Professional Documents
Culture Documents
Module
V300R003C05
Configuration Guide
Issue 09
Date 2015-02-28
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Purpose
This document describes the configuration of various services supported by the MA5600. The
description covers the following topics:
l Purpose
l Networking
l Data plan
l Prerequisite(s)
l Precaution
l Configuration flowchart
l Configuration procedure
l Result
This document helps users to know the configuration of various services supported by the
MA5600.
Related Versions
The following table lists the product versions related to this document.
MA5600 V300R003C05
This document considers the MA5600 as an example to describe the configuration and does not
describe the configuration of services supported by the MA5603 because the MA5600 have the
different hardware and the same software functions.
Intended Audience
The intended audience of this document is:
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
General Conventions
Convention Description
Command Conventions
Convention Description
GUI Conventions
Convention Description
Boldface Buttons, menus, parameters, tabs, window, and dialog titles are
in Boldface. For example, click OK.
Keyboard Operation
Format Description
Key Press the key. For example, press Enter and press Tab.
Key 1+Key 2 Press the keys concurrently. For example, pressing Ctrl+Alt
+A indicates the three keys need to be pressed concurrently.
Key 1, Key 2 Press the keys in turn. For example, pressing Alt, A indicates
the two keys need to be pressed in turn.
Mouse Operation
Action Description
Click Select and release the primary mouse button without moving
the pointer.
Double-click Press the primary mouse button twice continuously and quickly
without moving the pointer.
Drag Press and hold the primary mouse button and move the pointer
to a certain position.
Update History
Updates between document versions are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Issue 09 (2015-02-28)
Based on issue 08 (2013-12-30), the document is updated as follows:
Issue 08 (2013-12-30)
Based on issue 07 (2013-03-26), the document is updated as follows:
Issue 07 (2013-03-26)
Based on issue 06 (2012-01-20), the document is updated as follows:
Issue 06 (2012-01-20)
Based on issue 05 (2010-11-29), the document is updated as follows:
Issue 05 (2010-11-29)
Based on issue 04 (2010-10-25), the document is updated as follows:
Issue 04 (2010-10-25)
Based on issue 03 (2010-03-15), the document is updated as follows:
Issue 03 (2010-03-15)
Based on issue 02 (2009-03-15), the document is updated as follows:
Based on the new design, the file structure is changed according to the customer requirements
to implement the configuration according to the scenario and documentation.
Issue 02 (2009-03-15)
Based on issue 01 (2008-11-20), the document is updated as follows:
Contents
2 Protocol Configuration...............................................................................................................84
2.1 Configuring ARP Proxy...............................................................................................................................................85
2.2 Configuring the Route..................................................................................................................................................88
2.2.1 Configuration Example of the Routing Policy..........................................................................................................88
2.2.2 Configuration Example of the Static Route...............................................................................................................90
2.2.3 Configuration Example of RIP..................................................................................................................................92
2.2.4 Configuration Example of OSPF...............................................................................................................................96
2.3 Configuring the MSTP.................................................................................................................................................99
2.4 Configuring the Ethernet OAM..................................................................................................................................103
2.5 Configuring PIM-SSM Parameters............................................................................................................................106
2.6 Configuring MPLS.....................................................................................................................................................113
2.6.1 Configuring the MPLS LDP....................................................................................................................................113
2.6.2 Configuring the MPLS VPN...................................................................................................................................120
2.6.3 Configuring the MPLS RSVP-TE...........................................................................................................................130
2.6.4 Configuring the MPLS OAM..................................................................................................................................138
A FAQ............................................................................................................................................. 361
A.1 How to Query MAC Addresses of Online Users and Query the Ports that Provide the Access for the Users According
to the MAC Addresses......................................................................................................................................................362
A.2 What Are the Prerequisites for the Link and Protocol Status of the L3 Interface to Be Up......................................362
A.3 How to Prevent System Breakdown or Service Interruption of the MA5600 Caused by Network Attacks Through the
Proper Configuration........................................................................................................................................................362
A.4 How to Change the NMS VLAN...............................................................................................................................363
A.5 How to Change the VLAN Type...............................................................................................................................364
A.6 How to Change the Service VLAN to Which the xDSL Port Belongs.....................................................................364
A.7 How to Change the Line Profile of an xDSL Port.....................................................................................................365
A.8 How to Add a Board on the MA5600........................................................................................................................365
A.9 How to Enable Two xDSL Ports of the MA5600 to Communicate with Each Other...............................................366
A.10 What Are the Differences Between the firewall packet-filter Command and the packet-filter Command.........366
1 Basic Configurations
Basic configurations mainly include certain common configurations, public configurations, and
pre-configurations in service configurations. There is no logical relationship between basic
configurations. You can perform basic configurations according to actual requirements.
Prerequisites
The license platform must be enabled, that is, the license function must be enabled.
Application Context
The license platform provides the registration mechanism for the service modules of the
MA5600. During system initialization, the service modules need to register for the controlled
resource entries or the controlled function entries. After the system starts to work, based on the
controlled entries that are registered, the license client management module obtains the
authentication information about the license controlled entries of the MA5600 from the license
server.
When a service module is configured through the CLI or NMS, the device checks whether the
resource entries of the service module or the function entries of the service module are
overloaded.
l If overload occurs, the system quits the service configuration and displays a prompt of
insufficient license resources.
l If overload does not occur, the system allows the user to continue configuring and using
the service. When the service configuration is deleted, the system automatically releases
the license resources occupied by the service configuration.
Background Information
l The MA5600 adopts the network license solution, that is, a license server is deployed on
the network. The license server software can be installed on the same device with the NMS.
The license server software can also be installed separately on a license server. Each digital
subscriber line access multiplexer (DSLAM) is like a license client and the licenses of all
the clients are managed by the license server in a centralized manner.
l In the management scope of the license server (generally a region or a city), each product
has only one license file that is stored on the license server. The resources of the product
that are controlled by the license are defined by the license file. Because one license server
can manage multiple products, multiple license files can be stored on one license server.
l With the license platform enabled, the license server performs license control over the
function entries and resource entries supported by the MA5600 and provides customized
services, namely, specified function entries and resource entries, for users according to the
requirements.
The control entries of the license platform include function entries and resource entries.
You can run the display license feature command to query the corresponding control
entries.
A function entry refers to the entry whose license is controlled based on the function.
The controllable function entries supported by the MA5600 include:
Precautions
l If you need to use the license platform supported by the MA5600, ensure to consider the
deployment of the license server in network planning.
l It is recommended that you install the license server on the same computer with the NMS
server. If there is no NMS server, you need to separately deploy a license server on the
network.
Procedure
Step 1 Configure the interface that is for communicating between the MA5600 and the license server.
1. Run the vlan command to create a VLAN.
2. Run the port vlan command to add an upstream port to the VLAN.
3. (Optional) Run the native-vlan command to configure the default VLAN of the upstream
port.
Whether the native VLAN needs to be set for the upstream port depends on whether the
upper-layer device connected to the upstream port supports packets carrying a VLAN tag.
The setting on the MA5600 must be the same as that on the upper-layer device.
4. Run the interface vlanif command to enter the VLAN interface mode.
5. Run the ip address command to configure the IP address of the VLAN L3 interface so that
the IP packets in the VLAN are forwarded by using this IP address.
Step 2 Run the license esn command to configure the equipment serial number (ESN) of the device.
Each client of the license server is uniquely identified by the ESN. The ESN needs to be
configured if the user enables the license platform. The ESN can be the NMS IP address of the
device or the IP address of the VLAN L3 interface.
Step 3 Run the license server command to configure the license server.
If the user enables the license platform, configure the IP address and TCP port ID of the license
server so that the license server can communicate with the client.
Step 4 Run the display license info command to query the communication status between the device
and the license server.
----End
Example
To configure the MA5600 to communicate with the server through smart VLAN 10, configure
the IP address of the L3 interface to 10.10.10.10/24, configure the MA5600 to communicate
with the license server (IP address: 10.20.20.2/24) through port 0/7/0, and configure the TCP
port ID to 10010, do as follows:
huawei(config)#vlan 10 smart
huawei(config)#port vlan 10 0/7 0
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#ip address 10.10.10.10 24
huawei(config-if-vlanif10)#quit
huawei(config)#ip route-static 0.0.0.0 24 10.10.10.1
huawei(config)#license esn 10.10.10.10
huawei(config)#license server ipaddress 10.20.20.2 tcpport 10010
Background Information
On a digital network comprising the MA5600 and other devices, the primary problem is clock
synchronization. To ensure that the system uses a unified clock standard, you must specify the
clock signals from a certain port as the system clock source.
Procedure
Step 1 Run the clock source command to configure the system clock source.
Specify the clock signals extracted from a certain port as the system clock source.
Step 2 Run the clock priority command to configure the priority of the clock source.
----End
Example
To obtain two clock sources from ports 0/5/0 and 0/5/1 of the SHEB board as clock source 0
and clock source 2 of the system, configure clock source 2 with the highest priority, and configure
clock source 0 with the second highest priority, do as follows:
huawei(config)#clock source 0 0/5/0
huawei(config)#clock source 2 0/5/1
huawei(config)#clock priority sdh 2/0
Background Information
Introduction to the NTP Protocol:
l The Network Time Protocol (NTP) is an application layer protocol defined in RFC 1305,
which is used to synchronize the times of the distributed time server and the client. The
RFC defines the structures, arithmetics, entities, and protocols used in the implementation
of NTP.
l NTP is developed from the time protocol and the ICMP timestamp message protocol, with
special design on the aspects of accuracy and robustness.
l NTP runs over UDP with port number as 123.
l Any local system that runs NTP can be time synchronized by other clock sources, and also
act as a clock source to synchronize other clocks. In addition, mutual synchronization can
be done through NTP packets exchanges.
NTP is applied to the following situations where all the clocks of hosts or routers on a network
need to be consistent:
l In the network management, an analysis of log or debugging information collected from
different routers needs time for reference.
l The charging system requires the clocks of all devices to be consistent.
l Completing certain functions, for example, timing restart of all the routers on a network
requires the clocks of all the routers be consistent.
l When several systems work together on the same complicate event, they have to take the
same clock for reference to ensure correct implementation order.
l Incremental backup between the backup server and clients requires clocks on them be
synchronized.
When all the devices on a network need to be synchronized, it is almost impossible for an
administrator to manually change the system clock by command line. This is because the work
load is heavy and clock accuracy cannot be ensured. NTP can quickly synchronize the clocks
of network devices and ensure their precision.
There are four NTP modes: unicast server, peer, broadcast, and multicast modes. The
MA5600 supports all these modes.
Default Configuration
Table 1-1 provides the default configuration for NTP.
Clock stratum 16
Prerequisites
Before configuring the client/server mode NTP, make sure that the network interface of the
MA5600 and the routing protocol are configured so that the server and the client are reachable
to each other at the network layer.
Background Information
In certain networks that have strict requirements on security, enable NTP authentication when
running the NTP protocol. Configuring NTP authentication is classified into configuring NTP
authentication on the client and configuring NTP authentication on the server.
Precautions
l If NTP authentication is not enabled on the client, the client can synchronize with the server,
regardless of whether NTP authentication is enabled on the server.
l If NTP authentication is enabled, a reliable key needs to be configured.
l The configuration of the server must be the same as that of the client.
l When NTP authentication is enabled on the client, the client can pass the authentication if
the server is configured with the same key as that of the client. In this case, you need not
enable NTP authentication on the server or declare that the key is reliable.
l The client synchronizes with only the server that provides the reliable key. If the key
provided by the server is unreliable, the client does not synchronize with the server.
Procedure
Step 1 Run the ntp-service authentication enable command to enable NTP authentication.
Step 2 Run the ntp-service authentication-keyid command to set an NTP authentication key.
Step 3 Run the ntp-service reliable authentication-keyid command to declare that the key is reliable.
----End
Example
To enable NTP authentication, set the NTP authentication key as aNiceKey with the key number
42, and then define key 42 as a reliable key, do as follows:
huawei(config)#ntp-service authentication enable
huawei(config)#ntp-service authentication-keyid 42 authentication-mode md5
aNiceKey
huawei(config)#ntp-service reliable authentication-keyid 42
Prerequisites
Before configuring the broadcast mode NTP, make sure that the interface and the routing
protocol are configured so that the server and the client are reachable to each other at the network
layer.
Background Information
In the broadcast mode, the server periodically sends clock synchronization packets to the
broadcast address 255.255.255.255, with the mode field set to 5 (indicating the broadcast mode).
The client listens to the broadcast packets sent from the server. After receiving the first broadcast
packet, the client exchanges NTP packet whose mode fields are set to 3 (client mode) and 4
(server mode) with the server to estimate the network delay between the client and the server.
The client then enters the broadcast client mode, continues to listen to the incoming broadcast
packets, and synchronizes the local clock according to the incoming broadcast packets, as shown
in Figure 1-1.
Precautions
1. In the broadcast mode, you need to configure both the NTP server and the NTP client.
2. The clock stratum of the synchronizing device must be higher than or equal to that of the
synchronized device. Otherwise, the clock synchronization fails.
Procedure
l Configure the NTP broadcast server host.
1. Run the ntp-service refclock-master command to configure the local clock as the
master NTP clock, and specify the stratum of the master NTP clock.
2. (Optional) Configure NTP authentication.
In certain networks that have strict requirements on security, it is recommended that
you enable NTP authentication when running the NTP protocol. The configuration of
the server must be the same as that of the client.
a. Run the ntp-service authentication enable command to enable NTP
authentication.
b. Run the ntp-service authentication-keyid command to set an NTP
authentication key.
c. Run the ntp-service reliable authentication-keyid command to declare that the
key is reliable.
3. Add a VLAN L3 interface.
a. Run the vlan command to create a VLAN.
b. Run the port vlan command to add an upstream port to the VLAN so that the
user packets carrying the VLAN tag are transmitted upstream through the
upstream port.
c. In the global config mode, run the interface vlan command to create a VLAN
interface, and then enter the VLAN interface mode to configure the L3 interface.
d. Run the ip address command to configure the IP address and subnet mask of the
VLAN interface so that the IP packets in the VLAN can participate in the L3
forwarding.
4. Run the ntp-service broadcast-server command to configure the NTP broadcast
server mode of the host, and specify the key ID for the server to send packets to the
client.
l Configure the NTP broadcast client host.
1. (Optional) Configure NTP authentication.
In certain networks that have strict requirements on security, it is recommended that
you enable NTP authentication when running the NTP protocol. The configuration of
the server must be the same as that of the client.
a. Run the ntp-service authentication enable command to enable NTP
authentication.
b. Run the ntp-service authentication-keyid command to set an NTP
authentication key.
c. Run the ntp-service reliable authentication-keyid command to declare that the
key is reliable.
Example
Assume the following configurations: MA5600_S uses the local clock as the master NTP clock
on stratum 2 and works in the broadcast mode NTP, sends broadcast clock synchronization
packets periodically through IP address 10.10.10.10/24 of the L3 interface of VLAN 2;
MA5600_C functions as the NTP client, listens to the broadcast packets sent from the server
through IP address 10.10.10.20/24 of the L3 interface of VLAN 2, and synchronizes with the
clock on the broadcast server. To perform these configurations, do as follows:
1. On MA5600_S:
huawei(config)#ntp-service refclock-master 2
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.10 24
huawei(config-if-vlanif2)#ntp-service broadcast-server
huawei(config-if-vlanif2)#quit
2. On MA5600_C:
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.20 24
huawei(config-if-vlanif2)#ntp-service broadcast-client
huawei(config-if-vlanif2)#quit
Prerequisites
Before configuring the multicast mode NTP, make sure that the interface and the routing protocol
are configured so that the server and the client are reachable to each other at the network layer.
Background Information
In the multicast mode, the server periodically sends clock synchronization packets to the
multicast address configured by the user. The default NTP multicast address 224.0.1.1 is used
if the multicast address is not configured. The mode field of clock synchronization packet is set
to 5 (multicast mode). The client listens to the multicast packets sent from the server. After
receiving the first multicast packet, the client exchanges NTP packet whose mode fields are set
to 3 (client mode) and 4 (server mode) with the server to estimate the network delay between
the client and the server. The client then enters the multicast client mode, continues to listen to
the incoming multicast packets, and synchronizes the local clock according to the incoming
multicast packets, as shown in Figure 1-2.
Precautions
1. In the multicast mode, you need to configure both the NTP server and the NTP client.
2. The clock stratum of the synchronizing device must be higher than or equal to that of the
synchronized device. Otherwise, the clock synchronization fails.
Procedure
l Configure the NTP multicast server host.
1. Run the ntp-service refclock-master command to configure the local clock as the
master NTP clock, and specify the stratum of the master NTP clock.
2. (Optional) Configure NTP authentication.
In certain networks that have strict requirements on security, it is recommended that
you enable NTP authentication when running the NTP protocol. The configuration of
the server must be the same as that of the client.
a. Run the ntp-service authentication enable command to enable NTP
authentication.
b. Run the ntp-service authentication-keyid command to set an NTP
authentication key.
c. Run the ntp-service reliable authentication-keyid command to declare that the
key is reliable.
3. Add a VLAN L3 interface.
a. Run the vlan command to create a VLAN.
b. Run the port vlan command to add an upstream port to the VLAN so that the
user packets carrying the VLAN tag are transmitted upstream through the
upstream port.
c. In the global config mode, run the interface vlan command to create a VLAN
interface, and then enter the VLAN interface mode to configure the L3 interface.
d. Run the ip address command to configure the IP address and subnet mask of the
VLAN interface so that the IP packets in the VLAN can participate in the L3
forwarding.
4. Run the ntp-service multicast-server command to configure the NTP multicast
server mode of the host, and specify the key ID for the server to send packets to the
client.
l Configure the NTP multicast client host.
1. (Optional) Configure NTP authentication.
In certain networks that have strict requirements on security, it is recommended that
you enable NTP authentication when running the NTP protocol. The configuration of
the server must be the same as that of the client.
a. Run the ntp-service authentication enable command to enable NTP
authentication.
b. Run the ntp-service authentication-keyid command to set an NTP
authentication key.
c. Run the ntp-service reliable authentication-keyid command to declare that the
key is reliable.
2. Add a VLAN L3 interface.
a. Run the vlan command to create a VLAN.
b. Run the port vlan command to add an upstream port to the VLAN so that the
user packets carrying the VLAN tag are transmitted upstream through the
upstream port.
c. In the global config mode, run the interface vlan command to create a VLAN
interface, and then enter the VLAN interface mode to configure the L3 interface.
d. Run the ip address command to configure the IP address and subnet mask of the
VLAN interface so that the IP packets in the VLAN can participate in the L3
forwarding.
3. Run the ntp-service multicast-client command to configure a host as the NTP
multicast client.
----End
Example
Assume the following configurations: MA5600_S uses the local clock as the master NTP clock
on stratum 2 and works in the multicast mode NTP, sends multicast clock synchronization
packets periodically through IP address 10.10.10.10/24 of the L3 interface of VLAN 2, and is
enabled with the NTP authentication function (the ID of the MD5 authentication key is set to
10, the key is set to BetterKey, and the authentication key is declared to be reliable);
MA5600_C functions as the NTP client, listens to the multicast packets sent from the server
through IP address 10.10.10.20/24 of the L3 interface of VLAN 2, and synchronizes with the
clock on the multicast server. To perform these configurations, do as follows:
1. On MA5600_S:
huawei(config)#ntp-service authentication enable
huawei(config)#ntp-service authentication-keyid 10 authentication-mode md5
BetterKey
2. On MA5600_C:
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.20 24
huawei(config-if-vlanif2)#ntp-service multicast-client
huawei(config-if-vlanif2)#quit
Prerequisites
Before configuring the unicast mode NTP, make sure that the interface and the routing protocol
are configured so that the server and the client are reachable to each other at the network layer.
Background Information
In the unicast server mode, the client sends a clock synchronization packet to the server, with
the mode field set to 3 (client mode). After receiving the packet, the server automatically enters
the server mode and sends a response packet with the mode field set to 4 (server mode). After
receiving the response from the server, the client filters and selects the clock, and synchronizes
with the preferred server, as shown in Figure 1-3.
Precautions
1. In the unicast server mode, you need to configure only the client and need not configure
the server.
2. The clock stratum of the synchronizing device must be higher than or equal to the clock
stratum of the synchronized device. Otherwise, the clock synchronization fails.
Procedure
Step 1 Configure a VLAN L3 interface.
1. Run the vlan command to create a VLAN.
2. Run the port vlan command to add an upstream port to the VLAN so that the user packets
carrying the VLAN tag are transmitted upstream through the upstream port.
3. Run the interface vlan command to create a VLAN interface in the global config mode
and enter the VLAN interface mode to configure the L3 interface.
4. Run the ip address command to configure the IP address and subnet mask of the VLAN
interface so that the IP packets in the VLAN can be forwarded at layer 3.
Step 2 Run the ntp-service unicast-server command to configure the unicast server mode and specify
the IP address of the remote server that functions as the local timer server and the interface for
transmitting and receiving NTP packets.
NOTE
l In this command, ip-address is a unicast address, which cannot be a broadcast address, a multicast address,
or the IP address of a local clock.
l After the source interface of the NTP packets is specified by source-interface, the source IP address of the
NTP packets is configured as the primary IP address of the specified interface.
l A server can function as a time server to synchronize other devices only after its clock is synchronized.
l When the clock stratum of the server is higher than or equal to the clock stratum of the client, the client does
not synchronize with the server.
l You can run the ntp-service unicast-server command for multiple times to configure multiple servers.
Then, the client selects the optimal server according to clock priorities.
----End
Example
Assume the following configurations: One MA5600 functions as the NTP server (IP address:
10.20.20.20/24), the other MA5600 (IP address of the L3 interface of VLAN 2: 10.10.10.10/24,
gateway IP address: 10.10.10.1) functions as the NTP client, the NTP client sends the clock
synchronization request packet through the VLAN L3 interface to the NTP server, the NTP
server responds to the request packet, and ACL rules are configured to allow only IP packets
from the clock server to access the L3 interface. To perform these configurations, do as follows:
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.10 24
huawei(config-if-vlanif2)#quit
huawei(config)#ntp-service unicast-server 10.20.20.20 source-interface vlanif 2
huawei(config)#acl 3010
huawei(config-acl-adv-3010)#rule deny ip source any destination 10.10.10.10
0.0.0.0
huawei(config-acl-adv-3010)#rule permit ip source 10.20.20.20 0.0.0.0 destination
10.10.10.10 0.0.0.0
huawei(config-acl-adv-3010)#quit
huawei(config)#packet-filter inbound ip-group 3010 port 0/7/0
Prerequisites
Before configuring the peer mode NTP, make sure that the interface and the routing protocol
are configured so that the server and the client are reachable to each other at the network layer.
Background Information
In the peer mode, the active peer and the passive peer exchange NTP packets whose mode fields
are set to 3 (client mode) and 4 (server mode). Then, the active peer sends a clock synchronization
packet to the passive peer, with the mode field of the packet set to 1 (active peer). After receiving
the packet, the passive peer automatically works in the passive mode and sends a response packet
with the mode field set to 2 (passive peer). Through packet exchange, the peer mode is set up.
The active peer and the passive peer can synchronize with each other. If both the clock of the
active peer and that of the passive peer are synchronized, the clock on a lower stratum is used,
as shown in Figure 1-4.
Precautions
1. In the peer mode, you need to configure the NTP mode on only the active peer.
2. The peers determine clock synchronization according to the clock stratum instead of
according to whether the peer is an active peer.
Procedure
Step 1 Configure the NTP active peer.
1. Run the ntp-service refclock-master command to configure the local clock as the master
NTP clock, and specify the stratum of the master NTP clock.
2. Run the ntp-service unicast-peer command to configure the peer mode NTP, and specify
the IP address of the remote server that functions as the local timer server and the interface
for transmitting and receiving NTP packets.
NOTE
l In this command, ip-address is a unicast address, which cannot be a broadcast address, a multicast
address, or the IP address of a reference clock.
l After the source interface of the NTP packets is specified by source-interface, the source IP address
of the NTP packets is configured as the primary IP address of the specified interface.
l In the peer mode, the active peer and the passive peer can synchronize with each other.
l The peer with a higher clock stratum is synchronized by the peer with a lower clock stratum.
----End
Example
Assume the following configurations: One MA5600 functions as the NTP active peer (IP address
of the L3 interface of VLAN 2: 10.10.10.10/24) and works on clock stratum 4, the other
MA5600 (IP address: 10.10.10.20/24) functions as the NTP passive peer, the active peer sends
a clock synchronization request packet through the VLAN L3 interface to the passive peer, the
passive peer responds to the request packet, and the peer with a higher clock stratum is
synchronized by the peer with a lower clock stratum. To perform these configurations, do as
follows:
huawei(config)#ntp-service refclock-master 4
huawei(config)#ntp-service unicast-peer 10.10.10.20 source-interface vlanif 2
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.10 24
huawei(config-if-vlanif2)#quit
Background Information
An alarm refers to the notification of the system after a fault is detected. After an alarm is
generated, the system broadcasts the alarm to the terminals, mainly including the NMS and CLI
terminals.
Alarms are classified into fault alarm and clear alarm. After a fault alarm is generated at a certain
time, the fault alarm lasts until the fault is rectified to clear the alarm.
You can modify the alarm settings according to your requirements. The settings are alarm
severity, alarm output mode through the CLI and alarm statistics switch.
Procedure
l You can run the alarm active clear command to clear the alarms that are not recovered in
the system.
Before clearing an alarm, you can run the display alarm active command to query the
currently active alarms.
When an active alarm lasts a long time, you can run this command to clear the alarm.
l Run the alarm alarmlevel command to configure the alarm severity.
Alarm severities are critical, major, minor, and warning.
Parameter default indicates restoring the alarm severity to the default setting.
You can run the display alarm list command to query the alarm severity.
The system specifies the default (also recommended) alarm severity for each alarm. Use
the default alarm severity unless otherwise required.
l Run the alarm output/undo alarm output command to set or shield the output of alarms
to the CLI terminal.
Setting the output mode of alarms does not affect the generating of alarms. The alarms
generated by the system are still recorded. You can run the display alarm history
command to query the alarms that are shielded.
When the new output mode of an alarm conflicts with the previous mode, the new output
mode takes effect.
The output mode of the clear alarm is the same as the output mode of the fault alarm.
When the output mode of the fault alarm is set, the system automatically synchronizes
the output mode of its clear alarm. The reverse is also applicable. That is, when the
output mode of the clear alarm is set, the system automatically synchronizes the output
mode of its fault alarm.
l Run the alarm jitter-proof command to configure the alarm jitter-proof function and the
jitter-proof period.
To prevent a fault alarm and its clear alarm from being displayed frequently, you can
enable the alarm jitter-proof function to filter alarms in the system.
After the alarm jitter-proof function is enabled, the alarm in the system is not reported
to the NMS immediately but is reported to the NMS after an alarm jitter-proof period.
If an alarm is recovered in an alarm jitter-proof period, the alarm is not reported to the
NMS.
You can run the display alarm jitter-proof command to check whether the alarm jitter-
proof function is enabled and whether the alarm jitter-proof period is set.
By default, the alarm jitter-proof function is disabled. You can determine whether to
enable the function according to the running of the device.
l Run the alarm-event statistics period command to set the alarm statistics collection
period.
The system collects the occurrence times of alarms and events according to the set
period. To save the statistical result, run the alarm-event statistics save command to
save the statistics to the flash memory.
You can use the statistical result of alarms and events to locate a problem in the system.
You can run the display alarm statistics command to query the alarm statistical record.
l Run the display alarm configuration command to query the alarm configuration according
to the alarm ID. The alarm configuration that you can query includes the alarm ID, alarm
name, alarm class, alarm type, alarm severity, default alarm severity, number of parameters,
CLI output flag, conversion flag, and detailed alarm description.
l Run the display alarm statistics command to query the alarm statistical record.
When you need to know the frequency in which one alarm occurs within a time range,
and to know the working conditions of the device and analyze the fault that may exist,
run this command.
Currently, you can query the alarm statistics in the current 15 minutes, current 24 hours,
last 15 minutes, and last 24 hours in the system.
----End
Example
Assume the following configurations: The output of all the alarms at level warning are shielded
to the CLI terminal, the alarm jitter-proof function is enabled, the alarm jitter-proof period is set
to 15s, the statistical period of the alarms and events is set to 72 hours, and all the alarms at level
major are saved to the flash memory so that a problem can be located through the alarm statistical
record. To perform these configurations, do as follows:
huawei(config)#undo alarm output alarmlevel warning
huawei(config)#alarm jitter-proof on
huawei(config)#alarm jitter-proof 15
huawei(config)#alarm-event statistics period 72
huawei(config)#alarm alarmlevel 0x0121a001 critical
huawei(config)#alarm alarmlevel 0x02310000 critical
huawei(config)#alarm-event statistics save
Background Information
After the description of a physical port on the board is added, the description has the following
functions:
Procedure
Step 1 In the global config mode, run the port desc command to add port description.
Port description is a character string, used to identify a port on a board in a slot of a shelf.
Step 2 Run the display port desc command to query port description.
----End
Example
Plan the format of user port description as "community ID-building ID-floor ID/shelf ID-slot
ID-port ID". "Community ID-building ID-floor ID" indicates the physical location where the
user terminal is deployed, and shelf ID-slot ID-port ID" indicates the physical port on the local
device that is connected to the user terminal. This plan can present the user terminal location
and the connection between the user terminal and the device, which facilitates query in
maintenance. Assume that the user terminal that is connected to port 0/2/0 of the MA5600 is
deployed in floor 1, building 01 of community A. To add port description according to the plan,
do as follows:
Background Information
The MA5600 supports two auto-save modes:
l Auto-save at preset interval.
l Auto-save at preset time.
l Auto-save at preset time conflicts with auto-save at preset interval. You can enable only
one of them.
l Saving data frequently affects the system. Therefore, an auto-save interval shorter than one
hour is not recommended, and it is recommended that you set the interval equal to or longer
than one day.
l Before the system upgrade operation, run the autosave interval off or autosave time off
command to disable the auto-save function to prevent upgrade failure due to the conflict
between upgrade and auto-save operations.
NOTICE
After the system upgrade is completed, you must re-enable the auto-save function if the
auto-save function is required.
Configuration Flowchart
Figure 1-5 shows the flowchart for configuring the auto-save function.
Procedure
l Configure auto-save at preset interval.
1. In the global config mode, run the autosave interval on command to enable auto-
save at preset interval.
Auto-save at preset interval conflicts with auto-save at preset time. You can enable
only one of them.
2. (Optional) In the global config mode, run the autosave interval configuration
command to set the auto-save interval for modified system data.
Auto-save is performed according to the interval set by the user. The system checks
whether the system data is modified at each interval. If the system data is modified,
the system saves the data. Otherwise, the system does not save the data. By default,
the interval is 30 minutes.
3. (Optional) In the global config mode, run the autosave interval command to set the
auto-save interval.
After the setting, the system data is automatically saved at the set interval regardless
of whether the system data is modified. By default, the interval is 24 hours.
4. (Optional) Set the auto-save file type.
In the global config mode, run the autosave type command to set the auto-save file
type.
l Configure auto-save at preset time.
1. In the global mode, run the autosave time on command to enable auto-save at preset
time.
Auto-save at preset time conflicts with auto-save at preset interval. You can enable
only one of them.
2. (Optional) In the global config mode, run the autosave time command to set the auto-
save time.
After the setting, the system data is automatically saved at the set time regardless of
whether the system data is modified. By default, the time is 00:00:00.
3. (Optional) Set the auto-save file type.
In the global config mode, run the autosave type command to set the auto-save file
type.
----End
Example
To enable auto-save at preset interval on the MA5600, set the auto-save interval to two days
(2880 minutes), and save both the database file and the configuration file, do as follows:
huawei(config)#autosave interval on
huawei(config)#autosave interval 2880
huawei(config)#autosave type all
huawei(config)#save
Prerequisites
The Ethernet board must be configured in the system.
Background Information
The MA5600 needs to be interconnected with the upstream device through the Ethernet port.
Therefore, pay attention to the consistency of port attributes.
Default Configuration
Table 1-2 lists the default settings of the attributes of an Ethernet port.
Procedure
l Configure the physical attributes of an Ethernet port.
1. (Optional) Set the auto-negotiation mode of the Ethernet port.
Run the auto-neg command to set the auto-negotiation mode of the Ethernet port. You
can enable or disable the auto-negotiation mode:
After the auto-negotiation mode is enabled, the port automatically negotiates with
the peer port for the rate and working mode of the Ethernet port.
After the auto-negotiation mode is disabled, the rate and working mode of the port
are in the forced mode (adopt default values or are set through command lines).
2. (Optional) Set the rate of the Ethernet port.
Run the speed command to set the rate of the Ethernet port. After the port rate is set
successfully, the port works at the set rate. Pay attention to the following points:
Make sure that the rate of the Ethernet port is the same as that of the interconnected
port on the peer device. This prevents communication failure.
The auto-negotiation mode needs to be disabled.
3. (Optional) Set the duplex mode of the Ethernet port.
Run the duplex command to set the duplex mode of the Ethernet port. The duplex
mode of an Ethernet port can be full-duplex, half-duplex, or auto negotiation. Pay
attention to the following points:
Make sure that the ports of two interconnected devices work in the same duplex
modes. This prevents communication failure.
The auto-negotiation mode needs to be disabled.
4. (Optional) Configure the network cable adaptation mode of the Ethernet port.
Run the mdi command to configure the network cable adaptation mode of the Ethernet
port to match the actual network cable. The network adaptation modes are as follows:
normal: Specifies the adaptation mode of the network cable as straight-through
cable. In this case, the network cable connecting to the Ethernet port must be a
straight-through cable.
across: Specifies the adaptation mode of the network cable as crossover cable. In
this case, the network cable connecting to the Ethernet port must be a crossover
cable.
auto: Specifies the adaptation mode of the network cable as auto-sensing. The
network cable can be a straight-through cable or crossover cable.
Pay attention to the following points:
The Ethernet optical port does not support the network cable adaptation mode.
If the Ethernet electrical port works in forced mode (auto-negotiation mode
disabled), the network cable type of the port cannot be configured to auto.
l Configure flow control on the Ethernet port.
Run the flow-control command to enable flow control on the Ethernet port. When the flow
of an Ethernet port is heavy, run this command to control the flow to prevent network
congestion, which may cause the loss of data packets. Flow control needs to be supported
on both the local and peer devices. Pay attention to the following points:
If the peer device does not support flow control, generally, enable flow control on the
local device.
If the peer device supports flow control, generally, disable flow control on the local
device.
By default, flow control is disabled.
l Mirror the Ethernet port.
Run the mirror port command to mirror the Ethernet port. When the system is faulty, copy
the traffic of a certain port to the other port and output the traffic for traffic observation,
network fault diagnosis, and data analysis.
----End
Example
Assume that Ethernet port 0/8/0 is an optical port, the port rate is 1000 Mbit/s in duplex mode,
supporting flow control and auto-negotiation function is disabled. To perform the configurations,
do as follows:
Prerequisites
The Ethernet board must be configured in the system.
Context
l The SCU board supports a maximum of three Ethernet port aggregation groups.
l One aggregation group supports a maximum of six Ethernet ports.
l The Link Aggregation Control Protocol (LACP) is supported by the aggregated port with
the static attribute but not supported by the manually aggregated port.
l Multiple physical ports can be aggregated only if they meet the following requirements:
The port must work in the full duplex mode.
The port does not work in the auto negotiation mode.
The rates of all the ports must be the same, and cannot be configured in the auto
negotiation mode.
The attributes, such as the default VLAN (PVID) and VLAN of all the ports must be
the same.
One port belongs to only one aggregation group.
No mirror destination port is included.
Procedure
Step 1 Run the interface scu command to enter the SCU mode.
Step 2 Run the link-aggregation command to configure the Ethernet port aggregation.
Step 3 Run the display link-aggregation command to query the information about the aggregated port.
----End
Example
To aggregate Ethernet ports 0 and 1, do as follows:
huawei(config)#interface scu 0/7
huawei(config-if-scu-0/7)#duplex 0 full
huawei(config-if-scu-0/7)#duplex 1 full
huawei(config-if-scu-0/7)#speed 0 1000
huawei(config-if-scu-0/7)#speed 1 1000
huawei(config-if-scu-0/7)#quit
huawei(config)#link-aggregation 0/7 0-1 ingress
huawei(config)#display link-aggregation all
---------------------------------------------------------------------
Master port Link-aggregation mode Port NUM Work mode
---------------------------------------------------------------------
0/ 7/0 ingress 2 manual
---------------------------------------------------------------------
Total: 1 link-aggregation(s)
Background Information
The MA5600 can work in the L2 DHCP relay mode or L3 DHCP relay mode to forward the
DHCP packets exchanged between the user and the DHCP server. By default, the MA5600
works in the L2 DHCP relay mode. In this mode, the MA5600 transparently transmits the DHCP
packets initiated by the user and configurations are not required. The L3 DHCP relay mode can
be classified into three working modes:
l DHCP standard mode
In this mode, the MA5600 identifies the VLAN to which the user belongs and binds
different VLANs to the corresponding DHCP server groups.
Configure the DHCP standard mode as follows: Configure the working mode of the DHCP
relay. Configure the DHCP server group. Bind VLANs to DHCP server groups.
l DHCP option 60 mode
The MA5600 differentiates the DHCP packets transmitted from the user terminal according
to the DHCP option 60 field in the packets, and binds different DHCP option 60 domains
to the corresponding DHCP server groups.
Configure the DHCP option 60 mode as follows: Configure the working mode of the DHCP
relay. Configure the DHCP server group. Create DHCP option 60 field. Bind DHCP option
60 domains to DHCP server groups.
l Configuration mode of the MAC address segment
The MA5600 differentiates users according to the MAC address segment of the user
terminals, and binds different MAC address segments to the corresponding DHCP server
group.
Configure the MAC address segment mode as follows: Configure the working mode of the
DHCP relay. Configure the DHCP server group. Define the MAC address segment. Bind
MAC address segments to DHCP server groups.
NOTE
The MA5600 supports the DHCP option 82 to ensure the security of the DHCP function. For the
configuration related to the DHCP option 82 feature, see 1.13.2 Configuring Anti-Theft and Roaming
of User Accounts Through DHCP.
Prerequisites
A VLAN must be created. For details, see 1.10 Configuring a VLAN.
Procedure
Step 1 Configure the DHCP forwarding mode.
In the global config mode, run the dhcp mode layer-3 standard command to configure the
DHCP relay mode to standard L3 DHCP relay mode (layer-3, standard). If keyword VLAN is
selected and VLANID is entered, this configuration takes effect only for this VLAN.
NOTICE
The IP address of the DHCP server configured here must be the same as the IP address
of the DHCP server on the network side.
2. (Optional) Run the dhcp server mode command to configure the working mode of the
DHCP server.
The DHCP servers in the DHCP server group can work in the load balancing mode or
active/standby mode. By default, they work in the load balancing mode.
2. In the VLANIF mode, run the ip address command to configure the IP address of the
VLAN L3 interface.
After the configuration is completed, this IP address is used as the source IP address for
forwarding the IP packets in the VLAN at L3.
NOTICE
l If only an L2 device exists between the MA5600 and the DHCP server, the IP address
of the VLAN L3 interface needs to be in the same subnet as the IP address of the DHCP
server.
l If the upper-layer device of the MA5600 is an L3 device, the IP address of the VLAN
L3 interface and the IP address of the DHCP server can be in different subnets; however,
a route must exist between the VLAN L3 interface and the DHCP server. For details,
see 2.2 Configuring the Route.
3. In the VLANIF mode, run the dhcp-server command to bind the DHCP server to the
VLAN.
This command requires parameter group-number, the value of which is the number of the
created DHCP server group.
----End
Example
Assume that server group 1 contains two DHCP servers working in active/standby mode, with
the maximum response time of 20s, the maximum count of response timeout of 10, the IP address
of the primary server 10.1.1.9 and the IP address of the secondary server 10.1.1.10. To bind
server group 1 to users in VLAN 2 (with the IP address of the L3 interface 10.1.1.101), do as
follows:
Prerequisites
A VLAN must be created. For details, see 1.10 Configuring a VLAN.
Before the configuration, determine the option60 domain name of the user terminal.
Background Information
When multiple services are provisioned on the MA5600, such as video multicast and IP
telephone services, the services are provided by different service providers. The service
providers may use different relay IP addresses of the same DHCP server or different DHCP
servers to allocate IP addresses to users. Therefore, configure the users to apply for IP addresses
from the DHCP server in the DHCP option60 mode.
In the DHCP option60 mode, the DHCP server group is selected according to the character string
(namely, domain name) in the option60 of DHCP packets. Here, the option60 domain name and
the DHCP server group to which the domain name is bound need to be configured beforehand.
In this mode, users are differentiated according to the domain information in the packet, and
different service types in the same VLAN can also be differentiated.
Procedure
Step 1 Configure the DHCP forwarding mode.
In the global config mode, run the dhcp mode layer-3 option60 command to configure the
DHCP relay mode to L3 option60 mode (layer-3, option60). If keyword VLAN is selected and
VLANID is entered, this configuration takes effect only for this VLAN.
Step 2 Configure the DHCP server group.
1. In the global config mode, run the dhcp-server command to create a DHCP server group.
l igroup-number: Indicates the number of the DHCP server group. It identifies a server
group. You can run the display dhcp-server all-group command to query the DHCP
server groups that are already configured and select a DHCP server group number that
is not used by the system.
l ip-addr: Indicates the IP address of the DHCP server in the DHCP server group. Up to
four IP addresses can be entered.
NOTICE
The IP address of the DHCP server configured here must be the same as the IP address
of the DHCP server on the network side.
2. (Optional) Run the dhcp server mode command to configure the working mode of the
DHCP server.
The DHCP servers in the DHCP server group can work in the load balancing mode or
active/standby mode. By default, they work in the load balancing mode.
Step 3 Create a DHCP option60 domain.
In the global config mode, run the dhcp domain command to create a DHCP domain, and then
enter the DHCP domain mode. The option60 domain name needs to be configured according to
the type of the terminal connected to the device. For the DHCP client installed with the Windows
98/2000/XP/NT series of OSs, the domain name must be msft.
Step 4 Bind the DHCP option60 domain to the DHCP server group.
In the option60 domain mode, run the dhcp-server command to bind the DHCP domain to the
DHCP server group. After the configuration is completed, the DHCP clients belonging to the
DHCP correspond to the DHCP server group.
Step 5 Configure the IP address of the gateway corresponding to the DHCP domain.
1. In the global config mode, run the interface vlanif command to create a VLAN L3
interface.
The VLAN ID must be the same as the ID of the VLAN described in the prerequisite.
2. In the VLANIF mode, run the ip address command to configure the IP address of the
VLAN L3 interface.
After the configuration is completed, this IP address is used as the source IP address for
forwarding the IP packets in the VLAN at L3.
NOTICE
l If only an L2 device exists between the MA5600 and the DHCP server, the IP address
of the VLAN L3 interface needs to be in the same subnet as the IP address of the DHCP
server.
l If the upper-layer device of the MA5600 is an L3 device, the IP address of the VLAN
L3 interface and the IP address of the DHCP server can be in different subnets; however,
a route must exist between the VLAN L3 interface and the DHCP server. For details,
see 2.2 Configuring the Route.
3. In the VLANIF mode, run the dhcp domain gateway command to configure the IP address
of the gateway corresponding to the DHCP domain.
The IP address of the gateway must be a configured IP address of the VLAN interface.
Under the same VLAN interface, different option60 domains can be configured with
different gateways. Therefore, different DHCP servers can be selected according to the
domain information in the packet.
----End
Example
Assume that server group 2 contains two DHCP servers working the load balancing mode, with
the IP address of the primary server 10.10.10.10 and the IP address of the secondary server
10.10.10.11. To bind server group 2 to users whose option60 domain name is msft in VLAN 2
(with the IP address of the L3 interface 10.1.2.1/24), do as follows:
huawei(config)#dhcp mode layer-3 Option60
huawei(config)#dhcp-server 2 ip 10.10.10.10 10.10.10.11
huawei(config)#dhcp domain msft
huawei(config-dhcp-domain-msft)#dhcp-server 2
huawei(config-dhcp-domain-msft)#quit
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.1.2.1 24
huawei(config-if-vlanif2)#dhcp domain msft gateway 10.1.2.1
Prerequisites
A VLAN must be created. For details, see 1.10 Configuring a VLAN.
Background Information
In the networking, devices of various manufacturers may exist on the network. The devices of
each manufacturer have a fixed MAC address segment. In this case, the IP address can be
obtained from the DHCP server through DHCP relay in the MAC address segment configuration
mode.
The MA5600 can select the DHCP server based on the MAC address segment. After the
configuration is completed, clients in this MAC address segment obtain IP addresses from the
corresponding DHCP server.
Procedure
Step 1 Configure the DHCP forwarding mode.
In the global config mode, run the dhcp mode layer-3 mac-range command to configure the
DHCP relay mode to L3 MAC address segment mode (layer-3, mac-range). If keyword
VLAN is selected and VLANID is entered, this configuration takes effect only for this VLAN.
NOTICE
The IP address of the DHCP server configured here must be the same as the IP address
of the DHCP server on the network side.
2. (Optional) Run the dhcp server mode command to configure the working mode of the
DHCP server.
The DHCP servers in the DHCP server group can work in the load balancing mode or
active/standby mode. By default, they work in the load balancing mode.
Step 4 Bind the DHCP server group to the MAC address segment.
In the MAC address segment configuration mode, run the DHCP-server command to bind a
DHCP server group to the MAC address segment.
Step 5 Configure the IP address of the gateway corresponding to the MAC address segment.
1. In the global config mode, run the interface vlanif command to create a VLAN L3
interface.
The VLAN ID must be the same as the ID of the VLAN described in the prerequisite.
2. In the VLANIF mode, run the ip address command to configure the IP address of the
VLAN L3 interface.
After the configuration is completed, this IP address is used as the source IP address for
forwarding the IP packets in the VLAN at L3.
NOTICE
l If only an L2 device exists between the MA5600 and the DHCP server, the IP address
of the VLAN L3 interface needs to be in the same subnet as the IP address of the DHCP
server.
l If the upper-layer device of the MA5600 is an L3 device, the IP address of the VLAN
L3 interface and the IP address of the DHCP server can be in different subnets; however,
a route must exist between the VLAN L3 interface and the DHCP server. For details,
see 2.2 Configuring the Route.
3. In the VLANIF mode, run the dhcp mac-range gateway command to configure the IP
address of the gateway corresponding to the DHCP domain.
The IP address of the gateway must be a configured IP address of the VLAN interface.
Under the same VLAN interface, different MAC address segments can be configured with
different gateways. Therefore, different DHCP servers can be selected according to the
MAC address segment information in the packet.
----End
Example
Assume that server group 2 contains two DHCP servers working the load balancing mode, with
the IP address of the primary server 10.10.10.10 and the IP address of the secondary server
10.10.10.11. To bind server group 2 to certain users (whose MAC address is in the range from
0000-0000-0001 to 0000-0000-0100) in VLAN 2, do as follows:
huawei(config)#dhcp mode layer-3 mac-range
huawei(config)#dhcp-server 2 ip 10.10.10.10 10.10.10.11
huawei(config)#dhcp mac-range huawei
huawei(config-mac-range-huawei)#mac-range 0000-0000-0001 to 0000-0000-0100
huawei(config-mac-range-huawei)#dhcp-server 2
huawei(config-mac-range-huawei)#quit
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.1.2.1 24
huawei(config-if-vlanif2)#dhcp mac-range huawei gateway 10.1.2.1
Prerequisites
The VLAN to be added does not exist in the system.
Application Context
VLAN application is specific to user types. For details on the VLAN application, see Table
1-3.
Default Configuration
Table 1-4 lists the default parameter settings of VLAN.
Default VLAN of VLAN ID: 1 You can run the defaultvlan modify
the system Type: MUX VLAN command to modify the VLAN type but
cannot delete the VLAN.
Reserved VLAN VLAN ID range: You can run the vlan reserve command to
of the system 4079-4093 modify the VLAN reserved by the system.
Procedure
Step 1 Create a VLAN.
Run the vlan to create a VLAN. VLANs of different types are applicable to different scenarios.
Smart To add a smart VLAN, One smart VLAN may Smart VLANs are
VLAN run the vlan vlanid contain multiple xDSL applied in residential
smart command. service ports. The traffic communities to provide
streams of the service xDSL access.
ports are isolated from
each other and the traffic
streams in different
VLANs are isolated from
each other. One smart
VLAN provides access
for multiple users and
thus saves VLAN
resources.
MUX To add a MUX VLAN, One MUX VLAN MUX VLANs are
VLAN run the vlan vlanid contains only one xDSL applicable to xDSL
mux command. service port. The traffic service access. For
streams in different example, MUX VLANs
VLANs are isolated from can be used to distinguish
each other. One-to-one users.
mapping can be set up
between a MUX VLAN
and an access user.
Hence, a MUX VLAN
can identify an access
user.
Super To add a super VLAN, The super VLAN is based Super VLANs can be
VLAN run the vlan vlanid on layer 3. One super used for the L3
super command. VLAN contains multiple intercommunication and
sub-VLANs. Through an are applicable to the
ARP proxy, the sub- scenario where saving IP
VLANs in a super VLAN addresses and improving
can be interconnected at the usage of IP addresses
layer 3. are required.
For a super VLAN, sub-
VLANs must be
configured. You can run
the supervlan command
to add a sub-VLAN to a
specified super VLAN. A
sub-VLAN must be a
smart VLAN or a MUX
VLAN.
NOTE
l To add VLANs with consecutive IDs in batches, run the vlan vlanid to end-vlanid command.
l To add VLANs with inconsecutive IDs in batches, run the vlan vlan-list command.
The default attribute for a new VLAN is "common". You can run the vlan attrib command to
configure the attribute of the VLAN.
Com The default The VLAN with A VLAN with the Applicable to the
mon attribute for a new this attribute can common attribute N:1 access
VLAN is be a standard can function as a scenario.
"common". VLAN, smart common layer 2
VLAN, MUX VLAN or function
VLAN, or super for creating a layer
VLAN. 3 interface.
QinQ To configure QinQ The VLAN with The packets from a Applicable to the
VLA as the attribute of a this attribute can QinQ VLAN enterprise private
N VLAN, run the only be a smart contain two VLAN line scenario.
vlan attrib vlanid VLAN or MUX tags, that is, inner
q-in-q command. VLAN. The VLAN tag from
attribute of a sub the private network
VLAN, the and outer VLAN
VLAN with an L3 tag from the
interface, and the MA5600. Through
default VLAN of the outer VLAN,
the system cannot an L2 VPN tunnel
be set to QinQ can be set up to
VLAN. transparently
transmit the
services between
private networks.
VLA To configure The VLAN with The packets from a Applicable to the
N stacking as the this attribute can stacking VLAN 1:1 access scenario
Stacki attribute of a only be a smart contain two VLAN for the wholesale
ng VLAN, run the VLAN or MUX tags, that is, inner service or
vlan attrib vlanid VLAN. The VLAN tag and extension of
stacking attribute of a sub outer VLAN tag VLAN IDs.
command. VLAN, the from the MA5600. In the case of a
VLAN with an L3 The upper-layer stacking VLAN, to
interface, and the BRAS configure the inner
default VLAN of authenticates the tag of the service
the system cannot access users port, run the
be set to VLAN according to the stacking label
Stacking. two VLAN tags. In command.
this manner, the
number of access
users is increased.
On the upper-layer
network in the L2
working mode, a
packet can be
forwarded directly
by the outer VLAN
tag and MAC
address mode to
provide the
wholesale service
for ISPs.
NOTE
l To configure attributes for the VLANs with consecutive IDs in batches, run the vlan attrib vlanid to end-
vlanid command.
l To configure attributes for the VLANs with inconsecutive IDs in batches, run the vlan attrib vlan-list
command.
----End
Example
Assume that a stacking VLAN with ID of 50 is to be configured for extension of the VLAN. A
service port is added to VLAN 50. The outer VLAN tag 50 of the stacking VLAN identifies the
access device and the inner VLAN tag 10 identifies the user with access to the device. For the
VLAN, description needs to be configured for easy maintenance. To configure such a VLAN,
do as follows:
huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
huawei(config)#service-port vlan 50 adsl 0/2/0 vpi 0 vci 39 rx-cttr 2 tx-cttr 2
huawei(config)#stacking label vlan 50 baselabel 10
huawei(config)#vlan desc 50 description stackingvlan/label10
Background Information
l The port can be bound with the ADSL2+ line profile only when it is in the deactivated state.
l Table 1-7 lists the default settings of the ADSL2+ profile.
l Most of the parameters for an ADSL2+ port can be configured in an ADSL2+ line profile.
After the line profile is configured successfully, it can be used when the ports are activated.
Precautions
The ADSL2+ line profile of the MA5600 supports only the downstream seamless rate adaptation
(SRA).
Procedure
l Configure the ADSL2+ line profile.
Run the adsl line-profile quickadd command to quickly add an ADSL2+ line profile, or
run the interactive adsl line-profile add command to add an ADSL2+ line profile.
Main parameters:
transmode: Indicates the line transmission mode. By default, the system supports all
the transmission modes. The user can adopt the default value for auto-adaptation.
rate: Indicates the line rate. During line activation, a proper rate between the preset
maximum rate and minimum rate is determined through automatic negotiation
according to the line condition and the profile configuration. The user rate can be
restricted by this line rate or the rate set in the traffic profile bound to the user. When
both rates function, the lower one is adopted as the user rate.
snr: Indicates the SNR margin, which refers to the idle space for carrying noise,
excluding the space for carrying signals. Generally, the SNR margin of the minimum
tone is considered as the SNR margin of the entire ADSL connection.
l (Optional) Configure the ADSL2+ extended line profile.
Run the adsl extline-profile quickadd command to quickly add an ADSL2+ extended line
profile, or run the interactive adsl extline-profile add command to add an ADSL2+
extended line profile.
Main parameters:
inp: Indicates impulse noise protection. As a parameter that describes the line capability
of resisting impulse interference, INP affects the port rate. If INP is 1, it indicates that
the current channel can resist the impulse noise in 1 DMT character length. The
interleave delay is related to INP. In the fast mode, INP does not apply.
transmode: The line profile also contains the parameter of transmission mode. When
both the extended line profile and the line profile are configured on the port and the
transmission mode is specified in the extended line profile, the port is activated using
the transmission mode specified in the extended line profile.
If the transmission mode and Annex type are specified in the extended line profile, the
transmission mode configured in the line profile does not take effect. The transmission
mode in the extended line profile works. Table 1-8 lists the mapping between the
transmission mode and the Annex type.
Table 1-8 Mapping between the transmission mode and the Annex type
Annex Annex.A Annex.B Annex.J Annex.L Annex.M
Mode
G992.2 Supported - - - -
T1.413 - - - - -
NOTE
Example
Assume that the channel mode of an ADSL2+ line profile is interleaved, the adaptation mode
for the downstream transmission rate is fixed, the maximum downstream delay is 100 ms, the
maximum upstream delay is 100 ms, the minimum downstream transmission rate is 2048 kbit/
s, the maximum downstream transmission rate is 2048 kbit/s, the minimum upstream
transmission rate is 1000 kbit/s, and the maximum upstream transmission rate is 1100 kbit/s. To
configure such an ADSL2+ line profile, do as follows:
huawei(config)#adsl line-profile quickadd basic-para full-rate trellis 1 bitswap
1 1 channel interleaved 100 100 adapt fixed snr 5 4 9 5 4 9 rate 2048 2048 1000
1100
To quickly add an ADSL2+ extended line profile, whose 34-456 sub-carriers are disabled, and
the L2 power management mode is configured, do as follows:
huawei(config)#adsl extline-profile quickadd missingtone section_1 34-456 1 inp
minimum-inp-downstream noProtection(0) minimum-inp-upstream singleSymbol(1) psd
42 l2 l2state enable minimum-L0-time 60 minimum-L2-time 60 maximum-power-per-L2
3 total-maximum-power 9
Assume that the ID of the profile is 4, all the thresholds on the local/remote end are set to 100s,
the difference between the transmission rate in the channel mode and the former transmission
rate is 1000 kbit/s, and the profile name is test-profile. To quickly configure such an ADSL2+
alarm profile, do as follows:
huawei(config)#adsl alarm-profile quickadd 4 atu-c trap enable 100 100 100 100 1
00 100 100 100 interleaved 1000 1000 fast 1000 1000 atu-r 100 100 100 100 100 10
0 interleaved 1000 1000 fast 1000 1000 name test-profile
Background Information
The SHDSL line profile and alarm profile can be directly bound to an SHDSL port.
SHDSL line profile Profile IDs: 1, 100, 101, 102, and 103
Profile 1 is used to activate the 2-wire ATM SHDSL
port. Profile 100 is used to activate the 4-wire ATM
SHDSL port. Profile 101 is used to activate the 6-
wire ATM SHDSL port. Profile 102 is used to
activate the 8-wire ATM SHDSL port. Profile 103
is used to activate the EFM-bonding SHDSL port.
Procedure
l Configure an SHDSL line profile.
Run the shdsl line-profile quickadd command to quickly add an SHDSL line profile, or
run the shdsl line-profile add command to interactively add an SHDSL line profile.
Main parameters:
ptm: If the SHDSL channel mode is the ATM mode, do not select ptm. If the SHDSL
channel mode is the PTM mode, select ptm.
rate: Indicates the line rate. During line activation, a proper rate between the preset
maximum rate and minimum rate is determined through automatic negotiation
according to the line condition and the profile configuration. The user rate can be
restricted by this rate or the rate set in the traffic profile that is bound to the user. When
both rates function, the lower rate is selected as the user rate.
transmission: Indicates the transmission mode. Set the transmission mode according
to line conditions and actual planning. Three transmission modes are supported: annex
A, annex L, and annex A&B.
snr-margin: The larger the SNR margin, the better the line stability, and meanwhile
the lower the physical connection rate of the line after activation. For common Internet
access users, set the target SNR margin to 3; for users with higher priorities, set the
target SNR margin to 5.
NOTE
When the board supports G.SHDSL.bis (including the extended standard annex F), the maximum rate can
reach 5696 kbit/s.
l Configure an SHDSL alarm profile.
Run the shdsl alarm-profile quickadd command to quickly add an SHDSL alarm profile,
or run the shdsl line-profile add command to interactively add an SHDSL alarm profile.
----End
Example
To add SHDSL line profile 3 with the line rate of 4096 kbit/s, which is used to activate the 4-
wire SHDSL port, do as follows:
huawei(config)#shdsl line-profile quickadd 3 line four-wire rate 4096
Assume that the loop attenuation threshold is 10 dB, SNR margin is 0 dB, ES threshold is 100s,
SES threshold is 100s, CRC abnormality duration threshold is 10000, LOSWS threshold is 100s,
UAS threshold is 100s. To quickly add SHDSL line alarm profile 3 with these parameters, do
as follows:
huawei(config)#shdsl alarm-profile quickadd 3 loop-attenuation 10 snr-margin 0 e
s 100 ses 100 crc-anomaly 10000 losws 100 uas 100
Background Information
A VDSL2 line template consists of a VDSL2 line profile and a VDSL2 channel profile. Before
activating a VDSL2 port, bind a VDSL2 line template to the port. A VDSL2 alarm template
consists of a VDSL2 line alarm profile and a VDSL2 channel alarm profile. Bind a VDSL2
alarm template rather than a VDSL2 line alarm profile or a VDSL2 channel alarm profile to a
VDSL2 port. Figure 1-6 provides the configuration flow of a VDSL2 profile.
Configure a Configure a
VDSL2 line profile VDSL2 line alarm profile
Configure a Configure a
VDSL2 line template VDSL2 alarm template
End End
Procedure
l Configure a VDSL2 line template.
1. Run the vdsl line-profile quickadd command to quickly add a VDSL2 line profile,
or run the vdsl line-profile add command to interactively add a VDSL2 line profile.
Main parameters:
transmode: Indicates the line transmission mode. By default, the system supports
all transmission modes. The default setting can be used. Then, the system
automatically adapts to the transmission mode of the peer end.
snr: Indicates the SNR margin. It refers to the remaining space for carrying noise,
excluding the space for carrying signals. In general, the SNR margin of the
minimum tone is used as the SNR margin of the entire VDSL2 connection.
2. Run the vdsl channel-profile quickadd command to quickly add a VDSL2 channel
profile, or run the vdsl channel-profile add command to interactively add a VDSL2
channel profile.
Main parameters:
path-mode: Indicates the path mode. There are two VDSL2 path modes: ATM
mode and PTM mode. By default, the system supports both modes. If the default
mode is used, the system can automatically adapt to the path mode of the peer end
and therefore the setting of the path mode is not required in this case. To set the
ATM mode as the VDSL2 path mode, select atm. To set the PTM mode as the
VDSL2 path mode, select ptm. The default setting both is recommended. When
both is selected, both modes are supported.
interleaved-delay: Indicates the interleave delay. A zero interleave delay
corresponds to the fast mode. In the fast mode, the interleave delay is short, but
the error correction capability is weak. A non-zero interleave delay corresponds
to the interleave mode. The longer the interleave delay, the greater the interleave
depth. In the interleave mode, the greater the interleave depth, the stronger the error
correction capability, but the longer the delay.
inp: Indicates the impulse noise protection. The INP is a parameter that describes
the line capability of resisting impulse interference. The INP affects the port rate.
If the INP is 1, it indicates that the current channel can resist the impulse noise in
1 DMT character length. The interleave delay is related to the INP. In the fast
mode, the INP is meaningless.
rate: Indicates the line rate. During line activation, a proper rate between the preset
maximum rate and minimum rate is determined through automatic negotiation
according to the line condition and the profile configuration. The user rate can be
restricted by this rate or the rate set in the traffic profile bound to the user. When
both rates function, the lower rate is selected as the user rate.
3. Run the vdsl line-template quickadd command to quickly add a VDSL2 line
template, or run the vdsl line-template add command to interactively add a VDSL2
line template.
A VDSL2 line template consists of a VDSL2 line profile and a VDSL2 channel profile.
To activate a VDSL2 port, bind a VDSL2 line template to the port.
l Configure a VDSL2 alarm template.
1. Run the vdsl alarm-profile quickadd command to quickly add a VDSL2 line alarm
profile, or run the vdsl alarm-profile add command to interactively add a VDSL2
line alarm profile.
2. Run the vdsl channel-alarm-profile quickadd command to quickly add a VDSL2
channel alarm profile, or run the vdsl channel-alarm-profile add command to
interactively add a VDSL2 channel alarm profile.
3. Run the vdsl alarm-template quickadd command to quickly add a VDSL2 alarm
template, or run the vdsl alarm-template add command to interactively add a VDSL2
alarm template.
A VDSL2 alarm template consists of a VDSL2 line alarm profile and a VDSL2
channel alarm profile. Bind a VDSL2 alarm template rather than a VDSL2 line alarm
profile or a VDSL2 channel alarm profile to a VDSL port.
----End
Example
Assume that:
l Downstream rate: 2048 kbit/s
l Channel mode: interleave mode
l Downstream maximum interleave delay: 8 ms
l Upstream maximum interleave delay: 2 ms
l SNR margin: 6 dB
l Downstream minimum INP: 4
l Upstream minimum INP: 2
Background Information
With the system security feature, the Background Information can be protected against the
attacks from the network side or user side, and thus the Background Information can run stably
on the network. System security includes the following items:
l ACL/Packet filtering firewall
l Blacklist
l Anti-DoS attack
l Anti-ICMP/IP attack
l Source route filtering
l Source MAC address filtering
l Allowed/Denied address segment
Background Information
Firewall includes the following items:
l Blacklist: The blacklist function can be used to screen the packets sent from a specific IP
address. A major feature of the blacklist function is that blacklist entries can be dynamically
added or deleted. When firewall detects the attack attempt of a specific IP address according
to the characteristics of packets, firewall actively adds an entry to the blacklist and then
filters the packets from this IP address.
l ACL packet filtering firewall: Configure an ACL to filter data packets. To set a port to
allow only one type of packets to go through, use the ACL to implement the packet filtering
function.
For example, to allow only the packets from source IP address 1.1.1.1 to go through a port
in the inbound direction, do as follows:
1. Configure an ACL rule1, which allows the packets with source IP address 1.1.1.1 to
pass.
2. Configure an ACL rule2, which denies all packets.
3. Run the firewall packet-filter command, and bind rule2 first and then rule1 to the
inbound direction.
NOTE
On the MA5600, an ACL can be activated in two modes. In two modes, the execution priorities on
the sub-rules in one ACL are different.
l Run the firewall packet-filter command to activate an ACL. This mode is applied to the NMS.
For the sub-rules in one ACL, the execution priority is implemented by software. The earlier the
execution priority of the sub-rules in one ACL is configured, the higher the priority.
l Run the packet-filter command to activate an ACL. For the sub-rules in one ACL, the execution
priority is implemented by hardware. The later the execution priority of the sub-rules in one
ACL is configured, the higher the priority.
NOTICE
To ensure device security, firewall must be configured. This is to control the packets that go
through the management port of the device.
Procedure
l Configure firewall blacklist.
Two modes are supported: configuring firewall blacklist by using ACLs or by adding the
source IP addresses of untrusted packets. Choose either mode, or both.
When two modes are configured, the priority of the source IP addresses of untrusted packets
function is higher than the priority of ACLs. That is, the system checks the source IP
addresses of untrusted packets first, and then matches ACLs.
NOTE
The firewall blacklist function only takes effect to the service packets that are sent from the user side.
Configure the firewall blacklist function by using advanced ACLs.
1. Run the acl command to create an ACL. Only advanced ACLs can be used when
the blacklist function is enabled. Therefore, the range of the ACL ID is
3000-3999.
2. Run the rule(adv acl) command to create an advanced ACL.
3. Run the quit command to return to the global config mode.
4. Run the firewall blacklist enable acl-number command to enable the firewall
blacklist function.
Configure the firewall blacklist function by adding the source IP addresses of untrusted
packets.
1. Run the firewall blacklist item command to add the source IP addresses of
untrusted packets to the blacklist.
2. Run the firewall blacklist enable command to enable the firewall blacklist
function.
l Configure the firewall (filtering packets based on the ACL).
1. Run the acl command to create an ACL. Only basic ACLs and advanced ACLs can
be used when packet filtering by firewall is configured. Therefore, the range of the
ACL ID is 2000-3999.
2. Run different commands to create different types of ACLs.
Basic ACL: Run the rule(basic acl) command.
Advanced ACL: Run the rule(adv acl) command.
3. Run the quit command to return to the global config mode.
4. Run the firewall enable command to enable the firewall blacklist function. By default,
the firewall blacklist function is disabled.
To filter the packets of a port based on the basic ACL, enable the firewall blacklist
function.
5. Run the interface meth command to enter the METH mode to configure the firewall
packet filtering rules for an METH interface; run the interface vlanif command to
enter the VLANIF mode configure the firewall packet filtering rules for a VLAN
interface.
6. Run the firewall packet-filter command to apply firewall packet filtering rules to an
interface.
----End
Example
To add IP address 192.168.10.18 to the firewall blacklist with the aging time of 100 min, do as
follows:
huawei(config)#firewall blacklist item 192.168.10.18 timeout 100
huawei(config)#firewall blacklist enable
To add the IP addresses in network segment 10.10.10.0 to the firewall blacklist and bind ACL
3000 to these IP addresses, do as follows:
huawei(config)#acl 3000
huawei(config-acl-adv-3000)#rule deny ip source 10.10.10.0 0.0.0.255 destination
huawei(config-acl-adv-3000)#quit
huawei(config)#firewall blacklist enable acl-number 3000
To deny the users in network segment 172.16.25.0 to access the maintenance Ethernet port with
IP address 172.16.25.28 on the device, do as follows:
huawei(config)#acl 3001
huawei(config-acl-adv-3001)#rule 5 deny icmp source 172.16.25.0 0.0.0.255 destin
ation 172.16.25.28 0
huawei(config-acl-adv-3001)#quit
huawei(config)#firewall enable
huawei(config)#interface meth 0
huawei(config-if-meth0)#firewall packet-filter 3001 inbound
ACL applied successfully
Background Information
The MA5600 supports the following measures to prevent malicious users' attack on the system.
Choose measures according to actual requirements.
l Anti-DoS attack: Indicates the defensive measures taken by the system to receive only a
certain number of control packets sent from a user.
l Anti-ICMP attack: Indicates the defensive measures taken by the system to drop the ICMP
packets sent from the user-side device to the MA5600. This is to prevent the user-side
device from pinging the VLAN interface of the MA5600.
l Anti-IP attack: Indicates the defensive measures taken by the system to drop the IP packets
sent from the user-side device to the MA5600.
l Source route filtering: Indicates the defensive measures taken by the system to filter the IP
packets that are sent by the user and carry the routing option field.
l Source MAC address filtering: Indicates the defensive measures taken by the system to
filter the packets that are sent by the user and carry certain source MAC addresses.
l User-side ring network check: Indicates the defensive measures taken by the system to
check user-side ring networks. In this manner, the system can process ring networks to
prevent ring networks from affecting services.
Procedure
l Configure anti-DoS attack.
Run the security anti-dos enable command to enable anti-DoS attack. After the anti-DoS
attack function is enabled, the system adds the user port to the blacklist if the receive rate
of the control packet of the user reaches a preset value. When anti-DoS attack is disabled,
the system deletes the blacklist.
Application scenario: Two PCs (PC1 and PC2) are connected to the network through the
MA5600. If a malicious user (PC1) sends a large number of protocol control packets to
attack the CPU of the MA5600, the CPU usage of the MA5600 will be over high, and then
the MA5600 is unable to process the services of another user (PC2). To implement anti-
DoS attack, shield the attack port to protect the MA5600 from being attacked.
l Configure anti-ICMP attack.
Run the security anti-icmpattack enable command to enable anti-ICMP attack. Anti-
ICMP attack is used to prevent the user-side device from pinging the VLAN interface of
the MA5600.
Application scenario: Two PCs (PC1 and PC2) are connected to the network through the
MA5600. When PC2 sends a large number of ICMP packets to the VLAN interface, the
services of the user (PC1) that obtains the upper-layer DHCP information through the same
VLAN interface will be abnormal. To implement anti-ICMP attack, directly drop the user-
side ICMP packets if the IP address of the VLAN interface on the MA5600 is its destination
IP address.
l Enable anti-IP attack.
Run the security anti-ipattack enable command to enable anti-IP attack. The anti-IP attack
is used to prevent user-side IP packets from attacking the L3 interface of the device or to
prevent illegal users from logging in to the device through telnet.
Application scenario: When a PC sends the packets with the address of VLAN x as the
destination IP address to VLANIF x, it may send a large number of packets to attack the
device, causing the device to fail to process normal services; when a user knows the address
of VLAN x, or the user name and password for logging in to the device, it may log in to
the device through telnet to randomly change the configurations of the device. To prevent
the two preceding cases, the device needs to implement anti-IP attack. With this feature,
the device drops the packets with the address of the device interface as the destination IP
address to prevent the user from attacking the device.
l Enable the source route filtering function.
Run the security source-route enable command to enable the source route filtering
function. This function is used to filter the packets that carry the routing information and
are reported to the L3 switch.
Application scenario: In general, routes are dynamic and application does not control route
selection. The sender can add the routing information to IP packets through the source route
to perform route selection. In this case, packets go along a specific route on the network
according to the intention of the sender. To prevent the preceding cases, enable the source
route filtering function. Then the MA5600 performs validity check on IP packets and drops
the packets that match the source route options.
l Configure the MAC address filtering function.
Run the security mac-filter command to enable the MAC address filtering function.
Application scenario: To prevent users from forging the MAC address of the network-side
device, or forging certain renowned MAC addresses, set the MAC address of the network-
side as the MAC address to be filtered.
----End
Example
To enable the anti-DoS attack function and anti-IP attack function, do as follows:
huawei(config)#security anti-dos enable
huawei(config)#security anti-ipattack enable
Background Information
Each firewall can be configured with up to 10 address segments.
When adding an address segment, ensure that the start address does not repeat an existing start
address.
To delete an address segment, you only need to enter the start address of the address segment.
Procedure
l Configure the permitted/denied IP address segment for the access through Telnet.
1. Run the sysman firewall telnet enable command to enable the firewall function for
the access through Telnet. By default, the firewall function of the system is disabled.
2. Run the sysman ip-access telnet command to configure the IP address segment that
is permitted to access the device through Telnet.
NOTICE
To ensure the device security, apply the minimum authorization principles. That is,
configure the permitted IP address segment, and add only the necessary management
IP address segment. IP addresses other than have been specified are not permitted to
access the device through the management port.
3. Run the sysman ip-refuse telnet command to configure the IP address segment that
is forbidden to access the device through Telnet.
NOTE
The permitted IP address segment and the denied IP address segment are not overlap and only the
user whose IP address is in the permitted address segment and is not in the denied address segment
can access the device.
l Configure the permitted/denied IP address segment for the access through SSH.
1. Run the sysman firewall ssh enable command to enable the firewall function for the
access through SSH. By default, the firewall function of the system is disabled.
2. Run the sysman ip-access ssh command to configure the IP address segment that is
permitted to access the device through SSH.
NOTICE
To ensure the device security, apply the minimum authorization principles. That is,
configure the permitted IP address segment, and add only the necessary management
IP address segment. IP addresses other than have been specified are not permitted to
access the device through the management port.
3. Run the sysman ip-refuse ssh command to configure the IP address segment that is
forbidden to access the device through SSH.
NOTE
The permitted IP address segment and the denied IP address segment are not overlap and only the
user whose IP address is in the permitted address segment and is not in the denied address segment
can access the device.
l Configure the permitted/denied IP address segment for the access through SNMP (NMS).
1. Run the sysman firewall snmp enable command to enable the firewall function for
the access through SNMP. By default, the firewall function of the system is disabled.
2. Run the sysman ip-access snmp command to configure the IP address segment that
is permitted to access the device through SNMP.
NOTICE
To ensure the device security, apply the minimum authorization principles. That is,
configure the permitted IP address segment, and add only the necessary management
IP address segment. IP addresses other than have been specified are not permitted to
access the device through the management port.
3. Run the sysman ip-refuse snmp command to configure the IP address segment that
is forbidden to access the device through SNMP.
NOTE
The permitted IP address segment and the denied IP address segment are not overlap and only the
user whose IP address is in the permitted address segment and is not in the denied address segment
can access the device.
----End
Example
To enable the firewall function for the access through Telnet, and permit only the users of the
IP address segment 10.10.5.1 10.10.5.254to log in to the device through Telnet, do as follows:
huawei(config)#sysman firewall telnet enable
huawei(config)#sysman ip-access telnet 10.10.5.1 10.10.5.254
To enable the firewall function for the access through SSH, and permit only the users of the IP
address segment 10.10.20.1 10.10.20.254to log in to the device through SSH, do as follows:
huawei(config)#sysman firewall ssh enable
huawei(config)#sysman ip-access ssh 10.10.20.1 10.10.20.254
To enable the firewall function for the access through SNMP, and permit only the users of the
IP address segment 10.10.20.110.10.20.254 to log in to the device through SNMP, do as
follows:
huawei(config)#sysman firewall snmp enable
huawei(config)#sysman ip-refuse snmp 10.10.20.1 10.10.20.254
Background Information
The user security mechanism includes:
l PITP: The purpose of the PITP feature is to provide the user physical location information
for the upper-layer authentication server. After the BRAS obtains the user physical location
information, the BRAS binds the information to the user account for authentication, thus
protecting the user account against theft and roaming.
l DHCP option 82: The user physical location information is added to the option 82 field in
the DHCP request sent by the user. The information is used by the upper-layer
authentication server for authenticating the user, thus protecting the user account against
theft and roaming.
l IP address binding: The IP address of the user is bound to the corresponding service port
for authenticating the user, thus ensuring the security of the authentication.
l MAC address binding: The MAC address is bound to the service port, thus preventing the
access of illegal users.
l Anti-MAC spoofing: It is a countermeasure taken by the system to prevent a user from
attacking the system with a forged MAC address.
l Anti-IP spoofing: It is a countermeasure taken by the system to prevent a user from attacking
the system with a forged IP address
l User-side ring network detection.
Table 1-11 lists the default settings of the user security mechanism.
DHCP option Global function: disabled The DHCP option 82 function can
82 Port-level function: enabled be enabled only when the functions
at all levels are enabled.
Application Context
PITP is a member of Huawei Group Management Protocol (HGMP) family. It is used for
providing the user port information for the BRAS. After the BRAS obtains the user port
information, the BRAS binds the user account to the user port, thus protecting the user account
against theft and roaming. PITP has two modes, the PPPoE+ mode (also called the PITP P mode)
and the VBAS mode (also called the PITP V mode).
PITP is applicable to the networking of a standalone MA5600 and the networking of subtended
MA5600s.
l In the networking of a stand-alone MA5600: Two PCs (PC1 and PC2) are connected to
different ports of the MA5600 for the dialup access.
l In the networking of subtended MA5600s: Two PCs (PC1 and PC2) are connected to
different MA5600s (PC1 is connected to the MA5600, and PC2 is connected to the
MA5600 through a subtended device) for the dialup access.
The principles in the two scenarios are similar. The user dials up from PC1 by using the
corresponding user account. The BRAS binds the user account to the user's physical port
information reported by the MA5600. When the user of PC2 dials up by using the user account
of PC1, the BRAS discovers that the user account does not match the physical port information
and thus rejects the dialup access request of PC2.
Default Configuration
Table 1-12 lists the default settings related to PITP.
Procedure
Step 1 Configure the relay agent information option (RAIO). Before using the PITP function, you must
configure RAIO.
l Run the raio-mode mode pitp-pmode command to configure the RAIO mode in the PITP
P mode.
l Run the raio-mode mode pitp-vmode command to configure the RAIO mode in the PITP
V mode.
The PITP P mode supports all the RAIO modes; the PITP V mode currently supports only the
common, cntel, and userdefine modes.
user-defined: Indicates the user-defined mode. In this mode, you need to run the raio-format
command to configure the RAIO format. Select a corresponding keyword for configuring the
RAIO format according to the PITP mode.
l In the PITP P mode, run the raio-format pitp-pmode command to configure the RAIO
format.
l In the PITP V mode, run the raio-format pitp-vmode command to configure the RAIO
format.
In the case of the user-defined RAIO format, configure the circuit ID (CID) and the remote ID
(RID). If the access mode is not selected, the configured format applies to all access modes. If
the access mode is selected, the configured format applies to only this access mode. The CID
format and RID format in the PITP V mode are the same:
In the PITP V mode, run the pitp vmode ether-type command to set the Ethernet protocol
type to be the same as that of the BRAS. Then, run the pitp enable vmode command to
enable global PITP V mode.
NOTE
The Ethernet protocol type of the PITP V mode must be configured when the PITP V mode is disabled.
2. Port-level PITP function: Run the pitp port or pitp board command to configure the port-
level PITP function. By default, the port-level PITP function is enabled.
----End
Example
Assume that:
l RAIO mode: user-defined mode
l CID format for the ATM access mode: shelf ID/slot ID/port ID: VPI.VCI
l CID format for the Ethernet access mode: shelf ID/slot ID/port ID: VLAN ID
To enable the PITP P mode on port 0/2/0, do as follows:
huawei(config)#raio-mode user-defined pitp-pmode
huawei(config)#raio-format pitp-pmode cid atm anid atm frame/slot/port:vpi.vci
huawei(config)#raio-format pitp-pmode cid eth anid eth frame/slot/port:vlanid
huawei(config)#raio-format pitp-pmode rid atm plabel
huawei(config)#raio-format pitp-pmode rid eth plabel
huawei(config)#pitp enable pmode
huawei(config)#pitp port 0/2/0 enable
Assume that:
l RAIO mode: user-defined mode
l CID/RID format for the ATM access mode: shelf ID/slot ID/port ID: VPI.VCI
l CID/RID format for the Ethernet access mode: shelf ID/slot ID/port ID: VLAN ID
To set the Ethernet protocol type of VBRAS packets to be the same as that of the upper-layer
BRAS, namely, 0x8500, and enable the PITP V mode on port 0/3/0, do as follows:
huawei(config)#raio-mode user-defined pitp-vmode
huawei(config)#raio-format pitp-vmode atm anid atm frame/slot/port:vpi.vci
huawei(config)#raio-format pitp-vmode eth anid eth frame/slot/port:vlanid
huawei(config)#pitp vmode ether-type 0x8500
huawei(config)#pitp enable vmode
huawei(config)#pitp port 0/3/0 enable
Background Information
The option 82 field contains the circuit ID (CID), remote ID (RID), and sub-option 90 field
(optional), which provides the information such as the user shelf ID, slot ID, port ID, VPI, and
VCI.
The MA5600 can work in the L2 DHCP forwarding mode or L3 DHCP forwarding mode. In
either mode, anti-theft and roaming of user accounts through DHCP option 82 can be configured,
and the configurations are the same.
Table 1-13 lists the default settings related to DHCP option 82.
Procedure
Step 1 Configure the RAIO. The RAIO is the short form for relay agent information option. Before
using the DHCP function, you must configure the RAIO.
Run the dhcp option82 command to enable the DHCP option 82 function on the system and
port. By default, the DHCP option 82 function is disabled globally.
The DHCP option 82 function can be enabled or disabled at two levels. The DHCP option 82
function takes effect only when it is enabled at the two levels.
1. System level: Run the dhcp option82 command to enable the DHCP option 82 function
globally. By default, the DHCP option 82 function is disabled globally.
2. Port level: Run the dhcp option82 board or dhcp option82 port command to enable the
DHCP option 82 function for a board or port. By default, the DHCP option 82 function for
a board or port is enabled.
----End
Example
Assume that:
l RAIO mode: user-defined mode
l CID format for the ETH access mode: shelf ID/slot ID/sub slot ID/port ID: vlanid
l RID format for all access modes: label of the service port
Background Information
Anti-IP spoofing is to dynamically trigger the IP address binding, thus preventing illegal users
from stealing the IP address of legal users. When anti-IP spoofing is enabled, a user port is bound
to an IP address after the user goes online. Then, the user cannot go online through this port by
using other IP addresses, and any user cannot go online through other ports by using this IP
address.
The major function of anti-MAC spoofing is to prevent illegal users from forging the MAC
address of legal users. The purpose is to ensure that the service of legal users is not affected.
Anti-MAC spoofing is applied to PPPoE and DHCP access users.
IP address binding refers to binding an IP address to a service port. After the binding, the service
port permits only the packet whose source IP address is the bound address to go upstream, and
discards the packets that carry other source IP addresses.
MAC address binding refers to binding a MAC address to a service port. After the binding, only
the user whose MAC address is the bound MAC address can access the network through the
service port. The MA5600 does not support the direct binding of a MAC address. Instead, the
binding between a service port and a MAC address is implemented through setting a static MAC
address entry of a port and setting the maximum number of learnable MAC addresses to 0.
Procedure
l Configure anti-IP spoofing.
Run the security anti-ipspoofing command to configure the anti-IP spoofing function. By
default, the anti-IP spoofing function is disabled.
NOTE
When anti-IP spoofing is enabled after a user is already online, the IP address of this user is not bound by
the system. As a result, the service of this user is interrupted, this user goes offline, and the user needs to
go online again. Only the user who goes online after anti-IP spoofing is enabled can have the IP address
bound.
l Configure anti-MAC spoofing.
NOTICE
To ensure device security, it is recommended that you enable this function.
When anti-MAC spoofing is enabled after a user is already online, the MAC address of this user is not
bound by the system. As a result, the service of this user is interrupted, this user goes offline, and the user
needs to go online again. Only the user who goes online after anti-MAC spoofing is enabled can have the
MAC address bound.
l Bind an IP address.
Run the bind ip command to bind an IP address to a service port.
To permit only the users of certain IP addresses to access the system so that illegal users
cannot access the system by using the IP addresses of legal users, configure the IP address
binding.
l Bind a MAC address.
1. Run the mac-address static command to add a static MAC address.
2. Run the mac-address max-mac-count command to set the maximum number of
learnable MAC addresses to 0. By default, the maximum number of learnable MAC
addresses of a port in the system is 255.
This parameter is to limit the maximum number of the MAC addresses that can be
learned through one account, that is, to limit the maximum number of the PCs that
can access the Internet through one account.
----End
Example
To enable anti-IP spoofing in service VLAN 10, do as follows:
huawei(config)#security anti-ipspoofing enable vlan 10
To enable anti-MAC spoofing for service VLAN 10, and set the maximum number of MAC
addresses that can be bound to service port 0/2/1 in this VLAN to 7, do as follows:
huawei(config)#security anti-macspoofing enable vlan 10
huawei(config)#security anti-macspoofing max-mac-count 0/2/1 user-vlan 10 7
To bind IP address 10.10.10.2 to the ADSL2+ service port whose physical port is 0/3/0, VPI/
VCI is 0/35, and user-side VLAN is 100, do as follows:
huawei(config)#bind ip adsl 0/3/0 vpi 0 vci 35 user-vlan 100 10.10.10.2
To bind static MAC address 1010-1010-1010 to the ADSL2+ service port whose physical port
is 0/3/0, VPI/VCI is 0/35, and user-side VLAN is 100, and set the maximum number of learnable
dynamic MAC addresses to 10, do as follows:
Background Information
l By default, the ring network detection on the user side is disabled.
l After the ring network detection on the user side is enabled, the system automatically detects
the ring network on the user side.
l By default, the ring detection mode on the user side is private BPDU. You can set the ring
detection mode to private Ethernet mode. The private BPDU mode and the private Ethernet
mode are mutually exclusive.
l If you set the ring detection mode to private BPDU:
The ring between ports on the user side can be detected and the packet receive ports are
blocked.
When you need to detect the ring between the user and the upstream port, the STP
function needs to be enabled.
The ring between two devices of the same type can be detected only if the detection
modes of the two devices are set to private BPDU.
l If you set the ring detection mode to private Ethernet:
The ring between ports on the user side can be detected and the packet transmit ports
are blocked.
When you need to detect the ring between the user and the upstream port, the STP
function need not be enabled and the user ports are blocked.
The ring between two devices cannot be detected.
NOTICE
To ensure the device security, it is recommended that you enable the ring network detection on
the user side.
Procedure
Step 1 Run the ring check enable command to enable the ring network detection on the user side.
Step 2 Run the ring check mode command to set the detection mode of the ring network on the user
side.
Step 3 Run the display ring check config command to query the status of the ring network detection
on the user side.
----End
Example
To enable the ring network detection on the user side and set the detection mode to private
Ethernet, do as follows:
hauwei(config)#ring check enable
huawei(config)#ring check mode private-ethtype
huawei(config)#display ring check config
Ring checking function is enabled
Background Information
AAA refers to authentication, authorization, and accounting. In the process that a user accesses
network resources, through AAA, certain rights are authorized to the user if the user passes
authentication, and the original data about the user accessing network resources is recorded.
l Authentication: Checks whether a user is allowed to access network resources.
l Authorization: Determines what network resources a user can access.
l Accounting: Records the original data about the user accessing network resources.
Application Context
AAA is generally applied to the users that access the Internet in the PPPoA, PPPoE, 802.1x,
VLAN, WLAN, ISDN, or Admin Telnet (associating the user name and the password with the
domain name) mode.
NOTE
In the existing network, 802.1x and Admin Telnet correspond to the local AAA, that is, the MA5600
functions as a local AAA server; PPPoE corresponds to the remote AAA, that is, the MA5600 functions
as the client of a remote AAA server.
The preceding figure shows that the AAA function can be implemented on the MA5600 in the
following ways:
l The MA5600 functions as a local AAA server. In this case, the local AAA needs to be
configured. The local AAA does not support accounting.
l The MA5600 functions as the client of a remote AAA server, and is connected to the
RADIUS server through the RADIUS protocol, thus implementing the AAA. The RADIUS
protocol, however, does not support authorization.
Background Information
l What is RADIUS:
RADIUS is short for the remote authentication dial-in user service. It is a distributed
information interaction protocol with the client/server structure. Generally, it is used to
manage a large number of distributed dial-in users.
RADIUS implements the user authentication by managing a simple user database, and
adjusts the user service information according to the user service type and rights.
The authentication request of users can be passed on to the RADIUS server through a
network access server (NAS).
l Principles of RADIUS:
When a user tries to access another network (or some network resources) by setting up
a connection to the NAS through a network, the NAS forwards the user authentication
information to the RADIUS server. The RADIUS protocol specifies the means of
transmitting the user information between the NAS and the RADIUS server.
The RADIUS server receives the connection requests of users sent from the NAS,
authenticates the user account and password contained in the user data, and returns the
required data to the NAS.
l Specification:
For the MA5600, the RADIUS is configured based on each RADIUS server group.
In actual networking, a RADIUS server group can be any of the following:
An independent RADIUS server
A pair of primary/secondary RADIUS servers with the same configuration but
different IP addresses
The following lists the attributes of a RADIUS server template:
IP addresses of primary and secondary servers
Shared key
RADIUS server type
l The configuration of the RADIUS protocol defines only the essential parameters for the
information exchange between the MA5600 and the RADIUS server. To make the essential
parameters take effect, the RADIUS server group needs to be referenced in a certain
domain.
Procedure
Step 1 Configure the AAA authentication scheme.
NOTE
l The authentication scheme specifies how all the users in an ISP domain are authenticated.
l The system supports up to 16 authentication schemes. The system has a default accounting scheme
named default. It can only be modified, but cannot be deleted.
l To guarantee normal communication between the MA5600 and the RADIUS server, before
configuring the IP address and UDP port of the RADIUS server, make sure that the route between the
RADIUS server and the MA5600 is in the normal state.
l Make sure that the configuration of the RADIUS service port of the MA5600 is consistent with the
port configuration of the RADIUS server.
3. (Optional) Run the radius-server shared-key command to configure the shared key of the
RADIUS server.
NOTE
l The RADIUS client (MA5600) and the RADIUS server use the MD5 algorithm to encrypt the RADIUS
packets. They check the validity of the packets by setting the encryption key. They can receive the
packets from each other and can respond to each other only when their keys are the same.
l By default, the shared key of the RADIUS server is huawei.
4. (Optional) Run the radius-server timeout command to set the response timeout time of
the RADIUS server. By default, the timeout time is 5s.
The MA5600 sends the request packets to the RADIUS server. If the RADIUS server does
not respond within the response timeout time, the MA5600 re-transmits the request packets
to the RADIUS to ensure that users can obtain corresponding services from the RADIUS
server.
5. (Optional) Run the radius-server retransmit command to set the maximum re-transmit
times of the RADIUS request packets. By default, the maximum re-transmit times is 3.
When the re-transmit times of the RADIUS request packets to a RADIUS server exceeds
the maximum re-transmit times, the MA5600 considers that its communication with the
RADIUS server is interrupted, and thus transmits the RADIUS request packets to another
RADIUS server.
6. (Optional) Run the (undo)radius-server user-name domain-included command to
configure the user name (not) to carry the domain name when transmitted to the RADIUS
server. By default, the user name of the RADIUS server carries the domain name.
l An access user is named in the format of userid@domain-name, and the part followed
by "@" is the domain name. The MA5600 classifies a user into a domain according to
the domain name.
l If a RADIUS server group rejects the user name carrying the domain name, the RADIUS
server group cannot be set or used in two or more domains. Otherwise, when some
access users in different domains have the same user name, the RADIUS server
considers that these users are the same because the names transmitted to the server are
the same.
7. Run the quit command to return to the global config mode.
You can reference an authentication scheme in a domain only after the authentication scheme is created.
In the domain mode, run the authentication-scheme command to reference the authentication
scheme.
You can reference a RADIUS server template in a domain only after the RADIUS server template is created.
1. In the domain mode, run the radius-server template command to reference the RADIUS
server template.
2. Run the quit command to return to the AAA mode.
----End
Example
User1 in the isp domain adopts the RADIUS protocol for authentication. RADIUS server
10.10.66.66 functions as the primary authentication server, and RADIUS server 10.10.66.67
functions as the secondary authentication server. On the RADIUS server, the authentication port
ID is 1812, and the other parameters adopt the default values. To perform the preceding
configuration, do as follows:
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
huawei(config-aaa-authen-newscheme)#authentication-mode radius
huawei(config-aaa-authen-newscheme)#quit
huawei(config-aaa)#quit
Service Requirements
l The RADIUS server performs authentication for user1 in isp1.
l The RADIUS server with the IP address 10.10.66.66 functions as the primary server for
authentication.
l The RADIUS server with the IP address 10.10.66.67 functions as the secondary server for
authentication.
l The authentication port ID is 1812.
l Other parameters adopt the default settings.
Networking
Figure 1-8 shows an example network of the RADIUS authentication.
user1@isp1
user2@isp2
MA5600
user3@isp3
Procedure
Step 1 Configure the authentication scheme.
Create RADIUS server template template1. RADIUS server 10.10.66.66 functions as the
primary authentication server, and RADIUS server 10.10.66.67 functions as the secondary
authentication.
huawei(config)#radius-server template template1
Note: Create a new server template
huawei(config-radius-template1)#radius-server authentication 10.10.66.66 1812
huawei(config-radius-template1)#radius-server authentication 10.10.66.67 1812
secondary
huawei(config-radius-template1)#quit
You can reference an authentication scheme in a domain only after the authentication scheme
is created.
huawei(config-aaa-domain-isp1)#authentication-scheme newscheme
You can reference a RADIUS server template in a domain only after the RADIUS server template
is created.
huawei(config-aaa-domain-isp1)#radius-server template1
huawei(config-aaa-domain-isp1)#quit
----End
Result
User1 in isp1 can be authenticated and can log in to the MA5600.
Configuration Script
aaa
authentication-scheme newscheme
authentication-mode radius
quit
quit
radius-server template radtest
Background Information
An access control list (ACL) is used to filter certain packets by a series of preset rules. In this
manner, the objects that need to be filtered can be identified. After the specific objects are
identified, the corresponding data packets are permitted to pass or prohibited from passing
according to the preset policy. The ACL-based traffic filtering process is a prerequisite for
configuring the QoS or user security.
Basic ACL 2000-2999 The rules of a standard ACL are only defined according
to the L3 source IP address for analyzing and processing
data packets.
Advanced ACL 3000-3999 The rules of an advanced ACL are defined according to
the source IP address, destination IP address, type of the
protocol over IP, and features of the protocol (including
TCP source port, TCP destination port, and ICMP
message type).
Compared with the basic ACL, the advanced ACL
contains more accurate, comprehensive, and flexible
rules.
Link layer ACL 4000-4999 A link-layer ACL allows definition of rules according to
the link-layer information such as the source MAC
address, VLAN ID, link-layer protocol type, and
destination MAC address, and the data is processed
accordingly.
When an arrival packet stream matches two or more ACL rules, the matching sequence is as
follows:
l The priority of a customized rule is higher than the priority of all non-customized rules.
l An ACL rule takes effect only when it is within the period of time-range-name. You can
run the display time-range command to query this period and run the time-range
command to set this period.
l If the rules are all customized rules or non-customized rules, and are issued to the physical
port, the matching sequence is from the rule with a higher priority to the rule with a lower
priority. If a rule is matched, no more rules will be matched.
If the rules of an ACL are activated at the same time, the rule with a greater rule ID has
a higher priority.
If the rules of an ACL are activated one by one, the rule activated later has a higher
priority over the one activated earlier.
If the rules of different ACLs are issued to a port, the rule activated later has a higher
priority over the one activated earlier.
NOTE
For the SCUK control board, the matching sequence is from the rule with a higher priority to the
rule with a lower priority. Every rule will be matched.
l If the rules are all customized rules or non-customized rules, and are issued to the routing
interface or firewall, the rule with a smaller rule ID has a higher priority. It is irrelative to
the activation sequence. The rules are used to match packets by rule ID in an ascending
order. Once the rule with a smaller rule ID matches packets, its subsequent rules are not
used. That is, the rules with a greater rule ID take no effect.
Precautions
The ACL is flexible in use. Therefore, the following suggestions on its configuration are
provided:
l It is recommended that you define a general rule, such as permit any or deny any, in each
ACL, so that each packet has a matching traffic rule that determines to forward or filter the
unspecified packet.
l The activated ACL rules share the hardware resources with the protocol modules (such as
DHCP module and IPoA module). In this case, the hardware resources are limited and may
be insufficient. To prevent the failure of enabling other service functions due to insufficient
hardware resources, it is recommended you enable the protocol module first and then
activate ACL rules in the data configuration. If you fail to enable a protocol module, perform
the following steps:
1. Check whether ACL rules occupy too many resources.
2. If ACL rules occupy too many resources, deactivate or delete the unimportant or
temporarily unused ACL configurations, and then configure and enable the protocol
module.
Context
The number of a basic ACL is in the range of 2000-2999.
A basic ACL is only defined according to the L3 source IP address for analyzing and processing
data packets.
Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is
created.
----End
Example
To configure that from 00:00 to 12:00 on Fridays, port 0/0/0 on the MA5600 receives only the
packets from 2.2.2.2, and discards the packets from other addresses, do as follows:
huawei(config)#time-range time1 00:00 to 12:00 fri
huawei(config)#acl 2000
huawei(config-acl-basic-2000)#rule permit source 2.2.2.2 0.0.0.0 time-range time1
huawei(config-acl-basic-2000)#rule deny time-range time1
huawei(config-acl-basic-2000)#quit
huawei(config)#packet-filter inbound ip-group 2000 port 0/0/0
huawei(config)#save
Context
The number of an advanced ACL is in the range of 3000-3999.
Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is
created.
l Run the firewall packet-filter command to activate an ACL. For details, see 1.12.1
Configuring Firewall.
l Perform the QoS operation. For details, see 1.16.2 Configuring Traffic Management Based
on ACL.
----End
Example
Assume that the service board of the MA5600 resides in slot 1 and belongs to a VLAN, and the
IP address of the VLAN L3 interface is 10.10.10.101. To prohibit the ICMP (such as ping) and
telnet operations from the user side to the VLAN interface on the device, do as follows:
huawei(config)#acl 3001
huawei(config-acl-basic-3001)rule 1 deny icmp destination 10.10.10.101 0
huawei(config-acl-basic-3001)rule 2 deny tcp destination 10.10.10.101 0
destination-port eq telnet
huawei(config-acl-basic-3001)quit
huawei(config)#packet-filter inbound ip-group 3001 rule 1 port 0/1/0
huawei(config)#packet-filter inbound ip-group 3001 rule 2 port 0/1/0
huawei(config)#save
Context
The number of a link layer ACL is in the range of 4000-4999.
A link layer ACL can classify traffic according to the following link layer information:
1. Protocol type over Ethernet
2. 802.1p priority
3. VLAN ID
4. Source MAC address
5. Destination MAC address
Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is
created.
l rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this
parameter.
l permit: Indicates the keyword for allowing the data packets that meet related conditions to
pass.
l deny: Indicates the keyword for discarding the data packets that meet related conditions.
l time-range: Indicates the keyword of the time range during which the ACL rule is effective.
Step 4 Activate the ACL.
After an ACL is configured, only an ACL is generated and the ACL does not take effect. You
need to run other commands to activate the ACL. Some common commands are as follows:
l Run the packet-filter command to activate an ACL.
l Perform the QoS operation. For details, see 1.16.2 Configuring Traffic Management Based
on ACL.
----End
Example
To create a link layer ACL rule that allows data packets with protocol type 0x8863 (pppoe-
control message), VLAN ID 12, CoS 1, source MAC address 2222-2222-2222, and destination
MAC address 00e0-fc11-4141 to pass, do as follows:
huawei(config)#acl 4001
huawei(config-acl-link-4001)rule 1 permit type 0x8863 cos 1 source 12
2222-2222-2222 0000-0000-0000 destination 00e0-fc11-4141 0000-0000-0000
huawei(config-acl-basic-4001)quit
huawei(config)#save
Prerequisites
Configuring a user-defined ACL requires a deep understanding of the L2 data frame structure.
Be sure to make a data plan according to the format of the L2 data frame.
Context
The number of a user-defined ACL must be in the range of 5000-5999.
A user-defined ACL rule can be created according to any 32 bytes of the first 80 bytes of a L2
data frame
Table 1-15 lists the meaning of the letters and their offset values.
NOTE
The offset value of each field is the offset value in data frame ETH II+VLAN tag. In a user-defined ACL,
you can use the two parameters of rule mask and offset to extract any bytes from the first 80 bytes of the
data frame. After the comparison with the user-defined rule, the data frame matching the rule is filtered
for related processing.
Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is
created.
----End
Example
Assume that the packet sent from port 0/3/0 to the MA5600 is the QinQ packet containing two
VLAN tags. To change the CoS priority in the outer VLAN tag (VLAN ID: 10) to 5, do as
follows:
huawei(config)#acl 5001
huawei(config-acl-user-5001)#rule 1 permit 8100 ffff 16
NOTE
The type value of a QinQ packet varies according to different vendors. Huawei adopts the default 0x8100. As
shown in Figure 1-9, the offset of this type value needs to be 16 bytes.
huawei(config-acl-user-5001)#rule 10 permit 0a ff 19
NOTE
"19" indicates the ADN operation after an offset of 19 bytes with the header of the packet as the base. "0a" refers
to the value of the inner tag field of the QinQ packet. In this example, the second byte of the inner tag field is a
part of the VLAN ID, which is exactly the value of the inner VLAN ID (VLAN 10).
huawei(config-acl-user-5001)#quit
huawei(config)#traffic-priority inbound user-group 5001 cos 5 port 0/3/0
Background Information
Configuring QoS in the system can provide different quality guarantees for different services.
QoS does not have a unified service model. Therefore, make the QoS plan for networkwide
services before making the configuration solution.
On the MA5600, the key points for implementing QoS are as follows:
l Traffic management
Configuring traffic management can limit the traffic for a user service or user port.
l Queue scheduling
For the service packets that are already configured with traffic management, through the
configuration of queue scheduling, the service packets can be placed into queues with
different priorities, thus implementing QoS inside the system.
In the scenario where users have flexible requirements on implementing QoS for traffic streams,
the ACL can be used to implement flexible traffic classification (see Configuring the ACL),
and then QoS can be implemented for traffic streams.
Overview
The MA5600 supports traffic management for the inbound and outbound traffic streams of the
system. Traffic management can be implemented based on the following two granularities:
l Based on traffic profile
NOTE
For details on configuring traffic classification, see 3.4 Creating an xDSL Service Port.
l Based on ACL rule
In addition, the MA5600 supports rate limit on the Ethernet port and traffic suppression on
inbound broadcast packets and unknown (multicast or unicast) packets.
Background Information
Traffic management based on service port is implemented by creating an IP traffic profile and
then binding the IP traffic profile when creating the service port.
l The system has seven default IP traffic profiles with the IDs of 0-6. You can run the display
traffic table command to query the traffic parameters of the default traffic profiles.
l It is recommended that you use the default traffic profiles. A new IP traffic profile is created
only when the default traffic profiles cannot meet the requirements.
Table 1-16 lists the traffic parameters defined in the IP traffic profiles.
Priority policies The priority policies are classified into the following two types:
l user-cos: Copy the 802.1p priority in the outer VLAN tag of the
packet to the 802.1p priority in the VLAN tag of the outbound
packet.
l user-tos: Copy the ToS priority in the VLAN tag of the packet to the
802.1p priority in the VLAN tag of the outbound packet.
Scheduling There are two types of scheduling policies, which are available only to
policies the inbound packet:
l Tag-In-Package: The system performs scheduling according to the
802.1p priority of the packet.
l Local-Setting: It is the local priority. That is, the system performs
scheduling according to the 802.1p priority specified in the traffic
profile bound to the traffic stream.
NOTE
"Outbound" (upstream) in this document refers to the direction from the user side to the network side, and
"inbound" (downstream) refers to the direction from the network side to the user side.
Procedure
Step 1 Run the display traffic table command to query whether there is a proper traffic profile in the
system.
Check whether an existing traffic profile meets the planned traffic management parameters,
priority policy, and scheduling policy to confirm the index of the traffic profile to be used. If a
proper traffic profile does not exist in the system, create an IP traffic profile.
Step 3 Run the service port command to bind a proper traffic profile.
----End
Example
Assume that the CAR is 2048 kbit/s, 802.1p priority of the outbound packet is 6, and the
scheduling policy of the inbound packet is Tag-In-Package. To add such an IP traffic profile, do
as follows:
huawei(config)#traffic table ip car 2048 priority 6 priority-policy tag-In-Package
Create traffic descriptor record successfully
-----------------------------------------------------------------------------
TD Index : 7
Priority : 6
Priority policy : tag-pri
CAR : 2048 kbps
TD Type : NoClpNoScr
Service category : ubr
Referenced Status: not used
EnPPDISC : on
EnEPDISC : on
Clp01Pcr : 2048 kbps
-----------------------------------------------------------------------------
huawei(config)#display traffic table index 7
-----------------------------------------------------------------------------
TD Index : 7
Priority : 6
Priority policy : tag-pri
CAR : 2048 kbps
TD Type : NoClpNoScr
Service category : ubr
Referenced Status: not used
EnPPDISC : on
EnEPDISC : on
Clp01Pcr : 2048 kbps
-----------------------------------------------------------------------------
Background Information
l The MA5600 supports the rate limitation on only the Ethernet upstream port and does not
support the rate limitation on service ports.
l The limited rate must be an integer multiple of 64.
l Traffic streams exceeding the specified rate are discarded.
Procedure
Step 1 In the global config mode, run the line-rate command to configure upstream rate limitation on
a specified Ethernet port.
The main parameters are as follows:
l target-rate: Indicates the limited rate of the port, in the unit of kbit/s.
l port: Indicates the shelf ID/slot ID/port ID.
Step 2 You can run the display qos-info line-rate port command to query the configured rate limitation
on the specified Ethernet port
----End
Example
To limit the rate of Ethernet port 0/7/0 to 6400 kbit/s, do as follows:
line-rate:
port 0/7/0:
Line rate: 6400 Kbps
Background Information
Traffic suppression can be configured based on a board or based on the port on a board.
Procedure
l Select one of the following modes according to the board configured in the system:
Run the interface scu command to enter the SCU mode.
Run the interface eth command to enter the ETH mode.
Example
To suppress the broadcast packets according to traffic suppression level 8 on port 0 on the SCU
board in slot 0/7, do as follows:
huawei(config)#interface scu 0/7
huawei(config-if-scu-0/7)#display traffic-suppress all
Traffic suppression ID definition:
------------------------------------------------------------------------
NO. Min bandwidth(kbps) Max bandwidth(kbps) Package number(pps)
/Jumbo frame enable(kbps)
------------------------------------------------------------------------
1 6 145 / 884 12
2 12 291 / 1769 24
3 24 582 / 3538 48
4 48 1153 / 7004 95
5 97 2319 / 14082 191
6 195 4639 / 28164 382
7 390 9265 / 56254 763
8 781 18531 / 112508 1526
9 1562 37063 / 225017 3052
10 3125 74126 / 450035 6104
11 6249 148241 / 899997 12207
12 12499 296483 / 1799995 24414
------------------------------------------------------------------------
------------------------------------------------------------------------
PortID Broadcast_index Multicast_index Unicast_index
------------------------------------------------------------------------
0 7 -- 7
1 7 -- 7
2 7 -- 7
3 7 -- 7
4 7 -- 7
5 7 -- 7
------------------------------------------------------------------------
huawei(config-if-scu-0/7)#traffic-suppress all broadcast value 8
huawei(config-if-scu-0/7)#display traffic-suppress 0
Traffic suppression ID definition:
------------------------------------------------------------------------
NO. Min bandwidth(kbps) Max bandwidth(kbps) Package number(pps)
/Jumbo frame enable(kbps)
------------------------------------------------------------------------
1 6 145 / 884 12
2 12 291 / 1769 24
3 24 582 / 3538 48
4 48 1153 / 7004 95
Prerequisite
The ACL and the rule of the ACL must be configured and the port for traffic limit must work
in the normal state.
Background Information
l The traffic statistics are only effective for the permit rules of an ACL.
l The limited traffic must be an integer multiple of 64 kbit/s.
Procedure
Step 1 Run the traffic-limit command to limit the traffic matching an ACL rule on a specified port.
Run this command to set the action to be taken when the traffic received on the port exceeds the
limit value. Two options are available:
l drop: Drop the traffic that exceeds the limit value.
l remark-dscp value: To set the DSCP priority for the traffic that exceeds the limit value, use
this parameter.
Step 2 Run the display qos-info traffic-limit port command to query the traffic limit information on
the specified port.
----End
Example
To limit the traffic that matches ACL 2001 received on port 0/2/0 to 512 kbit/s and add the DSCP
priority tag (af1) to packets that exceed the limit, do as follows:
Prerequisite
The ACL and the sub-rule of the ACL must be configured and the port for traffic limit must
work in the normal state.
Background Information
l The traffic statistics are only valid to permit rules of an ACL.
l The ToS and the DSCP priorities are mutually exclusive. Therefore, they cannot be
configured at the same time.
Procedure
Step 1 Run the traffic-priority command to add a priority tag to the traffic matching an ACL rule on
a specified port.
Step 2 Run the display qos-info traffic-priority port command to query the configured priority.
----End
Example
To add a priority tag to the traffic that matches ACL 2001 received on port 0/2/0, and the DSCP
priority and local priority of the traffic are 10 (af1) and 0 respectively, do as follows:
huawei(config)#traffic-priority inbound ip-group 2001 dscp af1 local-precedence 0
port 0/2/0
huawei(config)#display qos-info traffic-priority port 0/2/0
traffic-priority:
port 0/2/0:
Inbound:
Matches: Acl 2001 rule 5 running
Priority action: dscp af1 local-precedence 0
Prerequisite
The ACL and the sub-rule of the ACL must be configured and the port for traffic statistics must
work in the normal state.
Background Information
The traffic statistics are only valid to permit rules of an ACL.
Procedure
Step 1 Run the traffic-statistic command to enable the statistics collection of the traffic matching an
ACL rule on a specified port.
Step 2 Run the display qos-info traffic-mirror port command to query the statistics information about
the traffic matching an ACL rule on a specified port.
----End
Example
To enable the statistics collection of the traffic that matches ACL 2001 received on port 0/7/0,
do as follows:
huawei(config)#traffic-statistic inbound ip-group 2001 port 0/7/0
huawei(config)#display qos-info traffic-statistic port 0/7/0
traffic-statistic:
port 0/7/0:
Inbound:
Matches: Acl 2001 rule 5 running
0 packet
Related Operation
Table 1-17 lists the related operations for enabling the statistics collection of the traffic matching
an ACL rule.
Table 1-17 Related operation for enabling the statistics collection of the traffic matching an
ACL rule
Operation Run the Command...
monitor the traffic of the mirroring source port by analyzing the traffic that passes the mirroring
destination port.
Prerequisite
The ACL and the rule of the ACL must be configured and the port for traffic mirroring must
work in the normal state.
Background Information
l The traffic statistics are only valid to permit rules of an ACL.
l The destination mirroring port cannot be an aggregation port.
l The system supports only one mirroring destination port and the mirroring destination port
must be the upstream port.
Procedure
Step 1 Run the traffic-mirror command to enable the mirroring of the traffic matching an ACL rule
on a specified port.
Step 2 Run the display qos-info traffic-mirror port command to query the mirroring information
about the traffic matching an ACL rule on a specified port.
----End
Example
To mirror the traffic that matches ACL 2001 received on port 0/2/0 to port 0/7/0, do as follows:
huawei(config)#traffic-mirror inbound ip-group 2001 port 0/2/0 to port 0/7/0
huawei(config)#display qos-info traffic-mirror port 0/2/0
traffic-mirror:
port 0/2/0:
Inbound:
Matches: Acl 2001 rule 5 running
Mirror to: port 0/7/0
Prerequisites
The ACL and the rule of the ACL must be configured and the port for redirection must work in
the normal state.
Context
l The traffic statistics are only valid to permit rules of an ACL.
l Currently, the service ports support only redirection of the traffic matching the ACL rule
to upstream ports. The upstream ports support only redirection of the traffic matching the
ACL rule to ports of the same type.
Procedure
Step 1 Run the traffic-redirect command to redirect the traffic matching an ACL rule on a specified
port.
Step 2 Run the display qos-info traffic-redirect port command to query the redirection information
about the traffic matching an ACL rule on a specified port.
----End
Example
To redirect the traffic that matches ACL 2001 received on port 0/7/0 to port 0/7/1, do as follows:
huawei(config)#traffic-redirect inbound ip-group 2001 port 0/7/0 to port 0/7/1
huawei(config)#display qos-info traffic-redirect port 0/7/0
traffic-redirect:
port 0/7/0:
Inbound:
Matches: Acl 2001 rule 5 running
Redirected to: port 0/7/1
Background Information
The MA5600 supports the three queue scheduling modes: strict priority queue (PQ), weighted
round robin (WRR), and PQ+WRR.
l Strict PQ
The strict PQ gives preference to packets in a queue with a higher priority. The packets of
a lower priority queue can be transmitted only when a queue with a higher priority is empty.
By default, the system adopts the strict PQ mode.
l WRR
The system supports WRR for eight queues. Each queue has a weight value (w7, w6, w5,
w4, w3, w2, w1, and w0 in a descending order) for resource acquisition. In the WRR
scheduling mode, the queues are scheduled in turn, which ensures that each queue can be
scheduled.
Table 1-18 lists the mapping between the queue weights and the actual queues.
Table 1-18 Mapping between the queue weights and the actual queues
7 W7 W7 -
6 W6 W6 -
5 W5 W5 -
4 W4 W4 -
3 W3 W3 W7+W6
2 W2 W2 W5+W4
1 W1 W1 W3+W2
0 W0 W0 W1+W0
Wn: Indicates the weight of queue n. The weight sum of the queues (except the queue with
weight value 255) must be equal to 0 or 100, where 0 indicates that the strict PQ scheduling
mode is used and 255 indicates that the queue is not used.
l PQ+WRR
The system schedules some queues by PQ and schedules the other queues by WRR.
When the specified WRR value is 0, it indicates that the queue is scheduled in the PQ
mode.
The queue scheduled in the PQ mode needs to be the queue that has the highest priority.
The weight sum of the scheduled queues must be equal to 100.
Procedure
Step 1 Run the queue-scheduler command to configure the queue scheduling mode.
Step 2 Run the display queue-scheduler command to query the configuration information about the
queue scheduling mode.
----End
Example
To adopt the WRR scheduling mode and set the weight values of the eight queues to 10, 10, 20,
20, 10, 10, 10, and 10 respectively, do as follows:
huawei(config)#queue-scheduler wrr 10 10 20 20 10 10 10 10
huawei(config)#display queue-scheduler
Queue scheduler mode : WRR
---------------------------------
Queue Scheduler Mode WRR Weight
---------------------------------
0 WRR 10
1 WRR 10
2 WRR 20
3 WRR 20
4 WRR 10
5 WRR 10
6 WRR 10
7 WRR 10
---------------------------------
To adopt the PQ+WRR scheduling mode and set the weight values of the six queues to 20, 20,
10, 30, 10, and 10 respectively, do as follows:
huawei(config)#queue-scheduler wrr 20 20 10 30 10 10 0 0
huawei(config)#display queue-scheduler
Queue scheduling mode: weighted round robin + strict-priority
weight of queue 0: 20%
weight of queue 1: 20%
weight of queue 2: 10%
weight of queue 3: 30%
weight of queue 4: 10%
weight of queue 5: 10%
weight of queue 6: 0%
weight of queue 7: 0%
2 Protocol Configuration
Prerequisite
l The network devices and lines must be in the normal state.
l Service boards must be in the normal state.
l The VPI/VCI configured on the modem side must be 0/35.
Networking
Figure 2-1 shows an example network for configuring the ARP proxy.
PC1 and PC2 are in sub VLAN 10, service ports are isolated, and PC3 is in sub VLAN 20. User
packets can be forwarded in the L3 forwarding mode through the super VLAN interface. The
IP address of the super VLAN interface is 10.0.0.254, and the interface is in the same subnet as
PC1, PC2, and PC3. After the ARP proxy function is enabled, PC1 and PC2 can communicate
with each other, and PC3 can communicate with PC1 and PC2.
Router
MA5600
10.0.0.254/24
VLAN 10 VLAN20
Data Plan
Table 2-1 provides the data plan for configuring the ARP proxy.
Item Data
IP address: 10.0.0.254/24
IP address: 10.0.1.254/24
Configuration Flowchart
Figure 2-2 shows the flowchart for configuring the ARP proxy.
Start
End
Procedure
Step 1 Create a super VLAN.
huawei(config)#vlan 100 super
Step 2 Create sub VLANs, and add them to the super VLAN.
huawei(config)#vlan 10 smart
huawei(config)#vlan 20 mux
huawei(config)#supervlan 100 subvlan 10
huawei(config)#supervlan 100 subvlan 20
NOTE
The IP address of the L3 interface of the standard VLAN must be in the same subnet as the IP address of
the upper-layer router.
NOTE
The IP address of the L3 interface of the super VLAN must be in the same subnet as the IP addresses of
PC1-PC3.
NOTE
Skip substep c in step 6 if you only want PCs in different VLANs to communicate with each other.
----End
Result
After the global ARP proxy function and the ARP proxy function of the super VLAN interface
are enabled, PC1, PC2, and PC3 in different VLANs can communicate with each other.
After the global ARP proxy function, the ARP proxy function of the super VLAN interface, and
that of the sub VLAN interface are enabled, PC1 and PC2 in the same VLAN can communicate
with each other.
Service Requirements
l Two MA5600s that have the routing function are adopted, namely MA5600_A and
MA5600_B. Both of them are running the OSPF routing protocol, and within area 0.
l MA5600_A imports static routes, and MA5600_B is configured with the routing filtering
policy.
Static: 20.0.0.1
30.0.0.1
40.0.0.1
Vlanif2 Vlanif2
10.0.0.1/24 10.0.0.2/24
Procedure
Step 1 Configuring MA5600_A.
1. Configure the IP address of the L3 interface.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.0.0.1 24
huawei(config-if-vlanif2)#quit
2. Enable OSPF and specify the area ID to which the interface belongs.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 10.0.0.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
huawei(config)#router id 1.1.1.1
5. Import static routes into the OSPF routing table to improve its capability of obtaining routes.
huawei(config)#ospf
hawei(config-ospf-1)#import-route static
hawei(config-ospf-1)#quit
3. Enable OSPF and specify the area id to which the interface belongs.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 10.0.0.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
----End
Result
1. MA5600_A and MA5600_B run OSPF successfully and they can communicate well with
each other.
2. After the routing filtering policy is configured on MA5600_B, parts of the three imported
static routes are available while part of them is screened on MA5600_B. That is, routes
from segments 0.0.0.0 and 40.0.0.0 are available, while the route from segment 30.0.0.0 is
screened.
Configuration Script
Configuration on MA5600_A
interface vlanif 2
ip address 10.0.0.1 24
ospf
area 0
network 10.0.0.0 0.0.0.255
quit
quit
router id 1.1.1.1
ip route-static 20.0.0.1 32 vlanif 2
ip route-static 30.0.0.1 32 vlanif 2
ip route-static 40.0.0.1 32 vlanif 2
ospf
import-route static
quit
save
Configuration on MA5600_B
interface vlanif 2
ip address 10.0.0.1 24
acl 2000
rule deny source 30.0.0.0 255.255.255.0
rule permit source any
quit
ospf
area 0
network 10.0.0.0 0.0.0.255
quit
quit
router id 2.2.2.2
ospf
filter-policy 2000 import
quit
save
Service Requirements
In this example network, MA5600_A, MA5600_B, and MA5600_C have the routing function.
It is expected that after the configuration, any two PCs can communicate with each other.
PC_C 1.1.5.1/24
1.1.5.2/24
1.1.2.2/24
1.1.3.1/24
1.1.2.1/24
MA5600_ C 1.1.3.2/24
1.1.1.2/24 1.1.4.2/24
MA5600_ A MA5600_ B
Prerequisite
Configure a native VLAN of the L3 interface of each MA5600 to ensure a normal communication
between MA5600s.
Procedure
Step 1 Configure the IP address of the L3 interface.
The configurations for the three MA5600s are the same. Here, only the configuration of
MA5600_A is considered as an example.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 1.1.1.2 24
huawei(config-if-vlanif2)#quit
huawei(config)#vlan 3 smart
huawei(config)#port vlan 3 0/7 0
huawei(config)#interface vlanif 3
huawei(config-if-vlanif3)#ip address 1.1.2.1 24
huawei(config-if-vlanif3)#quit
----End
Result
After the configuration, an interconnection can be set up between all the hosts and between all
the MA5600s.
Configuration Script
Configuration example of MA5600_A.
vlan 2 smart
port vlan 2 0/7 0
interface vlanif 2
ip address 1.1.1.2 24
quit
vlan 3 smart
port vlan 3 0/7 0
interface vlanif 3
ip address 1.1.2.1 24
quit
ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
Service Requirements
l MA5600_A is subtended with MA5600_B through port 0/7/1, and uses port 0/7/0 to
transmit services in the upstream. In addition, it connects to the management center network
through the WAN.
l RIP is enabled on MA5600_A and MA5600_B so that the administrator can access
MA5600_A and MA5600_B through the RIP route. Then, you can operate and maintain
MA5600_A and MA5600_B.
Management
Center
Router
10.13.24.5/22
GE MA5600_A
Loopback ip
10.15.24.1/26
10.13.2.1/24
Data Plan
Table 2-2 provides the data plan for configuring RIP.
Item Data
RIP version: V2
RIP route filtering policy: filtering routes based on the IP address prefix
list "abc". Only the routes with the IP addresses 10.13.2.1 and 10.13.2.2
can be advertised through the L3 interface of VLAN 100.
RIP version: V2
RIP route filtering policy: filtering routes based on the IP address prefix
list "abc". Only the route with the IP address 10.13.2.2 can be advertised
through the L3 interface of VLAN 10.
Procedure
l Configure MA5600_A.
1. Configure the RIP-supported L3 interface.
huawei(config)#vlan 100 smart
huawei(config)#port vlan 100 0/7 0
huawei(config)#interface vlanif 100
huawei(config-if-vlanif100)#ip address 10.13.24.5 22
huawei(config-if-vlanif100)#quit
huawei(config)#interface loopBack 0
huawei(config-if-loopback0)#ip address 10.13.2.1 24
huawei(config-if-loopback0)#quit
2. Enable RIP.
huawei(config)#rip 1
huawei(config-rip-1)#network 10.13.24.0
huawei(config-rip-1)#network 10.13.2.0
huawei(config-rip-1)#version 2
huawei(config-rip-1)#quit
l Configure MA5600_B.
1. Configure the RIP-supported L3 interface.
huawei(config)#vlan 10 smart
huawei(config)#port vlan 10 0/7 0
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#ip address 10.15.24.2 26
huawei(config-if-vlanif10)#quit
huawei(config)#interface loopBack 0
huawei(config-if-loopback0)#ip address 10.13.2.2 24
huawei(config-if-loopback0)#quit
2. Enable RIP.
huawei(config)#rip 1
huawei(config-rip-1)#network 10.15.24.0
huawei(config-rip-1)#network 10.13.2.0
huawei(config-rip-1)#version 2
huawei(config-rip-1)#quit
----End
Result
The maintenance terminal of the administration center can access MA5600_A and MA5600_B
for operation and maintenance.
Configuration Script
Configuration on MA5600_A
vlan 100 smart
port vlan 100 0/7 0
interface vlanif 100
ip address 10.13.24.5 22
quit
interface loopBack 0
ip address 10.13.2.1 24
quit
rip 1
network 10.13.24.0
network 10.13.2.0
version 2
quit
ip ip-prefix abc permit 10.13.2.1 32
ip ip-prefix abc permit 10.13.2.2 32
rip 1
filter-policy ip-prefix abc export vlanif 100
quit
save
vlan 10 smart
port vlan 10 0/7 1
native-vlan 1 vlan 10
interface vlanif 10
ip address 10.15.24.1 26
quit
rip 1
network 10.15.24.0
quit
Configuration on MA5600_B
vlan 10 smart
port vlan 10 0/7 0
interface vlanif 10
ip address 10.15.24.2 26
quit
interface loopBack 0
ip address 10.13.2.2 24
quit
rip 1
network 10.15.24.0
network 10.13.2.0
version 2
quit
ip ip-prefix abc permit 10.13.2.2 32
rip 1
filter-policy ip-prefix abc export vlanif 10
quit
save
Prerequisite
l The native VLAN must be configured for each upstream port of the MA5600 to ensure
normal communication.
l The OSPF area IDs of the MA5600s must be the same.
Service Requirements
l OSPF is enabled on the four MA5600s.
l MA5600_A is configured with the highest designated router (DR) priority, MA5600_C is
configured with the second highest DR priority, and MA5600_A, as a DR, broadcasts the
link status of the network.
DR
192.1.1.1/24 192.1.4.4/24
192.1.2.2/24 192.1.3.3/24
BDR
Data Plan
Table 2-3 provides the data plan for configuring OSPF.
Priority: 100 -
VLAN ID: 2 -
Priority: 80 -
VLAN ID: 2 -
Priority: 90 -
VLAN ID: 2 -
VLAN ID: 2 -
Procedure
Step 1 Configure MA5600_A.
1. Configure the IP address of the L3 interface.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 192.1.1.1 24
huawei(config-if-vlanif2)#quit
3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.1.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 1.1.1.1 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
huawei(config)#save
3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.2.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 2.2.2.2 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.3.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 3.3.3.3 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.4.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 4.4.4.4 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
----End
Result
Run the display ip routing-table command and you can find the learned routing table. Hosts
can communicate with each other.
Configuration Script
Configuration on each MA5600 is similar. Here, the configuration on MA5600_A is considered
as an example.
vlan 2 smart
port vlan 2 0/7 0
interface vlanif 2
ip address 192.1.1.1 24
quit
router id 1.1.1.1
ospf
area 0
network 192.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
quit
quit
interface vlanif 2
ospf dr-priority 100
quit
save
Background Information
l MSTP applies to a redundant network. It makes up for the drawback of STP and RSTP.
MSTP makes the network converge fast and the traffic of different VLANs distributed
along their respective paths, which provides a better load-sharing mechanism.
l MSTP trims a loop network into a loop-free tree network. It prevents the proliferation and
infinite cycling of the packets in the loop network. In addition, MSTP supports load sharing
by VLAN during data transmission.
Procedure
Step 1 Run the stp mode mstp command to set the working mode of MSTP as MSTP compatible.
The MSTP protocol configures the VLAN mapping table (mapping between the VLAN and the
spanning tree), which maps the VLAN to the spanning tree.
1. Run the stp region-configuration command to switch over to MSTP region mode.
2. Run the instance command to map the specified VLAN to the specified MSTP instance.
l By default, all VLANs are mapped to CIST, namely, instance 0.
l One VLAN can be mapped to only one instance. If you re-map a VLAN to another
instance, the original mapping is disabled.
l A maximum of 10 VLAN sections can be configured for an MSTP instance.
NOTE
A VLAN section refers to the consecutive VLAN IDs from the start VLAN ID to the end VLAN ID.
3. Run the check region-configuration command to query the parameters of the current
MSTP region.
1. Run the stp priority command to set the priority of the device in the specified spanning
tree instance.
2. Run the display stp command to query the MSTP configuration of the device.
----End
Example
Configure the MSTP parameters as follows:
Prerequisites
l The router must support Ethernet OAM.
Service Requirements
The two devices on the two ends send detection packets periodically to each other to check the
link connectivity.
Networking
Figure 2-7 shows an example network for configuring Ethernet OAM.
In this example network, the Ethernet OAM mechanism is adopted for the link between
MA5600_A and MA5600_B for detecting link status. The local MEP and remote MEP are
configured on both MA5600_A and MA5600_B. The ID of the local MEP on MA5600_B is the
same as the ID of the remote MEP on MA5600_A, and the ID of the remote MEP on
MA5600_B is the same as the ID of the local MEP on MA5600_A.
Router
0/7/0 0/7/1
MA5600_A MA5600_B
Data Plan
Table 2-4 provides the data plan for configuring Ethernet OAM.
Item Data
Procedure
Step 1 Create a VLAN.
This step is to set the packets of the upstream Ethernet port to or not to carry the VLAN tag.
Whether the native VLAN needs to be set for the upstream port depends on whether the upper-
layer device connected to the upstream port supports packets carrying a VLAN tag. The setting
on the MA5600 must be the same as that on the upper-layer device. In this example, the Ethernet
packets are of the untagged type.
Step 8 (Optional) Set the interval for the MA to transmit CCMs. By default, the interval is one minute.
huawei(config)#cfm ma 2/6 cc-interval 10m
Step 9 Enable the local CFM globally. By default, the local CFM is disabled globally.
huawei(config)#cfm enable
Step 10 Enable the detection function of the remote MEP detection globally. By default, the remote MEP
detection is disabled globally.
huawei(config)#cfm remote-mep-detect enable
NOTE
Configuration on MA5600_B is the same as that on MA5600_A and it is not repeated here.
----End
Result
After the configuration, run the display cfm statistics mep command on MA5600_A or
MA5600_B and you can find packet statistics. Of the statistics, neither "CCM Sent Pkt Num"
nor "CCM Received Pkt Num" values zero.
Configuration Script
vlan 100 smart
port vlan 100 0/7 0
interface scu 0/7
native-vlan 0 100
quit
cfm md 2 name-format string huawei level 3
cfm ma 2/6 name-format string huawei-6 vlan 100
cfm mep 2/6/0 mepid 260 direction outward port 0/7 priority 7
cfm remote-mep-detect enable
cfm ma 2/6 cc-interval 10m
cfm enable
cfm remote-mep-detect enable
save
Prerequisites
l The MA5600 does not support the PIM-SSM and IGMP upstream transmission at the same
time.
l The MA5600 does not support the receiving of PIM messages through an external
subtending port, the receiving of PIM messages through the original BTV subtending port,
or the processing of PIM messages received on the user-side port.
l PIM-SSM of the MA5600 depends on the unicast routing information. Hence, modifying,
deleting, or configuring the unicast routing information affects the availability of the PIM-
SSM function and the unicast routing performance affects the PIM-SSM performance.
l The PIM-SSM function can be used on the MA5600 only after the multicast VLAN is
enabled.
l The multicast routing function must be enabled on the MA5600.
l The multicast mode of the upstream port on the MA5600 must be PIM-SSM.
Background Information
PIM-SSM is applicable to the scenario where multiple multicast users share one multicast source,
and the multicast users know the IP address of the multicast source in advance. The MA5600
applies to the upper-layer multicast router for joining a multicast group (for which the multicast
source is specified) through the PIM-SSM protocol. In this manner, the shortest path tree (SPT)
multicast forwarding tree is created.
Procedure
Step 1 Enable the PIM-SSM function.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim sm command to enable the PIM-SSM function on the VLAN L3 interface.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim hello-option dr-priority command to set the DR priority of the PIM router
on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 3 Set the interval for a PIM router to send hello packets.
l The interval ranges from 1s to 2147483647s. By default, it is 30s.
l The command used for setting the interval for the PIM router to send hello packets in PIM
mode functions the same as the command used in the VLAN interface mode. The difference
lies in that the system prefers the interval for the PIM router to send hello packets set in the
VLAN interface mode. When the interval for the PIM router to send hello packets set in the
VLAN interface mode does not exist, the system uses the interval for the PIM router to send
hello packets set in PIM mode.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim timer hello command to set the interval for a PIM router to send hello packets
in PIM mode.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 4 Set the timeout time for a PIM router to wait for hello packets.
l The timeout time ranges from 1s to 65535s. By default, it is 105s.
l The command used for setting the timeout time for the PIM router to wait for hello packets
in PIM mode functions the same as the command used in the VLAN interface mode. The
difference lies in that the system prefers the timeout time for the PIM router to wait for hello
packets set in the VLAN interface mode. When the timeout time for the PIM router to wait
for hello packets set in the VLAN interface mode does not exist, the system uses the timeout
time for the PIM router to wait for hello packets set in PIM mode.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim hello-option holdtime command to set the timeout time for the PIM router
to wait for hello packets on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 5 Set the longest delay for triggering the transmission of hello packets.
l For example, if the longest delay is N seconds (s), the system randomly selects a value ranging
from 0s to Ns as the delay and sends hello packets to the neighbor after this delay.
l The longest delay ranges from 1s to 5s. By default, it is 5s.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim triggered-hello-delay command to set the longest delay for triggering the
transmission of hello packets.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim timer join-prune command to set the interval for sending Join/Prune packets
on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 8 Set the delay for the PIM router to perform the pruning operation.
l The delay ranges from 1 ms to 32767 ms. By default, it is 500 ms.
l The command used for setting the delay for the PIM router to perform the pruning in PIM
mode functions the same as the command used in the VLAN interface mode. The difference
lies in that the system prefers the delay for the PIM router to perform the pruning set in the
VLAN interface mode. When the delay for the PIM router to perform the pruning set in the
VLAN interface mode does not exist, the system uses the delay for the PIM router to perform
the pruning set in PIM mode.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim hello-option lan-delay command to set the delay for a PIM router to perform
pruning on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 9 Set the interval for the PIM router to override the pruning.
l When a router receives a prune message from the upstream interface, it indicates that other
downstream routers exist in this LAN. If this router still needs to receive the multicast data,
it must send the prune override message to the upstream router during the override interval.
l The interval ranges from 1 ms to 65535 ms. By default, it is 2500 ms.
l The command used for setting the interval for the PIM router to override the pruning in PIM
mode functions the same as the command used in the VLAN interface mode. The difference
lies in that the system prefers the interval for the PIM router to override the pruning set in
the VLAN interface mode. When the interval for the PIM router to override the pruning set
in the VLAN interface mode does not exist, the system uses the interval for the PIM router
to override the pruning set in PIM mode.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim hello-option override-interval command to set the interval for the PIM router
to override the pruning on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 10 Set the holdtime for the PIM router to maintain the join status of the downstream interface.
l The holdtime ranges from 1s to 65535s. By default, it is 210s.
l The command used for setting the holdtime for the PIM router to maintain the join status of
the downstream interface in PIM mode functions the same as the command used in the VLAN
interface mode. The difference lies in that the system prefers the holdtime for the PIM router
to maintain the join status of the downstream interface set in the VLAN interface mode.
When the holdtime for the PIM router to maintain the join status of the downstream interface
set in the VLAN interface mode does not exist, the system uses the holdtime for the PIM
router to maintain the join status of the downstream interface set in PIM mode.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim holdtime join-prune command to set the holdtime for the PIM router to
maintain the join status of the downstream interface on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
The ACL must be a basic ACL, which ranges from 2000 to 2999.
2. Run the rule permit source command to configure the ACL rule in acl-basic mode to
define the IP address range of the PIM-SSM multicast group to be permitted source IP
address.
3. Run the quit command to quit acl-basic mode.
4. Run the pim command to enter PIM mode.
5. Run the ssm-policy command to apply the configured ACL rule to specify the IP address
range of the PIM-SSM multicast group.
----End
Example
Assume that the PIM-SSM function is enabled on VLAN interface 500 and the PIM-SSM
parameters are as follows:
l Set the interval for sending Join/Prune packets to 120s on VLAN interface 500.
l Set the delay for a PIM router to perform pruning to 700 ms on VLAN interface 500.
l Set the interval for a PIM router to override a pruning operation to 3000 ms on VLAN
interface 500.
l Set the holdtime for a PIM router to maintain the join status of the downstream interface
to 215s on VLAN interface 500.
l Set the IP address range of a PIM-SSM multicast group to 232.1.0.0/16.
Networking
Figure 2-8 shows an example network for configuring the basic MPLS functions.
Figure 2-8 Example network for configuring the basic MPLS functions
Data Plan
Table 2-5 provides the data plan for configuring the basic MPLS functions.
Table 2-5 Data plan for configuring the basic MPLS functions
Item Data
Procedure
Step 1 Run the mpls lsr-id command to configure the LSR ID.
To set an LSR ID, disable the MPLS function first (by default, the MPLS function is disabled).
An LSR ID must be unique in an MPLS domain.
Step 2 Run the mpls command to enable the MPLS function globally.
Step 3 Run the quit command to return to the global config mode.
Step 5 Run the mpls vlan command to enable the MPLS function of the VLAN.
Step 6 Run the display mpls vlan command to query the MPLS status of the VLAN.
Step 7 Run the interface vlanif command to enter the VLAN interface mode.
Step 8 Run the mpls command to enable the MPLS function of the interface.
Step 9 Run the quit command to return to the global config mode.
Step 10 Run the display mpls interface command to query the information about the interface whose
MPLS function is enabled.
Step 11 Run the display current-configuration command to query the current LSR ID of the system.
----End
Example
To configure the LSR ID of MA5600_A to 1.1.1.1 and enable MPLS under the VLAN interface
of standard VLAN 200, do as follows:
huawei(config)#mpls lsr-id 1.1.1.1
huawei(config)#mpls
huawei(config-mpls)#quit
huawei(config)#vlan 200 standard
huawei(config)#mpls vlan 200
huawei(config)#display mpls vlan 200
VLAN 200 is enabled MPLS
huawei(config)#interface vlanif 200
huawei(config-if-vlanif200)#mpls
huawei(config-if-vlanif200)#quit
huawei(config)#display mpls interface vlanif 200
{ <cr>|verbose<K> }:
Command:
display mpls interface vlanif 200
Interface Status TE Attr LSP Count CRLSP Count MPLS MTU
Vlanif200 Down Dis 0 0 1500
Command:
display current-configuration section mpls
[MA5600V300R003: 3905]
#
[mpls]
<mpls>
mpls lsr-id 1.1.1.1
mpls
#
return
l The LSPs are classified into static LSPs and dynamic LSPs.
Static LSP is configured manually.
The dynamic LSP is generated by the routing protocol dynamically.
l If the next hop is specified when a static LSP is configured, the next hop must also be
specified when a static IP route is configured. Similarly, if the egress is specified when a
static LSP is configured, the egress must also be specified when a static IP route is
configured.
Networking
Figure 2-9 shows an example network for configuring the static LSP.
Data Plan
Table 2-6 provides the data plan for configuring the static LSP.
Item Data
Item Data
Procedure
Step 1 Run the static-lsp ingress command to configure the ingress parameters of the static LSP.
Step 2 Run the mpls car-lsp static command to configure the LSR CAR.
Step 3 Run the display mpls static-lsp command to query the ingress parameters of the static LSP.
Step 4 Run the display mpls car-lsp command to check whether the LSP CAR is configured
successfully.
----End
Example
To configure the ingress parameters of the static LSP on MA5600_A, do as follows:
huawei(config)#static-lsp ingress staticlsp1 destination 1.31.1.1 32 nexthop
10.1.2.2 out-label 8500
huawei(config)#mpls car-lsp static lspname staticlsp1 burst 0 bandwidth 1000
huawei(config)#display mpls static-lsp staticlsp1
{ <cr>|exclude<K>|include<K>|verbose<K> }:
Command:
display mpls static-lsp staticlsp1
TOTAL : 1 STATIC LSP(S)
UP : 0 STATIC LSP(S)
DOWN : 1 STATIC LSP(S)
Name FEC I/O Label I/O If Stat
staticlsp1 1.1.1.1/32 NULL/8500 -/- Down
l The MPLS LDP function can be enabled only when the MPLS function is enabled by
running the mpls command.
l The MPLS LDP function can be enabled for only the standard VLAN.
Networking
Figure 2-10 shows an example network for configuring the LDP LSP.
Data Plan
Table 2-7 provides the data plan for configuring the LDP LSP.
Item Data
Item Data
Procedure
Step 1 Run the mpls ldp command to enable the MPLS LDP function globally.
Step 2 Run the quit command to return to the global config mode.
Step 3 Run the interface vlanif command to enter the VLAN interface mode.
Step 4 Run the mpls ldp command to enable the MPLS LDP function on the VLAN interface.
Step 5 Run the quit command to quit the VLAN interface mode.
Step 6 Run the display mpls ldp interface command to query the information about the interface whose
MPLS LDP function is enabled.
----End
Example
To configure the LDP LSP on MA5600_A by using the default settings, do as follows:
huawei(config)#mpls ldp
huawei(config-mpls-ldp)#quit
huawei(config)#interface vlanif 140
huawei(config-if-vlanif140)#mpls ldp
huawei(config-if-vlanif140)#quit
huawei(config)#display mpls ldp interface vlanif 140
{ <cr>||<K> }:
Command:
display mpls ldp interface vlanif 140
------------------------------------------------------------------------------
Prerequisites
l An LDP LSP must exist. For details about the configuration of the LDP LSP, see
Configuring the LDP LSP.
l An upstream port must exist. The VLAN to which the upstream port belongs must be a
standard VLAN. For details about how to add an upstream port to a VLAN, see 3.2
Configuring an Upstream Port.
l A route to the peer end must exist. PW has no special requirement for the routing policy.
For details about the configuration of the route, see 2.2 Configuring the Route.
Background Information
l A VPN can be created between the local VLAN and the peer VLAN through binding the
PW and the VLAN together. That is, by switching the labels, packets can transverse the
MPLS network, thus implementing the communication at L2 between the local end and the
remote end.
l Only the standard VLAN supports ETH PWE3.
Networking
Figure 2-11 shows an example network for configuring the ETH PWE3.
Data Plan
Table 2-8 provides the data plan for configuring the ETH PWE3.
Item Data
Procedure
Step 1 Run the mpls l2vpn command to enable MPLS L2VPN.
Step 4 Run the pw-ac-binding vlan command to bind the PW template to the PVC to create the ETH
PW service.
l The ID of the PW bound to the TDM must be the same as the PW ID of the remote peer.
l A PW template can be bound dynamically or statically. To bind a PW template dynamically,
enable MPLS LDP first.
----End
Example
Assume that the PW template to be bound is of the Ethernet tagged type, the IP address of the
peer device is 10.1.3.2, the outgoing label of the PW is 100, and the incoming label of the PW
is 8500. To bind the PW to the VLAN of MA5600_A, and create the ETH PW service, do as
follows:
huawei(config)#mpls l2vpn
huawei(config)#service-port vlan 10 adsl 0/1/0 rx-cttr 10 tx-cttr 10
huawei(config)#pw-template pwprofile
huawei(config-pw-template-pwprofile)#peer-address 10.1.3.2
huawei(config-pw-template-pwprofile)#pw-type ethernet tagged
huawei(config-pw-template-pwprofile)#quit
huawei(config)#pw-ac-binding vlan 10 pw 1 pw-template pwprofile static transmit-
label 100 receive-label 8500
Prerequisites
l An LDP LSP must exist. For details about the configuration of the LDP LSP, see
Configuring the LDP LSP.
l An upstream port must exist. The VLAN to which the upstream port belongs must be a
standard VLAN. For details about the configuration of the upstream port, see 3.2
Configuring an Upstream Port.
l A route to the peer end must exist. PW has no special requirement for the routing policy.
For details about the configuration of the upstream port, see 2.2 Configuring the Route.
Background Information
l A VPN can be created between the local VLAN and the peer VLAN through binding the
PW template and the VLAN together. That is, by switching the labels, packets can traverse
the MPLS network, thus implementing the communication at L2 between the local end and
the remote end.
l Only the standard VLAN supports ATM PWE3.
Networking
Figure 2-12 shows an example network for configuring the ATM PWE3.
Data Plan
Table 2-9 provides the data plan for configuring the ATM PWE3.
Item Data
Item Data
Procedure
Step 1 Run the mpls l2vpn command to enable MPLS L2VPN.
Step 4 Run the pw-ac-binding pvc command to bind the PW template to the PVC to create the ATM
PW service.
l The ID of the PW bound to the TDM must be the same as the PW ID of the remote peer.
l A PW template can be bound dynamically or statically. To bind a PW template dynamically,
enable MPLS LDP first.
----End
Example
Assume that the PW template to be bound is of the ATM sdu type and the IP address of the peer
device is 10.1.3.2. To bind the PW to the PVC of MA5600_A, and create the ATM PW service,
do as follows:
huawei(config)#mpls l2vpn
huawei(config)#service-port vlan 10 atm 0/6/0 vpi 0 vci 35 rx-cttr 10 upc off tx
Service Requirements
l When the MA5600 is subtended with a slave shelf, the slave shelf needs to support the
ATM PWE3 service.
l MPLS is used to carry the L2 service to ensure that the packets can go through the MPLS
domain and that users can be differentiated.
Networking
Figure 2-13 shows an example network for configuring the MPLS based on binding the PVC
with the PW template.
Figure 2-13 Example network for configuring the MPLS based on binding the PVC with the
PW template
Data Plan
Table 2-10 provides the data plan for configuring the MPLS based on binding the PVC with the
PW template.
Table 2-10 Data plan for configuring the MPLS based on binding the PVC with the PW template
(MA5600_A)
Item Data
Item Data
Procedure
Step 1 Configure the route. PWE3 has no special requirement for the routing policy. Here, an open
shortest path first (OSPF) route is considered as an example.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 1.1.1.1 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#network 10.1.2.0 0.0.255.255
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
Step 3 Configure the label switch router (LSR) ID for the MPLS.
huawei(config)#mpls lsr-id 1.1.1.1
----End
Result
After the configuration, LDP remote session, LSP, and PW can be set up between the
MA5600 and the router.
Service Requirements
l The user accesses the Internet in the PPPoA mode.
l A traffic profile is adopted for rate limitation. The user access rate is 2048 kbit/s.
l MPLS is used to carry the L2 service to ensure that the packets can go through the MPLS
domain and that users can be differentiated.
Networking
Figure 2-14 shows an example network for configuring the MPLS based on binding the VLAN
with the PW template.
In this example network, the MA5600 is connected to the MPLS network in the upstream
direction through the control board, and the MPLS L2VPN based on binding the VLAN with
the PW template is set up between the MA5600 and the router in the MPLS network.
Figure 2-14 Example network for configuring the MPLS based on binding the VLAN with the
PW template
Data Plan
Table 2-11 provides the data plan for configuring the MPLS based on binding the VLAN with
the PW template.
Table 2-11 Data plan for configuring the MPLS based on binding the VLAN with the PW
template (MA5600_A)
Item Data
Procedure
Step 1 Configure a route. PWE3 has no special requirements for the routing policy. Here, an OSPF
route is considered as an example.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 1.1.1.1 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#network 10.1.2.0 0.0.255.255
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
----End
Result
After the configuration, the MA5600 can set up the LDP remote session with the router.
Run the display pw-ac-binding command and you can find that the PW state is up.
NOTE
For details of MPLS TE, refer to the Requirements for Traffic Engineering Over MPLS (RFC2702).
l To provide the MPLS function, the MA5600 can function as only a PE device.
l For the MA5600, to subtend slave shelves,
l Only the master shelf supports MPLS function.
l The master shelf supports the ETH PWE3 and the ATM PWE3 services, and the slave shelf supports
only the ETH PWE3 service. (To support the ATM PWE3 service, a slave shelf must be separately
configured with the AIUG board to function as an independent PE to provide MPLS upstream
function.)
Prerequisite
l The network devices and lines must be in the normal state.
l The IP address and subnet mask for each port must be configured according to the example
network. After the configuration is complete, ensure that each LSR can ping the peer LSR
ID successfully (the LSR ID is recommended to be consistent with the IP address of the
loopback interface of the device).
l The static routing protocol or the OSPF protocol must be configured on all the MA5600s
and routers (the host route of each port must be successfully advertised).
Networking
Figure 2-15 shows an example network for establishing an MPLS TE tunnel by using RSVP-
TE.
Reachable routes exist between MA5600_A and MA5600_B and MPLS RSVP-TE is enabled
on both devices. Establish an MPLS TE tunnel from MA5600_A to MA5600_B.
Figure 2-15 Example network for establishing an MPLS TE tunnel by using RSVP-TE
Router
10.1.1.2/24 10.1.2.1/24
LSR ID
2.2.2.2 /32
LSR ID LSR ID
1.1.1.1 /32 10.1.1.1 /24 10.1.2.2 /24 3.3.3.3 /32
MA5600_A MA5600_B
Data Plan
Table 2-12 provides the data plan for establishing an MPLS TE tunnel by using RSVP-TE.
Table 2-12 Data plan for establishing an MPLS TE tunnel by using RSVP-TE
Item Data
Port: 0/7/2
VLAN: 10
IP address of the L3 interface: 10.1.1.1/24
Port: 0/7/2
VLAN: 20
IP address of the L3 interface (interface connected to router):
10.1.2.2/24
Procedure
Step 1 Configure the basic MPLS functions and enable MPLS TE.
NOTE
The configuration on MA5600_B is the same as the configuration on MA5600_A except the IP addresses
of the VLAN interface and the MPLS VLAN interface. Therefore, the configuration on MA5600_B is not
described here.
NOTE
Step 3 Configure the MPLS TE attributes of the links on MA5600_A and MA5600_B respectively.
MA5600_A(config)#interface vlanif 10
MA5600_A(config-if-vlanif10)#mpls te max-reservable-bandwidth 1024
MA5600_A(config-if-vlanif10)#quit
MA5600_B(config)#interface vlanif 20
MA5600_B(config-if-vlanif20)#mpls te max-reservable-bandwidth 1024
MA5600_B(config-if-vlanif20)#quit
----End
Result
After the configuration is complete, run the following commands on MA5600_A to query the
configuration:
l Run the display interface tunnel command to query the tunnel interface status. The tunnel
interface needs to be in the UP state.
l Run the display mpls te tunnel-interface tunnel command to query the detailed
configuration of the tunnel.
Prerequisites
l The network devices and lines must be in the normal state.
l The IP address and subnet mask for each port must be configured according to the example
network. After the configuration is complete, ensure that each LSR can ping the peer LSR
ID successfully (the LSR ID is recommended to be consistent with the IP address of the
loopback interface of the device).
l The static routing protocol or the OSPF protocol must be configured on all the MA5600s
and routers (the host route of each port must be successfully advertised).
Networking
Figure 2-16 shows an example network for configuring the static MPLS TE tunnel.
Figure 2-16 Example network for configuring the static MPLS TE tunnel
Router
10.1.1.2/24 10.1.2.1/24
LSR ID
2.2.2.2 /32
MA5600_A MA5600_B
Data Plan
Table 2-13 provides the data plan for configuring the static MPLS TE tunnel.
Table 2-13 Data plan for configuring the static MPLS TE tunnel
Item Data
Port: 0/7/2
VLAN: VLAN 10
IP address of the L3 interface: 10.1.1.1/24
Port: 0/7/2
VLAN: VLAN 20
IP address of the L3 interface: 10.1.2.2/24 (connected to the router)
Procedure
Step 1 Configure the basic MPLS functions and enable MPLS TE.
1. Enable basic MPLS and MPLS TE globally.
MA5600_A(config)#mpls lsr-id 1.1.1.1
MA5600_A(config)#mpls
MA5600_A(config-mpls)#mpls te
MA5600_A(config-mpls)#quit
NOTE
The configuration on MA5600_B is the same as the configuration on MA5600_A. Therefore, the
configuration on MA5600_B is not described here.
NOTE
The configuration on MA5600_B is the same as the configuration on MA5600_A. Therefore, the configuration
on MA5600_B is not described here.
Step 3 Configure the MPLS TE attributes of the links on MA5600_A and MA5600_B respectively.
----End
Result
After the configuration is complete, run the following commands on MA5600_A to query the
configuration:
l Run the display interface tunnel command to query the tunnel interface status. The tunnel
interface needs to be in the UP state.
l Run the display mpls te tunnel-interface tunnel command to query the detailed
configuration of the tunnel.
Prerequisites
l The network devices and lines must be in the normal state.
l The IP address and subnet mask for each port must be configured according to the example
network. After the configuration is complete, ensure that each LSR can ping the peer LSR
ID successfully (the LSR ID is recommended to be consistent with the IP address of the
loopback interface of the device).
l The dynamic routing protocol or the OSPF protocol must be configured on all the
MA5600s and routers (the host route of each port must be successfully advertised).
Context
The dynamic signaling protocol adjusts the path of an MPLS TE tunnel based on dynamic
changes of the network and applies advanced features, such as backup and FR.
Networking
Figure 2-17 shows an example network for configuring the dynamic MPLS TE tunnel.
Figure 2-17 Example network for configuring the dynamic MPLS TE tunnel
Router
10.1.1.2/24 10.1.2.1/24
LSR ID
2.2.2.2 /32
MA5600_A MA5600_B
Data Plan
Table 2-14 provides the data plan for configuring the dynamic MPLS TE tunnel.
Table 2-14 Data plan for configuring the dynamic MPLS TE tunnel
Item Data
Port: 0/7/2
VLAN: 10
IP address of the L3 interface: 10.1.1.1/24
Port: 0/7/2
VLAN: 20
IP address of the L3 interface (interface connected to router):
10.1.2.2/24
Procedure
Step 1 Configure the basic MPLS functions and enable MPLS TE.
1. Enable basic MPLS and MPLS TE globally.
MA5600_A(config)#mpls lsr-id 1.1.1.1
MA5600_A(config)#mpls
MA5600_A(config-mpls)#mpls te
MA5600_A(config-mpls)#quit
NOTE
The configuration on MA5600_B is the same as the configuration on MA5600_A. Therefore, the
configuration on MA5600_B is not described here.
NOTE
The configuration on MA5600_B is the same as the configuration on MA5600_A. Therefore, the configuration
on MA5600_B is not described here.
Step 3 Configure the MPLS TE attributes of the links on MA5600_A and MA5600_B respectively.
MA5600_A(config)#interface vlanif 10
MA5600_A(config-if-vlanif10)#mpls te max-link-bandwidth 2048
MA5600_A(config-if-vlanif10)#mpls te max-reservable-bandwidth 1024
MA5600_A(config-if-vlanif10)#quit
MA5600_B(config)#interface vlanif 20
MA5600_B(config-if-vlanif20)#mpls te max-link-bandwidth 2048
MA5600_B(config-if-vlanif20)#mpls te max-reservable-bandwidth 1024
MA5600_B(config-if-vlanif20)#quit
NOTE
The configuration on MA5600_B is the same as the configuration on MA5600_A. Therefore, the configuration
on MA5600_B is not described here.
----End
Result
After the configuration is complete, run the following commands on MA5600_A to query the
configuration:
l Run the display interface tunnel command to query the tunnel interface status. The tunnel
interface needs to be in the UP state.
l Run the display mpls te tunnel-interface tunnel command to query the detailed
configuration of the tunnel.
Context
MPLS supports multiple layer 2 (L2) and layer 3 (L3) protocols. It provides the OAM mechanism
independent of any upper or lower layer.
By the MPLS OAM mechanism, the MA5600 detects and locates effectively the defects inside
the network at the MPLS layer. Then, it reports and handles the defects. When the fault occurs,
the system triggers the protection switchover.
Configuration Example of the MPLS OAM Detection for Static LSP Connectivity
This topic describes how to configure the function of MPLS OAM to detect the static LSP
connectivity.
Prerequisites
Before the configuration, make sure that:
Networking
Figure 2-18 shows an example network for configuring the MPLS OAM detection for static
LSP connectivity.
Figure 2-18 Example network for configuring the MPLS OAM detection for static LSP
connectivity
Tunnel 10
Tunnel ID 10
LSR ID
4.4.4.4/32
10.1.1.2/24 10.1.4.1/24
Router B
Data Plan
Table 2-15 provides the data plan for configuring the MPLS OAM detection for static LSP
connectivity.
Table 2-15 Data plan for configuring the MPLS OAM detection for static LSP connectivity
Item Data
Port: 0/7/2
VLAN: 10
IP address of the port connecting to router A: 10.1.2.1/24
Port: 0/7/3
VLAN: 11
IP address of the port connecting to router B: 10.1.1.1/24
Port: 0/7/2
VLAN: 30
IP address of the port connecting to router A: 10.1.3.2/24
Item Data
Port: 0/7/3
VLAN: 31
IP address of the port connecting to router B: 10.1.4.2/24
Configuration Flowchart
Figure 2-19 shows the flowchart for configuring the MPLS OAM detection for static LSP
connectivity.
Figure 2-19 Flowchart for configuring the MPLS OAM detection for static LSP connectivity
Start
End
Procedure
Step 1 Enable basic MPLS and MPLS TE.
1. Enable basic MPLS and MPLS TE globally.
MA5600_A(config)#mpls lsr-id 1.1.1.1
MA5600_A(config)#mpls
MA5600_A(config-mpls)#mpls te
MA5600_A(config-mpls)#quit
NOTE
The configuration on MA5600_B is the same as the configuration on MA5600_A. Therefore, the
configuration on MA5600_B is not described here.
Step 2 Configure a static LSP to be detected. To be specific, configure MA5600_A as the ingress, router
A as the intermediate node, and MA5600_B as the egress of the LSP.
1. On MA5600_A, configure an MPLS TE tunnel to MA5600_B by using the static LSP.
MA5600_A(config)#interface tunnel 20
MA5600_A(config-if-tunnel20)#tunnel-protocol mpls te
MA5600_A(config-if-tunnel20)#destination 3.3.3.3
MA5600_A(config-if-tunnel20)#mpls te tunnel-id 20
MA5600_A(config-if-tunnel20)#mpls te signal-protocol static
MA5600_A(config-if-tunnel20)#mpls te commit
MA5600_A(config-if-tunnel20)#quit
3. Configure router A as the intermediate node of the static LSP. (Router-related configuration
is not described here.)
4. Configure MA5600_B as the egress of the static LSP.
MA5600_B(config)#static-lsp egress 200 incoming-interface vlanif 30
in-label 8210
Step 3 Configure a backward static LSP. To be specific, configure MA5600_B as the ingress, router B
as the intermediate node, and MA5600_A as the egress of the LSP.
1. On MA5600_B, configure an MPLS TE tunnel to MA5600_A by using the static LSP.
MA5600_B(config)#interface tunnel 10
MA5600_B(config-if-tunnel10)#tunnel-protocol mpls te
MA5600_B(config-if-tunnel10)#destination 1.1.1.1
MA5600_B(config-if-tunnel10)#mpls te tunnel-id 10
MA5600_B(config-if-tunnel10)#mpls te signal-protocol static
MA5600_B(config-if-tunnel10)#mpls te commit
MA5600_B(config-if-tunnel10)#quit
3. Configure router B as the intermediate node of the static LSP. (Router-related configuration
is not described here.)
4. Configure MA5600_A as the egress of the static LSP.
MA5600_A(config)#static-lsp egress 10 incoming-interface vlanif 10
in-label 8230
----End
Result
After the configuration, run the shutdown command on Router A to disable the port connected
to MA5600_B to simulate the link fault. Run the display mpls oam egress all command on
MA5600_B and you can find that MA5600_B detects the fault.
Prerequisite
l The network devices and lines must be in the normal state.
l The IP address and subnet mask for each port must be configured according to the example
network. After the configuration is complete, ensure that each LSR can ping the peer LSR
ID successfully.
l The static routing protocol or the OSPF protocol must be configured on all the MA5600s
and routers (the host route of each loopback port must be successfully advertised).
Networking
Figure 2-20 shows an example network for configuring the MPLS OAM protection switching
function.
Two LSP tunnels are configured between MA5600_A and MA5600_B, of which the active
tunnel is from router A to MA5600_B and the standby tunnel from router B to MA5600_B. The
MPLS OAM protection switching function is enabled for these two tunnels. Therefore, when
the active tunnel is faulty, the traffic is switched to the standby tunnel. In addition, a backward
tunnel from MA5600_B to MA5600_A through router B is configured, which is used to notify
the ingress (MA5600_A) of a fault.
LSR ID
4.4.4.4/32
10.1.1.2/24 10.1.4.1/24
Router B
Tunnel 10
Tunnel ID 10
10.1.1.1/24
10.1.4.2/24
Router A LSR ID
10.1.2.1/24 10.1.3.2/24 3.3.3.3/32
10.1.2.2/24 10.1.3.1/24
MA5600_A
LSR ID MA5600_B
2.2.2.2/32
Tunnel 20
Tunnel ID 20
Data Plan
Table 2-16 provides the data plan for configuring the MPLS OAM protection switching
function.
Table 2-16 Data plan for configuring the MPLS OAM protection switching function
Item Data
Item Data
Port: 0/7/2
VLAN: 10
IP address of the port connecting to router A: 10.1.2.1/24
Port: 0/7/3
VLAN: 11
IP address of the port connecting to router B: 10.1.1.1/24
Port: 0/7/2
VLAN: 30
IP address of the port connecting to router A: 10.1.3.2/24
Port: 0/7/3
VLAN: 31
IP address of the port connecting to router B: 10.1.4.2/24
Procedure
Step 1 Configure the basic MPLS functions and enable MPLS TE.
1. Enable basic MPLS and MPLS TE globally.
MA5600_A(config)#mpls lsr-id 1.1.1.1
MA5600_A(config)#mpls
MA5600_A(config-mpls)#mpls te
MA5600_A(config-mpls)#mpls rsvp-te
MA5600_A(config-mpls)#mpls te cspf
MA5600_A(config-mpls)#quit
NOTE
The configuration on MA5600_B is the same as the configuration on MA5600_A. Therefore, the
configuration on MA5600_B is not described here.
NOTE
The configuration on MA5600_B is the same as the configuration on MA5600_A. Therefore, the configuration
on MA5600_B is not described here.
NOTE
The configuration on MA5600_B is the same as the configuration on MA5600_A. Therefore, the configuration
on MA5600_B is not described here.
MA5600_A(config-if-tunnel20)#destination 3.3.3.3
MA5600_A(config-if-tunnel20)#mpls te tunnel-id 20
MA5600_A(config-if-tunnel2)#mpls te path explicit-path 1a2
MA5600_A(config-if-tunnel20)#mpls te signal-protocol rsvp-te
MA5600_A(config-if-tunnel20)#mpls te bandwidth bc0 1500
MA5600_A(config-if-tunnel20)#mpls te commit
MA5600_A(config-if-tunnel20)#quit
2. Configure the standby tunnel from MA5600_A to MA5600_B. The intermediate node is
router B.
MA5600_A(config)#interface tunnel 10
MA5600_A(config-if-tunnel10)#tunnel-protocol mpls te
MA5600_A(config-if-tunnel10)#destination 3.3.3.3
MA5600_A(config-if-tunnel10)#mpls te tunnel-id 10
MA5600_A(config-if-tunnel10)#mpls te path explicit-path 1b2
MA5600_A(config-if-tunnel10)#mpls te signal-protocol rsvp-te
MA5600_A(config-if-tunnel10)#mpls te bandwidth bc0 1500
MA5600_A(config-if-tunnel10)#mpls te commit
MA5600_A(config-if-tunnel10)#quit
3. Configure the backward tunnel from MA5600_B to MA5600_A. The intermediate node is
router B.
MA5600_B(config)#interface tunnel 10
MA5600_B(config-if-tunnel10)#tunnel-protocol mpls te
MA5600_B(config-if-tunnel10)#destination 1.1.1.1
MA5600_B(config-if-tunnel10)#mpls te tunnel-id 10
MA5600_B(config-if-tunnel10)#mpls te path explicit-path 2b1
MA5600_B(config-if-tunnel10)#mpls te signal-protocol rsvp-te
MA5600_B(config-if-tunnel10)#mpls te bandwidth bc0 1500
MA5600_B(config-if-tunnel10)#mpls te commit
MA5600_B(config-if-tunnel10)#quit
----End
Result
After the configuration, run the shutdown command on router A to disable the port connected
to MA5600_B to simulate the link fault. Run the display mpls oam egress all command on
MA5600_B, and you can find that MA5600_B detects the fault and implements protection based
on the configuration.
Prerequisites
l Basic MPLS functions must be configured.
l Basic MPLS TE functions must be configured.
l A tunnel must be created by running the interface tunnel command.
Context
l Before configuring the ingress/egress MPLS OAM function, the MPLS OAM function
must be enabled globally. By default, the MPLS OAM function is disabled globally.
l An MPLS OAM instance can be configure only when the MPLS OAM function is enabled
globally.
l On the same LSP, the configuration of the ingress MPLS OAM function must be consistent
with the configuration of the egress MPLS OAM function.
l After the MPLS OAM parameters are configured, the parameters must be enabled to take
effect. The ingress OAM parameters must be enabled first; otherwise, the egress generates
an alarm.
Procedure
Step 1 Run the mpls command to enter the MPLS mode.
Step 2 In MPLS mode, run the mpls oam command to enable the MPLS OAM function globally.
Step 3 In the global mode, run the mpls oam ingress command to configure the ingress MPLS OAM
parameters.
Step 4 In the global mode, run the mpls oam ingress enable command to enable the ingress MPLS
OAM function.
Step 5 In the global mode, run the mpls oam egress command to configure the egress MPLS OAM
parameters.
Step 6 In the global mode, run the mpls oam egress enable command to enable the egress MPLS OAM
function.
Step 7 In the global mode, run the display mpls oam ingress command to query the information about
the ingress MPLS OAM instance of the LSP.
Step 8 In the global mode, run the display mpls oam egress command to query the information about
the egress MPLS OAM instance of the LSP.
----End
Example
To configure the MPLS OAM protection for LSP tunnel 10, detection type to fast failure
detection (FFD), detection frequency to 100 ms, backward LSR ID to 80.80.80.80, and backward
tunnel ID to 20, and then enable all the MPLS OAM ingresses of the system, do as follows:
huawei(config)#mpls
huawei(config-mpls)#mpls oam
huawei(config-mpls)#quit
huawei(config)#mpls oam ingress tunnel 10 type ffd frequency 100 backward-lsp lsr-
id 80.80.80.80 tunnel-id 20
huawei(config)#mpls oam ingress enable all
huawei(config)#mpls oam egress lsr-id 80.80.80.80 tunnel-id 20 type ffd frequency
100 backward-lsp tunnel 10 private
huawei(config)#mpls oam egress enable all
huawei(config)#display mpls oam ingress all
{ <cr>|verbose<K> }:
Command:
display mpls oam ingress all
--------------------------------------------------------------------------------
No. Tunnel-name Ttsi Type Frequency Status
--------------------------------------------------------------------------------
1 tunnel10 -- FFD 100 ms Stop
--------------------------------------------------------------------------------
Total Oam Num: 1
Total Start Oam Num: 0
Total Defect Oam Num: 0
Command:
display mpls oam egress all
--------------------------------------------------------------------------------
No. Lsp-name Ttsi Type Frequency Status
--------------------------------------------------------------------------------
1 -- -- FFD 100 ms Stop
--------------------------------------------------------------------------------
Total Oam Num: 1
Total Start Oam Num: 0
Total Defect Oam Num: 0
Prerequisites
l Basic MPLS functions must be configured.
l Basic MPLS TE functions must be configured.
l Tunnels must be configured.
Context
l When a tunnel protection group is configured, if the parameters are not specified, the default
settings are as follows:
The switching mode is revertive.
The wait to restore (WTR) time is 720s, and the WTR time range is 060 with a step
of 30s.
l Before a protection group is configured, the protocol of the tunnel interface must be
configured as MPLS TE, and the tunnel ID and peer address must also be configured.
l After a protection group is configured or deleted, it must be validated by running the mpls
te commit command.
NOTE
The switching mode of the protection group refers to the mode in which the traffic is switched back to the active
tunnel from the standby tunnel. In the revertive mode, after the traffic is switched to the standby tunnel, the
traffic is switched back to the active tunnel after the WTR expires if the active tunnel recovers to the normal
state.
Procedure
Step 1 Run the interface tunnel command to enter the tunnel interface mode.
Step 2 Run the tunnel-protocol mpls te command to enable the encapsulation protocol of the tunnel
interface.
Step 3 Run the mpls te protection tunnel command to configure the tunnel protection group.
Step 4 Run the mpls te commit command to commit the configuration of the tunnel interface.
Step 5 In the global config mode, run the display mpls te protection tunnel command to query the
status of the tunnel protection group.
----End
Example
To configure a standby tunnel for tunnel 20 with the tunnel ID 10, switching mode revertive,
and WTR time 900s (30 x 30s), do as follows:
huawei(config)#interface tunnel 20
huawei(config-if-tunnel20)#tunnel-protocol mpls te
huawei(config-if-tunnel20)#mpls te protection tunnel 10 mode revertive wtr 30
huawei(config-if-tunnel20)#mpls te commit
huawei(config-if-tunnel20)#quit
huawei(config)#display mpls te protection tunnel 20
{ <cr>|verbose<K> }:verbose
Command:
display mpls te protection tunnel all verbose
----------------------------------------------------------------
Verbose information about the 1th proteciton-group
----------------------------------------------------------------
Work-tunnel id : 20
Protect-tunnel id : 10
Work-tunnel name : tunnel1
Protect-tunnel name : tunnel2
switch result : work-tunnel
work-tunnel defect state : in defect
xDSL broadband Internet access is applicable in the scenario where the Internet service is
provided through the ordinary twisted pairs. In this scenario, a user can access Internet in IPoE,
PPPoE, IPoA, PPPoA, or 802.1X mode. This topic describes how to configure an xDSL Internet
access service on the MA5600.
Prerequisite
The xDSL profile for the Internet access service must be created.
l Configuring the ADSL2+ Profile
l Configuring the SHDSL Profile
l Configuring the VDSL2 Profile
For the PPPoE or PPPoA Internet access mode, the AAA function must be configured.
Data Plan
Before configuring an xDSL Internet access service, plan the data items as listed in Table 3-1.
Table 3-1 Data plan for the xDSL Internet access service
Procedure
1. 3.1 Configuring a VLAN
Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring
a service, make sure that the VLAN configuration based on planning is complete.
2. 3.2 Configuring an Upstream Port
This topic describes how to add an upstream port for an Internet access service to a VLAN.
3. 3.3 Configuring an xDSL Port
An xDSL can transmit services only when it is activated. This topic describes how to
activate an xDSL port and bind the port with an xDSL profile.
4. 3.4 Creating an xDSL Service Port
A service port is a service channel connecting the user side to the network side. To provide
services, a service port must be created.
5. 3.5 (Optional) Configuring the xPoA-xPoE Protocol Conversion
Configuring protocol conversion is required only when the encapsulation mode is IPoA or
PPPoA, it is not required when the encapsulation mode is IPoE or PPPoE.
Prerequisites
The VLAN to be added does not exist in the system.
Application Context
VLAN application is specific to user types. For details on the VLAN application, see Table
3-2.
Default Configuration
Table 3-3 lists the default parameter settings of VLAN.
Default VLAN of VLAN ID: 1 You can run the defaultvlan modify
the system Type: MUX VLAN command to modify the VLAN type but
cannot delete the VLAN.
Reserved VLAN VLAN ID range: You can run the vlan reserve command to
of the system 4079-4093 modify the VLAN reserved by the system.
Procedure
Step 1 Create a VLAN.
Run the vlan to create a VLAN. VLANs of different types are applicable to different scenarios.
Smart To add a smart VLAN, One smart VLAN may Smart VLANs are
VLAN run the vlan vlanid contain multiple xDSL applied in residential
smart command. service ports. The traffic communities to provide
streams of the service xDSL access.
ports are isolated from
each other and the traffic
streams in different
VLANs are isolated from
each other. One smart
VLAN provides access
for multiple users and
thus saves VLAN
resources.
MUX To add a MUX VLAN, One MUX VLAN MUX VLANs are
VLAN run the vlan vlanid contains only one xDSL applicable to xDSL
mux command. service port. The traffic service access. For
streams in different example, MUX VLANs
VLANs are isolated from can be used to distinguish
each other. One-to-one users.
mapping can be set up
between a MUX VLAN
and an access user.
Hence, a MUX VLAN
can identify an access
user.
Super To add a super VLAN, The super VLAN is based Super VLANs can be
VLAN run the vlan vlanid on layer 3. One super used for the L3
super command. VLAN contains multiple intercommunication and
sub-VLANs. Through an are applicable to the
ARP proxy, the sub- scenario where saving IP
VLANs in a super VLAN addresses and improving
can be interconnected at the usage of IP addresses
layer 3. are required.
For a super VLAN, sub-
VLANs must be
configured. You can run
the supervlan command
to add a sub-VLAN to a
specified super VLAN. A
sub-VLAN must be a
smart VLAN or a MUX
VLAN.
NOTE
l To add VLANs with consecutive IDs in batches, run the vlan vlanid to end-vlanid command.
l To add VLANs with inconsecutive IDs in batches, run the vlan vlan-list command.
The default attribute for a new VLAN is "common". You can run the vlan attrib command to
configure the attribute of the VLAN.
Com The default The VLAN with A VLAN with the Applicable to the
mon attribute for a new this attribute can common attribute N:1 access
VLAN is be a standard can function as a scenario.
"common". VLAN, smart common layer 2
VLAN, MUX VLAN or function
VLAN, or super for creating a layer
VLAN. 3 interface.
QinQ To configure QinQ The VLAN with The packets from a Applicable to the
VLA as the attribute of a this attribute can QinQ VLAN enterprise private
N VLAN, run the only be a smart contain two VLAN line scenario.
vlan attrib vlanid VLAN or MUX tags, that is, inner
q-in-q command. VLAN. The VLAN tag from
attribute of a sub the private network
VLAN, the and outer VLAN
VLAN with an L3 tag from the
interface, and the MA5600. Through
default VLAN of the outer VLAN,
the system cannot an L2 VPN tunnel
be set to QinQ can be set up to
VLAN. transparently
transmit the
services between
private networks.
VLA To configure The VLAN with The packets from a Applicable to the
N stacking as the this attribute can stacking VLAN 1:1 access scenario
Stacki attribute of a only be a smart contain two VLAN for the wholesale
ng VLAN, run the VLAN or MUX tags, that is, inner service or
vlan attrib vlanid VLAN. The VLAN tag and extension of
stacking attribute of a sub outer VLAN tag VLAN IDs.
command. VLAN, the from the MA5600. In the case of a
VLAN with an L3 The upper-layer stacking VLAN, to
interface, and the BRAS configure the inner
default VLAN of authenticates the tag of the service
the system cannot access users port, run the
be set to VLAN according to the stacking label
Stacking. two VLAN tags. In command.
this manner, the
number of access
users is increased.
On the upper-layer
network in the L2
working mode, a
packet can be
forwarded directly
by the outer VLAN
tag and MAC
address mode to
provide the
wholesale service
for ISPs.
NOTE
l To configure attributes for the VLANs with consecutive IDs in batches, run the vlan attrib vlanid to end-
vlanid command.
l To configure attributes for the VLANs with inconsecutive IDs in batches, run the vlan attrib vlan-list
command.
----End
Example
Assume that a stacking VLAN with ID of 50 is to be configured for extension of the VLAN. A
service port is added to VLAN 50. The outer VLAN tag 50 of the stacking VLAN identifies the
access device and the inner VLAN tag 10 identifies the user with access to the device. For the
VLAN, description needs to be configured for easy maintenance. To configure such a VLAN,
do as follows:
huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
huawei(config)#service-port vlan 50 adsl 0/2/0 vpi 0 vci 39 rx-cttr 2 tx-cttr 2
huawei(config)#stacking label vlan 50 baselabel 10
huawei(config)#vlan desc 50 description stackingvlan/label10
Procedure
Step 1 Configure an upstream port for the VLAN.
Run port vlan command to add the upstream port to the VLAN.
To ensure reliability of the uplink, two upstream ports must be available. That is, redundancy
backup of the upstream ports needs to be configured. For details, see Configuring the Uplink
Redundancy Backup.
----End
Example
Assume that the 0/7/0 and 0/7/1 upstream ports are to be added to VLAN 50. The 0/7/0 and
0/7/1 need to be configured into an aggregation group for double upstream accesses. For the two
upstream ports, the working mode is full-duplex (full) and the port rate is 100 Mbit/s. To
configure such upstream ports, do as follows:
huawei(config)#port vlan 50 0/7 0
huawei(config)#port vlan 50 0/7 1
huawei(config)#interface scu 0/7
huawei(config-if-scu-0/7)#duplex 0 full
huawei(config-if-scu-0/7)#duplex 1 full
huawei(config-if-scu-0/7)#speed 0 100
huawei(config-if-scu-0/7)#speed 1 100
huawei(config-if-scu-0/7)#quit
huawei(config)#link-aggregation 0/7 0 0/7 1 egress-ingress workmode lacp-static
Prerequisites
The xDSL profile is already created.
Background Information
l Activating (or activation) refers to the training between the xTU-C and the xTU-R. During
the training process, the system checks the line distance and conditions and performs a
negotiation between the xTU-C and the xTU-R to determine whether the port can work
under the conditions as preset in the line profile, such as upstream and downstream line
rates and noise margin.
l If the training is successful, the communication connection is set up between the xTU-C
and the xTU-R, and the devices are ready for service transmission. This state is called the
activated state of a port. That is, services can be transmitted between the xDSL port and
the xTU-R.
l If the xTU-R is online (powered on), the activating process is completed after the training
is successful. If the xTU-R is offline (powered on), the communication connection that is
set up during activation is terminated, and the xTU-C is in the listening state. When the
xTU-R goes online again, the training process begins automatically. When the training is
successful, the port is activated.
l An xDSL port may be in the activating, activated, deactivated, or loopback state. Figure
3-1 shows the inter-conversion between xDSL port states.
NOTE
Ensure that the port is deactivated before binding a profile to the port.
Procedure
l ADSL access mode
1. Run the interface adsl command to enter the ADSL mode.
2. Run the activate command to activate an ADSL2+ port and bind the port with an
ADSL2+ line profile.
To activate a port, you must bind the port with a line profile. If you do not specify the
index of the line profile, the system uses the template bound with the port last time to
activate the port.
To activate a port, you must bind the port with a line template. If you do not specify the index
of the line template, the system uses the template bound with the port last time to activate the
port.
3. Run the alarm-config command to bind an alarm template to the port.
----End
Example
To activate ADSL2+ port 0/2/0 and bind line profile 2 and alarm profile 2 to it, do as follows:
huawei(config)#interface adsl 0/2
huawei(config-if-adsl-0/2)#deactivate 0
huawei(config-if-adsl-0/2)#activate 0 profile-index 2
huawei(config-if-adsl-0/2)#alarm-config 0 2
To activate SHDSL port 0/5/0 and bind line profile 2 and alarm profile 2 to it, do as follows:
huawei(config)#interface shl 0/5
huawei(config-if-shl-0/5)#deactivate 0
huawei(config-if-shl-0/5)#activate 0 2
huawei(config-if-shl-0/5)#alarm-config 0 2
In the common VDSL mode, to activate VDSL2 port 0/4/0 and bind line template 2 and alarm
template 2 to it, do as follows:
huawei(config)#interface vdsl 0/4
huawei(config-if-vdsl-0/4)#deactivate 0
huawei(config-if-vdsl-0/4)#activate 0 template-index 2
huawei(config-if-vdsl-0/4)#alarm-config 0 2
Background Information
A service port can carry a single service or multiple services. When a service port carries multiple
services, the MA5600 supports the following modes of traffic classification:
l By user-side VLAN
l By user-side service encapsulation mode
l By VLAN+user-side packet priority
Procedure
Step 1 Add a traffic profile.
Run the traffic table command to add a traffic profile. There are seven default traffic profiles
in the system with the IDs of 0-6.
Before creating a service port, run the display traffic table command to check whether the
traffic profiles in the system meet the requirement. If no traffic profile in the system meets the
requirement, add a traffic profile that meets the requirement. For details about the traffic profile,
see Configuring the Traffic Management Based on the Traffic Profile.
You can choose to create a single service port or multiple service ports in batches according to
requirements.
l Run the service-port command to create a single service port. Service ports are classified
into single-service service ports and multi-service service ports. Multi-service service ports
are generally applied to the triple play service scenario.
Single-service service ports:
Select single-service or do not input multi-service to create a single-service service
port.
Multi-service service port based on the user-side VLAN (only for the SHDSL and
VDSL2 services in PTM mode):
Select multi-service user-vlan { untagged | user-vlanid }.
untagged: When untagged is selected, user-side packets do not carry a tag.
user-vlanid: When user-vlanid is selected, user-side packets carry a tag and the value
of user-vlanid must be the same as the tag carried in user-side packets. The user-
side VLAN is the C-VLAN.
l vlan indicates the S-VLAN. An S-VLAN can only be a MUX VLAN or smart VLAN.
l The access mode can be ATM or PTM. In the ATM access mode, the VPI, VCI, and autosense must
be input and must be the same as the configurations of the access terminal.
l rx-cttr is the same as outbound in terms of meanings and functions. Either of them indicates the index
of the traffic profile from the network side to the user side. tx-cttr is the same as inbound in terms of
meanings and functions. Either of them indicates the index of the traffic profile from the user side to
the network side. The traffic profile bound to the service port is created in Step 1.
l Run the multi-service-port command to create service ports in batches.
Step 3 Configure the attributes of the service port. Configure the attributes of the service port according
to requirements.
l Run the service-port desc command to configure the description of the service port.
Configure description for a service port to facilitate maintenance. In general, configure the
purpose and related service information as the description of a service port.
l Run the mac-address max-mac-count service-port command to set the maximum number
of MAC addresses learned by the service port to restrict the maximum number of PCs that
can access the Internet by using the same account. By default, the maximum number of the
MAC addresses that can be learned by a service port is 255.
----End
Example
The MA5600 provides the Internet access service with the access rate 3072 kbit/s to the user
and a maximum of 2 users can use the same account to access the Internet at the same time. The
query result shows that the system does not have a proper traffic profile. Therefore, a new traffic
profile needs to be created.
To plan data for a household user who accesses the Internet in the ADSL2+ mode, do as follows:
huawei(config)#display traffic table from-index 0
{ <cr>|to-index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
A household user requests the Internet access service with the access rate 2048 kbit/s. To
facilitate service expansion in the future, the MA5600 adopts the ADSL2+ mode to provide the
Internet access service to the user and differentiates users by user-side VLAN (the S-VLAN is
VLAN 50 and the C-VLAN is VLAN 10). Query result shows that the system has a proper traffic
profile. Therefore, the system provisions the Internet access service to the user immediately. To
facilitate maintenance, configure description for the service port.
huawei(config)#display traffic table from-index 0
{ <cr>|to-index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
A household user requests the Internet access service with the access rate 2048 kbit/s. To
facilitate service expansion in the future, the MA5600 adopts the SHDSL mode to provide the
Internet access service to the user. Query result shows that the system has a proper traffic profile.
Therefore, the system provisions the Internet access service to the user immediately. To facilitate
maintenance, configure description for the service port.
huawei(config)#display traffic table from-index 0
{ <cr>|to-index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
A commercial user requests the Internet access service with the access rate 8192 kbit/s. To
facilitate service expansion in the future, the MA5600 adopts the VDSL mode to provide the
Internet access service to the user and differentiates users by user-side VLAN (the S-VLAN is
VLAN 50 and the C-VLAN is VLAN 10). Query result shows that the system does not have a
proper traffic profile. The system needs to provide the Internet access service to the user
immediately. To facilitate maintenance, configure description for the service port.
huawei(config)#display traffic table from-index 0
{ <cr>|to-index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
10 rx-cttr 7 tx-cttr 7
huawei(config)#service-port desc 0/4/0 description HW_vdsl/VlanID:50/uservaln:10
Background Information
In the xPoA access mode, data cannot be directly transmitted in the IP network, and protocol
conversion is required. IPoA data and PPPoA data can be transmitted in the IP network only
after the IPoA-IPoE protocol conversion and the PPPoA-PPPoE protocol conversion are
performed.
The principles of the IPoA protocol are different from the principles of the PPPoA protocol. In
the PPPoA mode, the BRAS automatically allocates a gateway address to the PPPoA user after
the PPPoA user passes the authentication on the BRAS and dialup is successful. Therefore, the
default gateway address need not be configured in the PPPoA mode. IPoA data is forwarded
according to the route to the destination IP address and the next hop IP address needs to be
configured. Therefore, the default gateway address needs to be configured in the IPoA mode.
Figure 3-2 provides the configuration flow for the xPoA-xPoE protocol conversion.
(Optional) Configure
the aging time of the (Optional) Configure the user
IPoA user forwarding entry MAC address allocation mode
End End
Table 3-7 lists the default settings of the xPoA-xPoE protocol conversion.
User MAC address allocation mode for the PPPoA- Multi-MAC mode
PPPoE protocol conversion
Procedure
l Configure the IPoA-IPoE protocol conversion.
A user can access the Internet in the IPoA mode only after the IPoA-IPoE protocol
conversion is enabled.
1. In the global config mode, run the mac-pool command to configure the MAC address
pool, which is used to allocate source MAC addresses to IPoA users. By default, the
number of the MAC addresses in the MAC address pool is 256, which can be changed
by setting parameter scope.
The MAC address encapsulated into packets during the IPoA-IPoE protocol
conversion is the MAC address allocated to the user from the MAC address pool.
2. Run the ipoa enable command to enable the IPoA-IPoE protocol conversion. By
default, the IPoA-IPoE protocol conversion is disabled.
3. Run the encapsulation command to set the user packet encapsulation mode (select
ipoa as the encapsulation mode).
NOTE
l Configure either the ipoa default gateway command or the dstip parameter in the
encapsulation command. If the MA5600 works in the L2 mode, set the IP address of the
upper-layer router as the default gateway. If the MA5600 works in the L3 mode, set the IP
address of the L3 interface corresponding to the MA5600 as the default gateway.
l IPoA encapsulation is not supported in the single-PVC for multiple services application.
l To switch the encapsulation mode from PPPoA to IPoA, you must change the encapsulation
mode to llc bridge first and then perform switching.
4. Run the ipoa expire-time command to set the aging time of the IPoA user forwarding
entry. By default, the aging time of the IPoA user forwarding entry is 1200s. The
default value is recommended.
l Configure the PPPoA-PPPoE protocol conversion.
A user can access the Internet through the PPPoA dialup only after the PPPoA-PPPoE
protocol conversion is enabled.
1. In the global config mode, run the mac-pool command to configure the MAC address
pool, which is used to allocate source MAC addresses to PPPoA users. By default, the
number of the MAC addresses in the MAC address pool is 256, which can be changed
by setting parameter scope.
The MAC address encapsulated into packets during the PPPoA-PPPoE conversion is
the MAC address allocated to the user from the MAC address pool.
2. Run the pppoa enable command to enable the PPPoA-PPPoE protocol conversion.
By default, the PPPoA-PPPoE protocol conversion is disabled.
3. Run the encapsulation command to set the user packet encapsulation mode (select
pppoa as the encapsulation mode).
NOTE
l PPPoA encapsulation is not supported in the single-PVC for multiple service or QinQ VLAN
application.
l To switch the encapsulation mode from IPoA to PPPoA, you must change the encapsulation
mode to llc bridge first and then perform switching.
4. Run the pppoa mru command to enable PPPoA-PPPoE MRU negotiation. By default,
the PPPoA-PPPoE MRU negotiation is disabled. Enable or disable the PPPoA-PPPoE
MRU negotiation according to the packet processing conditions.
When the MRU negotiation is disabled, the PC initiates the PPPoE connection and
negotiates according to the 1492-byte MRU. In this case, packets need to be
segmented and reassembled.
When the MRU negotiation is enabled, the MA5600 identifies the PPPoA-PPPoE
converted packets, adds a tag to the packets and then sends them to the upper-layer
BRAS. Then, the BRAS negotiates with the CPE according to the 1500-byte MRU.
In this manner, the MTU between the CPE and the BRAS is equal to the standard
Ethernet MTU. In this case, the packets need not be segmented or reassembled.
5. Run the pppoa mac-mode command to set the user MAC address allocation mode
for the PPPoA-PPPoE protocol conversion. By default, the user MAC address
allocation mode is the multi-mac mode. The single-mac mode can improve security.
Select this mode according to the MAC address allocation mode of PPPoA users.
In the multi-MAC allocation mode (the multi-mac mode), PPPoE user are
authenticated on the BRAS using their respective MAC address, and PPPoA users
are allocated different MAC addresses and are authenticated on the BRAS using
these MAC addresses as source MAC addresses.
In the single-MAC allocation mode (the single-mac mode), the system replaces
the MAC address of each PPPoE user with the MAC address of the corresponding
board, and allocates the same MAC address to all PPPoA users.
----End
Example
The MA5600 works in the L2 mode, the default gateway is the same as the IP address of the
upper-layer router, which is 10.1.1.1, and the IPoA service encapsulation mode is LLC.
To enable the IPoA-IPoE conversion with the start MAC address 0000-0000-0001 in the MAC
address pool that contains 200 MAC addresses, do as follows:
huawei(config)#mac-pool 0000-0000-0001 200
huawei(config)#ipoa enable
The PPPoA service encapsulation mode is LLC, and, to improve security, the user MAC address
allocation mode is the single-MAC mode.
To enable the PPPoA-PPPoE protocol conversion with the start MAC address 0000-1010-1000
in the MAC address pool that contains 200 MAC addresses, do as follows:
huawei(config)#mac-pool 0000-1010-1000 200
huawei(config)#pppoa enable
huawei(config)#encapsulation 0/2/0 vpi 0 vci 35 type pppoa llc
huawei(config)#pppoa mac-mode single-mac
This topic describes how to configure the multicast service in the MVLAN mode on a standalone
MA5600, and on the MA5600 in a subtending network or in an MSTP network.
The multicast feature of the MA5600 is applied to the live TV and near-video on demand
(NVOD) multicast video services.
In terms of multicast processing mode, the MA5600 supports the IGMP proxy and IGMP
snooping L2 multicast protocols. IGMP proxy and IGMP snooping both support multicast video
data forwarding; however, the two modes have different processing mechanisms.
l In IGMP snooping, the related information for maintaining multicast forwarding entries is
obtained by listening to the IGMP packets between the user and the multicast router.
l IGMP proxy intercepts the IGMP packets between the user and the multicast router,
processes the IGMP packets (the report packets can be sent only when the user requests for
the program for the first time and the leave packets can be sent only when the last user
leaves the group of a program), and then forwards the IGMP packets to the upper-layer
multicast router. For the multicast user, the MA5600 is a multicast router that implements
the router functions in the IGMP protocol; for the multicast router, the MA5600 is a
multicast user.
l Statically configuring a multicast program library: Configure the program list before the
users watch the video programs. In this mode, the rights profile can be used to implement
controllable multicast. The program list and the rights profile, however, need to be
maintained according to the change of the video service. The program host, program
prejoin, and multicast bandwidth management functions are supported.
l Dynamically generating a multicast program library: Dynamically generate the program
list according to the programs requested by the users. In this mode, the program list need
not be configured or maintained; however, the functions such as program management,
user multicast bandwidth management, program preview, and program prejoin are not
supported.
If the multicast modes configured for the MA5600s on a multicast cascading network are
different, that is, multicast VLAN mode for some MA5600s and non-multicast VLAN mode for
other MA5600s, users cannot watch multicast programs normally. Therefore, all the MA5600s
on the same multicast cascading network must be configured with the same multicast mode.
Table 4-1 lists the default settings of the multicast service of the MA5600.
IGMP version V3
Application Context
The multicast feature of the MA5600 is applied to the live TV and near-video on demand
(NVOD) multicast video services. The MA5600 runs the IGMP proxy or IGMP snooping
protocol, and the interconnected device can run the IGMP proxy, IGMP snooping, or multicast
router protocol.
Currently, the multicast application of the MA5600 is oriented to L2, and the MA5600 forwards
data based on VLAN ID+multicast MAC address. A multicast program on the network is
identified by VLAN ID + multicast IP address uniquely. The MA5600 differentiates multicast
sources by VLAN ID. It allocates a unique VLAN ID to each multicast source, controls the
multicast domain and the user right based on the multicast VLAN ID, and provides a platform
for different ISPs to implement different multicast video services.
Prerequisites
The license for the multicast program or the multicast user is already requested and
installed.
Data Plan
Before configuring the multicast video service, plan the data items as listed in Table 4-2.
Table 4-2 Data plan for configuring the multicast service on a standalone MA5600
Program list -
Procedure
----End
Context
The multicast global parameters include general query, group-specific query, and the policy of
processing multicast packets.
l Purpose: A general query packet is periodically sent by the MA5600 to check whether there
is any multicast user who leaves the multicast group without sending the leave packet.
Based on the query result, the MA5600 periodically updates the multicast forwarding table
and releases the bandwidth of the multicast user that has left the multicast group.
l Principles: The MA5600 periodically sends the general query packet to all online IGMP
users. If the MA5600 does not receive the response packet from a multicast user within a
specified time (Robustness variable x General query interval + Maximum response time
of a general query), it regards the user as having left the multicast group and deletes the
user from the multicast group.
l Purpose: A group-specific query packet is sent by the MA5600 after a multicast user that
is not configured with the quick leave attribute sends the leave packet. The group-specific
query packet is used to check whether the multicast user has left the multicast group.
l Principles: When a multicast user leaves a multicast group, for example, switches to another
channel, the user unsolicitedly sends a leave packet to the MA5600. If the multicast user
is not configured with the quick leave attribute, the MA5600 sends a group-specific query
packet to the multicast group. If the MA5600 does not receive the response packet from
the multicast user within a specified duration (Robustness variable x Group-specific query
interval + Maximum response time of a group-specific query), it deletes the multicast user
from the multicast group.
Table 4-3 lists the default settings of the multicast global parameters. In the actual application,
you can modify the values according to the data plan.
Procedure
Step 1 Configure the general query parameters.
1. Run the igmp proxy router gen-query-interval command to set the general query interval.
By default, the general query interval is 125s.
2. Run the igmp proxy router gen-response-time command to set the maximum response
time of the general query. By default, the maximum response time of the general query is
10s.
3. Run the igmp proxy router robustness command to set the robustness variable (query
times) of the general query. By default, the robustness variable (query times) is 2.
Step 3 Run the display igmp config global command to check whether the values of the multicast
parameters are correct.
----End
Example
To configure the multicast general query parameters by setting the query interval to 150s,
maximum response time to 20s, and number of queries to 3, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp proxy router gen-query-interval 150
huawei(config-btv)#igmp proxy router gen-response-time v3 200
huawei(config-btv)#igmp proxy router robustness 3
To configure the multicast group-specific query parameters by setting the query interval to 20s,
maximum response time to 10s, and number of queries to 3, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp proxy router sp-query-interval 200
huawei(config-btv)#igmp proxy router sp-response-time v3 100
huawei(config-btv)#igmp proxy router sp-query-number 3
Context
To create a multicast VLAN, a common VLAN must be created first. The multicast VLAN can
be the same as the unicast VLAN. In this case, the two VLANs can share the same service stream
channel. The multicast VLAN can be different from the unicast VLAN. In this case, the two
VLANs use different service stream channels.
One user port can be added to multiple multicast VLANs under the following restrictions:
l Among all the multicast VLANs of a user port, only one multicast VLAN is allowed to
have dynamically generated programs.
l The IGMP versions supported by all the multicast VLANs of the user port must be the
same.
l One user port is not allowed to belong to multiple multicast VLANs that are in the IGMP
V3 snooping mode.
Table 4-4 lists the default settings of the multicast VLAN attributes, including the L2 multicast
protocol, IGMP version, multicast program, and multicast upstream port.
IGMP version v3
Procedure
Step 1 Create a multicast VLAN.
1. Run the vlan command to create a VLAN, and set the VLAN type according to the actual
application. For details on the VLAN configuration, see Configuring VLAN.
2. Run the multicast-vlan command to set the created VLAN to a multicast VLAN.
l Static configuration mode: Configure a program list for the multicast VLAN beforehand,
and bind the program to a rights profile to implement program right management.
1. Run the igmp match mode enable command to set the static configuration mode. By
default, the system adopts the static configuration mode.
2. Run the igmp program add [name name ] ip ip-addr [ sourceip ip-addr ] [ hostip ip-
addr ] command to add a multicast program.
NOTE
If the IGMP version of a multicast VLAN is V3, the program must be configured with a source IP
address. If the IGMP version of a multicast VLAN is V2, the program must not be configured with
a source IP address.
3. Add a rights profile.
In the BTV mode, run the igmp profile add command to add a rights profile.
4. Bind the program to the rights profile.
In the BTV mode, run the igmp profile command to bind the program to the rights profile,
and set the right to watch.
NOTE
When a user is bound to multiple rights profiles, and the rights profiles have different rights to a
program, the right with the highest priority prevails. You can run the igmp right-priority command
to adjust the priorities of the four rights: watch, preview, forbidden, and idle. By default, the priorities
of the four rights are forbidden > preview > watch > idle.
l Dynamic generation mode: A program list is dynamically generated according to the
programs requested by users. In this mode, the program list need not be configured or
maintained; however, the functions such as program management, user multicast
bandwidth management, program preview, and program prejoin are not supported.
1. Run the igmp match mode disable command to set the dynamic generation mode.
NOTICE
The igmp match mode command can be executed only when the IGMP mode is disabled.
2. Run the igmp match group command to configure the IP address range of the program
group that can be dynamically generated. Users can request only the programs whose IP
addresses are within the specified range.
Run the igmp mode { proxy | snooping } command to select the L2 multicast mode. By default,
the multicast mode is disabled.
In the IGMP snooping mode, proxy can be enabled for the report packet and the leave packet.
When a multicast user joins or leaves a multicast program, the MA5600 can implement IGMP
proxy. IGMP snooping and IGMP proxy are controlled separately.
l Run the igmp report-proxy enable command to enable the proxy of the snooping report
packet. When the first user requests to join a program, after authenticating the user, the
MA5600 sends the user report packet to the network side and receives a corresponding
multicast stream from the multicast router. The report packets of the users that follow the
first user are not sent by the MA5600 to the network side.
l Run the igmp leave-proxy enable command to enable the proxy of the snooping leave
packet. When the last user requests to leave the program, the MA5600 sends the user leave
packet to the network side to request the upper-layer device to stop sending multicast streams.
The leave packets of the users that precede the last user are not sent by the MA5600 to the
network side.
Run the igmp version{ v2 | v3 } command to set the IGMP version. By default, IGMP V3 is
enabled in the system. If the upper-layer and lower-layer devices oh0630n the network are IGMP
V2 devices and cannot recognize the IGMP V3 packets, run this command to change the IGMP
version.
Run the igmp priority command to change the priority for forwarding the IGMP packets by the
upstream port. By default, the priority is 6 and need not be changed.
l In the IGMP proxy mode, the IGMP packets sent from the upstream port to the network side
adopt the priority set through the preceding command in the multicast VLAN.
l In the IGMP snooping mode, the IGMP packets forwarded to the network side adopt the
priority of the user service stream. The priority of the service stream is set through the traffic
profile.
l Run the display igmp program vlan command to query the information about the program
of the multicast VLAN.
----End
Example
Assume the following configurations: Multicast VLAN 101 is created, the program is configured
with the static attribute, the IP address of the program is 224.1.1.1, the upstream port of the
multicast VLAN is 0/7/0, the IGMP proxy is used, and the IGMP version is IGMP V3. To
perform these configurations, do as follows:
huawei(config)#vlan 101 smart
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp match mode enable
huawei(config-mvlan101)#igmp program add name movie ip 224.1.1.1 sourceip 10.10.
10.1 hostip 10.0.0.2
huawei(config-mvlan101)#igmp uplink-port 0/7/0
huawei(config-mvlan101)#igmp mode proxy
Are you sure to change IGMP mode?(y/n)[n]:y
huawei(config-mvlan101)#igmp version v3
Assume the following configurations: Multicast VLAN 101 is created, the program is configured
with the dynamic attribute, the upstream port of the multicast VLAN is 0/7/0, the IGMP proxy
is used, and the IGMP version is IGMP V3. To perform these configurations, do as follows:
huawei(config)#vlan 101 smart
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp match mode disable
This operation will delete all the programs in current multicast vlan
Are you sure to change current match mode? (y/n)[n]: y
Command is being executed, please wait...
Command has been executed successfully
huawei(config-mvlan101)#igmp uplink-port 0/7/0
huawei(config-mvlan101)#igmp mode proxy
Are you sure to change IGMP mode?(y/n)[n]:y
huawei(config-mvlan101)#igmp version v3
Prerequisites
Before configuring a multicast user, create a service channel. The procedure is as follows:
1. Add a VLAN.
2. Configure the upstream port.
3. Configure the xDSL port.
4. Create an xDSL service port.
NOTE
l The multicast service supports the IPoE and PPPoE user access modes, but does not support the IPoA
or PPPoA user access mode.
l When the multicast user adopts the PPPoE access mode, and the L2 multicast protocol adopts the IGMP
spoofing, run the igmp echo enable command to enable IGMP echo in the BTV mode. This is because,
in the IGMP snooping mode, only the IGMP server can recognize the IGMP over PPP packet, which
generally cannot be recognized by other IGMP sources. When the IGMP echo function is enabled, the
IGMP over PPP and IGMP over IP packets can be sent to the upper-layer device at the same time. In
this manner, the disadvantage that the IGMP source cannot recognize the IGMP over PPP packet is
avoided.
Context
Add a multicast user and bind the multicast user to the multicast VLAN to create a multicast
member.
Table 4-5 lists the default settings of the attributes related to the multicast user.
Table 4-5 Default settings of the attributes related to the multicast user
Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
Step 2 Configure a multicast user and the multicast user attributes.
1. Add a multicast user.
Run the igmp user add command to add a multicast user.
2. Configure the maximum number of programs that can be watched by the multicast user.
l Run the igmp user add portframeid/slotid/portidindex max-program { max-
program-num | no-limit } command to configure the maximum number of programs
that can be watched by the multicast user concurrently. Up to eight programs can be
watched by the multicast user concurrently. By default, the system supports eight
programs.
l Run the igmp user watch-limit portframeid/slotid/portid { hdtv | sdtv | streaming-
video } command to configure the maximum number of programs of different priorities
that can be watched by the multicast user.
3. Set the quick leave mode of the multicast user.
Run the igmp user add portframeid/slotid/portidindex quickleave { immediate |
disable | mac-based } command to configure the quick leave mode of the multicast user.
By default, the quick leave mode is the MAC-based mode.
l Immediate: After receiving the leave packet of the multicast user, the system
immediately deletes the multicast user from the multicast group.
l Disable: After receiving the leave packet of the multicast user, the system sends an ACK
packet to confirm that the multicast user leaves, and then deletes the multicast user from
the multicast group.
l MAC-based: It is the quick leave mode based on the MAC address. The system checks
the MAC address in the leave packet of the user. If it is the same as the MAC address
in the report packet of the user, the system immediately deletes the multicast user from
the multicast group. Otherwise, the system does not delete the multicast user. This mode
is applied to the scenario with multiple terminals.
NOTE
After configuring multicast user authentication, you need to enable the global authentication function
to make the configuration take effect. By default, the global authentication function is enabled. You
can run the igmp proxy authorization command to change the configuration.
2. Bind the multicast user to the rights profile. This operation is to implement user
authentication.
Run the igmp user bind-profile command to bind the user to a rights profile. After the
binding, the multicast user has the rights to the programs as configured in the profile.
In the multicast VLAN mode, run the igmp multicast-vlan member command to bind the user
to the multicast VLAN. Then, the multicast user becomes a multicast member of the multicast
VLAN and can request the programs configured in the multicast VLAN.
Step 5 Run the display igmp user command to check whether the related multicast user information
is correctly configured.
----End
Example
To add multicast user (port) 0/1/1 to multicast VLAN 101, enable user authentication, enable
log report, set the maximum bandwidth to 10 Mbit/s, and bind the user to rights profile music,
do as follows:
huawei(config)#service-port vlan 101 adsl 0/1/1 vpi 0 vci 35 rx-cttr 2 tx-cttr 2
huawei(config)#btv
huawei(config-btv)#igmp user add port 0/1/1 auth log enable max-bandwidth 10240
huawei(config-btv)#igmp user bind-profile port 0/1/1 profile-name music
huawei(config-btv)#quit
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp multicast-vlan member port 0/1/1
Prerequisites
The program matching mode of the multicast VLAN must be the static configuration mode.
Context
If the CAC function is enabled and a user requests a multicast program, the system compares
the remaining bandwidth of the user (bandwidth configured for the user total bandwidth of the
online programs of the user) with the bandwidth of the multicast program. If the remaining
bandwidth of the user is sufficient, the system adds the user to the multicast group. If the
bandwidth is insufficient, the system does not respond to the request of the user.
If the CAC function is disabled, the system does not guarantee the bandwidth of the multicast
program. When the bandwidth is not guaranteed, problems such as mosaic and delay occur in
the multicast program.
Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
By default, the global CAC function is already enabled. You can run the igmp bandwidthCAC
{ enable | disable } command to change the setting.
Run the igmp user add port frameid/slotid/portid { auth | no-auth } max-bandwidth command
to allocate the maximum bandwidth of the multicast user.
Run the multicast-vlan command to enter MVLAN mode, and then run the igmp program add
ip ip-addr bandwidth command to configure the bandwidth of a multicast program.
----End
Example
To enable bandwidth management for multicast users, set the user bandwidth to 10 Mbit/s when
adding multicast user 0/1/1, and configure the program bandwidth to 1 Mbit/s when adding
multicast program 224.1.1.1, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp bandwidthcAC enable
huawei(config-btv)#igmp user add port 0/1/1 adsl 0 35 auth max-bandwidth 10240
huawei(config-btv)#quit
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp program add ip 224.1.1.1 bandwidth 1024
Prerequisites
The program matching mode of the multicast VLAN must be the static configuration mode.
Context
The difference between program preview and normal program watching is that, after the user
goes online, the duration of the preview is restricted. When the duration expires, the user goes
offline. The user can request the program again only after the preview interval expires. The count
by which the user can request the program within a day (the start time can be configured) is
restricted by the preview count of the user.
Multicast preview parameters are managed through the preview profile. One program can be
bound to only one preview profile, but one preview profile can be referenced by multiple
programs.
Table 4-7 lists the default settings of the multicast preview parameters.
Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
By default, the global multicast preview function is enabled. You can run the igmp preview{
enable | disable } command to change the setting.
Run the igmp preview-profile add command to configure the preview profile, and set the
parameters: maximum preview duration, maximum preview count, and minimum interval
between two previews. The system has a default preview profile with index 0.
In the multicast VLAN mode, run the igmp program add ip ip-addr preview-profile index
command to bind the program to be previewed to the preview profile so that the program has
the preview attributes as defined in the preview profile. By default, the program is bound to the
preview profile with index 0.
Run the igmp preview auto-reset-time command to change the time for resetting the preview
record. The preview record of the user remains valid within one day. On the second day, the
preview record is reset. By default, the system resets the preview record at 4:00:00 a.m.
Run the igmp proxy recognition-time command to modify the valid duration of multicast
preview. If the actual preview duration of the user is shorter than the valid duration, the preview
is not regarded as a valid one and is not added to the preview count. By default, the valid duration
of multicast preview is 30s.
Step 7 Run the display igmp config global command to check whether the values of the multicast
preview parameters are correct.
----End
Example
To enable preview of multicast programs by using the system default preview profile, do as
follows:
huawei(config)#btv
huawei(config-btv)#igmp preview enable
To enable preview of multicast programs, create preview profile 1, set the maximum preview
time to 150s, the maximum preview count to 10, and apply this preview profile when adding
program 224.1.1.1, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp preview enable
huawei(config-btv)#igmp preview-profile add index 1 duration 150 times 10
huawei(config-btv)#quit
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp program add ip 224.1.1.1 preview-profile 1
Prerequisites
The program matching mode of the multicast VLAN must be the static configuration mode.
Context
Multicast program prejoin is the same as program request. The MA5600 plays the role of a user
and sends the report packet for receiving in advance the multicast stream from the upper-layer
multicast router to the upstream port.
After the prejoin function is enabled, if the upper-layer multicast router does not support static
multicast entry forwarding, the unsolicited report function needs to be enabled so that the user
can request the program quickly. Generally, the upper-layer multicast router processes the user
request by responding to the group-specific query and the general query.
Procedure
Step 1 Enable the prejoin function.
Run the igmp program add ip ip-addr prejoin enable command to enable the prejoin function
of a program. By default, the prejoin function is disabled.
Step 2 After the prejoin function is enabled, if the upper-layer multicast router does not support static
multicast entry forwarding, the unsolicited report function needs to be enabled for IGMP packets.
l Run the igmp program add ip ip-addr unsolicited enable command to enable the
unsolicited report function for IGMP packets. By default, the unsolicited report function is
disabled.
l Run the igmp unsolicited-report interval command to modify the interval for unsolicitedly
reporting IGMP packets. By default, the interval is 10s.
----End
Example
To enable the prejoin function when adding program 224.1.1.1, do as follows:
huawei(config-mvlan101)#igmp program add ip 224.1.1.1 prejoin enable
Prerequisites
If the syslog is used for reporting multicast logs, the syslog server must be properly configured.
Context
Multicast logs have three control levels: multicast VLAN level, multicast user level, and
multicast program level. The system generates logs only when the logging functions at the three
levels are enabled.
When the user stays online for longer than the valid time for generating logs, the system generates
logs in any of the following conditions:
l The user goes offline naturally, by force, or abnormally.
l The user is blocked or deleted.
l The program is deleted.
l The program priority is changed.
l The upstream port to which the program is bound changes.
l The VLAN of the upstream port to which the program is bound changes.
l The right mode is switched.
l The user preview times out.
The system supports up to 32K logs. When the user goes online, the system records only the
online date and time. The system generates a complete log only when the user goes offline.
The MA5600 can report the multicast log to the log server in the syslog mode and the call detailed
record (CDR) mode. By default, the MA5600 reports the log in the syslog mode.
l Syslog mode: Logs are reported to the syslog server in the form of a single log.
l CDR mode: Logs are reported to the log server in the form of a log file (.cvs). One log file
contains multiple logs.
Table 4-9 lists the default settings of the multicast logging parameters.
Procedure
l Configure the parameters of the logging function of the multicast host.
1. Enable the multicast logging functions.
Multicast logs have three control levels: multicast VLAN level, multicast user level,
and multicast program level. The system generates logs only when the logging
functions at the three levels are enabled. By default, the three functions are enabled.
Run the igmp log { enable | disable } command to configure the logging function
at the multicast VLAN level.
Run the igmp user add port frameid/slotid/portid { auth | no-auth } log
{ enable | disable } command to configure the logging function at the multicast
user level.
Run the igmp program add ip ip-addr log { enable | disable } command to
configure the logging function at the multicast program level.
2. Modify the interval for automatically logging.
Run the igmp proxy log-interval command to modify the interval for automatically
logging. When the user stays online for a long time, the system generates logs at the
preset interval. This is to prevent the problem that a log is not generated when the user
leaves the multicast group without sending a leave packet, which can affect the
accounting. By default, the interval is two hours.
3. Modify the minimum online duration for generating a valid log.
Run the igmp proxy recognition-time command to modify the minimum online
duration for generating a valid log. If the user is in a multicast group (such as to preview
a program) for shorter than the preset duration, the user operation is not regarded as
a valid one and a log is not generated. A log is generated only when a user stays online
for longer than the specified duration. By default, the minimum online duration is 30s.
l Configure the function of CDR-mode log report.
1. Enable the function of CDR-mode log report.
Run the igmp cdr { enable | disable } command to configure the function of CDR-
mode log report. After the function is enabled, the MA5600 reports the local multicast
logs to the multicast log server in the form of a file. After the function is disabled, the
MA5600 reports each single log to the syslog server in the default syslog mode.
2. Configure the multicast log server and the data transmission mode for the CDR-mode
log report.
Run the file-server auto-backup cdr command to configure the active and standby
multicast log servers.
3. Configure the parameters of the log report in the CDR mode.
Run the igmp cdr-interval command to set the report interval. By default, the
interval is 600s.
Run the igmp cdr-number command to set the maximum number of logs that can
be reported each time. When the number of the multicast logs in the CDR file
reaches the preset value, the MA5600 reports the logs. By default, the maximum
number is 200.
4. Check whether the configuration is correct.
Run the display file-server command to query the configuration of the CDR
multicast log server.
Run the display igmp config global command to query the status and other
parameters of the function of CDR-mode log report.
----End
Example
To configure the multicast log to be reported to log server 10.10.10.1 in the CDR mode and use
the TFTP transmission mode, do as follows:
Prerequisites
l The MA5600 does not support the PIM-SSM and IGMP upstream transmission at the same
time.
l The MA5600 does not support the specific multicast source as the upstream multicast
source to serve the entire network.
l The MA5600 does not support the receiving of PIM messages through an external
subtending port, the receiving of PIM messages through the original BTV subtending port,
or the processing of PIM messages received on the user-side port.
l PIM-SSM of the MA5600 depends on the unicast routing information. Hence, modifying,
deleting, or configuring the unicast routing information affects the availability of the PIM-
SSM function and the unicast routing performance affects the PIM-SSM performance.
l The PIM-SSM function can be used on the MA5600 only after the multicast routing
function is enabled.
Background Information
The PIM-SSM model provides a solution to the specific multicast source. In this solution, the
exchange of messages between an access device and a router can be maintained through the
IGMP V3 protocol.
Procedure
Step 1 Enable the PIM-SSM function.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim sm command to enable the PIM-SSM function on the VLAN L3 interface.
priority set in the VLAN interface mode does not exist, the system uses the DR priority set
in PIM mode.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim hello-option dr-priority command to set the DR priority of the PIM router
on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 3 Set the interval for a PIM router to send hello packets.
l The multicast mode of the upstream port must be PIM-SSM.
l The multicast routing function must be enabled.
l The interval ranges from 1s to 2147483647s. By default, it is 30s.
l The command used for setting the interval for the PIM router to send hello packets in PIM
mode functions the same as the command used in the VLAN interface mode. The difference
lies in that the system prefers the interval for the PIM router to send hello packets set in the
VLAN interface mode. When the interval for the PIM router to send hello packets set in the
VLAN interface mode does not exist, the system uses the interval for the PIM router to send
hello packets set in PIM mode.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim timer hello command to set the interval for a PIM router to send hello packets
in PIM mode.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 4 Set the timeout time for a PIM router to wait for hello packets.
l The multicast mode of the upstream port must be PIM-SSM.
l The multicast routing function must be enabled.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim hello-option holdtime command to set the timeout time for the PIM router
to wait for hello packets on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 5 Set the longest delay for triggering the transmission of hello packets.
l The multicast mode of the upstream port must be PIM-SSM.
l The multicast routing function must be enabled.
l For example, if the longest delay is N seconds (s), the system randomly selects a value ranging
from 0s to Ns as the delay and sends hello packets to the neighbor after this delay.
l The longest delay ranges from 1s to 5s. By default, it is 5s.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim triggered-hello-delay command to set the longest delay for triggering the
transmission of hello packets.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
l Set the number of (S, G) entries contained in the packets sent every second.
Run the pim command to enter PIM mode.
Run the jp-queue-size command to set the length of the Join/Prune packets to be sent.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim timer join-prune command to set the interval for sending Join/Prune packets
on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 8 Set the delay for the PIM router to perform the pruning operation.
l The multicast mode of the upstream port must be PIM-SSM.
l The multicast routing function must be enabled.
l The delay ranges from 1 ms to 32767 ms. By default, it is 500 ms.
l The command used for setting the delay for the PIM router to perform the pruning in PIM
mode functions the same as the command used in the VLAN interface mode. The difference
lies in that the system prefers the delay for the PIM router to perform the pruning set in the
VLAN interface mode. When the delay for the PIM router to perform the pruning set in the
VLAN interface mode does not exist, the system uses the delay for the PIM router to perform
the pruning set in PIM mode.
4. Run the display pim interface command to query the PIM information of the interface.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim hello-option lan-delay command to set the delay for a PIM router to perform
pruning on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 9 Set the interval for the PIM router to override the pruning.
l The multicast mode of the upstream port must be PIM-SSM.
l The multicast routing function must be enabled.
l When a router receives a prune message from the upstream interface, it indicates that other
downstream routers exist in this LAN. If this router still needs to receive the multicast data,
it must send the prune override message to the upstream router during the override interval.
l The interval ranges from 1 ms to 65535 ms. By default, it is 2500 ms.
l The command used for setting the interval for the PIM router to override the pruning in PIM
mode functions the same as the command used in the VLAN interface mode. The difference
lies in that the system prefers the interval for the PIM router to override the pruning set in
the VLAN interface mode. When the interval for the PIM router to override the pruning set
in the VLAN interface mode does not exist, the system uses the interval for the PIM router
to override the pruning set in PIM mode.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim hello-option override-interval command to set the interval for the PIM router
to override the pruning on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
Step 10 Set the holdtime for the PIM router to maintain the join status of the downstream interface.
l The multicast mode of the upstream port must be PIM-SSM.
l The multicast routing function must be enabled.
l The holdtime ranges from 1s to 65535s. By default, it is 210s.
l The command used for setting the holdtime for the PIM router to maintain the join status of
the downstream interface in PIM mode functions the same as the command used in the VLAN
interface mode. The difference lies in that the system prefers the holdtime for the PIM router
to maintain the join status of the downstream interface set in the VLAN interface mode.
When the holdtime for the PIM router to maintain the join status of the downstream interface
set in the VLAN interface mode does not exist, the system uses the holdtime for the PIM
router to maintain the join status of the downstream interface set in PIM mode.
1. Run the interface vlanif command to enter the VLAN interface mode.
2. Run the pim holdtime join-prune command to set the holdtime for the PIM router to
maintain the join status of the downstream interface on a specified interface.
3. Run the quit command to quit the VLAN interface mode.
4. Run the display pim interface command to query the PIM information of the interface.
The ACL must be a basic ACL, which ranges from 2000 to 2999.
2. Run the rule permit source command to configure the ACL rule in acl-basic mode to
define the IP address range of the PIM-SSM multicast group to be permitted source IP
address.
3. Run the quit command to quit acl-basic mode.
4. Run the pim command to enter PIM mode.
5. Run the ssm-policy command to apply the configured ACL rule to specify the IP address
range of the PIM-SSM multicast group.
----End
Example
Assume that the PIM-SSM function is enabled on VLAN interface 500 and the PIM-SSM
parameters are as follows:
l Set the longest delay for triggering hello packets to 4s on VLAN interface 500.
l Set the length of the Join/Prune packets to be sent to 1100 bytes.
l Set the interval for sending Join/Prune packets to 120s on VLAN interface 500.
l Set the delay for a PIM router to perform pruning to 700 ms on VLAN interface 500.
l Set the interval for a PIM router to override a pruning operation to 3000 ms on VLAN
interface 500.
l Set the holdtime for a PIM router to maintain the join status of the downstream interface
to 215s on VLAN interface 500.
l Set the IP address range of a PIM-SSM multicast group to 232.1.0.0/16.
Application Context
Figure 4-1 shows an example network of the multicast service in a subtending network. When
a subtended device needs to provide the multicast service, the subtending port on the subtending
device needs to be configured as a multicast subtending port. In this manner, the subtended
device regards the subtending device as an IGMP user.
Multicast Server
Router
CON
ETH
MON
GE0/7/0
GE0/7/1
MA5600_ A
A CON
D ETH
MON
G
E
GE0/7/0
GE0/7/1
MA5600_B
Modem Modem
PC PC
Precautions
l The multicast program of the subtending device must contain the multicast program of the
subtended device.
l In this network, the MA5600 functions as a DSLAM, and the multicast VLANs of the
subtending device and the subtended device must be the same.
Procedure
The procedure for configuring the subtending device is the same as the procedure described in
Configuring the Multicast Service on a Single-NE Network.
The procedure of configuring the subtended device is as follows:
1. For details on configuring the multicast service, see Configuring the Multicast Service
on a Single-NE Network.
2. Configure the multicast subtending port.
Run the igmp cascade-port frameid/slotid/portid command to configure the subtending
port as the multicast subtending port. The multicast upstream port cannot be configured as
the multicast subtending port.
3. Configure the mode for processing unknown multicast packets by the multicast subtending
port.
By default, the system transparently transmits the unknown multicast packets sent from the
multicast subtending port to lower-layer devices. This applies to the situation that the lower-
layer devices may require the transparent transmission of unknown multicast packets.
When multicast service is provided with preference, it is recommended that you run the
igmp cascade-port frameid/slotid/portid mismatch { transparent | discard } command
to enable the quick leave function on the multicast subtending port.
4. When the quick leave function of the multicast user needs to be enabled on the subtending
device, run the igmp cascade-port frameid/slotid/portid quickleave enable command to
enable the quick leave function on the multicast subtending port.
NOTICE
If the lower-layer device does not support the proxy of the IGMP leave packet, all the users
requesting for the program may go offline when a user requesting for the same program
goes offline. Therefore, when the quick leave function is enabled on the multicast
subtending port, it is recommended that you use the IGMP proxy mode on the lower-layer
device or enable the proxy of the IGMP leave packet in the IGMP snooping mode.
Application Context
Figure 4-2 shows an example network of the multicast service in an MSTP network. When the
multicast service is provided in an MSTP ring network, the multicast upstream port and the
subtending port need to be added to the multicast VLAN. According to the running result of the
MSTP protocol, the multicast request packets are sent from the root port or the default port (when
the device is a root bridge), and the other ports in the VLAN serve as subtending ports.
Multicast Server
Router
SCU MA5600_A
A
A A 0 0
D
D D 1
1 G
G G 2
E
E E 2 3
0/2 0/7
A 0
D
G
E
SCU MA5600_ D
Modem
PC
Procedure
The procedures for configuring the devices that comprise the MSTP ring network are the same.
1. For details on configuring the MSTP ring network, see Configuring the MSTP.
2. For details on configuring the multicast service, see Configuring the Multicast Service
on a Single-NE Network.
3. Configure the MSTP multicast upstream port.
When the multicast service is provided in an MSTP ring network, the multicast upstream
port needs to be set in the MSTP mode, and the default upstream port of the multicast VLAN
can be specified. After the configuration is complete, multicast packets are forwarded by
the root port or default port in the multicast VLAN.
l Run the igmp uplink-port-mode mstp command to set the upstream port in the MSTP
mode.
l Run the igmp default uplink-port command to specify the default upstream port of
the multicast VLAN. When the upstream port is set in the MSTP mode and an MSTP
root port is unavailable in the multicast VLAN, the multicast VLAN by default adopts
the upstream port as the multicast upstream port.
4. Configure the multicast subtending port.
Run the igmp cascade-port command to configure the subtending port as the multicast
subtending port.
5. Configure multicast quick convergence in the case of an MSTP network topology change.
Multicast quick convergence means that the device can quickly join the multicast group
through a new upstream port when the MSTP network topology changes. The device can
send the IGMP join packet for an online program to the new upstream port in an unsolicited
manner so that the device joins all the multicast groups; or the device can send the IGMP
global leave packet to the upstream port. Then, the upper-layer querier sends a query packet
for generating a new multicast forwarding tree.
Run the igmp send global-leave command to enable the function of sending the IGMP
global leave packet. When this function is enabled, the device sends the IGMP global leave
packet to the upper-layer multicast router. When this function is disabled, the device sends
the IGMP join packet to the upper-layer multicast router. By default, the function of sending
the IGMP global leave packet is enabled.
This topic describes how to configure the multicast service in the non-multicast VLAN (non-
MVLAN) mode on a standalone MA5600, and on the MA5600 in a subtending network or in
an MSTP network.
The multicast service of the MA5600 is widely used in streaming media, distance learning, video
conferencing, video multicasting, Web TV, online game, Internet data center (IDC), and other
point-to-multipoint data transmission.
In terms of multicast processing mode, the MA5600 supports the IGMP proxy and IGMP
snooping L2 multicast protocols. IGMP proxy and IGMP snooping both support multicast video
data forwarding; however, the two modes have different processing mechanisms.
l IGMP snooping obtains related information and maintains the multicast forwarding entries
by listening to the IGMP packets in the communication between the user and the multicast
router.
l IGMP proxy intercepts the IGMP packets between the user and the multicast router,
processes the IGMP packets, and then forwards the IGMP packets to the upper-layer
multicast router. For the multicast user, the MA5600 is a multicast router that implements
the router functions in the IGMP protocol; for the multicast router, the MA5600 is a
multicast user.
If the multicast modes configured for the MA5600s on a multicast cascading network are
different, that is, multicast VLAN mode for some MA5600s and non-multicast VLAN mode for
other MA5600s, users cannot watch multicast programs normally. Therefore, all the MA5600s
on the same multicast cascading network must be configured with the same multicast mode.
This topic describes how to configure the multicast service for an xDSL user of a standalone
MA5600.
Table 5-1 lists the default settings of the multicast service of the MA5600.
Application Context
The multicast service of the MA5600 is widely used in streaming media, distance learning, video
conferencing, video multicasting (Web TV), online game, Internet data center (IDC), and other
point-to-multipoint data transmission.
Currently, the multicast application of the MA5600 is oriented to L2, and the MA5600 forwards
data based on VLAN ID + multicast MAC address. A multicast program on the network is
identified by VLAN ID + multicast IP address uniquely. The MA5600 differentiates multicast
sources by VLAN ID. It allocates a unique VLAN ID to each multicast source, controls the
multicast domain and the user rights based on the multicast VLAN ID, and provides a platform
for different ISPs to implement different multicast video services.
Prerequisites
The license for the multicast program or the multicast user must be applied for and installed.
Data Plan
Before configuring the multicast video service, plan the data items as listed in Table 5-2.
Table 5-2 Data plan for configuring the multicast service on a standalone MA5600
Multicast general query and group- The default values are adopted. For
specific query parameters the default settings, see
Configuring Global Multicast
Parameters.
Program list -
Procedure
----End
Context
Table 5-3 lists the global multicast parameters.
Proxy function of the report packet disable (Configure this parameter in the
listening mode.)
Proxy function of the leave packet disable (Configure this parameter in the
listening mode.)
The purposes and principles of the general query and the group-specific query are as follows:
l Purpose: A general query packet is periodically sent by the MA5600 to check whether there
is any multicast user who leaves the multicast group without sending the leave packet.
Based on the query result, the MA5600 periodically updates the multicast forwarding table
and releases the bandwidth of the multicast user who has left the multicast group.
l Principles: The MA5600 periodically sends the general query packet to all the online IGMP
users. If the MA5600 does not receive the response packet from a multicast user within a
specified time (robustness variable x interval of the general query + maximum response
time of the general query), it regards the user as having left the multicast group and deletes
the user from the multicast group.
l Purpose: A group-specific query packet is sent by the MA5600 after a multicast user who
is not configured with the quick leave attribute sends the leave packet. The group-specific
query packet is used to check whether the multicast user has left the multicast group.
l Principles: When a multicast user leaves a multicast group, for example, switches to another
channel, the user sends a leave packet to the MA5600 in an unsolicited manner. If the
multicast user is not configured with the quick leave attribute, the MA5600 sends a group-
specific query packet to the multicast group. If the MA5600 does not receive the response
packet from the multicast user within a specified time (robustness variable x interval of the
group-specific query + maximum response time of the group-specific query), it deletes the
multicast user from the multicast group.
For the general query, the MA5600 queries the multicast packets of all the users. For the group-
specified query, the MA5600 queries the multicast packets of the user who watches the specified
multicast program.
Table 5-4 lists the default settings of global multicast parameters. In actual application, you can
change the settings according to your data plan.
Table 5-4 Default settings of general query and group-specific query parameters
Procedure
Step 1 Configure general query parameters.
1. Run the igmp proxy router gen-query-interval command to set the interval of the general
query. By default, the interval is 125s.
2. Run the igmp proxy router gen-response-time command to set the maximum response
time of the general query. By default, the time is 10s.
3. Run the igmp proxy router robustness command to set the count of the general query.
By default, the count is 2.
Step 3 Run the display igmp proxy command to check whether the parameters are configured
correctly.
----End
Example
To configure the multicast general query parameters by setting the query interval to 150s,
maximum response time to 20s, and query count to 3, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp proxy router gen-query-interval 150
huawei(config-btv)#igmp proxy router gen-response-time v3 200
huawei(config-btv)#igmp proxy router robustness 3
To configure the multicast group-specific query parameters by setting the query interval to 20s,
maximum response time to 10s, and query count to 3, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp proxy router sp-query-interval 200
huawei(config-btv)#igmp proxy router sp-response-time v3 100
huawei(config-btv)#igmp proxy router sp-query-number 3
Context
l The source IP address of a multicast program is a unicast IP address and the source IP
addresses of different multicast programs can be the same.
l Table 5-5 lists the default settings of multicast parameters, such as the multicast upstream
port mode, L2 multicast mode, and IGMP version.
IGMP version v3
Procedure
Step 1 Create a program VLAN.
1. Run the vlan command to create a program VLAN and set the VLAN type according to
application requirements. For details, see Configuring the VLAN.
2. Run the port vlan command to add the upstream port to the VLAN.
Run the igmp profile command to bind the rights profile to the program and set the rights
to watch the program.
NOTE
If a user is bound with multiple rights profiles but the rights to a program vary in these profiles, the
user uses the rights with the highest priority. You can run the igmp right-priority command to adjust
the priorities of the four rights: watch, preview, forbidden, and idle. By default, the priorities of the
four rights are forbidden > preview > watch > idle.
l mstp: Indicates the MSTP mode. The upstream port is determined by the upper-layer
device running the MSTP protocol and the protocol packets are sent upstream through
the root port.
l broadcast: Indicates the broadcast mode. The upstream port is determined by the upper-
layer device and protocol packets are sent to all the upstream ports in the VLAN that is
bound to the program.
Run the igmp mode { proxy | snooping | off } command to select the L2 multicast mode. By
default, the IGMP proxy mode is used.
In the IGMP snooping mode, proxy can be enabled for the report packet and the leave packet.
When a multicast user joins or leaves a multicast program, the MA5600 can implement IGMP
proxy. IGMP snooping and IGMP proxy are controlled separately.
l Run the igmp report-proxy enable command to enable the proxy of the snooping report
packet. When the first user requests for a program, after authenticating the user, the
MA5600 sends the user report packet to the network side and obtains a corresponding
multicast stream from the multicast router. The MA5600 does not send the report packets
from the subsequent users for joining the same program to the network side any more.
l Run the igmp leave-proxy enable command to enable the proxy of the snooping leave
packet. When the last user requests for leaving a program, the MA5600 sends the user leave
packet to the network side and notifies the upper-layer device of stopping sending multicast
streams. The MA5600 does not send the leave packets from the users before the last user to
the network side. If the offline user is not the last user, the upper-layer device keeps sending
multicast streams.
Run the igmp uplink-port force-to-v2 { enable | disable } command to set the IGMP version.
By default, IGMP V3 is enabled in the system. If the upper-layer and lower-layer devices on the
network are of the IGMP V2 version and cannot recognize the IGMP V3 packets, run this
command to switch the IGMP version.
----End
Example
Assume that the VLAN ID is 101, the IP address of the program is 224.1.1.1, the program
bandwidth is 5000 kbit/s, the multicast upstream port is 0/7/2, the IGMP proxy is enabled, and
the IGMP version is IGMP V3. To configure a program with these attributes, do as follows:
huawei(config)#vlan 101 smart
huawei(config)#port vlan 101 0/7 2
huawei(config)#btv
huawei(config-btv)#igmp program add name movie ip 224.1.1.1 sourceip 10.10.10.1
vlan 101 bind 0/7/2 bandwidth 5000 hostip 10.0.0.254
huawei(config-btv)#igmp uplink-port 0/7/2
huawei(config-btv)#igmp mode proxy
Are you sure to change IGMP mode?(y/n)[n]:y
huawei(config-btv)#igmp uplink-port force-to-v2
disable
Prerequisites
Before configuring the multicast user, you must create a service channel. The procedure is as
follows:
In the IGMP proxy mode, you need not add the upstream port to the user-side VLAN.
3. Run the interface xDSL frameid/slotid command to enter the board mode to configure
xDSL port.
NOTE
In the interface xDSL frameid/slotid command, keyword xDSL can be adsl, shdsl, or vdsl.
4. Run the service-port command to create an xDSL traffic stream.
NOTE
l The multicast service supports the IPoE and PPPoE user access modes but does not support the IPoEoA
or PPPoEoA user access mode.
l In the PPPoE access mode, if the L2 multicast protocol is IGMP snooping, whether to enable the IGMP
echo function by running the igmp echo enable command is determined according to whether the
upper-layer device forwarding the IGMP packet supports the IGMP over PPP packet.
Context
Add a multicast user and bind the multicast user with the multicast source IP address to create
a multicast member. Bind the rights profile to the multicast user to implement multicast user
authentication.
Table 5-6 lists the default settings of the attributes related to the multicast user.
Table 5-6 Default settings of the attributes related to the multicast user
Limitation on the number of programs Maximum number of programs that can be watched
that can be watched by the multicast concurrently: 8
user
Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
Step 2 Configure the multicast user and the multicast user attributes.
1. Add a multicast user.
Run the igmp user add command to add a multicast user.
2. Configure the maximum number of programs that can be watched by the multicast user.
Run the igmp user add port frameId/slotId/portId { auth | no-auth } [ max-
programmax-program-num ] command to set the maximum number of programs that can
be watched by the multicast user concurrently. A maximum of eight programs can be
watched by the multicast user concurrently. By default, the system supports eight programs.
3. Set the quick leave mode of the multicast user.
Run the igmp user add port frameId/slotId/portId { auth | no-auth } quickleave
{ disable | immediate | mac-based } command to set the leave mode of the multicast user.
By default, the leave mode is the mac-based mode.
l disable: After receiving the leave request packet of the multicast user, the system sends
ACK packets to confirm that the multicast user leaves, and then deletes the multicast
user from the multicast group.
l immediate: After receiving the leave request packet of the multicast user, the system
immediately deletes the multicast user from the multicast group.
l mac-based: Indicates the quick leave mode based on the MAC address. The system
detects the MAC address in the leave packet of the user. If it is the same as the MAC
address in the report packet of the user and the user is the last one who watches the
multicast program in the multicast group, the system immediately deletes the multicast
user from the multicast group. Otherwise, the system does not delete the multicast user.
In this mode, the application scenario with multiple terminals is supported.
Step 3 Configure the multicast user authentication.
By default, the system does not authenticate the multicast user. To control the rights of a multicast
user, you can enable the multicast user authentication function.
1. Configure the multicast user authentication function.
Run the igmp user add port frameId/slotId/portId { auth | no-auth } command to
configure whether to authenticate a multicast user.
NOTE
After configuring multicast user authentication, you need to enable the global authentication function
to make the configuration take effect. By default, the global authentication function of multicast user
is enabled. You can run the igmp proxy authorization command to change the configuration.
2. Bind the rights profile to the multicast user. Binding the rights profile to the multicast user
implements user authentication.
Run the igmp user bind-profile command to bind the rights profile to the multicast user.
After the binding, the multicast user has the rights to the programs as configured in the
profile.
Step 4 Run the display igmp user command to check whether the related multicast user is configured
correctly.
----End
Example
Assume that multicast user (port) 0/11/1 is added to multicast VLAN 101, the user authentication
and the log report are enabled, the maximum number of programs that can be watched is set to
6, rights profile music is bound to the user, and the leave mode of the user is mac-based. To
perform the configurations, do as follows:
huawei(config)#service-port vlan 101 adsl 0/11/1 vpi 0 vci 35 rx-cttr 2 tx-cttr 2
huawei(config)#btv
huawei(config-btv)#igmp user add port 0/11/0 auth max-program 6 quickleave mac-
based
huawei(config-btv)#igmp user add smart-vlan 101 auth log enable
huawei(config-btv)#igmp user bind-profile smart-vlan 101 profile-name music
Context
If the multicast bandwidth management function is enabled and a user requests a multicast
program, the system compares the remaining bandwidth of the user (bandwidth configured for
the user - total bandwidth of the online programs of the user) with the bandwidth of the multicast
program. If the remaining bandwidth of the user is sufficient, the system adds the user to the
multicast group. If the bandwidth is insufficient, the system does not respond to the request of
the user.
If the multicast bandwidth management function is disabled, the system does not guarantee the
bandwidth of the multicast program. When the bandwidth is not guaranteed, problems such as
mosaic and delay occur in the multicast program.
Table 5-7 lists the default settings of the multicast bandwidth management parameters.
Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
By default, the global CAC function is already enabled. You can run the igmp bandwidthCAC
{ enable | disable } command to change the setting.
Run the igmp program add ip ip-addr bandwidth command to configure the bandwidth of a
multicast program.
----End
Example
To enable the bandwidth management function of the multicast user, add multicast user 0/11/1
with maximum number of programs that can be watched concurrently to 6, and set the bandwidth
of program 224.1.1.1 to 1 Mbit/s, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp bandwidthcAC enable
huawei(config-btv)#igmp user add port 0/11/1 auth max-program 6
huawei(config-btv)#igmp program add ip 224.1.1.1 vlan 101 bandwidth 1024
Prerequisites
The program matching mode of the user VLAN must be the static configuration mode.
Context
The difference between program preview and normal program watching is that, after the user
goes online, the duration of the preview is restricted. When the duration expires, the user goes
offline. The user can request the program again only after the preview interval expires. The count
by which the user can request the program within a day (the start time can be configured) is
restricted by the preview count of the user.
Table 5-8 lists the default settings of the multicast preview parameters.
Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
By default, the global multicast preview function is enabled. You can run the igmp preview {
enable | disable } command to change the setting.
Run the igmp preview auto-reset-time command to change the time for resetting the preview
record. The preview record of the user remains valid within one day. On the second day, the
preview record is reset. By default, the system resets the preview record at 4:00:00 a.m.
Run the igmp proxy recognition-time command to modify the valid duration of multicast
preview. If the actual preview duration of the user is shorter than the valid duration, the preview
is not regarded as a valid one and is not added to the preview count. By default, the valid duration
of multicast preview is 30s.
Step 5 Run the display igmp proxy command to check whether the values of the multicast preview
parameters are correct.
----End
Example
To enable the multicast preview function, set the time for resetting the preview record to 5:00:00,
and set the valid duration of multicast preview to 40s, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp preview enable
huawei(config-btv)#igmp preview auto-reset-time 5:00:00
huawei(config-btv)#igmp proxy recognition-time 40
Prerequisites
The multicast source must exist on the network and the IP address of the multicast source must
be known.
Context
Multicast program prejoin is the same as program request. The MA5600 plays the role of a user
and sends the report packet for receiving in advance the multicast stream from the upper-layer
multicast router to the upstream port.
After the prejoin function is enabled, if the upper-layer multicast router does not support static
multicast entry forwarding, the unsolicited report function needs to be enabled so that the user
can request for the program quickly. Generally, the upper-layer multicast router processes the
user request by responding to the group-specific query and the general query.
Procedure
Step 1 Enable the program prejoin function.
Run the igmp program add ip ip-addr [ sourceip ip-addr ] vlan vlanid [ bind frameid/slotid/
portid ] prejoin enable command to enable the program prejoin function. By default, this
function is disabled.
Step 2 After the program prejoin function is enabled, if the upper-layer multicast router does not support
static multicast entry forwarding, the unsolicited report function of IGMP packets needs to be
enabled.
l Run the igmp program add ip ip-addr [ sourceip ip-addr ] vlan vlanid [ bind frameid/
slotid/portid ] unsolicited enable command to enable the unsolicited report function of
IGMP packets. By default, this function is disabled.
l Run the igmp proxy router report-interval command to change the interval of the
unsolicited report of IGMP packets. By default, the interval is 10s.
----End
Example
To enable the program prejoin function when adding a program whose IP address is 224.1.1.1,
do as follows:
huawei(config-btv)#igmp program add ip 224.1.1.1 sourceip 10.10.10.10 vlan 101
prejoin enable
Prerequisites
If the multicast log is reported in the syslog mode, the syslog server must be configured properly.
Context
The multicast log involves the multicast log of the multicast user and the multicast log of the
multicast program. The system generates logs only when the log functions of both the multicast
user and the multicast program are enabled.
If the user stays online longer than the valid log generation time, the system generates logs in
any of the following conditions: when the user goes offline naturally, forcibly, or abnormally;
when the user is blocked or deleted; when the program is deleted; when the program priority is
changed; when the upstream port to which the program is bound is changed; when the VLAN
of the upstream port to which the program is bound is changed; when the user preview times
out; when the IGMP mode is switched; when the rights mode is switched; when the bandwidth
CAC fails.
The system supports a maximum of 10240 logs. When the user goes online, the system records
only the online date and time. The system generates a complete log only when the user goes
offline.
The MA5600 can report the multicast log to the log server in the syslog mode and the call detailed
record (CDR) mode. By default, the MA5600 reports the log in the syslog mode.
l syslog mode: Logs are reported to the syslog server in the form of a single log.
l CDR mode: Logs are reported to the log server in the form of a log file (.cvs). One log file
contains multiple logs.
Procedure
l Configure the parameters of the log generation function of the multicast host.
1. Enable the multicast log generation function.
The multicast log involves the multicast log of the multicast user and the multicast
log of the multicast program. The system generates logs only when the log functions
of both the multicast user and the multicast program are enabled. By default, the log
functions of both the multicast user and the multicast program are enabled.
Run the igmp user add port frameId/slotId/portId { auth | no-auth } log
{ enable | disable } command to enable the log function of the multicast user.
Run the igmp program add ip ip-addr [ sourceip ip-addr ] vlan vlanid log
{ enable | disable } command to enable the log function of the multicast program.
2. Change the interval of automatic log generation.
Run the igmp proxy log-interval command to change the interval of automatic log
generation. When the user stays online for a long time, the system generates logs at
preset intervals. This prevents the problem that a log is not generated when the user
leaves the multicast group without sending the leave packet, which can affect the
accounting. By default, the interval is two hours.
3. Change the minimum online duration for generating a valid log.
Run the igmp proxy recognition-time command to change the minimum online
duration for generating a valid log. If the user is in a multicast group (such as to preview
a program) for shorter than the preset duration, the user operation is not regarded as
a valid one and a log is not generated. A log is generated only when a user stays online
for longer than the specified duration. By default, the duration is 30s.
Run the igmp cdr { enable | disable } command to enable the multicast log report
function in the CDR mode. After the function is enabled, the MA5600 reports local
multicast logs to the multicast log server in the form of a file. After the function is
disabled, the MA5600 reports each single log to the syslog server in the default syslog
mode.
2. Configure the multicast log server and the data transmission mode for the multicast
log report in the CDR mode.
Run the file-server auto-backup cdr command to configure the active and standby
multicast log servers.
3. Configure the parameters of the multicast log report in the CDR mode.
Run the igmp cdr-interval command to set the interval of the multicast log report
in the CDR mode. By default, the interval is 600s.
Run the igmp cdr-number command to set the maximum number of logs that can
be reported each time. When the number of multicast logs in the CDR file reaches
the preset value, the MA5600 reports the logs. By default, the maximum number
is 200.
4. Check whether the configuration is correct.
Run the display igmp proxy command to query the status and other parameters of
the multicast log report in the CDR mode.
----End
Example
To configure the multicast log to be reported to log server 10.10.10.1 in the CDR mode through
the TFTP transmission, do as follows:
huawei(config)#file-server auto-backup cdr primary 10.10.10.1 tftp
huawei(config)#btv
huawei(config-btv)#igmp cdr enable
Application Context
Figure 5-1 shows an example network of the multicast service in a subtending network. When
a subtended device needs to provide the multicast service, the subtending port on the subtending
device needs to be configured as a multicast subtending port. In this manner, the subtended
device regards the subtending device as an IGMP user.
Multicast Server
Router
CON
ETH
MON
GE0/7/0
GE0/7/1
MA5600_ A
A CON
D ETH
MON
G
E
GE0/7/0
GE0/7/1
MA5600_B
Modem Modem
PC PC
Precautions
l The multicast program of the subtending device must contain the multicast program of the
subtended device.
l In this network, the MA5600 functions as a subtending device, and the program VLANs
of the subtending device and the subtended device must be the same.
Procedure
The procedure for configuring the subtending device is the same as the procedure described in
Configuring the Multicast Service on a Single-NE Network.
The procedure of configuring the subtended device is as follows:
1. For details on configuring the multicast service, see Configuring the Multicast Service
on a Single-NE Network.
2. Configure the multicast subtending port.
Run the igmp cascade-port frameid/slotid/portid command to configure the subtending
port as the multicast subtending port. The multicast upstream port cannot be configured as
the multicast subtending port.
3. When the quick leave function of the multicast user needs to be enabled on the subtending
device, run the igmp cascade-port frameid/slotid/portid quickleave enable command to
enable the quick leave function on the multicast subtending port.
NOTICE
If the lower-layer device does not support the proxy of the IGMP leave packet, all the users
requesting for the program may go offline when a user requesting for the same program
goes offline. Therefore, when the quick leave function is enabled on the multicast
subtending port, it is recommended that you use the IGMP proxy mode on the lower-layer
device or enable the proxy of the IGMP leave packet in the IGMP snooping mode.
Application Context
Figure 5-2 shows an example network of the multicast service in an MSTP network. When the
multicast service is provided in an MSTP ring network, the multicast upstream port and the
subtending port need to be added to the user VLAN. According to the running result of the MSTP
protocol, the multicast request packets are sent from the root port or the default port (when the
device is a root bridge), and the other ports in the VLAN serve as subtending ports.
Multicast Server
Router
SCU MA5600_A
A
A A 0 0
D
D D 1
1 G
G G 2
E
E E 2 3
0/2 0/7
A 0
D
G
E
SCU MA5600_ D
Modem
PC
Procedure
The procedures for configuring the devices that comprise the MSTP ring network are the same.
1. For details on configuring the MSTP ring network, see Configuring the MSTP.
2. For details on configuring the multicast service, see Configuring the Multicast Service
on a Single-NE Network.
3. Configure the MSTP multicast upstream port.
When the multicast service is provided in an MSTP ring network, the multicast upstream
port needs to be set in the MSTP mode, and the default upstream port of the multicast VLAN
can be specified. After the configuration is complete, multicast packets are forwarded by
the root port or default port in the multicast VLAN.
Run the igmp uplink-port-mode mstp command to set the upstream port in the MSTP
mode.
4. Configure the multicast subtending port.
Run the igmp cascade-port command to configure the subtending port as the multicast
subtending port.
6.3 Configuration Example of the Multicast Video Service in the Non-MVLAN Mode
This topic describes how to configure the multicast video service in the static configuration
mode.
Service Requirements
l The user accesses the Internet through the PPPoE dialup.
l PITP is enabled to protect the user account against theft and roaming.
l A traffic profile is adopted for rate limitation. The user access rate is 2048 kbit/s.
l To ensure reliability, dual GE ports are adopted for upstream transmission, and link
aggregation is configured for the two upstream ports.
Figure 6-1 shows an example network for configuring the xDSL Internet access service through
the PPPoA dialup.
Figure 6-1 Example network for configuring the xDSL Internet access service through the
PPPoA dialup
LSW BRAS
A CON
ETH
D MON
G
E
GE0/7/0
SCU MA5600
PPPoE/IPoE
Modem
PC
Prerequisite
The number of xDSL ports is under the control of licenses. Make sure that sufficient licenses
are already requested.
l If the AAA function is implemented by the BRAS, a connection to the BRAS must be
established. The BRAS can identify the VLAN tag of the MA5600 in the upstream
direction. For the identification purpose, the user name and password for dial-up Internet
access must be configured on the BRAS.
Procedure
Step 1 Configure a VLAN.
Configure service VLAN 50 with the stacking attribute. The user packet goes upstream carrying
two VLAN tags. The outer VLAN tag identifies the service and the inner VLAN tag identifies
the user. The service of each user is identified by unique S-VLAN+C-VLAN, and the VLAN
forwarding mode is the S-VLAN+C-VLAN mode.
huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
To aggregate the two upstream ports as one aggregation group, set the packet forwarding mode
of the aggregation group to egress-ingress, and set the aggregation group to work in the LACP
static mode, do as follows:
huawei(config)#link-aggregation 0/7 0 0/7 1 egress-ingress workmode lacp-static
NOTE
By default, an ADSL port is in the activated state. Before binding a template to the port, you must deactivate
the port.
In the ADSL access mode, bind the default ADSL2+ line profile 1 and ADSL2+ alarm
profile 1 to ADSL port 0/2/0.
huawei(config)#interface adsl 0/2
huawei(config-if-adsl-0/2)#deactivate 0
huawei(config-if-adsl-0/2)#activate 0 profile-index 1
huawei(config-if-adsl-0/2)#alarm-config 0 1
huawei(config-if-adsl-0/2)#quit
3. Run the display traffic table command to query the existing traffic profiles in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
4 rt-vbr 15 128 -- -- 64 300 10000000 on /on /
off
5 ubr 2 2048 -- -- -- -- -- on /on /--
6 ubr 1 -- -- -- -- -- -- off/off/--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirements, the user access rate is 2048 kbit/s. The query result
shows that traffic profile 5 meets the requirements.
NOTE
l If a matched traffic profile is not available in the system, run the traffic table command to configure
a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or an ADSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port, adopt traffic profile 5, and set the
S-VLAN ID to 50. The VPI and VCI of the service port must be the same as the management
VPI and VCI of the peer modem. Assume that the management VPI and VCI of the modem
are 1 and 39, and the access port ID is 0/2/0. To facilitate the maintenance of the service
port, configure the service port description.
huawei(config)#service-port vlan 50 adsl 0/2/0 vpi 1 vci 39 rx-cttr 5 tx-cttr
5
huawei(config)#service-port desc 0/2/0 vpi 1 vci 39 description Vlanid:50/adsl/
v
pi:1vci:39/stacking
5. Set the C-VLAN ID of the preset service port with VPI/VCI 1/39 to 10 for identifying the
user. Configure the important user packet with a higher priority so that the user packet can
be processed with precedence, and set the priority of the inner VLAN to 4.
huawei(config)#stacking label 0/2/0 vpi 1 vci 39 10
huawei(config)#stacking inner-priority 0/2/0 vpi 1 vci 39 4
2. Activate SHDSL port 0/5/0, and bind the preset SHDSL line profile 3 and the default
SHDSL alarm template (alarm template 1) to the port.
NOTE
By default, an SHDSL port is in the activated state. Before binding a profile or template to the port, you
must deactivate the port.
huawei(config)#interface shl 0/5
huawei(config-if-shl-0/5)#deactivate 0
huawei(config-if-shl-0/5)#activate 0 3
huawei(config-if-shl-0/5)#alarm-config 0 1
huawei(config-if-shl-0/5)#quit
3. Run the display traffic table command to query the existing traffic profiles in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirements, the user access rate is 2048 kbit/s. The query result
shows that traffic profile 5 meets the requirements.
NOTE
l If a matched traffic profile is not available in the system, run the traffic table command to configure
a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or an SHDSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port, adopt traffic profile 5, and set the
S-VLAN ID to 50. Set the SHDSL channel mode to PTM and the service port is 0/5/0. To
facilitate the maintenance of the service port, configure the service port description.
huawei(config)#service-port vlan 50 shdsl mode ptm 0/5/0 rx-cttr 5 tx-cttr 5
huawei(config)#service-port desc 0/5/0 description Vlanid:50/shdsl/vpi:1vci:
39/stacking
5. Set the C-VLAN ID of the preset service port 0/5/0 to 10 for identifying the user. Configure
the important user packet with a higher priority so that the user packet can be processed
with precedence, and set the priority of the inner VLAN to 4.
huawei(config)#stacking label 0/5/0 10
huawei(config)#stacking inner-priority 0/5/0 4
2. Activate VDSL port 0/4/0, and bind the preset VDSL line template 3 and the default VDSL
alarm template (alarm template 1) to the port.
NOTE
By default, a VDSL port is in the activated state. Before binding a template to the port, you must deactivate
the port.
3. Run the display traffic table command to query the existing traffic profiles in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
4 rt-vbr 15 128 -- -- 64 300 10000000 on /on /
off
5 ubr 2 2048 -- -- -- -- -- on /on /--
6 ubr 1 -- -- -- -- -- -- off/off/--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirements, the user access rate is 2048 kbit/s. The query result
shows that traffic profile 5 meets the requirements.
NOTE
l If a matched traffic profile is not available in the system, run the traffic table command to configure
a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or a VDSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port, adopt traffic profile 5, and set the
S-VLAN ID to 50. Set the VDSL channel mode to PTM, and the service port is 0/4/0. To
facilitate the maintenance of the service port, configure the service port description.
huawei(config)#service-port vlan 50 vdsl mode ptm 0/4/0 rx-cttr 5 tx-cttr 5
huawei(config)#service-port desc 0/4/0 description Vlanid:50/vdsl/vpi:1vci:39/
stacking
5. Set the C-VLAN ID of the preset service port 0/4/0 to 10 for identifying the user. Configure
the important user packet with a higher priority so that the user packet can be processed
with precedence, and set the priority of the inner VLAN to 4.
huawei(config)#stacking label 0/4/0 10
huawei(config)#stacking inner-priority 0/4/0 4
NOTE
For details about the PITP configuration for the user account security, see 1.13.1 Configuring Anti-Theft and
Roaming of User Account Through PITP.
----End
Verification
l Step 1: Configure the user name and password for the dialup on the modem (the user name
and password must be the same as those configured on the BRAS).
l Step 2: Dial up on the PC by using the PPPoE dialup software. After the dialup is successful,
the user can access the Internet.
l Step 3: When FTP is used to download files, after the dialup is performed on the PPPoE
dialup software, the PPPoE dialup software displays a message indicating that the dialup
is successful. Then, the PC can access the Internet in the PPPoE mode.
l Step 4: When downloading files through FTP, you can open Task Manager in Windows
and click Networking to check the link speed. Then, you can calculate the Internet access
rate by the following formula: Attainable Internet access rate = Computer network adapter
rate/48 x 53 x 8. The calculation result approximates to the planned 2048 kbit/s.
Configuration Script
Configuration Script in the ADSL access mode:
vlan 50 smart
vlan attrib 50 stacking
port vlan 50 0/7 0
port vlan 50 0/7 1
link-aggregation 0/7 0 0/7 1 egress-ingress workmode lacp-static
interface adsl 0/2
deactivate 0
activate 0 profile-index 1
alarm-config 0 1
quit
service-port vlan 50 adsl 0/2/0 vpi 1 vci 39 rx-cttr 5 tx-cttr 5
service-port desc 0/2/0 vpi 1 vci 39 description Vlanid:50/adsl/vpi:1vci:39/
stacking
stacking label 0/2/0 vpi 1 vci 39 10
stacking inner-priority 0/2/0 vpi 1 vci 39 4
pitp enable pmode
raio-mode cntel pitp-pmode
save
Service Requirements
l The user accesses the Internet in the IPoE mode. The account authentication is implemented
through the DHCP option 82 field.
l Double VLAN tags are added to user packets for upstream transmission, where the outer
VLAN tag identifies the service and the inner VLAN tag identifies the user. The service
of each user is identified by a unique S-VLAN+C-VLAN. This is called the 1:1 access.
l A traffic profile is adopted for rate limitation. The user access rate is 2048 kbit/s.
l Dual GE ports are adopted for upstream transmission to ensure reliability. Link aggregation
is configured for the two upstream ports.
Figure 6-2 shows an example network for configuring the xDSL IPoE Internet access service.
Figure 6-2 Example network for configuring the xDSL IPoE Internet access service
LSW BRAS
A CON
ETH
D MON
G
E
GE0/7/0
SCU MA5600
PPPoE/IPoE
Modem
PC
Prerequisite
The number of xDSL ports is under the control of licenses. Make sure that sufficient licenses
are already requested.
Procedure
Step 1 Configure a VLAN.
Configure service VLAN 50 with the stacking attribute. The user packet goes upstream carrying
two VLAN tags. The outer VLAN tag identifies the service and the inner VLAN tag identifies
the user. The service of each user is identified by unique S-VLAN+C-VLAN, and the VLAN
forwarding mode is the S-VLAN+C-VLAN mode.
huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
To aggregate the two upstream ports as one aggregation group, set the packet forwarding mode
of the aggregation group to egress-ingress, and set the aggregation group to work in the LACP
static mode, do as follows:
huawei(config)#link-aggregation 0/7 0 0/7 1 egress-ingress workmode lacp-static
NOTE
By default, an ADSL port is in the activated state. Before binding a template to the port, you must deactivate
the port.
In the ADSL access mode, bind the default ADSL2+ line profile 1 and ADSL2+ alarm
profile 1 to ADSL port 0/2/0.
huawei(config)#interface adsl 0/2
huawei(config-if-adsl-0/2)#deactivate 0
huawei(config-if-adsl-0/2)#activate 0 profile-index 1
huawei(config-if-adsl-0/2)#alarm-config 0 1
huawei(config-if-adsl-0/2)#quit
3. Run the display traffic table command to query the existing traffic profiles in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
4 rt-vbr 15 128 -- -- 64 300 10000000 on /on /
off
5 ubr 2 2048 -- -- -- -- -- on /on /--
6 ubr 1 -- -- -- -- -- -- off/off/--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirements, the user access rate is 2048 kbit/s. The query result
shows that traffic profile 5 meets the requirements.
NOTE
l If a matched traffic profile is not available in the system, run the traffic table command to configure
a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or an ADSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port, adopt traffic profile 5, and set the
S-VLAN ID to 50. The VPI and VCI of the service port must be the same as the management
VPI and VCI of the peer modem. Assume that the management VPI and VCI of the modem
are 1 and 39, and the access port ID is 0/2/0. To facilitate the maintenance of the service
port, configure the service port description.
huawei(config)#service-port vlan 50 adsl 0/2/0 vpi 1 vci 39 rx-cttr 5 tx-cttr
5
huawei(config)#service-port desc 0/2/0 vpi 1 vci 39 description Vlanid:50/adsl/
v
pi:1vci:39/stacking
5. Set the C-VLAN ID of the preset service port with VPI/VCI 1/39 to 10 for identifying the
user. Configure the important user packet with a higher priority so that the user packet can
be processed with precedence, and set the priority of the inner VLAN to 4.
2. Activate SHDSL port 0/5/0, and bind the preset SHDSL line profile 3 and the default
SHDSL alarm template (alarm template 1) to the port.
NOTE
By default, an SHDSL port is in the activated state. Before binding a profile or template to the port, you
must deactivate the port.
huawei(config)#interface shl 0/5
huawei(config-if-shl-0/5)#deactivate 0
huawei(config-if-shl-0/5)#activate 0 3
huawei(config-if-shl-0/5)#alarm-config 0 1
huawei(config-if-shl-0/5)#quit
3. Run the display traffic table command to query the existing traffic profiles in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
4 rt-vbr 15 128 -- -- 64 300 10000000 on /on /
off
5 ubr 2 2048 -- -- -- -- -- on /on /--
6 ubr 1 -- -- -- -- -- -- off/off/--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
-----------------------------------------------------------------------------
According to service requirements, the user access rate is 2048 kbit/s. The query result
shows that traffic profile 5 meets the requirements.
NOTE
l If a matched traffic profile is not available in the system, run the traffic table command to configure
a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or an SHDSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port, adopt traffic profile 5, and set the
S-VLAN ID to 50. Set the SHDSL channel mode to PTM and the service port is 0/5/0. To
facilitate the maintenance of the service port, configure the service port description.
huawei(config)#service-port vlan 50 shdsl mode ptm 0/5/0 rx-cttr 5 tx-cttr 5
huawei(config)#service-port desc 0/5/0 description Vlanid:50/shdsl/vpi:1vci:
39/stacking
5. Set the C-VLAN ID of the preset service port 0/5/0 to 10 for identifying the user. Configure
the important user packet with a higher priority so that the user packet can be processed
with precedence, and set the priority of the inner VLAN to 4.
huawei(config)#stacking label 0/5/0 10
huawei(config)#stacking inner-priority 0/5/0 4
2. Activate VDSL port 0/4/0, and bind the preset VDSL line template 3 and the default VDSL
alarm template (alarm template 1) to the port.
NOTE
By default, a VDSL port is in the activated state. Before binding a template to the port, you must deactivate
the port.
huawei(config)#interface vdsl 0/4
huawei(config-if-vdsl-0/4)#deactivate 0
huawei(config-if-vdsl-0/4)#activate 0 profile-index 3
huawei(config-if-vdsl-0/4)#alarm-config 0 1
huawei(config-if-vdsl-0/4)#quit
3. Run the display traffic table command to query the existing traffic profiles in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
4 rt-vbr 15 128 -- -- 64 300 10000000 on /on /
off
5 ubr 2 2048 -- -- -- -- -- on /on /--
6 ubr 1 -- -- -- -- -- -- off/off/--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirements, the user access rate is 2048 kbit/s. The query result
shows that traffic profile 5 meets the requirements.
NOTE
l If a matched traffic profile is not available in the system, run the traffic table command to configure
a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or a VDSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port, adopt traffic profile 5, and set the
S-VLAN ID to 50. Set the VDSL channel mode to PTM, and the service port is 0/4/0. To
facilitate the maintenance of the service port, configure the service port description.
huawei(config)#service-port vlan 50 vdsl mode ptm 0/4/0 rx-cttr 5 tx-cttr 5
huawei(config)#service-port desc 0/4/0 description Vlanid:50/vdsl/vpi:1vci:39/
stacking
5. Set the C-VLAN ID of the preset service port 0/4/0 to 10 for identifying the user. Configure
the important user packet with a higher priority so that the user packet can be processed
with precedence, and set the priority of the inner VLAN to 4.
l In this example, the MA5600 works in the L2 DHCP mode. Therefore, the DHCP-related configurations
are not required. If the MA5600 works in the L3 DHCP mode, the DHCP-related configurations on the
MA5600 are required. For details, see Configuring DHCP.
l For the details about the security of DHCP accounts, see Configuring Anti-Theft or Roaming of User
Accounts Through DHCP.
Assume that the RAIO mode is the user-defined mode, the CID is the access node name frame/
slot/port:vlanid, the RID is the label of the service port where the user is connected. To enable
the DHCP option 82 function with these parameters, do as follows:
huawei(config)#dhcp option82 enable
huawei(config)#raio-mode user-defined dhcp-option82
huawei(config)#raio-format dhcp-option82 cid anid frame/slot/port:vlanid
huawei(config)#raio-format dhcp-option82 rid splabel
----End
Verification
l Step 1: After the PC NIC automatically obtains an IP address and a connection to the
Internet is set up, the user can access the Internet.
l Step 2: To download a file through FTP, open Windows Task Manager and then click
Networking to observe the link rate. Calculate the Internet access rate by the formula:
attainable Internet access rate = computer NIC rate/48 x 53 x 8. The calculated result
approximates to the planned 2048 kbit/s.
Configuration Script
Configuration Script for the ADSL access mode:
vlan 50 smart
vlan attrib 50 stacking
port vlan 50 0/7 0
port vlan 50 0/7 1
link-aggregation 0/7 0 0/7 1 egress-ingress workmode lacp-static
interface adsl 0/2
deactivate 0
activate 0 profile-index 1
alarm-config 0 1
quit
service-port vlan 50 adsl 0/2/0 vpi 1 vci 39 rx-cttr 5 tx-cttr 5
service-port desc 0/2/0 vpi 1 vci 39 description Vlanid:50/adsl/vpi:1vci:39/
stacking
stacking label 0/2/0 vpi 1 vci 39 10
stacking inner-priority 0/2/0 vpi 1 vci 39 4
dhcp option82 enable
raio-mode user-defined dhcp-option82
raio-format dhcp-option82 cid anid frame/slot/port:vlanid
raio-format dhcp-option82 rid splabel
save
vlan 50 smart
vlan attrib 50 stacking
port vlan 50 0/7 0
port vlan 50 0/7 1
link-aggregation 0/7 0 0/7 1 egress-ingress workmode lacp-static
shdsl line-profile quickadd 3 ptm rate 512 2048
interface shl 0/5
interface shl 0/5
activate 0 3
alarm-config 0 1
quit
service-port vlan 50 shdsl mode ptm 0/5/0 rx-cttr 5 tx-cttr 5
service-port desc 0/5/0 description Vlanid:50/shdsl/vpi:1vci:39/stacking
stacking label 0/5/0 10
stacking inner-priority 0/5/0 4
dhcp option82 enable
raio-mode user-defined dhcp-option82
raio-format dhcp-option82 cid anid frame/slot/port:vlanid
raio-format dhcp-option82 rid splabel
save
Service Requirements
l The user accesses the Internet in the IPoA mode and obtains an IP address from the DHCP
server. The MA5600 works in the DHCP L2 mode.
l One VLAN tag is added to user packets for upstream transmission and the services of
multiple users are aggregated into one VLAN.
l DHCP option 82 is enabled to protect user accounts from theft and roaming.
l A traffic profile is adopted for rate limitation. The user access rate is 2048 kbit/s.
l Dual GE ports are adopted for upstream transmission to ensure reliability. Link aggregation
is configured for the two upstream ports.
Figure 6-3 shows an example network for configuring the xDSL IPoA Internet access service.
Figure 6-3 Example network for configuring the xDSL IPoA Internet access service
LSW BRAS
A CON
ETH
D MON
G
E
GE0/7/0
SVLAN50
SCU MA5600
PPPoA/IPoA
Modem Modem
PC PC
Prerequisite
The number of xDSL ports is under the control of licenses. Make sure that sufficient licenses
are already requested.
Procedure
Step 1 Create a VLAN.
To aggregate the two upstream ports as one aggregation group, set the packet forwarding mode
of the aggregation group to egress-ingress, and set the aggregation group to work in the LACP
static mode.
huawei(config)#link-aggregation 0/7 0 0/7 1 egress-ingress workmode lacp-static
NOTE
The aggregated ports must meet the following requirements: The ports must work in the full-duplex mode; the
port rates must be the same and the rate of an electrical port must not be of the auto-negotiation type; the attributes
of the ports, such as the default VLAN ID (PVID) and VLAN, must be the same; one port can belong to only
one aggregation group; the port must not be a mirroring destination port; the port must not be in the auto-
negotiation mode; the start port ID must be smaller than the end port ID.
Step 3 In the case of the ADSL access mode, follow this procedure.
1. Configure an ADSL2+ profile. For details, see 1.11.1 Configuring the ADSL2+ Profile.
The ID of the ADSL2+ line profile is 3, the downstream rate is 2048 kbit/s, the channel
mode is the interleave mode, the maximum interleave delay is 10 ms, and the SNR margin
is 6 dB.
huawei(config)#adsl line-profile quickadd basic-para full-rate trellis 1
bitswap
1 1 channel interleaved 100 100 adapt fixed snr 5 4 9 5 4 9 rate 2048 2048
1000 1100
2. Activate the ADSL port. The port is port 0/2/0, and ADSL line profile 3 and the default
alarm profile (alarm profile 1) are bound to the port.
NOTE
By default, a port is in the activated state. Before binding a profile to a port, you must deactivate the port.
huawei(config)#interface adsl 0/2/0
huawei(config-if-adsl-0/2/0)#deactivate 0
huawei(config-if-adsl-0/2/0)#activate 0 profile-index 3
huawei(config-if-adsl-0/2/0)#alarm-config 0 1
huawei(config-if-adsl-0/2/0)#quit
3. Run the display traffic table command to query the traffic profiles that exist in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirement, the user access rate is 2048 kbit/s. The query result shows
that traffic profile 5 meets the requirement.
NOTE
l If no traffic profile in the system meets the service requirement, run the traffic table command to
configure a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or an xDSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port. The index of the new service port
is 1, the access port is port 0/2/0, traffic profile 5 meets the service requirement, and the S-
VLAN is VLAN 50. The VPI and VCI must be the same as the management VPI and VCI
of the peer modem. Assume that the management VPI and VCI of the modem are 1 and
39. To facilitate the maintenance of the service port, configure description for the service
port.
huawei(config)#service-port vlan 50 adsl 0/2/0 vpi 1 vci 39 rx-cttr 5 tx-cttr
5
huawei(config)#service-port desc 0/2/0 description MA5600HW/Vlanid:50/adsl/
smart
5. Set the maximum number of MAC addresses that can be learned by the service port is 16.
This parameter is to limit the maximum number of the MAC addresses that can be learned
by one account, namely, the maximum number of the PCs that can access the Internet
through one account.
huawei(config)#mac-address max-mac-count adsl 0/2/0 vpi 1 vci 39 16
Step 4 In the case of the SHDSL access mode, follow this procedure.
1. Configure an SHDSL profile. For details, see 1.11.2 Configuring SHDSL Profiles. The
ID of the SHDSL line profile is 3, the line rate is 2048 kbit/s, and the profile is used to
activate 4-wire ports.
huawei(config)#shdsl line-profile quickadd 3 line four-wire rate 2048
2. Activate the SHDSL port. The port is port 0/5/0, and SHDSL line profile 3 and the default
alarm profile (alarm profile 1) are bound to the port.
NOTE
By default, a port is in the activated state. Before binding a profile to a port, you must deactivate the port.
huawei(config)#interface shl 0/5
huawei(config-if-shl-0/5)#deactivate 0
huawei(config-if-shl-0/5)#activate 0 3
huawei(config-if-shl-0/5)#alarm-config 0 1
huawei(config-if-shl-0/5)#quit
3. Run the display traffic table command to query the traffic profiles that exist in the system.
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
4 rt-vbr 15 128 -- -- 64 300 10000000 on /on /
off
5 ubr 2 2048 -- -- -- -- -- on /on /--
6 ubr 1 -- -- -- -- -- -- off/off/--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirement, the user access rate is 2048 kbit/s. The query result shows
that traffic profile 5 meets the requirement.
NOTE
l If no traffic profile in the system meets the service requirement, run the traffic table command to
configure a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or an SHDSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port. The index of the new service port
is 2, the access port is port 0/5/0, traffic profile 5 meets the service requirement, and the S-
VLAN is VLAN 50. The VPI and VCI must be the same as the management VPI and VCI
of the peer modem. Assume that the management VPI and VCI of the modem are 1 and
39. To facilitate the maintenance of the service port, configure description for the service
port.
huawei(config)#service-port vlan 50 shdsl mode atm 0/5/0 vpi 1 vci 39 rx-cttr
5 tx-cttr 5
huawei(config)#service-port desc 0/5/0 description MA5600HW/Vlanid:50/shdsl/
smart
5. Set the maximum number of MAC addresses that can be learned by the service port to 16.
This parameter is to limit the maximum number of the MAC addresses that can be learned
by one account, namely, the maximum number of the PCs that can access the Internet
through one account.
huawei(config)#mac-address max-mac-count shdsl 0/5/0 vpi 1 vci 39 16
Step 5 In the case of the VDSL access mode, follow this procedure.
1. Configure a VDSL profile. For details, see Configuring the VDSL2 Profile. Configure
the VDSL profile with the following parameters: Profile ID: 3; The minimum reserved
transmission rate in the downstream: 2048 kbit/s; Channel mode: interleave mode;
Downstream maximum interleave delay: 8 ms; Upstream maximum interleave delay: 2 ms;
SNR margin: 6 dB; Downstream minimum INP: 4; Upstream minimum INP: 2.
huawei(config)#vdsl line-profile quickadd 3 snr 60 0 300 60 0 300
huawei(config)#vdsl channel-profile quickadd 3 path-mode atm interleaved-delay
8 2 inp 4 2 rate
128 10000 128 10000 2048 2048
huawei(config)#vdsl line-template quickadd 3 line 3 channel1 3 100 100
2. Activate VDSL port 0/4/0, and bind the preset VDSL line template 3 and the default VDSL
alarm template (alarm template 1) to the port.
NOTE
By default, a port is in the activated state. Before binding a profile to a port, you must deactivate the port.
huawei(config)#interface vdsl 0/4
huawei(config-if-vdsl-0/4)#deactivate 0
huawei(config-if-vdsl-0/4)#activate 0 profile-index 3
huawei(config-if-vdsl-0/4)#alarm-config 0 1
huawei(config-if-vdsl-0/4)#quit
3. Run the display traffic table command to query the traffic profiles that exist in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
4 rt-vbr 15 128 -- -- 64 300 10000000 on /on /
off
5 ubr 2 2048 -- -- -- -- -- on /on /--
6 ubr 1 -- -- -- -- -- -- off/off/--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirement, the user access rate is 2048 kbit/s. The query result shows
that traffic profile 5 meets the requirement.
NOTE
l If no traffic profile in the system meets the service requirement, run the traffic table command to
configure a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or a VDSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port. The index of the new service port
is 3, the access port is port 0/4/0, traffic profile 5 meets the service requirement, and the S-
VLAN is VLAN 50. The VPI and VCI must be the same as the management VPI and VCI
of the peer modem. Assume that the management VPI and VCI of the modem are 1 and
39. To facilitate the maintenance of the service port, configure description for the service
port.
huawei(config)#service-port vlan 50 vdsl mode atm 0/4/0 vpi 1 vci 39 rx-cttr 5
tx-cttr 5
huawei(config)#service-port desc 0/4/0 description MA5600HW/Vlanid:50/vdsl/
smart
5. Set the maximum number of MAC addresses that can be learned by the service port to 16.
This parameter is to limit the maximum number of the MAC addresses that can be learned
by one account, namely, the maximum number of the PCs that can access the Internet
through one account.
huawei(config)#mac-address max-mac-count vdsl 0/4/0 vpi 1 vci 39 16
----End
Verification
l Step 1: Set the VPI/VCI of the modem to 1/39, encapsulation mode to llc-ipoa, and IP
address to 192.168.1.1.
l Step 2: After the settings on the modem are completed, the network connection is
automatically set up and the user can access the Internet.
l Step 3: To download a file through FTP, open Windows Task Manager, and then click
Networking to observe the link rate. Calculate the Internet access rate by the formula:
attainable Internet access rate = computer NIC rate/48 x 53 x 8. The calculated result
approximates to the planned 2048 kbit/s.
Configuration Script
Configuration Script for the ADSL access mode:
vlan 50 smart
port vlan 50 0/7 0
port vlan 50 0/7 1
link-aggregation 0/7 0 0/7 1 egress-ingress workmode lacp-static
adsl line-profile quickadd basic-para full-rate trellis 1 bitswap
1 1 channel interleaved 100 100 adapt fixed snr 5 4 9 5 4 9 rate 2048 2048 1000
1100
interface adsl 0/2
deactivate 0
activate 0 profile-index 3
alarm-config 0 1
quit
service-port vlan 50 adsl 0/2/0 vpi 1 vci 39 rx-cttr 5 tx-cttr 5
service-port desc 0/2/0 description MA5600HW/Vlanid:50/adsl/smart
mac-address max-mac-count adsl 0/2/0 vpi 1 vci 39 16
mac-pool 0 0000-1111-1010 300
ipoa enable
ipoa default gateway 192.168.1.20
encapsulation 0/2/0 vpi 1 vci 39 type ipoa llc srcIP 192.168.1.1
save
Service Requirements
l The user accesses the Internet in the PPPoA mode.
l User packets, which carry a single VLAN tag, are transmitted in the upstream direction,
and the services of multiple users are converged into one VLAN. This is called the N:1
access.
l PITP is enabled to protect user accounts from theft and roaming.
l A traffic profile is adopted for rate limitation. The user access rate is 2048 kbit/s.
l Dual GE ports are adopted for upstream transmission to ensure reliability. Link aggregation
is configured for the two upstream ports.
Figure 6-4 shows an example network for configuring the xDSL PPPoA Internet access service.
Figure 6-4 Example network for configuring the xDSL PPPoA Internet access service
LSW BRAS
A CON
ETH
D MON
G
E
GE0/7/0
SVLAN50
SCU MA5600
PPPoA/IPoA
Modem Modem
PC PC
Prerequisite
The number of xDSL ports is under the control of licenses. Make sure that sufficient licenses
are already requested.
Procedure
Step 1 Create a VLAN.
To aggregate the two upstream ports as one aggregation group, set the packet forwarding mode
of the aggregation group to egress-ingress, and set the aggregation group to work in the LACP
static mode, do as follows:
huawei(config)#link-aggregation 0/7 0 0/7 1 egress-ingress workmode lacp-static
NOTE
Step 3 In the case of the ADSL access mode, follow this procedure.
1. Configure an ADSL2+ profile. For details, see 1.11.1 Configuring the ADSL2+ Profile.
The ID of the ADSL2+ line profile is 3, the downstream rate is 2048 kbit/s, the channel
mode is the interleave mode, the maximum interleave delay is 10 ms, and the SNR margin
is 6 dB.
huawei(config)#adsl line-profile quickadd basic-para full-rate trellis 1
bitswap
1 1 channel interleaved 100 100 adapt fixed snr 5 4 9 5 4 9 rate 2048 2048
1000 1100
2. Activate the ADSL port. The port is port 0/2/0, and ADSL line profile 3 and the default
alarm profile (alarm profile 1) are bound to the port.
NOTE
By default, a port is in the activated state. Before binding a profile to a port, you must deactivate the port.
huawei(config)#interface adsl 0/2/0
huawei(config-if-adsl-0/2/0)#deactivate 0
huawei(config-if-adsl-0/2/0)#activate 0 profile-index 3
huawei(config-if-adsl-0/2/0)#alarm-config 0 1
huawei(config-if-adsl-0/2/0)#quit
3. Run the display traffic table command to query the traffic profiles that exist in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
4 rt-vbr 15 128 -- -- 64 300 10000000 on /on /
off
5 ubr 2 2048 -- -- -- -- -- on /on /--
6 ubr 1 -- -- -- -- -- -- off/off/--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirement, the user access rate is 2048 kbit/s. The query result shows
that traffic profile 5 meets the requirement.
NOTE
l If no traffic profile in the system meets the service requirement, run the traffic table command to
configure a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or an xDSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port. The index of the new service port
is 1, the access port is port 0/2/0, traffic profile 5 meets the service requirement, and the S-
VLAN is VLAN 50. The VPI and VCI must be the same as the management VPI and VCI
of the peer modem. Assume that the management VPI and VCI of the modem are 1 and
39. To facilitate the maintenance of the service port, configure description for the service
port.
huawei(config)#service-port vlan 50 adsl 0/2/0 vpi 1 vci 39 rx-cttr 5 tx-cttr
5
huawei(config)#service-port desc 0/2/0 description MA5600HW/Vlanid:50/adsl/
smart
5. Set the maximum number of MAC addresses that can be learned by the service port is 16.
This parameter is to limit the maximum number of the MAC addresses that can be learned
by one account, namely, the maximum number of the PCs that can access the Internet
through one account.
huawei(config)#mac-address max-mac-count adsl 0/2/0 vpi 1 vci 39 16
Step 4 In the case of the SHDSL access mode, follow this procedure.
1. Configure an SHDSL profile. For details, see 1.11.2 Configuring SHDSL Profiles. The
ID of the SHDSL line profile is 3, the line rate is 2048 kbit/s, and the profile is used to
activate 4-wire ports.
huawei(config)#shdsl line-profile quickadd 3 line four-wire rate 2048
2. Activate the SHDSL port. The port is port 0/5/0, and SHDSL line profile 3 and the default
alarm profile (alarm profile 1) are bound to the port.
NOTE
By default, a port is in the activated state. Before binding a profile to a port, you must deactivate the port.
huawei(config)#interface shl 0/5
huawei(config-if-shl-0/5)#deactivate 0
huawei(config-if-shl-0/5)#activate 0 3
huawei(config-if-shl-0/5)#alarm-config 0 1
huawei(config-if-shl-0/5)#quit
3. Run the display traffic table command to query the traffic profiles that exist in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
4 rt-vbr 15 128 -- -- 64 300 10000000 on /on /
off
5 ubr 2 2048 -- -- -- -- -- on /on /--
6 ubr 1 -- -- -- -- -- -- off/off/--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirement, the user access rate is 2048 kbit/s. The query result shows
that traffic profile 5 meets the requirement.
NOTE
l If no traffic profile in the system meets the service requirement, run the traffic table command to
configure a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or an SHDSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port. The index of the new service port
is 2, the access port is port 0/5/0, traffic profile 5 meets the service requirement, and the S-
VLAN is VLAN 50. The VPI and VCI must be the same as the management VPI and VCI
of the peer modem. Assume that the management VPI and VCI of the modem are 1 and
39. To facilitate the maintenance of the service port, configure description for the service
port.
huawei(config)#service-port vlan 50 shdsl mode atm 0/5/0 vpi 1 vci 39 rx-cttr
5 tx-cttr 5
huawei(config)#service-port desc 0/5/0 description MA5600HW/Vlanid:50/shdsl/
smart
5. Set the maximum number of MAC addresses that can be learned by the service port to 16.
This parameter is to limit the maximum number of the MAC addresses that can be learned
by one account, namely, the maximum number of the PCs that can access the Internet
through one account.
huawei(config)#mac-address max-mac-count shdsl 0/5/0 vpi 1 vci 39 16
Step 5 In the case of the VDSL access mode, follow this procedure.
1. Configure a VDSL profile. For details, see Configuring the VDSL2 Profile. Configure
the VDSL profile with the following parameters: Profile ID: 3; The minimum reserved
transmission rate in the downstream: 2048 kbit/s; Channel mode: interleave mode;
Downstream maximum interleave delay: 8 ms; Upstream maximum interleave delay: 2 ms;
SNR margin: 6 dB; Downstream minimum INP: 4; Upstream minimum INP: 2.
huawei(config)#vdsl line-profile quickadd 3 snr 60 0 300 60 0 300
huawei(config)#vdsl channel-profile quickadd 3 path-mode atm interleaved-delay
8 2 inp 4 2 rate
128 10000 128 10000 2048 2048
huawei(config)#vdsl line-template quickadd 3 line 3 channel1 3 100 100
2. Activate VDSL port 0/4/0, and bind the preset VDSL line template 3 and the default VDSL
alarm template (alarm template 1) to the port.
NOTE
By default, a port is in the activated state. Before binding a profile to a port, you must deactivate the port.
huawei(config)#interface vdsl 0/4
huawei(config-if-vdsl-0/4)#deactivate 0
huawei(config-if-vdsl-0/4)#activate 0 profile-index 3
huawei(config-if-vdsl-0/4)#alarm-config 0 1
huawei(config-if-vdsl-0/4)#quit
3. Run the display traffic table command to query the traffic profiles that exist in the system.
huawei(config)#display traffic table from-index 0
{ <cr>|to-
index<K> }:
Command:
display traffic table from-index 0
Traffic parameters for IP service:
-----------------------------------------------------------------------------
TID CAR(kbps) Priority Pri-Policy
-----------------------------------------------------------------------------
0 1024 6 tag-pri
1 2496 6 tag-pri
2 512 0 tag-pri
3 576 2 tag-pri
4 64 4 tag-pri
5 2048 0 tag-pri
6 -- 0 tag-pri
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
TID Service Traf CLP01PCR CLP0PCR CLP01SCR CLP0SCR MBS CDVT PPD/EPD/
SHAPE
Type Type kbps kbps kbps kbps cells 1/10us
-----------------------------------------------------------------------------
0 cbr 2 1024 -- -- -- -- -- off/off/--
1 cbr 2 2500 -- -- -- -- -- off/off/--
2 ubr 2 512 -- -- -- -- -- on /on /--
3 nrt-vbr 5 1200 -- 600 -- 250 -- on /on /--
4 rt-vbr 15 128 -- -- 64 300 10000000 on /on /
off
5 ubr 2 2048 -- -- -- -- -- on /on /--
6 ubr 1 -- -- -- -- -- -- off/off/--
-----------------------------------------------------------------------------
Total Num : 7
Traffic type definition:
1:NoTrafficDescriptor 2:NoClpNoScr 3:ClpNoTaggingNoScr
4:ClpTaggingNoScr 5:NoClpScr 6:ClpNoTaggingScr
7:ClpTaggingScr 8:ClpNoTaggingMcr 9:ClpTransparentNoScr
10:ClpTransparentScr 11:NoClpTaggingNoScr 12:NoClpNoScrCdvt
13:NoClpScrCdvt 14:ClpNoTaggingScrCdvt 15:ClpTaggingScrCdvt
-----------------------------------------------------------------------------
According to service requirement, the user access rate is 2048 kbit/s. The query result shows
that traffic profile 5 meets the requirement.
NOTE
l If no traffic profile in the system meets the service requirement, run the traffic table command to
configure a new traffic profile.
l On the MA5600, the user access rate can be limited by either a traffic profile or a VDSL line profile.
When both profiles are configured, the smaller one of the two rates configured in the profiles is adopted
as the user bandwidth. In this example, the traffic profile is used to limit the user access rate.
4. Run the service-port command to create a service port. The index of the new service port
is 3, the access port is port 0/4/0, traffic profile 5 meets the service requirement, and the S-
VLAN is VLAN 50. The VPI and VCI must be the same as the management VPI and VCI
of the peer modem. Assume that the management VPI and VCI of the modem are 1 and
39. To facilitate the maintenance of the service port, configure description for the service
port.
huawei(config)#service-port vlan 50 vdsl mode atm 0/4/0 vpi 1 vci 39 rx-cttr 5
tx-cttr 5
huawei(config)#service-port desc 0/4/0 description MA5600HW/Vlanid:50/vdsl/
smart
5. Set the maximum number of MAC addresses that can be learned by the service port to 16.
This parameter is to limit the maximum number of the MAC addresses that can be learned
by one account, namely, the maximum number of the PCs that can access the Internet
through one account.
huawei(config)#mac-address max-mac-count vdsl 0/4/0 vpi 1 vci 39 16
NOTE
For details about the PITP configuration for the user account security, see 1.13.1 Configuring Anti-Theft and
Roaming of User Account Through PITP.
----End
Verification
l Step 1: Set the VPI/VCI of the modem to 1/39 and encapsulation mode to llc-pppoa.
Configure the user name and password used for dialing (the user name and password must
be the same as those configured on the BRAS.)
l Step 2: After the settings on the modem are completed, dialing is initialized, a network
connection is automatically set up, and the user can access the Internet.
l Step 3: To download a file through FTP, open Windows Task Manager and then click
Networking to observe the link rate. Calculate the Internet access rate by the formula:
attainable Internet access rate = computer NIC rate/48 x 53 x 8. The calculated result
approximates to the planned 2048 kbit/s.
Configuration Script
Configuration Script for the ADSL access mode:
vlan 50 smart
port vlan 50 0/7 0
port vlan 50 0/7 1
link-aggregation 0/7 0 0/7 1 egress-ingress workmode lacp-static
adsl line-profile quickadd basic-para full-rate trellis 1 bitswap
1 1 channel interleaved 100 100 adapt fixed snr 5 4 9 5 4 9 rate 2048 2048 1000
1100
interface adsl 0/2
deactivate 0
activate 0 profile-index 3
alarm-config 0 1
quit
service-port vlan 50 adsl 0/2/0 vpi 1 vci 39 rx-cttr 5 tx-cttr 5
service-port desc 0/2/0 description MA5600HW/Vlanid:50/adsl/smart
mac-address max-mac-count adsl 0/2/0 vpi 1 vci 39 16
mac-pool 0 0000-1111-1010 300
pppoa enable
encapsulation 0/2/0 vpi 1 vci 39 type pppoa llc
pitp enable pmode
raio-mode cntel pitp-pmode
save
Service Requirements
l The MA5600 adopts the IGMP proxy L2 snooping protocol.
l Multicast programs are configured statically and multicast users are authenticated.
l The multicast bandwidth control is required.
l The users access the programs provided by ISP 1 and ISP 2 in the VDSL2 IPoE mode.
l The H565VDEB2 board supports the VDSL2 fall back feature, namely, the VDSL2/
ADSL2+/ADSL mode auto-sensing. In this manner, the user terminal can be connected to
the ADSL modem or the VDSL modem, and different services are provided according to
the type of the configured modem.
Figure 6-5 shows an example network for configuring the multicast service.
ISP 1 ISP 2
10.10.10.10 10.10.10.11
Router
VLAN10
0/7/1 VLAN20
V V CON
D D ETH
MON
E E
B B
GE
0/7/1
STB STB
TV TV
Prerequisites
The license for the multicast program or the multicast user is already requested and installed.
Procedure
Step 1 Configure multicast VLANs.
Configure smart VLAN 10 as the multicast domain of ISP 1, and smart VLAN 20 as the multicast
domain of ISP 2.
1. Configure the protocol, multicast upstream port, and program list of multicast VLAN 10.
Multicast VLAN 10 adopts IGMP snooping, IGMP V3 (system default value), upstream
port 0/7/1, and statically configured programs 224.1.1.1 and 224.1.1.2.
huawei(config)#vlan 10 smart
huawei(config)#multicast-vlan 10
huawei(config-mvlan10)#igmp mode snooping
huawei(config-mvlan10)#igmp uplink-port 0/7/1
huawei(config-mvlan10)#igmp program add name program1 ip 224.1.1.1 sourceip
10.10.10.10 hostip 10.0.0.254 log enable
huawei(config-mvlan10)#igmp program add name program2 ip 224.1.1.2 sourceip
10.10.10.10 hostip 10.0.0.254 log enable
huawei(config-mvlan20)#quit
2. Configure the protocol, multicast upstream port, and program list of multicast VLAN 20.
Multicast VLAN 20 adopts IGMP snooping, IGMP V3 (system default value), upstream
port 0/7/1, and statically configured programs 224.1.1.3 and 224.1.1.4.
huawei(config)#vlan 20 smart
huawei(config)#multicast-vlan 20
huawei(config-mvlan20)#igmp mode snooping
huawei(config-mvlan20)#igmp uplink-port 0/7/1
huawei(config-mvlan20)#igmp program add name program3 ip 224.1.1.3 sourceip
10.10.10.11 hostip 10.0.0.254 log enable
huawei(config-mvlan20)#igmp program add name program4 ip 224.1.1.4 sourceip
10.10.10.11 hostip 10.0.0.254 log enable
Step 2 Configure rights profiles named music and movie with the watch right, and bind the rights
profiles to the programs.
huawei(config)#btv
huawei(config-btv)#igmp profile add profile-name music
huawei(config-btv)#igmp profile profile-name music program-name program1 watch
huawei(config-btv)#igmp profile profile-name music program-name program2 watch
huawei(config-btv)#igmp profile profile-name music program-name program3 watch
huawei(config-btv)#igmp profile add profile-name movie
huawei(config-btv)#igmp profile profile-name movie program-name program4 watch
huawei(config-btv)#quit
For the ATM and PTM traffic streams configured on the same service port, the parameters of the ATM
traffic stream must be the same as the parameters of the PTM traffic stream.
huawei(config)#port vlan 10 0/7 1
huawei(config)#port vlan 20 0/7 1
huawei(config)#service-port vlan 10 vdsl mode atm 0/1/0 vpi 0 vci 35 rx-cttr 2
tx-cttr 2
huawei(config)#service-port vlan 20 vdsl mode atm 0/2/0 vpi 0 vci 35 rx-cttr 2
tx-cttr 2
huawei(config)#service-port vlan 10 vdsl mode ptm 0/1/0 rx-cttr 2 tx-cttr 2
huawei(config)#service-port vlan 20 vdsl mode ptm 0/2/0 rx-cttr 2 tx-cttr 2
Configure multicast user 0/1/0 as the authentication type, with log reporting enabled, and
with the maximum bandwidth 10 Mbit/s. Configure multicast user 0/2/0 as the
authentication type, with log reporting enabled, and with the maximum bandwidth 5 Mbit/
s.
huawei(config)#btv
huawei(config-btv)#igmp user add port 0/1/0 vdsl mode atm 0 35 auth log enable
m
ax-bandwidth 10240 max-program 8
huawei(config-btv)#igmp user add port 0/1/0 vdsl mode ptm auth log enable max-
bandwidth 10240 max-program 8
huawei(config-btv)#igmp user add port 0/2/0 vdsl mode atm 0 35 auth log enable
m
ax-bandwidth 5120 max-program 8
huawei(config-btv)#igmp user add port 0/2/0 vdsl mode ptm auth log enable max-
bandwidth 5120 max-program 8
Bind VDSL user 0/1/0 to rights profile music, and VDSL user 0/2/0 to rights profile
movie.
huawei(config-btv)#igmp user bind-profile port 0/1/0 stream profile-name music
huawei(config-btv)#igmp user bind-profile port 0/1/0 0 35 profile-name music
huawei(config-btv)#igmp user bind-profile port 0/2/0 stream profile-name movie
huawei(config-btv)#igmp user bind-profile port 0/2/0 0 35 profile-name movie
huawei(config-btv)#quit
4. Add the ADSL users to the multicast VLANs so that the ADSL users are multicast
members.
huawei(config)#multicast-vlan 10
huawei(config-mvlan10)#igmp multicast-vlan member port 0/1/0
huawei(config-mvlan10)#quit
huawei(config-btv)#multicast-vlan 20
huawei(config-mvlan20)#igmp multicast-vlan member port 0/2/0
huawei(config-mvlan20)#quit
5. Activate the ADSL ports, and bind the ports to the line template and alarm profile.
Bind VDSL port 0/1/0 and VDSL port 0/2/0 to the default line template (line template 1)
and the default alarm profile (alarm profile 1).
huawei(config)#interface vdsl 0/1
huawei(config-if-vdsl-0/1)#deactivate 0
huawei(config-if-vdsl-0/1)#activate 0 template-index 1
huawei(config-if-vdsl-0/1)#alarm-config 0 1
huawei(config-if-vdsl-0/1)#quit
huawei(config)#interface vdsl 0/2
huawei(config-if-vdsl-0/2)#deactivate 0
huawei(config-if-vdsl-0/2)#activate 0 template-index 1
huawei(config-if-vdsl-0/2)#alarm-config 0 1
huawei(config-if-vdsl-0/2)#quit
----End
Result
The cases are as follows regardless of whether the data channel type of the modem to which the
user is connected is ATM or PTM:
l Through multicast VLAN 10, ADSL user 0/1/0 can watch the programs with IP addresses
224.1.1.1 and 224.1.1.2 that are provided by ISP 1 and that are bound to rights profile
music, but ADSL user 0/1/0 cannot watch the program with IP address 224.1.1.3.
l Through multicast VLAN 20, ADSL user 0/2/0 can watch the program with IP address
224.1.1.4 that is provided by ISP 2 and that is bound to rights profile movie.
Configuration Script
#
[config]
vlan 10 smart
multicast-vlan 10
igmp mode snooping
igmp uplink-port 0/7/1
igmp program add name program1 ip 224.1.1.1 sourceip 10.10.10.10 hostip 10.0.0.254
log enable
igmp program add name program2 ip 224.1.1.2 sourceip 10.10.10.10 hostip 10.0.0.254
log enable
quit
vlan 20 smart
multicast-vlan 20
igmp mode snooping
igmp uplink-port 0/7/1
igmp program add name program3 ip 224.1.1.3 sourceip 10.10.10.11 hostip 10.0.0.254
log enable
igmp program add name program4 ip 224.1.1.4 sourceip 10.10.10.11 hostip 10.0.0.254
log enable
btv
igmp profile add profile-name music
igmp profile profile-name music program-name program1 watch
igmp profile profile-name music program-name program2 watch
igmp profile profile-name music program-name program3 watch
igmp profile add profile-name movie
igmp profile profile-name movie program-name program4 watch
quit
port vlan 10 0/7 1
port vlan 20 0/7 1
service-port vlan 10 vdsl mode atm 0/1/0 vpi 0 vci 35 rx-cttr 2 tx-cttr 2
service-port vlan 20 vdsl mode atm 0/2/0 vpi 0 vci 35 rx-cttr 2 tx-cttr 2
service-port vlan 10 vdsl mode ptm 0/1/0 rx-cttr 2 tx-cttr 2
service-port vlan 20 vdsl mode ptm 0/2/0 rx-cttr 2 tx-cttr 2
btv
igmp user add port 0/1/0 vdsl mode atm 0 35 auth log enable max-bandwidth 10240 max-
program 8
igmp user add port 0/1/0 vdsl mode ptm auth log enable max-bandwidth 10240 max-
program 8
igmp user add port 0/2/0 vdsl mode atm 0 35 auth log enable max-bandwidth 5120 max-
program 8
igmp user add port 0/2/0 vdsl mode ptm auth log enable max-bandwidth 5120 max-
program 8
igmp user bind-profile port 0/1/0 stream profile-name music
igmp user bind-profile port 0/1/0 0 35 profile-name music
igmp user bind-profile port 0/2/0 stream profile-name movie
igmp user bind-profile port 0/2/0 0 35 profile-name movie
quit
multicast-vlan 10
igmp multicast-vlan member port 0/1/0
quit
multicast-vlan 20
igmp multicast-vlan member port 0/2/0
quit
interface vdsl 0/1
deactivate 0
activate 0 template-index 1
alarm-config 0 1
quit
interface vdsl 0/2
deactivate 0
activate 0 template-index 1
alarm-config 0 1
quit
save
Service Requirements
l The MA5600 adopts the L2 multicast protocol IGMP proxy.
l Multicast programs are generated in the dynamic mode.
l The users access the programs provided by ISP 1 and ISP 2 in the VDSL2 IPoE mode.
l The H565VDEB2 board supports the VDSL2 fall back feature, namely, the VDSL2/
ADSL2+/ADSL mode auto-sensing. In this manner, the user terminal can be connected to
the ADSL modem or the VDSL modem, and different services are provided according to
the type of the configured modem.
Figure 6-6 shows an example network for configuring the multicast service.
ISP 1 ISP 2
10.10.10.10 10.10.10.11
Router
VLAN10
0/7/1 VLAN20
V V CON
D D ETH
MON
E E
B B
GE
0/7/1
STB STB
TV TV
Prerequisites
The license for the multicast program or the multicast user is already requested and installed.
Procedure
Step 1 Configure multicast VLANs.
Configure smart VLAN 10 as the multicast domain of ISP 1, and smart VLAN 20 as the multicast
domain of ISP 2.
1. Configure the protocol, multicast upstream port, and program list of multicast VLAN 10.
Configure multicast VLAN 10 with the dynamic program generation mode, and specify
the range of the IP addresses of the programs that can be requested by the users in multicast
VLAN 10 as 224.1.1.1 to 224.1.1.100. Multicast VLAN 10 adopts IGMP proxy, IGMP V3
(system default value), and multicast upstream port 0/9/1.
NOTICE
Changing the IGMP match mode causes the user to go offline. Therefore, the IGMP match
mode must be configured beforehand. It can be changed only when the IGMP mode is off.
huawei(config)#vlan 10 smart
huawei(config)#multicast-vlan 10
huawei(config-mvlan10)#igmp match mode disable
huawei(config-mvlan10)#igmp match group ip 224.1.1.1 to-ip 224.1.1.100
huawei(config-mvlan10)#igmp uplink-port 0/7/1
huawei(config-mvlan10)#igmp mode proxy
huawei(config-mvlan10)#quit
2. Configure the protocol, multicast upstream port, and program list of multicast VLAN 20.
Configure multicast VLAN 20 with the dynamic program generation mode, and specify
the range of the IP addresses of the programs that can be requested by the users in multicast
VLAN 10 as 224.1.1.1 to 224.1.1.100. Multicast VLAN 20 adopts IGMP proxy, IGMP V3
(system default value), and multicast upstream port 0/7/1.
huawei(config)#vlan 20 smart
huawei(config)#multicast-vlan 20
huawei(config-mvlan20)#igmp match mode disable
huawei(config-mvlan20)#igmp match group ip 224.1.1.1 to-ip 224.1.1.100
huawei(config-mvlan20)#igmp uplink-port 0/7/1
huawei(config-mvlan20)#igmp mode proxy
huawei(config-mvlan20)#quit
For the ATM and PTM traffic streams configured on the same service port, the parameters of the ATM
traffic stream must be the same as the parameters of the PTM traffic stream.
huawei(config)#port vlan 10 0/7 1
huawei(config)#port vlan 20 0/7 1
huawei(config)#service-port vlan 10 vdsl mode atm 0/1/0 vpi 0 vci 35 rx-cttr 2
tx-cttr 2
Enable the log reporting for multicast users 0/1/0 and 0/2/0. The authentication status and
multicast bandwidth of the multicast users need not be configured.
huawei(config)#btv
huawei(config-btv)#igmp user add port 0/1/0 vdsl mode atm 0 35 auth log enable
huawei(config-btv)#igmp user add port 0/1/0 vdsl mode ptm auth log enable
huawei(config-btv)#igmp user add port 0/2/0 vdsl mode atm 0 35 auth log enable
huawei(config-btv)#igmp user add port 0/2/0 vdsl mode ptm auth log enable
huawei(config-btv)#quit
3. Add the ADSL users to the multicast VLANs so that the ADSL users are multicast
members.
huawei(config)#multicast-vlan 10
huawei(config-mvlan10)#igmp multicast-vlan member port 0/1/0 stream
huawei(config-mvlan10)#igmp multicast-vlan member port 0/1/0 0 35
huawei(config-mvlan10)#multicast-vlan 20
huawei(config-mvlan20)#igmp multicast-vlan member port 0/2/0 stream
huawei(config-mvlan20)#igmp multicast-vlan member port 0/2/0 0 35
huawei(config-mvlan20)#quit
4. Activate the ADSL ports, and bind the ports to the line template and alarm profile.
Bind VDSL port 0/1/0 and VDSL port 0/2/0 to the default line template (line template 1)
and the default alarm profile (alarm profile 1).
huawei(config)#interface vdsl 0/1
huawei(config-if-vdsl-0/1)#deactivate 0
huawei(config-if-vdsl-0/1)#activate 0 template-index 1
huawei(config-if-vdsl-0/1)#alarm-config 0 1
huawei(config-if-vdsl-0/1)#quit
huawei(config)#interface vdsl 0/2
huawei(config-if-vdsl-0/2)#deactivate 0
huawei(config-if-vdsl-0/2)#activate 0 template-index 1
huawei(config-if-vdsl-0/2)#alarm-config 0 1
huawei(config-if-vdsl-0/2)#quit
----End
Result
The cases are as follows regardless of whether the data channel type of the modem to which the
user is connected is ATM or PTM:
l Through multicast VLAN 10, ADSL user 0/1/0 can watch the programs with IP addresses
224.1.1.1 and 224.1.1.2 that are provided by ISP 1.
l Through multicast VLAN 20, ADSL user 0/1/0 can watch the programs with IP addresses
224.1.1.3 and 224.1.1.4 that are provided by ISP 2.
Configuration Script
#
[config]
vlan 10 smart
multicast-vlan 10
igmp match mode disable
igmp match group ip 224.1.1.1 to-ip 224.1.1.100
igmp uplink-port 0/7/1
igmp mode proxy
quit
vlan 20 smart
multicast-vlan 20
igmp match mode disable
igmp match group ip 224.1.1.1 to-ip 224.1.1.100
igmp uplink-port 0/7/1
igmp mode proxy
quit
port vlan 10 0/7 1
port vlan 20 0/7 1
service-port vlan 10 vdsl mode atm 0/1/0 vpi 0 vci 35 rx-cttr 2 tx-cttr 2
service-port vlan 20 vdsl mode atm 0/2/0 vpi 0 vci 35 rx-cttr 2 tx-cttr 2
service-port vlan 10 vdsl mode ptm 0/1/0 rx-cttr 2 tx-cttr 2
service-port vlan 20 vdsl mode ptm 0/2/0 rx-cttr 2 tx-cttr 2
btv
igmp user add port 0/1/0 vdsl mode atm 0 35 auth log enable
igmp user add port 0/1/0 vdsl mode ptm auth log enable
igmp user add port 0/2/0 vdsl mode atm 0 35 auth log enable
igmp user add port 0/2/0 vdsl mode ptm auth log enable
quit
multicast-vlan 10
igmp multicast-vlan member port 0/1/0 stream
igmp multicast-vlan member port 0/1/0 0 35
multicast-vlan 20
igmp multicast-vlan member port 0/2/0 stream
igmp multicast-vlan member port 0/2/0 0 35
quit
interface vdsl 0/1
deactivate 0
activate 0 template-index 1
alarm-config 0 1
quit
interface vdsl 0/2
deactivate 0
activate 0 template-index 1
alarm-config 0 1
quit
save
Service Requirements
l The MA5600 adopts the IGMP proxy L2 multicast protocol.
l Multicast programs are configured statically and multicast users are authenticated.
l The multicast bandwidth control is required.
l The users access the programs provided by ISP 1 and ISP 2 in the ADSL2+ IPoE mode.
Figure 6-7 shows an example network for configuring the multicast service.
ISP 1 ISP 2
10.10.10.10 10.10.10.11
Router
0/7/1 VLAN10
V V CON
D D ETH
MON
E E
B B
GE
0/7/1
STB STB
TV TV
Prerequisites
The license for the multicast program or the multicast user is already requested and installed.
Procedure
Step 1 Configure the multicast program and multicast source.
Configure the multicast source IP address of ISP1 to 10.10.10.10 and configure the multicast
source IP address of ISP2 to 10.10.10.11.
1. Configure the multicast protocol, multicast upstream port, and program list for ISP1 on the
MA5600.
Multicast adopts IGMP proxy, IGMP V3 (system default value), and upstream port 0/7/1.
Add the upstream port to VLAN 10. Statically configure programs 224.1.1.1 and 224.1.1.2.
Program bandwidth is 6000 kbit/s.
huawei(config)#vlan 10 smart
huawei(config)#port vlan 10 0/7 1
huawei(config)#btv
huawei(config-btv)#igmp mode proxy
Step 2 Configure rights profiles named music and movie with the watch rights, and bind the rights
profiles to the programs.
huawei(config)#btv
huawei(config-btv)#igmp profile rename profile1 music
huawei(config-btv)#igmp profile profile-name music program-name program1 watch
huawei(config-btv)#igmp profile profile-name music program-name program2 watch
huawei(config-btv)#igmp profile profile-name music program-name program3 watch
huawei(config-btv)#igmp profile rename profile2 movie
huawei(config-btv)#igmp profile profile-name movie program-name program4 watch
huawei(config-btv)#quit
Create service channels that belong to VLAN 10 on ADSL2+ ports 0/1/0 and 0/2/0 and use
traffic profile 2.
huawei(config)#service-port vlan 10 adsl 0/1/0 vpi 0 vci 35 rx-cttr 2 tx-cttr
2
huawei(config)#service-port vlan 10 adsl 0/2/0 vpi 0 vci 35 rx-cttr 2 tx-cttr
2
Configure multicast user 0/1/0 as the authentication type and with log reporting enabled.
Configure multicast user 0/2/0 as the authentication type and with log reporting enabled.
huawei(config)#btv
huawei(config-btv)#igmp user add port 0/1/0 adsl 0 35 auth log enable
huawei(config-btv)#igmp user add port 0/2/0 adsl 0 35 auth log enable
Bind multicast user 0/1/0 to rights profile music, and multicast user 0/2/0 to rights profile
movie.
huawei(config-btv)#igmp user bind-profile port 0/1/0 profile-name music
huawei(config-btv)#igmp user bind-profile port 0/2/0 profile-name movie
huawei(config-btv)#quit
4. Activate the ports, and bind the ports to the line profile and alarm profile.
Bind ADSL2+ port 0/1/0 and port 0/2/0 to the default line profile (line profile 1) and the
default alarm profile (alarm profile 1).
huawei(config)#interface adsl 0/1
huawei(config-if-adsl-0/1)#deactivate 0
huawei(config-if-adsl-0/1)#activate 0 profile-index 1
huawei(config-if-adsl-0/1)#alarm-config 0 1
huawei(config-if-adsl-0/1)#quit
----End
Result
l Through IP addresses of multicast source ISP1, user 1 can watch the programs with IP
addresses 224.1.1.1 and 224.1.1.2 that are provided by ISP1 and that are bound to rights
profile music, but user 1 cannot watch the program with IP address 224.1.1.3.
l Through IP addresses of multicast source ISP2, user 2 can watch the program with IP
address 224.1.1.4 that is provided by ISP2 and that is bound to rights profile movie.
Configuration Script
(config)#
vlan 10 smart
btv
igmp mode proxy
y
igmp uplink-port 0/7/1 100
igmp program add name program1 ip 224.1.1.1 sourceip 10.10.10.10 vlan 10 bind 0/7/1
bandwidth 6000 hostip 10.0.0.254 log enable
igmp program add name program2 ip 224.1.1.2 sourceip 10.10.10.10 vlan 10 bind 0/7/1
bandwidth 6000 hostip 10.0.0.254 log enable
igmp program add name program3 ip 224.1.1.20 sourceip 10.10.10.11 vlan 10 bind
0/7/1 bandwidth 5000 hostip 10.0.0.254 log enable
igmp program add name program4 ip 224.1.1.21 sourceip 10.10.10.11 vlan 10 bind
0/7/1 bandwidth 5000 hostip 10.0.0.254 log enable
igmp profile rename profile1 music
igmp profile profile-name music program-name program1 watch
igmp profile profile-name music program-name program2 watch
igmp profile profile-name music program-name program3 watch
igmp profile rename profile2 movie
igmp profile profile-name movie program-name program4 watch
quit
service-port vlan 10 adsl 0/1/0 vpi 0 vci 35 rx-cttr 2 tx-cttr 2
service-port vlan 10 adsl 0/2/0 vpi 0 vci 35 rx-cttr 2 tx-cttr 2
btv
igmp user add port 0/1/0 adsl 0 35 auth log enable
igmp user add port 0/2/0 adsl 0 35 auth log enable
igmp user bind-profile port 0/1/0 profile-name music
igmp user bind-profile port 0/2/0 profile-name movie
quit
interface adsl 0/1
deactivate 0
activate 0 profile-index 1
alarm-config 0 1
quit
interface adsl 0/2
deactivate 0
activate 0 profile-index 1
alarm-config 0 1
quit
save
Prerequisites
The upper-layer network must work in the L2 mode, and must forward packets according to the
VLAN and the MAC address.
Service Requirements
l The user accesses the Internet in the PPPoE dialing mode.
l The user bandwidth is 2 Mbit/s.
l User packets carry two VLAN tags, of which the outer VLAN tag identifies the ISP and
the inner VLAN tag identifies the user.
Networking
Figure 6-8 shows an example network for configuring the VLAN stacking multi-ISP wholesale
access.
Users 1 and 2 belong to one ISP, and users 3 and 4 belong to another ISP. Based on the VLAN
stacking feature, the MA5600 adds the outer VLAN tag to differentiate ISPs and inner VLAN
tag to differentiate users and forwards the user packet to the L2 network. Then the L2 LAN
switch forwards the user packets to the specified ISP BRAS based on the outer VLAN tag. The
ISP BRASs remove the outer VLAN tag and identify the users based on the inner VLAN tag.
After passing the authentication, the users can obtain various services provided by the ISP.
Figure 6-8 Example network for configuring the VLAN stacking multi-ISP wholesale access
LSW
ISP1 VLAN ID:60 VLAN ID:61 ISP2
BRAS BRAS
MA5600
Modem
Procedure
Step 1 Create VLANs.
The outer VLAN IDs are 60 and 61, and the VLANs are smart VLANs.
huawei(config)#vlan 60-61 smart
It will take several minutes, and console may be timeout, please use command
idle-timeout to set time limit
Are you sure to add VLANs? (y/n)[n]:y
----End
Result
After passing the authentication by the ISP1 BRAS, user 1 and user 2 can obtain the service
provided by ISP1.
After passing the authentication by the ISP2 BRAS, user 3 and user 4 can obtain the service
provided by ISP2.
Configuration Script
[global-config]
<global-config>
vlan 60-61 smart
y
vlan attrib 60-61 stacking
y
port vlan 60-61 0/7 0
y
traffic table index 10 ip car 2048 priority user-cos priority-policy tag-In-
Package
service-port vlan 60 adsl 0/2/0 vpi 0 vci 35 rx-cttr 10 tx-cttr 10
service-port vlan 60 adsl 0/2/1 vpi 0 vci 35 rx-cttr 10 tx-cttr 10
service-port vlan 61 adsl 0/3/0 vpi 0 vci 35 rx-cttr 10 tx-cttr 10
service-port vlan 61 adsl 0/3/1 vpi 0 vci 35 rx-cttr 10 tx-cttr 10
stacking label 0/2/0 11
stacking label 0/2/1 12
stacking label 0/3/0 11
stacking label 0/3/1 12
save
Networking
Figure 6-9 shows an example network for configuring the VLAN ID extension.
Broadband users that access the WAN through multiple MA5600s are authenticated on the
BRAS to obtain the broadband service provided by the operator. The BRAS supports the user
identification through L2 VLAN. The outer VLAN tag identifies the MA5600 that is accessed
with users, and the inner VLAN tag identifies the users of the device.
BRAS
MA5600_A MA5600_B
Modem Modem
Procedure
l Configure MA5600_A.
1. Create a VLAN.
The VLAN ID is 60, and the VLAN is a smart VLAN.
huawei(config)#vlan 60 smart
l Configure MA5600_B.
----End
Result
After passing the authentication by the BRAS, the users on MA5600_A and MA5600_B can
access the Internet.
Prerequisites
The upper-layer network must work in the L2 mode, and must forward packets according to the
VLAN and the MAC address.
Service Requirements
The private networks of enterprise A distributed in two places can communicate with each other
in the normal state.
Networking
shows an example network for configuring the private line service.
The two branches of enterprise A are connected to the MAN through the MA5600. On the
MA5600, the attribute of the upstream VLAN of user packets is configured as QinQ private line
service. In this manner, services and BPDU packets from the private network of the enterprise
can be transparently transmitted to the peer private network.
Figure 6-10 Example network for configuring the private line service
MAN
L2/L3 L2/L3
CON CON
S ETH S ETH
H ESC H ESC
E E
B B
GE 0/7/0 GE 0/7/0
LSW LSW
corporation A corporation B
The configuration on MA5600_A is the same as the configuration on MA5600_B. The following
uses the configuration on MA5600_A as an example to describe how to configure the private
line service implemented through a QinQ VLAN.
Procedure
Step 1 Create a VLAN.
The VLAN ID is 50, and the VLAN is a smart VLAN.
huawei(config)#vlan 50 smart
----End
Result
After the configuration, the two branches of enterprise A can communicate with each other, and
various services between private networks are implemented.
Triple play is a service provisioning mode in which integrated services can be provided to a user.
Currently, the prevailing integrated services include the high-speed Internet access service, voice
over IP (VoIP) service, and IPTV service.
The early broadband access provides only the high-speed Internet access service. As the Internet
is rapidly developing, it can offer much richer services, such as video (IPTV) services. The
development of multiple access modes such as ADSL2+ and VDSL2 access, and the
improvement of broadband access also lay a solid foundation for provisioning the video service.
The early voice signals are transmitted over the narrowband public switched telephone network
(PSTN). Because the PSTN is no longer developed, the services over the PSTN are shifting to
the IP network. Providing the VoIP service over broadband lines can also reduce the equipment
maintenance cost.
For the xDSL access, the MA5600 supports the following triple play modes:
l Single-PVC for multiple services: Single-PVC for multiple services is a triple play mode
in which a single PVC is adopted for carrying multiple services from the access device to
each DSL user terminal. The different services are differentiated by the Ethernet
encapsulation mode (IPoE/PPPoE), VLAN IDs carried in the packets from the DSL user
terminal and so on.
l Multi-PVC for multiple services: Multi-PVC for multiple services is a triple play mode in
which multiple PVCs are adopted for carrying multiple services from the access device to
each DSL user terminal. The Internet access service, VoIP, and IPTV services are carried
by a single PVC to the user. That is, each xDSL port is configured with at least three PVCs.
On the network side, three VLANs are created for the upstream interface to carry different
types of services.
The different services have different request on the bandwidth and priority.
l The bandwidth and delay of the VoIP service are low. High delay may cause problems such
echo, which affects the voice quality. Therefore, the priority of the VoIP service is the
highest among the triple play services.
l The bandwidth occupied by the IPTV service is relatively high, and the bit error ratio/packet
loss ratio is relatively low. If the bit error ratio/packet loss ratio is high, the video frame is
lost so that mosaic images occur or even erratic display occurs, which affects the user
experience. Therefore, the priority of the IPTV service is lower than that of the VoIP service,
but is higher than that of the Internet access service.
l The common Internet access service, such as web browsing, has low requirements on real-
time performance and lower requirements on packet loss ratio than the IPTV service
because the reliability of the transmission is ensured through the retransmission
mechanism. Therefore, the priority of the high-speed Internet access service is the lowest
among the triple play services.
Service Requirements
l ADSL user 1 and ADSL user 2 are connected to the MA5600 to implement the triple play
application.
l The Internet service is provided in the PPPoE mode.
l The VoIP service and the IPTV service are provided in the DHCP mode, obtaining IP
addresses from the DHCP server in the standard DHCP mode.
l After receiving different traffic streams, the MA5600 provides different QoS guarantees
to the traffic streams according to the traffic priorities in the PVC.
Figure 6-11 shows an example network for configuring the triple play application in the multi-
PVC for multiple services mode.
Figure 6-11 Example network for configuring the triple play application in the multi-PVC for
multiple services mode
Program1:224.1.1.1
Program2:224.1.1.2
Muticast source
OSS & RADIUS Server/RADIUS Proxy
BMS
GW
IPTV DHCP IP1:20.2.2.2
Server IP2:20.2.2.3
MA5600
Home Gateway 2
Ephone PC TV Ephone PC TV
User 1 User 2
Procedure
l Configure the Internet service.
1. Create a VLAN and add an upstream port to the VLAN.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/7 0
Because the VoIP, IPTV, and Internet services are provided through the same port, you must set the
802.1p priority of each service. Generally, the priorities are in a descending order for the VoIP
service, IPTV service, and Internet service.
Add traffic profile 7, set the committed information rate (CIR) to 2 Mbit/s, and set the
802.1p priority of the Internet service to 1.
Add a service port to the VLAN and use the traffic profile added in the preceding step.
huawei(config)#service-port vlan 2 adsl 0/2/0 vpi 0 vci 37 rx-cttr 7 tx-
cttr 7
huawei(config)#service-port vlan 2 adsl 0/3/0 vpi 0 vci 37 rx-cttr 7 tx-
cttr 7
Add traffic profile 8, set the CIR to 1 Mbit/s, and set the 802.1p priority of the voice
service to 6.
huawei(config)#traffic table index 8 ip car 1024 priority 6 priority-
policy tag-In-Package
Add a service port to the VLAN 3 and use the traffic profile 8 added in the preceding
step.
huawei(config)#service-port vlan 3 adsl 0/2/0 vpi 0 vci 36 rx-cttr 8 tx-
cttr 8
huawei(config)#service-port vlan 3 adsl 0/3/0 vpi 0 vci 36 rx-cttr 8 tx-
cttr 8
Add traffic profile 9 without limiting the rate of the packet, and set the 802.1p priority
of the IPTV service to 5.
huawei(config)#traffic table index 9 ip car off priority 5 priority-policy
Tag-In-Package
NOTICE
On the MA5600, if the PVC is configured with a priority, the priority of the multicast
packets carried by the PVC does not take effect.
huawei(config)#save
----End
Result
After the related upstream device and downstream device are configured, the triple play
application (Internet, VoIP, and IPTV services) is available.
l The Internet user can access the Internet through PPPoE dialup.
l VoIP users can call each other.
l The IPTV user connected to port 0/2/0 can watch all the programs, and the IPTV user
connected to port 0/3/0 can watch only program BTV-1.
Configuration Script
Internet:
vlan 2 smart
port vlan 2 0/7 0
traffic table index 7 ip car 2048 priority 1 priority-policy tag-In-Package
service-port vlan 2 adsl 0/2/0 vpi 0 vci 37 rx-cttr 7 tx-cttr 7
service-port vlan 2 adsl 0/3/0 vpi 0 vci 37 rx-cttr 7 tx-cttr 7
dhcp mode layer-3 standard
dhcp-server 1 ip 20.1.1.2 20.1.1.3
save
VoIP:
vlan 3 smart
port vlan 3 0/7 0
traffic table index 8 ip car 1024 priority 6 priority-policy tag-In-Package
service-port vlan 3 adsl 0/2/0 vpi 0 vci 36 rx-cttr 8 tx-cttr 8
service-port vlan 3 adsl 0/3/0 vpi 0 vci 36 rx-cttr 8 tx-cttr 8
dhcp mode layer-3 standard
dhcp-server 1 ip 20.1.1.2 20.1.1.3
interface vlanif 3
ip address 10.1.1.1 24
dhcp-server 1
quit
save
IPTV:
vlan 4 smart
port vlan 4 0/7 0
traffic table index 9 ip car off priority 5 priority-policy tag-In-Package
service-port vlan 4 adsl 0/2/0 vpi 0 vci 35 rx-cttr 9 tx-cttr 9
service-port vlan 4 adsl 0/3/0 vpi 0 vci 35 rx-cttr 9 tx-cttr 9
dhcp mode layer-3 standard
dhcp-server 2 ip 20.2.2.2 20.2.2.3
interface vlanif 4
ip address 10.2.2.1 24
dhcp-server 2
quit
multicast-vlan 4
igmp mode proxy
igmp uplink-port 0/7/0
btv
igmp uplink-port-mode default
multicast-vlan 4
igmp program add name BTV-1 ip 224.1.1.1 sourceip 10.10.10.10
igmp program add name BTV-2 ip 224.1.1.2 sourceip 10.10.10.10
btv
igmp profile profile-name profile0 program-name BTV-1 watch
igmp user add port 0/2/0 adsl 0 35 no-auth
igmp user add port 0/3/0 adsl 0 35 auth
igmp user bind-profile port 0/3/0 profile-name profile0
multicast-vlan 4
igmp multicast-vlan member port 0/2/0
igmp multicast-vlan member port 0/3/0
quit
save
Prerequisite
The service board and the upstream board must be added properly.
Service Requirements
l ADSL user 1 and ADSL user 2 are connected to the MA5600 to implement the triple play
application.
l The Internet service is accessed in the PPPoE mode.
l The VoIP service and the IPTV service are provided in the DHCP mode, obtaining IP
addresses from the DHCP server in the standard DHCP mode.
l After receiving different traffic streams through the same PVC, the MA5600 provides
different QoS guarantees to the traffic streams according to the user-side VLANs.
NOTE
The MA5600 can differentiate services by the following means:
l Ethernet type (IPoE/PPPoE)
l User-side VLAN ID
l User-side 802.1p value
Figure 6-12 shows an example network for configuring the triple play application in the single-
PVC for multiple services mode.
Figure 6-12 Example network for configuring the triple play application in the single-PVC for
multiple services mode
Program1:224.1.1.1
Program2:224.1.1.2
Muticast source
OSS & RADIUS Server/RADIUS Proxy
BMS
GW
IPTV DHCP IP1:20.2.2.2
Server IP2:20.2.2.3
MA5600
Home Gateway 2
Ephone PC TV Ephone PC TV
User 1 User 2
Procedure
l Configure the Internet service.
1. Create a VLAN and add an upstream port to the VLAN.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/7 0
Because the VoIP, IPTV, and Internet services are provided through the same port, you must set the
802.1p priority of each service. Generally, the priorities are in a descending order for the VoIP
service, IPTV service, and Internet service.
Add traffic profile 7, set the committed information rate (CIR) to 2 Mbit/s, and set the
802.1p priority of the Internet service to 1.
Add a service port to VLAN 2 and use the traffic profile added in the preceding step.
huawei(config)#service-port vlan 2 adsl 0/2/0 vpi 0 vci 35 multi-service
user-vlan 20 rx-cttr 7 tx-cttr 7
huawei(config)#service-port vlan 2 adsl 0/3/0 vpi 0 vci 35 multi-service
user-vlan 20 rx-cttr 7 tx-cttr 7
Add traffic profile 8, set the CIR to 1 Mbit/s, and set the 802.1p priority of the voice
service to 6.
huawei(config)#traffic table index 8 ip car 1024 priority 6 priority-
policy tag-In-Package
Add a service port to the VLAN 3 and use the traffic profile 8 added in the preceding
step.
huawei(config)#service-port vlan 3 adsl 0/2/0 vpi 0 vci 35 multi-service
user-vlan 30 rx-cttr 8 tx-cttr 8
huawei(config)#service-port vlan 3 adsl 0/3/0 vpi 0 vci 35 multi-service
user-vlan 30 rx-cttr 8 tx-cttr 8
Add traffic profile 9 without limiting the rate of the packet, and set the 802.1p priority
of the IPTV service to 5.
huawei(config)#traffic table index 9 ip car off priority 5 priority-policy
Tag-In-Package
NOTICE
On the MA5600, if the PVC is configured with a priority, the priority of the multicast
packets carried by the PVC does not take effect.
huawei(config)#save
----End
Result
After the related upstream device and downstream device are configured, the triple play
application (Internet, VoIP, and IPTV services) is available.
l The Internet user can access the Internet through PPPoE dialup.
l VoIP users can call each other.
l The IPTV user connected to port 0/2/0 can watch all the programs, and the IPTV user
connected to port 0/3/0 can watch only program BTV-1.
Configuration Script
Internet:
vlan 2 smart
port vlan 2 0/7 0
traffic table index 7 ip car 2048 priority 1 priority-policy tag-In-Package
service-port vlan 2 adsl 0/2/0 vpi 0 vci 35 multi-service user-vlan 20 rx-cttr 7 tx-
cttr 7
service-port vlan 2 adsl 0/3/0 vpi 0 vci 35 multi-service user-vlan 20 rx-cttr 7 tx-
cttr 7
dhcp mode layer-3 standard
dhcp-server 1 ip 20.1.1.2 20.1.1.3
save
VoIP:
vlan 3 smart
port vlan 3 0/7 0
traffic table index 8 ip car 1024 priority 6 priority-policy tag-In-Package
service-port vlan 3 adsl 0/2/0 vpi 0 vci 35 multi-service user-vlan 30 rx-cttr 8 tx-
cttr 8
service-port vlan 3 adsl 0/3/0 vpi 0 vci 35 multi-service user-vlan 30 rx-cttr 8 tx-
cttr 8
dhcp mode layer-3 standard
dhcp-server 1 ip 20.1.1.2 20.1.1.3
interface vlanif 3
ip address 10.1.1.1 24
dhcp-server 1
quit
save
IPTV:
vlan 4 smart
port vlan 4 0/7 0
traffic table index 9 ip car off priority 5 priority-policy Tag-In-Package
service-port vlan 4 adsl 0/2/0 vpi 0 vci 35 multi-service user-vlan 40 rx-cttr 9 tx-
cttr 9
service-port vlan 4 adsl 0/3/0 vpi 0 vci 35 multi-service user-vlan 40 rx-cttr 9 tx-
cttr 9
dhcp mode layer-3 standard
dhcp-server 2 ip 20.2.2.2 20.2.2.3
interface vlanif 4
ip address 10.2.2.1 24
dhcp-server 2
quit
multicast-vlan 4
igmp mode proxy
Background Information
Uplink Redundancy backup includes the following information:
l Uplink aggregation group: Aggregate multiple Ethernet ports as an aggregation group to
expand the bandwidth and balance the input and output load among member ports. In
addition, the ports in an aggregation group back up each other, which enhances the link
security.
NOTE
1. The ETH and SCU boards support the configuration of the aggregation group.
2. Inter-board aggregation is supported between two SCU boards. The ETH board, however, does not
support inter-board aggregation.
3. Link Aggregation Control Protocol (LACP) detection mode: In this mode, the MA5600 detects port
faults and triggers the switchover through the LACP protocol.
l Upstream port protection group: An upstream port protection group contains a working
port and a protection port. In the normal state, the working port carries services. When the
link of the working port fails, the system automatically switches the service on the working
port to the protection port to ensure normal service transmission, thus protecting the uplink.
NOTE
A protection group works in either of the following modes:
1. Port status detection mode
l Two ports of the protection group or the transmit ports on two boards are enabled. You can
determine whether to perform a switchover according to the port status.
l When the number of ports that are in the up state on the standby board is greater than the number
of ports that are in the up state on the active board, a switchover is triggered.
2. Delay detection mode
l Only one transmit port of the protection group is enabled and the other is disabled.
l When the enabled transmit port is in the down state, disable the transmit port and enable the other
transmit port.
l If the second port is in the up state, a switchover is performed. Otherwise, the detection continues.
3. Enhanced delay detection mode
l Only one transmit port of the protection group is enabled and the other is disabled.
l If the port on the active board is in the down state, directly enable the port on the standby board
without disabling the port on the active board.
l Check whether to perform the switchover according to the weight.
Procedure
l Configure the uplink redundancy backup by configuring an aggregation group.
1. Create an Ethernet port aggregation group.
Run the link-aggregation command to add multiple upstream Ethernet ports to the
same aggregation group to implement protection and load balancing between ports.
The GIU slot supports the inter-board port aggregation. When you run the link-
aggregation command, if frameid/slotid is entered twice, inter-board aggregation is
configured; if frameid/slotid is entered only once, intra-board aggregation is
configured.
2. Query the information about the aggregation group.
Run the display link-aggregation command to query the types, number, and working
modes of aggregated Ethernet ports.
l Configure the uplink redundancy backup by configuring an upstream port protection group.
1. Create an upstream port protection group.
In the protect mode, run the protect-group command to create an upstream port
protection group. After the protection group is configured successfully, the system
switches the service to the standby port to protect the uplink if the connection between
the active port and the upper-layer device is broken.
When you run the protect-group command to create a protection group, if frameid/
slotid/portid is entered, a port-level protection group is created; if frameid/slotid is
entered, a board-level protection group is created.
2. Query the information about the protection group.
Run the display protect-group command to query the information about the
protection group and all the members in the protection group.
----End
Example
Assume the following configurations: The MA5600 transmits services upstream through the
control board, upstream ports 0/7/0 and 0/8/0 on two control boards are configured as an inter-
board aggregation group, packets are distributed to the member ports of the aggregation group
according to the source MAC address, and the working mode is the LACP static aggregation
mode. To perform these configurations, do as follows:
huawei(config)#link-aggregation 0/7 0 0/8 0 egress-ingress workmode lacp-static
Assume the following configurations: The MA5600 transmits services upstream through the
SCU board, the ports on the active and standby SCU boards are configured as a board-level
protection group, the port in slot 0/7 functions as the active port, the port in slot 0/8 functions
as the protection port, and the working mode is the port status detection mode. To perform these
configurations, do as follows:
huawei(config)#protect
huawei(config-protect)#protect-group first 0/7 second 0/8 eth workmode portstate
Multiple MA5600s (NEs) can be connected to each other through the FE or GE port. This topic
also describes the ATM DSLAM access service. Subtending saves the upstream optical fibers
and simplifies networking and service configuration.
Background Information
The two ports to be subtended must be the same in the port type, port rate, and port duplex mode.
Procedure
Step 1 Configure the VLAN of the master NE.
The VLAN type is smart, and the VLAN attribute is common. For details about the configuration,
see Configuring the VLAN.
Step 2 Add an upstream port to the VLAN of the master NE.
Run the port vlan command to add an upstream port to the VLAN.
Step 3 Add a subtending port to the VLAN of the master NE.
Run the port vlan command to add a subtending port to the VLAN.
Step 4 Configure the VLAN of the slave NE. The VLAN of the slave NE is the same as the VLAN of
the master VLAN.
The VLAN type is smart and the VLAN attribute is common. For details about the configuration,
see Configuring the VLAN.
Step 5 Add an upstream port to the VLAN of the slave NE.
Run the port vlan command to add an upstream port to the VLAN.
Step 6 Isolate the upstream port of the slave NE.
Run the isolate command to isolate the upstream port.
NOTE
l When you subtend slave shelves through the upstream Ethernet port, run this command to isolate the
upstream Ethernet port used for subtending from service boards, subtending boards, and subtending ports
to enable the isolation of all the access services at layer 2.
l When you subtend slave shelves through the ETH subtending board, run this command to isolate the ETH
subtending board used for subtending from service boards, subtending boards, and subtending ports to enable
the isolation of all the access services at layer 2.
----End
Example
Assume that master NE huawei_A and slave NE huawei_B are subtended through the SCU
board. To add upstream port 0/7/0 and subtending port 0/7/1 of huawei_A to VLAN 100, and
add upstream port 0/7/0 of huawei_B to VLAN 100, do as follows:
Assume that master NE huawei_A and slave NE huawei_B are subtended through the ETHA
board. To add upstream port 0/7/0 and subtending port 0/6/0 of huawei_A to VLAN 100, and
add upstream port 0/7/0 of huawei_B to VLAN 100, do as follows:
huawei_A(config)#vlan 100 smart
huawei_A(config)#port vlan 100 0/7 0
huawei_A(config)#port vlan 100 0/6 0
Background Information
In the evolution from ATM networks to IP networks, carriers will replace their ATM-DSLAM
network devices in the access layer with IP network devices. In this evolution, a large number
of ATM network devices still exist on the network for a long time. To protect the investment of
carriers and the network stability, the MA5600 provides ATM ports for ATM network devices
to access the network.
The MA5600 provides four ATM optical ports (STM-1) through the AIUG board for connecting
to the ATM-DSLAM, and also provides the common Ethernet upstream or MPLS upstream
service, as shown in Figure 8-1.
GE BUS
ATM access
module
Service stream A
ATM-DSLAM
Service stream B device
The MA5600 can provide two upstream transmission modes: direct Ethernet upstream
transmission mode and MPLS upstream transmission mode.
Background Information
The attributes of an ATM port include clock type, interface type, maximum available VPIs of a
VC, and port loopback. The system provides default settings of the attributes. You can change
the attributes of an ATM port according to actual requirements.
Procedure
Step 1 Run the interface aiu command to enter the AIU interface configuration mode.
Step 2 Run the sub-interface optic command to enter the optical sub-interface mode.
You should complete the STM-1 optical port related configurations in the optical sub-interface
mode.
Step 3 Run the tx clock command to configure the type of the transmit clock of the port.
The clock includes two types: system clock and line clock. By default, the system clock is used.
l System clock: Indicates that the transmit clock of the port is the same as the system clock.
The clock precision is higher when the system clock is adopted.
l Line clock: Indicates that the transmit clock of the port is the same as the line clock. That is,
restore the clock from the received data and use this clock to transmit data. The transmit
clock can synchronize well with the peer clock when the line clock is used.
Step 4 Run the uni-nni-set command to set the interface type of an ATM port.
NOTE
The latest configuration takes effect after the board is reset.
l The interface type can be UNI or NNI.
l The default interface type is UNI.
l The interface type can be set without referring to the network location, but it must be the
same as that of the peer port.
l When the port is of the UNI type, the VPI value ranges from 0 to 255.
l When the port is of the NNI type, the VPI value ranges from 0 to 4095.
Step 5 Run the vpi-num-for-vcc command to set maximum number of available VPIs of the VC.
Proportion of VPIs and VCIs: VCIs x Maximum available VPIs of the VC = 16K. The more
VPIs, the less the matching VCIs.
Step 6 Run the loopback command to configure the loopback type of a specified port.
When a PVC is not available, you can locate the fault from segment to segment through loopback.
l Loopback is classified into local loopback and remote loopback.
l Local loopback is performed from the port side towards inside. In the local loopback, the
cells sent from a board to a port are sent back to the board when they arrive at the port, instead
of being sent out. Local loopback can be used to detect the internal forwarding fault.
l Remote loopback is performed from the port side towards outside. In remote loopback, the
cells sent from the line are sent directly from the port instead of being processed by the board.
Remote loopback can be used to detect the line fault.
l After setting the loopback type, you can run the bip-insert and event-insert commands to
insert specified error codec event or alarm to the line, thus checking the line condition.
Step 7 Run the display resource command display resource to query the configured resources of the
specified ATM port.
----End
Example
To configure the clock type of ATM port 0/5/0 to line clock, the interface type to UNI, and the
loopback type to remote loopback, do as follows:
huawei(config)#interface aiu 0/5
huawei(config-if-aiu-0/5)#sub-interface optic
huawei(config-if-aiu-0/5.optic)#tx clock 0 line
huawei(config-if-aiu-0/5.optic)#uni-nni-set 0 uni
Note: The new configuration will take effect after the board is reset
huawei(config-if-aiu-0/5.optic)#loopback 0 remote
huawei(config-if-aiu-0/5.optic)#display resource 0
The total VPIs supported by the port is 256
The number of available VPIs of VC connection supported by the port is 16
Max VP connection support on this port is 240
Max VC connection support on this port is 15872
huawei(config-if-aiu-0/5.optic)#
Prerequisites
l The VLAN must be configured: 1.10 Configuring a VLAN.
l The IP traffic profile must be configured: Configuring Traffic Management Based on
Traffic Profile.
Background Information
The MA5600 supports three different upstream transmission modes:
l Directly ETH upstream transmission
l Upstream transmission after the ETH PWE3 encapsulation
l Upstream transmission after the ATM PWE3 encapsulation
In the first two upstream transmission modes, you need to create an ETH service port based on
the ATM port. After reaching the AIUG board, ATM cells are terminated, segmented, and re-
organized into ETH packets. The difference is that, in the upstream transmission after the ETH
PWE3 encapsulation, the ETH packets need to be forwarded to the MPLS service board for
processing to complete the mapping of VLAN and PW.
In the upstream transmission after the ATM PWE3 encapsulation, you need to create an ATM
over Ethernet (AOE) service port based on the ATM port. After reaching the AIUG board, ATM
cells are not fragmented or re-organized, but directly encapsulated into Ethernet frames. Each
cell corresponds to an Ethernet frame, reserving the ATM PVC information. Then, the Ethernet
frames are forwarded to the MPLS service board for process to complete the mapping of PVC
and PW.
NOTE
In different application scenarios, the parameters for creating a service port vary greatly. You can select the
parameters according to actual requirements.
Procedure
Step 1 Create an ATM service port.
Run the service-port command to configure an ATM service port according to actual
requirements.
l To create an ETH service port based on the ATM port, run the following command:
service-port vlan vlanid shdsl mode atmframeid/slotid/portid autosense rx-cttr rx-
index tx-cttr tx-index
service-port vlan vlanid shdsl mode atm frameid/slotid/portid vpi vpi vci vci multi-
service { user-vlan user-vlanid | user-encap user-encap }rx-cttr rx-index tx-cttr tx-index
service-port vlan vlanid atm frameid/slotid/portid [ vpi vpi [ vci vci single-service ] ] rx-
cttr rx-index upc upc tx-cttr tx-index upc upc
l To create an AOE service port based on the ATM port, run the following command:
service-port vlan aoe shdsl mode atm frameid/slotid/portid [ vpi vpi [ vci vci [ single-
service ] ] ] rx-cttr rx-index tx-cttr tx-index
service-port vlan aoe atm frameid/slotid/portid [ vpi vpi [ vci vci ] ] rx-cttr rx-index
upc upc tx-cttr tx-index upc upc
service-port vlan aoe vdsl mode atm frameid/slotid/portid [vpi vpi [vci vci single-
service] ] rx-cttr rx-index tx-cttr tx-index
Step 3 Run the display service-port command to query the configuration of the service port.
Step 4 Run the display service-port desc command to query the description of the service port.
----End
Example
To create service port based on ATM port 0/5/0, add it to S-VLAN 10, set the service type to
single-PVC for single service, set the VPI/VCI to 0/35, bind traffic profile 6 to the port, and
configure the description of the service port to facilitate maintenance, do as follows:
huawei(config)#service-port vlan 10 atm 0/5/0 vpi 0 vci 35 single-service rx-cttr
6 upc on tx-cttr 6 upc on
huawei(config)#service-port desc 0/5/0 vpi 0 vci 35 description
"atm_0/5/0_vlan10_0/35_single_rx6/tx6"
To create AOE service port based on ATM port 0/5/0, set the service type to single-PVC for
single service, set the VPI/VCI to 0/35, bind traffic profile 6 to the port, and configure the
description of the service port to facilitate maintenance, do as follows:
huawei(config)#service-port vlan aoe atm 0/5/0 vpi 0 vci 35 single-service rx-cttr
6 upc on tx-cttr 6 upc on
huawei(config)#service-port desc 0/5/0 vpi 0 vci 35 description
"atm_0/5/0_aoe_0/35_single_rx6/tx6"
Prerequisites
The service port whose encapsulation mode is configured must exist.
Background Information
In the xPoA access mode, data cannot be directly transmitted in the IP network, and protocol
conversion is required. IPoA data and PPPoA data can be transmitted in the IP network only
after the IPoA-IPoE protocol conversion and the PPPoA-PPPoE protocol conversion are
performed.
The principles of the IPoA protocol are different from the principles of the PPPoA protocol. In
the PPPoA mode, the BRAS automatically allocates a gateway address to the PPPoA user after
the PPPoA user passes the authentication on the BRAS and the dialup is successful. Therefore,
the default gateway address need not be configured in the PPPoA mode. In IPoA mode, the data
is forwarded according to the route to the destination IP address and the next hop IP address
needs to be configured. Therefore, the default gateway address needs to be configured in the
IPoA mode.
Figure 8-2 shows the flowchart for configuring the xPoA-xPoE protocol conversion.
(Optional) Configure
the aging time of the (Optional) Configure the user
IPoA user forwarding entry MAC address allocation mode
End End
Table 8-1 lists the default settings of the xPoA-xPoE protocol conversion.
Parameter Default
Parameter Default
Procedure
l Enable the IPoA-IPoE protocol conversion.
A user can access the Internet in the IPoA mode only after the IPoA-IPoE protocol
conversion is enabled.
1. In the global config mode, run the mac-pool command to configure the MAC address
pool, which is used to allocate source MAC addresses to IPoA users. By default, the
number of MAC addresses in the MAC address pool is 256, which can be changed by
setting parameter scope.
The MAC address encapsulated into packets during the IPoA-IPoE conversion is the
MAC address allocated to the user from the MAC address pool.
2. Run the ipoa enable command to enable the IPoA-IPoE protocol conversion. By
default, the IPoA-IPoE protocol conversion is disabled.
3. Run the encapsulation command to set the user packet encapsulation mode (select
ipoa as the encapsulation mode).
NOTE
l You only need to configure parameter dstip in either the ipoa default gateway or
encapsulation command. If the MA5600 works in the L2 mode, set the IP address of the
upper-layer router as the default gateway. If the MA5600 works in the L3 mode, set the IP
address of the L3 interface corresponding to the MA5600 as the default gateway.
l IPoA encapsulation is not supported in the single-PVC for multiple services application.
l To convert the encapsulation mode from PPPoA to IPoA, you must change the
encapsulation mode to llc bridge and then perform conversion.
4. Run the ipoa expire-time command to set the aging time of the IPoA user forwarding
entry. By default, the aging time of the IPoA user forwarding entry is 1200s. The
default value is recommended.
l Configure the PPPoA-PPPoE protocol conversion.
A user can access the Internet in the PPPoA mode only after the PPPoA-PPPoE protocol
conversion is enabled.
1. In the global config mode, run the mac-pool command to configure the MAC address
pool, which is used to allocate source MAC addresses to PPPoA users. By default, the
number of MAC addresses in the MAC address pool is 256, which can be changed by
setting parameter scope.
The MAC address encapsulated into packets during the PPPoA-PPPoE conversion is
the MAC address allocated to the user from the MAC address pool.
2. Run the pppoa enable command to enable the PPPoA-PPPoE protocol conversion.
By default, the PPPoA-PPPoE protocol conversion is disabled.
3. Run the encapsulation command to set the user packet encapsulation mode (select
pppoa as the encapsulation mode).
NOTE
l PPPoA encapsulation is not supported in the single-PVC for multiple services or QinQ VLAN
application.
l To convert the encapsulation mode from IPoA to PPPoA, you must change the encapsulation
mode to llc bridge and then perform conversion.
4. Run the pppoa mru command to enable PPPoA-PPPoE MRU negotiation. By default,
the PPPoA-PPPoE MRU negotiation is disabled. Enable or disable the PPPoA-PPPoE
MRU negotiation according to the packet processing conditions.
When the MRU negotiation is disabled, the PC initiates the PPPoE connection and
performs the negotiation according to the MRU of 1492 bytes. In this case, packets
need to be segmented and reassembled.
When the MRU negotiation is enabled, the MA5600 identifies the PPPoA-PPPoE
packets, adds a tag to the packets, and then sends them to the BRAS. Then, the
BRAS negotiates with the CPE according to the MRU of 1500 bytes. In this
manner, the MTU between the CPE and the BRAS is equal to the standard Ethernet
MTU. In this case, the packets need not be segmented or reassembled.
5. Run the pppoa mac-mode command to set the user MAC address allocation mode
for the PPPoA-PPPoE protocol conversion. By default, the user MAC address
allocation mode is multi-mac. The single-mac mode can improve security. Select the
mode according to the MAC address allocation mode of PPPoA users.
In the multi-MAC allocation mode (the multi-mac mode), PPPoE users are
authenticated on the BRAS using their respective MAC address, and PPPoA users
are allocated with different MAC addresses and are authenticated on the BRAS
using these MAC addresses as source MAC addresses.
In the single-MAC allocation mode (the single-mac mode), the system replaces
the MAC address of each PPPoE user with the MAC address of the corresponding
board and allocates the same MAC address to all the PPPoA users.
----End
Example
Assume that the MA5600 works in the L2 mode, the default gateway is the same as the IP address
of the upper-layer router, which is 10.1.1.1, and the IPoA service encapsulation mode is LLC.
To enable the IPoA-IPoE conversion with start MAC address 0000-0000-0001 in the MAC
address pool that contains 200 MAC addresses, do as follows:
huawei(config)#mac-pool 0 0000-0000-0001 200
huawei(config)#ipoa enable
huawei(config)#ipoa default gateway 10.1.1.1
huawei(config)#encapsulation 0/2/0 vpi 0 vci 35 type ipoa llc srcIP 10.1.1.20
Assume that the PPPoA service encapsulation mode is LLC, and, to improve security, the user
MAC address allocation mode is the single-MAC mode. To enable the PPPoA-PPPoE
conversion with start MAC address 0000-1010-1000 in the MAC address pool that contains 200
MAC addresses, do as follows:
Prerequisites
l An LDP LSP must exist. For details about the configuration of the LDP LSP, see
Configuring the LDP LSP.
l An upstream port must exist. The VLAN to which the upstream port belongs must be a
standard VLAN. For details about how to add an upstream port to a VLAN, see 3.2
Configuring an Upstream Port.
l A route to the peer end must exist. PW has no special requirement for the routing policy.
For details about the configuration of the route, see 2.2 Configuring the Route.
Background Information
l A VPN can be created between the local VLAN and the peer VLAN through binding the
PW and the VLAN together. That is, by switching the labels, packets can transverse the
MPLS network, thus implementing the communication at L2 between the local end and the
remote end.
l Only the standard VLAN supports ETH PWE3.
Networking
Figure 8-3 shows an example network for configuring the ETH PWE3.
Data Plan
Table 8-2 provides the data plan for configuring the ETH PWE3.
Item Data
Procedure
Step 1 Run the mpls l2vpn command to enable MPLS L2VPN.
2. Run the peer-address command to configure the IP address of the peer device in the PW
template.
The configuration of the IP address is mandatory. If the IP address is not configured, a PW
template cannot be directly referenced when the PW template is bound to a PVC.
3. Run the pw-type command to configure the PW template type.
The MA5600 supports only the PW template of the tagged type. In the tagged type, after
receiving the PW packets, the peer PE can change, remove, or remain the tag of the PW
packets according to the configuration.
4. Run the quit command to quit the PW-template mode.
Step 4 Run the pw-ac-binding vlan command to bind the PW template to the PVC to create the ETH
PW service.
l The ID of the PW bound to the TDM must be the same as the PW ID of the remote peer.
l A PW template can be bound dynamically or statically. To bind a PW template dynamically,
enable MPLS LDP first.
----End
Example
Assume that the PW template to be bound is of the Ethernet tagged type, the IP address of the
peer device is 10.1.3.2, the outgoing label of the PW is 100, and the incoming label of the PW
is 8500. To bind the PW to the VLAN of MA5600_A, and create the ETH PW service, do as
follows:
huawei(config)#mpls l2vpn
huawei(config)#service-port vlan 10 adsl 0/1/0 rx-cttr 10 tx-cttr 10
huawei(config)#pw-template pwprofile
huawei(config-pw-template-pwprofile)#peer-address 10.1.3.2
huawei(config-pw-template-pwprofile)#pw-type ethernet tagged
huawei(config-pw-template-pwprofile)#quit
huawei(config)#pw-ac-binding vlan 10 pw 1 pw-template pwprofile static transmit-
label 100 receive-label 8500
Prerequisites
l An LDP LSP must exist. For details about the configuration of the LDP LSP, see
Configuring the LDP LSP.
l An upstream port must exist. The VLAN to which the upstream port belongs must be a
standard VLAN. For details about the configuration of the upstream port, see 3.2
Configuring an Upstream Port.
l A route to the peer end must exist. PW has no special requirement for the routing policy.
For details about the configuration of the upstream port, see 2.2 Configuring the Route.
Background Information
l A VPN can be created between the local VLAN and the peer VLAN through binding the
PW template and the VLAN together. That is, by switching the labels, packets can traverse
the MPLS network, thus implementing the communication at L2 between the local end and
the remote end.
l Only the standard VLAN supports ATM PWE3.
Networking
Figure 8-4 shows an example network for configuring the ATM PWE3.
Data Plan
Table 8-3 provides the data plan for configuring the ATM PWE3.
Item Data
Item Data
Procedure
Step 1 Run the mpls l2vpn command to enable MPLS L2VPN.
Step 4 Run the pw-ac-binding pvc command to bind the PW template to the PVC to create the ATM
PW service.
l The ID of the PW bound to the TDM must be the same as the PW ID of the remote peer.
l A PW template can be bound dynamically or statically. To bind a PW template dynamically,
enable MPLS LDP first.
----End
Example
Assume that the PW template to be bound is of the ATM sdu type and the IP address of the peer
device is 10.1.3.2. To bind the PW to the PVC of MA5600_A, and create the ATM PW service,
do as follows:
huawei(config)#mpls l2vpn
huawei(config)#service-port vlan 10 atm 0/6/0 vpi 0 vci 35 rx-cttr 10 upc off tx
This topic describes how to configure the integrated services on the MA5600s in the MSTP ring
network.
9.1 Networking
This topic describes the typical networking in the MSTP mode.
9.8 Verification
All the services configured on all the DSLAMs run in the normal state.
9.1 Networking
This topic describes the typical networking in the MSTP mode.
Three MA5600s (MA5600-1, MA5600-2, and MA5600-3) form an MSTP ring network.
l MA5600-1 is connected to the IP network.
l MA5600-3, through whose GE port, is subtended with MA5600-4.
l MA5600-1 works with MA5600-5 to provide the QinQ service through the IP network.
LAN Switch
BRAS
7 7
0 0
1 1
2 2
2 7 3 7
A A S
0 0
D D H
G 1 G E 1
E E B
2 2
A
Home Gateway 0
D
G 1
STB E 2
SCU MA5600-4
ADSL2
Ephone TV PC +
Modem
PC
NOTE
This network is for reference only. The actual network is determined according to the scenario.
Table 9-1 provides the service and the data plan for the MA5600 in Figure 9-1.
User PVC VPI/VCI VPI/VCI of the PVC VPI/ PVC VPI/ PVC VPI/
PVC of all the triple play VCI of all VCI of all the VCI of all the
users: 0/35 service: the users: users: 0/35 users: 0/35
Line profile l Video 0/35
ID: 10 service: 0/35 Line profile
Alarm profile l Internet ID: 10
ID: 10 service: 0/36 Alarm
Traffic profile l Voice profile ID:
ID: 6 service: 0/37 10
Alarm profile
ID: 10
Traffic profile
ID: 6
NOTE
Procedure
Step 1 Confirm the board.
huawei>enable
huawei#config
huawei(config)#board confirm 0
NOTE
Here, the SNMP version must be the same as the SNMP version of the NMS. In this example,
the NMS SNMP version is set to SNMP V2C.
5. Enable the trap sending.
huawei(config)#snmp-agent trap enable standard
<ATU-C >
> The number of Loss of Frame Seconds (0~900) [0]:
> The number of Loss of Signal Seconds (0~900) [0]:
> The number of Loss of Link Seconds (0~900) [0]:
> The number of Loss of Power Seconds (0~900) [0]:
> The number of Errored Seconds (0~900) [0]
> Enable and disable the initial failure trap 0-disable 1-enable (0~1)[0]:1
> The number of failed fast retrain seconds (0~900) [0]:
> The number of severely errored seconds (0~900) [0]:
> The number of unavailable seconds (0~900) [0]:
> Threshold of positive difference between the current and the past transmit
rate in fast mode (0~31968kbps) [0]:
> Threshold of positive difference between the current and the past transmit
rate in interleaved mode (0~31968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in fast mode (0~31968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in interleaved mode (0~31968kbps) [0]:
<ATU-R >
> The number of Loss of Frame Seconds (0~900) [0]:
> The number of Loss of Signal Seconds (0~900) [0]:
> The number of Loss of Power Seconds (0~900) [0]:
> The number of Errored Seconds (0~900) [0]:
> The number of severely errored seconds (0~900) [0]:
> The number of unavailable seconds (0~900) [0]:
> Threshold of positive difference between the current and the past transmit
rate in fast mode (0~2968kbps) [0]:
> Threshold of positive difference between the current and the past transmit
rate in interleaved mode (0~2968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in fast mode (0~2968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in interleaved mode (0~2968kbps) [0]:
Add profile 10 successfully
The configuration of the upstream port of the SCU board needs to be the same as
that of the peer device.
Run the auto-neg command to set the port to work in the auto-negotiation mode.
If the port does not work in the auto-negotiation mode, change to the SCU config
mode and run the speed command to change the port rate, and run the duplex
command to change the port duplex mode.
l Configure the VLAN.
The ADSL2+ users of MA5600-1 use the VLAN authentication. In this case, the
MUX VLAN is used to identify the users.
huawei(config)#vlan 1000 to 1031 mux
huawei(config)#port vlan 1000 to 1031 0/7 0-2
l The user on port 0/2/2 needs to be authenticated, who can watch two programs and preview
one program.
l The user on port 0/2/3 need not be authenticated.
1. Configure the line profile.
In this example, the ADSL port adopts the default line profile (profile 1002). Therefore,
you need not configure the line profile.
2. Configure the VLAN.
l Create a VLAN.
huawei(config)#vlan 100 smart
You can run the igmp preview auto-reset-time command to set the time for
automatically clearing the preview counts. In this example, the system clears the
preview counts of all the subscribers at 00:00:00 every day.
huawei(config-btv)#igmp preview auto-reset-time 00:00:00
In the MSTP ring network, MA5600-1 is subtended with MA5600-3, and MA5600-3 is
subtended with MA5600-4. According to the data plan, MA5600-4 provides the multicast
service. In this manner, it is necessary to configure the multicast subtending on MA5600-1 first.
----End
Procedure
Step 1 Confirm the board.
huawei>enable
huawei#config
huawei(config)#board confirm 0
4. Configure SNMP.
l Configure the community name and access rights.
huawei(config)#snmp-agent community read public
huawei(config)#snmp-agent community write private
Here, the SNMP version must be the same as that of NMS. In this example, the NMS
SNMP version is set to SNMP V2C.
huawei(config)#snmp-agent sys-info version v2c
The MA5600 supports the ADSL2+ Internet access service in multiple encapsulation modes,
such as IPoA, PPPoA, IPoE, and PPPoE. This topic uses the PPPoE mode as an example to
describe how to configure the ADSL2+ service.
> Please choose default value type 0-adsl 1-adsl2+ (0~1) [0]:1
> Will you set basic configuration for modem? (y/n)[n]:n
> Please select channel mode 0-interleaved 1-fast (0~1) [0]:
> Will you set interleaved delay? (y/n)[n]:n
>Please select form of transmit rate adaptation in downstream:
> 0-fixed 1-adaptAtStartup 2-adaptAtRuntime (0~2) [1]:
> Will you set SNR margin for modem? (y/n)[n]:n
> Will you set parameters for rate? (y/n)[n]:y
> Minimum transmit rate in downstream (32~32000 Kbps) [32]:
> Maximum transmit rate in downstream (32~32000 Kbps) [24544]:8000
> Minimum transmit rate in upstream (32~3000 Kbps) [32]:
> Maximum transmit rate in upstream (32~3000 Kbps) [1024]:
Add profile 10 successfully
The configuration of the upstream port of the SCU board needs to be the same as
the configuration of the peer device.
Run the auto-neg command to set the port to work in the auto-negotiation mode.
If the port does not work in the auto-negotiation mode, change to the SCU config
mode and run the speed command to change the port rate, and run the duplex
command to change the port duplex mode.
l Configure the VLAN.
The ADSL2+ users of MA5600-2 use the PPPoE authentication. In this case, the
smart VLAN is used to identify the users.
huawei(config)#vlan 1000 smart
huawei(config)#port vlan 1000 0/7 0-1
The MA5600 supports the SHDSL Internet access service in multiple encapsulation modes, such
as IPoA, PPPoA, IPoE, and PPPoE. This topic uses the PPPoE mode as an example to describe
how to configure the SHDSL service.
ISP1 provides users of ports 0-10 on the board in slot 0/2 with the stacking wholesale service.
ISP2 provides users of ports 11-20 to with the stacking wholesale service. ISP3 provides users
of port 21-30 with the stacking wholesale service.
After the configuration, the following results need to be achieved: The user of port 0/2/31 can
watch the programs with IP addresses 224.1.1.1 and 224.1.1.2 and can only preview the program
with IP address 224.1.1.3.
----End
Procedure
Step 1 Confirm the board.
huawei>enable
huawei#config
huawei(config)#board confirm 0
4. Configure SNMP.
l Configure the community name and access rights.
huawei(config)#snmp-agent community read public
huawei(config)#snmp-agent community write private
Here, the SNMP version must be the same as the SNMP version of the NMS. In this
example, the NMS SNMP version is set to SNMP V2C.
huawei(config)#snmp-agent sys-info version v2c
huawei(config-if-power4845-0)#power module-num 2 1 2
huawei(config-if-power4845-0)#quit
The MA5600 supports the ADSL2+ Internet access service in multiple encapsulation modes,
such as IPoA, PPPoA, IPoE, and PPPoE. This topic uses the PPPoE mode as an example to
describe how to configure the ADSL2+ service.
<ATU-C >
> The number of Loss of Frame Seconds (0~900) [0]:
> The number of Loss of Signal Seconds (0~900) [0]:
> The number of Loss of Link Seconds (0~900) [0]:
> The number of Loss of Power Seconds (0~900) [0]:
> The number of Errored Seconds (0~900) [0]
> Enable and disable the initial failure trap 0-disable 1-enable (0~1)[0]:1
> The number of failed fast retrain seconds (0~900) [0]:
> The number of severely errored seconds (0~900) [0]:
> The number of unavailable seconds (0~900) [0]:
> Threshold of positive difference between the current and the past transmit
rate in fast mode (0~31968kbps) [0]:
> Threshold of positive difference between the current and the past transmit
rate in interleaved mode (0~31968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in fast mode (0~31968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in interleaved mode (0~31968kbps) [0]:
<ATU-R >
> The number of Loss of Frame Seconds (0~900) [0]:
> The number of Loss of Signal Seconds (0~900) [0]:
> The number of Loss of Power Seconds (0~900) [0]:
> The number of Errored Seconds (0~900) [0]:
> The number of severely errored seconds (0~900) [0]:
> The number of unavailable seconds (0~900) [0]:
> Threshold of positive difference between the current and the past transmit
rate in fast mode (0~2968kbps) [0]:
> Threshold of positive difference between the current and the past transmit
rate in interleaved mode (0~2968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in fast mode (0~2968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in interleaved mode (0~2968kbps) [0]:
Add profile 10 successfully
The configuration of the upstream port of the SCU board needs to be the same as
that of the peer device.
Run the auto-neg command to set the port to work in the auto-negotiation mode.
If the port does not work in the auto-negotiation mode, change to the SCU config
mode and run the speed command to change the port rate, and run the duplex
command to change the port duplex mode.
The ADSL2+ users of MA5600-3 use the VLAN authentication. In this case, the
MUX VLAN is used to identify the users.
huawei(config)#vlan 1000 to 1031 mux
huawei(config)#port vlan 1000 to 1031 0/7 0-1
The MA5600 supports the SHDSL service of multiple encapsulation modes, such as IPoA,
PPPoA, IPoE, and PPPoE. This topic uses the PPPoE mode as an example to describe how to
configure the SHDSL service.
----End
Procedure
Step 1 Confirm the board.
huawei>enable
huawei#config
huawei(config)#board confirm 0
Here, the SNMP version must be the same as that of NMS. In this example, the NMS
SNMP version is set to SNMP V2C.
huawei(config)#snmp-agent sys-info version v2c
<ATU-C >
> The number of Loss of Frame Seconds (0~900) [0]:
> The number of Loss of Signal Seconds (0~900) [0]:
> The number of Loss of Link Seconds (0~900) [0]:
> The number of Loss of Power Seconds (0~900) [0]:
> The number of Errored Seconds (0~900) [0]
> Enable and disable the initial failure trap 0-disable 1-enable (0~1)[0]:1
> The number of failed fast retrain seconds (0~900) [0]:
> The number of severely errored seconds (0~900) [0]:
> The number of unavailable seconds (0~900) [0]:
> Threshold of positive difference between the current and the past transmit
rate in fast mode (0~31968kbps) [0]:
> Threshold of positive difference between the current and the past transmit
rate in interleaved mode (0~31968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in fast mode (0~31968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in interleaved mode (0~31968kbps) [0]:
<ATU-R >
> The number of Loss of Frame Seconds (0~900) [0]:
> The number of Loss of Signal Seconds (0~900) [0]:
> The number of Loss of Power Seconds (0~900) [0]:
> The number of Errored Seconds (0~900) [0]:
> The number of severely errored seconds (0~900) [0]:
> The number of unavailable seconds (0~900) [0]:
> Threshold of positive difference between the current and the past transmit
rate in fast mode (0~2968kbps) [0]:
> Threshold of positive difference between the current and the past transmit
rate in interleaved mode (0~2968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in fast mode (0~2968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in interleaved mode (0~2968kbps) [0]:
Add profile 10 successfully
The configuration of the upstream port of the SCU board needs to be the same as
the configuration of the peer device.
Run the auto-neg command to set the port to work in the auto-negotiation mode.
If the port does not work in the auto-negotiation mode, change to the SCU config
mode and run the speed command to change the port rate, and run the duplex
command to change the port duplex mode.
l Configure the VLAN.
The ADSL2+ users of MA5600-4 use the PPPoE authentication. In this case, the
smart VLAN is used to identify the users.
huawei(config)#vlan 1000 smart
huawei(config)#port vlan 1000 0/7 0
The MA5600 supports the SHDSL Internet access service in multiple encapsulation modes, such
as IPoA, PPPoA, IPoE, and PPPoE. This topic uses the PPPoE mode as an example to describe
how to configure the SHDSL service.
You can run the igmp preview auto-reset-time command to set the time for
automatically clearing the preview counts. In this example, the system clears the
preview counts of all the subscribers at 00:00:00 every day.
huawei(config-btv)#igmp preview auto-reset-time 00:00:00
----End
Procedure
Step 1 Confirm the board.
huawei>enable
huawei#config
huawei(config)#board confirm 0
4. Configure SNMP.
l Configure the community name and access rights.
huawei(config)#snmp-agent community read public
huawei(config)#snmp-agent community write private
Here, the SNMP version must be the same as the SNMP version of the NMS. In this
example, the NMS SNMP version is set to SNMP V2C.
huawei(config)#snmp-agent sys-info version v2c
MA5600-1 and MA5600-5 belong to two representative offices of the same enterprise and they
can communicate with each other normally through the QinQ private line.
----End
9.8 Verification
All the services configured on all the DSLAMs run in the normal state.
MA5600-1:
l All the users of the ADSL2 port on the board in slot 0/3 can access the Internet normally.
l All the users of the SHDSL port on the board in slot 0/5 can access the Internet normally.
l Multicast users on port 0/2/2 and 0/2/3 can watch program1 and program2 and preview
program3.
l The multicast user on port 0/2/2 needs to be authenticated. The multicast user on port
0/2/3 need not be authenticated.
MA5600-2:
l All the users of the ADSL2 port on the board in slot 0/3 can access the Internet normally.
l All the users of the SHDSL port on the board in slot 0/5 can access the Internet normally.
l ISP1 provides users of ports 0-10 on the board in slot 0/2 with the stacking wholesale
service. ISP2 provides users of ports 11-20 to with the stacking wholesale service. ISP3
provides users of port 21-30 with the stacking wholesale service.
l The multicast user on port 0/2/31 can watch programs with IP addresses 224.1.1.1 and
224.1.1.2 and preview the program with IP address 224.1.1.3.
MA5600-3:
l All the users of the ADSL2 port on the board in slot 0/3 can access the Internet normally.
l All the users of the SHDSL port on the board in slot 0/5 can access the Internet normally.
MA5600-4:
l All the users of the ADSL2 port on the board in slot 0/3 can access the Internet normally.
l All the users of the SHDSL port on the board in slot 0/5 can access the Internet normally.
l Multicast users on port 0/2/2 and 0/2/3 can watch program1 and program2 and preview
program3.
l The multicast user on port 0/2/2 needs to be authenticated. The multicast user on port
0/2/3 need not be authenticated.
The user on port 0/5/31 of MA5600-1 and the user on port 0/5/31 of MA5600-5 belong to two
representative offices of the same enterprise and they can communicate with each other normally
through the QinQ private line.
This topic describes how to configure the integrated services on the MA5600s in the multi-tier
subtending network.
10.1 Networking
This topic describes an example of the subtending network.
10.6 Verification
All the services configured on all the DSLAMs run in the normal state.
10.1 Networking
This topic describes an example of the subtending network.
As shown in Figure 10-1, MA5600-1 is subtended with MA5600-2 through the GE port on the
SCU board.
LAN Switch
BRAS
2 3 5 6 7 5 7
0 0
A A S A S
1
D D H I H
G G E U E
E E A G A
SCU SCU
MA5600-1 MA5600-3
7 2 3 5 7
0 0
A A S
1 1
D D H
G G E
E E A
ADSL2+ Modem
Home Gateway
STB
PC
E phone TV PC
Table 10-1 provides the service and the data plan for the MA5600 in Figure 10-1.
Slot ADSL2+: 0/2 and ADSL2+: 0/3 QinQ: 0/5/31 ADSL: 0/14
planning 0/3 SHDSL: 0/5
SHDSL: 0/5 Stacking:
ATM subtending: 0/2/0-10
0/6 (corresponding to
QinQ: 0/5/31 VLAN 60, ISP1)
Multicast: 0/2/2 0/2/11-20
and 0/2/3 (corresponding to
VLAN 61, ISP2)
0/2/21-30
(corresponding to
VLAN 62, ISP3)
Triple play:
0/2/31
Multicast: 0/2/2
and 0/2/3
NOTE
Procedure
Step 1 Confirm the board.
huawei>enable
huawei#config
huawei(config)#board confirm 0
Here, the SNMP version must be the same as the SNMP version of the NMS. In this
example, the NMS SNMP version is set to SNMP V2C.
huawei(config)#snmp-agent sys-info version v2c
> Enable and disable the initial failure trap 0-disable 1-enable (0~1)[0]:1
> The number of failed fast retrain seconds (0~900) [0]:
> The number of severely errored seconds (0~900) [0]:
> The number of unavailable seconds (0~900) [0]:
> Threshold of positive difference between the current and the past transmit
rate in fast mode (0~31968kbps) [0]:
> Threshold of positive difference between the current and the past transmit
rate in interleaved mode (0~31968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in fast mode (0~31968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in interleaved mode (0~31968kbps) [0]:
<ATU-R >
> The number of Loss of Frame Seconds (0~900) [0]:
> The number of Loss of Signal Seconds (0~900) [0]:
> The number of Loss of Power Seconds (0~900) [0]:
> The number of Errored Seconds (0~900) [0]:
> The number of severely errored seconds (0~900) [0]:
> The number of unavailable seconds (0~900) [0]:
> Threshold of positive difference between the current and the past transmit
rate in fast mode (0~2968kbps) [0]:
> Threshold of positive difference between the current and the past transmit
rate in interleaved mode (0~2968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in fast mode (0~2968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in interleaved mode (0~2968kbps) [0]:
Add profile 10 successfully
Generally, the GE optical port uses the default GE full duplex mode.
In the SCU config mode, to change the port rate, run the speed command; to change
the port duplex mode, run the duplex command.
The configuration of the SCU board needs to be the same as that of the peer device.
l Configure the VLAN.
The ADSL2+ users of MA5600-1 use the VLAN authentication. In this case, the
MUX VLAN is used to identify the users.
huawei(config)#vlan 1000 to 1031 mux
huawei(config)#port vlan 1000 0/7 0-1
huawei(config)#port vlan 1001 to 1031 0/7 0
The MA5600 supports the SHDSL service of multiple encapsulation modes, such as IPoA,
PPPoA, IPoE, and PPPoE. This topic takes the PPPoE mode as an example to describe how to
configure the SHDSL service.
MA5600-1 and MA5600-3 belong to two representative offices of the same enterprise and they
can communicate with each other normally through the QinQ private line.
l The user on port 0/2/2 needs to be authenticated, who can watch two programs and preview
one program.
l The user on port 0/2/3 need not be authenticated.
1. Configure the line profile.
In this example, the ADSL port adopts the default line profile (profile 1002). Therefore,
you need not configure the line profile.
2. Configure the VLAN.
l Create a VLAN.
huawei(config)#vlan 100 smart
You can run the igmp preview auto-reset-time command to set the time for
automatically clearing the preview counts. In this example, the system clears the
preview counts of all the subscribers at 00:00:00 every day.
huawei(config-btv)#igmp preview auto-reset-time 00:00:00
5. Create a VLAN.
huawei(config-if-aiu-0/6.ima)#quit
huawei(config-if-aiu-0/6)#quit
huawei(config)#vlan 11 mux
----End
Procedure
Step 1 Confirm the board.
huawei>enable
huawei#config
huawei(config)#board confirm 0
Here, the SNMP version must be the same as the SNMP version of the NMS. In this
example, the NMS SNMP version is set to SNMP V2C.
huawei(config)#snmp-agent sys-info version v2c
<ATU-C >
> The number of Loss of Frame Seconds (0~900) [0]:
> The number of Loss of Signal Seconds (0~900) [0]:
> The number of Loss of Link Seconds (0~900) [0]:
> The number of Loss of Power Seconds (0~900) [0]:
> The number of Errored Seconds (0~900) [0]
> Enable and disable the initial failure trap 0-disable 1-enable (0~1)[0]:1
> The number of failed fast retrain seconds (0~900) [0]:
> The number of severely errored seconds (0~900) [0]:
> The number of unavailable seconds (0~900) [0]:
> Threshold of positive difference between the current and the past transmit
rate in fast mode (0~31968kbps) [0]:
> Threshold of positive difference between the current and the past transmit
rate in interleaved mode (0~31968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in fast mode (0~31968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in interleaved mode (0~31968kbps) [0]:
<ATU-R >
> The number of Loss of Frame Seconds (0~900) [0]:
> The number of Loss of Signal Seconds (0~900) [0]:
> The number of Loss of Power Seconds (0~900) [0]:
> The number of Errored Seconds (0~900) [0]:
> The number of severely errored seconds (0~900) [0]:
> The number of unavailable seconds (0~900) [0]:
> Threshold of positive difference between the current and the past transmit
rate in fast mode (0~2968kbps) [0]:
> Threshold of positive difference between the current and the past transmit
rate in interleaved mode (0~2968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in fast mode (0~2968kbps) [0]:
> Threshold of negative difference between the current and the past transmit
rate in interleaved mode (0~2968kbps) [0]:
Add profile 10 successfully
Generally, the GE optical port uses the default GE full duplex mode.
In the SCU config mode, to change the port rate, run the speed command; to change
the port duplex mode, run the duplex command.
The configuration of the SCU board needs to be the same as that of the peer device.
l Configure the VLAN.
The ADSL2+ users of MA5600-2 use the PPPoE authentication. In this case, the
smart VLAN is used to identify the users.
huawei(config)#vlan 1000 smart
huawei(config)#port vlan 1000 0/7 0-1
----End
Procedure
Step 1 Confirm the board.
huawei>enable
huawei#config
huawei(config)#board confirm 0
4. Configure SNMP.
l Configure the community name and access rights.
huawei(config)#snmp-agent community read public
huawei(config)#snmp-agent community write private
Here, the SNMP version must be the same as the SNMP version of the NMS. In this
example, the NMS SNMP version is set to SNMP V2C.
huawei(config)#snmp-agent sys-info version v2c
MA5600-1 and MA5600-3 belong to two representative offices of the same enterprise and they
can communicate with each other normally through the QinQ private line.
----End
10.6 Verification
All the services configured on all the DSLAMs run in the normal state.
MA5600-1:
l All the users of the ADSL2 port on the board in slot 0/3 can access the Internet normally.
l All the users of the SHDSL port on the board in slot 0/5 can access the Internet normally.
l Multicast users on port 0/2/2 and 0/2/3 can watch program1 and program2 and preview
program3.
l The multicast user on port 0/2/2 needs to be authenticated. The multicast user on port
0/2/3 need not be authenticated.
MA5600-2:
l All the users of the ADSL2 port on the board in slot 0/3 can access the Internet normally.
l All the users of the SHDSL port on the board in slot 0/5 can access the Internet normally.
l ISP1 provides users of ports 0-10 on the board in slot 0/2 with the stacking wholesale
service. ISP2 provides users of ports 11-20 to with the stacking wholesale service. ISP3
provides users of port 21-30 with the stacking wholesale service.
l The multicast user on port 0/2/31 can watch programs with IP addresses 224.1.1.1 and
224.1.1.2 and preview the program with IP address 224.1.1.3.
The user on port 0/5/31 of MA5600-1 and the user on port 0/5/31 of MA5600-3 belong to two
representative offices of the same enterprise and they can communicate with each other normally
through the QinQ private line.
A FAQ
This topic describes the FAQs and the corresponding solutions during the service configuration
on the MA5600.
A.1 How to Query MAC Addresses of Online Users and Query the Ports that Provide the Access
for the Users According to the MAC Addresses
A.2 What Are the Prerequisites for the Link and Protocol Status of the L3 Interface to Be Up
A.3 How to Prevent System Breakdown or Service Interruption of the MA5600 Caused by
Network Attacks Through the Proper Configuration
A.6 How to Change the Service VLAN to Which the xDSL Port Belongs
A.9 How to Enable Two xDSL Ports of the MA5600 to Communicate with Each Other
A.10 What Are the Differences Between the firewall packet-filter Command and the packet-
filter Command
Answer
Run the display mac-address all command to query the MAC addresses of all the online users,
and then run the display location command to query the ports that provide the access for the
users according to the specified MAC addresses.
A.2 What Are the Prerequisites for the Link and Protocol
Status of the L3 Interface to Be Up
Question
What are the prerequisites for the link and protocol status of the L3 interface to be Up?
Answer
The link status depends on the status of the port in the VLAN corresponding to the L3 interface.
If the status of an Ethernet port in the VLAN corresponding to the L3 interface is up, the link
status of the L3 interface is up.
Three prerequisites determine whether the protocol status of an L3 interface is up, which are the
link status, IP address of the L3 interface, and management status of the L3 interface. The
protocol status of an L3 interface is up only when the L3 interface is configured with an IP
address, the link status is up, and the management status of the L3 interface is up.
Answer
The common improper configurations that affect the system security are as follows:
l The ring network detection function and the anti-MAC address-spoofing function or anti-
IP address-spoofing function are disabled. When the anti-MAC address-spoofing function
or the anti-IP address-spoofing function is disabled, the illegal user sends the PPPoE and
DHCP control packets by forging the MAC address or IP address of a legal user. In this
case, the security of the system is affected.
Run the ring check command to enable the ring network detection function on the user
side.
Run the security anti-macspoofing enable command to enable the anti-MAC address-
spoofing function.
Run the security anti-ipspoofing enable command to enable the anti-IP address-spoofing
function.
l The devices are managed by IP addresses of the public network and the access rights are
not limited strictly when the ACL rule is configured. In this case, the network is attacked.
To ensure the security of devices, manage the devices by using the IP addresses of the
private network. When configuring the ACL rule, you must comply with the principle of
the minimum authorization to configure the accessible address segment. The accessible
address segment can contain only the mandatory IP addresses of the management network
segment. Other IP addresses cannot access the device management interface.
Run the acl command to create a basic ACL and enter the ACL mode. The number of a
basic ACL can only be in the range of 2000-2999.
In the basic ACL mode, run the rule command to create a basic ACL rule. The
parameters are as follows:
rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use
this parameter.
permit: Indicates the keyword for allowing the data packets that meet the related
conditions to pass.
deny: Indicates the keyword for discarding the data packets that meet the related
conditions.
time-range: Indicates the keyword of the time range during which the ACL rule is
effective.
l The packets that access the device management interface are not controlled so that the
device is attacked by the packets. In this case, the system is caused to be busy and the
services are affected.
Run the firewall packet-filter command to apply the packet filtering rules of the firewall
to the interface to filter the packets that access the interface. In this case, the packet attack
is prevented.
Answer
Step 1 Delete the L3 interface and the upstream port of the original NMS VLAN and delete the original
NMS VLAN.
l Run the undo interface vlanif command to delete the L3 interface of the original NMS
VLAN.
l Run the undo port vlan command to delete the upstream port of the original NMS VLAN.
l Run the undo vlan command to delete the original NMS VLAN.
Step 2 Create an NMS VLAN, upstream port, L3 interface of the NMS VLAN, and management IP
address.
1. Run the vlan command to create an NMS VLAN.
2. Run the port vlan command to add an upstream port to the VLAN.
3. Run the interface vlanif command to enable the L3 interface of the VLAN.
4. Run the ip address command to configure the management IP address.
Step 3 Run the save command to save the data, and then exit.
----End
Answer
Delete the original VLAN, and then run the vlan command to configure a new VLAN.
NOTE
Answer
Changing the service VLAN to which an xDSL port belongs means changing the service port
configuration, namely, the PVC configuration, of an xDSL port. To change the service VLAN,
run the undo service-port command to delete the service ports (PVCs), and then configure a
new VLAN for the xDSL port.
NOTE
Answer
l For the ADSL port, run the deactivate command to deactivate the ADSL port, and then
run the activate command to activate the ADSL port by using a new line profile.
l For the VDSL port, create a line template that contains the new line profile, run the
deactivate command to deactivate the VDSL port, and then run the activate command to
activate the VDSL port by using the created line template.
l For the SHDSL port, run the deactivate command to deactivate the SHDSL port, and then
run the activate command to activate the SHDSL port by using a new line profile.
NOTICE
Exercise caution when deactivating a port because it interrupts the service on the port. The
operations of changing other profiles of an xDSL port are the same as the operations of changing
the line profile of the xDSL port.
Answer
You can add a board in the following two ways:
l Adding a board offline: Run the board add command to add a board to an vacant slot (in
this case, the system generates the "Board Fault" alarm). Then, insert a board to the slot (in
this case, if the type of the inserted board is the same as the type of the board added offline,
the system generates the "Board Recovery" alarm; if the type of the inserted board is
different from the type of the board added offline, the system generates the "Type
Mismatch" alarm).
l Automatically discovering a board: Insert a board to an vacant slot (in this case, the system
displays a message indicating that a board is automatically discovered, and the board is in
the auto-find state). Then, run the board confirm command to confirm the board that is
automatically discovered.
Answer
Two xDSL ports of the MA5600 communicate with each other through service ports.
l If the two xDSL ports are on different boards, establish a standard VLAN, create one service
port for each xDSL port, and then add the created two service ports to the established
standard VLAN.
NOTICE
The service ports can be added to the standard VLAN only when the attribute of the VLAN
is QinQ.
l If the two xDSL ports are on the same board, establish a super VLAN, create one service
port for each xDSL port, and then add the created two service ports to the sub VLAN of
the established super VLAN.
Answer
The similarity is that both the firewall packet-filter and packet-filter commands can be used
only when the ACL function is enabled.
l The packet-filter command is used to filter the packets of the LSW port by using an LSW
hardware-based ACL. The matching mode for this command is searching all the ACLs and
adopting the latest one, that is, if a packet matches multiple ACL rules, the last rule takes
effect.
l The firewall packet-filter command is used to filter the packets received on the CPU by
using a software-based ACL. The matching mode for this command is searching for and
adopting the first ACL, that is, when the first rule is matched, this rule takes effect regardless
of the subsequent rules.
This topic lists the acronyms and abbreviations used in this document.
BTV Broadband TV
CC Connection Confirm
DHCP
DHCP relay agent option 82
option82
DR Designated Router
DU Downstream Unsolicited
FE Fast Ethernet
GE Gigabit Ethernet
IP Internet Protocol
MA Maintenance Association
MD Maintenance Domain
PQ Priority Queuing
VT Virtual Terminal