injury may occur or devices may be damaged. The safety precautions mentioned in this manual only supplement the local safety specifications.
ZTE Corporation will assume no responsibility for consequences resulting from violation of general specifications for safety operations or of safety rules for design, production and use of the devices.

1.2 Safety Signs
The contents that users should pay attention to when they install, operate and maintain devices are explained in the following formats:
Warning!
Indicates matters needing close attention. If this is ignored, serious injury may occur or devices may be damaged.
Caution!
Indicates matters needing attention during configuration.
Note:
Indicates the description, hint, tip and so on for configuration operations.
Chapter 2 System Overview

The ZXR10 2900E series switches are an important part of the ZXR10 series Ethernet switches. The ZXR10 2900E series products are Gigabit L2+ (between layer 2 and layer 3) Ethernet switches used for Gigabit network access and convergence, and 1 Gb is available for uplinks. The ZXR10 2900E provides different types of Ethernet access ports, thus providing a high-speed, effective, and cost-effective access and convergence scheme. The switches are used in the access layer of the carrier and enterprise networks.

For the ports that the ZXR10 2900E supports, refer to the following table.
| Switch Type | Fixed Port | Description |
|---|---|---|
| ZXR10 2918E | 16 10/100 BASE-TX Ethernet ports; Two 10/100/1000BASE-T Ethernet ports; Two 100/1000BASE-FX ports | Two 10/100/1000BASE-T Ethernet ports and two 100/1000BASE-FX ports are combo electro-optic multiplex ports. |
| ZXR10 2928E | 24 10/100 BASE-TX Ethernet ports; Two 10/100/1000BASE-T Ethernet ports; Two 100/1000BASE-FX ports; Two 1000BASE-FX interfaces | Two 10/100/1000BASE-T Ethernet ports and two 100/1000BASE-FX ports are combo optical-electrical multiplexing ports. |
| ZXR10 2952E | 48 10/100BASE-TX Ethernet ports; Four 1000BASE-FX ports | - |
| ZXR10 2910E-PS | Eight 10/100 BASE-TX Ethernet ports; Two 10/100/1000BASE-T Ethernet ports; Two 100/1000BASE-FX ports | Two 10/100/1000BASE-T Ethernet ports and two 100/1000BASE-FX ports are combo optical-electrical multiplexing ports. |
| ZXR10 2918E-PS | 16 10/100 BASE-TX Ethernet ports; Two 10/100/1000BASE-T Ethernet ports; Two 100/1000BASE-FX ports | Two 10/100/1000BASE-T Ethernet ports and two 100/1000BASE-FX ports are combo optical-electrical multiplexing ports. |
| ZXR10 2928E-PS | 24 10/100 BASE-TX Ethernet ports; One subcard slot | RS-29EC-4GE-SFP subcards, RS-29EC-4GE-RJ45 subcards, and RS-29EC-4FE-SFP subcards are supported. |
Switching Capability
The ZXR10 2900E series switches support layer-2 wire-speed switching on all ports. The data packets can be forwarded at wire-speed after being filtered and classified. The ports provide high throughput, low packet loss rate, and low time delay and jitter, which satisfy application requirements of key services.

Reliability
- The ZXR10 2900E supports the Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP), and implements redundancy backup and fast switching of links.
- The ZXR10 2900E supports the 802.3ad Link Aggregation Control Protocol (LACP) function, and provides load balancing and link backup.
- The ZXR10 2900E supports the ZTE Ethernet Switch Ring (ZESR) to provide fast protection switching, which ensures that user services are not interrupted.

Service Features
The ZXR10 2900E provides the following service features:
- Provides a flexible Virtual Local Area Network (VLAN) classification mode. The VLANs can be classified by port or protocol type.
- Provides a layer-2 Virtual Private Network (VPN) through QinQ to control outer-layer labels flexibly.
- Supports user port locating technologies, such as Virtual Broadband Access Server (VBAS), Dynamic Host Configuration Protocol (DHCP) Option82, and Point to Point Protocol over Ethernet (PPPoE)+.
- Provides layer-2 multicast technologies, including Internet Group Management Protocol (IGMP)-snooping and its proxy function, the fast-leaving feature, and the Multicast VLAN Switching (MVS) function, which provide a support for enabling the Internet Protocol Television (IPTV) service.

Security Control
The ZXR10 2900E provides the following security control functions:
- User-level security control
  - It supports IEEE 802.1x, which implements dynamic and port-based security and provides the user ID authentication function.
  - It supports MAC/IP/VLAN/Port combination at random, which effectively prevents illegal users from accessing the network.
  - Port isolation ensures that a user can neither monitor traffic of another user on the same switch nor obtain the user's information.
  - It supports the GuestVlan and anti-proxy function, which facilitates its applications in educational networks and other complex network environments.
  - Dynamic Host Configuration Protocol (DHCP) monitoring prevents malicious users from deceiving the DHCP server and sending spurious address information. It can also enable IP source protection and create a binding table for the IP address, MAC address, and port of the client and the VLAN to prevent a user from accessing or using the IP address of another user.
- Equipment-level security control
  - The CPU security control technology prevents Denial of Service (DoS) attacks.
  - The Secure Shell (SSH)/Simple Network Management Protocol (SNMP)v3 ensures network management security.
  - Multi-level access security of the console prevents unauthorized users from changing the switch configuration.
  - The Remote Authentication Dial In User Service (RADIUS)/Terminal Access Controller Access-Control System Plus (TACACS+) identification authentication puts the switch under centralized control and prevents unauthorized users from modifying the configuration.
- Network security control
  - The Access Control List (ACL) based on ports and VLANs makes it possible for users to apply security strategies to each port or trunk of the switch.
  - MAC address binding and source- or destination-based filtering provide effective address-based traffic control.
  - The port mirroring function provides an effective tool for network management analysis.
QoS Guarantee
The ZXR10 2900E provides the following applications of Quality of Service (QoS):
- Provides Standard 802.1p Class of Service (CoS) and Differentiated Services Code Point (DSCP) field sorting. Single group-based labeling and re-sorting can be performed by using source and destination IP addresses, source and destination MAC addresses, and Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port numbers.
- Provides queue scheduling algorithms including Strict Priority (SP) and Weighted Round Robin (WRR).
- Supports the Committed Access Rate (CAR) function. It manages asynchronous uplink and downlink data flows from uplinks by ingress strategy control and egress shaping. The ingress strategy control provides bandwidth control with the minimum increment of 8 kbps. It can satisfy QoS requirements of packet loss, time delay and jitter even if network congestion occurs, thus avoiding queue congestion effectively.
Management Modes
The ZXR10 2900E provides the following management modes:
- Supports the SNMPv1/v2c/v3 and Remote Monitoring (RMON).
- Supports the ZXNM01 unified network management platform.
- Supports accessing the switches through CLI command lines, including Console, Telnet and SSH.
- Supports network management through Web.
- Supports the ZTE Group Manage Protocol (ZGMP).

Functions
The ZXR10 2900E uses the Store and Forward mode, and supports layer 2 wire-speed switching. Full wire-speed switching is implemented on all ports.

The ZXR10 2900E provides the following functions:
1. The 100 M ports support 10/100 M auto-sensing and Media-Dependent Interface/Media-Dependent Interface-crossover (MDI/MDIX) auto-sensing.
2. The Gigabit electrical ports support 10/100/1000 M auto-sensing and MDI/MDIX auto-sensing.
3. It supports port-based 802.3x traffic control (full duplex) and back-pressure traffic control (half duplex).
4. It supports the Virtual Circuit Tester (VCT) function.
5. It supports 802.1q VLANs. The maximum number of VLANs is 4094.
6. It supports the VLAN stack function (QinQ), and outer labels are optional (Selective QinQ (SQinQ)).
7. It supports GARP VLAN Registration Protocol (GVRP) dynamic VLANs. The full name of GARP is Generic Attribute Registration Protocol.
8. It has the capability of MAC address self-learning. The maximum size of the MAC address table is 16 KB.
9. It supports port MAC address binding and address filtering.
10. It supports the automatic fixing function of MAC addresses. The MAC addresses can be recovered if the device is powered off.
11. It supports port security and port isolation.
12. It supports the 802.1d STP, 802.1w RSTP, and 802.1s MSTP. The MSTP provides at most four instances.
13. It supports the ZESR technology and the linkhello/linkdown mechanism.
14. It supports 802.3ad LACP port binding and static port binding. At most 15 port groups can be bound and each group contains at most eight ports.
15. It supports 1,024 multicast groups, cross-VLAN IGMP snooping and Multicast VLAN Switching (MVS).
16. It supports the single port loop test.
17. It supports 802.1x user authentication.
18. It supports the VBAS, DHCP-OPTION82 and PPPOE+.
19. It supports the DHCP-SNOOPING.
20. It supports the DHCP client function to request a management interface from the DHCP server automatically.
21. It supports the DHCP relay function, which allows an access device to request the DHCP server for a host address across different network segments.
22. It supports the Dynamic ARP Inspection (DAI) technology, which prevents Address Resolution Protocol (ARP) attacks.
23. It supports broadcast storm suppression.
24. It supports port ingress and egress mirroring, and flow-based ingress mirroring and statistics.
25. It supports the Remote Switched Port Analyzer (RSPAN).
26. It supports the ACL function based on ports and VLANs. The ACL rules take effect in specified time periods.
27. It supports the IETF-DiffServ and IEEE-802.1p. Queues of eight priorities are provided on all ports. The ingress supports the CAR function and the egress supports shaping and tail drop. The queue scheduling supports SP and WRR.
28. It supports port-based speed control, including ingress speed limit and egress speed limit. The ingress speed limit supports flow rate limit of multiple buckets, and the speed limit types of each bucket are configurable. The minimal granularity of speed limit is 8 Kbps.
29. It provides detailed port flow statistics.
30. It supports 802.3ah Ethernet Operation, Administration and Maintenance (OAM).
31. It supports the sFlow.
32. It supports layer-2 transparent protocol transmission.
33. It supports the syslog function.
34. It supports the Network Time Protocol (NTP) client function.
35. It supports the network management static route configuration.
36. It supports the ZGMP.
37. It supports the SNMPv1/v2c/v3 and RMON.
38. It supports configuration through the Console and remote login through Telnet.
39. It supports the SSHv2.0.
40. It supports the Web function.
41. It supports the ZXNM01 unified network management.
42. It supports version/configuration upload and download through the Trivial File Transfer Protocol (TFTP).
43. It supports version/configuration upload and download through the FTP.
44. The ZXR10 2910E-PS/2918E-PS/2928E-PS supports the 802.3af Power over Ethernet (PoE) function. The power supply of at most 30 W is supported.
Chapter 3 Usage and Operation

Table of Contents
- Configuration Modes
- Command Modes
- Common Command Parameters
- Usage of Command Line
3.1 Configuration Modes
The ZXR10 2900E supports various configuration modes, see Figure 3-1. A user should select a proper configuration mode based on the network that the user accesses.

Figure 3-1 ZXR10 2900E's Configuration Modes

The configuration modes are as follows:
1. Console port mode: This mode is used as a primary mode for configuring a switch.
2. Telnet/SSH mode: This mode is used to configure the ZXR10 2900E from any place in a network.
3. Network management workstation mode: This mode requires the use of the SNMP-capable network management software.
4. FTP/TFTP/WEB mode: This mode is used to manage the file system of a switch.

Configuration Through the Console Port
A serial configuration cable is delivered along with the ZXR10 2900E. One end of the cable is connected to the Console port of the ZXR10 2900E, and the other end is connected to the serial port of a debugging PC. The VT100 terminal mode is applied in the Console port connection configuration. The following uses the Windows HyperTerminal configuration as an example to illustrate the connection configuration.

1. Start the HyperTerminal program on the PC.
Select Start > All programs > Accessories > Communications > HyperTerminal in the Windows operating system to start the HyperTerminal program.

2. Establish a connection.

Enter a name and select an icon for the connection, and then click OK, see Figure 3-2.

Figure 3-2 Connection Description Dialog Box

3. Set the interconnection port.

In the Connect To dialog box, select desired options from the Connect using list and then click OK, see Figure 3-3.

Figure 3-3 Connect To Dialog Box

4. Set communication parameters.

In the COM1 Properties dialog box, click the Restore Defaults button to set the COM1 property, and then click OK, see Figure 3-4.
Figure 3-4 COM1 Properties Dialog Box
5. Click the OK button. After the ZXR10 2900E is powered on, enter the configuration mode for further operations.

Configuration Through Telnet
The Telnet mode is often used for configuring a remote switch. A user can log in to a remote switch through an Ethernet port of the local computer. The login username and password for the switch must be configured, and the IP address of the layer-3 port on the switch must respond to ping from the local computer. For the commands, refer to Table 3-1.

For configuration of the IP address of the layer-3 port, refer to 5.15 IPv4 Layer 3 Configuration and 5.16 IPv6 Layer 3 Configuration.

Table 3-1 Configuration Command

- Command: create user <name> {admin | guest} [<0-15>]
  Function: Create a new user. The user <name> parameter value consists of at most 15 characters.
- Command: set user local <name> login-password [<string>]
  Function: Set the login password. The login-password <string> parameter value consists of at most 16 characters.
- Command: set user {local | radius | tacacs-plus} <name> admin-password <string>
  Function: Set the administrator password. The admin-password <string> parameter value consists of at most 16 characters.
3-3
SJ-20130731155059-002|2013-11-27 (R1.0) ZTE Proprietary and Confidential
ZXR10 2900E Series Configuration Guide
Note:
The default username is admin and the password is zhongxing. The default administrator password is empty.
It is assumed that the IP address of the layer-3 port is 192.168.3.1 and this address can be pinged successfully from the local computer. Perform the following remote configuration operations:
1. Select Start > Run on the local computer. Run the Telnet command in the displayed Run dialog box, see Figure 3-5.
Figure 3-5 Running Telnet
2. Click OK. A Telnet window is displayed, see Figure 3-6.
Figure 3-6 Telnet Window
3. Enter the username and password to enter user mode of the switch.
Configuration Through the SNMP Connection
SNMP is the most popular network management protocol at present. With this protocol, all devices in the network can be managed by a network management server.
SNMP uses the server/client management mode. The back-end network management server serves as the SNMP server. The front-end network device serves as the SNMP client. The front end and back end share one Management Information Base (MIB) and communicate with each other through SNMP.
The back-end network management server must be installed with the network management software supporting SNMP. The switch is configured and managed by the network management software. For the detailed SNMP configuration on the ZXR10 2900E, refer to 6.4 SNMP.
Configuration Through the Web Connection
Web is another way to manage remote switches and is similar to Telnet. A user can log in to a remote switch through an Ethernet port of the local computer. The login username, login password and administrator password must be configured and the Web function must be enabled. The IP address of the layer-3 port on the switch must also be pingable from the local computer. For configuration of the IP address of the layer-3 port, refer to 5.15 IPv4 Layer 3 Configuration and 5.16 IPv6 Layer 3 Configuration.
1. Create a new management user.
Command                                      Function
create user <name>{admin | guest}[<0-15>]    The user <name> parameter value consists of at most 15 characters.
2. Set a login password.
Command                                          Function
set user local <name> login-password <string>    The login-password <string> parameter value consists of at most 16 characters.
3. Set an administrator password.
Command                                                 Function
set user {local|radius}<name> admin-password<string>    The admin-password <string> parameter value consists of at most 16 characters.
4. Enable the web network management function (by default, this function is disabled) and set a listening port.
Command                                  Function
set web enable                           Enable the web network management function (by default, this function is disabled).
set web listen-port < 80,1025-49151 >    Set a listening port.
Note:
The default username is admin and the password is zhongxing. The administrator password is empty. If you log in as the administrator, the administrator password cannot be empty. Set the administrator password in advance. The default HTTP listening port is 80.
For the detailed remote login and configuration through Web, refer to 6.8 Web.
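A pre-deployment check for a provisioning script built from the commands in Table 3-1 and the Web steps above, added here as an example and not taken from the guide or from ZTE. The function name, the finding texts, the bare-command script format and the sample scripts are constructed, and treating the default admin account as an administrator is an assumption; the limits and defaults checked are the ones this section states.

```python
import re

# Defaults and limits stated in this section of the guide.
DEFAULT_USER = "admin"
DEFAULT_LOGIN_PASSWORD = "zhongxing"
MAX_NAME_LEN = 15
MAX_PASSWORD_LEN = 16

CREATE_USER = re.compile(r"create user (\S+) (admin|guest)(?: (\d+))?")
SET_PASSWORD = re.compile(
    r"set user (local|radius|tacacs-plus) (\S+) (login|admin)-password(?: (\S+))?"
)
WEB_PORT = re.compile(r"set web listen-port (\d+)")

# Constructed sample: bare commands, one per line, without the CLI prompt.
SAMPLE_SCRIPT = """\
create user netops admin
set user local netops login-password zhongxing
set user local netops admin-password Enable-Pw-2024
create user auditor guest 1
set user local auditor login-password Read-0nly-Pw
set web enable
set web listen-port 443
"""


def audit_provisioning(script):
    """Return a list of (line_number, finding) for a provisioning script.

    line_number 0 marks a finding about the resulting state, not one line.
    """
    findings = []
    changed = {DEFAULT_USER: set()}  # user -> password kinds given a non-default value
    admins = {DEFAULT_USER}          # assumption: the default account is an administrator
    web_enabled = False

    for number, raw in enumerate(script.splitlines(), 1):
        line = " ".join(raw.split())
        if m := CREATE_USER.fullmatch(line):
            name, role, _privilege = m.groups()
            if len(name) > MAX_NAME_LEN:
                findings.append((number, f"user name '{name}' exceeds {MAX_NAME_LEN} characters"))
            changed.setdefault(name, set())
            if role == "admin":
                admins.add(name)
        elif m := SET_PASSWORD.fullmatch(line):
            _source, name, kind, value = m.groups()
            if value is None:
                continue  # no value on the line, nothing to check offline
            if len(value) > MAX_PASSWORD_LEN:
                findings.append(
                    (number, f"{kind} password for {name} exceeds {MAX_PASSWORD_LEN} characters"))
            elif value == DEFAULT_LOGIN_PASSWORD:
                findings.append((number, f"{kind} password for {name} is the factory default"))
            else:
                changed.setdefault(name, set()).add(kind)
        elif m := WEB_PORT.fullmatch(line):
            port = int(m.group(1))
            if port != 80 and not 1025 <= port <= 49151:
                findings.append((number, f"web listen-port {port} is outside 80,1025-49151"))
        elif line == "set web enable":
            web_enabled = True

    # State left behind once every command has run.
    if "login" not in changed[DEFAULT_USER]:
        findings.append((0, "account admin keeps the factory login password"))
    open_admins = sorted(a for a in admins if "admin" not in changed.get(a, set()))
    for name in open_admins:
        findings.append((0, f"administrator password for {name} is empty"))
    if web_enabled and open_admins:
        findings.append((0, "web management is enabled while an administrator password is empty"))
    return findings


if __name__ == "__main__":
    for number, finding in audit_provisioning(SAMPLE_SCRIPT):
        print(f"line {number}: {finding}" if number else f"state: {finding}")
```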
3.2 Command Modes
To facilitate the configuration and management of the switch, the commands of the ZXR10 2900E series switches are allocated to different modes according to functions and permissions. A command can be executed only in the specified mode.
The command modes are listed as follows:
User Mode
After logging in to the switch through HyperTerminal, Telnet or SSH, you can enter user mode after entering your login username and password. The prompt in user mode is the host name followed by “>”, which is shown as follows:
zte>
The default host name is zte. You can modify the host name by running the hostname <name> command. The name consists of at most 200 characters.
In user mode, you can run the exit command to exit the switch configuration or run the show command to view the system configuration and operation information.
Note:
The show command can be executed in any mode.
Global Configuration Mode
In user mode, you can enter the enable command and the corresponding password to enter global configuration mode, which is shown as follows:
zte>enable
Password:***
zte(cfg)#
In global configuration mode, you can configure various functions of the switch. The password for entering global configuration mode must be set by running the set user local <name> admin-password [<string>] command to prevent login of unauthorized users.
To return to user mode from global configuration mode, run the exit command.
SNMP Configuration Mode
In global configuration mode, you can run the config snmp command to enter SNMP configuration mode, which is shown as follows:
zte(cfg)#config snmp
zte(cfg-snmp)#
In SNMP configuration mode, you can set the SNMP and RMON parameters.
To return to global configuration mode from SNMP configuration mode, run the exit command or press Ctrl+Z.
Layer-3 Configuration Mode
In global configuration mode, you can run the config router command to enter layer-3 configuration mode, which is shown as follows:
zte(cfg)#config router
zte(cfg-router)#
In layer-3 configuration mode, you can configure the layer-3 port, static router, and ARP entity.
To return to global configuration mode from layer-3 configuration mode, run the exit command or press Ctrl+Z.
File System Configuration Mode
In global configuration mode, you can run the config tffs command to enter file system configuration mode, which is shown as follows:
zte(cfg)#config tffs
zte(cfg-tffs)#
In file system configuration mode, you can perform the following operations on the file system of the switch, including:
- adding files or directories
- deleting files or directories
- modifying file names
- displaying files or directories
- changing file directories
- uploading/downloading files through TFTP
- uploading/downloading files through FTP
- copying files
- formatting the Flash memory
- upgrading firmware
To return to global configuration mode from file system configuration mode, run the exit command or press Ctrl+Z.
NAS Configuration Mode
In global configuration mode, you can run the config nas command to enter NAS configuration mode, which is shown as follows:
zte(cfg)#config nas
zte(cfg-nas)#
In NAS configuration mode, you can configure the access service of the switch, including user access authentication and management.
To return to global configuration mode from NAS configuration mode, run the exit command or press Ctrl+Z.
Cluster Management Configuration Mode
In global configuration mode, you can run the config group command to enter cluster management configuration mode, which is shown as follows:
zte(cfg)#config group
zte(cfg-group)#
In cluster management configuration mode, you can configure the cluster management service of the switch.
To return to global configuration mode from cluster management configuration mode, run the exit command or press Ctrl+Z.
Basic Ingress ACL Configuration Mode
In global configuration mode, you can run the config ingress-acl basic number <1-99> command to enter basic ingress ACL configuration mode, which is shown as follows:
zte(cfg)#config ingress-acl basic number 10
zte(ingress-basic-acl)#
In basic ingress ACL configuration mode, you can add, delete and move rules for a specified basic ingress ACL.
To return to global configuration mode from basic ingress ACL configuration mode, run the exit command or press Ctrl+Z.
Extended Ingress ACL Configuration Mode
In global configuration mode, you can run the config ingress-acl extend number <100-199> command to enter extended ingress ACL configuration mode, which is shown as follows:
zte(cfg)#config ingress-acl extend number 100
zte(ingress-extend-acl)#
In extended ingress ACL configuration mode, you can add, delete and move rules for a specified extended ingress ACL.
To return to global configuration mode from extended ingress ACL configuration mode, run the exit command or press Ctrl+Z.
Layer-2 Ingress ACL Configuration Mode
In global configuration mode, you can run the config ingress-acl link number <200-299> command to enter layer-2 ingress ACL configuration mode, which is shown as follows:
zte(cfg)#config ingress-acl link number 200
zte(ingress-link-acl)#
In layer-2 ingress ACL configuration mode, you can add, delete and move rules for a specified layer-2 ingress ACL.
To return to global configuration mode from layer-2 ingress ACL configuration mode, run the exit command or press Ctrl+Z.
Hybrid Ingress ACL Configuration Mode
In global configuration mode, you can run the config ingress-acl hybrid number <300-399> command to enter hybrid ingress ACL configuration mode, which is shown as follows:
zte(cfg)#config ingress-acl hybrid number 333
zte(ingress-hybrid-acl)#
In hybrid ingress ACL configuration mode, you can add, delete and move rules for a specified hybrid ingress ACL.
To return to global configuration mode from hybrid ingress ACL configuration mode, run the exit command or press Ctrl+Z.
Global Ingress ACL Configuration Mode
In global configuration mode, you can run the config ingress-acl global command to enter global ingress ACL configuration mode, which is shown as follows:
zte(cfg)#config ingress-acl global
zte(ingress-global-acl)#
In global ingress ACL configuration mode, you can add, delete and move rules for a specified global ingress ACL.
To return to global configuration mode from global ingress ACL configuration mode, run the exit command or press Ctrl+Z.
Basic Egress ACL Configuration Mode
In global configuration mode, you can run the config egress-acl basic number <400-499> command to enter basic egress ACL configuration mode, which is shown as follows:
zte(cfg)#config egress-acl basic number 400
zte(egress-basic-acl)#
In basic egress ACL configuration mode, you can add, delete and move rules for a basic egress ACL.
To return to global configuration mode from basic egress ACL configuration mode, run the exit command or press Ctrl+Z.
Extended Egress ACL Configuration Mode
In global configuration mode, you can run the config egress-acl extend number <500-599> command to enter extended egress ACL configuration mode, which is shown as follows:
zte(cfg)#config egress-acl extend number 500
zte(egress-extend-acl)#
In extended egress ACL configuration mode, you can add, delete and move rules for a specified extended egress ACL.
To return to global configuration mode from extended egress ACL configuration mode, run the exit command or press Ctrl+Z.
Layer-2 Egress ACL Configuration Mode
In global configuration mode, you can run the config egress-acl link number <600-699> command to enter layer-2 egress ACL configuration mode, which is shown as follows:
zte(cfg)#config egress-acl link number 600
zte(egress-link-acl)#
In layer-2 egress ACL configuration mode, you can add, delete and move rules for a specified layer-2 egress ACL.
To return to global configuration mode from layer-2 egress ACL configuration mode, run the exit command or press Ctrl+Z.
Hybrid Egress ACL Configuration Mode
In global configuration mode, you can run the config egress-acl hybrid number <700-799> command to enter hybrid egress ACL configuration mode, which is shown as follows:
zte(cfg)#config egress-acl hybrid number 700
zte(egress-hybrid-acl)#
In hybrid egress ACL configuration mode, you can add, delete and move rules for a specified hybrid egress ACL.
To return to global configuration mode from hybrid egress ACL configuration mode, run the exit command or press Ctrl+Z.
Mac-Based-Vlan Configuration Mode
In global configuration mode, you can run the config mac-based-vlan session <1-64> command to enter Mac-Based-Vlan configuration mode, which is shown as follows:
zte(cfg)#config mac-based-vlan session 1
zte(mac-based-vlan)#
In Mac-Based-Vlan configuration mode, you can add or delete rules for a specified session.
To return to global configuration mode from Mac-Based-Vlan configuration mode, run the exit command or press Ctrl+Z.
User-Defined Ingress ACL Configuration Mode
In global configuration mode, you can run the config ingress-acl user-define number <801-828> command to enter user-defined ingress ACL configuration mode, which is shown as follows:
zte(cfg)#config ingress-acl user-define number 811
zte(ingress-user-define-acl)#
In user-defined ingress ACL configuration mode, you can add, delete, or move the rules of ACLs with the specified ACL numbers.
To return to global configuration mode from user-defined ingress ACL configuration mode, run the exit command or press Ctrl+Z.
3.3 Common Command Parameters
For common command parameters of the ZXR10 2900E, refer to Table 3-2.
Table 3-2 Common Command Parameters
Parameter              Description
<portlist>             Port number, port name or port number range separated by a comma, for example:
                       - 1, 2, 4-8, 18
                       - p1, pp2, 4-8, port18
                       The p1, pp2, port18 are port names created by users.
                       Slot ID is added before the port ID of the devices supporting subcards. For example, for the ZXR10 2928E-PS device, the port list is as follows:
                       - 1/1, 1/2, 1/4-8, 1/18
                       - 2/1, 2/2
<vlanlist>             VLAN ID, VLAN name or VLAN range separated by a comma, for example:
                       - 1-19,77,88,100-900
                       - vlan1,v1,10,100-200
<trunklist>            Trunk ID or trunk range separated by a comma, for example, 1-5, 7, 10.
<portname>             One port number or port name can be entered once.
<vlanname>             One VLAN ID or VLAN name can be entered once.
<trunkid>              One trunk ID can be entered once.
<HH.HH.HH.HH.HH.HH>    MAC address, for example, 00.22.33.44.55.66.
<A.B.C.D>              IP address, for example, 10.40.47.254.
<A.B.C.D/M>            IP address and mask bits. M must be an integer from 1 to 32, for example, 10.40.47.254/24.
<string>               String without spaces.
<mib-oid>              Dotted decimal numeral with a variable length, for example, 1.3.6.2.19.2.
<name>                 String without spaces.
<sessionlist>          Session list.
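A parser for the <portlist>, <vlanlist> and <trunklist> syntax in Table 3-2, added here as an example for reviewing which ports or VLANs a configured list actually names; it is not code from the guide or from ZTE. The function names are constructed, and the rule that a user-created name does not start with a digit is an assumption the table does not state.

```python
import re

# A plain number, a range, or either with a slot prefix: "18", "4-8", "1/4-8".
_NUMERIC = re.compile(r"(?:(?P<slot>\d+)/)?(?P<first>\d+)(?:-(?P<last>\d+))?")


def expand_list(text):
    """Expand a <portlist>, <vlanlist> or <trunklist> value into its members.

    Numeric members are returned as strings ("4", "1/4"). Anything else is
    kept as a user-created name, which can only be resolved on the switch.
    Order is preserved and duplicates are dropped.
    """
    members = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty item in {text!r}")
        m = _NUMERIC.fullmatch(item)
        if m is None:
            # Assumption: names contain no spaces and do not start with a digit,
            # so "1/4-1/8" or "4 - 8" is reported instead of passing as a name.
            if item[0].isdigit() or any(c.isspace() for c in item):
                raise ValueError(f"malformed item {item!r}")
            expanded = [item]
        else:
            first = int(m["first"])
            last = int(m["last"] or m["first"])
            if last < first:
                raise ValueError(f"descending range {item!r}")
            prefix = f"{m['slot']}/" if m["slot"] else ""
            expanded = [f"{prefix}{n}" for n in range(first, last + 1)]
        for member in expanded:
            if member not in members:
                members.append(member)
    return members


def overlap(list_a, list_b):
    """Members named by both lists, for example ports covered by two rules."""
    in_b = set(expand_list(list_b))
    return [member for member in expand_list(list_a) if member in in_b]


if __name__ == "__main__":
    # The examples given in Table 3-2.
    for sample in ("1, 2, 4-8, 18", "p1, pp2, 4-8, port18",
                   "1/1, 1/2, 1/4-8, 1/18", "vlan1,v1,10,100-200"):
        print(sample, "->", len(expand_list(sample)), "members")
```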
3.4 Usage of Command Line
Online Help
In any command mode, enter a question mark (?) at the system prompt. A list of available commands in the command mode will be displayed. You can also use the online help to get keywords and parameters of any command.
1. In any command mode, enter a question mark "?" at the system prompt. A list of all commands in the mode and a brief description of the commands are displayed. For example,
zte>?
enable enable configure mode
exit exit from user mode
help description of the interactive help system
show show config information
list print command list
zte>
2. Enter a question mark (?) after a character or string. A list of commands or keywords starting with the character or string is displayed. Note that there is no space between the character (string) and the question mark. For example,
zte(cfg)#c?
cfm clear config cpu-threshold createconfig clear create
zte(cfg)#c
3. Enter a question mark (?) after a command, keyword or parameter. The next keyword or parameter to be entered is listed, and its brief description is also displayed. For example,
zte(cfg)#config ?
egress-acl enter egress acl config mode
group enter group management config mode
ingress-acl enter ingress acl config mode
mac-based-vlan enter mac-based vlan config mode
nas enter nas config mode
router enter router config mode
snmp enter SNMP config mode
tffs enter file system config mode
Note:
A space must be entered before the question mark (?).
4. If a wrong command, keyword, or parameter is entered, and the Enter key is pressed, a message “Command not found” is displayed. For example,
zte(cfg)#conf ter
% Command not found (0x40000034)
In the following example, the online help is used to create a username.
zte(cfg)#cre?
zte(cfg)#create ?
acl create descriptive name for acl
cfm create CFM information
port create descriptive name for port
protocol-protect create a rule for protocol protect
user create a user
vlan create descriptive name for vlan
zte(cfg)#create user
% Parameter not enough (0x4000003f)
zte(cfg)#create user ?
<string>
user name(maxsize:15)
zte(cfg)#create user houyx ?
admin create an administrator
guest create a guest
zte(cfg)#create user houyx guest ?
<cr>
<0-15> specify user's priviledge
zte(cfg)#create user houyx guest
zte(cfg)#
<cr>
Command Abbreviations
In the ZXR10 2900E, a command or keyword can be abbreviated as a character or string that uniquely identifies this command or keyword. For example, the command exit can be abbreviated as ex, and the command show port abbreviated as sh por.
Command History
The user interface supports the function of recording entered commands. A maximum of 20 historical commands can be recorded. The function is very useful for recalling a long or complicated command.
To recall commands from the history buffer, perform one of the following actions.
Keystroke                       Function
Ctrl+P or the up arrow key      Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successive older commands.
Ctrl+N or the down arrow key    Return to more recent commands in the history buffer after recalling commands with Ctrl+P or the up arrow key. Repeat the key sequence to recall successively more recent commands.
Editing Commands Through Keystrokes
For the keystrokes that you need to edit command lines, refer to Table 3-3.
Table 3-3 Editing Commands Through Keystrokes
Keystroke                       Purpose
Ctrl+P or the up arrow key      Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successive older commands.
Ctrl+N or the down arrow key    Return to more recent commands in the history buffer after recalling commands with Ctrl+P or the up arrow key. Repeat the key sequence to recall successively more recent commands.
Ctrl+B or the left arrow key    Move the cursor back one character.
Ctrl+F or the right arrow key   Move the cursor forward one character.
Tab                             After entering a character or string, if there is only one command starting with the character or string, pressing this key will show the complete command.
Ctrl+A                          Move the cursor to the beginning of the command line.
Ctrl+E                          Move the cursor to the end of the command line.
Ctrl+K                          Delete all characters from the cursor to the end of the command line.
Backspace or Ctrl+H             Delete the character on the left of the cursor.
Ctrl+C                          Cancel the command and display the prompt.
Ctrl+L                          Redisplay the current command line.
Ctrl+Y                          Recall the most recent entry in the buffer.
Ctrl+H                          Return to global configuration mode.
If the command output has more lines than can be displayed on the terminal screen, the output is split into several pages automatically and the prompt “—– more —– Press Q or <Ctrl+C> to break —–” is displayed at the bottom of the current page. You can press Return to scroll down one line, or Space to scroll down one screen. To stop the output, press Q or Ctrl+C.
Chapter 4 System Management
Table of Contents
File System Management
Configuring the TFTP Server
Configuring the FTP Server
Importing and Exporting the Configuration File
Backing Up and Recovering Files
Downloading the Software Version Automatically
Configuring Automatic Saving of a Configuration File
Upgrading the Software Version
File System Configuration Commands
4.1 File System Management
In the ZXR10 2900E, the Flash memory is the major storage device. Both the version file and configuration file of the switch are saved in the Flash memory. Operations, such as version upgrade and configuration saving, should be conducted in the Flash memory.
- The name of the version file is zImage. By default, it is saved in the /img directory.
- The name of the configuration file is startrun.dat. By default, it is saved in the /cfg directory.
The ZXR10 2900E supports backing up and restoring versions and configuration files through TFTP, FTP and SFTP. For SFTP configuration and operation, refer to 6.2 SSH.
When the zImage file is downloaded or uploaded, or when the zImage_bak file is restored to the ZXR10 2900E, a CRC check is performed after file transmission is completed. If a file does not pass the check, the file is deleted.
Directory Management
The file system can be used to create and delete directories, display the current working directory, and display the information about subdirectories or files under a specified directory.
For the procedure to manage file system directories, refer to the table below:
Step  Command                                        Function
1     zte(cfg)#config tffs                           Enters file system configuration mode.
2     zte(cfg-tffs)#md <directory name>              Creates a directory.
3     zte(cfg-tffs)#rename <file-name> <file-name>   Modifies the directory name.
4     zte(cfg-tffs)#cd <directory name>              Changes the current directory, and opens this directory.
5     zte(cfg-tffs)#ls                               Lists the current directories.
You can run the remove <file-name> command to delete a specified directory. The img, cfg, and data directories created by default and all non-empty directories cannot be deleted.
File Management
The file system can be used to delete a specified file, rename a file name, copy a file and display the file information.
For the procedure to manage file system files, refer to the table below:
Step  Command                                                  Function
1     zte(cfg)#config tffs                                     Enters file system configuration mode.
2     zte(cfg-tffs)#rename <file-name> <file-name>             Changes a file name.
3     zte(cfg-tffs)#copy <source-pathname> <dest-pathname>     Copies a file.
4     zte(cfg-tffs)#ls                                         Lists current files.
You can run the remove <file-name> command to delete a specified file.
Version Download/Upload Through TFTP
Start the TFTP server, enter file system configuration mode, and back up or recover the version file and configuration file of the switch through TFTP.
For the procedure to download or upload a version file through TFTP, refer to the table below:
Step  Command                                                                       Function
1     zte(cfg)#config tffs                                                          Enters file system configuration mode.
2     zte(cfg-tffs)#cd <directory name>                                             Enters the directory.
3     zte(cfg-tffs)#tftp <A.B.C.D> download<remote-file-name>[<local-file-name>]    Downloads or uploads the version file through TFTP.
      zte(cfg-tffs)#tftp <A.B.C.D> upload <local-file-name>[<remote-file-name>]
Version Download/Upload Through FTP
Start the FTP server, enter file system configuration mode, and back up or recover the version file and configuration file of the switch through FTP.
For the procedure to download or upload a version file through FTP, refer to the table below:
Step  Command                                                                                                               Function
1     zte(cfg)#config tffs                                                                                                  Enters file system configuration mode.
2     zte(cfg-tffs)#cd <directory name>                                                                                     Enters the directory.
3     zte(cfg-tffs)#ftp <A.B.C.D><remote-file-name>{download|upload}<local-file-name> username <string> password <string>   Downloads or uploads the version file through FTP.
Flash Formatting
Caution!
After the Flash memory is formatted, all system software and configurations will be cleared.
For the procedure to format the Flash memory, refer to the table below:
Step Command Function
1 zte(cfg)#config tffs Enters file system configuration mode.
2 zte(cfg-tffs)#format Formats the Flash.
4.2 Configuring the TFTP Server
The switch version file and configuration file can be backed up or recovered through TFTP. The TFTP server application software is started at the back end to communicate with the switch (TFTP client) to implement file backup and recovery. This procedure describes how to configure the back-end TFTP server using TFTP server software (TFTPD) as an example.
Steps
1. Run the Tftpd software at the back-end computer. The TFTP server window is displayed, see Figure 4-1.
Figure 4-1 TFTP Server
2. Select Tftpd > Configure. The Tftpd Settings dialog box is displayed, see Figure 4-2.
Figure 4-2 Tftpd Settings Dialog Box
3. Click the Browse button on the upper side of the dialog box and select a directory to save the version file or configuration file.
4. Click the Browse button on the lower side of the dialog box to select a log file, and then click OK to complete the configuration.
– End of Steps –
4.3 Configuring the FTP Server
The switch version file and configuration file can be backed up or recovered through FTP. The FTP server application software is started at the back end to communicate with the switch (FTP client) to implement file backup and recovery. This procedure describes how to configure the back-end FTP server using FileZilla Server (FTP server software) as an example.
Steps
1. Run the FileZilla Server software on the back-end computer. The Connect to Server dialog box is displayed, see Figure 4-3.
Figure 4-3 Connect to Server Dialog Box
2. Set Server Address, Port and Administration password, and click OK. The FileZilla Server window is displayed, see Figure 4-4.
Figure 4-4 FileZilla Server Window
3. Select Edit > Users. The Users dialog box is displayed, see Figure 4-5. Create a user name and password.
Figure 4-5 Users Dialog Box
4. Select Shared folders in the left area and set a primary directory for the new user, see Figure 4-6.
Figure 4-6 Directory Setting
Note:
The application scenarios for FTP and TFTP are the same, including configuration file import and export, and automatic software version download.
– End of Steps –
4.4 Importing and Exporting the Configuration File
The ZXR10 2900E switch provides the configuration import/export function, which facilitates the switch configuration and management.
Exporting the Configuration
In global configuration mode, use the write command to export the current system configuration to startrun.dat and save it in the Flash memory. This file can also be uploaded to the TFTP server for viewing, modification and bulk configuration.
zte(cfg-tffs)#cd cfg
zte(cfg-tffs)#tftp 192.168.1.102 upload startrun.dat
zte(cfg-tffs)#cd ..
Importing the Configuration
startrun.dat is a configuration file. It can be edited manually as needed and downloaded to the /cfg directory of the ZXR10 2900E switch by using the tftp command. After the configuration file is downloaded to the Flash memory of the switch, reboot the switch to import the configuration.
zte(cfg-tffs)#cd cfg
zte(cfg-tffs)#tftp 192.168.1.102 download startrun.dat
zte(cfg-tffs)#cd ..
4.5 Backing Up and Recovering Files
The files mentioned in this topic refer to the configuration file and version file in the Flash memory.
Backing Up the Configuration File
If the switch configuration is modified, the modified data takes effect in memory in real time. If the switch is restarted, all the new configuration data will be lost. To avoid this, use the write command to save the current configuration in the Flash memory. The following shows the write command:
zte(cfg)#write
To prevent damage to the configuration data, back up the configuration data by using the tftp command.
Run the following commands to upload the configuration file in the Flash memory to the back-end TFTP server:
zte(cfg-tffs)#cd cfg
zte(cfg-tffs)#tftp 192.168.1.102 upload startrun.dat
zte(cfg-tffs)#cd ..
Recovering the Configuration File
Run the following commands to download the configuration file from the back-end TFTP server to the Flash memory:
zte(cfg-tffs)#cd cfg
zte(cfg-tffs)#tftp 192.168.1.102 download startrun.dat
zte(cfg-tffs)#cd ..
Backing Up the Version File
Similar to the configuration file, you can use the tftp command to upload the front-end version file to the back-end TFTP server. For example:
zte(cfg-tffs)#cd img
zte(cfg-tffs)#tftp 192.168.1.102 upload zImage
zte(cfg-tffs)#cd ..
Recovering the Version File
Version file recovery is used to retransmit the back-end backup version file to the front end through TFTP. Recovery is very important in the case of upgrade failure. The version recovery operation is basically the same as the version upgrade procedure.
4.6 Downloading the Software Version Automatically
The automatic software version download function is used for an un-deployed device.
When the switch is powered on for the first time, it identifies that the automatic download flag is set (factory default setting) in the NVRAM and no configuration file exists, so automatic download is triggered.
The switch obtains the version file name and/or the configuration file name by interacting with a DHCP server, and downloads the files by interacting with a TFTP server. If the download succeeds (even if only one file is downloaded successfully), the automatic download flag in the NVRAM is cleared and the switch is restarted.
For the relation between the file names transferred by the DHCP server and the triggered download operations, refer to the table below:
Name of the File to be Downloaded   Whether to Download the Version File   Whether to Download the Configuration File
zImage                              Yes                                    No
config.dat                          No                                     Yes
startrun.dat                        No                                     Yes
*.dat                               No                                     Yes
config.dat@zImage                   Yes                                    Yes
startrun.dat@zImage                 Yes                                    Yes
*.dat@zImage                        Yes                                    Yes
In the above table, “*” is a wildcard indicating a device type. This means the configuration file automatically adapts according to the device type.
The name of the file to be downloaded is a character string configured on the DHCP server, and it cannot be modified on the local computer.
By executing the show dhcp command, you can see the configuration file to be downloaded to the current device. For example, the ZXR10 2928E downloads the ZXR10_2928E.dat file from the TFTP server.
zte(cfg)#show dhcp
DHCP download flag is disabled, config file is found.
DHCP download will not startup, when system reboot.
DHCP config file(option-67) *.dat will be translated to ZXR10_2928E.dat.
DHCP snooping-and-option82 is disabled.
DHCP client is enabled.
DHCP client broadcast-flag is enabled.
The following table lists the complete adaptation relation:
ID  Device          Configuration File Name
1   ZXR10 2910E-PS  ZXR10_2910E-PS.dat
2   ZXR10 2918E-PS  ZXR10_2918E-PS.dat
3   ZXR10 2918E     ZXR10_2918E.dat
4   ZXR10 2928E-PS  ZXR10_2928E-PS.dat
5   ZXR10 2928E     ZXR10_2928E.dat
6   ZXR10 2952E     ZXR10_2952E.dat
Figure 4-7 Network Architecture for Automatic Configuration File Download
The network architecture is shown in Figure 4-7. Set the TFTP server address and version file name on the DHCP server. For example, set the TFTP server address to 10.40.89.78, and the file name to *.dat@zImage. After being powered on, the switch downloads ZXR10_2918E.dat (assuming that the device type is ZXR10 2918E) and zImage from the TFTP server. After downloading the files successfully, the switch is restarted automatically.
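The file-name table and the wildcard adaptation above can be checked against the TFTP root before un-deployed switches are powered on, which matters because one successful file is enough to clear the download flag. The following Python is an added example, not ZTE code; resolve_bootfile and audit_scope are hypothetical names, and the TFTP root listing in it is constructed sample data.

```python
"""Pre-deployment check for ZXR10 2900E automatic download (added example)."""

# Device type -> configuration file name, copied from the adaptation table above.
ADAPTATION = {
    "ZXR10 2910E-PS": "ZXR10_2910E-PS.dat",
    "ZXR10 2918E-PS": "ZXR10_2918E-PS.dat",
    "ZXR10 2918E": "ZXR10_2918E.dat",
    "ZXR10 2928E-PS": "ZXR10_2928E-PS.dat",
    "ZXR10 2928E": "ZXR10_2928E.dat",
    "ZXR10 2952E": "ZXR10_2952E.dat",
}
VERSION_FILE = "zImage"
CONFIG_FORMS = ("config.dat", "startrun.dat", "*.dat")


def resolve_bootfile(option67, device):
    """Return {'version': name|None, 'config': name|None} for one device type.

    Only the seven forms in the file-name table are accepted; anything else
    raises ValueError instead of guessing what the switch would do with it.
    (Hypothetical helper, not a ZTE API.)
    """
    if device not in ADAPTATION:
        raise ValueError(f"unknown device type: {device!r}")
    value = option67.strip()
    if value == VERSION_FILE:
        return {"version": VERSION_FILE, "config": None}
    config, sep, version = value.partition("@")
    if config not in CONFIG_FORMS or (sep and version != VERSION_FILE):
        raise ValueError(f"file name not in the documented table: {option67!r}")
    if config == "*.dat":
        config = ADAPTATION[device]  # "*" adapts to the device type
    return {"version": VERSION_FILE if sep else None, "config": config}


def audit_scope(option67, devices, tftp_files):
    """Return (device, finding, missing_files) for requests the TFTP root cannot serve."""
    present = set(tftp_files)
    findings = []
    for device in devices:
        wanted = [n for n in resolve_bootfile(option67, device).values() if n]
        missing = sorted(n for n in wanted if n not in present)
        if not missing:
            continue
        if len(missing) < len(wanted):
            # One file succeeding clears the NVRAM flag, so the switch would
            # restart without the file that is missing here.
            findings.append((device, "partial", missing))
        else:
            findings.append((device, "nothing-to-download", missing))
    return findings


if __name__ == "__main__":
    # Constructed sample: TFTP root listing and the device types about to be deployed.
    root = ["zImage", "ZXR10_2918E.dat", "ZXR10_2928E.dat"]
    for row in audit_scope("*.dat@zImage", ["ZXR10 2918E", "ZXR10 2952E"], root):
        print(row)
```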
4.7 Configuring Automatic Saving of a Configuration File
The function of automatic saving of a configuration file helps you to upload the switch configuration to the back-end server.
The uploaded configuration files include startrun.dat and toPmac.dat. When the time set by period is counted down to 0, the switch uploads the startrun.dat file to the TFTP server at a local time between 00:00 and 00:01, and uploads the toPmac.dat file after one minute. The automatically uploaded files are stored in the flash sub-folder in the upload/download directory configured by the TFTP server. The names of the files respectively are startrun mm_dd_yy.dat and toPmac mm_dd_yy.dat, where “mm”, “dd”, and “yy” indicate the date on which the upload occurs.
Figure 4-8 Network Structure for Automatic Configuration File Upload
The network is shown in Figure 4-8. Before configuring the following commands, make sure that the switch can ping the server successfully. Assume that the IP address of the TFTP server is 10.40.89.78, and the configuration is saved to the server every 10 days. The configuration commands are as follows:
zte(cfg)#set auto-saveconfig serverip 10.40.89.78
zte(cfg)#set auto-saveconfig period 10
zte(cfg)#set auto-saveconfig enable
Caution!
The enable command should be configured after serverip is configured. If serverip is not configured, the system displays a message, prompting that the automatic upload function cannot be enabled. If a communication exception occurred between the switch and the server when the upload function was triggered last time, the configuration file cannot be uploaded successfully this time. The system uploads the configuration files when the next triggering time comes.
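Because a failed upload is only retried at the next trigger, a missed cycle is visible only on the server side. The following Python is an added example, not ZTE code, that audits the file names in one switch's flash sub-folder for missed, overdue and unpaired uploads; parse_upload and audit_uploads are hypothetical names, the listing is constructed, and it assumes the date suffix is joined by a space or an underscore and that "yy" means 20yy.

```python
"""Spot missed ZXR10 auto-saveconfig uploads on the TFTP server (added example)."""
import re
from datetime import date

# Assumption: the date suffix is joined to the base name by a space (as printed
# in the text above) or an underscore, and "yy" is the year 20yy.
NAME_RE = re.compile(r"^(startrun|toPmac)[ _](\d{2})_(\d{2})_(\d{2})\.dat$")


def parse_upload(name):
    """Return (base, date) for an auto-saved file name, or None if it is not one."""
    m = NAME_RE.match(name)
    if not m:
        return None
    base, mm, dd, yy = m.groups()
    try:
        return base, date(2000 + int(yy), int(mm), int(dd))
    except ValueError:  # impossible calendar date, e.g. month 13
        return None


def audit_uploads(names, period_days, today):
    """Return sorted (base, finding, date) tuples for one switch's flash sub-folder.

    period_days is the value given to "set auto-saveconfig period".
    """
    seen = {"startrun": set(), "toPmac": set()}
    for name in names:
        parsed = parse_upload(name)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    findings = []
    for base, dates in seen.items():
        ordered = sorted(dates)
        if not ordered:
            findings.append((base, "never-uploaded", None))
            continue
        # Consecutive uploads further apart than the period: a trigger was lost.
        for prev, cur in zip(ordered, ordered[1:]):
            if (cur - prev).days > period_days:
                findings.append((base, "missed-cycle-after", prev))
        if (today - ordered[-1]).days > period_days:
            findings.append((base, "overdue-since", ordered[-1]))
    # Both files are uploaded within minutes of each other, so they share a date.
    if seen["startrun"] and seen["toPmac"]:
        for day in seen["startrun"] ^ seen["toPmac"]:
            lonely = "toPmac" if day in seen["startrun"] else "startrun"
            findings.append((lonely, "missing-pair-on", day))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or date.min))


if __name__ == "__main__":
    # Constructed listing for a switch configured with period 10.
    listing = [
        "startrun 01_01_24.dat", "toPmac 01_01_24.dat",
        "startrun 01_11_24.dat", "toPmac 01_11_24.dat",
        "startrun 01_31_24.dat", "readme.txt",
    ]
    for finding in audit_uploads(listing, 10, date(2024, 2, 5)):
        print(finding)
```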
4.8 Upgrading the Software Version
Note:
Normally, version upgrade is needed only when the original version does not support some functions or the switch operates abnormally due to some special causes. Improper version upgrade operations may result in upgrade failure and startup failure of the system. So, before version upgrade, get familiar with the principles and operations of the ZXR10 2900E and master the upgrade procedure.
The version upgrade procedure differs depending on whether the switch system is operating normally or abnormally.
Displaying the Version Information
If the system status allows, check the version information before and after the upgrade.
In global configuration mode, use the show version command to display the system hardware and software version information.
The displayed contents are as follows:
zte(cfg)#show version
ZXR10 Router Operating System Software, ZTE Corporation:
ZXR10 2928E Version Number : 2928E Series V2.05.11B04
Copyright (c) 2001-2013 By ZTE Corporation
Compiled: 11:14:25 Aug 27 2013
System uptime is 0 years 1 days 13 hours 20 minutes 46 seconds
Main processor : arm926ejs
Bootrom Version : v2.03 Creation Date : Aug 27 2013
System Memory : 128 M bytes System Flash : 256 M bytes
EPLD Version (Dno.) : V1.0
PCB Version (Dno.) : V1.0
Product Version(Dno.): V1.0
Image Down From : Flash
Image Down Username : N/A
Image Down Time : N/A
Image Down Size : 10262580 bytes
Onboard temperature : 38.0 degree centigrade(100.0 degree fahrenheit)
Startup From : /img/zImage
Switch's Mac Address : 00.d0.d0.ff.00.86
Module 0: ZXR10 2928E; fasteth: 0; gbit: 48;
Upgrading the Version When the System is Normal
If the switch operates properly, upgrade the version as follows:
1. Connect the console port of the switch to the serial port of the back-end computer by using a provided configuration cable. Connect an Ethernet port of the switch to the network port of the back-end computer by using a network cable. Ensure that the connections are correct.
2. Set the IP address of the Ethernet port on the switch. Set the IP address of the back-end computer used for upgrade. The two IP addresses must be in the same network segment so that the computer can ping the switch successfully.
3. Start the TFTP server software on the back-end computer and configure it by referring to 4.2 Configuring the TFTP Server.
4. On the switch, use the show version command to check the information of current operating version.
5. Enter file system configuration mode and use the remove command to delete the old version file in the Flash memory. If the Flash memory has sufficient space, change the name of the old version file and keep it in the Flash memory.
zte(cfg)#config tffs
zte(cfg-tffs)#cd img
zte(cfg-tffs)#remove zImage
zte(cfg-tffs)#cd ..
6. Use the tftp command to upgrade the version. The following shows how to download the version file from the TFTP server to the Flash memory:
zte(cfg-tffs)#cd img
zte(cfg-tffs)#tftp 10.40.89.78 download zImage
.................................................
.................................................
.................................................
7,384,016 bytes downloaded
zte(cfg-tffs)#ls
zte(cfg-tffs)#ls
/img/
. <DIR>
.. <DIR>
zImage 7,536,884 bytes
240,568,768 bytes free
7. Restart the switch. After successful startup, check the operating version and confirm whether the upgrade is successful.
Upgrading the Version When the System is Abnormal
If the switch cannot be started normally or runs abnormally, upgrade the version as follows:
1. Connect the console port of the switch to the serial port of the back-end computer by using a provided configuration cable. Connect an Ethernet port of the switch to the network port of the back-end computer by using a network cable. Ensure that the connections are correct.
2. Restart the switch. On the HyperTerminal, press any key as prompted to enter ZXR10 Boot status.
ZXR10 2928E BootRom Version v1.08
Compiled Feb 27 2012 10:32:29
Copyright (c) 2010 by ZTE Corporation.
boot location [0:Net,1:Flash] : 0
actport : 1
serverip : 10.40.89.78
netmask : 255.255.255.0
ipaddr : 10.40.89.100
bootfile : /img/zImage
username : ZXR10
password : 123456
MAC : 00:d0:d0:3c:3b:00
[ZXR10 Boot]
3. Enter c in ZXR10 Boot status and press Enter to enter the parameter modification status. Set the IP addresses of the Ethernet port and the TFTP server. The two addresses are set to be in the same network segment.
[ZXR10 Boot]: c
boot location [0:Net,1:Flash] : 0    /*start by tftp or Flash */
actport : 1    /*select the port enabled by tftp*/
serverip : 10.40.89.78    /*ftp/tftp server address*/
netmask : 255.255.255.0    /*subnet mask*/
ipaddr : 10.40.89.79    /*local interface address*/
bootfile : /img/zImage    /*version file location*/
username : ZXR10    /*username used when the file is downloaded through ftp*/
password : ZXR10    /*password used when the file is downloaded through ftp*/
MAC : 00:d0:d0:30:20:10    /*MAC address of the switch*/
4. Set the IP address of the back-end computer to be the same as that of the TFTP server.
5. Start the TFTP server software on the back-end computer and configure the TFTP by referring to 4.2 Configuring the TFTP Server.
6. In ZXR10 Boot status, enter zte to enter BootManager status of the switch. Enter ? to display the command list for this status.
[ZXR10 Boot]:zte
[bootManager]: ?
? - alias for 'help'
cd - change current path
exit - exit from bootManager mode
format - format flash
ftp - get/put file from/to FTP server
help - print online help
l - load zImage
ls - list files in current directory
mv - change [source] name to [destination] name
reboot - perform REBOOT of the CPU
rm - remove file
setBOOTpassword - set password for BOOT mode
setPtype- set packaged type
show - show board information
update - update boot or firmware
[bootManager]:
7. In BootManager status, run the reboot command to restart the switch and load the new version file. The following shows how to download the version file from the TFTP server to the Flash memory:
FTP directory format: ftp get <filename>. The file will be downloaded to the current directory. If you want to check the current directory, use the ls command. The port address used by FTP and port information can be modified in the c directory in ZXR10 Boot. Take port 1 as an example.
boot location [0:Net,1:Flash] : 1
actport : 1
serverip : 10.40.89.78
netmask : 255.255.255.0
ipaddr : 10.40.89.79
bootfile : /img/zImage
username : ZXR10
password : ZXR10
MAC : 00:d0:d0:30:20:10
Hit any key to stop autoboot: 0
[ZXR10 Boot]:
[ZXR10 Boot]:zte
[bootManager]: cd img
[bootManager]: ftp get zImage
............................................
............................................
............................................
Ftp get zImage successfully, 7397428 bytes received.
[bootManager]:
8. In BootManager status, use the reboot command to restart the switch by using the new version. If the switch is started normally, use the show version command to verify that the new version is operating in the memory. If the switch cannot be started normally, it indicates that the version upgrade has failed. In this case, repeat the above upgrade procedure from step 1.
4.9 File System Configuration Commands
File system configuration includes the following commands:
Command    Function
zte(cfg-tffs)#md <directory name>    Creates a directory.
zte(cfg-tffs)#remove <file-name>    Deletes a file or directory.
zte(cfg-tffs)#rename <file-name><file-name>    Modifies a file or directory name.
zte(cfg-tffs)#ls    Displays a sub-directory and file.
zte(cfg-tffs)#cd <directory name>    Changes the current directory.
zte(cfg-tffs)#tftp <A.B.C.D>{download | upload}<remote-file-name>[<local-file-name>]    Uploads or downloads files to/from the TFTP server.
zte(cfg-tffs)#tftp commander {download | upload}<remote-file-name>[<local-file-name>]    Uploads or downloads files to/from the cluster commander.
zte(cfg-tffs)#copy <source-pathname><dest-pathname>    Copies files.
zte(cfg-tffs)#format    Formats the Flash memory.
zte(cfg-tffs)#update bootrom    Updates the bootrom.
zte(cfg)#set dhcp download{enable | disable}    Enables or disables the automatic download function of a DHCP client.
zte(cfg)#set auto-saveconfig {enable | disable}    Enables or disables the system to automatically upload the configuration file to a TFTP server.
zte(cfg)#set auto-saveconfig serverip <A.B.C.D>    Sets the IP address of the TFTP server to which the system automatically uploads the configuration file.
zte(cfg)#set auto-saveconfig period <1-30>    Sets the interval for automatically uploading the configuration file (unit: day).
show auto-saveconfig (all configuration modes)    Displays the status of the automatic upload function.
Chapter 5 Service Configuration
Table of Contents
Management Configuration
Port Configuration
PoE Configuration
Port Mirroring
MAC Address Table Operation
LACP Configuration
IGMP Snooping Configuration
MLD Snooping Configuration
IPTV Configuration
STP Configuration
ACL Configuration
QoS Configuration
PVLAN Configuration
Layer 2 Protocol Transparent Transmission Configuration
IPv4 Layer 3 Configuration
IPv6 Layer 3 Configuration
DAI Configuration
Access Service Configuration
MAC Authentication Configuration
QinQ Configuration
SQinQ Configuration
VLAN Configuration
VLAN Mapping Configuration
Syslog Configuration
NTP Configuration
GARP/GVRP Configuration
DHCP Configuration
DHCPv6 Configuration
VBAS Configuration
PPPoE-PLUS Configuration
ZESR Configuration
ZESS Configuration
OAM Configuration
sFlow Configuration
PP Configuration
LLDP Configuration
Single Port Loop Detection Configuration
UDLD Configuration
TACACS+ Configuration
Time Range Configuration
Voice VLAN Configuration
802.1ag Configuration
Y.1731 Configuration
MAC-based VLAN Command Configuration
DHCP Relay Configuration
MFF Configuration
SSL Configuration
ERPS Configuration
Debug Module Configuration
5.1 Management Configuration
Management Configuration Overview
Management configuration includes the following configurations:
1. Mode switching configuration
2. Console attribute configuration
3. Global information configuration
4. Switch user access configuration
Configuring the Management Service
The configuration of management service includes the following commands:
Command    Function
zte(cfg)#config group    Enters cluster management configuration mode.
zte(cfg)#config router    Enters layer-3 interface configuration mode.
zte(cfg)#config snmp    Enters SNMP configuration mode.
zte(cfg)#config tffs    Enters file system configuration mode.
zte(cfg)#config nas    Enters service configuration mode.
zte(cfg)#config mac-based-vlan    Enters MAC-based VLAN configuration mode.
exit (all configuration modes)    Returns to the original command line mode.
zte>enable    Enters global configuration mode from user configuration mode.
list (all configuration modes)    Lists all valid configuration commands in the current mode.
zte(cfg)#set auto-reset <2-120>    Sets automatic logout time of the switch console.
zte(cfg)#line-vty timeout <1-12>    Sets login timeout time of the Telnet user.
zte(cfg)#set date <yyyy-mm-dd> time<hh:mm:ss>    Sets date and time of the switch.
zte(cfg)#set date summer-time {one-year | repeating}{date <yyyy-mm-dd><hh:mm:ss><yyyy-mm-dd><hh:mm:ss>| week <week><day><month><year><hh:mm:ss><week><day><month><year><hh:mm:ss>}[<60-1440>]    Sets the period when the daylight saving time is used.
zte(cfg)#clear summer-time    Deletes the configuration of the daylight saving time.
zte(cfg)#hostname <name>    Sets or changes the host name.
zte(cfg)#promptlen <0-48>    Sets the length of the host name.
zte(cfg)#sysLocation <string>    Sets the location information of the switch.
zte(cfg)#reboot    Reboots the switch immediately.
zte(cfg)#reboot-time <hh:mm>    Sets the time when the switch is rebooted.
zte(cfg)#telnet <A.B.C.D>[<A.B.C.D>]    Logs in to the Telnet server. You can select the source address.
zte(cfg)#create user <name>{admin | guest}[<0-15>]    Creates a new local user.
zte(cfg)#set loginauth {local | radius | local+radius | radius+local | tacacs-plus | local+tacacs-plus | tacacs-plus+local}    Sets the login authentication mode.
zte(cfg)#set user local <name> login-password [<string>]    Sets the login password for the local user.
zte(cfg)#set adminauth {local | radius | local+radius | radius+local | none | tacacs-plus | local+tacacs-plus | tacacs-plus+local}    Sets the management authentication mode.
zte(cfg)#set user local <name> admin-password [<string>]    Sets the management password for the local user.
zte(cfg)#set user radius purview {admin | guest}    Sets the RADIUS authentication user login authority.
zte(cfg)#set user radius admin-password [<string>]    Sets the management password for the RADIUS user.
zte(cfg)#set user tacacs-plus purview {admin | guest}    Sets login permissions for the TACACS+ authentication user.
zte(cfg)#set user tacacs-plus admin-password [<string>]    Sets the management password for the TACACS+ user.
zte(cfg)#set user multi-user {enable | disable}    Sets the multi-user login function.
zte(cfg)#cpu-threshold <30-90>    Sets the CPU usage threshold.
zte(cfg)#mem-threshold <60-90>    Sets the memory usage threshold.
zte(cfg)#write    Saves the current configuration information to the Flash memory and recovers the information when the switch is rebooted.
zte(cfg)#clear user <name>    Deletes a user.
zte(cfg)#clear reboot-time    Clears automatic reboot configuration.
zte(cfg)#terminal monitor {on | off}    Allows or forbids printing the real-time alarm log information to the terminal.
zte(cfg)#terminal log {on | off}    Allows or forbids writing logs.
zte(cfg)#terminal log toFile    Saves logs in the RAM to the Flash memory.
zte(cfg)#terminal log timer {enable | disable | interval <1-720>}    Sets automatic saving of log information.
zte(cfg)#set bootpassword to <string>    Sets the password for logging in to boot mode.
zte(cfg)#set bootpassword clear    Deletes the password for logging in to boot mode.
zte(cfg)#set fan mode {auto | manual}    Sets the fan operating mode.
zte(cfg)#set fan speed    Sets the fan operating speed.
zte(cfg)#readconfig <filename>    Reads the local file on the device as the configuration.
zte(cfg)#set temperature-alarm <0-100>    Sets the threshold for over-temperature alarms on the switch.
zte(cfg)#clear terminal-log    Clears log information.
zte(cfg)#terminal log module {all|arp-inspection|dhcp|radius|AAA }{ off | on }    Allows/forbids writing logs of a module.
zte(cfg)#terminal monitor module {all| arp-inspection|dhcp|radius|AAA }{ off | on }    Allows/forbids printing real-time alarm logs of a module for the terminal.
show reset-time (all configuration modes)    Displays automatic logout time setting of the switch console.
show line-vty (all configuration modes)    Displays Telnet user login timeout time setting.
show loginauth (all configuration modes)    Displays login authentication mode.
show adminauth (all configuration modes)    Displays management authentication state and authentication mode.
show terminal (all configuration modes)    Displays terminal log configuration information.
show terminal log (all configuration modes)    Displays the terminal log information in RAM.
show user (all configuration modes)    Displays the user configured on the switch and current login user information.
show version (all configuration modes)    Displays the system information.
show running-config [{include | begin}<string>] (all configuration modes)    Displays all non-default configuration of the current system.
show start-config (all configuration modes)    Displays all non-default configuration when the system is written at last.
show date-time (all configuration modes)    Displays the current date and time.
show reboot-time (all configuration modes)    Displays automatic reboot configuration.
show cpu (all configuration modes)    Displays CPU usage at the duration of 5 s, 30 s and 2 m.
show memory (all configuration modes)    Displays the current RAM usage.
show fan (all configuration modes)    Displays the fan status.
show summer-time (all configuration modes)    Displays DST configuration.
show bootpassword (all configuration modes)    Displays the password for logging in to boot mode.
show Etag (all configuration modes)    Displays the electronic labels of devices.
show temperature (all configuration modes)    Displays the device temperature.
list include <string> (all configuration modes)    Displays the commands including a specific string.
show terminal log include <string> (all configuration modes)    Displays alarm log information including a specific string.
zte(cfg)#clear login session <sessionlist>    Deletes sessions based on a session list.
zte(cfg)#clear running-config    Deletes configuration except the device management IP address configuration (configuration of all layer-3 interfaces), log configuration, user account configuration and banner configuration, saves the modification, and restarts the system.
zte(cfg)#set banner filename    Sets the banner displayed on the welcome screen. The banner is stored in the system file, and spaces are supported.
zte(cfg)#set banner endwith    Sets the end identifier of the banner.
zte(cfg)#clear banner    Clears the banner displayed on the welcome screen.
5.2 Port Configuration
Port Configuration Overview
The port parameters can be configured on the ZXR10 2900E. They include auto-negotiation, duplex mode, rate and line detection. The commands include the following types:
1. Port basic parameters configuration
2. Port diagnosis
3. Port information view
Configuring a Port
The port configuration includes the following commands:
Command    Function
zte(cfg)#set port <portlist>{enable | disable}    Enables or disables the port.
zte(cfg)#set port <portlist> work-mode {fiber | copper | auto [ prefer {first-up | fiber | copper}]}    Sets the combo port to switch between the electrical mode and the optical mode.
zte(cfg)#set port <portlist> phy-mode {1000base-x | sgmii}]}    Controls switchover between 1000 Mbps optical ports and electrical internal ports.
zte(cfg)#set port <portlist> speedadvertise maxspeed    Sets the advertisement of the maximum port speed duplex information.
zte(cfg)#set port <portlist> speedadvertise {speed10 | speed100 | speed1000}{fullduplex | halfduplex}    Sets the advertisement of the port speed duplex information.
zte(cfg)#set port <portlist> duplex {full | half | auto}    Sets the working mode of the port to full duplex or half duplex.
zte(cfg)#set port <portlist> speed {10 | 100 | 1000 | auto}    Sets the speed of the port to 10 Mbps, 100 Mbps, or 1000 Mbps, or auto.
zte(cfg)#set port <portlist> mdix {auto | normal | crossover}    Sets the line sequence identification function.
zte(cfg)#set port <portlist> flowcontrol {enable | disable}    Enables or disables the port flow control function.
zte(cfg)#set port <portlist> description<string>    Sets port description information.
zte(cfg)#set port <portlist> accept-frame {tag | untag | all}    Sets the packet type that the port allows to accept.
zte(cfg)#set jumbo port <portlist>{enable | disable }    Enables or disables the port jumbo function.
zte(cfg)#set port <portlist> pvid <1-4094>    Sets a default port PVID.
zte(cfg)#set port statistics mode {ingress | egress | both}    Sets packet statistics mode.
zte(cfg)#set sleep-mode {enable | disable}    Enables or disables the port sleep mode.
zte(cfg)#create port <portid> name <string>    Creates a port name.
zte(cfg)#clear port <portlist>{name | statistics | description| multicast-filter}    Clears the port name, port statistics data, port description, and the multicast filter flag.
show port (all configuration modes)    Displays the configuration and status information of all ports.
show port [<portlist>] (all configuration modes)    Displays port configuration and status information.
show port <portlist> statistics (all configuration modes)    Displays the statistics of the current port.
show port <portlist> statistics [1min_unit | 5min_unit] (all configuration modes)    Displays port statistics data.
show port <portlist> utilization (all configuration modes)    Displays port bandwidth utilization.
show port <portlist> brief (all configuration modes)    Displays port brief information.
show port <portlist> vlan (all configuration modes)    Displays the location of VLAN.
show jumbo (all configuration modes)    Displays the jumbo configuration of all ports.
show jumbo [<portlist>] (all configuration modes)    Displays port jumbo configuration information.
show vct port <portid> (all configuration modes)    Displays port virtual line detection result.
show cable-diag (all configuration modes)    Displays the up/down status of each port and VCT detection result.
zte(cfg)#set port <portlist> protect {enable | disable }    Enables or disables the port protection function.
zte(cfg)#set port <portlist> protect time<1-10>    Sets the port protection period in port protection status.
zte(cfg)#set cable-diag {enable | disable }    Enables or disables the function of virtual cables detecting logs.
zte(cfg)#set mac protect port <portlist>{enable | disable}    Enables or disables the port protection function.
zte(cfg)#set mac protect port <portlist> action {shutdown | restrict | protect}    Sets the port protection action.
zte(cfg)#show mac protect port <portlist>    Displays the port protection state.
5.3 PoE Configuration
PoE Configuration Overview
Power over Ethernet (PoE) is an extended feature that supports network devices with Ethernet electrical ports. The network devices (switches or routers) supporting the PoE function can provide power supply through Twisted Pair for remote Powered Devices (PDs) such as IP phones, WLAN Access Points (APs), or network cameras, which realizes remote power supply.
Ethernet remote power supply is sometimes called network power supply. It is a type of technology that delivers a small amount of power and provides power supply through 10 BASE-T and 100 BASE-TX. Without changing the existing Ethernet Cat.5 cabling structure, PoE can provide DC power supply for IP-based devices (such as IP phones, WLAN APs, or network cameras) while data signals are transmitted. PoE technology minimizes cost while ensuring the security of the existing structured cabling. Figure 5-1 shows a typical PoE application.
Figure 5-1 PoE Application
The ZXR10 2900E-PS series switch supports the following PoE features:
- The ZXR10 2900E-PS series switch includes ZXR10 2910E-PS, ZXR10 2918E-PS and ZXR10 2928E-PS. The device can provide power supply for the PD complying with 802.3af/802.3at standard, and the single port can provide up to 30 watts of power.
- The ZXR10 2900E-PS series switch supports both DC and AC power input. When the ZXR10 2900E-PS series switch acts as the power supply, the maximum output power depends on the Redundant Power System (RPS) if the switch uses DC power input, or the maximum output power is 250 W if the switch uses AC power input. A power module provides 400 W output power. To replace a power module, read the instructions or name plate of the power module.
- The ZXR10 2900E-PS series switch provides the following configuration and management functions for convenient use.
  1. Sets integrated device maximum output power.
  2. Sets port maximum output power.
  3. Sets port power supply priority. The system provides three types of priorities for each port. When the total power of all ports exceeds the maximum output power of the ZXR10 2900E switch, the switch decides which devices are to be powered on according to port power supply priority. The port with a high power supply priority is powered first. The port with the lowest priority stops supplying power. If two ports have the same power supply priority, the port number decides: the lower the port number, the higher the priority, and that port is powered first.
  4. Provides the monitoring function for fans.
  5. Provides various alarm information and exception monitoring and alarm report mechanisms such as Terminal log, SNMP Trap and Syslog.
Configuring PoE
The PoE configuration includes the following commands:
Command    Function
zte(cfg)#set poe port <portlist> {enable | disable}    Enables or disables the port function.
zte(cfg)#set poe port <portlist> pd-max-power {15.4 | 4.0 | 7.0 | ext.18 | ext.27 | ext.30}    Sets the maximum power supply of the port.
zte(cfg)#set poe port <portlist> priority {critical | high | low}    Sets the port power supply priority.
zte(cfg)#set poe port <portlist> forcepower {enable | disable}    Enables or disables the port force-power function.
zte(cfg)#set poe port <portlist> extend-detection {enable | disable}    Enables or disables the port extended detection function.
zte(cfg)#set poe power maxvalue <1-500> [threshold <0-30>]    Sets device maximum output power and protection threshold.
zte(cfg)#set poe port <port list> enable time-range <word>    Enables the port PoE.
show poe device (all configuration modes)    Displays the PoE status of the device.
show poe status [port <portlist>] (all configuration modes)    Displays the PoE status of the port.
show poe config [port <portlist>] (all configuration modes)    Displays PoE configuration information.
PoE Configuration Instance
• Configuration Description
A DUT device is directly connected to a PD.
Configure a power supply device of PS type. The ZXR10 2910E-PS, ZXR10 2918E-PS and ZXR10 2928E-PS can be used as a power supply. Take the ZXR10 2918E-PS as an example. It provides 15.4 watts of power supply complying with the AF standard for 16 ports, and provides about 13 watts of power to each PD.
• Configuration Procedure
zte(cfg)#set poe port 1-16 pd-max-power 15.4
zte(cfg)#set poe port 1-16 priority low
zte(cfg)#set poe port 1-16 enable
• Configuration Verification
zte(cfg)#show poe status port 12
port: 12
power up : on
power device : delivering power
power device type : standard power device
802.3af classification : class 0
current-power : 12.9 watt
avgerage-power : 12.9 watt
peak-power : 13.0 watt
zte(cfg)#show poe status port 13
port: 13
power up : on
power device : delivering power
power device type : standard power device
802.3af classification : class 0
current-power : 13.2 watt
avgerage-power : 13.2 watt
peak-power : 13.2 watt
zte(cfg)#show poe device
PSE firmware version : ZTE 3.3
PSE max power : 250 watt
PSE power threshold : 10 watt
PSE current power : 207.1 watt
PSE average-power : 207.1 watt
PSE peak-power : 207.2 watt
PSE critical-power : 0 watt
From the results, we can see that the DUT device supplies power to the PD stably.
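The port priority rule in the feature list of this section decides which PDs lose power when the device budget set with set poe power maxvalue is too small. The following Python model is an added example, not ZTE code: it assumes the switch stops the lowest-ranked port, then the next one, until the total draw fits the budget, and the port roles and per-port draws are constructed.

```python
# Added illustration of the PoE priority rule; not ZTE firmware logic.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}  # CLI keywords from the guide


def shed_order(ports):
    """Ports in the order they lose power: lowest priority first and,
    within one priority, the highest port number first."""
    return sorted(ports,
                  key=lambda p: (PRIORITY_RANK[p["priority"]], p["port"]),
                  reverse=True)


def allocate(ports, max_power_w):
    """Return (powered, shed) port-number lists for a device power budget.

    Assumption: the switch stops supplying the lowest-ranked port, then the
    next one, until the summed draw no longer exceeds max_power_w.
    """
    powered = {p["port"]: p["draw_w"] for p in ports}
    shed = []
    for p in shed_order(ports):
        if sum(powered.values()) <= max_power_w:
            break
        del powered[p["port"]]
        shed.append(p["port"])
    return sorted(powered), shed


def build_example_ports():
    """Constructed inventory: 16 PDs drawing 13 W each (the instance above
    reports about 13 W per PD), with some ports raised above 'low'."""
    ports = [{"port": n, "priority": "low", "draw_w": 13.0} for n in range(1, 17)]
    for n in (15, 16):   # network cameras that must stay powered
        ports[n - 1]["priority"] = "critical"
    for n in (9, 10):    # WLAN access points
        ports[n - 1]["priority"] = "high"
    return ports


if __name__ == "__main__":
    for budget in (250, 100):
        powered, shed = allocate(build_example_ports(), budget)
        print(f"max {budget} W -> powered {powered}, shed in order {shed}")
```

With every port left at the same priority, as in the instance above, the only thing protecting a camera or access point during a power shortfall is a low port number.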
5.4 Port Mirroring
Port Mirroring Overview
Port mirroring is used to mirror the data packets of a switch port (ingress mirroring port) to an ingress destination port (ingress monitoring port), or to mirror the data packets of a switch port (egress mirroring port) to an egress destination port (egress monitoring port).
By using mirroring, data packets flowing in or out of a certain port can be monitored. Port mirroring provides an effective tool for the maintenance and monitoring of the switch.
The ZXR10 2900E switch provides the Remote Switched Port Analyzer (RSPAN) function: when a packet is sent from the destination port, a specified tag such as priority or VID can be added, which provides support for remote mirroring.
Note:
By default, switches do not have mirroring ports or monitoring ports. Data packets received correctly by the ingress mirroring port are mirrored onto the monitoring ports, but data packets discarded directly on the ingress port (for example, because of CRC errors) are not mirrored.
Configuring Port Mirroring
The port mirroring configuration includes the following commands:
Command    Function
zte(cfg)#set mirror session <1-3> add source-port <portlist> {ingress | egress}    Adds an egress or ingress mirroring source port according to the session.
zte(cfg)#set mirror session <1-3> add dest-port <1-28> {ingress | egress | rspan}    Adds an egress or ingress mirroring destination port according to the session.
zte(cfg)#set mirror session <1-3> delete source-port <portlist> {ingress | egress}    Deletes an egress or ingress monitoring port according to the session.
zte(cfg)#set mirror session <1-3> delete dest-port <1-28> {ingress | egress | rspan}    Deletes an egress or ingress monitoring (destination) port according to the session.
zte(cfg)#set mirror rspan-tag vlan-id <1-4094> priority <0-7> {ingress | egress}    Sets RSPAN tag format including VLAN-ID and priority.
zte(cfg)#set mirror statistic sample-interval <1-2047> {ingress | egress}    Sets ingress or egress port mirroring sample frequency.
zte(cfg)#clear mirror session <1-3>    Clears the mirror configuration in the session.
show mirror [session <1-3>] (all configuration modes)    Displays the configuration information of mirror session.
show mirror rspan (all configuration modes)    Displays the ingress or egress RSPAN configuration information.
show mirror statistical (all configuration modes)    Displays ingress or egress sample frequency configuration information.
Port Mirroring Configuration Instance
• Configuration Description
This instance describes how to configure port mirroring on a switch so that port 2 can monitor the packets on port 1, see Figure 5-2.
Figure 5-2 Port Mirroring Configuration Instance
• Configuration Procedure
1. The following example describes how to set port mirroring in ingress direction.
zte(cfg)#set mirror session 1 add source-port 1 ingress
zte(cfg)#set mirror session 1 add dest-port 2 ingress
zte(cfg)#set mirror statistical sample-interval 100 ingress
/*set the port sample-interval of mirror statistic*/
zte(cfg)#set mirror rspan-tag vlan-id 100 priority 7 ingress
/*set VLAN tag added after port mirroring*/
2. The following example describes how to set port mirroring in egress direction.
zte(cfg)#set mirror session 1 add source-port 1 egress
zte(cfg)#set mirror session 1 add dest-port 2 egress
zte(cfg)#set mirror statistical sample-interval 100 egress
/*set the port sample-interval of mirror statistic*/
zte(cfg)#set mirror rspan-tag vlan-id 100 priority 7 egress
/*set VLAN tag added after port mirroring*/
• Configuration Verification
Check port mirroring configuration.
zte(cfg)#show mirror session 1
Session 1:
Ingress mirror information:
---------------------------
Source port : 1
Destination port: 2
Egress mirror information:
---------------------------
Source port : 1
Destination port: 2
zte(cfg)#show mirror rspan
Ingress Rspan VLAN tag: priority 7, vlan 100
Egress Rspan VLAN tag: priority 7, vlan 100
zte(cfg)#show mirror statistical
Ingress statistical mirror: sample-interval 100
Egress statistical mirror: sample-interval 100
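Because a mirror session copies a port's traffic to another port, the show mirror session output is worth comparing with the list of ports approved for monitoring equipment. The following Python is an added example, not part of the guide: it parses output in the layout shown above and reports destinations outside an allowlist. Session 2 in the sample, the portlist notation in the output and the allowlist values are constructed assumptions.

```python
import re

# Constructed capture in the layout of the "show mirror session" output above.
# Session 2 and the "5-7,10" portlist notation in output are assumptions.
SAMPLE_OUTPUT = """\
Session 1:
Ingress mirror information:
---------------------------
Source port : 1
Destination port: 2
Egress mirror information:
---------------------------
Source port : 1
Destination port: 2
Session 2:
Ingress mirror information:
---------------------------
Source port : 5-7,10
Destination port: 24
Egress mirror information:
---------------------------
Source port :
Destination port:
"""


def expand_portlist(text):
    """Expand '5-7,10' into {5, 6, 7, 10}; an empty field gives an empty set."""
    ports = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def parse_mirror_sessions(output):
    """Return {(session, direction): {"source": set, "dest": set}}."""
    sessions = {}
    session = direction = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"Session (\d+):", line)
        if m:
            session, direction = int(m.group(1)), None
            continue
        m = re.fullmatch(r"(Ingress|Egress) mirror information:", line)
        if m and session is not None:
            direction = m.group(1).lower()
            sessions[(session, direction)] = {"source": set(), "dest": set()}
            continue
        m = re.fullmatch(r"(Source|Destination) port\s*:\s*(.*)", line)
        if m and direction is not None:
            key = "source" if m.group(1) == "Source" else "dest"
            sessions[(session, direction)][key] = expand_portlist(m.group(2))
    return sessions


def audit_mirrors(sessions, approved_monitor_ports, sensitive_ports=()):
    """List mirrors that send traffic to a port outside the allowlist, and
    mirrors that copy traffic from a port marked as sensitive."""
    findings = []
    for (session, direction), cfg in sorted(sessions.items()):
        unapproved = cfg["dest"] - set(approved_monitor_ports)
        if unapproved:
            findings.append((session, direction,
                             "unapproved-destination", sorted(unapproved)))
        exposed = cfg["source"] & set(sensitive_ports) if cfg["dest"] else set()
        if exposed:
            findings.append((session, direction,
                             "sensitive-source-mirrored", sorted(exposed)))
    return findings


if __name__ == "__main__":
    for finding in audit_mirrors(parse_mirror_sessions(SAMPLE_OUTPUT), {2}, {10}):
        print(finding)
```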
5.5 MAC Address Table Operation
MAC Address Table Overview
MAC address table operations mainly include MAC addition/deletion, MAC aging time configuration, MAC filtering function, MAC learning control, MAC learning number limit, MAC alarm control, MAC fixed function and MAC related information display.
MAC address table operation    Function
MAC addition/deletion    Users can manually add static and fixed MAC addresses and delete dynamic, static and fixed MAC address table entries through a command line.
MAC table aging time    MAC table aging time refers to the period from the latest update of a dynamic MAC address in the FDB table to the deletion of this address.
MAC filtering function    When the switch receives packets with a specified source address or destination address, it drops them according to the source MAC address and the destination MAC address.
MAC address learning control    MAC address learning control provides three learning modes (hardware wire-speed learning, CPU-controlled learning and no learning) to satisfy various user requirements. In addition, MAC learning provides independent global, port-based, trunk-based and VLAN-based switches.
MAC learning number limit    MAC learning number limit configures the maximum number of learned MAC addresses based on global, port, trunk and VLAN. When the value is reached, new MAC addresses cannot be learned.
MAC alarm control    MAC alarm control configures the output of the common alarm information of the MAC function, for example, when the number of learned MAC addresses is exceeded or an address drifts.
MAC address fixed function    MAC address fixed function can transform dynamic MAC address entries to static or fixed MAC entries in batches. After transformation, the static entry cannot drift. When the device is rebooted, a fixed MAC address entry is recovered and does not disappear.
MAC information display    MAC information display means the current MAC function configuration and state information can be checked.
MAC protection function    The MAC protection function limits port access. When the number of MAC addresses learned on a port exceeds the limit, packets with unknown source MAC addresses are dropped. The protection action can be set to shutdown, restrict (stopping MAC address learning, dropping packets with unknown MAC addresses, and sending an alarm), or protect (stopping MAC address learning, and dropping packets with unknown MAC addresses).
The MAC address of an Ethernet NIC is 48 bits long and consists of two parts. The first 24 bits are used to represent the manufacturer of the Ethernet NIC. The remaining 24 bits are a group of sequence numbers designated by the manufacturer and named as Organizationally Unique Identifier (OUI). The lowest bit (the leftmost bit in the structure) is named the private or group bit. If this bit is set to 0, the remaining address is a private address.
If this bit is set to 1, the remaining address field identifies a group address that requires more resolution. If the whole OUI is set to 1, each site of the whole network is a destination. That is the special convention supported by OUI.
Configuring a MAC Address Table
The MAC table configuration includes the following commands:
Command    Function
zte(cfg)#set port <portlist> security {enable | disable}    Enables or disables the security function of a port.
zte(cfg)#set port <portlist> multicast-filter {enable | disable}    Enables or disables the unregistered multicast filter function of a port.
zte(cfg)#set port <trunklist> multicast-filter {enable | disable}    Enables or disables the unregistered multicast filtering function of a trunk.
zte(cfg)#set mac add static <HH.HH.HH.HH.HH.HH> port <1-28> vlan <1-4094>    Adds a static MAC address entry based on the port and the VLAN.
zte(cfg)#set mac add static <HH.HH.HH.HH.HH.HH> trunk <1-15> vlan <1-4094>    Adds a static MAC address entry based on the trunk and the VLAN.
zte(cfg)#set mac add permanent <HH.HH.HH.HH.HH.HH> port <1-28> vlan <1-4094>    Adds a permanent MAC address entry based on the port and the VLAN.
zte(cfg)#set mac add permanent <HH.HH.HH.HH.HH.HH> trunk <1-15> vlan <1-4094>    Adds a permanent MAC address entry based on the trunk and the VLAN.
zte(cfg)#set mac delete    Deletes all MAC address entries.
zte(cfg)#set mac delete mac-address <HH.HH.HH.HH.HH.HH> vlan <1-4094>    Deletes a MAC address entry.
zte(cfg)#set mac delete {port <1-28> | trunk <1-15> | vlan <1-4094>} [dynamic | static | permanent]    Deletes all dynamic/static/permanent MAC address entries based on port/trunk/VLAN.
zte(cfg)#set mac delete dynamic    Deletes all dynamic MAC address entries.
zte(cfg)#set mac delete permanent    Deletes all permanent MAC address entries.
zte(cfg)#set mac delete static    Deletes all static MAC address entries.
zte(cfg)#set mac aging-time <60-600>    Sets device MAC address aging time.
zte(cfg)#set mac filter {source | destination | both} <HH.HH.HH.HH.HH.HH> vlan <1-4094>    Sets the source MAC address or destination MAC address filter function.
zte(cfg)#set mac learning {global | port <1-28> | trunk <1-15> | vlan <1-4094>} {enable | disable | mode {automatic | cpu-controlled}}    Sets MAC address learning mode based on global/port/trunk/VLAN.
zte(cfg)#set mac limit {global | port <1-28> | trunk <1-15> | vlan <1-4094>} limit-num <0-16384>    Sets the MAC address number limit function based on global/port/trunk/VLAN.
zte(cfg)#set mac unknown-filter {global | port <1-28> | trunk <1-15>} limit-num <0-16384>    Sets the function of filtering unknown source packets based on global/port/trunk.
zte(cfg)#set mac to permanent {port <1-28> | trunk <1-15>} {enable | disable | max-number <1-128>}    Sets the function of converting MAC addresses as permanent in batches.
zte(cfg)#set mac to permanent auto-save-time <300-7200>    Sets the time when MAC addresses converted to permanent ones are automatically saved.
zte(cfg)#set mac to static {port <1-28> | trunk <1-15> | vlan <1-4094>} {enable | disable}    Sets the function of converting MAC address to static ones in batches.
zte(cfg)#set mac logging-alarm {station-move | threshold-state} {enable | disable}    Enables or disables the MAC event alarm function.
zte(cfg)#set mac logging-alarm interval <1-256>    Sets the MAC event alarm output interval.
zte(cfg)#set mac protect port <1-28> action {shutdown | restrict | protect}    Sets the MAC protection action.
zte(cfg)#set mac protect port <1-28> {enable | disable}    Enables or disables the MAC protection function.
show mac (all configuration modes)    Displays MAC address entry content.
show mac running-config (all configuration modes)    Displays MAC configuration information.
show mac all-type {port <1-28> | trunk <1-15> | vlan <1-4094>} (all configuration modes)    Displays MAC address entry content based on port/trunk/VLAN.
show mac {dynamic | learning | limit | permanent | static} [port <1-28> | trunk <1-15> | vlan <1-4094>] (all configuration modes)    Displays various MAC function configurations and MAC address entries based on global/port/trunk/VLAN.
show mac mac-address <HH.HH.HH.HH.HH.HH> (all configuration modes)    Displays the MAC address entry content of a specified MAC address.
show mac unknown-filter [port <1-28> | trunk <1-15>] (all configuration modes)    Displays the filter function of the packet with an unknown source based on global/port/trunk.
show mac aging-time (all configuration modes)    Displays device MAC address aging time.
show mac filter (all configuration modes)    Displays source MAC address or destination MAC address filtering function.
show mac logging-alarm (all configuration modes)    Displays MAC event alarm configuration.
zte(cfg)#set mac learning except session <1-100> {clear | mac-address <HH.HH.HH.HH.HH.HH.HH> mac-mask <HH.HH.HH.HH.HH.HH.HH> [vlan <1-4094>]}    Sets the function of not learning specified MAC addresses.
zte(cfg)#set mac learning except {port <portlist> | trunk <trunklist>} session unbind    Unbinds ports/trunks and all sessions.
zte(cfg)#set mac learning except {port <portlist> | trunk <trunklist>} session <1-100> {bind | unbind}    Sets the binding relation between ports/trunks and all sessions.
show mac learning except session [<1-100>]    Displays the configuration of sessions for which specified source MAC learning is not needed.
show mac learning except {port <portlist> | trunk <trunklist>}    Displays the binding relation between ports/trunks and sessions.
show mac protect [portlist]    Displays the MAC protection state to check whether MAC protection is triggered.
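The three MAC protection actions described in the overview table differ mainly in what happens to hosts that were already learned once the limit is hit. The following Python model is an added example, not ZTE code, and it does not model how the limit is configured on the device. It assumes that the first unknown source MAC seen after the limit is reached triggers the action and that a port shut down by the action drops every later frame; the frame list is constructed.

```python
import re
from dataclasses import dataclass, field

# Keywords of "set mac protect port <1-28> action {shutdown | restrict | protect}".
ACTIONS = ("shutdown", "restrict", "protect")

# Constructed source MACs seen on one access port, in arrival order.
FRAMES = [
    "00.d0.d0.00.00.0a",  # first legitimate host
    "00.d0.d0.00.00.0b",  # second legitimate host
    "00.d0.d0.00.00.0c",  # unknown host arriving after the limit is reached
    "00.d0.d0.00.00.0a",  # first host again
    "00.d0.d0.00.00.0d",  # another unknown host
]


def normalize_mac(text):
    """Accept the guide's HH.HH.HH.HH.HH.HH notation (':' and '-' also work)."""
    octets = re.split(r"[.:-]", text.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {text!r}")
    return ".".join(o.lower() for o in octets)


@dataclass
class ProtectedPort:
    number: int
    limit: int                      # maximum number of learned source MACs
    action: str = "protect"
    up: bool = True
    learned: set = field(default_factory=set)
    alarms: list = field(default_factory=list)

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown protection action: {self.action!r}")

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for one frame with this source MAC."""
        mac = normalize_mac(src_mac)
        if not self.up:
            return "drop"           # assumption: a shut-down port passes nothing
        if mac in self.learned:
            return "forward"
        if len(self.learned) < self.limit:
            self.learned.add(mac)
            return "forward"
        # Limit reached: learning stops and the unknown source is dropped.
        if self.action == "shutdown":
            self.up = False
        elif self.action == "restrict":
            self.alarms.append(
                f"port {self.number}: unknown source {mac}, limit {self.limit} reached")
        return "drop"


def replay(action, frames=FRAMES, limit=2):
    """Feed the frames to a fresh port and return (verdicts, port state)."""
    port = ProtectedPort(number=1, limit=limit, action=action)
    return [port.receive(mac) for mac in frames], port


if __name__ == "__main__":
    for action in ACTIONS:
        verdicts, port = replay(action)
        print(f"{action:9} {verdicts} up={port.up} alarms={len(port.alarms)}")
```

In this model shutdown also cuts off the two hosts that were learned legitimately, while protect drops the extra hosts without leaving any alarm to investigate.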
5.6 LACP Configuration
LACP Overview
The Link Aggregation Control Protocol (LACP) is a standard protocol defined in IEEE 802.3ad.
Link aggregation means that physical links with the same transmission media and transmission rate are “bound” together, making them look like one link logically. This concept is also known as Trunk. It multiplies the bandwidth of parallel physical links between switches or between a switch and a server. As a result, it is an important technology for increasing link bandwidth and creating link transmission flexibility and redundancy.
An aggregated link is also called a trunk. If a port of the trunk is blocked or faulty, the data packets are distributed to the other ports of this trunk for transmission. If this port recovers, the data packets are redistributed to all the normal ports of this trunk for transmission.
The ZXR10 2900E supports up to 15 aggregation groups. In each aggregation group, the number of aggregated links does not exceed eight.
Configuring LACP
The LACP configuration includes the following commands:
Command    Function
zte(cfg)#set trunk <trunklist> pvid <1-4094>    Sets the default trunk VID.
zte(cfg)#set lacp {enable | disable}    Enables or disables the LACP function.
zte(cfg)#set lacp aggregator <1-15> {add | delete} port <portlist>    Adds or deletes a specified port to/from an LACP aggregation group.
zte(cfg)#set lacp aggregator <1-15> mode {dynamic | static | mixed}    Sets aggregation mode of an LACP aggregation group.
zte(cfg)#set lacp port <portlist> mode {active | passive}    Sets the mode used by the port to participate in the aggregation.
zte(cfg)#set lacp port <portlist> timeout {long | short}    Sets the timeout information of the port participating in the aggregation.
zte(cfg)#set lacp priority <1-65535>    Sets the priority of LACP.
zte(cfg)#set lacp load-balance {port | packet {L2 | L3 | L4}}    Sets LACP load balancing mode.
show trunk (all configuration modes)    Displays the Port VLAN IDs (PVIDs) of all trunks and unregistered multicast filtering configuration.
show trunk [<trunklist>] (all configuration modes)    Displays the trunk PVID and unregistered multicast filtering configuration.
show trunk <trunklist> vlan (all configuration modes)    Displays the VLAN configuration of trunk.
show lacp (all configuration modes)    Displays the LACP global configuration information.
show lacp aggregator (all configuration modes)    Displays brief information of all LACP aggregation groups.
show lacp aggregator <1-15> (all configuration modes)    Displays detailed information of an LACP aggregation group.
show lacp port (all configuration modes)    Displays aggregation status information of all the LACP member ports.
show lacp port [<portlist>] (all configuration modes)    Displays aggregation status information of LACP member ports.
zte(cfg)#clear trunk <trunklist> {multicast-filter}    Clears the flag of the port multicast filter.
LACP Configuration Instance
• Configuration Description
Switch A and switch B are connected through the aggregation port (binding the port 15 and port 16). Port 1 of switch A and port 2 of switch B belong to VLAN2. Port 3 of switch A and port 4 of switch B belong to VLAN3. Members of the same VLAN can communicate with each other. See Figure 5-3.
Figure 5-3 LACP Configuration Instance
• Configuration Procedure
1. The detailed configuration of switch A is as follows:
zte(cfg)#set lacp enable
zte(cfg)#set lacp aggregator 3 add port 15-16
zte(cfg)#set lacp aggregator 3 mode dynamic
zte(cfg)#set lacp load-balance packet L2
zte(cfg)#set vlan 2 add trunk 3 tag
zte(cfg)#set vlan 2 add port 1 untag
zte(cfg)#set vlan 3 add trunk 3 tag
zte(cfg)#set vlan 3 add port 3 untag
zte(cfg)#set port 1 pvid 2
zte(cfg)#set port 3 pvid 3
zte(cfg)#set vlan 2-3 enable
2. The detailed configuration of switch B is as follows:
zte(cfg)#set lacp enable
zte(cfg)#set lacp aggregator 3 add port 15-16
zte(cfg)#set lacp aggregator 3 mode dynamic
zte(cfg)#set lacp load-balance packet L2
zte(cfg)#set vlan 2 add trunk 3 tag
zte(cfg)#set vlan 2 add port 2 untag
zte(cfg)#set vlan 3 add trunk 3 tag
zte(cfg)#set vlan 3 add port 4 untag
zte(cfg)#set port 2 pvid 2
zte(cfg)#set port 4 pvid 3
zte(cfg)#set vlan 2-3 enable
• Configuration Verification
The results of implementing the following command on the two switches are similar.
zte(cfg)#show lacp
Lacp is enabled.
Lacp priority is 32768.
Load-balance is based on L2 hash mode.
PortNum GroupNum GroupMode LacpTime LacpActive
----------- ----------- ----------- ----------- -----------
15 3 Dynamic Long True
16 3 Dynamic Long True
zte(cfg)#show lacp aggregator 3
Group 3
Actor Partner
---------------------------- ----------------------------
Priority : 32768 32768
Mac : 00.d0.d0.fa.29.20 00.d0.d0.fc.88.63
Key : 258 258
Ports : 16, 15 16, 15
The result displayed above proves that the link aggregation is successful. If it is not successful, the following result is shown after executing the show lacp aggregator 3 command.
zte(cfg)#show lacp aggregator 3
% Group 3 is not active!
The above result is due to physical link failure. It is recommended to check the physical link status.
5.7 IGMP Snooping Configuration
IGMP Snooping Overview
Because a multicast address is never the source address of a packet, the switch cannot learn multicast addresses. When the switch receives a multicast message, it sends the message to all the ports in the same VLAN. If no measure is taken, unwanted multicast messages may spread to each node of the network, causing a great waste of network bandwidth.
With the IGMP Snooping function, the IGMP communication between the host and the router is snooped, so that multicast packets are sent to the ports in the multicast forwarding table instead of all ports. This restricts the flooding of multicast messages in the LAN switch, reduces the waste of network bandwidth, and improves the utilization rate of the switch.
Configuring IGMP Snooping
The IGMP Snooping configuration includes the following commands:
Command    Function
zte(cfg)#set igmp snooping {enable | disable}    Enables or disables the IGMP Snooping function.
zte(cfg)#set igmp snooping {add | delete} vlan <vlanlist>    Adds or deletes the IGMP Snooping function to/from the specified VLAN.
zte(cfg)#set igmp snooping {add | delete} maxnum <1-1024> {vlan <vlanlist> | port <portlist> [replace]    Sets or clears the maximum multicast group number on the specified VLAN/port. The replace keyword means to replace the query group which does not respond for the longest period.
zte(cfg)#set igmp snooping delete host    Deletes all dynamic multicast users.
zte(cfg)#set igmp snooping monitor-ring {enable | disable}    Enables or disables the IGMP ring monitoring function.
zte(cfg)#set igmp snooping vlan <1-4094> {add | delete} group <A.B.C.D> [port <portlist> | trunk <trunklist>]    Adds or deletes static multicast group based on the VLAN.
zte(cfg)#set igmp snooping vlan <1-4094> {add | delete} smr {port <portlist> | trunk <trunklist>}    Adds or deletes routing port or trunk on the specified VLAN.
zte(cfg)#set igmp snooping private-group {<A.B.C.D> | enable | disable}    Adds private multicast group and enables or disables private multicast group function.
zte(cfg)#set igmp snooping timeout {host | router} <time>    Sets multicast member or route time-out. A <time> value of 0 means no aging; otherwise the value is between 100 and 2147483647 (unit: 100 milliseconds).
zte(cfg)#set igmp snooping query-interval <10-2147483647>    Sets the snooping interval, unit: 100 milliseconds.
zte(cfg)#set igmp snooping response-interval <10-250>    Sets the snooping response interval, unit: 100 milliseconds.
zte(cfg)#set igmp snooping last-member-query <10-250>    Sets the snooping interval for the last member, unit: 100 milliseconds.
zte(cfg)#set igmp snooping query vlan <vlanlist> {enable | disable}    Enables or disables the query function on the specified VLAN.
zte(cfg)#set igmp snooping query version {v2 | v3}    Sets the IGMP version of the query packet sent by the switch.
zte(cfg)#set igmp snooping fastleave {enable | disable}    Enables or disables the fast leave function.
zte(cfg)#set igmp snooping v3 {enable | disable}    Enables or disables the IGMP V3 function.
zte(cfg)#set igmp snooping proxy version {v2 | auto}    Sets the IGMP version of the query message that the switch responds to the router.
zte(cfg)#set igmp snooping crossvlan {enable | disable}    Enables or disables the switch cross-VLAN function.
zte(cfg)#set igmp filter {enable | disable}    Enables or disables the filtering function.
zte(cfg)#set igmp filter {add | delete} groupip <A.B.C.D.> vlan <vlanlist>    Adds or deletes the filtering of group in the specified VLAN.
zte(cfg)#set igmp filter {add | delete} sourceip <A.B.C.D.> vlan <vlanlist>    Adds or deletes the filter of source in the specified VLAN.
zte(cfg)#set igmp filter {add | delete} query port <portlist> vlan <vlanlist>    Adds or deletes the query packet filter for the specified port.
zte(cfg)#set igmp filter {add | delete} query trunk <trunklist> vlan <vlanlist>    Adds or deletes the query packet filter for the specified trunk port.
show igmp snooping (global configuration modes)    Displays IGMP Snooping global configuration information.
show igmp snooping vlan [<1-4094> [host | route]] (global configuration modes)    Displays the configuration of the IGMP snooping result.
show igmp snooping port [<portlist>] (global configuration modes)    Displays the maximum and current multicast group numbers for the port.
show igmp snooping v3 {port <1-28> | trunk <1-15>} (global configuration modes)    Displays the v3 multicast snooping results of the port or the trunk.
show igmp filter report (global configuration modes)    Displays the configuration of the IGMP filter.
show igmp filter vlan <vlanlist> (global configuration modes)    Displays the specified VLAN multicast group filtering configuration.
show igmp filter query (global configuration modes)    Displays the configuration of the query packet filter.
show igmp filter query vlan <vlanlist> (global configuration modes)    Displays the configuration of the query packet filter for the specified VLAN.
zte(cfg)#set igmp filter {add | delete} grouplist <A.B.C.D.> mask <A.B.C.D.> vlan <vlanlist>    Adds/removes the group list filter to/from the specified VLAN.
zte(cfg)#set igmp snooping multicast-ring {enable | disable}    Enables or disables the IGMP multicast ring network function.
zte(cfg)#set igmp snooping multicast-ring {add | delete} cascade port <portlist>    Adds or deletes cascaded ports in a multicast ring network.
IGMP Snooping Configuration Instance
• Configuration Description
Ports 1, 3, and 5 are connected to hosts, and port 10 is connected to the router. Add ports 10, 1, 3, and 5 to VLAN200. Users on ports 1, 3, and 5 send multicast join request packets with multicast addresses 230.44.45.167 and 230.44.45.157 respectively. Add multicast filter group address 230.44.45.167 on VLAN200. The IGMP Snooping function and IGMP Filter function are enabled and the snooping results are displayed. See Figure 5-4.
Figure 5-4 Network Topology of IGMP Snooping Configuration Instance
• Configuration Procedure
zte(cfg)#set vlan 200 add port 1, 3, 5, 10 untag
zte(cfg)#set port 1, 3, 5, 10 pvid 200
zte(cfg)#set vlan 200 enable
zte(cfg)#set igmp snooping enable
zte(cfg)#set igmp snooping add vlan 200
zte(cfg)#set igmp snooping vlan 200 add smr port 10
zte(cfg)#set igmp filter enable
zte(cfg)#set igmp filter add groupip 230.44.45.167 vlan 200
• Configuration Verification
Display multicast listening and filtering result.
zte(cfg)#show igmp snooping vlan
Maximal group number: 1024
Current group number: 1
Num VlanId Group Last_Report PortMember
---- ------- --------------- --------------- ----------------
1 200 230.44.45.157 194.85.1.3 1,3,5,10
zte(cfg)#show igmp filter report
IGMP Filter: enabled
Index Type IpAddress IpMask VlanList
----- -------- ---------------- ---------------- ---------------------
1 Groupip 230.44.45.167 255.255.255.255 200
zte(cfg)#show igmp filter report vlan 200
Index FilterIpAddress FilterIpMask Vlan Type
----- ---------------- ---------------- ----- --------
1 230.44.45.167 255.255.255.255 200 Groupip
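The verification output above lists only group 230.44.45.157 because join reports for the filtered group never reach the forwarding table. The following Python model is an added example, not ZTE code, and it reproduces that result and extends it to a masked grouplist entry. It assumes that every host port joins both groups, that the router port is listed as a member of each learned group (as in the PortMember column above), and that a grouplist mask is applied as a bitwise AND.

```python
import ipaddress


def _as_int(address):
    return int(ipaddress.IPv4Address(address))


class SnoopingVlan:
    """Membership table of one VLAN with IGMP snooping and group filters."""

    def __init__(self, vlan, router_ports=()):
        self.vlan = vlan
        self.router_ports = set(router_ports)   # "smr" ports
        self.filters = []                       # (network, mask) of denied groups
        self.members = {}                       # group address -> host ports
        self.filtered_reports = []              # (port, group) joins that were denied

    def add_filter(self, group, mask="255.255.255.255"):
        """groupip entries use the default host mask; grouplist entries pass
        their own mask (assumed to be applied as a bitwise AND)."""
        m = _as_int(mask)
        self.filters.append((_as_int(group) & m, m))

    def is_filtered(self, group):
        g = _as_int(group)
        return any((g & mask) == network for network, mask in self.filters)

    def report(self, port, group):
        """Process one membership report (join) seen on a host port."""
        if not ipaddress.IPv4Address(group).is_multicast:
            raise ValueError(f"{group} is not a multicast group address")
        if self.is_filtered(group):
            self.filtered_reports.append((port, group))
            return False
        self.members.setdefault(group, set()).add(port)
        return True

    def forwarding_table(self):
        """group -> sorted member ports, router ports included."""
        return {g: sorted(ports | self.router_ports)
                for g, ports in self.members.items()}


def guide_instance():
    """The configuration instance above: VLAN 200, router on port 10,
    hosts on ports 1, 3 and 5, filter on 230.44.45.167."""
    vlan = SnoopingVlan(200, router_ports=[10])
    vlan.add_filter("230.44.45.167")
    for port in (1, 3, 5):
        for group in ("230.44.45.167", "230.44.45.157"):
            vlan.report(port, group)
    return vlan


if __name__ == "__main__":
    vlan = guide_instance()
    print(vlan.forwarding_table())      # only 230.44.45.157 is learned
    print(vlan.filtered_reports)        # the three joins denied by the filter
```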
5.8 MLD Snooping Configuration
MLD Snooping Overview
Corresponding to the IGMP protocol, MLD is a multicast management protocol in the IPv6 environment. MLD v1/v2 is supported.
It is impossible to use a multicast address as a source address in a packet, so a switch cannot learn the multicast address. When receiving a multicast message, a switch broadcasts the message on all ports in the same VLAN. If no measure is taken, unwanted multicast messages may spread to each node of the network, causing a great waste of network bandwidth.
Multicast Listener Discovery (MLD) snooping monitors MLD protocol communication between a host and a router. In this way, a multicast message is sent to the ports in the multicast forwarding table instead of all ports. This limits multicast message spread on LAN switches, reduces network bandwidth waste, and enhances switch usage.
Configuring MLD Snooping
The MLD snooping configuration includes the following commands:
Command    Function
zte(cfg)#set mld snooping {enable | disable}    Enables or disables the MLD snooping function globally.
zte(cfg)#set mld snooping {add | delete} vlan <vlanlist>    Adds or deletes an MLD snooping VLAN.
zte(cfg)#set mld snooping add maxnum <1-256> vlan <vlanlist>    Sets the maximum number of multicast groups of a specific VLAN.
zte(cfg)#set mld snooping vlan <1-4094> add group <ipv6-address> port <portlist>    Adds a static group to a specific VLAN and adds a port to the static group.
zte(cfg)#set mld snooping vlan <1-4094> delete group <ipv6-address> [port <portlist>]    Clears static groups in a specific VLAN and clears the ports in the static groups.
zte(cfg)#set mld snooping vlan <1-4094> {add | delete} mrouter port <port-id>    Adds or clears a routing port in a specific VLAN.
zte(cfg)#set mld snooping {host-time-out | mrouter-time-out} <30-65535>    Sets the time-out period between the router port and the host port.
zte(cfg)#set mld snooping query-interval <30-65535>    Sets the interval for sending query packets.
zte(cfg)#set mld snooping query-response-interval <1000-25000>    Sets the interval for sending report packets.
zte(cfg)#set mld snooping last-member-query <1-25>    Sets the time of waiting for a query response when the last member leaves.
zte(cfg)#set mld snooping query vlan <vlanlist> {enable | disable}    Enables or disables the query function in a specific VLAN.
zte(cfg)#set mld snooping query vlan <vlanlist> version <1-2>    Sets the MLD version of query packets.
zte(cfg)#set mld snooping query {enable | disable}    Enables or disables the query function.
zte(cfg)#set mld snooping fastleave {enable | disable}    Enables or disables the fast leave function.
zte(cfg)#set mld snooping robustness <1-7>    Sets the MLD robustness value.
zte(cfg)#set mld filter {enable | disable}    Enables or disables the filter function globally.
zte(cfg)#set mld filter {add | delete} query port <portlist> vlan <vlanlist>    Adds or deletes the query packet filter for the specified port.
zte(cfg)#set mld filter {add | delete} query trunk <trunklist> vlan <vlanlist>    Adds or deletes the query packet filter for the specified trunk port.
show mld snooping (all configuration modes)    Displays global MLD snooping configuration information.
show mld snooping vlan <1-4094> [group <ipv6-address> | port-info | group-source-filter | host-source-filter] (all configuration modes)    Displays the MLD snooping result.
show mld snooping mr-port-info (all configuration modes)    Displays MLD router port information.
show mld filter query (all configuration modes)
    Displays the configuration of the query packet filter.
show mld filter query vlan <vlanlist> (all configuration modes)
    Displays the configuration of the query packet filter for the specified VLAN.
MLD Snooping Configuration Instance
• Configuration Description
See Figure 5-5. Port 1, Port 3 and Port 5 are connected to hosts, Port 10 is connected to a router, and ports 10, 1, 3 and 5 are in VLAN 200. Users connected to Ports 1, 3 and 5 send multicast join requests to join the groups ff1e::22 and ff1e::11. Enable the MLD snooping function on the switch and display the snooping result.
Figure 5-5 MLD Snooping Configuration Instance
• Configuration Procedure
zte(cfg)#set vlan 200 add port 1, 3, 5, 10 untag
zte(cfg)#set port 1, 3, 5, 10 pvid 200
zte(cfg)#set vlan 200 enable
zte(cfg)#set mld snooping enable
zte(cfg)#set mld snooping add vlan 200
zte(cfg)#set mld snooping vlan 200 add mr port 10
• Configuration Verification
Display the snooping result:
zte(cfg)#show mld snooping vlan 200
MLD Snooping : enable
Querier : disable
Working Mode : proxy
Max Group Number : 256
Total Group Number : 2
Exist Host Group Number : 2
Index Vlan Group ID Prejoin LiveTime Ports
----- ---- -------------- ------- ---------- --------
1 200 ff1e::11 0 0:00:00:14 D:1,3, 5
2 200 ff1e::22 0 0:00:00:09 D:1,3,
5.9 IPTV Configuration
IPTV Overview
Internet Protocol television (IPTV) is also called Interactive Network TV. IPTV is a method of distributing television content over IP that enables a more customized and interactive user experience. IPTV can allow people who are separated geographically to watch a movie together, while chatting and exchanging files simultaneously. IPTV uses a two-way broadcast signal sent through the provider's backbone network and servers, allowing viewers to select content on demand, and take advantage of other interactive TV options. IPTV can be used through PC or “IP Set-top Box (STB) + TV”.
Configuring IPTV
The IPTV configuration mainly includes the following contents:
• Configure channel attributes
• Configure package attributes
• Configure preview-related attributes
• Configure CDR-related attributes
• Configure port-related attributes
The IPTV configuration includes the following commands:
Command
    Function
zte(cfg-nas)#iptv control {enable | disable}
    Enables or disables the IPTV function.
zte(cfg-nas)#iptv channel mvlan <1-4094> groupip <A.B.C.D>[name <channel-name>[id <0-1031>]]
    Adds one channel (multicast group) to the specified VLAN, names the channel and allocates an ID.
zte(cfg-nas)#iptv channel mvlan <1-4094> groupip <A.B.C.D> count <1-1032>[prename <prename>]
    Adds channels (multicast groups) to the specified VLAN in batch and names channels in batch.
zte(cfg-nas)#iptv channel name <channel-name> rename <new-name>
    Modifies channel name.
zte(cfg-nas)#iptv channel {name <channel-name>| id-list <channel-list>} cdr {enable | disable}
    Enables or disables channel log function.
zte(cfg-nas)#iptv channel {name <channel-name>| id-list <channel-list>}{viewfile-name <viewfile-name>| viewfile-id <0-1023>}
    Specifies the preview configuration file of the channel.
zte(cfg-nas)#iptv sms-server <A.B.C.D>
    Sets the IP address of the Service Management System (SMS) server.
zte(cfg-nas)#iptv sms-server-port <1025-65535>
    Sets SMS server TCP port.
zte(cfg-nas)#iptv cdr {enable | disable}
    Enables or disables CDR log function globally.
zte(cfg-nas)#iptv cdr report
    Manually triggers CDR log report at one time.
zte(cfg-nas)#iptv cdr create-period <1-65535>
    Sets the interval for creating CDRs when users watch programs for a long time.
zte(cfg-nas)#iptv cdr deny-right {enable | disable}
    Enables or disables CDR function when the access authorization is deny.
zte(cfg-nas)#iptv cdr prv-right {enable | disable}
    Enables or disables CDR function when the access authorization is preview.
zte(cfg-nas)#iptv cdr report-threshold <1-32>
    Sets the number of CDRs in each reported packet.
zte(cfg-nas)#iptv cdr report-interval <1-65535>
    Sets the time interval for CDR report.
zte(cfg-nas)#iptv cdr max-records <100-5000>
    Sets CDR maximum record items.
zte(cfg-nas)#iptv cdr warning-threshold <1-100>
    Sets CDR buffer alarm threshold.
zte(cfg-nas)#iptv package name <package-name>[id <package-id>]
    Creates multicast package.
zte(cfg-nas)#iptv package name <package-name> channel {id-list <channel-list>| name <channel-name>}{deny | order | preview}
    Adds channels to the package and configures the authority of the channels in the package.
zte(cfg-nas)#iptv prv {enable | disable}
    Enables or disables the preview function.
zte(cfg-nas)#iptv prv reset
    Resets the preview function.
zte(cfg-nas)#iptv prv autoreset-time <HH:MM:SS>
    Automatically resets the preview function.
zte(cfg-nas)#iptv prv recognition-time <1-65534>
    Sets recognition time. A short time preview is not counted.
zte(cfg-nas)#iptv prv overcount-cdr {enable | disable}
    Enables or disables the IPTV preview overcount-cdr function.
zte(cfg-nas)#iptv view-profile name <viewfile-name>[id <1-1023>]
    Creates IPTV preview configuration files.
zte(cfg-nas)#iptv view-profile name <viewfile-name>{count <1-65535>| duration <2-65535>| blackout <2-65535>}
    Creates IPTV preview configuration files.
zte(cfg-nas)#iptv cac-rule {enable | disable}
    Enables or disables the CAC control.
zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] service {start | remove | pause | resume}
    Sets user service state.
zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] control-mode {package | channel}
    Sets user multicast control mode.
zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] package {name <package-name>| id-list <package-list>}
    Allocates packages for the user.
zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] channel {name <channel-name>| id-list <channel-list>}{deny | order | preview | query}
    Allocates the access permission of the channel for the user.
zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] cdr {enable | disable}
    Enables or disables the user CDR log record function.
zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] mac-base {enable | disable}
    Enables or disables the management mode based on the MAC address.
zte(cfg-nas)#iptv port <portlist>{add|delete} mvlan <1-4094> uvlan <1-4094>
    Adds or deletes a duplicate rule.
zte(cfg-nas)#clear iptv channel {name <channel-name>| id-list <channel-list>| all}
    Deletes a channel.
zte(cfg-nas)#clear iptv package {name <package-name>| id-list <package-idlist>| all}
    Deletes a package.
zte(cfg-nas)#clear iptv view-profile {name <viewfile-name>| id-list <viewfile-list>| all}
    Deletes a preview configuration file.
zte(cfg-nas)#clear iptv port <portlist>[vlan <1-4094>] package {name <package-name>| id-list <package-idlist>}
    Deletes the package allocated for users.
zte(cfg-nas)#clear iptv client [index <0-255>| mac <HH.HH.HH.HH.HH.HH>| port <portlist>[vlan <1-4094>]]
    Deletes an IPTV user.
show iptv control (all configuration modes)
    Displays IPTV global configuration.
show iptv channel [name <channel-name>| id <channel-id>] (all configuration modes)
    Displays channel information (all channels or some channel detailed information).
show iptv package [name <package-name>| id <0-127>] (all configuration modes)
    Without parameters, displays the package names. With parameters, this displays all channel lists in the package.
show iptv prv (all configuration modes)
    Displays IPTV preview global configuration information.
show iptv view-profile [name <viewfile-name>| id <0-1023>] (all configuration modes)
    Displays preview configuration file information.
show iptv cdr (all configuration modes)
    Displays global CDR configuration information.
show iptv client [{channel <0-1031>| index <0-255>| mac <HH.HH.HH.HH.HH.HH>| port <portid>| vlan <1-4094>}] (all configuration modes)
    Displays IPTV user information.
show iptv rule [ port <portid>][vlan <1-4094>][channel | package] (all configuration modes)
    Displays IPTV rule information.
show iptv duplicate (all configuration modes)
    Displays duplicate configuration information.
zte(cfg-nas)#clear iptv channel-group {name <channel-group-name>| id-list <channel-group-list>| all}
    Deletes a channel group.
zte(cfg-nas)#iptv channel-group mvlan <1-4094> groupiplist <A.B.C.D>{<A.B.C.D>| mask <A.B.C.D>}}[name <channel-group-name>[id <0-255>]]
    Adds a channel group to a specified VLAN, names the channel group, and allocates an ID to each channel.
zte(cfg-nas)#iptv channel-group name <channel-group-name> rename <new-name>
    Modifies the channel group name.
zte(cfg-nas)#iptv channel-group {name <channel-group-name>| id-list <channel-group-list>} cdr {enable | disable}
    Enables/disables the channel group log function.
zte(cfg-nas)#iptv channel-group {name <channel-group-name>| id-list <channel-group-list>}{viewfile-name <viewfile-name>| viewfile-id <0-1023>}
    Specifies the preview configuration file for the channel group.
zte(cfg-nas)#iptv port <portlist>[vlan <1-4094>] channel-group {name <channel-group-name>| id-list <channel-group-list>}{deny | order | preview | query}
    Allocates an access permission to the channel group for users.
show iptv channel-group [name <channel-group-name>| id <channel-group-id>] (all configuration modes)
    Displays channel group information (details of one or all channel groups).
IPTV Configuration Example One
• Configuration Description
Port 1 connects to the user, who subscribes to channel 225.1.1.1. The user VLAN is 100. The multicast VLAN is 4000. The router sends the data stream of multicast group 225.1.1.1. The PC sends a request to join channel 225.1.1.1. See Figure 5-6.
Figure 5-6 IPTV Configuration Instance 1
• Configuration Procedure
1. Configure VLAN
zte(cfg)#set vlan 100 add port 1
zte(cfg)#set vlan 4000 add port 1, 4
zte(cfg)#set vlan 100, 4000 enable
zte(cfg)#set port 1 pvid 100
zte(cfg)#set port 4 pvid 4000
/*IGMP Snooping*/
zte(cfg)#set igmp snooping enable
zte(cfg)#set igmp snooping add vlan 100, 4000
zte(cfg)#set igmp snooping fastleave enable
2. Configure IPTV
zte(cfg)#config nas
zte(cfg-nas)#iptv control enable
zte(cfg-nas)#iptv cac-rule enable
3. Configure a rule on the port
zte(cfg-nas)#iptv channel mvlan 4000 group 225.1.1.1 name CCTV1 id 1
zte(cfg-nas)#iptv port 1 service start
zte(cfg-nas)#iptv port 1 control-mode channel
zte(cfg-nas)#iptv port 1 channel id-list 1 order
zte(cfg-nas)#iptv port 1 add mvlan 4000 uvlan 100
• Configuration Verification
Check configuration
zte(cfg-nas)#show iptv rule
MaxRuleNum:64
CurRuleNum:1
HisRuleNum:1
Id Port Vlan Mbase Mode Service Cdr Order Preview Query PkgNum
-- ---- ---- ----- ------- ------- -------- ----- ------- ----- ------
1 1 false channel in disabled 1 0 0 0
/*view the user online state when the user is online*/
zte(cfg-nas)#show igmp snooping vlan
Maximal group number: 1024
Current group number: 1
Num VlanId Group Last_Report PortMember
---- ------- --------------- --------------- ----------------
1 4000 225.1.1.1 192.85.1.3 1
zte(cfg-nas)#show iptv client index 0
Index :0
Rule :1 Vlan :100
Port :1 ChNum :1
Mac :00.10.94.00.00.01 Ip :192.85.1.3
Channel UserType MultiAddress ElapsedTime
------- ---------- ---------------- --------------
1 order 225.1.1.1 0:0:1:7
IPTV Configuration Example Two
• Configuration Description
Port 1 connects to the user, who is a preview user of channel 225.1.1.1. The maximum preview time is 20 seconds, the interval between previews is at least 10 seconds, and the maximum number of previews is 2. The user VLAN is 100. The multicast VLAN is 4000. The router sends the data stream of multicast group 225.1.1.1. The PC sends a request to join channel 225.1.1.1. See Figure 5-7.
Figure 5-7 IPTV Configuration Instance 2
• Configuration Procedure
1. Configure VLAN
zte(cfg)#set vlan 100 add port 1
zte(cfg)#set vlan 4000 add port 1, 4
zte(cfg)#set vlan 100, 4000 enable
zte(cfg)#set port 1 pvid 100
zte(cfg)#set port 4 pvid 4000
/*IGMP Snooping*/
zte(cfg)#set igmp snooping enable
zte(cfg)#set igmp snooping add vlan 100, 4000
zte(cfg)#set igmp snooping fastleave enable
2. Configure IPTV
zte(cfg)#config nas
zte(cfg-nas)#iptv control enable
zte(cfg-nas)#iptv cac-rule enable
zte(cfg-nas)#iptv prv enable
3. Configure a rule on the port
zte(cfg-nas)#iptv channel mvlan 4000 group 225.1.1.1 name CCTV1 id 1
zte(cfg-nas)#iptv port 1 service start
zte(cfg-nas)#iptv port 1 control-mode channel
zte(cfg-nas)#iptv port 1 channel id 1 preview
4. Configure the preview template
zte(cfg-nas)#iptv view-profile name VPF1.PRF
zte(cfg-nas)#iptv view-profile name VPF1.PRF count 2
zte(cfg-nas)#iptv view-profile name VPF1.PRF blackout 10
zte(cfg-nas)#iptv view-profile name VPF1.PRF duration 20
zte(cfg-nas)#iptv channel id 1 viewfile-name VPF1.PRF
• Configuration Verification
Check configuration
/*check the configuration of preview template*/
zte(cfg-nas)#show iptv view-profile name VPF1
ViewProfile Id :1
MaxPrvCount :2
MaxPrvDuration :20
BlackoutInterval :10
/*view the user online state when the user is online*/
zte(cfg-nas)#show iptv client index 0
Index :0
Rule :1 Vlan :100
Port :1 ChNum :1
Mac :00.10.94.00.00.01 Ip :192.85.1.3
Channel UserType MultiAddress ElapsedTime
------- ---------- ---------------- --------------
1 preview 225.1.1.1 0:0:0:16
5.10 STP Configuration
STP Overview
The Spanning Tree Protocol (STP) is applicable to networks with data loops. It uses certain algorithms to block some redundant links, thus preventing possible network loops.
The Rapid Spanning Tree Protocol (RSTP) is developed on the basis of common STP, and provides faster spanning tree convergence by using a mechanism in which the port state can be rapidly changed from Blocking to Forwarding.
The Multiple Spanning Tree Protocol (MSTP) is developed on the basis of RSTP and STP. It introduces domains and instances, and recognizes VLAN IDs. The whole network topology structure can be planned into a Common and Internal Spanning Tree (CIST), which is divided into the Common Spanning Tree (CST) and the Internal Spanning Tree (IST).
Many devices enabling MSTP construct Multiple Spanning Tree (MST) areas in the switching network. When the devices satisfy the following conditions, they can be considered to exist in an MST area. A switching network can cover many MST areas. Users can divide the switches into an MST area by using MSTP commands.
• Same area name.
• Same revision level.
• Same mapping relationship between a VLAN and an instance.
• Switches should be connected directly.
Multiple spanning trees can be configured in each MSTP area, and they are independent from each other. Each spanning tree is an Internal Spanning Tree (IST), and it can be called a Multiple Spanning Tree Instance (MSTI). The Common Spanning Tree connects all MST areas in the switching network. An MST area can be considered as a switch; a CST is a spanning tree which is generated by STP and RSTP protocol calculation. All ISTs and CSTs are called the Common and Internal Spanning Tree (CIST). A CIST is a single spanning tree used to connect all switches.
In this MSTP topology structure, an IST can serve as a single bridge (switch). In this way, a CST can serve as an RSTP for the interaction of configuration information (BPDU). Multiple instances can be created in an IST area and these instances are valid only in this area. An instance is equivalent to an RSTP, except that the instance needs to perform BPDU interaction with bridges outside this area.
For the MSTP topological structure, see Figure 5-8.
Figure 5-8 MSTP Topological Structure
The ports have different roles:
• Master: The port type is introduced in the MSTP protocol. When multiple different areas exist, the master port is the port with the minimal cost to the root.
• Root: The port that has the minimal cost to the root bridge and takes charge of forwarding data to the root node. When multiple ports have the same cost to the root bridge, the port with the lowest port priority becomes the root port.
• Designated: The port transmits data to the switch downward, and sends the STP protocol message to maintain the state of STP.
• Backup: The port receives the STP message, which proves that there exists a loop to the port itself.
• Alternate: The port receives excess STP protocol messages from other equipment. However, when the original link fails, the port starts transmitting and maintains the network, taking the place of the faulty port.
• Edged: The port is used to connect the terminal equipment, for example, a PC. The port does not participate in the calculation before the STP is stable, and the state can be switched fast.
The port state after the calculation becomes steady depends on the port role. For the relationships between the port role and the port state, refer to Table 5-1.
Table 5-1 Port Role and Port State
Port Role     Port State
Master        Forward
Root          Forward
Designated    Forward
Backup        Discard
Alternate     Discard
Edged         Forward
Protection Feature Overview
BPDU Protection on a Port
A boundary port is not expected to receive any BPDUs. Receipt of any BPDUs indicates a failure in the network. To avoid this situation, BPDU protection can be configured on a boundary port.
After being configured with BPDU protection, if a port receives a BPDU, the port will be shut down and a warning message will be displayed. The system waits for a user-configured number of seconds and then tries to re-open the port. If it still receives BPDUs, the port will be shut down again. By doing so, the network can be protected from being attacked by abnormal BPDUs to maintain the stability of the topology.
Loopback Protection on a Port
When a non-designated port breaks down and cannot receive any BPDUs, STP will transition the port to a designated port and its state to Forwarding, which leads to loops. To avoid this situation, port loopback protection can be configured on a blocked port.
After being configured with port loopback protection, if a blocked port no longer receives any BPDUs, it will enter Loop_Inconsistent state, under which no data will be forwarded from this port. When it receives BPDUs again, the port will automatically recover to a blocked port.
Root Protection on a Port
After the network has completed the spanning tree calculation, if a new switch is involved and the numerical value for its bridge ID is lower than that for the root bridge, the new switch will become the new root bridge to replace the old root bridge, which causes the entire network to recalculate the spanning tree. To avoid this situation, port root protection can be configured on the port where a new switch accesses the network.
The port root protection feature is used to protect the root bridge. After being configured with root protection, if a port receives a BPDU in which the numerical value for the bridge ID is lower, the port will enter RootGuard state to avoid spanning tree recalculation. In this state, no data will be forwarded from this port. Once the port no longer receives any BPDU in which the numerical value for the bridge ID is lower, it will go through the transitory states, that is, Listening state and Learning state, and finally transition to Forwarding state. The recovery is automatic, without any human intervention.
Configuring STP
In the default configuration, the MSTP only has the instance with ins_id being 0. This instance always exists and users cannot manually delete it. This instance is mapped with VLANs 1 to 4094.
The STP configuration includes the following commands:
Command
    Function
zte(cfg)#set stp {enable | disable}
    Enables or disables the STP.
zte(cfg)#set stp forceversion {mstp | rstp | stp}
    Sets the forced STP type to MSTP/RSTP/STP.
zte(cfg)#set stp port <portlist>{enable | disable}
    Enables or disables the port STP function.
zte(cfg)#set stp port <portlist> linktype {point-point | shared}
    Sets port connection type.
zte(cfg)#set stp port <portlist> packettype {IEEE | CISCO | HUAWEI | HAMMER | extend }
    Sets instance port packet type.
zte(cfg)#set stp port <portlist> pcheck
    Checks the current STP protocol type and selects the best protocol.
zte(cfg)#set stp port <portlist> bpdu-guard {enable | disable}
    Enables or disables the BPDU packet protection function on the port.
zte(cfg)#set stp bpdu-interval <10-65535>
    Sets an interval for BPDU protection recovery.
zte(cfg)#set stp trunk <trunklist>{enable | disable}
    Enables or disables the STP function on the trunk.
zte(cfg)#set stp trunk <trunklist> linktype {point-point | shared}
    Sets trunk connection type.
zte(cfg)#set stp trunk <trunklist> packettype {IEEE | CISCO | HUAWEI | HAMMER | extend }
    Sets packet types sent and received by the trunk.
zte(cfg)#set stp edge-port {add | delete} port <portlist>
    Adds/deletes STP edge port.
zte(cfg)#set stp {hmd5-digest | hmd5-key}{CISCO | HUAWEI}<0x00..0-0xff..f>
    Sets hmd5 parameter when the device is connected with CISCO or HUAWEI.
zte(cfg)#set stp hellotime <1-10>
    Sets STP notification interval.
zte(cfg)#set stp forwarddelay <4-30>
    Sets STP forwarding delay time.
zte(cfg)#set stp agemax <6-40>
    Sets STP aging time.
zte(cfg)#set stp hopmax <1-40>
    Sets the maximum number of hops between edge equipment and root switch of MSTP.
zte(cfg)#set stp name <name>
    Sets the name of the MSTP domain.
zte(cfg)#set stp revision <0-65535>
    Sets the revision level of the MSTP.
zte(cfg)#set stp instance <0-63>{add | delete} vlan <vlanlist>
    Adds or deletes the VLAN to/from the MSTP instance.
zte(cfg)#set stp instance <0-63>{port <1-28>| trunk <trunklist>} priority <0-240>
    Sets the priority of the port/trunk in the instance.
zte(cfg)#set stp instance <0-63>{port <1-28>| trunk <trunklist>} cost <1-200000000>
    Sets the path cost of the port/trunk in the instance.
zte(cfg)#set stp instance <0-63>{port <1-28>| trunk <trunklist>} root-guard {enable | disable}
    Enables or disables the root protection of port/trunk in the instance.
zte(cfg)#set stp instance <0-63>{port <1-28>| trunk <trunklist>} loop-guard {enable | disable}
    Enables or disables the loop protection of port/trunk in the instance.
zte(cfg)#set stp instance <0-63> priority <0-61440>
    Sets the priority of the bridge in the instance, which is used for root bridge selection.
zte(cfg)#clear stp instance <0-63>
    Deletes the instance.
zte(cfg)#clear stp instance <0-63>{port <1-28>| trunk <1-15>} cost
    Sets the path cost of the port/trunk in the instance as the default value.
zte(cfg)#clear stp name
    Deletes the MSTP domain name.
show stp (all configuration modes)
    Displays STP global configuration information.
show stp instance [<0-63>] (all configuration modes)
    Displays the state information of the instance.
show stp port [<portlist>] (all configuration modes)
    Displays the STP port configuration information.
show stp trunk <trunklist> (all configuration modes)
    Displays STP trunk configuration information.
STP Configuration Instance
• Configuration Description
Configure the STP function of switch 1 and switch 2, take switch 1 as the root bridge and block a redundant port in the loop. This realizes loop protection and link backup between switches. See Figure 5-9.
Figure 5-9 STP Configuration Instance
• Configuration Procedure
zte(cfg)#set stp enable
/*enable the stp protocol of switch1 and switch2*/
zte(cfg)#set stp forceversion stp
/*set STP forceversion as stp*/
• Configuration Verification
1. Check the STP state of switch 1 in the system view.
zte(cfg)#show stp instance
Spanning tree enabled protocol stp
RootID:
Priority : 32768 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s): 15
Reg RootID:
Priority : 32768 Address : 00.d0.d0.02.00.54
RemainHops : 20
BridgeID:
Priority : 32768 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s): 15 MaxHops : 20
Interface PortId Cost Status Role Bound GuardStatus
--------- ------ ------- ------- ---------- ----- -----------
1 128.1 200000 Forward Designated SSTP None
2 128.2 200000 Forward Designated SSTP None
2. Check the STP state of switch 2 in the system view.
zte(cfg)#show stp instance
Spanning tree enabled protocol stp
RootID:
Priority : 32768 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s):15
Reg RootID:
Priority : 32768 Address : 00.d0.d0.29.52.06
RemainHops : 20
BridgeID:
Priority : 32768 Address : 00.d0.d0.29.52.06
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s): 15 MaxHops : 20
Interface PortId Cost Status Role Bound GuardStatus
--------- ------ ------- ------- ---------- ----- -----------
1 128.1 200000 Forward Root SSTP None
2 128.2 200000 Discard Alternate SSTP None
RSTP Configuration Instance
• Configuration Description
Configure the RSTP function of switch 1 and switch 2, take switch 1 as the root bridge and block a redundant port in the loop. This realizes loop protection and link backup between switches. See Figure 5-10.
Figure 5-10 RSTP Configuration Instance
• Configuration Procedure
zte(cfg)#set stp enable
/*enable STP protocol of switch1 and switch2*/
zte(cfg)#set stp forceversion rstp
/*set forceversion of stp as rstp*/
• Configuration Verification
1. Check the STP state of switch 1 in the system view.
zte(cfg)#show stp instance
Spanning tree enabled protocol rstp
RootID:
Priority : 32768 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s): 15
Reg RootID:
Priority : 32768 Address : 00.d0.d0.02.00.54
RemainHops : 20
BridgeID:
Priority : 32768 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s): 15 MaxHops : 20
Interface PortId Cost Status Role Bound GuardStatus
--------- ------ -------- ------- ---------- ----- -----------
1 128.1 200000 Forward Designated RSTP None
2 128.2 200000 Forward Designated RSTP None
2. Check the STP state of switch 2 in the system view.
zte(cfg)#show stp instance
Spanning tree enabled protocol rstp
RootID:
Priority : 32768 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s):15
Reg RootID:
Priority : 32768 Address : 00.d0.d0.29.52.06
RemainHops : 20
BridgeID:
Priority : 32768 Address : 00.d0.d0.29.52.06
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s): 15 MaxHops : 20
Interface PortId Cost Status Role Bound GuardStatus
--------- ------ --------- ------- ---------- ----- -----------
1 128.1 200000 Forward Root RSTP None
2 128.2 200000 Discard Alternate RSTP None
MSTP Configuration Instance
• Configuration Description
Configure the MSTP of switch 1 and switch 2 (they are in the same MST area) to realize link backup and block the loop in the network. The configuration is as follows: establish mapping between instance 1 and service VLAN 10-20; set Name to zte and Revision to 10. Take switch 1 as the root bridge in instance 1. See Figure 5-11.
Figure 5-11 MSTP Configuration Instance
• Configuration Procedure
zte(cfg)#set stp enable
/*enable the stp protocol of switch1 and switch2*/
zte(cfg)#set stp forceversion mstp
/*set the STP forceversion as mstp*/
zte(cfg)#set stp name zte
/*set switch1 and switch2 in the same area*/
zte(cfg)#set stp revision 10
zte(cfg)#set stp instance 1 add vlan 10-20
• Configuration Verification
1. Check the STP state of switch 1 and switch 2 in the system view.
zte(cfg)#show stp
The spanning_tree protocol is enabled!
The STP ForceVersion is MSTP !
Revision: 10
Name: zte
Bpdu interval: 100
Cisco key: 0x13ac06a62e47fd51f95d2ba243cd0346
Cisco digest: 0x00000000000000000000000000000000
Huawei key: 0x13ac06a62e47fd51f95d2ba243cd0346
Huawei digest: 0x00000000000000000000000000000000
Instance VlanMap
-------- -------------------
0 1-9,21-199,211-4094
1 10-20,200-210
2. Check the STP state of switch 1 in the system view.
zte(cfg)#show stp instance
MST00
Spanning tree enabled protocol mstp
RootID:
Priority : 32768 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s): 15
Reg RootID:
Priority : 32768 Address : 00.d0.d0.02.00.54
RemainHops : 20
BridgeID:
Priority : 32768 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s): 15 MaxHops : 20
Interface PortId Cost Status Role Bound GuardStatus
--------- ------ ------- ------- ---------- ----- -----------
1 128.1 200000 Forward Designated MSTP None
2 128.2 200000 Forward Designated MSTP None
MST01
Spanning tree enabled protocol mstp
RootID:
Priority : 32769 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s) : 20
ForwardDelay(s): 15 RemainHops : 20
BridgeID:
Priority : 32769 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s) : 20
ForwardDelay(s): 15 MaxHops : 20
Interface PortId Cost Status Role GuardStatus
--------- ------ ------- ------- ---------- -----------
1 128.1 200000 Forward Designated None
2 128.2 200000 Forward Designated None
3. Check the STP state of switch 2 in the system view.
zte(cfg)#show stp instance
MST00
Spanning tree enabled protocol mstp
RootID:
Priority : 32768 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s):15
Reg RootID:
Priority : 32768 Address : 00.d0.d0.29.52.06
RemainHops : 19
BridgeID:
Priority : 32768 Address : 00.d0.d0.29.52.06
HelloTime(s) : 2 MaxAge(s): 20
ForwardDelay(s): 15 MaxHops : 20
Interface PortId Cost Status Role Bound GuardStatus
--------- ------ ------- ------- ---------- ----- ---------
1 128.1 200000 Forward Root MSTP None
2 128.2 200000 Discard Alternate MSTP None
MST01
Spanning tree enabled protocol mstp
RootID:
Priority : 32769 Address : 00.d0.d0.02.00.54
HelloTime(s) : 2 MaxAge(s) : 20
ForwardDelay(s):15 RemainHops : 19
BridgeID:
Priority : 32769 Address : 00.d0.d0.29.52.06
HelloTime(s) : 2 MaxAge(s) : 20
ForwardDelay(s): 15 MaxHops : 20
Interface PortId Cost Status Role GuardStatus
--------- ------ ------- ------- ---------- ------------
1 128.1 200000 Forward Root None
2 128.2 200000 Discard Alternate None
5.11 ACL Configuration
ACL Overview
An Access Control List (ACL) is a sequential collection of permissions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against the applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. It tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packet, because the switch stops testing conditions after the first match. The order of conditions in the list is therefore critical. If no conditions match, the switch rejects the packets. If there are no restrictions, the switch forwards the packet. Otherwise, the switch drops the packet.
The ZXR10 2900E supports the following functions.
• The ZXR10 2900E provides two binding types, including physical port and VLAN port.
• ACL rules can be added, deleted, and sorted.
   1. Rules can be added to a configured ACL. The rule ID number range is 1-500.
   2. Rules of a configured ACL can be deleted. If the specified ACL instance number or rule number is not configured, an error message is returned.
   3. The rules of an ACL can be sorted. The position to which a rule number should be moved must be specified.
• An ACL can become valid according to the configured time range. After an absolute or relative time range is configured on the switch, the time range can be applied to a rule of the ACL. The rule is then valid according to the time range specification.
• The ZXR10 2900E provides the following ten types of ACLs:
   1. Basic ACL: Only matches the source IP address.
   2. Extended ACL: Matches the source IP address, destination IP address, IP protocol type, TCP source port number, TCP destination port number, UDP source port number, UDP destination port number, ICMP type, ICMP Code and DiffServ Code Point (DSCP).
   3. L2 ingress ACL: Matches the source MAC address, destination MAC address, source VLAN ID and 802.1p priority value, Ethernet network type and DSAP/SSAP.
   4. Hybrid ingress ACL: Matches source IPv4/IPv6 address, destination IPv4/IPv6 address, IP protocol type, TCP source port number, TCP destination port number, UDP source port number, UDP destination port number, DiffServ Code Point (DSCP), source MAC address, destination MAC address, source VLAN ID and 802.1p priority value.
   5. Global ACL: Matches the source IP address, destination IP address, IP protocol type, TCP source port number, TCP destination port number, UDP source port number, UDP destination port number, DiffServ Code Point (DSCP), source MAC address, destination MAC address, source VLAN ID and 802.1p priority value.
   6. Basic egress ACL: Only matches source IP address.
   7. Extended egress ACL: Matches the source IP address, destination IP address, IP protocol type, TCP source port number, TCP destination port number, UDP source port number, UDP destination port number, ICMP type, ICMP Code and DiffServ Code Point (DSCP).
   8. L2 egress ACL: Matches the destination MAC address, source VLAN ID and 802.1p priority value, Ethernet network type and DSAP/SSAP.
   9. Hybrid egress ACL: Matches the source IPv4/IPv6 address, destination IPv4/IPv6 address, IP protocol type, TCP source port number, TCP destination port number, UDP source port number, UDP destination port number, DiffServ Code Point (DSCP), source MAC address, destination MAC address, source VLAN ID and 802.1p priority value.
   10. User-defined ingress ACL: Only matches the bytes defined by users.
• Each ACL is identified by a numeric access list number. The access list number ranges of the different types of ACL are shown below:
   1. Basic ingress ACL: 1–99
   2. Extended ingress ACL: 100–199
   3. L2 ingress ACL: 200–299
   4. Hybrid ingress ACL: 300–399, supports IPv6
   5. Basic egress ACL: 400–499
   6. Extended egress ACL: 500–599
   7. L2 egress ACL: 600-699
   8. Hybrid egress ACL: 700–799, supports IPv6
   9. Global ACL: 800
   10. User-defined ingress ACL: 801–828
• Each ACL has at most 500 rules and the range is 1–500.
Configuring ACL
The ACL configuration includes the following commands:
Command
    Function
zte(cfg)#set port <portlist> acl mode {port | vlan}
    Sets port ACL binding mode.
zte(cfg)#set port <portlist> acl <1-799, 801–828> {enable | disable}
    Binds ACL instance to the port.
zte(cfg)#set vlan <vlanlist> acl <1-399, 801–828> {enable | disable}
    Binds ACL instance to the VLAN.
zte(cfg)#set acl <1-799,801-828> rule <1-500> time-range <word> {enable | disable}
    Executes an ACL action in a specific time range.
zte(cfg)#create acl <1-828> name <name>
    Creates an ACL name.
zte(cfg)#clear acl <1-828> name
    Clears an ACL name.
zte(cfg)#show port <portlist> acl-mode
    Displays port ACL binding mode.
zte(cfg)#config ingress-acl basic number <1-99>
    Creates and configures a basic ingress ACL instance.
zte(basic-acl-group)#rule <1-500> {permit | deny} {<source-ipaddr> <sip-mask> | any} [fragment]
    Sets a basic ingress ACL rule.
zte(cfg)#clear ingress-acl basic number <1-99>
    Clears a basic ingress ACL instance.
zte(cfg)#config ingress-acl extend number <100-199>
    Creates and configures an extended port ACL instance.
zte(extend-acl-group)#rule <1-500> {permit | deny} <ip-protocol> {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [dscp <0-63>] [fragment]
    Sets the rule that an extended ingress ACL is used to match specified fields of IPv4 packets.
zte(extend-acl-group)#rule <1-500> {permit | deny} icmp {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [icmp-type <0-254> <icmp-code>] [dscp <0-63>] [fragment]
    Sets the rule that an extended ingress ACL is used to match ICMP packets.
zte(extend-acl-group)#rule <1-500> {permit | deny} ip {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [dscp <0-63>] [fragment]
    Sets the rule that an extended ingress ACL is used to match IP packets.
zte(extend-acl-group)#rule <1-500> {permit | deny} tcp {<source-ipaddr> <sip-mask> | any} [source-port <0-65535> <sport-mask>] {<destination-ipaddr> <dip-mask> | any} [dest-port <0-65535> <dport-mask>] [establishing | established] [dscp <0-63>] [fragment]
    Sets the rule that an extended ingress ACL is used to match TCP packets.
zte(extend-acl-group)#rule <1-500> {permit | deny} udp {<source-ipaddr> <sip-mask> | any} [source-port <0-65535> <sport-mask>] {<destination-ipaddr> <dip-mask> | any} [dest-port <0-65535> <dport-mask>] [dscp <0-63>] [fragment]
    Sets the rule that an extended ingress ACL is used to match UDP packets.
zte(extend-acl-group)#rule <1-500> {permit | deny} arp {<sender-ipaddr> <sip-mask> | any} {<target-ipaddr> <tip-mask> | any}
    Sets the rule that an extended ingress ACL is used to match ARP packets.
zte(cfg)#clear ingress-acl extend number <100-199>
    Clears an extended port ACL instance.
zte(cfg)#config ingress-acl link number <200-299>
    Creates and configures a layer-2 ingress ACL instance.
zte(link-acl-group)#rule <1-500> {permit | deny} ip {[cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]}
    Sets the rule that a layer-2 ingress ACL is used to match IP packets.
zte(link-acl-group)#rule <1-500> {permit | deny} arp {[cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]}
    Sets the rule that a layer-2 ingress ACL is used to match ARP packets.
zte(link-acl-group)#rule <1-500> {permit | deny} other {[ether-type <1501-65535> | dsap-ssap <0-65535>] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]}
    Sets the rule that a layer-2 ingress ACL is used to match packets except IP/ARP packets.
zte(link-acl-group)#rule <1-500> {permit | deny} any [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a layer-2 ingress ACL is used to match packets with specified cos, VLAN id, smac, and dmac flags.
zte(cfg)#clear ingress-acl link number <200-299>
    Clears a layer-2 ingress ACL instance.
zte(cfg)#config ingress-acl hybrid number <300-399>
    Creates and configures a hybrid ingress ACL instance.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} <ip-protocol> {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a hybrid ingress ACL is used to match specified fields of IPv4 packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} ip {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a hybrid ingress ACL is used to match IPv4 packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} tcp {<source-ipaddr> <sip-mask> | any} [source-port <0-65535> <sport-mask>] {<destination-ipaddr> <dip-mask> | any} [dest-port <0-65535> <dport-mask>] [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a hybrid ingress ACL is used to match IPv4-TCP packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} udp {<source-ipaddr> <sip-mask> | any} [source-port <0-65535> <sport-mask>] {<destination-ipaddr> <dip-mask> | any} [dest-port <0-65535> <dport-mask>] [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a hybrid ingress ACL is used to match IPv4-UDP packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} arp {<sender-ipaddr> <sip-mask> | any} {<target-ipaddr> <tip-mask> | any} [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a hybrid ingress ACL is used to match ARP packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} any {[ether-type <1501-65535>] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]}
    Sets the rule that a hybrid ingress ACL is used to match non-IPv6 packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} ipv6 <ip-protocol> {<source-ipv6addr> <sipv6-mask> | any} [<destination-ipv6addr> <dipv6-mask> | any] [<vlan-id>]
    Sets the rule that a hybrid ingress ACL is used to match specified fields of IPv6 packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} ipv6 tcp {<source-ipv6addr> <sipv6-mask> | any} [source-port <0-65535> <sport-mask>] [<destination-ipv6addr> <dipv6-mask> | any] [dest-port <0-65535> <dport-mask>] [<vlan-id>]
    Sets the rule that a hybrid ingress ACL is used to match IPv6-TCP packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} ipv6 udp {<source-ipv6addr> <sipv6-mask> | any} [source-port <0-65535> <sport-mask>] [<destination-ipv6addr> <dipv6-mask> | any] [dest-port <0-65535> <dport-mask>] [<vlan-id>]
    Sets the rule that a hybrid ingress ACL is used to match IPv6-UDP packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} ipv6 any {<source-ipv6addr> <sipv6-mask> | any} [<destination-ipv6addr> <dipv6-mask> | any] [<vlan-id>]
    Sets the rule that a hybrid ingress ACL is used to match IPv6 packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} ipv6 icmp {<source-ipv6addr> <sipv6-mask> | any} [<destination-ipv6addr> <dipv6-mask> | any] [<vlan-id>]
    Sets the rule that a hybrid ingress ACL is used to match IPv6 ICMP packets.
zte(hybrid-acl-group)#rule <1-500> {permit | deny} all
    Sets the rule that a hybrid ingress ACL is used to match any packet.
zte(cfg)#clear ingress-acl hybrid number <300-399>
    Clears a hybrid ingress ACL instance.
zte(cfg)#config ingress-acl user-define number <801-828>
    Creates and configures a user-defined ingress ACL instance.
zte(ingress-user-define-acl)#rule <1-500> {permit | deny} [udb1 <udb-value> <udb-mask>] [udb2 <udb-value> <udb-mask>] [udb3 <udb-value> <udb-mask>] [udb4 <udb-value> <udb-mask>] [udb5 <udb-value> <udb-mask>] [udb6 <udb-value> <udb-mask>] [udb7 <udb-value> <udb-mask>] [udb8 <udb-value> <udb-mask>] [udb9 <udb-value> <udb-mask>] [udb10 <udb-value> <udb-mask>] [udb11 <udb-value> <udb-mask>] [udb12 <udb-value> <udb-mask>] [udb13 <udb-value> <udb-mask>] [udb14 <udb-value> <udb-mask>] [udb15 <udb-value> <udb-mask>]
    Defines a rule in a user-defined ingress ACL.
zte(cfg)#clear ingress-acl user-define number <801-828>
    Deletes a user-defined ingress ACL instance.
zte(cfg)#config ingress-acl global
    Enters and configures a global ingress ACL instance.
zte(global-acl-group)#rule <1-16> {permit | deny} port {<1-28> | any} <ip-protocol> {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a global ingress ACL matches specified fields of IPv4 packets.
zte(global-acl-group)#rule <1-500> {permit | deny} port {<1-28> | any} ip {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a global ingress ACL matches IPv4 packets.
zte(global-acl-group)#rule <1-500> {permit | deny} port {<1-28> | any} tcp {<source-ipaddr> <sip-mask> | any} [source-port <0-65535> <sport-mask>] {<destination-ipaddr> <dip-mask> | any} [dest-port <0-65535> <dport-mask>] [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a global ingress ACL matches IPv4–TCP packets.
zte(global-acl-group)#rule <1-500> {permit | deny} port {<1-28> | any} udp {<source-ipaddr> <sip-mask> | any} [source-port <0-65535> <sport-mask>] {<destination-ipaddr> <dip-mask> | any} [dest-port <0-65535> <dport-mask>] [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a global ingress ACL matches IPv4–UDP packets.
zte(global-acl-group)#rule <1-500> {permit | deny} port {<1-28> | any} arp {<sender-ipaddr> <sip-mask> | any} {<target-ipaddr> <tip-mask> | any} [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a global ingress ACL is used to match ARP packets.
zte(global-acl-group)#rule <1-500> {permit | deny} port {<1-28> | any} any {[ether-type <1501-65535>] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]}
    Sets the rule that a global ingress ACL is used to match non-IPv6 packets.
zte(cfg)#config egress-acl basic number <400-499>
    Creates a basic egress ACL instance and configures it.
zte(egress-basic-acl)#rule <1-500> {permit | deny} {<source-ipaddr> <sip-mask> | any} [fragment]
    Sets a basic egress ACL.
zte(cfg)#clear egress-acl basic number <400-499>
    Clears a basic egress ACL instance.
zte(cfg)#config egress-acl extend number <500-599>
    Creates an extended egress ACL instance and configures it.
zte(egress-extend-acl)#rule <1-500> {permit | deny} <ip-protocol> {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [dscp <0-63>] [fragment]
    Sets an extended egress ACL that matches specified fields of IPv4 packets.
zte(egress-extend-acl)#rule <1-500> {permit | deny} icmp {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [icmp-type <0-254> <icmp-code>] [dscp <0-63>] [fragment]
    Sets an extended egress ACL that matches ICMP packets.
zte(egress-extend-acl)#rule <1-500> {permit | deny} ip {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [dscp <0-63>] [fragment]
    Sets an extended egress ACL that matches IP packets.
zte(egress-extend-acl)#rule <1-500> {permit | deny} tcp {<source-ipaddr> <sip-mask> | any} [source-port <0-65535> <sport-mask>] {<destination-ipaddr> <dip-mask> | any} [dest-port <0-65535> <dport-mask>] [establishing | established] [dscp <0-63>] [fragment]
    Sets an extended egress ACL that matches TCP packets.
zte(egress-extend-acl)#rule <1-500> {permit | deny} udp {<source-ipaddr> <sip-mask> | any} [source-port <0-65535> <sport-mask>] {<destination-ipaddr> <dip-mask> | any} [dest-port <0-65535> <dport-mask>] [dscp <0-63>] [fragment]
    Sets an extended egress ACL that matches UDP packets.
zte(egress-extend-acl)#rule <1-500> {permit | deny} arp {<sender-ipaddr> <sip-mask> | any} {<target-ipaddr> <tip-mask> | any}
    Sets an extended egress ACL that matches ARP packets.
zte(cfg)#clear egress-acl extend number <500-599>
    Clears an extended egress ACL instance.
zte(cfg)#config egress-acl link number <600-699>
    Creates a layer-2 egress ACL instance and configures it.
zte(egress-link-acl)#rule <1-500> {permit | deny} ip {[cos <0-7>] [<vlan-id> [<vlan-mask>]] [<dest-mac> <dmac-mask> | any]}
    Sets a layer-2 egress ACL that matches IP packets.
zte(egress-link-acl)#rule <1-500> {permit | deny} arp {[cos <0-7>] [<vlan-id> [<vlan-mask>]] [<dest-mac> <dmac-mask> | any]}
    Sets a layer-2 egress ACL that matches ARP packets.
zte(egress-link-acl)#rule <1-500> {permit | deny} other {[ether-type <1501-65535> | dsap-ssap <0-65535>] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]}
    Sets a layer-2 egress ACL that matches packets except IP/ARP packets.
zte(egress-link-acl)#rule <1-500> {permit | deny} any [<vlan-id> [<vlan-mask>]] [cos <0-7>] [<dest-mac> <dmac-mask> | any]
    Sets the rule that a layer-2 egress ACL is used to match packets with specified cos, VLAN id, and dmac flags.
zte(cfg)#clear egress-acl link number <600-699>
    Clears a layer-2 egress ACL instance.
zte(cfg)#config egress-acl hybrid number <700-799>
    Creates a hybrid egress ACL instance and configures it.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} <ip-protocol> {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets a hybrid egress ACL that matches specified fields of IPv4 packets.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} ip {<source-ipaddr> <sip-mask> | any} {<destination-ipaddr> <dip-mask> | any} [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets a hybrid egress ACL that matches IPv4 packets.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} tcp {<source-ipaddr> <sip-mask> | any} [source-port <0-65535> <sport-mask>] {<destination-ipaddr> <dip-mask> | any} [dest-port <0-65535> <dport-mask>] [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets a hybrid egress ACL that matches IPv4-TCP packets.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} udp {<source-ipaddr> <sip-mask> | any} [source-port <0-65535> <sport-mask>] {<destination-ipaddr> <dip-mask> | any} [dest-port <0-65535> <dport-mask>] [dscp <0-63>] [fragment] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets a hybrid egress ACL that matches IPv4-UDP packets.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} arp {<sender-ipaddr> <sip-mask> | any} {<target-ipaddr> <tip-mask> | any} [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]
    Sets a hybrid egress ACL that matches ARP packets.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} any {[ether-type <1501-65535>] [cos <0-7>] [<vlan-id> [<vlan-mask>]] [<source-mac> <smac-mask> | any] [<dest-mac> <dmac-mask> | any]}
    Sets a hybrid egress ACL that matches non-IPv6 packets.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} ipv6 <ip-protocol> {<source-ipv6addr> <sipv6-mask> | any} [<destination-ipv6addr> <dipv6-mask> | any] [<vlan-id>]
    Sets a hybrid egress ACL that matches specified fields of IPv6 packets.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} ipv6 tcp {<source-ipv6addr> <sipv6-mask> | any} [source-port <0-65535> <sport-mask>] [<destination-ipv6addr> <dipv6-mask> | any] [dest-port <0-65535> <dport-mask>] [<vlan-id>]
    Sets a hybrid egress ACL that matches IPv6-TCP packets.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} ipv6 udp {<source-ipv6addr> <sipv6-mask> | any} [source-port <0-65535> <sport-mask>] [<destination-ipv6addr> <dipv6-mask> | any] [dest-port <0-65535> <dport-mask>] [<vlan-id>]
    Sets a hybrid egress ACL that matches IPv6-UDP packets.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} ipv6 any {<source-ipv6addr> <sipv6-mask> | any} [<destination-ipv6addr> <dipv6-mask> | any] [<vlan-id>]
    Sets a hybrid egress ACL that matches IPv6 packets.
zte(egress-hybrid-acl)#rule <1-500> {permit | deny} all
    Sets a hybrid egress ACL that matches any packet.
zte(cfg)#clear egress-acl hybrid number <700-799>
    Clears a hybrid egress ACL instance.
zte(cfg)#config ingress-acl user-define udb <1-15> anchor <0-3> [offset <0-31>] [data-length <1-6>]
    Sets a user-defined anchor and offset.
zte(cfg)#config ingress-acl user-define udb <1-15> description <string>
    Sets a description for a user-defined byte.
zte(cfg)#clear acl udb <1-15> description
    Clears the description of a user-defined byte.
move <1-500> {after | before} <1-500> (all ACL configuration modes)
    Sorts rules in ACL instance.
clear rule <1-500> (all ACL configuration modes)
    Clears one rule in ACL instance.
zte(cfg)#show vlan-range <vlan-range>
    Displays the best mask configuration when VLAN ID is matched in batch.
zte(cfg)#show acl binding {all | port [<portlist>] | vlan [<vlanlist>]}
    Displays the configuration information that ACL is bound to the interface.
zte(cfg)#show acl config
    Displays ACL summary configuration.
zte(cfg)#show acl config [<1-828> | name <word>] [active | command | deny | passive | permit | policy | rule <1-500> | snmp | time-range]
    Displays the detailed configuration of ACL instance.
zte(cfg)#show acl udb
    Displays detailed configurations of user-defined bytes.
zte(cfg)#create acl <1-828> description <description>
    Sets ACL descriptions.
zte(cfg)#clear acl <1-828> description
    Deletes ACL descriptions.
ACL Configuration Instance
• Configuration Description
Configure ACL in the switch to realize the following functions. Forbid the users to access the external network through the gateway from 9:00 to 18:00. The gateway connects with the switch on port 26. The client PCs connect to the switch on ports 1-24. All the users access the external network through the gateway 192.168.0.1. See Figure 5-12.
Figure 5-12 ACL Configuration Instance
• Configuration Procedure
zte(cfg)#config ingress-acl hybrid number 300
zte(ingress-hybrid-acl)#rule 1 deny ip any 192.168.0.1 255.255.255.255
zte(ingress-hybrid-acl)#rule 2 deny arp any 192.168.0.1 255.255.255.255
zte(ingress-hybrid-acl)#exit
zte(cfg)#set port 1-24 acl 300 enable
zte(cfg)#set time-range worktime range period 09:00 to 18:00 daily
zte(cfg)#set time-range worktime acl 300 rule 1 enable
zte(cfg)#set time-range worktime acl 300 rule 2 enable
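The first-match evaluation from the ACL Overview applied to ACL 300 of this configuration instance, as an added Python model that is not ZTE code. It assumes that rules are tested in their sorted position, that mask bits set to 1 are the bits compared, and that the time range is start-inclusive; the client, admin and remote addresses and rule 3 are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Pattern = Optional[Tuple[str, str]]   # (address, mask); None models "any"


def masked_equal(addr: str, pattern: Pattern) -> bool:
    # Assumption: bits set in the mask are the bits compared, inferred from
    # the guide's use of 255.255.255.255 to select the host 192.168.0.1.
    if pattern is None:
        return True
    want, mask = (int(IPv4Address(p)) for p in pattern)
    return (int(IPv4Address(addr)) & mask) == (want & mask)


@dataclass
class TimeRange:
    start: time
    end: time

    def active(self, now: time) -> bool:
        # Assumption: start inclusive, end exclusive.
        return self.start <= now < self.end


@dataclass
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" or "arp"
    src: Pattern                # source IP (ARP: sender IP)
    dst: Pattern                # destination IP (ARP: target IP)
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, now: time) -> bool:
        if self.time_range is not None and not self.time_range.active(now):
            return False        # rule is inactive outside its time range
        return (pkt["proto"] == self.proto
                and masked_equal(pkt["src"], self.src)
                and masked_equal(pkt["dst"], self.dst))


def first_match(rules: List[Rule], pkt: dict, now: time) -> Optional[Rule]:
    """Return the first matching rule in list order, or None if none matches."""
    for rule in rules:
        if rule.matches(pkt, now):
            return rule
    return None


def move(rules: List[Rule], rule_id: int, where: str, anchor_id: int) -> List[Rule]:
    """Model of 'move <id> {after | before} <id>'; returns a re-ordered copy."""
    moved = next(r for r in rules if r.rule_id == rule_id)
    rest = [r for r in rules if r.rule_id != rule_id]
    idx = next(i for i, r in enumerate(rest) if r.rule_id == anchor_id)
    rest.insert(idx if where == "before" else idx + 1, moved)
    return rest


GATEWAY = ("192.168.0.1", "255.255.255.255")
WORKTIME = TimeRange(time(9, 0), time(18, 0))   # 09:00 to 18:00 daily


def acl_300() -> List[Rule]:
    # Rules 1 and 2 of the configuration instance, both tied to "worktime".
    return [
        Rule(1, "deny", "ip", None, GATEWAY, WORKTIME),
        Rule(2, "deny", "arp", None, GATEWAY, WORKTIME),
    ]


# Constructed sample packets (client, admin and remote addresses are made up).
ARP_FOR_GW = {"proto": "arp", "src": "192.168.0.50", "dst": "192.168.0.1"}
IP_TO_GW = {"proto": "ip", "src": "192.168.0.50", "dst": "192.168.0.1"}
IP_VIA_GW = {"proto": "ip", "src": "192.168.0.50", "dst": "203.0.113.10"}
ADMIN_TO_GW = {"proto": "ip", "src": "192.168.0.10", "dst": "192.168.0.1"}
# Hypothetical rule 3: let one admin host reach the gateway at any time.
ADMIN_PERMIT = Rule(3, "permit", "ip", ("192.168.0.10", "255.255.255.255"), GATEWAY)


def describe(rules: List[Rule], pkt: dict, now: time) -> str:
    hit = first_match(rules, pkt, now)
    return "no rule matched" if hit is None else f"rule {hit.rule_id} {hit.action}"


if __name__ == "__main__":
    rules = acl_300()
    for label, pkt in [("ARP for gateway", ARP_FOR_GW), ("IP to gateway", IP_TO_GW),
                       ("IP to remote host", IP_VIA_GW)]:
        for now in (time(10, 0), time(20, 0)):
            print(f"{now} {label}: {describe(rules, pkt, now)}")
    appended = rules + [ADMIN_PERMIT]            # rule 3 sits after rule 1
    print("appended:", describe(appended, ADMIN_TO_GW, time(10, 0)))
    print("moved:   ", describe(move(appended, 3, "before", 1), ADMIN_TO_GW, time(10, 0)))
```

A packet routed through the gateway carries the remote host as its destination IP, so rule 1 does not match it; in this model it is rule 2, the ARP deny, that stops clients from resolving the gateway during worktime. The hypothetical permit rule only takes effect once it is moved ahead of rule 1.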
5.12 QoS Configuration
QoS Overview
QoS can provide end-to-end data exchange with a high quality. The content includes the following parts:
• Port ingress rate limit
• Port egress shaping
• Port queue schedule algorithm
• Port priority mapping
• QoS profile configuration
• Traffic Classification (TC)
• Flow rate limit
• Flow statistics, count the packet with the special color based on the flow rate limit.
• Flow mapping, flow redirection.
• Specified field modification for specified packets.
QoS includes port QoS, global QoS and flow-based QoS.
For the data packet QoS handling method on the network edge device on the access side, there are the following conditions:
• The switch can select whether to trust the packet and which fields of the packet, such as UP or DSCP, can be trusted when receiving the packet. It allocates the QoS service according to the trusted fields.
• When the data packet received by the switch is not trusted, the QoS service is allocated according to the related QoS configuration on the receiving port.
• QoS service defines the internal processing method and external processing method of the packet. The internal processing method includes TC, and the external processing method includes modifying the 802.1p user priority of a data packet or the DSCP field of an IP header.
The network core devices that follow implement a service similar to the previous one according to the 802.1p or DSCP mark of the packet. This way, a set of end-to-end QoS services is provided. When the flow exceeds the configuration, the network device can modify the QoS service level, such as dropping packets or allocating a lower-level QoS service.
When a data packet enters the port, the switch performs the QoS initialization mark, which mainly includes the initialization of TC QoS parameters.
In the direction of switch egress, QoS is used to put the packet into the suitable queue according to the marked TC, to perform the corresponding queue scheduling algorithm and congestion control algorithm according to the current queue configuration, and to modify the packet according to the 802.1p user priority or IP DSCP field of the data packet.
Configuring QoS
The QoS configuration on the ZXR10 2900E includes global-based QoS configuration and port-based QoS configuration. Part of the QoS configuration is related to ACL. The QoS configuration includes the following commands:
Command
    Function
zte(cfg)#set qos priority-mapping port <1-28> default-up <0-7>
    Sets the default port UP priority.
zte(cfg)#set qos priority-mapping port <1-28> trust-mode {dscp-priority | port-profile | user-priority}
    Sets the port trusted mode.
zte(cfg)#set qos priority-mapping port <1-28> {remapping-dscp | remark {dscp-priority | user-priority}} {enable | disable}
    Sets packet UP/DSCP remark/remapping based on the port.
zte(cfg)#set qos priority-mapping qos-profile dscp-to-dscp <0-63> to <0-63>
    Sets the mapping relation between DSCPs.
zte(cfg)#set qos priority-mapping port <1-28> port-to-profile qos-profile <0-127>
    Sets the mapping relation between the port and the QoS profile.
zte(cfg)#set qos priority-mapping qos-profile {up-to-profile <0-7> | dscp-to-profile <0-63>} qos-profile <0-127>
    Sets the mapping relation between the DSCP/UP and the QoS profile.
zte(cfg)#set qos priority-mapping qos-profile <0-127> {drop-priority {red | yellow | green} | dscp-priority <0-63> | user-priority <0-7> | traffic-class <0-7>}
    Sets the QoS profile template.
zte(cfg)#set qos priority-mapping qos-profile default
    Sets 128 QoS profiles to recover default values.
zte(cfg)#set qos queue-schedule enhance {disable | enable}
    Sets the optimized queue scheduling mode.
zte(cfg)#set qos queue-schedule mode {byte | packet}
    Sets the QoS queue scheduling unit.
zte(cfg)#set qos queue-schedule port <1-28> {session <1-7> | default}
    Sets the scheduling policy of each queue of the port.
zte(cfg)#set qos queue-schedule session <1-7> <0-255> <0-255> <0-255> <0-255> <0-255> <0-255> <0-255> <0-255> [single-wrrgroup]
    Sets scheduling policy template.
zte(cfg)#set qos traffic-limit mode {byte | packet}
    Sets the speed limit mode of the global Ingress port.
zte(cfg)#set qos traffic-limit fe-port <1-24> {data-rate <0-100000> | disable}
    Sets 100 M port ingress rate limit, in which <0-100000> is the maximum of data transmission rate.
zte(cfg)#set qos traffic-limit fe-port <1-24> {packet-rate <0-148810> [packet-lenth <64-10240>] | disable}
    Sets 100 M port ingress rate limit, in which <0-148810> is the maximum of packet transmission rate.
zte(cfg)#set qos traffic-limit port <1-28> packet-type {broadcast | known-uc | multicast | tcp-syn | unknown-uc} {enable | disable}
    Sets the packet type that the rate limit function limits.
zte(cfg)#set qos traffic-limit port <1-28> percent <1-100>
    Sets the ingress rate limit based on the port bandwidth percentage.
zte(cfg)#set qos traffic-limit port <1-28> protect {enable | disable}
    Sets the port rate limiting function.
zte(cfg)#set qos traffic-limit port <1-28> protect time <1-10>
    Sets the port shutdown time when the port rate limit function is enabled.
zte(cfg)#set qos traffic-limit port <1-28> trap {enable | disable}
    Enables or disables the trap function for a port.
zte(cfg)#set qos traffic-limit ge-port <25-28> {data-rate <32-1000000> | disable}
    Sets 1000 M port ingress rate limit, in which, <32-100000> is the maximum of data transmission rate.
zte(cfg)#set qos traffic-limit ge-port <25-28> {packet-rate <0-14881000> [packet-lenth <64-10240>] | disable}
    Sets 1000 M port ingress rate limit.
zte(cfg)#set qos traffic-limit xge-port <2/1-2/4> {data-rate <0-10000000> | disable}
    Sets the ingress rate limit for the 10000 M port, in which, <0-100000> is the maximum of data transmission rate.
zte(cfg)#set qos traffic-limit ge-port <2/1-2/4> {packet-rate <0-14881000> [packet-lenth <64-10240>] | disable}
    Sets the ingress rate limit for the 10000 M port, in which, <0-148810> is the maximum of packet transmission rate.
zte(cfg)#set qos traffic-shaping fe-port <1-24> {data-rate <32-100000> burst-size <8-4094> | disable}
    Sets 100M egress shaping rate.
zte(cfg)#set qos traffic-shaping fe-port <1-24> queue <0-7> {data-rate <32-100000> burst-size <8-4094> | disable}
    Sets 100M egress shaping rate based on the queue.
zte(cfg)#set qos traffic-shaping ge-port <25-28> {data-rate <2-1000> burst-size <8-4094> | disable}
    Sets 1000M egress shaping rate.
zte(cfg)#set qos traffic-shaping ge-port <25-28> queue <0-7> {data-rate <2-1000> burst-size <8-4094> | disable}
    Sets 1000M egress shaping rate based on the queue.
zte(cfg)#set qos traffic-shaping xge-port <2/1-2/4> {data-rate <2-10000> burst-size <8-4094> | disable}
    Sets the Egress shaping rate for the 10000 M port.
zte(cfg)#set qos traffic-shaping xge-port <2/1-2/4> queue <0-7> {data-rate <2-10000> burst-size <8-4094> | disable}
    Sets the queue-based Egress shaping rate for the 10000 M port.
zte(cfg)#set anti-DoS {enable | disable}
    Enables or disables the DOS anti-attack function.
show qos priority-mapping port [<1-28>] (all configuration modes)
    Displays priority mapping configuration based on the port.
show qos priority-mapping qos-profile [<0-127> | dscp-to-dscp | dscp-to-profile | up-to-profile] (all configuration modes)
    Displays various priority-mapping configuration related to the QoS profile.
show qos queue-schedule mode (all configuration modes)
    Displays QoS queue scheduling unit.
show qos queue-schedule port <1-28> (all configuration modes)
    Displays the queue scheduling policy of each queue of the port.
show qos queue-schedule session [<1-7>] (all configuration modes)
    Displays the configuration of scheduling policy template.
show qos traffic-limit [port <1-28>] protect (all configuration modes)
    Displays the egress rate limiting configuration of the port.
show qos traffic-limit [port <1-28>] trap (all configuration modes) Displays trap function configuration.
show qos traffic-limit [port <1-28>] (all configuration modes) Displays ingress rate limit configuration.
show qos traffic-shaping [port <1-28>] (all configuration modes) Displays egress shaping configuration.
show anti-dos (all configuration modes) Displays the DoS anti-attack configuration.
show qos traffic-limit [protect | port <1-28> protect] Displays the port protection configuration.
zte(cfg)#set qos policer <0-383> mode {aware | blind} cir<32-10485760> cbs <20000-268435456>{ebs <20000-268435456>|pir <32-10485760> pbs <20000-268435456>}
Sets the flow policer.
zte(cfg)#set qos policer <0-383> exceed-action red {no-operation | drop | remark} yellow {no-operation | drop | remark}
Sets flow policing action.
zte(cfg)#set qos policer <0-383> exceed-action remark profile<0-127> up {no-change | enable-modify | disable-modify} dscp {no-change | enable-modify | disable-modify}
Sets the binding and action implementation mode between the flow policer and the QoS profile.
zte(cfg)#set qos policer counter-mode {L1 | L2 | L3} Sets the flow policer statistics mode.
zte(cfg)#set qos policer <0-383> counter <0-255>{enable |disable}
Enables or disables the flow policer statistics function and configures the binding between the flow policer and the counter.
zte(cfg)#set policy policing in acl <1-828> rule <1-500> policer<0-383>
Enables the flow policer and handles the special flow by the flow policer.
zte(cfg)#set policy remark in ingress-acl <1-399,800-828> rule <1-500> profile <0-127> up {no-change | enable-modify | disable-modify} dscp {no-change | enable-modify | disable-modify}
Uses the QoS profile to modify the specified flow UP/DSCP field that the ingress ACL matches.
zte(cfg)#set policy remark in egress-acl <400-799> rule <1-500> up {no-change |<0-7>} dscp {no-change |<0-63>}
Uses the QoS profile to modify the specified flow UP/DSCP field that the egress ACL matches.
zte(cfg)#set mirror analyze-port session <1-3>{enable | disable} Sets the session between flow mapping port and port mapping.
zte(cfg)#set policy mirror in acl <1-399,800-828> rule<1-500>{cpu | analyze-port}
Copies the specified data flow to the monitor port.
zte(cfg)#set policy redirect in acl <1-399,800-828> rule<1-500>{cpu | port <1-28>}
Redirects the specified data flow to the user-specified egress port.
zte(cfg)#set policy statistics in acl <1-828> rule <1-500> counter <0-1023>
Implements flow statistic for the data flow matching ACL rule.
zte(cfg)#set policy vlan-remark in acl <1-828> rule<1-500><1-4094>{nested | replace {untagged | tagged | all}}
Modifies the VLAN remark of the specified flow.
zte(cfg)#set policy harddrop in acl <1-828> rule <1-500> Sets harddrop.
zte(cfg)#clear policy remark in acl <1-828> rule <1-500> Clears the configuration of the specified flow UP/DSCP field modified by QoS profile.
zte(cfg)#clear policy policing in acl <1-828> rule <1-500> Clears the configuration that the flow policer processes the specified flow.
zte(cfg)#clear policy mirror in acl <1-399,800-828> rule <1-500> Clears the configuration that the specified flow mirrors to the specified port.
zte(cfg)#clear policy statistics in acl <1-828> rule <1-500> Clears the configuration of collecting statistics of packets of the specified flow.
zte(cfg)#clear policy redirect in acl <1-399,800-828> rule<1-500>
Clears the configuration that the specified flow is redirected to the specified port.
zte(cfg)#clear policy vlan-remark in acl <1-828> rule <1-500> Clears the configuration of modifying the specified flow VLAN tag.
zte(cfg)#clear policy harddrop in acl <1-828> rule <1-500> Clears the configuration that the specified flow implements harddrop operation.
zte(cfg)#clear qos policy-counter <counterlist> Clears the counter that counts the specified flow.
zte(cfg)#clear qos policer-counter <counterlist> Clears the flow policer statistics value.
zte(cfg)#clear qos policer <0-383> Clears the flow policer configuration.
show qos policer [<0-383>] (all configuration modes) Displays the flow policer configuration.
show qos policy-counter [<0-1023>] (all configuration modes) Displays the counter value of the specified flow.
show qos policer-counter [<0-383>] (all configuration modes) Displays the flow policer statistics value.
show policy [mirror | redirect | statistics | policing [<0-383>]| vlan-remark | remark | harddrop] (all configuration modes)
Displays various binding configuration of the specified flow.
zte(cfg)#set icmp protect {enable|disable} Sets the ICMP protection function.
QoS Configuration Instance
• Configuration Description
Using the 2928E as an example, set the uplink bandwidth of every user interface to 2 Mbps. The uplink bandwidth of the switch is 20 Mbps. The uplink port is port 26 and the client PC accesses the network through port 24. See Figure 5-13.
Figure 5-13 QoS Configuration Instance
• Configuration Procedure
zte(cfg)#set qos traffic-limit fe-port 1 data-rate 2000
zte(cfg)#set qos traffic-limit fe-port 2 data-rate 2000
/*Omitted*/
zte(cfg)#set qos traffic-limit fe-port 24 data-rate 2000
zte(cfg)#set qos traffic-shaping ge-port 26 data-rate 20 burst-size 10
• Configuration Verification
zte(cfg)#show qos traffic-shaping port 26
Port Egress Traffic Shaping Table:
Port ID : 26
Port Shaping Rate (Kbps) : 20000 The Burst Size : 10
Queue 0 Shaping Rate (Kbps) : No-Limit The Burst Size : N/A
Queue 1 Shaping Rate (Kbps) : No-Limit The Burst Size : N/A
Queue 2 Shaping Rate (Kbps) : No-Limit The Burst Size : N/A
Queue 3 Shaping Rate (Kbps) : No-Limit The Burst Size : N/A
Queue 4 Shaping Rate (Kbps) : No-Limit The Burst Size : N/A
Queue 5 Shaping Rate (Kbps) : No-Limit The Burst Size : N/A
Queue 6 Shaping Rate (Kbps) : No-Limit The Burst Size : N/A
Queue 7 Shaping Rate (Kbps) : No-Limit The Burst Size : N/A
zte(cfg)#sho qos traffic-limit port 1
Port Ingress Traffic Limit Table:
Flags: DataRate - traffic limit rate (Kbps), BcEn - Enable Broadcast Limit
KucEn - Enable Known unicast Limit, McEn - Enable Multicast Limit
TcpSynEn - Enable TCP SYN Limit, UucEn - Enable Unknown unicast Limit
PORT DataRate(Kbps) BcEn KucEn McEn TcpSynEn UucEn
------- -------------- ----- ------ ----- --------- ------
port-1 2000 1 1 1 1 1
5.13 PVLAN Configuration
PVLAN Overview
To enhance network security, it is necessary to isolate users’ packets. A traditional solution is to allocate a VLAN for a user. This solution has obvious limits, as described below.
1. The IEEE 802.1Q standard supports 4094 VLANs at most. The number of users is limited, which is not good for network extension.
2. Each VLAN corresponds to an IP subnet. Too many subnets waste IP addresses.
3. Too many VLANs and IP subnets make it difficult to manage networks.
The Private VLAN (PVLAN) technology solves these problems.
A PVLAN divides ports in a VLAN into hybrid ports, isolated ports, and community ports.
• A hybrid port can communicate with any port.
• An isolated port can communicate only with a hybrid port, and it cannot communicate with other isolated ports.
• A community port can communicate with a hybrid port or another community port in the same session.
The ports within a VLAN are separated. Users can only communicate with their default gateways, and the network security is guaranteed.
The ZXR10 2900E series switches support four PVLAN sessions. Each PVLAN session supports an unlimited number of hybrid ports. Each PVLAN supports an unlimited number of isolated or community ports.
Configuring PVLAN
The PVLAN configuration includes the following commands:
Command Function
zte(cfg)#set vlan pvlan session <1-4>{promise-port<portlist>|promise-trunk<trunklist>}{isolate-port<portlist>|isolate-trunk<trunklist>}{communi-port<portlist>|communi-trunk<trunklist>}
Sets the PVLAN function.
clear vlan pvlan [session<1-4>] Clears the PVLAN configuration.
show vlan pvlan [session<1-4>] (all configuration modes) Displays the PVLAN configuration.
zte(cfg)#set vlan pvlan session <1-4>{promise-port<portlist>|promise-trunk<trunklist>|isolate-port<portlist>|isolate-trunk<trunklist>|communi-port <portlist>| communi-trunk<trunklist>}
Configures a type of PVLAN port.
PVLAN Configuration Example One
• Configuration Description
Add hybrid port 26 and isolated ports 1, 2, and 3 to session 1. See Figure 5-14.
Figure 5-14 PVLAN Configuration Example 1
• Configuration Procedure
zte(cfg)#set vlan pvlan session 1 promis-port 26 isolate-port 1-3
• Configuration Verification
zte(cfg)#show vlan pvlan
pvlan session : 1
promis-ports : 26
promis-trunks :
isolate-ports : 1-3
isolate-trunks :
community-ports :
community-trunks :
PVLAN Configuration Example Two
• Configuration Description
Add trunk 1 and isolated ports 4, 5 and 6 to session 2. See Figure 5-15.
Figure 5-15 PVLAN Configuration Example 2
• Configuration Procedure
1. Configuration of switch A:
zte(cfg)#set lacp enable
zte(cfg)#set lacp aggregator 1 add port 1-3
zte(cfg)#set lacp aggregator 1 mode dynamic
2. Configuration of switch B:
zte(cfg)#set lacp enable
zte(cfg)#set lacp aggregator 1 add port 1-3
zte(cfg)#set lacp aggregator 1 mode dynamic
zte(cfg)#set vlan pvlan session 2 promis-trunk 1 isolate-port 4-6
• Configuration Verification
zte(cfg)#show vlan pvlan
pvlan session : 1
promis-ports : 16
promis-trunks :
isolate-ports : 1-3
isolate-trunks :
community-ports :
community-trunks :
pvlan session : 2
promis-ports :
promis-trunks : 1
isolate-ports : 4-6
isolate-trunks :
community-ports :
community-trunks :
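The following added example (not part of the ZTE guide) parses text in the `show vlan pvlan` layout shown above and applies the three communication rules from the PVLAN overview, so an operator can confirm that ports meant to be isolated have no permitted layer-2 path to each other. The sample text, the member names such as `port-4`, and the function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample in the `show vlan pvlan` layout (not captured from a device).
SAMPLE = """\
pvlan session : 1
promis-ports : 26
promis-trunks :
isolate-ports : 1-3
isolate-trunks :
community-ports :
community-trunks :
pvlan session : 2
promis-ports :
promis-trunks : 1
isolate-ports : 4-6
isolate-trunks :
community-ports : 7,8
community-trunks :
"""

# Output field -> (role, member kind). "promis" members are the hybrid ports.
FIELDS = {
    "promis-ports": ("hybrid", "port"),
    "promis-trunks": ("hybrid", "trunk"),
    "isolate-ports": ("isolated", "port"),
    "isolate-trunks": ("isolated", "trunk"),
    "community-ports": ("community", "port"),
    "community-trunks": ("community", "trunk"),
}


def expand_list(spec):
    """Expand a list such as '1-3,5' into [1, 2, 3, 5]; an empty field gives []."""
    members = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        low, _, high = part.partition("-")
        members.extend(range(int(low), int(high or low) + 1))
    return members


def parse_pvlan(text):
    """Return {session_id: {member_name: role}} from `show vlan pvlan` text."""
    sessions, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == "pvlan session":
            current = sessions.setdefault(int(value), {})
        elif key in FIELDS and current is not None:
            role, kind = FIELDS[key]
            for number in expand_list(value):
                current[f"{kind}-{number}"] = role
    return sessions


def can_talk(roles, a, b):
    """Rules from the overview, for two members of the same session."""
    if "hybrid" in (roles[a], roles[b]):
        return True                       # a hybrid port talks to any port
    return roles[a] == roles[b] == "community"


def isolation_report(roles):
    """Split every member pair of one session into (allowed, blocked)."""
    allowed, blocked = [], []
    for a, b in combinations(sorted(roles), 2):
        (allowed if can_talk(roles, a, b) else blocked).append((a, b))
    return allowed, blocked


def leaks(roles, tenants):
    """Pairs of tenant-facing members that are still able to reach each other."""
    return [(a, b) for a, b in combinations(sorted(tenants), 2)
            if can_talk(roles, a, b)]


if __name__ == "__main__":
    for sid, roles in parse_pvlan(SAMPLE).items():
        allowed, blocked = isolation_report(roles)
        print(f"session {sid}: {len(allowed)} allowed, {len(blocked)} blocked")
        print("  tenant leaks:", leaks(roles, [m for m in roles if roles[m] != "hybrid"]))
```

In the constructed session 2, the community ports 7 and 8 are reported as a leak between tenants, which is the expected result if they belong to the same customer and a finding if they do not.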
5.14 Layer 2 Protocol Transparent Transmission Configuration
Layer 2 Protocol Transparent Transmission Overview
IEEE 802.1x is a port-based network access control protocol. Port-based network access control is a way to authenticate and authorize the users to be connected to the LAN equipment. This type of authentication provides a point-to-point subscriber identification method in the LAN.
The ZXR10 2900E provides an 802.1x transparent transmission function, which transparently transmits 802.1x protocol packets from the client to the authentication server for authentication.
In addition to 802.1x, the ZXR10 2900E provides layer-2 transparent transmission for protocols such as STP, LACP/OAM, ZGMP, LLDP and GVRP. The protocol range is 0x00, 0x02-0x2f.
The common layer-2 protocols are shown below.
Protocol Number Protocol
0x00 STP
0x02 LACP/OAM
0x03 802.1x
0x09 ZGMP
0x0E LLDP
0x21 GVRP
Configuring Layer 2 Protocol Transparent Transmission
The configuration of layer-2 protocol transparent transmission includes the following commands:
Command Function
zte(cfg)#set l2pt <protocol-list>{enable | disable | invalid} Enables or disables L2pt transparent transmission function.
show l2pt (all configuration modes) Displays the configuration of L2pt transparent transmission.
Layer 2 Protocol Transparent Transmission Configuration Instance
• Configuration Description
Enable the L2pt transparent transmission function for LACP on Switch 1 to implement link aggregation between Switch 2 and Switch 3. The configuration increases the link bandwidth and provides a redundant backup. See Figure 5-16.
Figure 5-16 Layer 2 Protocol Transparent Transmission Configuration Topology
• Configuration Procedure
zte(cfg)#set l2pt 0x02 enable
zte(cfg)#set vlan 100 enable
zte(cfg)#set vlan 100 add port 1, 3
zte(cfg)#set port 1,3 pvid 100
zte(cfg)#set vlan 200 enable
zte(cfg)#set vlan 200 add port 2, 4
zte(cfg)#set port 2,4 pvid 200
• Configuration Verification
Display the aggregation state of Switch 2 and Switch 3:
zte(cfg)#show lacp aggregator 1
Group 1
Actor Partner
------------------------------- ----------------------------
Priority : 32768 32768
Mac : 00.d0.d0.02.00.54 00.d0.d0.29.52.06
Key : 258 258
Ports : 2, 1 2, 1
5.15 IPv4 Layer 3 Configuration
IPv4 Layer 3 Overview
The ZXR10 2900E provides a few IPv4 layer-3 functions for remote configuration and management. To realize remote access, an IP port must be configured on the switch. If the IP port of the remote configuration host and that of the switch are not in the same network segment, it is also necessary to configure a static route.
Static route is a simple unicast route protocol. The next-hop address to a destination network segment is specified by a user, where the next hop is also called the gateway. A static route involves the destination address, destination address mask, next-hop address, and egress interface. The destination address and destination address mask describe the destination network information. The next-hop address and egress interface describe the way that the switch forwards destination packets.
The ZXR10 2900E allows adding and deleting static ARP table entries. The ARP table records the mapping relationship between the IP address and the MAC address of each node in the same network. When sending IP packets, the switch first checks whether the destination IP address is in the same network segment. If yes, the switch checks whether there is a peer end IP address and MAC address mapping entry in the ARP table.
1. If yes, the switch directly sends the IP packets to this MAC address.
2. If the MAC address corresponding to the peer end IP address cannot be found in the ARP table, an ARP Request broadcast packet will be sent to the network to query the peer end MAC address.
Entries of the ARP table on the switch are dynamic. A static ARP table entry needs to be configured only when the connected host cannot respond to the ARP Request.
Switch layer-3 configuration includes the following commands:
• Connectivity test
• Layer 3 interface related configuration
• ARP related configuration
• Static route related configuration
The ZXR10 2900E series system supports the hardware routing function to increase IP packet forwarding speed.
To configure the IPv4 layer-3 function, use the config router command to enter the layer-3 configuration mode first.
Configuring IPv4 Layer 3 Functions
The configuration of the IPv4 L3 functions includes the following contents:
Command Function
zte(cfg)#ping <A.B.C.D>[<0-65535>[<28-65535>[<1-255>[<0-65535>[<A.B.C.D>]]]]]
Detects the network connectivity.
zte(cfg)#trace <A.B.C.D>[max-ttl <1-255>[min-ttl<1-255>[repeat <1-65535>[source <A.B.C.D>[timeout<1-60>[udp-port <1-65535>]]]]]]
Router trace, which is used to determine the path of IP data messages to access the destination.
zte(cfg-router)#set ipport <0-63>{enable | disable} Enables or disables a layer-3 interface.
zte(cfg-router)#set ipport <0-63> ipaddress {<A.B.C.D/M>|<A.B.C.D>< A.B.C.D>}
Sets the IP address and subnet mask of a layer-3 port.
zte(cfg-router)#set ipport <0-63> mac <HH.HH.HH.HH.HH.HH>
Sets the MAC address of layer-3 port.
zte(cfg-router)#set ipport <0-63> vlan <1-4094> Sets the VLAN binding with layer-3 port.
zte(cfg-router)#iproute {<A.B.C.D/M>|<A.B.C.D>< A.B.C.D>}<A.B.C.D>[<1-15>][description <string>]
Adds a static route.
zte(cfg-router)#arp add <A.B.C.D><HH.HH.HH.HH.HH.HH><0-63>
Adds a static ARP.
zte(cfg-router)#arp delete <A.B.C.D> Deletes a static ARP.
zte(cfg-router)#arp ipport <0-63> timeout <1-1000> Sets ARP entry aging time based on layer-3 interface.
zte(cfg-router)#arp gratuitous-send <5-4294967295> Enables the gratuitous (free) ARP function and sets the period for sending gratuitous ARP messages.
zte(cfg-router)#clear arp Clears dynamic ARP entry in batches.
zte(cfg-router)#clear iproute [{<A.B.C.D/M>|<A.B.C.D><A.B.C.D>}<A.B.C.D>]
Clears static routing entry.
zte(cfg-router)#clear ipport <0-63>[mac | ipaddress | vlan | dhcp ]
Deletes ipport configuration.
zte(cfg-router)#clear gratuitous-send Disables the gratuitous (free) ARP function.
zte(cfg-router)#hardware-iproute {enable | disable} Enables or disables the hardware routing function.
zte(cfg-router)#show arp [static | dynamic | invalid | ipport<0-63>[static | dynamic | invalid]| ipaddress <A.B.C.D>]
Displays the ARP table item information and gratuitous (free) ARP function status according to various rules.
show ipport [<0-63>] (all configuration modes) Displays ipport layer-3 interface configuration.
show iproute (all configuration modes) Displays all routing information.
show hardware-iproute (all configuration modes) Displays hardware routing configuration.
IPv4 Layer 3 Configuration Instance
• Configuration Description
Set the layer-3 IP address to 192.168.1.2 on the switch. The IP address 192.168.1.2 can ping the IP address 192.168.1.1 successfully. Bind vlan100 with 192.168.1.2. Port 1 on the switch connects to the PC. See Figure 5-17.
Figure 5-17 Layer-3 Configuration Instance
• Configuration Procedure
zte(cfg)#set vlan 100 enable
zte(cfg)#set vlan 100 add port 1
zte(cfg)#set port 1 pvid 100
zte(cfg)#config route
zte(cfg-router)#set ipport 0 ipaddress 192.168.1.2 255.255.255.0
zte(cfg-router)#set ipport 0 vlan 100
zte(cfg-router)#set ipport 0 enable
• Configuration Verification
zte(cfg-router)#show ipport
IpPort En/Disable IpAddress Mask MacAddress VlanId
------ ---------- ------------ -------------- ----------------- ------
0 enabled 192.168.1.2 255.255.255.0 00.d0.d0.fa.29.20 100
zte(cfg-router)#exit
Use the ping command to check whether the layer-3 port is available.
zte(cfg)#ping 192.168.1.1
Reply from 192.168.1.1 : bytes=28 time<1ms TTL=64
Reply from 192.168.1.1 : bytes=28 time<1ms TTL=64
Reply from 192.168.1.1 : bytes=28 time<1ms TTL=64
Reply from 192.168.1.1 : bytes=28 time<1ms TTL=64
Reply from 192.168.1.1 : bytes=28 time<1ms TTL=64
5.16 IPv6 Layer 3 Configuration
IPv6 Layer 3 Function Overview
The ZXR10 2900E supports IPv6 layer-3 functions for remote configuration and management. The Layer 3 functions are as follows:
1. IPv6 interface configuration
2. Ping v6 for checking network connectivity
3. Telnet v6 server for remote login and configuration
Configuring IPv6 Layer 3 Functions
The configuration of IPv6 Layer 3 functions includes the following commands:
Command Function
zte(cfg-router)#set ipv6port <0> vlan <1-4094> Sets a VLAN associated with an IPv6 Layer 3 interface.
zte(cfg-router)#set ipv6port <0> ipv6address {<ipv6Addr/M>|<ipv6Addr><wildcard>}
Sets an IPv6 address and address prefix length of an IPv6 Layer 3 interface.
zte(cfg-router)#set ipv6port <0>{enable | disable} Enables or disables an IPv6 Layer 3 interface.
zte(cfg-router)#ipv6route default <ipv6Addr> Adds an IPv6 static route.
zte(cfg-router)#clear ipv6port <0>[ipv6address<ipv6Addr/M>]
Clears IPv6 Layer 3 interface configuration.
zte(cfg-router)#clear ipv6route default Clears the IPv6 default route.
show ipv6port (all configuration modes) Displays IPv6 Layer 3 interface configuration.
show ipv6route (all configuration modes) Displays IPv6 route configuration.
show ipv6port <0> nd (all configuration modes) Displays IPv6 device neighbor information, similar to the function of the show arp command in IPv4.
zte(cfg)#ping6 <ipv6Addr>[<0-65535>[<48-1280>[<1-255>[<0-65535>]]]]
Checks network connectivity, similar to the function of the ping command in IPv4.
Layer-3 IPv6 Configuration Instance
• Configuration Description
On a switch, configure IPv6 address 12:12::c055:40, bind VLAN 300, configure the gateway, and set the port connected to the PC to port 10. On a PC, configure an IPv6 address and interface route. See Figure 5-18.
Figure 5-18 Layer-3 IPv6 Configuration Instance
• Configuration Procedure
zte(cfg)#set vlan 300 enable
zte(cfg)#set vlan 300 add port 10
zte(cfg)#set port 10 pvid 300
zte(cfg)#config route
zte(cfg-router)#set ipv6port 0 ipv6address 12:12::c055:40/128
zte(cfg-router)#set ipv6port 0 vlan 300
zte(cfg-router)#set ipv6port 0 enable
zte(cfg-router)#ipv6route default 12:12::c055:12
• Configuration Verification
zte(cfg-router)#show ipv6port
IpPort Status Ipv6AddrNum MacAddress VlanId IpMode
------ ------ --------------- ----------------- ------ ------
0 up 1 00.22.93.63.4f.70 300 static
Use the ping command to check whether the layer-3 port is available.
zte(cfg)#ping6 12:12::c055:40
Reply from 12:12::c055:40 : bytes=48 time<1ms TTL=64
Reply from 12:12::c055:40 : bytes=48 time<1ms TTL=64
Reply from 12:12::c055:40 : bytes=48 time<1ms TTL=64
Reply from 12:12::c055:40 : bytes=48 time<1ms TTL=64
Reply from 12:12::c055:40 : bytes=48 time<1ms TTL=64
5.17 DAI Configuration
DAI Overview
Because so many ARP man-in-the-middle attacks happen, Dynamic ARP Inspection (DAI) is introduced in the ZXR10 2900E. DAI checks each ARP packet received by the switch. If the packet meets the conditions, it is forwarded. Otherwise it is dropped.
DAI depends on the trust state of the switch port. An ARP packet received on a trusted port bypasses all DAI checks. An ARP packet received on a non-trusted port must pass the DAI validity test.
Configuring DAI
The DAI configuration includes the following commands:
Command Function
zte(cfg)#set arp-inspection validate {ip | dst-mac | src-mac}{enable | disable}
Enables or disables the inspection of each field of an ARP packet.
zte(cfg)#set arp-inspection vlan <vlanlist>{enable | disable} Enables or disables DAI function based on the VLAN.
zte(cfg)#set arp-inspection port <portlist>{trust | untrust} Sets a port to a trusted or untrusted port.
zte(cfg)#set arp-inspection port <portlist> limit {<1-100>| infinite}
Sets the maximum number of ARP packets in the unit time.
show arp-inspection (all configuration modes) Displays DAI function configuration information.
DAI Configuration Instance
• Configuration Description
When DHCP snooping is enabled, check ARP packet validity and the correspondence between MAC, IP and VLAN. An illegal packet is dropped, and the rate at which ARP packets from a non-trusted port are sent to the CPU is limited. See Figure 5-19.
Figure 5-19 DAI Configuration Instance Topology
• Configuration Procedure
zte(cfg)#set dhcp snooping-and-option82 enable
zte(cfg)#set dhcp snooping add port 49,50
zte(cfg)#set dhcp port 49 client
zte(cfg)#set dhcp port 50 server
zte(cfg)#show dhcp snooping
DHCP snooping is enabled on the following port(s):
PortId PortType
------ --------
49 Client
50 Server
zte(cfg)#set arp-inspection vlan 1 enable
zte(cfg)#set arp-inspection port 49 untrust
zte(cfg)#set arp-inspection port 49 limit 15
zte(cfg)#set arp-inspection validate ip enable
zte(cfg)#set arp-inspection validate dst-mac enable
zte(cfg)#set arp-inspection validate src-mac enable
Note:
DAI detection condition: the port sending packets is a non-trusted port, and the DAI function is enabled on the VLAN. When DHCP Snooping is enabled and a non-trusted port is added into DHCP Snooping, DAI detection is valid.
• Configuration Verification
zte(cfg)#show arp-inspection
Enabled validation: ip,dst-mac,src-mac
Enabled vlanlist : 1
PortId TrustType Limit(pps)
------ --------- ----------
49 Untrust 15
50 Trust -
51 Trust -
52 Trust -
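The decision path described in this section can be modelled as follows. This is an added example, not ZTE's implementation: the class and field names, the MAC and IP values, and the one-second counting window are constructed, and the meaning given to the `ip`, `dst-mac` and `src-mac` checks follows the common DAI convention, which the guide does not spell out.

```python
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Arp:
    port: int          # ingress port
    vlan: int
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    op: str            # "request" or "reply"
    sender_mac: str    # ARP payload fields
    sender_ip: str
    target_mac: str
    target_ip: str
    ts: float = 0.0    # arrival time in seconds


@dataclass
class Dai:
    vlans: set         # VLANs with arp-inspection enabled
    untrusted: dict    # untrusted port -> limit in pps (None = infinite)
    bindings: set      # {(mac, ip, vlan)} learned by DHCP snooping
    validate: frozenset = frozenset({"ip", "dst-mac", "src-mac"})
    window: dict = field(default_factory=dict)   # port -> (second, count)

    def over_limit(self, pkt):
        """Count ARP packets per port in one-second windows (assumed unit time)."""
        second = int(pkt.ts)
        start, count = self.window.get(pkt.port, (second, 0))
        count = count + 1 if start == second else 1
        self.window[pkt.port] = (second, count)
        limit = self.untrusted[pkt.port]
        return limit is not None and count > limit

    @staticmethod
    def bad_ip(ip):
        addr = ipaddress.ip_address(ip)
        return addr.is_unspecified or addr.is_multicast or ip == "255.255.255.255"

    def inspect(self, pkt):
        # Trusted ports and VLANs without DAI skip every check.
        if pkt.vlan not in self.vlans or pkt.port not in self.untrusted:
            return "forward (not inspected)"
        if self.over_limit(pkt):
            return "drop: rate limit"
        if "src-mac" in self.validate and pkt.eth_src != pkt.sender_mac:
            return "drop: src-mac"
        if ("dst-mac" in self.validate and pkt.op == "reply"
                and pkt.eth_dst != pkt.target_mac):
            return "drop: dst-mac"
        if "ip" in self.validate and (
                self.bad_ip(pkt.sender_ip)
                or (pkt.op == "reply" and self.bad_ip(pkt.target_ip))):
            return "drop: ip"
        # MAC / IP / VLAN must match a DHCP snooping binding.
        if (pkt.sender_mac, pkt.sender_ip, pkt.vlan) not in self.bindings:
            return "drop: no binding"
        return "forward"


def demo():
    host = "00.d0.d0.aa.00.01"                       # constructed client MAC
    dai = Dai(vlans={1}, untrusted={49: 15},         # port 49 untrust, limit 15
              bindings={(host, "192.168.1.10", 1)})  # constructed binding
    legit = Arp(port=49, vlan=1, eth_src=host, eth_dst="ff.ff.ff.ff.ff.ff",
                op="request", sender_mac=host, sender_ip="192.168.1.10",
                target_mac="00.00.00.00.00.00", target_ip="192.168.1.1")
    spoof = replace(legit, sender_ip="192.168.1.1")  # claims the gateway's IP
    results = {
        "legit": dai.inspect(legit),
        "spoof": dai.inspect(spoof),
        "spoof_on_trusted_port": dai.inspect(replace(spoof, port=50)),
        "forged_src_mac": dai.inspect(replace(legit, eth_src="00.d0.d0.aa.00.99")),
        "bad_ip": dai.inspect(replace(legit, sender_ip="0.0.0.0")),
    }
    # 16 valid packets inside one second: the 16th exceeds the limit of 15.
    results["burst"] = [dai.inspect(replace(legit, ts=10 + i / 100))
                        for i in range(16)]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

The `spoof_on_trusted_port` case is the one to watch in a real deployment: a spoofed packet is forwarded unchecked when it arrives on a trusted port, so only uplinks toward other DAI-enforcing devices should be set to `trust`.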
5.18 Access Service Configuration
Access Service Overview
With the rapid expansion of Ethernet, to meet the fast increase of subscribers and the requirement for diversified broadband services, a Network Access Service (NAS) is embedded on the switch to improve the authentication and management of access subscribers and better support the billing, security, operation, and management of the broadband network.
NAS uses the 802.1x protocol and RADIUS protocol to realize the authentication and management of access subscribers. It is highly efficient, safe, and easy to operate.
IEEE 802.1x is called the port-based network access control protocol. Its protocol system includes three key parts: client system, authentication system, and authentication server.
• The client system is a user terminal system installed with the client software. A subscriber originates the IEEE 802.1x protocol authentication process through this client software. To support port-based network access control, the client system must support the Extensible Authentication Protocol Over LAN (EAPOL).
• The authentication system is network equipment that supports the IEEE 802.1x protocol. Corresponding to the ports of different subscribers (the ports can be physical ports or MAC address, VLAN, or IP address of the user equipment), the authentication system has two logical ports: controlled port and uncontrolled port.
1. The uncontrolled port is always in the state that the bidirectional connections are available. It is used to transfer the EAPOL frames and can ensure that the client can always send or receive the authentication.
2. The controlled port is enabled only when the authentication is passed. It is used to transfer the network resources and services. The controlled port can be configured as bidirectional controlled or input controlled to meet the requirements of different applications. If the subscriber authentication is not passed, this subscriber cannot visit the services provided by the authentication system.
3. The controlled port and uncontrolled port in the IEEE 802.1x protocol are logical ports. There are no such physical ports on the equipment. The IEEE 802.1x protocol sets up a local authentication channel for each subscriber, and other subscribers cannot use it. This prevents the port from being used by other subscribers after the port is enabled.
• The authentication server is a RADIUS server. This server can store a lot of subscriber information, such as the VLAN that the subscriber belongs to, CAR parameters, priority, and subscriber access control list. After the authentication of a subscriber is passed, the authentication server will pass the information of this subscriber to the authentication system, which will create a dynamic access control list. The subsequent flow of the subscriber will be monitored by the above parameters. The authentication system communicates with the RADIUS server through the RADIUS protocol.
RADIUS is a protocol standard used for the authentication, authorization, and exchange of configuration data between the RADIUS server and RADIUS client.
RADIUS uses the Client/Server mode. The Client runs on the NAS. It is responsible for sending the subscriber information to the specified RADIUS server and carrying out operations according to the result returned by the server.
The RADIUS Authentication Server is responsible for receiving the subscriber connection request, verifying the subscriber identity, and returning the configuration information required by the customer. A RADIUS Authentication Server can serve as a RADIUS customer proxy to connect to another RADIUS Authentication Server.
The RADIUS Accounting Server is responsible for receiving the subscriber billing start request and subscriber billing stop request, and completing the billing function.
The NAS communicates with the RADIUS Server through RADIUS packets. Attributes in the RADIUS packets are used to transfer the detailed authentication, authorization, and billing information.
The EAP protocol is used between the switch and the subscriber. Three types of identity authentication methods are provided between the RADIUS servers: PAP, CHAP, and EAP-MD5. Any of the methods can be used according to different service operation requirements.
• Password Authentication Protocol (PAP)
PAP is a simple plain text authentication mode. NAS requires the subscriber to provide the username and password and the subscriber returns the subscriber information in the form of plain text. The server checks whether this subscriber is available and whether the password is correct according to the subscriber configuration and returns different responses. This authentication mode features poor security and the username and password transferred may be easily stolen.
For the process of using the PAP mode for identity authentication, see Figure 5-20.
Figure 5-20 Using PAP Mode for Identity Authentication
• Challenge Handshake Authentication Protocol (CHAP)
CHAP is an encrypted authentication mode and avoids the transmission of the user’s real password upon connection setup. NAS sends a randomly generated Challenge string to the user. The user encrypts the Challenge string by using the user’s password and MD5 algorithm and returns the username and encrypted Challenge string (encrypted password).
The server uses the user password it stores and the MD5 algorithm to encrypt the Challenge string. Then it compares its result with the encrypted password returned by the user and returns a response accordingly.
For the process of using the CHAP mode for identity authentication, see Figure 5-21.
Figure 5-21 Using CHAP Mode for Identity Authentication
• Extensible Authentication Protocol - Message Digest 5 (EAP-MD5)
EAP is an authentication mode in which EAP messages are transmitted transparently. It includes EAP-MD5 and PEAP. The following description covers EAP-MD5.
EAP-MD5 is a CHAP identity authentication mechanism used in the EAP framework structure. For the process of using the EAP-MD5 mode for identity authentication, see Figure 5-22.
Figure 5-22 Using EAP Mode for Identity Authentication
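The challenge and response computation that the CHAP and EAP-MD5 items describe, shown with both sides of the exchange. This is an added example, not code from the guide or the switch: it assumes the RFC 1994 construction MD5(identifier || password || challenge), and the user name, password and class names are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier, password, challenge):
    """CHAP value per RFC 1994: MD5 over identifier, password and challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Server:
    """Authentication side: issues challenges and checks responses."""

    def __init__(self, users):
        self.users = users        # username -> password (stored in clear)
        self.pending = {}         # username -> (identifier, challenge)
        self.next_id = 0

    def challenge(self, username):
        """Issue a fresh random challenge; it replaces any older one."""
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.pending[username] = (self.next_id, value)
        return self.next_id, value

    def verify(self, username, identifier, response):
        issued = self.pending.pop(username, None)   # each challenge is single use
        password = self.users.get(username)
        if issued is None or password is None or issued[0] != identifier:
            return False
        expected = chap_response(identifier, password, issued[1])
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    password = b"correct horse"                  # constructed credential
    server = Server({"alice": password})

    # Normal exchange: the client hashes the challenge with its password.
    ident, chal = server.challenge("alice")
    response = chap_response(ident, password, chal)
    results = {"valid": server.verify("alice", ident, response)}

    # The same response sent again finds no outstanding challenge.
    results["reused"] = server.verify("alice", ident, response)

    # A recorded response does not match a newly issued challenge.
    ident2, _ = server.challenge("alice")
    results["replayed"] = server.verify("alice", ident2, response)

    # A wrong password yields a different digest.
    ident3, chal3 = server.challenge("alice")
    wrong = chap_response(ident3, b"guess", chal3)
    results["wrong_password"] = server.verify("alice", ident3, wrong)

    # Only the challenge and the 16-byte digest cross the link.
    results["password_on_wire"] = password in (chal + response)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Both sides must hold the clear-text password to compute the digest, which matches the guide's statement that the server uses "the user password it stores".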
Configuring Access Service
The access service configuration includes the following commands:
Command Function
zte(cfg)#set port <portlist> vlanjump {enable [defaultauthvlan<1-4094>]| disable]}
Enables or disables the vlan jump
after user 802.1x authentication.
zte(cfg-nas)#dot1x re-authenticate {enable | disable} Enables or disables re-authentication function.
zte(cfg-nas)#dot1x re-authenticate period <1-4294967295> Sets the time interval for re-authentication.
zte(cfg-nas)#dot1x quiet-period <0-65535> Sets quiet period of authentication.
zte(cfg-nas)#dot1x tx-period <1-65535> Sets the time that the authentication system needs to wait before it can retransmit the EAPOL data packet because it does not receive the response from the client.
zte(cfg-nas)#dot1x supplicant-timeout <1-65535> Sets the time-out time for the authentication system to receive the data packets from the authentication client system.
zte(cfg-nas)#dot1x server-timeout <1-65535> Sets the time-out time for the authentication system to receive the data packets from the authentication server.
zte(cfg-nas)#dot1x max-request <1-10> Sets the maximum times of request retransmission when the timer expires before the authentication system receives the Challenge response from the client.
zte(cfg-nas)#dot1x add vlan <1-4094> [mac <HH.HH.HH.HH.HH.HH>] Sets the private MAC address that DOT1X protocol can use.
zte(cfg-nas)#dot1x delete vlan <1-4094> Deletes the private MAC address that DOT1X protocol can use.
zte(cfg-nas)#clear client Deletes all clients.
zte(cfg-nas)#clear client index <0-255> Clears the specified client.
zte(cfg-nas)#clear client {port <portlist> | vlan <vlanlist>} Deletes the client end user of specified port/VLAN.
show dot1x (all configuration modes) Displays 802.1x configuration information.
show client (all configuration modes) Displays the information of all access users.
show client index <0-255> (all configuration modes) Displays the information of an access user.
show client mac <HH.HH.HH.HH.HH.HH> (all configuration modes) Displays access user information on the specified MAC address.
show client port <portlist> (all configuration modes) Displays access user information on the specified port.
zte(cfg-nas)#aaa-control port <portlist> dot1x {enable | disable} Enables or disables port 802.1x access authentication function.
zte(cfg-nas)#aaa-control port <portlist> port-mode {auto | force-unauthorized | force-authorized} Sets the authentication control mode of the port.
zte(cfg-nas)#aaa-control port <portlist> protocol {pap | chap | eap} Sets the authentication mode of the port.
zte(cfg-nas)#aaa-control port <portlist> accounting {enable | disable} Enables or disables port accounting function.
zte(cfg-nas)#aaa-control port <portlist> multiple-hosts {enable | disable} This allows or prohibits multi-subscriber access of the port.
zte(cfg-nas)#aaa-control port <portlist> max-hosts <0-256> Sets the maximum number of subscribers connected through the port.
zte(cfg-nas)#aaa-control port <portlist> keepalive {enable | disable} Enables or disables the abnormal off-line detection mechanism of the port.
zte(cfg-nas)#aaa-control port <portlist> keepalive period <1-3600> Sets the abnormal off-line detection period of the port.
zte(cfg-nas)#aaa-control port <portlist> keepalive antiproxy {add | delete} {character-detect | ip-modified | multi-card | multi-ipaddress | packet-analyse | port-detect | service-detect | tcp-session <1-65535> | udp-session <1-65535>} Enables or disables the port anti-deception rule.
zte(cfg-nas)#aaa-control port <portlist> keepalive antidhcp {enable | disable} Enables or disables the port anti-DHCP-deception rule.
zte(cfg-nas)#aaa-control port <portlist> keepalive client-ip {enable | disable} Enables or disables the function of acquiring the user’s IP address.
show aaa-control port [<portlist>] (all configuration modes) Displays port AAA configuration information.
zte(cfg-nas)#radius isp <ispname> {enable | disable} Adds or deletes one ISP domain.
zte(cfg-nas)#radius isp <ispname> {add | delete} accounting <A.B.C.D> [<0-65535>] Adds or deletes accounting server in the ISP.
zte(cfg-nas)#radius isp <ispname> {add | delete} authenticate <A.B.C.D> [<0-65535>] Adds or deletes authentication server in the ISP.
zte(cfg-nas)#radius isp <ispname> client <A.B.C.D> Sets RADIUS client end address.
zte(cfg-nas)#radius isp <ispname> sharedsecret <string> Sets the shared password of the ISP domain (public key).
zte(cfg-nas)#radius isp <ispname> sharedsecret-encrypt <string> Sets the shared password encrypt of the ISP domain (public key).
zte(cfg-nas)#radius isp <ispname> fullaccount {enable | disable} Sets or deletes the full account of the domain.
zte(cfg-nas)#radius isp <ispname> defaultisp {enable | disable} This specifies a default domain.
zte(cfg-nas)#radius isp <ispname> description <string> Sets the domain description.
zte(cfg-nas)#radius nasname <nasname> Sets the NAS server name.
zte(cfg-nas)#radius delimiter <ispdelimiter> Sets Radius authentication domain name delimiter.
zte(cfg-nas)#radius keep-time <0-4294967295> Sets keep time of radius accounting packets failed to be sent.
zte(cfg-nas)#radius timeout <1-255> Sets the server response time-out time.
zte(cfg-nas)#radius retransmit <1-255> Sets the number of retransmissions upon server response time-out.
zte(cfg-nas)#radius vendor-id <3902,10008> Sets the vendor ID of the NAS device.
zte(cfg-nas)#clear accounting-stop {session-id <session-id> | user-name <user-name> | isp-name <isp-name> | server-ip <A.B.C.D>} Deletes radius accounting packets failed to be sent.
show radius [ispname <ispname>] (all configuration modes) Displays radius configuration information.
show radius accounting-stop [{session-id <session-id> | user-name <user-name> | isp-name <isp-name> | server-ip <A.B.C.D>}] (all configuration modes) Displays RADIUS accounting packets failed to be sent.
Access Service Configuration Instance
• Configuration Description
The user installs a radius client on a PC. The switch connects the radius server and the user’s PC through a network cable. The user can log in to the switch through the console port and configure the access server, and then enable client software on the user PC to originate authentication request. See Figure 5-23.
Figure 5-23 Access Authentication Configuration Instance
• Configuration Procedure
1. Configure layer-3 interface commands
zte(cfg-router)#set ipport 0 ip 10.40.89.106/24
zte(cfg-router)#set ipport 0 vlan 1
zte(cfg-router)#set ipport 0 enable
2. Configure 802.1X commands
zte(cfg)#set port 2 security enable
zte(cfg)#config nas
zte(cfg-nas)#aaa-control port 2 dot1x enable
zte(cfg-nas)#aaa-control port 2 keepalive enable
zte(cfg-nas)#aaa-control port 2 accounting enable
3. Configure radius commands
zte(zte)#config nas
zte(cfg-nas)#radius isp zte enable
zte(cfg-nas)#radius isp zte defaultisp enable
zte(cfg-nas)#radius isp zte sharedsecret 1234
zte(cfg-nas)#radius isp zte client 10.40.89.106
zte(cfg-nas)#radius isp zte add accounting 10.40.89.78
zte(cfg-nas)#radius isp zte add authentication 10.40.89.78
4. Enable radius client software on the PC and input a correct username and password. Then the authentication request is sent.
Note:
Disable the security proxy such as Sygate before the user PC sends the authentication request.
• Configuration Verification
When the authentication request succeeds, view the user information by using the show client command.
zte(cfg)#show client
MaxClients : 256 HistoryAccessClientsTotal : 1
OnlineClients: 1 HistoryFailureClientsTotal: 0
Flags:I-Index,Au-Authorized,P-PortId,US-UpSpeed,DS-DownSpeed,Y-yes,N-no
I UserName Au P Vlan MacAddress US DS ElapsedTime
--- ------------- -- ---- ---- ----------------- ------ ------ ------------
0 liushujie Y 2 1 00.19.e0.1a.97.dd 0 0 0:0:0:22
5.19 MAC Authentication Configuration
MAC Authentication Overview
On current networks, many devices (such as IP phones and printers) do not support the authentication client. When connected to networks, the devices cannot initiate DOT1X authentication.
MAC authentication means that, with a MAC address segment configured on a device, when the device detects that a MAC address belongs to the address segment, a switch agent initiates authentication. The user's MAC address is used as a username and password. If a RADIUS server returns a message indicating that the authentication succeeded, the device can access the network.
Configuring MAC Authentication
The MAC authentication configuration includes the following commands:
Command Function
zte(cfg-nas)#aaa-control mac-authentication {enable | disable} Enables or disables the MAC authentication function.
zte(cfg-nas)#aaa-control mac-authentication session <1-3> range <HH.HH.HH.HH.HH.HH> <HH.HH.HH.HH.HH.HH> Adds the range of MAC addresses that need authentication in unit of session.
zte(cfg-nas)#clear mac-authentication session <1-3> Clears the range of MAC addresses in unit of session.
zte(cfg-nas)#clear mac-authentication client Clears all clients with authenticated MAC addresses.
zte(cfg-nas)#clear mac-authentication client mac <HH.HH.HH.HH.HH.HH> Clears a specific MAC authentication client.
zte(cfg-nas)#clear mac-authentication client {port <portlist> | vlan <vlanlist>} Clears clients on a specific port or in a specific VLAN.
show aaa mac-authentication (all configuration modes) Displays MAC authentication configuration information.
show aaa mac-authentication client (all configuration modes) Displays information of all MAC authentication clients.
5.20 QinQ Configuration
QinQ Overview
QinQ is the IEEE 802.1Q tunneling protocol and is also called VLAN stacking. The QinQ technology is the addition of one more VLAN tag (outer tag) to the original VLAN tag (inner tag). The outer tag can shield the inner tag.
QinQ does not need any protocol support. A simple Layer 2 Virtual Private Network (L2VPN) can be realized through QinQ. QinQ is especially suitable for the small-sized LAN that takes the layer-3 switch as its backbone.
For the typical network of the QinQ technology, see Figure 5-24. The port connected to the user network is called Customer port. The port connected to the ISP network is called Uplink port. The edge access equipment of the ISP network is called Provider Edge (PE).
Figure 5-24 Typical QinQ Network
The user network is connected to the PE through the Trunk VLAN mode. The internal Uplink ports of the ISP network are symmetrically connected through the Trunk VLAN mode.
1. When a packet is sent from user network 1 to the customer port of switch A, because the PORTBASE VLAN-based customer port does not identify the tag when receiving the packet, the customer port processes the packet as an untagged packet no matter whether this data packet is attached with the VLAN tag or not. The packet is forwarded by the VLAN 10, which is determined by the PVID.
2. The uplink port of switch A inserts the outer tag (VLAN ID: 10) when forwarding the data packet received from the customer port. The tpid of this tag can be configured on the switch. Inside the ISP network, the packet is broadcast along the port of VLAN 10 until it reaches the switch B.
3. Switch B finds out that the port connected to user network 2 is a customer port. Thus, it removes the outer tag in compliance with the conventional 802.1Q protocol to recover the original packet and sends the packet to user network 2.
4. In this way, data between user network 1 and user network 2 can be transmitted transparently. The VLAN ID of the user network can be planned regardless of the conflict with the VLAN ID in the ISP network.
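The four steps above, carried out on real frame bytes, as an added example that is not part of the ZTE guide. The MAC addresses, the customer VLAN 20 and the uplink TPID value 0x88A8 are constructed sample values; the outer VLAN 10 comes from the walk-through.

```python
import struct

TPID_CTAG = 0x8100    # standard 802.1Q TPID carried by the customer's own tag
TPID_UPLINK = 0x88A8  # sample egress TPID for the uplink port (assumed value)

def build_frame(dst, src, ethertype, payload, tags=()):
    """Build an Ethernet frame; tags are (tpid, vid) pairs, outermost first."""
    frame = dst + src
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

def parse_tags(frame, tpids):
    """Return (tags, ethertype) as seen by a device that recognises only `tpids`."""
    tags, off = [], 12
    while len(frame) >= off + 2:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in tpids:
            return tags, etype
        if len(frame) < off + 4:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))
        off += 4
    raise ValueError("truncated frame")

def push_outer(frame, vid, tpid):
    """Insert an outer tag directly after the source MAC address."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    return frame[:12] + struct.pack("!HH", tpid, vid) + frame[12:]

def pop_outer(frame, tpid):
    """Remove the outer tag; refuse frames whose outer TPID is not `tpid`."""
    if len(frame) < 18:
        raise ValueError("truncated frame")
    etype, tci = struct.unpack_from("!HH", frame, 12)
    if etype != tpid:
        raise ValueError("outer tag missing or TPID mismatch")
    return tci & 0x0FFF, frame[:12] + frame[16:]

def customer_to_uplink(frame, pvid, egress_tpid):
    """Switch A, steps 1-2: the customer port ignores any tag already present
    and forwards in the PVID VLAN; the uplink port inserts the outer tag."""
    return push_outer(frame, pvid, egress_tpid)

def uplink_to_customer(frame, ingress_tpid):
    """Switch B, step 3: strip the outer tag to recover the original packet."""
    return pop_outer(frame, ingress_tpid)

def walk_through():
    dst = bytes.fromhex("020000000002")   # constructed MAC addresses
    src = bytes.fromhex("020000000001")
    original = build_frame(dst, src, 0x0800, b"user data", [(TPID_CTAG, 20)])
    in_isp = customer_to_uplink(original, pvid=10, egress_tpid=TPID_UPLINK)
    outer_vid, delivered = uplink_to_customer(in_isp, TPID_UPLINK)
    return {
        "tags_in_isp": parse_tags(in_isp, {TPID_CTAG, TPID_UPLINK})[0],
        # A device that only knows 0x8100 sees no VLAN tag at all.
        "seen_by_8100_only_device": parse_tags(in_isp, {TPID_CTAG}),
        "outer_vid": outer_vid,
        "delivered_unchanged": delivered == original,
    }

if __name__ == "__main__":
    print(walk_through())
```

The `seen_by_8100_only_device` result shows why the egress and ingress TPID templates must agree on every switch along the path: with a mismatched TPID the outer tag is not recognised and the VLAN separation it provides is lost.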
Configuring QinQ
The QinQ configuration includes the following commands:
Command Function
zte(cfg)#set vlan qinq customer port <portlist> {enable | disable} Adds or deletes a customer port.
zte(cfg)#set vlan qinq uplink port <portlist> {enable | disable} Adds or deletes an uplink port.
zte(cfg)#set vlan egress-tpid session <1-7> tpid-value <0xHHHH> Sets an egress TPID template.
zte(cfg)#set port <portlist> egress-tpid {default | session <1-7>} Sets the binding between the port and the template.
show vlan egress-tpid (all configuration modes) Displays the egress-tpid value of each template.
zte(cfg)#set vlan ingress-tpid session <1-7> tpid-value <0xHHHH> Configures an ingress-tpid template.
zte(cfg)#set port <portlist> ingress-tpid session <sessionlist> Sets the binding between the port and the template.
show vlan ingress-tpid (all configuration modes) Displays ingress-tpid values configured in templates.
show vlan qinq (all configuration modes) Displays customer/uplink port of QinQ.
QinQ Configuration Instance
• Configuration Description
Encapsulate an exterior label in Switch1 (ZXR10 2952E) for the packet from Switch2. The VLAN number is 100. The port connecting upstream BRAS in Switch1 is port 24. The port connecting the downstream Switch2 is port 1. The NM vlan of Switch1 is 999 and the management IP address is 192.168.0.1/24. See Figure 5-25.
Figure 5-25 QinQ Configuration Instance
• Configuration Procedure
/*set qinq, the outer label is 100*/
zte(cfg)#set vlan 100 enable
zte(cfg)#set vlan 100 add port 1 untag
zte(cfg)#set vlan 100 add port 24 tag
zte(cfg)#set port 1 pvid 100
zte(cfg)#set vlan qinq customer port 1 enable
zte(cfg)#set vlan qinq uplink port 24 enable
zte(cfg)#set vlan 999 enable
zte(cfg)#config router
zte(cfg-router)#set ipport 1 ipaddress 192.168.0.1/24
zte(cfg-router)#set ipport 1 vlan 999
zte(cfg-router)#set ipport 1 enable
zte(cfg-router)#exit
5.21 SQinQ Configuration
SQinQ Overview
The SQinQ is a type of VLAN tunnel technology. It provides multi-point to multi-point VLAN transparent transportation service and a simple Layer 2 VPN tunnel by adding a VLAN tag outside the original 802.1Q tag and removing the outside VLAN tag when the packet is transported to the edge switch.
Unlike ordinary QinQ, which adds the SPVLAN tag based on ports, SQinQ provides the SPVLAN tag according to traffic. That is, on the same Customer port, traffic carrying different CVLAN tags is given the corresponding SPVLAN tag based on user demands.
Configuring SQinQ
The SQinQ configuration includes the following commands:
Command Function
zte(cfg)#set vlan sqinq session <1-400> customer-port <port-id> customer-vlan <vlan-list> uplink-vlan <vlan-id> Enables SVLAN function. When the SQinQ function is enabled, the uplink traffic is normally forwarded in SPVLAN. The downlink traffic is normally forwarded in SPVLAN. Because the UNI port belongs to SPVLAN in untagged mode, the SPVLAN tag of downlink packets will be removed.
zte(cfg)#clear vlan sqinq Deletes all SQinQ sessions.
zte(cfg)#clear vlan sqinq session <1-400> Deletes the specified SQinQ session.
show vlan sqinq (all configuration modes) Displays all SQinQ sessions.
show vlan sqinq session <1-400> (all configuration modes) Displays the specified SQinQ session.
SQinQ Configuration Instance
• Configuration Description
Port 1 is a customer port, and port 2 is an uplink port. When the CVLAN is 10 and 12, the SPVLAN of the packet from port 1 is 997 and 998 respectively. See Figure 5-26.
Figure 5-26 SQinQ Configuration Instance
• Configuration Procedure
Configure the SVLAN instance.
zte(cfg)#set vlan 10,12 add port 1 tag
zte(cfg)#set vlan 997,998 add port 1 untag
zte(cfg)#set vlan 997,998 add port 2 tag
zte(cfg)#set vlan 10,12,997,998 enable
zte(cfg)#set vlan sqinq session 1 customer-port 1 customer-vlan 10 uplink-vlan 997
zte(cfg)#set vlan sqinq session 2 customer-port 1 customer-vlan 12 uplink-vlan 998
• Configuration Verification
The following example shows how to display the SVLAN instance.
zte(cfg)#show vlan sqinq
Session number : 1
Customer Port : 1
Customer Vlan List : 10
Uplink Vlan : 997
Session number : 2
Customer Port : 1
Customer Vlan List : 12
Uplink Vlan : 998
5.22 VLAN Configuration
VLAN Overview
The Virtual Local Area Network (VLAN) protocol is a basic protocol of layer-2 switching equipment, which enables the administrator to divide a physical LAN into multiple VLANs. Each VLAN has a VLAN ID to identify it uniquely in the entire LAN. Multiple VLANs share the switching equipment and links of the physical LAN.
Logically, a VLAN is like an independent LAN. All frame flows in the same VLAN are restricted in this VLAN. Cross-VLAN visit can only be implemented through forwarding on layer 3. In this way, the network performance is improved, and the overall flow in the physical LAN is effectively lowered.
The VLAN has the following functions:
• Reduces the broadcast storms of network.
• Enhances the network security.
• Provides centralized management and control.
The ZXR10 2900E also supports the tag-based VLAN. This is a mode defined in IEEE 802.1Q and is a universal working mode. In this mode, the division of VLAN is based on the VLAN information about the port (PVID: port VLAN ID) or the information in the VLAN tag. Also, the ZXR10 2900E supports the division of VLAN according to the packet protocol type, that is, protocol VLAN.
Configuring a VLAN
The VLAN configuration includes the following commands:
Command Function
zte(cfg)#set vlan <vlanlist> {enable | disable} Enables or disables a VLAN.
zte(cfg)#set vlan <vlanlist> add port <portlist> [untag | tag] Adds a port to a VLAN and configures the location in the VLAN.
zte(cfg)#set vlan <vlanlist> delete port <portlist> Deletes the port from a VLAN.
zte(cfg)#set vlan <vlanlist> add trunk <trunklist> [tag | untag] Adds a trunk to a VLAN and configures the trunk location in the VLAN.
zte(cfg)#set vlan <vlanlist> delete trunk <trunklist> Deletes a trunk from a VLAN.
zte(cfg)#set port <portlist> protocol-vlan {enable | disable} Enables or disables the protocol VLAN function.
zte(cfg)#set vlan protocol-mapping session-no <1-8> {ethernet2 | llc | snap} <0xHHHH> vlan <1-4094> Sets a protocol VLAN template.
zte(cfg)#create vlan <1-4094> name <name> Creates a VLAN name.
zte(cfg)#clear vlan <vlanlist> name Clears a VLAN name.
zte(cfg)#clear vlan protocol-mapping session-no <1-8> Clears the VLAN template configuration of the protocol.
show vlan [<vlanlist>] (all configuration modes) Displays the basic VLAN information.
show vlan protocol-mapping (all configuration modes) Displays the VLAN configuration of the protocol.
VLAN Configuration Example One
• Configuration Description
Configure VLAN 100. Add untagged ports 1 and 2 and tagged ports 7 and 8. The detailed configuration is as follows:
Note:
By default, VLAN1 is enabled, all ports are in VLAN1 and in untag mode.
• Configuration Procedure
zte(cfg)#set vlan 100 add port 1, 2 untag
zte(cfg)#set vlan 100 add port 7, 8 tag
zte(cfg)#set port 1, 2 pvid 100
zte(cfg)#set vlan 100 enable
• Configuration Verification
zte(cfg)#show vlan 100
VlanId : 100 VlanStatus: enabled
VlanName:
VlanMode: Static
Tagged ports : 7-8
Untagged ports: 1-2
Forbidden ports:
VLAN Configuration Example Two
• Configuration Description
Switch A is connected to switch B through port 16. Port 1 of switch A and port 2 of switch B are members of VLAN 2. Port 3 of switch A and port 4 of switch B are members of VLAN 3. The members in the same VLAN can communicate with each other. See Figure 5-27.
Figure 5-27 VLAN Transparent Transmission Configuration Instance
• Configuration Procedure
1. Configuration of switch A
zte(cfg)#set vlan 2 add port 16 tag
zte(cfg)#set vlan 2 add port 1 untag
zte(cfg)#set vlan 3 add port 16 tag
zte(cfg)#set vlan 3 add port 3 untag
zte(cfg)#set port 1 pvid 2
zte(cfg)#set port 3 pvid 3
zte(cfg)#set vlan 2-3 enable
2. Configuration of switch B
zte(cfg)#set vlan 2 add port 16 tag
zte(cfg)#set vlan 2 add port 2 untag
zte(cfg)#set vlan 3 add port 16 tag
zte(cfg)#set vlan 3 add port 4 untag
zte(cfg)#set port 2 pvid 2
zte(cfg)#set port 4 pvid 3
zte(cfg)#set vlan 2-3 enable
5.23 VLAN Mapping Configuration
VLAN Mapping Overview
The VLAN Mapping, namely N to One VLAN mapping, implements the VLAN convergence function by establishing mapping between customer VLAN and service provider VLAN by replacing the outer VLAN tags in the data frames. This way, customer services can be transmitted according to operator’s network planning.
Due to the limited VLAN resource, the VLANs of service provider network and customer network are planned separately. The “customer VLAN” mentioned in this chapter refers to CVLAN used in customer network, while the “service provider VLAN” is the SVLAN used in service provider’s network.
Different services of home users (Internet, IPTV, VoIP) are transferred through different VLANs in the access networks of MAN, see Figure 5-28. As there are limited VLANs in operator’s network, the VLAN convergence function needs to be fulfilled in the switches in access layer to transmit the same service, which is transferred by different users in different VLANs, through one VLAN.
Figure 5-28 VLAN Mapping Network Diagram
Mapping Modes:
Uplink: replace the CVLAN with SVLAN based on “Interface+customer VLAN”.
Downlink: replace the SVLAN in the outermost layer with CVLAN based on “SVLAN + Destination MAC address”.
The whole system supports 400 sessions, and up to 400 CVLANs can be supported.
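The following added example, which is not part of the ZTE guide, models the session table shared by the SQinQ section (5.21) and the VLAN mapping modes above, using the session values from both configuration instances. Frames are simplified to dictionaries with a tag list (outermost first); learning the downlink user table from uplink source MAC addresses is an assumption of this model, as are the class name and the sample MAC addresses.

```python
class EdgeSwitch:
    """Session table behind 'set vlan sqinq session' / 'set vlan mapping session'."""

    def __init__(self, mode):
        if mode not in ("sqinq", "mapping"):
            raise ValueError("mode must be 'sqinq' or 'mapping'")
        self.mode = mode
        self.sessions = {}    # (customer_port, cvlan) -> spvlan
        self.user_table = {}  # (spvlan, mac) -> (customer_port, cvlan)

    def add_session(self, customer_port, cvlans, spvlan):
        for cvlan in cvlans:
            key = (customer_port, cvlan)
            if key in self.sessions:
                # Model choice: one CVLAN on a port maps to exactly one SPVLAN.
                raise ValueError(f"CVLAN {cvlan} on port {customer_port} already mapped")
            self.sessions[key] = spvlan

    def uplink(self, customer_port, frame):
        """Customer -> provider. Returns the frame sent upstream, or None."""
        if not frame["tags"]:
            return None
        cvlan = frame["tags"][0]
        spvlan = self.sessions.get((customer_port, cvlan))
        if spvlan is None:
            return None                            # no session covers this CVLAN
        if self.mode == "sqinq":
            tags = [spvlan] + frame["tags"]        # add SPVLAN outside the CVLAN
        else:
            tags = [spvlan] + frame["tags"][1:]    # replace CVLAN with SPVLAN
            # Remember which CVLAN this user came from (assumed learning step).
            self.user_table[(spvlan, frame["src"])] = (customer_port, cvlan)
        return dict(frame, tags=tags)

    def downlink(self, frame):
        """Provider -> customer. Returns the frame sent to the user, or None."""
        spvlan = frame["tags"][0]
        if self.mode == "sqinq":
            return dict(frame, tags=frame["tags"][1:])   # strip the SPVLAN tag
        entry = self.user_table.get((spvlan, frame["dst"]))
        if entry is None:
            return None                  # N:1 mapping cannot be reversed blindly
        port, cvlan = entry
        return dict(frame, tags=[cvlan] + frame["tags"][1:], out_port=port)

BRAS = "02.00.00.00.00.fe"     # constructed MAC addresses
USER_A = "02.00.00.00.00.0a"
USER_B = "02.00.00.00.00.0b"

def demo():
    sq = EdgeSwitch("sqinq")              # SQinQ instance: 10 -> 997, 12 -> 998
    sq.add_session(1, [10], 997)
    sq.add_session(1, [12], 998)
    vm = EdgeSwitch("mapping")            # mapping instance: 1-100 -> 1000
    vm.add_session(1, range(1, 101), 1000)
    a_up = vm.uplink(1, {"src": USER_A, "dst": BRAS, "tags": [5]})
    b_up = vm.uplink(1, {"src": USER_B, "dst": BRAS, "tags": [42]})
    a_down = vm.downlink({"src": BRAS, "dst": USER_A, "tags": [1000]})
    b_down = vm.downlink({"src": BRAS, "dst": USER_B, "tags": [1000]})
    return {
        "sqinq_cvlan10": sq.uplink(1, {"src": USER_A, "dst": BRAS, "tags": [10]})["tags"],
        "sqinq_cvlan12": sq.uplink(1, {"src": USER_A, "dst": BRAS, "tags": [12]})["tags"],
        "mapping_up": (a_up["tags"], b_up["tags"]),
        "mapping_down": (a_down["tags"], b_down["tags"]),
    }

if __name__ == "__main__":
    print(demo())
```

Both users share SPVLAN 1000 upstream, so only the (SVLAN, destination MAC) lookup restores the right CVLAN on the way back; a destination that is not in the user table cannot be translated.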
Configuring VLAN Mapping
The VLAN mapping configuration includes the following commands:
Command Function
zte(cfg)#set vlan mapping session <session_id> customer-port <port-id> customer-vlan <vlan-list> uplink-vlan <vlan-id> Sets the VLAN Mapping function. When the VLAN Mapping is enabled, the uplink traffic is normally forwarded in SPVLAN. The downlink traffic is normally forwarded in SPVLAN. When reaching the user port, it is transformed to the corresponding CVLAN tag.
zte(cfg)#clear vlan mapping Deletes all VLAN Mapping sessions.
zte(cfg)#clear vlan mapping session <1-400> Deletes the specified VLAN Mapping session.
zte(cfg)#clear vlan mapping user Deletes the user information of all VLAN Mapping sessions.
zte(cfg)#clear vlan mapping user session <1-400> Deletes the user information of the specified VLAN Mapping session.
show vlan mapping (all configuration modes) Displays all VLAN Mapping sessions.
show vlan mapping session <1-400> (all configuration modes) Displays the specified VLAN Mapping session.
show vlan mapping user-table (all configuration modes) Displays the user information of all VLAN Mapping sessions.
show vlan mapping user-table session <1-400> (all configuration modes) Displays the user information of the specified VLAN Mapping session.
VLAN Mapping Configuration Instance
• Configuration Description
Port 1 is on the customer network, and port 24 is on the service provider network; see Figure 5-29. Map the packets that are received from port 1 and whose CVLANs are between 1-100 to SPVLAN 1000.
Figure 5-29 VLAN Mapping Configuration Instance
Switch1 and Switch2 are configured in the same way. Use Switch1 as an example.
• Configuration Procedure
The following example shows how to configure the VLAN Mapping instance.
zte(cfg)#set vlan 1-100,1000 add port 1,24 tag
zte(cfg)#set vlan 1-100,1000 enable
zte(cfg)#set vlan mapping session 1 customer-port 1 customer-vlan 1-100 uplink-vlan 1000
• Configuration Verification
The following example shows how to display the SVLAN instance.
zte(cfg)#show vlan mapping
Session number : 1
Customer Port : 1
Customer Vlan List : 1-100
Uplink Vlan : 1000
5.24 Syslog Configuration
Syslog Overview
The Syslog protocol is an important part of the Ethernet switch and is the information junction center of the system software modules. Syslog manages most of the important information output and classifies it in detail, which filters the information effectively and provides strong support for network administrators and development engineers in monitoring network operation status and diagnosing network faults.
The Syslog protocol is classified by information source and the information is filtered by function module, which satisfies customized user demands.
The Syslog protocol can classify the log information into eight levels from the highest to the lowest level of importance. For a description of the levels, refer to Table 5-2.
Table 5-2 Syslog Log Information
Severity Level Description
Emergencies Crucial fault.
Alerts Fault that must be corrected quickly.
Critical Key fault.
Errors Fault that needs to be noticed but not important
Warnings Warning, indicating a potential fault.
Notifications Information that needs to be noticed.
Informational General prompt information.
Debugging Debug information.
Configuring Syslog
The Syslog configuration includes the following commands:
Command Function
zte(cfg)#set syslog module {all | arp-inspection | commandlog | dhcp | radius | AAA} {enable | disable} Enables or disables the syslog module.
zte(cfg)#set syslog level {emergencies | alerts | critical | errors | warnings | notifications | informational | debugging} Defines the syslog information level.
zte(cfg)#set syslog add server <1-5> ipaddress <A.B.C.D> [name <name>] [<0-65535>] Sets the syslog server.
zte(cfg)#set syslog delete server <1-5> Deletes the syslog server.
zte(cfg)#set syslog {enable | disable} Enables or disables the syslog function globally.
show syslog status (all configuration modes) Displays the syslog configuration.
Syslog Configuration Instance
• Configuration Description
Suppose that the syslog function of the switch is enabled, information level is informational, all function modules are enabled, the server IP address is 192.168.1.1, and the name is Srv1.
• Configuration Procedure
zte(cfg)#set syslog enable
zte(cfg)#set syslog level informational
zte(cfg)#set syslog module all disable
zte(cfg)#set syslog module radius enable
zte(cfg)#set syslog module aaa enable
zte(cfg)#set syslog module commandlog enable
zte(cfg)#set syslog add server 1 ipaddress 192.168.1.1 name server1
• Configuration Verification
zte(cfg)#show syslog status
Syslog status: enable
Syslog level: informational
Syslog enabled modules:
commandlog AAA radius
Syslog disabled modules:
all-others
Syslog server IP UDP port Name
1 192.168.1.1 514 server1
5.25 NTP Configuration
NTP Overview
Network Time Protocol (NTP) is the protocol used to synchronize the clocks between network devices. The ZXR10 2900E provides NTP client function and synchronizes the clock with other NTP servers. The ZXR10 2900E also supports second-server function, so that the two servers get the time at the same time.
Configuring NTP
The NTP configuration includes the following commands:
Command Function
zte(cfg)#set ntp add authentication-key <1-255> md5 <string> Sets the NTP authentication key.
zte(cfg)#set ntp delete authentication-key <1-255> Deletes the NTP authentication key.
zte(cfg)#set ntp {add | delete} trusted-key <1-255> Adds or deletes the NTP trusted key.
zte(cfg)#set ntp authenticate {enable | disable} Enables or disables the NTP authentication function.
zte(cfg)#set ntp server <A.B.C.D> [version <1,2,3> | key <1-255>] Sets the NTP server.
zte(cfg)#set ntp second-server <A.B.C.D> [version <1,2,3> | key <1-255>] Sets the NTP second server.
zte(cfg)#set ntp source <A.B.C.D> Sets the source IP address that is used for the switch to send NTP packets.
zte(cfg)#set ntp clock-period <5-2147483647> Sets the period of NTP synchronization.
zte(cfg)#set ntp timezone <(-12)-(+13)> Sets NTP time-zone.
zte(cfg)#set ntp {enable | disable} Enables or disables NTP.
zte(cfg)#set ntp src-udp-port {123 | 1000} Sets the ID of the udp port through which NTP messages are sent.
show ntp (all configuration modes) Displays NTP configuration.
NTP Configuration Instance
• Configuration Description
Suppose that the switch and NTP server 1 (IP address is 202.10.10.10) and NTP server 2 (IP address is 201.10.10.10) implement time synchronization. Make sure that the switch and NTP server can ping each other successfully. The NTP module is configured as follows:
• Configuration Procedure
zte(cfg)#set ntp server 202.10.10.10
zte(cfg)#set ntp second-server 201.10.10.10
zte(cfg)#set ntp enable
• Configuration Verification
zte(cfg)#show ntp
ntp protocol is enable
ntp server address : 202.10.10.10
ntp source address : None
ntp source udp port : 1000
ntp is_synchronized for second server : Yes
ntp rcv stratum : 16
no reference clock.
ntp time zone : 0
In the displayed information, “ntp is_synchronized for second server” means the current switch time is synchronized with that of the server 2.
5.26 GARP/GVRP Configuration
GARP/GVRP Overview
The Generic Attribute Registration Protocol (GARP) is a generic attribute registration protocol, which distributes VLAN and multicast MAC addresses dynamically to the members in the same switching network by applying different application protocols.
GARP VLAN Registration Protocol (GVRP) is a type of application protocol defined by the GARP, which maintains VLAN information in the switch dynamically based on the GARP protocol mechanism. All switches supporting GVRP can receive the VLAN registration information from other switches and update local VLAN registration information dynamically, including the current VLAN on this switch and the ports in this VLAN. All switches supporting GVRP can broadcast the local VLAN registration information to other switches, so that the VLAN configurations of all devices with the GVRP in the same switching network stay consistent and interwork as required.
Configuring GARP/GVRP
The GARP/GVRP configuration includes the following commands:
Command Function
zte(cfg)#set vlan <vlanlist> {permit | forbid} {port <portlist> | trunk <trunklist>} Permits or forbids adding/deleting port/trunk in the specified VLAN.
zte(cfg)#set garp {enable | disable} Enables or disables the GARP function.
zte(cfg)#set garp timer {hold | join | leave | learvall} <timer_value> Sets various GARP timers.
show garp (all configuration modes) Displays GARP configuration.
zte(cfg)#set gvrp {enable | disable} Enables or disables GVRP.
zte(cfg)#set gvrp {port <portlist> | trunk <trunklist>} {enable | disable} Enables or disables GVRP on the port/trunk.
zte(cfg)#set gvrp {port <portlist> | trunk <trunklist>} registration {normal | fixed | forbidden} Sets GVRP registration type on Trunk port.
show gvrp (all configuration modes) Displays GVRP configuration and state.
GARP/GVRP Configuration Instance
• Configuration Description
Switch A connects with switch B through port 1. By configuring GVRP, the two switches can register each other and refresh their VLAN table. See Figure 5-30.
Figure 5-30 GVRP Configuration Instance
• Configuration Procedure
1. Configuration of switch A:
zte(cfg)#set garp enable
zte(cfg)#set gvrp enable
zte(cfg)#set gvrp port 1 enable
zte(cfg)#set vlan 10-20 enable
zte(cfg)#set vlan 10-20 add port 1
2. Configuration of switch B:
zte(cfg)#set garp enable
zte(cfg)#set gvrp enable
zte(cfg)#set gvrp port 1 enable
zte(cfg)#set vlan 30-40 enable
zte(cfg)#set vlan 30-40 add port 1
Note:
1. The GARP function must be enabled before the GVRP function is enabled.
2. Enabling GVRP can enable up to 512 VLANs.
3. The GARP timers use their default values. If a timer is modified, its value must be the same as the one configured in the network.
4. The GVRP port registration type uses the default value Normal. If it is changed to another type, VLAN learning cannot be implemented.
• Configuration Verification
SwitchA(cfg)#show garp /*View GARP configuration*/
GARP is enabled!
GARP Timers:
Hold Timeout :100 milliseconds
Join Timeout :200 milliseconds
Leave Timeout :600 milliseconds
LeaveAll Timeout :10000 milliseconds
SwitchA(cfg)#show gvrp /*View GVRP configuration*/
GVRP is enabled!
PortId Status Registration LastPduOrigin
------ -------- ------------ -----------------
1 Enabled Normal 00.d0.d0.f2.51.24
SwitchA(cfg)#show port 1 vlan
PortId : 1
Tagged in vlan : 30-40
Untagged in vlan : 1, 10-20
SwitchB(cfg)#show port 1 vlan
PortId : 1
Tagged in vlan : 10-20
Untagged in vlan : 1, 30-40
SwitchA(cfg)#show vlan 30
VlanId : 30 VlanStatus: enabled
VlanName:
VlanMode: Dynamic
Tagged ports : 1
Untagged ports :
Forbidden ports :
SwitchB(cfg)#show vlan 10
VlanId : 10 VlanStatus: enabled
VlanName:
VlanMode: Dynamic
Tagged ports :1
Untagged ports :
Forbidden ports :
5.27 DHCP Configuration
DHCP Overview
The Dynamic Host Configuration Protocol (DHCP) enables the host to request dynamic addresses from the server.
The ZXR10 2900E DHCP function includes the following contents:
The DHCP snooping function prevents bogus DHCP servers from being deployed in the network; for this to work, the port connecting to the DHCP server must be set as a trusted port. Dynamic ARP inspection can be used together with it to prevent illegal IP and MAC address bindings, thus ensuring normal assignment of IP addresses by the DHCP server. DHCP Snooping and Option82 are designed to solve these security problems. DHCP Snooping, namely DHCP packet filtering, checks the legality of DHCP packets against a set of rules and filters out illegal packets. Option82 provides additional information that strengthens network security.
In the DHCP service system, the ZXR10 2900E series switches are provided with a lot of automatically deployed functions. For details, see Downloading the Software Version Automatically.
Configuring DHCP
The DHCP configuration includes the following commands:

Command
    Function

zte(cfg)#set dhcp snooping-and-option82 {enable | disable}
    Enables or disables DHCP snooping and Option82 globally.
zte(cfg)#set dhcp snooping {add | delete} {port <portlist> | trunk <trunklist>}
    Enables or disables the DHCP Snooping function based on the port/trunk.
zte(cfg)#set dhcp port <portlist> {server | cascade | client}
    Sets DHCP attribute of the port.
zte(cfg)#set dhcp trunk <trunklist> {server | default}
    Sets trunk attribute in DHCP snooping.
zte(cfg)#set dhcp ip-source-guard {{add | delete} port <portlist> | quota <0-400>}
    Enables or disables port ip-source-guard function.
zte(cfg)#set dhcp snooping bind-entry mac <HH.HH.HH.HH.HH.HH> ip <A.B.C.D> vlan <1-4094> port <1-28>
    Adds static user information binding entry.
zte(cfg)#set dhcp snooping bind-entry mode port <portlist> {hold | drop}
    Sets the binding mode of the dynamic user information binding entry on the port.
zte(cfg)#set dhcp option82 {add | delete} {port <portlist> | trunk <trunklist>}
    Enables or disables DHCP Option82 function based on the port/trunk.
zte(cfg)#set dhcp option82 sub-option device {ani <string> | remote-ID {cisco | key <string> | manual <string>}}
    Configures the device information of Switch.
zte(cfg)#set dhcp option82 sub-option port <portlist> {circuit-ID {on {cisco | china-tel | dsl-forum | henan-rtf | key <string> | manual <string>} | off} | subscriber-ID {on <string> | off} | reserve {on tag <1-255> value <string> | off}}
    Sets option82 sub-option.
zte(cfg)#set dhcp option82 mode port <portlist> {default | drop | modify | append}
    Sets the binding mode of the dynamic user binding entry on the port.
zte(cfg)#clear dhcp snp-bind-entry {mac <HH.HH.HH.HH.HH.HH> | port <1-28> | all}
    Clears DHCP binding entry.
zte(cfg)#clear dhcp option82 sub-option device ani
    Deletes device identifier information.
show dhcp (all configuration modes)
    Displays the configuration of DHCP snooping-and-option82 and DHCP client.
show dhcp snooping (all configuration modes)
    Displays DHCP snooping global configuration information.
show dhcp snooping binding [port <1-28>] (all configuration modes)
    Displays DHCP snooping entry information.
show dhcp ip-source-guard (all configuration modes)
    Displays port ip-source-guard configuration.
show dhcp option82 (all configuration modes)
    Displays DHCP option82 configuration information.
show dhcp option82 port (all configuration modes)
    Displays the configuration information of DHCP option82.
show dhcp option82 device (all configuration modes)
    Displays the configuration information of the device.
zte(cfg)#set dhcp client {enable | disable}
    Enables or disables the DHCP client function.
zte(cfg)#set dhcp client broadcast-flag {enable | disable}
    Sets whether the packet that DHCP server returns is a broadcast packet.
show dhcp client (all configuration modes)
    Displays DHCP client configuration information.
zte(cfg-router)#set ipport <0-63> ipaddress dhcp
    Sets the IP address of layer-3 interface acquired by DHCP protocol.
zte(cfg-router)#set ipport <0-63> ipaddress dhcp {release | renew}
    Releases or renews layer-3 interface IP address.
zte(cfg-router)#set ipport <0-63> dhcp client {class-id {characters <string> | hex-numbers <hex-string>} | client-id mac | hostname <string> | lease {<0-365> <0-23> <0-59> | infinite}}
    Sets available messages when the DHCP client interacts with the server.
zte(cfg-router)#set ipport <0-63> dhcp client request {dns-server | domain-name | route | static-route | tftp-server-name}
    Sets message type sent by the server when the DHCP client interacts with the server.
zte(cfg-router)#set ipport <0-63> dhcp relay agent
    Sets a layer-3 IP port as a DHCP relay agent. If the port is an inside port, the address of the port is used as the source addresses of DHCP packets sent to the server.
zte(cfg-router)#set ipport <0-63> dhcp relay server <A.B.C.D>
    Sets the address of the DHCP relay server on the IP port. When DHCP packets are forwarded to a server, this server is preferred.
zte(cfg)#set dhcp relay global-ipport <0-63> {enable | disable}
    Enables the DHCP relay function on an IP port globally. When the DHCP relay selects a source IP address, if no IP address is configured for the VLAN, the IP address of the IP port is used as the source address.
zte(cfg-router)#clear ipport <0-63> dhcp client {class-id | client-id | hostname | lease}
    Clears DHCP client optional sending information configuration.
zte(cfg-router)#clear ipport <0-63> dhcp client request {dns-server | domain-name | route | static-route | tftp-server-name}
    Clears the configuration requesting DHCP server to return various information.
zte(cfg)#set dhcp snooping bind-entry database read
    Reads DHCP binding entry from the Flash memory.
zte(cfg)#set dhcp snooping bind-entry database recovery {disable | enable}
    Recovers binding entry from the Flash memory after restarted.
zte(cfg)#set dhcp snooping bind-entry database time-write {disable | enable | time <30-65535>}
    Writes DHCP binding entry into the Flash memory at regular time.
zte(cfg)#set dhcp snooping bind-entry database write
    Writes DHCP binding entry into the Flash memory.
show dhcp snooping database (all configuration modes)
    Displays configuration related to DHCP database.
zte(cfg)#set dhcp special udp-light-check {enable | disable}
    Enables/Disables DHCP udp-check function globally.
zte(cfg)#set dhcp snooping vlan <vlanlist> {disable | enable}
    Enables/Disables snooping function of a VLAN globally.
zte(cfg)#set dhcp snooping quota <0-8191>
    Sets the quota of a DHCP binding table globally. The value 0 means that the quota is not limited.
zte(cfg)#set dhcp snooping vlan <vlanlist> quota <0-8191>
    Sets the quota of a DHCP binding table based on a VLAN. The value 0 means that the quota is not limited.
zte(cfg)#set dhcp snooping port <portlist> quota <0-8191>
    Sets the quota of a DHCP binding table based on a port. The value 0 means that the quota is not limited.
zte(cfg)#set dhcp snooping vlan <vlanlist> port <1-28> quota <0-8191>
    Sets the quota of a DHCP binding table based on a VLAN and port. The value 0 means that the quota is not limited.
show dhcp snooping quota [<1-8191>] (all configuration modes)
    Displays configuration related to a DHCP quota.
zte(cfg)#set dhcp relay vlan <vlanlist> {enable | disable}
    Enables the DHCP relay function for a VLAN.
zte(cfg)#set dhcp relay server ip <A.B.C.D>
    Sets the address of the global DHCP relay server.
zte(cfg)#set dhcp relay server mode {ipport | vc-class id}
    Sets the mode of selecting a server for the DHCP relay. If a vc-class ID is configured, vc-class mode is preferred.
zte(cfg)#set dhcp relay server retry <5-1000>
    Sets the number of times that the DHCP relay retries to send a packet. Default: 10.
zte(cfg)#set dhcp hop <1-16>
    Sets the hop limit of the DHCP relay.
Configuring DHCP snooping/Option82
• Configuration Description
The PC gets its IP address from the specified DHCP server, and other illegal DHCP servers are prevented from affecting hosts in the network. See Figure 5-31.
Figure 5-31 DHCP Snooping/Option82 Configuration Instance Topology
• Configuration Procedure
zte(cfg)#set dhcp snooping-and-option82 enable
zte(cfg)#set dhcp snooping add port 49,50
zte(cfg)#set dhcp port 49 client
zte(cfg)#set dhcp port 50 server
zte(cfg)#set dhcp ip-source-guard add port 49
zte(cfg)#set dhcp option82 add port 49,50
• Configuration Verification
zte(cfg)#show dhcp snooping
DHCP snooping is enabled on the following port(s):
PortId PortType
------ --------
49 Client
50 Server
DHCP snooping disabled vlan: none
zte(cfg)#show dhcp option82
DHCP option82 is enabled on the following port(s):
PortId PortType
------ --------
49 Client
50 Server
zte(cfg)#show dhcp
DHCP download flag is disabled, config file is found.
DHCP download will not startup, when system reboot.
DHCP config file(option-67) *.dat will be translated to ZXR10_2952E.dat.
DHCP snooping-and-option82 is enabled.
PortId PortType Snooping Option82
------ -------- -------- --------
49 Client Enabled Enabled
50 Server Enabled Enabled
51 Client Disabled Disabled
52 Client Disabled Disabled
DHCP client is disabled.
zte(cfg)#show dhcp ip-source-guard
Ip source guard is configured on the following port(s): 49
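The verification output above can be checked mechanically. The following is an added example, not part of the ZTE guide: a small audit that parses the "show dhcp" and "show dhcp ip-source-guard" output shown in this instance and reports ports that weaken the snooping setup. The function names and the policy (every non-server port should have snooping enabled, server ports must be on an approved list) are assumptions of this example.

```python
import re

# Switch output as printed in the verification step of this section.
SHOW_DHCP = """\
DHCP snooping-and-option82 is enabled.
PortId PortType Snooping Option82
------ -------- -------- --------
49 Client Enabled Enabled
50 Server Enabled Enabled
51 Client Disabled Disabled
52 Client Disabled Disabled
DHCP client is disabled.
"""
SHOW_IPSG = "Ip source guard is configured on the following port(s): 49\n"

# One row of the per-port table: PortId, PortType, Snooping, Option82.
ROW = re.compile(r"^\s*(\d+)\s+(\w+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)\s*$")


def expand_portlist(text):
    """Expand '49', '49,50' or '1-4,49' into a set of port numbers."""
    ports = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_show_dhcp(text):
    """Return (globally_enabled, {port: {"type", "snooping", "option82"}})."""
    enabled = "DHCP snooping-and-option82 is enabled" in text
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[int(m.group(1))] = {
                "type": m.group(2).lower(),
                "snooping": m.group(3) == "Enabled",
                "option82": m.group(4) == "Enabled",
            }
    return enabled, ports


def parse_ip_source_guard(text):
    """Return the set of ports listed by 'show dhcp ip-source-guard'."""
    m = re.search(r"following port\(s\):\s*([\d,\- ]*)", text)
    return expand_portlist(m.group(1)) if m else set()


def audit(show_dhcp, show_ipsg, approved_server_ports):
    """Compare switch state with the assumed policy and list deviations."""
    findings = []
    enabled, ports = parse_show_dhcp(show_dhcp)
    guarded = parse_ip_source_guard(show_ipsg)
    if not enabled:
        findings.append("global: snooping-and-option82 is not enabled")
    for port, p in sorted(ports.items()):
        if p["type"] == "server":
            # A server (trusted) port may relay DHCP server replies.
            if port not in approved_server_ports:
                findings.append(f"port {port}: trusted (server) port not on the approved list")
            continue
        if not p["snooping"]:
            findings.append(f"port {port}: DHCP snooping disabled on a {p['type']} port")
        elif p["type"] == "client" and port not in guarded:
            findings.append(f"port {port}: snooping on, but no ip-source-guard")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_DHCP, SHOW_IPSG, approved_server_ports={50}):
        print(finding)
```

Against the output above, ports 51 and 52 are reported because they carry neither snooping nor Option82, which leaves hosts behind them exposed to a bogus DHCP server.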
Configuring DHCP Client
• Configuration Description
The PC can get an IP address from the specified DHCP server. See Figure 5-32.
Figure 5-32 DHCP Client Configuration Instance Topology
• Configuration Procedure
zte(cfg)#set dhcp client enable
zte(cfg)#set vlan 10 add port 49 untag
zte(cfg)#set vlan 10 enable
zte(cfg)#set port 49 pvid 10
zte(cfg)#config router
zte(cfg-router)#set ipport 0 vlan 10
zte(cfg-router)#set ipport 0 ipaddress dhcp
zte(cfg-router)#set ipport 0 enable
• Configuration Verification
zte(cfg-router)#show ipport
IpPort Status IpAddress Mask MacAddress VlanId IpMode
------ ------ ---------- ------------ ----------------- ------ ------
0 up 100.1.1.5 255.255.0.0 00.00.00.00.00.02 10 dhcp
5.28 DHCPv6 Configuration
DHCPv6 Overview
The Dynamic Host Configuration Protocol of IPv6 (DHCPv6) is used by a network host to dynamically request host configuration from a server.
The ZXR10 2900E series system supports the following DHCPv6 functions:
• DHCPv6 snooping function: DHCPv6 servers and clients do not support an authentication mechanism. Illegally and privately created DHCPv6 servers bring confusion to address allocation, gateway and DNS parameters of some hosts. As a result, these hosts cannot connect to external networks properly. In addition, there are problems such as IP spoofing, MAC address spoofing and user ID spoofing from illegal clients, and DHCPv6 server address exhaustion. On the basis of DHCPv6 snooping, the Option82 technology can solve these security problems effectively.
• IP source guard function: By listening to the DHCPv6 interaction procedure between a client and a server, the system records the IP address allocated to the client by the server. The system filters out packets with other source IP addresses on ports, thus preventing spoofing.
Configuring DHCPv6
The DHCPv6 configuration includes the following commands:
Command
    Function

zte(cfg)#set dhcpv6 snooping {enable | disable}
    Enables or disables the DHCPv6 snooping function globally.
zte(cfg)#set dhcpv6 snooping {add | delete} port <portlist>
    Enables or disables the DHCPv6 snooping function on a port.
zte(cfg)#set dhcpv6 port <portlist> {server | cascade | client}
    Sets the attribute of a port in the DHCPv6 snooping function.
zte(cfg)#set dhcpv6 ip-source-guard {add | delete} port <portlist>
    Enables or disables the ip-source-guard function on a port.
zte(cfg)#set dhcpv6 option18 {enable | disable}
    Enables or disables the DHCPv6 Option18 function globally.
zte(cfg)#set dhcpv6 option18 {add | delete} port <portlist>
    Enables or disables the DHCPv6 Option18 function on a port.
zte(cfg)#set dhcpv6 option37 {enable | disable}
    Enables or disables the DHCPv6 snooping function globally.
zte(cfg)#set dhcpv6 option37 {add | delete} port <portlist>
    Enables or disables the DHCPv6 Option37 function on a port.
zte(cfg)#set dhcpv6 option82 {enable | disable}
    Enables or disables the DHCPv6 Option82 function globally.
zte(cfg)#set dhcpv6 option82 {add | delete} port <portlist>
    Enables or disables the DHCPv6 Option18 function on a port.
zte(cfg)#set dhcpv6 option82 ani <string>
    Sets the device identifier of a switch node.
zte(cfg)#set dhcpv6 option82 sub-option port <portlist> {circuit-ID {on {cisco | china-tel | dsl-forum | key <string>} | off} | subscriber-ID {on <string> | off} | reserve {on tag <1-255> value <string> | off}}
    Sets the sub-option port for Option82 function.
zte(cfg)#clear dhcpv6 snp-bind-entry {mac <HH.HH.HH.HH.HH.HH> | port <1-28> | all}
    Clears ip-source-guard entities.
zte(cfg)#clear dhcpv6 ani
    Clears device identifiers.
show dhcpv6 (all configuration modes)
    Displays DHCPv6 snooping and option configuration.
show dhcpv6 snooping (all configuration modes)
    Displays global DHCPv6 snooping configuration information.
show dhcpv6 snooping binding (all configuration modes)
    Displays information about DHCPv6 snooping entries.
show dhcpv6 snooping [port <1-28>] (all configuration modes)
    Displays DHCPv6 snooping entities.
show dhcpv6 ip-source-guard (all configuration modes)
    Displays port ip-source-guard configuration.
show dhcpv6 option82 (all configuration modes)
    Displays DHCPv6 Option82 configuration information.
show dhcpv6 option82 port (all configuration modes)
    Displays DHCPv6 Option82 configuration information on ports.
show dhcpv6 option82 ani (all configuration modes)
    Displays device identifiers.
show dhcpv6 option18 (all configuration modes)
    Displays DHCPv6 Option18 configuration information.
show dhcpv6 option37 (all configuration modes)
    Displays DHCPv6 Option37 configuration information.
DHCPv6 Configuration Instance
• Configuration Description
This configuration example describes how to configure DHCPv6 snooping/Option82. As shown in Figure 5-33, the PCs can obtain IP addresses from the DHCP server. Option82 is used to improve the security performance. It is required to prevent illegal DHCP servers from affecting the PCs on the network.
Figure 5-33 DHCPv6 Snooping/Option82 Configuration Instance
• Configuration Procedure
zte(cfg)#set dhcpv6 snooping enable
zte(cfg)#set dhcpv6 snooping add port 49,50
zte(cfg)#set dhcpv6 port 49 client
zte(cfg)#set dhcpv6 port 50 server
zte(cfg)#set dhcpv6 ip-source-guard add port 49
zte(cfg)#set dhcpv6 option82 enable
zte(cfg)#set dhcpv6 option82 add port 49,50
• Configuration Verification
zte(cfg)#show dhcpv6 snooping
DHCP v6 snooping is enabled on the following port(s):
PortId PortType
------ --------
49 Client
50 Server
zte(cfg)#show dhcpv6 option82
DHCP v6 option82 is enabled on the following port(s):
PortId PortType
------ --------
49 Client
50 Server
zte(cfg)#show dhcpv6 ip-source-guard
Ip source guard is configured on the following port(s): 49
5.29 VBAS Configuration
VBAS Overview
The Virtual Broadband Access Server (VBAS) is not physical equipment but a protocol standard, which is developed by China Telecom. VBAS is used to solve the problem of identifying broadband users. The Broadband Access Server (BAS) obtains the user identifier by querying the switch for the mapping between the MAC address of the dialing user and the switch port, and then sends the user name, password and identifier information to RADIUS, so that the position of the user can be determined.
Layer-2 communication is used between the BAS and switches: VBAS query and response packets are encapsulated directly in layer-2 Ethernet frames and identified by protocol number 0x8200.
Note:
Only trust ports can receive VBAS packets, and VBAS response packets can only be sent from trust ports.
A port connecting to the user network is called a cascade port, and a port connecting to the BAS server is called a trust port. For the typical network of VBAS, see Figure 5-34.
Figure 5-34 VBAS Typical Network
Configuring VBAS
The VBAS configuration includes the following commands:

Command
    Function

zte(cfg)#set vbas trust-port <portlist> {enable | disable}
    Enables or disables the global VBAS trust-port.
zte(cfg)#set vbas cascade-port <portlist> {enable | disable}
    Enables or disables the cascade port VBAS function.
zte(cfg)#set vbas {enable | disable}
    Enables or disables the global VBAS function.
show vbas (all configuration modes)
    Displays the VBAS configuration.

VBAS Configuration Instance
• Configuration Description
As shown in Figure 5-35, this example describes how to set port 1 as the trust port and port 2 as the cascade port of switch A, and port 1 as the trust port of switch B.
Figure 5-35 VBAS Configuration Instance Topology
• Configuration Procedure
1. Configuration of switch A:
zte(cfg)#set vbas enable
zte(cfg)#set vbas trust-port 1 enable
zte(cfg)#set vbas cascade-port 2 enable
2. Configuration of switch B:
zte(cfg)#set vbas enable
zte(cfg)#set vbas trust-port 1 enable
3. Configuration Verification
Check switch A
zte(cfg)#show vbas
vbas: enabled
trust port : 1
cascade port : 2
Check switch B
zte(cfg)#show vbas
vbas: enabled
trust port : 1
cascade port : none
5.30 PPPoE-PLUS Configuration
PPPoE-PLUS Overview
Besides VBAS and DHCP Option82, PPPoE-PLUS (PPPoE+) is another typical user location technology. PPPoE+ monitors the PAD packet exchange between the PC and the BAS server and inserts user location information into PADI/PADR messages. PPPoE+ is divided into three types based on the format of the inserted user information: China Telecom format, DSL BBS format, and CISCO format. The ZXR10 2900E also supports user-defined formats.
Configuring PPPoE-PLUS
The configuration of PPPoE-PLUS (PPPoE+) includes the following contents:

Command
    Function

zte(cfg)#set pppoe-plus {enable | disable}
    Enables or disables the PPPoE+ function.
zte(cfg)#set pppoe-plus tag-format port <portlist> {dsl-forum | cisco | china-tel | manual <string> | key <string>}
    Sets the PPPoE+ location message format.
zte(cfg)#set pppoe-plus rid <portlist> [<string>]
    Adds or deletes port rid information.
show pppoe-plus (all configuration modes)
    Displays PPPoE+ global configuration.
show pppoe-plus port <1-28> (all configuration modes)
    Displays port rid configuration.
zte(cfg)#set pppoe-plus mode port <portlist> {default | drop | modify}
    Sets the mode for dynamic user information processing at the port.

PPPoE-PLUS Configuration Instance
• Configuration Description
Configure the user information format of switch A as DSL forum format. See Figure 5-36.
Figure 5-36 PPPOE-PLUS Configuration Instance Topology
• Configuration Procedure
Configure switch A
zte(cfg)#set pppoe-plus enable
zte(cfg)#set pppoe-plus tag-format port 1 dsl-forum
• Configuration Verification
zte(cfg)#show pppoe-plus
PPPoE plus is enabled.
zte(cfg)#show pppoe-plus port 1
PPPoE Vendor-Specific Tag format on port 1:DSL-Forum
PPPoE-PLUS option mode information on port 1: Default
PPPoE VST remote ID on port 1 has not been set.
5.31 ZESR Configuration
ZESR Overview
ZESR is a private ring network protection technology developed by ZTE Corporation. Evolved from EAPS, ZESR ensures that there is only one logically connected path between any two nodes in the ring network.
Basic ZESR Concepts
For a description of the basic ZESR concepts, see Table 5-3.
Table 5-3 Basic ZESR Concepts

Name
    Description

ZESR Domain and ZESR Node
    A ZESR domain consists of a control VLAN and a protection instance.
    The device that is configured with ZESR is called a ZESR node. All ZESR nodes in the same ZESR domain must be configured with the same control VLAN and protection instance.
Control VLAN
    The control VLAN of a ZESR domain forwards ZESR protocol packets. A control VLAN is required for a ZESR domain.
Protection Instance and Service VLAN
    An instance in MSTP is used as the protection instance of a ZESR domain. The VLAN in a protection instance (that is, service VLAN) is used for service data transmission.
Major ZESR Ring and Secondary ZESR Ring
    A ZESR domain supports ring-based hierarchy with three levels, including level 0, level 1, and level 2. Among them, level 0 is the highest level and level 2 is the lowest level.
    A ring with level 0 is called a primary ring, while a ring with level 1 or level 2 is called a secondary ring.
ZESR Ring State
    There are two states for a ZESR ring: UP and DOWN.
    • UP indicates that each link in a ring operates properly.
    • DOWN indicates that there is one or more disconnected links in a ring.
ZESR Node Role
    A ZESR node can act as a master node, a transit node, an edge control node, or an edge assistant node.
    • A master node implements the control function and transmits data in a ring.
    • A transit node transmits data in a ring.
    • An edge control node implements the control function and transmits data in a secondary ring.
    • An edge assistant node transmits data in a secondary ring.
Primary Port and Secondary Port
    When a device is configured as a master node or a transit node, two ports need to be designated for it, that is, a primary port and a secondary port. The primary port and secondary port of a transit node have the same functions, while the primary port and secondary port of a master node have the following differences:
    • When a ring is in UP state, the primary port of a master node is in Forwarding state, and the secondary port is in Blocking state to block logical loops.
    • When a ring is in DOWN state, ZESR rapidly transits the secondary port of a master node from Blocking state to Forwarding state to switch the logical path quickly.
Boundary Port
    When a device is configured as an edge control node or an edge assistant node, one port needs to be designated for it, that is, a boundary port.
ZESR Link Switching Introduction
ZESR eliminates logical loops by blocking some particular ports in a ring; and when the states of some links in a ring change (from on to off, or from off to on), ZESR can rapidly switch the logical paths.
Figure 5-37 shows the diagram of the master node blocking its secondary port when the ring is in UP state. Figure 5-38 shows the diagram of the master node opening its secondary port when the ring is in DOWN state. In both diagrams, switches A, B, C and D are configured with a ZESR domain, in which switch A is the master node with port 1/1 as its primary port and port 1/2 as its secondary port, and switches B, C and D are the transit nodes.
PC 1 interchanges service data traffic with PC 2. The arrows in the diagrams indicate the flow of the service data.
Figure 5-37 Diagram of the Master Node Blocking its Secondary Port When the Ring is in UP State
Figure 5-38 Diagram of the Master Node Opening its Secondary Port When the Ring is in DOWN State
As shown in Figure 5-37, all links operate properly, the ring is in UP state, the secondary port of the master node is blocked, and traffic needs to go through switch C and switch D.
As shown in Figure 5-38, the link between switch B and switch C is disconnected, the ring state is changed to DOWN, ZESR rapidly transits the secondary port of the master node to Forwarding state, and traffic is switched quickly to switch A without going through switch C and switch D.
When the link between switch B and switch C recovers from disconnection, the secondary port of the master node is blocked again, the ring is switched to UP state, and the entire ZESR region returns to the state shown in Figure 5-37.
link-hello Link Connectivity Detection Overview
Figure 5-39 shows the transmission link fault diagram. Switch C does not have a direct connection with switch D. They are interconnected with each other through transmission links.
When the transmission link marked in red in the middle of the transmission links encounters a bidirectional connectivity failure, switch C and switch D are still in UP state. If the bidirectional connectivity detection function is not enabled for the transmission link, switch C and switch D will not be able to perceive this failure and for this reason ZESR link switching will not be triggered.
If the link-hello link connectivity detection function is enabled on the ports through which switch C and switch D are interconnected with each other, these ports will periodically send link-hello detection packets to each other. If a port does not receive the link-hello detection packet from the peer port within a specified time period, the switch will consider this as a link failure. The device will immediately block the ports on the link and inform the master node to implement link switching.
Figure 5-39 Transmission Link Fault Diagram
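The link-hello detection described above can be worked through with numbers. The following is an added example, not ZTE code: it models the two ports of Figure 5-39 using the hello-interval and fail-times parameters of the `set zesr link-hello` command from this section. The timer model (failure is declared once hello-interval × fail-times has elapsed since the last received link-hello) and all function names are assumptions of this example.

```python
def hello_times(interval_ms, stop_ms):
    """Times (ms) at which one end transmits link-hello packets, up to stop_ms."""
    return list(range(0, stop_ms + 1, interval_ms))


def detect_failure(rx_times_ms, hello_interval_ms, fail_times, observe_until_ms):
    """Return the time (ms) at which a port declares link failure, or None.

    Assumed model: the port declares failure once hello_interval * fail_times
    has elapsed since the last link-hello it received.
    """
    timeout = hello_interval_ms * fail_times
    last = 0  # detection starts at t = 0
    for t in sorted(rx_times_ms):
        if t > observe_until_ms:
            break
        if t - last > timeout:
            return last + timeout
        last = t
    if observe_until_ms - last > timeout:
        return last + timeout
    return None


def simulate(local, peer, observe_until_ms, fault_at_ms=None):
    """Run both ends of one link.

    local and peer are (hello_interval_ms, fail_times) tuples. Each end sends
    at its own interval and judges the link with its own parameters. A
    bidirectional fault at fault_at_ms silently drops every later packet while
    both ports stay physically UP. Returns (local_failure_ms, peer_failure_ms).
    """
    stop = observe_until_ms if fault_at_ms is None else fault_at_ms
    from_peer = hello_times(peer[0], stop)
    from_local = hello_times(local[0], stop)
    return (
        detect_failure(from_peer, *local, observe_until_ms),
        detect_failure(from_local, *peer, observe_until_ms),
    )


if __name__ == "__main__":
    default = (1000, 5)  # default values stated in this section
    # Healthy link, matching settings: nobody declares a failure.
    print(simulate(default, default, 20000))
    # Transmission link fails at t = 8000 ms: both ends react 5000 ms later.
    print(simulate(default, default, 20000, fault_at_ms=8000))
    # Mismatched intervals on a healthy link: the faster end times out on its own.
    print(simulate((1000, 3), (10000, 3), 20000))
```

The last case shows why the transmission intervals of both ends have to match: the end configured with the shorter interval blocks its port at 3000 ms although the link is healthy.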
Configuring ZESR
The ZESR configuration includes the following commands:
Step Command Function
1 ZXR10(config)#set zesr ctrl-vlan <1-4094>
protect-instance <1-16>Create a ZESR domain.
The control VLAN of a ZESR domain
cannot be a service VLAN. It cannot
have any conflict with a service VLAN
or a Network Management VLAN. The
PVID of a port cannot be used as the
control VLAN.
ZXR10(config)#set zesr ctrl-vlan <cvlan
id> major-level role {master | transit |
zess-master | zess-transit}{primary-port <port1>|primary-trunk <trunkId>}{secondary-port<port2>| secondary-trunk <trunkId>}
Configures a node as the node on the
primary ring.
ZXR10(config)#set zesr ctrl-vlan <1-4094>
level <1-2> seg <1-10> role {master |
transit}{primary-port <port1>| primary-trunk<trunkId>}{secondary-port <port2>|secondary-trunk <trunkId>}
Configures a node as the master node
or a transit node on a secondary ring.
2
5-111
SJ-20130731155059-002|2013-11-27 (R1.0) ZTE Proprietary and Confidential
ZXR10 2900E Series Configuration Guide
Step Command Function
ZXR10(config)#set zesr ctrl-vlan <1-4094>
level <1-2> seg <1-10> role {edge-assistant |
edge-control}{edge-port <port>| edge-trunk<trunkId>}
Configures a node as an edge assistant
node or an edge control node on a
secondary ring.
ZXR10(config)#set zesr ctrl-vlan <1-4094>
major-level preforward <10-600>[preup <
0-500>]
Configures the preforward time and the
preup time for a node on the primary
ring.
The default value for the preforward time
is 10 seconds, and the default value for
the preup time is 0 second.
The configuration of the preforward time
and the preup time is required to satisfy
the following condition: preforward >
preup + link recovery time (10 seconds).
3
ZXR10(config)#set zesr ctrl-vlan <1-4094> level<1-2> seg <1-10> preforward <10-600>[ preup<0-500>]
Configures the preforward time and the
preup time for a node on a secondary
ring.
l The preforward time: takes effect
during link failure recovery. During
the failure recovery, the faulty port
still remains blocked for some
time for the master node to block
the secondary port first to avoid
temporary loops.
After the master node blocks
the secondary port, it will inform
the node where the faulty port is
located to unblock the faulty port
immediately. If the node where
the faulty port is located does not
receive any notification from the
master node, the faulty port will
unblock itself when the preforward
time expires.
l The preup time: takes effect during
link failure recovery. During the
failure recovery, the master node
waits for the preup time before it
blocks the secondary port again,
to prevent the ring state from
repeatedly switching due to the
5-112
SJ-20130731155059-002|2013-11-27 (R1.0) ZTE Proprietary and Confidential
Chapter 5 Service Configuration
Step Command Function
instability of the link state during the
failure recovery.
ZXR10(config)#set zesr link-hello <port-id>{
normal | special}
Configures whether to enable the
link-hello function on a port. specialindicates enabling the hello-link function,
while normal indicates disabling the
hello-link function. The default value is
normal.Link-hello, the bidirectional link
connectivity detection function of the
ZXR10 2900E applies to the scenario
where two nodes are interconnected
with each other not through a direct
connection but through transmission
links.
4
ZXR10(config)#set zesr link-hello hello-interval <10-10000> fail-times <3-10>
Configures the interval to send link-hello
packets and the number of timeout
packets. The default values are 1000
ms and 5 timeout packets.
When the link-hello function is enabled
on a link, the devices at both ends of the
link must be enabled to send link-hello
packets, and the transmission intervals
of both ends should be set to the same value.
The ZXR10 2900E supports enabling
the link-hello function on the Smartgroup
port.
5 ZXR10(config)#set zesr protocol-mac {normal | special}
Configures the destination MAC mode
used in a ZESR protocol packet. The
default value is special mode.
The ZXR10 2900E supports configuring
the MAC address used in a ZESR
protocol packet. The modes of all nodes
in a ZESR region must have the same
configuration, that is, all nodes must be
configured to Normal mode or Special
mode.
- Normal mode: the destination
MAC address of a ZESR
protocol packet uses the address
00-E0-2B-00-00-04.
- Special mode: the destination MAC
address of a ZESR protocol packet
uses a ZTE-defined address.
6 ZXR10(config)#set zesr restart-time <30-600> Configures the ZESR restart time (s).
Default: 120.
Restart-time: the ZESR initialization
time during the device startup. During
this period, all ports in the ZESR ring are
in Blocking state.
ZXR10(config)#set zesr ctrl-vlan <1-4094> tcn-sending {enable | disable}
Configures whether TCN packets are sent in
a designated ZESR domain. By default,
a ZESR domain is configured to send
TCN packets.
A TCN packet is a packet sent when the
topology changes in the STP network.
Currently it is ZESR that triggers STP
to send TCN packets. In the ZESR and
STP hybrid networking environment, in
order for the STP network to perceive
the topology change of the ZESR
network, ZESR is required to send TCN
packets to the STP network when it
detects the topology change.
7
ZXR10(config)#set zesr tcn-sending {port <portlist> | trunk <trunklist>} {enable | disable}
Configures to enable or disable the TCN
packet sending function on a port. By
default, a port is configured not to send
TCN packets.
A port sends TCN packets when the
ZESR ring state changes only if the TCN
packet sending function is enabled both
in the ZESR region and on the
corresponding port in that region.
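The constraints stated in the table above can be checked mechanically before a ring goes live. The following Python code is an added example, not ZTE code: it parses the set zesr commands in the forms shown in this guide and checks three of the stated rules (preforward > preup + 10 seconds, one protocol-mac mode per region, matching hello-interval). The switch names, port IDs and timer values are constructed sample input, and the nodes passed in are assumed to be the two ends of one link-hello link.

```python
import re
from collections import defaultdict

LINK_RECOVERY_S = 10          # link recovery time given in the guide
DEFAULT_PREUP_S = 0           # documented default preup time
DEFAULT_MAC_MODE = "special"  # documented default protocol-mac mode
DEFAULT_HELLO_MS = 1000       # documented default hello-interval

TIMER_RE = re.compile(r"set zesr ctrl-vlan (\d+) level (\d+) seg (\d+) "
                      r"preforward (\d+)(?: preup (\d+))?$")
MAC_RE = re.compile(r"set zesr protocol-mac (normal|special)$")
HELLO_INT_RE = re.compile(r"set zesr link-hello hello-interval (\d+) fail-times (\d+)$")
HELLO_PORT_RE = re.compile(r"set zesr link-hello (\S+) (normal|special)$")

# Constructed sample: ZESR commands as they might appear on two ring nodes.
SAMPLE = {
    "Switch_E": [
        "Switch_E(config)#set zesr ctrl-vlan 4000 level 1 seg 1 preforward 15 preup 10",
        "Switch_E(config)#set zesr protocol-mac normal",
        "Switch_E(config)#set zesr link-hello 1/1 special",
        "Switch_E(config)#set zesr link-hello hello-interval 1000 fail-times 5",
    ],
    "Switch_F": [
        "Switch_F(config)#set zesr ctrl-vlan 4000 level 1 seg 1 preforward 30 preup 5",
        "Switch_F(config)#set zesr link-hello 1/2 special",
        "Switch_F(config)#set zesr link-hello hello-interval 500 fail-times 5",
    ],
}


def parse_node(lines):
    """Extract the ZESR settings checked below from one node's command list."""
    node = {"timers": [], "mac": DEFAULT_MAC_MODE,
            "hello_ms": DEFAULT_HELLO_MS, "hello_ports": set()}
    for raw in lines:
        # Drop an optional "Switch_X(config)#" prompt and collapse whitespace.
        line = " ".join(raw.split("#", 1)[-1].split())
        if m := TIMER_RE.match(line):
            vlan, level, seg, pre_fwd = (int(g) for g in m.groups()[:4])
            pre_up = int(m.group(5)) if m.group(5) else DEFAULT_PREUP_S
            node["timers"].append((vlan, level, seg, pre_fwd, pre_up))
        elif m := MAC_RE.match(line):
            node["mac"] = m.group(1)
        elif m := HELLO_INT_RE.match(line):
            node["hello_ms"] = int(m.group(1))
        elif m := HELLO_PORT_RE.match(line):
            # "special" enables link-hello on the port, "normal" disables it.
            if m.group(2) == "special":
                node["hello_ports"].add(m.group(1))
            else:
                node["hello_ports"].discard(m.group(1))
    return node


def audit(configs):
    """Check the constraints the guide states; return a list of (scope, finding)."""
    nodes = {name: parse_node(lines) for name, lines in configs.items()}
    findings = []
    # Rule 1: preforward > preup + link recovery time (10 seconds).
    for name, node in nodes.items():
        for vlan, level, seg, pre_fwd, pre_up in node["timers"]:
            if pre_fwd <= pre_up + LINK_RECOVERY_S:
                findings.append((name, f"ctrl-vlan {vlan} level {level} seg {seg}: preforward "
                                       f"{pre_fwd} must exceed preup {pre_up} + {LINK_RECOVERY_S}"))
    # Rule 2: all nodes in a ZESR region must use the same protocol-mac mode.
    by_mode = defaultdict(list)
    for name, node in nodes.items():
        by_mode[node["mac"]].append(name)
    if len(by_mode) > 1:
        findings.append(("region", "protocol-mac differs: " + "; ".join(
            f"{mode}={sorted(names)}" for mode, names in sorted(by_mode.items()))))
    # Rule 3: nodes running link-hello must agree on the hello-interval.
    hello = {n: node["hello_ms"] for n, node in nodes.items() if node["hello_ports"]}
    if len(set(hello.values())) > 1:
        findings.append(("region", f"hello-interval differs: {dict(sorted(hello.items()))}"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"[{scope}] {finding}")
```

A node without a protocol-mac line is treated as running the documented default (special), which is why the sample reports a mode mismatch even though only one node sets the mode explicitly.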
ZESR Single-Domain Multi-Ring Configuration Example
Figure 5-40 shows the ZESR single-domain multi-ring configuration example. Switches A to F are configured with a ZESR domain, which contains a primary ring and a secondary ring. This is called single-domain multi-ring configuration.
Purpose
- The control VLAN of the ZESR domain is VLAN 4000, and the protection instance is instance 1 (including VLANs 100 to 110).
- Switch A is the master node of the primary ring with Trunk1 as its primary port and port 1/2 as its secondary port.
- Switches B to D are the transit nodes of the primary ring.
- Switch E is the master node of the secondary ring with port 1/1 as its primary port and port 1/2 as its secondary port.
- Switch F is the transit node of the secondary ring. Switches A and B are the edge assistant nodes of the secondary ring.
Figure 5-40 ZESR Single-Domain Multi-Ring Configuration Example
Configurations on switch A:
/*Run the following commands to configure the spanning tree instance.*/
Switch_A(config)#set stp enable
Switch_A(config)#set stp forceversion mstp
Switch_A(config)#set stp instance 1 add vlan 100-110
/*Run the following command to configure the ZESR domain with VLAN 4000 as
the control VLAN and protection instance 1 as the protection instance.*/
Switch_A(config)#set zesr ctrl-vlan 4000 protect-instance 1
/*Run the following command to configure switch A as the master node of the
primary ring with Smartgroup1 as its primary port and port 1/2 as its
secondary port.*/
Switch_A(config)#set zesr ctrl-vlan 4000 major-level role master primary-trunk 1 secondary-port 1/2
/*Run the following command to configure switch A as the edge assistant
node of the secondary ring Level1Seg1 with port 1/4 as its boundary port.*/
Switch_A(config)#set zesr ctrl-vlan 4000 level 1 seg 1 role edge-assistant port 1/4
Configurations on switch B:
/*Run the following commands to configure the spanning tree instance.*/
Switch_B(config)#set stp enable
Switch_B(config)#set stp forceversion mstp
Switch_B(config)#set stp instance 1 add vlan 100-110
/*Run the following command to configure the ZESR domain with VLAN 4000 as
the control VLAN and protection instance 1 as the protection instance.*/
Switch_B(config)#set zesr ctrl-vlan 4000 protect-instance 1
/*Run the following command to configure switch B as the transit node of the
primary ring with port 1/1 as its primary port and port 1/2 as its
secondary port.*/
Switch_B(config)#set zesr ctrl-vlan 4000 major-level role transit primary-port 1/1 secondary-port 1/2
/*Run the following command to configure switch B as the edge assistant
node of the secondary ring Level1Seg1 with port 1/3 as its boundary port.*/
Switch_B(config)#set zesr ctrl-vlan 4000 level 1 seg 1 role edge-assistant port 1/3
Configurations on switch C:
/*Run the following commands to configure the spanning tree instance.*/
Switch_C(config)#set stp enable
Switch_C(config)#set stp forceversion mstp
Switch_C(config)#set stp instance 1 add vlan 100-110
/*Run the following command to configure the ZESR domain with VLAN 4000 as
the control VLAN and protection instance 1 as the protection instance.*/
Switch_C(config)#set zesr ctrl-vlan 4000 protect-instance 1
/*Run the following command to configure switch C as the transit node of the
primary ring with port 1/1 as its primary port and port 1/2 as its
secondary port.*/
Switch_C(config)#set zesr ctrl-vlan 4000 major-level role transit primary-port 1/1 secondary-port 1/2
Configurations on switch D:
/*Run the following commands to configure the spanning tree instance.*/
Switch_D(config)#set stp enable
Switch_D(config)#set stp forceversion mstp
Switch_D(config)#set stp instance 1 add vlan 100-110
/*Run the following command to configure the ZESR domain with VLAN 4000 as
the control VLAN and protection instance 1 as the protection instance.*/
Switch_D(config)#set zesr ctrl-vlan 4000 protect-instance 1
/*Run the following command to configure switch D as the transit node of the
primary ring with Trunk1 as its primary port and port 1/2 as its secondary port.*/
Switch_D(config)#set zesr ctrl-vlan 4000 major-level role transit primary-trunk 1 secondary-port 1/2
Configurations on switch E:
/*Run the following commands to configure the spanning tree instance.*/
Switch_E(config)#set stp enable
Switch_E(config)#set stp forceversion mstp
Switch_E(config)#set stp instance 1 add vlan 100-110
/*Run the following command to configure the ZESR domain with VLAN 4000 as
the control VLAN and protection instance 1 as the protection instance.*/
Switch_E(config)#set zesr ctrl-vlan 4000 protect-instance 1
/*Run the following command to configure switch E as the master node of the
secondary ring Level1Seg1 with port 1/1 as its primary port and port 1/2
as its secondary port.*/
Switch_E(config)#set zesr ctrl-vlan 4000 level 1 seg 1 role master primary-port 1/1 secondary-port 1/2
Configurations on switch F:
/*Run the following commands to configure the spanning tree instance.*/
Switch_F(config)#set stp enable
Switch_F(config)#set stp forceversion mstp
Switch_F(config)#set stp instance 1 add vlan 100-110
/*Run the following command to configure the ZESR domain with VLAN 4000 as
the control VLAN and protection instance 1 as the protection instance.*/
Switch_F(config)#set zesr ctrl-vlan 4000 protect-instance 1
/*Run the following command to configure switch F as the transit node of the
secondary ring Level1Seg1 with port 1/1 as its primary port and port 1/2
as its secondary port.*/
Switch_F(config)#set zesr ctrl-vlan 4000 level 1 seg 1 role transit primary-port 1/1 secondary-port 1/2
ZESR Single-Ring Multi-Domain Configuration Example
Figure 5-41 shows the ZESR single-ring multi-domain configuration example. Switches A to D are configured with two ZESR domains. This is called single-ring multi-domain configuration.
Purpose
- The control VLAN of ZESR domain 1 is VLAN 4000, and the protection instance is instance 1 (including VLANs 100 to 110). The control VLAN of ZESR domain 2 is VLAN 4001, and the protection instance is instance 2 (including VLANs 200 to 210).
- Switch A is the master node in ZESR domain 1 with port 1/1 as its primary port and port 1/2 as its secondary port. Switch A is also the master node in ZESR domain 2 with port 1/2 as its primary port and port 1/1 as its secondary port.
- Switches B to D are the transit nodes in both ZESR domains.
Note:
When multiple ZESR domains are configured on a physical ring, service data traffic in different ZESR domains can be planned to go through different paths by proper settings to achieve load balancing.
Figure 5-41 ZESR Single-Ring Multi-Domain Configuration Example
Configurations on switch A:
/*Run the following commands to configure the spanning tree instance.*/
Switch_A(config)#set stp enable
Switch_A(config)#set stp forceversion mstp
Switch_A(config)#set stp instance 1 add vlan 100-110
Switch_A(config)#set stp instance 2 add vlan 200-210
/*Run the following commands to configure the ZESR domains with
protection instance 1 as the protection instance of ZESR domain 1
and protection instance 2 as the protection instance of ZESR domain 2.*/
Switch_A(config)#set zesr ctrl-vlan 4000 protect-instance 1
Switch_A(config)#set zesr ctrl-vlan 4001 protect-instance 2
/*Run the following command to configure node roles, that is, switch A
is the master node in ZESR domain 1 with port 1/1 as its primary port
and port 1/2 as its secondary port.*/
Switch_A(config)#set zesr ctrl-vlan 4000 major-level role master primary-port 1/1 secondary-port 1/2
/*Run the following command to configure node roles, that is, switch A
is the master node in ZESR domain 2 with port 1/2 as its primary port
and port 1/1 as its secondary port.*/
Switch_A(config)#set zesr ctrl-vlan 4001 major-level role master primary-port 1/2 secondary-port 1/1
Configurations on switch B:
/*Run the following commands to configure the spanning tree instance.*/
Switch_B(config)#set stp enable
Switch_B(config)#set stp forceversion mstp
Switch_B(config)#set stp instance 1 add vlan 100-110
Switch_B(config)#set stp instance 2 add vlan 200-210
/*Run the following commands to configure the ZESR domains with
protection instance 1 as the protection instance of ZESR domain 1
and protection instance 2 as the protection instance of ZESR domain 2.*/
Switch_B(config)#set zesr ctrl-vlan 4000 protect-instance 1
Switch_B(config)#set zesr ctrl-vlan 4001 protect-instance 2
/*Run the following command to configure node roles, that is, switch B
is the transit node in ZESR domain 1 with port 1/1 as its primary port
and port 1/2 as its secondary port.*/
Switch_B(config)#set zesr ctrl-vlan 4000 major-level role transit primary-port 1/1 secondary-port 1/2
/*Run the following command to configure node roles, that is, switch B
is the transit node in ZESR domain 2 with port 1/1 as its primary port
and port 1/2 as its secondary port.*/
Switch_B(config)#set zesr ctrl-vlan 4001 major-level role transit primary-port 1/1 secondary-port 1/2
Configurations on switch C and switch D are the same as those on switch B.
ZESR Dual-Node Dual-Uplink Configuration Example
Figure 5-42 shows the ZESR dual-node dual-uplink configuration example. The third-party device, switch C, which does not support ZESR, acts as an uplink node and connects with the top network through STP. Switches A and B are configured with a ZESR domain. This is called a dual-node dual-uplink topology.
Purpose
- The control VLAN of the ZESR domain is VLAN 4000, and the service VLANs are VLANs 100 to 110.
- Switch A is the master node with port 1/2 as its primary port and port 1/1 as its secondary port. Switch B is the transit node.
- In order for switch C and the top network to perceive the topology change of the underlying network, port 1/1 of switch A and port 1/1 of switch B are enabled with the TCN packet sending function to notify the network topology change upwards.
Figure 5-42 ZESR Dual-Node Dual-Uplink Configuration Example
Configurations on switch A:
/*Run the following commands to configure the spanning tree instance.*/
Switch_A(config)#set stp enable
Switch_A(config)#set stp forceversion mstp
Switch_A(config)#set stp instance 1 add vlan 100-110
/*Run the following command to configure the ZESR domain with VLAN 4000
as the control VLAN and protection instance 1 as the protection instance.*/
Switch_A(config)#set zesr ctrl-vlan 4000 protect-instance 1
/*Run the following command to configure switch A as the master node of the
primary ring with port 1/2 as its primary port and port 1/1 as its
secondary port.*/
Switch_A(config)#set zesr ctrl-vlan 4000 major-level role zess-master primary-port 1/2 secondary-port 1/1
/*Run the following commands to enable the TCN packet sending function
on port 1/1.*/
Switch_A(config)#set zesr tcn-sending port 1/1 enable
Configurations on switch B:
/*Run the following commands to configure the spanning tree instance.*/
Switch_B(config)#set stp enable
Switch_B(config)#set stp forceversion mstp
Switch_B(config)#set stp instance 1 add vlan 100-110
/*Run the following command to configure the ZESR domain with VLAN 4000
as the control VLAN and protection instance 1 as the protection instance.*/
Switch_B(config)#set zesr ctrl-vlan 4000 protect-instance 1
/*Run the following command to configure switch B as the transit node of the
primary ring with port 1/1 as its primary port and port 1/2 as its
secondary port.*/
Switch_B(config)#set zesr ctrl-vlan 4000 major-level role zess-transit primary-port 1/1 secondary-port 1/2
/*Run the following commands to enable the TCN packet sending function
on port 1/1.*/
Switch_B(config)#set zesr tcn-sending port 1/1 enable
Configurations on switch C:
/*Run the following commands to configure the spanning tree
instance: the configuration commands from vendors differ.
Refer to the user guides published by respective vendors.*/
Switch_C(config)#set stp enable
Switch_C(config)#set stp forceversion mstp
Switch_C(config)#set stp instance 1 add vlan 100-110
5.32 ZESS Configuration
ZESS is an efficient link switching mechanism, which allows two links on a device to back up each other and always elects one of them for data transmission. If the link in current use fails, ZESS can switch to the backup link rapidly and automatically to guarantee the normal service data transmission.
Basic ZESS Concepts
For a description of the basic ZESS concepts, refer to Table 5-4:
Table 5-4 Basic ZESS Concepts
Name Description
ZESS Domain: A ZESS domain consists of a control VLAN and a protection instance. There are two states for a ZESS domain:
- UP indicates that each link in a ZESS domain operates properly.
- DOWN indicates that at least one link in a ZESS domain is disconnected.
ZESS Node: A device that is configured with a ZESS domain is called a ZESS node.
Control VLAN: The control VLAN of a ZESS domain forwards ZESS protocol packets (Flush packets). A Flush packet is sent from a ZESS node during ZESS link switching to inform the relevant devices to refresh the MAC address table. The control VLAN is not required for a ZESS domain. If the control VLAN is not configured, no Flush packets will be sent during ZESS link switching.
Receive-VLAN: A Receive-VLAN can be configured on the device that is connected with a ZESS node and should have the same VLAN ID as that of the control VLAN of a ZESS node. Only after a node is configured with a Receive-VLAN will it refresh the MAC address table when it receives a Flush packet from this VLAN to accelerate link convergence.
Protection Instance and Service VLAN: An instance in MSTP is used as the protection instance of a ZESS domain. The VLAN in a protection instance (that is, service VLAN) is used for service data transmission.
Primary/Secondary Port and Primary/Secondary Link: When a device is configured with a ZESS domain, the primary port and the secondary port are designated to it. The link where the primary port is located is called the primary link and the link where the secondary port is located is called the secondary link. Both links can back up each other.
Reversal Mode and Non-Reversal Mode: In the condition that the primary link is disconnected and the secondary link is in use for data transmission, if the primary link recovers from disconnection, there are two modes of processing: reversal mode and non-reversal mode.
- In reversal mode, ZESS switches data traffic to the primary link and blocks the secondary link.
- In non-reversal mode, ZESS continues to use the secondary link for data transmission and blocks the primary link.
ZESS Operating Flow
Figure 5-43 shows the ZESS network topology. Switch A is configured with a ZESS domain with port_1/1 as the primary port and port_1/2 as the secondary port.
Figure 5-43 ZESS Network Topology
Here is a description of the ZESS operating flow:
1. In the initial state, both the primary link and the secondary link operate properly. ZESS then blocks the secondary link and uses the primary link for data forwarding.
2. When the primary link is disconnected, ZESS rapidly switches the secondary link to Forwarding state and blocks the primary link.
3. When the primary link recovers from disconnection, if reversal mode is enabled, ZESS sets the primary link to Forwarding state and blocks the secondary link; if non-reversal mode is enabled, ZESS blocks the primary link and continues to use the secondary link for data transmission.
Note:
In reversal mode, when the primary link recovers from disconnection, the link is not switched immediately but after a period of the preup time.
Configuring ZESS
The ZESS configuration includes the following commands:
Step Command Function
1 ZXR10(config)#set zess domain <1-4> protect-instance <1-16> primary {port <port-name> | trunk <trunk-name>} secondary {port <port-name> | trunk <trunk-name>}
Creates a ZESS domain.
The control VLAN must be elected from idle VLANs. It cannot have any conflict with service VLANs or Network Management VLANs.
2 ZXR10(config)#set zess domain <1-4> mode {revertive | non_revertive}
Configures the ZESS switching mode. The default value is reversal mode.
Here are two ZESS switching modes:
- Revertive: reversal mode.
- Non_revertive: non-reversal mode.
3 ZXR10(config)#set zess domain <1-4> ctrl-vlan <1-4094>
Configures the control VLAN.
4 ZXR10(config)#set zess domain <1-4> preup <1-600>
Configures the preup time (s). Default: 5.
The preup time is used in reversal mode. In the condition that the primary link is disconnected and the secondary link is in use for data forwarding, if the primary link recovers from disconnection, ZESS does not switch the data traffic to the primary link immediately. It waits for the preup time before it implements the switching, to prevent the switching from occurring when the primary link recovery is still unstable.
5 ZXR10(config)#set zess receive-vlan <1-4094> {port <port-name> | trunk <trunk-name>}
Configures a port to enable the capability of receiving Flush packets from a designated control VLAN.
6 ZXR10(config)#clear zess receive-vlan {<1-4094> | all}
Clears the Flush packet receiving capability of a port.
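The operating flow, the two switching modes, the preup delay and the Flush behaviour described above can be modelled as a small state machine. The following Python code is an added example, not ZTE code: the class and method names are hypothetical, the event trace is constructed, and the behaviour when both links are down (the first link to return carries traffic) is an assumption the guide does not describe.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ZessDomain:
    revertive: bool = True             # documented default: reversal mode
    preup_s: int = 5                   # documented default preup time (s)
    ctrl_vlan: Optional[int] = None    # no control VLAN -> no Flush packets
    up: dict = field(default_factory=lambda: {"primary": True, "secondary": True})
    active: Optional[str] = "primary"  # link in Forwarding state; the other is blocked
    revert_at: Optional[float] = None  # time at which a pending switch-back fires
    flushes: List[Tuple[float, int]] = field(default_factory=list)

    @property
    def state(self) -> str:
        """UP only when every link works; DOWN if at least one is disconnected."""
        return "UP" if all(self.up.values()) else "DOWN"

    def _switch(self, t: float, link: Optional[str]) -> None:
        if link == self.active:
            return
        self.active = link
        if link is not None and self.ctrl_vlan is not None:
            self.flushes.append((t, self.ctrl_vlan))  # Flush sent on link switching

    def link_down(self, t: float, link: str) -> None:
        self.up[link] = False
        if link == "primary":
            self.revert_at = None      # recovery was unstable: cancel the switch-back
        if link == self.active:
            other = "secondary" if link == "primary" else "primary"
            self._switch(t, other if self.up[other] else None)

    def link_up(self, t: float, link: str) -> None:
        self.up[link] = True
        if self.active is None:
            self._switch(t, link)      # assumption: first link back carries traffic
        elif link == "primary" and self.active == "secondary" and self.revertive:
            self.revert_at = t + self.preup_s   # wait out the preup time

    def tick(self, t: float) -> None:
        """Advance the clock; perform the delayed switch-back if it is due."""
        if self.revert_at is not None and t >= self.revert_at and self.up["primary"]:
            self.revert_at = None
            self._switch(t, "primary")


def replay(domain, events):
    """Apply (time, event, link) tuples; return (time, active link) after each."""
    timeline = []
    for t, event, link in events:
        domain.tick(t)
        if event == "down":
            domain.link_down(t, link)
        elif event == "up":
            domain.link_up(t, link)
        timeline.append((t, domain.active))
    return timeline


# Constructed trace: the primary link fails, flaps once while recovering,
# then stays up for longer than the preup time.
EVENTS = [(10, "down", "primary"), (20, "up", "primary"), (22, "down", "primary"),
          (30, "up", "primary"), (34, "tick", None), (35, "tick", None)]

if __name__ == "__main__":
    for mode in (True, False):
        dom = ZessDomain(revertive=mode, ctrl_vlan=4000)
        print("revertive" if mode else "non_revertive", replay(dom, EVENTS), dom.flushes)
```

In the trace, the flap at t=22 cancels the pending switch-back, so the revertive domain returns to the primary link only at t=35, five seconds after the second recovery.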
ZESS Configuration Example
Figure 5-44 shows the ZESS networking configuration. Switch B and switch C are in the top network. Switch A is configured as a ZESS node. Here, ZESS is used for single-device dual-uplink backup to achieve the Ethernet smart switch function.
Switch A is configured with two ZESS domains. To achieve load balancing, the primary and secondary ports of one domain operate as the secondary and primary ports of the other domain, respectively.
- In ZESS domain 1, the control VLAN is VLAN4000, the protection instance is instance 1, the primary port is port_1/1 and the secondary port is port_1/2.
- In ZESS domain 2, the control VLAN is VLAN4001, the protection instance is instance 2, the primary port is port_1/2 and the secondary port is port_1/1.
The capability of receiving Flush packets from the control VLANs VLAN4000 and VLAN4001 is enabled on relevant ports of switch B and switch C.
Figure 5-44 ZESS Networking Configuration
Configurations on switch A:
/*Run the following commands to configure a protection instance.*/
Switch_A(config)#set stp enable
Switch_A(config)#set stp instance 1 add vlan 100-110
/*Run the following commands to configure a ZESS domain.*/
Switch_A(config)#set zess domain 1 protect-instance 1 primary port_1/1 secondary port_1/2
Switch_A(config)#set zess domain 2 protect-instance 2 primary port_1/2 secondary port_1/1
/*Run the following commands to configure the control VLAN.*/
Switch_A(config)#set zess domain 1 ctrl-vlan 4000
Switch_A(config)#set zess domain 2 ctrl-vlan 4001
Configurations on switch B:
/*Run the following commands to configure a protection instance.*/
Switch_B(config)#set stp enable
Switch_B(config)#set stp instance 1 add vlan 100-110
/*Run the following commands to configure receive-vlans.*/
Switch_B(config)#set zess receive-vlan 4000 port 1/2
Switch_B(config)#set zess receive-vlan 4001 port 1/2
Switch_B(config)#exit
Configurations on switch C:
/*Run the following commands to configure a protection instance.*/
Switch_C(config)#set stp enable
Switch_C(config)#set stp instance 1 add vlan 100-110
/*Run the following commands to configure receive-vlans.*/
Switch_C(config)#set zess receive-vlan 4000 port 1/1
Switch_C(config)#set zess receive-vlan 4001 port 1/1
Switch_C(config)#exit
5.33 OAM Configuration
OAM Overview
With the rapid development of Ethernet technology, Ethernet accounts for a growing share of the network structure. Ethernet devices, replacing ATM network devices and other devices, are widely used in the access layer, the convergence layer and the backbone network. Because of this wide use, the Operation, Administration and Maintenance (OAM) function of Ethernet devices receives much attention. The main Ethernet OAM protocols are shown below.
- IEEE 802.3ah (Operations, Administration, and Maintenance-OAM)
- IEEE 802.1ag (Connectivity Fault Management) (Draft)
- ITU-T Y.1731 (OAM functions and mechanisms for Ethernet based networks) (Draft)
IEEE 802.3ah, the operations, administration and maintenance standard, is the formal standard and aims at link-level management. It monitors and troubleshoots point-to-point (or virtual point-to-point) Ethernet links. It is important for connection management of the Last One Mile, where faults take place constantly.
The ZXR10 2900E series switch supports IEEE 802.3ah.
Ethernet OAM Main Function
- OAM Discovery Function: After the Ethernet OAM function is enabled, the ZXR10 2900E series switch can detect a remote DTE device that has the OAM function. After coordinating with the peer OAM, the switch enters the normal Ethernet OAM interaction process.
- Remote Link Event Alarm: The OAM function inspects the events of the remote link and adopts the corresponding response methods. When a fault takes place on the remote link, OAM defines the event and announces it to the remote OAM client. A detailed event announcement packet is also provided.
OAM defines the following link events.
1. Link Failure: The physical layer locates a failure that takes place in the receiving direction of the local DTE.
2. Emergency Failure: A local failure event has happened, and this failure cannot be recovered.
3. Emergency Events: An undefined emergency event happens.
- OAM Remote Loopback: The ZXR10 2900E series switch provides an optional data link layer frame-level loopback mode through the OAM function. OAM remote loopback is used to locate failures and examine the link performance. When the remote DTE is in OAM remote loopback mode, the statistics of the local and remote DTE can be queried and compared at any time. OAM loopback frames can be analyzed to obtain additional information about link health (frame discard due to link failure).
- Link Monitoring: The ZXR10 2900E series switch monitors and examines the link state, and announces the specified frame events through the OAM function. The specified frame events can be classified into four types: error symbol period event, error frame event, error frame period event and error frame-second statistic event. After detecting an error, OAM responds and alarms the peer device through the announcement mechanism.
The link monitoring events are classified into four types: error symbol monitor event, error frame monitor event, error frame-period monitor event and error frame-second statistic monitor event. When the link monitoring information is viewed, the related error symbols, the error frame statistics and the statistics of local and peer link events are shown for each event.
Configuring OAM
The OAM configuration includes the following commands:
Command Function
zte(cfg)#set ethernet-oam {enable | disable}
Enables or disables the global OAM function.
zte(cfg)#set ethernet-oam port <portlist> {enable | disable}
Enables or disables the OAM function on the port.
zte(cfg)#set ethernet-oam port <portlist> period <1-10> timeout <2-20> mode {active | passive}
Sets the OAM period, timeout time and mode of the port.
zte(cfg)#set ethernet-oam remote-loopback timeout <1-10>
Sets remote-loopback timeout value on port.
zte(cfg)#set ethernet-oam remote-loopback port <portlist> {start | stop}
Starts or stops OAM remote-loopback function on port.
zte(cfg)#set ethernet-oam org-specific {oui <XX-XX-XX> | time-stamp <1-10>}
Sets the specified content in OAMPDU packet.
zte(cfg)#set ethernet-oam port <portlist> link-monitor {enable | disable}
Enables or disables link monitor function.
zte(cfg)#set ethernet-oam port <portlist> link-monitor symbol-period threshold <1-65535> window <1-65535>
Sets the symbol period event which is used for link monitor.
zte(cfg)#set ethernet-oam port <portlist> link-monitor frame threshold <1-65535> window <1-60>
Sets the error frame.
zte(cfg)#set ethernet-oam port <portlist> link-monitor frame-period threshold <1-65535> window <1-600000>
Sets the period of error frame.
zte(cfg)#set ethernet-oam port <portlist> link-monitor frame-seconds threshold <1-900> window <10-900>
Sets error frame summary.
show ethernet-oam (all configuration modes)
Displays OAM global configuration information.
show ethernet-oam port (all configuration modes)
Displays OAM port summary information.
show ethernet-oam port <portlist> discovery (all configuration modes)
Displays port OAM discovery state.
show ethernet-oam port <portlist> statistics (all configuration modes)
Displays port OAM statistics information.
show ethernet-oam port <portlist> link-monitor (all configuration modes)
Displays port OAM link event configuration and state.
OAM Remote Loopback Configuration Instance
- Configuration Description
OAM remote loopback is used to locate failures and examine the link performance. The function is based on OAM discovery. As shown in Figure 5-45, the user logs in to switch A through the console port and configures OAM. Enable OAM and the port remote loopback of the other end. When remote switch B is in OAM remote loopback mode, the statistics of the local and remote switches can be queried and compared at any time. OAM loopback frames can be analyzed to obtain additional information about link health (frame discard due to link failure).
Figure 5-45 Remote Loop Network
- Configuration Procedure
1. Configuration of switch A:
zte(cfg)#set ethernet-oam en
zte(cfg)#set ethernet-oam port 1 en
2. Configuration of switch B:
zte(cfg)#set ethernet-oam enable
zte(cfg)#set ethernet-oam port 2 enable
zte(cfg)#show Ethernet-oam port 2 discovery
PortId 2: ethernet oam enabled
Local DTE /*the local device information*/
-----------
Config:
Mode : active
/*the port mode must be active, or discovery fails*/
Period : 10*100(ms)
Link TimeOut : 5(s)
Unidirection : nonsupport
PDU max size : 1518
Status:
Parser : forward
Multiplexer : forward
Stable : yes
/*yes represents that discovery succeeds. no represents discovery fails.*/
Discovery : done
/*discovery succeeds. "undone" represents that discovery fails*/
Loopback : off
PDU Revision : 92
Remote DTE /*the remote device information*/
-----------
Config:
Mode : active
Link Monitor : support
Unidirection : nonsupport
Remote Loopback : support
Mib Retrieval : nonsupport
PDU max size : 1518
Status:
Parser : forward
Multiplexer : forward
Stable : yes
Mac Address : 00.d0.d0.29.28.02
/*the system MAC of the remote device.
The MAC address is 00.00.00.00.00.00 when discovery fails.*/
PDU Revision : 967
zte(cfg)#set ethernet-oam remote-loopback port 2 start
zte(cfg)#show ethernet-oam port 2 discovery
PortId 2: ethernet oam enabled
Local DTE
-----------
Config:
Mode : active
Period : 10*100(ms)
Link TimeOut : 5(s)
Unidirection : nonsupport
PDU max size : 1518
Status:
Parser : discard /*the parser state is discard*/
Multiplexer : forward
Stable : yes
Discovery : done
Loopback : on(Master)
/*the local is the active originator (Master).
The other end displays as slave.*/
PDU Revision : 1431
Remote DTE
-----------
Config:
Mode : active
Link Monitor : support
Unidirection : nonsupport
Remote Loopback : support
Mib Retrieval : nonsupport
PDU max size : 1518
Status:
Parser : loopback /*the parser state is loopback*/
Multiplexer : discard /*the multiplexer state is discard*/
Stable : yes
Mac Address : 00.d0.d0.29.28.02
PDU Revision : 28
zte(cfg)#set ethernet-oam remote-loopback port 2 stop
/*disable OAM remote-loopback on port2.
The switch replies OAM discovery success.*/
Key points of configuration:
The switch gives the following prompts when OAM discovery fails, or when remote loopback is started or stopped.
When OAM discovery completes successfully on port 2, the following information appears.
SAT JUL 03 23:30:00 2004 ETH-OAM port 2's discovery process is successful.
When the network cable between the switches is disconnected, the following information appears.
SAT JUL 03 23:33:00 2004 ETH-OAM port 2 deteced
a fault in the local receive direction.
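The fields annotated in the listings above (Discovery, Stable, Loopback, Parser, Multiplexer, Mac Address) are enough to check a port's OAM state automatically, for example to find a port that was left in remote loopback after a test. The following Python code is an added example, not ZTE code: the function names are hypothetical, LOOPBACK_SAMPLE reproduces the second listing above without its annotations, and FAILED_SAMPLE is constructed from the failure values the annotations name (undone, no, 00.00.00.00.00.00).

```python
import re

ZERO_MAC = "00.00.00.00.00.00"   # remote MAC shown when discovery fails

LOOPBACK_SAMPLE = """\
PortId 2: ethernet oam enabled
Local DTE
-----------
Config:
Mode : active
Period : 10*100(ms)
Link TimeOut : 5(s)
Unidirection : nonsupport
PDU max size : 1518
Status:
Parser : discard /*the parser state is discard*/
Multiplexer : forward
Stable : yes
Discovery : done
Loopback : on(Master)
PDU Revision : 1431
Remote DTE
-----------
Config:
Mode : active
Link Monitor : support
Remote Loopback : support
Status:
Parser : loopback
Multiplexer : discard
Stable : yes
Mac Address : 00.d0.d0.29.28.02
PDU Revision : 28
"""

# Constructed sample of a port on which discovery has not completed.
FAILED_SAMPLE = """\
PortId 3: ethernet oam enabled
Local DTE
-----------
Config:
Mode : active
Status:
Stable : no
Discovery : undone
Loopback : off
Remote DTE
-----------
Status:
Mac Address : 00.00.00.00.00.00
"""


def parse_discovery(text):
    """Parse 'show ethernet-oam port <n> discovery' output into nested dicts."""
    result = {"port": None, "oam": None, "local": {}, "remote": {}}
    side = None
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop the guide's annotations
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if m := re.match(r"PortId (\d+): ethernet oam (\w+)", line):
            result["port"], result["oam"] = int(m.group(1)), m.group(2)
        elif line.startswith("Local DTE"):
            side = "local"
        elif line.startswith("Remote DTE"):
            side = "remote"
        elif side and ":" in line and not line.endswith(":"):
            key, value = (part.strip() for part in line.split(":", 1))
            result[side][key] = value     # "Config:"/"Status:" headers are skipped
    return result


def assess(info):
    """Return findings for one port, using the fields the guide explains."""
    local, remote = info["local"], info["remote"]
    findings = []
    if info["oam"] != "enabled":
        findings.append("OAM not enabled on port")
    if local.get("Discovery") != "done" or local.get("Stable") != "yes":
        findings.append("discovery not complete")
    if remote.get("Mac Address", ZERO_MAC) == ZERO_MAC:
        findings.append("no remote DTE learned")
    if local.get("Loopback", "off").startswith("on"):
        role = local["Loopback"][2:].strip("()") or "unknown"
        findings.append(f"remote loopback active (local role: {role}); "
                        f"local parser={local.get('Parser')}, "
                        f"remote multiplexer={remote.get('Multiplexer')}")
    return findings


if __name__ == "__main__":
    for sample in (LOOPBACK_SAMPLE, FAILED_SAMPLE):
        info = parse_discovery(sample)
        print(info["port"], assess(info))
```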
OAM Link Control Event Configuration Instance
- Configuration Description
The OAM link monitor function notifies the local device of abnormal frames detected at the link receiver. The function is based on OAM discovery. As shown in Figure 5-46, the user logs in to switch A through the console port and configures OAM. Enable OAM and port link monitoring on switch B. Errored frames and errored symbols can then be detected and reported to the local switch A.
Figure 5-46 Link Control Network
- Configuration Procedure
1. Configuration of switch A:
zte(cfg)#set ethernet-oam enable
zte(cfg)#set ethernet-oam port 2 enable
2. Configuration of switch B:
zte(cfg)#set ethernet-oam enable
zte(cfg)#set ethernet-oam port 1 enable
zte(cfg)#set ethernet-oam port 1 link-monitor enable
zte(cfg)#set ethernet-oam port 1 lin symbol-period threshold 10 window 10
zte(cfg)#set ethernet-oam port 1 lin frame threshold 10 window 20
zte(cfg)#set ethernet-oam port 1 link-monitor frame-period threshold 5 window 1000
zte(cfg)#set ethernet-oam port 1 link-monitor frame-seconds threshold 10 window 30
zte(cfg)#show eth port 1 link-monitor
Link Monitoring of Port: 1 enabled
Errored Symbol Period Event:
Symbol Window : 10(million symbols)
Errored Symbol Threshold : 10
Total Errored Symbols : 0
Local Total Errored Events : 0
Remote Total Errored Events : 0
Errored Frame Event:
Period Window : 20(s)
Errored Frame Threshold : 10
Total Errored Frames : 0
Local Total Errored Events : 0
Remote Total Errored Events : 0
Errored Frame Period Event:
Frame Window : 1000(ten thousand frames)
Errored Frame Threshold : 5
Total Errored Frames : 0
Local Total Errored Events : 0
Remote Total Errored Events : 0
Errored Frame Seconds Event:
Errored Seconds Window : 30(s)
Errored Seconds Threshold : 10(s)
Total Errored Frame Seconds : 0(s)
Local Total Errored Frame Seconds Events : 0
Remote Total Errored Frame Seconds Events : 0
5.34 sFlow Configuration
The sFlow configuration includes the following commands:
Command
    Function
zte(cfg)#set sflow agent-address <A.B.C.D> [udp-port <1-65535>]
    Sets the IP address of an sFlow agent.
zte(cfg)#set sflow collector-address <A.B.C.D> [udp-port <1-65535>]
    Sets the IP address of an sFlow collector.
zte(cfg)#set sflow version <number>
    Sets the format version of sFlow sampling packets.
zte(cfg)#set sflow {ingress | egress} {enable | disable}
    Enables or disables the sFlow function on an ingress or an egress.
zte(cfg)#set sflow {ingress | egress} reload-mode {continue | cpu}
    Sets the reloading mode on an sFlow ingress or egress.
zte(cfg)#set sflow ingress sample-mode {all | forward}
    Sets the sampling mode on an sFlow ingress or egress.
zte(cfg)#set sflow {ingress | egress} port <portlist> packet-sample off
    Disables port-based sFlow sampling.
zte(cfg)#set sflow {ingress | egress} port <portlist> packet-sample on frequency <2-16000000> [time-range <word>]
    Enables port-based sFlow sampling or associates with a time range.
zte(cfg)#clear sflow config [{agent | collector}]
    Clears sFlow configuration on ports.
zte(cfg)#clear sflow statistic
    Clears statistics information on ports.
show sflow (all configuration modes)
    Displays all sFlow configuration.
5.35 PP Configuration
PP Overview
Protocol Protect (PP) maintains and monitors the rate of packets forwarded to the CPU, thus protecting the switch against viruses and malicious attacks. In this way, the switch provides self-protection ability and ensures network security.
PP takes the following measures: limiting the rates of related services, filtering unsuitable packets, sending alarms when packets are sent at an abnormal rate, and reminding the NMS that there may be packets attacking the CPU.
To enhance flexibility and compatibility of the switch, PP provides the function of configuring priority users for the protocol packets sent by the switch.
Configuring PP
The PP configuration includes the following commands:
Command
    Function
zte(cfg)#create protocol-protect mac-drop rule <1-128> src-mac <HH.HH.HH.HH.HH.HH> mask <HH.HH.HH.HH.HH.HH>
    Creates a mac drop rule.
zte(cfg)#set protocol-protect alarm port <portlist> {enable | disable}
    Enables or disables the PP alarm function on a port.
zte(cfg)#set protocol-protect alarm port <portlist> {protocol-name} <0-18000>
    Sets the PP 30-second protocol alarm threshold.
zte(cfg)#set protocol-protect limit {group-name} <0-800>
    Sets the rate limit of sending packets to the CPU.
zte(cfg)#set protocol-protect priority {protocol-name|all} {<0-7>|default}
    Sets PP protocol priority.
zte(cfg)#set protocol-protect mac-drop {disable | enable}
    Enables the mac drop function.
zte(cfg)#set protocol-protect mac-drop rule <1-128> bind port <portlist>
    Binds the mac drop rule with the port.
zte(cfg)#clear protocol-protect mac-drop counter [port <portlist>]
    Clears the number of messages dropped by the mac drop function.
zte(cfg)#clear protocol-protect mac-drop port <portlist> [rule <1-128>]
    Clears the mac drop rules for specified or all ports.
zte(cfg)#clear protocol-protect mac-drop rule [<1-128>]
    Clears specified mac drop rules.
show protocol-protect statistic [port <portlist>] (all configuration modes)
    Displays statistics information of protocol packet alarms on a PP port.
show protocol-protect limit (all configuration modes)
    Displays PP rate limit information.
show protocol-protect priority (all configuration modes)
    Displays packet priority configuration information.
show protocol-protect mac-drop port [<portlist>] (all configuration modes)
    Displays the rules and statistics bound with a specified port.
show protocol-protect mac-drop rule [<1-128>] (all configuration modes)
    Displays specified mac drop rules.
PP Configuration Instance
- Configuration Description
As shown in Figure 5-47, Host 1 sends DHCP attack packets. Users can view the device operating status and alarm information. Users can also view the IGMP operating status under DHCP packet attacks. The router sends IGMP query packets periodically.
Figure 5-47 PP Configuration Instance
- Configuration Procedure
zte(cfg)#set igmp snooping enable
zte(cfg)#set igmp snooping add vlan 1
zte(cfg)#set dhcp snooping-and-option82 enable
zte(cfg)#set dhcp snooping add port 1-3
- Configuration Verification
Use Host 1 to send DHCP Discover packets. View alarm information on the switch.
Thu Jul 1 17:53:18 2004 Receive too many packets of 'dhcp' from port 1
Use Host 2 to request joining the multicast group 225.0.0.1. View the multicast entity on the device.
zte(cfg)#show igmp snooping vlan
Maximal group number: 1024
Current group number: 1
Num VlanId Group Last_Report PortMember
---- ------- --------------- --------------- -------------------
1 1 225.0.0.1 10.40.1.10 2-3
5.36 LLDP Configuration
LLDP Overview
The Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1AB. This protocol allows neighboring devices to send messages to each other to update physical topology information and establish Management Information Bases (MIBs). The LLDP workflow is described below:
1. The local device sends its link and management information to a neighbor device.
2. The local device receives the network management information of a neighbor device.
3. The MIB of the local device stores the network management information of all neighbor devices, and a network management program can query layer-2 connection information in the MIB.
LLDP is not a configuration protocol for the remote system, nor a signaling control protocol used between two ports. LLDP discovers layer-2 protocol configuration conflicts between neighbor devices, but it only reports the problem to an upper-layer network management device, without providing any mechanism to solve the problem.
LLDP is simply a neighbor discovery protocol that defines a standard for network devices (such as switches, routers, and WLAN access points) in the Ethernet to advertise their identities to other nodes in the network and store discovery information of all neighbor devices. For example, device configuration and device IDs can be advertised by LLDP.
LLDP defines a universal advertisement information set, a protocol for sending the advertisement information, and a method for storing the received advertisement information. A device that wants to advertise its information can place multiple pieces of advertisement information into a Link Layer Discovery Protocol Data Unit (LLDPDU). The LLDPDU contains variable-length message units called TLVs, whose fields are described below:
- Type: indicates the type of the message to be sent.
- Length: indicates the number of bytes in the message.
- Value: indicates the contents to be sent.
Each LLDPDU contains four mandatory TLVs and one optional TLV:
- Chassis ID TLV and Port ID TLV: identify the sender.
- TTL TLV: notifies the receiver of the storage period of a message. If the receiver does not receive any update message within the specified period, the receiver discards all the related messages. A recommended update frequency is defined by the IEEE, that is, to send messages at 30-second intervals.
- Optional TLVs: include a basic management TLV set (such as the port description TLV), a special TLV set defined by IEEE 802.1, a special TLV set defined by IEEE 802.3, and an LLDP-MED TLV set defined by TIA.
- End of LLDPDU TLV: indicates the end of an LLDPDU.
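The TLV layout described above can be checked with a small parser. This is an added example, not code from ZTE or from this guide: it walks an LLDPDU, rejects truncated or mis-ordered frames (LLDP frames arrive unauthenticated from whatever is plugged into the port), and extracts the fields a neighbor table keeps. The numeric TLV type and subtype codes and the 7-bit type / 9-bit length header come from IEEE 802.1AB, and the sample frame is constructed from the values in the guide's "show lldp entry" output.

```python
import struct

# TLV type and subtype numbers come from IEEE 802.1AB; the guide names the
# TLVs but does not list their numeric codes.
END, CHASSIS_ID, PORT_ID, TTL, SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC = 4
PORT_SUBTYPE_IFNAME = 5


class LLDPError(ValueError):
    """The LLDPDU is truncated or breaks the mandatory TLV layout."""


def make_tlv(tlv_type, value=b""):
    """Encode one TLV: 7-bit type and 9-bit length share a 2-byte header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise LLDPError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def split_tlvs(payload):
    """Return [(type, value), ...] up to and including the End of LLDPDU TLV."""
    tlvs, offset = [], 0
    while offset + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(payload):
            raise LLDPError(f"TLV type {tlv_type} claims {length} bytes past the end")
        tlvs.append((tlv_type, payload[offset:offset + length]))
        offset += length
        if tlv_type == END:
            if length != 0:
                raise LLDPError("End of LLDPDU TLV must be empty")
            return tlvs  # anything after End is Ethernet padding
    raise LLDPError("no End of LLDPDU TLV before the frame ran out")


def parse_neighbor(payload):
    """Validate the mandatory TLVs and return the fields a neighbor table keeps."""
    tlvs = split_tlvs(payload)
    types = [tlv_type for tlv_type, _ in tlvs]
    if types[:3] != [CHASSIS_ID, PORT_ID, TTL]:
        raise LLDPError("Chassis ID, Port ID and TTL must come first, in that order")
    if any(types.count(t) != 1 for t in (CHASSIS_ID, PORT_ID, TTL)):
        raise LLDPError("a mandatory TLV is repeated")
    chassis, port, ttl = (value for _, value in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise LLDPError("mandatory TLV has an invalid length")

    neighbor = {"ttl": struct.unpack("!H", ttl)[0]}
    if chassis[0] == CHASSIS_SUBTYPE_MAC and len(chassis) == 7:
        # Dotted notation as printed by the switch in "show lldp entry".
        neighbor["chassis_id"] = ".".join(f"{b:02x}" for b in chassis[1:])
    else:
        neighbor["chassis_id"] = chassis[1:].hex()
    if port[0] == PORT_SUBTYPE_IFNAME:
        neighbor["port_id"] = port[1:].decode("ascii", errors="replace")
    else:
        neighbor["port_id"] = port[1:].hex()
    for tlv_type, value in tlvs[3:]:
        if tlv_type == SYSTEM_NAME:
            neighbor["system_name"] = value.decode("utf-8", errors="replace")
    return neighbor


# Constructed LLDPDU carrying the values shown in the guide's "show lldp entry" output.
SAMPLE_LLDPDU = b"".join([
    make_tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("005543333359")),
    make_tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + b"port-1/48"),
    make_tlv(TTL, struct.pack("!H", 102)),
    make_tlv(SYSTEM_NAME, b"52PM"),
    make_tlv(END),
]) + b"\x00" * 8  # trailing padding, ignored by the parser

if __name__ == "__main__":
    print(parse_neighbor(SAMPLE_LLDPDU))
```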
Configuring LLDP
The LLDP configuration includes the following commands:
Command
    Function
zte(cfg)#lldp hellotime <5-32768>
    Sets the interval for sending LLDP neighbor discovery messages.
zte(cfg)#lldp holdtime <2-10>
    Sets the LLDP neighbor holding time.
zte(cfg)#lldp max-neighbor <1-31>
    Sets the maximum number of neighbors that can be discovered by LLDP.
zte(cfg)#lldp port <portlist> {enable | disable}
    Enables or disables all LLDP functions on a specific port.
zte(cfg)#lldp port <portlist> {txenable | txdisable}
    Enables or disables the LLDP sending function on a specific port.
zte(cfg)#lldp port <portlist> {rxenable | rxdisable}
    Enables or disables the LLDP receiving function on a specific port.
zte(cfg)#lldp port <portlist> med-tlv-select {capabilities-tlv | extended-power-tlv | inventory-tlv | location-tlv | network-policy-tlv} {enable | disable}
    Sets the optional MED TLV type sent on a port.
zte(cfg)#lldp port <portlist> max-neighbor <1-8>
    Sets the maximum number of neighbors that can be discovered on a specific LLDP port.
zte(cfg)#clear lldp neighbor port <portlist>
    Clears LLDP neighbors with whom neighbor relationships have been established.
zte(cfg)#clear lldp statistic port <portlist>
    Clears statistics information of LLDP neighbors.
show lldp config port <portlist> (all configuration modes)
    Displays LLDP configuration information.
show lldp neighbor port <portlist> (all configuration modes)
    Displays summary information of LLDP neighbors.
show lldp entry port <portlist> (all configuration modes)
    Displays detailed information of LLDP neighbors.
show lldp statistic port <portlist> (all configuration modes)
    Displays statistics information of LLDP neighbors.
LLDP Configuration Instance
- Configuration Description
As shown in Figure 5-48, two switches are connected to each other through a twisted-pair cable. By default, the LLDP function is enabled, and all parameters use the default values. Use the show command to view neighbor establishment information.
Figure 5-48 LLDP Configuration Instance
- Configuration Verification
zte(cfg)#show lldp neighbor
Capability Codes:
P-Repeater, B-Bridge, W-WLAN Access Point, R-Router, T-Telephone
C-DOCSIS Cable Device, s-Station, S-Switch, O-Other
Interface DeviceID Hdtm Capability Platform PortID
---------- ----------------- ----- ---------- ------------------ --------------
port-19 00.d0.d0.09.29.18 110 B S ZXR10 2918E-PS port-9
Version V2.05.11B06
zte(cfg)#show lldp entry
--------------------------------------------------------
Local Port:port-1/1
Chassis ID:00.55.43.33.33.59 (MAC Address)
Port ID :port-1/48 (Interface Name)
TTL ID :102 (Time to live)
Port Description :port-1/48 status is up,media-type is 1000BaseT,pvid is 4094.
System Name :52PM
System Description:ZXR10 2918E-PS Version V2.05.11B06
System Capability :Bridge, Switch
Management Address:IPv4 - 192.168.100.100, ifIndex - 63, OID - Null
5.37 Single Port Loop Detection Configuration
Single Port Loop Detection Overview
Single port loop detection checks whether a loop exists on a port of the switch. Such a loop may cause errors in MAC address learning and can easily cause a broadcast storm. In severe cases, the switch and the network may go down. Enabling single port loop detection and disabling the looped port effectively avoids the impact of a port loop.
The switch sends a test packet through a port. If this test packet is received through the port without any change (or with only a tag attached), a loop exists on this port.
The test packet sent by the switch includes the following three parameters:
- Source MAC address: It indicates the MAC address of the switch. The MAC address of each switch is unique.
- Port Number: Port numbers correspond to the numbers of the ports on the switch one by one.
- Discrimination Field: For each switch, the digital signature of each port is different.
When all three parameters in the received test packet are the same as those in the sent test packet, a loop definitely exists on this port.
Configuring Single Port Loop Detection
The configuration of single port loop detection includes the following contents:
Command
    Function
zte(cfg)#set loopdetect sendpktinterval <5-60>
    Sets the interval for sending loop detection packet.
zte(cfg)#set loopdetect blockdelay <1-1080>
    Sets interval for blocking port with loop.
zte(cfg)#set loopdetect port <portlist> {enable|disable}
    Enables or disables loop detection on a port.
zte(cfg)#set loopdetect port <portlist> vlan <vlanlist> {enable|disable}
    Enables or disables loop detection on a port in a specific VLAN.
zte(cfg)#set loopdetect port <portlist> protect {enable | disable}
    Enables or disables port protection when a loop occurs on a port.
zte(cfg)#set loopdetect extend port <portlist> {enable | disable}
    Enables or disables cross-device loop detection on a port.
zte(cfg)#set loopdetect trunk <trunklist> {enable|disable}
    Enables or disables loop detection on a trunk port.
zte(cfg)#set loopdetect trunk <trunklist> vlan <vlanlist> {enable|disable}
    Enables or disables loop detection on a trunk port in a specific VLAN.
zte(cfg)#set loopdetect trunk <trunklist> protect {enable | disable}
    Enables or disables trunk port protection when a loop occurs on a trunk port.
zte(cfg)#set loopdetect extend trunk <trunklist> {enable | disable}
    Enables or disables cross-device loop detection on a trunk port.
show loopdetect (all configuration modes)
    Displays loop detection information.
show loopdetect port [<portlist>] (all configuration modes)
    Displays port information of loop detection.
show loopdetect trunk [<trunklist>] (all configuration modes)
    Displays trunk information of loop detection.
zte(cfg)#clear loopdetect
    Clears loop detection configuration information.
Single Port Loop Detection Configuration Instance
- Configuration Description
As shown in Figure 5-49, configure the single port loop detection function so that Port 1 on Switch 1 can detect the loop on Switch 2 and block Port 1.
Figure 5-49 Single Port Loop Detection Configuration Topology
- Configuration Procedure
zte(cfg)#set loopdetect port 1 enable
- Configuration Verification
Check the loop detection state of Switch 2:
zte(cfg)#show loopdetect
The block-delay of loopdetect : 5 (min)
The packet interval of loopdetect : 15 (sec)
PortId isUp isStp isProtect isExtend loopVlanNum loopType
------ ---- ----- --------- -------- ----------- ---------
1 Up No Yes No 1 Port
zte(cfg)#show loopdetect port 1
PortId : 1
VlanId isLoop isBlock
------ ------ -------
1 Yes Yes
Double Ports Loop Detection Configuration Instance
- Configuration Description
As shown in Figure 5-50, configure the double ports loop detection function on switch2 to suppress broadcast storms in the network under switch2.
Figure 5-50 Double Ports Loop Detection Configuration Topology
- Configuration Procedure
Switch2(cfg)#set loopdetect port 1,2 enable
Switch2(cfg)#set loopdetect extend port 1 enable
- Configuration Verification
Check the loop detection state of switch2.
Switch2(cfg)#show loopdetect
The block-delay of loopdetect : 5 (min)
The packet interval of loopdetect : 15 (sec)
PortId isUp isStp isProtect isExtend loopVlanNum loopType
------ ---- ----- --------- -------- ----------- ---------
1 Up No Yes Yes 1 Port
2 Up No Yes No 0 Port
5.38 UDLD Configuration
UDLD Overview
UniDirectional Link Detection (UDLD) is a Layer 2 logical link detection protocol. It can detect logical connectivity of Ethernet links and verify physical connectivity. Different from physical connectivity detection, UDLD is neighbor-based detection. Layer 1 devices are transparent for UDLD.
UDLD needs to establish a neighbor relationship between Layer 2 devices first. A port supports a maximum of 12 neighbors. When the UDLD function is enabled on an Ethernet port whose status is up, the port sends a Probe message inviting a neighbor device to join. The UDLD-enabled port on the neighbor device receives the Probe message and sends an Echo message. If the port receives the Echo message, the connection between the devices works properly in both directions in the view of the local device, and the neighbor relationship with the peer device is established on the local device. The local device then sends an Echo message. After the peer device receives the Echo message, the neighbor relationship is established between the devices.
After the neighbor relationship is established, the devices send Hello messages periodically to detect whether the link is operating properly. When receiving a Hello message from the neighbor, a device updates the neighbor information saved locally and resets the time-out period of the neighbor. If the device does not receive a Hello message before the time-out period expires, it is considered that a fault has occurred on the neighbor, and the neighbor is aged. If the last neighbor is deleted due to aging, it is considered that the link is not in normal operating state. The problem is then handled according to the working mode.
There are two UDLD working modes: normal mode and aggressive mode.
- In normal mode, the port is shut down only when the device receives a protocol message confirming that the link is connected incorrectly. If the device does not receive the related message or cannot confirm that the link is working properly in one direction, the device does not operate the port.
- In aggressive mode, if the device cannot confirm that the link is working properly in both directions (for example, the link is connected incorrectly, the link is working properly only in one direction, or the link is a self-loop), the port is shut down. It is necessary to use the reset or recovery command to recover the communication ability of the port.
UDLD shuts down a port in the following situations.
- In both modes, when an Echo message is sent, the device detects that the neighbor of the peer port is not the device itself during the final neighbor detection.
- In aggressive mode, the status becomes PROBE because the last neighbor is aged, and multiple Probe messages are sent continuously without any response.
- In aggressive mode, the port receives the UDLD message sent by itself and there is a self-loop.
To prevent a neighbor from being aged by mistake, a local device sends Flush messages on its own initiative to the port on which the UDLD function is enabled in the following situations.
- The port is down administratively.
- UDLD is down on the port.
- The device is restarted.
Configuring UDLD
The UDLD configuration includes the following commands:
Command
    Function
zte(cfg)#udld port <portlist> {enable|disable}
    Enables or disables UDLD on a port.
zte(cfg)#udld port <portlist> mode {aggressive | normal}
    Sets the mode of a port in UDLD.
zte(cfg)#udld port <portlist> message timer <7-90>
    Sets the interval of sending messages after UDLD enters the BiDirectional status and the port is steady.
zte(cfg)#udld port <portlist> recovery {enable | disable}
    Enables or disables the UDLD recovery function.
zte(cfg)#udld port <portlist> recovery timer <10-600>
    Sets the recovery interval.
zte(cfg)#udld port <portlist> reset
    Recovers the link establishment function on a port manually.
zte(cfg)#udld <portlist> force-check {enable | disable}
    Enables or disables the forced monologue detection function.
zte(cfg)#udld <portlist> force-check timer <15-300>
    Sets the forced monologue detection period.
show udld (all configuration modes)
    Displays UDLD configuration on all ports.
show udld port [<portlist>] (all configuration modes)
    Displays port configuration, status and detailed neighbor information.
UDLD Configuration Instance
- Configuration Description
As shown in Figure 5-51, the switch is required to detect the connection error, send alarm information, and shut down the ports.
Figure 5-51 UDLD Configuration Instance
- Configuration Procedure
zteA(cfg)#udld port 17,18 enable
zteB(cfg)#udld port 17,18 enable
- Configuration Verification
Thu Jul 1 16:07:09 2004 Udld Port : 17 link failure
Thu Jul 1 16:07:09 2004 Udld Port : 18 link failure
Thu Jul 1 16:07:10 2004 Port : 17 linkdown
Thu Jul 1 16:07:10 2004 Host Topology changed
Thu Jul 1 16:07:10 2004 Port : 18 linkdown
Thu Jul 1 16:07:10 2004 Host Topology changed
zteA(cfg)#show udld port 17
Port 17
Administrative configuration: Enable
Port mode: Aggressive(Aggr)
Current state: Unidirectional - Detected link failure
Recovery configuration: Disable
Recovery time interval: 30s
Message time interval: 15s
Force check configuration: Disable
Force check time: 30s, Remaining: 0s
No neighbour information stored
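The alarm lines in the PP verification step (section 5.35) and the UDLD verification step above can be consumed by a log collector. This is an added example, not ZTE code: it parses the switch's log line format, counts PP alarms per port and protocol, and separates link-down events that follow a UDLD failure on the same port from other link-down events. The sample lines are constructed in the formats printed in this guide; the 5-second correlation window and the three-alarm threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

MONTHS = {name: number for number, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# "Thu Jul 1 16:07:09 2004 <message>"; the OAM lines use upper case ("SAT JUL 03").
LINE = re.compile(
    r"^\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+(?P<year>\d{4})\s+(?P<msg>.+)$")

# Message patterns taken from the alarm lines printed in this guide.
PATTERNS = [
    ("pp_alarm", re.compile(
        r"Receive too many packets of '(?P<protocol>[^']+)' from port (?P<port>\d+)")),
    ("udld_failure", re.compile(r"Udld Port : (?P<port>\d+) link failure")),
    ("linkdown", re.compile(r"^Port : (?P<port>\d+) linkdown")),
    ("oam_fault", re.compile(r"ETH-OAM port (?P<port>\d+) dete\w+ a fault")),
]


def parse_line(line):
    """Return an event dict for a recognised alarm line, else None."""
    m = LINE.match(line.strip())
    if not m or m["mon"].lower() not in MONTHS:
        return None
    try:
        when = datetime(int(m["year"]), MONTHS[m["mon"].lower()], int(m["day"]),
                        int(m["h"]), int(m["m"]), int(m["s"]))
    except ValueError:  # impossible date or time in a damaged line
        return None
    for kind, pattern in PATTERNS:
        hit = pattern.search(m["msg"])
        if hit:
            event = {"time": when, "kind": kind, "port": int(hit["port"])}
            event.update({k: v for k, v in hit.groupdict().items() if k != "port"})
            return event
    return None


def summarize(lines, window=timedelta(seconds=5), pp_threshold=3):
    """Correlate alarms: PP counts, UDLD-driven shutdowns, other link-downs."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["time"])
    pp_alarms, last_udld = Counter(), {}
    udld_shutdowns, other_linkdowns, oam_faults = [], [], []
    for e in events:
        if e["kind"] == "pp_alarm":
            pp_alarms[(e["port"], e["protocol"])] += 1
        elif e["kind"] == "udld_failure":
            last_udld[e["port"]] = e["time"]
        elif e["kind"] == "linkdown":
            seen = last_udld.get(e["port"])
            if seen is not None and e["time"] - seen <= window:
                udld_shutdowns.append(e["port"])
            else:
                other_linkdowns.append(e["port"])
        elif e["kind"] == "oam_fault":
            oam_faults.append(e["port"])
    return {
        "pp_alarms": dict(pp_alarms),
        # A source that keeps tripping the alarm is worth a mac-drop rule or a port check.
        "sustained_pp": sorted(k for k, n in pp_alarms.items() if n >= pp_threshold),
        "udld_shutdowns": udld_shutdowns,
        "other_linkdowns": other_linkdowns,
        "oam_faults": oam_faults,
    }


# Constructed sample in the formats shown in this guide.
SAMPLE_LOG = """\
Thu Jul 1 17:53:18 2004 Receive too many packets of 'dhcp' from port 1
Thu Jul 1 17:53:48 2004 Receive too many packets of 'dhcp' from port 1
Thu Jul 1 17:54:18 2004 Receive too many packets of 'dhcp' from port 1
Thu Jul 1 17:54:20 2004 Receive too many packets of 'dhcp' from port 2
Thu Jul 1 16:07:09 2004 Udld Port : 17 link failure
Thu Jul 1 16:07:09 2004 Udld Port : 18 link failure
Thu Jul 1 16:07:10 2004 Port : 17 linkdown
Thu Jul 1 16:07:10 2004 Host Topology changed
Thu Jul 1 16:07:10 2004 Port : 18 linkdown
Thu Jul 1 16:09:00 2004 Port : 5 linkdown
SAT JUL 03 23:33:00 2004 ETH-OAM port 2 deteced a fault in the local receive direction.
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```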
5.39 TACACS+ Configuration
TACACS+ Overview
Terminal Access Controller Access-Control System Plus (TACACS+) is developed from TACACS and XTACACS. It is the latest version of TACACS (not compatible with the previous two versions). It is a popular AAA protocol at present.
TACACS+ supports separate authentication, authorization, and accounting. Different TACACS+ servers can act respectively as the authentication, authorization, and accounting servers.
Configuring TACACS+
The TACACS+ configuration includes the following commands:
Command
    Function
zte(cfg-nas)#tacacs-plus group <group-name> {enable|disable}
    Enables or disables a server group.
zte(cfg-nas)#tacacs-plus group <group-name> {add|delete} host <A.B.C.D> [<49,1025-65535>|<4-180>|<string>]
    Adds or deletes a server in/from a TACACS+ server group.
zte(cfg-nas)#tacacs-plus loginauthen default group <group-name>
    Sets the default TACACS+ login authentication server group.
zte(cfg-nas)#tacacs-plus loginauthor default group <group-name>
    Sets the default server group authorized for TACACS+ login.
zte(cfg-nas)#tacacs-plus adminauthen default group <group-name>
    Sets the default server group authenticated for TACACS+ management.
zte(cfg-nas)#tacacs-plus accounting commands default group <group-name>
    Sets the default server group for TACACS+ MML accounting.
zte(cfg-nas)#tacacs-plus accounting exec default group <group-name>
    Sets the default server group for TACACS+ user accounting.
zte(cfg-nas)#tacacs-plus accounting update period <1-2147483647>
    Sets the refresh period for TACACS+ user accounting.
zte(cfg-nas)#clear tacacs-plus loginauthen default
    Clears the default TACACS+ login authentication server group.
zte(cfg-nas)#clear tacacs-plus loginauthor default
    Clears the default TACACS+ login authorization server group.
zte(cfg-nas)#clear tacacs-plus adminauthen default
    Clears the default server group authenticated for TACACS+ management.
zte(cfg-nas)#clear tacacs-plus accounting commands default
    Clears the default server group for TACACS+ MML accounting.
zte(cfg-nas)#clear tacacs-plus accounting exec default
    Clears the default server group for TACACS+ user accounting.
zte(cfg-nas)#clear tacacs-plus accounting update
    Clears the refresh period for TACACS+ user accounting.
show tacacs-plus (all configuration modes)
    Displays TACACS+ configuration information.
TACACS+ Configuration Instance
- Configuration Description
As shown in Figure 5-52, the switch works as a TACACS+ client and its IP address is 192.168.1.1/24. The Windows server works as a TACACS+ server and its IP address is 192.168.1.100/24.
Figure 5-52 TACACS+ Configuration Instance
- Configuration Procedure
zte(cfg)#set loginauth tacacs-plus+local
zte(cfg)#set adminauth tacacs-plus+local
zte(cfg)#config router
zte(cfg-router)#set ipport 1 ipaddress 192.168.1.1 255.255.255.0
zte(cfg-router)#set ipport 1 vlan 1
zte(cfg-router)#set ipport 1 enable
zte(cfg-router)#exit
zte(cfg)#config nas
zte(cfg-nas)#tacacs-plus group zte enable
zte(cfg-nas)#tacacs-plus group zte add host 192.168.1.100
zte(cfg-nas)#tacacs-plus loginauthen default group zte
zte(cfg-nas)#tacacs-plus loginauthor default group zte
zte(cfg-nas)#tacacs-plus adminauthen default group zte
zte(cfg-nas)#tacacs-plus accounting commands default group zte
zte(cfg-nas)#tacacs-plus accounting exec default group zte
zte(cfg-nas)#tacacs-plus accounting update period 10
5.40 Time Range Configuration
Time Range Overview
The time range configuration covers the following cases.
- Configure a time range for each day: Specify the exact start time and end time. If the start time and the end time are not configured, the time range is a full day.
- Configure a period: Specify the period to be a certain day of a week.
- Configure a date range: Specify the start date and end date. If the start date and the end date are not configured, the start date is the day when the configuration takes effect and the end date is the day when the configuration becomes invalid.
Configuring a Time Range
The time range configuration includes the following commands:
Command
    Function
zte(cfg)#set time-range <word> period <hh:mm> to <hh:mm> {daily | day-off | day-working | monday | tuesday | wednesday | thursday | friday | saturday | sunday}
    Sets a periodic time range.
zte(cfg)#set time-range <word> absolute <hh:mm> <yyyy-mm-dd> [to <hh:mm> <yyyy-mm-dd>]
    Sets an absolute time range.
zte(cfg)#clear time-range [<word>]
    Clears time range configuration.
show time-range [<word>] (all configuration modes)
    Displays time range configuration.
5.41 Voice VLAN Configuration
Voice VLAN Overview
The Voice VLAN is a VLAN specially allocated for voice data of users. The function provides a voice VLAN and adds the interfaces of voice devices to it. The user can configure the CoS and DSCP for voice data to increase the priority of voice data transmission and ensure the call quality.
Voice data can be added to the voice VLAN in two modes: dynamic mode and manual mode.
In dynamic mode, if the interface fails to be added to or removed from the voice VLAN, the system sends an alarm to notify the user.
To prevent common service packets from occupying the bandwidth of the voice VLAN and to ensure the quality of voice communication, the voice VLAN provides the security mode. The security mode is classified into the strict security mode and the non-strict security mode.
Configuring a Voice VLAN
The voice VLAN configuration includes the following commands:
Command
    Function
zte(cfg)#set vlan voice-vlan port <port-id> ingress-vlan <vlanlist> voice-vlan <1-4094>
    Sets the voice VLAN function on a port.
zte(cfg)#set vlan voice-vlan port <port-id> oui-id <1-32> mac-addr <HH.HH.HH.HH.HH.HH> mac-mask <HH.HH.HH.HH.HH.HH>
    Adds an OUI to a port.
zte(cfg)#set vlan voice-vlan <1-4094> qos-profile <0-127> modify {up|dscp|all}
    Sets to modify either up or dscp or both.
zte(cfg)#set vlan voice-vlan <1-4094> qos-profile disable
    Disables the association between a QoS profile and a voice VLAN.
zte(cfg)#clear vlan voice-vlan port <port-id>
    Clears all voice VLAN information configured on a port.
zte(cfg)#clear vlan voice-vlan port <port-id> oui-id
    Clears all OUIs configured on a port.
zte(cfg)#clear vlan voice-vlan port <port-id> oui-id <1-32>
    Clears a specific OUI configured on a port.
show vlan voice-vlan (all configuration modes)
    Displays voice configuration on all ports.
show vlan voice-vlan port <port-id> (all configuration modes)
    Displays voice configuration on a port.
show vlan voice-vlan default-oui (all configuration modes)
    Displays the default OUI of a device.
show vlan voice-vlan user-table port <port-id> (all configuration modes)
    Displays the user table on a port.
show vlan voice-vlan <vlanlist> qos (all configuration modes)
    Displays voice VLAN QoS configuration.
Voice VLAN Configuration Instance
- Configuration Description
As shown in Figure 5-53, the two IP Phones are in VLAN 10 and VLAN 20, respectively. The voice VLAN is VLAN 100.
Figure 5-53 Voice VLAN Configuration Instance
- Configuration Procedure
zte(cfg)#set vlan 10,20,100 add port 1-3 tag
zte(cfg)#set vlan 10,20,100 enable
zte(cfg)#set vlan voice-vlan port 1 oui-id 1 mac-addr 00.00.01.00.00.01 mac-mask FF.FF.FF.FF.FF.FF
zte(cfg)#set vlan voice-vlan port 2 oui-id 1 mac-addr 00.00.01.00.00.02 mac-mask FF.FF.FF.FF.FF.FF
zte(cfg)#set vlan voice-vlan port 1 ingress-vlan 10 voice-vlan 100
zte(cfg)#set vlan voice-vlan port 2 ingress-vlan 20 voice-vlan 100
- Configuration Verification
zte(cfg)#show vlan voice-vlan
Port Id: 1
Customer Vlan List: 10
Voice-vlan : 100
Oui configed :
oui-id: 1 mac: 00.00.01.00.00.01 mask: FF.FF.FF.FF.FF.FF
Port Id: 2
Customer Vlan List: 20
Voice-vlan : 100
Oui configed :
oui-id: 1 mac: 00.00.01.00.00.02 mask: FF.FF.FF.FF.FF.FF
5.42 802.1ag Configuration
802.1ag Overview
In IEEE 802.1ag, the Connectivity Fault Management (CFM) function checks, isolates, and reports connectivity faults of the virtual bridged LAN. It is used in operators' networks and is also valid for Customer VLAN (C-VLAN) networks.
The network manager plans network services and levels for management and maintenance purposes. The entire network is divided into multiple Management Domains (MDs). For a single management domain, see Figure 5-54.
Figure 5-54 Single Management Domain
In the domain in Figure 5-54, a series of ports are defined on peripheral and internal devices.
• The grey ports on the peripheral devices are service ports connected to the external devices and are therefore named Maintenance association End Points (MEPs).
• The other black ports (including those on intermediate devices) connect internal devices and are therefore named Maintenance Domain Intermediate Points (MIPs).
The management function is implemented through the defined MEPs and MIPs.
A network is divided into a customer domain, a provider domain, and an operator domain. A level from 0 to 7 is designated for each domain. The domain level determines the inclusion relation between domains. A domain with a higher level can include domains with lower levels but not vice versa. Domains with the same level cannot include each other. This means that domains can be tangential (internally or externally) or nested one inside another, but they cannot intersect.
The message types defined in the CFM protocol include:
• Continuity Check Message (CCM): A multicast CFM protocol data unit. It is periodically sent by an MEP to confirm the connectivity of the MEPs in the same MA. An MEP receiving a CCM message does not reply to this message.
• Link Trace Message (LTM): A multicast CFM protocol data unit. It is sent by an MEP to trace the path from the MEP to the MP. Each MP along the path generates an LTR as a response. This continues until the message reaches the destination or cannot be forwarded further.
• Link Trace Reply (LTR): A unicast CFM protocol data unit. It is sent by the MP receiving an LTM to reply to the LTM.
• Loopback Message (LBM): A unicast CFM protocol data unit. It is sent from an MEP to a specified MP, and the sending MEP expects to receive an LBR message in return.
• Loopback Reply (LBR): A unicast CFM protocol data unit. It is sent by the MP receiving an LBM as the reply to the LBM.
With the five protocol messages listed above, CFM implements the following functions:
• Detecting faults: An MEP detects network connectivity faults by periodically sending and receiving CCM messages. The faults include connection failure and unwelcome connection (error connection).
• Notifying faults: After an MEP detects a connectivity fault, it sends a proper alarm to the specified management system, for example, SNMP trap messages.
• Locating a path: An MEP locates and traces a path from an MEP to another MP (including MEP and MIP) by using LTM/LTR messages.
• Confirming and isolating a fault: This is an administrative function. The network manager confirms the fault through LBM/LBR messages and isolates the fault.
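The CCM receive check behind "Detecting faults", as an added example (not taken from the ZTE guide or the switch firmware): it parses the fixed CCM layout defined by IEEE 802.1ag and classifies each received CCM against one MEP's configuration, separating the "error connection" cases from a healthy peer and from a lost peer. The function names, the status labels and the sample PDUs are constructed for illustration; the MEP values are those of S1 in this guide's "Network Configuration Without MIP" instance.

```python
import struct
from dataclasses import dataclass

CCM_OPCODE = 1                              # 802.1ag OpCodes: CCM=1, LBR=2, LBM=3, LTR=4, LTM=5
INTERVAL_S = {4: 1, 5: 10, 6: 60, 7: 600}   # CCM interval codes 4-7, in seconds


def make_maid(md_name, ma_name):
    """48-byte MAID: MD name (format 4, string) then short MA name (format 2, string)."""
    md, ma = md_name.encode(), ma_name.encode()
    maid = bytes([4, len(md)]) + md + bytes([2, len(ma)]) + ma
    if len(maid) > 48:
        raise ValueError("names do not fit into the 48-byte MAID")
    return maid.ljust(48, b"\x00")


def build_ccm(level, mep_id, maid, interval=4, seq=0, rdi=False):
    """Constructed test input: a CCM PDU as it follows EtherType 0x8902."""
    flags = (0x80 if rdi else 0) | interval
    header = struct.pack("!BBBB", level << 5, CCM_OPCODE, flags, 70)
    # sequence number, MEP ID, MAID, 16 bytes used by Y.1731, End TLV
    return header + struct.pack("!IH", seq, mep_id) + maid + bytes(16) + b"\x00"


@dataclass
class Ccm:
    level: int
    rdi: bool
    interval: int
    seq: int
    mep_id: int
    maid: bytes


def parse_ccm(pdu):
    if len(pdu) < 74:
        raise ValueError("truncated CCM")
    first, opcode, flags, tlv_offset = struct.unpack_from("!BBBB", pdu, 0)
    if opcode != CCM_OPCODE or tlv_offset != 70:
        raise ValueError("not a CCM")
    seq, mep_id = struct.unpack_from("!IH", pdu, 4)
    return Ccm(first >> 5, bool(flags & 0x80), flags & 0x07, seq,
               mep_id & 0x1FFF, pdu[10:58])


@dataclass
class MepConfig:
    level: int
    maid: bytes
    mep_id: int
    remote_mep_ids: frozenset
    interval: int = 4


def classify(cfg, ccm):
    """Status labels are this example's own; the checks follow 802.1ag."""
    if ccm.level > cfg.level:
        return "pass-through"      # belongs to an enclosing domain, not processed here
    if ccm.level < cfg.level or ccm.maid != cfg.maid:
        return "cross-connect"     # traffic of another MA or inner domain leaked in
    if (ccm.mep_id == cfg.mep_id or ccm.mep_id not in cfg.remote_mep_ids
            or ccm.interval != cfg.interval):
        return "error-ccm"         # right MA, but unexpected sender or timer
    return "rdi" if ccm.rdi else "ok"


def rmep_lost(last_seen_s, now_s, interval_code):
    """Connection failure: no CCM from a remote MEP for 3.5 CCM intervals."""
    return now_s - last_seen_s > 3.5 * INTERVAL_S[interval_code]


# S1 in the guide: MD zte_1 at level 5, MA zte_zte_1, local MEP 1, remote MEP 2.
S1 = MepConfig(5, make_maid("zte_1", "zte_zte_1"), 1, frozenset({2}))
OTHER_MA = make_maid("zte_1", "other_ma")   # constructed foreign MA

SAMPLES = {
    "peer MEP 2": build_ccm(5, 2, S1.maid),
    "peer MEP 2, RDI": build_ccm(5, 2, S1.maid, rdi=True),
    "unknown MEP 9": build_ccm(5, 9, S1.maid),
    "own MEP ID 1": build_ccm(5, 1, S1.maid),
    "interval 10 s": build_ccm(5, 2, S1.maid, interval=5),
    "foreign MA": build_ccm(5, 2, OTHER_MA),
    "lower level 4": build_ccm(4, 2, S1.maid),
    "higher level 6": build_ccm(6, 2, S1.maid),
}


def run_samples():
    return {name: classify(S1, parse_ccm(pdu)) for name, pdu in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name:18} {status}")
```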
Configuring 802.1ag Commands
802.1ag configuration includes the following commands:
Command
    Function
zte(cfg)#cfm {disable|enable}
    Enables/disables the CFM function.
zte(cfg)#create cfm md-session <1-16> name <string> level <0-7>
    Creates a CFM MD.
zte(cfg)#create cfm md-session <1-16> ma-session <1-32> name <string>
    Creates a CFM MA.
zte(cfg)#create cfm md-session <1-16> ma-session <1-32> mep-session <1-64> mep-id <1-8191> direction {down|up}
    Creates a CFM local MEP.
zte(cfg)#create cfm md-session <1-16> ma-session <1-32> mip-session <1-64> name <string>
    Creates a CFM MIP.
zte(cfg)#create cfm md-session <1-16> ma-session <1-32> rmep-session <1-64> rmep-id <1-8191> remote-mac <hh.hh.hh.hh.hh.hh>
    Creates a CFM remote MEP.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> primary-vlan {<1-4094>| delete}
    Sets or deletes the primary VLAN within a CFM MA.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> ccm time-interval <4-7>
    Sets the interval at which the MEPs within a CFM MA send CCM packets.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> ccm md-name {absent | disable | present}
    Sets the way to fill in the MEG ID field in CFM CCM messages.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> state {disable|enable}
    Sets the status of the CFM MEP protocol.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> ccm-send {disable|enable}
    Sets the CCM sending status of a CFM MEP.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> ccm-receive {disable|enable}
    Sets the CCM receiving status of a CFM MEP.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> priority <0-7>
    Sets the priority of CCM packets sent by a CFM MEP.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> alarm-lowest-pri <1-5>
    Sets the lowest alarm priority of a CFM MEP.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> assign {delete | port <portid>| trunk <trunkid>}
    Allocates a port or aggregation port to an MEP.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mip-session <1-64> assign {delete | port <portid>| trunk <trunkid>}
    Allocates a port or aggregation port to an MIP.
zte(cfg)#clear cfm md-session [<1-16>]
    Clears all configuration of CFM MD.
zte(cfg)#clear cfm md-session <1-16> ma-session [<1-32>]
    Clears all configuration of CFM MA.
zte(cfg)#clear cfm md-session <1-16> ma-session <1-32> {mep-id [<1-8191>]| mep-session [<1-64>]}
    Clears all configuration of CFM MEP.
zte(cfg)#clear cfm md-session <1-16> ma-session <1-32> mip-session [<1-64>]
    Clears all configuration of CFM MIP.
show cfm md-session [<1-16>] (all configuration modes)
    Displays all configuration of CFM MD.
show cfm md-session <1-16> ma-session [<1-32>] (all configuration modes)
    Displays all configuration of CFM MA.
show cfm md-session <1-16> ma-session <1-32> mp-session [<1-64>] (all configuration modes)
    Displays all configuration of CFM MP.
show cfm (all configuration modes)
    Displays the global protocol status of CFM.
zte(cfg)#cfm lbm md-session <1-16> ma-session <1-32> smep-id <1-8191> {dmep-id <1-8191>| dmep-mac <hh.hh.hh.hh.hh.hh>| dmip-mac <hh.hh.hh.hh.hh.hh>} [repeat <1-200> [size <0-400> [timeout <1-10>]]]
    Performs LBM detection.
zte(cfg)#cfm ltm md-session <1-16> ma-session <1-32> smep-id <1-8191> {dmep-id <1-8191>| dmep-mac <hh.hh.hh.hh.hh.hh>| dmip-mac <hh.hh.hh.hh.hh.hh>} [ttl <1-64> [timeout <5-10>]]
    Performs LTM detection.
zte(cfg)#cfm read trans-id <1-4294967295>
    Reads the LTM path tree.
Network Configuration Without MIP
• Configuration Description
For device connection, see Figure 5-55.
Figure 5-55 Single-Domain CFM Network Without MIP
• Configuration Procedure
Configuration on S1:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 1 direction down
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 state enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-send enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 assign port 1
zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 2 remote-mac 00.d0.d0.c0.00.02
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-receive enable
Configuration on S2:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 2 direction down
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 state enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-send enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 assign port 2
zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 1 remote-mac 00.d0.d0.c0.00.01
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable
Network Configuration With MIP
• Configuration Description
For device connection, see Figure 5-56.
Figure 5-56 Single-Domain CFM Network With MIP
• Configuration Procedure
Configuration on S1:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 1 direction down
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 state enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-send enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 assign port 1
zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 2 remote-mac 00.d0.d0.c0.00.03
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-receive enable
Configuration on S2:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mip-session 1 name zte_mip_1
zte(cfg)#cfm md-session 1 ma-session 1 mip-session 1 assign port 2
zte(cfg)#create cfm md-session 1 ma-session 1 mip-session 2 name zte_mip_1
zte(cfg)#cfm md-session 1 ma-session 1 mip-session 2 assign port 3
Configuration on S3:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 2 direction down
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 state enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-send enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 assign port 4
zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 1 remote-mac 00.d0.d0.c0.00.01
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable
5.43 Y.1731 Configuration
Y.1731 Overview
The Y.1731 protocol complements the 802.1ag protocol. It defines a series of extensions in which CFM is used to measure the network link status and performance.
The Y.1731 protocol is used in:
• The error management OAM: Alarm Indication Signal (AIS), Locked (LCK), Remote Defect Indication (RDI) and the functions mentioned in 802.1ag (CCM, LB, LT).
• The performance management OAM: Loss Measurement (LM) and Delay Measurement (DM).
Y.1731 Configuration
Y.1731 configuration includes the following commands:
Command
    Function
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> one-lm {enable | disable}
    Enables the LM function at one end.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> two-lm {enable | disable}
    Enables the LM function at both ends.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> two-dm {enable | disable}
    Enables the DM function in both directions.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> ais {enable | disable}
    Enables the AIS function.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> lck {enable | disable}
    Enables the LCK function.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> client-level <0-7>
    Sets the level at which the AIS/LCK function is sent to outer layers.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> relate-to rmep-id <1-8191>
    Sets the remote MEP related to the local MEP.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> one-lm send-packet [continue-time <60-600> interval <1-60>]
    Starts LM detection at one end.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> one-lm send-packet stop
    Stops LM detection at one end.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> two-dm send-packet [continue-time <60-600> interval <1-60>]
    Starts DM detection at both ends.
zte(cfg)#cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> two-dm send-packet stop
    Stops DM detection at both ends.
zte(cfg)#clear cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> {one-lm | two-lm | two-dm}
    Clears the results of LM detection at one end and at both ends, as well as the result of DM detection in both directions.
zte(cfg)#clear cfm md-session <1-16> ma-session <1-32> mep-id <1-8191> relate-rmep
    Clears the related remote MEP.
LM Network Configuration
• Configuration Description
The network configuration is illustrated by using the network instance in Figure 5-57.
Figure 5-57 LM Network Configuration Instance
• Configuration Procedure
Configuration on S1:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 1 direction down
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 state enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-send enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 assign port 1
zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 2 remote-mac 00.d0.d0.c0.00.02
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 relate-to rmep-id 2
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 one-lm (two-lm) enable
Configuration on S2:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 2 direction down
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 state enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-send enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 assign port 4
zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 1 remote-mac 00.d0.d0.c0.00.01
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 relate-to rmep-id 1
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 one-lm (two-lm) enable
• Configuration Verification
LM on both ends is performed automatically based on the CCM configuration, while LM on one end is performed after it is manually triggered on S1 or S2:
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 (2) one-lm send-packet
View the measurement result by using the command for displaying MEP information that is provided by 802.1ag.
DM Network Configuration
• Configuration Description
The network configuration is illustrated by using the network instance in Figure 5-58.
Figure 5-58 DM Network Configuration Instance
• Configuration Procedure
Configuration on S1:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 1 direction down
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 state enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-send enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 assign port 1
zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 2 remote-mac 00.d0.d0.c0.00.02
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 relate-to rmep-id 2
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 two-dm enable
Configuration on S2:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 2 direction down
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 state enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-send enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 assign port 4
zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 1 remote-mac 00.d0.d0.c0.00.01
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 relate-to rmep-id 1
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 two-dm enable
• Configuration Verification
Manually trigger the test on S1 or S2:
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 (2) two-dm send-packet
View the measurement result by using the command for displaying MEP information that is provided by 802.1ag.
AIS/LCK Network Configuration
• Configuration Description
The network configuration is illustrated by using the network instance in Figure 5-59.
Figure 5-59 AIS/LCK Network Configuration Instance
• Configuration Procedure
Configuration on S1:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 1 direction down
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 state enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-send enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 assign port 1
zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 2 remote-mac 00.d0.d0.c0.00.04
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ais (lck) enable
Configuration on S2:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 10 name zte level 4
zte(cfg)#create cfm md-session 10 ma-session 10 name zte_zte
zte(cfg)#cfm md-session 10 ma-session 10 primary-vlan 100
zte(cfg)#create cfm md-session 10 ma-session 10 mep-session 10 mep-id 10 direction down
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 10 state enable
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 10 ccm-send enable
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 10 ccm-receive enable
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 10 assign port 3
zte(cfg)#create cfm md-session 10 ma-session 10 rmep-session 20 rmep-id 20 remote-mac 00.d0.d0.c0.00.03
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 20 ccm-receive enable
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 10 ais (lck) enable
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 10 client-level 5
Configuration on S3:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 10 name zte4 level 4
zte(cfg)#create cfm md-session 10 ma-session 10 name zte_zte
zte(cfg)#cfm md-session 10 ma-session 10 primary-vlan 100
zte(cfg)#create cfm md-session 10 ma-session 10 mep-session 20 mep-id 20 direction down
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 20 state enable
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 20 ccm-send enable
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 20 ccm-receive enable
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 20 assign port 5
zte(cfg)#create cfm md-session 10 ma-session 10 rmep-session 10 rmep-id 10 remote-mac 00.d0.d0.c0.00.02
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 10 ccm-receive enable
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 20 ais (lck) enable
zte(cfg)#cfm md-session 10 ma-session 10 mep-id 20 client-level 5
Configuration on S4:
zte(cfg)#cfm enable
zte(cfg)#create cfm md-session 1 name zte_1 level 5
zte(cfg)#create cfm md-session 1 ma-session 1 name zte_zte_1
zte(cfg)#cfm md-session 1 ma-session 1 primary-vlan 100
zte(cfg)#create cfm md-session 1 ma-session 1 mep-session 1 mep-id 2 direction down
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 state enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-send enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 2 assign port 6
zte(cfg)#create cfm md-session 1 ma-session 1 rmep-session 2 rmep-id 1 remote-mac 00.d0.d0.c0.00.01
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ccm-receive enable
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 ais (lck) enable
• Configuration Verification
Disconnect the link between S2 and S3. After that, alarms occur only on S2 and S3, and unrelated alarms on S1 and S4 are suppressed by the AIS function.
zte(cfg)#cfm md-session 1 ma-session 1 mep-id 1 (2) one-lm send-packet
View the measurement result by using the command for displaying MEP information that is provided by 802.1ag.
5.44 MAC-based VLAN Command Configuration
MAC-based VLAN Overview
The MAC-based VLAN decides the VLAN for forwarding an untagged frame based on the source MAC address of the frame. This technology allows packets to be transmitted in different VLANs and provides different services to different users.
Configuring MAC-based VLAN
The MAC-based VLAN configuration includes the following commands:
Command
    Function
zte(mac-based-vlan)#rule <1-1024> mac-address <HH.HH.HH.HH.HH.HH> mac-mask <HH.HH.HH.HH.HH.HH> vlan <1-4094>
    Sets a rule for MAC-based VLAN.
zte(mac-based-vlan)#clear rule <1-1024>
    Clears a rule for MAC-based VLAN.
zte(cfg)#set vlan mac-based {global |port <portlist>} session <1-64> {bind|unbind}
    Sets the binding relation between global/port and sessions of MAC-based VLAN.
show vlan mac-based session [<1-64>]
    Displays all rules of all or one session configured for a MAC-based VLAN.
show vlan mac-based session [<1-64>] bind
    Displays the binding relations between a port and all or one session configured for a MAC-based VLAN.
MAC-Based VLAN Configuration Instance
• Configuration Description
Set the following MAC-based VLAN rules for port 1: Assign the VLAN "vlan100" to all untagged frames whose source MAC address is 00.00.00.00.00.01, and assign the VLAN "vlan200" to all untagged frames whose source MAC address matches 00.d0.d0.00.00.00 under the mask ff.ff.ff.00.00.00.
• Configuration Procedure
Configure a MAC-based VLAN instance:
zte(cfg)#set vlan 100,200 enable
zte(cfg)#set vlan 100,200 add port 1 untag
zte(cfg)#set vlan 10,12 add port 1 tag
zte(cfg)#config mac-based-vlan session 1
zte(mac-based-vlan)#rule 1 mac-address 00.00.00.00.00.01 mac-mask ff.ff.ff.ff.ff.ff vlan 100
zte(mac-based-vlan)#rule 2 mac-address 00.d0.d0.00.00.00 mac-mask ff.ff.ff.00.00.00 vlan 200
zte(cfg)#set vlan mac-based port 1 session 1 bind
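How the address-and-mask rules above select a VLAN, as an added example (not ZTE code): it parses the two rule lines of this instance, classifies source MAC addresses, and audits a rule set for overlapping rules that assign different VLANs. The same masked comparison applies to the mac-addr/mac-mask pairs of the voice VLAN oui-id entries in the Voice VLAN instance. Evaluation in ascending rule number with the first match winning is an assumption of this example, and rule 3 is constructed to show a shadowed rule.

```python
from dataclasses import dataclass


def mac_to_int(text):
    """Parse the guide's dotted notation, e.g. 00.d0.d0.00.00.00."""
    parts = text.split(".")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {text!r}")
    return int("".join(parts), 16)


@dataclass(frozen=True)
class Rule:
    number: int
    mac: int
    mask: int
    vlan: int

    def matches(self, src):
        # Only the bits set in the mask take part in the comparison.
        return (src & self.mask) == (self.mac & self.mask)


def parse_rule(line):
    """Parse 'rule <n> mac-address <mac> mac-mask <mask> vlan <id>'."""
    t = line.split()
    if len(t) != 8 or (t[0], t[2], t[4], t[6]) != ("rule", "mac-address", "mac-mask", "vlan"):
        raise ValueError(f"not a rule line: {line!r}")
    return Rule(int(t[1]), mac_to_int(t[3]), mac_to_int(t[5]), int(t[7]))


def classify(rules, src_mac):
    """VLAN for an untagged frame, or None when no rule matches.

    Assumption: rules are tried in ascending rule number, first match wins.
    """
    src = mac_to_int(src_mac)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src):
            return rule.vlan
    return None


def conflicts(rules):
    """Pairs of rules that can match the same address but map it to different VLANs."""
    found = []
    ordered = sorted(rules, key=lambda r: r.number)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            # Two masked patterns share an address iff they agree on every
            # bit that both masks compare.
            overlap = ((a.mac ^ b.mac) & a.mask & b.mask) == 0
            if overlap and a.vlan != b.vlan:
                found.append((a.number, b.number))
    return found


def covered_addresses(rule):
    """Number of source addresses a rule accepts: 2^(zero bits in the mask)."""
    return 1 << (48 - bin(rule.mask).count("1"))


# The two rules of the instance above.
PAGE_RULES = [
    parse_rule("rule 1 mac-address 00.00.00.00.00.01 mac-mask ff.ff.ff.ff.ff.ff vlan 100"),
    parse_rule("rule 2 mac-address 00.d0.d0.00.00.00 mac-mask ff.ff.ff.00.00.00 vlan 200"),
]
# Constructed rule: a host rule inside the range that rule 2 already covers.
EXTRA = parse_rule("rule 3 mac-address 00.d0.d0.00.00.05 mac-mask ff.ff.ff.ff.ff.ff vlan 300")

if __name__ == "__main__":
    for src in ("00.00.00.00.00.01", "00.d0.d0.12.34.56", "00.11.22.33.44.55"):
        print(src, "->", classify(PAGE_RULES, src))
    print("conflicts with rule 3 added:", conflicts(PAGE_RULES + [EXTRA]))
    print("addresses accepted by rule 2:", covered_addresses(PAGE_RULES[1]))
```

A source MAC address is chosen by the sending host, so a rule with a wide mask places every host that presents a matching address into the rule's VLAN; `covered_addresses` shows how many addresses that is.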
5.45 DHCP Relay Configuration
DHCP Relay Overview
DHCP Relay interacts with both the client and the server, playing a different role toward each. From the view of the DHCP client, the DHCP relay agent can be considered as its DHCP server, and the DHCP relay responds to the IP address requests from the client. For this, the DHCP relay agent needs to listen on the listening port of the DHCP server. From the view of the DHCP server, the DHCP relay agent can be considered as its DHCP client, and the DHCP relay initiates IP address requests. For this, the IP address of the interface through which messages are received must be filled in the Relay Agent field of the DHCP request messages forwarded by the DHCP relay.
The DHCP server checks the validity of the Relay Agent field and allocates to the DHCP client an IP address that is in the same subnet as the IP address in that field. This means that the allocated IP address and the IP address of the interface through which the relay receives request messages are in the same network segment. At the same time, the DHCP relay forwards the responses from the DHCP server to the client.
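The relay and server steps described above, as an added example (not ZTE code): a relay function fills the Relay Agent field (giaddr in RFC 2131 terms) with the receiving interface address and can append option 82, and a server-side function picks the address pool from that field. The interface address 169.1.15.1 and its /16 mask come from the configuration instance in this section; the function names, the second pool, the hop limit of 16 and the circuit-ID/remote-ID strings are constructed for illustration.

```python
import ipaddress
import struct

MAGIC = bytes([99, 130, 83, 99])      # DHCP magic cookie
GIADDR, OPTIONS = 24, 240             # byte offsets in a BOOTP/DHCP message


def build_discover(xid, chaddr):
    """Constructed client DHCPDISCOVER: giaddr 0, hops 0, broadcast flag set."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr, b"", b"")
    return fixed + MAGIC + bytes([53, 1, 1, 255])    # option 53 = DISCOVER, End


def options(pkt):
    """Return {code: (offset, value)} for the options field, End (255) included."""
    found, i = {}, OPTIONS
    while i < len(pkt):
        code = pkt[i]
        if code == 255:
            found[255] = (i, b"")
            return found
        if code == 0:                 # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            break                     # length byte points past the packet
        found[code] = (i, pkt[i + 2:i + 2 + pkt[i + 1]])
        i += 2 + pkt[i + 1]
    raise ValueError("options field is not terminated")


def relay_request(pkt, rx_if_ip, circuit_id=b"", remote_id=b"", max_hops=16):
    """Return the packet to forward to the server, or None to drop it."""
    if len(pkt) < OPTIONS or pkt[0] != 1 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP request")
    if pkt[3] >= max_hops:            # loop protection (constructed limit)
        return None
    out = bytearray(pkt)
    out[3] += 1                       # hops
    if out[GIADDR:GIADDR + 4] == bytes(4):
        # First relay on the path: record where the request came in.
        out[GIADDR:GIADDR + 4] = ipaddress.IPv4Address(rx_if_ip).packed
        opts = options(pkt)
        sub = b""
        if circuit_id:
            sub += bytes([1, len(circuit_id)]) + circuit_id   # sub-option 1
        if remote_id:
            sub += bytes([2, len(remote_id)]) + remote_id     # sub-option 2
        if sub and 82 not in opts:
            end = opts[255][0]
            out[end:end] = bytes([82, len(sub)]) + sub        # last option before End
    return bytes(out)


def select_pool(pkt, pools):
    """Server side: the pool whose subnet contains giaddr, else None."""
    giaddr = ipaddress.IPv4Address(bytes(pkt[GIADDR:GIADDR + 4]))
    for net in pools:
        if giaddr in net:
            return net
    return None


# 169.1.0.0/16 is the client-side subnet of ipport 0 in this section;
# 192.168.50.0/24 is a constructed second pool.
POOLS = [ipaddress.ip_network("169.1.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]

if __name__ == "__main__":
    discover = build_discover(0x1234, bytes.fromhex("000001000001"))
    relayed = relay_request(discover, "169.1.15.1", b"port1", b"zte-sw1")
    print("giaddr:", ipaddress.IPv4Address(relayed[GIADDR:GIADDR + 4]))
    print("option 82:", options(relayed)[82][1])
    print("pool:", select_pool(relayed, POOLS))
```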
Configuring the DHCP Relay
DHCP relay configuration includes the following commands:
Command
    Function
zte(cfg)#set dhcp relay {enable | disable}
    Globally enables/disables the DHCP relay function.
zte(cfg)#set dhcp relay option82 {enable | disable}
    Globally enables/disables the DHCP relay option82 function.
zte(cfg)#set dhcp relay option82 sub-option device {ani <string>| remote-ID {cisco | manual <string>| key <string>}}
    Sets the switch node device ID.
zte(cfg)#set dhcp relay option82 sub-option port <portlist> circuit-ID {on {cisco | china-tel | dsl-forum | henan-rft | key <string>| manual <string>}| off}
    Sets the relay option82 suboption.
zte(cfg)#set dhcp relay option82 mode port <portlist> {default | drop | modify | append}
    Sets the mode in binding the dynamic user information binding table options for the port.
zte(cfg)#set dhcp relay server mode {ipport | vclass-id}
    Sets the DHCP relay mode, that is, whether the DHCP server is set depending on ipport or vclass-id.
zte(cfg)#set dhcp relay server retry <5-1000>
    Sets the DHCP relay retry, that is, the number of times that message resending to the server is tried.
zte(cfg)#set dhcp relay vclass-id {characters <string>| hex-numbers <hex-string>} server <A.B.C.D>
    Sets the server IP address corresponding to the class-id field of the server.
zte(cfg)#clear dhcp relay vclass-id {characters <string> {server A.B.C.D}| hex-numbers <hex-string> {server A.B.C.D}}
    Clears the configured DHCP relay vclass-id.
zte(cfg)#clear dhcp relay option82 device ani
    Clears the device ID information.
show dhcp relay
    Displays the DHCP relay configuration.
show dhcp vclass-id
    Displays the DHCP relay option60 configuration.
zte(cfg)#clear dhcp option82 sub-option device ani
    Clears the device ID information.
show dhcp relay binding [port <1-28>| trunk <1-15>] (all configuration modes)
    Displays the DHCP relay binding information.
show dhcp relay option82 port <1-28> (all configuration modes)
    Displays the DHCP relay option82 configuration of the port.
show dhcp relay option82 device (all configuration modes)
    Displays device-related information, including ANI and remote-ID.
zte(cfg-router)#set ipport <0-63> dhcp relay {agent | server <A.B.C.D>}
    Sets the DHCP relay information of ipport.
zte(cfg-router)#clear ipport <0-63> dhcp relay {agent | server <A.B.C.D>}
    Clears the DHCP relay information of ipport.
zte(cfg-router)#set dhcp relay server <A.B.C.D>
    Sets a global DHCP server.
zte(cfg-router)#set dhcp relay global-ipport <0-63>
    Sets a global ipport for a DHCP relay.
zte(cfg)#set dhcp relay vlan {enable | disable}
    Enables or disables the DHCP relay function based on VLANs. If the DHCP function is enabled globally, the device provides the relay function when either this command or the relay agent command is used.
show dhcp relay vlan (all configuration modes)
    Displays VLANs for which the DHCP relay function is enabled.
DHCP Configuration Instance
• Configuration Description
As shown in Figure 5-60, switch port 1 is connected to the DHCP client, and switch port 2 is connected to the DHCP server of the IP network.
Figure 5-60 DHCP Relay Configuration Instance
Note:
The DHCP client and the DHCP server are in different network segments.
• Configuration Procedure
1. Assign a specified VLAN to the port:
zte(cfg)#set vlan 1000 add port 2 tag
zte(cfg)#set vlan 1000 enable
2. Configure the DHCP relay by using the following commands:
zte(cfg)#set dhcp relay enable
zte(cfg-router)#set ipport 0 ipaddress 169.1.15.1 255.255.0.0
zte(cfg-router)#set ipport 0 vlan 1
zte(cfg-router)#set ipport 0 enable
zte(cfg-router)#set ipport 0 dhcp relay agent
zte(cfg-router)#set ipport 0 dhcp relay server 10.230.72.2
zte(cfg-router)#set ipport 63 ipaddress 10.230.72.1 255.255.255.0
zte(cfg-router)#set ipport 63 vlan 1000
zte(cfg-router)#set ipport 63 enable
• Configuration Verification
zte(cfg)#show dhcp relay
DHCP relay status : enable
DHCP server mode : ipport
DHCP server retry : 10
DHCP relay option82: disable
zte(cfg)#show dhcp relay option82 port 1
DHCP option82 sub-option information on port 1:
Circuit-ID: Disabled
Remote-ID: Enabled
Format: Cisco
DHCP option82 mode information on port 1: Default
zte(cfg)#show ipport 0
Status : up IpAddress : 169.1.15.1
VlanId : 1 Mask : 255.255.0.0
ArpProxy : disabled MacAddress: 00.00.00.11.22.33
Timeout : 600(s) IpMode : static
En/Disable: enabled
Dhcp client configuration as follows:
Class-id : -
Client-id : -
Hostname : -
Lease : -
Clear request: -
Dhcp relay configuration as follows:
Relay agent : enable
Server IP : 10.230.72.2
5.46 MFF Configuration
MFF Overview
The MFF function is used on a user access device to isolate users at the access side. It implements layer-2 isolation and layer-3 interworking between users in a broadcast domain without any extra VLAN being created. When an access switch configured with the MFF function receives an ARP request from a user, the switch replies with an ARP response containing the gateway MAC address through the ARP proxy mechanism. In this way, all users' traffic (including the traffic between users in the same subnet) is forced through the gateway access router. The gateway can monitor traffic and prevent attacks among users, which improves network security.
There are two types of MFF ports: user ports and network ports. MFF user ports are connected to terminal users. When receiving an ARP packet from a user port, the switch maintains an MFF user table and replies with a response. MFF network ports are connected to uplink devices or gateways.
There are two MFF operation modes: static mode and dynamic mode.
• Static mode: The IP address of a user is configured manually. The switch generates the MFF user table by listening to ARP packets on MFF user ports.
• Dynamic mode: The IP address and gateway address of a user are allocated through DHCP. The switch generates the MFF user table by capturing ACK packets returned by the DHCP server and parsing the option3 field.
An MFF user table can be added manually.
A gateway can be configured in a VLAN for ARP proxy, or a global gateway can be configured. When performing ARP proxy, the gateway in an MFF entry takes precedence over the intra-VLAN gateway, and the intra-VLAN gateway takes precedence over the global gateway. The gateway address can be an IP address or a MAC address. If the gateway address is an IP address, the switch sends an ARP request to the gateway to obtain the MAC address. If the gateway address is a MAC address, the switch directly uses the MAC address in ARP responses. Therefore, a static MAC entry pointing to the gateway must be configured manually on the switch.
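The ARP proxy behaviour and the gateway precedence described above, as an added example (a model for study, not ZTE code): a user's ARP request for any address is answered with the gateway's MAC address, and the gateway is chosen from the MFF entry first, then the intra-VLAN gateway, then the global gateway. The class and method names, all addresses and the dotted-MAC test used to tell a MAC gateway from an IP gateway are constructed for illustration.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import Optional

ARP = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(text):
    """Dotted notation used in this guide, e.g. 00.d0.d0.c0.00.01."""
    return bytes.fromhex(text.replace(".", ""))


def arp_request(sender_mac, sender_ip, target_ip):
    """Constructed ARP request payload as a user host would send it."""
    return struct.pack(ARP, 1, 0x0800, 6, 4, 1, mac_bytes(sender_mac),
                       socket.inet_aton(sender_ip), bytes(6),
                       socket.inet_aton(target_ip))


@dataclass
class MffSwitch:
    global_gw: Optional[str] = None                 # IP or MAC, as configured
    vlan_gw: dict = field(default_factory=dict)     # vlan -> gateway
    users: dict = field(default_factory=dict)       # (vlan, user IP) -> gateway or None
    gw_arp: dict = field(default_factory=dict)      # gateway IP -> MAC learned by ARP

    def gateway_for(self, vlan, user_ip):
        # Precedence: MFF entry, then intra-VLAN gateway, then global gateway.
        return (self.users.get((vlan, user_ip))
                or self.vlan_gw.get(vlan)
                or self.global_gw)

    def gateway_mac(self, vlan, user_ip):
        gw = self.gateway_for(vlan, user_ip)
        if gw is None:
            return None
        if gw.count(".") == 5:          # configured as a MAC: used directly
            return mac_bytes(gw)
        return self.gw_arp.get(gw)      # configured as an IP: needs an ARP answer

    def on_user_arp(self, vlan, payload):
        """Handle an ARP request from a user port; return the proxy reply or None."""
        if len(payload) != struct.calcsize(ARP):
            return None
        htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP, payload)
        if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 1):
            return None
        user_ip = socket.inet_ntoa(spa)
        # Static mode: the user table is built from ARP seen on user ports.
        self.users.setdefault((vlan, user_ip), None)
        gw_mac = self.gateway_mac(vlan, user_ip)
        if gw_mac is None:
            return None                 # gateway MAC not known yet
        # The reply claims the requested IP is reachable at the gateway's MAC,
        # so traffic to a neighbour in the same subnet also goes to the gateway.
        return struct.pack(ARP, 1, 0x0800, 6, 4, 2, gw_mac, tpa, sha, spa)


if __name__ == "__main__":
    sw = MffSwitch(global_gw="10.1.1.254", vlan_gw={100: "00.d0.d0.c0.00.fe"})
    req = arp_request("00.00.01.00.00.01", "10.1.1.10", "10.1.1.20")
    reply = struct.unpack(ARP, sw.on_user_arp(100, req))
    print("10.1.1.20 is-at", reply[5].hex(":"), "(gateway MAC, not the neighbour's)")
```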
Configuring MFF
The MFF configuration includes the following commands:
Command
    Function
zte(cfg)#set mff vlan <vlanlist> add port <portlist> {userport | network}
    Sets the MFF attributes for ports and VLANs.
zte(cfg)#set mff vlan <vlanlist> delete port <portlist>
    Deletes the MFF attributes for ports and VLANs.
zte(cfg)#set mff vlan <vlanlist> gateway {ip | mac} <address>
    Sets an intra-VLAN MFF gateway.
zte(cfg)#set mff user ip <ip-addr> mac <mac-addr> vlan <vlan-id> gateway {ip | mac} <address>
    Adds an MFF user entry manually.
zte(cfg)#set mff gateway {ip | mac} <address>
    Sets a global MFF gateway.
zte(cfg)#set mff gateway-arp-keepalive add-port {<portlist>| all} {timeout <value>} {enable | disable}
    Sets the ARP keep-alive parameter for the MFF gateway, and enables or disables the keep-alive function.
zte(cfg)#set mff gateway-user-keepalive add-port {<portlist>| all} {timeout <value>} {enable | disable}
    Sets the ARP keep-alive parameter for users connected to the gateway device that sends gratuitous ARP keep-alive packets, and enables or disables the keep-alive function.
zte(cfg)#clear mff gateway
    Deletes the global MFF gateway.
zte(cfg)#clear mff gateway arp-keepalive-port
    Clears the ports that send gateway ARP keep-alive packets.
zte(cfg)#clear mff gateway user-keepalive-port
    Clears the ports that send user ARP keep-alive packets.
zte(cfg)#clear mff vlan <vlanlist> gateway
    Deletes the intra-VLAN MFF gateway.
zte(cfg)#clear mff user ip <ip-addr> vlan <vlan-id>
    Deletes the specified MFF user entry.
zte(cfg)#show mff user-table
    Displays information about the MFF user table.
zte(cfg)#show mff interface
    Displays information about MFF port configuration.
zte(cfg)#show mff gateway
    Displays information about MFF gateway configuration.
zte(cfg)#show mff gateway -keepalive-info {port}
    Displays information about ARP keep-alive configuration, including gateway ARP keep-alive configuration and user ARP keep-alive configuration.
MFF Configuration Instance
- Configuration Description
As shown in Figure 5-61, ports 1 and 2 of the switch are connected to PCs, port 4 is connected to the gateway, and port 6 is connected to the DHCP server. The following procedure describes how to configure static MFF. The configuration for dynamic MFF is similar, but it is necessary to configure the DHCP snooping function. For details, refer to 5.27 DHCP Configuration.
Figure 5-61 MFF Configuration Instance
- Configuration Procedure
  - Configure a VLAN for the ports:
    zte(cfg)#set vlan 400 add port 1/1,1/2,1/4 untag
    zte(cfg)#set port 1/1,1/2,1/4 pvid 400
  - Configure the MFF attributes for the ports and VLAN:
    zte(cfg)#set mff vlan 400 add port 1/1 userport
    zte(cfg)#set mff vlan 400 add port 1/2 userport
    zte(cfg)#set mff vlan 400 add port 1/4 network
  - Configure an intra-VLAN gateway:
    zte(cfg)#set mff vlan 400 gateway ip 197.1.23.15
- Configuration Verification
When an ARP request is received on a user port, the switch searches the ARP table first. If the ARP table does not contain the gateway ARP entry, the switch sends an ARP request to the gateway on the user's behalf, and then adds an MFF user entry. The MFF user entry is as follows:
zte(cfg)#show mff user-table
MFF user entry total count: 1
Type: born way of MFF user entry.
'M',manual configure; 'A',ARP packet; 'D',DHCP snooping packet.
VlanId IpAddress       Type MacAddress        Gateway(IpOrMac)
------ --------------- ---- ----------------- ----------
400    197.1.23.3      A    00.10.94.00.00.03 197.1.23.15
5.47 SSL Configuration
SSL Overview
The SSL protocol is an intermediate protocol located between the application layer and the transport layer in the network model. Through data encryption, identity authentication, and message integrity validation, SSL secures connections established over reliable transport layer protocols (for example, TCP).
The SSL functional module enables the ZXR10 2900E to operate as an SSL server and complete interaction with a client. The interaction procedure includes SSL handshaking, and packet monitoring, receiving, parsing and sending. The SSL handshaking procedure includes negotiating an encryption algorithm, verifying the local certificate on the server, exchanging keys, and verifying the message authentication code (MAC). The encryption algorithm, local certificate on the server, keys, and MAC are used for data encryption and decryption, identity authentication, and message integrity validation in the subsequent session.
Encryption certificate management is the prerequisite for SSL handshaking. Certificate management includes key generation management, local certificate generation on the server, and root certificate generation on the client.
Users can access the ZXR10 2900E by using browsers and HTTPS to perform Web-based configuration and management.
Configuring SSL
The SSL configuration includes the following commands:
Command
    Function
zte(cfg)#set ssl {enable | disable}
    Enables or disables the SSL function.
zte(cfg)#create ca {<A.B.C.D/M> | <A.B.C.D> <network mask>}
    Manages the encryption certificate, and creates an RSA key, a local certificate on the server and a root certificate on the client.
show ssl (all configuration modes)
    Displays the SSL configuration and state.
SSL Configuration Instance
- Configuration Description
As shown in Figure 5-62, a layer-3 port is configured on the switch, and the IP address is set to 192.168.100.110/24. The IP address of the PC is set to 192.168.100.109/24. The switch operates as the SSL server, and the browser on the PC operates as the SSL client.
Figure 5-62 SSL Configuration Instance
- Configuration Procedure
Configure the switch:
zte(cfg)#create ca 192.168.100.110/24
ca is creating ,please wait......
Rootcafile /flash/data/root.cer, has created!
Servercafile /flash/data/server.pem, has created!
Serverkeyfile /flash/data/server.key, has created!
FS is releasing ,please wait......
Done!
zte(cfg)#set ssl en
The current ca is for ipaddress 192.168.100.110,
Please make sure ip of the switch matches.
Then upload /flash/data/root.cer, and import to explore,the ssl is availible.
zte(cfg)#config tffs
zte(cfg-tffs)#cd data
zte(cfg-tffs)#tftp 192.168.100.109 upload root.cer
Set the browser:
Set the browser as the SSL client on the PC, so that you can access the switch through HTTPS to perform Web-based management.
1. Import the root.cer file in the browser.
a. Open the browser, and select Tools > Internet Options from the menu bar. The Internet Options dialog box is displayed, see Figure 5-63.
Figure 5-63 Internet Options Dialog Box
b. Click the Content tab, and then click Certificates. The Certificates dialog box is displayed, see Figure 5-64.
Figure 5-64 Certificates Dialog Box
c. Click the Trusted Root Certification Authorities tab, and then click Import…, see Figure 5-65. The dialog box for the certificate import wizard is displayed.
Figure 5-65 Certificates Dialog Box—Importing a Certificate
d. Follow the wizard: click Next, select the root.cer file in the dialog box that is displayed, and complete the certificate import procedure. Close the dialog boxes, and restart the browser.
2. Open the SSL login page.
After the SSL function is enabled for the switch, enter https://<ip address of the switch> in the address bar of the browser. The SSL login page is displayed, see Figure 5-66.
Figure 5-66 SSL Login Page
3. Open the main page for Web-based management.
Enter your username, login password and administration password in the text boxes. The main page for Web-based management is displayed, see Figure 5-67.
Figure 5-67 Main Page for Web-Based Management
5.48 ERPS Configuration
ERPS Overview
The ERPS mechanism is as follows:
- When the network is a ring network that is operating properly, some links in the network are blocked to prevent loops between switches.
- If the network becomes faulty, the backup links are unblocked to protect the inter-node communication.
The basic concepts in ERPS are as follows:
- RPL
  An RPL is a link blocked to prevent a loop in the case of no fault or request.
- RPL owner node (RPL primary node)
  An RPL owner node is a node on an RPL. It is used to block the port that has RPL enabled.
- RPL neighbor node (RPL neighbor node)
  An RPL neighbor node is used to block one end of an RPL. The other end of the RPL is blocked by the RPL owner node.
- Manual switching commands
  The ERPS protocol supports triggering the protocol calculation by using manual switching commands: Forced Switch (FS) and Manual Switch (MS).
- WTR timer
  In revertive mode, the WTR timer is used to prevent the frequent operation of the protection switch due to an intermittent defect.
- WTB timer
  When the corresponding function of the device is restored after an operation command (such as the FS or MS command) is executed, the delay time (called WTB time, guard timer time plus five seconds) must be set long enough to receive potential FS, SF, or MS requests from the remote end. This time is long enough for an Ethernet ring node to consecutively send two R-APS messages, and it is also the condition for determining that the Ethernet ring node exists.
  Note:
  The WTB timer is valid for the RPL owner node only, and the value range depends on the guard timer.
- Guard timer
  The guard timer is used to prevent expired R-APS packets.
  An Ethernet ring node can send multiple R-APS packets simultaneously. In this case, the node can still send expired R-APS packets until it receives a new R-APS packet. If the ring node receives an R-APS (SF) packet that is the same as the message previously sent by the node, the node determines that an SF occurs. For this reason, the guard timer is used to forcibly prevent loops.
- Ring statuses
  A ring may be in idle, pending, protection, FS, or MS status.
Link Switching Procedure in ERPS
ERPS eliminates logical loops by blocking some ports on the ring. When some links in the ring have their status changed (from up to down or from down to up), ERPS can switch a logical path immediately.
As shown in Figure 5-68 and Figure 5-69, an ERPS domain is configured on switches A, B, C, and D. Switch A is the owner node, and its port 1/2 is an RPL port. Switch B is the neighbor node. The port that switch B uses to connect to switch A is also an RPL port. Both switch C and switch D are none nodes.
Service traffic arises between PC1 and PC2, and the arrows in Figure 5-68 indicate the direction in which service data flows.
Figure 5-68 Example of the Primary Node Blocking the Secondary Port (Ring Status: UP)
Figure 5-69 Example of the Primary Node Enabling the Secondary Port (Ring Status: DOWN)
Figure 5-68 shows that each link is operating properly, the ring is in idle status, and the secondary port of the primary node is blocked. Traffic passes through switches C and D.
Figure 5-69 shows that the link between switches B and C is disconnected. The link status changes to Protection, and ERPS immediately switches the RPL port of the owner node to forwarding status. After the switching, traffic does not pass through switches C and D.
After the link between switches C and D is restored, the RPL port of the owner node is blocked again, and the ring status changes to pending as shown in Figure 5-68.
Configuring ERPS
To configure ERPS, perform the following steps.
Step  Command
    Function
1  ZXR10(config)#set ERPS domain <1-4> protect-instance <1-16>
    Creates an ERPS domain.
2  ZXR10(config)#set erps domain <1-4> ring-id <1-239> raps-vlan <1-4094> {ring-east {port <portid> | trunk <portid>} ring-west {port <portid> | trunk <portid>}} [rpl-role {owner | neighbour} rpl-port {east | west}]
    Configures an ERPS ring node.
    The raps-vlan parameter should specify a service-unrelated VLAN (not conflicting with any of the VLANs for services and network management). The port PVID must not be the same as the setting of the raps-vlan parameter.
    The setting of the ring-id parameter is carried in the protocol message, varying with the ERPS instance.
3  ZXR10(config)#set erps domain <1-4> ring-mel <1-7>
    Configures the mel for the ring node.
4  ZXR10(config)#set erps domain <1-4> behaviour {revertive | non-revertive}
    Specifies the revertive or non-revertive mode for the ring.
5  ZXR10(config)#set erps domain <1-4> timer wtr-time <1-12>
    Configures the WTR time (in minutes) of the ERPS ring.
    The WTR timer (in minutes) is valid for the RPL owner node only, range: 1–12, default: 5.
6  ZXR10(config)#set erps domain <1-4> timer guard-time <1-200>
    Configures the guard timer time (in units of 10 ms) for the ERPS ring.
    Range: 1–200, default: 50.
7  ZXR10(config)#set erps domain <1-4> switch {{fs | ms east | west} | clear}
    Configures the manual switching command for the ERPS ring.
    After the FS/MS command is executed, the corresponding port is set to block status.
8  show ERPS brief
    Displays the primary configuration of each ERPS domain.
9  show ERPS domain <1-4>
    Displays detailed information about the ERPS domain.
Configuration Example of a Single ERPS Domain
Figure 5-70 shows that an ERPS domain is configured on switches A to D. This type of configuration is called single-domain, single-ring. The configuration is as follows:
- Protection instance 1 is configured for the ERPS domain. In this instance, the dedicated VLAN (VLAN 4000) is used to protect VLANs 100 to 110.
- Switch A is the owner node, and its port 1/2 is an RPL port.
- Switch B is the neighbor node, and its port 1/2 is an RPL port.
- Switches C and D are none nodes.
Figure 5-70 Configuration Example of a Single ERPS Domain with Multiple Loops
The configuration on switch A is as follows:
/*The following commands configure a spanning tree instance:*/
Switch_A(config)#set stp enable
Switch_A(config)#set stp instance 1 add vlan 100-110
/*The following command configures protection instance 1 for the ERPS domain:*/
Switch_A(config)#set ERPS domain 1 protect-instance 1
/*The following command configures the owner node. The RPL port is port 1/2.*/
Switch_A(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east trunk 1 ring-west port 1/2 rpl-role owner rpl-port west
The configuration on switch B is as follows:
/*The following commands configure a spanning tree instance:*/
Switch_B(config)#set stp enable
Switch_B(config)#set stp instance 1 add vlan 100-110
/*The following command configures protection instance 1 for the ERPS domain:*/
Switch_B(config)#set ERPS domain 1 protect-instance 1
/*The following command configures switch B to be a neighbor node*/
/*and its port 1/2 to be an RPL port:*/
Switch_B(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east port 1/1 ring-west port 1/2 rpl-role neighbour rpl-port west
The configuration on switch C is as follows:
/*The following commands configure a spanning tree instance:*/
Switch_C(config)#set stp enable
Switch_C(config)#set stp instance 1 add vlan 100-110
/*The following command configures protection instance 1 for the ERPS domain:*/
Switch_C(config)#set ERPS domain 1 protect-instance 1
/*The following command configures switch C to be a none node:*/
Switch_C(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east port 1/1 ring-west port 1/2
The configuration on switch D is as follows:
/*The following commands configure a spanning tree instance:*/
Switch_D(config)#set stp enable
Switch_D(config)#set stp instance 1 add vlan 100-110
/*The following command configures protection instance 1 for the ERPS domain:*/
Switch_D(config)#set ERPS domain 1 protect-instance 1
/*The following command configures switch D to be a none node:*/
Switch_D(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east trunk 1 ring-west port 1/2
Configuration Example of Multiple ERPS Domains
Figure 5-71 shows that two ERPS domains are configured on switches A to D, called single-ring, multiple-domain. The configuration is as follows:
- Protection instance 1 is configured for ERPS domain 1. In this instance, the dedicated VLAN (VLAN 4000) protects VLANs 100 to 110. Protection instance 2 is configured for ERPS domain 2. In this instance, the dedicated VLAN (VLAN 4001) protects VLANs 200 to 210.
- Switch A is an owner node in domain 1 (the related ports are ports 1/1 and 1/2, where port 1/2 is an RPL port), and it is a neighbor node in domain 2 (the related ports are ports 1/1 and 1/2, where port 1/2 is also an RPL port).
- Switch B is a neighbor node in domain 1 (the related ports are port 1/1 and port 1/2, where port 1/2 is an RPL port), and it is an owner node in domain 2 (the related ports are ports 1/1 and 1/2, where port 1/2 is also an RPL port).
- Both switches C and D are none nodes in domains 1 and 2.
Note:
If a physical ring has multiple ERPS domains, you can plan different paths for the service traffic related to different ERPS domains through the proper configuration, so that load balancing can be implemented.
Figure 5-71 Configuration Example of Multiple ERPS Domains
The configuration on switch A is as follows:
/*The following commands configure a spanning tree instance:*/
Switch_A(config)#set stp enable
Switch_A(config)#set stp instance 1 add vlan 100-110
Switch_A(config)#set stp instance 2 add vlan 200-210
/*The following commands configure protection instance 1 for*/
/*ERPS domain 1 and protection instance 2 for ERPS domain 2:*/
Switch_A(config)#set ERPS domain 1 protect-instance 1
Switch_A(config)#set ERPS domain 2 protect-instance 2
/*The following command configures switch A to be the owner node*/
/*in domain 1 and its port 1/2 to be an RPL port:*/
Switch_A(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east port 1/1 ring-west port 1/2 rpl-role owner rpl-port west
/*The following command configures switch A to be a neighbor node in domain 2 and*/
/*its port 1/2 to be an RPL port:*/
Switch_A(config)#set ERPS domain 2 ring-id 2 raps-vlan 4001 ring-east port 1/1 ring-west port 1/2 rpl-role neighbour rpl-port west
The configuration on switch B is as follows:
/*The following commands configure a spanning tree instance:*/
Switch_B(config)#set stp enable
Switch_B(config)#set stp instance 1 add vlan 100-110
Switch_B(config)#set stp instance 2 add vlan 200-210
/*The following commands configure protection instance 1 for ERPS domain 1*/
/*and protection instance 2 for ERPS domain 2:*/
Switch_B(config)#set ERPS domain 1 protect-instance 1
Switch_B(config)#set ERPS domain 2 protect-instance 2
/*The following command configures switch B to be a neighbor node in domain 1*/
/*and its port 1/2 to be an RPL port:*/
Switch_B(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east port 1/1 ring-west port 1/2 rpl-role neighbour rpl-port west
/*The following command configures switch B to be the owner node in domain 2*/
/*and its port 1/2 to be an RPL port:*/
Switch_B(config)#set ERPS domain 2 ring-id 2 raps-vlan 4001 ring-east port 1/1 ring-west port 1/2 rpl-role owner rpl-port west
The configuration on switch C is as follows:
/*The following commands configure a spanning tree instance:*/
Switch_C(config)#set stp enable
Switch_C(config)#set stp instance 1 add vlan 100-110
Switch_C(config)#set stp instance 2 add vlan 200-210
/*The following commands configure protection instance 1 for ERPS domain 1*/
/*and protection instance 2 for ERPS domain 2:*/
Switch_C(config)#set ERPS domain 1 protect-instance 1
Switch_C(config)#set ERPS domain 2 protect-instance 2
/*The following command configures switch C to be a none node in domain 1:*/
Switch_C(config)#set ERPS domain 1 ring-id 1 raps-vlan 4000 ring-east port 1/1 ring-west port 1/2
/*The following command configures switch C to be a none node in domain 2:*/
Switch_C(config)#set ERPS domain 2 ring-id 2 raps-vlan 4001 ring-east port 1/1 ring-west port 1/2
The configuration on switch D is the same as that on switch C.
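The constraints stated for the ring-node command (raps-vlan unrelated to service VLANs, port PVID different from raps-vlan) and the role layout of the examples above can be checked across all ring members before deployment. The following Python check is an added example, not ZTE tooling; the function names and the BROKEN_RING input are constructed, and the rule that a ring has exactly one RPL owner and at most one neighbour is this example's assumption drawn from the role descriptions in this section.

```python
"""Cross-switch consistency checks for ERPS ring configuration.

Added example, not ZTE tooling. Command syntax follows this guide's examples;
wrapped commands must be joined onto one line before parsing.
"""
import re
from collections import defaultdict

STP_RE = re.compile(r"set stp instance (\d+) add vlan (\S+)", re.I)
PROT_RE = re.compile(r"set erps domain (\d+) protect-instance (\d+)", re.I)
RING_RE = re.compile(
    r"set erps domain (\d+) ring-id (\d+) raps-vlan (\d+) "
    r"ring-east (port|trunk) (\S+) ring-west (port|trunk) (\S+)"
    r"(?: rpl-role (owner|neighbour) rpl-port (east|west))?", re.I)
PVID_RE = re.compile(r"set port (\S+) pvid (\d+)", re.I)


def expand_vlans(spec):
    """Expand '100-110,200' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_switch(lines):
    """Collect STP instances, protect-instances, ring nodes and PVIDs of one switch."""
    cfg = {"stp": defaultdict(set), "protect": {}, "rings": {}, "pvid": {}}
    for raw in lines:
        line = " ".join(raw.split("#", 1)[-1].split())  # drop prompt, squeeze spaces
        if m := STP_RE.fullmatch(line):
            cfg["stp"][int(m[1])] |= expand_vlans(m[2])
        elif m := PROT_RE.fullmatch(line):
            cfg["protect"][int(m[1])] = int(m[2])
        elif m := RING_RE.fullmatch(line):
            cfg["rings"][int(m[1])] = {
                "ring_id": int(m[2]), "raps_vlan": int(m[3]),
                "ports": [(m[4].lower(), m[5]), (m[6].lower(), m[7])],
                "role": (m[8] or "none").lower()}
        elif m := PVID_RE.fullmatch(line):
            for port in m[1].split(","):
                cfg["pvid"][port] = int(m[2])
    return cfg


def lint(switches):
    """switches: {name: [config lines]} -> sorted list of finding strings."""
    findings, per_domain = [], defaultdict(list)
    for name, lines in switches.items():
        cfg = parse_switch(lines)
        service_vlans = set().union(*cfg["stp"].values())
        for domain, ring in cfg["rings"].items():
            per_domain[domain].append((name, ring))
            raps = ring["raps_vlan"]
            if domain not in cfg["protect"]:
                findings.append(f"{name}: domain {domain} has no protect-instance")
            if raps in service_vlans:
                findings.append(f"{name}: domain {domain} raps-vlan {raps} is also a service VLAN")
            for kind, port in ring["ports"]:
                if kind == "port" and cfg["pvid"].get(port) == raps:
                    findings.append(f"{name}: domain {domain} ring port {port} has PVID {raps} equal to raps-vlan")
    for domain, nodes in per_domain.items():
        for key in ("ring_id", "raps_vlan"):
            if len({ring[key] for _, ring in nodes}) > 1:
                findings.append(f"domain {domain}: nodes disagree on {key}")
        owners = sum(1 for _, ring in nodes if ring["role"] == "owner")
        neighbours = sum(1 for _, ring in nodes if ring["role"] == "neighbour")
        if owners != 1:
            findings.append(f"domain {domain}: expected exactly one RPL owner, found {owners}")
        if neighbours > 1:
            findings.append(f"domain {domain}: expected at most one RPL neighbour, found {neighbours}")
    return sorted(findings)


_BASE = ["set stp enable", "set stp instance 1 add vlan 100-110",
         "set ERPS domain 1 protect-instance 1"]
_RING = "set ERPS domain 1 ring-id 1 raps-vlan 4000 "
PAGE_RING = {  # single-domain example from this guide, wrapped lines joined
    "Switch_A": _BASE + [_RING + "ring-east trunk 1 ring-west port 1/2 rpl-role owner rpl-port west"],
    "Switch_B": _BASE + [_RING + "ring-east port 1/1 ring-west port 1/2 rpl-role neighbour rpl-port west"],
    "Switch_C": _BASE + [_RING + "ring-east port 1/1 ring-west port 1/2"],
    "Switch_D": _BASE + [_RING + "ring-east trunk 1 ring-west port 1/2"],
}
BROKEN_RING = dict(PAGE_RING, Switch_B=_BASE + [  # constructed misconfiguration
    "set port 1/2 pvid 105",
    "set ERPS domain 1 ring-id 1 raps-vlan 105 ring-east port 1/1 "
    "ring-west port 1/2 rpl-role owner rpl-port west"])

if __name__ == "__main__":
    print(lint(PAGE_RING))
    print("\n".join(lint(BROKEN_RING)))
```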
5.49 Debug Module Configuration
Introduction to the Debug Module
The Debug module is added for debugging the DHCP, dot1x, IP, ARP, and SNMP protocols. This module provides commands for locating faults in message sending and receiving, message statistics, and procedure printing.
By using these commands, a user can easily trace the process of sending and receiving messages, display statistical data of messages, and observe common printing errors. Thus, the user can preliminarily locate faults, including protocol abnormality and function failures.
Debug Module Configuration
The Debug module provides the following commands.
Command
    Function
zte(cfg)#debug protocol dhcp client disable
    Disables the debug function of the DHCP client.
zte(cfg)#debug protocol dhcp client enable
    Enables the debug function of the DHCP client.
zte(cfg)#debug protocol dhcp client state ipport <0-63>
    Shows statistical data of an ip port on the DHCP client.
zte(cfg)#debug protocol dhcp download
    Shows the downloaded information of the DHCP.
zte(cfg)#debug protocol dhcp relay disable
    Disables the debug function of the DHCP Relay module.
zte(cfg)#debug protocol dhcp relay enable
    Enables the debug function of the DHCP Relay module.
zte(cfg)#debug protocol dhcp snooping-and-option82 disable
    Disables the debug function of the DHCP snooping-and-option82 module.
zte(cfg)#debug protocol dhcp snooping-and-option82 enable
    Enables the debug function of the DHCP snooping-and-option82 module.
zte(cfg)#debug protocol dhcp statistics clear
    Deletes DHCP statistical data of all ports.
zte(cfg)#debug protocol dhcp statistics port <1/1-24>
    Shows DHCP statistical data of a port.
zte(cfg)#debug protocol dhcp statistics port <1/1-24> clear
    Deletes DHCP statistical data of a port.
zte(cfg)#debug protocol dhcp statistics trunk <1-15>
    Shows DHCP statistical data of a trunk port.
zte(cfg)#debug protocol dhcp statistics trunk <1-15> clear
    Deletes DHCP statistical data of a trunk port.
zte(cfg)#debug protocol dhcpv6 disable
    Disables the debug function of the DHCPv6 module.
zte(cfg)#debug protocol dhcpv6 enable
    Enables the debug function of the DHCPv6 module.
zte(cfg)#debug protocol dot1x disable
    Disables the debug function for the dot1x protocol.
zte(cfg)#debug protocol dot1x enable
    Enables the debug function for the dot1x protocol.
zte(cfg)#debug protocol layer3 ip disable
    Disables the debug function of layer 3 IP messages.
zte(cfg)#debug protocol layer3 ip enable
    Enables the debug function of layer 3 IP messages.
zte(cfg)#debug protocol layer3 ip port
    Shows statistical data of all ip ports.
zte(cfg)#debug protocol layer3 ip port <0-63>
    Shows statistical data of an ip port.
zte(cfg)#debug protocol layer3 arp disable
    Disables the debug function of ARP messages.
zte(cfg)#debug protocol layer3 arp enable
    Enables the debug function of ARP messages.
zte(cfg)#debug protocol snmp disable
    Disables the debug function for the SNMP protocol.
zte(cfg)#debug protocol snmp enable
    Enables the debug function for the SNMP protocol.
Debug Module Configuration Example
The ZXR10 2900E provides debug commands to check the status of protocol message sending and receiving.
1. Run the debug protocol layer3 arp enable command to check the debug information of ARP messages.
The following information is an example of the host receiving or sending ARP messages:
zte(cfg)#ARP: received request scr 168.1.23.5 0000.0000.0001, dst 168.1.23.218 ipport 1
Enter disable to disable the debug function.
2. Run the debug protocol layer3 ip enable command to check the debug information of IP messages, including the link-mtu parameter of IP ports, MAC addresses for receiving messages, and size of IP messages.
This command shows information about the processing of messages that are sent to the protocol layer, for example, host messages. If the messages are forwarded through fast routing, the messages cannot be debugged by this command. The following information is an example of execution results of this command.
zte(cfg)#IP: received packet mac:002421738150 --> mac:002293634f70 on port 1
IP: pointer to allocated buffer for port 0001, 2112840, bytes: 114
IP: pointer to send packet for port 0001, 211284c
IP: size of packet: 60, link mtu: 1500
IP: received packet mac:002421738150 --> mac:002293634f70 on port 1
IP: pointer to allocated buffer for port 0001, 2113040, bytes: 114
IP: pointer to send packet for port 0001, 211304c
IP: size of packet: 60, link mtu: 1500
IP: size of packet: 40, link mtu: 1500
Abnormal information during message processing is also printed. The following example shows the TTL expired in transit error:
IP: route has been cached: hash value 1
IP: size of packet: 76, link mtu: 800
IP: pointer to allocated buffer for port 0001, 209b840, bytes: 42
IP: pointer to send packet for port 0001, 209b84c
IP: packet could not be forwarded by router: 168.1.23.177 --> 197.1.23.22
IP: received packet mac:000000000022 --> mac:002293634f70 on port 1
IP: received packet src ip:168.1.23.177 , dst ip:197.1.23.22 , protocol 17 on port 1
IP: dropped packet due to time-to-live from 168.1.23.177 to 197.1.23.22
IP: Allocated buffer at 209c040 of length 218
IP: bptr_offset : 209c080, new_offset : 209c080, bptr_new_offset : 209c080
IP: Pointer to send packet 209c0c0
The debug function is disabled after you enter disable.
3. Run the debug protocol layer3 ip port 1 command to check statistical data of layer 3-based ip port 1.
The following information is an example of statistical data of ip port 1.
Ip port number: 1
num_of_ip_packets_rxed: 124 num_of_ip_packets_txed: 196
num_of_udp_packets_rxed: 0 num_of_udp_packets_txed: 0
num_of_tcp_packets_rxed: 121 num_of_tcp_packets_txed: 193
num_of_rip_packets_rxed: 0 num_of_rip_packets_txed: 0
num_of_arp_packets_rxed: 4 num_of_arp_packets_txed: 0
num_of_rarp_packets_rxed: 0 num_of_rarp_packets_txed: 0
num_of_icmp_packets_rxed: 3 num_of_icmp_packets_txed: 3
num_of_unrecog_packets_rxed: 0 num_of_unrecog_packets_txed: 0
num_of_non_ip_packets_rxed: 0 num_of_rxed_packets_fwded: 0
num_of_rxed_udp_pkts_fwded: 0 num_of_rxed_icmp_pkts_fwded: 0
num_of_packets_not_fwded: 124 num_of_rxed_tcp_pkts_fwded: 0
num_of_packets_redirected: 0 num_of_short_ip_pkts_rxed: 0
num_of_pkts_rxed_down_port: 0 num_of_pkts_rxed_dis_port: 0
4. Run the debug protocol snmp v3 command to view printing prompts.
The following information is an example of printing prompts.
somthing wrong happen when generate ku
somthing wrong happen when generate kul
error to create group
unsupport sec level
sha: param not correct!!!
***decoding!!!***
can not get the security name
can not find the group in securitytogroup table
can not find the mib view
vacm check ok
the user has not been cloned from another user !!!
user not find, can't send trap!
decode msg header successfully!!!
decode msg context successfully!!!
***encode successfully !!!***
Chapter 6 Management
Table of Contents
Remote-Access
SSH
Privilege
SNMP
RMON
ZGMP
sFlow
Web
M_Button
Telnet
6.1 Remote-Access
Remote-Access Overview
Remote-Access is a mechanism that restricts where network management users can manage the switch from when they use Telnet, SSH, SNMP and Web. This function enhances the security of the network management system.
After this function is enabled, a network management user can access the switch only from a specified IP address and cannot access the switch from other IP addresses. When this function is disabled, the network management user can access the switch through Telnet, SSH, SNMP and Web from any IP address.
Configuring Remote-Access
The Remote-Access configuration includes the following commands:
Command
    Function
zte(cfg)#set remote-access {any | specific}
    Enables or disables the remote access control function.
zte(cfg)#set remote-access ipaddress <A.B.C.D> [<A.B.C.D>] [{snmp | telnet | ssh | web} {permit | deny}]
    Permits or denies switch access from a specified IP address or network segment through SSH/SNMP/Telnet/Web.
zte(cfg)#clear remote-access all
    Deletes all IP address configurations.
zte(cfg)#clear remote-access ipaddress <A.B.C.D> [<A.B.C.D>]
    Deletes the configuration of a specified IP address and network segment.
show remote-access (all configuration modes)
    Displays the configuration information of Remote-Access.
Remote-Access Configuration Instance 1
- Configuration Description
Only allow the network management user to access the switch from 192.168.1.0/24 through Telnet, SSH, SNMP, and Web.
- Configuration Procedure
zte(cfg)#set remote-access specific
zte(cfg)#set remote-access ipaddress 192.168.1.0 255.255.255.0
zte(cfg)#show remote-access
Whether check remote manage address: YES
Allowable remote manage address(es) and application(s):
192.168.1.0/255.255.255.0 snmp, telnet, ssh, web
Remote-Access Configuration Instance 2
- Configuration Description
Only allow the network management user to access the switch from 192.168.1.1 through Telnet, SSH, SNMP, and Web.
- Configuration Procedure
zte(cfg)#set remote-access specific
zte(cfg)#set remote-access ipaddress 192.168.1.1
zte(cfg)#show remote-access
Whether check remote manage address: YES
Allowable remote manage address(es) and application(s):
192.168.1.1/255.255.255.255 snmp, telnet, ssh, web
Remote-Access Configuration Instance 3
- Configuration Description
Only allow the network management user to access the switch from 192.168.1.1 through Telnet and SSH.
- Configuration Procedure
zte(cfg)#set remote-access specific
zte(cfg)#set remote-access ipaddress 192.168.1.1
zte(cfg)#show remote-access
Whether check remote manage address: YES
Allowable remote manage address(es) and application(s):
192.168.1.1/255.255.255.255 snmp, telnet, ssh, web
zte(cfg)#set remote-access ipaddress 192.168.1.1 255.255.255.255 snmp deny
zte(cfg)#set remote-access ipaddress 192.168.1.1 255.255.255.255 web deny
zte(cfg)#show remote-access
Whether check remote manage address: YES
Allowable remote manage address(es) and application(s):
192.168.1.1/255.255.255.255 telnet,ssh
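The three instances above can be reviewed mechanically. The following Python code is an added example, not ZTE code: it parses show remote-access output in the format printed above and models which source address and service pairs pass the filter. The function names, the 256-address width threshold, and treating any value other than YES as "check off" are assumptions.

```python
import ipaddress
import re

# Constructed inputs: the `show remote-access` outputs printed in
# Instance 1 and Instance 3 above.
INSTANCE_1 = """\
Whether check remote manage address: YES
Allowable remote manage address(es) and application(s):
192.168.1.0/255.255.255.0 snmp, telnet, ssh, web
"""
INSTANCE_3 = """\
Whether check remote manage address: YES
Allowable remote manage address(es) and application(s):
192.168.1.1/255.255.255.255 telnet,ssh
"""

RULE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)\s+(.+)$")
CHECK_RE = re.compile(r"^Whether check remote manage address:\s*(\S+)")


def parse_remote_access(text):
    """Return (check_enabled, [(IPv4Network, {service, ...}), ...])."""
    enabled, rules = False, []
    for raw in text.splitlines():
        line = raw.strip()
        m = CHECK_RE.match(line)
        if m:
            # Assumption: any value other than YES means the check is off.
            enabled = m.group(1).upper() == "YES"
            continue
        m = RULE_RE.match(line)
        if m:
            # The switch prints address/dotted-mask; ipaddress accepts that form.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            services = {s.strip().lower() for s in m.group(3).split(",") if s.strip()}
            rules.append((net, services))
    return enabled, rules


def is_permitted(text, src_ip, service):
    """Model of the filter: may src_ip reach `service` on the switch?"""
    enabled, rules = parse_remote_access(text)
    if not enabled:
        return True  # `set remote-access any`: no source restriction
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net and service in svcs for net, svcs in rules)


def audit(text, max_addresses=256):
    """List the findings a reviewer would raise about management access."""
    enabled, rules = parse_remote_access(text)
    findings = []
    if not enabled:
        findings.append("source check is off: management reachable from any IP")
    for net, svcs in rules:
        if net.num_addresses > max_addresses:
            findings.append(f"{net}: wider than {max_addresses} addresses")
        if "telnet" in svcs:
            findings.append(
                f"{net}: telnet permitted, credentials cross the network unencrypted"
            )
    return findings


if __name__ == "__main__":
    for name, out in (("instance 1", INSTANCE_1), ("instance 3", INSTANCE_3)):
        print(name, audit(out))
    print(is_permitted(INSTANCE_3, "192.168.1.1", "snmp"))
```

Run it against saved show remote-access output from each switch to confirm that every permitted source and service is intended.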
6.2 SSH
SSH Overview
The Secure Shell (SSH) is a protocol created by the Network Working Group of the Internet Engineering Task Force (IETF), which is used to offer secure remote access and other secure network services over an insecure network.
The initial purpose of the SSH protocol is to solve the security problems in interconnected networks, and to offer a more secure substitute for Telnet and Rlogin, although the present development of the SSH protocol has far exceeded remote access. So, the SSH connection protocol should support interactive sessions.
The SSH can be used to encrypt all transmitted data. Even if the data is intercepted, no useful information can be obtained.
At present, the SSH protocol has two incompatible versions: SSH v1.x and SSH v2.x. The ZXR10 2900E only supports SSH v2.0 and uses the password authentication mode. The SSH uses TCP port 22.
Configuring SSH
The SSH configuration includes the following commands:
Command    Function
zte(cfg)#set ssh {enable | disable}    Enables or disables SSH.
zte(cfg)#set ssh regenerate    Generates a new SSH key.
zte(cfg)#set ssh sftp {enable | disable}    Enables or disables the SFTP server function.
show ssh (all configuration modes)    Displays the SSH configuration and status.
SSH Configuration Instance
- Configuration Description
See Figure 6-1. One computer attempts to access the switch through SSH. The switch is configured with a layer-3 port. The IP address of the port is 192.168.1.1/24, and the IP address of the computer is 192.168.1.100/24.
Figure 6-1 SSH Remote Login Example
- Configuration Procedure
1. Switch configuration
zte(cfg)#set ssh enable
zte(cfg)#show ssh
SSH is enabled.
There's no ssh user logging in this system.
2. Software configuration
The SSH v2.0 client can use the free software PuTTY developed by Simon Tatham. The current version supports the client of multiple versions. The settings when using PuTTY to log in to the switch are as follows.
a. Set the IP address and port number of the SSH server, see Figure 6-2.
Figure 6-2 Setting IP Address and Port Number of the SSH Server
b. Set the SSH version number, see Figure 6-3.
Figure 6-3 Setting the SSH Version Number
c. At the first login, user confirmation is needed, see Figure 6-4.
Figure 6-4 User Confirmation Dialog Box
d. The SSH login result is displayed, see Figure 6-5.
Figure 6-5 SSH Login Result
SFTP Configuration Instance
- Configuration Description
See Figure 6-6. A layer-3 port is configured on the switch, and the IP address is 192.168.1.1/24. The IP address of the PC is 192.168.1.100/24. The SSH and SFTP server functions are enabled on the switch. The PC downloads files from the switch or uploads files to the switch through an SFTP client.
Figure 6-6 SFTP File Upload and Download Instance
- Configuration Procedure
Configure the switch:
zte(cfg)#set ssh enable
zte(cfg)#show ssh
SSH is enabled.
There's no ssh user logging in this system.
zte(cfg)#set ssh sftp enable
zte(cfg)#show sftp
SFTP is enabled.
There's no sftp user logging in this system.
Configure the PC:
Before logging in to the switch through an SFTP client, set up the client on the PC. Different types of client software provide different SSH and SFTP support, so the settings vary. It is recommended that you use SFTP client software such as WinSCP and Secure FX. WinSCP is an open-source graphical SFTP client, based on SSH, that runs on the Windows operating system. The following procedure uses WinSCP as an example to describe the settings.
1. Set the IP address and port number for the SSH server. SFTP uses port 22. Set a username and password. See Figure 6-7.
Figure 6-7 WinSCP Login Dialog Box—Creating a Session
2. From the left navigation tree, select Environment > SFTP, and then set the parameters (you can use the default settings), see Figure 6-8.
Figure 6-8 WinSCP Login Dialog Box—Setting SFTP Parameters
3. From the left navigation tree, select Preferences. The Preferences dialog box is displayed, see Figure 6-9.
By default, WinSCP fragments large-size files and adds filepart postfix names. The ZXR10 2900E does not support extra-long file postfix names, so you must click Disable in the Enable transfer resume/transfer to temporary filename for area.
Figure 6-9 Preferences Dialog Box
4. Click OK. The WinSCP Login dialog box is displayed. Click Login. When you log in to the SFTP server for the first time, the Warning dialog box is displayed, see Figure 6-10.
Figure 6-10 Warning Dialog Box
5. Click Yes. The system starts authentication, see Figure 6-11.
Figure 6-11 Authentication Banner Dialog Box
6. Click Continue. Enter your password, see Figure 6-12.
Figure 6-12 Password Dialog Box
7. Click OK. A message indicating successful authentication is displayed, see Figure 6-13.
Figure 6-13 Authentication Banner Dialog Box—Successful Authentication
8. Click Continue. The WinSCP desktop window is displayed, see Figure 6-14.
In the WinSCP desktop window, you can upload or download files.
Figure 6-14 WinSCP Desktop Window
6.3 Privilege
Privilege Overview
The command level function, that is, the privilege function, assigns levels to the command lines available on the switch and grants different permissions. With this function, users of different levels can access commands of different scopes. This protects the switch configuration from being modified by any user with any permission.
Privilege Configuration
The Privilege configuration includes the following commands:
Command    Function
zte(cfg)#privilege {enable | disable}    Enables/disables the command level function.
zte(cfg)#privilege <0-15> session <1-1024>{all | part}<mode><key1-string>[<key2-string>[... <key10-string>]]    Sets the command permission.
zte(cfg)#clear privilege session [<1-1024>]    Clears a specified command permission rule.
show privilege {default | level [<0-15>]| session [<1-1024>]} (for all configuration modes)    Displays a specified command permission rule.
Privilege Configuration Instance
- Configuration Description
Users can perform this configuration only when logging in to the switch with the highest permission (level 15).
- Configuration Procedure
Configure the switch:
/*Enable the privilege function*/
zte(cfg)#privilege enable
/*Grant level-12 permission to all functions of the set node*/
zte(cfg)#privilege 12 session 1 part cfg set
- Configuration Verification
1. Execute the following commands to check the command permission rule.
zte(cfg)#show privilege session
State: Enable
User level: 15
Session Level Type Mode Key
------- ----- ---- ------------- -----------------
1 12 part cfg set
2. Log in to the switch and execute the related set command as a user with a lower permission (for example, level 11).
Execute the zte(cfg)#set stp enable command. The system reports that the user is not allowed to execute the command.
The user privilege(level 11) is less than command privilege(level 12 rule 1).
% Command cannot be performed because of insufficient privilege. (0x40000aab)
Log in to the switch as a user with a permission higher than or equal to the command's permission (for example, level 13) and execute the same command. The command executes properly, without the prompt mentioned above.
6.4 SNMP
SNMP Overview
The SNMP is currently the most popular network management protocol. It involves a series of protocols and specifications:
- MIB: Management Information Base
- SMI: Structure of Management Information
- SNMP: Simple Network Management Protocol
They offer the means to collect network management information from network devices. The SNMP also enables the devices to report problems and errors to Network Management Systems (NMSs). Any network administrator can use the SNMP to manage the switch. The ZXR10 2900E supports SNMPv1, v2c and v3 (v3 strengthens SNMP management security based on v1 and v2c).
The SNMP uses the “Management process–Agent process” model to monitor and control all types of managed network devices. The SNMP network management needs three key elements:
1. Managed devices. They can communicate over the Internet. Each device contains an agent.
2. NMS. The network management process should be able to communicate over the Internet.
3. The protocol used to exchange management information between the agent process and the NMS, that is, the SNMP.
The NMSs collect data by polling the agents that reside in the managed devices. The agents in the managed devices can report errors to NMSs at any time before the NMSs poll them. These errors are called traps. When a trap occurs on a device, the NMSs can be used to query the device (suppose it is reachable) and obtain more information. SNMP v2c and v3 also support an inform message (an SNMPv2 Trap that needs a response) to report abnormal events to the NMSs. After an NMS receives the inform message, it sends an acknowledgement message to the switch. If the switch does not receive the acknowledgement message from the NMS in a period, it resends the original inform message twice.
All variables in the network are stored in MIBs. The SNMP monitors the network device status by querying the related object values in the agent MIBs.
SNMP Configuration
The SNMP configuration includes the following commands:
Command    Function
zte(cfg-snmp)#set engineID    Sets the SNMP engine ID of a device.
zte(cfg-snmp)#set recvpacket <0-100>    Sets the number of SNMP messages that the SNMP protocol stack can handle in a unit time.
zte(cfg-snmp)#set src-ipport <0-63>    Sets the source IP address of SNMP.
zte(cfg-snmp)#create community <string>{public | private}[ingress-acl-basic-number <1-99>]    Creates a community, sets the access authority, and binds a basic ACL ID with the community.
zte(cfg-snmp)#create view <string>[{include | exclude}<mib-oid>]    Creates a view and specifies whether the view includes a MIB subtree.
zte(cfg-snmp)#set community <string> view <string>    Sets a community and a view containing the community name.
zte(cfg-snmp)#set community <string> ingress-acl-basic-number <1-99>    Sets the basic ACL ID bound to the specified community.
zte(cfg-snmp)#clear community <string> ingress-acl-basic-number    Deletes the basic ACL ID bound to the specified community.
zte(cfg-snmp)#set mib1493compatible {enable | disable}    Enables or disables the 1493 compatible mode.
zte(cfg-snmp)#set host <A.B.C.D> trap {v1 <string>| v2c <string>| v3 <string>{auth | noauth | priv}}    Sets the IP address, community name, username, version, and security level of the computer receiving trap information.
zte(cfg-snmp)#set host <A.B.C.D> inform {v2c <string>| v3 <string>{auth | noauth | priv}}    Sets the IP address, community name, username, version, and security level of the computer receiving inform messages.
zte(cfg-snmp)#set trap {linkdown | linkup | authenticationfail | coldstart | warmstart | topologychange | memberupdown | portloopdetect | trunkloopdetect | linkMonitorStatus | remoteLinkStatus | dyingGaspStatus | remoteDiscovery | powerDown | dhcpCharCheck | cpuUserationThreshold | memUserationThreshold | fanStatusCheck | macNotification | udldUnidirectional | protocolProtect | dismanpingnotifications | adminPasswordNoChange | arpOverload | bootfileLost | cfmFaultAlarm | fanSpeed | fileTransfer | ipConflict | MacOverload | poe | StpBridgeRoleChange | StpPortStateChange | trafficLimitProtect | trafficLimit | temperature | all}{enable | disable}    Enables/disables trap functions of link connection/disconnection, authentication failure, cool/hot startup, topology change, cluster member UP/DOWN, loop detected at port/Trunk, MAC number exceeding the threshold, link monitor event alarm, remote link event alarm, event detection alarms, MAC list change notification, and ping notification.
zte(cfg-snmp)#set group <string> v3 {auth | noauth | priv}[read <string>[write <string>[notify <string>]]]    Sets an SNMP V3 group name and the group security level.
zte(cfg-snmp)#set user <string><string> v3 [md5-auth <string>| sha-auth <string>[des56-priv <string>]]    Sets an SNMP V3 user name, authentication mode and password.
zte(cfg-snmp)#set trap macnotification {port <1-51>| trunk <1-15>}{enable | disable}    Enables or disables the trap function of MAC change notification on a specific port or trunk.
zte(cfg-snmp)#set trap macnotification {history-size <1-256>| interval <1-3600>}    Sets the threshold of the number and interval of MAC change notifications.
zte(cfg-snmp)#clear host <A.B.C.D>{trap | inform}<string>    Clears a host configuration.
zte(cfg-snmp)#clear community <string>    Clears a community name.
zte(cfg-snmp)#clear view <string>    Clears a view.
zte(cfg-snmp)#clear group <string> v3 {auth | noauth | priv}    Clears a group.
zte(cfg-snmp)#clear user <string> v3    Clears a user.
zte(cfg-snmp)#clear engineID    Clears an SNMP engine identifier and recovers to the default value.
show snmp (all configuration modes)    Displays all SNMP configuration information.
show snmp {community | engineID | group | host | trap | user | view} (all configuration modes)    Displays each element of SNMP V1, V2C and V3.
SNMP Configuration Instance 1
- Configuration Description
Assume that the IP address of the network management server is 10.40.92.105, the switch has a layer-3 port with the IP address of 10.40.92.200, and the switch is managed through the network management server.
Create a community named “zte” with the read/write permission and a view named “vvv”, and then associate the community “zte” with the view “vvv”. Set the IP address of the computer receiving traps to 10.40.92.105, and the community to “zte”.
The DUT device is directly connected to the network management server.
- Configuration Procedure
zte(cfg)#config router
zte(cfg-router)#set ipport 0 ipaddress 10.40.92.200 255.255.255.0
zte(cfg-router)#set ipport 0 vlan 2
zte(cfg-router)#set ipport 0 enable
zte(cfg-router)#exit
zte(cfg)#config snmp
zte(cfg-snmp)#create community zte private
zte(cfg-snmp)#create view vvv
zte(cfg-snmp)#set community zte view vvv
zte(cfg-snmp)#set host 10.40.92.105 trap v2 zte
zte(cfg-snmp)#show snmp community
CommunityName Level ViewName Acl
-------------- ------- ------------ ---
zte private vvv -
zte(cfg-snmp)#show snmp view
ViewName Exc/Inc MibFamily
--------- -------- ------------------------
vvv Include 1.3.6.1
zte(cfg-snmp)#show snmp host
HostIpAddress Comm/User Version type SecurityLevel
-------------- ---------- ------- ------ -------------
10.40.92.105 zte Ver.2c Trap
SNMP Configuration Instance 2
- Configuration Description
Assume that the IP address of the network management server is 10.40.92.77, the switch has a layer-3 port with the IP address of 10.40.92.11, and the switch is managed through the network management server in the User Security Model (USM).
Create a user named “zteuser” and its group named “ztegroup”. The security level of the group is private (that is, authentication and encryption). Set the IP address of the computer receiving trap or inform information to 10.40.92.77, and the user to “zteuser”.
- Configuration Procedure
zte(cfg)#config router
zte(cfg-router)#set ipport 1 ipaddress 10.40.92.11/24
zte(cfg-router)#set ipport 1 vlan 1
zte(cfg-router)#set ipport 1 enable
zte(cfg-router)#exit
zte(cfg)#config snmp
zte(cfg-snmp)#set group ztegroup v3 priv
zte(cfg-snmp)#set user zteuser ztegroup v3 md5-auth zte des56-priv zte
zte(cfg-snmp)#set host 10.40.92.77 inform v3 zteuser priv
zte(cfg-snmp)#show snmp group
groupName: ztegroup
secModel : v3 readView : zteView
secLevel : AuthAndPriv writeView : zteView
rowStatus: Active notifyView: zteView
zte(cfg-snmp)#show snmp user
UserName : zteuser
GroupName : ztegroup(v3)
EngineID : 830900020300010289d64401
AuthType : Md5 StorageType: NonVolatile
EncryptType: Des_Cbc RowStatus : Active
zte(cfg-snmp)#show snmp host
HostIpAddress Comm/User Version type SecurityLevel
---------------- ----------- ------- ------ -------------
10.40.92.77 zteuser Ver.3 Inform AuthAndPriv
- Configuration Verification
When the configuration is completed, use the mibbrowser software to log in.
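The show snmp outputs of Instances 1 and 2 can be reviewed for weak settings before the switch goes into service. The following Python code is an added example, not ZTE code: it parses the three output formats printed above and reports a read/write community with no ACL bound, md5-auth and DES-56 users, and notification hosts that use v1/v2c. The function names, the merged host table, and the "Ver.1" version string are assumptions; only "Ver.2c" and "Ver.3" appear on this page.

```python
import re

# Constructed input: the `show snmp community`, `show snmp user` and
# `show snmp host` outputs printed in Instances 1 and 2 above, with the two
# host tables merged into one.
COMMUNITY_OUT = """\
CommunityName Level ViewName Acl
-------------- ------- ------------ ---
zte private vvv -
"""
USER_OUT = """\
UserName : zteuser
GroupName : ztegroup(v3)
EngineID : 830900020300010289d64401
AuthType : Md5 StorageType: NonVolatile
EncryptType: Des_Cbc RowStatus : Active
"""
HOST_OUT = """\
HostIpAddress Comm/User Version type SecurityLevel
-------------- ---------- ------- ------ -------------
10.40.92.105 zte Ver.2c Trap
10.40.92.77 zteuser Ver.3 Inform AuthAndPriv
"""


def table_rows(text):
    """Yield whitespace-split data rows, skipping the header and dashed rule."""
    lines = [l for l in text.splitlines() if l.strip()]
    for line in lines[1:]:
        if set(line.strip()) <= {"-", " "}:
            continue
        yield line.split()


def parse_users(text):
    """Parse the two-column 'Key : Value' blocks into one dict per user."""
    users = []
    for line in text.splitlines():
        for key, value in re.findall(r"(\w+)\s*:\s*(\S+)", line):
            if key == "UserName":
                users.append({})
            if users:
                users[-1][key] = value
    return users


def audit_snmp(community_out, user_out, host_out):
    findings = []
    for row in table_rows(community_out):
        name, level, _view, acl = (row + ["-"] * 4)[:4]
        # `private` is the read/write level; "-" means no basic ACL is bound.
        if level == "private" and acl == "-":
            findings.append(f"community {name}: read/write and no ACL bound")
    for user in parse_users(user_out):
        name = user.get("UserName", "?")
        if user.get("AuthType", "").lower() == "md5":
            findings.append(f"user {name}: md5-auth in use, sha-auth is available")
        if user.get("EncryptType", "").lower() == "des_cbc":
            findings.append(f"user {name}: privacy is 56-bit DES")
    for row in table_rows(host_out):
        ip, principal, version = row[0], row[1], row[2]
        level = row[4] if len(row) > 4 else ""
        if version in ("Ver.1", "Ver.2c"):
            findings.append(
                f"host {ip}: {version} notifications carry community "
                f"'{principal}' unencrypted"
            )
        elif level != "AuthAndPriv":
            findings.append(f"host {ip}: v3 notifications sent without AuthAndPriv")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(COMMUNITY_OUT, USER_OUT, HOST_OUT):
        print(finding)
```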
SNMP Configuration Instance 3
- Configuration Description
This example describes how to configure the MAC change notification function.
See Figure 6-15. Configure the SNMP first so that the switch can be managed through the network management server. Configure the MAC notification function so that the MAC change information on Port 1 can be reported to the network management server. The report condition is: The number of changed MAC entries reaches 50, or the time is one minute (that is, 60 seconds).
Figure 6-15 MAC Change Notification Configuration Network
- Configuration Procedure
zte(cfg-snmp)#set trap macnotification enable
zte(cfg-snmp)#set trap macnotification port 1 enable
zte(cfg-snmp)#set trap macnotification history-size 50
zte(cfg-snmp)#set trap macnotification interval 60
- Configuration Verification
If the number of changed MAC entries reaches 50 within one minute, the switch sends trap information when the number reaches 50 instead of waiting until one minute expires. The number of sent entries is 50. If the number of changed MAC entries does not reach 50 within one minute, the switch sends trap information when one minute expires. The number of sent entries is less than or equal to 50. By default, the MAC change notification function is disabled. So, if the MAC change notification function is enabled globally but it is not enabled on a port, the network management server cannot receive trap information. In this example, if the MAC entries change on another port instead of Port 1, trap information is not sent.
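The reporting rule described above determines what the network management server sees, and what it never sees. The following Python code is an added example, not ZTE code: it replays constructed MAC-change events through a model of that rule with the values of Instance 3 (history-size 50, interval 60). Two points are assumptions because the guide does not state them: every send restarts the interval timer, and no trap is sent for an interval with no changes.

```python
def burst(count, port, per_second):
    """Constructed events: `count` MAC changes on `port`, `per_second` per second."""
    return [
        (i // per_second, port, f"00.00.00.00.{i // 256:02x}.{i % 256:02x}")
        for i in range(count)
    ]


def simulate(events, history_size=50, interval=60, global_on=True,
             enabled_ports=(1,), end_time=0):
    """Replay MAC-change events and return the traps the NMS would receive.

    events: iterable of (time_s, port, mac), sorted by time.
    Returns a list of (send_time_s, entries_in_trap).
    """
    traps, pending, window_start = [], [], 0

    def flush(at):
        nonlocal pending, window_start
        if pending:                  # assumption: no trap for an empty interval
            traps.append((at, len(pending)))
        pending = []
        window_start = at            # assumption: every send restarts the timer

    def expire_until(now):
        # Fire every interval expiry that happened up to `now`.
        while now - window_start >= interval:
            flush(window_start + interval)

    for t, port, mac in events:
        expire_until(t)
        if not global_on or port not in enabled_ports:
            continue                 # this change is never reported to the NMS
        pending.append((t, port, mac))
        if len(pending) >= history_size:
            flush(t)                 # size threshold reached before the timer
    expire_until(end_time)
    return traps


if __name__ == "__main__":
    print("fast burst on port 1 :", simulate(burst(50, 1, 5), end_time=120))
    print("7 changes on port 1  :", simulate(burst(7, 1, 1), end_time=60))
    print("fast burst on port 2 :", simulate(burst(50, 2, 5), end_time=120))
    print("120 changes on port 1:", simulate(burst(120, 1, 6), end_time=200))
```

The port 2 case returns no traps at all, which is the monitoring gap to check for when only some ports have MAC notification enabled.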
6.5 RMON
RMON Overview
The Remote Monitoring (RMON) defines the standard network monitoring function and a communication interface between the management console and the remote monitor. The RMON offers an efficient method to monitor the behaviors of subnets while reducing the load of other agents and management stations.
The RMON specifications refer to the definition of RMON MIB. The ZXR10 2900E supports four groups of RMON MIB.
- History: records the periodic statistics sample of the information that can be obtained from the statistics group.
- Statistics: maintains the basic application and error statistics of each subnet that the agent monitors.
- Event: a table related to all events generated by RMON agents.
- Alarm: allows operators of the management console to set sampling interval and alarm threshold for any count or integer recorded by RMON agents.
All these groups are used to store the data collected by the monitor, derived data, and statistics data. The alarm group is based on the implementation of the event group. These data can be obtained through the MIB browser.
The RMON control information can be configured through the MIB browser, HyperTerminal, or remote Telnet command lines. The RMON sampling information and statistics data is obtained through the MIB browser.
RMON Configuration
The RMON configuration includes the following commands:
Command    Function
zte(cfg-snmp)#set rmon {enable | disable}    Enables or disables the RMON function.
zte(cfg-snmp)#set statistics <1-65535>{datasource <1-28>| owner <name>| status {valid | underCreation | createRequest | invalid}}    Sets a statistics group.
zte(cfg-snmp)#set alarm <1-65535>{interval <1-65535>| variable <mib-oid>| sampletype {absolute | delta}| startup {rising | falling | both}| threshold <1-65535> eventindex <1-65535>{rising | falling}| owner <name>| status {valid | underCreation | createRequest | invalid}}    Sets an alarm group.
zte(cfg-snmp)#set event <1-65535>{description <string>| type {none | log | snmptrap | logandtrap}| owner <name>| community <name>| status {valid | underCreation | createRequest | invalid}}    Sets an event group.
zte(cfg-snmp)#set history <1-65535>{datasource <1-28>| bucketRequested <1-65535>| owner <name>| interval <1-3600>| status {valid | underCreation | createRequest | invalid}}    Sets a history group.
show rmon (all configuration modes)    Displays RMON global configuration.
show statistics [<1-65535>] (all configuration modes)    Displays configuration information of the statistics group.
show alarm [<1-65535>] (all configuration modes)    Displays configuration information of the alarm group.
show event [<1-65535>] (all configuration modes)    Displays configuration information of the event group.
show history [<1-65535>] (all configuration modes)    Displays configuration information of the history group.
RMON Configuration Instance
- Configuration Description
The instance describes how to set event 2, history 2, alarm 2 and statistics 1 respectively.
The DUT device is directly connected to the network management server.
- Switch Configuration
zte(cfg-snmp)#set event 2 description It'sJustForTest!!
zte(cfg-snmp)#set event 2 type logandtrap
zte(cfg-snmp)#set event 2 community public
zte(cfg-snmp)#set event 2 owner zteNj
zte(cfg-snmp)#set event 2 status valid
zte(cfg-snmp)#set history 2 datasource 16
zte(cfg-snmp)#set history 2 bucket 3
zte(cfg-snmp)#set history 2 interval 10
zte(cfg-snmp)#set history 2 owner zteNj
zte(cfg-snmp)#set history 2 status valid
zte(cfg-snmp)#set rmon enable
zte(cfg-snmp)#set alarm 2 interval 10
zte(cfg-snmp)#set alarm 2 variable 1.3.6.1.2.1.16.2.2.1.6.2.1
zte(cfg-snmp)#set alarm 2 sample absolute
zte(cfg-snmp)#set alarm 2 startup rising
zte(cfg-snmp)#set alarm 2 threshold 8 eventindex 2 rising
zte(cfg-snmp)#set alarm 2 threshold 15 eventindex 2 falling
zte(cfg-snmp)#set alarm 2 owner zteNj
zte(cfg-snmp)#set alarm 2 status valid
zte(cfg-snmp)#set statistics 1 datasource 16
zte(cfg-snmp)#set statistics 1 owner zteNj
zte(cfg-snmp)#set statistics 1 status valid
- Configuration Verification
1. View configuration information about event 2:
zte(cfg-snmp)#show event 2
EventIndex : 2 Type : log-and-trap
Community : public Status : valid
Owner : zteNj
Description :It'sJustForTest!!
2. View configuration information about history 2:
zte(cfg-snmp)#show history 2
ControlIndex : 2 BucketsRequest: 3
Interval : 10 BucketsGranted: 3
ControlStatus: valid ControlOwner : zteNj
DataSource : 1.3.6.1.2.1.2.2.1.1.16
3. View configuration information about alarm 2:
zte(cfg-snmp)#show alarm 2
AlarmIndex : 2 SampleType: absolute
Interval : 10 Value : 16
Threshold(R) : 8 Startup : risingAlarm
Threshold(F) : 15 Status : valid
EventIndex(R): 2 Variable : 1.3.6.1.2.1.16.2.2.1.6.2.1
EventIndex(F): 2 Owner : zteNj
4. View configuration information about statistics 1:
zte(cfg-snmp)#show statistics 1
StatsIndex: 1
DropEvents : 0 BroadcastPkts : 0
Octets : 0 MulticastPkts : 0
Pkts : 0 Pkts64Octets : 0
Fragments : 0 Pkts65to127Octets : 0
Jabbers : 0 Pkts128to255Octets : 0
Collisions :0 Pkts256to511Octets : 0
CRCAlignErrors :0 Pkts512to1023Octets : 0
UndersizePkts :0 Pkts1024to1518Octets: 0
OversizePkts :0 DataSource(port) : 1.3.6.1.2.1.2.2.1.1.16
Status : valid Owner : zteNj
- Configuration Result
After the above configuration, when the number of etherHistoryPkts packets of the first bucket on port 16 rises over 8 or the number falls below 15, the event with index 2 is triggered. The event with index 2 sends a trap to the management station.
6.6 ZGMP
ZGMP Overview
ZGMP is the ZTE Group Manage Protocol. A cluster is a set of switches in a specific broadcast domain. The switches form a unified management domain, providing an external public network IP address and management interface, and the ability to manage and access each member in the cluster.
The management switch which is configured with a public network IP address is called a command switch. Other switches serve as member switches. In normal cases, a member switch is not configured with a public network IP address. A private address is allocated to each member switch through the DHCP function of the command switch. The command switch and member switches form a cluster (private network).
In general, the broadcast domain where a cluster is located consists of switches of four roles: command switch, member switches, candidate switches and independent switches.
One cluster has only one command switch. The command switch can automatically collect the device topology and set up a cluster. After a cluster is set up, the command switch provides a cluster management channel to manage member switches. Member switches serve as candidate switches before they join the cluster. The switches that do not support cluster management are called independent switches.
It is recommended that you isolate the broadcast domain between the public network and the private network on the command switch and shield direct access to the private address. The command switch provides an external management and maintenance channel to manage the cluster in a centralized manner.
For the cluster management network, see Figure 6-16.
Figure 6-16 Cluster Management Network
For changeover rules of the four roles of switches within a cluster, see Figure 6-17.
Figure 6-17 Changeover Rules of Roles
ZGMP Configuration
The ZGMP configuration includes the following commands:
Command    Function
zte(cfg-group)#set zdp {enable | disable}    Enables or disables the ZTE Discovery Protocol (ZDP) function.
zte(cfg-group)#set zdp {port <portlist>| trunk <trunklist>}{enable | disable}    Enables or disables the ZDP function based on port/trunk.
zte(cfg-group)#set zdp timer <5-255>    Sets a time interval for sending ZDP packets.
zte(cfg-group)#set zdp holdtime <10-255>    Sets ZDP hold time.
show zdp (all configuration modes)    Displays ZDP global configuration.
show zdp neighbour (all configuration modes)    Displays ZDP neighbor information.
show zdp neighbour detail (all configuration modes)    Displays detailed ZDP neighbor information.
zte(cfg-group)#set ztp {enable | disable}    Enables or disables the global ZTE Topology Protocol (ZTP) function.
zte(cfg-group)#set ztp {port <portlist>| trunk <trunklist>}{enable | disable}    Enables or disables the ZTP function based on port/trunk.
zte(cfg-group)#set ztp vlan <1-4094>    Sets a VLAN for collecting topology information.
zte(cfg-group)#set ztp hop <1-128>    Sets a range (hop count) of collecting topology information.
zte(cfg-group)#set ztp timer <0-60>    Sets a time interval for collecting topology information automatically.
zte(cfg-group)#set ztp portdelay <1-100>    Sets a port delay for forwarding topology requests.
zte(cfg-group)#set ztp hopdelay <1-1000>    Sets a hop delay for forwarding topology requests.
zte(cfg-group)#ztp start    Starts collecting topology information.
show ztp (all configuration modes)    Displays ZTP global configuration.
show ztp device [<idlist>] (all configuration modes)    Displays the configuration information according to the device ID.
show ztp topology (all configuration modes)    Displays network topology in a simple graph.
show ztp mac <HH.HH.HH.HH.HH.HH> (all configuration modes)    Displays detailed information of a device according to the MAC address.
zte(cfg-group)#set group commander ipport <0-63>[ip-pool <A.B.C.D/M>]    Sets a command switch, specifies a layer-3 port number for cluster management and sets an IP address pool for cluster members.
zte(cfg-group)#set group candidate    Sets a switch to be a candidate switch.
zte(cfg-group)#set group independent    Sets a switch to be an independent switch.
zte(cfg-group)#set group add {mac <HH.HH.HH.HH.HH.HH>[<1-253>]| device <idlist>}    Adds a switch to a cluster.
zte(cfg-group)#set group delete member <idlist>    Deletes a switch from a cluster.
zte(cfg-group)#set group handtime <1-300>    Sets a time interval for handshake between the command switch and the member switch.
zte(cfg-group)#set group holdtime <1-300>    Sets hold time of information about switches in a cluster.
zte(cfg-group)#set group name <name>    Sets a cluster name.
zte(cfg-group)#set group mac-mode {standard | extend [mac <HH.HH.HH.HH.HH.HH>]}    Sets a protocol multicast address of cluster management.
zte(cfg-group)#set group syslogsvr <A.B.C.D>    Sets an IP address of the SYSLOG server in a cluster.
zte(cfg-group)#set group tftpsvr <A.B.C.D>    Sets an IP address of the TFTP server in a cluster.
show group (all configuration modes)    Displays cluster configuration information.
show group candidate (all configuration modes)    Displays candidate switches.
show group member [<1-253>] (all configuration modes)    Displays a member switch or all member switches.
zte(cfg-group)#save member {<idlist>| all}    Saves the configuration of a member switch to a file.
zte(cfg-group)#erase member {<idlist>| all}    Deletes the configuration of a member switch.
zte(cfg-group)#reboot member {<idlist>| all}    Restarts a member switch.
rlogin {commander | member <1-253>} (all configuration modes)    Remotely logs in to the cluster device.
ZGMP Configuration Instance
• Configuration Description
See Figure 6-18. The initial configuration of the switches is the default configuration. Here, set the VLAN where the public network IP address of the command switch in the cluster resides to 2525, the IP address to 100.1.1.10/24, the gateway address to 100.1.1.1, the cluster management VLAN to 4000, the private address pool to 192.168.1.0/24, and the IP address of the TFTP server in the cluster to 110.1.1.2.
Figure 6-18 Cluster Management Network
• Configuration Procedure
1. Configure the public network IP address of the command switch and the gateway.
zte(cfg)#set vlan 2525 enable
zte(cfg)#set vlan 2525 add port 1-24 tag
zte(cfg)#config router
zte(cfg-router)#set ipport 25 ipaddress 100.1.1.10/24
zte(cfg-router)#set ipport 25 vlan 2525
zte(cfg-router)#set ipport 25 enable
zte(cfg-router)#iproute 0.0.0.0/0 100.1.1.1
2. Create a cluster on layer-3 port 1 of the command switch and VLAN 1 (default VLAN).
zte(cfg)#config group
zte(cfg-group)#set group commander ipport 1
Cmdr.zte(cfg-group)#ztp start
Cmdr.zte(cfg-group)#show ztp device
Last collection vlan : 1
Last collection time : 210 ms
Id MacAddress Hop Role HostName Platform
-- ------------------ ---- ------ --------- ---------------
0 00.00.00.00.00.01 0 cmdr Cmdr.zte ZXR10 2928E
1 00.0d.0d.f1.e2.00 1 candi zte ZXR10 2918E
2 00.50.43.3c.3b.5d 1 candi zte ZXR10 2910E-PS
3 00.00.00.00.33.33 2 candi zte ZXR10 2918E
Cmdr.zte(cfg-group)#set group add device 1-3
Adding device id : 1 ... Successed to add member!
Adding device id : 2 ... Successed to add member!
Adding device id : 3 ... Successed to add member!
Cmdr.zte(cfg-group)#show group member
Id MacAddress IpAddress HostName State
-- ------------------ --------------- --------- -----
1 00.0d.0d.f1.e2.00 192.168.1.2/24 Mem1.zte Up
2 00.50.43.3c.3b.5d 192.168.1.3/24 Mem2.zte Up
3 00.00.00.00.33.33 192.168.1.4/24 Mem3.zte Up
3. Switch to each member switch and add all ports to VLAN 4000 (taking member 1 as an example).
Cmdr.zte(cfg)#set vlan 4000 enable
Cmdr.zte(cfg)#set vlan 4000 add port 1-16 tag
Cmdr.zte(cfg)#rlogin member 1
Trying ...Open
Connecting ...
Mem1.zte>
Mem1.zte>enable
password:
Mem1.zte (cfg)#set vlan 4000 enable
Mem1.zte (cfg)#set vlan 4000 add port 1-16 tag
4. Delete the cluster created on VLAN 1.
Cmdr.ZTE(cfg-group)#set group delete member 1-3
Deleting member id : 1 ... Successed to del member!
Deleting member id : 2 ... Successed to del member!
Deleting member id : 3 ... Successed to del member!
Cmdr.zte(cfg-group)#set group candidate
zte(cfg-group)#
5. Create a cluster on VLAN 4000.
zte(cfg-group)#set ztp vlan 4000
zte(cfg-group)#set group commander ipport 1
Cmdr.zte(cfg-group)#ztp start
Cmdr.zte(cfg-group)#show ztp device
Last collection vlan : 4000
Last collection time : 230 ms
Id MacAddress Hop Role HostName Platform
-- ------------------ ---- ------ --------- --------------
0 00.00.00.00.00.01 0 cmdr Cmdr.zte ZXR10 2928E
1 00.0d.0d.f1.e2.00 1 candi zte ZXR10 2918E
2 00.50.43.3c.3b.5d 1 candi zte ZXR10 2910E-PS
3 00.00.00.00.33.33 2 candi zte ZXR10 2918E
Cmdr.zte(cfg-group)#set group add device 1-3
Adding device id : 1 ... Successed to add member!
Adding device id : 2 ... Successed to add member!
Adding device id : 3 ... Successed to add member!
Cmdr.zte(cfg-group)#show group member
Id MacAddress IpAddress HostName State
-- ------------------ --------------- --------- -----
1 00.0d.0d.f1.e2.00 192.168.1.2/24 Mem1.zte Up
2 00.50.43.3c.3b.5d 192.168.1.3/24 Mem2.zte Up
3 00.00.00.00.33.33 192.168.1.4/24 Mem3.zte Up
6. Set the IP address of the TFTP server in the cluster to 110.1.1.2.
Cmdr.zte(cfg-group)#set group tftpsvr 110.1.1.2
7. Set the IP address of the SYSLOG server in the cluster to 110.1.1.2.
Cmdr.zte(cfg-group)#set group syslogsvr 110.1.1.2
8. Download version zImage on member 1.
Mem1.zte(cfg-tffs)#tftp commander download zImage
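Added example (not from the ZTE guide): ztp start lists every switch that answers on the collection VLAN, and set group add device 1-3 admits them by id alone, so the sketch below checks the show ztp device output from step 5 against an inventory before anything is added. The inventory contents, the hop limit and the function names are assumptions.

```python
import re

# Output of "show ztp device" as printed in step 5 above.
ZTP_OUTPUT = """\
Last collection vlan : 4000
Last collection time : 230 ms
Id MacAddress Hop Role HostName Platform
-- ------------------ ---- ------ --------- --------------
0 00.00.00.00.00.01 0 cmdr Cmdr.zte ZXR10 2928E
1 00.0d.0d.f1.e2.00 1 candi zte ZXR10 2918E
2 00.50.43.3c.3b.5d 1 candi zte ZXR10 2910E-PS
3 00.00.00.00.33.33 2 candi zte ZXR10 2918E
"""

# Constructed inventory (assumption): MAC address -> platform on record.
INVENTORY = {
    "00.0d.0d.f1.e2.00": "ZXR10 2918E",
    "00.50.43.3c.3b.5d": "ZXR10 2910E-PS",
}

# One device row: id, dotted MAC, hop count, role, host name, platform.
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<mac>(?:[0-9a-f]{2}\.){5}[0-9a-f]{2})\s+"
    r"(?P<hop>\d+)\s+(?P<role>\S+)\s+(?P<host>\S+)\s+(?P<platform>.+?)\s*$",
    re.IGNORECASE,
)


def parse_ztp_devices(text):
    """Return (collection_vlan, [device dicts]) from 'show ztp device' output."""
    vlan, devices = None, []
    for line in text.splitlines():
        m = re.match(r"^\s*Last collection vlan\s*:\s*(\d+)", line)
        if m:
            vlan = int(m.group(1))
            continue
        m = ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            d = m.groupdict()
            devices.append({
                "id": int(d["id"]), "mac": d["mac"].lower(), "hop": int(d["hop"]),
                "role": d["role"], "host": d["host"], "platform": d["platform"],
            })
    return vlan, devices


def review_candidates(text, inventory, expected_vlan, max_hop=2):
    """Return (ids that match the inventory, findings that need a human)."""
    vlan, devices = parse_ztp_devices(text)
    approved, findings = [], []
    if vlan != expected_vlan:
        findings.append(f"collection ran on VLAN {vlan}, expected VLAN {expected_vlan}")
    for dev in devices:
        if dev["role"] != "candi":
            continue  # the commander lists itself with role "cmdr"
        on_record = inventory.get(dev["mac"])
        if on_record is None:
            findings.append(f"id {dev['id']}: {dev['mac']} is not in the inventory")
        elif on_record != dev["platform"]:
            findings.append(
                f"id {dev['id']}: platform {dev['platform']!r} differs from record {on_record!r}")
        elif dev["hop"] > max_hop:
            findings.append(f"id {dev['id']}: {dev['hop']} hops away, limit is {max_hop}")
        else:
            approved.append(dev["id"])
    return approved, findings


if __name__ == "__main__":
    ok, issues = review_candidates(ZTP_OUTPUT, INVENTORY, expected_vlan=4000)
    print("candidates matching the inventory:", ok)
    for issue in issues:
        print("review before adding:", issue)
```

With the sample inventory, ids 1 and 2 match and id 3 is held back for review, so the operator would not run set group add device 1-3 as a range.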
6.7 sFlow
sFlow Overview
sFlow is a technique for monitoring high-speed data transmission networks. It uses an sFlow proxy embedded in network equipment to send sampled data packets to sFlow collectors.
sFlow implements the following functions:
• Provide the correct statistics about client flow.
• Monitor intrusion and policy violations to make the network safer.
• Monitor the network traffic and application visually.
• Provide the correct data suitable for capacity deployment.
• Ensure the priority of traffic across core network.
• Recognize the network application flow from the remote site to ensure the effect on server.
sFlow Configuration
The sFlow configuration includes the following commands:
Command
    Function
zte(cfg)#set sflow agent-address <A.B.C.D>[udp-port<1-65535>]
    Sets an IP address of the sFlow proxy.
zte(cfg)#set sflow collector-address <A.B.C.D>[udp-port<1-65535>]
    Sets an IP address of the sFlow collector.
zte(cfg)#set sFlow version<number>
    Sets a format version of sFlow sampling packets.
zte(cfg)#set sFlow {ingress | egress}{enable | disable}
    Enables or disables the ingress/egress sFlow function.
zte(cfg)#set sFlow ingress sample-mode {all | forward}
    Sets the sFlow ingress sampling mode.
zte(cfg)#set sflow {ingress | egress} port <portlist> packet-sample off
    Disables sFlow sampling on a port or ports.
zte(cfg)#set sflow {ingress | egress} port <portlist>packet-sample on frequency <2-16000000>[time-range<word>]
    Enables sFlow sampling based on ports, or binds a time range to ports.
zte(cfg)#clear sflow config [{agent | collector}]
    Deletes sFlow configuration on ports.
zte(cfg)#clear sFlow statistic
    Clears sFlow port sampling statistics.
show sFlow (all configuration modes)
    Displays sFlow configuration information.
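Added example, not from the ZTE guide: the collector side of the commands above. It assumes set sFlow version is 5 and that frequency N means one packet in N is sampled, decodes the datagram and flow-sample headers laid out in the public sFlow version 5 specification, and applies the checks a collector needs because sFlow is unauthenticated UDP. The datagram, the 192.0.2.10 agent address and all function names are constructed for the example.

```python
import ipaddress
import struct

FLOW_SAMPLE = 1  # enterprise 0, format 1: flow_sample in the sFlow v5 specification


def build_datagram(agent_ip, sequence, samples):
    """Constructed test input: a v5 datagram whose flow samples carry no flow records."""
    body = b""
    for s_seq, ifindex, rate, pool in samples:
        body += struct.pack("!II", FLOW_SAMPLE, 32)             # sample type, sample length
        body += struct.pack("!8I", s_seq, ifindex, rate, pool,   # seq, source_id, rate, pool
                            0, ifindex, 0, 0)                    # drops, input, output, records
    header = struct.pack("!II4sIIII", 5, 1,                      # version 5, address type IPv4
                         ipaddress.IPv4Address(agent_ip).packed,
                         0, sequence, 60000, len(samples))       # sub-agent, seq, uptime ms, count
    return header + body


def parse_datagram(data):
    """Decode the v5 datagram header and every flow-sample header; raise ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("datagram shorter than version and address type")
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4, 2 = IPv6
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    off = 8
    if len(data) < off + addr_len + 16:
        raise ValueError("truncated datagram header")
    agent = ipaddress.ip_address(data[off:off + addr_len])
    off += addr_len
    sub_agent, sequence, uptime_ms, count = struct.unpack_from("!IIII", data, off)
    off += 16
    samples = []
    for _ in range(count):
        if len(data) < off + 8:
            raise ValueError("truncated sample header")
        sample_type, length = struct.unpack_from("!II", data, off)
        off += 8
        if len(data) < off + length:
            raise ValueError("sample length runs past the end of the datagram")
        enterprise, fmt = sample_type >> 12, sample_type & 0xFFF
        if enterprise == 0 and fmt == FLOW_SAMPLE and length >= 32:
            s_seq, source_id, rate, pool, drops, in_if, out_if, _records = \
                struct.unpack_from("!8I", data, off)
            samples.append({"sequence": s_seq, "source_index": source_id & 0xFFFFFF,
                            "sampling_rate": rate, "sample_pool": pool, "drops": drops,
                            "input_if": in_if, "output_if": out_if})
        off += length  # counter samples and unknown formats are skipped by length
    return {"agent": str(agent), "sub_agent": sub_agent, "sequence": sequence,
            "uptime_ms": uptime_ms, "samples": samples}


def ingest(state, udp_source, data, allowed_agents):
    """Collector-side checks. Returns a summary dict, or None when the datagram is rejected."""
    try:
        dgram = parse_datagram(data)
    except ValueError:
        return None
    # Both the UDP source and the agent field must be a switch we configured.
    if udp_source not in allowed_agents or dgram["agent"] not in allowed_agents:
        return None
    key = (dgram["agent"], dgram["sub_agent"])
    last = state.get(key)
    lost = 0
    if last is not None and dgram["sequence"] > last:
        lost = dgram["sequence"] - last - 1  # gap in datagram sequence numbers
    state[key] = dgram["sequence"]
    # Each flow sample stands for sampling_rate packets seen on the port.
    estimated = sum(s["sampling_rate"] for s in dgram["samples"])
    return {"agent": dgram["agent"], "lost_datagrams": lost, "estimated_packets": estimated}


if __name__ == "__main__":
    seen = {}
    agents = {"192.0.2.10"}
    first = build_datagram("192.0.2.10", 1, [(1, 3, 1000, 1000), (2, 3, 1000, 2000)])
    print(ingest(seen, "192.0.2.10", first, agents))
    print(ingest(seen, "198.51.100.7", first, agents))  # unexpected source: rejected
```

A source-address filter does not stop spoofed UDP, so the allowlist belongs alongside network controls that restrict which hosts can reach the collector port.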
6.8 Web
Web Management Overview
The ZXR10 2900E provides an embedded Web server stored in the Flash memory, which allows users to manage the remote switch with a standard Web browser (IE 6.0 or later at 1024×768 resolution is recommended).
Configuring System Login
The following steps assume that Web connection has been configured on the switch.
1. Open Microsoft Internet Explorer.
2. Enter the IP address of the switch in the address bar (this must be an address at which the switch can be reached). The system login interface is displayed, see Figure 6-19.
Figure 6-19 System Login Interface
3. Enter a username and a password, and select a user privilege. The Admin user needs to enter a login password and a management password. Guest users only need to enter a login password. Click Login to log in to the system main page, see Figure 6-20.
Figure 6-20 System Main Interface
Web Configuration Management
• Web Configuration Management
System Information Check
Click the directory tree on the left of the system main page, Configuration > System. The system information page (by default, the Configuration directory is expanded) is displayed, see Figure 6-21.
Figure 6-21 System Information Page
This page displays the following system information:
Parameter Description
VersionNumber Version number
SwitchType Switch type
VersionMakeTime Version making time
MacAddress Switch hardware address
HostName System name
SysLocation System location
SysUpTime Running time after the system is started.
Both “HostName” and “SysLocation” can be configured. After configuration, click the Apply button to complete the configuration.
• Port Management
Port State Information Check
Click the directory tree on the left of the system main page, Configuration > Port > Port State. The port state information page is displayed, see Figure 6-22.
Figure 6-22 Port State Information Page
This page displays the following port information:
Parameter Description
PortClass Port class
LinkState Port linkup/linkdown state
Duplex Duplex working state of the port
Speed Working speed of the port
Note:
Port linkdown means that the port has no physical connection. In that case the displayed values of “Duplex” and “Speed” are meaningless.
Port Configuration Information Check
Click the directory tree on the left of the main page, Configuration > Port > Port Parameter. The port configuration information page is displayed, see Figure 6-23.
Figure 6-23 Port Configuration Information Page
This page displays the following port information:
Parameter Description
MediaType Port media type
Name Port name
AdminStatus Port enabled
AutoNeg Port working mode, that is, working speed and duplex mode
PVID Default VLAN ID of the port
FlowControl Port flow control enabled
MultiFilter Port multicast filter enabled
MacLimit Port Mac address learning limit
Security Port security enabled
SpeedAdvertise Port speed advertisement
Single Port Configuration
Click the Config button in the line of the port to be configured on the port configuration information page. The configuration page of this port is displayed, see Figure 6-24.
Figure 6-24 Single Port Configuration Page
Configure the attributes of the selected port on this page. After configuration, click the Apply button to complete the configuration.
Note:
“Security” and “MacLimit” are conflicting. The two attributes cannot be enabled at the same time.
Caution!
If the port connected to the network management computer is disabled, the network management is interrupted.
Bulk Port Configuration
Select multiple ports on the port configuration information page (select Select All to select all ports), and then click Apply. The bulk port configuration page is displayed, see Figure 6-25.
Figure 6-25 Bulk Port Configuration Page
Set the attributes on this page, and then click Apply to complete the configuration.
• VLAN Management
VLAN Information Check
Click the directory tree on the left of the main page, Configuration > VLAN > Vlan Overview. The VLAN information page is displayed, displaying the VLAN information that is operated currently. If the VLAN hasn't been operated, the default VLAN will be displayed. See Figure 6-26.
Figure 6-26 VLAN Information Page
If the number of VLANs to be displayed is more than 20, they are displayed by page and the page number is displayed at the bottom right corner. You can click previous or next to turn pages or select a page number from the GO drop-down list box.
This page displays the following information:
Parameter Description
VlanName VLAN name
AdminStatus VLAN enabled or not
Tag Ports Port with a tag in the VLAN
UntagPorts Port without a tag in the VLAN
TagTrunks Trunk with a tag in the VLAN
UntagTrunks Trunk without a tag in the VLAN
Checking the Specified VLAN Information
1. Click Configuration > VLAN > Vlan Configure on the left of the main page. A VLAN number entering page is displayed, see Figure 6-27.
Figure 6-27 VLAN Number Entering Page
2. Enter a VLAN number (for example, "1, 3-5"), and click Apply. A single VLAN configuration page or bulk VLAN configuration page is displayed.
- For the single VLAN configuration page, see Figure 6-28.
Figure 6-28 Single VLAN Configuration Page
After setting some attributes of the VLAN on this page, click Apply to complete the configuration.
Note:
When configuring port/trunk in the VLAN, you can enter port/trunk number in the text box with the format "1, 3-5". You can also select the corresponding check boxes to add them into the VLAN.
- For the bulk VLAN configuration page, see Figure 6-29.
Figure 6-29 Bulk VLAN Configuration Page
Admin of Select items is used to enable the VLAN. Port is the ordinary port of bulk VLAN configuration. Trunk is the trunk group of bulk VLAN configuration.
After setting some attributes on this page, click Apply to complete the configuration.
• PVLAN Management
PVLAN Information Check
Click Configuration > PVLAN > Pvlan Overview on the left of the main page. The PVLAN information page is displayed, see Figure 6-30.
Figure 6-30 PVLAN Information Page
This page displays the following information:
Parameter Description
Pvlan Session PVLAN instance
Promiscuous Port Hybrid physical port
Promiscuous Trunk Hybrid trunk port
Isolated Port Isolated physical port
Isolated Trunk Isolated trunk port
Community Port Community physical port
Community Trunk Community trunk port
PVLAN Configuration
Click Configuration > PVLAN > Pvlan Configure on the left of the main page. The PVLAN configuration page is displayed, see Figure 6-31.
Figure 6-31 PVLAN Configuration Page
This page displays the following information:
Parameter Description
Pvlan Session PVLAN instance
Promiscuous Port Hybrid physical port
Promiscuous Trunk Hybrid trunk port
Isolated Port Isolated physical port
Isolated Trunk Isolated trunk port
Community Port Community physical port
Community Trunk Community trunk port
After setting some attributes on this page, click Apply to submit. When the system is configured successfully, the configured information page will be displayed.
• Port Mirroring Management
Port Mirroring Information Check
Click Configuration > MIRROR > Mirror Overview on the left of the main page. The mirror information page is displayed, see Figure 6-32.
Figure 6-32 Mirror Information Page
This page displays the following information:
Parameter Description
Source port Mirroring source port
Destination port Mirroring destination port
Port Mirroring Configuration
Click Configuration > MIRROR > Mirror Configure on the left of the main page. The mirroring port configuration page is displayed, see Figure 6-33.
Figure 6-33 Mirroring Port Configuration Page
The source port and destination port can be configured on this page. After setting, click Apply to complete the configuration.
• LACP Management
LACP Basic Information Check
Click Configuration > Lacp > Lacp Port on the left of the main page. The LACP basic information page is displayed, see Figure 6-34.
Figure 6-34 LACP Basic Attribute Page
The displayed information is as follows:
Parameter Description
AdminStatus LACP enabled or not
LacpPriority LACP priority
The aggregation port information is as follows:
Parameter Description
GroupNum Aggregation group number that the aggregation port belongs to
GroupMode Aggregation group aggregation mode that the port belongs to
LacpTime Aggregation port timeout mode
LacpActive Aggregation port active/passive mode
Set the basic attributes "AdminStatus" and "LacpPriority" on this page, and set the "LacpTime" and "LacpActive" attributes of the aggregation port. After setting, click Apply to complete the configuration.
To apply the same configuration to multiple aggregation ports, click the corresponding check boxes to select the aggregation ports (select Select All to select all ports), and then click Set. The configuration page of bulk aggregation port is displayed, see Figure 6-35.
Figure 6-35 Bulk Aggregation Port Configuration Page
After setting attributes of the aggregation port on this page, click Apply to submit.
Aggregation Group Information Check
Click Configuration > Lacp > Lacp State on the left of the main page. The aggregation group information page is displayed, see Figure 6-36.
Figure 6-36 Aggregation Group Information Page
This page displays the following information:
Parameter Description
Attached Ports Attached ports in the aggregation group
Active Ports Active ports in the aggregation group
GroupMode Aggregation mode of the aggregation group
Click Config in the right column. The corresponding aggregation group configuration page is displayed, see Figure 6-37.
Figure 6-37 Aggregation Group Configuration Page
You can configure the "Aggregator Mode" attribute of the aggregation group on this page, bind ports with the aggregation group (select ports in the port available column, and click ) and release ports from the aggregation group (select ports in the aggregation port column, and click ).
Note:
Only the ports with the same attribute can be bound into the same aggregation group. Each aggregation group can bind up to 8 ports.
Caution!
Do not bind the port connected to the network management computer to an aggregation group. Otherwise, the network management will be interrupted.
Monitoring Information
• Terminal Log Check
Click Monitoring > Terminal Log on the left of the main page. The terminal log information page is displayed, see Figure 6-38.
Figure 6-38 Terminal Log Information Page
Click the Refresh button to update terminal log information.
• Port Statistics Information Check
Click Monitoring > Port Statistics on the left of the main page. The port statistics information page is displayed, see Figure 6-39.
Figure 6-39 Port Statistics Information Page
Click the Refresh button to update port statistics information.
Select a port from the PortNumber drop-down list box to get the port statistics data.
• Statistics data
Parameter Description
ReceivedBytes Received bytes
ReceivedFrames Number of received frames
ReceivedBroadcastFrames Number of received broadcast frames
ReceivedMulticastFrames Number of received multicast frames
OversizeFrames Number of oversize frames
UndersizeFrames Number of undersize frames
CrcError Number of CRC errors
SendBytes Sent bytes
SendFrames Number of sent frames
SendBroadcastFrames Number of sent broadcast frames
SendMulticastFrames Number of sent multicast frames
• Configuration Information Check
Click Monitoring > Running config on the left of the main page. The configuration information page is displayed, see Figure 6-40.
Figure 6-40 Configuration Information Page
This page displays configuration information of the switch.
System Maintenance
• Configuration Saving Page
Click Maintenance > Save on the left of the main page. The saving configuration information page is displayed, see Figure 6-41.
Figure 6-41 Saving Configuration Page
Click Ok to save configuration or click Cancel to cancel configuration.
Caution!
Saving the configuration overwrites the original configuration file. Make sure that the configuration needs to be overwritten before clicking Ok.
• Configuring Reboot
Click Maintenance > Reboot on the left of the main page. The reboot function page is displayed, see Figure 6-42.
Figure 6-42 Reboot Function Page
Click Ok to reboot the switch or click Cancel to cancel reboot.
• Uploading File
- Click Maintenance > Upload on the left of the main page. The file upload page is displayed, see Figure 6-43.
Figure 6-43 File Upload Page
- Click Browse... to browse and select the file to be uploaded. Click OK to upload the file.
Note:
For safety and application, only “zImage”, “zImage.bak”, “bootrom.bin”, “startrun.dat” and “to_permmac.dat” can be uploaded.
Caution!
Make sure that the files to be uploaded are legal and valid. The uploaded file overwrites the original file. If the operation is not correct, the switch cannot work. Unprofessional personnel are not recommended to use this function.
• User Management
Click Maintenance > User Manager on the left of the main page. The user management page is displayed, see Figure 6-44.
Figure 6-44 User Management Page
By default, the Modify tab is displayed. Modify the login password and management password of the user, and then click Apply to submit.
• Adding User
Click the add button on the user management page. The adding user page is displayed, see Figure 6-45.
Figure 6-45 Adding User Page
Figure 6-46 Adding User Page
Enter the password of the current user on this page, enter the information about the user to be added, and then click Apply to submit.
• Deleting User
Click the Delete button on the user management page. The deleting user page is displayed, see Figure 6-47.
Figure 6-47 Deleting User Page
Select the user to be deleted, and then click Apply to submit.
6.9 M_Button
Introduction to the M_Button Function
The M_Button function is used to display the key statistics data and indicate the key events through the panel indicators, which facilitates device maintenance.
For a description of the port indicators on the ZXR10 2900E, refer to Table 6-1.
Table 6-1 ZXR10 2900E Port Indicator Descriptions
Indicator | State | Description
LINK | Off | No link.
LINK | On (green) | Indicator for the physical link on an optical port. After the system is started, a physical link is established.
LINK | Flashing (green) | Indicator for data sending and receiving at the port. When data is sent or received, the indicator flashes at the fixed frequency.
SPD | On (green) | The port speed is the same as the default port speed.
SPD | On (yellow) | The port speed is not the same as the default port speed.
DUP | On (green) | The port is in full-duplex mode.
DUP | On (yellow) | The port is in half-duplex mode.
STA | On (green) | The STP status of the port is Forward.
STA | On (yellow) | In other statuses.
STA | Off | The STP status of the port is Disable.
CPU% | On (green) | A port indicator displays the current CPU usage. For the 2910E-PS, the first 8 ports display the current usage, each of which represents 12.5%. For other devices, the first 10 ports display the current usage, each of which represents 10%.
MEM% | On (green) | In this mode, a port indicator displays the current memory usage. For the 2910E-PS, the first 8 ports display the current usage, each of which represents 12.5%. For other devices, the first 10 ports display the current usage, each of which represents 10%.
↑BW% | On (green) | In this mode, a port indicator displays the current occupation rate of uplink port outbound bandwidth. The current speed on the uplink interface is used as the base.
↓BW% | On (green) | In this mode, a port indicator displays the current occupation rate of uplink port inbound bandwidth. The current speed on the uplink interface is used as the base.
PING | On (green) | The device sends five ICMP packets to the network management center. Each ICMP packet corresponds to an indicator of a port (port 1–5). If an indicator is on (green), a response of the corresponding packet is received.
PING | On (yellow) | The device sends five ICMP packets to the network management center. Each ICMP packet corresponds to an indicator of a port (port 1–5). If an indicator is on (yellow), no response of the corresponding packet is received.
PING | Off | No IP address is configured for the network management center.
CRC | On (yellow) | There is a CRC error frame on the port.
STORM | On (yellow) | The port is a storm port. The storm threshold is set to 80 percent of the automatically negotiated speed on the port. If the traffic sent and received on the port exceeds the threshold, the port is a storm port.
NoMAC | On (yellow) | The port does not learn a MAC address.
PoE (valid only for devices that support PoE) | On (green) | PoE is normal.
PoE (valid only for devices that support PoE) | On (yellow) | PoE is abnormal.
PoE (valid only for devices that support PoE) | Off | No power.
Note:
In STA mode, if a port is added to multiple instances, the indicator of the port indicates the STA state in the first instance.
M_Button Function Mode Switch
1. There is a mode button on the panel. Press it once, and then the indicator for the next mode (based on the sequence on the switch panel) begins flashing for 2 seconds. If the button is not pressed in 2 seconds, the mode indicator is off. The device enters this mode and executes the function of this mode. If the button is pressed in 2 seconds, the next mode indicator begins flashing. The previous process is repeated.
2. In a mode, if the mode button is not pressed in 3 minutes, the device exits from this mode automatically to the LINK mode. If the button is pressed, the device enters the next mode. The corresponding mode indicator begins flashing, which is as described in 1.
3. In the PING mode, a ping packet is sent once per 20 seconds. In other modes, the statuses are updated in real time.
6.10 Telnet
Telnet Overview
As a member of the TCP/IP protocol family, the Telnet protocol is the standard protocol for the remote Internet login service. With this protocol, users can perform operations on a remote switch through a local PC.
A ZTE switch can be used as both a Telnet client and a Telnet server.
Users can set the listening port number used when the device is logged in to through Telnet, and can set the port number and source IP address used when the device acts as a Telnet client to log in to another device.
Telnet Configuration
The Telnet configuration includes the following commands:
Command
    Function
zte(cfg)#set Telnet server {enable | disable}
    Enables or disables the Telnet server function, which is enabled by default.
zte(cfg)#telnet <dest ip-addr> destination-port <port-num><srcip-addr>
    Sets the port number and source IP address when the device is used as a Telnet client to log in to another device.
zte(cfg)#set telnet listen-port <port>
    Sets the listening port number when the device is logged in to through Telnet. The value is 23 or between 1025 and 49151.
show Telnet (for all configuration modes)
    Displays the Telnet configuration and status.
Telnet Configuration Instance
• Configuration Description
See Figure 6-48. A switch has a layer-3 port with the IP address 192.168.1.1/24, and the IP address of the PC is 192.168.1.100/24. The PC remotely logs in to the switch through Telnet.
Figure 6-48 Telnet Login Instance
• Configuration Procedure
1. Configure the switch
By default, the Telnet server function is enabled. You can use the following command to make sure that the function is enabled.
zte(cfg)#show Telnet
Telnet server is enable
Telnet server is listening on port 23
2. Configure the PC
Note:
Windows 2000 provides the Telnet client and server programs. Telnet.exe is the client program and tlntsvr.exe is the server program. In addition, Windows 2000 provides the Telnet server management program tlntadmn.exe. By default, the Telnet service is installed in Windows 2000.
Execute the Telnet command on the PC, see Figure 6-49.
Figure 6-49 Executing the Telnet Command on the PC
For the Telnet login result, see Figure 6-50.
Figure 6-50 Telnet Login Result
Chapter 7 Maintenance
Table of Contents
Routine Maintenance
Virtual Circuit Tester
Common Fault Handling
7.1 Routine Maintenance
Daily Maintenance Items
1. Checking the operation state of the switch.
a. Verifying that the interface of the back-end terminal can be operated.
b. Verifying that each indicator of the switch is in the normal state.
c. Verifying that the fans of the switch operate properly.
d. Verifying that the temperature of the switch is normal and there is no abnormal smell in the equipment room.
e. Checking the system alarms.
2. Checking the communication between the switch and each connected device.
Log in to the switch through HyperTerminal or Telnet. Run the ping command to test various network segments for connectivity check.
3. Verifying the services related to the switch are normal.
4. Recording operations and phenomena on the current day.
The operations are those performed on the switch. The phenomena include the switch state and equipment room environment.
Monthly Maintenance Items
1. Summarizing daily operations every month.
a. Summarizing problems encountered during daily operation. If necessary, discuss with ZTE maintenance engineers.
b. Summarizing daily maintenance experience to perform more efficient maintenance in the future.
2. Cleaning the equipment room.
a. Cleaning the air conditioner and checking its performance.
b. Cleaning cable troughs and securing loosened wires.
3. Cleaning the switch.
Ensuring that the cloth is not too wet and that the operation does not affect interfaces.
4. Backing up alarm information, statistics information, and configuration information.
Maintenance Period
For the maintenance period of the Ethernet switch, refer to Table 7-1.
Table 7-1 Maintenance Period of the Ethernet Switch
No. | Maintenance Item | Maintenance Period
1 | Checking the switch running state | Day
2 | Checking the equipment room temperature and humidity, and power supply | Day
3 | Checking the communication state between the switch and each connected device | Day
4 | Checking service state | Day
5 | Monthly summary of daily problems | Month
6 | Monthly summary of daily maintenance experience | Month
7 | Cleaning the equipment room | Month
8 | Cleaning the switch | Month
9 | Yearly summary | Year
10 | Full maintenance and check of devices in the monitoring room | Year
7.2 Virtual Circuit Tester
The Virtual Circuit Tester (VCT) uses Time Domain Reflectometry (TDR) to diagnose the line state, such as Open, Short, Impedance Mismatch and Good termination, and calculates the location of a faulty line using a fitting formula.
Run the show vct port <1-28> command to check the VCT detection result of the specified port.
Example 1
zte(cfg)#show vct port 1
Cable Test Result for Port 1
RX PAIR : /* Wiring pair for receiving data in the twisted pair cable */
Cable Test Passed. No problem found.
Cable Length is unknown.
TX PAIR : /* Wiring pair for sending data in the twisted pair cable */
Cable Test Passed. No problem found.
Cable Length is unknown.
Example 2
zte(cfg)#show vct port 8
Cable Test Result for Port 8
RX PAIR :
Cable Test Passed. Cable is open.
Approximately 7 meters from the tested port.
TX PAIR :
Cable Test Passed. Cable is open.
Approximately 6 meters from the tested port.
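Added example (not part of the ZTE guide): a parser for the two show vct port outputs above. Example 2 prints "Cable Test Passed." next to an open cable, so the parser takes the line state from the second sentence rather than from "Passed". Only the two result strings shown on this page are mapped; any other wording is kept verbatim as the status. Function names are assumptions.

```python
import re

# The two outputs printed above, including the guide's /* ... */ annotations.
VCT_PORT1 = """\
Cable Test Result for Port 1
RX PAIR : /* Wiring pair for receiving data in the twisted pair cable */
Cable Test Passed. No problem found.
Cable Length is unknown.
TX PAIR : /* Wiring pair for sending data in the twisted pair cable */
Cable Test Passed. No problem found.
Cable Length is unknown.
"""

VCT_PORT8 = """\
Cable Test Result for Port 8
RX PAIR :
Cable Test Passed. Cable is open.
Approximately 7 meters from the tested port.
TX PAIR :
Cable Test Passed. Cable is open.
Approximately 6 meters from the tested port.
"""


def parse_vct(text):
    """Return {'port': int, 'pairs': {'RX': {...}, 'TX': {...}}} from 'show vct port' output."""
    result = {"port": None, "pairs": {}}
    entry = None
    for raw in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", raw).strip()  # drop the guide's annotations
        if not line:
            continue
        m = re.match(r"Cable Test Result for Port (\d+)", line)
        if m:
            result["port"] = int(m.group(1))
            continue
        m = re.match(r"(RX|TX) PAIR\s*:", line)
        if m:
            entry = result["pairs"].setdefault(
                m.group(1), {"status": None, "distance_m": None})
            continue
        if entry is None:
            continue  # ignore anything before the first pair header
        m = re.match(r"Cable Test \w+\.\s*(.*?)\.?\s*$", line)
        if m:
            detail = m.group(1)
            state = re.match(r"Cable is (.+)", detail)
            if detail == "No problem found":
                entry["status"] = "good"
            elif state:
                entry["status"] = state.group(1).lower()
            else:
                entry["status"] = detail  # wording not shown on this page: keep as printed
            continue
        m = re.match(r"Approximately (\d+) meters", line)
        if m:
            entry["distance_m"] = int(m.group(1))
        # "Cable Length is unknown." leaves distance_m as None
    return result


def faults(result):
    """List (pair, status, distance_m) for every pair whose status is not 'good'."""
    return [(pair, info["status"], info["distance_m"])
            for pair, info in result["pairs"].items()
            if info["status"] != "good"]


if __name__ == "__main__":
    for sample in (VCT_PORT1, VCT_PORT8):
        parsed = parse_vct(sample)
        print("port", parsed["port"], "faults:", faults(parsed))
```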
7.3 Common Fault Handling
7.3.1 Overview
Faults include hardware faults and software faults. Hardware faults can be removed by changing hardware if the faults are correctly located. Software and configuration faults can be removed by correct operations.
When handling faults, first verify that the device configurations are correct, the device cables are connected properly, and the device environment satisfies requirements.
7.3.2 Configuration Through the Console Port Failed
Symptom
Failed to configure the switch through the console port.
Related Component Check
Check the configuration cable, serial port of HyperTerminal, and console port of the switch.
Fault Analysis
1. The configuration cable is incorrect.
2. The serial port attributes of HyperTerminal are incorrect, or the serial port is faulty.
3. The console port of the switch is faulty.
Solution
1. Use a correct configuration cable.
2. Check the serial port attributes of HyperTerminal. The correct settings are as follows: Bits per Second (baud rate) is 9600, Data bit is 8, Parity is None, and Flow control is None. Verify that the serial port is normal and replace the terminal if necessary.
3. Verify that the console port of the switch is normal.
7.3.3 Telnet Connection Failed
Symptom
Failed to connect to the switch through Telnet.
Fault Analysis
1. The port PVID is incorrect.
2. The port is disabled.
3. The VLAN bound to the IP port is disabled.
4. The IP address, subnet mask or default gateway of the switch is incorrect.
5. The IP address of the switch conflicts with the IP address of another device.
6. A wrong REMOTE ACCESS setting on the switch caused the IP address to be filtered out.
Solution
1. Set the port PVID to be the same as the VLAN ID to which the port belongs.
2. Enable the port.
3. Enable the VLAN bound to the IP port.
4. Configure a valid IP address, subnet mask and default gateway for the switch.
5. Modify the IP address of the switch or another device to remove the IP address conflict.
6. Set REMOTE ACCESS to “any”.
7.3.4 Web Management Failed
Symptom
When the Web browser was opened on the local computer, the Web management pages failed to open.
Fault Analysis
1. The browser version is too low.
2. An incorrect address or port number was entered in the address bar.
3. The communication between the local computer and the switch failed.
4. No management port was configured on the switch, or the IP address of the switch is incorrect.
5. The switch did not enable the Web management function.
Solution
1. Upgrade the browser version on the local computer to at least IE 6.0.
2. Check the switch configuration to obtain a correct IP address and port number.
3. Check the line between the local computer and the switch to ensure that the communication is normal.
4. Configure a correct management port and IP address for the switch.
5. Enable the Web management function of the switch and set a port number.
7.3.5 Login Username or Password Lost
Symptom
A user cannot log in to the switch after entering the username and password.
Fault Analysis
The username or password used to log in to the switch is incorrect.
Solution
First of all, confirm whether the system administrator can find the original username and password. If the system administrator cannot find the original username and password, reboot the switch and delete the configuration file. The operation procedure is as follows:
1. Reboot the switch and press any key on the HyperTerminal to enter the boot state.
ZXR10 2928E BootRom Version v1.15
Compiled May 21 2012 08:57:22
Copyright (c) 2010 by ZTE Corporation.
boot location [0:Net,1:Flash] : 1
actport : 1
serverip : 10.40.89.78
netmask : 255.255.255.0
ipaddr : 10.40.89.79
bootfile : /img/zImage.B10
username : ZXR10
password : ZXR10
MAC : 00:d0:d0:29:28:01
Press any key to stop autoboot: 2
[ZXR10 Boot]:
2. In [ZXR10 Boot] state, enter [ZXR10 Boot]:zte to enter [BootManager] state of the switch. Enter <?> for command help.
[BootManager]: ?
? - alias for 'help'
cd - change current path
exit - exit from BootManager mode
format - format flash
ftp - get/put file from/to FTP server
help - print online help
load - load zImage
ls - list files in current directory
mv - change [source] name to [destination] name
poever - get poe firmware version
reboot - perform REBOOT of the CPU
rm - remove file
setBOOTpassword - set password for BOOT mode
setPtype- set packaged type
show - show board information
update - update boot or firmware
[BootManager]:
3. Run the rm command to delete the startrun.dat configuration file. Reboot the switch.
[bootManager]:cd cfg
[bootManager]: ls
/cfg/
startrun.dat 671
to_permmac.dat 98304
[bootManager]: rm startrun.dat
[bootManager]: ls
/cfg/
to_permmac.dat 98304
[bootManager]:
4. After the switch is rebooted, use the default username and password to log in to the switch.
7.3.6 Enable Password Lost
Symptom
A login user failed to enter global configuration mode after entering a password.
Fault Analysis
An incorrect password was used when the user tried to enter global configuration mode.
Solution
For the handling method, refer to 7.3.5 Login Username or Password Lost.
Note
Before the switch is rebooted, record the current configuration for reconfiguration.
7.3.7 Two Devices in the Same VLAN Cannot Communicate
Symptom
Two devices connected to two ports in the same VLAN of the switch cannot communicate.
Fault Analysis
1. The port PVID is incorrect.
2. The ports are disabled.
3. The VLAN bound to the ports is disabled.
4. When the ports were added to the VLAN, tag was selected.
5. IP addresses of the devices were not set or are not in the same network segment.
Solution
1. Set the port PVID to be the same as the VLAN ID to which the ports belong.
2. Enable all the ports used.
3. Enable the VLAN used.
4. Add the ports to the VLAN again, and select untag.
5. Set correct IP addresses for the devices.
7.3.8 Authentication Timed Out in Campus Network
Symptom
There were six buildings in the student dormitory of school A. To access the Internet, students' computers had to pass the authentication and accounting system. The Radius server software and Bras hardware devices of the authentication and accounting system were provided by company B. The DOT1X port authentication function had to be enabled on the access layer device ZXR10 2900E so that it could work with the authentication and accounting system of company B to provide authentication and accounting services for the students.
Company B completed the debugging of the Radius server and Bras devices and allocated the authentication and accounting clients to each building for installation. Most students registered and activated their accounts. After the preparation was completed, ZTE’s maintenance engineers enabled the DOT1X function on the access layer devices of the six buildings, as required by the customer. The configuration of the ZXR10 2900E was as follows:
Two devices connected to two ports in the same VLAN cannot ping each other.
set port 1-24 security enable
config nas
radius isp test defaultisp enable
radius isp test sharedsecret amtium
/*Shared key negotiated with company B*/
radius isp test add accounting 10.150.12.101
/*Address of the authentication and accounting server of company B*/
radius isp test add authentication 10.150.12.101
/*Address of the authentication and accounting server of company B*/
radius isp test client 172.16.0.181
/*ISP name and IP address accessing the switch*/
aaa-control port 1-24 dot1x enable
aaa-control port 1-24 accounting enable
aaa-control port 1-24 port-mode auto
When the configuration was completed, the authentication of some computers in B1, B2 and B3 timed out.
Fault Analysis
The students’ accounts and configuration were correct, and the configuration of the ZXR10 2900E was correct. Even after ZTE’s maintenance engineers replaced the faulty switch with a new one, the problem still existed. The diagnosis result was that the interconnection between devices of ZTE and company B was faulty.
By capturing packets, ZTE’s maintenance engineers found that the ZXR10 2900E sent a Radius Access Request message to the authentication and accounting server of company B, but did not receive a response message. In normal circumstances, the Radius message receiving and sending procedure is as follows:
1. When the server accesses the switch, the switch sends an Access Request message.
2. The server returns an Access Challenge message.
3. The switch sends an Access Request message again.
4. The server returns an Access Accept message.
5. The switch sends an Accounting Request message.
6. The server returns an Accounting Response message.
Because the authentication data packet flows captured on two identical ZXR10 2900E devices were not the same, the diagnosis result was that the configuration of the authentication and accounting server of company B was incorrect. Engineers of company B checked alarms on the authentication and accounting server, and an alarm “AP not support user auth type” was located. That is, authentication types of the server and the switch were different. When the back-end configuration of the authentication and accounting server was checked, it was found that the shared key on the switches of buildings B1, B2 and B3 was set to “antium”, but the negotiated key was “amtium”.
Solution
The engineers of company B changed the shared key to “amtium”, and the problem was solved completely.
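Why a mismatched shared key appears as silence rather than a reject: an added example (not code from this guide or from company B's server) that assumes the switch relays EAP and therefore includes a Message-Authenticator attribute (RFC 3579), which the server recomputes with its own copy of the key and drops the request without replying on mismatch. The two keys and the client address 172.16.0.181 come from the case above; the user name and all function names are constructed.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

PROCESS = "process"
DISCARD_MALFORMED = "silently discard: malformed packet"
DISCARD_NO_MAC = "silently discard: EAP-Message without Message-Authenticator"
DISCARD_BAD_MAC = "silently discard: Message-Authenticator mismatch"


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, user, nas_ip):
    """Switch (NAS) side: Access-Request carrying an EAP-Response/Identity."""
    name = user.encode()
    eap = struct.pack("!BBHB", 2, identifier, 5 + len(name), 1) + name
    attrs = (attr(USER_NAME, name)
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs  # 16-octet Request Authenticator
    # HMAC-MD5 over the whole packet, keyed with the shared secret.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 octets


def verify_access_request(secret, packet):
    """Server side: decide whether to process the request or drop it silently."""
    if len(packet) < 20:
        return DISCARD_MALFORMED
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        return DISCARD_MALFORMED
    zeroed = bytearray(packet[:length])
    received, has_eap, offset = None, False, 20
    while offset < length:
        if offset + 2 > length:
            return DISCARD_MALFORMED
        a_type, a_len = zeroed[offset], zeroed[offset + 1]
        if a_len < 2 or offset + a_len > length:
            return DISCARD_MALFORMED
        if a_type == EAP_MESSAGE:
            has_eap = True
        elif a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18:
                return DISCARD_MALFORMED
            received = bytes(zeroed[offset + 2:offset + 18])
            zeroed[offset + 2:offset + 18] = bytes(16)  # zero before hashing
        offset += a_len
    if received is None:
        return DISCARD_NO_MAC if has_eap else PROCESS
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return DISCARD_BAD_MAC  # no Access-Reject is sent; the switch just times out
    return PROCESS


if __name__ == "__main__":
    # Constructed request from a switch configured with the negotiated key.
    request = build_access_request(b"amtium", 7, "student01", "172.16.0.181")
    for server_key in (b"amtium", b"antium"):
        print(server_key.decode(), "->", verify_access_request(server_key, request))
```

Under that assumption the server sends nothing back in the mismatch case, which matches a capture showing an Access Request with no response; comparing the key on both ends is a cheaper first check than replacing the switch.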
7.3.9 Solution to ARP Attacks in Campus Network
Symptom
Eleven ZXR10 2900E access layer switches in the same VLAN in a student dormitory building could not connect to the network. 40% of users in this building failed to access the Internet.
Fault Analysis
After checking the network management system, maintenance engineers found that the eleven switches were disconnected and could not be pinged. The maintenance engineers went to the low-voltage cable shaft in which four switches were installed, accessed the switch whose IP address was 172.168.0.123 through HyperTerminal, and found that its CPU usage reached 93%–100%. The maintenance engineers checked the alarm information and configuration information, but no exception was found. The maintenance engineers then accessed the convergence layer switch T40G and found an alarm “port 4 receives too many ARP broadcast packets”. After checking the traffic on this port, the maintenance engineers found that the broadcast packet count increased by about 100,000 every ten seconds.
After analyzing the ZXR10 2900E connected to the port, the maintenance engineers found the following conditions:
1. There was a loop on the user side.
2. A user’s computer was infected by a virus and sent broadcast packets continuously.
3. A user’s computer was installed with the ARP attack software and sent ARP attack packets continuously.
The IP address of the ZXR10 2900E connected to the port was 172.168.0.111. The maintenance engineers connected to the switch through a network cable and captured packets. After analyzing the packets, the maintenance engineers found that a computer with the MAC address “00:19:e0:a9:5a:fc” sent ARP broadcast packets continuously. Based on the label on the network cable, the computer was in room 2606. After the maintenance engineers removed its network cable, the eleven switches recovered and CPU utilization was no more than 5%.
Solution
1. Filter out the MAC address of the computer on the access layer switch and prohibit it from accessing the Internet.
2. Notify the central equipment room of the school to prohibit the computer from accessing the Internet before its hard disk is formatted and the system is reinstalled.
3. Install an ARP virus removal tool on all computers.
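Finding the flooding source from a capture, as the engineers did by hand: an added example (not ZTE tooling) that parses Ethernet/ARP frames, counts broadcast ARP packets per source MAC in ten-second windows, and reports the sources above a threshold. The frames are constructed sample input scaled down from the figures above; the threshold of 100 per window, the 192.0.2.x addresses and the two quiet hosts' MAC addresses are assumptions.

```python
import socket
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(src_mac, src_ip, target_ip, vlan=None):
    """Build a broadcast ARP request; used here only to construct sample input."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    frame = BROADCAST + sha
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    frame += struct.pack("!H", ETHERTYPE_ARP)
    frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet/IPv4, request
    frame += sha + socket.inet_aton(src_ip) + bytes(6) + socket.inet_aton(target_ip)
    return frame


def parse_arp(frame):
    """Return ARP fields for an Ethernet frame, or None if it is not valid ARP."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:  # skip one 802.1Q tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[offset + 8:offset + 28]
    return {
        "dst": dst,
        "src": mac_to_str(src),
        "oper": oper,
        "sender_mac": mac_to_str(body[0:6]),
        "sender_ip": socket.inet_ntoa(body[6:10]),
        "target_ip": socket.inet_ntoa(body[16:20]),
    }


def find_arp_flooders(capture, window=10.0, threshold=100):
    """Map source MAC -> peak broadcast ARP count in any window, if above threshold."""
    per_window = Counter()
    for timestamp, frame in capture:
        arp = parse_arp(frame)
        if arp is None or arp["dst"] != BROADCAST:
            continue
        per_window[(arp["src"], int(timestamp // window))] += 1
    peaks = {}
    for (mac, _bucket), count in per_window.items():
        peaks[mac] = max(peaks.get(mac, 0), count)
    return {mac: count for mac, count in peaks.items() if count > threshold}


def sample_capture():
    """Constructed capture: one flooding host and two quiet hosts over ten seconds."""
    capture = []
    for i in range(500):
        frame = build_arp_request("00:19:e0:a9:5a:fc", "192.0.2.50", f"192.0.2.{i % 254 + 1}")
        capture.append((i * 0.02, frame))
    for i in range(3):
        capture.append((i * 3.0, build_arp_request("02:00:00:00:00:01", "192.0.2.10", "192.0.2.1")))
        capture.append((i * 3.0 + 1, build_arp_request("02:00:00:00:00:02", "192.0.2.11", "192.0.2.1", vlan=20)))
    capture.append((5.0, b"\xff" * 10))  # truncated frame, ignored by the parser
    return sorted(capture, key=lambda item: item[0])


if __name__ == "__main__":
    for mac, count in find_arp_flooders(sample_capture()).items():
        print(f"{mac}: {count} broadcast ARP packets in one window")
```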
Figures
Figure 3-1 ZXR10 2900E's Configuration Modes
Figure 3-2 Connection Description Dialog Box
Figure 3-3 Connect To Dialog Box
Figure 3-4 COM1 Properties Dialog Box
Figure 3-5 Running Telnet
Figure 3-6 Telnet Window
Figure 4-1 TFTP Server
Figure 4-2 Tftpd Settings Dialog Box
Figure 4-3 Connect to Server Dialog Box
Figure 4-4 FileZilla Server Window
Figure 4-5 Users Dialog Box
Figure 4-6 Directory Setting
Figure 4-7 Network Architecture for Automatic Configuration File Download
Figure 4-8 Network Structure for Automatic Configuration File Upload
Figure 5-1 PoE Application
Figure 5-2 Port Mirroring Configuration Instance
Figure 5-3 LACP Configuration Instance
Figure 5-4 Network Topology of IGMP Snooping Configuration Instance
Figure 5-5 MLD Snooping Configuration Instance
Figure 5-6 IPTV Configuration Instance 1
Figure 5-7 IPTV Configuration Instance 2
Figure 5-8 MSTP Topological Structure
Figure 5-9 STP Configuration Instance
Figure 5-10 RSTP Configuration Instance
Figure 5-11 MSTP Configuration Instance
Figure 5-12 ACL Configuration Instance
Figure 5-13 QoS Configuration Instance
Figure 5-14 PVLAN Configuration Example 1
Figure 5-15 PVLAN Configuration Example 2
Figure 5-16 Layer 2 Protocol Transparent Transmission Configuration Topology
Figure 5-17 Layer-3 Configuration Instance
Figure 5-18 Layer-3 IPv6 Configuration Instance
Figure 5-19 DAI Configuration Instance Topology
Figure 5-20 Using PAP Mode for Identity Authentication
Figure 5-21 Using Chap Mode for Identity Authentication
Figure 5-22 Using EAP Mode for Identity Authentication
Figure 5-23 Access Authentication Configuration Instance
Figure 5-24 Typical QinQ Network
Figure 5-25 QinQ Configuration Instance
Figure 5-26 SQinQ Configuration Instance
Figure 5-27 VLAN Transparent Transmission Configuration Instance
Figure 5-28 VLAN Mapping Network Diagram
Figure 5-29 VLAN Mapping Configuration Instance
Figure 5-30 GVRP Configuration Instance
Figure 5-31 DHCP Snooping/Option82 Configuration Instance Topology
Figure 5-32 DHCP Client Configuration Instance Topology
Figure 5-33 DHCPv6 Snooping/Option82 Configuration Instance
Figure 5-34 VBAS Typical Network
Figure 5-35 VBAS Configuration Instance Topology
Figure 5-36 PPPOE-PLUS Configuration Instance Topology
Figure 5-37 Diagram of the Master Node Blocking its Secondary Port When the Ring is in UP State
Figure 5-38 Diagram of the Master Node Opening its Secondary Port When the Ring is in DOWN State
Figure 5-39 Transmission Link Fault Diagram
Figure 5-40 ZESR Single-Domain Multi-Ring Configuration Example
Figure 5-41 ZESR Single-Ring Multi-Domain Configuration Example
Figure 5-42 ZESR Dual-Node Dual-Uplink Configuration Example
Figure 5-43 ZESS Network Topology
Figure 5-44 ZESS Networking Configuration
Figure 5-45 Remote Loop Network
Figure 5-46 Link Control Network
Figure 5-47 PP Configuration Instance
Figure 5-48 LLDP Configuration Instance
Figure 5-49 Single Port Loop Detection Configuration Topology
Figure 5-50 Double Ports Loop Detection Configuration Topology
Figure 5-51 UDLD Configuration Instance
Figure 5-52 TACACS+ Configuration Instance
Figure 5-53 Voice VLAN Configuration Instance
Figure 5-54 Single Management Domain
Figure 5-55 Single-Domain CFM Network Without MIP
Figure 5-56 Single-Domain CFM Network With MIP
Figure 5-57 LM Network Configuration Instance
Figure 5-58 DM Network Configuration Instance
Figure 5-59 AIS/LCK Network Configuration Instance
Figure 5-60 DHCP Relay Configuration Instance
Figure 5-61 MFF Configuration Instance
Figure 5-62 SSL Configuration Instance
Figure 5-63 Internet Options Dialog Box
Figure 5-64 Certificates Dialog Box
Figure 5-65 Certificates Dialog Box—Importing a Certificate
Figure 5-66 SSL Login Page
Figure 5-67 Main Page for Web-Based Management
Figure 5-68 Example of the Primary Node Blocking the Secondary Port (Ring Status: UP)
Figure 5-69 Example of the Primary Node Enabling the Secondary Port (Ring status: DOWN)
Figure 5-70 Configuration Example of a Single ERPS Domain with Multiple Loops
Figure 5-71 Configuration Example of Multiple ERPS Domains
Figure 6-1 SSH Remote Login Example
Figure 6-2 Setting IP Address and Port Number of the SSH Server
Figure 6-3 Setting the SSH Version Number
Figure 6-4 User Confirmation Dialog Box
Figure 6-5 SSH Login Result
Figure 6-6 SFTP File Upload and Download Instance
Figure 6-7 WinSCP Login Dialog Box—Creating a Session
Figure 6-8 WinSCP Login Dialog Box—Setting SFTP Parameters
Figure 6-9 Preferences Dialog Box
Figure 6-10 Warning Dialog Box
Figure 6-11 Authentication Banner Dialog Box
Figure 6-12 Password Dialog Box
Figure 6-13 Authentication Banner Dialog Box—Successful Authentication
Figure 6-14 WinSCP Desktop Window
Figure 6-15 MAC Change Notification Configuration Network
Figure 6-16 Cluster Management Network
Figure 6-17 Changeover Rules of Roles
Figure 6-18 Cluster Management Network
Figure 6-19 System Login Interface
Figure 6-20 System Main Interface
Figure 6-21 System Information Page
Figure 6-22 Port State Information Page
Figure 6-23 Port Configuration Information Page
Figure 6-24 Single Port Configuration Page
Figure 6-25 Bulk Port Configuration Page
Figure 6-26 VLAN Information Page
Figure 6-27 VLAN Number Entering Page
Figure 6-28 Single VLAN Configuration Page
Figure 6-29 Bulk VLAN Configuration Page
Figure 6-30 PVLAN Information Page
Figure 6-31 PVLAN Configuration Page
Figure 6-32 Mirror Information Page
Figure 6-33 Mirroring Port Configuration Page
Figure 6-34 LACP Basic Attribute Page
Figure 6-35 Bulk Aggregation Port Configuration Page
Figure 6-36 Aggregation Group Information Page
Figure 6-37 Aggregation Group Configuration Page
Figure 6-38 Terminal Log Information Page
Figure 6-39 Port Statistics Information Page
Figure 6-40 Configuration Information Page
Figure 6-41 Saving Configuration Page
Figure 6-42 Reboot Function Page
Figure 6-43 File Upload Page
Figure 6-44 User Management Page
Figure 6-45 Adding User Page
Figure 6-46 Adding User Page
Figure 6-47 Deleting User Page
Figure 6-48 Telnet Login Instance
Figure 6-49 Executing the Telnet Command on the PC
Figure 6-50 Telnet Login Result
Tables
Table 3-1 Configuration Command
Table 3-2 Common Command Parameters
Table 3-3 Editing Commands Through Keystrokes
Table 5-1 Port Role and Port State
Table 5-2 Syslog Log Information
Table 5-3 Basic ZESR Concepts
Table 5-4 Basic ZESS Concepts
Table 6-1 ZXR10 2900E Port Indicator Descriptions
Table 7-1 Maintenance Period of the Ethernet Switch
Glossary
ACL- Access Control List
AIS- Alarm Indication Signal
AP- Access Point
ARP- Address Resolution Protocol
BAS- Broadband Access Server
BPDU- Bridge Protocol Data Unit
CAR- Committed Access Rate
CCM- Continuity Check Message
CFM- Connectivity Fault Management
CIST- Common and Internal Spanning Tree
CoS- Class of Service
CST- Common Spanning Tree
C-VLAN- Customer VLAN
DAI- Dynamic ARP Inspection
DHCP- Dynamic Host Configuration Protocol
DM- Delay Measurement
DoS- Denial of Service
DSCP- Differentiated Services Code Point
EAPOL- Extensible Authentication Protocol Over LAN
EAPS- Ethernet Automatic Protection Switching
ERPS- Ethernet Ring Protection Switching
FTP- File Transfer Protocol
GARP- Generic Attribute Registration Protocol
GVRP- GARP VLAN Registration Protocol
IETF- Internet Engineering Task Force
IGMP- Internet Group Management Protocol
IP- Internet Protocol
IPTV- Internet Protocol Television
IST- Internal Spanning Tree
LACP- Link Aggregation Control Protocol
LBM- Loopback Message
LBR- Loopback Reply
LCK- Locked
LLDP- Link Layer Discovery Protocol
LM- Loss Measurement
LTM- Link Trace Message
LTR- Link Trace Reply
MDI/MDIX- Media-Dependent Interface/Media-Dependent Interface-crossover
MEP- Maintenance association End Point
MFF- MAC-Forced Forwarding
MIB- Management Information Base
MIP- Maintenance domain Intermediate Point
MLD- Multicast Listener Discovery
MST- Multiple Spanning Tree
MSTP- Multiple Spanning Tree Protocol
NAS- Network Access Service
NMS- Network Management System
NTP- Network Time Protocol
OAM- Operation, Administration and Maintenance
OUI- Organizationally Unique Identifier
PE- Provider Edge
PoE- Power over Ethernet
PPPoE- Point to Point Protocol over Ethernet
PVLAN- Private Virtual Local Area Network
QoS- Quality of Service
RADIUS- Remote Authentication Dial In User Service
RDI- Remote Defect Indication
RMON- Remote Monitoring
RPL- Ring Protection Link
RSTP- Rapid Spanning Tree Protocol
SBT- Side Smart Bias Tee
SNMP- Simple Network Management Protocol
SP- Strict Priority
SQinQ- Selective QinQ
SSH- Secure Shell
SSL- Secure Sockets Layer
STP- Spanning Tree Protocol
TACACS+- Terminal Access Controller Access-Control System Plus
TC- Traffic Classification
TCP- Transmission Control Protocol
TDR- Time Domain Reflectometry
TFTP- Trivial File Transfer Protocol
UDLD- Unidirectional Link Detection
UDP- User Datagram Protocol
VBAS- Virtual Broadband Access Server
VLAN- Virtual Local Area Network
VPN- Virtual Private Network
WRR- Weighted Round Robin
ZDP- ZTE Discovery Protocol
ZESR- ZTE Ethernet Switch Ring
ZESS- ZTE Ethernet Smart Switch
ZTP- ZTE Topology Protocol