S7700 and S9700 V200R008C00 Configuration Guide - Device Management PDF
V200R008C00
Issue 07
Date 2017-11-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the device management feature supported by
the device.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Security Conventions
• Password setting
Declaration
This manual is only a reference for you to configure your devices. The contents in the manual,
such as web pages, command line syntax, and command outputs, are based on the device
conditions in the lab. The manual provides instructions for general scenarios, but does not cover
all usage scenarios of all product models. The contents in the manual may be different from
your actual device situations due to the differences in software versions, models, and
configuration files. The manual will not list every possible difference. You should configure
your devices according to actual situations.
The specifications provided in this manual are tested in a lab environment (for example, the
tested device has been installed with a certain type of boards or only one protocol is run on
the device). Results may differ from the listed specifications when you attempt to obtain the
maximum values with multiple functions enabled on the device.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Contents
2 Hardware Management
2.1 Configuring the Device MAC Address
2.2 Backing Up Electronic Labels
2.3 Managing Device Resources
2.3.1 Configuring the SRU Hardware Engine
2.3.2 Configuring the Internal Forwarding Resource Allocation Mode
2.3.3 Configuring the Resource Mode of Extended Entry Space
2.3.4 Configuring the Fabric Mode
2.4 Managing the Active and Standby MPUs
2.4.1 Resetting the Standby MPU
2.4.2 Configuring Active/Standby Switchover
2.5 Managing a Card and Subcard
2.5.1 Resetting a Card
2.5.2 Powering On or Off a Card
2.5.3 Starting, Shutting Down, and Resetting the X86 Subcard on an OSP Card
2.6 Configuring the Alarm Function or Setting Alarm Thresholds
2.6.1 Configuring Temperature Thresholds for Fan Speed Adjustment
2.6.2 Configuring the CPU Usage Alarm Threshold
2.6.3 Configuring the Memory Usage Alarm Threshold
2.6.4 Setting Optical Power Alarm Thresholds
2.6.5 Configuring the Alarm Function for Non-Huawei-Certified switch Optical Modules
4 NTP Configuration
4.1 Overview
4.2 Principles
4.2.1 Principles
4.2.2 Network Architecture
4.2.3 Operating Mode
4.2.4 NTP Access Control
4.3 Application
5.4.5.4 Setting the Priority of the Clock Signal That an Interface Sends to the Clock Board
5.4.5.5 Locking a Clock Source
5.4.5.6 Configuring Frequency Offset Check
5.4.5.7 Setting the Delay Time for the System to Consider a Clock Source Lost
5.4.5.8 Setting the WTR Time of a Clock Source
5.4.5.9 Enable the Permanent Holding Mode of the Clock Module
5.4.5.10 Configuring the Non-Retrieve Mode of the Clock Source
5.4.5.11 Checking the Configuration
5.5 Configuration Examples
5.5.1 Example for Selecting the Clock Source Based on the Priority
5.5.2 Example for Selecting the Clock Source Based on the SSM Quality Level
5.5.3 Example for Selecting the Clock Source Based on the SSM Quality Level in Extended Mode
This chapter describes the functions of display commands and how to use the display
commands to view the device running status.
Context
When the device becomes faulty, you can view device information to check whether the status
of device components is normal.
Procedure
• Run the display device [ slot slot-id ] command to view component information and
status of the device.
• Run the display device manufacture-info [ slot slot-id | backplane ] command to view
manufacturing information about the device.
----End
FAQ
The status indicates the hardware management status excluding the service running status.
<HUAWEI> display device
S7712's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
4 - ES0D0G48TA00 Present PowerOn Registered Normal NA
5 - LE0D0VAMPA00 Present PowerOn Registered Normal NA
8 - Present PowerOn Registered Normal NA
9 - ES0D0X12SA00 Present PowerOn Registered Normal NA
14 - ES0D00SRUB00 Present PowerOn Registered Normal Master
PWR1 - - Present PowerOn Registered Normal NA
CMU1 - LE0DCMUA0000 Present PowerOn Registered Normal Slave
CMU2 - LE0DCMUA0000 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
1.1.1.2 How Can I View the Card Type and Subcard Type?
Run the display device [ slot slot-id ] command to view component information and device
status. The Type field indicates the card type and subcard type.
<HUAWEI> display device
S7712's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
2 - - Present PowerOn Registered Normal NA
4 - ES0D0G48TA00 Present PowerOn Registered Normal NA
5 - LE0D0VAMPA00 Present PowerOn Registered Normal NA
8 - Present PowerOn Registered Normal NA
9 - ES0D0X12SA00 Present PowerOn Registered Normal NA
14 - ES0D00SRUB00 Present PowerOn Registered Normal Master
PWR1 - - Present PowerOn Registered Normal NA
CMU1 - LE0DCMUA0000 Present PowerOn Registered Normal Slave
CMU2 - LE0DCMUA0000 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
-------------------------------------------------------------------------------
Port Port Optic MDI Speed Duplex Flow- Port POE
Type Status (Mbps) Ctrl State State
-------------------------------------------------------------------------------
0 GE(C) - auto 1000 full disable down -
1 GE(C) - auto 1000 full disable down -
2 GE(C) - auto 1000 full disable down -
3 GE(C) - auto 1000 full disable down -
4 GE(C) - auto 10 full disable up -
5 GE(C) - auto 1000 full disable *down -
6 GE(C) - auto 1000 full disable up -
7 GE(C) - auto 1000 full disable down -
8 GE(C) - auto 1000 full disable down -
9 GE(C) - auto 1000 full disable down -
10 GE(C) - auto 1000 full disable down -
11 GE(C) - auto 1000 full disable *down -
12 GE(C) - auto 1000 full disable down -
13 GE(C) - auto 1000 full disable down -
14 GE(C) - auto 1000 full disable *down -
15 GE(C) - auto 1000 full disable down -
16 GE(C) - auto 1000 full disable down -
17 GE(C) - auto 1000 full disable down -
18 GE(C) - auto 1000 full disable *down -
19 GE(C) - auto 1000 full disable down -
20 GE(C) - auto 1000 full disable down -
21 GE(C) - auto 1000 full disable down -
22 GE(C) - auto 1000 full disable down -
23 GE(C) - auto 1000 full disable down -
24 GE(C) - auto 1000 full disable down -
25 GE(C) - auto 1000 full disable down -
26 GE(C) - auto 1000 full disable down -
27 GE(C) - auto 1000 full disable down -
28 GE(C) - auto 1000 full disable down -
29 GE(C) - auto 1000 full disable down -
30 GE(C) - auto 1000 full disable down -
31 GE(C) - auto 1000 full disable down -
32 GE(C) - auto 100 full disable up -
33 GE(C) - auto 1000 full disable down -
34 GE(C) - auto 1000 full disable *down -
35 GE(C) - auto 1000 full disable down -
36 GE(C) - auto 1000 full disable down -
37 GE(C) - auto 1000 full disable down -
38 GE(C) - auto 1000 full disable down -
39 GE(C) - auto 1000 full disable up -
40 GE(C) - auto 1000 full disable down -
41 GE(C) - auto 100 full disable up -
42 GE(C) - auto 1000 full disable down -
43 GE(C) - auto 1000 full disable down -
44 GE(C) - auto 1000 full disable down -
45 GE(C) - auto 1000 full disable down -
46 GE(C) - auto 1000 full disable down -
47 GE(C) - auto 1000 full disable down -
-------------------------------------------------------------------------------
2. Check whether the standby and active MPUs are the same hardware model and have the
same type of subcards installed or do not have any subcard installed.
3. Connect to the standby MPU through the console port to check whether the standby
MPU uses the same system software as the active MPU. If not, replace the system
software of the standby MPU with the one running on the active MPU.
4. Run the display reset-reason command to check why the card restarts. For details, see
"A Card Resets Unexpectedly" in the Troubleshooting - Hardware Troubleshooting.
5. Collect log information, alarm information, and configuration information, and then
contact Huawei technical support personnel to confirm whether a hardware fault occurs.
1.1.1.5 What Does PowerOff Mean and Why Is PowerOff Displayed in an LPU's
Status Information?
If the LPU status displays PowerOff, the LPU is powered off. Perform the following
operations to check why the LPU is powered off:
1. Check whether the power off slot slot-id command has been executed to power off the
LPU according to the current environment and planning requirements. If so, no action is
required. If not, run the power on slot slot-id command to power on the LPU.
2. If the LPU fails to be powered on, run the display power system command to view the
system power and card power. According to the information, you can determine whether
the LPU cannot be powered on because of insufficient power. If the remaining system
power is insufficient, add a system power module to increase the system power.
3. Check whether the LPU matches the running system version. For the mapping between
LPUs and software versions, see "Version Mapping" of the specific card in the Hardware
Description - Cards.
4. Run the display reset-reason command to check the reason why the LPU is powered
off. For details, see "A Card Resets Unexpectedly" in the Troubleshooting - Hardware
Troubleshooting.
5. If you still cannot determine why the LPU is powered off, collect log information, alarm
information, and configuration information, and then contact Huawei technical support
personnel to confirm whether a hardware fault occurs.
Run the display reset-reason command to view the reason why the LPU restarts. For details,
see "A Card Resets Unexpectedly" in the Troubleshooting - Hardware Troubleshooting.
Context
Electronic labels identify hardware information about a device, including the serial number,
manufacturing date, device model, and hardware description. You can view electronic labels
to learn about the serial number when the hardware is returned for repair or to learn about
hardware information such as the hardware manufacturing date.
Procedure
• Run the display elabel [ chassis-id[/slot-id][/subcard-id ] ] [ brief ] command to view
the electronic labels of a device.
• Run the display elabel backplane [ chassis chassis-id ] command to view the backplane
electronic label.
NOTE
----End
FAQ
[BackPlane_1]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=ES0B17712
BarCode=2102113308P0AC000021
Item=02113308
Description=Quidway S7712,ES0B17712,S7712 POE Assembly Chassis
Manufactured=2010-12-31
VendorName=Huawei
IssueNumber=00
CLEICode=
BOM=
[Slot_4]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=ES02G24SC
BarCode=030MQN10AB000014
Item=03030MQN
Description=Quidway S7700,ES02G24SC,24-Port 100/1000BASE-X Interface Card(EC,SFP),128K MAC
Manufactured=2010-11-27
VendorName=Huawei
IssueNumber=00
CLEICode=
BOM=
[Slot_13]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
DATE=10_11_04
SN=2102130859210B010005
TYPE=LE02PSA08
[Slot_17]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=LE0E2FBX
BarCode=2102120554P0AB001580
Item=02120554
Description=Wide Voltage Fan Box
Manufactured=2010-12-03
VendorName=Huawei
IssueNumber=00
CLEICode=
BOM=
[Board Properties]
BoardType=PLRXPLSCS4322N
BarCode=CB02UF1SW
Item=
Description=10300Mb/sec-850nm-LC-33(OM1),82(OM2),300(OM3),400(OM4)
Manufactured=2011-01-09
/$VendorName=JDSU
IssueNumber=
CLEICode=
BOM=
......
1.1.2.6 How Can I View the Part Number and What Is the Relationship Between
the Part Number and BarCode?
BarCode is the serial number, while the part number is the value of Item in an electronic
label.
The BarCode and part number identify a hardware component. Each component has a unique
serial number. The part number indicates the basic component number and often identifies a
type of component.
To apply for a license, authenticate a device, replace a device, or return a device for repair,
you need to provide the device's serial number to the manufacturer.
To return a card or subcard for repair or replace it, you need to provide the card or subcard
part number to the manufacturer.
<HUAWEI> display elabel 1/13
Info: It is executing, please wait...
[Slot_13]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=ET1D2MPUA000
BarCode=03030RPE10AC000007 //Indicates the serial number.
Item=03030RPE //Indicates the part number.
Description=
Manufactured=2010-12-04
VendorName=Huawei
IssueNumber=00
CLEICode=
BOM=
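The electronic label format above lends itself to automated hardware inventory checks. The following is an added example, not part of the original guide: it parses display elabel output into one record per [Slot_N] or [BackPlane_N] section and compares the serial number (BarCode or SN), part number (Item), and type against a recorded baseline, so that a swapped, missing, or unexpected component is reported. The observed values are taken from the sample output in this guide; the baseline dictionary, the function names, and the changed Slot_13 serial number are constructed for illustration.

```python
import re

# Observed output: values copied from the sample outputs shown in this guide.
OBSERVED = """\
<HUAWEI> display elabel
Info: It is executing, please wait...
[BackPlane_1]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=ES0B17712
BarCode=2102113308P0AC000021
Item=02113308
VendorName=Huawei
[Slot_4]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=ES02G24SC
BarCode=030MQN10AB000014
Item=03030MQN
VendorName=Huawei
[Slot_13]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
DATE=10_11_04
SN=2102130859210B010005
TYPE=LE02PSA08
"""

# Constructed baseline (what the asset register says should be installed).
# The Slot_13 serial number is deliberately different; Slot_17 is not in OBSERVED.
BASELINE = {
    "BackPlane_1": {"type": "ES0B17712", "serial": "2102113308P0AC000021", "part": "02113308"},
    "Slot_4": {"type": "ES02G24SC", "serial": "030MQN10AB000014", "part": "03030MQN"},
    "Slot_13": {"type": "LE02PSA08", "serial": "2102130859210B019999", "part": ""},
    "Slot_17": {"type": "LE0E2FBX", "serial": "2102120554P0AB001580", "part": "02120554"},
}

TOP = re.compile(r"^\[(Slot_\d+|BackPlane_\d+)\]$")          # starts a new component
SUB = re.compile(r"^(?:/\$)?\[[^\]]+\]$")                     # [Main_Board], /$[...], ...
KV = re.compile(r"^(?:/\$)?([A-Za-z][A-Za-z0-9_ ]*)=(.*)$")   # key=value, optional /$ prefix


def parse_elabel(text):
    """Return {section: {key: value}} for every [Slot_N] / [BackPlane_N] section."""
    labels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("......"):
            continue
        top = TOP.match(line)
        if top:
            current = labels.setdefault(top.group(1), {})
            continue
        if current is None or SUB.match(line):
            continue  # prompt/info lines before the first section, or sub-headers
        kv = KV.match(line)
        if kv:
            # First value wins, so a later [Board Properties] block in the same
            # section does not overwrite the main board's fields.
            current.setdefault(kv.group(1).strip(), kv.group(2).strip())
    return labels


def to_inventory(labels):
    """Normalise both label layouts (BoardType/BarCode/Item and TYPE/SN)."""
    return {
        section: {
            "type": p.get("BoardType") or p.get("TYPE", ""),
            "serial": p.get("BarCode") or p.get("SN", ""),
            "part": p.get("Item", ""),
            "vendor": p.get("VendorName", ""),
        }
        for section, p in labels.items()
    }


def diff_inventory(baseline, observed):
    """Return (section, finding, expected, observed) tuples for every deviation."""
    findings = []
    for section in sorted(set(baseline) | set(observed)):
        want, got = baseline.get(section), observed.get(section)
        if got is None:
            findings.append((section, "missing", want["serial"], ""))
        elif want is None:
            findings.append((section, "unexpected", "", got["serial"]))
        else:
            for field in ("type", "serial", "part"):
                if want[field] != got[field]:
                    findings.append((section, field + " changed", want[field], got[field]))
    return findings


if __name__ == "__main__":
    for finding in diff_inventory(BASELINE, to_inventory(parse_elabel(OBSERVED))):
        print(finding)
```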
Context
Each device has a unique equipment serial number (ESN). When you require technical
assistance or need to apply for a license, you need to provide the device serial number.
Procedure
• Run the display esn command to view the serial number of a device.
• Run the display device manufacture-info [ slot slot-id | backplane ] command to view
manufacturing information about the device, including the serial number and
manufacturing date.
----End
FAQ
Run the display elabel backplane command to view electronic label information. In the
command output, BarCode specifies the chassis serial number. The command format may
vary according to versions. You can enter a question mark (?) to obtain the command prompt
information and select the corresponding chassis parameters.
<HUAWEI> display elabel backplane
Info: It is executing, please wait...
[BackPlane_1]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=EH02BAKK
BarCode=2102113089P0BB000881
Item=02113089
......
In a CSS
Log in to the master switch through Telnet or the Console port, and run the display elabel
backplane chassis chassis-id command in the user view to view electronic label information.
chassis-id specifies the chassis ID, and BarCode specifies the chassis serial number. The
command format may vary according to versions. You can enter a question mark (?) to obtain
the command prompt information and select the corresponding chassis parameters.
<HUAWEI> display elabel backplane chassis ?
INTEGER<1-2> Chassis ID
[BackPlane_2]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=EH02BAKK
BarCode=2102113089P0BB000881
Item=02113549
......
NOTE
You can run the display device manufacture-info command to check the serial number obtained from
the electronic label. Only V200R003 and later versions support this command.
Method 2: Obtain the Chassis Serial Number Through the Web System
When the web system is enabled on a device, view the chassis serial number through the web
system.
Log in to a device through the web system and click Monitor on the toolbar to enter the
Monitor page. You can view device information, including the chassis serial number, as
shown in Figure 1-1.
Figure 1-3 Location of the serial number label (An S9706 chassis is used as an example.)
[Figure omitted: chassis illustration with a "Serial number label" callout]
[Slot_6]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=EH1D2S08SX1E
BarCode=020LVF6TBB000043
Item=03020LVF
......
NOTE
You can run the display device manufacture-info command to check the serial number obtained from
the electronic label. Only V200R003 and later versions support this command.
Method 2: Obtain the Board Serial Number Through the Web System (Supported
only on MPUs and LPUs)
When the web system is enabled on a device, view the board serial number through the web
system.
EasyOperation web system (supported only in V200R005 and later versions)
Log in to the switch through the web system, and click Monitor on the toolbar to enter the
Monitor page. You can view board information. When you move the mouse pointer over a board,
basic information about the board is displayed, including port, version, and serial number, as
shown in Figure 1-4.
Log in to the switch through the web system, and click Device Summary on the toolbar to
enter the Device Summary page. Click the corresponding board on the switch to enter the
Board Information page. You can view the Slot Basic Information tab. On this tab, you can
view basic board information, including the board serial number, as shown in Figure 1-5.
• The serial number label is on the upper left corner of the board panel, as shown in Table
1-2.
• The serial number label is on the PCB of the board, as shown in Table 1-3.
Table 1-1 List of boards (The serial number label is on the upper right corner of the board
panel.)
Switch Series    Serial Number Label Type    Board Model
Table 1-2 List of boards (The serial number label is on the upper left corner of the board
panel.)
Switch Series    Serial Number Label Type    Board Model
Table 1-3 List of boards (The serial number label is on the PCB of the board panel.)
Switch Series    Serial Number Label Type    Board Model
[Slot_21]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
DATE=13_02_08
SN=2102310JFA6TGC907205
NOTE
The command format may vary according to versions. You can enter a question mark (?) to obtain the
command prompt information and select the corresponding power module parameters.
• 1600 W DC power module and 2200 W DC power module: The serial number label is attached
on the power module panel, as shown in Figure 1-6.
• 800 W AC power module and 2200 W AC power module: The serial number label is attached
on the right shell, as shown in Figure 1-7.
Figure 1-6 Location of the serial number label (A 2200 W DC power module is used as an
example.)
[Figure omitted: power module illustration with a "Serial number label" callout]
Figure 1-7 Location of the serial number label (A 2200 W AC power module is used as an
example.)
[Figure omitted: power module illustration with a "Serial number label" callout]
[Slot_18]
/$[Board Integration Version]
/$BoardIntegrationVersion=3.0
[Main_Board]
/$[ArchivesInfo Version]
/$ArchivesInfoVersion=3.0
[Board Properties]
BoardType=LE02FCMC
BarCode=2103010JTF0123456789
Item=02120995
......
NOTE
The command format may vary according to versions. You can enter a question mark (?) to obtain the
command prompt information and select the corresponding fan module parameters.
Figure 1-8 Location of the serial number label (A fan module on the S9700 is used as an
example.)
[Figure omitted: fan module illustration with a "Serial number label" callout]
[Board Properties]
BoardType=PLRXPLSCS4322N
BarCode=CB02UF1SW
Item=
Description=10300Mb/sec-850nm-LC-33(OM1),82(OM2),300(OM3),400(OM4)
Manufactured=2011-01-09
/$VendorName=JDSU
IssueNumber=
CLEICode=
BOM=
......
-------------------------------------------------------------
Common information:
Transceiver Type :UNKNOWN_SFP
Connector Type :LC
Wavelength(nm) :850
Transfer Distance(m) :80(50um),30(62.5um),300(OM3)
Digital Diagnostic Monitoring :YES
Vendor Name :JDSU
Vendor Part Number :PLRXPLSCS4322N
Ordering Name :
-------------------------------------------------------------
Manufacture information:
Manu. Serial Number :CB02UF1SW
Manufacturing Date :2011-01-09
Vendor Name :JDSU
-------------------------------------------------------------
Alarm information:
RX loss of signal
RX power low
-------------------------------------------------------------
Method 2: View the Label Attached on an Optical Module to View the Serial
Number
You can check the label attached on the optical module to obtain the serial number.
Context
When a power supply fault occurs on a device, you can run the following display commands
to view power supply and power information.
Procedure
• Run the display power command to view power supply information.
• Run the display power system command to view system power information.
----End
FAQ
1.1.4.1 How Can I Determine Whether the Power Supply Status Is Abnormal?
The power supply status is abnormal in either of the following situations:
1. Run the display power command to view the power supply status. If the State field
displays NotSupply, the power module does not supply power. Check whether the
power module is installed properly and whether the power switch is turned on.
<HUAWEI> display power
--------------------------------------------------------------------------
PowerID Online Mode State Current(A) Voltage(V) RealPwr(W)
--------------------------------------------------------------------------
PWR1 Present AC NotSupply - - -
PWR2 Present AC Supply 0.82 53.40 43.79
PWR3 Present AC Supply 0.97 53.51 51.90
PWR4 Present AC Supply 0.95 53.51 50.83
PWR5 Absent - - - - -
PWR6 Absent - - - - -
2. Run the display device command to view the power supply status. If the State field
displays Unregistered or Abnormal, the power supply status is abnormal. You can run
the display alarm all command to check whether there are any power supply alarms.
<HUAWEI> display alarm all
----------------------------------------------------------------------------
Level Date Time Info
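The two checks described in this FAQ can be run over captured command output. The following is an added example, not part of the original guide: it flags power modules whose State is NotSupply in display power output and components whose Power, Register, or Status column differs from PowerOn, Registered, and Normal in display device output, including rows where the Type column is empty. The display power sample is the one shown above; in the display device sample, the abnormal values on the slot 5 and PWR1 rows are constructed, and the function names are illustrative.

```python
# Sample from this guide (unchanged).
POWER_OUT = """\
<HUAWEI> display power
--------------------------------------------------------------------------
PowerID Online Mode State Current(A) Voltage(V) RealPwr(W)
--------------------------------------------------------------------------
PWR1 Present AC NotSupply - - -
PWR2 Present AC Supply 0.82 53.40 43.79
PWR3 Present AC Supply 0.97 53.51 51.90
PWR4 Present AC Supply 0.95 53.51 50.83
PWR5 Absent - - - - -
PWR6 Absent - - - - -
"""

# Rows follow the guide's sample; the abnormal values on slot 5 and PWR1 are constructed.
DEVICE_OUT = """\
<HUAWEI> display device
S7712's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
4 - ES0D0G48TA00 Present PowerOn Registered Normal NA
5 - LE0D0VAMPA00 Present PowerOff Unregistered Abnormal NA
8 - Present PowerOn Registered Normal NA
14 - ES0D00SRUB00 Present PowerOn Registered Normal Master
PWR1 - - Present PowerOn Unregistered Abnormal NA
FAN1 - - Present PowerOn Registered Normal NA
"""

# Values the guide's sample output shows for a healthy component.
EXPECTED = {"power": "PowerOn", "register": "Registered", "status": "Normal"}


def power_not_supplying(text):
    """Return the IDs of installed power modules whose State is NotSupply."""
    ids = []
    for line in text.splitlines():
        tok = line.split()
        # Data rows have 7 columns; the header row has "Online" in column 2.
        if len(tok) == 7 and tok[1] == "Present" and tok[3] == "NotSupply":
            ids.append(tok[0])
    return ids


def parse_device(text):
    """Parse display device rows, reading the last five columns from the right.

    The Type column can be empty (slot 8 in the sample), which leaves 7 tokens
    instead of 8, so positions are counted from the end of the row.
    """
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) not in (7, 8) or tok[-4] not in ("PowerOn", "PowerOff"):
            continue  # prompt, title, header, and separator lines
        online, power, register, status, role = tok[-5:]
        rows.append({
            "slot": tok[0],
            "type": tok[2] if len(tok) == 8 else "",
            "online": online, "power": power,
            "register": register, "status": status, "role": role,
        })
    return rows


def abnormal_components(rows):
    """Return (slot, [unexpected values]) for rows that deviate from EXPECTED."""
    findings = []
    for row in rows:
        bad = [row[k] for k in ("power", "register", "status") if row[k] != EXPECTED[k]]
        if bad:
            findings.append((row["slot"], bad))
    return findings


if __name__ == "__main__":
    print("Not supplying power:", power_not_supplying(POWER_OUT))
    for slot, bad in abnormal_components(parse_device(DEVICE_OUT)):
        print("Slot", slot, "->", ", ".join(bad))
```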
Context
Fans must operate normally to ensure normal operation of a device. Inefficient heat
dissipation will increase the device temperature and may damage the hardware. You can use
the following commands to view the fan status and check whether fans are operating
normally.
Procedure
• Run the display fan command to view the fan status.
• Run the display fan-para { all | slot slot-id } command to view the rated power and
speed adjustment policy of fans.
----End
Context
When the optical module on an interface is faulty, you can run the display commands to view
information about the optical module.
Procedure
• Run the display transceiver [ interface interface-type interface-number | slot slot-id ]
[ verbose ] command to view information about the optical module on a specified
interface.
----End
FAQ
• The optical module register is set incorrectly. Consequently, parameters and diagnostic
information cannot be read or are read incorrectly.
The A0 registers of some non-Huawei-certified optical modules are set incorrectly. As a
result, parameters and diagnostic information cannot be read or are read incorrectly by the
data bus.
• The optical module design does not comply with EMC requirements, its anti-electromagnetic
interference capability is low, and the optical module causes electromagnetic interference
to surrounding devices.
• The working temperature range of the optical module does not meet requirements,
causing the optical power to be reduced at a high temperature. Subsequently, services are
interrupted.
NOTE
The system may fail to obtain information about non-Huawei-certified switch optical modules or obtain
incorrect information. You are advised to use Huawei-certified switch optical modules.
For details about how to check the electronic label of an optical module, see 1.1.2.5 How Can
I View the Optical Module Electronic Label?.
Fault Description
Optical power alarms occur when two optical interfaces connect to each other.
Possible Causes
• The local and remote optical modules have different types and wavelengths.
• The optical module is incorrectly installed or the optical fiber fails.
• The fiber connected to the interface is too long or the fiber attenuation is high.
• The remote transmit power is not within the allowed range.
• The optical module fails.
Troubleshooting Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide technical support personnel.
1. Check whether the local and remote optical modules have the same wavelength.
Run the display transceiver [ interface interface-type interface-number | slot slot-id ]
[ verbose ] command to check optical module information on the interface. The
Wavelength(nm) field in the command output indicates the wavelength of an optical
module. If the two optical modules have different wavelengths, replace one optical
module to ensure that the two optical modules have the same wavelength.
If the fault persists, go to step 2.
2. Check the link connection.
Remove and install the fiber and optical module to ensure that the fiber and optical
module are properly connected. Check whether the fiber connector is damaged or dirty.
If so, replace the fiber.
If the fault persists, go to step 3.
3. Check the fiber length.
The fiber length must be shorter than the maximum transmission distance of an optical
module. For the maximum transmission distance supported by different optical modules,
see Pluggable Modules for Interfaces in the hardware description. If the fiber length
exceeds the maximum transmission distance of the optical modules, shorten the fiber
length or use optical modules with a longer transmission distance.
If the fault persists, go to step 4.
4. Check the transmit optical power on the remote device.
Ensure that the transmit optical power on the remote device exceeds the lower threshold.
If the fault persists, go to step 5.
5. Check whether the fiber type matches the optical module.
Determine whether the fiber type matches the optical module type according to the
following information:
– A multimode fiber can be used together with a multimode optical module.
– A single-mode fiber can only be used with a single-mode optical module. A single-
mode fiber is generally yellow, and a multimode fiber is generally orange.
– Two connected optical modules must have the same wavelength.
If the fault persists, go to step 6.
6. Check the optical module type and vendor.
Check whether the local and remote devices use optical modules of the same type but
from different vendors. If the connected optical modules have the same wavelength and
provide short-distance transmission but alarms indicating low or high optical power
occur, the two optical modules may be from different vendors. Although these optical
modules have the same wavelength, optical power alarms occur because different
vendors design different optical power indicators for these optical modules. To rectify
the fault, use optical modules of the same vendor.
You can run the display transceiver interface interface-type interface-number verbose
command to view power information of a specified optical module.
<HUAWEI> display transceiver interface gigabitethernet 3/0/0 verbose
GigabitEthernet3/0/0 transceiver information:
-------------------------------------------------------------
Common information:
Transceiver Type :1000_BASE_SX_SFP
Connector Type :LC
Wavelength(nm) :850
Transfer Distance(m) :500(50um),300(62.5um)
Digital Diagnostic Monitoring :YES
Vendor Name :FINISAR CORP.
Vendor Part Number :FTLF8519P2BNL-HW
Ordering Name :
-------------------------------------------------------------
Manufacture information:
Manu. Serial Number :PEP3L5D
Manufacturing Date :2008-12-05
Vendor Name :FINISAR CORP.
-------------------------------------------------------------
Alarm information:
TX power low
-------------------------------------------------------------
Diagnostic information:
Temperature(°C) :39
Voltage(V) :3.31
Bias Current(mA) :6.59
Bias High Threshold(mA) :10.50
Bias Low Threshold(mA) :2.50
Current Rx Power(dBM) :-2.23 //Indicate the current receive power of the optical module.
Default Rx Power High Threshold(dBM) :3.01 //Indicate the default receive power upper alarm threshold of the optical module.
Default Rx Power Low Threshold(dBM) :-15.02 //Indicate the default receive power lower alarm threshold of the optical module.
Current Tx Power(dBM) :-2.45 //Indicate the current transmit power of the optical module.
Default Tx Power High Threshold(dBM) :3.01 //Indicate the default transmit power upper alarm threshold of the optical module.
Default Tx Power Low Threshold(dBM) :-9.00 //Indicate the default transmit power lower alarm threshold of the optical module.
User Set Rx Power High Threshold(dBM) :3.01 //Indicate the configured receive power upper alarm threshold of the optical module.
User Set Rx Power Low Threshold(dBM) :-15.02 //Indicate the configured receive power lower alarm threshold of the optical module.
When the current optical module power is between the upper and lower thresholds, the optical
power is normal. When the current optical power exceeds the configured upper alarm
threshold, a high optical power alarm is generated. When the current optical power falls
below the configured lower alarm threshold, a low optical power alarm is generated.
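The threshold rule above, together with steps 1 and 4 of the troubleshooting procedure, can be applied to saved command output with a short script. The following Python is an added example, not part of the Huawei guide: the function names are hypothetical, the sample text is constructed from fields of the JDSU module output shown on this page, and falling back to the default threshold when no User Set threshold is displayed is an assumption.

```python
# Added example: classify optical power from "display transceiver ... verbose" text.

# Constructed sample: fields taken from the JDSU module output on this page,
# including one // annotation that wraps onto a second line.
SAMPLE = """\
GigabitEthernet3/0/0 transceiver information:
Common information:
Transceiver Type :UNKNOWN_SFP
Wavelength(nm) :850
Vendor Name :JDSU
Diagnostic information:
Bias Current(mA) :7.31 //Indicate the bias current of
the optical module.
Current Rx Power(dBM) :-29.21
Default Rx Power High Threshold(dBM) :1.50
Default Rx Power Low Threshold(dBM) :-14.00
Current Tx Power(dBM) :-1.82
Default Tx Power High Threshold(dBM) :-1.00
Default Tx Power Low Threshold(dBM) :-8.00
User Set Rx Power High Threshold(dBM) :1.50
"""


def parse_transceiver(text):
    """Return {field name: value} from the 'Name :value' lines of the output."""
    fields = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0]  # drop the manual's // annotations
        key, sep, value = line.partition(":")
        if sep and value.strip():
            # Keep the first occurrence (Vendor Name is printed twice).
            fields.setdefault(key.strip(), value.strip())
    return fields


def _number(fields, name):
    """Float value of a field, or None when it is absent or unreadable."""
    try:
        return float(fields[name])
    except (KeyError, ValueError):
        return None


def _threshold(fields, direction, bound):
    """Configured (User Set) threshold if displayed, otherwise the default."""
    for origin in ("User Set", "Default"):
        name = f"{origin} {direction} Power {bound} Threshold(dBM)"
        value = _number(fields, name)
        if value is not None:
            return value
    return None


def power_status(fields, direction):
    """Classify 'Rx' or 'Tx' power as 'high', 'low', 'normal' or 'unknown'."""
    current = _number(fields, f"Current {direction} Power(dBM)")
    high = _threshold(fields, direction, "High")
    low = _threshold(fields, direction, "Low")
    if current is None or high is None or low is None:
        return "unknown"  # the module reported no usable diagnostics
    if current > high:
        return "high"
    if current < low:
        return "low"
    return "normal"


def link_findings(local, remote):
    """Check wavelength (step 1) and power levels for both ends of a link."""
    findings = []
    if local.get("Wavelength(nm)") != remote.get("Wavelength(nm)"):
        findings.append("wavelength mismatch")
    if power_status(remote, "Tx") == "low":
        findings.append("remote Tx power below lower threshold")
    rx = power_status(local, "Rx")
    if rx != "normal":
        findings.append("local Rx power " + rx)
    return findings


if __name__ == "__main__":
    module = parse_transceiver(SAMPLE)
    print("Rx:", power_status(module, "Rx"), "Tx:", power_status(module, "Tx"))
```

A result of "unknown" corresponds to the case described earlier in which a module's parameters cannot be read or are read incorrectly.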
Two optical modules on the transmit and receive ends must have the same wavelength. You are advised to use
the same type of optical modules on the transmit and receive ends.
You can run the display transceiver interface interface-type interface-number command to
view wavelength of a specified optical module.
<HUAWEI> display transceiver interface gigabitethernet 3/0/0
GigabitEthernet3/0/0 transceiver information:
-------------------------------------------------------------
Common information:
Transceiver Type :1000_BASE_SX_SFP
Connector Type :LC
Wavelength(nm) :850
Transfer Distance(m) :500(50um),300(62.5um)
Digital Diagnostic Monitoring :YES
Vendor Name :FINISAR CORP.
Vendor Part Number :FTLF8519P2BNL-HW
Ordering Name :
-------------------------------------------------------------
Manufacture information:
Manu. Serial Number :PEP3L5D
Manufacturing Date :2008-12-05
Vendor Name :FINISAR CORP.
-------------------------------------------------------------
Alarm information:
TX power low
-------------------------------------------------------------
Optical signals sent from different types of sources can transmit over different distances due to negative
effects of optical fibers, such as dispersion and attenuation. When connecting optical interfaces, select optical
modules and fibers according to the longest signal transmission distance.
You can run the display transceiver interface interface-type interface-number command to
view the transmission distance of a specified optical module.
<HUAWEI> display transceiver interface gigabitethernet 3/0/0
GigabitEthernet3/0/0 transceiver information:
-------------------------------------------------------------
Common information:
Transceiver Type :1000_BASE_SX_SFP
1.1.6.7 How Can I View the Temperature, Voltage, and Current of an Optical
Module?
You can run the display transceiver interface interface-type interface-number verbose
command to view the temperature, voltage, and current of a specified optical module.
<HUAWEI> display transceiver interface gigabitethernet 3/0/0 verbose
GigabitEthernet3/0/0 transceiver information:
-------------------------------------------------------------
Common information:
Transceiver Type :UNKNOWN_SFP
Connector Type :LC
Wavelength(nm) :850
Transfer Distance(m) :80(50um),30(62.5um),300(OM3)
Digital Diagnostic Monitoring :YES
Vendor Name :JDSU
Vendor Part Number :PLRXPLSCS4322N
Ordering Name :
-------------------------------------------------------------
Manufacture information:
Manu. Serial Number :CB02UF1SW
Manufacturing Date :2011-01-09
Vendor Name :JDSU
-------------------------------------------------------------
Alarm information:
RX loss of signal
RX power low
-------------------------------------------------------------
Diagnostic information:
Temperature(°C) :33 //Indicate the current temperature of the optical module.
Voltage(V) :3.32 //Indicate the current voltage of the optical module.
Bias Current(mA) :7.31 //Indicate the bias current of the optical module.
Bias High Threshold(mA) :10.00 //Indicate the bias current higher threshold of the optical module.
Bias Low Threshold(mA) :2.60 //Indicate the bias current lower threshold of the optical module.
Current Rx Power(dBM) :-29.21
Default Rx Power High Threshold(dBM) :1.50
Default Rx Power Low Threshold(dBM) :-14.00
Current Tx Power(dBM) :-1.82
Default Tx Power High Threshold(dBM) :-1.00
Default Tx Power Low Threshold(dBM) :-8.00
User Set Rx Power High Threshold(dBM) :1.50
You can run the display transceiver interface interface-type interface-number command to
view information about a specified optical module. The displayed transmission distance
contains fiber diameter information. In the following command output, 50 um and 62.5 um
are fiber diameters, indicating multi-mode fibers. Fibers with a diameter of 9 um are
single-mode fibers. You can determine whether an optical module is a single-mode or
multi-mode optical module based on the fiber diameter.
<HUAWEI> display transceiver interface gigabitethernet 3/0/0
Transceiver info I/O error                Module information read and write error occurs.
Transceiver type not supported by port    An interface does not support the module hardware type.
GigabitEthernet3/1/12 transceiver information:
-------------------------------------------------------------
Common information:
Transceiver Type :1000_BASE_SX_SFP
Connector Type :LC
Wavelength(nm) :0
Vendor Name :AGILENT
Vendor Part Number :HFBR-5710L
Ordering Name :
-------------------------------------------------------------
Manufacture information:
Manu. Serial Number :AJ051801EK
Manufacturing Date :2005-05-03
Vendor Name :AGILENT
-------------------------------------------------------------
Alarm information:
RX loss of signal
-------------------------------------------------------------
GigabitEthernet3/1/13 transceiver information:
-------------------------------------------------------------
Common information:
Transceiver Type :1000_BASE_SX_SFP
Connector Type :LC
Wavelength(nm) :0
1000(OM3)
Digital Diagnostic Monitoring :NO
Vendor Name :AVAGO
Vendor Part Number :HFBR-5710L
Ordering Name :
-------------------------------------------------------------
Manufacture information:
Manu. Serial Number :AM070864WZ
Manufacturing Date :2007-02-25
Vendor Name :AVAGO
-------------------------------------------------------------
Alarm information:
RX loss of signal
-------------------------------------------------------------
Context
When the voltage of a card is abnormal, you can run the following command to view the
voltage of the card.
Procedure
l Run the display voltage { all | slot slot-id } command to view the voltage of a specified
card.
----End
FAQ
1.1.7.1 Why Is a Voltage Alarm Generated and What Can I Do to Clear the
Alarm?
Voltage Alarms
BASETRAP_1.3.6.1.4.1.2011.5.25.129.2.2.9 hwVoltRisingAlarm //The voltage exceeds the upper threshold.
BASETRAP/1/VOLTRISING: OID [oid] Voltage exceeded the upper pre-alarm limit.
(Index=[INTEGER], BaseThresholdPhyIndex=[INTEGER], ThresholdType=[INTEGER],
ThresholdIndex=[INTEGER], Severity=[INTEGER], ProbableCause=[INTEGER],
EventType=[INTEGER],PhysicalName=[OCTET], ThresholdValue=[INTEGER],
ThresholdUnit=[INTEGER], ThresholdHighWarning=[INTEGER],
ThresholdHighCritical=[INTEGER])
BASETRAP_1.3.6.1.4.1.2011.5.25.129.2.2.11 hwVoltFallingAlarm //The voltage falls below the lower threshold.
BASETRAP/1/VOLTFALLING: OID [oid] Voltage has fallen below the lower pre-alarm limit.
(Index=[INTEGER], BaseThresholdPhyIndex=[INTEGER], ThresholdType=[INTEGER],
ThresholdIndex=[INTEGER], Severity=[INTEGER], ProbableCause=[INTEGER],
EventType=[INTEGER], PhysicalName=[OCTET], ThresholdValue=[INTEGER],
ThresholdUnit=[INTEGER], ThresholdLowWarning=[INTEGER],
ThresholdLowCritical=[INTEGER])
ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.10.5 hwVoltAlarm 141056 //The voltage exceeds the upper threshold.
ENTITYTRAP/1/ENTITYVOLTALARM: OID [oid] Voltage of power rise over or fall below
the alarm threshold.(EntityPhysicalIndex=[INTEGER],
EntityThresholdType=[INTEGER],EntityThresholdValue=[INTEGER],
EntityThresholdCurrent=[INTEGER], EntityTrapFaultID=[INTEGER])
ENTITYTRAP_1.3.6.1.4.1.2011.5.25.219.2.10.5 hwVoltAlarm 141057 //The voltage falls below the lower threshold.
ENTITYTRAP/1/ENTITYVOLTALARM: OID [oid] Voltage of power rise over or fall below
the alarm threshold.(EntityPhysicalIndex=[INTEGER],
EntityThresholdType=[INTEGER],EntityThresholdValue=[INTEGER],
EntityThresholdCurrent=[INTEGER], EntityTrapFaultID=[INTEGER])
1.1.7.2 How Can I Determine Whether and Why the Voltage Is Abnormal?
-------------------------------------------------------------------------------
Solution: See 1.1.7.1 Why Is a Voltage Alarm Generated and What Can I Do to Clear the
Alarm?.
-------------------------------------------------------------------------------
9   -  5   3.3V         Normal  0       0       0
    -  6   1.8V         Normal  0       0       0
    -  7   1.5V         Normal  0       0       0
    -  8   1.0V_NP      Normal  0       0       0
    -  9   1.0V_CPU     Normal  0       0       0
    -  10  1.0V_NP_A    Normal  0       0       0
    -  11  1.2V         Normal  0       0       0
    -  12  1.5V_NPDDR   Normal  0       0       0
    -  13  5.0V         Normal  0       0       0
    -  14  0.9V_TCAM    Normal  0       0       0
    -  15  0.9V_TCAM_A  Normal  0       0       0
    -  16  0.9V_PHY     Normal  0       0       0
    -  17  12.0V        Normal  0       0       0
13  -  5   3.3V         Normal  3.3516  2.6460  3.9592
    -  6   1.0V         Normal  1.0192  0.8036  1.1956
    -  7   1.2V         Normal  1.1956  0.9604  1.4406
    -  8   1.5V         Normal  1.5190  1.1956  1.8032
    -  9   1.8V         Normal  1.8130  1.4406  2.1560
    -  10  2.5V         Normal  2.5480  1.9992  2.9988
    -  11  5.0V         Normal  4.9590  3.9440  5.9160
    -  12  3.3V_LSW     Normal  3.3320  2.6460  3.9592
    -  13  1.2V_OAM     Normal  1.1858  0.9604  1.4406
    -  14  2.0V_OAM     Normal  2.0139  1.6023  2.3961
    -  15  2.5V_OAM     Normal  2.5284  1.9992  2.9988
    -  16  3.3V_OAM     Normal  3.3320  2.6460  3.9592
-------------------------------------------------------------------------------
Context
When the device temperature is too high or too low, the hardware may be damaged. To learn
about the current device temperature, use the following command to view the device
temperature.
Procedure
l Run the display temperature { all | slot slot-id } command to view the device
temperature.
----End
FAQ
1.1.8.1 How Can I Determine Whether the Card Temperature Is too High?
Generally, the recommended operating temperature of a card ranges from 0°C to 45°C.
Each type of card has its own temperature range, and fans can automatically adjust their
speed according to the temperature range to ensure that the card temperature is within the
normal range. The card temperature is within the normal range if no high temperature alarm
is generated on the card.
1.1.8.2 Why Is a High Temperature Alarm Generated and How Can This Alarm
Be Cleared?
1.1.8.3 How Can I Determine Whether and Why the Temperature Is Abnormal?
---------------------------------------------------------------
9   -  1  Minor   70  0  64
    -  2  Normal  30  0  60
13  -  1  Normal  31  0  60
    -  2  Normal  34  0  63
14  -  1  Normal  34  0  60
    -  2  Normal  37  0  63
18  -  1  Normal  44  0  72
    -  2  Normal  38  0  64
1 1 Normal 28 0 55
Solution: See 1.1.8.2 Why Is a High Temperature Alarm Generated and How Can This
Alarm Be Cleared?.
Context
You can view current version information about the device to determine whether the device
needs to be upgraded or is upgraded successfully.
Procedure
l Run the display version [ slot slot-id | cmu cmu-id ] command to view version
information about the device.
----End
FAQ
2. MAB Version : 1
3. Board Type : ES0D0G48TA00
4. BootROM Version : 0207.00d3
5. BootLoad Version : 0207.00fb
1.2.1.2 How Can I View the Running Time of a Device and Card?
Run the display version command to view version information about the device. uptime
indicates the running time of the device and card.
<HUAWEI> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.150 (S7700 V200R007C00SPC100)
Copyright (C) 2000-2013 HUAWEI TECH CO., LTD
HUAWEI S7703 Terabit Routing Switch uptime is 0 week, 0 day, 1 hour, 3 minutes
BKP 0 version information:
1. PCB Version : LE02BAKB VER.A
2. Support PoE : No
3. Board Type : ES0B017712P0
4. MPU Slot Quantity : 2
5. LPU Slot Quantity : 3
Context
The card monitoring module (CANBUS) and system management software (SMS) are used to
implement basic management and maintenance on cards, for example, monitoring the
environment such as the temperature, power supply, and voltage. You can run the following
command to check the software version of the CANBUS and SMS.
Procedure
l Run the display environment version command to view the CANBUS version of a
specified card and system management software (SMS).
----End
Context
To learn about the services running on a device, run the following command to view the
device configuration.
Procedure
l Run the display current-configuration command to view the current device
configuration.
----End
FAQ
1.2.3.1 How Can I Determine Whether a Device Starts Using the Initial
Configuration?
When a device just finishes starting, you can run the display startup command to view the
startup configuration file. If the startup configuration file is NULL, the device has started
using the initial configuration.
NOTE
If the device configuration has been deleted using the reset saved-configuration command after startup, you
cannot determine whether the device has started using the initial configuration.
<HUAWEI> display startup
MainBoard:
default
1.2.3.2 How Can Low-Level Users View the Current Device Configuration?
The system defines a level for each command and manages commands based on command
levels. The system administrator (at level 3 or higher) can run the command-privilege level
level view view-name command-key command in the system view to change the command
level according to user requirements. This configuration can enable a low-level user to use
some high-level commands, or raise the command level to improve device security.
Users at a level lower than 3 (management level) cannot run the display current-configuration
command to view the current device configuration. To view the device configuration,
low-level users need to apply to the administrator. The administrator then determines
whether to lower the command level according to requirements.
You are not advised to change the default command level without the guidance of
professionals. Otherwise, it may result in inconvenience for operation and maintenance and
bring about security problems.
Context
When the system experiences a fault or during routine maintenance, you can view diagnostic
information to collect the running information of all modules.
Diagnostic information is mainly used for fault location. Collecting diagnostic information
may affect system performance. For example, it may cause a high CPU usage. Therefore,
collecting diagnostic information is not recommended when the system is running normally.
Procedure
l Run the display diagnostic-information [ acl | css | arp | bfd | defend | dhcp | l2adp |
l3adp | lldp | mcast | mpls | rrpp | sdk | sep | smlk | srm | stat | stp | ucm ] [ file-name ]
command to view the device diagnostic information.
----End
Context
You can run the following command to view the voltage, temperature, power supply
information, fan information, CPU usage, and memory usage of a device.
Procedure
l Run the display health command to view the device health status.
----End
Context
You can run the following command to view the current system MAC address.
Procedure
l Run the display system-mac command to view the system MAC address.
----End
Context
When a device becomes faulty, you can run the following commands to view historical alarms
and existing alarms for locating faults or learning about the device running status.
Procedure
l Run the display trapbuffer command to view the alarms recently generated on the
device. Alarms are recorded into a log file. You can view the log file to check historical
alarms.
l Run the display alarm active command to view the alarms that are not cleared after the
device starts.
l Run the display alarm history command to view the historical alarms that are recorded
after the device starts.
l Run the display alarm [ slot slot-id | all ] command to view alarms about hardware
management on all cards or a specified card.
----End
Context
CPU usage is an important indicator to evaluate device performance. A high CPU usage will
cause service faults, for example, Border Gateway Protocol (BGP) route flapping, frequent
Virtual Router Redundancy Protocol (VRRP) switchovers, or even user login failures. You
can use the following commands to view CPU usage statistics and configurations in real time
and verify that the device is running stably.
You can view CPU usage configurations to learn about the CPU usage alarm threshold and
CPU usage alarm recovery threshold.
l When the CPU usage reaches the alarm threshold, the system generates a CPU usage
alarm.
l When the CPU usage falls below the recovery threshold, the system generates a clear
alarm.
Procedure
l Run the display cpu-usage [ slave | slot slot-id ] command to view CPU usage statistics.
l Run the display cpu-usage configuration [ slave | slot slot-id ] command to view CPU
usage configurations.
----End
FAQ
For more details about CPU processes, see the description of the display cpu-usage [ slave |
slot slot-id ] command output.
5. Check whether network management operations are frequently performed on the device.
6. Check whether STP flaps or routing protocols flap.
7. Check whether the network structure changes and whether a loop occurs on the network.
8. Check whether malicious attacks exist.
For details about how to locate a high CPU usage, see "CPU Usage of a Device Is High" in
the Troubleshooting.
Context
Memory usage is an important performance indicator of a device. A high memory usage will
cause service faults. You can view the memory usage of a device in real time to determine
whether the device is running stably.
You can view the memory usage threshold to check the alarm generation conditions.
l When memory usage reaches the alarm threshold, the system generates a memory usage
alarm.
l When memory usage falls below the recovery threshold, the system generates a clear
alarm.
Procedure
l Run the display memory-usage [ slave | slot slot-id ] command to view memory usage
statistics.
l Run the display memory-usage threshold [ slot slot-id ] command to view the memory
usage threshold.
----End
FAQ
If the memory usage of a device meets the preceding conditions but still displays a large value
(larger than 60% for example), possible causes are as follows:
l The device is a low-end product with a small memory, and so its memory usage is high
during the device operation.
l The device is transmitting many services, occupying much memory.
2 Hardware Management
This chapter describes how to configure hardware management to operate and manage the
hardware resources of devices.
Context
Billions of devices exist on global networks, and each device has a MAC address. MAC
addresses are managed and allocated by the IEEE. Theoretically, each device has a unique
MAC address. However, MAC address conflicts may occur because of incorrect
configuration. In addition, you may need to use a specified MAC address for a device to suit
your network requirements. To avoid address conflicts and ensure configurations match rules,
you may need to change the MAC address on a device.
NOTE
Each device is assigned a global unique identifier from the manufacturer. Do not change the MAC
address of a device unless the change is absolutely necessary. If you change a MAC address, the
modification takes effect only after the device restarts.
When changing the MAC address, pay attention to the following points:
l The MAC address cannot be all 0s or all 1s.
l The MAC address cannot be a multicast MAC address.
l If a device supports 16 MAC addresses, the last hexadecimal digit of the MAC address must be 0.
If a device supports 256 MAC addresses, the last two hexadecimal digits of the MAC address must
be 0.
Procedure
Step 1 (Optional) Run:
display system-mac
The current and default MAC addresses of the device are displayed.
Step 2 Run:
set system-mac current hex-string [ chassis chassis-id ] ( The chassis chassis-id
parameter is valid only in a CSS. )
After configuring the device MAC address, restart the device for the configuration to take
effect.
----End
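The address rules listed in the NOTE above can be checked before set system-mac is run, which avoids a restart onto an address the device should not use. The following Python is an added example, not part of the Huawei guide: the function names and candidate addresses are hypothetical (constructed), and accepting '-', ':' and '.' as separators is an assumption, since the guide only calls the argument hex-string.

```python
import re

# Hex digits that must be zero at the end of the address, keyed by how many
# MAC addresses the device supports (the two cases the guide lists).
TRAILING_ZERO_DIGITS = {16: 1, 256: 2}


def normalize_mac(text):
    """Return the address as 12 lowercase hex digits, or raise ValueError.

    Assumption: '-', ':' and '.' separators are stripped so that H-H-H and
    colon-separated notations are both accepted.
    """
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits


def check_system_mac(text, supported_macs):
    """List the guide's rules that a candidate system MAC address violates.

    supported_macs is 16 or 256, the number of MAC addresses the device
    supports. An empty list means every rule in the NOTE is satisfied.
    """
    if supported_macs not in TRAILING_ZERO_DIGITS:
        raise ValueError("supported_macs must be 16 or 256")
    digits = normalize_mac(text)
    problems = []
    if digits == "0" * 12:
        problems.append("all 0s")
    if digits == "f" * 12:
        problems.append("all 1s")
    # A multicast address has the least significant bit of its first octet set.
    if int(digits[:2], 16) & 0x01:
        problems.append("multicast")
    count = TRAILING_ZERO_DIGITS[supported_macs]
    if digits[-count:] != "0" * count:
        problems.append(f"last {count} hex digit(s) not 0")
    return problems


if __name__ == "__main__":
    # Constructed candidate addresses, not taken from any device.
    for candidate, size in [
        ("00e0-fc12-3450", 16),
        ("00e0-fc12-3450", 256),
        ("0100-5e00-0000", 256),
        ("ffff-ffff-ffff", 16),
    ]:
        result = check_system_mac(candidate, size)
        print(candidate, size, "OK" if not result else result)
```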
Context
Information in electronic labels helps locate network faults and replace hardware in batches.
Therefore, backing up electronic labels is important to improving maintenance efficiency.
l If a network fault occurs, you can rapidly learn about hardware information using
electronic labels, thereby improving hardware maintenance efficiency. In addition, you
can efficiently analyze and trace hardware defects by analyzing information in electronic
labels of the faulty hardware.
l Before replacing hardware in batches, you can obtain accurate hardware deployment
information based on information in the electronic labels recorded in the archive systems
of customers' devices. Then you can evaluate the impact of hardware replacement and
define policies to efficiently replace hardware in batches.
Electronic labels can be backed up to a file server or the local memory. Before backing up
electronic labels to the file server, ensure that there are reachable routes between the device
and file server. The file server can be an FTP, SFTP or TFTP server. FTP and TFTP cannot
ensure secure file transfer; therefore, an SFTP server is recommended for users requiring
high network security.
Procedure
l Run:
backup elabel filename [ chassis-id[/slot-id ] ]
----End
Context
The EH1D2SRUDC00 and EH1D2SRUDC01 integrate the OAM, BFD, and NQA-RTP functions
and reserve a certain amount of bandwidth for these functions. If these functions are not used,
the reserved bandwidth is wasted. When the SRU hardware engine is disabled, the OAM,
BFD, and NQA-RTP functions are unavailable and bandwidth reserved for these functions is
allocated to a specific slot to improve the forwarding performance of the LPU in the slot.
Prerequisites
Before disabling the SRU hardware engine, ensure that the EH1D2SRUDC00 or
EH1D2SRUDC01 has been installed on the switch.
Procedure
Step 1 (Optional) Run:
display detect-engine configuration
Step 2 Run:
system-view
Step 3 Run:
undo detect-engine enable
----End
Context
A switch completes internal forwarding using limited resources. An S7706 or S7712
dynamically allocates internal forwarding resources to LPUs based on LPU types by default.
A standalone switch or a CSS system has a total of 64 internal forwarding resources. In
dynamic resource allocation mode, a standalone switch not running the CSS function provides
54 internal forwarding resources for LPUs, and a standalone switch running the CSS function
or a CSS system provides 46 internal forwarding resources for LPUs. In this mode, some
LPUs occupy a large number of internal forwarding resources. Therefore, if the CSS function
is enabled on a switch, allocatable internal forwarding resources may be insufficient for
LPUs. In this case, LPUs not allocated internal forwarding resources or allocated insufficient
internal forwarding resources fail to register and cannot provide services.
The static resource allocation mode prevents this problem. When this mode is configured, the
system allocates only two internal forwarding resources to each LPU, regardless of the LPU
type.
NOTE
Only the S7706 and S7712 support the configuration of the internal forwarding resource allocation
mode. The S9700 supports only the configuration of the static resource allocation mode for LPUs.
If the CSS function is not enabled on the switch, the internal forwarding resources are sufficient and you
do not need to configure the static resource allocation mode.
When the static resource allocation mode is used, SA series LPUs of the S7700 cannot register with the
system.
Procedure
Step 1 (Optional) Run:
display system-resource-mode configuration
The static resource allocation mode is configured. In this mode, the system allocates only two
internal forwarding resources to each LPU, regardless of the LPU type.
By default, the S7700 dynamically allocates internal forwarding resources to LPUs based on
LPU type.
----End
Context
A core device processes a large number of services and therefore maintains many MAC
address entries, IP address entries, and ACL entries. However, the number of the entries
supported by the device is limited. If these entries cannot meet service requirements, the
service processing efficiency degrades. Some LPUs provide extended entry space resources.
You can configure the resource mode of the extended entry space to increase the number of
MAC address entries, ACL entries, and IP address entries supported by the LPU.
You can use the assign resource-mode command to increase the MAC address entries and IP
address entries supported on X1E series LPUs. To increase the ACL entries supported on X1E
series LPUs, run the assign acl-mode command.
Procedure
Step 1 (Optional) Run:
display resource-assign configuration [ slot slot-id ]
The configuration of the resource mode of the extended entry space is displayed.
Step 2 Run:
system-view
The resource mode of the extended entry space of an LPU is configured. The resource mode
determines the specifications of the MAC address entries, ACL entries, and IP address entries
stored in the entry space.
By default, the resource allocation mode is enhanced-ipv4 for X1E series LPUs, ipv4-ipv6-acl
for EE series LPUs, and enhanced-mac for EC, BC and ED series LPUs.
NOTE
l Only the EE, EC, BC, ED, and X1E series LPUs support this command.
l After setting the resource allocation mode for extended entry register space of an LPU, save the
configuration and reset the LPU for the configuration to take effect.
l Among the EC series LPUs, the EH1D2X48SEC0 for the S9700 supports only the close-all,
enhanced-mac, enhanced-ipv4, and ipv4-ipv6 modes, among which close-all is the default mode.
The following table lists the entry space specifications obtained by different LPU series when
the resource mode for extended entry register space is configured. In the table,
l K indicates 1024, for example, 32K indicates 32 x 1024.
l Default indicates the default LPU mode, for example, enhanced-mac (Default).
l or, Share indicates that the current specification shares resources with another
specification, for example, 16K IPv4 or 8K IPv6 and 128000 (shared with FIB6).
l 64-bit indicates IPv6 entries with the mask length less than or equal to 64 bits, for
example: (12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit.
l 128-bit indicates IPv6 entries with the mask length longer than 64 bits, for example:
(12K IPv4 or 6K IPv6 64-bit) + 1K IPv6 128-bit.
l BC/EC series LPU (excluding the EH1D2X48SEC0)
Table columns: Mode; Specification (MAC, FIBv4, FIBv6, ARP, ND, Multicast IPv4,
Multicast IPv6, ACL (Ingress), ACL (Egress))
l ED series LPU
Table columns: Mode; Specification (MAC, FIBv4, FIBv6, ARP, ND, Multicast IPv4,
Multicast IPv6, ACL (Ingress), ACL (Egress))
l EE series LPU
Table columns: Mode; Specification (MAC, FIBv4, FIBv6, ARP, ND, Multicast IPv4,
Multicast IPv6, ACL (Ingress), ACL (Egress))
l EH1D2X48SEC0
Table columns: Mode; Specification (MAC, FIBv4, FIBv6, ARP, ND, Multicast IPv4,
Multicast IPv6, ACL (Ingress), ACL (Egress))
Step 4 Run:
assign acl-mode mode-id slot slot-id
NOTE
l2 0 0 64K
ipv4 64K 0 0
----End
Context
The actual forwarding capability of an LPU depends on the amount of bandwidth resources
allocated to it by the SRU. An LPU can forward data at line speed only when it has sufficient
bandwidth resources. An SRU provides limited bandwidth resources. In common fabric
mode, the SRU allocates equal amounts of bandwidth resources to each LPU. The allocated
bandwidth resources are sufficient for line-speed forwarding on most LPUs but cannot
support line-speed forwarding on some high-performance LPUs. When these high-
performance LPUs cannot realize line-speed forwarding, their forwarding capabilities are
wasted.
A device supports extended fabric mode of the SRU. In this mode, LPUs in slot 6 and slot 7
can obtain more bandwidth resources to ensure line-speed forwarding.
NOTE
In common fabric mode, the following LPUs cannot realize line-speed forwarding:
- EH1D2X12SSA0 (S9712)
- EH1D2L08QFC0 (S9712)
- EH1D2X08SED4/EH1D2X08SED5 (S9712)
- EH1D2X40SFC0 (S9712)
- EH1D2X16SFC0 (S9712)
- EH1D2X32SSC0 (S9712)
- EH1D2C02FEE0 (S9712)
- EH1D2X48SEC0 (S9712)
- ES0D0X12SA00 (S7712)
- ES1D2X16SFC0 (S7712)
- ES1D2X40SFC0 (S7712)
- ES1D2X32SSC0 (S7712)
- ES1D2X08SED4 (S7712)
- ES1D2C02FEE0 (S7712)
Pre-configuration Tasks
Before configuring the fabric mode on an S9712 switch, ensure that the switch is equipped
with an EH1D2SRUDC00/EH1D2SRUDC01 main control unit.
Before configuring the fabric mode on an S7712 switch, ensure that the switch is equipped
with an ES1D2SRUH000 main control unit and that the chassis type is SWC02BAKG000 (use
the display version command to check the chassis type).
Procedure
Step 1 (Optional) Run:
display fabric-mode configuration
----End
Context
When the standby MPU is not working normally, you can reset it to restore its functions
without affecting the existing services.
Procedure
Step 1 Run:
system-view
----End
Context
If the system active MPU becomes faulty, you can switch the active and standby MPUs.
After a command is executed to perform an active/standby switchover on a standalone device,
the standby MPU becomes the new active MPU, and the active MPU restarts and then
becomes the new standby MPU.
Figure 2-1 shows the change of roles after an active/standby switchover in a CSS is triggered by
commands.
Active/standby switchover is
triggered by a command
- The original standby switch becomes the master switch, and the original system standby
MPU becomes the system master MPU.
- The original system master MPU becomes a candidate system standby MPU, and the
original master switch becomes the standby switch.
- The standby MPU of the original master switch becomes the system standby MPU and
synchronizes data with the system master MPU.
NOTE
Before running a command to perform an active/standby switchover in a CSS, ensure that the master switch
in the CSS has two MPUs.
During an active/standby switchover, do not insert, remove, or reset active and standby
MPUs, LPUs, power modules, or fan modules. Otherwise, the device may restart or become
faulty.
Procedure
Step 1 (Optional) Run:
display switchover state
The active/standby switchover status is displayed. According to the status, you can determine
whether the active and standby MPUs meet switchover requirements.
Step 2 Run:
system-view
Step 3 Run:
slave switchover enable
Step 4 Run:
slave switchover
----End
Context
When an LPU needs to be upgraded or cannot work normally, you can reset the LPU to
update the version or restore the LPU to the normal state.
Resetting a card will interrupt services on the card. When a card is not working normally,
rectify the fault rather than reset the card to prevent services from being affected.
Procedure
Step 1 (Optional) Run:
display device [ slot slot-id ]
Step 2 Run:
reset slot slot-id [ all | master ]
The all and master parameters are displayed in the command if slot-id specifies an NGFW,
ACU2, or IPS card.
An NGFW, ACU2, or IPS card has two CPUs: one for the value-added service and one for
the switching service. If you specify all, both CPUs are reset. If you specify master, the CPU
of the value-added service is reset.
----End
Context
When a card is idle, you can power off the card without affecting services to ensure stable
system operation and save energy. You can also power on a specified card if service volume
increases.
NOTE
Procedure
Step 1 (Optional) Run:
display device [ slot slot-id ]
----End
Context
An X86 subcard uses an Intel X86 processor. A card with an X86 subcard is an Open Service
Platform (OSP) card. An OSP card can have an independent operating system and service
software. You can configure the OSP card and deploy services on its operating system. When
using an OSP card, you can start, shut down, or reset the X86 subcard on the OSP card to suit
service requirements.
Procedure
Step 1 (Optional) Run:
display osp status
The status of X86 subcards on all OSP cards is displayed in the system.
Step 2 Start, shut down, and reset the X86 subcard on an OSP card.
- Run:
startup osp slot-id
----End
Context
The device uses fixed temperature thresholds to increase and decrease the fan speed by
default. The fan speed increases when the device temperature exceeds the upper threshold and
decreases when the device temperature falls below the lower threshold. If you want to keep
the device working at a lower temperature, you can set lower fixed temperature thresholds.
Procedure
Step 1 (Optional) Run:
display fan speed-adjust threshold minus
The default temperature thresholds and the adjusted thresholds are displayed.
Step 2 Run:
system-view
----End
Context
The CPU is the core of a device. When the system has a large number of routes, many CPU
resources will be used. This degrades system performance and results in the delay in
processing data or causes high packet loss. During data processing, if the device can generate
an alarm when high CPU usage occurs, you can effectively monitor CPU usage and optimize
system performance to ensure system stability.
- CPU usage alarm threshold
When CPU usage reaches this threshold, the system generates an alarm.
- CPU usage alarm recovery threshold
When CPU usage falls below this threshold, the system clears the alarm.
Procedure
Step 1 (Optional) Run:
display cpu-usage configuration [ slave | slot slot-id ]
The CPU usage alarm threshold and CPU usage alarm recovery threshold are set.
By default, the CPU usage alarm threshold is 95% and the CPU usage alarm recovery
threshold is 80%.
----End
Context
Memory usage is an important indicator used to evaluate device performance. A high memory
usage will cause service faults. During data processing, if the device can generate an alarm
when high memory usage occurs, you can effectively monitor memory usage and optimize
system performance to ensure system stability.
Procedure
Step 1 (Optional) Run:
display memory-usage threshold [ slot slot-id ]
Step 2 Run:
system-view
Step 3 Run:
set memory-usage threshold threshold-value [ slot slot-id ]
----End
Context
You can set optical power alarm thresholds using commands. When the transmit or receive
power of an optical module exceeds the alarm threshold, an alarm is generated, indicating that
the optical module may be faulty.
An optical module has default optical power alarm thresholds, which are fixed and cannot be
changed. The configured optical power alarm thresholds must be within the default range. It is
not recommended to change optical power alarm thresholds of optical modules. When an
optical power alarm is generated, check the optical module and connected fibers first.
NOTE
- The system may fail to obtain information about non-Huawei-certified switch optical modules or obtain
incorrect information. You are advised to use Huawei-certified switch optical modules.
- Only enhanced optical modules support the query of optical power information.
- The XGE interfaces connected to the ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01, and
ET1D2FW00S02 cards do not support the configuration of optical power alarm thresholds.
- The XGE interface connected to the ACU2 card does not support the configuration of optical power
alarm thresholds.
Procedure
Step 1 (Optional) Run:
display transceiver [ interface interface-type interface-number | slot slot-id ]
[ verbose ]
Conventional, manufacturing, and alarm information about the optical module on a specified
interface is displayed.
Step 2 Run:
system-view
Upper and lower alarm thresholds are set for the transmit and receive power of the optical
module on the interface. When the transmit or receive power of an optical module exceeds the
upper alarm threshold or falls below the lower alarm threshold, an alarm is generated.
----End
Context
Non-Huawei-certified switch optical modules may fail to work normally. If non-Huawei-certified
switch optical modules are used on devices produced after July 1, 2013 (January 1, 2016 for
QSFP+ 40GE optical modules, CFP 40GE optical modules, and CFP 100GE optical modules), the
devices generate a large number of alarms to prompt users to replace these optical modules
with Huawei-certified switch optical modules. However, vendor information of optical modules
delivered early by Huawei may not be recorded, so non-Huawei-certified switch optical module
alarms are generated for them. To protect customer investment, these optical modules can
still be used. In this case, you can disable the alarm function for non-Huawei-certified
switch optical modules.
Procedure
Step 1 Run:
system-view
----End
This chapter describes how to configure the information center. It works as the information
hub and records system running information in real time, which helps the network
administrator and developers monitor network operation and analyze network faults.
3.1 Information Center Overview
3.2 Principles
3.3 Applications
3.4 Licensing Requirements and Limitations for the Information Center
3.5 Configuring Information Center
3.6 Maintaining the Information Center
3.7 Configuration Examples
Definition
The information center works as the information hub. Logs, traps, and debugging messages
generated by the device are sent to the information center for unified management and
flexible output.
Purpose
When an exception or a fault occurs on the device, users need to immediately and accurately
collect information generated during device running. The information center records
information generated by each module during device running, including logs, traps, and
debugging messages. You can configure the information center to classify and filter
information based on information types and severities so that information can be flexibly
output to different destinations such as the console, user terminal, and log host. By doing this,
users or network administrators can collect device information from different destinations so
that they can easily monitor the device running status and locate faults.
3.2 Principles
The information center receives information generated by the device and controls information
output based on defined severity.
When information filtering based on severity levels is enabled, only information whose
severity level value is less than or equal to the configured value is output. For example, if
the severity level value is set to 6, only information with a severity level ranging from
0 to 6 is output.
6 channel6
7 channel7
By default, logs, traps, and debugging messages are output from default channels. You can
change channel names or relationships between channels and output directions as required.
For example, the name of channel 6 is user1 and channel 6 is used to send information to the
log host. The information sent to the log host is output from channel 6 but not channel 2.
Table 3-3 lists relationships between default channels and output directions.
2 loghost Log host Outputs logs, debugging messages, and traps. The
information is saved to the log host in file format for
easy reference.
The information center filters information in a channel through the information filtering table.
The information filtering table is used to filter information output to different directions based
on information types, severities, and sources.
Fields of a log, in output order:
1 Leading character
2 Timestamp
3 Time Zone
4 Host name
5 Huawei identifier
6 Version number
7 Module name
8 Log level
9 Summary
10 Log type
11 Sequence number
12 Details
Fields of a trap, in output order:
1 Information type
2 Timestamp
3 Time Zone
4 Host name
5 Module name
6 Trap level
7 Summary
8 Details
# Information type. The number sign (#) indicates a trap and only
appears in the trapbuffer.
HostName Host name. The host name and module name are separated
by a space.
The switch can write logs to a log file in binary format. A binary log file consists of two parts:
3.3 Applications
- Run a command to view logs in the log buffer. Only the latest logs are saved in the log
buffer.
- Run a command to view logs in the storage device.
- Export logs to a log server and view logs on the server.
The first two methods do not require other network elements. To use the third method, you
need a server to save logs.
Licensing Requirements
Information center is a basic feature of a switch and is not under license control.
Version Requirements
NOTE
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
None
Pre-configuration Tasks
Before enabling log output, start the Switch.
Configuration Process
Table 3-7 lists the configuration process for enabling log output.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center enable
----End
Context
You can rename channels, which facilitates memorization and usage.
NOTE
Channel names must be unique. It is recommended that channel names represent channel functions.
0 console
1 monitor
2 loghost
3 trapbuffer
4 logbuffer
5 snmpagent
6 channel6
7 channel7
8 channel8
9 channel9
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center channel channel-number name channel-name
A name is configured for the information channel with the specified number.
----End
Context
If some logs are unnecessary, configure the device not to output these logs. When the filtering
function is enabled, the information center does not send the specified logs that satisfy the
filtering condition to any channel. As a result, no output direction receives the specified
logs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center filter-id { id | bymodule-alias modname alias } &<1-50>
or
info-center filter-id { id | bymodule-alias modname alias } [ bytime interval |
bynumber number ]
NOTE
- Currently, the device can filter logs or modules with a maximum of 50 log IDs or modules. If there
are more than 50 log IDs or modules, the system displays a message indicating that the filtering table
is full. To configure the filtering function, run the undo info-center filter-id { id | bymodule-alias
modname alias } &<1-50>, undo info-center filter-id { id | bymodule-alias modname alias }
[ bytime interval | bynumber number ], or undo info-center filter-id all command to delete
original IDs or modules, and reconfigure the log ID or module.
- To add multiple IDs or modules at a time, use a space to separate IDs or modules. The system
displays a message to report the result of adding each ID or module.
- You cannot add the same ID or module repeatedly.
- When you add an unregistered or nonexistent log ID or alias name, the system displays a message
indicating that the system fails to filter the log with the specified log ID or alias name.
----End
Context
To adjust the time format and time precision for information output, configure the timestamp.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center timestamp log { { date | format-date | short-date } [ precision-time
{ second | tenth-second | millisecond } ] | boot | none }
----End
Context
Logs generated on the Switch contain sequence numbers. That is, the log counter function is
enabled by default. For example, you can run the display logbuffer command to view the
sequence numbers of logs.
<HUAWEI> display logbuffer
Logging buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 5
Current messages : 512
If the Switch has been running for a long time, many logs may be generated.
- To prevent the Switch from encapsulating sequence numbers in logs sent to the log buffer,
log file, console, or terminal, disable the log counter function.
- To re-collect statistics on logs sent to the log buffer, log file, console, or terminal, disable
the log counter function, and then enable the log counter function.
- To view logs sent to the log buffer, log file, console, or terminal, disable the log counter
function and then enable it so that logs contain sequence numbers in ascending order.
NOTE
- If logs are sent to the console, log file, or terminal, logs are counted independently and sequence
numbers in the logs are in ascending order. That is, the sequence number of the log that was
generated first is 0 and the log that is generated later has a larger sequence number.
- If logs are sent to the log buffer, sequence numbers in logs are in descending order. That is, the
sequence number in the log that is generated recently is 0 and the log that was generated earlier has a
larger sequence number.
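An added example, not part of the original guide: a parser for the twelve-field log layout listed in section 3.2 that applies the severity rule and checks the sequence numbers described above for skipped or restarted values on a log host. The exact delimiters, the date timestamp form, and ascending counters on the log host are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Layout assumed from the twelve log fields listed in section 3.2:
# <leading>TIMESTAMP[TIMEZONE] HOST %%<version><MODULE>/<level>/<SUMMARY>(<type>)[<seq>]:<details>
# Only the "date" timestamp form (for example "Nov 30 2017 10:00:01") is handled.
LOG_RE = re.compile(
    r"^(?:<(?P<leading>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)"
    r"(?P<timezone>[+-]\d{2}:\d{2})? "
    r"(?P<host>\S+) "
    r"(?P<ident>%%)(?P<version>\d{2})"
    r"(?P<module>[A-Za-z][A-Za-z0-9_-]*)/(?P<level>[0-7])/(?P<summary>[A-Za-z0-9_-]+)"
    r"\((?P<type>[A-Za-z])\)"
    r"(?:\[(?P<seq>\d+)\])?:(?P<details>.*)$"
)

# Constructed sample lines as a log host might store them (not real device output).
SAMPLE_LINES = [
    "<189>Nov 30 2017 10:00:01+08:00 HUAWEI %%01MODA/5/SAMPLE_ONE(l)[10]:Constructed details.",
    "<188>Nov 30 2017 10:00:02+08:00 HUAWEI %%01ARP/4/SAMPLE_TWO(l)[11]:Constructed details.",
    "<188>Nov 30 2017 10:00:09+08:00 HUAWEI %%01ARP/4/SAMPLE_TWO(l)[15]:Constructed details.",
    "<190>Nov 30 2017 10:05:00+08:00 HUAWEI %%01MODA/6/SAMPLE_THREE(l)[0]:Constructed details.",
    "this line does not follow the layout",
]


def parse_log(line):
    """Split one log line into the twelve fields; return None if it does not match."""
    match = LOG_RE.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    record["level"] = int(record["level"])
    if record["seq"] is not None:
        record["seq"] = int(record["seq"])
    return record


def passes_severity(record, configured_level):
    """Severity rule from section 3.2: only values 0..configured_level are output."""
    return record["level"] <= configured_level


def audit_sequence(lines):
    """Report skipped and restarted sequence numbers per host, plus unparsed lines."""
    last_seq = {}
    gaps, restarts, unparsed = defaultdict(list), defaultdict(list), []
    for line in lines:
        record = parse_log(line)
        if record is None:
            unparsed.append(line)          # keep for manual review, never drop silently
            continue
        if record["seq"] is None:          # log counter disabled: nothing to check
            continue
        host, seq = record["host"], record["seq"]
        previous = last_seq.get(host)
        if previous is not None:
            if seq > previous + 1:         # logs between previous and seq never arrived
                gaps[host].append((previous, seq))
            elif seq <= previous:          # counter restarted (for example, re-enabled)
                restarts[host].append((previous, seq))
        last_seq[host] = seq
    return {"gaps": dict(gaps), "restarts": dict(restarts), "unparsed": unparsed}


if __name__ == "__main__":
    for host, spans in audit_sequence(SAMPLE_LINES)["gaps"].items():
        for previous, seq in spans:
            print(f"{host}: {seq - previous - 1} log(s) missing between {previous} and {seq}")
```

A gap means logs were generated but never stored on the log host; a restart matches the counter being disabled and enabled again, which the list above describes as the way to re-collect statistics.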
Procedure
Step 1 Run:
system-view
----End
Context
During the running of a device, if too many logs with the same log ID are generated, the
information center is too busy processing these logs to process logs with other log IDs, which
may even affect the running service. The information center monitors the traffic of logs with
different log IDs. When the traffic of logs with a specific log ID repeatedly exceeds the
threshold during the monitoring period, the information center suppresses the processing rate
of these specified logs by processing only the conforming traffic and discarding the non-
conforming traffic; when the traffic of logs with the specific log ID falls below the threshold
and remains below the threshold for five monitoring periods, the suppression is removed.
Procedure
Step 1 Run:
system-view
The maximum number of logs with the same log ID that the information center can process
every second is set.
By default, the information center processes a maximum of 30 logs with the same log ID in
every second. In certain application scenarios, by default, the information center needs to
process more than 50 logs with the same log ID in every second. You can set thresholds for
logs with different log IDs.
NOTE
Step 3 Run:
info-center rate-limit global-threshold value
The total number of logs that the information center can process each second is set.
Step 4 Run:
info-center rate-limit monitor-period value
The period for the information center to limit the log processing rate is set.
Step 5 (Optional) Run:
info-center rate-limit except { byinfoid infoID | bymodule-alias modname alias }
Cancel the log processing rate limit for logs with the specified ID or module name.
If logs with the specified ID or module name will never be generated in a huge number, you
can run this command to cancel the log processing rate limit for the logs. After this command
is run, the configured log processing rate limit will not be effective for logs with the specified
ID or module name.
----End
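An added example, not the device's implementation: a simplified model of the per-log-ID suppression described above, showing how many logs are discarded during a flood and how long suppression lingers afterwards. The monitoring period counted in seconds, the decision taken at the end of each period, and the reading of "repeatedly" as `trigger_seconds` are assumptions; the traffic profile is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class RateLimitResult:
    processed: int = 0
    discarded: int = 0
    suppressed_seconds: list = field(default_factory=list)  # second indexes under suppression


# Constructed traffic for one log ID: a 20-second flood at 200 logs/s, then 100 quiet
# seconds at 5 logs/s with a single 100-log burst at second 45.
CONSTRUCTED_COUNTS = [200] * 20 + [5] * 100
CONSTRUCTED_COUNTS[45] = 100


def simulate_rate_limit(per_second_counts, threshold=30, monitor_period=10,
                        trigger_seconds=2, release_periods=5, exempt=False):
    """Replay per-second log counts for one log ID through the suppression rule.

    threshold=30 is the default per-log-ID limit stated on the page, and
    release_periods=5 is the "five monitoring periods" release condition.
    monitor_period and trigger_seconds are assumed values for this model.
    exempt=True models an ID listed with "info-center rate-limit except".
    """
    result = RateLimitResult()
    suppressed = False
    quiet_periods = 0
    for start in range(0, len(per_second_counts), monitor_period):
        window = per_second_counts[start:start + monitor_period]
        over = 0                                  # seconds in this period above the threshold
        for offset, count in enumerate(window):
            if count > threshold:
                over += 1
            if suppressed:
                passed = min(count, threshold)    # conforming traffic only
                result.suppressed_seconds.append(start + offset)
            else:
                passed = count
            result.processed += passed
            result.discarded += count - passed    # non-conforming traffic is dropped
        if exempt:
            continue                              # the limit never applies to this ID
        if not suppressed:
            suppressed = over >= trigger_seconds
            quiet_periods = 0
        elif over == 0:
            quiet_periods += 1
            if quiet_periods >= release_periods:  # stayed below for five periods
                suppressed = False
        else:
            quiet_periods = 0                     # one burst restarts the release timer
    return result


if __name__ == "__main__":
    limited = simulate_rate_limit(CONSTRUCTED_COUNTS)
    print("processed:", limited.processed, "discarded:", limited.discarded)
    print("suppressed from second", limited.suppressed_seconds[0],
          "to second", limited.suppressed_seconds[-1])
```

In this model the single burst at second 45 is clipped and also restarts the five-period release timer, so discarded logs of that ID are a gap to account for when reconstructing a timeline.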
Context
On the system, service modules generate logs and control the volume of generated logs. The
information center processes the received logs.
When an ARP attack or route link failure occurs, service modules, such as ARP and VRRP,
generate a large number of repeated logs within a short period. In this situation, you can
enable suppression of statistics about consecutive repeated logs to protect the information
center against the impact of a large number of repeated logs.
Logs that are generated consecutively and have identical log IDs and parameters can be
regarded as repeated logs.
Procedure
Step 1 Run:
system-view
----End
Context
To view logs in the log buffer, configure the device to output logs to the log buffer.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center logbuffer
Step 3 Run:
info-center logbuffer channel { channel-number | channel-name }
The channel used by the device to output logs to the log buffer is specified.
By default, the device uses channel 4 to output logs to the log buffer.
Step 4 Run:
info-center source { module-name | default } channel { channel-number | channel-
name } log { state { off | on } | level severity } *
By default, channel 4 is enabled to output logs and the lowest log severity is warning.
----End
Context
After logs are output to a log file, you can view the log file anytime to monitor device running
based on the logs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center logfile channel { channel-number | channel-name }
Step 3 Run:
info-center source { module-name | default } channel { channel-number | channel-
name } log { state { off | on } | level severity } *
By default, channel 9 is enabled to output logs and the lowest log severity is debugging.
NOTE
If the size of a log file generated on the device exceeds the configured log file size, the system
compresses the log file into a zip file.
If the number of log files generated on the Switch exceeds the limit, the system deletes the
oldest log file.
If the remaining flash memory or CF card space is less than 30 MB, earlier compressed log
files are deleted. If no compressed log files can be deleted and the remaining flash memory or
CF card space is less than 30 MB, no log files will be generated.
The system saves logs in the log buffer to a log file periodically or when the log buffer is full.
To view current log information, run this command to save the logs in the log buffer to a log
file.
Logs in the log buffer can be manually saved to a log file. These logs will also be saved in a
log file in the following situations:
- Since the device starts, logs in the log buffer will be automatically saved to a log file
every 24 hours, and this saving interval cannot be configured.
- When the 64 KB log buffer is full, logs in the log buffer will be automatically saved to a
log file, and the log buffer size cannot be configured.
----End
Context
After logs are output to the console, you can view logs on the console (host from which you
can log in to the device through the console interface) to monitor device running.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center console channel { channel-number | channel-name }
Step 3 Run:
info-center source { module-name | default } channel { channel-number | channel-
name } log { state { off | on } | level severity } *
By default, channel 0 is enabled to output logs and the lowest log severity is warning.
Step 4 Run:
quit
Step 5 Run:
terminal monitor
Display of logs, traps, and debugging message output is enabled on the user terminal.
Step 6 Run:
terminal logging
----End
Context
After logs are output to a user terminal, you can view logs on the user terminal (host from
which you log in to the device through Telnet) to monitor device running.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center monitor channel { channel-number | channel-name }
Step 3 Run:
info-center source { module-name | default } channel { channel-number | channel-
name } log { state { off | on } | level severity } *
By default, channel 1 is enabled to output logs and the lowest log severity is warning.
Step 4 Run:
quit
Step 5 Run:
terminal monitor
Display of logs, traps, and debugging message output is enabled on the user terminal.
Step 6 Run:
terminal logging
----End
Context
After configuring the device to output logs to a log host, you can view logs saved on the log
host to monitor device running.
Pre-configuration Tasks
There is a reachable route between the device and the log host.
Procedure
Step 1 Run:
system-view
The device is configured to output logs to the log host with the specified domain name.
By default, the device does not output logs to a log host.
The device can output logs to eight log hosts (IPv4 and IPv6 hosts) to implement backup
among log hosts.
Step 3 Run:
info-center source { module-name | default } channel { channel-number | channel-
name } log { state { off | on } | level severity } *
The source interface used by the device to send messages to a log host is specified.
By default, the source interface for a device to send messages to a log host is the actual
interface that sends the messages.
After the source interface is specified, the log host determines the device that sends messages.
The log host then can easily retrieve received messages.
Step 5 (Optional) Run:
info-center loghost source-port source-port
The source port number used by the device to send messages to a log host is configured.
By default, the device sends messages to a log host using port 38514.
----End
Procedure
- Run the display channel [ channel-number | channel-name ] command to view the
channel configuration.
- Run the display info-center filter-id [ id | bymodule-alias modname alias ] command
to view information filtered by the information center.
- Run the display logbuffer command to check logs recorded in the log buffer.
- Run the display logfile file-name [ offset | hex ] * command to check the log file.
----End
Pre-configuration Tasks
Before enabling trap output, start the Switch.
Configuration Process
Table 3-9 lists the configuration process for enabling trap output.
1 3.5.2.1 Enabling the Information Center
You can configure the information center only after the information center is enabled.
By default, the information center is enabled.
Steps 2 to 4 are optional and can be performed in any sequence.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center enable
----End
Context
You can rename channels, which facilitates memorization and usage.
NOTE
Channel names must be unique. It is recommended that channel names represent channel functions.
0 console
1 monitor
2 loghost
3 trapbuffer
4 logbuffer
5 snmpagent
6 channel6
7 channel7
8 channel8
9 channel9
Procedure
Step 1 Run:
system-view
A name is configured for the information channel with the specified number.
----End
Context
If some traps are unnecessary, configure the device not to output these traps. When the
filtering function is enabled, the information center does not send the specified traps that
satisfy the filtering condition to any channel. As a result, no output direction receives
the specified traps.
Procedure
Step 1 Run:
system-view
NOTE
- Currently, the device can filter logs or modules with a maximum of 50 log IDs or modules. If there
are more than 50 log IDs or modules, the system displays a message indicating that the filtering table
is full. To configure the filtering function, run the undo info-center filter-id { id | bymodule-alias
modname alias } &<1-50>, undo info-center filter-id { id | bymodule-alias modname alias }
[ bytime interval | bynumber number ], or undo info-center filter-id all command to delete
original IDs or modules, and reconfigure the log ID or module.
- To add multiple IDs or modules at a time, use a space to separate IDs or modules. The system
displays a message to report the result of adding each ID or module.
- You cannot add the same ID or module repeatedly.
- When you add an unregistered or nonexistent ID or alias name, the system displays a message
indicating that the system fails to filter the trap with the specified ID or alias name.
----End
Context
To adjust the time format and time precision for information output, configure the timestamp.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center timestamp trap { { date | format-date | short-date } [ precision-time
{ second | tenth-second | millisecond } ] | boot | none }
----End
Context
To view traps in the trap buffer, configure the device to output traps to the trap buffer.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center trapbuffer
The channel used by the device to output traps to the trap buffer is specified.
By default, the device uses channel 3 to output traps to the trap buffer.
Step 4 Run:
info-center source { module-name | default } channel { channel-number | channel-
name } trap { state { off | on } | level severity } *
----End
Context
After traps are output to a log file, you can view the log file anytime to monitor device
running based on the traps.
Procedure
Step 1 Run:
system-view
----End
Context
After traps are output to the console, you can view traps on the console (host from which you
can log in to the device through the console interface) to monitor device running.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center console channel { channel-number | channel-name }
Display of logs, traps, and debugging message output is enabled on the user terminal.
By default, console display is enabled and terminal display is disabled.
Step 6 Run:
terminal trapping
----End
Context
After traps are output to a user terminal, you can view traps on the user terminal (host from
which you log in to the device through Telnet) to monitor device running.
Procedure
Step 1 Run:
system-view
Display of logs, traps, and debugging message output is enabled on the user terminal.
By default, console display is enabled and terminal display is disabled.
Step 6 Run:
terminal trapping
----End
Context
After configuring the device to output traps to a log host, you can view traps saved on the log
host to monitor device running.
Pre-configuration Tasks
There is a reachable route between the device and the log host.
Procedure
Step 1 Run:
system-view
- Run:
info-center loghost domain domain-name [ channel { channel-number | channel-
name } | facility local-number | language language-name } | log-counter
{ disable | enable } | local-time | port port | transport { udp | tcp ssl-
policy policy-name } ] *
The device is configured to output traps to the log host with the specified domain name.
The device can output traps to eight log hosts (IPv4 and IPv6 hosts) to implement backup
among log hosts.
Step 3 Run:
info-center source { module-name | default } channel { channel-number | channel-
name } trap { state { off | on } | level severity } *
By default, channel 2 is enabled to output traps and the lowest severity is debugging.
The source interface used by the device to send messages to a log host is specified.
By default, the source interface for a device to send messages to a log host is the actual
interface that sends the messages.
After the source interface is specified, the log host determines the device that sends messages.
The log host then can easily retrieve received messages.
The source port number used by the device to send messages to a log host is configured.
By default, the device sends messages to a log host using port 38514.
----End
Context
When an exception or a fault occurs on the device, the network administrator needs to learn
the device running status. You can configure the device to output traps to an NMS server so
that the network administrator can monitor the device in real time and locate faults
immediately. Before configuring the device to output traps to an NMS server, configure the
device to output traps to an SNMP agent. Then the SNMP agent sends traps to the NMS
server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center snmp channel { channel-number | channel-name }
The channel used by the device to output traps to an SNMP agent is specified.
By default, the device uses channel 5 to output traps to an SNMP agent.
Step 3 Run:
info-center source { module-name | default } channel { channel-number | channel-name } trap { state { off | on } | level severity } *
----End
Procedure
- Run the display channel [ channel-number | channel-name ] command to view the channel configuration.
- Run the display info-center filter-id [ id | bymodule-alias modname alias ] command to view information filtered by the information center.
- Run the display logfile file-name [ offset | hex ] * command to check the log file.
- Run the display trapbuffer [ size value ] command to check traps recorded in the trap buffer.
----End
Pre-configuration Tasks
Before enabling debugging message output, start the Switch.
Debugging occupies CPU resources on the device, affecting system running. After debugging,
run the undo debugging all command to disable it immediately.
Configuration Process
Table 3-11 lists the configuration process for enabling debugging message output.
1. 3.5.3.1 Enabling the Information Center: You can configure the information center only after the information center is enabled. By default, the information center is enabled.
Steps 2 and 3 are optional and can be performed in any sequence.
Procedure
Step 1 Run:
system-view
Step 2 Run:
info-center enable
----End
Context
You can rename channels, which facilitates memorization and usage.
NOTE
Channel names must be unique. It is recommended that channel names represent channel functions.
0 console
1 monitor
2 loghost
3 trapbuffer
4 logbuffer
5 snmpagent
6 channel6
7 channel7
8 channel8
9 channel9
Procedure
Step 1 Run:
system-view
A name is configured for the information channel with the specified number.
----End
Context
To adjust the time format and time precision for information output, configure the timestamp.
Procedure
Step 1 Run:
system-view
----End
3.5.3.4 Configuring the Device to Output Debugging Messages to the Log File
Context
After debugging messages are output to a log file, you can download the log file anytime to
monitor device running based on debugging messages.
Procedure
Step 1 Run:
system-view
The channel used by the device to output debugging messages to a log file is specified.
By default, the device uses channel 9 to output debugging messages into a log file.
Step 3 Run:
info-center source { module-name | default } channel { channel-number | channel-name } debug { state { off | on } | level severity } *
NOTE
If the size of a log file generated on the device exceeds the configured log file size, the system
compresses the log file into a zip file.
- After the device starts, logs in the log buffer are automatically saved to a log file
every 24 hours. This saving interval cannot be configured.
- When the 64 KB log buffer is full, logs in the log buffer are automatically saved to a
log file. The log buffer size cannot be configured.
----End
Context
After debugging messages are output to the console, you can view debugging messages on the
console (host from which you can log in to the device through the console interface) to
monitor device running.
Procedure
Step 1 Run:
system-view
A channel used by the device to output debugging messages to the console is specified.
By default, the device uses channel 0 to output debugging messages to the console.
Step 3 Run:
info-center source { module-name | default } channel { channel-number | channel-name } debug { state { off | on } | level severity } *
Display of logs, traps, and debugging message output is enabled on the user terminal.
By default, console display is enabled and terminal display is disabled.
Step 6 Run:
terminal debugging
----End
Context
After debugging messages are output to a user terminal, you can view debugging messages on
the user terminal (host from which you log in to the device through STelnet) to monitor
device running.
Procedure
Step 1 Run:
system-view
A channel used by the device to output debugging messages to a user terminal is specified.
By default, the device uses channel 1 to output debugging messages to a user terminal.
Step 3 Run:
info-center source { module-name | default } channel { channel-number | channel-name } debug { state { off | on } | level severity } *
Display of logs, traps, and debugging message output is enabled on the user terminal.
By default, console display is enabled and terminal display is disabled.
Step 6 Run:
terminal debugging
----End
3.5.3.7 Configuring the Device to Output Debugging Messages to the Log Host
Context
After configuring the device to output debugging messages to a log host, you can view
debugging messages saved on the log host to monitor device running.
Pre-configuration Tasks
There is a reachable route between the device and the log host.
Procedure
Step 1 Run:
system-view
The device is configured to output debugging messages to the IPv4 log host.
- Run:
info-center loghost ipv6 ipv6-address [ channel { channel-number | channel-name } | facility local-number | language language-name | local-time | log-counter { disable | enable } | port port | transport { udp | tcp ssl-policy policy-name } ] *
The device is configured to output debugging messages to the IPv6 log host.
- Run:
info-center loghost domain domain-name [ channel { channel-number | channel-name } | facility local-number | language language-name | log-counter { disable | enable } | local-time | port port | transport { udp | tcp ssl-policy policy-name } ] *
The device is configured to output debugging messages to the log host with the specified
domain name.
By default, the device does not output debugging messages to a log host.
The device can output debugging messages to eight log hosts (IPv4 and IPv6 hosts) to
implement backup among log hosts.
Step 3 Run:
info-center source { module-name | default } channel { channel-number | channel-name } debug { state { off | on } | level severity } *
The source interface used by the device to send messages to a log host is specified.
By default, the source interface for a device to send messages to a log host is the actual
interface that sends the messages.
After the source interface is specified, the log host determines the device that sends messages.
The log host then can easily retrieve received messages.
The source interface number used by the device to send messages to a log host is configured.
By default, the device sends messages to a log host using interface 38514.
----End
Procedure
- Run the display channel [ channel-number | channel-name ] command to view the channel configuration.
- Run the display info-center filter-id [ id | bymodule-alias modname alias ] command to view information filtered by the information center.
- Run the display logfile file-name [ offset | hex ] * command to check the log file.
----End
Statistics of the information center cannot be restored after you clear them. Exercise caution
when running the commands.
Procedure
- To clear the statistics of the information center, run the reset info-center statistics command in the user view.
- To clear the statistics in the log buffer, run the reset logbuffer command in the user view.
- To clear the statistics in the trap buffer, run the reset trapbuffer command in the user view.
----End
- Run the display info-center statistics command to view statistics of the information center.
- Run the display logbuffer command to view logs recorded in the log buffer.
- Run the display logfile file-name [ offset | hex ] * command to view the log file.
- Run the display trapbuffer [ size value ] command to view traps recorded in the trap buffer.
----End
NOTE
FTP is not a secure protocol. SFTP is recommended on networks that require high security.
Figure 3-8 Networking diagram for outputting logs to the log file
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center.
2. Configure a channel and a rule for outputting logs to a log file so that logs are saved in
the log file.
3. Configure SwitchA to transfer the log file to the FTP server so that the network
administrator can use the FTP server to view logs generated by SwitchA.
Procedure
Step 1 Enable the information center.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] info-center enable
Step 2 Configure a channel and a rule for outputting logs to a log file.
NOTE
By default, channel 9 is used to send logs to a log file. If the default setting is used, skip this step.
Step 3 Configure SwitchA to transfer the log file to the FTP server.
# Log in to the FTP server with user name user1 and password huawei2012.
<SwitchA> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):user1
331 Password required for user1.
Enter password:
230 User logged in.
# View the received log file on the FTP server. The configuration details are not mentioned
here.
----End
Configuration Files
- Configuration file of SwitchA
#
sysname SwitchA
#
info-center source default channel 6 log level warning
info-center logfile channel 6
#
return
Networking Requirements
As shown in Figure 3-9, SwitchA connects to four log hosts. The log hosts must be reliable
and must receive logs of different types so that the network administrator can monitor
logs generated by different modules on SwitchA.
[Figure 3-9: SwitchA (VLANIF100 172.16.0.1/24, 10GE1/0/1) connected to Server1 (10.1.1.1/24), Server 2 (10.2.1.1/24), Server 3 (10.1.1.2/24), and Server 4 (10.2.1.2/24)]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable the information center.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] info-center enable
Step 2 Configure a channel and a rule for outputting logs to a log host.
# Name a channel.
[SwitchA] info-center channel 6 name loghost1
[SwitchA] info-center channel 7 name loghost2
Step 3 Configure an IP address for the interface that sends log information.
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif100
[SwitchA-Vlanif100] ip address 172.16.0.1 255.255.255.0
[SwitchA-Vlanif100] return
Log buffer:
enabled,max buffer size 1024, current buffer size 512,
current messages 26, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 0
Trap buffer:
enabled,max buffer size 1024, current buffer size 256,
current messages 11, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
logfile:
channel number : 9, channel name : channel9, language : English
Information timestamp setting:
log - date, trap - date, debug - date millisecond
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
info-center channel 6 name loghost1
info-center channel 7 name loghost2
info-center source ARP channel 6 log level notification
info-center source AAA channel 7 log level warning
info-center loghost 10.1.1.1 channel 6
info-center loghost 10.1.1.2 channel 6
info-center loghost 10.2.1.1 channel 7
info-center loghost 10.2.1.2 channel 7
#
vlan batch 100
#
interface Vlanif100
ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
Figure 3-10 Networking diagram for outputting traps to the SNMP agent
[Figure 3-10: SwitchA (GE1/0/1, VLANIF2 10.1.1.2/24) connected to the NM Station (10.1.1.1/24)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center.
2. Configure a channel and a rule for outputting traps to the SNMP agent so that the SNMP
agent can receive traps generated by SwitchA.
3. Configure SwitchA to output traps to the NMS station so that the NMS station can
receive traps generated by SwitchA.
Procedure
Step 1 Enable the information center.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] info-center enable
Step 2 Configure a channel and a rule for outputting traps to the SNMP agent.
# Configure a channel for outputting traps to the SNMP agent.
[SwitchA] info-center snmp channel channel7
NOTE
By default, the device uses the SNMP agent to output traps of all modules.
Step 3 Configure an IP address for the interface used to send trap messages.
[SwitchA] vlan batch 2
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 2
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.1.1.2 24
[SwitchA-Vlanif2] quit
Step 4 Configure the SNMP agent to output traps to the NMS station.
# Enable the SNMP agent and set the SNMP version to SNMPv2c.
[SwitchA] snmp-agent sys-info version v2c
# View traps output through the channel used by the SNMP agent.
<SwitchA> display channel 7
channel number:7, channel name:channel7
MODU_ID NAME ENABLE LOG_LEVEL ENABLE TRAP_LEVEL ENABLE DEBUG_LEVEL
ffff0000 default Y debugging Y debugging N debugging
416e0000 ARP Y debugging Y informational N debugging
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
info-center source ARP channel 7 trap level informational
info-center snmp channel 7
#
vlan batch 2
#
interface Vlanif2
Networking Requirements
As shown in Figure 3-11, the PC connects to SwitchA through a console interface. It is
required that debugging messages of the ARP module be displayed on the PC.
Figure 3-11 Networking diagram for outputting debugging messages to the console
[Figure 3-11: PC connected to SwitchA through the console interface]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable the information center.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] info-center enable
Step 2 Configure a channel and a rule for outputting debugging messages to the console.
[SwitchA] info-center source arp channel console debug level debugging state on
[SwitchA] quit
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
info-center source ARP channel 0
#
return
4 NTP Configuration
This chapter describes how to configure Network Time Protocol (NTP) to synchronize time
among a set of distributed time servers and clients.
NOTE
4.1 Overview
4.2 Principles
4.3 Application
This section describes the usage scenarios of NTP.
4.4 Licensing Requirements and Limitations for NTP
4.5 Configuring the NTP
4.6 Maintaining NTP
4.7 Configuration Examples
4.8 Reference
This section lists references of NTP.
4.1 Overview
Definition
The Network Time Protocol (NTP) is an application layer protocol in the TCP/IP protocol
suite. NTP is used to synchronize the time among a set of distributed time servers and clients.
NTP is implemented based on the Internet Protocol (IP) and User Datagram Protocol (UDP).
NTP packets are transmitted using UDP port 123.
Purpose
As network topologies become increasingly complex, clock synchronization becomes more
important for devices on the entire network. If a system clock is modified manually by
network administrators, the workload is heavy and the modification is error-prone, which
affects clock precision. NTP is formulated as a networking protocol for clock synchronization
between devices on a network.
NTP applies to the following situations where all the clocks of the devices on a network need
to be consistent:
- In network management, analysis of logs or debugging messages collected from different
routers requires time for reference.
- An accounting system requires that the clocks of all the devices be consistent.
- When several systems work together to process a complicated event, they have to refer
to the same clock to ensure a correct execution order.
- Incremental backup between a backup server and clients requires that their clocks be
synchronized.
- Some applications need to obtain the times at which a user logs in to a system and a
document is modified.
Version Evolution
NTP evolved from a time protocol and the ICMP Timestamp message, but is specifically
designed to maintain time accuracy and clock robustness. Table 4-1 shows the NTP version
evolution.
Version  Date        RFC       Description
NTPv1    June 1988   RFC 1059  NTPv1 puts forward complete NTP rules and algorithms for the first time, but it does not support authentication and control messages.
NTPv3    March 1992  RFC 1305  NTPv3 uses correctness principles and improves clock selection and filter algorithms, and it is widely used.
NTPv4    June 2010   RFC 5905  NTPv3 only applies to an IPv4 network. As IPv6 develops and network security requirements grow, NTPv4 is produced. NTPv4, an extension of NTPv3, is compatible with NTPv3.
                               - NTPv4 applies to both IPv4 and IPv6 networks.
                               - NTPv4 provides a complete encryption and authentication system so it is more secure than NTPv3.
4.2 Principles
4.2.1 Principles
In Figure 4-1, the NTP client and server are connected. They are independent clock systems
and synchronize their system clocks through NTP.
- Before the NTP client and server synchronize their system clocks, the NTP client's
clock is set to Ta and the NTP server's clock is set to Tb.
- The NTP server functions as the NTP clock server, and the NTP client needs to synchronize
its clock with the NTP server.
- Assume that the precision of the system clocks on the NTP client and server is 0, that is,
exactly precise.
[Figure 4-1: NTP packet exchange between the NTP client and the NTP server, with timestamps T1 (NTP request packet sent), T2, T3, and T4 (NTP reply packet received)]
NOTE
In the preceding description, the clocks are precise. However, there may be a time difference
between the clocks of the client and server. Therefore, RFC 1305 defines complicated algorithms
for NTP to ensure clock synchronization precision.
[Figure: synchronization subnet showing a primary time server (stratum1) and two secondary time servers (stratum2); device labels SwitchB and SwitchD]
Under normal circumstances, the primary time server and the secondary time servers in a
synchronization subnet are arranged in a hierarchical-master-slave structure. In this structure,
the primary time server is located at the root, and the secondary time servers are arranged
close to leaf nodes. As their strata increase, the precision decreases accordingly. The extent to
which the precision of the secondary time servers decreases depends on stability of network
paths and the local clock.
NOTE
When the synchronization subnet has multiple primary time servers, the optimal server can be selected
using an algorithm.
- Broadcast Mode
- Multicast Mode
- Manycast Mode
You can select an appropriate operating mode as required.
- Client: A host running in client mode (client for short) periodically sends packets to the
server. The Mode field in the packets is set to 3, indicating that the packets are coming
from a client. After receiving a reply packet, the client filters and selects clock signals,
and synchronizes its clock with the server that provides the optimal clock. A client does
not check the reachability and stratum of the server. Usually, a host running in this mode
is a workstation on a network. It synchronizes its clock with the clock of a server but
does not change the clock of the server.
- Server: A host running in server mode (server for short) receives the packets from clients
and responds to the packets received. The Mode field in reply packets is set to 4,
indicating that the packets are coming from a server. Usually, the host running in server
mode is a clock server on a network. It provides synchronization information for clients
but does not change its own clock.
During and after the restart, the host operating in client mode periodically sends NTP request
messages to the host operating in server mode. After receiving the NTP request message, the
server swaps the position of destination IP address and source IP address, and the source port
number and destination port number, fills in the necessary information, and sends the message
to the client. The server does not need to retain state information. The client freely adjusts the
interval for sending NTP request messages according to the local conditions.
Peer Mode
The peer mode runs on a lower stratum on a synchronous subnet. In this mode, an active peer
and a passive peer can synchronize with each other. The peer with a higher stratum (a lower
level) synchronizes with a peer with a lower stratum (a higher level).
In peer mode, the active peer initiates an NTP packet with the Mode field set to 3 (the client
mode), and the passive peer responds with an NTP packet with the Mode field set to 4 (the
server mode). This interaction creates a network delay so that devices at both ends enter the
peer mode.
- Active peer: A host that functions as an active peer sends packets periodically. The value
of the Mode field in a packet is set to 1. This indicates that the packet is sent by an active
peer, without considering whether its peer is reachable and which stratum its peer is on.
The active peer can provide time information about the local clock for its peer, or
synchronize the time information about the local clock based on that of the peer clock.
- Passive peer: A host that functions as a passive peer receives packets from the active
peer and sends reply packets. The value of the Mode field in a reply packet is set to 2.
This indicates that the packet is sent by a passive peer. The passive peer can provide time
information about the local clock for its peer, or synchronize the time information about
the local clock based on that of the peer clock.
NOTE
The passive peer does not need to be configured. A host sets up a connection and sets relevant state
variables only when it receives an NTP packet.
Broadcast Mode
The broadcast mode applies to high-speed networks that have multiple workstations and
do not require high accuracy. In a typical scenario, one or more clock servers on the
network periodically send broadcast packets to the workstations. The delay of packet
transmission in a LAN is at the milliseconds level.
- Broadcast server: A host that runs in broadcast mode sends clock synchronization
packets to the broadcast address 255.255.255.255 periodically. The value of the Mode
field in a packet is set to 5. This indicates that the packet is sent by a host that runs in
broadcast or multicast mode, without considering whether its peer is reachable and
which stratum its peer is on. The host running in broadcast mode is usually a clock
server running high-speed broadcast media on the network, which provides
synchronization information for all of its peers but does not alter its own clock.
- Broadcast client: The client listens to the clock synchronization packets sent from the
server. When the client receives the first clock synchronization packet, the client and
server exchange NTP packets whose Mode field values are 3 (sent by the client) and
4 (sent by the server). In this process,
the client enables the server/client mode for a short time to exchange information with
the remote server. This allows the client to obtain the network delay between the client
and the server. Then, the client returns to the broadcast mode and continues to listen for
incoming clock synchronization packets to synchronize the local clock.
Multicast Mode
Multicast mode is useful when there are large numbers of clients distributed in a network.
This normally results in a large number of NTP packets in the network. In the multicast mode, a
single NTP multicast packet can potentially reach all the clients on the network and reduce the
control traffic on the network.
Manycast Mode
Manycast mode is applied to a small set of servers scattered over the network. Clients can
discover and synchronize to the closest manycast server. Manycast can especially be used
where the identity of the server is not fixed and a change of server does not require
reconfiguration of all the clients in the network.
- Manycast server: The manycast server continuously listens to the packets. If a server can
be synchronized, the server returns a packet (the Mode field is set to 4) by using the
unicast address of the client as the destination address.
- Manycast client: The client in manycast mode periodically sends request packets (the
Mode field is set to 3) to an IPv4/IPv6 multicast address. After receiving a reply packet,
the client filters and selects clock signals, and synchronizes its clock with the server that
provides the optimal clock.
To prevent the client from constantly sending NTP request packets to the manycast server and
reduce the load of the server, the NTP protocol defines a minimum number of connections. In
manycast mode, the client records the number of connections established every time it
synchronizes clock with the server. The minimum number of connections is the minimum
number of connections called during a synchronization process. If the number of connections
called by the client reaches the minimum number during subsequent synchronization
processes and the synchronization is completed, the client considers that the synchronization
is completed. After that, the client sends a packet every time a timeout period expires to
maintain the connection. The NTP protocol uses the time to live (TTL) mechanism to ensure
that the client can successfully synchronize with the server. Every time the client sends an
NTP packet, the TTL of the packet increases (the initial value is 1) until the minimum
number of connections is reached or the TTL value reaches the upper limit. If the TTL
reaches the upper limit or the number of connections called by the client reaches the minimum
number, but connections called by the client still cannot complete the synchronizing process,
the client stops data transmission in a timeout period to eliminate all connections. Then the
client repeats the preceding process.
NOTE
In NTP implementation, a peer structure is established for each synchronization source, and these peer
structures are stored in a chain in a Hash form. Each peer structure is corresponding to a connection.
Access Authority
A device provides access authority, which is simpler and more secure, to protect a local clock.
NTP access control is implemented based on an access control list (ACL). NTP supports five
levels of access authority, and a corresponding ACL rule can be specified for each level. If an
NTP access request matches the ACL rule for a level of access authority, the request is granted
the access authority at that level.
When an NTP access request reaches the local end, the access request is successively matched
with the access authority from the maximum one to the minimum one. The first successfully
matched access authority takes effect. The matching order is as follows:
1. peer: indicates that a time request may be made for the local clock and a control query
may be performed on the local clock. The local clock can also be synchronized to a
remote server.
2. server: indicates that a time request may be made for the local clock and a control query
may be performed on the local clock, but the local clock cannot be synchronized with the
clock of the remote server.
3. synchronization: indicates that only a time request can be made for the local clock.
4. query: indicates that only a control query can be performed on the local clock.
5. limited: When the rate of NTP packets exceeds the upper limit, the incoming NTP
packets are discarded, and a Kiss code is sent if the KOD function is enabled.
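The first-match order has a practical consequence: an address that falls inside a higher-level ACL never reaches the narrower rule written for it at a lower level. The following Python model is an added example, not device code. It treats each ACL as a list of permitted networks, omits the rate-based limited level, assumes that an unmatched request gets no access, and uses constructed addresses.

```python
import ipaddress

# Levels in the matching order given above, with the operations each level
# allows. Operation names are hypothetical labels chosen for this example.
LEVELS = [
    ("peer", {"time_request", "control_query", "sync_to_remote"}),
    ("server", {"time_request", "control_query"}),
    ("synchronization", {"time_request"}),
    ("query", {"control_query"}),
]

# Constructed ACLs: level -> networks permitted at that level.
ACLS = {
    "peer": ["10.1.1.0/24"],            # intended for upstream time servers
    "synchronization": ["10.0.0.0/8"],  # intended for ordinary clients
    "query": ["10.1.1.50/32"],          # intended for a monitoring host
}


def match_level(source_ip, acls):
    """Return the first level, in matching order, whose ACL permits source_ip."""
    addr = ipaddress.ip_address(source_ip)
    for level, _ops in LEVELS:
        for net in acls.get(level, ()):
            if addr in ipaddress.ip_network(net):
                return level
    return None


def is_allowed(source_ip, operation, acls):
    """Check one operation against the level that takes effect for source_ip."""
    level = match_level(source_ip, acls)
    if level is None:
        return False  # assumption: the page does not define the no-match case
    return operation in dict(LEVELS)[level]


def shadowed_entries(acls):
    """List lower-level entries fully covered by an earlier-matched level.

    Such entries never take effect, so the host silently receives the
    broader authority of the earlier level.
    """
    findings = []
    for index, (level, _ops) in enumerate(LEVELS):
        for net in acls.get(level, ()):
            low = ipaddress.ip_network(net)
            for higher, _higher_ops in LEVELS[:index]:
                for higher_net in acls.get(higher, ()):
                    high = ipaddress.ip_network(higher_net)
                    if low.version == high.version and low.subnet_of(high):
                        findings.append((level, net, higher, higher_net))
    return findings
```

Running shadowed_entries over a planned ACL set before deployment shows which hosts would receive more authority than the rule written for them suggests.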
KOD
When a server receives a large number of client access packets within a specified period of
time and cannot bear the load, the KOD function can be enabled on the server to perform
access control. KOD is a brand new access control technology that is put forward in NTPv4,
and it is used by the server to provide information, such as a status report and access control,
for the client.
A KOD packet is a special NTP packet. When the Stratum field in an NTP packet is 0, the
packet is called a KOD packet and the ASCII message it conveys is called kiss code and
represents access control information. Currently, only two types of kiss codes are supported:
DENY and RATE.
After the KOD function is enabled on the server, the server sends kiss code DENY or RATE
to the client based on the configuration.
NOTE
After the KOD function is enabled, the corresponding ACL rule needs to be configured. When the ACL
rule is configured as deny, the server sends the deny kiss code. When the ACL rule is configured as
permit and the rate of NTP packets received reaches the configured upper limit, the server sends the rate
kiss code.
- When the client receives kiss code DENY, the client terminates all connections to the
server and stops sending packets to the server.
- When the client receives kiss code RATE, the client immediately reduces its polling
interval to the server and continues to reduce the interval each time it receives a RATE
kiss code.
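The Mode values from the operating-mode descriptions and the KOD rules above can be checked directly on captured packets. The following Python sketch is an added example, not code from this guide: it decodes the Mode and Stratum fields and reads the kiss code from the 4-byte Reference ID field (field positions follow RFC 5905). The sample packets and the action names are constructed for illustration.

```python
# Mode field values as given in the operating-mode descriptions on this page.
MODE_NAMES = {1: "active peer", 2: "passive peer", 3: "client",
              4: "server", 5: "broadcast/multicast"}
REPLY_MODES = {2, 4, 5}   # modes in which a kiss code can be returned
NTP_HEADER_LEN = 48       # fixed NTP header length (RFC 5905)


def parse_ntp_header(data):
    """Decode the fields needed to classify an NTP packet."""
    if len(data) < NTP_HEADER_LEN:
        raise ValueError("truncated NTP packet: %d bytes" % len(data))
    flags, stratum = data[0], data[1]
    mode = flags & 0x07
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x07,
        "mode": mode,
        "mode_name": MODE_NAMES.get(mode, "other (%d)" % mode),
        "stratum": stratum,
        "reference_id": data[12:16],
    }


def kiss_code(header):
    """Return the kiss code of a KOD packet, or None if it is not one.

    A client request can also carry stratum 0 with an all-zero reference
    ID, so the stratum check alone is not enough: the packet must be a
    reply and the reference ID must hold printable ASCII.
    """
    if header["stratum"] != 0 or header["mode"] not in REPLY_MODES:
        return None
    text = header["reference_id"].rstrip(b"\x00")
    if not text or not all(0x20 < b < 0x7F for b in text):
        return None
    return text.decode("ascii")


def client_action(data):
    """Map a received packet to the client behaviour described above."""
    code = kiss_code(parse_ntp_header(data))
    if code is None:
        return "process"
    if code == "DENY":
        return "stop-sending"       # terminate connections to this server
    if code == "RATE":
        return "adjust-polling"     # change the polling interval
    return "ignore-unknown-kiss"    # the page lists only DENY and RATE


def build_packet(version, mode, stratum, reference_id=b"", leap=0):
    """Build a constructed 48-byte NTP header for the samples below."""
    first = (leap << 6) | (version << 3) | mode
    return (bytes([first, stratum, 6, 0xEC]) + b"\x00" * 8
            + reference_id.ljust(4, b"\x00") + b"\x00" * 32)


# Constructed samples: a client request, a normal reply, and two KOD replies.
REQUEST = build_packet(4, 3, 0)
REPLY = build_packet(4, 4, 2, bytes([10, 1, 1, 1]))
KOD_DENY = build_packet(4, 4, 0, b"DENY", leap=3)
KOD_RATE = build_packet(4, 4, 0, b"RATE", leap=3)
```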
Authentication
The NTP authentication function can be enabled on networks demanding high security.
Different keys may be configured in different operating modes.
When a user enables the NTP authentication function in a certain NTP operating mode, the
system records the key ID in this operating mode.
- Sending process
The system determines whether authentication is required in this operating mode. If
authentication is not required, the system directly sends a packet. If authentication is
required, the system encrypts the packet using the key ID and an encryption algorithm
and sends it.
- Receiving process
After receiving a packet, the system determines whether the packet needs to be
authenticated. If the packet does not need to be authenticated, the system directly
performs subsequent processing on the packet. If the packet needs to be authenticated,
the system authenticates the packet using the key ID and a decryption algorithm. If the
authentication fails, the system directly discards the packet. If the authentication
succeeds, the system processes the received packet.
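The sending and receiving processes above, as an added Python example that is not code from this guide. It assumes the symmetric-key scheme of RFC 5905, in which the sender appends a 32-bit key ID and an MD5 digest computed over the key followed by the header (the page does not name the algorithm); the key table and the sample header are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header length (RFC 5905)
MAC_LEN = 4 + 16      # 32-bit key ID followed by a 128-bit MD5 digest

# Constructed key table: key ID -> shared secret configured on both ends.
TRUSTED_KEYS = {42: b"constructed-shared-secret"}

# Constructed client request header (version 4, mode 3).
SAMPLE_HEADER = bytes([0x23, 0, 6, 0xEC]) + bytes(44)


def _digest(key, header):
    # Assumed scheme: MD5 over the shared key followed by the NTP header.
    return hashlib.md5(key + header).digest()


def send_packet(header, key_id=None, keys=TRUSTED_KEYS):
    """Sending process: append key ID and digest when authentication is required."""
    if key_id is None:
        return header  # authentication not required in this operating mode
    return header + struct.pack("!I", key_id) + _digest(keys[key_id], header)


def receive_packet(packet, auth_required, keys=TRUSTED_KEYS):
    """Receiving process: return the header to process, or None to discard."""
    if len(packet) < NTP_HEADER_LEN:
        return None
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not auth_required:
        return header
    if len(mac) != MAC_LEN:
        return None  # authentication required but no well-formed MAC present
    (key_id,) = struct.unpack("!I", mac[:4])
    key = keys.get(key_id)
    if key is None:
        return None  # key ID is not configured locally
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if not hmac.compare_digest(_digest(key, header), mac[4:]):
        return None  # header was modified or the keys differ
    return header
```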
4.3 Application
This section describes the usage scenarios of NTP.
Typical Application
On the network as shown in Figure 4-8, SwitchA accessing a standard clock is used as the
NTP master clock server to achieve synchronization of clocks on the entire network. SwitchA
is configured as the unicast server, and SwitchB, SwitchC and SwitchD are configured as
unicast clients. SwitchE acts as a symmetric peer of the upstream SwitchB and downstream
SwitchF.
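[Figure 4-8: typical NTP application; device labels include SwitchE, SwitchF, and workstations]
[Figure: NTP client and NTP server in a VPN networking with PE, P, PE, CE A and CE B (VPN2), and CE C and CE D (VPN1)]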
Licensing Requirements
NTP is a basic feature of a switch and is not under license control.
Version Requirements
NOTE
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
- The existing configuration will not be deleted when the NTP service is disabled.
- The XGE interface connected to ACU2 does not support NTP.
- The XGE interface connected to ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01,
or ET1D2FW00S02 does not support NTP.
Pre-configuration Tasks
Before configuring basic NTP functions, configure the network layer address and routing
protocol of an interface to ensure that NTP packets can reach the destination.
Configuration Procedure
Basic NTP configuration contains the configuration of the NTP primary clock and operating
mode.
Context
A device on the network can synchronize its clock in the following manners.
- Synchronizing with the local clock: The local clock is used as the reference clock.
- Synchronizing with another device on the network: This device is used as an NTP clock
server to provide a reference clock for the local clock.
If both manners are configured, the device selects an optimal clock source by comparing the
clocks determined in the two manners. The clock of a lower stratum is preferred.
An authoritative clock is used as a reference time source for a synchronization subnet, and is
located at the top of a hierarchical structure on the synchronization subnet. The authoritative
clock is stratum 0. Currently, the authoritative clock is usually a radio clock or the Global
Positioning System (GPS). The time of the authoritative clock is synchronized through the
broadcast UTC time code rather than through NTP.
In actual circumstances, the NTP server synchronized with the authoritative clock is set as
stratum1, and is used as a master reference clock source. Other devices on the network
synchronize their clocks with the clock of the NTP server, which means the local clock of the
NTP server is configured as the NTP primary clock. The NTP distance from a device on the
network to the master reference clock source, that is, the number of NTP servers on the NTP
synchronization chain, determines the stratum of the clock on the device.
As shown in Figure 4-10, SwitchA is the primary clock, and its clock stratum is 1. The clock
synchronization direction is from SwitchA to SwitchB, and then to SwitchC. SwitchC can
synchronize its clock with the clock of SwitchB only after SwitchB is synchronized with
SwitchA. After all the devices on the synchronization subnet are synchronized, SwitchB and
SwitchC are stratum 2 and stratum 3, respectively.
[Figure 4-10: SwitchA (Stratum1) -> SwitchB (Stratum2) -> SwitchC (Stratum3); the arrows show the synchronization direction]
NOTE
After the local clock is configured as the reference clock, the local device can be used as the clock
source to synchronize other devices on the network. Confirm the action before performing this
configuration, so as to avoid clock errors on the network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service refclock-master [ ip-address ] [ stratum ]
----End
Context
The following NTP operating modes are supported by a device:

Unicast client/server mode
  The unicast client/server mode is used on a higher stratum on a synchronization subnet.
  In this mode, the IP address of the server needs to be obtained in advance.
  You need to configure only the client. The server needs to be configured with only an NTP
  primary clock. Note that the client can be synchronized to the server but the server cannot
  be synchronized to the client.

Symmetric peer mode
  The symmetric peer mode is used on a lower stratum on the synchronization subnet. In this
  mode, a symmetric active peer and a symmetric passive peer can be synchronized with each
  other.
  You need to configure only the symmetric active peer. The symmetric passive peer does not
  need to be configured with an NTP command. In symmetric peer mode, a symmetric peer of a
  higher stratum is synchronized to a symmetric peer of a lower stratum.

Multicast mode
  The multicast mode applies to the high-speed network that has multiple clients and does not
  require high precision. In a typical scenario, one or more clock servers on the network
  periodically send multicast packets to clients, and the clients synchronize time based on
  the multicast packets.
  Relevant commands need to be run on the server and the client. Note that the client can be
  synchronized to the server but the server cannot be synchronized to the client.

Manycast mode
  The manycast mode applies to the scenario where servers are scattered on a network. The
  client can discover and synchronize to the closest manycast server. The manycast mode
  applies to the scenario where the servers are not stable and clients on the entire network
  need not be configured again due to a change of the server.
  Relevant commands need to be run on the server and the client. Note that the client can be
  synchronized to the server but the server cannot be synchronized to the client.
NOTE
If a source address from which NTP packets are sent is specified on the server, the address must be the
same as the server IP address configured on the client. Otherwise, the client cannot process the NTP
packets sent by the server, resulting in failed clock synchronization.
Procedure
- Unicast Client/Server Mode
NOTE
In the unicast client/server mode, you need to configure only the client. Only an NTP primary
clock needs to be configured on the server.
The server can function as a clock server to which other devices can be synchronized only
after its own clock is synchronized. When the clock stratum of the server is greater than or
equal to the clock stratum of the client, the client is not synchronized to the server.
You can run the ntp-service unicast-server command repeatedly to configure multiple servers.
The client selects the optimal clock source by selecting a preferred clock.
a. Run:
system-view
The value of ip-address or ipv6-address is the IP address of the NTP server. It can
be the address of a host but cannot be a broadcast address or a multicast address.
If the port parameter is specified, you must specify the same port number on the
server by using the ntp-service port port-value command.
- Symmetric Peer Mode
NOTE
You only need to specify the IP address of the symmetric passive peer on the symmetric active
peer, and both symmetric peers use this IP address to exchange NTP packets.
Either the symmetric active peer or the symmetric passive peer must be in the synchronized
state. Otherwise, they cannot be synchronized.
You can run the ntp-service unicast-peer command repeatedly to configure multiple symmetric
passive peers. When a symmetric active peer has multiple symmetric passive peers configured, the
synchronization direction follows the principle that a symmetric peer of a larger stratum is
synchronized with a symmetric peer of a smaller stratum.
a. Run:
system-view
If the port parameter is specified, you must specify the same port number on the
passive peer by using the ntp-service port port-value command.
- Broadcast Mode
NOTE
The broadcast mode can be used only on a local area network (LAN).
The broadcast client can be synchronized with the broadcast server only after the clock of
the broadcast server is synchronized.
Configure the NTP broadcast server.
a. Run:
system-view
The interface for sending NTP broadcast packets is specified, and the interface view
is displayed.
c. Run:
ntp-service broadcast-server [ version number | authentication-keyid key-id | port port-number ] *
If the port parameter is specified, you must specify the same port number on the
broadcast client by using the ntp-service port port-value command.
Configure the NTP broadcast client.
a. Run:
system-view
The interface for receiving NTP broadcast packets is specified, and the interface
view is displayed.
c. Run:
ntp-service broadcast-client
The multicast client can be synchronized with the multicast server only after the clock of
the multicast server is synchronized. You can configure a maximum of 128 multicast servers on
the device.
Currently a maximum of 1024 multicast clients can be configured, but a maximum of 128
multicast clients can work simultaneously.
Configure the NTP multicast server.
a. Run:
system-view
The interface for sending NTP multicast packets is specified, and the interface view
is displayed.
c. Run:
ntp-service multicast-server [ ip-address ] [ version number | authentication-keyid key-id | ttl ttl-number | port port-number ] *
The interface for receiving NTP multicast packets is specified, and the interface
view is displayed.
c. Run:
ntp-service multicast-client [ ip-address | ipv6 [ ipv6-address ] ]
The interface for receiving NTP manycast packets is specified, and the interface
view is displayed.
c. Run:
ntp-service manycast-server [ ip-address | ipv6 [ ipv6-address ] ]
The interface for sending NTP manycast packets is specified, and the interface view
is displayed.
c. Run:
ntp-service manycast-client [ ip-address | ipv6 [ ipv6-address ] ]
[ authentication-keyid key-id | ttl ttl-number | port port-number ] *
Context
After NTP-related commands are configured on a device, the device automatically disables
the NTP server function to prevent external devices from synchronizing their clocks with the
device's clock. In addition, the device also generates the ntp-service server disable and ntp-
service ipv6 server disable commands in its configuration file. If you want to use the device
as an NTP server, enable the NTP server function on the device.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
All configurations of basic NTP functions are completed.
Procedure
- Run the display ntp-service status command to check the NTP service status.
- Run the display ntp-service sessions [ verbose ] command to check the NTP session
  status.
- Run the display ntp-service trace command to check the path from the local device to
  the reference clock source.
- Run the display ntp-service statistics packet [ ipv6 | peer [ ip-address [ vpn-instance
  vpn-instance-name ] | ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] ] ]
  command to check the statistical information about NTP packets or symmetric peers.
----End
Procedure
Step 1 Run:
system-view
The maximum polling interval, the timestamp difference between packets sent by the clock
server and received by the client, and the interval at which the clock of the client is
synchronized are configured.
By default, the maximum polling interval is 217s, the timestamp difference between packets
sent by the clock server and received by the client is 128ms, and the interval at which the
clock of the client is synchronized is 600 seconds.
Step 3 Run:
ntp-service max-distance max-distance-value
----End
Prerequisites
All configurations of basic NTP functions have been completed.
NOTE
If the ntp-service unicast-server or the ntp-service unicast-peer command specifies the source
interface of NTP packets, the specified source interface takes effect.
Procedure
Step 1 Run:
system-view
The local source interface for sending and receiving NTP packets is configured.
By default, the local source interface for sending NTP packets is not specified. The source IP
address of an NTP packet is selected according to the route.
In the broadcast, multicast, and manycast modes, the NTP service is performed on the source
interface and the ntp-service source-interface command does not take effect.
If the specified NTP source interface is in Down state, the source IP address of a sent NTP
packet is the primary IP address of the packet's outbound interface.
----End
Prerequisites
All configurations of basic NTP functions have been completed.
Context
In both unicast client/server mode and symmetric peer mode, sessions are established through
command lines and are therefore static sessions. Dynamic sessions are established in
broadcast mode, manycast mode, and multicast mode, so the limit on the number of local
dynamic sessions takes effect in these modes.
NOTE
The ntp-service max-dynamic-sessions command runs without affecting the existing NTP sessions. When
the number of local dynamic NTP sessions exceeds the maximum number, a new session cannot be
established.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service max-dynamic-sessions number
----End
Prerequisites
All configurations of basic NTP functions have been completed.
Configuration Order
You can perform the following configuration tasks in any sequence as required.
Context
You can disable the interface connected to external devices from receiving NTP packets in the
following scenarios:
- An unreliable clock server exists on the interface. After the NTP function is enabled, all
  interfaces can receive NTP packets by default. However, an unreliable clock source
  makes NTP clock data inaccurate.
- The NTP clock data is modified when the interface is attacked maliciously.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
ntp-service [ ipv6 ] in-interface disable
----End
Context
NTP access control is a simple security measure. When an access request reaches the local
end, the access request is successively matched with the access authority from the highest one
to the lowest one. The first successfully matched access authority takes effect. The matching
order is: peer, server, synchronization, query and limited.
- peer: The remote end can send time requests and control queries to the local NTP
  service. The local clock can also be synchronized with the clock of the remote server.
- server: The remote end can send time requests and control queries to the local end. The
  local clock, however, cannot be synchronized with the clock of the remote server.
- synchronization: The remote end can send only time requests to the local end.
- query: The remote end can send only control queries to the local end.
- limited: When the rate of NTP packets exceeds the upper limit, the incoming NTP
  packets are discarded.
The access control authority is configured on different devices in different NTP operating
modes, as described in Table 4-3.
Procedure
Step 1 Run:
system-view
NOTE
Check the configuration of the ACL rule before configuring the NTP access control authority in the ACL.
When the ACL rule is permit, the peer device with the source IP address specified in this rule can access the
NTP service on the local device. The access right of the peer device is configured using the ntp-service
access command. When the ACL rule is deny, the peer device with the source IP address specified in this
rule cannot access the NTP service on the local device.
Step 4 Run:
ntp-service discard { min-interval min-interval-val | avg-interval avg-interval-val } *
The minimum inter-packet interval and the average inter-packet interval of NTP are
configured.
By default, the minimum inter-packet interval of NTP is set to the first power of 2 in seconds,
namely, 2 seconds, and the average inter-packet interval of NTP is set to the fifth power of 2
in seconds, namely, 32 seconds.
----End
Context
Kiss-o'-Death (KOD) is an access control technology introduced in NTPv4. A server mainly
uses KOD to provide information, such as status reports and access control, to a client.
After the KOD is enabled on the server, the server sends the kiss code DENY or the kiss code
RATE to the client according to the operating status of the system.
- When receiving the kiss code DENY, the client terminates all connections with the
  server, and stops sending packets to the server.
- When receiving the kiss code RATE, the client immediately shortens a poll interval with
  the server. Every time the kiss code RATE is received after the first shortening operation,
  the poll interval is further shortened.
NOTE
The KOD supports the unicast client/server mode, symmetric peer mode, and manycast mode.
The KOD only functions in NTPv4.
The following configuration is performed on the server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service kod-enable
Before configuring the access control authority, you must create a basic ACL. For the creation
procedure, see "ACL Configuration" in the S7700 and S9700 Series Switches Configuration
Guide-Security.
Step 4 Run:
ntp-service access limited { acl-number | ipv6 acl6-number } *
NOTE
Before enabling control on the rate of incoming NTP packets, check the ACL rule configuration. When
the ACL rule is deny, the server sends the kiss code DENY. When the ACL is permit and the rate of
incoming NTP packets reaches the upper threshold, the server sends the kiss code RATE.
Step 5 Run:
ntp-service discard { min-interval min-interval-val | avg-interval avg-interval-val } *
The minimum inter-packet interval and the average inter-packet interval of NTP are
configured.
By default, the minimum inter-packet interval of NTP is set to the first power of 2 in seconds,
namely, 2 seconds, and the average inter-packet interval of NTP is set to the fifth power of 2
in seconds, namely, 32 seconds.
----End
Context
In some networks demanding high security, the authentication function needs to be enabled
when you use the NTP protocol. Password authentication of a client and a server ensures that
the client only synchronizes with a device that has been authenticated, improving the network
security.
When configuring the NTP authentication function, note the following rules:
- The NTP authentication function must be enabled first; otherwise, authentication cannot
  be implemented.
- The NTP authentication function needs to be configured on both the client and the
  server. Otherwise, the NTP authentication function does not take effect.
- If the NTP authentication function is enabled, a trusted key is configured on the client.
- Keys configured on the server and the client must be identical.
- The device that wants to synchronize its clock should declare its key as reliable.
  Otherwise, NTP authentication will fail.
NOTE
In NTP symmetric peer mode, the symmetric active peer functions as a client and the symmetric passive
peer functions as a server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ntp-service authentication enable
Step 3 Run:
ntp-service authentication-keyid key-id authentication-mode { md5 | hmac-sha256 } [ cipher ] password
Step 4 Run:
ntp-service reliable authentication-keyid key-id
----End
Follow-up Procedure
After the configuration of the NTP authentication is completed, apply the NTP authentication
key in Configuring NTP Operating Modes. That is, specify the parameter authentication-keyid.
Prerequisites
The configuration of NTP access control is completed.
Procedure
- Run the display current-configuration | include ntp command to check the NTP
  configuration.
- Run the display ntp-service status command to check the NTP service status.
- Run the display ntp-service sessions [ verbose ] command to check the NTP session
  status.
----End
Context
NOTE
After NTP statistics are cleared by using the reset ntp-service statistics packet command, the statistics
cannot be recovered. Confirm the action before running this command.
Procedure
- Run the reset ntp-service statistics packet [ ipv6 | peer [ ip-address [ vpn-instance
  vpn-instance-name ] | ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] ] ]
  command to clear statistics on NTP packets or symmetric peers.
----End
Context
To monitor the NTP running status after configurations of NTP are complete, run the
following commands in any view.
Procedure
- Run the display ntp-service statistics packet [ ipv6 | peer [ ip-address [ vpn-instance
  vpn-instance-name ] | ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] ] ]
  command to check statistics on NTP packets or symmetric peers.
- Run the display ntp-service status command to check the NTP status.
- Run the display ntp-service sessions [ verbose ] command to check all session
  information maintained by the local NTP service.
- Run the display ntp-service trace command to check the path from the local device to
  the reference clock source.
- Run the display ntp-service event clock-unsync command to check the reasons for the
  last 10 clock synchronization failures.
----End
Networking Requirements
As shown in Figure 4-11, SwitchA, SwitchB, and SwitchC are connected. SwitchA has
synchronized its clock with an authoritative clock, the Global Positioning System (GPS).
It is required that SwitchB and SwitchC synchronize their clocks with the clock of SwitchA to
ensure accounting accuracy.
Figure 4-11 Networking diagram for configuring the NTP unicast server/client mode with
NTP authentication enabled
[Figure: SwitchA (GE1/0/1, VLANIF100, 10.1.1.1/24) -- SwitchB (GE1/0/1, VLANIF100, 10.1.1.2/24; GE1/0/2, VLANIF10, 10.1.2.1/24) -- SwitchC (GE1/0/1, VLANIF10, 10.1.2.2/24)]
Configuration Roadmap
You can configure the NTP unicast server/client mode with NTP authentication enabled to
meet the clock synchronization requirement on the LAN. The configuration roadmap is as
follows:
1. Configure SwitchA as the NTP master clock server.
2. Configure the NTP unicast server/client mode to synchronize the clocks of SwitchA,
SwitchB, and SwitchC. Configure SwitchA as the NTP server and SwitchB and SwitchC
as NTP clients.
3. Enable NTP authentication to ensure NTP clock synchronization security.
NOTE
When configuring NTP authentication in the unicast server/client mode, enable NTP authentication on
the client, and specify the NTP server's IP address and the authentication key sent to the server.
Otherwise, NTP authentication is not performed, and the NTP server and client directly synchronize
their clocks.
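The authentication rules listed earlier and the note above describe a silent failure: a client whose server association carries no key still synchronizes, only without authentication. The following Python script is an added example, not part of the Huawei guide, that checks a saved configuration for that case and related gaps. The function name, finding codes, and both sample configurations are constructed for illustration, the ciphertext is a placeholder, and flagging md5 in favour of hmac-sha256 is this example's own policy choice.

```python
import re

# Association commands that accept an "authentication-keyid" parameter.
KEYED_MODES = ("unicast-server", "unicast-peer", "broadcast-server",
               "multicast-server", "manycast-client")
KEY_DEF = re.compile(r"ntp-service authentication-keyid (\d+) authentication-mode (\S+)")
RELIABLE = re.compile(r"ntp-service reliable authentication-keyid (\d+)")
ASSOC = re.compile(r"ntp-service (?:%s)\s*(.*)" % "|".join(KEYED_MODES))
ASSOC_KEY = re.compile(r"authentication-keyid (\d+)")

# Constructed sample: a client configured the way the guide's example configures SwitchB.
GOOD_CLIENT = """
sysname SwitchB
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher <placeholder>
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 10.1.1.1 authentication-keyid 42
"""

# Constructed sample: key never declared reliable, md5 mode, and one
# association with no key at all (it would synchronize unauthenticated).
BAD_CLIENT = """
sysname SwitchC
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode md5 cipher <placeholder>
ntp-service unicast-server 10.1.1.1
ntp-service unicast-peer 10.1.2.2 authentication-keyid 42
"""


def audit_ntp_auth(config_text):
    """Return a list of (code, detail) findings for one device's configuration."""
    auth_enabled = False
    keys = {}         # key-id -> authentication mode
    reliable = set()  # key-ids declared reliable
    assocs = []       # (command line, key-id or None)

    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ntp-service authentication enable":
            auth_enabled = True
            continue
        m = KEY_DEF.match(line)
        if m:
            keys[int(m.group(1))] = m.group(2)
            continue
        m = RELIABLE.match(line)
        if m:
            reliable.add(int(m.group(1)))
            continue
        m = ASSOC.match(line)
        if m:
            k = ASSOC_KEY.search(m.group(1))
            assocs.append((line, int(k.group(1)) if k else None))

    findings = []
    if not auth_enabled:
        findings.append(("AUTH_DISABLED", "ntp-service authentication enable is missing"))
    for line, key_id in assocs:
        if key_id is None:
            findings.append(("ASSOC_NO_KEY", line))      # syncs without authentication
        elif key_id not in keys:
            findings.append(("KEY_UNDEFINED", line))     # key-id has no definition
        elif key_id not in reliable:
            findings.append(("KEY_NOT_RELIABLE", line))  # key not declared reliable
    for key_id in sorted(keys):
        if keys[key_id] == "md5":
            findings.append(("WEAK_MODE", "key %d uses md5" % key_id))
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CLIENT", GOOD_CLIENT), ("BAD_CLIENT", BAD_CLIENT)):
        print(name, audit_ntp_auth(cfg))
```

The script cannot compare passwords across devices, because each device stores its own ciphertext; that rule still has to be verified by confirming that the session authenticates.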
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC and ensure that they have
reachable routes to each other.
# Configure an IP address and a route on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] ip route-static 10.1.2.0 24 10.1.1.2
Step 2 On SwitchA, configure the NTP master clock and enable NTP authentication.
# Configure the local clock of SwitchA as the master clock, and set the clock stratum to 2.
[SwitchA] ntp-service refclock-master 2
# Enable NTP authentication, configure the authentication key, and declare that the key is
reliable.
[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher Hello123
[SwitchA] ntp-service reliable authentication-keyid 42
Step 3 On SwitchB, enable NTP authentication, configure the authentication key, declare that the key
is reliable, and specify SwitchA as the NTP server.
[SwitchB] ntp-service authentication enable
[SwitchB] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher Hello123
[SwitchB] ntp-service reliable authentication-keyid 42
[SwitchB] ntp-service unicast-server 10.1.1.1 authentication-keyid 42
Step 4 On SwitchC, enable NTP authentication, configure the authentication key, declare that the key
is reliable, and specify SwitchA as the NTP server.
[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher Hello123
[SwitchC] ntp-service reliable authentication-keyid 42
[SwitchC] ntp-service unicast-server 10.1.1.1 authentication-keyid 42
# Check the NTP status of SwitchB. The clock status is synchronized, indicating that the
clock synchronization is complete. The clock stratum is 3, which is one stratum lower than
that of the NTP server SwitchA.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.1
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: -1.6796 ms
root delay: 2.71 ms
root dispersion: 21.87 ms
peer dispersion: 10.94 ms
reference time: 08:54:44.160 UTC Nov 22 2013(D6399A54.29247CB7)
synchronization state: clock synchronized
# Check the NTP status of SwitchC. The clock status is synchronized, indicating that the
clock synchronization is complete. The clock stratum is 3, which is one stratum lower than
that of the NTP server SwitchA.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.1
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: 13.6320 ms
root delay: 2.71 ms
root dispersion: 2.76 ms
peer dispersion: 10.94 ms
reference time: 08:57:44.160 UTC Nov 22 2013(D6399E4E.052B2BFD)
synchronization state: clock synchronized
----End
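The verification above can be automated so that a client reporting an unexpected reference clock or stratum is caught during routine monitoring. The following Python script is an added example, not part of the Huawei guide; it parses the display ntp-service status output shown above for SwitchB and a second, constructed output. The function names, finding codes, and the 100 ms offset threshold are assumptions made for this example.

```python
# Output copied from the SwitchB verification step in this example.
PAGE_SWITCHB_STATUS = """
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.1
clock offset: -1.6796 ms
root delay: 2.71 ms
reference time: 08:54:44.160 UTC Nov 22 2013(D6399A54.29247CB7)
synchronization state: clock synchronized
"""

# Constructed output: the client follows a source that is not the configured server.
CONSTRUCTED_ROGUE_STATUS = """
clock status: synchronized
clock stratum: 2
reference clock ID: 10.1.2.99
clock offset: 4312.5000 ms
"""


def parse_ntp_status(text):
    """Turn the 'key: value' lines of the status output into a dict."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only; the reference time value contains colons.
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def check_ntp_status(text, allowed_sources, server_stratum, max_offset_ms=100.0):
    """Return finding codes for one device's status output.

    allowed_sources: reference clock IDs the client is expected to follow.
    server_stratum:  stratum configured on the server; per the guide, the
                     client ends up one stratum below it.
    max_offset_ms:   alerting threshold chosen for this example (assumption).
    """
    fields = parse_ntp_status(text)
    findings = []

    if fields.get("clock status") != "synchronized":
        findings.append("UNSYNCHRONIZED")

    if fields.get("reference clock id") not in allowed_sources:
        findings.append("UNEXPECTED_SOURCE")

    try:
        stratum = int(fields.get("clock stratum", ""))
    except ValueError:
        stratum = None
    if stratum != server_stratum + 1:
        findings.append("UNEXPECTED_STRATUM")

    try:
        offset = float(fields.get("clock offset", "").split()[0])
    except (ValueError, IndexError):
        offset = None
    if offset is None or abs(offset) > max_offset_ms:
        findings.append("OFFSET_OUT_OF_RANGE")

    return findings


if __name__ == "__main__":
    print(check_ntp_status(PAGE_SWITCHB_STATUS, {"10.1.1.1"}, 2))
    print(check_ntp_status(CONSTRUCTED_ROGUE_STATUS, {"10.1.1.1"}, 2))
```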
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher %^%#uLLi;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT2,.T%^%#
ntp-service reliable authentication-keyid 42
ntp-service refclock-master 2
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.1
#
return
Networking Requirements
As shown in Figure 4-12, SwitchA, SwitchB, and SwitchC are located on the same LAN.
All devices on the LAN need to synchronize their clocks to facilitate device management.
SwitchA has synchronized its clock with an authoritative clock, the Global Positioning
System (GPS), through a network. It is required that SwitchB and SwitchC synchronize their
clocks with the clock of SwitchA.
Figure 4-12 Networking diagram for configuring the NTP symmetric peer mode
[Figure: SwitchA (GE1/0/1, VLANIF10, 10.0.0.1/24), SwitchB (GE1/0/1, VLANIF10, 10.0.0.2/24), and SwitchC (GE1/0/1, VLANIF10, 10.0.0.3/24) are interconnected through Switch (GE1/0/1, GE1/0/2, GE1/0/3)]
Configuration Roadmap
You can use NTP to synchronize time and configure the NTP symmetric peer mode to meet
the clock synchronization requirement. The configuration roadmap is as follows:
1. Configure the local clock of SwitchA as the NTP master clock.
2. Configure the NTP unicast server/client mode to synchronize the clocks of SwitchB and
SwitchA. Configure SwitchA as the NTP server and SwitchB as the NTP client.
3. Configure the NTP symmetric peer mode to synchronize the clocks of SwitchB and
SwitchC. Configure SwitchC as the symmetric active peer that sends a clock
synchronization request to SwitchB.
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC.
Configure an IP address for each interface according to Figure 4-12. After the configuration
is complete, SwitchA, SwitchB, and SwitchC can ping each other.
# Configure an IP address for SwitchA. The configurations of SwitchB and SwitchC are
similar to the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.0.0.1 24
[SwitchA-Vlanif10] quit
# Configure the local clock of SwitchA as the NTP master clock, and set the clock stratum to
2.
[SwitchA] ntp-service refclock-master 2
After the configuration is complete, SwitchB can synchronize its clock with the clock of
SwitchA.
Check the NTP status of SwitchB. The clock status is synchronized, indicating that the clock
synchronization is complete. The clock stratum is 3, which is one stratum lower than that of
SwitchA.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.0.0.1
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 62.50 ms
root dispersion: 0.20 ms
peer dispersion: 7.81 ms
reference time: 06:52:33.465 UTC Mar 7 2006(C7B7AC31.773E89A8)
synchronization state: clock set
Because SwitchC is not configured with a master clock and its clock stratum is lower than
that of SwitchB, SwitchC synchronizes its clock with the clock of SwitchB.
Step 5 Verify the configuration.
# Check the clock status of SwitchC. The clock status is synchronized, indicating that
the clock synchronization is complete. The clock stratum of SwitchC is 4, which is one
stratum lower than that of the symmetric passive peer SwitchB.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.2
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 124.98 ms
root dispersion: 0.15 ms
peer dispersion: 10.96 ms
reference time: 06:55:50.784 UTC Mar 7 2006(C7B7ACF6.C8D002E2)
synchronization state: clock set but frequency not determined
----End
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
ntp-service ipv6 server disable
ntp-service refclock-master 2
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
4.7.3 Example for Configuring the NTP Broadcast Mode with NTP Authentication Enabled
Networking Requirements
As shown in Figure 4-13, SwitchA, SwitchB, and SwitchC are located on the same LAN.
SwitchA synchronizes its clock with an authoritative clock, the Global Positioning System
(GPS), through the radio.
It is required that all switches in Figure 4-13 synchronize their clocks with the clock of
SwitchA to ensure accounting accuracy.
Figure 4-13 Networking diagram for configuring the NTP broadcast mode with NTP
authentication enabled
[Figure: SwitchA (GE1/0/1, VLANIF10, 10.0.0.1/24), SwitchB (GE1/0/1, VLANIF10, 10.0.0.2/24), and SwitchC (GE1/0/1, VLANIF10, 10.0.0.3/24) are interconnected through Switch (GE1/0/1, GE1/0/2, GE1/0/3)]
Configuration Roadmap
You can use NTP to synchronize time and configure the NTP broadcast mode with NTP
authentication enabled to meet the clock synchronization requirement. The configuration
roadmap is as follows:
1. Configure SwitchA as the master clock server, use its local clock as the NTP master
clock, and set the clock stratum to 3.
2. Configure SwitchA as the NTP broadcast server that sends broadcast packets through
VLANIF 10 (the corresponding physical interface is GE1/0/1).
3. Configure SwitchB and SwitchC as NTP broadcast clients.
4. Enable NTP authentication to ensure NTP clock synchronization security.
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC.
# Configure an IP address for SwitchA. The configurations of SwitchB and SwitchC are
similar to the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.0.0.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 10
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type hybrid
[Switch-GigabitEthernet1/0/3] port hybrid untagged vlan 10
[Switch-GigabitEthernet1/0/3] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/3] quit
Step 3 Configure the NTP broadcast server and enable NTP authentication.
# Configure the local clock of SwitchA as the NTP master clock, and set the clock stratum to
3.
[SwitchA] ntp-service refclock-master 3
# Configure SwitchA as the NTP broadcast server that sends NTP broadcast packets from
VLANIF 10, and specify key 16 for authentication.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ntp-service broadcast-server authentication-keyid 16
[SwitchA-Vlanif10] quit
Step 4 Configure SwitchB as an NTP broadcast client, which is on the same network segment as the
NTP server.
# Configure SwitchB as an NTP broadcast client that listens to NTP broadcast packets on
VLANIF 10.
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ntp-service broadcast-client
[SwitchB-Vlanif10] quit
Step 5 Configure SwitchC as an NTP broadcast client, which is on the same network segment as the
NTP server.
# Configure SwitchC as an NTP broadcast client that listens to NTP broadcast packets on
VLANIF 10.
----End
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %^%#uLLi;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT2,.T%^%#
ntp-service reliable authentication-keyid 16
ntp-service refclock-master 3
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
ntp-service broadcast-server authentication-keyid 16
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
#
interface Vlanif10
ip address 10.0.0.2 255.255.255.0
ntp-service broadcast-client
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
- SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10
#
ntp-service server disable
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %^%#vLLi;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT3,.T%^%#
ntp-service reliable authentication-keyid 16
#
interface Vlanif10
ip address 10.0.0.3 255.255.255.0
ntp-service broadcast-client
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
l Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
To ensure accounting accuracy, all switches on the LAN require clock synchronization with
the clock of SwitchC.
[Figure 4-14: networking diagram. SwitchC (GE1/0/1, VLANIF10, 10.1.3.2/24), SwitchA (GE1/0/2, VLANIF10, 10.1.3.1/24), and SwitchB (GE1/0/1, VLANIF10, 10.1.3.3/24) are connected through Switch (GE1/0/1, GE1/0/2, GE1/0/3).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SwitchC as the master clock server, use its local clock as the NTP master
clock, and set the clock stratum to 2.
2. Configure SwitchC as the NTP multicast server that sends multicast packets through
VLANIF 10 (the corresponding physical interface is GE1/0/1).
3. Configure SwitchA and SwitchB as NTP multicast clients. Configure SwitchA to listen
to multicast packets on VLANIF 10 (the corresponding physical interface is GE1/0/2).
Configure SwitchB to listen to multicast packets on VLANIF 10 (the corresponding
physical interface is GE1/0/1).
Procedure
Step 1 Configure an IP address for each interface according to Figure 4-14 and ensure that the
switches have reachable routes to each other.
# Configure an IP address and a routing protocol on SwitchB. The configurations of SwitchC
and SwitchA are similar to the configuration of SwitchB, and are not mentioned here. For
details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.1.3.3 24
[SwitchB-Vlanif10] quit
[SwitchB] ospf 1
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 10
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type hybrid
[Switch-GigabitEthernet1/0/3] port hybrid untagged vlan 10
[Switch-GigabitEthernet1/0/3] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/3] quit
# Configure SwitchC as the NTP multicast server that sends NTP multicast packets through
VLANIF 10.
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ntp-service multicast-server
[SwitchC-Vlanif10] quit
Step 4 Configure SwitchA and SwitchB as NTP multicast clients, which are on the same network
segment as the NTP multicast server.
# Configure SwitchA as an NTP multicast client that listens to NTP multicast packets on
VLANIF 10.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ntp-service multicast-client
[SwitchA-Vlanif10] quit
# Configure SwitchB as an NTP multicast client that listens to NTP multicast packets on
VLANIF 10.
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ntp-service multicast-client
[SwitchB-Vlanif10] quit
# Check the NTP status of SwitchA. The clock status is synchronized, indicating that the
clock synchronization is complete. The clock stratum is 3, which is one stratum lower than
that of the NTP server SwitchC.
[SwitchA] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.3.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 40.00 ms
root dispersion: 4.38 ms
peer dispersion: 34.30 ms
reference time: 12:17:21.773 UTC Mar 7 2013(C7B7F851.C5EAF25B)
synchronization state: clock synchronized
# Check the NTP status of SwitchB. The clock status is synchronized, indicating that the
clock synchronization is complete. The clock stratum is 3, which is one stratum lower than
that of the NTP server SwitchC.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.3.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.42 ms
peer dispersion: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2013(C7B7F851.C5EAF25B)
synchronization state: clock synchronized
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
ntp-service server disable
ntp-service ipv6 server disable
#
interface Vlanif10
ip address 10.1.3.1 255.255.255.0
ntp-service multicast-client
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.3.0 0.0.0.255
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10
#
ntp-service server disable
ntp-service ipv6 server disable
#
interface Vlanif10
ip address 10.1.3.3 255.255.255.0
ntp-service multicast-client
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10
#
ntp-service ipv6 server disable
ntp-service refclock-master 2
#
interface Vlanif10
ip address 10.1.3.2 255.255.255.0
ntp-service multicast-server
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
#
return
l Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
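The broadcast example above enables NTP authentication with a reliable key, while the multicast example configures none. The following audit is an added example (not Huawei tooling and not part of the original guide): it parses configuration files in the format shown above and flags broadcast or multicast clients that run without authentication and servers that send without a key ID. The function names, finding labels, and the <ciphertext> placeholder are assumptions made for this example.

```python
import re

KEY_RE = re.compile(r"^ntp-service authentication-keyid (\d+) authentication-mode (\S+)")
RELIABLE_RE = re.compile(r"^ntp-service reliable authentication-keyid (\d+)$")
CLIENT_RE = re.compile(r"^ntp-service (broadcast|multicast)-client\b")
SERVER_RE = re.compile(r"^ntp-service (broadcast|multicast)-server\b(.*)$")
SERVER_KEY_RE = re.compile(r"authentication-keyid (\d+)")

# Constructed samples, reduced from the configuration files on this page;
# <ciphertext> stands in for the stored key.
SAMPLES = {
    "broadcast-client": """\
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher <ciphertext>
ntp-service reliable authentication-keyid 16
#
interface Vlanif10
 ip address 10.0.0.3 255.255.255.0
 ntp-service broadcast-client
#
return
""",
    "broadcast-server": """\
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher <ciphertext>
ntp-service reliable authentication-keyid 16
ntp-service refclock-master 3
#
interface Vlanif10
 ntp-service broadcast-server authentication-keyid 16
#
return
""",
    "multicast-client": """\
ntp-service server disable
#
interface Vlanif10
 ip address 10.1.3.1 255.255.255.0
 ntp-service multicast-client
#
return
""",
    "multicast-server": """\
ntp-service refclock-master 2
#
interface Vlanif10
 ntp-service multicast-server
#
return
""",
}


def parse_config(text):
    """Return (global_lines, {interface_name: [lines]}) for one configuration file."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":                      # '#' closes the current view
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_ntp(text):
    """Return a sorted list of (scope, finding) tuples for one configuration file."""
    global_lines, interfaces = parse_config(text)
    auth_enabled = "ntp-service authentication enable" in global_lines
    keys = {m.group(1): m.group(2) for m in filter(None, map(KEY_RE.match, global_lines))}
    reliable = {m.group(1) for m in filter(None, map(RELIABLE_RE.match, global_lines))}
    trusted = reliable & set(keys)           # reliable keys that are actually defined
    findings = []
    for key_id in sorted(trusted):
        if keys[key_id] != "hmac-sha256":    # the mode used in the example on this page
            findings.append((f"key {key_id}", "mode-not-hmac-sha256"))
    for name, lines in interfaces.items():
        for line in lines:
            if CLIENT_RE.match(line):
                if not auth_enabled:
                    findings.append((name, "client-authentication-disabled"))
                elif not trusted:
                    findings.append((name, "client-no-reliable-key"))
            server = SERVER_RE.match(line)
            if server:
                key = SERVER_KEY_RE.search(server.group(2))
                if key is None:
                    findings.append((name, "server-sends-unauthenticated"))
                elif key.group(1) not in keys:
                    findings.append((name, "server-key-undefined"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in SAMPLES.items():
        print(label, audit_ntp(cfg) or "ok")
```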
4.8 Reference
This section lists references of NTP.
The following table provides reference standards and protocols for NTP.
This chapter describes how to configure Ethernet clock synchronization. This technology
synchronizes clocks through the Ethernet.
5.1 Overview
5.2 Principles
5.3 Licensing Requirements and Limitations for Ethernet Clock Synchronization
5.4 Configuring Ethernet Clock Synchronization
5.5 Configuration Examples
5.1 Overview
Definition
The Ethernet clock synchronization feature is used to synchronize the clock frequency on the
Ethernet. The clock signal can be obtained from the circuit or received from the external BITS
interface and transmitted to the downstream network through the Ethernet. After this function
is enabled, the clock frequency is synchronized through the Ethernet.
Purpose
Rapid development and wide application of telecommunications technologies require high
precision clock frequency synchronization. Table 5-1 describes the requirements for clock
frequency synchronization in telecommunications services. In the past, to synchronize the
clock frequency on the telecommunications network, the sites on the network obtained
accurate clock signals from the Global Positioning System (GPS). Antennas need to be
installed to receive clock signals from the GPS, which causes high construction and security
costs. Ethernet clock synchronization enables the device to synchronize clock frequency from
another site through an Ethernet network or obtain the optimal clock signals from lines.
Benefits
Using the Ethernet clock synchronization feature, carriers do not need to install antennas to
obtain the clock frequency from the GPS. Clock signals can be transmitted from other sites
through the Ethernet. This reduces costs of network construction and maintenance. As
Ethernet clock synchronization allows clock synchronization without the GPS, this
technology protects national security.
5.2 Principles
On the synchronization Ethernet, clock signals are transmitted at the physical layer, as shown
in Figure 5-1. The device requires a clock module, that is, a clock pinch board, to send high-
accuracy system clock signals to all the Ethernet interface line cards.
l In the receiving direction, the PHY chip of an Ethernet interface line card recovers and
extracts the clock signals sent from the circuit, divides the frequency, and sends the
clock signals to the clock pinch board. The clock pinch board selects the clock with the
highest accuracy as the reference clock source according to the SSM protocol and other
related information, and then sends the clock source to the system phase-locked loop (PLL).
The PLL traces this reference clock source and sends high-accuracy clock signals to each
interface line card.
l In the sending direction, the PLL on an Ethernet interface line card traces the clock
source sent from the clock pinch board and generates the reference clock for data
sending of the PHY chip.
Through the preceding process, clock frequency signals can be transmitted at the
physical layer. The SSM quality level of the Ethernet clock is transmitted through
dedicated SSM frames.
[Figure 5-1: system clock, PLL, and Ethernet interface line cards]
1. Clock signals from different clock sources are sent to the clock pinch board.
The clock pinch board of the device can obtain clock signals from the following
components:
– Circuit clock
The switching chip on the LPU of the device can obtain clock signals from an
optical interface, and then sends the clock signals to the clock pinch board on the
main control board through the circuit on the backplane.
– External clocks, such as the building integrated timing supply (BITS) clocks
– The high-accuracy oscillator of the clock pinch board, which is used in emergencies
when neither the LPUs nor the external clocks can provide the clock source
2. The clock pinch board selects the best clock source from the received clock signals, and
then sends 19.44 MHz clock signals to all LPUs through the downlink circuits on the
backplane.
3. The switching chip of each LPU uses this clock signal as the drive clock signal to
send and receive packets.
0011 Reserved.
0101 Reserved.
0110 Reserved.
0111 Reserved.
1001 Reserved.
1010 Reserved.
1100 Reserved.
1101 Reserved.
1110 Reserved.
NOTE
The S1 byte is transmitted through frames on the BITS interface and through SSM messages on the
Ethernet.
Table 5-3 shows the mappings between international clock classes and Chinese clock classes.
Table 5-3 Mappings between international clock classes and Chinese clock classes
International Clock Class Chinese Clock Class
BITS
The BITS clock is an accurate external clock.
The accuracy levels of clocks in descending order are: BITS clock, circuit clock, and clock
generated by the local oscillator of the clock pinch board.
The clock pinch board provides two BITS interfaces, which can receive clock signals from
two sources or obtain clock signals from the circuit.
Mode Description
Without the SSM quality level:
l This mode is used when the circuit clock or external clock does not provide the SSM
quality level or when the quality level of each circuit clock source is already known. For
example, if you know that the quality level of clock A is higher than the quality level of
clock B, you can set a higher priority for clock A.
l The system selects the clock source according to the priority that you set for each clock
source. The clock source with the highest priority is selected.
With the SSM quality level:
l This mode is used when most of the circuit clock sources have SSM quality levels.
l The system selects the clock source with the highest SSM quality level. When two clock
sources have the same SSM quality level, the one with higher priority is selected.
Extended mode with the SSM quality:
l The system selects the clock source in the same way as the second mode.
l The lower four bits of the S1 byte indicate the SSM quality level.
The higher four bits are used to transmit the clock source ID.
The clock source ID prevents timing loops, where the output timing signal is sent back to
the sender.
In the preceding modes, you can run the related commands to perform a manual switchover
or forcible switchover and select a specific clock.
l Through manual switchover, you can change the clock source regardless of the priority
of the clock source.
l Through forcible switchover, you can change the clock source regardless of the priority
and SSM quality of the clock source.
The selected clock signal is then sent to all LPUs through circuits on the backplane so that all
LPUs obtain an accurate clock signal. The clock signal is then sent to the downstream
network through interfaces on the LPUs.
Circuit clock transmitted downstream:
l The clock module obtains high-accuracy clock signals from the circuit and sends the
clock signals to the downstream network.
l The equipment uses the high-accuracy clock signals obtained from the circuit.
Circuit clock to BITS clock:
l The clock module obtains high-accuracy clock signals from the circuit.
l A BITS clock generates high-accuracy clock signals.
l The equipment uses the high-accuracy clock signals obtained from the circuit.
[Figure: structure of the CRC multiframe (sub-multiframes I and II, frames 0 to 15, bits 1 to 8), showing the Sa4 to Sa8 bits]
Sa4-Sa8 are spare bits. Sa4 bit of the first frame in the sub-multiframe of a PCM
CRC multiframe is the first bit of the SSM quality level.
A multiframe consists of eight sub-multiframes. If the Sa4 bit is used to transmit the SSM
quality level, each sub-multiframe transmits an Sa4 bit. The eight sub-multiframes jointly
carry a byte, which is called the S1 byte. The fifth to eighth bits of the S1 byte indicate the
SSM quality level. You can specify the bit from which the clock module obtains the S1 byte.
[Figure: Switch, another device, circuit clock, DNU]
l Use the extended clock source selection mode with the SSM quality level.
This mode is developed by Huawei and has been used as a standard in China.
Implementation of this mode is as follows:
– On the synchronization Ethernet, the SSM quality level occupies only the lower
four bits of the S1 byte and the higher four bits are idle. The ID of the clock source
is transmitted through the higher four bits of the S1 byte.
– In a simple ring network, the reverse path of the ring network will transmit clock
signals if the path of the ring network is down. The ID of the clock source can
prevent timing loops by identifying the primary clock source so that the clock source is
protected.
On a complicated network, however, clock source IDs cannot completely eliminate
timing loops because there are only 16 clock source IDs. In addition, the timing
loops generated on a subnet that does not contain the origin clock source cannot be
prevented. To prevent timing loops more effectively, you can use the clock source
IDs to separate the subnets.
– A complicated network can be divided into two or more subnets. On a subnet, the
clock source IDs are allocated by the network designer. The following is an
example of subnet division.
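[Figure 5-6: two rings (network elements A and B on the left, C and D on the right) connected through link a and link b, with master and slave BITS clocks]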
Figure 5-6 shows a common networking mode, in which two rings are connected through two
links. There are two available reference clock sources on the entire network. If you set IDs
only for the two reference clock sources, the IDs cannot be terminated on the right ring when
the links between the two rings fail because the IDs come from the left ring. In this case, a
timing loop occurs.
Divide the network into two subnets, namely, left ring and right ring.
l Specify the master and slave BITS clocks on the left ring and set IDs for the BITS
clocks.
l Specify the two links as the master and slave reference clock sources for the right ring.
By setting clock source IDs, you can separate the left and right rings logically. On network
element C on the right ring, set an ID for link a. Similarly, set an ID for link b on network
element D. If faults occur on link a and link b, no timing loop is generated because the right
ring has clock source IDs.
NOTE
The clock source IDs set on the right ring identify the reference clock sources and separate the right ring
from the left ring. The clock source IDs set on the left ring cannot be sent to the right ring through link a
and link b, and the right ring can receive only the SSM quality level from the left ring.
The clock source IDs set on the right ring can be the same as the IDs set on the left ring,
solving the problem of a limited number of IDs.
Licensing Requirements
Ethernet clock synchronization is not under license control.
Version Requirements
NOTE
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
Constraints on Ethernet Clock Synchronization
l To use the Ethernet clock synchronization feature, you must install the CKM-clock
daughter card on the switch.
l Only the EH1D2S24CEA0 and X series cards (except the EH1D2G48TX1E card) support
Ethernet clock synchronization. On the X1E series cards, the function takes effect only
after the enhanced working mode is configured using the set service-mode command.
l Ethernet clock synchronization is not supported on GE electrical interfaces, including
GE combo interfaces that work in electrical interface mode.
Clock Sources Supported by the Switch
The device can transmit clock signals on the Ethernet or synchronous digital hierarchy (SDH)
network. Table 5-7 lists types of clock sources supported by the switch.
0 Inner Clock: Clock signal generated by the local oscillator of the clock daughter card.
3 Slave Board BITS0: Clock signal sent or received by the BITS0 interface of the slave main
control board on local device.
4 Slave Board BITS1: Clock signal sent or received by the BITS1 interface of the slave main
control board on local device.
5 Left Frame Clock: Clock signal sent from the left side of the frame by the LPUs with
smaller slot IDs.
l On the S7703 and S9703, LPUs in slot 1 to slot 3 send clock signals from the left side of
the frame.
l On the S7706 and S9706, LPUs in slot 1 to slot 3 send clock signals from the left side of
the frame.
l On the S7712 and S9712, LPUs in slot 1 to slot 6 send clock signals from the left side of
the frame.
6 Right Frame Clock: Clock signal sent from the right side of the frame by the LPUs with
greater slot IDs.
l S7703 and S9703 do not have this clock.
l On the S7706 and S9706, LPUs in slot 4 to slot 6 send clock signals from the right side of
the frame.
l On the S7712 and S9712, LPUs in slot 7 to slot 12 send clock signals from the right side
of the frame.
7 FSU: Clock source on the flexible service unit (FSU). This clock source is reserved.
8 Slave Board FSU: Clock source on the FSU of the peer board (MPU). This clock source is
reserved.
l The system clock, BITS0 clock, and BITS1 clock are external clocks used to
synchronize clock signals. Only external clocks need to select the clock source.
l An external clock can function as the reference clock source of other clocks or send
clock signals. Other clocks can function only as the reference clock of external clocks.
l The system clock can select the reference clock source among clocks 0 to 8.
l The BITS clocks can select clocks 5 to 9 as the reference clock source.
l Free running
– Non-SSM mode: The clock source is selected based on the priority. A smaller
priority level indicates a higher priority.
– SSM mode: The clock source is selected based on the SSM quality level and
priority.
The SSM quality level takes precedence over the priority in clock source selection.
The clock source with the highest SSM quality level is selected first.
When two clock sources have the same SSM quality level, the one with higher
priority is selected.
– SSM extended mode: This mode is based on the SSM mode, and you can set the
clock ID in this mode.
l Forcible mode
l Manual mode
The SSM quality level takes precedence over the priority when the SSM quality level is used
in clock source selection. In forcible mode, you can specify a clock source regardless of the
SSM quality level and priority of the clock source. In manual mode, you can specify a clock
source regardless of the priority of the clock source, but the SSM quality level still affects the
selection result.
If you enable the result of frequency offset check to affect clock source selection, the selection
result also depends on the result of frequency offset check. If the frequency offset of a clock is
out of the specified range, the signal of the clock is considered invalid (Signal-fail), and the
clock cannot be selected as the clock source.
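The selection rules described in this chapter (priority only, SSM quality level then priority, forcible selection, Signal-fail exclusion, and the S1 byte layout) can be traced with the following added example. It is a model written for this page, not Huawei's implementation: the class and function names are hypothetical, the S1 code values are the ITU-T G.707 assignments rather than values taken from this guide, and treating reserved codes as DNU is an assumption.

```python
from dataclasses import dataclass

# SSM quality levels in descending order, as listed in this chapter.
QL_ORDER = ["PRC", "SSU-T", "SSU-L", "SEC", "DNU"]
# Lower four bits of the S1 byte (ITU-T G.707 values); 0000 is the unknown level.
S1_CODES = {0b0000: "UNKNOWN", 0b0010: "PRC", 0b0100: "SSU-T",
            0b1000: "SSU-L", 0b1011: "SEC", 0b1111: "DNU"}
PRIORITY_DISABLED = 255   # 255 (DIS): the clock cannot function as the clock source
INNER_CLOCK = 0           # clock source number of the inner clock


def decode_s1(s1, extended=False, ql_unknown="DNU"):
    """Return (quality_level, clock_source_id); the ID is None outside extended mode."""
    ql = S1_CODES.get(s1 & 0x0F, "DNU")      # assumption: reserved codes are unusable
    if ql == "UNKNOWN":                      # by default the unknown level maps to DNU
        ql = ql_unknown
    source_id = (s1 >> 4) & 0x0F if extended else None
    return ql, source_id


@dataclass
class ClockSource:
    number: int
    name: str
    priority: int = PRIORITY_DISABLED        # smaller value = higher priority
    ql: str = "DNU"
    signal_fail: bool = False                # e.g. frequency offset out of range


def select_source(sources, ssm=False, forced=None):
    """Pick the reference source for the system clock; None if nothing is usable."""
    by_number = {s.number: s for s in sources}
    if forced is not None:
        # Forcible mode ignores SSM quality level and priority; while the forced
        # source is in Signal-fail state the system clock uses the inner clock.
        chosen = by_number[forced]
        if chosen.priority == PRIORITY_DISABLED:
            raise ValueError("priority 255 (DIS): source cannot act as clock source")
        return by_number[INNER_CLOCK] if chosen.signal_fail else chosen
    usable = [s for s in sources
              if not s.signal_fail and s.priority != PRIORITY_DISABLED]
    if ssm:
        # SSM mode: DNU sources are never selected; quality level first, then priority.
        usable = [s for s in usable if s.ql != "DNU"]
        return min(usable, key=lambda s: (QL_ORDER.index(s.ql), s.priority),
                   default=None)
    # Non-SSM mode: priority only.
    return min(usable, key=lambda s: s.priority, default=None)


def demo_sources():
    """Constructed sample: inner clock defaults plus two frame clocks."""
    return [ClockSource(0, "Inner Clock", priority=254, ql="SEC"),
            ClockSource(5, "Left Frame Clock", priority=1, ql="SEC"),
            ClockSource(6, "Right Frame Clock", priority=2, ql="PRC")]


if __name__ == "__main__":
    print(select_source(demo_sources()).name)            # priority only
    print(select_source(demo_sources(), ssm=True).name)  # quality level first
    print(decode_s1(0x32, extended=True))                # quality level and source ID
```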
Context
Generally, the system selects the clock source automatically. You can forcibly select the clock
source of a clock in special situations.
You can forcibly specify a clock source regardless of the SSM quality level and priority of the
clock source. Different from the manual mode, you can specify a clock source in Signal-fail
state in forcible mode.
l When you forcibly specify a clock source to replace the original clock source of the
system clock:
– If the specified clock source is in Signal-fail state, the system automatically uses the
inner clock as the reference clock source.
– When the specified clock source recovers, the system automatically uses this clock
source as the reference clock source.
l When you forcibly specify a clock source to replace the original clock source of a BITS
clock:
– If the specified clock source is in Signal-fail state, the BITS clock automatically
uses the system clock as the reference clock source.
– When the specified clock source recovers, the BITS clock automatically uses this
clock as the reference clock source.
Pre-configuration Tasks
Before forcibly specifying a reference clock source, complete the following tasks:
l Set parameters of the link layer protocol and IP addresses for the interfaces to ensure that
the link layer protocol on the interfaces is in Up state.
l Configure the routing protocol to make the IP routes between the nodes reachable.
l Ensure that the clock to be configured meets the following conditions:
– All clock sources provide valid clock signals.
– The result of frequency offset check does not affect clock source selection or the
frequency offset of the clock sources is within the specified range.
– The clock sources are not locked.
– The priority of the clock is other than 255 (DIS) so that the clock can function as
the clock source.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock force-switch source source { system | bits0 | bits1 }
A new reference clock source is forcibly specified for the system clock, BITS0 clock, or
BITS1 clock.
l The number of the clock source for the system clock ranges from 0 to 8.
l The number of the clock source for the BITS clocks ranges from 5 to 9.
Table 5-8 shows the mappings between the clock source numbers and clock sources.
Table 5-8 Mappings between the clock source numbers and clock sources
0 Inner Clock
1 BITS0
2 BITS1
7 FSU (reserved)
9 System Clock
----End
l Run the display clock mode [ slave ] command to view the mode of clock source
selection.
l Run the display clock selection [ slave ] command to view the current clock sources of
the external clocks.
Context
When clock sources are configured with priorities but not configured with SSM quality levels,
you can manually specify a clock source if you need to select a clock with a lower priority as
the clock source.
NOTE
Pre-configuration Tasks
Before manually specifying a clock source, complete the following tasks:
l Set parameters of the link layer protocol and IP addresses for the interfaces to ensure that
the link layer protocol on the interfaces is in Up state.
l Configure the routing protocol to make the IP routes between the nodes reachable.
l Ensure that the clock to be configured meets the following conditions:
– All clock sources provide valid clock signals.
– The result of frequency offset check does not affect clock source selection or the
frequency offset of the clock sources is within the specified range.
– The clock sources are not locked.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock manual-switch source source { system | bits0 | bits1 }
A new reference clock source is manually specified for the system clock, BITS0, or BITS1
clock.
l The number of the clock source for the system clock ranges from 0 to 8.
l The number of the clock source for the BITS clocks ranges from 5 to 9.
Table 5-9 shows the mappings between the clock source numbers and clock sources.
Table 5-9 Mappings between the clock source numbers and clock sources
Clock No. Clock Source
0 Inner Clock
1 BITS0
2 BITS1
7 FSU (reserved)
9 System Clock
----End
Context
When there are multiple clock sources, you can set different priorities for them. In normal
situations, a clock board uses the clock source of the highest priority. If no clock source is
specified forcibly or manually and the SSM quality level is not used in clock source selection,
when the clock source of the highest priority fails, the clock board uses the clock source of the
second highest priority.
To implement clock synchronization on the entire network, you can set priorities of clock
sources to ensure that the clock source on the input line of the primary reference clock has the
highest priority on each device.
The primary reference clock must be stable. When configuring multiple clock sources, you
need to configure a backup clock transmission path. When clock signals are lost on the
original clock transmission path, a new clock source is selected and clock signals are
transmitted on the backup path.
Pre-configuration Tasks
Before selecting the clock source based on the priority, complete the following tasks:
l Set parameters of the link layer protocol and IP addresses for the interfaces to ensure that
the link layer protocol on the interfaces is in Up state.
l Configure the routing protocol to make the IP routes between the nodes reachable.
l Disable the SSM from being used in clock source selection.
l Cancel the configuration of forcible or manual clock source selection.
l Ensure that the clock to be configured meets the following conditions:
– All clock sources provide valid clock signals.
– The result of frequency offset check does not affect clock source selection or the
frequency offset of the clock sources is within the specified range.
– The clock sources are not locked.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock priority priority source source { system | bits0 | bits1 }
By default, the priority of the inner clock source and system clock source is 254, and the
priority of other clock sources is 255. A smaller priority value indicates a higher priority.
l The number of the clock source for the system clock ranges from 0 to 8.
l The number of the clock source for the BITS clocks ranges from 5 to 9.
Table 5-10 shows the mappings between the clock source numbers and clock sources.
Table 5-10 Mappings between the clock source numbers and clock sources
Clock No. Clock Source
0 Inner Clock
1 BITS0
2 BITS1
7 FSU (reserved)
9 System Clock
----End
Example
l Run the display clock mode [ slave ] command to view the mode of clock source
selection.
l Run the display clock selection [ slave ] command to view the current clock sources of
the external clocks.
5.4.4 Selecting the Clock Source Based on the SSM Quality Level
If the SSM quality level is used in clock source selection, the device selects the clock source
based on the SSM quality level and then based on the priority.
Applicable Environment
If multiple clock sources can obtain their SSM quality levels, the system can select the
reference clock source based on the SSM quality level. If no reference clock source is
specified forcibly, the clock board uses the clock source of the highest SSM quality level. If
this clock source fails, the clock board uses the clock source of the second highest SSM
quality level. The SSM quality level of the external clock source will change to the SSM
quality level of the clock source selected by the system.
The SSM quality level takes precedence over the priority in clock source selection; therefore,
the SSM quality level of the primary reference clock source must be the highest so that clock
synchronization can be implemented on the entire network.
The SSM quality levels, in descending order, are Primary Reference Clock (PRC),
Synchronization Supply Unit-T (SSU-T), Synchronization Supply Unit-L (SSU-L), SDH
Equipment Clock (SEC), and Do Not Use (DNU). If the SSM level of a clock source is DNU,
and the SSM level is used in clock source selection, this clock source will not be selected as
the reference clock source. The default SSM quality level of the inner clock and system clock
(19.44 MHz) is SEC.
The primary reference clock must be stable. When configuring multiple clock sources, you
need to configure a backup clock transmission path. When clock signals are lost on the original
clock transmission path, a new clock source is selected and clock signals are transmitted on
the backup path.
Pre-configuration Tasks
Before selecting the clock source based on the SSM quality level, complete the following
tasks:
l Set parameters of the link layer protocol and IP addresses for the interfaces to ensure that
the link layer protocol on the interfaces is in Up state.
l Configure the routing protocol to make the IP routes between the nodes reachable.
Configuration Process
Complete the following tasks to configure clock source selection based on the SSM quality
level.
5.4.4.1 Enabling the SSM Quality Level to Be Used in Clock Source Selection
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock ql-enable [ extend ]
By default, the SSM quality level is not used in clock source selection. To set clock source
IDs to prevent timing loops, you must enable the SSM quality level in extended SSM mode.
----End
Context
l If the SSM quality level is used in clock source selection but the SSM quality level of a
clock source cannot be obtained, you can specify the SSM quality level of the clock
source by using the clock ssm-config command.
l If the S1 byte of a clock source obtained from the system is 0, the system considers the
SSM quality level of the clock source as the unknown level. By default, the unknown
level maps to the DNU level and the clock source of this level is not selected. You can use
the clock ql-unknown command to set the unknown level to a higher level so that the
clock source can participate in clock source selection.
l When the BITS interface selects the clock source based on the SSM quality level:
– If the BITS clock works in BPS mode, the BITS interface obtains the SSM quality
level from the received SSM message. If the SSM quality level can be obtained
from the system, you do not need to run the clock ql-unknown and clock ssm-config
commands. If the SSM quality level cannot be obtained, you can run the
clock ql-unknown and clock ssm-config commands to specify the SSM quality
level.
– When the BITS clock works in 2 MHz mode, the clock does not have an SSM
quality level. If the SSM quality level needs to be used in clock source selection,
run the clock ssm-config command to set an SSM quality level for the clock.
Complete the following tasks according to the preceding description and actual situation.
Procedure
• Setting the SSM quality level of a clock source
a. Run:
system-view
NOTE
This command is applicable to the clock source whose SSM value is 0. The device considers
the SSM quality level of such a clock source as the value set in this command.
----End
Context
The device supports bidirectional communication on a BITS interface.
When the SSM quality level is used in clock source selection, unidirectional communication
causes loops because the SSM quality level returned from the remote end may be the same as
the SSM quality level sent from the local end. In this case, clock source selection for the BITS
interface is affected. The loops can be avoided through configurations.
Do as follows on the remote device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock force-out-s1 s1-dnu { bits0 | bits1 }
The S1 byte of the SSM message sent to the local BITS interface is set to DNU so that this
clock does not participate in clock source selection. This prevents timing loops between
interconnected devices.
----End
Procedure
• Run the display clock mode [ slave ] command to view the mode of clock source
selection.
• Run the display clock selection [ slave ] command to view the current clock sources of
the external clocks.
----End
Applicable Environment
To control clock synchronization more effectively, perform the following operations:
• Set the transmission mode of clock synchronization and time synchronization of a BITS
clock.
• Set the ID of a clock source to prevent timing loops generated in the SSM extended
mode.
• Set the priorities of the clock sources provided by different interfaces to specify the
sequence of the clock source signals sent from different interfaces to the main control
board. Only the interface of the highest priority can send the clock source signal to the
main control board.
• Lock a clock source to prevent the clock source from being selected.
• Enable the result of frequency offset check to affect clock source selection. The clock
sources with greater frequency offset have lower priority in clock source selection.
• Set the delay time for the system to consider a clock source lost and the wait-to-restore
(WTR) time of the clock source to prevent frequent switchover of clock sources caused
by network flapping.
• Set the permanent holding mode. In this mode, when all the clock sources are lost, the
clock module enters the holding state and retains the original frequency offset according
to the clock information traced before.
NOTE
Pre-configuration Tasks
Before configuring the attributes of a clock source, complete the following tasks:
• Set parameters of the link layer protocol and IP addresses for the interfaces to ensure that
the link layer protocol on the interfaces is in Up state.
• Configure the routing protocol to make the IP routes between the nodes reachable.
• Set the mode of clock source selection, that is, based on the SSM quality level or
priority.
Configuration Process
The following configuration tasks are optional and can be performed in any sequence as
required.
Context
The BITS clock refers to the clock signal sent from the BITS interface to a network element.
The signal can be a clock signal or a time signal. The signal that a BITS clock receives
depends on the signal that the BITS interface sends and receives.
Do as follows on the device as required.
NOTE
The interconnected devices must use the same transmission mode of the BITS clock.
Procedure
Step 1 Run:
system-view
----End
Context
If the clock signals sent from a clock source are looped back to the sender directly or through
the network, a timing loop occurs. Timing loops should be avoided in network
design. In extended SSM mode, the higher four bits of the S1 byte are used to transmit the
clock source ID, which reduces timing loops on the network.
Do as follows on the device.
Procedure
Step 1 Run:
system-view
The BITS0 or BITS1 interface is disabled from sending the ID of the clock source.
Step 4 (Optional) Run:
interface interface-type interface-number
----End
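The extended-mode S1 byte and the selection rules described in this chapter (unknown level, lockout, clock source IDs) can be modelled as follows. This is an added example, not Huawei code: the low-nibble code points are the ITU-T G.781 option I values, the rule that a device rejects a source carrying one of its own IDs is a modelling assumption, and the scenario values are constructed.

```python
"""Model of SSM-based clock source selection (added example, not device code)."""
from dataclasses import dataclass

# Low-nibble SSM code points per ITU-T G.781 option I (assumed; not on the page).
QL_CODES = {0x2: "PRC", 0x4: "SSU-T", 0x8: "SSU-L", 0xB: "SEC", 0xF: "DNU"}
# Best to worst: the lowest rank wins selection.
QL_RANK = {"PRC": 0, "SSU-T": 1, "SSU-L": 2, "SEC": 3, "DNU": 4}


def decode_s1(s1, extended, ql_unknown="DNU"):
    """Return (source_id, quality_level) for one received S1 byte.

    ql_unknown plays the role of `clock ql-unknown`: the level assigned
    when the SSM code is 0. Other undefined codes are treated as DNU here
    (an assumption, chosen so that they are never selected).
    """
    if not 0 <= s1 <= 0xFF:
        raise ValueError("S1 is a single byte")
    if ql_unknown not in QL_RANK:
        raise ValueError("unknown quality level: %r" % ql_unknown)
    # Extended SSM mode: the higher four bits carry the clock source ID.
    source_id = (s1 >> 4) if extended else None
    code = s1 & 0x0F
    ql = ql_unknown if code == 0 else QL_CODES.get(code, "DNU")
    return source_id, ql


@dataclass
class Source:
    name: str
    priority: int             # greater value = lower priority
    s1: int                   # S1 byte received with this clock
    signal_fail: bool = False
    locked_out: bool = False  # set by `clock lockout`


def select_source(sources, extended, local_ids=frozenset(), ql_unknown="DNU"):
    """Pick the reference: best quality level first, then priority.

    Returns (winner_name_or_None, {rejected_name: reason}).
    local_ids holds the IDs this device stamps on clocks it originates.
    """
    rejected, usable = {}, []
    for src in sources:
        source_id, ql = decode_s1(src.s1, extended, ql_unknown)
        if src.locked_out:
            rejected[src.name] = "lockout"
        elif src.signal_fail:
            rejected[src.name] = "signal fail"
        elif ql == "DNU":
            rejected[src.name] = "DNU"
        elif extended and source_id in local_ids:
            # Our own clock has come back around the ring.
            rejected[src.name] = "timing loop"
        else:
            usable.append((QL_RANK[ql], src.priority, src.name))
    winner = min(usable)[2] if usable else None
    return winner, rejected


def ring_failure_demo(extended):
    """Constructed case: SwitchA's BITS0 (ID 1) has failed while a neighbour
    still returns SwitchA's old clock on the left frame as S1 = 0x12."""
    sources = [
        Source("Inner Clock", priority=254, s1=0x0B),
        Source("BITS0", priority=1, s1=0x12, signal_fail=True),
        Source("Left Frame Clock", priority=5, s1=0x12),
    ]
    return select_source(sources, extended, local_ids={1})


if __name__ == "__main__":
    for extended in (False, True):
        winner, rejected = ring_failure_demo(extended)
        print("extended=%s -> %s, rejected=%s" % (extended, winner, rejected))
```

Without the ID nibble the model locks onto its own returned clock because it still advertises PRC; with extended mode it falls back to the inner clock instead.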
Context
A multiframe transmitted between BITS interfaces consists of eight sub-multiframes. Each
sub-multiframe contains five spare bits, namely, SA4 bit to SA8 bit. You can select any one of
the spare SA bits to transmit the SDH synchronization code (S1 byte). The eight sub-
multiframes jointly carry the eight bits of the S1 byte.
You can specify the SA bit that is used to transmit the S1 byte.
In special scenarios, you need to manually set the S1 byte that an interface sends to adjust the
SSM.
Do as follows on the device according to the actual situation.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock recv-sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } { bits0 | bits1 }
The bit of the SA bits from which the SDH synchronization status code (S1 byte) is received
is specified.
NOTE
If the sender and the receiver are of the same model, you do not need to perform this step because the
device can identify the S1 byte no matter which bit transmits it.
This step is performed when the device synchronizes the clock with another type of device through the
BITS interface. In this case, you need to specify the same bit that transmits the S1 byte on both ends to
ensure that both ends can identify the S1 byte.
Step 3 Run:
clock send-sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } { bits0 | bits1 }
The bit of the SA packet that is used to transmit the SDH synchronization status code (S1
byte) is specified.
Step 4 Run:
clock force-out-s1 { s1-prc | s1-ssu-t | s1-ssu-l | s1-sec | s1-dnu | else-s1-byte } { bits0 | bits1 }
The content of the S1 byte sent from the BITS0 or BITS1 interface is set.
By default, the S1 byte is set automatically according to the SSM level of the selected clock
source.
Step 5 Run:
interface interface-type interface-number
Step 6 Run:
clock force-out-s1 { s1-prc | s1-ssu-t | s1-ssu-l | s1-sec | s1-dnu | else-s1-byte }
By default, the S1 byte is set automatically according to the SSM level of the selected clock
source.
----End
5.4.5.4 Setting the Priority of the Clock Signal That an Interface Sends to the
Clock Board
Context
You can set priorities of the clock signals sent to the clock board from the interfaces that the
clock signals enter to determine the direction of clock synchronization.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
clock left-frame priority
The priority of the clock signal that the interface sends to the main control board from the left
side of the frame is set.
Or run:
clock right-frame priority
The priority of the clock signal that the interface sends to the main control board from the
right side of the frame is set.
The greater the value is, the lower the priority is.
----End
Context
By locking a clock source, you can prevent the clock source from being selected.
Do as follows on the device where you need to prevent a clock source from being selected.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock lockout source source { system | bits0 | bits1 }
A clock source is locked and cannot be selected as the reference clock source.
----End
Context
If the frequency offset of a clock source is out of the valid range, the clock source is
considered unavailable.
You can affect the result of clock source selection by setting the valid range of frequency
offset.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock freq-check
By default, the result of frequency offset check does not affect clock source selection.
Step 3 Run:
clock freq-check-range left-range right-range
The valid range of the frequency offset is set. If the frequency offset of a clock source is out
of the specified range, the frequency offset is too high.
By default, the maximum left frequency offset is -9.2 ppm, and the maximum right frequency
offset is 9.2 ppm.
----End
5.4.5.7 Setting the Delay Time for the System to Consider a Clock Source Lost
Context
Setting the delay time for the system to consider a clock source lost can avoid some mistakes
in determining the clock source caused by occasional signal jitter on the network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock hold-off-time hold-off-time source source
The delay time for the system to consider a clock source lost is set.
By default, the delay time for the system to consider a clock source lost is 500 ms.
----End
Context
Setting the WTR time of a clock source can avoid some mistakes in determining the clock
source caused by occasional signal jitter on the network. The default WTR time of a clock
source is 1 minute. Generally, you do not need to change the default value. If you want to see
the clock source switching result during debugging, set the WTR time to 0.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock wait-to-restore wait-to-restore-time source source
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock hold-for-ever
The permanent holding mode of the clock module is enabled. That is, the clock module holds
the clock information permanently after the clock source is lost.
By default, the clock module retains the clock information for 24 hours after the clock source
is lost.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock no-retrieve
By default, the retrieve mode is used. That is, if a better clock source is found, the system
selects this clock source automatically.
----End
Procedure
• Run the display clock { bits0 | bits1 } [ slave ] command to view the configuration of
the BITS clock, including the mode of the BITS clock, bit used to transmit the SDH
synchronization status code (S1 byte), content of the S1 byte that is set forcibly, and
whether the ID of the clock source is sent, and so on.
• Run the display clock source command to view information about clock sources,
including the validity of clock signals, SSM quality level, and ID of each clock source,
and so on.
• Run the display clock state interface interface-type interface-number command to view
the clock status on an interface. You can use this command to query all the clock
configurations on an interface.
• Run the display clock freq-check-range command to view the valid range of the clock
frequency offset.
• Run the display clock freq-check-result command to view the result of frequency offset
check.
• Run the display clock hold-off-time command to view the delay time for the system to
consider a clock source lost.
• Run the display clock wait-to-restore command to view the WTR time of each clock
source.
• Run the display clock mode [ slave ] command to view whether the SSM quality level
is used in clock source selection, whether the result of frequency offset check affects
clock source selection, retrieve mode, holding mode, and running status of the clock
module, and clock selection results of the external clocks, and so on.
• Run the display clock { left-frame | right-frame } command to view the priorities of
the clock signals that different interfaces send from the left side or right side of the
frame.
• Run the display clock lockout command to check whether a clock source is locked.
• Run the display clock priority command to view the priorities of clock sources.
• Run the display clock ql-unknown command to view the SSM quality level mapping
the unknown level.
• Run the display clock selection [ slave ] command to view the clock source selected by
each external clock.
• Run the display clock ssm-config command to view the SSM quality levels of clock
sources.
----End
5.5.1 Example for Selecting the Clock Source Based on the Priority
Networking Requirements
On a ring network, the clock of a switch is configured as the primary reference clock. You can
set the priorities of clock sources so that the clock source is selected based on priorities. In
addition, timing loops must be prevented. A timing loop occurs when the device where the
primary reference clock is located receives clock signals from a clock source with higher
priority and the clock source of the primary reference clock is re-selected.
As shown in Figure 5-7, three switches form a ring network. The clock of SwitchA is the
primary reference clock. The switches obtain clock signals from the LPUs and select clock
sources based on priorities. Normally, the clock synchronization direction is shown by the red
arrows. If the clock signal fails to be transmitted in this direction, the switches can quickly
change the clock synchronization direction, as shown by the blue arrows. SwitchA is always
the reference clock source.
Figure 5-7 Networking diagram for Selecting the Clock Source Based on the Priority
(Diagram not reproduced. Devices: SwitchA, SwitchB, SwitchC, BITS. Interface labels: GE 2/0/0, GE 2/0/3, GE 2/0/7, GE 5/0/3, GE 5/0/7.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol to make the IP routes between the nodes reachable.
2. Configure the BITS0 interface of SwitchA to use the BITS clock as the input primary
reference clock.
3. Set the mode of clock source selection on SwitchB and SwitchC. Make sure that the
priority of the clock signals sent from the left side of the frame is higher than that of the
clock signals sent from the right side of the frame on each switch. Clock source selection
proceeds in the direction shown by the red arrows.
Procedure
Step 1 Verify that the clock of SwitchA is the primary reference clock.
# Set the priority of the BITS0 clock on SwitchA to 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] clock priority 1 source 1 system
# Verify that the SSM quality level is not used in clock source selection.
[SwitchA] display clock mode
QL-Enable : No.
Freq-Check : No.
Retrieve : Yes.
Hold Type : Hold 24 hours.
Run Mode : Free.
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 1: BITS0.
Bits0 mode : Auto select clock source 9: System Clock.
Bits1 mode : Auto select clock source 9: System Clock.
Clock time : Free-run
# Verify that the system clock selects the BITS0 clock as the clock source and that the system
clock sends the clock signal to the LPUs as the output clock signal.
[SwitchA] display clock selection
Type Clock Source Selected
---------------------------------------------------------------------
system 1. BITS0
bits0 9. System Clock
bits1 9. System Clock
If you want to see the clock source switching result during debugging, set the WTR time to 0.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface gigabitethernet 5/0/7
[SwitchB-GigabitEthernet5/0/7] clock right-frame 10
[SwitchB-GigabitEthernet5/0/7] quit
[SwitchB] interface gigabitethernet 5/0/3
# View information about the clock sources sent from the right side of the frame. You can see
that the clock source of GigabitEthernet5/0/7 is sent to the clock board, and the clock
synchronization direction is shown by the red arrows in Figure 5-7.
[SwitchB] display clock right-frame
Interface Priority Clock Signal Selected
---------------------------------------------------------------------
GigabitEthernet5/0/3 20 N
GigabitEthernet5/0/7 10 Y
# View the clock information on SwitchB, and you can see that the inner clock, Right Frame
Clock, and system clock provide clock signals normally.
# Verify that the SSM quality level is not used in clock source selection.
[SwitchB] display clock mode
QL-Enable : No.
Freq-Check : No.
Retrieve : Yes.
Hold Type : Hold 24 hours.
Run Mode : Trace.(SyncOK, Locked)
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 6: Right Frame Clock.
Bits0 mode : Auto select clock source 9: System Clock.
Bits1 mode : Auto select clock source 9: System Clock.
Clock time : Free-run
# Verify that the system clock selects the clock source sent from the right side of the frame as
the clock source and that the system clock sends the clock signal to the LPUs as the output
clock signal.
[SwitchB] display clock selection
Type Clock Source Selected
---------------------------------------------------------------------
system 6. Right Frame Clock
bits0 9. System Clock
bits1 9. System Clock
If you want to see the clock source switching result during debugging, set the WTR time to 0.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
# View information about the clock sources sent from the left side of the frame. You can see
that the clock source of GigabitEthernet2/0/3 is sent to the clock board, and the clock
synchronization direction is shown by the red arrows in Figure 5-7.
[SwitchC] display clock left-frame
Interface Priority Clock Signal Selected
---------------------------------------------------------------------
GigabitEthernet2/0/0 40 N
GigabitEthernet2/0/3 30 Y
# View the clock information on SwitchC. You can see that the inner clock, Left Frame Clock,
and system clock provide clock signals normally.
# Verify that the SSM quality level is not used in clock source selection.
[SwitchC] display clock mode
QL-Enable : No.
Freq-Check : No.
Retrieve : Yes.
Hold Type : Hold 24 hours.
Run Mode : Trace.(SyncOK, Locked)
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 5: Left Frame Clock.
Bits0 mode : Auto select clock source 9: System Clock.
Bits1 mode : Auto select clock source 9: System Clock.
Clock time : Free-run
# Verify that the system clock selects the clock source sent from the left side of the frame as
the clock source and that the system clock sends the clock signal to the LPUs as the output
clock signal.
[SwitchC] display clock selection
Type Clock Source Selected
---------------------------------------------------------------------
system 5. Left Frame Clock
bits0 9. System Clock
bits1 9. System Clock
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
clock priority 1 source 1 system
#
5.5.2 Example for Selecting the Clock Source Based on the SSM
Quality Level
Networking Requirements
On a ring network, the clock of a switch is configured as the primary reference clock. You can
set the priorities of clock sources so that the clock source is selected based on the SSM quality
level. Timing loops must be prevented.
As shown in Figure 5-8, three switches form a ring network. The clock of SwitchA is the
primary reference clock. The switches obtain clock signals from the LPUs and select the clock
source based on the SSM quality level. The normal clock synchronization direction is shown
by the red arrows. If the clock signal fails to be transmitted in this direction, the switches can
quickly change the clock synchronization direction, as shown by the blue arrows.
Figure 5-8 Networking diagram for Selecting the Clock Source Based on the SSM Quality
Level
(Diagram not reproduced. Devices: SwitchA, SwitchB, SwitchC, BITS. Interface labels: GE 2/0/0, GE 2/0/3, GE 2/0/7, GE 5/0/3, GE 5/0/7.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol to make the IP routes between the nodes reachable.
2. Configure the BITS0 interface of SwitchA to use the BITS clock as the input primary
reference clock. (The SSM quality level of the BITS0 clock is PRC.)
3. Set the mode of clock source selection on SwitchA, SwitchB and SwitchC.
Procedure
Step 1 Verify that the clock of SwitchA is the primary reference clock and enable the SSM quality
level to be used in clock source selection.
# On SwitchA, enable the SSM quality level to be used in clock source selection and set the
priority of the BITS0 clock to 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] clock ql-enable
[SwitchA] clock priority 1 source 1 system
# View the clock information on SwitchA, and you can see that the inner clock and system
clock provide clock signals normally.
[SwitchA] display clock source
Reference Clock Source Signal Fail S1 Byte ID SSM
---------------------------------------------------------------------
0 Inner Clock No -- - SEC
1 BITS0 No -- - PRC
2 BITS1 Yes -- - DNU
3 Slave Board BITS0 Yes -- - DNU
4 Slave Board BITS1 Yes -- - DNU
5 Left Frame Clock Yes -- - DNU
# Verify that the SSM quality level is used in clock source selection.
[SwitchA] display clock mode
QL-Enable : Yes.
Freq-Check : No.
Retrieve : Yes.
Hold Type : Hold 24 hours.
Run Mode : Free.
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 1: BITS0.
Bits0 mode : Auto select clock source 9: System Clock.
Bits1 mode : Auto select clock source 9: System Clock.
Clock time : Free-run
# Verify that the system clock selects the BITS0 clock as the clock source and that the system
clock sends clock signal to the LPUs as the output clock signal.
[SwitchA] display clock selection
Type Clock Source Selected
---------------------------------------------------------------------
system 1. BITS0
bits0 9. System Clock
bits1 9. System Clock
If you want to see the clock source switching result during debugging, set the WTR time to 0.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] clock ql-enable
[SwitchB] interface gigabitethernet 5/0/7
[SwitchB-GigabitEthernet5/0/7] clock right-frame 10
[SwitchB-GigabitEthernet5/0/7] quit
[SwitchB] interface gigabitethernet 5/0/3
[SwitchB-GigabitEthernet5/0/3] clock right-frame 20
[SwitchB-GigabitEthernet5/0/3] quit
[SwitchB] clock priority 6 source 6 system
# View information about the clock sources sent from the right side of the frame. You can see
that the clock source of GigabitEthernet5/0/7 is sent to the clock board, and the clock
synchronization direction is shown by the red arrows in Figure 5-8.
[SwitchB] display clock right-frame
Interface Priority Clock Signal Selected
---------------------------------------------------------------------
GigabitEthernet5/0/3 20 N
GigabitEthernet5/0/7 10 Y
# View the clock information on SwitchB, and you can see that the inner clock, Right Frame
Clock, and system clock provide clock signals normally.
# Verify that the SSM quality level is used in clock source selection.
[SwitchB] display clock mode
QL-Enable : Yes.
Freq-Check : No.
Retrieve : Yes.
Hold Type : Hold 24 hours.
Run Mode : Trace.(SyncOK, Locked)
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 6: Right Frame Clock.
Bits0 mode : Auto select clock source 9: System Clock.
Bits1 mode : Auto select clock source 9: System Clock.
Clock time : Free-run
# Ensure that the system clock selects the clock source sent from the right side of the frame as
the clock source and that the system clock sends clock signal to the LPUs as the output clock
signal.
[SwitchB] display clock selection
Type Clock Source Selected
---------------------------------------------------------------------
system 6. Right Frame Clock
bits0 9. System Clock
bits1 9. System Clock
If you want to see the clock source switching result during debugging, set the WTR time to 0.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] clock ql-enable
[SwitchC] interface gigabitethernet 2/0/3
[SwitchC-GigabitEthernet2/0/3] clock left-frame 30
[SwitchC-GigabitEthernet2/0/3] quit
[SwitchC] interface gigabitethernet 2/0/0
[SwitchC-GigabitEthernet2/0/0] clock left-frame 40
[SwitchC-GigabitEthernet2/0/0] quit
[SwitchC] clock priority 5 source 5 system
# View information about the clock sources sent from the left side of the frame. You can see
that the clock source of GigabitEthernet 2/0/3 is sent to the clock board, and the clock
synchronization direction is shown by the red arrows in Figure 5-8.
[SwitchC] display clock left-frame
Interface Priority Clock Signal Selected
---------------------------------------------------------------------
GigabitEthernet2/0/0 40 N
GigabitEthernet2/0/3 30 Y
# View the clock information on SwitchC, and you can see that the inner clock, Left Frame
Clock, and system clock provide clock signals normally.
# Verify that the SSM quality level is used in clock source selection.
[SwitchC] display clock mode
QL-Enable : Yes.
Freq-Check : No.
Retrieve : Yes.
Hold Type : Hold 24 hours.
Run Mode : Trace.(SyncOK, Locked)
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 5: Left Frame Clock.
Bits0 mode : Auto select clock source 9: System Clock.
Bits1 mode : Auto select clock source 9: System Clock.
Clock time : Free-run
# Ensure that the system clock selects the clock source sent from the left side of the frame as
the clock source and that the system clock sends clock signal to the LPUs as the output clock
signal.
[SwitchC] display clock selection
Type Clock Source Selected
---------------------------------------------------------------------
system 5. Left Frame Clock
bits0 9. System Clock
bits1 9. System Clock
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
clock ql-enable
clock priority 1 source 1 system
#
#
sysname SwitchC
#
clock ql-enable
clock priority 5 source 5 system
#
interface GigabitEthernet2/0/0
clock left-frame 40
#
interface GigabitEthernet2/0/3
clock left-frame 30
#
5.5.3 Example for Selecting the Clock Source Based on the SSM
Quality Level in Extended Mode
Networking Requirements
If the clock signal sent from the local device is sent back to the local device directly or
through the network, a timing loop occurs. In extended SSM mode, you can set IDs for the
circuit or external clock sources to prevent timing loops.
As shown in Figure 5-9, three switches form a ring network. SwitchC is connected to the
primary clock. The switches synchronize their clocks with the primary clock. Timing loops
must be prevented through configuration.
Figure 5-9 Networking diagram for Selecting the Clock Source Based on the SSM Quality
Level in Extended Mode
(Diagram not reproduced. Devices: SwitchA, SwitchB, SwitchC, BITS. Interface labels: GE 2/0/0, GE 2/0/3, GE 2/0/7, GE 5/0/3, GE 5/0/7.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol to make the IP routes between the nodes reachable.
2. Configure the primary clock as the input clock source of SwitchA and set the ID of the
reference clock source.
3. Set the mode of clock source selection on SwitchB and SwitchC.
Procedure
Step 1 On SwitchA, enable the extended SSM mode and set the ID of the BITS clock source.
# Enable the extended SSM mode. Set the ID of the BITS0 clock to 1 and the priority of the
BITS0 clock to 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] clock ql-enable extend
[SwitchA] clock id 1 source 1
[SwitchA] clock priority 1 source 1 system
# View the clock information on SwitchA, and you can see that the inner clock and system
clock provide clock signals normally.
[SwitchA] display clock priority
Reference Clock Source System bits0 bits1
---------------------------------------------------------------------
0 Inner Clock 254 - -
1 BITS0 1 - -
2 BITS1 255 - -
3 Slave Board BITS0 255 - -
4 Slave Board BITS1 255 - -
5 Left Frame Clock 255 255 255
6 Right Frame Clock 255 255 255
7 System Clock - 254 254
# Verify that the SSM quality level is used in clock source selection.
[SwitchA] display clock mode
QL-Enable : Yes (Extend Mode).
Freq-Check : No.
Retrieve : Yes.
Hold Type : Hold 24 hours.
Run Mode : Free.
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 1: BITS0.
Bits0 mode : Auto select clock source 9: System Clock.
Bits1 mode : Auto select clock source 9: System Clock.
Clock time : Free-run
# Verify that the system clock selects the inner clock as the clock source and that the system
clock sends the clock signal to the LPUs as the output clock signal.
[SwitchA] display clock selection
Type Clock Source Selected
---------------------------------------------------------------------
system 1. BITS0
bits0 9. System Clock
bits1 9. System Clock
# On SwitchB, set the priority of the clock signal that GigabitEthernet5/0/7 sends from the
right side of the frame to 10, and set the priority of the clock signal that GigabitEthernet5/0/3
sends from the right side of the frame to 20. Retain the default WTR time. Set the priority of
the clock signal sent from the right side of the frame to 6.
NOTE
If you want to see the clock source switching result during debugging, set the WTR time to 0.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] clock ql-enable extend
[SwitchB] interface gigabitethernet 5/0/7
[SwitchB-GigabitEthernet5/0/7] clock right-frame 10
[SwitchB-GigabitEthernet5/0/7] quit
[SwitchB] interface gigabitethernet 5/0/3
[SwitchB-GigabitEthernet5/0/3] clock right-frame 20
[SwitchB-GigabitEthernet5/0/3] quit
[SwitchB] clock priority 6 source 6 system
# View information about the clock sources sent from the right side of the frame. You can see
that the clock source of GigabitEthernet5/0/7 is sent to the clock board, and the clock
synchronization direction is shown by the red arrows in Figure 5-9.
[SwitchB] display clock right-frame
Interface Priority Clock Signal Selected
---------------------------------------------------------------------
GigabitEthernet5/0/3 20 N
GigabitEthernet5/0/7 10 Y
# View the clock information on SwitchB, and you can see that the inner clock, Right Frame
Clock, and system clock provide clock signals normally.
[SwitchB] display clock source
Reference Clock Source Signal Fail S1 Byte ID SSM
---------------------------------------------------------------------
0 Inner Clock No -- - SEC
1 BITS0 Yes -- - DNU
2 BITS1 Yes -- - DNU
3 Slave Board BITS0 Yes -- - DNU
4 Slave Board BITS1 Yes -- - DNU
5 Left Frame Clock Yes -- - DNU
6 Right Frame Clock No 12 - PRC
7 System Clock No -- - PRC
# Verify that the SSM quality level is used in clock source selection.
[SwitchB] display clock mode
QL-Enable : Yes (Extend Mode).
Freq-Check : No.
Retrieve : Yes.
Hold Type : Hold 24 hours.
Run Mode : Trace.(SyncOK, Locked)
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 6: Right Frame Clock.
Bits0 mode : Auto select clock source 9: System Clock.
Bits1 mode : Auto select clock source 9: System Clock.
Clock time : Free-run
# Ensure that the system clock selects the clock source sent from the right side of the frame as
the clock source and that the system clock sends clock signal to the LPUs as the output clock
signal.
[SwitchB] display clock selection
Type Clock Source Selected
---------------------------------------------------------------------
system 6. Right Frame Clock
bits0 9. System Clock
bits1 9. System Clock
from the left side of the frame to 40. Retain the default WTR time. Set the priority of the
clock signal sent from the left side of the frame to 5.
NOTE
If you want to see the clock source switching result during debugging, set the WTR time to 0.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] clock ql-enable extend
[SwitchC] interface gigabitethernet 2/0/3
[SwitchC-GigabitEthernet2/0/3] clock left-frame 30
[SwitchC-GigabitEthernet2/0/3] quit
[SwitchC] interface gigabitethernet 2/0/0
[SwitchC-GigabitEthernet2/0/0] clock left-frame 40
[SwitchC-GigabitEthernet2/0/0] quit
[SwitchC] clock priority 5 source 5 system
# View information about the clock sources sent from the left side of the frame. You can see
that the clock source of GigabitEthernet2/0/3 is sent to the clock board, and the clock
synchronization direction is shown by the red arrows in Figure 5-9.
[SwitchC] display clock left-frame
Interface Priority Clock Signal Selected
---------------------------------------------------------------------
GigabitEthernet2/0/0 40 N
GigabitEthernet2/0/3 30 Y
# View the clock information on SwitchC, and you can see that the inner clock, Left Frame
Clock, and system clock provide clock signals normally.
[SwitchC] display clock source
Reference Clock Source Signal Fail S1 Byte ID SSM
---------------------------------------------------------------------
0 Inner Clock No -- - SEC
1 BITS0 Yes -- - DNU
2 BITS1 Yes -- - DNU
3 Slave Board BITS0 Yes -- - DNU
4 Slave Board BITS1 Yes -- - DNU
5 Left Frame Clock No 12 - PRC
6 Right Frame Clock Yes -- - DNU
7 System Clock No -- - PRC
# Verify that the SSM quality level is used in clock source selection.
[SwitchC] display clock mode
QL-Enable : Yes (Extend Mode).
Freq-Check : No.
Retrieve : Yes.
Hold Type : Hold 24 hours.
Run Mode : Trace.(SyncOK, Locked)
Bits0 : Locked.
Bits1 : Locked.
System mode: Auto select clock source 5: Left Frame Clock.
Bits0 mode : Auto select clock source 9: System Clock.
Bits1 mode : Auto select clock source 9: System Clock.
Clock time : Free-run
# Ensure that the system clock selects the clock source sent from the left side of the frame as
the clock source and that the system clock sends clock signal to the LPUs as the output clock
signal.
[SwitchC] display clock selection
Type Clock Source Selected
---------------------------------------------------------------------
system 5. Left Frame Clock
bits0 9. System Clock
bits1 9. System Clock
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
clock ql-enable extend
clock id 1 source 1
clock priority 1 source 1 system
#
6 Energy-Saving Management
6.1 Overview
6.2 Licensing Requirements and Limitations for Energy-Saving Management
6.3 Configuring Energy-Saving Management
6.4 Configuration Examples
6.1 Overview
Purpose
As network scale grows, device power consumption increases enterprise operating expenses.
Energy saving has become a major concern in network construction. Devices use multiple
energy-saving technologies to reduce power consumption.
The automatic laser shutdown (ALS) mechanism controls the pulse of the laser of an
optical module by detecting the Loss of Signal (LOS) on an optical interface. The ALS
mechanism protects operators against laser injury and saves energy.
When ALS is disabled, if the optical fiber link fails, data communication is interrupted,
but the optical interface and the laser of the optical module remain enabled. If the laser
of the optical module still sends pulses after data communication is interrupted, energy is
wasted and operators' eyes may be injured.
When ALS is enabled, if the optical fiber link fails, the system automatically disables the
laser of an optical module from sending pulses on the optical interface after detecting the
LOS on the optical interface. When the faulty optical fiber link is recovered, the system
detects that the LOS of the optical interface is cleared and enables the laser to send
pulses.
l EEE
Energy Efficient Ethernet (EEE) dynamically adjusts the electrical interface power
according to network traffic volume.
When the EEE function is not configured on the electrical interface, the system provides
power for each interface. Even though an interface is idle, it consumes the same power
as working interfaces. After the EEE function is configured, the system reduces the
power on an interface when the interface is idle and restores the power when the
interface starts to transmit data. This reduces power consumption in the system.
l Port Dormancy
In port dormancy mode, the physical layer (PHY) chip on the electrical interface enters
the low energy consumption mode to reduce power consumption. When interfaces are
not connected, major data transmission channels of the chip enter the dormancy state to
save energy. When interfaces are connected and traffic on the cable is detected, the PHY
chip returns to the normal working state.
l Powering off Redundant Power Modules
The device powers off redundant power modules based on rated power consumption or
real-time power consumption. This does not affect system power supply and saves
energy. When the rated power or real-time power increases, the device automatically
powers on redundant power modules. This ensures stable power supply.
l Energy-saving Mode
Besides intelligent fan speed adjustment and ALS, the device saves energy through the
energy-saving mode.
The device supports the following energy-saving modes:
– Standard mode: Factory mode and default power saving mode.
– Basic energy saving mode: Components not in use are shut down or switched to the
sleeping state when no services are configured or users are not online.
– Deep mode: Power consumption is dynamically adjusted for running services, and
components not in use are shut down or switched to the sleeping state according to
the actual situation of services.
NOTE
l The ALS, EEE, and port sleeping functions are disabled by default in the standard energy
saving mode.
l The ALS, EEE, and port sleeping functions are enabled by default in the basic or deep energy
saving mode.
l Redundant power modules can be powered off to save energy only in basic or deep energy
saving mode. In basic energy saving mode, redundant power modules are powered off
according to the rated power consumption of a device. In deep energy saving mode, redundant
power modules are powered off according to the real-time power consumption of a device.
After redundant power modules are powered off, the power module status displays Normal in
the display device command output and NotSupply in the display power command output,
indicating that the power modules are not providing power; the power of the power modules
displays 0 in the display power system command output.
Licensing Requirements
Energy-saving management is a basic feature of a switch and is not under license control.
Version Requirements
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
None
Context
The device adjusts fan speed by monitoring the optical module temperature on the board.
When the temperature of an optical module exceeds the upper threshold, the fan speed
increases. When the temperature of optical modules falls below the lower threshold, the fan
speed is reduced.
Procedure
Step 1 Run:
system-view
The upper and lower temperature thresholds for fan speed adjustment are configured.
By default, the fan speed is reduced when the temperature falls below 60°C and is increased
when the temperature exceeds 65°C.
NOTE
----End
Context
The constraints on ALS are as follows:
l Only optical interfaces support ALS. Electrical interfaces do not support ALS.
l When optical interfaces transmit services unidirectionally, they do not support ALS.
Procedure
Step 1 Run:
system-view
----End
Context
After ALS is enabled, the laser is automatically shut down when a fiber is not properly
installed on an interface or the connected optical link fails. However, the laser still needs to
send pulses at a certain interval. When a fiber is installed on an interface or the connected
optical link recovers, the laser is automatically restored to set up a connection for data
communication. Therefore, you need to configure the restart mode of the laser after ALS is
enabled.
The laser of an optical module works in automatic restart mode or manual restart mode.
l Automatic restart mode: The laser automatically sends a pulse at an interval to detect
whether the link recovers.
l Manual restart mode: After the laser is manually started using a command, the laser
sends a pulse to detect whether the optical link recovers.
By default, a laser works in automatic restart mode.
After the optical link recovers, the laser is started after a certain interval if the restart mode is
automatic restart. To start the laser immediately after the optical link recovers, set the restart
mode of the laser to manual restart and run the als restart command.
NOTE
After ALS is enabled on an interface, the laser may send a pulse if the attributes (for example,
auto-negotiation) of the interface are changed or the optical module of the interface is removed and then inserted.
Procedure
l Configure automatic restart mode
a. Run:
system-view
The laser of the optical module is configured to work in automatic restart mode.
By default, a laser works in automatic restart mode.
l Configure manual restart mode
a. Run:
system-view
The laser of the optical module is configured to work in manual restart mode.
d. (Optional) Run:
als restart
6.3.2.3 Setting the ALS Pulse Interval and Width of the Laser
Context
The ALS pulse interval indicates the time between two consecutive pulse transmissions and
applies to the automatic restart mode. The ALS pulse width indicates the pulse period and
applies to the automatic restart mode and manual restart mode.
l In automatic restart mode, a small pulse width and a long pulse interval save more
energy but cannot ensure that optical link recovery can be detected in a timely manner.
l In manual restart mode, a small ALS pulse width saves energy but cannot ensure that
optical link recovery can be detected in a timely manner. In contrast, a large ALS pulse
width ensures that optical link recovery can be detected in a timely manner but wastes
energy.
You can set a proper laser pulse interval and width to ensure energy conservation and timely
detection of optical link recovery.
Procedure
Step 1 Run:
system-view
----End
Procedure
l Run the display als configuration slot slot-id command to check ALS configurations on
all interfaces of a specified slot.
l Run the display als configuration interface interface-type interface-number command
to check ALS configuration on a specified interface.
----End
Context
A device provides power for each interface. Even though an interface is idle, it consumes the
same power as working interfaces. This wastes power. After the Energy Efficient Ethernet
(EEE) function is configured on an electrical interface, the system reduces the power on the
interface when the interface is idle and restores the power when the interface starts to transmit
data. This reduces power consumption in the system.
NOTE
Only electrical interfaces support the EEE function. Optical interfaces do not support the EEE function.
If an electrical interface works at 10 Mbit/s after auto-negotiation, the EEE function does not take
effect.
Only the ES1D2G48TX1E, ES0DG24TFA00 on the S7700 and EH1D2G48TX1E, EH1D2G24TFA0 on
the S9700 support the EEE function.
Procedure
Step 1 Run:
system-view
NOTE
The EEE function takes effect only when it is configured on both ends of a link.
----End
Procedure
Step 1 Run:
system-view
----End
Context
The device supports the following energy-saving modes:
NOTE
l The ALS, EEE, and port sleeping functions are disabled by default in the standard energy saving
mode.
l The ALS, EEE, and port sleeping functions are enabled by default in the basic or deep energy saving
mode.
l Redundant power modules can be powered off to save energy only in basic or deep energy saving
mode. In basic energy saving mode, redundant power modules are powered off according to the
rated power consumption of a device. In deep energy saving mode, redundant power modules are
powered off according to the real-time power consumption of a device. After redundant power
modules are powered off, the power module status displays Normal in the display device command
output and NotSupply in the display power command output, indicating that the power modules are
not providing power; the power of the power modules displays 0 in the display power system
command output.
Procedure
Step 1 Run:
system-view
Step 2 Run:
set power manage mode mode-id
NOTE
After the energy-saving mode is set to basic or deep mode, loopback test on interfaces is disabled.
Therefore, before performing a loopback test, set the energy-saving mode to standard mode.
----End
Networking Requirements
As shown in Figure 6-1, GigabitEthernet1/0/1 on SwitchA connects to GigabitEthernet1/0/1
on SwitchB through optical fibers.
When a link fails, the laser on the optical module is required to automatically stop sending
pulses and recover pulse sending after the link is recovered.
SwitchA SwitchB
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable ALS on the interface so that the laser automatically stops sending pulses when a
link fails.
2. Set the restart mode of the laser to automatic restart mode so that the laser sends pulses
again after the link is recovered.
Procedure
Step 1 Configure ALS on the interface and the restart mode of the laser.
# Enable ALS on interface GigabitEthernet1/0/1 of SwitchA and set the restart mode of the
laser to automatic restart. By default, a laser works in automatic restart mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] als enable
[SwitchA-GigabitEthernet1/0/1] undo als restart mode manual
[SwitchA-GigabitEthernet1/0/1] return
# Enable ALS on interface GigabitEthernet1/0/1 of SwitchB and set the restart mode of the
laser to automatic restart. By default, a laser works in automatic restart mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] als enable
[SwitchB-GigabitEthernet1/0/1] undo als restart mode manual
[SwitchB-GigabitEthernet1/0/1] return
----End
Configuration file
l SwitchA configuration file
#
sysname SwitchA
#
interface GigabitEthernet1/0/1
als enable
#
return
l SwitchB configuration file
#
sysname SwitchB
#
interface GigabitEthernet1/0/1
als enable
#
return
7 PoE Configuration
This chapter describes how to configure PoE. PDs, such as wireless telephones and APs, are
provided with power when the devices are configured with PoE.
Definition
Power over Ethernet (PoE) provides power through the Ethernet. It is also called Power over
LAN (PoL) or active Ethernet.
Purpose
As IP phones, network video monitoring, and wireless Ethernet networks are widely deployed,
the demand for power supply over Ethernet has become urgent. In most situations, access
point devices need DC power, but they are often installed outdoors or on ceilings far from
the ground, where a suitable power socket is difficult to find. Even if a suitable power
socket is available, it is hard for the network administrator to install the AC/DC converter
required by access point devices. On many large-scale LANs, administrators need to manage
multiple access point devices that require uniform power supply and management, which makes
power supply management difficult. The PoE function addresses this problem.
PoE technology is used on wired Ethernet and is most widely used on LANs.
The PoE function transmits power together with data to terminals over cables or transmits
power without data over idle lines. This technology provides power on the 10Base-T,
100Base-TX, or 1000Base-T Ethernet at a distance of up to 100 m. PoE can be used to
effectively provide centralized power for terminals such as IP phones, Access Points (APs),
chargers of portable devices, POS machines, cameras, and data collection devices. Terminals
are provided with power when they access the network. Therefore, indoor cabling of power
supply is not required.
The PoE has the following advantages:
l Reliable: Multiple PDs are powered by one device, facilitating power backup.
l Easy to deploy: Network terminals can be powered over network cables, without a need
for external power sources.
l Standard: The PoE function complies with IEEE 802.3af and 802.3at, and all PoE
devices use uniform power sources.
Benefits
l Saves the costs on the cabling of power supply and facilitates power module installation.
l Works with the Uninterruptible Power Supply (UPS) to provide backup power supply for
IP cameras, video servers, and IP phones, and prevents power-off.
7.2 Principles
Introduction to PoE
PoE involves the following devices:
l Power-sourcing Equipment (PSE): The PSE provides power for Powered Devices (PDs)
on the Ethernet and supports detection, analysis, and intelligent power management.
l PD: PDs are provided with power, such as the wireless AP, portable device charger, POS
machine, and camera. According to whether a PD conforms to IEEE standard, PDs are
classified into standard and non-standard PDs.
l PoE power supply: The PoE power supply provides power for the PoE system. The
number of PDs connected to the PSE is limited by power of the PoE power supply.
According to whether a PoE power supply is swappable, PoE power supplies are
classified into built-in and external power supplies.
Procedure | Item | Description
2 | Power supply capability negotiation | The PSE classifies PDs and supports power supply capability negotiation. Power supply capability negotiation is classified into two modes: analysis of detected resistance and LLDP Power Capability Negotiation.
3 | Power-on starting | In a period shorter than 15 μs, the PSE provides low voltage for PDs, and then the voltage is increased to 48 V.
4 | Power-on | The PSE provides 48 V DC power supply for PDs and the power consumption of the PDs is smaller than 37 W.
5 | Power-off | During the power supply process, the PSE detects the input current of the PD continuously. The PSE cuts off the power supply and repeats detection when the current of the PD is reduced to the minimum value or increased sharply in any of the following situations:
l The PD is removed.
l The power consumption of the PD is overloaded or short-circuited.
l The power consumption of the PD exceeds the power supply load.
l Automatic mode: The PSE automatically powers on or powers off PDs based on power
priorities. You can configure a power priority of each interface as Critical, High, or Low
based on the importance of the PD connected to each interface. When providing power
nearly at full capacity, the PSE provides power first for the PD connected to the interface
of Critical priority and then provides power for the PD connected to the interface of High
priority. If multiple PoE interfaces have the same priority, the system first supplies power
to the PDs connected to the interfaces with smaller interface numbers.
l Manual mode: You can manually power on or power off interfaces. In manual mode, the
PSE provides power for an interface without considering the priority. Powering on or
powering off a single interface does not affect the power supply status. When providing
power nearly at full capacity, the PSE cannot continue to power on a new PD.
TLV format (fields in order, with field lengths):
TLV Type = 127 (7 bits)
TLV information String Length = 12 (9 bits)
TIA OUI 00-12-0F (3 bytes)
Extended Power via MDI Subtype = 2 (1 byte)
MDI Power Support (1 byte)
PSE Power Pair (1 byte)
Power Class (1 byte)
Power Type (2 bits)
Power Source (2 bits)
Power Priority (4 bits)
Power Value (4 bytes)
4-7 Reserved. -
2 17 to 20 7 Low power
l Type/source/priority
Field Functions Description
l Power value: contains PD requested power value and PSE allocated power value. When
the PoE power is sufficient, the two values are the same. The value is an integer that
ranges from 1 to 255. Exchange power = 0.1 x Hexadecimal value of the field. For
example, if the value of the field is 255, the exchange power is 25.5 W.
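LLDP frames are not authenticated, so software that consumes this TLV should reject anything that does not match the layout and the 1 to 255 range described above. The following parser is an added example, not code from the original guide or from Huawei. It assumes, from IEEE 802.3at rather than from this page, that the 4-byte power value splits into a 2-byte PD requested value followed by a 2-byte PSE allocated value and that the low two bits of the type/source/priority byte carry the priority; all function names are hypothetical.

```python
import struct

# Values taken from the TLV layout described on this page.
TLV_TYPE_ORG_SPECIFIC = 127
TLV_INFO_LENGTH = 12
OUI = bytes.fromhex("00120f")
SUBTYPE_POWER_VIA_MDI = 2

# Assumption from IEEE 802.3at (not stated on this page): the low two bits
# of the type/source/priority byte encode the power priority.
PRIORITY_NAMES = {0: "unknown", 1: "critical", 2: "high", 3: "low"}


class TLVError(ValueError):
    """Raised when a received TLV does not match the expected layout."""


def _power_watts(raw, label):
    # The page gives the valid range as 1..255, in units of 0.1 W.
    if not 1 <= raw <= 255:
        raise TLVError(f"{label} power value {raw} is outside 1..255")
    return raw / 10


def parse_power_via_mdi(tlv: bytes) -> dict:
    """Validate and decode one extended Power via MDI TLV."""
    if len(tlv) < 2:
        raise TLVError("truncated TLV header")
    (header,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = header >> 9, header & 0x1FF  # 7-bit type, 9-bit length
    if tlv_type != TLV_TYPE_ORG_SPECIFIC:
        raise TLVError(f"unexpected TLV type {tlv_type}")
    if length != TLV_INFO_LENGTH:
        raise TLVError(f"unexpected information string length {length}")
    if len(tlv) != 2 + length:
        raise TLVError("length field does not match the bytes received")
    body = tlv[2:]
    if body[:3] != OUI or body[3] != SUBTYPE_POWER_VIA_MDI:
        raise TLVError("OUI or subtype is not Power via MDI")
    mdi_support, pse_pair, power_class, tsp = body[4:8]
    # Assumed split of the 4-byte power value: requested first, then allocated.
    requested, allocated = struct.unpack("!HH", body[8:12])
    return {
        "mdi_power_support": mdi_support,
        "pse_power_pair": pse_pair,
        "power_class": power_class,
        "power_type": tsp >> 6,            # upper 2 bits
        "power_source": (tsp >> 4) & 0x3,  # next 2 bits
        "priority": PRIORITY_NAMES[tsp & 0x3],
        "pd_requested_w": _power_watts(requested, "PD requested"),
        "pse_allocated_w": _power_watts(allocated, "PSE allocated"),
    }


def build_sample(requested=255, allocated=255, tsp=0x51) -> bytes:
    """Constructed sample TLV for the demonstration, not a real capture."""
    header = struct.pack("!H", (TLV_TYPE_ORG_SPECIFIC << 9) | TLV_INFO_LENGTH)
    fields = bytes([SUBTYPE_POWER_VIA_MDI, 0x0F, 0x01, 0x04, tsp])
    return header + OUI + fields + struct.pack("!HH", requested, allocated)


if __name__ == "__main__":
    print(parse_power_via_mdi(build_sample()))
    for bad in (build_sample(requested=0), build_sample()[:-1]):
        try:
            parse_power_via_mdi(bad)
        except TLVError as exc:
            print("rejected:", exc)
```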
7.3 Applications
Terminals such as IP phones, cameras, and data collectors require DC power. These terminals
are usually installed in corridors or on the ceilings where power sockets are unavailable. On
most large-scale LANs, administrators manage many access point devices that require
centralized power supply; therefore, power supply management is difficult.
As shown in Figure 7-2, the device, which has the PoE function, provides power for access
devices, such as IP phones and cameras. The PoE function reduces power cables, saves
network construction costs, and facilitates access device management because external power
supplies are not required.
Internet
PD
Licensing Requirements
PoE is a basic feature of a switch and is not under license control.
Version Requirements
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
PoE power supplies supported by the switch
l A switch supports three types of PoE power modules: 800 W AC, 2200 W AC, and 2200
W DC. 2200 W DC power modules can be used as PoE power modules only in
V200R006C00 and later versions. With 220 V input voltage, 800 W AC and 2200 W AC
power modules provide maximum output power of 800 W and 2200 W, respectively.
With 110 V input voltage, they provide maximum output power of 400 W and 1100 W,
respectively. The S7712 does not support 110 V input voltage.
l S7706 and S7712 provide four PoE power supply slots that can be installed with four
PoE power supplies simultaneously. The PoE power supplies can work in redundancy
mode. S7703 supports only one PoE power supply slot. The PoE power supply cannot
work in redundancy mode.
l The maximum output power of the system is determined by the number, type, and
voltage of PoE power supplies. For the maximum PoE power of each switch, see "PoE
power modules" in the Hardware Description - Power Supply Slot Configuration.
PoE function
l The switch supports power supply capability negotiation using the Link Layer Discovery
Protocol (LLDP).
l The switch supports perpetual power supply and fast power-on.
l If a switch supports PoE, its PoE feature is not affected after it joins a CSS.
l The maximum PoE power supply distance is 100 m.
Pre-configuration Tasks
Before configuring PoE, complete the following tasks:
l Ensure that the ES0D0G48VA00 has been installed because only the ES0D0G48VA00
board supports PoE currently.
l Install the PoE power module and power on.
l Connect the interfaces on the PSE to PD to ensure that the status of the link layer
protocol of the interface is Up.
Generally, the device can detect whether a PD connected to it needs power supply and
provides PoE function. If you need to modify the PoE configuration or manually power on the
PD, see the following configuration.
Context
Ensure that the PoE function on the interface is enabled before powering on a PD connected
to the interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
poe enable
----End
Context
You can configure the TLV in LLDP so that the device can classify PDs through the LLDP
function enabled on the device. The device that is not configured with the LLDP function
detects and classifies PDs through analyzing current and resistance between the device and
PDs. Compared with current and resistance analysis, the LLDP function provides a more
comprehensive and accurate analysis.
Procedure
Step 1 Run:
system-view
Step 2 Run:
lldp enable
Step 3 Run:
interface interface-type interface-number
Step 4 Run:
lldp enable
Step 5 Run:
lldp tlv-enable dot3-tlv power
NOTE
After LLDP is configured to advertise the Power Via MDI TLV, the device can analyze the interface type,
whether the PSE supports MDI, the status of MDI power supply, and whether the PSE can control the line pairs,
and can analyze the line pairs and power priority.
Step 6 Run:
lldp tlv-enable med-tlv power-over-ethernet
----End
Procedure
l Configure the PoE power supply backup mode.
When a chassis PoE device is equipped with multiple power supplies and the power is
sufficient, configure some of power supplies as backup power supplies. If the active
power supply is faulty, the backup power supply continues to provide power for PDs,
ensuring system stability.
a. Run:
system-view
system-view
By default, the maximum power of each card is the average power that is allocated
from the maximum power of the device.
l Configure the maximum output power for an interface.
The PD power negotiation result may be different from the power required by some non-
standard PDs or PDs that cannot be classified. You can configure the maximum output
power of an interface to prevent power overload for PDs and save energy.
a. Run:
system-view
The percentage of the reserved PoE power to the maximum output power is
configured.
system generates an alarm so that administrators can take measures to reduce the power
consumption.
a. Run:
system-view
By default, the alarm threshold is 90%. That is, an alarm is generated when the
consumed power accounts for 90% of the total power.
----End
Context
High inrush current is generated when a non-standard PD is powered on. In this case, the
device cuts off the power of the PD to protect itself. If the device is required to provide power
for the PD, the PSE must allow high inrush current.
If high inrush current is allowed, the self-protection of the device is disabled. This may
damage components of the device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
poe high-inrush enable slot slot-id
By default, the device does not allow high inrush power during power-on.
----End
Context
The device supports two power-on and power-off modes: automatic and manual.
l In automatic mode, the interface power supply priority can be configured as critical,
high, or low. When the remaining power is insufficient, PDs with higher power supply
priority are first provided with power.
l In manual mode, you can power on or power off the specified interface as required.
When the remaining power is insufficient, PDs cannot be powered on.
Besides powering on PDs in the automatic and manual modes, the interface PoE power
management provides the following functions:
l Configuring the power-on and power-off time range.
l Being compatible with non-standard PDs.
Procedure
l Configure the PoE power management mode.
a. Run:
system-view
Within the power-off time range, if the power management mode is changed, the set
power-off time range becomes invalid. PDs are powered on according to the newly
set power management mode. For example, if the manual mode is changed into the
automatic mode within the power-off time range, the power-off time range becomes
invalid and PDs power on automatically.
Procedure
l Run the display poe-power command to view the status of the PoE power supply.
l Run the display lldp tlv-config command to view the TLV types supported by the
interface.
l Run the display lldp local command to view the status of the LLDP on the interfaces
and device.
l Run the display lldp neighbor command to view the information of the interface
neighbors.
l Run the display lldp neighbor brief command to view the information of the device
neighbors.
l Run the display poe device command to display the information about the devices that
support the PoE function.
l Run the display poe information [ slot slot-id ] command to view the information about
the PoE function.
l Run the display poe power { slot slot-id | interface interface-type interface-number }
command to view the current power of the interface.
l Run the display poe power-state { slot slot-id | interface interface-type interface-
number } command to view the PoE power supply status on the interface.
----End
Networking Requirements
Figure 7-3 shows that switches are deployed at the access layer on the network. The IP phone
connected to the switch is deployed outdoors and the AP is deployed on the external wall of
the office. It is difficult to connect power supplies to these devices. The user wants the switch
to provide power for these devices and save the deployment costs.
Because this is the office network of a bank, AP1 cannot be powered off and should be
configured with the highest power supply priority. IP Phone1, which carries a large amount
of services, needs to obtain power supply with high priority and generally cannot be powered off.
GE2/0/1 GE2/0/2
IP Phone1 AP1
IP Phone2 AP2
Configuration Roadmap
The switch supporting PoE and installed with the PoE power supply is required.
The configuration roadmap is as follows:
1. Configure the power management mode as automatic mode so that PDs can be flexibly
managed.
2. Configure the maximum output power of the board in slot 1 to ensure that the board in
slot 1 is provided with stable power when the power of the device is insufficient.
3. Configure the power supply priority on GigabitEthernet1/0/2 and GigabitEthernet1/0/1
so that AP1 and IP phone1 are provided with power preferentially.
4. Configure the maximum output power on GigabitEthernet1/0/1, GigabitEthernet2/0/1,
and GigabitEthernet1/0/2 to limit the power of the corresponding interface and ensure
security of the device.
Procedure
Step 1 Configure the power management mode of the device as automatic mode.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] poe power-management auto slot 1
[Switch] poe power-management auto slot 2
Step 2 Configure the maximum output power of the PoE board in slot 1 as 200 W.
[Switch] poe max-power 200000 slot 1
Warning: This operation may power off some PD. Continue?[Y/N]:y
# Display the PoE power supply status of the interface on the board in slot 2.
[Switch] display poe power-state slot 2
PORTNAME POWERON/OFF ENABLED PRIORITY STATUS
--------------------------------------------------------------------------------
GigabitEthernet2/0/0 off enable Low Detecting
GigabitEthernet2/0/1 on enable Low Delivering-power
GigabitEthernet2/0/2 on enable Low Delivering-power
GigabitEthernet2/0/3 off enable Low Detecting
GigabitEthernet2/0/4 off enable Low Detecting
GigabitEthernet2/0/5 off enable Low Detecting
GigabitEthernet2/0/6 off enable Low Detecting
GigabitEthernet2/0/7 off enable Low Detecting
GigabitEthernet2/0/8 off enable Low Detecting
GigabitEthernet2/0/9 off enable Low Detecting
GigabitEthernet2/0/10 off enable Low Detecting
----End
Configuration Files
#
sysname Switch
#
#
poe max-power 200000 slot 1
#
interface GigabitEthernet1/0/1
poe priority high
poe power 15000
#
interface GigabitEthernet1/0/2
poe priority critical
poe power 20000
#
interface GigabitEthernet2/0/1
poe power 15000
#
return
8 CSS Configuration
This chapter describes how to configure Cluster Switch System (CSS) to improve forwarding
performance and reliability.
8.1 Using the CSS Assistant Tool to Quickly Obtain Information
8.2 Introduction to CSS
8.3 Principles
8.4 Applications
8.5 CSS Connection Modes
8.6 Configuration Task Summary
8.7 CSS Support and Version Requirements
8.8 Default Configuration
8.9 Establishing a CSS by Connecting CSS Cards
8.10 Establishing a CSS Using Service Port Connections
8.11 Configuring Enhanced CSS Functions
This section describes how to configure enhanced CSS functions that improve CSS system
reliability and make operations easier.
8.12 Maintaining the CSS
8.13 Splitting a CSS
8.14 Configuration Examples
8.15 FAQ
Click behind each select box to get detailed information and figures.
2. Click Submit after finishing the selection. The CSS precautions, connection rules, and
software configuration are displayed. Set up a CSS according to this information.
Definition
A Cluster Switch System (CSS) is a logical switch consisting of two clustering-capable
switches. A CSS is also called a cluster. Figure 8-3 shows the topology of a CSS.
CSS link
Link aggregation
Eth-Trunk
Purpose
In addition to high forwarding performance, CSS technology provides high network reliability
and high scalability, while simplifying network management.
l High reliability: Member switches in a CSS work in redundancy mode. Link redundancy
can also be implemented between member switches through link aggregation.
l High scalability: Switches can set up a CSS to increase the number of ports, bandwidth,
and packet processing capabilities.
l Simplified configuration and management: After two switches set up a CSS, they are
virtualized into a single device. You can log in to the CSS from either member switch to
configure and manage the entire CSS.
8.3 Principles
[Figure: a CSS consisting of SwitchA (Master, CSS ID = 1, CSS priority = 200) and SwitchB (Standby, CSS ID = 2, CSS priority = 100), connected by a CSS link]
A CSS is set up automatically after you use cluster cables to connect two switches, enable the
CSS function on the two switches, and restart the switches. The member switches then send
CSS competition packets to each other. After the competition, one switch becomes the master
switch to manage the entire CSS, and the other becomes the standby switch.
Role Election
The master switch of a CSS is elected based on the following rules:
1. The switch that starts and enters the single-chassis CSS state first becomes the master
switch.
2. If the two switches start up at the same time, the switch with a higher priority becomes
the master switch.
3. If the two switches start up at the same time and have the same priority, the switch with a
smaller MAC address becomes the master switch.
4. If the two switches start up at the same time and have the same priority and MAC
address, the switch with a smaller CSS ID becomes the master switch.
NOTE
If the master switch is elected because it starts and enters the single-chassis CSS state first, the other
joins the CSS using the process described in 8.3.5 New Member Join and CSS Merge.
After a CSS is set up, the master MPU of the master switch works as the system master MPU
to manage the entire CSS. The master MPU of the standby switch works as the system
standby MPU. The standby MPUs of the master and standby switches work as candidate
system standby MPUs. Figure 8-5 shows the role election result after a CSS is set up. In this
example, SwitchA is elected as the master switch.
[Figure 8-5: role election result after a CSS is set up. SwitchA (master): system master MPU,
candidate system standby MPU, LPUs. SwitchB (standby): system standby MPU, candidate
system standby MPU, LPUs.]
CSSs with the same configuration. In this situation, if a member switch restarts, its unsaved
configuration is lost. For details about a CSS split, see 8.3.6 CSS Split and MAD.
If you want to restore the original configuration of a switch after disabling the CSS function,
delete the extension .bak from the backup configuration file name, specify this configuration
file for next startup, and then restart the switch.
Two switches in a CSS set up a virtual device on the network. The interface numbering rules,
system login methods, and file system access methods used in the CSS are different from
those used on standalone switches.
On a standalone switch without CSS enabled, interfaces are numbered in the slot ID/subcard
ID/port sequence number format. In a CSS, member switches are identified by their CSS IDs
and their interfaces are numbered in the CSS ID/slot ID/subcard ID/port sequence number
format.
NOTE
After you enable CSS on a standalone switch and restart it, the switch becomes a single-chassis CSS and
its interfaces are also numbered in the CSS ID/slot ID/subcard ID/port sequence number format.
After CSS is disabled on a switch, the interface numbering format on the switch must be
manually changed from CSS ID/slot ID/subcard ID/port sequence number to slot ID/subcard
ID/port sequence number. The procedure is as follows:
1. After CSS is enabled on the switch, the switch automatically backs up the configuration
file used in standalone state by adding the extension .bak to the configuration file name.
2. Before CSS is disabled on the switch, specify this configuration file for next startup.
3. Disable CSS and then restart the switch.
• Local login: Log in through the console interface on any MPU of the CSS.
• Remote login: Log in through the management interface or another Layer 3 interface of
any MPU in the CSS. You can remotely log in to the CSS using Telnet, STelnet, web, or
SNMP if your operation terminal has a reachable route to the CSS.
After logging in to a CSS, you have actually logged in to the master switch, no matter which
member switch you log in through. After you perform configurations in the CSS, the master
switch issues the configurations to the standby switch. In this way, resources of member
switches are managed uniformly.
File system access refers to operations performed on the storage device, including
file/directory creation, deletion, and modification, and file display. The S7700 and S9700 use
a CF card and flash memory as storage devices.
The location of a file is identified by drive + path + filename:
• drive indicates the storage device.
• path indicates a directory and its sub-directories.
• filename indicates the file name.
For details, see File System Overview.
The value of drive varies depending on whether the switch is a standalone switch or joins a
CSS:
• The switch is a standalone switch:
– To access the root directory of the CF card or flash memory on the system master
MPU, set drive to cfcard: or flash:.
– To access the root directory of the CF card or flash memory on the standby MPU,
set drive to slave#cfcard: or slave#flash:.
• The switch joins a CSS:
– To access the root directory of the CF card or flash memory on the system master
MPU, set drive to cfcard: or flash:.
– To access the root directory of the CF card or flash memory on the system standby
MPU or candidate system standby MPU, set drive to chassis ID/slot ID#cfcard: or
chassis ID/slot ID#flash:. (The chassis ID is the CSS ID.)
For example, 1/8#cfcard: means the root directory of the CF card in slot 8 of
chassis 1.
As shown in Figure 8-6, traffic sent to the core device on the network is equally distributed to
member links of an Eth-Trunk set up between CSS member switches. When a member link
fails, traffic on this link is distributed to the other link through the cluster cables between the
member switches. This link backup mechanism improves network reliability.
As shown in Figure 8-7, traffic sent to the core device on the network is equally distributed to
member links of an Eth-Trunk set up between CSS member switches. When a member switch
fails, traffic toward this switch is distributed to the other switch. This device backup
mechanism improves network reliability.
[Figure: two-chassis CSS. SwitchA (Master, CSS ID = 1) and SwitchB (Standby, CSS ID = 2) are
connected by a CSS link.]
A new member switch joins a single-chassis CSS in either of the following situations:
• After two switches are connected using cluster cables, one switch is configured with the
CSS function and restarted. This switch enters the single-chassis CSS state. After the
other switch is configured with the CSS function and restarted, it joins the CSS as the
standby switch.
• In a running two-chassis CSS, one switch is restarted. Then this switch joins the CSS
again as the standby switch.
CSS Merge
Two single-chassis CSS systems can merge into one CSS. As shown in Figure 8-10, two
single-chassis CSS systems merge into one and elect a master switch. The master switch
retains its original configuration and its standby MPU resets, without affecting services. The
standby switch restarts, joins the new CSS as the standby switch, and synchronizes the
configuration file with the master switch. Original services on this standby switch are
interrupted.
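[Figure 8-10: CSS merge. Before the merge: one single-chassis CSS with CSS ID = 1 and
priority = 100, and one with CSS ID = 2 and priority = 200. After the merge: SwitchA (Standby,
CSS ID = 1) and SwitchB (Master, CSS ID = 2) are connected by a CSS link.]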
NOTE
Ensure that the two chassis have different CSS IDs in both new member join and CSS merge scenarios.
If the CSS IDs are the same, modify the CSS ID of one switch first.
CSS Split
After a CSS is set up, the master and standby MPUs of the CSS periodically send heartbeat
packets to each other to maintain the CSS status. If a cluster cable or a CSS card fails or one
switch is powered off or restarted, communication between the two switches is interrupted.
When the heartbeat timeout timer (8s) expires, the CSS splits into two single-chassis CSS
systems, as shown in Figure 8-11.
Multi-Active Detection
After a CSS splits, the two switches use the same global configuration if they are running
normally. In this case, the two switches use the same IP address and MAC address (that is, the
MAC address of the stack) to communicate with other network devices, because the switches
run the same configuration file (configuration file of the previous CSS). The address collision
causes a communication failure on the entire network. To prevent this problem, multi-active
detection (MAD) can be configured to ensure that only one master switch exists after the CSS
splits.
Multi-active detection (MAD) is a CSS split detection protocol. When a link failure causes a
CSS split, MAD provides split detection, multi-active handling, and fault recovery
mechanisms to minimize the impact on services.
MAD Modes
MAD can be implemented in direct or relay mode. The direct and relay modes cannot be
configured together in the same CSS.
• Direct mode
In direct mode, CSS member switches use direct links over ordinary network cables as
dedicated MAD links. When the CSS is running normally, member switches do not send
MAD packets. After the CSS splits, the member switches send a MAD packet every 1s
over the MAD link to check whether multiple master switches exist.
In direct mode, CSS member switches can be directly connected to an intermediate
device or directly connected to each other:
– Directly connected to an intermediate device (Figure 8-12): Each member switch
has at least one MAD link connected to the intermediate device. This deployment
can be used when member switches are far from each other.
– Directly connected to each other (Figure 8-13): No intermediate device is
deployed, preventing MAD from being affected by intermediate device failures.
NOTE
• After configuring MAD in direct mode on an interface, do not configure other services on the
interface.
• A maximum of four direct MAD links can be configured between member switches to ensure
reliability.
• MAD packets are bridge protocol data units (BPDUs), so the intermediate device must be able
to forward BPDUs. For details on how to configure this function, see Configuring
Interface-based Layer 2 Protocol Transparent Transmission.
• Relay mode
In relay mode, MAD relay detection is configured on an Eth-Trunk interface in the CSS,
and the MAD detection function is enabled on an agent. Every member switch must have
a link to the agent and these links must be added to the same Eth-Trunk. In contrast to
the direct mode, the relay mode does not require additional interfaces because the
Eth-Trunk interface can run other services while performing MAD relay detection.
In relay mode, when the CSS is running normally, member switches send MAD packets
at an interval of 30s over the MAD links and do not process received MAD packets.
After the CSS splits, member switches send MAD packets at an interval of 1s over the
MAD links to check whether multiple master switches exist.
You can use an independent relay agent (Figure 8-14) or use two CSS systems as each
other's relay agents (Figure 8-15).
NOTE
• The relay agent is a switch that supports the MAD relay function. Currently, all the S7700 and
S9700 series switches support this function.
• To implement MAD relay detection by using two CSS systems as each other's relay agent,
configure different domain IDs for the two CSS systems. Member switches of a CSS form a CSS
domain. A network may have multiple CSS domains, with different domain IDs.
Figure 8-15 Two CSS systems as MAD relay agents of each other
Multi-Active Handling
After a CSS splits, the MAD mechanism sets the new single-chassis CSS systems to Detect or
Recovery state. The CSS in Detect state still works, whereas the CSS in Recovery state is
disabled.
MAD handles a multi-active situation in the following way: When MAD detects two CSS
systems (two master switches) in Detect state, MAD allows only the switch with a higher CSS
priority to work. (If the two switches have the same CSS priority, their MAC addresses and
CSS IDs are compared in turn.) Then the other switch enters the Recovery state, and all its
physical ports except the excluded ones are shut down to prevent the switch from forwarding
service packets.
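The role election rules and the multi-active handling described above, as an added Python example (not Huawei's code). It shows that, under the rules as stated on this page, a master elected because it started first can be the chassis that MAD puts into Recovery state after a split. The switch names, MAC addresses, and port names are constructed, and the direction of the MAC address and CSS ID tie-breaks in MAD is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    name: str
    css_id: int
    priority: int
    mac: str         # constructed sample value in xxxx-xxxx-xxxx notation
    ready_at: float  # seconds until the switch entered single-chassis CSS state


def mac_value(mac):
    """Convert a MAC string to an integer so 'smaller MAC address' is well defined."""
    digits = "".join(c for c in mac if c not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def tiebreak_key(member):
    # Higher priority first, then smaller MAC address, then smaller CSS ID.
    return (-member.priority, mac_value(member.mac), member.css_id)


def elect_master(a, b):
    """Role election rules 1 to 4: start order is decided before priority is compared."""
    if a.css_id == b.css_id:
        raise ValueError("member switches must have different CSS IDs")
    if a.ready_at != b.ready_at:
        return a if a.ready_at < b.ready_at else b
    return min(a, b, key=tiebreak_key)


def mad_resolve(a, b, ports, excluded=()):
    """Multi-active handling: both chassis are masters in Detect state after a split.

    Returns (active, recovery, ports_shut_down). Assumption: the MAC address and
    CSS ID tie-breaks favour the smaller value, as in role election; the page
    only says they are compared in turn.
    """
    active = min(a, b, key=tiebreak_key)
    recovery = b if active is a else a
    keep_up = set(excluded)
    shut = sorted(p for p in ports[recovery.name] if p not in keep_up)
    return active, recovery, shut


# Constructed scenario: SwitchA has the lower priority but starts first.
SWITCH_A = Member("SwitchA", 1, 100, "00e0-fc00-0001", ready_at=0.0)
SWITCH_B = Member("SwitchB", 2, 200, "00e0-fc00-0002", ready_at=45.0)
PORTS = {  # hypothetical physical ports per chassis
    "SwitchA": ["GigabitEthernet1/1/0/1", "GigabitEthernet1/1/0/2", "GigabitEthernet1/1/0/3"],
    "SwitchB": ["GigabitEthernet2/1/0/1", "GigabitEthernet2/1/0/2"],
}
EXCLUDED = ["GigabitEthernet1/1/0/3"]  # hypothetical excluded port that stays up

if __name__ == "__main__":
    master = elect_master(SWITCH_A, SWITCH_B)
    active, recovery, shut = mad_resolve(SWITCH_A, SWITCH_B, PORTS, EXCLUDED)
    print(f"master after setup: {master.name}")
    print(f"after split: {active.name} keeps working, {recovery.name} enters Recovery")
    print("ports shut down:", ", ".join(shut))
```

Running the same comparison on the planned priorities before deployment shows which chassis, and therefore which set of attached users, loses its service ports if the cluster links fail.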
Fault Recovery
After the faulty link recovers, the CSS systems merge into one in either of the following
ways:
• The CSS in Recovery state restarts and merges with the CSS in Detect state. The service
ports that have been shut down are restored to Up state, and the entire CSS recovers.
• If the CSS in Detect state is also faulty before the faulty link recovers, remove this CSS
from the network, start the CSS in Recovery state to switch service traffic to this CSS,
and rectify the CSS system fault. After the CSS recovers, connect it to the network so
that it can merge with the other CSS.
Many factors can cause master/standby switchover events in a CSS. The following describes
master/standby switchover events triggered by MPU failures and those triggered using
commands.
Figure 8-16 Changes of roles after a failure of the system master MPU
[Figure 8-16 label: A master/standby switchover occurs in the CSS.]
– The original standby switch becomes the master switch, and the original system
standby MPU becomes the system master MPU.
– The original master switch becomes the standby switch.
– The standby MPU of the original master switch becomes the system standby MPU
and synchronizes data with the system master MPU.
• The system standby MPU fails.
Figure 8-17 shows how the roles in both chassis 1 and 2 change after the system standby
MPU fails.
Figure 8-17 Change of roles after a failure of the system standby MPU
[Figure 8-17 label: A master/standby switchover occurs in the chassis.]
[Figure label: Master/standby switchover is triggered by a command.]
• The original standby switch becomes the master switch, and the original system standby
MPU becomes the system master MPU.
• The original system master MPU becomes a candidate system standby MPU, and the
original master switch becomes the standby switch.
• The standby MPU of the original master switch becomes the system standby MPU and
synchronizes data with the system master MPU.
A CSS can be upgraded using the traditional upgrade method (specifying the next-startup files
and restarting the entire CSS) or the fast upgrade function.
The traditional upgrade method causes service interruption for a relatively long time and is
therefore not applicable to scenarios requiring short service interruption time. The fast
upgrade function is more suited to these scenarios.
In a fast upgrade, the standby switch first restarts with the new system software. Data traffic is
forwarded by the master switch during this period. After the standby switch completes the
upgrade, it becomes the master switch and starts to forward data traffic. Then the original
switch restarts with the new system software. After the original switch completes the upgrade,
it becomes the standby switch. If the standby switch fails in the upgrade, it restarts and rolls
back to the old version, and the CSS upgrade fails.
To minimize traffic loss during an upgrade, bundle uplinks and downlinks of the CSS to Eth-
Trunks to implement link redundancy.
8.4 Applications
Long-Distance Clustering
Long-distance clustering enables switches far from each other to form a CSS. As shown in
Figure 8-21, users on each floor of two buildings connect to the aggregation switches through
respective corridor switches. The aggregation switches connect users to the external network.
The aggregation switches in the two buildings can be connected using cluster cables to form a
CSS. The two aggregation switches then work like one device, simplifying the network
structure. The device management and maintenance costs are therefore reduced. In addition,
two links to the external network are available to users in each building, which greatly
improves service reliability.
[Figure 8-21: long-distance clustering. Building A and Building B, with a CSS between them and
the network above. Legend: CSS link, Eth-Trunk.]
NOTE
• For details about CSS connection modes, see 8.9 Establishing a CSS by Connecting CSS Cards
and 8.10 Establishing a CSS Using Service Port Connections.
• Two member switches in a CSS must be directly connected. That is, there are only the two member
switches on the CSS link.
MPU configuration requirements
– CSS card connection: Both the master and standby switches must have two MPUs installed.
– Service port connection: The master and standby switches can have one or two MPUs
installed.
– Comparison: The CSS card connection mode has higher hardware requirements.
Cluster cable connection requirements
– CSS card connection: CSS ports on the CSS cards of the S7700 must be connected. CSS
ports on the CSS cards of the S9700 must be connected using at least one cluster cable in a
group.
– Service port connection: The switches can set up a CSS as long as they are connected by
one cluster cable. It is recommended that the switches be connected by at least two cluster
cables.
– Comparison: The service port connection mode is more flexible:
• Even if multiple cluster cables fail, the CSS can still work, as long as one cluster cable is
working normally.
• Cabling in CSS card connection mode is complex and there is a limit on the number of
faulty cluster cables. CSS card connection on the S7700s allows only one faulty cluster
cable. When CSS ports are fully connected, CSS card connection on the S9700s allows
three faulty cluster cables at most.
Establishing a CSS
The two CSS connection modes have different hardware and software requirements. Select an
appropriate mode to set up a CSS based on device resources or network requirements.
To set up a CSS, confirm the software and hardware requirements, complete hardware
installation, and software configuration. After that, check whether the CSS is set up
successfully.
Use one of the following methods:
• 8.9 Establishing a CSS by Connecting CSS Cards
• 8.10 Establishing a CSS Using Service Port Connections
NOTE
When establishing a CSS, select either CSS connection mode as required.
8.12 Maintaining the CSS
You can perform the following tasks during CSS maintenance:
• 8.12.1 Monitoring the CSS Status
• 8.12.2 Enabling/Disabling CSS Traps
• 8.12.3 Performing a Master/Standby Switchover
• 8.12.4 Upgrading CSS Software
• 8.12.5 Checking Connectivity of CSS Links (Applicable to S9700 CSS Card Connection
Mode)
The preceding tasks are optional and can be configured based on your needs.
See 8.12 Maintaining the CSS.
8.13 Splitting a CSS
If the CSS is not required, split the CSS to restore the member switches to standalone
switches.
See 8.13 Splitting a CSS.
the switch for the configuration to take effect), and then configure the CSS function. If
SRU hardware engine is not disabled on the switch using SRUDs, the two switches may
restart repeatedly or the CSS may split and merge.
• Avoid deploying inter-chassis forwarding services on the LPUs that provide service ports
for clustering. Such LPUs preferentially forward received traffic from local ports, so
inter-card load balancing cannot be implemented.
• If a load balancing profile is configured on the LPUs that provide service ports for
clustering, traffic distribution among cluster links is affected, or even traffic loss may
occur. The load balancing profile configured using the load-balance-profile command
controls the load balancing mode used on cluster links. (If the specified profile does not
exist, the default load balancing mode is used.) When configuring the load balancing
mode for a specific type of packets using the mpls field, l2 field, ipv4 field, or ipv6
field command, you are advised to specify multiple keywords in the command so that
traffic can be load balanced properly.
• If the capwap source interface command has been executed to specify the source
interface used by the AC to establish a CAPWAP tunnel with an AP, the port interface
enable command configuration may fail because of insufficient ACL resources. The
port interface enable command is used to add physical member ports to a logical CSS
port.
• After a service port is configured as a physical member port of a logical CSS port, the
service port can transmit only CSS-related traffic and cannot be configured with any
other services. Most commands are unavailable in the corresponding interface view,
except the following:
– set flow-stat interval
– description (interface view)
– log-threshold input-rate output-rate
– trap-threshold
– display interface
– display interface brief
– display interface description
– display counters
– reset counters interface
– reset counters if-mib interface
– set flow-statistics include-interframe
Version Rollback:
If a member switch has FSUs installed and uses the service port connection mode, it cannot
be downgraded to a version that does not support the service port connection mode. Therefore,
before downgrading the system version to such a version, delete the configuration of the service
port connection.
The Stack & SVF Assistant is provided to help configure CSS on switches. To obtain the assistant, click
CSS Assistant.
Licensing Requirements
CSS is not under license control.
Version Requirements
CSS Card and Installation Slot
– ES02VSTSA:
• CSS card: ES02VSTSA (All ports on the CSS cards must be connected.)
• Installation slot: subcard slots of ES1D2SRUAC00, ES0D00SRUA00 (non-VER.A) and
ES0D00SRUB00 (non-VER.A)
CSS card and MPU models are abbreviated to VSTSA and SRUA (or SRUB) respectively.
– ES1D2VS04000:
• CSS card: ES1D2VS04000 (CSS ports on the CSS cards must have at least one cable
connected and ports on both ends of the cable must use the same port number.)
• Installation slot: subcard slots of ES1D2SRUH000 and ES1D2SRUE000
CSS card and MPU models are abbreviated to VS04 and SRUH (or SRUE) respectively.
Number of CSS Cards Supported by Each Chassis
– VSTSA: 2
– VS04: 2
Hardware Configuration
– VSTSA:
• Two S7706s, one S7706 and one S7712, or two S7712s can set up a CSS.
• Each chassis must have both active and standby MPUs installed, and the two MPUs must
have stack cards installed.
• MPUs in a single chassis must be the same model. Two chassis with different SRUs can set
up a CSS only in one case: SRUA in one chassis and SRUB in the other.
– VS04:
• Two S7706s, one S7706 and one S7712, or two S7712s can set up a CSS.
• Each chassis can have only one SRU installed, and a CSS card can be installed in any MPU
slot. To ensure reliability, you are advised to install two MPUs in each chassis.
• MPUs in a single chassis must be the same model. Two chassis with different SRUs can set
up a CSS only in one case: SRUH in one chassis and SRUE in the other and both chassis
run V200R010C00 or a later version.
License Required: No
CSS Card and Installation Slot
CSS card: EH1D2VS08000 (Eight ports on a CSS card are divided into two groups, each of
which must have at least one cable connected.)
Installation slot: subcard slot of EH1D2SRUC000
CSS card and MPU models are abbreviated to VS08 and SRUC respectively.
Number of CSS Cards Supported by Each Chassis: 2
Hardware Configuration
• Two S9706s, one S9706 and one S9712, or two S9712s can set up a CSS.
• Switches to set up a CSS must have both active and standby MPUs installed, and the two
MPUs must have stack cards installed.
License Required: No
Hardware Configuration
• Only two S7706 switches, two S7712 switches, or one S7706 and one S7712 can set up a
CSS.
• MPUs in one chassis must be the same model. MPUs in the local and remote chassis can be
the same model or different models; however, the same MPU model is recommended. Two
chassis with different SRUs can set up a CSS only in two cases: (1) SRUA in one chassis
and SRUB in the other; (2) SRUH in one chassis and SRUE in the other and both chassis
run V200R010C00 or a later version.
• Each chassis can have at most two LPUs for CSS connection. It is recommended that you
use the same type of LPUs in a chassis for CSS connection. The two chassis must use the
same type of ports for CSS connection, for example, 10GE SFP+ optical ports.
• Each LPU allows only one logical CSS port. Each logical CSS port supports a maximum of
32 physical member ports.
• Some ports on an LPU can function as CSS ports, while other ports on the LPU function as
service ports.
License Required: No
Hardware Configuration
• Only two S9706 switches, two S9712 switches, or one S9706 and one S9712 can set up a
CSS.
• MPUs in one chassis must be the same model. MPUs in the local and peer chassis can be
different models but are recommended to be the same model.
• Each chassis can have at most two LPUs for CSS connection. It is recommended that you
use the same type of LPUs in a chassis for CSS connection. The two chassis must use the
same type of ports for CSS connection, for example, 10GE SFP+ optical ports.
• Each LPU allows only one logical CSS port. Each logical CSS port supports a maximum of
32 physical member ports.
• Some ports on an LPU can function as CSS ports, while other ports on the LPU function as
service ports.
License Required: No
CSS ID 1
CSS priority 1
[Figure: CSS setup flow. Hardware installation, software configuration, verification. Legend:
mandatory, optional.]
NOTE
To load a license for a CSS, see FAQ "How Do I Install a License File for a CSS?".
Precautions
The CSS card is not hot swappable. When the switch has an MPU installed and powered on,
power off the MPU before you install or remove a CSS card.
• Do not place the card in a humid environment or direct sunlight. Ensure that the
environment where the card is temporarily stored is suitable for storage.
• Do not stack multiple cards together for transportation. Handle one card each time.
• Take ESD protection measures and do not touch the surface of the printed circuit board
(PCB).
• Push or pull the card slowly and horizontally along the guide rail. Avoid short circuits
caused by metal objects and place tools in proper locations.
Installation Procedure
1. Wear an ESD wrist strap and connect the ground terminal to the ESD jack on the chassis.
2. Install the CSS card on an MPU according to Figure 8-24.
4. View the RUN/ALM indicator on the new MPU and CSS card.
NOTE
After a new MPU is installed in the chassis, it starts and registers automatically. The start and
registration process takes less than 5 minutes.
– If the RUN/ALM indicator blinks green fast, the MPU or CSS card is starting.
– If the RUN/ALM indicator blinks green slowly, the MPU or CSS card is running
normally.
Precautions
When removing or connecting an optical fiber, do not look into the optical port without eye
protection. The laser emitted from the optical port can injure your eyes.
Installation Procedure
1. Wear an ESD wrist strap and connect the ground terminal to the ESD jack on the chassis.
2. Attach labels to both ends of a cluster cable according to Figure 8-26 and number these
labels starting from 1.
3. Connect cluster cables according to the connection rule shown in Figure 8-27 or Figure
8-28.
– When you hear a click, the electrical cable, optical module, or optical fiber is
installed properly.
– When removing the electrical cable, optical module, or optical fiber, push the
connector or handle inward first, and then pull it out.
NOTE
Follow these rules when connecting VSTSA CSS cards: Each VSTSA CSS card has four ports.
All ports with the same port number and color must be connected, as shown in the preceding
figure. For example, port 1 in blue on the left chassis must be connected to port 1 in blue on the
right chassis.
The CSS set up using VSTSA CSS cards allows at most one faulty cluster cable.
NOTE
Follow these rules when connecting VS08 CSS cards: Each VS08 CSS card provides eight ports,
which are divided into two groups. Ports in the groups with the same ID and color must be
connected. For example, ports in group 1 in blue on the left and right chassis must be connected,
and ports in group 2 in blue on the left and right chassis must be connected. See the preceding
figure to connect cables between groups. Ports in a group can be connected in any sequence, but
each group must have at least one cable connected. Full-mesh connections are recommended.
4. Arrange the cables in order and bundle the cables with a cable divider.
5. To power on the switches, ensure that power cables and ground cables are correctly
connected and then switch on the external power modules and built-in power modules in
turn.
Context
Table 8-6 lists software configurations for establishing a CSS by connecting CSS cards.
Table 8-6 Software configurations for establishing a CSS by connecting CSS cards
Item: (Optional) Specifying the Master Switch Forcibly
Description: Generally, the master switch of a CSS is elected when the CSS is set up. You can
also forcibly specify one switch as the master switch of a CSS.
Remarks: If this step is performed on two switches before they set up a CSS, the configuration
does not take effect after the CSS is set up. The master switch of the CSS is elected through
competition.
NOTICE
After a switch is manually specified as the master switch, a forcible master/standby
switchover may occur when both switches run normally. If a master/standby switchover
occurs, network services may be affected. Therefore, specifying the master switch forcibly is
not recommended.
Item: Enabling the CSS Function and Restarting Switches
Description: By default, the CSS function is disabled on a switch. The CSS function must be
enabled on both member switches.
Remarks: You can run the display css status [ saved ] command to check whether the CSS
function is enabled on the current switch. If the parameter saved is set, you can view the
saved CSS configuration.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the set css mode css-card command to set the connection mode to CSS card connection.
Step 3 Run the set css id new-id command to set a CSS ID for the switch.
Step 4 (Optional) Run the set css priority priority command to set a CSS priority for the switch.
Step 5 (Optional) Run the css master force command to specify a switch as the master switch.
Step 6 Run the css enable command to enable the CSS function on the switch.
After you enable the CSS function, the system prompts you to restart the switches. Enter Y to
restart the switches; otherwise, configurations cannot take effect, and the CSS cannot be
established.
----End
Background
After a CSS is set up, you can review indicators on the member switches to check CSS state
information, including the master/standby state of switches and link status.
Follow-Up Process
• If the indicator status is normal, log in to the CSS and run commands to check CSS state
information and configure enhanced CSS functions.
• If the indicator status is abnormal, locate the fault according to Table 8-7 or log in to the
CSS and run commands to locate and rectify the faults.
Context
You can log in to a CSS and run display commands to check whether the CSS is established
successfully. If the CSS fails to be established, you can locate the faults according to the
command output.
Procedure
Step 1 Log in to the CSS.
• Local login: Log in to the CSS from the console port on any MPU.
• Remote login: After reachable routes are configured, you can remotely log in to the CSS
from a management interface on any MPU or a Layer 3 interface using Telnet, STelnet,
web, or SNMP.
NOTE
• After a CSS is established successfully, the configuration file of the master switch takes effect.
When logging in to a CSS remotely, access the IP address of the master switch.
• If a CSS is not established, log in to the two member switches respectively for troubleshooting.
Alternatively, run the display css status command to check the CSS status. If CSS status of
two member switches is displayed, the CSS is established successfully.
<HUAWEI> display css status
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 255 Off
2 On Standby CSS card 1 Off
• If the command output contains no DOWN NA or !, all the cluster links are running
normally and a CSS is established successfully.
• If the command output contains DOWN NA or !, rectify the fault according to
Rectifying a CSS Link Fault.
If two S9700 switches are connected using EH1D2VS08000 CSS cards, check whether the
cluster link connections and status are consistent with actual hardware connections.
<HUAWEI> display css channel
Chassis 1 || Chassis 2
================================================================================
Num [SRUC HG] [VS08 Port(Status)] || [VS08 Port(Status)] [SRUC HG]
1 1/7 0/12 -- 1/7/0/1(UP 10G) ---||--- 2/7/0/1(UP 10G) -- 2/7 0/12
2 1/7 0/16 -- 1/7/0/2(UP 10G) ---||--- 2/7/0/2(UP 10G) -- 2/7 0/16
3 1/7 0/13 -- 1/7/0/3(UP 10G) ---||--- 2/7/0/3(UP 10G) -- 2/7 0/13
4 1/7 0/17 -- 1/7/0/4(UP 10G) ---||--- 2/7/0/4(UP 10G) -- 2/7 0/17
5 1/7 0/14 -- 1/7/0/5(UP 10G) ---||--- 2/8/0/5(UP 10G) -- 2/8 0/14
6 1/7 0/18 -- 1/7/0/6(UP 10G) ---||--- 2/8/0/6(UP 10G) -- 2/8 0/18
7 1/7 0/15 -- 1/7/0/7(UP 10G) ---||--- 2/8/0/7(UP 10G) -- 2/8 0/15
8 1/7 0/19 -- 1/7/0/8(UP 10G) ---||--- 2/8/0/8(UP 10G) -- 2/8 0/19
9 1/8 0/12 -- 1/8/0/1(UP 10G) ---||--- 2/8/0/1(UP 10G) -- 2/8 0/12
10 1/8 0/16 -- 1/8/0/2(UP 10G) ---||--- 2/8/0/2(UP 10G) -- 2/8 0/16
11 1/8 0/13 -- 1/8/0/3(UP 10G) ---||--- 2/8/0/3(UP 10G) -- 2/8 0/13
12 1/8 0/17 -- 1/8/0/4(UP 10G) ---||--- 2/8/0/4(UP 10G) -- 2/8 0/17
13 1/8 0/14 -- 1/8/0/5(UP 10G) ---||--- 2/7/0/5(UP 10G) -- 2/7 0/14
14 1/8 0/18 -- 1/8/0/6(UP 10G) ---||--- 2/7/0/6(UP 10G) -- 2/7 0/18
15 1/8 0/15 -- 1/8/0/7(UP 10G) ---||--- 2/7/0/7(UP 10G) -- 2/7 0/15
16 1/8 0/19 -- 1/8/0/8(UP 10G) ---||--- 2/7/0/8(UP 10G) -- 2/7 0/19
l If the displayed cluster link connections and status are consistent with actual hardware
connections, all the cluster links are running normally and a CSS is established
successfully.
l If some cluster links are not displayed (abnormal cluster links), run the display css port
all command to check the status of all CSS ports.
<HUAWEI> display css port all
*down: administratively down
(e): ERROR down
VS08 Port status InUit OutUit inErrors outErrors
1/7/0/1 down 0% 0% 0 0
1/7/0/2 down 0% 0% 0 0
1/7/0/3 down 0% 0% 0 0
1/7/0/4 up 0% 0% 0 0
1/7/0/5 up 0% 0% 0 0
1/7/0/6 up 0% 0% 0 0
1/7/0/7 up 0% 0% 0 0
1/7/0/8 up 0% 0% 0 0
1/8/0/1 up 0% 0% 0 0
1/8/0/2 up 0% 0% 0 0
1/8/0/3 up 0% 0% 0 0
1/8/0/4 up 0% 0% 0 0
1/8/0/5 up 0% 0% 0 0
1/8/0/6 up 0% 0% 0 0
1/8/0/7 up 0% 0% 0 0
1/8/0/8 up 0% 0% 0 0
2/7/0/1 down 0% 0% 0 0
2/7/0/2 down 0% 0% 0 0
2/7/0/3 down 0% 0% 0 0
2/7/0/4 up 0% 0% 0 0
2/7/0/5 up 0% 0% 0 0
2/7/0/6 up 0% 0% 0 0
2/7/0/7 up 0% 0% 0 0
2/7/0/8 up 0% 0% 0 0
2/8/0/1 up 0% 0% 0 0
2/8/0/2 up 0% 0% 0 0
2/8/0/3 up 0% 0% 0 0
2/8/0/4 up 0% 0% 0 0
2/8/0/5 up 0% 0% 0 0
2/8/0/6 up 0% 0% 0 0
2/8/0/7 up 0% 0% 0 0
2/8/0/8 up 0% 0% 0 0
l If the CSS ports with abnormal cluster links are Up, the cluster cables may be connected
incorrectly. Rectify the fault according to Checking Whether Cables Are Correctly
Connected.
l If the CSS ports with abnormal cluster links are Down, check whether the cluster cables
on the ports are loose or damaged. If so, reconnect or replace the cluster cables.
----End
ES02VSTSA CSS card: The connection between CSS port 1/7/0/1 and 1/14/0/1 is incorrect.
Some or all cluster cables are incorrectly connected.
If two devices have been in the single-chassis CSS state before cluster cables are connected, the two devices remain in this state. If two devices are connected through cluster cables and then have the CSS function enabled, the master chassis will be in the single-chassis CSS state, while the standby chassis will restart repeatedly. Reconnect the cluster cables according to the rules and ensure that the cable connectors are securely connected to the ports. After the cables are correctly connected, two switches merge into a CSS.
Figure 8-29 Process of establishing a CSS using service port connections (recommended)
[Flowchart labels: Install LPUs; Configure logical CSS ports; Configure CSS priorities; Check whether the CSS is set up successfully. Legend: Optional]
NOTE
To load a license for a CSS, see FAQ "How Do I Install a License File for a CSS?".
Precautions
Card storage and transportation:
l Handle a card carefully when it is outside the cabinet (chassis). Take ESD protection
measures. Place the card horizontally. Keep the side with electronic components facing
upward. Do not place any objects on the card.
l Do not place the card in a humid environment or direct sunlight. Ensure that the card is
stored in an environment suitable for storage.
l Do not stack multiple cards together for transportation. Handle one card each time.
Card installation and removal:
l Take ESD protection measures and do not touch the surface of the printed circuit board
(PCB).
l Push or pull the card slowly and horizontally along the guide rail. Avoid short circuits
caused by metal objects and place tools in proper locations.
Suggestion
If two service cards need to be installed in a switch for CSS setup, install the service cards
symmetrically beside the MPUs, for example, in slots 6 and 7, slots 5 and 8, or slots 1 and
12. You are advised to install the service cards in the same slot of the two member switches.
Installation Procedure
1. Wear an ESD wrist strap and connect the ground terminal to the ESD jack on the chassis.
2. Install the service card on the chassis in the same way as installing an MPU. For details,
see Installing an MPU in the chassis.
Precautions
When removing or connecting an optical fiber, do not look into the optical port without eye
protection. The laser emitted from the optical port can injure your eyes.
Installation Procedure
1. Wear an ESD wrist strap and connect the ground terminal to the ESD jack on the chassis.
2. Attach labels to both ends of a cluster cable according to Figure 8-30 and number these
labels starting from 1.
3. Connect cluster cables according to the connection rule shown in Figure 8-31.
– When you hear a click, the electrical cable, optical module, or optical fiber is
installed properly.
– When removing the electrical cable, optical module, or optical fiber, push the
connector or handle inward first, and then pull it out.
[Figure labels: SwitchA, SwitchB. Legend: Logical CSS port, Physical member port, Cluster cable]
5. To power on the switches, ensure that power cables and ground cables are correctly
connected and then switch on the external power modules and built-in power modules in
turn.
Context
Table 8-9 lists the software configuration for establishing a CSS using service port
connections.
Table 8-9 Software configuration for establishing a CSS using service port connections
Item: Setting the connection mode to service port connection
Description: Before connecting two switches to establish a CSS, set the connection mode to service port connection on both switches.
Remarks: The S7700 supports SRUA, SRUB and SRUH. The S9700 supports SRUC and SRUD. When the switches use SRUA, SRUB, SRUC or SRUH, the default connection mode is CSS card connection. When the switches use SRUD, the default connection mode is service port connection.
NOTE
In V200R008, switches using SRUHs do not support the CSS card connection mode (but the related keyword is reserved in the CSS connection mode configuration command for function expansion). To enable these switches to set up a CSS, set the CSS connection mode to service port connection.

Item: Configuring logical CSS ports
Description: When the service port connection mode is used, you need to configure ports on two switches as physical member ports and add them to logical CSS ports. You can then connect the logical CSS ports to set up a CSS after the switches start. Each switch in the CSS supports two logical CSS ports.
Configure logical CSS ports for the two switches according to connections between them. In 1+0 networking, configure one logical CSS port for each switch. In 1+1 networking, configure two logical CSS ports for each switch.
Remarks:
l A physical member port can be added to only one logical CSS port.
l Physical member ports of the same logical CSS port must be on the same card.
l Physical member ports of a logical CSS port on one switch must connect to physical member ports of a logical CSS port on the other switch.
l XGE ports derived from a 40GE port cannot be added to a logical CSS port.
l When a service port is configured as a physical member port, CRC errors may occur on the port. To avoid this problem, run the shutdown command to shut down the port before configuring it as a physical member port.

Item: (Optional) Configuring a CSS priority
Description: The CSS priority determines the role of member switches during role election. A larger value indicates a higher priority and higher probability that the member switch is elected as the master switch.
By default, the CSS priority of a switch is 1.
Remarks: However, if a switch with the highest priority starts slowly, it cannot be the master switch. If you want a switch to be the master switch, start the switch first. When two switches complete the start at the same time, the switch with the higher CSS priority becomes the master switch.

Item: Enabling the CSS function and restarting switches
Description: By default, the CSS function is disabled on a switch.
The CSS function must be enabled on both two member switches.
Remarks: You can run the display css status [ saved ] command to check whether the CSS function is enabled on the current switch. If the parameter saved is set, you can view the saved CSS configuration.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the set css mode lpu command to set the connection mode to service port connection.
Step 3 Run the set css id new-id command to set a CSS ID for the switch.
Step 4 Run the interface css-port port-id command to enter the logical CSS port view.
Step 5 Run the port interface { interface-type interface-number1 [ to interface-type interface-
number2 ] } &<1-10> enable command to configure a service port as a physical member port
and add it to a logical CSS port.
After a port is configured as a physical member port of a logical CSS port, this port is no
longer used for service forwarding. All the CSS-irrelevant commands on the port are deleted
and only basic interface configuration commands, such as description (interface view), are
saved on the port.
After you enable the CSS function, the system prompts you to restart the switches. Enter Y to
restart the switches; otherwise, configurations cannot take effect, and the CSS cannot be
established.
----End
run commands to confirm the CSS state information and configure enhanced CSS functions.
If a CSS has not been established, check the indicator abnormalities or log in to the CSS and
run commands to locate and rectify faults.
Background
After a CSS is set up, you can review indicators on the member switches to check CSS state
information, including the master/standby state of switches and link status.
Follow-Up Process
l If the indicator status is normal, log in to the CSS and run commands to check CSS state
information and configure enhanced CSS functions.
l If the indicator status is abnormal, locate the fault according to Table 8-10 or log in to
the CSS and run commands to locate and rectify the faults.
Service card LINK: port status indicator
l Steady green: The port is Up, and cable connection on the port is correct.
l Blinking green: Cable connection on the port is incorrect.
l Off: The link status of the port is Down.
Context
You can log in to a CSS and run display commands to check whether the CSS is established
successfully. If the CSS fails to be established, you can locate the faults according to the
command output.
Procedure
Step 1 Log in to the CSS.
l Local login: Log in to the CSS from the console port on any MPU.
l Remote login: After reachable routes are configured, you can remotely log in to the CSS
from a management interface on any MPU or a Layer 3 interface using Telnet, STelnet,
web, or SNMP.
NOTE
l After a CSS is established successfully, the configuration file of the master switch takes effect.
When logging in to a CSS remotely, access the IP address of the master switch.
l If a CSS is not established, log in to the two member switches respectively for troubleshooting.
Alternatively, run the display css status command to check the CSS status. If the CSS status
of two member switches is displayed, the CSS is established successfully.
<HUAWEI> display css status
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master LPU 100 Off
2 On Standby LPU 10 Off
Chassis 1 || Chassis 2
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/10/0/3 XGigabitEthernet2/10/0/3 2/1
2 1/1 XGigabitEthernet1/10/0/4 XGigabitEthernet2/10/0/5 2/1
Chassis 2 || Chassis 1
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
3 2/1 XGigabitEthernet2/10/0/3 XGigabitEthernet1/10/0/3 1/1
4 2/1 XGigabitEthernet2/10/0/5 XGigabitEthernet1/10/0/4 1/1
l If the displayed cluster link connections are the same as the actual hardware connections,
all the cluster links are running normally and a CSS is established successfully.
l If some cluster links are not displayed, run the display css css-port all command to
check the status of all CSS ports.
<HUAWEI> display css css-port all
B : broadcast *down : administratively down
Logic Port Num Phy Port Status
(B)css-port1/1 6 XGigabitEthernet1/10/0/0 down
XGigabitEthernet1/10/0/1 down
XGigabitEthernet1/10/0/2 down
XGigabitEthernet1/10/0/3 up
XGigabitEthernet1/10/0/4 up
XGigabitEthernet1/10/0/5 down
css-port1/2 0
Logic Port Num Phy Port Status
(B)css-port2/1 6 XGigabitEthernet2/10/0/0 down
XGigabitEthernet2/10/0/1 down
XGigabitEthernet2/10/0/2 down
XGigabitEthernet2/10/0/3 up
XGigabitEthernet2/10/0/4 down
XGigabitEthernet2/10/0/5 up
css-port2/2 0
l If the CSS ports with abnormal cluster links are Up, the cluster cables may be connected
incorrectly. Rectify the fault according to Checking Whether Cables Are Correctly
Connected.
l If the CSS ports with abnormal cluster links are Down, check whether the physical
member ports have been shut down (*down in Status field) and whether cluster cables on
the ports are loose or damaged.
----End
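The check described above (compare the displayed cluster links with the actual cabling, then classify member ports that have no link by their status), as an added example that is not part of the Huawei guide. It assumes the whitespace-collapsed layout of the sample outputs shown above; the function names, the cabling plan and the modified port-status sample are constructed for illustration.

```python
import re

# Interface name such as XGigabitEthernet1/10/0/3 (chassis/slot/card/port).
IFACE = r"\S*?[A-Za-z]\d+(?:/\d+){3}"
# Data row of the cluster link table: Num, CSS port, LPU port, [||], LPU port, CSS port.
LINK_ROW = re.compile(
    rf"^\s*\d+\s+\d+/\d+\s+({IFACE})\s+(?:\|\|\s+)?({IFACE})\s+\d+/\d+\s*$")
# Physical member port and its status at the end of a css-port line.
PORT_ROW = re.compile(rf"({IFACE})\s+(\*?down|up)\s*$")
LOGICAL = re.compile(r"css-port(\d+/\d+)")


def parse_links(channel_output):
    """Return cluster links as a set of frozenset({port_a, port_b}).

    Every link is listed once per chassis view, so both views of the
    same cable collapse into a single entry."""
    links = set()
    for line in channel_output.splitlines():
        match = LINK_ROW.match(line)
        if match:
            links.add(frozenset(match.groups()))
    return links


def parse_port_status(css_port_output):
    """Return {physical member port: (logical CSS port, status)}."""
    ports, logical = {}, None
    for line in css_port_output.splitlines():
        logical_match = LOGICAL.search(line)
        if logical_match:
            logical = logical_match.group(1)
        port_match = PORT_ROW.search(line)
        if port_match:
            ports[port_match.group(1)] = (logical, port_match.group(2))
    return ports


def triage(channel_output, css_port_output, cabling_plan):
    """Apply the guide's rules to every member port and to the cabling plan."""
    links = parse_links(channel_output)
    linked = {port for pair in links for port in pair}
    findings = {}
    for port, (_, status) in parse_port_status(css_port_output).items():
        if port in linked:
            findings[port] = "ok"
        elif status == "up":
            findings[port] = "check-cabling"   # Up without a link: wrong peer port
        elif status == "*down":
            findings[port] = "admin-down"      # member port was shut down
        else:
            findings[port] = "check-cable"     # loose or damaged cable
    return {"ports": findings,
            "missing": cabling_plan - links,      # planned but not displayed
            "unexpected": links - cabling_plan}   # displayed but not planned


def link(a, b):
    """Helper for writing a cabling plan with short port numbers."""
    return frozenset(("XGigabitEthernet" + a, "XGigabitEthernet" + b))


# Cluster link table as shown in the guide (whitespace as extracted).
CHANNEL = """\
Chassis 1 || Chassis 2
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/10/0/3 XGigabitEthernet2/10/0/3 2/1
2 1/1 XGigabitEthernet1/10/0/4 XGigabitEthernet2/10/0/5 2/1
Chassis 2 || Chassis 1
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
3 2/1 XGigabitEthernet2/10/0/3 XGigabitEthernet1/10/0/3 1/1
4 2/1 XGigabitEthernet2/10/0/5 XGigabitEthernet1/10/0/4 1/1
"""

# Constructed port-status sample in the guide's layout, varied to hit each rule.
PORTS = """\
B : broadcast *down : administratively down
Logic Port Num Phy Port Status
(B)css-port1/1 4 XGigabitEthernet1/10/0/2 down
XGigabitEthernet1/10/0/3 up
XGigabitEthernet1/10/0/4 up
XGigabitEthernet1/10/0/5 up
css-port1/2 0
Logic Port Num Phy Port Status
(B)css-port2/1 4 XGigabitEthernet2/10/0/2 *down
XGigabitEthernet2/10/0/3 up
XGigabitEthernet2/10/0/4 down
XGigabitEthernet2/10/0/5 up
css-port2/2 0
"""

# Constructed cabling plan: what the installer intended to connect.
PLAN = {link("1/10/0/3", "2/10/0/3"), link("1/10/0/4", "2/10/0/4"),
        link("1/10/0/5", "2/10/0/5")}

if __name__ == "__main__":
    result = triage(CHANNEL, PORTS, PLAN)
    for port, finding in sorted(result["ports"].items()):
        print(f"{port:28} {finding}")
    for kind in ("missing", "unexpected"):
        for pair in result[kind]:
            print(kind, " <-> ".join(sorted(pair)))
```

On a live switch the output is column-aligned rather than single-spaced; the patterns match on runs of whitespace, so the same functions apply.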
Run the terminal monitor and terminal trapping commands in the user view to enable the
alarm function. Check whether an alarm on incorrect cluster cable connection is displayed.
(The OID is 1.3.6.1.4.1.2011.5.25.183.3.3.2.8 hwCssPhyCsuConnectError.)
l If no alarm is generated, check the LINK indicator. If the indicator is off, check whether
the optical modules, optical fibers, and cables are working normally.
l If such an alarm is displayed, connect cluster cables correctly according to the alarm
message. You can obtain the following information from the alarm message:
– Incorrect connection information. You can find the incorrectly connected cluster
cable according to the CSS ID, logical CSS port number, and physical member port
number displayed in the alarm message.
– Correct connection of the cluster cable.
Table 8-11 describes how to rectify a fault according to the alarm message.
A cluster cable connects two switches with different CSS IDs. For example, The connection between CSS port 1/10/0/9 and 2/1/0/1 is incorrect. Reason: 1 To 2
CSS IDs are correctly configured but the cluster cable is connected to an incorrect port.
Connect the cluster cable to the correct ports according to the alarm message and ensure that the cable connectors are securely connected to the ports. After the cables are correctly connected, two switches merge into a CSS.

A cluster cable connects two switches with the same CSS ID. For example, The connection between CSS port 1/10/0/9 and 1/1/0/1 is incorrect. Reason: Chassis ID conflict or self-loop.
The possible causes are:
l The cluster cable connects two CSS ports on the same switch.
l The connected ports are on different switches, but the switches are configured with the same CSS ID.
Run the display css status command to check the CSS IDs of the two switches.
l If they are different, the CSS IDs are configured correctly. This alarm message indicates that the cluster cable connects two CSS ports on the same switch. Connect the cluster cable correctly according to the alarm message.
l If they are the same, run the set css id command to change the CSS ID of one switch and then restart the switch.
Background
MAD detects multiple master switches after a CSS splits.
NOTE
You are advised to configure MAD to minimize the impact of a CSS split on services.
Configuration Process
Table 8-12 describes the MAD configuration process.
Context
Configure MAD in direct mode when member switches in a CSS have idle ports. Use
common cables to connect these ports and use the ports for MAD only.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the interface view.
Step 3 Run the mad detect mode direct command to configure MAD in direct mode.
By default, MAD in direct mode is disabled.
NOTE
l After MAD in direct mode is configured on a port, you cannot configure other services on the port.
l MAD packets are bridge protocol data units (BPDUs). If MAD is performed through dedicated direct
links between member switches and an intermediate device, configure port-based Layer 2 protocol
transparent transmission on the intermediate device. For details, see Configuring Interface-based Layer 2
Protocol Transparent Transmission.
l After MAD in direct mode is configured on an interface, the STP status of the interface becomes
Discarding, affecting the transmission of data packets and some protocol packets. Therefore, do not
configure other services on this interface.
----End
Context
Configure MAD in relay mode when an Eth-Trunk is configured in a CSS. In relay mode, the
MAD relay detection is set on Eth-Trunk ports of the CSS, and the MAD relay function is
enabled on a relay agent. In contrast with the direct mode, the relay mode does not occupy
additional ports.
The relay mode can be implemented in two ways: configure a single switch as the MAD relay
agent or configure two CSS systems as MAD relay agents for each other.
Procedure
l Switch functioning as the relay device
– In the CSS
a. Run the system-view command to enter the system view.
b. Run the interface eth-trunk trunk-id command to enter the Eth-Trunk interface
view.
c. Run the mad detect mode relay command to configure MAD in relay mode on the
Eth-Trunk.
By default, MAD in relay mode is disabled on the Eth-Trunk.
– On the specified relay device
a. Run the system-view command to enter the system view.
b. Run the interface eth-trunk trunk-id command to enter the Eth-Trunk interface
view.
c. Run the mad relay command to enable the relay function on the Eth-Trunk.
By default, the relay function is disabled on the Eth-Trunk.
l Two CSS systems functioning as relay of each other
– In each CSS
a. Run the system-view command to enter the system view.
b. Run the mad domain domain-id command to specify the MAD domain ID for a
CSS.
By default, the MAD domain ID of a CSS is 0.
NOTE
Two CSS systems can function as proxy of each other to implement MAD. The two CSS
systems must be configured with different MAD domain IDs.
c. Run the interface eth-trunk trunk-id command to enter the Eth-Trunk interface
view.
d. Run the mad relay command to enable the relay function on the Eth-Trunk.
By default, the relay function is disabled on the Eth-Trunk.
e. Run the mad detect mode relay command to configure MAD in relay mode on the
Eth-Trunk.
By default, MAD in relay mode is disabled on the Eth-Trunk.
----End
Context
When MAD detects a CSS split, multiple CSS systems compete with each other. You must
shut down all service ports on member switches that fail in the competition, to avoid MAC
address or IP address conflict. The ports that only transparently transmit packets do not affect
network operations when a CSS splits. You can configure these ports as reserved ports to
ensure normal packet transmission on them. MAD does not shut down service transmission
on these ports when it detects a CSS split.
Procedure
Step 1 Run the system-view command to enter the system view.
----End
Context
When MAD detects a CSS split, two member switches compete with each other. The switch
that wins the competition remains in the Detect state (normal working state) and the other
switch that fails in the competition enters the Recovery state (disabled state). In the Recovery
state, all the service ports except reserved ports on the switch are shut down, so the switch
does not forward service packets. You can restore shutdown ports to Up state so that the
switch in the Recovery state can work again. For example, if the switch in the Detect state
fails or is removed from the network before the CSS fault is rectified, restore the shutdown
ports on the switch in the Recovery state to the Up state, so that the switch in the Recovery
state can take over services from the original active switch. This minimizes the impact of a
CSS fault on services.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the mad restore command to restore shutdown ports to the Up state.
NOTE
You are advised not to run this command when the switch in the Detect state is working normally. Otherwise,
there will be multiple master switches on the network after the switch in the Recovery state is enabled.
----End
Procedure
l Run the display mad [ proxy | verbose ] command to view the MAD configuration.
----End
Context
The MAC address of the master switch is used as the system MAC address of the CSS when
the CSS is set up. If you restart the CSS or remove and replace an MPU in the CSS, the
system MAC address may change, resulting in service interruption. To avoid this problem, set
the system MAC address to the MAC address of a member switch which remains unchanged
after the CSS restarts.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the set css system-mac chassis chassis-id command to set the system MAC address of
the CSS to the MAC address of a member switch.
NOTE
If the specified MAC address is the same as the current system MAC address of the CSS, the
configuration takes effect immediately. Otherwise, you need to restart the CSS to make the configuration
take effect.
----End
Context
After a standby switch completes a restart, it synchronizes its configuration to the master
switch and restores all ports to the Up state. During the process, the CPU usage is very high.
To prevent service interruption caused by a high CPU usage, you can set the delay time before
service ports restore to the Up state.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the css standby port delay time command to set a delay time before service ports restore
to the Up state.
By default, the delay time is 0. That is, the ports restore to the Up state immediately after the
switch completes a restart.
----End
Context
In a CSS, CSS ports may continuously receive CRC-error packets or alternate between Up
and Down states because CSS cards are swapped or the voltage is unstable. When this occurs,
data packets are dropped on the CSS ports. The CSS port error-down function shuts down a
CSS port if the number of CRC-error packets received per minute or the number of Up/Down
transitions on the CSS port in a specified period reaches the threshold.
NOTE
This function is supported only when a CSS is established by connecting the EH1D2VS08000 CSS
cards on the S9700s.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the css port error-down enable command to enable the CSS port error-down function.
By default, the CSS port error-down function is disabled.
Step 3 (Optional) Run the css port diagnose-mode crc { interval time | error-number number }
command to configure the CRC-error packet detection thresholds for CSS ports.
By default, the threshold on the period during which CRC-error packets are received on a
CSS port is 10 minutes, and the threshold on the number of CRC-error packets received per
minute is 10.
Step 4 (Optional) Run the css port diagnose-mode link-flap { interval time | threshold number }
command to configure the flapping detection thresholds for CSS ports.
By default, the threshold on the period during which a CSS port alternates between Up and
Down states is 10 minutes, and the threshold on the number of Up/Down transitions per
minute is 10.
Step 5 (Optional) Run the css port error-down auto-recovery interval time command to enable the
error-down recovery function for CSS ports.
By default, the error-down recovery function is disabled for CSS ports.
To enable CSS ports that are shut down by the error-down function to automatically go Up,
enable the error-down recovery function for CSS ports.
----End
Context
In long-distance clustering, there may be a transmission device between two devices in a CSS.
When an active/standby switchover is performed on the transmission device, physical
member ports on both ends will become Down, causing the CSS to split. After the CSS
physical port-Down delay function is configured, the event that physical member ports
become Down for a short period within 500 ms will not be reported to the control plane,
preventing the CSS from splitting.
l This command is valid only for service port clustering and requires service card models on
both ends to be ES1D2X16SFC0 (S7700) and EH1D2X16SFC0 (S9700).
l During the delay after which physical member ports become Down, if the configured
response time of 802.1ag, BFD, and MPLS_OAM is short, these protocols will flap. For
example, if the configured response time of BFD is within 100 ms, temporary packet loss
may cause BFD to flap.
l During the delay after which physical member ports become Down, some packets
forwarded between chassis will be lost.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the css link-down-delay command to configure the CSS physical port-Down delay
function.
----End
Context
You can monitor the CSS status to help locate faults.
Procedure
l Run the display css status [ saved ] command to check the CSS status.
l Run the display css channel [ chassis chassis-id | all ] command to check cluster link
connections and status.
The chassis and all parameters are unavailable if the CSS is established using CSS card
connections.
l Run the display css port [ port-id | all ] command to check status of CSS ports in CSS
card connection mode.
The all parameter is supported only when the S9700s set up a CSS in CSS card
connection mode.
NOTE
When two switches set up a CSS using CSS cards, you can monitor the packet forwarding status
by collecting statistics on packets forwarded on each CSS port. If the switch collects packet
statistics for a long time, much storage space will be used. In this situation, you can run the reset
counters css port [ port-id ] command in the user view to clear existing packet statistics.
l Run the display css css-port [ saved ] [ all | chassis chassis-id ] command to check the
configuration of logical CSS ports and physical member ports when the CSS is set up
through service port connections.
----End
Context
After you enable CSS traps on the switch, the switch sends trap messages to the network
management system (NMS) when the CSS status changes. By default, all CSS traps are
enabled. You can use commands to disable all or specified CSS traps. Then the switch no
longer sends these traps to the NMS.
To check the status (enabled or disabled) of CSS traps, run the display snmp-agent trap
feature-name css all command.
Procedure
l Enable CSS traps.
Run the snmp-agent trap enable feature-name css [ trap-name trap-name ] command
to enable a specified CSS trap or all CSS traps.
l Disable CSS traps.
Run the undo snmp-agent trap enable feature-name css [ trap-name trap-name ]
command to disable a specified CSS trap or all CSS traps.
----End
Context
If you want to adjust the roles of member switches in a CSS or restore the roles of member
switches after a quick upgrade, you can perform a master/standby switchover to change a
standby switch to the new master switch.
Figure 8-32 shows how the roles in both chassis 1 and 2 change after a master/standby
switchover is triggered using commands.
[Figure 8-32 labels: Master/standby switchover is triggered by a command; System standby]
l The original standby switch becomes the master switch, and the original system standby
MPU becomes the system master MPU.
l The original system master MPU becomes a candidate system standby MPU, and the
original master switch becomes the standby switch.
l The standby MPU of the original master switch becomes the system standby MPU and
synchronizes data with the system master MPU.
NOTE
Before running a command to perform a master/standby switchover, ensure that the master switch in the
CSS has two MPUs.
Procedure
Step 1 (Optional) Run the display switchover state command to check whether the CSS meets
requirements for a switchover.
Step 3 Run the slave switchover enable command to enable master/standby switchover.
----End
Context
Two methods are available to upgrade CSS software: system restart and quick upgrade.
Quick upgrade
css fast upgrade
The quick upgrade minimizes the impact of the upgrade on services. This upgrade method is appropriate for use in scenarios sensitive to the service interruption time.
NOTICE
To minimize traffic loss during an upgrade, bundle uplinks and downlinks of the CSS to Eth-Trunks to implement link redundancy.
l The original standby switch becomes the master switch.
l The original master switch becomes the standby switch.
During a quick upgrade, if one of the following situations occurs, the upgrade will fail and
then the system automatically rolls back the version and patch:
l Boards do not register for a long period during the upgrade of the standby chassis.
l Configurations cannot be restored or backed up in a batch for a long period during the
upgrade of the standby chassis.
To view information about the preceding quick upgrade failures, check the log
CSSM/6/FASTUPGRADEROLLBACK.
In CSS card clustering mode, if the quick upgrade fails, the standby chassis will roll back to
the old version and join the master chassis to set up a CSS. In service port clustering mode, if
the quick upgrade fails, the standby chassis will roll back to the old version and start, enter the
single-chassis CSS state, restart and then join the CSS after the boards on the standby chassis
register. The rollback process lasts at most 1 hour. During the rollback, ports and services on
the master chassis will be working normally, and the ports on the standby chassis will remain
Down. During the rollback, do not perform operations on the standby chassis hardware, for
example, install, remove, reset, or power off the boards on the standby chassis.
Procedure
Step 1 Load the new system software version to the master MPU of the CSS. For details on how to
load the file, see File Management.
Step 2 Run the startup system-software system-file all command to specify the system software
file that all the MPUs use for the next startup.
In this process, the system software is copied from the CSS master MPU to all the MPUs.
Step 3 Run the reboot command to upgrade the CSS using the system restart method.
Or:
Run the css fast upgrade command to quickly upgrade the CSS.
----End
Context
If a cluster link is Up, but packet loss or error packets are found on the cluster link or the CSS
status is unstable, you can check connectivity of the cluster link to analyze the cause. By
performing a loopback test on a cluster link, you can determine whether the cluster link is
working normally.
NOTE
l Cluster link connectivity check can be performed only in a CSS of S9700 switches set up using
EH1D2VS08000 CSS cards.
l When this command is executed on a CSS port to perform a loopback test on the CSS link, traffic on this
link is switched to other CSS links. Therefore, a loopback test can be performed only when at least two
links are available between the CSS cards. If bandwidth on the CSS links is low, performing a loopback
test may affect running services.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the css link port port test [ times times | package-size package-size | interval interval |
verbose ] * command to perform a loopback test on a cluster link and determine connectivity
of the cluster link according to the test result.
----End
Context
If the current CSS system no longer transmits services, you can split the CSS into standalone
switches.
The procedure for splitting a CSS is as follows:
1. Back up the CSS configuration file.
2. Delete the system MAC address of the CSS if configured.
3. Disable the CSS function.
4. Restore physical member ports to service ports. (This step is required only in the service
port connection mode.)
5. Power off the switches and remove the cluster cables.
Procedure
Step 1 Back up the configuration file.
1. Run the save command to save the configuration.
2. Run the copy source-filename destination-filename all command to back up the
configuration file to the standby switch.
NOTE
Back up the current configuration file to the storage medium of the standby switch before you split the
CSS. You can use the configuration file when you set up a CSS next time.
NOTE
• To restore a physical member port to a service port on a standalone switch, run the undo interface
css-port command.
• To restore a physical member port to a service port in a CSS, run the shutdown interface command
in the logical CSS port view to shut down the physical member port and then run the undo port
interface enable command.
Step 5 Power off the switches and remove the cluster cables.
You can also remove the cluster cables when the switches are running.
----End
Networking Requirements
An enterprise network requires high reliability on the core layer, but a simple network
structure is required to facilitate configuration and maintenance.
As shown in Figure 8-33, SwitchA and SwitchB at the core layer set up a CSS through CSS
card connections. SwitchA and SwitchB are the master switch and standby switch
respectively. Switches at the aggregation layer connect to the CSS through Eth-Trunks and the
CSS connects to the upstream network through an Eth-Trunk. In this example, the core
switches are the S9706 switches.
[Figure 8-33: network diagram. An upstream network and router, the CSS, and four aggregation-layer switches, connected by CSS links and Eth-Trunks.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Install CSS cards on SwitchA and SwitchB, and connect cluster cables.
2. Set the connection mode to CSS card connection on SwitchA and SwitchB, and set their
CSS IDs and priorities to 1 and 2, 100 and 10 respectively so SwitchA has a higher
probability to be the master switch.
3. Enable the CSS function on SwitchA and then on SwitchB to ensure that SwitchA
becomes the master switch.
4. Check whether a CSS is established successfully.
5. Configure downlink Eth-Trunks for the CSS to improve forwarding bandwidth and
reliability. (The detailed configuration is omitted in this example. For details about how
to configure Eth-Trunks, see 8.14.3 Example for Configuring Cluster Eth-Trunks.)
Procedure
Step 1 Install hardware.
Install CSS cards on SwitchA and SwitchB, and connect cluster cables. For details about how
to install the hardware, see 8.9.1 Installing Hardware.
Step 2 Configure the CSS ID, CSS priority, and CSS connection mode for SwitchA and SwitchB.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] set css mode css-card
[SwitchA] set css id 1
[SwitchA] set css priority 100
# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 2
[SwitchB] set css priority 10
NOTE
After the configuration is complete, run the display css status saved command to check the CSS
configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA
Chassis 2 (Standby Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
If the command output displays card status of both member switches, the CSS is established
successfully.
If all the cluster links are in Up state, the CSS has been established successfully.
Step 5 Configure downlink Eth-Trunks for the CSS. (The detailed configuration is omitted here.)
----End
Configuration Files
None
Networking Requirements
An enterprise network requires high reliability on the core layer, but a simple network
structure is required to facilitate configuration and management and reduce deployment costs.
As shown in Figure 8-34, SwitchA and SwitchB at the core layer set up a CSS through
service port connections. SwitchA and SwitchB are the master switch and standby switch
respectively. Switches at the aggregation layer connect to the CSS through Eth-Trunks and the
CSS connects to the upstream network through an Eth-Trunk. In this example, the core
switches are the S9706 switches.
[Figure 8-34: network diagram. An upstream network and router; the core-layer CSS formed by SwitchA and SwitchB, each labelled with ports XGE1/0/1~2 and XGE2/0/1~2; four aggregation-layer switches. Legend: CSS Link, Eth-Trunk.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Install service cards on SwitchA and SwitchB, and connect cluster cables. Connect four
service ports of two service cards on two switches to improve bandwidth and reliability.
2. Set the connection mode to service port connection on SwitchA and SwitchB, and set
their CSS IDs and priorities to 1 and 2, 100 and 10 respectively so SwitchA has a higher
probability to be the master switch.
3. Configure two logical CSS ports for SwitchA and SwitchB respectively and add two
physical member ports to each logical CSS port.
4. Enable the CSS function on SwitchA and then on SwitchB to ensure that SwitchA
becomes the master switch.
5. Check whether a CSS is established successfully.
6. Configure downlink Eth-Trunks for the CSS to improve forwarding bandwidth and
reliability. (The detailed configuration is omitted in this example. For details about how
to configure Eth-Trunks, see 8.14.3 Example for Configuring Cluster Eth-Trunks.)
Procedure
Step 1 Install hardware.
Install service cards on SwitchA and SwitchB, and connect cluster cables. For details about
how to install the hardware, see 8.10.1 Installing Hardware.
Step 2 Configure the CSS ID, CSS priority, and CSS connection mode for SwitchA and SwitchB.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and service port
connection for SwitchA. If the default CSS ID 1 is used, you do not need to set the CSS ID.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] set css mode lpu
[SwitchA] set css id 1
[SwitchA] set css priority 100
# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and service port
connection for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode lpu
[SwitchB] set css id 2
[SwitchB] set css priority 10
NOTE
After the configuration is complete, run the display css status saved command to check the CSS
configuration.
# Configure service ports XGE1/0/1 and XGE1/0/2 on SwitchB as physical member ports and
add them to CSS port 1, and configure service ports XGE2/0/1 and XGE2/0/2 on SwitchB as
physical member ports and add them to CSS port 2.
[SwitchB] interface css-port 1
[SwitchB-css-port1] port interface xgigabitethernet 1/0/1 to xgigabitethernet 1/0/2 enable
[SwitchB-css-port1] quit
[SwitchB] interface css-port 2
[SwitchB-css-port2] port interface xgigabitethernet 2/0/1 to xgigabitethernet 2/0/2 enable
[SwitchB-css-port2] quit
NOTE
After the configuration is complete, run the display css css-port saved command to check whether the
ports are Up.
If the command output displays card status of both member switches, the CSS is established
successfully.
# Check whether the cluster link topology is the same as the actual hardware connection.
<SwitchA> display css channel all
CSS link-down-delay: 500ms
Chassis 1 || Chassis 2
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/1/0/1 XGigabitEthernet2/1/0/1 2/1
2 1/1 XGigabitEthernet1/1/0/2 XGigabitEthernet2/1/0/2 2/1
3 1/2 XGigabitEthernet1/2/0/1 XGigabitEthernet2/2/0/1 2/2
4 1/2 XGigabitEthernet1/2/0/2 XGigabitEthernet2/2/0/2 2/2
Chassis 2 || Chassis 1
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 2/1 XGigabitEthernet2/1/0/1 XGigabitEthernet1/1/0/1 1/1
2 2/1 XGigabitEthernet2/1/0/2 XGigabitEthernet1/1/0/2 1/1
3 2/2 XGigabitEthernet2/2/0/1 XGigabitEthernet1/2/0/1 1/2
4 2/2 XGigabitEthernet2/2/0/2 XGigabitEthernet1/2/0/2 1/2
If the command output shows that the cluster link topology is the same as the actual hardware
connection, the CSS is established successfully.
Step 6 Configure downlink Eth-Trunks for the CSS. (The detailed configuration is omitted here.)
----End
Configuration Files
None
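The comparison of the display css channel all output with the actual hardware connection, described in the service port example above, can be automated. The following is an added example and is not part of the Huawei guide: the function names and the cabling plan are assumptions, and the sample text is the command output shown above. It also flags a chassis whose cluster links all sit on one service card, based on the roadmap's use of two service cards per switch.

```python
import re
from collections import defaultdict

# "display css channel all" output copied from the example above.
SAMPLE = """\
CSS link-down-delay: 500ms
Chassis 1 || Chassis 2
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/1/0/1 XGigabitEthernet2/1/0/1 2/1
2 1/1 XGigabitEthernet1/1/0/2 XGigabitEthernet2/1/0/2 2/1
3 1/2 XGigabitEthernet1/2/0/1 XGigabitEthernet2/2/0/1 2/2
4 1/2 XGigabitEthernet1/2/0/2 XGigabitEthernet2/2/0/2 2/2
Chassis 2 || Chassis 1
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 2/1 XGigabitEthernet2/1/0/1 XGigabitEthernet1/1/0/1 1/1
2 2/1 XGigabitEthernet2/1/0/2 XGigabitEthernet1/1/0/2 1/1
3 2/2 XGigabitEthernet2/2/0/1 XGigabitEthernet1/2/0/1 1/2
4 2/2 XGigabitEthernet2/2/0/2 XGigabitEthernet1/2/0/2 1/2
"""

# Assumed cabling plan as (chassis 1 port, chassis 2 port); use your own cabling records.
PLAN = [
    ("XGigabitEthernet1/1/0/1", "XGigabitEthernet2/1/0/1"),
    ("XGigabitEthernet1/1/0/2", "XGigabitEthernet2/1/0/2"),
    ("XGigabitEthernet1/2/0/1", "XGigabitEthernet2/2/0/1"),
    ("XGigabitEthernet1/2/0/2", "XGigabitEthernet2/2/0/2"),
]

SECTION = re.compile(r"^\s*Chassis\s+(\d+)\s*\|\|\s*Chassis\s+(\d+)\s*$")
ROW = re.compile(r"^\s*\d+\s+(\d+/\d+)\s+(\S+)\s+(?:\|\|\s+)?(\S+)\s+(\d+/\d+)\s*$")


def parse_css_channels(text):
    """Return {chassis: [(local_css_port, local_port, peer_port, peer_css_port), ...]}."""
    views, current = defaultdict(list), None
    for line in text.splitlines():
        section = SECTION.match(line)
        if section:
            current = int(section.group(1))  # the chassis whose view follows
            continue
        row = ROW.match(line)
        if row and current is not None:
            views[current].append(row.groups())
    return dict(views)


def slot_of(port):
    """'XGigabitEthernet1/2/0/1' -> '2' (the slot in chassis/slot/subcard/port)."""
    m = re.search(r"\d+/(\d+)/\d+/\d+$", port)
    return m.group(1) if m else port


def audit_css_links(text, plan):
    """Return a list of findings; an empty list means the topology matches the plan."""
    views = parse_css_channels(text)
    if len(views) != 2:
        return [f"expected two chassis views, found {len(views)}"]
    (first, links_a), (second, links_b) = sorted(views.items())
    findings = []

    # 1. Both chassis must report the same set of links (as seen from each end).
    seen_a = {(local, peer) for _, local, peer, _ in links_a}
    seen_b = {(peer, local) for _, local, peer, _ in links_b}
    for local, peer in sorted(seen_a ^ seen_b):
        findings.append(f"asymmetric link {local} <-> {peer}: reported by one chassis only")

    # 2. The links must match the recorded cabling plan exactly.
    planned = {tuple(cable) for cable in plan}
    for local, peer in sorted(planned - seen_a):
        findings.append(f"planned cable missing: {local} <-> {peer}")
    for local, peer in sorted(seen_a - planned):
        findings.append(f"unplanned link: {local} <-> {peer}")

    # 3. Links on a single service card are a single point of failure.
    for chassis, links in ((first, links_a), (second, links_b)):
        if len({slot_of(local) for _, local, _, _ in links}) < 2:
            findings.append(f"chassis {chassis}: all cluster links are on one service card")
    return findings


if __name__ == "__main__":
    for finding in audit_css_links(SAMPLE, PLAN) or ["topology matches the cabling plan"]:
        print(finding)
```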
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a cluster Eth-Trunk between the CSS and its upstream device and add physical
member ports to the Eth-Trunk to expand the uplink bandwidth.
2. Configure cluster Eth-Trunks between the CSS and its downstream devices and add
physical member ports to the Eth-Trunks, so that the member switches work in
redundancy mode to improve network reliability.
3. Enable Eth-Trunks to forward traffic from local ports first to improve forwarding
efficiency and reduce the load on the stack cable between member switches. When an
Eth-Trunk member port of a local device is working normally or when the traffic is not
heavy, traffic is forwarded preferentially through the local member port.
Procedure
Step 1 Configure an Eth-Trunk between the CSS and its upstream device.
# Configure an Eth-Trunk on the CSS and add uplink ports to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 10
[CSS-GigabitEthernet1/1/0/4] quit
[CSS] interface gigabitethernet 2/1/0/4
[CSS-GigabitEthernet2/1/0/4] eth-trunk 10
[CSS-GigabitEthernet2/1/0/4] quit
Step 2 Configure Eth-Trunks between the CSS and its downstream devices.
# Configure an Eth-Trunk on the CSS and add the downlink ports connected to SwitchC to the
Eth-Trunk.
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/1/0/3
[CSS-GigabitEthernet1/1/0/3] eth-trunk 20
[CSS-GigabitEthernet1/1/0/3] quit
[CSS] interface gigabitethernet 2/1/0/5
[CSS-GigabitEthernet2/1/0/5] eth-trunk 20
[CSS-GigabitEthernet2/1/0/5] quit
# Configure an Eth-Trunk on the CSS and add the downlink ports connected to SwitchD to
the Eth-Trunk.
[CSS] interface eth-trunk 30
[CSS-Eth-Trunk30] quit
[CSS] interface gigabitethernet 1/1/0/5
[CSS-GigabitEthernet1/1/0/5] eth-trunk 30
[CSS-GigabitEthernet1/1/0/5] quit
[CSS] interface gigabitethernet 2/1/0/3
[CSS-GigabitEthernet2/1/0/3] eth-trunk 30
[CSS-GigabitEthernet2/1/0/3] quit
Step 3 Enable local preferential forwarding on the Eth-Trunks. By default, local preferential
forwarding is enabled on an Eth-Trunk.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] local-preference enable
[CSS-Eth-Trunk10] quit
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] local-preference enable
[CSS-Eth-Trunk20] quit
[CSS] interface eth-trunk 30
[CSS-Eth-Trunk30] local-preference enable
[CSS-Eth-Trunk30] quit
[CSS] quit
----End
Configuration Files
• CSS configuration file
#
sysname CSS
#
interface Eth-Trunk10
#
interface Eth-Trunk20
#
interface Eth-Trunk30
#
interface GigabitEthernet1/1/0/3
eth-trunk 20
#
interface GigabitEthernet1/1/0/4
eth-trunk 10
#
interface GigabitEthernet1/1/0/5
eth-trunk 30
#
interface GigabitEthernet2/1/0/3
eth-trunk 30
#
interface GigabitEthernet2/1/0/4
eth-trunk 10
#
interface GigabitEthernet2/1/0/5
eth-trunk 20
#
return
Networking Requirements
As shown in Figure 8-36, SwitchA and SwitchB set up a CSS.
MAD can be used to detect dual master switches with the same configuration on the network
to reduce the impact of a CSS split on the network.
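[Figure 8-36: network diagram. SwitchA and SwitchB form a CSS below the upstream network, with labelled ports GE1/2/0/0 and GE2/10/0/0; SwitchC and SwitchD are attached below. Legend: CSS Link, MAD Link, Eth-Trunk.]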
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure MAD in direct mode on a specified port.
Procedure
Step 1 Configure MAD in direct mode on a specified port.
3. Make the CSS split by shutting down all the physical CSS ports or removing all the
cluster cables. (The following procedure shuts down all the physical CSS ports in a CSS
that is set up using service port connection mode.)
# Check information about the service ports used for CSS connection.
<HUAWEI> display css css-port all
B : broadcast *down : administratively down
4. Check whether the following alarm is displayed on the terminal screen:
MAD/4/MULTIACTIVEDETECTED(t):OID 1.3.6.1.4.1.2011.5.25.246.1.1 Multi-active scenario is detected.
5. Check the CSS status, MAD information, and port status.
# Check the status of the CSS. The command output shows that the two-chassis CSS has
changed into a single-chassis CSS.
<HUAWEI> display css status
CSS Enable switch On
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Single LPU 100 Off
# Check MAD information in the current CSS (chassis 1). The command output shows
that the MAD status is Detect.
<HUAWEI> display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
GigabitEthernet1/2/0/0
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
40GE1/4/0/0
40GE1/4/0/1
40GE1/5/0/0
40GE1/5/0/1
# Check information about Up ports in the current CSS (chassis 1). The command output
shows that the status of common service ports remains unchanged.
<HUAWEI> display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
# Check MAD information in chassis 2. The command output shows that the MAD
status is Recovery.
<HUAWEI> display mad verbose
Current MAD domain: 0
Current MAD status: Recovery
Mad direct detect interfaces configured:
GigabitEthernet2/10/0/0
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
40GE2/7/0/1
40GE2/7/0/0
40GE2/11/0/0
40GE2/11/0/1
# Check information about Up ports in chassis 2. The command output shows that all
ports in this chassis are Down.
<HUAWEI> display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
NULL0 up up(s) 0% 0% 0 0
7. The preceding operations verify that the MAD function is configured successfully.
8. Restore all the physical member ports to the Up state or insert cluster cables to the ports,
and then configure services.
----End
Configuration Files
#
interface GigabitEthernet1/2/0/0
mad detect mode direct
#
interface GigabitEthernet2/10/0/0
mad detect mode direct
#
return
Networking Requirements
As shown in Figure 8-37, SwitchA and SwitchB set up a CSS and connect to the upstream
and downstream devices through Eth-Trunks.
MAD can be used to detect dual master switches with the same configuration on the network
to reduce the impact of a CSS split on the network.
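[Figure 8-37: network diagram. SwitchA and SwitchB form a CSS below the upstream network; labelled ports GE1/2/0/5 and GE2/9/0/5 belong to Eth-Trunk1; SwitchC (labelled ports GE1/0/19 and GE1/0/21) and SwitchD are attached below. Legend: CSS Link, MAD Link, Eth-Trunk.]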
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SwitchC as the relay agent and configure MAD in relay mode on Eth-Trunk
member ports connected to SwitchC.
2. On SwitchC, configure the MAD relay function so that MAD packets can be forwarded
through the Eth-Trunk.
Procedure
Step 1 On the CSS, configure MAD in relay mode for the inter-device Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] trunkport gigabitethernet 1/2/0/5
[HUAWEI-Eth-Trunk1] trunkport gigabitethernet 2/9/0/5
40GE1/4/0/1 up up 0% 0% 0 0
40GE1/5/0/0 up up 0% 0% 0 0
40GE1/5/0/1 up up 0% 0% 0 0
40GE2/7/0/0 up up 0% 0% 0 0
40GE2/7/0/1 up up 0% 0% 0 0
40GE2/11/0/0 up up 0% 0% 0 0
40GE2/11/0/1 up up 0% 0% 0 0
3. Make the CSS split by shutting down all the physical CSS ports or removing all the
cluster cables. (The following procedure shuts down all the physical CSS ports in a CSS
that is set up using service port connection mode.)
# Check information about the service ports used for CSS connection.
<HUAWEI> display css css-port all
B : broadcast *down : administratively down
Logic Port Num Phy Port Status
css-port1/1 2 40GE1/4/0/0 up
40GE1/4/0/1 up
(B)css-port1/2 2 40GE1/5/0/0 up
40GE1/5/0/1 up
4. Check whether the following alarm is displayed on the terminal screen:
MAD/4/MULTIACTIVEDETECTED(t):OID 1.3.6.1.4.1.2011.5.25.246.1.1 Multi-active scenario is detected.
5. Check the CSS status, MAD information, and port status.
# Check the status of the CSS. The command output shows that the two-chassis CSS has
changed into a single-chassis CSS.
<HUAWEI> display css status
CSS Enable switch On
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Single LPU 100 Off
# Check MAD information in the current CSS (chassis 1). The command output shows
that the MAD status is Detect.
<HUAWEI> display mad verbose
Current MAD domain: 0
# Check information about Up ports in the current CSS (chassis 1). The command output
shows that the status of common service ports remains unchanged.
<HUAWEI> display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk1 up up 0% 0% 0 0
GigabitEthernet1/2/0/5 up up 0% 0% 0 0
Ethernet0/0/0/0 up up 0.02% 0.01% 0 0
GigabitEthernet1/2/0/0 up up 0% 0% 0 0
NULL0 up up(s) 0% 0% 0 0
6. Log in to chassis 2 through its serial port.
# Check MAD information in chassis 2. The command output shows that the MAD
status is Recovery.
<HUAWEI> display mad verbose
Current MAD domain: 0
Current MAD status: Recovery
Mad direct detect interfaces configured:
Mad relay detect interfaces configured:
Eth-Trunk1
Excluded ports(configurable):
Excluded ports(can not be configured):
40GE2/7/0/1
40GE2/7/0/0
40GE2/11/0/0
40GE2/11/0/1
# Check information about Up ports in chassis 2. The command output shows that all
ports in this chassis are Down.
<HUAWEI> display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
NULL0 up up(s) 0% 0% 0 0
7. The preceding operations verify that the MAD function is configured successfully.
8. Restore all the physical member ports to the Up state or insert cluster cables to the ports,
and then configure services.
----End
Configuration Files
• CSS configuration file
#
interface GigabitEthernet1/2/0/5
eth-trunk 1
#
interface GigabitEthernet2/9/0/5
eth-trunk 1
#
interface Eth-Trunk1
mad detect mode relay
#
return
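The verification steps of the two MAD examples above (direct mode and relay mode) check the same thing: after a split, one chassis stays in the Detect state and keeps forwarding, and the other enters Recovery with its ports Down. The following is an added example, not part of the Huawei guide, that applies those checks to captured command output. The function names are assumptions, and the sample text is taken from the direct-mode example outputs above.

```python
# Sample "display mad verbose" output, from the direct-mode example above.
MAD_CHASSIS1 = """\
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
GigabitEthernet1/2/0/0
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
40GE1/4/0/0
40GE1/4/0/1
40GE1/5/0/0
40GE1/5/0/1
"""
MAD_CHASSIS2 = """\
Current MAD domain: 0
Current MAD status: Recovery
Mad direct detect interfaces configured:
GigabitEthernet2/10/0/0
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
40GE2/7/0/1
40GE2/7/0/0
40GE2/11/0/0
40GE2/11/0/1
"""
# Sample "display interface brief | include up" output from chassis 2 (legend shortened).
BRIEF_CHASSIS2 = """\
PHY: Physical
*down: administratively down
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
NULL0 up up(s) 0% 0% 0 0
"""

SECTIONS = {
    "Mad direct detect interfaces configured:": "direct",
    "Mad relay detect interfaces configured:": "relay",
    "Excluded ports(configurable):": "excluded",
    "Excluded ports(can not be configured):": "excluded",
}


def parse_mad_verbose(text):
    """Parse 'display mad verbose' into domain, status and interface lists."""
    info = {"domain": None, "status": None, "direct": [], "relay": [], "excluded": []}
    bucket = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Current MAD domain:"):
            info["domain"] = int(line.split(":", 1)[1])
        elif line.startswith("Current MAD status:"):
            info["status"] = line.split(":", 1)[1].strip()
        elif line in SECTIONS:
            bucket = SECTIONS[line]          # following lines belong to this list
        elif bucket:
            info[bucket].append(line)
    return info


def up_interfaces(text):
    """Interfaces whose PHY column is 'up' in 'display interface brief' output."""
    names = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[1] == "up":
            names.append(cols[0])
    return names


def assess_split(reports):
    """reports: {chassis_id: {"mad": <mad verbose text>, "brief": <interface brief text>}}.
    Returns findings; an empty list means the post-split state matches the examples above."""
    findings = []
    parsed = {cid: parse_mad_verbose(r["mad"]) for cid, r in reports.items()}
    for cid, mad in sorted(parsed.items()):
        if not mad["direct"] and not mad["relay"]:
            findings.append(f"chassis {cid}: no MAD detect interface configured")
    active = sorted(cid for cid, mad in parsed.items() if mad["status"] == "Detect")
    if len(active) != 1:
        findings.append(f"{len(active)} chassis report Detect after the split; expected exactly 1")
    for cid, mad in sorted(parsed.items()):
        if mad["status"] != "Recovery":
            continue
        # Assumption: only NULL0 and MAD-excluded ports may stay Up in Recovery.
        allowed = set(mad["excluded"]) | {"NULL0"}
        leaked = [n for n in up_interfaces(reports[cid].get("brief", "")) if n not in allowed]
        if leaked:
            findings.append(f"chassis {cid}: in Recovery but still Up: {', '.join(leaked)}")
    return findings


if __name__ == "__main__":
    state = {1: {"mad": MAD_CHASSIS1, "brief": ""},
             2: {"mad": MAD_CHASSIS2, "brief": BRIEF_CHASSIS2}}
    print(assess_split(state) or "split handled as in the examples")
```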
8.15 FAQ
After you connect cluster cables between two member switches, set the CSS priority of the
intended master switch to a larger value and enable the CSS function on it first. This ensures
that the switch with the higher CSS priority becomes the master switch.
If you want the other switch in the CSS to be the master switch, run the slave switchover
command to perform a master/standby switchover if the original master switch has two
MPUs. If the original master switch has only one MPU, power off the switch, and power it on
after the standby switch is elected as the new master switch. If you specify a new master
switch when the CSS is running, services will be interrupted.
You can identify the master switch in a CSS by checking indicators or running commands.
• Checking indicators
– CSS card clustering: If the MASTER indicator on a CSS card is steady green, the
MPU with the CSS card installed is the master MPU of the CSS, and the switch is
the master in the CSS.
– Service port clustering: If the ACT indicator on an MPU is steady green, the MPU
is the master MPU of the CSS, and the switch is the master in the CSS.
• Running commands
You can run the display device or display css status command to view the master
switch.
– If the display device command output contains information such as Chassis 1
(Master Switch), the switch is the master in the CSS.
– In the display css status command output, the CSS status field indicates the role of
the switch.
8.15.4 Can the CSS Card Connection Mode and Service Port
Connection Mode Be Used Together on the S7700s or S9700s?
The CSS card connection mode and service port connection mode cannot be used together.
• Both devices do not apply for and install a license file.
  Apply for a license using the ESNs of the two devices.
• Both devices have applied for a license but do not have a license loaded.
  – If the control items of the two license files are the same, split the CSS, load the two standalone
    devices with their respective licenses, and then set up a CSS of the two devices again.
    Alternatively, apply for a license that contains the ESNs of the two devices through the ESN
    change process.
  – If the control items of the two license files are different, apply for a license that contains the
    ESNs of the two devices through the ESN change process.
The license must contain the ESNs of the two devices. Therefore, you must apply for a new
license using the ESNs of the two devices.
After the CSS splits, the license is still valid on the two member switches.
NOTE
• You must have permissions to perform operations on the license self-service system. For details about
  rights and how to apply for rights, see the License Use Guide.
• The following provides more details about the license for a CSS:
  – In versions earlier than V200R009, you must apply for one license for the two ESNs. If the license
    has only the ESN of the master chassis, the license status is normal, and the license-controlled
    features can take effect; however, the license status becomes Trial (with a 60-day trial period) after
    an active/standby switchover. If the license has only the ESN of the standby chassis, the license
    status is also Trial.
  – In V200R009 and later versions, you can apply for one license for the two ESNs; alternatively, you
    can apply for and install one license file for each of the two ESNs before setting up a CSS and
    ensure that the control items of the two licenses are the same.
    – If the control items of the license files on the master and standby chassis are the same, the
      standby chassis uses its own license file without synchronizing with that of the master chassis.
      The license file of the CSS can still be used after an active/standby switchover.
    – If the control items of the license files on the master and standby chassis are different, the
      standby chassis synchronizes its license file with that of the master chassis. If the license file
      on the master chassis contains the ESN of the standby chassis, the license status of the
      standby chassis is normal, and the license file of the CSS can still be used after an
      active/standby switchover. If the license file on the master chassis does not contain the ESN of the
      standby chassis, the ESN in the synchronized license file of the standby chassis is different
      from that in the existing license file of the standby chassis. As a result, the license status of
      the standby chassis becomes Trial (with a 60-day trial period). After an active/standby
      switchover, the license status for the CSS becomes Trial.
9 SVF Configuration
This chapter describes how to configure Super Virtual Fabric (SVF) to simplify management
and configuration at the campus network access layer.
[Figure: SVF networking. A CSS at the aggregation layer; access layer with wired access and wireless access.]
Compared with the traditional access layer networking, the SVF networking has the following
advantages:
• Unified device management: SVF virtualizes aggregation and access devices into one
logical device and allows aggregation devices to manage and configure access devices.
• Unified configuration: SVF implements batch configuration of access devices based on
profiles, removing the need to configure access devices one by one.
• Unified user management: SVF manages wired and wireless access users in a unified
manner.
9.2 Principles
NOTE
In the following SVF principles, a switch functions as a wired access device (AS). When a wireless device
(AP) accesses an SVF system, the parent functions as a wireless access controller (AC). For details about the
SVF principles in wireless access, see S7700 and S9700 V200R008C00 Configuration Guide - WLAN-AC
Configuration Guide.
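[Figure 9-2: SVF system diagram. The parent connects through fabric ports to the client, which consists of level-1 ASs (directly or across a Layer 2 network), level-2 ASs and APs; connections are numbered 1 to 6.]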
In Figure 9-2, an SVF system consists of the parent and client, which are connected through
fabric ports. For the roles in an SVF system, see Table 9-1.
Fabric-port A fabric port is a logical port that connects the parent and a
level-1 AS or connects a level-1 AS and a level-2 AS. One or
more member ports can be added to a fabric port, and one
fabric port can connect to only one AS.
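[Figure 9-3: SVF system diagram. The parent (CSS/Stack) connects through fabric ports and CAPWAP links to the client, which consists of level-1 ASs (directly or across a Layer 2 network), level-2 ASs and APs; connections are numbered 1 to 6.]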
In Figure 9-3, SVF allows the parent and client to establish a Control And Provisioning of
Wireless Access Points (CAPWAP) link as the control channel for unified client configuration
and management. This process is similar to AP management by an AC in WLANs. During
SVF setup, some operations need to be performed on the parent and client to establish a
CAPWAP link.
• The parent is directly connected to level-1 ASs, but level-1 ASs are not connected to level-2
ASs.
No. Role Operations
• The parent is directly connected to level-1 ASs, and level-1 ASs are connected to level-2 ASs.
No. Role Operations
[Figure: SVF setup process between the AS, the DHCP server (deployed on the parent) and the parent. Stage labels: collect and calculate the topology; deliver the configuration; associate the policy (optional).]
6. The parent determines that the AS version needs to be updated.
7. The AS version is updated and then the AS restarts.
8. The AS reports topology information to the parent through the CAPWAP channel.
9. The parent generates the topology and determines port roles.
10. In direct configuration mode, the parent sends service configurations to ASs
over CAPWAP links. In independent configuration mode, service configurations are
performed on ASs independently.
11. Users connect to the AS, and user entries are set up and synchronized on
the AS and parent through the CAPWAP channel.
12. The parent delivers the policy after users pass the authentication.
Centralized Mode
In centralized mode, all service configurations for ASs are performed on the parent.
Therefore, the services that can be configured on ASs depend on the services that can be
configured on the parent, not on the services supported by a standalone access
switch. AS-supported services apply to most access switches.
In centralized mode, you can deliver service configurations to multiple ASs using profiles or
global batch configuration or configure a single AS directly. The global batch configuration
mode supports only a few functions. The following describes profile-based configuration and
direct configuration.
Profile-based Configuration
In profile-based configuration, service profiles on the parent are bound to specified device and
port groups to deliver service configurations to ASs. Profile-based configuration involves
two concepts:
AS port group | Port that connects an AS to a user terminal | An AS port group is a set of AS ports that connect to user terminals. The group implements batch configuration of AS ports with the same configuration.
AP port group | Port that connects an AS to an AP | An AP port group is a set of AS ports that connect to APs. All the ports that connect ASs to APs need to be added to an AP port group.
• Service Profiles
A service profile is a set of service configurations. You can bind service profiles to
specified device and port groups to deliver the service profiles to corresponding ASs,
which then parse and execute services configured in the service profiles.
Table 9-3 lists the service profile types in an SVF system.
Direct Configuration
Service configurations can be delivered to ASs through service profiles. Apart from this
method, you can also run the direct-command command on the parent to directly deliver
some service configurations to ASs.
An SVF system can be configured and managed on a switch or eSight. Configuring and managing an SVF
system on eSight is visualized and more convenient. For the SVF configuration on eSight, see "SVF
Management" in the eSight V200R005C00 User Guide.
Connect level-1 and level-2 ASs to the parent directly to set up an SVF system. | You can connect ASs to the parent directly to allow wired user terminals to connect to an SVF system. When only a small number of user terminals exist, you only need to configure level-1 ASs. When a large number of user terminals exist, you can also configure level-2 ASs. | 9.6.1 Connecting an AS to the Parent Directly
Connect ASs to the parent through a network to set up an SVF system. | You can connect ASs to the parent through a network to allow wired user terminals to connect to an SVF system. | 9.6.2 Connecting an AS to the Parent Through a Network
Connect APs to the parent to set up an SVF system. | SVF can implement unified management on wired access and wireless access. You can connect APs to the parent to allow wireless user terminals to connect to an SVF system. APs can connect to the parent or ASs. | 9.6.3 Connecting an AP to an AS
The license controls only the SVF function but not the SVF service specifications and only
needs to be loaded on the parent.
For details about how to apply for a license, see S Series Switch License Use Guide.
9.4.4 Specifications
NOTE
In an SVF system, ASs and APs share the CAPWAP link specifications. That is, the maximum number of
ASs and APs cannot exceed the maximum number of CAPWAP links. For example, when an S9706 functions
as the parent in an SVF system and 64 ASs have connected to the SVF system, a maximum of 1984
(2048-64) APs can connect to the SVF system.
If DTLS encryption is configured for packets transmitted in a CAPWAP tunnel, recommendations on the
maximum number of ASs and APs supported on the parent are as follows:
• The maximum numbers of ASs and APs do not exceed 16 and 48 respectively.
• The preceding AS or AP specifications apply to scenarios where all ASs or APs go online. If both ASs
and APs go online, it is recommended that the value of AS*3+AP do not exceed the maximum number
of APs.
• When the number of ASs or APs exceeds the maximum value, a high CPU usage may occur, affecting
existing services.
AS administrator profile | 16
Network enhanced profile | 16
User access profile | 16
Configure the SVF forwarding mode.
An SVF system supports two forwarding modes: centralized forwarding and distributed forwarding.
• In centralized forwarding mode, traffic forwarded by the local AS and forwarded between ASs is
sent to the parent for forwarding.
• In distributed forwarding mode, an AS directly forwards local traffic and the parent forwards
traffic between ASs.
NOTE
• In centralized forwarding mode, ports of the ASs connected to the same fabric port of the parent
are isolated and so cannot communicate at Layer 2, and need to have proxy ARP in the corresponding
VLAN configured using the arp-proxy inner-sub-vlan-proxy enable command to communicate at Layer 3.
• After an AS goes offline, downlink ports of the AS are automatically shut down. As a result,
traffic of the AS attached network will be interrupted.
By default, the forwarding mode of an SVF system is distributed forwarding.

Configure the URL encoding function for an AS (This function is supported in V200R009 and later versions).
To improve web application security, data from untrustworthy sources must be encoded before being
sent to clients. URL encoding is most commonly used in web applications. After URL encoding is
enabled for ASs, special characters in redirected URLs are converted to secure formats, preventing
clients from mistaking them for syntax signs or instructions and unexpectedly modifying the original
syntax. In this way, cross-site scripting attacks and injection attacks are prevented. By default,
URL encoding is enabled in ASs. This function can be disabled using the portal url-encode disable
command.
Table 9-6 Commands not supported in the user view and diagnostic view of ASs
Command View
l Commands that are supported in other views are used for service diagnosis and fault
location. In V200R009 and earlier versions, the uni-mng diag-mode enable command
must be executed first to enable the diagnostic mode.
l These commands vary depending on the AS device type. For details, see the command
reference of these devices.
l In independent mode, configuring some commands may cause an AS's failure to go
online. To prevent this problem, some commands listed in the following table are not
supported. If an unsupported command is executed on an AS, an error message is
displayed.
Function Command
Parent
l The parent can be a standalone device, a stack system, or a cluster switch system (CSS).
l ASs or APs connecting to an SVF system can be different models.
AP
l If an AP has been connected to the parent before the SVF function is enabled,
the parent cannot collect topology information about the AP after the uni-mng
command is used to enable the SVF function. You need to run the
commit { all | ap ap-id } command in the WLAN view to commit the AP
configuration. Subsequently, the parent can collect topology information about
the AP.
l From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
l If APs need to connect to an SVF system with an S9700/S7700 functioning as
the parent, X series cards must be installed on the parent to manage APs.
Fabric port
l Service ports of fixed switches are classified into uplink and downlink service
ports. For details about uplink and downlink service ports, see the "Naming
Conventions" section in the Hardware Description - Chassis.
l If downlink service ports of an AS are configured as member ports of an uplink
fabric port, all the downlink ports of the AS cannot be configured as stack
member ports.
l When GE optical interfaces are connected to XGE optical interfaces to connect
level-1 ASs to the parent or connect level-2 ASs to level-1 ASs, these interfaces
must use GE instead of XGE optical modules.
l When an AS connects to APs, all member ports of the Eth-Trunk bound to the
fabric port that connects the parent to the AS must be ports on X series cards or
ports on non-X series cards. Otherwise, APs cannot go online.
l In V200R008 and earlier versions, an AS can only connect to the upstream
parent or AS using fixed uplink ports or ports on an extension card. Since
V200R009, downlink service ports of an AS can also be connected to the
upstream parent or AS after you configure them as member ports of an
upstream fabric port using the uni-mng up-direction fabric-port member
interface interface-type interface-number [ to interface-number ] command.
l A downlink service port of an AS cannot be configured as a member port of
upstream and downstream fabric ports simultaneously. If this configuration is
performed, the AS will be unable to go online after a reboot. If the reset slot
command is executed in the slot of the AS, the AS will reset repeatedly.
l Ports on an AS subcard and uplink service port on an AS can only be used as
member ports of a fabric port or as stack member ports and cannot be used as
service ports.
l From V200R009C00, AS uplink ports can be used to connect to the parent or
level-1 AS or set up a stack and be configured as downlink fabric ports to
connect to other ASs.
l On the S6720EI, S6720S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI,
40GE ports and 10GE ports split from 40GE ports cannot be configured as
downlink fabric ports.
CAPWAP
l Configured CAPWAP tunnel parameters apply to the SVF system. To ensure
that the CAPWAP tunnel of the SVF system works normally, you are advised to
retain the default CAPWAP tunnel parameters. For details on how to configure
CAPWAP tunnel parameters, see Configuring CAPWAP Tunnel Parameters.
l In versions earlier than V200R011C10, Eth-Trunk can be manually created and deleted
on an AS in centralized mode. In V200R011C10 and later versions, Eth-Trunk cannot be
manually created and deleted on an AS in centralized mode and must be created and
deleted on the parent.
l In an SVF system, the maximum frame length allowed by interfaces cannot be
configured on an AS. Therefore, the maximum frame length is the default value 9216
(including the CRC field).
l After an AS goes online, a static ARP entry in which the IP address is the management
address of the parent is generated on the AS. Deleting the static ARP entry is not
allowed. Otherwise, the AS may be forcibly removed from the SVF system.
l Internal attacks in the management VLAN will cause an AS to go offline. You need to
identify the attack source and then shut down the attacked port or remove the port from
the management VLAN.
l After an AS goes offline, all downlink ports of the AS are shut down.
l When an AS goes offline and needs to go online again, and the AS configuration is
changed on the parent after the AS goes offline, the AS restarts and then goes online
again.
l After an AS is changed to the independent mode, it is recommended that you just add or
remove the fabric port of the AS to or from a VLAN. If you perform other configurations
on the fabric port, the AS may go offline. For details, see the description of the port
connect independent-as command.
When an AS connects to the parent across a Layer 2 network, pay attention to the
following points:
l Automatic AS discovery is not supported, and fabric ports of the parent and AS need to
be manually configured.
l The indirectly-connected fabric port of the parent and configured uplink fabric port of
the AS do not support connection error check. The administrator needs to ensure the
connection correctness of the Eth-Trunk, and the AS can only connect to third-party
network devices through Eth-Trunks in manual load balancing mode.
l The administrator needs to ensure that the downlink fabric port of the parent and the
intermediate Layer 2 network are correctly configured, the SVF management VLAN and
service VLAN between the parent and AS are correctly connected, and the intermediate
network transparently transmits data traffic between the parent and AS. Therefore, the
intermediate network must be a pure Layer 2 network.
l The AS does not support the MAD function because this function requires that third-
party devices support the MAD relay function.
l In centralized forwarding mode, traffic from the network segment where the AS resides
may be forwarded by the intermediate network but not the parent.
l After the AS is configured to work in client mode, the AS can only be manually
configured to return to the standalone mode and must be restarted. If the AS is a stack,
new stack member devices will be automatically configured to work in client mode after
the AS is configured to work in client mode.
Context
As shown in Figure 9-5, ASs in an SVF system are classified into level-1 and level-2 ASs.
When connecting ASs to the parent, you can connect a level-1 AS to the parent and then a
level-2 AS to the level-1 AS.
By default, you do not need to configure the ports that connect a level-1 AS to the parent and
a level-2 AS to the level-1 AS because ASs are plug-and-play. You only need to configure
fabric ports that connect the parent to a level-1 AS and a level-1 AS to a level-2 AS.
[Figure 9-5. Labels: Parent, iStack, Level-1 AS, Level-2 AS. Legend: "Require manual configuration", "Do not need to be configured".]
Pre-configuration Tasks
Before connecting an AS to the parent, complete the following task:
l Powering on the related devices and ensuring that they finish self check successfully
Configuration Process
The following tasks are performed on the parent. You are advised to perform the tasks in the
following sequence.
Context
An SVF system can use a single switch or a CSS of two switches as the parent. Using a CSS
of two switches can provide redundancy for the SVF system, improving reliability of the SVF
system.
NOTE
To ensure high reliability of an SVF system, you are advised to use a CSS of two switches as the parent.
Procedure
Step 1 For the procedure for and notes about configuring a CSS, see "CSS Configuration" in the
S7700&S9700 Series Ethernet Switches Configuration Guide - Device Management
Configuration.
----End
Context
Before setting up an SVF system, you must enable the SVF function on the parent, configure
the management VLAN for the SVF system, and configure DHCP on the parent so that the
parent and ASs can set up CAPWAP links.
Procedure
Step 1 Run:
system-view
The management VLAN is created for the SVF system. The management VLAN cannot be
configured as VLAN 1 or VLAN 4093.
Step 4 Run:
interface vlanif vlan-id
Step 5 Run:
ip address ip-address { mask | mask-length }
The DHCP server function is configured to assign IP addresses from the interface address
pool to clients.
The DHCP server function enables an AS to obtain an IP address from the parent.
Step 7 (Optional) Run:
dhcp server option 43 ip-address ip-address
The parent is configured to send its IP address in the Option 43 field to an AS.
The parent can send its IP address in the Option 43 field to an AS. The IP address must be the
same as that configured in step 5.
If the Option 43 field is not configured, an AS obtains the IP address of the parent in
broadcast mode. If the Option 43 field is configured, an AS sets up a CAPWAP link with only
a specified IP address, and does not obtain the IP address of the parent in broadcast mode.
NOTE
To improve service reliability, you are advised to configure the parent to send its IP address in the Option 43
field to an AS.
Step 8 Run:
quit
The source interface on which the parent sets up a CAPWAP link with an AS is configured.
vlan-id must be consistent with that specified in step 4.
NOTE
You are not advised to configure other services except the preceding configurations in the management
VLAN and corresponding VLANIF interface of the SVF system. Otherwise, ASs or APs cannot go online
normally.
If the SVF function is enabled, only one source interface can be configured.
Step 10 Run:
authentication unified-mode
NOTE
After changing the NAC configuration mode, save the configuration and then restart the device to make the
configuration take effect.
Step 11 Run:
stp mode { rstp | stp }
NOTE
After changing the Eth-Trunk specifications, save the configuration and then restart the device to make the
configuration take effect.
After the SVF function is enabled, changing the Eth-Trunk specifications is not allowed.
Step 15 Run:
undo stp process process-id
You can run the display current-configuration command to check whether the MSTP
process configuration exists. If so, perform this step to delete the configuration. If not, ignore
this step.
Step 16 Run:
aaa
Step 17 Run:
service-scheme service-scheme-name
Step 18 Run:
undo remote-authorize
When enabling the SVF function, ensure that remote authorization is not configured. You can
run the display current-configuration command to check whether remote authorization is
configured. If remote authorization is not configured, ignore this step. If remote authorization
is configured, disable remote authorization.
Step 19 Run:
quit
Step 20 Run:
quit
Step 21 Run:
uni-mng
By default, the interval for collecting SVF network topology information is 10 minutes. If
interval interval is not specified, SVF network topology collection is triggered immediately.
You can adjust the interval for collecting SVF network topology information based on SVF
network stability. When the network topology is stable, you can increase the interval or
disable periodic topology information collection. When the network topology is unstable, you
can shorten the interval.
----End
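An added example, not part of the guide: a pre-flight check that reads a saved parent configuration and reports the conditions this procedure calls out (reserved management VLAN, Option 43 address differing from the VLANIF address, STP mode other than rstp or stp, a remaining MSTP process, remote authorization in a service scheme). The sample configuration is constructed, and the way the device renders these lines in its configuration output is an assumption.

```python
import re

# Constructed sample (not from the guide). How the device renders these lines
# in `display current-configuration` output is an assumption.
SAMPLE_CONFIG = """\
stp mode mstp
stp process 2
interface Vlanif4093
 ip address 192.168.11.1 255.255.255.0
 dhcp server option 43 ip-address 192.168.11.2
aaa
 service-scheme svc1
  remote-authorize
"""

RESERVED_MGMT_VLANS = {1, 4093}  # not allowed as the SVF management VLAN


def parse_sections(text):
    """Group a configuration into (top-level line, [indented child lines])."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "#":
            continue
        if not line.startswith(" "):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)  # keep indentation for nesting
    return sections


def _first(pattern, lines):
    """Return group 1 of the first line matching pattern, else None."""
    for line in lines:
        m = re.match(pattern, line.strip())
        if m:
            return m.group(1)
    return None


def audit_parent(text, mgmt_vlan):
    """Return a list of (code, message) findings for the SVF pre-checks."""
    findings = []
    sections = parse_sections(text)
    top = [header for header, _ in sections]

    if mgmt_vlan in RESERVED_MGMT_VLANS:
        findings.append(("MGMT_VLAN_RESERVED",
                         f"VLAN {mgmt_vlan} cannot be the management VLAN"))

    # Step 5 / step 7: Option 43 must carry the VLANIF's own address.
    vlanif = next((kids for header, kids in sections
                   if re.fullmatch(rf"interface vlanif\s*{mgmt_vlan}",
                                   header, re.I)), None)
    if vlanif is None:
        findings.append(("NO_VLANIF",
                         f"no VLANIF interface for VLAN {mgmt_vlan}"))
    else:
        ip = _first(r"ip address (\S+)", vlanif)
        opt43 = _first(r"dhcp server option 43 ip-address (\S+)", vlanif)
        if opt43 is None:
            findings.append(("OPTION43_MISSING",
                             "ASs will discover the parent by broadcast"))
        elif opt43 != ip:
            findings.append(("OPTION43_MISMATCH",
                             f"Option 43 {opt43} differs from VLANIF address {ip}"))

    # Step 11 / step 15: STP mode must be rstp or stp, with no MSTP process.
    mode = _first(r"stp mode (\S+)", top)
    if mode not in ("rstp", "stp"):
        findings.append(("STP_MODE",
                         f"stp mode is {mode or 'not set'}, expected rstp or stp"))
    for header in top:
        if re.fullmatch(r"stp process \d+", header):
            findings.append(("STP_PROCESS", f"'{header}' must be removed"))

    # Step 18: no remote authorization inside any AAA service scheme.
    for header, kids in sections:
        if header != "aaa":
            continue
        scheme = None
        for line in kids:
            depth = len(line) - len(line.lstrip())
            word = line.split()
            if depth == 1:
                is_scheme = word[0] == "service-scheme" and len(word) > 1
                scheme = word[1] if is_scheme else None
            elif scheme and word[0] == "remote-authorize":
                findings.append(("REMOTE_AUTHORIZE",
                                 f"service-scheme {scheme} has remote authorization"))
    return findings


if __name__ == "__main__":
    for code, message in audit_parent(SAMPLE_CONFIG, mgmt_vlan=4093):
        print(f"{code}: {message}")
```

A missing Option 43 is reported as advisory only, since the guide marks that step optional but recommended.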
Context
The parent connects to an AS through a fabric port. The parent-side fabric port needs to be
manually configured, while the AS-side fabric port is auto-negotiated between the AS and
parent.
A fabric port must be bound to an Eth-Trunk. Before binding a fabric port to an Eth-Trunk,
ensure that the Eth-Trunk is not created.
Procedure
Step 1 Run:
system-view
Step 9 Run:
eth-trunk trunk-id
You can perform steps 8 and 9 multiple times to add multiple interfaces to an Eth-Trunk.
After an Eth-Trunk is bound to a fabric port, the configuration of the Eth-Trunk will be
automatically generated according to the services configured on the AS to which the Eth-
Trunk is connected. For this reason, the Eth-Trunk interface view cannot be displayed.
NOTE
Before removing an Up member port from a fabric port, run the shutdown command in the interface view to
shut down the member port.
When a port joins a downlink fabric port of the parent, the port enters the blocking state. When the port
negotiates with the peer port successfully, the port is unblocked.
----End
Context
You can configure a name for an AS and use the name to uniquely identify the AS. This
configuration facilitates AS identification and management.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as name as-name model as-model mac-address mac-address
An AS name is configured.
By default, an AS uses its system default name-device MAC address as its name after going
online.
NOTE
l Ensure that the model as-model and mac-address mac-address settings are consistent with the actual
settings.
l If no AS name is pre-configured before an AS goes online, you can also run this command to modify the
AS name after an AS goes online. In this situation, the AS must meet the following conditions:
1. The AS is not bound to any service profile.
2. The AS is not added to any AS group.
3. Ports of the AS are not added to any port group.
----End
9.6.1.1.5 (Optional) Configuring the Fabric Port That Connects a Level-1 AS to a Level-2 AS
Context
When a level-1 AS needs to connect to a level-2 AS, you need to configure a fabric port on
the level-1 AS to connect to the level-2 AS. A downlink port of a level-1 AS becomes Up
only after the parent finishes delivering the configuration. A level-2 AS begins to go online
only after the downlink port of the level-1 AS becomes Up.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as name as-name
Step 4 Run:
down-direction fabric-port port-id member-group interface eth-trunk trunk-id
Step 5 Run:
port eth-trunk trunk-id trunkmember interface interface-type interface-number1 [ to interface-number2 ]
Member ports are added to the Eth-Trunk to which the fabric port is bound.
NOTE
Before removing an Up member port from a fabric port, you must run the shutdown interface interface-type
interface-number command in the AS view to shut down the member port.
When a port joins a downlink fabric port of a level-1 AS, the port enters the blocking state. When the port
negotiates with the peer port successfully, the port is unblocked.
----End
Context
An AS needs to be authenticated before connecting to an SVF system by default. An AS is
authenticated using a blacklist or whitelist. An AS in the blacklist cannot connect to an SVF
system, but an AS in the whitelist can connect to an SVF system. An AS that is neither in the
blacklist nor in the whitelist fails the authentication. You can run the confirm { all |
mac-address mac-address } command to allow all ASs or a specified AS to pass the
authentication.
You can also configure no authentication for ASs. In this situation, an AS can connect to an
SVF system regardless of whether it is in a blacklist or whitelist. Disabling authentication
is a security risk, so authentication is recommended.
Procedure
l Configure authentication when an AS connects to an SVF system.
a. Run:
system-view
Context
The parent and an AS transmit management packets through a CAPWAP tunnel. To ensure
tunnel confidentiality and security, you can use Datagram Transport Layer Security (DTLS) to
encrypt packets transmitted in the CAPWAP tunnel.
The parent and AS encrypt packets transmitted in the CAPWAP tunnel using the pre-shared
key. That is, a key is pre-configured on the parent and AS. When the pre-shared keys of the
parent and AS are the same, the parent and AS can negotiate successfully and set up a
CAPWAP tunnel.
NOTE
The parent and an AS cannot support the HA and CAPWAP tunnel DTLS encryption functions
simultaneously. If the two functions are enabled simultaneously, the AS waits until the original CAPWAP
tunnel ages before it can re-establish a CAPWAP tunnel when an active/standby switchover occurs on the
parent, causing service interruption. When an active/standby switchover occurs on the AS, the AS needs to
re-establish a link and go online again, causing service interruption. Therefore, you are advised to disable
CAPWAP tunnel DTLS encryption in a networking with the HA function.
Procedure
l Configure a pre-shared key on the parent.
a. Run:
system-view
An AS is allowed to establish a DTLS session with the parent using the default pre-
shared key.
By default, an AS uses the default pre-shared key to establish a DTLS session with
the parent.
When an AS is allowed to establish a DTLS session with the parent using the
default pre-shared key, the AS first uses the pre-shared key configured using the as
access dtls psk psk-value command to establish a DTLS session with the parent. If
the DTLS session cannot be established, the AS uses the default pre-shared key to
establish a DTLS session with the parent (the parent also uses the default pre-shared key).
d. Run:
capwap dtls control-link encrypt
NOTE
When the parent switches the status of CAPWAP tunnel DTLS encryption, ASs connected to the
parent will restart.
When an AS is being upgraded, the parent cannot switch the status of CAPWAP tunnel DTLS
encryption.
l Configure a pre-shared key on an AS.
a. Run:
as access dtls psk psk-value
NOTE
When CAPWAP tunnel DTLS encryption is enabled on the parent and an AS has connected to the
parent, the pre-shared key is automatically delivered to the AS if the pre-shared key is modified
on the parent. You are advised not to repeatedly modify the pre-shared key within 10 minutes.
----End
Context
When an AS is a stack of multiple member switches, the system pre-configures only stack ID
0 by default. You can only pre-configure services for the member switch with stack ID 0.
Before pre-configuring services for another member switch, pre-configure a stack ID for the
member switch.
The pre-configured stack ID does not affect the actual stack ID. For example, the pre-
configured stack ID is 0 (default value), but the actual stack IDs are 0 and 2. The actual stack
IDs remain 0 and 2 except that no services are configured on the device with stack ID 2.
NOTE
If an AS is a single device but its stack ID is not 0 and no stack ID is configured on the parent, the parent
changes the stack ID of the AS to 0 and restarts the AS when the AS connects to the parent.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as name as-name
Step 4 Run:
slot slot-id1 [ to slot-id2 ]
----End
Context
During online automatic upgrade, an AS checks whether its software version is consistent
with that of the parent. If not, the AS searches for and downloads the system software from
the parent to upgrade its software version.
The AS first searches for the software version with the same V, R, C, and SPC versions as the
parent. If such version is unavailable, the AS searches for the software version with the same
V, R, and C versions as the parent and selects the one with the latest SPC version. If no
version meets the preceding requirements, the AS does not upgrade its software version.
Additionally, a version upgrade failure alarm is generated when the AS runs a software
version with a different V, R, or C version than the parent.
NOTE
l The files used to upgrade an AS must be saved in the root directory unimng/ of the parent.
l To upgrade an AS, you must configure the FTP or SFTP server function on the parent so that the AS can
download the related upgrade files from the parent.
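The search order described above, as an added example that is not the device's own code: it picks the image an AS would download given the parent's version and the images stored on the parent, and reports whether the V/R/C mismatch alarm condition holds. The image file names are hypothetical, and treating a missing SPC as 0 and not reloading an image the AS already runs are assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Version(NamedTuple):
    v: int
    r: int
    c: int
    spc: int


_VERSION_RE = re.compile(r"V(\d+)R(\d+)C(\d+)(?:SPC(\d+))?", re.IGNORECASE)

# Constructed inputs (hypothetical file names, not from the guide).
PARENT_VERSION = "V200R008C00SPC500"
IMAGES = ["as-V200R008C00SPC200.cc", "as-V200R008C00SPC300.cc",
          "as-V200R009C00SPC100.cc"]


def parse_version(text: str) -> Optional[Version]:
    """Extract V/R/C/SPC numbers; a missing SPC counts as 0 (assumption)."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    v, r, c, spc = m.groups()
    return Version(int(v), int(r), int(c), int(spc or 0))


def select_upgrade(parent: str, current: str,
                   available: List[str]) -> Tuple[Optional[str], bool]:
    """Return (image to download or None, whether the V/R/C alarm applies)."""
    parent_v, current_v = parse_version(parent), parse_version(current)
    if parent_v is None or current_v is None:
        raise ValueError("parent and current versions must be parseable")
    if current_v == parent_v:
        return None, False  # already consistent with the parent

    # Only images with the parent's V, R and C are ever candidates.
    same_vrc = []
    for name in available:
        ver = parse_version(name)
        if ver is not None and ver[:3] == parent_v[:3]:
            same_vrc.append((ver, name))

    chosen = None
    exact = [name for ver, name in same_vrc if ver.spc == parent_v.spc]
    if exact:
        chosen = exact[0]            # same V, R, C and SPC as the parent
    elif same_vrc:
        chosen = max(same_vrc)[1]    # same V, R, C with the latest SPC
    # Assumption: an image equal to what the AS already runs is not reloaded.
    if chosen is not None and parse_version(chosen) == current_v:
        chosen = None

    # The alarm applies when the AS ends up on a different V, R or C.
    final_v = parse_version(chosen) if chosen else current_v
    alarm = final_v[:3] != parent_v[:3]
    return chosen, alarm


if __name__ == "__main__":
    print(select_upgrade(PARENT_VERSION, "V200R005C00SPC300", IMAGES))
```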
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
upgrade { local-ftp-server | local-sftp-server } username username password password
NOTE
l If the local file server is not configured, an AS cannot download upgrade files from the parent and so
cannot be upgraded.
l FTP has potential security risks, and so SFTP is recommended. If you want to use FTP, you are advised to
configure ACLs to improve security. For details, see Configure the FTP ACL.
l When the file server is an FTP server, the FTP service is automatically enabled and an FTP user is created
on the parent, removing the need to perform the FTP configuration. If the same user name has been
configured on the parent but the access type is not FTP, the system changes the access type of the user
name to FTP.
l When the file server type is set to SFTP, the SFTP service is not automatically enabled and no SFTP user
is created on the parent. You need to manually pre-configure SFTP on the parent.
For more details about the SFTP configuration, see "File Management" in the S7700 and S9700 Series
Switches Configuration Guide - Basic Configuration.
l After the upgrade { local-ftp-server | local-sftp-server } command is executed, the same user name and
password configuration is also generated in the AAA view. If you modify the configured local user
information (the user password for example) in AAA view, the version management function does not
take effect.
l If information about a user already exists in the AAA view, running this command to create the same user
will change the user password in the AAA view to the configured password and change the user level to
level 3. Changing the user password is allowed only when the user level of the user running this
command is higher than or equal to the user level configured in the AAA view. Otherwise, the command
does not take effect.
l Running this command multiple times to create new users will delete previous user information. Previous
user information can be deleted only when the user level of the user running this command is higher than
or equal to the user level configured in the AAA view. Otherwise, the command does not take effect.
If files to be loaded on an AS are specified, the AS downloads the specified files when
connecting to an SVF system without searching for the upgrade files, even though the
matching system software version exists on the parent.
----End
Configuration Process
All the following tasks are performed on an AS according to networking requirements.
Context
In an SVF system, an AS can be a single switch or a stack of multiple switches. If an AS
needs to be configured as a stack, you must configure the stack on the AS and then connect
the AS to the SVF system.
NOTE
l An AS contains a maximum of three stack member switches of which the stack ID ranges from 0 to 2. If
the number of member switches exceeds 3 or the stack ID is larger than 2, the AS cannot go online to
connect to the SVF system.
l When a new member switch needs to join an AS that has connected to the SVF system, the switch with
the stack ID larger than 2 restarts repeatedly.
l Stack member switches in an AS must be the same model.
Procedure
Step 1 For the procedure for and notes about configuring a stack, see "Stack Configuration" in the
S7700 and S9700 Series Switches Configuration Guide - Device Management Configuration.
----End
Context
In a Super Virtual Fabric (SVF) system, each AS has a unique management MAC address to
identify itself. By default, an AS uses its system MAC address as the management MAC
address to connect to an SVF system. When the management MAC address of an AS conflicts
with that of another AS, you can run the as access manage-mac command to change the
management MAC address so as to prevent MAC address conflicts.
NOTE
Use of this command is not recommended when no MAC address conflict occurs.
management MAC address is the same as the pre-configured MAC address by default,
and no management MAC address needs to be configured.
l If the AS name and MAC address are configured after the AS connects to an SVF
system, the management MAC address does not need to be configured.
Procedure
Step 1 Run:
as access manage-mac mac-address
By default, an AS uses the system MAC address as the management MAC address.
NOTE
This command can be used only before an AS connects to an SVF system. If an AS has connected to an SVF
system, use of this command is not allowed.
----End
Context
After the software configurations are complete, clear the AS configuration, restart the AS, and
then connect the AS and parent using cables. The AS then can connect to an SVF system.
NOTE
l An AS can connect to an SVF system only when it has no configuration file or input on the console port.
l If a device functions as a VLAN Central Management Protocol (VCMP) client and has synchronized
VLANs before connecting to an SVF system, you must run the reset vcmp command to clear VCMP
information and restart the device. In this manner, the device can function as an AS to connect to the SVF
system.
l Configuring the software and connecting cables can be performed in any sequence. That is, you can also
connect cables before configuring the software.
Procedure
l Run the display as { all | name as-name | mac-address mac-address | vpn-instance
information } command on the parent to check AS information.
l Run the display as { name as-name | mac-address mac-address } run-info command
on the parent to check the AS running status.
l Run the display uni-mng topology information [ by-name ] command on the parent to
check SVF network topology information.
----End
Context
As shown in Figure 9-6, when ASs connect to an SVF system through a Layer 2 network,
only level-1 ASs are supported and APs can connect to ASs.
The fabric port that connects the parent to an AS through a Layer 2 network is called an
indirectly connected fabric port. Indirectly connected fabric ports on the parent and fabric
ports that connect ASs to an SVF system need to be manually configured.
[Figure 9-6. Labels: CSS, Parent, Layer 2 Network, iStack, Level-1 AS, AP. Legend: "Require manual configuration".]
Pre-configuration Tasks
Before connecting an AS to the parent through a network, complete the following task:
l Powering on the related devices and ensuring that they finish self check successfully
Configuration Process
The following tasks are performed on the parent. You are advised to perform the tasks in the
following sequence.
Context
An SVF system can use a single switch or a CSS of two switches as the parent. Using a CSS
of two switches can provide redundancy for the SVF system, improving reliability of the SVF
system.
NOTE
To ensure high reliability of an SVF system, you are advised to use a CSS of two switches as the parent.
Procedure
Step 1 For the procedure for and notes about configuring a CSS, see "CSS Configuration" in the
S7700&S9700 Series Ethernet Switches Configuration Guide - Device Management
Configuration.
----End
Context
Before setting up an SVF system, you must enable the SVF function on the parent, configure
the management VLAN for the SVF system, and configure DHCP on the parent so that the
parent and ASs can set up CAPWAP links.
Procedure
Step 1 Run:
system-view
The management VLAN is created for the SVF system. The management VLAN cannot be
configured as VLAN 1 or VLAN 4093.
Step 4 Run:
interface vlanif vlan-id
The DHCP server function is configured to assign IP addresses from the interface address
pool to clients.
The DHCP server function enables an AS to obtain an IP address from the parent.
Step 7 (Optional) Run:
dhcp server option 43 ip-address ip-address
The parent is configured to send its IP address in the Option 43 field to an AS.
The parent can send its IP address in the Option 43 field to an AS. The IP address must be the
same as that configured in step 5.
If the Option 43 field is not configured, an AS obtains the IP address of the parent in
broadcast mode. If the Option 43 field is configured, an AS sets up a CAPWAP link with only
a specified IP address, and does not obtain the IP address of the parent in broadcast mode.
NOTE
To improve service reliability, you are advised to configure the parent to send its IP address in the Option 43
field to an AS.
Step 8 Run:
quit
The source interface on which the parent sets up a CAPWAP link with an AS is configured.
vlan-id must be consistent with that specified in step 4.
NOTE
You are not advised to configure other services except the preceding configurations in the management
VLAN and corresponding VLANIF interface of the SVF system. Otherwise, ASs or APs cannot go online
normally.
If the SVF function is enabled, only one source interface can be configured.
Step 10 Run:
authentication unified-mode
After changing the NAC configuration mode, save the configuration and then restart the device to make the
configuration take effect.
Step 11 Run:
stp mode { rstp | stp }
NOTE
After changing the Eth-Trunk specifications, save the configuration and then restart the device to make the
configuration take effect.
After the SVF function is enabled, changing the Eth-Trunk specifications is not allowed.
Step 15 Run:
undo stp process process-id
----End
Context
The parent connects to an AS through a fabric port. When they connect through a network,
you must configure the indirect connection mode for the fabric port.
A fabric port must be bound to an Eth-Trunk. Before binding a fabric port to an Eth-Trunk,
ensure that the Eth-Trunk is not created.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
interface fabric-port port-id
Step 4 Run:
port connect-type indirect
Step 5 Run:
port member-group interface eth-trunk trunk-id
A fabric port can be bound to only the Eth-Trunk that has not been created. When a fabric
port is bound to an Eth-Trunk, the system creates the Eth-Trunk.
To facilitate fabric port management and identification, you can configure descriptions for
fabric ports. For example, you can describe the name of an AS that connects to a fabric port.
Step 7 Run:
quit
Step 8 Run:
quit
Step 9 Run:
interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed. The Eth-Trunk is the one bound in step 5.
Step 10 Run:
port link-type hybrid
Step 11 Run:
port hybrid tagged vlan vlan-id
The hybrid interface is added to a specified VLAN. The VLAN is the management VLAN
configured on the parent.
Step 12 Run:
stp root-protection
NOTE
The Eth-Trunk working mode configuration must be consistent on the member port in the indirectly
connected fabric port of the parent and the Layer 2 network port connected to the member port. If the
Eth-Trunk working mode on the Layer 2 network port is set to LACP, the Eth-Trunk working mode on the
member port must also be set to LACP.
Step 14 Run:
quit
NOTE
Before removing an Up member port from a fabric port, run the shutdown command in the interface view to
shut down the member port.
When a port joins a downlink fabric port of the parent, the port enters the blocking state. When the port
negotiates with the peer port successfully, the port is unblocked.
----End
Context
You can configure a name for an AS and use the name to uniquely identify the AS. This
configuration facilitates AS identification and management.
If no AS name is configured, system default name-device MAC address is used as the AS
name after the AS connects to an SVF system.
Procedure
Step 1 Run:
system-view
An AS name is configured.
By default, an AS uses its system default name-device MAC address as its name after going
online.
NOTE
• Ensure that the model as-model and mac-address mac-address settings are consistent with the actual
settings.
• If no AS name is pre-configured before an AS goes online, you can also run this command to modify the
AS name after an AS goes online. In this situation, the AS must meet the following conditions:
1. The AS is not bound to any service profile.
2. The AS is not added to any AS group.
3. Ports of the AS are not added to any port group.
----End
Context
An AS needs to be authenticated before connecting to an SVF system by default. An AS is
authenticated using a blacklist or whitelist. An AS in the blacklist cannot connect to an SVF
system, but an AS in the whitelist can connect to an SVF system. An AS that is neither in the
blacklist nor in the whitelist fails the authentication. You can run the
confirm { all | mac-address mac-address } command to allow all ASs or a specified AS to pass the
authentication.
You can also configure no authentication for ASs. In this situation, an AS can connect to an
SVF system regardless of whether it is in a blacklist or whitelist. Disabling authentication
poses security risks, so authentication is recommended.
Procedure
• Configure authentication when an AS connects to an SVF system.
a. Run:
system-view
Context
The parent and an AS transmit management packets through a CAPWAP tunnel. To ensure
tunnel confidentiality and security, you can use Datagram Transport Layer Security (DTLS) to
encrypt packets transmitted in the CAPWAP tunnel.
The parent and AS encrypt packets transmitted in the CAPWAP tunnel using the pre-shared
key. That is, a key is pre-configured on the parent and AS. When the pre-shared keys of the
parent and AS are the same, the parent and AS can negotiate successfully and set up a
CAPWAP tunnel.
NOTE
The parent and an AS cannot support the HA and CAPWAP tunnel DTLS encryption functions
simultaneously. If the two functions are enabled simultaneously, the AS waits until the original CAPWAP
tunnel ages before it can re-establish a CAPWAP tunnel when an active/standby switchover occurs on the
parent, causing service interruption. When an active/standby switchover occurs on the AS, the AS needs to
re-establish a link and go online again, causing service interruption. Therefore, you are advised to disable
CAPWAP tunnel DTLS encryption in a networking with the HA function.
Procedure
• Configure a pre-shared key on the parent.
a. Run:
system-view
An AS is allowed to establish a DTLS session with the parent using the default
pre-shared key.
By default, an AS uses the default pre-shared key to establish a DTLS session with
the parent.
When an AS is allowed to establish a DTLS session with the parent using the
default pre-shared key, the AS first uses the pre-shared key configured using the
as access dtls psk psk-value command to establish a DTLS session with the parent. If
the DTLS session cannot be established, the AS uses the default pre-shared key to
establish a DTLS session with the parent (it also uses the default pre-shared key).
d. Run:
capwap dtls control-link encrypt
NOTE
When the parent switches the status of CAPWAP tunnel DTLS encryption, ASs connected to the
parent will restart.
When an AS is being upgraded, the parent cannot switch the status of CAPWAP tunnel DTLS
encryption.
• Configure a pre-shared key on an AS.
a. Run:
as access dtls psk psk-value
NOTE
When CAPWAP tunnel DTLS encryption is enabled on the parent and an AS has connected to the
parent, the pre-shared key is automatically delivered to the AS if the pre-shared key is modified
on the parent. You are advised not to modify the pre-shared key repeatedly within 10 minutes.
----End
Context
When an AS is a stack of multiple member switches, the system pre-configures only stack ID
0 by default. You can only pre-configure services for the member switch with stack ID 0.
Before pre-configuring services for another member switch, pre-configure a stack ID for the
member switch.
The pre-configured stack ID does not affect the actual stack ID. For example, the pre-
configured stack ID is 0 (default value), but the actual stack IDs are 0 and 2. The actual stack
IDs remain 0 and 2 except that no services are configured on the device with stack ID 2.
NOTE
When an AS connects to an SVF system across a network, the parent does not change the slot ID of the AS to
0 if the AS is a standalone device and has no stack ID pre-configured on the parent. When the slot ID of the
AS is valid (the slot ID is 1 or 2), the AS can join the SVF system and the configuration related to the slot ID
is automatically generated on the parent. When the slot ID of the AS is invalid (the slot ID is larger than 2),
the AS cannot join the SVF system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as name as-name
Step 4 Run:
slot slot-id1 [ to slot-id2 ]
----End
Context
During online automatic upgrade, an AS checks whether its software version is consistent
with that of the parent. If not, the AS searches for and downloads the system software from
the parent to upgrade its software version.
The AS first searches for the software version with the same V, R, C, and SPC versions as the
parent. If such version is unavailable, the AS searches for the software version with the same
V, R, and C versions as the parent and selects the one with the latest SPC version. If no
version meets the preceding requirements, the AS does not upgrade its software version.
Additionally, a version upgrade failure alarm is generated when the AS runs a software
version with a different V, R, or C version than the parent.
NOTE
• The files used to upgrade an AS must be saved in the root directory unimng/ of the parent.
• To upgrade an AS, you must configure the FTP or SFTP server function on the parent so that the AS can
download the related upgrade files from the parent.
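The search order described in the Context above, written out as an added Python example (it is not code from this guide or from the device software). It assumes version labels of the form V<n>R<n>C<n>[SPC<n>], treats a missing SPC suffix as SPC 0, and compares version labels rather than file names; all function names are hypothetical.

```python
import re
from typing import Iterable, NamedTuple, Optional, Tuple

# Assumption: version labels look like "V200R008C00SPC500". The guide names the
# V, R, C and SPC fields but does not give the string syntax.
_VERSION_RE = re.compile(r"^V(\d+)R(\d+)C(\d+)(?:SPC(\d+))?$", re.IGNORECASE)


class Version(NamedTuple):
    v: int
    r: int
    c: int
    spc: int  # assumption: a label without an SPC suffix counts as SPC 0

    @property
    def vrc(self) -> Tuple[int, int, int]:
        return (self.v, self.r, self.c)


def parse_version(label: str) -> Version:
    m = _VERSION_RE.match(label.strip())
    if m is None:
        raise ValueError(f"unrecognised version label: {label!r}")
    v, r, c, spc = m.groups()
    return Version(int(v), int(r), int(c), int(spc or 0))


def select_upgrade(as_running: str, parent: str,
                   available: Iterable[str]) -> Optional[str]:
    """Return the label the AS would download, or None when it does not upgrade."""
    current, target = parse_version(as_running), parse_version(parent)
    if current == target:
        return None  # versions are already consistent, nothing to search for

    candidates = []
    for label in available:
        try:
            candidates.append((parse_version(label), label))
        except ValueError:
            continue  # ignore entries that are not version labels

    # 1. Same V, R, C and SPC as the parent.
    for version, label in candidates:
        if version == target:
            return label
    # 2. Same V, R and C as the parent: take the one with the latest SPC.
    same_vrc = [(ver, label) for ver, label in candidates if ver.vrc == target.vrc]
    if same_vrc:
        version, label = max(same_vrc, key=lambda item: item[0].spc)
        # Assumption: re-selecting the version already running is not an upgrade.
        return None if version == current else label
    # 3. Nothing suitable: the AS keeps its current version.
    return None


def plan_as_upgrade(as_running: str, parent: str,
                    available: Iterable[str]) -> Tuple[Optional[str], bool]:
    """Return (selected label, alarm).

    The alarm models the guide's version upgrade failure alarm: it is raised
    when the version the AS ends up running differs from the parent in V, R or C.
    """
    selected = select_upgrade(as_running, parent, available)
    final = parse_version(selected if selected else as_running)
    return selected, final.vrc != parse_version(parent).vrc
```

An AS whose V, R or C differs from the parent and for which no matching file is staged comes back as `(None, True)`: no upgrade, alarm raised.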
Procedure
Step 1 Run:
system-view
NOTE
• If the local file server is not configured, an AS cannot download upgrade files from the parent and so
cannot be upgraded.
• FTP has potential security risks, and so SFTP is recommended. If you want to use FTP, you are advised to
configure ACLs to improve security. For details, see Configure the FTP ACL.
• When the file server is an FTP server, the FTP service is automatically enabled and an FTP user is created
on the parent, removing the need to perform the FTP configuration. If the same user name has been
configured on the parent but the access type is not FTP, the system changes the access type of the user
name to FTP.
• When the file server type is set to SFTP, the SFTP service is not automatically enabled and no SFTP user
is created on the parent. You need to manually pre-configure SFTP on the parent.
For more details about the SFTP configuration, see "File Management" in the S7700 and S9700 Series
Switches Configuration Guide - Basic Configuration.
• After the upgrade { local-ftp-server | local-sftp-server } command is executed, the same user name and
password configuration is also generated in the AAA view. If you modify the configured local user
information (the user password for example) in the AAA view, the version management function does not
take effect.
• If information about a user already exists in the AAA view, running this command to create the same user
will change the user password in the AAA view to the configured password and change the user level to
level 3. Changing the user password is allowed only when the user level of the user running this
command is higher than or equal to the user level configured in the AAA view. Otherwise, the command does
not take effect.
• Running this command multiple times to create new users will delete previous user information. Previous
user information can be deleted only when the user level of the user running this command is higher than or
equal to the user level configured in the AAA view. Otherwise, the command does not take effect.
If files to be loaded on an AS are specified, the AS downloads the specified files when
connecting to an SVF system without searching for the upgrade files, even though the
matching system software version exists on the parent.
----End
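A defender-side check for three parent settings covered in the preceding procedures: CAPWAP DTLS encryption, the FTP versus SFTP file server choice, and stp root-protection on the Eth-Trunk bound to an indirectly connected fabric port. This is an added Python example, not code from this guide; the saved-configuration layout, the constructed sample configuration and the function name audit_parent_config are assumptions.

```python
import re

# Constructed parent configuration, not taken from the guide. The layout
# ("#" separators, one command per line) and the elided arguments are
# assumptions; only the command keywords come from the guide.
SAMPLE_CONFIG = """\
#
uni-mng
 upgrade local-ftp-server <arguments elided>
 interface fabric-port 1
  port member-group interface Eth-Trunk 1
 interface fabric-port 2
  port connect-type indirect
  port member-group interface Eth-Trunk 2
#
interface Eth-Trunk1
 port link-type hybrid
#
interface Eth-Trunk2
 port link-type hybrid
 port hybrid tagged vlan 11
#
"""

_FABRIC = re.compile(r"interface fabric-port (\d+)")
_TRUNK = re.compile(r"interface eth-trunk\s*(\d+)")
_BIND = re.compile(r"port member-group interface eth-trunk\s*(\d+)")


def audit_parent_config(text):
    """Return a sorted list of (finding, detail) tuples for a parent config."""
    lines = [ln.strip().lower() for ln in text.splitlines() if ln.strip()]
    findings = []

    # The guide advises disabling DTLS when HA is used, so treat this finding
    # as something to review against the HA design, not as an automatic defect.
    if "capwap dtls control-link encrypt" not in lines:
        findings.append(("capwap-dtls-off", "control link is not DTLS-encrypted"))
    # The guide recommends SFTP, or FTP restricted by an ACL.
    if any(ln.startswith("upgrade local-ftp-server") for ln in lines):
        findings.append(("ftp-file-server", "AS upgrade files are served over FTP"))

    fabric_ports = {}   # fabric port id -> {"indirect": bool, "trunk": id or None}
    trunk_cmds = {}     # Eth-Trunk id -> set of commands in its interface view
    view = None         # ("fabric" | "trunk", id) of the view being read
    for ln in lines:
        if ln == "#":
            view = None
        elif (m := _FABRIC.fullmatch(ln)):
            view = ("fabric", m.group(1))
            fabric_ports.setdefault(m.group(1), {"indirect": False, "trunk": None})
        elif (m := _TRUNK.fullmatch(ln)):
            view = ("trunk", m.group(1))
            trunk_cmds.setdefault(m.group(1), set())
        elif ln.startswith("interface "):
            view = None  # some other interface view, not audited here
        elif view and view[0] == "fabric":
            port = fabric_ports[view[1]]
            if ln == "port connect-type indirect":
                port["indirect"] = True
            elif (m := _BIND.fullmatch(ln)):
                port["trunk"] = m.group(1)
        elif view and view[0] == "trunk":
            trunk_cmds[view[1]].add(ln)

    # Only indirectly connected fabric ports get the root-protection step
    # in the guide's procedure, so only those are checked.
    for port_id, port in fabric_ports.items():
        if not port["indirect"] or port["trunk"] is None:
            continue
        if "stp root-protection" not in trunk_cmds.get(port["trunk"], set()):
            findings.append(("no-root-protection",
                             f"fabric-port {port_id} -> eth-trunk {port['trunk']}"))
    return sorted(findings)
```

Run against SAMPLE_CONFIG, it reports all three findings; fabric port 1 is skipped because it is not configured with port connect-type indirect.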
Configuration Process
All the following tasks are performed on an AS according to networking requirements.
Context
In an SVF system, an AS can be a single switch or a stack of multiple switches. If an AS
needs to be configured as a stack, you must configure the stack on the AS and then connect
the AS to the SVF system.
NOTE
• An AS contains a maximum of three stack member switches of which the stack ID ranges from 0 to 2. If
the number of member switches exceeds 3 or the stack ID is larger than 2, the AS cannot go online to
connect to the SVF system.
• When a new member switch needs to join an AS that has connected to the SVF system, the switch with
the stack ID larger than 2 restarts repeatedly.
• Stack member switches in an AS must be the same model.
Procedure
Step 1 For the procedure for and notes about configuring a stack, see "Stack Configuration" in the
S7700 and S9700 Series Switches Configuration Guide - Device Management Configuration.
----End
Context
In a Super Virtual Fabric (SVF) system, each AS has a unique management MAC address to
identify itself. By default, an AS uses its system MAC address as the management MAC
address to connect to an SVF system. When the management MAC address of an AS conflicts
with that of another AS, you can run the as access manage-mac command to change the
management MAC address so as to prevent MAC address conflicts.
NOTE
Use of this command is not recommended when no MAC address conflict occurs.
Procedure
Step 1 Run:
as access manage-mac mac-address
NOTE
This command can be used only before an AS connects to an SVF system. If an AS has connected to an SVF
system, use of this command is not allowed.
----End
Context
When an AS connects to an SVF system through a Layer 2 network, you must configure the
device to work in client mode, configure a management VLAN and an uplink fabric port for
the AS, and add member ports to the fabric port.
NOTE
• The management VLAN of the AS must be consistent with the management VLAN configured on the
parent.
• The VCMP role switching command is mutually exclusive with the command that configures a device to
work in client mode. If the current device is not a silent switch in a VCMP domain, the device cannot be
configured to work in client mode. You must run the vcmp role silent command in the system view to set
the VCMP role of the device to silent. After a device is configured to work in client mode, the VCMP
role switching command cannot be executed. That is, the device cannot change from the silent role to
another role.
• The command that configures the stack ID is mutually exclusive with the command that configures a
member port for a fabric port:
– After the stack slot slot-id renumber new-slot-id command is executed in a specified slot, the port
in the slot cannot be configured as a member port of a fabric port.
– After a port in a slot is configured as a member port of a fabric port, the stack ID of the slot cannot
be configured using the stack slot slot-id renumber new-slot-id command.
• You need to configure a member port of a fabric port according to the network configuration. A member
port needs to be reconfigured if the stack ID changes because the stack changes, for example, the stacking
function is disabled, or existing stack IDs conflict after member devices are added to the stack.
Procedure
Step 1 (Optional) Set the role of the device in a VCMP domain to silent.
1. Run:
system-view
Step 2 Run:
uni-mng enable mng-vlan vlan-id
The device is configured to work in client mode and a management VLAN is configured.
Step 3 Run:
uni-mng enable fabric-port member interface interface-type interface-number
A member port is configured for the uplink fabric port that connects an AS to the parent
through a network.
By default, no member port is configured for an uplink fabric port that connects an AS to the
parent through a network.
NOTE
• You can run this command multiple times to add multiple member ports to the fabric port. A maximum of
eight member ports can be added to a fabric port.
• Member ports of a fabric port are added to Eth-Trunk0 by default.
• Only AS uplink ports or ports provided by an extended card can be added to uplink fabric ports.
• Ports used to set up a stack cannot be configured as member ports of a fabric port.
----End
Context
After the software configuration is complete, connect the AS and parent to a Layer 2 network
so that the AS can connect to the SVF system.
NOTE
• An AS can connect to an SVF system only when it has no configuration file or input on the console port.
• Configuring the software and connecting cables can be performed in any sequence. That is, you can also
connect cables before configuring the software.
• The administrator needs to ensure that the downlink fabric port of the parent and the intermediate Layer 2
network are correctly configured, the SVF management VLAN and service VLAN between the parent
and AS are correctly connected, and the intermediate network transparently transmits data traffic between
the parent and AS. Therefore, the intermediate network must be a pure Layer 2 network.
Procedure
• Run the display as { all | name as-name | mac-address mac-address | vpn-instance
information } command on the parent to check AS information.
• Run the display as { name as-name | mac-address mac-address } run-info command
on the parent to check the AS running status.
• Run the display uni-mng topology information [ by-name ] command on the parent to
check SVF network topology information.
----End
9.6.3 Connecting an AP to an AS
Context
In an SVF system, the parent functions as an AC to manage APs in a centralized manner. As
shown in Figure 9-7, APs can connect to the parent, level-1 AS, and level-2 AS.
[Figure 9-7: network diagram showing the parent (CSS), a Layer 2 network, level-1 ASs, a level-2 AS, and APs]
When an AP connects to the parent, the access configuration performed on the parent is the
same as that on an AC. For details about connecting an AP to an AC, see the S7700 and
S9700 Series Switches Configuration Guide - WLAN-AC Configuration.
When an AP needs to connect to an AS, you must add the port that connects the AS to the AP
to an AP port group.
NOTE
• If APs need to connect to an SVF system with an S9700 or S7700 functioning as the parent, X1E cards
must be configured on the parent.
• When an S9700/S7700 functions as the parent and APs connect to a non-X1E card, you must add the non-
X1E card and X1E card of the parent to the same WLAN work group. By default, all interface cards
automatically join the default WLAN work group named default. For details, see Connecting AP to a
Non-X1E Interface Card.
• If an AP has connected to the parent before the SVF function is enabled, the parent cannot collect
topology information about the AP after the uni-mng command is used to enable the SVF function. You
need to run the commit { all | ap ap-id } command in the WLAN view to commit the AP configuration.
Subsequently, the parent can collect topology information about the AP.
Procedure
Step 1 For the procedure for connecting an AS to the parent, see 9.6.1 Connecting an AS to the
Parent Directly or 9.6.2 Connecting an AS to the Parent Through a Network.
Step 2 Run:
system-view
Step 3 Run:
uni-mng
Step 4 Run:
port-group connect-ap name group-name
Step 5 Add the ports that connect ASs to APs to the AP port group.
• Run:
as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }
Ports of the AS with a specified name are added to the AP port group.
• Run:
as name-include string interface all
Ports of ASs of which the name contains a specified string are added to the AP port
group.
Step 6 Run:
quit
Step 7 Run:
commit as { name as-name | all }
----End
Context
Two methods are available for delivering service configurations to ASs.
• Service profiles: The configuration on the parent can be delivered to ASs through service
profiles. After service profiles are delivered to an AS, the AS parses and executes the
services configured in the service profiles. AS service configuration through service
profiles has two modes: pre-configured and non-pre-configured.
– Pre-configured mode: Before an AS connects to an SVF system, pre-configure
service profiles, bind them to the AS, save the configuration of the parent, and then
run the commit as { name as-name | all } command to commit the configuration.
When the AS connects to the SVF system, the configurations in service profiles are
automatically delivered to the AS.
– Non-pre-configured mode: After an AS connects to an SVF system, configure
service profiles, bind them to the AS, and then run the commit as { name as-name |
all } command to commit the configuration so that the configurations in service
profiles can be delivered to the AS.
• Direct configuration: You can run the direct-command command on the parent to
directly deliver some service configurations to ASs.
Context
An SVF system has two packet forwarding modes:
• In centralized forwarding mode, local traffic of an AS and traffic between ASs are
both sent to the parent for forwarding.
NOTE
In centralized forwarding mode, ports of the ASs connected to the same fabric port of the parent are
isolated and so cannot communicate at Layer 2. To communicate at Layer 3, they need proxy ARP
configured in the corresponding VLAN using the arp-proxy inner-sub-vlan-proxy enable command.
• In distributed forwarding mode, an AS directly forwards local traffic and the parent
forwards traffic between ASs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
forward-mode centralized
Step 4 Run:
commit as { name as-name | all }
After changing the forwarding mode of an SVF system, you need to commit the configuration
to deliver the configuration to an AS.
----End
Context
In an SVF system, the parent delivers the configuration to ASs using service profiles. Service
profiles are a set of service configurations. After service profiles are delivered to an AS, the
AS parses and executes the services configured in the service profiles.
Table 9-10 lists the configurable services on an AS.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Create service profiles and configure services in the service profiles.
Create Service Profile | Configure Services in Service Profiles | Service Description
By default, no service profile is created, and no service is configured in new service profiles.
Step 4 Run:
quit
By default, no group is created in the system, and new groups have no members and are not
bound to service profiles.
Step 6 Run:
quit
NOTE
When an AS goes offline and then goes online again, the AS restarts if the global configuration of the AS is
changed on the parent and the changed configuration is committed.
----End
Context
Service configurations can be delivered to ASs through service profiles. Apart from this
method, you can also run the direct-command command on the parent to deliver some
service configurations directly to ASs.
Table 9-11 lists the commands that can be directly delivered to ASs.
NOTE
• When you configure a directly delivered command on the parent, enter the complete and correct
command instead of the abbreviated form. No info message is displayed for confirming your input.
• A directly delivered command supports the help and typeahead functions but not real-time check during
input. The system checks the input only after you complete typing a command and press Enter. No
detailed description is provided in help information. If you fail to configure a command for an AS, an info
message is displayed.
• When you configure a directly delivered command, the AS to which the command is to be delivered must
be online. If you need to specify a port or slot-id in a command, the corresponding member device must
be available. If the AS is offline, run the clear direct-command command to delete the completed
configuration on the parent.
• If a port has the configuration directly delivered using commands, the port cannot be configured as a
member port of the Eth-Trunk to which a fabric port is bound. If a port has been configured as a member
port of the Eth-Trunk to which a fabric port is bound, the configuration cannot be directly delivered to the
port using commands.
• Directly delivering configuration using commands and delivering configuration using service profiles are
mutually exclusive and cannot be performed simultaneously.
Procedure
Step 1 Run:
system-view
Context
In addition to the configurations in service profiles, the parent delivers the configured Portal
authentication-free rules to ASs. Authentication-free rules 0 to 127 can be delivered to ASs of
the S5720EI model; authentication-free rules 0 to 31 can be delivered to ASs of other models;
authentication-free rules outside the two ranges will not be delivered to ASs.
Procedure
Step 1 Configure authentication-free rules. For details, see "Configuring Basic NAC Functions" in
the S7700 and S9700 Series Switches Configuration Guide - NAC Configuration (Unified
Mode).
NOTE
You cannot specify the interface parameter when the parent delivers authentication-free rules to an AS.
Step 2 Run:
system-view
Step 3 Run:
uni-mng
Step 4 Run:
commit as { name as-name | all }
After configuring authentication-free rules, you need to commit the configuration to deliver
the configuration to an AS.
----End
Context
You can monitor the running status of an SVF system to ensure normal system operations and
locate faults.
Procedure
• Run the display as { all | name as-name | mac-address mac-address | vpn-instance
information } command on the parent to check AS information.
• Run the display as access configuration command on an AS to check the AS access
configuration.
Context
You can upgrade the software of an AS connected to an SVF system.
NOTE
• The files used to upgrade an AS must be saved in the root directory unimng/ of the parent.
• To upgrade an AS, you must configure the FTP or SFTP server function on the parent so that the AS can
download the related upgrade files from the parent.
Procedure
Step 1 Run:
system-view
NOTE
• If the local file server is not configured, an AS cannot download upgrade files from the parent and so
cannot be upgraded.
• FTP has potential security risks, and so SFTP is recommended. If you want to use FTP, you are advised to
configure ACLs to improve security. For details, see Configure the FTP ACL.
• When the file server is an FTP server, the FTP service is automatically enabled and an FTP user is created
on the parent, removing the need to perform the FTP configuration. If the same user name has been
configured on the parent but the access type is not FTP, the system changes the access type of the user
name to FTP.
• When the file server type is set to SFTP, the SFTP service is not automatically enabled and no SFTP user
is created on the parent. You need to manually pre-configure SFTP on the parent.
For more details about the SFTP configuration, see "File Management" in the S7700 and S9700 Series
Switches Configuration Guide - Basic Configuration.
• After the upgrade { local-ftp-server | local-sftp-server } command is executed, the same user name and
password configuration is also generated in the AAA view. If you modify the configured local user
information (the user password for example) in the AAA view, the version management function does not
take effect.
• If information about a user already exists in the AAA view, running this command to create the same user
will change the user password in the AAA view to the configured password and change the user level to
level 3. Changing the user password is allowed only when the user level of the user running this
command is higher than or equal to the user level configured in the AAA view. Otherwise, the command does
not take effect.
• Running this command multiple times to create new users will delete previous user information. Previous
user information can be deleted only when the user level of the user running this command is higher than or
equal to the user level configured in the AAA view. Otherwise, the command does not take effect.
Step 4 Run:
as type as-type { system-software system-software | patch patch } *
NOTE
• The system software file name or patch file name specified using the as type command cannot be the
same as the current or next startup system software file or patch file of an AS. Otherwise, the AS cannot
be upgraded using the upgrade as command.
• If reload is not specified during the upgrade of an AS:
– If you specify patch patch but not system-software system-software in the as type command, the
patch file is activated online immediately.
– If you specify both patch patch and system-software system-software in the as type command and
the specified system software file version is the version running on the AS, the patch file is
activated online immediately.
– If you specify both patch patch and system-software system-software in the as type command and
the specified system software file version is earlier or later than the version running on the AS, the
specified system software file and patch file will be set as next startup files.
• If reload is specified but in time is not specified, the AS restarts immediately after downloading upgrade
files.
• If reload and in time are specified, the AS restarts at the time specified by time.
----End
9.8.3 Restarting an AS
Context
When an AS is upgraded or working abnormally, you can restart the AS.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as reset { all | name as-name }
----End
9.8.4 Replacing an AS
Context
In an SVF system, each AS is identified by its MAC address by default. When a new device is
used to replace an AS, the SVF system considers the new device as a new AS because their
MAC addresses are different. As a result, the new AS does not inherit services on the
previous AS.
You can enable AS automatic replacement to solve this problem. When an AS is replaced by a
new device connected to the same fabric port, the SVF system replaces the AS MAC address
with the MAC address of the new device in the configuration. Consequently, the new device
can inherit services on the AS.
NOTE
• An AS can only be replaced by a device of the same model. If the new device is a different model, the
SVF system considers it as a new AS, which then cannot inherit services on the previous AS.
• Only a standalone AS can be replaced, and a stacked AS cannot be replaced.
• AS automatic replacement is not supported when an AS connects to the parent through a network.
Procedure
Step 1 Run:
system-view
----End
Context
In addition to logging in to an AS through the console port, you can log in to the AS from the
parent. After logging in to the AS, you can enter the user or diagnostic view but cannot enter
the system view or perform service configurations, such as restarting the AS or specifying the
startup file.
NOTE
• Before logging in to an AS from the parent, you need to bind an AS administrator profile to the AS and
configure a user name and password for the AS.
• After an AS user name and password are configured, you need to enter the correct user name and
password when logging in to an AS through the console port. When you log in to an AS from the parent
using the attach as name as-name command, you can log in to the AS without entering the user name or
password.
• When no AS user name and password are configured, you need to enter the default password
[email protected] when logging in to an AS through the console port.
The default password has security risks. You are advised to change the login password.
To facilitate maintenance and provide more fault diagnosis measures, you can run the
diagnose-command command in the user view to directly enter the diagnostic view and
perform diagnostic commands.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
An AS administrator is configured.
3. Run:
quit
ASs of which the name contains a specified string are added to the AS group.
6. Run:
as-admin-profile profile-name
Step 4 Run:
commit as { name as-name | all }
After configuring service profiles and binding them to an AS, you must run this command to
commit the configuration so that the configuration can be delivered to the AS.
Step 5 Run:
attach as name as-name
Step 6 Run:
diagnose-command
----End
Context
After enabling the diagnostic mode on an AS, you can run the system-view command on the
AS to enter the system view. In the system view, you can run some commands (for example,
commands for the mirroring and packet header obtaining functions) to help locate AS faults.
Table 9-12 lists these commands. For details on the command format, parameters,
view, and description, see the command reference of the ASs. You are advised to run these
commands under instruction of Huawei technical support personnel.
Table 9-12 Commands that can be configured on an AS after the diagnostic mode is enabled
Procedure
• Log in to an AS and run the uni-mng diag-mode enable command to enable the
diagnostic mode on the AS.
----End
Context
In an SVF system, you cannot directly enter the interface view on an AS and disable the
interface. You need to run the shutdown interface interface-type interface-number command
on the parent to disable the specified AS port.
NOTE
Running this command can disable only an AS downlink port but not an AS uplink port.
Procedure
Step 1 Run:
system-view
Step 2 Run:
uni-mng
Step 3 Run:
as name as-name
Step 4 Run:
shutdown interface interface-type interface-number
----End
Context
Before collecting AS Discovery packet statistics in an SVF system, clear the existing statistics
and then run the display uni-mng as-discover packet statistics interface fabric-port port-id
command to check AS Discovery packet statistics.
Procedure
Step 1 Run the reset uni-mng as-discover packet statistics interface fabric-port port-id command
to clear AS Discovery packet statistics.
----End
Context
If an SVF system does not need to transmit services and needs to be split, perform the
following operations to split the SVF system:
1. Back up the SVF configuration file on the parent in case the SVF system needs to be set
up again.
2. Remove the cables between ASs and the parent. Log in to ASs and run the undo uni-
mng enable command in the user view to restore the ASs to the standalone mode. After
this command is executed, the AS restarts.
3. Delete the SVF configuration on the parent.
Networking Requirements
A new wired campus network has many access devices. The widely distributed access devices
complicate management and configuration of the access layer. Unified management and
configuration of access devices are required to reduce the management cost.
As shown in Figure 9-8, two aggregation switches set up a CSS and function as the parent to
connect to multiple ASs.
In this example, the S7700 functions as the parent, the S5700-28P-LI functions as a level-1
AS, and the S2750-28TP-EI functions as a level-2 AS.
[Figure 9-8: network diagram not reproduced. Labels: CSS parent with ports
GE1/1/0/1-GE1/1/0/3 and GE2/1/0/1-GE2/1/0/3; AS ports GE0/0/1-GE0/0/2; level-2 ASs
as4 and as5 (S2750-28TP-EI).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the parent as a CSS to ensure high reliability of the SVF system.
2. Enable the SVF function on the parent.
3. Configure AS access parameters, including the AS name, authentication mode, and
fabric ports that connect the parent to level-1 ASs and level-1 ASs to level-2 ASs.
4. Connect the parent to level-1 ASs and level-1 ASs to level-2 ASs using cables.
5. Configure service profiles and bind them to ASs.
Procedure
Step 1 Configure two switches in the parent to set up a CSS. For the procedure and notes on
setting up a CSS, see "Stack Configuration" in the S7700&S9700 Series Ethernet Switches
Configuration Guide - Device Management Configuration.
# Configure the management VLAN in the SVF system and enable the SVF function on the
parent.
<HUAWEI> system-view
[HUAWEI] vlan batch 11
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 11
[HUAWEI-Vlanif11] ip address 192.168.11.1 24
[HUAWEI-Vlanif11] dhcp select interface
[HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1
[HUAWEI-Vlanif11] quit
[HUAWEI] capwap source interface vlanif 11
[HUAWEI] stp mode rstp
[HUAWEI] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP
calculation may be triggered and service traffic will be affected. Continue?
[Y/N]:y
# Configure fabric ports that connect the parent to level-1 ASs. The following uses fabric port
1 that connects the parent to AS 1 as an example.
[HUAWEI-um] interface fabric-port 1
[HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1
[HUAWEI-um-fabric-port-1] quit
[HUAWEI-um] quit
[HUAWEI] interface gigabitethernet 1/1/0/1
[HUAWEI-GigabitEthernet1/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet1/1/0/1] quit
[HUAWEI] interface gigabitethernet 2/1/0/1
[HUAWEI-GigabitEthernet2/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet2/1/0/1] quit
The configurations of fabric ports 2 and 3 that connect the parent to AS 2 and AS 3
respectively are similar to the configuration of fabric port 1, and are not mentioned here.
# Configure the fabric ports that connect level-1 ASs to level-2 ASs.
[HUAWEI] uni-mng
[HUAWEI-um] as name as1
[HUAWEI-um-as-as1] down-direction fabric-port 4 member-group interface eth-trunk 4
[HUAWEI-um-as-as1] port eth-trunk 4 trunkmember interface gigabitethernet 0/0/23 to 0/0/24
[HUAWEI-um-as-as1] quit
[HUAWEI-um] as name as3
[HUAWEI-um-as-as3] down-direction fabric-port 5 member-group interface eth-trunk 5
[HUAWEI-um-as-as3] port eth-trunk 5 trunkmember interface gigabitethernet 0/0/23 to 0/0/24
[HUAWEI-um-as-as3] quit
[HUAWEI-um] quit
# Configure ASs to be authenticated using a whitelist when they connect to the SVF system.
[HUAWEI] as-auth
[HUAWEI-as-auth] undo auth-mode
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0022
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0033
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0044
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0055
[HUAWEI-as-auth] quit
Step 4 Connect the parent to level-1 ASs and level-1 ASs to level-2 ASs using cables.
# Clear the configurations of ASs, restart the ASs, and then connect the parent to level-1 ASs
and level-1 ASs to level-2 ASs using cables. Subsequently, an SVF system is set up.
NOTE
Before connecting an AS to the parent, ensure that the AS has no configuration file and no input on the
console port.
# After connecting cables, run the display as all command to check whether ASs have
connected to the SVF system.
[HUAWEI] display as all
Total: 5, Normal: 5, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700-P-LI 0200-0000-0011 192.168.11.254 normal as1
1 S5700-P-LI 0200-0000-0022 192.168.11.253 normal as2
2 S5700-P-LI 0200-0000-0033 192.168.11.252 normal as3
3 S2750-EI 0200-0000-0044 192.168.11.251 normal as4
4 S2750-EI 0200-0000-0055 192.168.11.250 normal as5
--------------------------------------------------------------------------------
When the State field in the command output displays normal for an AS, the AS has
connected to the SVF system.
# Run the display uni-mng commit-result profile command to check whether the
configurations in service profiles have been delivered to ASs.
When the Commit/Execute Result field in the command output displays Success/Success for
an AS, the configurations in service profiles have been delivered to the AS.
----End
Configuration Files
- SVF system configuration file
#
vlan batch 11
#
stp mode rstp
stp instance 0 priority 28672
#
lldp enable
#
dhcp enable
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
dhcp select interface
dhcp server option 43 ip-address 192.168.11.1
#
interface Eth-Trunk1
port link-type hybrid
port hybrid tagged vlan 1 10 to 11
stp root-protection
authentication control-point open
authentication dot1x
mode lacp
mad relay
#
interface Eth-Trunk2
port link-type hybrid
port hybrid tagged vlan 1 10 to 11
stp root-protection
authentication control-point open
authentication dot1x
mode lacp
mad relay
#
interface Eth-Trunk3
port link-type hybrid
port hybrid tagged vlan 1 11 20
stp root-protection
authentication control-point open
authentication dot1x
mode lacp
mad relay
#
interface GigabitEthernet1/1/0/1
eth-trunk 1
#
interface GigabitEthernet1/1/0/2
eth-trunk 2
#
interface GigabitEthernet1/1/0/3
eth-trunk 3
#
interface GigabitEthernet2/1/0/1
eth-trunk 1
#
interface GigabitEthernet2/1/0/2
eth-trunk 2
#
interface GigabitEthernet2/1/0/3
eth-trunk 3
#
capwap source interface vlanif11
#
wlan
wlan ap lldp enable
wlan work-group default
#
as-auth
whitelist mac-address 0200-0000-0011
whitelist mac-address 0200-0000-0022
whitelist mac-address 0200-0000-0033
whitelist mac-address 0200-0000-0044
whitelist mac-address 0200-0000-0055
#
uni-mng
as name as1 model S5700-28P-LI-AC mac-address 0200-0000-0011
down-direction fabric-port 4 member-group interface Eth-Trunk 4
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/23
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/24
as name as2 model S5700-28P-LI-AC mac-address 0200-0000-0022
as name as3 model S5700-28P-LI-AC mac-address 0200-0000-0033
down-direction fabric-port 5 member-group interface Eth-Trunk 5
port Eth-Trunk 5 trunkmember interface GigabitEthernet 0/0/23
port Eth-Trunk 5 trunkmember interface GigabitEthernet 0/0/24
as name as4 model S2750-28TP-EI-AC mac-address 0200-0000-0044
as name as5 model S2750-28TP-EI-AC mac-address 0200-0000-0055
interface fabric-port 1
port member-group interface Eth-Trunk 1
interface fabric-port 2
port member-group interface Eth-Trunk 2
interface fabric-port 3
port member-group interface Eth-Trunk 3
as-admin-profile name admin_profile
user asuser password %^%#Ky,WNqWh_DZ[(V96yvSEph)VLMc/+U}>]i2:"9n:%^%#
network-basic-profile name basic_profile_1
user-vlan 10
network-basic-profile name basic_profile_2
user-vlan 20
user-access-profile name access_profile
authentication dot1x
as-group name admin_group
as-admin-profile admin_profile
as name as1
as name as2
as name as3
as name as4
as name as5
port-group name port_group_1
network-basic-profile basic_profile_1
user-access-profile access_profile
as name as1 interface GigabitEthernet 0/0/1 to 0/0/22
as name as2 interface GigabitEthernet 0/0/1 to 0/0/24
as name as4 interface Ethernet 0/0/1 to 0/0/24
port-group name port_group_2
network-basic-profile basic_profile_2
user-access-profile access_profile
as name as3 interface GigabitEthernet 0/0/1 to 0/0/22
as name as5 interface Ethernet 0/0/1 to 0/0/24
#
return
Networking Requirements
A new campus network has a large number of wired and wireless access devices. The widely
distributed access devices complicate management and configuration of the access layer.
Unified management and configuration of wired and wireless access devices are required to
reduce the management cost.
As shown in Figure 9-9, two aggregation switches set up a CSS and function as the parent to
connect to multiple ASs and APs.
In this example, the S7700 functions as the parent, the S5700-28P-LI functions as an AS, and
the AP5010DN-AGN functions as an AP.
Figure 9-9 Configuring a wired and wireless converged campus network access layer
[Network diagram not reproduced. Labels: CSS parent with ports GE1/1/0/1-GE1/1/0/3
and GE2/1/0/1-GE2/1/0/3; APs ap1 and ap2 (AP5010DN-AGN).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure wired access devices to enable ASs to connect to the SVF system successfully.
2. Configure the ports that connect ASs to APs to enable wireless access devices to connect
to the SVF system successfully.
NOTE
Procedure
Step 1 Connect ASs to the parent.
1. Configure two switches in the parent to set up a CSS. For the procedure and notes
on setting up a CSS, see "Stack Configuration" in the S7700&S9700 Series Ethernet
Switches Configuration Guide - Device Management Configuration.
2. Log in to the CSS and enable the SVF function.
# Configure the management VLAN in the SVF system and enable the SVF function on
the parent.
<HUAWEI> system-view
[HUAWEI] vlan batch 11
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 11
[HUAWEI-Vlanif11] ip address 192.168.11.1 24
[HUAWEI-Vlanif11] dhcp select interface
[HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1
[HUAWEI-Vlanif11] quit
[HUAWEI] capwap source interface vlanif 11
[HUAWEI] stp mode rstp
[HUAWEI] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs.
STP calculation may be triggered and service traffic will be affected.
Continue? [Y/N]:y
# Configure fabric ports that connect the parent to level-1 ASs. The following uses fabric
port 1 that connects the parent to AS 1 as an example.
[HUAWEI-um] interface fabric-port 1
[HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1
[HUAWEI-um-fabric-port-1] quit
[HUAWEI-um] quit
[HUAWEI] interface gigabitethernet 1/1/0/1
[HUAWEI-GigabitEthernet1/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet1/1/0/1] quit
[HUAWEI] interface gigabitethernet 2/1/0/1
[HUAWEI-GigabitEthernet2/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet2/1/0/1] quit
The configurations of fabric ports 2 and 3 that connect the parent to AS 2 and AS 3
respectively are similar to the configuration of fabric port 1, and are not mentioned here.
# Configure ASs to be authenticated using a whitelist when they connect to the SVF
system.
[HUAWEI] as-auth
[HUAWEI-as-auth] undo auth-mode
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0022
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0033
[HUAWEI-as-auth] quit
NOTE
Before connecting an AS to the parent, ensure that the AS has no configuration file and no input on the
console port.
[HUAWEI] display as all
Total: 3, Normal: 3, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700-P-LI 0200-0000-0011 192.168.11.254 normal as1
1 S5700-P-LI 0200-0000-0022 192.168.11.253 normal as2
2 S5700-P-LI 0200-0000-0033 192.168.11.252 normal as3
--------------------------------------------------------------------------------
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP5010DN-AGN ac85-3da6-a420 0/0 normal ap-1
2 AP5010DN-AGN 1051-7225-80a0 0/0 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2
----End
Configuration Files
- SVF system configuration file
#
vlan batch 11
#
stp mode rstp
stp instance 0 priority 28672
#
lldp enable
#
dhcp enable
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
dhcp select interface
dhcp server option 43 ip-address 192.168.11.1
#
interface Eth-Trunk1
port link-type hybrid
port hybrid tagged vlan 1 11
stp root-protection
mode lacp
mad relay
#
interface Eth-Trunk2
port link-type hybrid
port hybrid tagged vlan 1 11
stp root-protection
mode lacp
mad relay
#
interface Eth-Trunk3
port link-type hybrid
port hybrid tagged vlan 1 11
stp root-protection
mode lacp
mad relay
#
interface GigabitEthernet1/1/0/1
eth-trunk 1
#
interface GigabitEthernet1/1/0/2
eth-trunk 2
#
interface GigabitEthernet1/1/0/3
eth-trunk 3
#
interface GigabitEthernet2/1/0/1
eth-trunk 1
#
interface GigabitEthernet2/1/0/2
eth-trunk 2
#
interface GigabitEthernet2/1/0/3
eth-trunk 3
#
capwap source interface vlanif11
#
wlan
wlan ap lldp enable
ap-auth-mode no-auth
ap id 1 type-id 30 mac ac85-3da6-a420 sn 2102355547W0E3000316
ap id 2 type-id 30 mac 1051-7225-80a0 sn 2102355547W0E1232287
wlan work-group default
#
as-auth
whitelist mac-address 0200-0000-0011
whitelist mac-address 0200-0000-0022
whitelist mac-address 0200-0000-0033
#
uni-mng
as name as1 model S5700-28P-LI-AC mac-address 0200-0000-0011
as name as2 model S5700-28P-LI-AC mac-address 0200-0000-0022
as name as3 model S5700-28P-LI-AC mac-address 0200-0000-0033
interface fabric-port 1
port member-group interface Eth-Trunk 1
interface fabric-port 2
port member-group interface Eth-Trunk 2
interface fabric-port 3
port member-group interface Eth-Trunk 3
port-group connect-ap name ap
as name as1 interface GigabitEthernet 0/0/24
as name as3 interface GigabitEthernet 0/0/24
#
return
Networking Requirements
A new wired campus network has many access devices. The widely distributed access devices
complicate management and configuration of the access layer. Unified management and
configuration of access devices are required to reduce the management cost.
As shown in Figure 9-10, two aggregation switches set up a CSS, which then functions as the
parent to connect to multiple ASs.
In this example, the S7700 functions as the parent, and S5700-28P-LI and S2750-28TP-EI
function as ASs.
NOTE
The administrator needs to ensure that the downlink fabric port of the parent and the intermediate Layer 2
network are correctly configured, the SVF management VLAN and service VLAN between the parent and
AS are correctly connected, and the intermediate network transparently transmits data traffic between the
parent and AS. Therefore, the intermediate network must be a pure Layer 2 network.
Figure 9-10 Configuring an SVF system across a Layer 2 network on a wired campus
network access layer
[Network diagram not reproduced. Labels: CSS parent with ports GE1/1/0/1~GE1/1/0/2
and GE2/1/0/1~GE2/1/0/2; Layer 2 network; ASs as1 (S5700-28P-LI) and as2
(S2750-28TP-EI), with AS ports GE0/0/27~GE0/0/28 and GE0/0/1~GE0/0/2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the parent as a CSS to ensure high reliability of the SVF system.
2. Enable the SVF function on the parent.
3. Configure AS access parameters on the parent, including the AS name, authentication
mode, and fabric port that connects the parent to an AS.
NOTE
If the parent connects to multiple devices on the Layer 2 intermediate network, on the parent, you
need to configure a different fabric port to connect to each intermediate device and bind each
fabric port to a different Eth-Trunk. If the parent connects to only one device on the Layer 2
intermediate network, on the parent, you need to configure only one fabric port and bind this fabric
port to one Eth-Trunk. In this example, if the parent connects to only one device on the Layer 2
intermediate network, on the parent, you need to configure only one fabric port (Fabric-port1) and
bind this fabric port to one Eth-Trunk (Eth-Trunk1).
4. Configure an uplink fabric port that connects an AS to the parent.
5. Connect the parent and ASs to the Layer 2 network using cables. Clear the
configurations of ASs and restart the ASs.
6. Configure service profiles and bind them to ASs.
Procedure
Step 1 Configure two switches in the parent to set up a CSS. For the procedure and notes for
configuring a CSS, see "CSS Configuration" in the S7700&S9700 Series Ethernet Switches
Configuration Guide - Device Management Configuration.
Step 2 Log in to the CSS and enable the SVF function.
# Configure the management VLAN in the SVF system and enable the SVF function on the
parent.
<HUAWEI> system-view
[HUAWEI] vlan batch 11
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 11
[HUAWEI-Vlanif11] ip address 192.168.11.1 24
[HUAWEI-Vlanif11] dhcp select interface
[HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1
[HUAWEI-Vlanif11] quit
[HUAWEI] capwap source interface vlanif 11
[HUAWEI] stp mode rstp
[HUAWEI] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP
calculation may be triggered and service traffic will be affected. Continue?
[Y/N]:y
The Eth-Trunk working mode must be the same on the member ports of the parent's indirectly
connected fabric port and on the Layer 2 network ports connected to those member ports. If the
Eth-Trunk working mode on the Layer 2 network port is set to LACP, the Eth-Trunk working mode
on the member port must also be set to LACP.
[HUAWEI-um] interface fabric-port 1
[HUAWEI-um-fabric-port-1] port connect-type indirect
[HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1
[HUAWEI-um-fabric-port-1] quit
[HUAWEI-um] quit
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] port link-type hybrid
[HUAWEI-Eth-Trunk1] port hybrid tagged vlan 11
[HUAWEI-Eth-Trunk1] stp root-protection
[HUAWEI-Eth-Trunk1] mode lacp //In this example, the Eth-Trunk working mode on the Layer 2 network interface is set to LACP.
[HUAWEI-Eth-Trunk1] quit
[HUAWEI] interface gigabitethernet 1/1/0/1
[HUAWEI-GigabitEthernet1/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet1/1/0/1] quit
[HUAWEI] interface gigabitethernet 2/1/0/1
[HUAWEI-GigabitEthernet2/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet2/1/0/1] quit
The configuration of fabric port 2 that connects the parent to AS 2 is similar to the
configuration of fabric port 1, and is not mentioned here.
# Configure ASs to be authenticated using a whitelist when they connect to the SVF system.
[HUAWEI] as-auth
[HUAWEI-as-auth] undo auth-mode
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0022
[HUAWEI-as-auth] quit
Step 5 Clear the configurations of ASs and restart the ASs. Connect the parent and ASs to the Layer
2 network using cables.
# Clear the configurations of ASs, restart the ASs, and then connect the parent and ASs to the
Layer 2 network using cables. Subsequently, an SVF system is set up.
NOTE
Before connecting an AS to the parent, ensure that the AS has no configuration file and no input on the
console port.
# After connecting cables, run the display as all command to check whether ASs have
connected to the SVF system.
[HUAWEI] display as all
Total: 2, Normal: 2, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700-P-LI 0200-0000-0011 192.168.11.254 normal as1
1 S2750-EI 0200-0000-0022 192.168.11.250 normal as2
--------------------------------------------------------------------------------
When the State field in the command output displays normal for an AS, the AS has
connected to the SVF system.
# Run the display uni-mng commit-result profile command to check whether the
configurations in service profiles have been delivered to ASs.
[HUAWEI-um] display uni-mng commit-result profile
Result of profile:
--------------------------------------------------------------------------------
AS Name Commit Time Commit/Execute Result
--------------------------------------------------------------------------------
as1 2014-08-25 22:29:18 Success/Success
as2 2014-08-25 22:29:18 Success/Success
--------------------------------------------------------------------------------
When the Commit/Execute Result field in the command output displays Success/Success for
an AS, the configurations in service profiles have been delivered to the AS.
----End
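The two checks in this procedure (State is normal, Commit/Execute Result is Success/Success) can be automated and extended to confirm that every online AS is one that was whitelisted. The Python script below is an added example, not part of the Huawei guide; the finding names, the `expected` inventory, and the second pair of outputs (including the fault state, MAC 0200-0000-0099 and the Success/Failed value) are constructed for illustration.

```python
import re

SUMMARY_RE = re.compile(r"Total:\s*(\d+),\s*Normal:\s*(\d+)")
MAC_RE = re.compile(r"^[0-9a-f]{4}(-[0-9a-f]{4}){2}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_as_table(output):
    """Parse 'display as all' output into (summary, rows)."""
    summary, rows = None, []
    for line in output.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            summary = {"total": int(m.group(1)), "normal": int(m.group(2))}
            continue
        f = line.split()
        # Data rows have six columns: No. Type MAC IP State Name
        if len(f) == 6 and f[0].isdigit() and MAC_RE.match(f[2].lower()):
            rows.append({"mac": f[2].lower(), "state": f[4], "name": f[5]})
    return summary, rows


def parse_commit_results(output):
    """Parse 'display uni-mng commit-result profile' into {AS name: result}."""
    results = {}
    for line in output.splitlines():
        f = line.split()
        # Data rows: AS name, commit date, commit time, Commit/Execute result
        if len(f) == 4 and DATE_RE.match(f[1]) and "/" in f[3]:
            results[f[0]] = f[3]
    return results


def verify_svf(as_output, commit_output, expected):
    """Compare both outputs with `expected` (whitelisted MAC -> AS name).

    Returns a sorted list of (finding, subject) tuples; empty means clean.
    The finding names are this example's own, not device output.
    """
    problems = set()
    summary, rows = parse_as_table(as_output)
    normal = [r for r in rows if r["state"] == "normal"]
    if (summary is None or summary["total"] != len(rows)
            or summary["normal"] != len(normal)):
        problems.add(("summary-mismatch", "display as all"))
    for r in rows:
        if r["mac"] not in expected:
            problems.add(("unexpected-mac", r["mac"]))
        elif expected[r["mac"]] != r["name"]:
            problems.add(("name-mismatch", r["name"]))
        if r["state"] != "normal":
            problems.add(("not-normal", r["name"]))
    for mac in set(expected) - {r["mac"] for r in rows}:
        problems.add(("not-online", expected[mac]))
    results = parse_commit_results(commit_output)
    for r in rows:
        if results.get(r["name"]) != "Success/Success":
            problems.add(("profile-not-delivered", r["name"]))
    return sorted(problems)


# Inventory matching the whitelist configured in this example.
EXPECTED = {"0200-0000-0011": "as1", "0200-0000-0022": "as2"}

# Output as printed in the procedure above.
PAGE_AS_OUTPUT = """\
[HUAWEI] display as all
Total: 2, Normal: 2, Fault: 0, Idle: 0, Version mismatch: 0
No. Type MAC IP State Name
0 S5700-P-LI 0200-0000-0011 192.168.11.254 normal as1
1 S2750-EI 0200-0000-0022 192.168.11.250 normal as2
"""
PAGE_COMMIT_OUTPUT = """\
[HUAWEI-um] display uni-mng commit-result profile
AS Name Commit Time Commit/Execute Result
as1 2014-08-25 22:29:18 Success/Success
as2 2014-08-25 22:29:18 Success/Success
"""

# Constructed outputs showing drift: as2 not normal, an AS that is not in
# the inventory, and profiles that were not delivered.
DRIFT_AS_OUTPUT = """\
Total: 3, Normal: 2, Fault: 1, Idle: 0, Version mismatch: 0
0 S5700-P-LI 0200-0000-0011 192.168.11.254 normal as1
1 S2750-EI 0200-0000-0022 192.168.11.250 fault as2
2 S5700-P-LI 0200-0000-0099 192.168.11.249 normal as3
"""
DRIFT_COMMIT_OUTPUT = """\
as1 2014-08-25 22:29:18 Success/Success
as3 2014-08-25 22:29:18 Success/Failed
"""

if __name__ == "__main__":
    print(verify_svf(PAGE_AS_OUTPUT, PAGE_COMMIT_OUTPUT, EXPECTED))
    for finding in verify_svf(DRIFT_AS_OUTPUT, DRIFT_COMMIT_OUTPUT, EXPECTED):
        print(finding)
```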
Configuration Files
- SVF system configuration file
#
vlan batch 11
#
stp mode rstp
stp instance 0 priority 28672
#
lldp enable
#
dhcp enable
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
dhcp select interface
dhcp server option 43 ip-address 192.168.11.1
#
interface Eth-Trunk1
port link-type hybrid
port hybrid tagged vlan 11
stp root-protection
mode lacp
#
interface Eth-Trunk2
port link-type hybrid
port hybrid tagged vlan 11
stp root-protection
mode lacp
#
interface GigabitEthernet1/1/0/1
eth-trunk 1
#
interface GigabitEthernet1/1/0/2
eth-trunk 2
#
interface GigabitEthernet2/1/0/1
eth-trunk 1
#
interface GigabitEthernet2/1/0/2
eth-trunk 2
#
capwap source interface vlanif11
#
as-auth
whitelist mac-address 0200-0000-0011
whitelist mac-address 0200-0000-0022
#
uni-mng
as name as1 model S5700-28P-LI-AC mac-address 0200-0000-0011
as name as2 model S2750-28TP-EI-AC mac-address 0200-0000-0022
interface fabric-port 1
port connect-type indirect
port member-group interface Eth-Trunk 1
interface fabric-port 2
port connect-type indirect
port member-group interface Eth-Trunk 2
as-admin-profile name admin_profile
user asuser password %^%#Ky,WNqWh_DZ[(V96yvSEph)VLMc/+U}>]i2:"9n:%^%#
network-basic-profile name basic_profile_1
user-vlan 10
network-basic-profile name basic_profile_2
user-vlan 20
user-access-profile name access_profile
authentication dot1x
as-group name admin_group
as-admin-profile admin_profile
as name as1
as name as2
port-group name port_group_1
network-basic-profile basic_profile_1
user-access-profile access_profile
as name as1 interface GigabitEthernet 0/0/1 to 0/0/24
port-group name port_group_2
network-basic-profile basic_profile_2
user-access-profile access_profile
as name as2 interface Ethernet 0/0/1 to 0/0/24
#
return
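In the SVF system configuration files of these examples, the whitelist under as-auth and the AS definitions under uni-mng list the same MAC addresses, and the wired and wireless example also sets ap-auth-mode no-auth, which lets APs join without authentication. The Python audit below is an added example, not part of the Huawei guide; the finding names and the sample configuration (including MAC 0200-0000-0099) are constructed for illustration.

```python
import re

# Matches the AS pre-configuration lines shown in the uni-mng section.
AS_DEF_RE = re.compile(r"^as name (\S+) model (\S+) mac-address (\S+)$")
# MAC notation used in these configuration files: xxxx-xxxx-xxxx.
MAC_RE = re.compile(r"^[0-9a-f]{4}(-[0-9a-f]{4}){2}$")


def split_sections(config_text):
    """Split a configuration file into sections delimited by '#' lines."""
    sections, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()  # works whether or not indentation survived
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_svf_config(config_text):
    """Return a sorted list of (finding, subject) tuples; empty means clean.

    The finding names are this example's own, not device output.
    """
    whitelist, as_by_mac, findings = set(), {}, set()
    for section in split_sections(config_text):
        head, body = section[0], section[1:]
        if head == "as-auth":
            for line in body:
                if line.startswith("whitelist mac-address "):
                    mac = line.split()[-1].lower()
                    if not MAC_RE.match(mac):
                        findings.add(("malformed-mac", mac))
                    whitelist.add(mac)
        elif head == "uni-mng":
            for line in body:
                m = AS_DEF_RE.match(line)
                if not m:
                    continue  # profile, group and port lines are skipped
                name, mac = m.group(1), m.group(3).lower()
                if mac in as_by_mac:
                    findings.add(("duplicate-as-mac", mac))
                as_by_mac[mac] = name
        elif head == "wlan" and "ap-auth-mode no-auth" in body:
            # APs are admitted without authentication.
            findings.add(("ap-no-auth", "wlan"))
    # A pre-configured AS whose MAC was never whitelisted.
    for mac in set(as_by_mac) - whitelist:
        findings.add(("as-not-whitelisted", as_by_mac[mac]))
    # A whitelisted MAC that no AS definition accounts for.
    for mac in whitelist - set(as_by_mac):
        findings.add(("whitelist-without-as", mac))
    return sorted(findings)


# Constructed sample modelled on the configuration files above, with
# deliberate drift between the whitelist and the AS definitions.
SAMPLE_CONFIG = """\
#
wlan
 wlan ap lldp enable
 ap-auth-mode no-auth
#
as-auth
 whitelist mac-address 0200-0000-0011
 whitelist mac-address 0200-0000-0022
 whitelist mac-address 0200-0000-0099
#
uni-mng
 as name as1 model S5700-28P-LI-AC mac-address 0200-0000-0011
 as name as2 model S5700-28P-LI-AC mac-address 0200-0000-0022
 as name as3 model S5700-28P-LI-AC mac-address 0200-0000-0033
 as-group name admin_group
  as name as1
#
return
"""

if __name__ == "__main__":
    for finding in audit_svf_config(SAMPLE_CONFIG):
        print(finding)
```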
Prerequisites
- Devices have been added to eSight, and can successfully communicate with eSight.
- Telnet parameters have been configured on eSight.
- The LLDP protocol has been enabled on SVF-capable devices.
Networking Requirements
Company M has constructed a wired campus network on which many access devices are
deployed sparsely, which makes these access devices difficult to manage and configure.
The network administrator, Jack, needs to manage and configure the access devices in a
unified manner to reduce management costs.
As shown in Figure 9-11, two switches at the aggregation layer form a cluster and function as
the parent devices to connect to multiple access switches (ASs).
In this example, the S7712, S5700-28P-LI, and S2750-28TP-EI are used as the parent device,
level-1 AS, and level-2 AS respectively.
Figure 9-11 Configuring the access layer for a wired campus network
[Network diagram not reproduced. Labels: parent CSS (S7712).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure CSS on the parent devices to ensure high reliability of the super virtual fabric
(SVF) system.
2. Configure SVF system capabilities.
a. Create an SVF enabling template to enable SVF on the parent and configure the
SVF client management IP address pool, file server, and forwarding mode.
b. Create an AS predeployment template to predeploy ASs on the SVF parent before
powering them on and add the ASs to a whitelist. After the ASs are powered on, the
SVF parent permits the ASs to access the SVF network.
c. Create a level-1 AS fabric port template to set parameters for the fabric ports that
connect the SVF parent to level-1 ASs.
d. Create a level-2 AS fabric port template to set parameters for the fabric ports that
connect level-1 ASs to level-2 ASs.
e. Create a system configuration matrix to deploy the template instances to the SVF
parent.
3. Clear the configurations of ASs, restart the ASs, and then connect the parent to level-1
ASs and level-1 ASs to level-2 ASs using cables.
4. Configure SVF service capabilities.
a. Create port groups.
b. Create user interface VLAN templates to set pass VLANs for user-side ports.
c. Create a user interface service template to set network security parameters for user-
side ports.
d. Create a service configuration matrix to deploy the template instances to the port
groups.
Data Plan
Temp1 11 192.168.11.1 24
ParentToL1as 1 1 1/1/0/1
1 1 2/1/0/1
2 2 1/1/0/2
2 2 2/1/0/2
3 3 1/1/0/3
3 3 2/1/0/3
L2AS 1 4 4 0/0/23
1 4 4 0/0/24
3 5 5 0/0/23
3 5 5 0/0/24
VLAN10 10
VLAN20 20
AccessTemp ON
Procedure
Step 1 For details on how to set up a cluster on the two switches that function as the parent devices,
see "CSS Configuration" in the S7700&S9700 Series Ethernet Switches Configuration Guide
- Device Management.
Step 2 Create a template instance and enable SVF on the parent device.
1. Choose Configuration > Configuration Management > Service Configuration
Management from the main menu.
2. Choose Template Management > Predefined from the navigation tree, choose SVF
Device Templates > SVF System Config > Enable SVF in Template, and click
Create.
3. Set Instance Name to Temp1, set VLAN ID, IP Address, and Mask in the Configure
SVF Client Management Address Pool area to 11, 192.168.11.1, and 24 respectively,
and click Confirm. The Enable SVF template is displayed on the page.
2. Set Instance Name to ASTemp and set other parameters as shown in the following
figure.
2. Set Instance Name to ParentToL1as, set other parameters as shown in the following
figure, and click Confirm. The Level-1 AS Fabric Port template is displayed on the
page.
2. Set Instance Name to L2AS, set other parameters as shown in the following figure, and
click Confirm. The Level-2 AS Fabric Port template is displayed on the page.
2. Click next to Resources and select SVF-S77 as the default SVF Parent.
3. In the service configuration matrix, place the mouse in each blank cell, click to
select the created template instances one by one, and click Confirm.
4. In the system configuration matrix, place the mouse in the lower right corner of each cell
with a template instance, and click to deploy the template instance to the parent
device.
Step 7 Log in to each AS through the CLI, run the reset saved-configuration command to
delete the AS configuration, and then run the reboot command to restart the AS.
If a message is displayed asking whether you want to save the configuration, select N.
Then connect the parent to level-1 ASs and level-1 ASs to level-2 ASs using cables.
Step 8 Create port groups.
1. Choose Resource > Resource Management > Equipment Resources from the main
menu. Device resources on the entire network are displayed on the page.
2. Click in the upper right corner of the page and set IP Address to 10.137.217.203.
The SVF device with the specified IP address is displayed on the page.
3. Click the device name link in Name to access the NE Manager of the device.
4. Choose SVF Feature > AS Port from the navigation tree, and click Create Group.
8. Repeat the preceding step to add ports of as2 and as4 to PortGroup1, and ports of as3
and as5 to PortGroup2.
Step 9 Create user interface VLAN templates.
3. Set Instance Name to VLAN10, set other parameters as shown in the following figure,
and click Confirm. The user interface VLAN template VLAN10 is displayed on the
page.
4. Click Create, set Instance Name to VLAN20, set other parameters as shown in the
following figure, and click Confirm. The user interface VLAN template VLAN20 is
displayed on the page.
2. Set Instance Name to AccessTemp, set other parameters as shown in the following
figure, and click Confirm. The user interface service template AccessTemp is displayed
on the page.
Step 11 Deploy the SVF user interface VLAN and service templates to port groups.
1. Choose Service Config > SVF Port Config from the navigation tree. The default
service configuration matrix is displayed.
2. Click next to Resources, select PortGroup1 and PortGroup2, and click Confirm.
3. In the service configuration matrix, place the mouse in each blank cell, click to
select the created template instances one by one, and click Confirm.
4. In the service configuration matrix, place the mouse in the lower right corner of each cell
with a template instance, and click to deploy the template instance to the port group.
----End
Result
After the SVF access layer configuration is complete, verify the configuration as follows:
- Choose Monitor > Topology > Topology Management from the main menu. The SVF
- Choose Resource > Resource Management > Access Users Management from the
main menu. You can view the list of online users on the page that is displayed.