
HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module
Layer 2 Configuration Guide

Part number: 5998-3906


Software version:
3308P29 (HP 830 Series PoE+ Unified Wired-WLAN Switch)
2308P29 (HP 10500/7500 20G Unified Wired-WLAN Module)
Document version: 6W102-20131112
Legal and notice information

© Copyright 2013 Hewlett-Packard Development Company, L.P.


No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
Contents

Configuring Ethernet interfaces
  Overview
  Performing general configurations
    Configuring basic settings of an Ethernet interface
    Shutting down an Ethernet interface
    Configuring loopback testing on an Ethernet interface
    Configuring jumbo frame support
    Setting a statistics polling interval
  Configuring a Layer 2 Ethernet interface
    Configuring a port group
    Configuring storm suppression
  Displaying and maintaining an Ethernet interface or subinterface

Configuring loopback and null interfaces
  Configuring a loopback interface
    Introduction
    Configuration procedure
  Configuring the null interface
    Introduction
    Configuration procedure
  Displaying and maintaining loopback and null interfaces

Configuring VLANs
  Overview
    VLAN frame encapsulation
    VLAN types
    Protocols and standards
  Configuring basic VLAN settings
    Configuration restrictions and guidelines
    Configuration procedure
  Configuring basic settings of a VLAN interface
    Configuration procedure
    VLAN interface configuration example
  Configuring port-based VLANs
    Introduction to port-based VLAN
    Assigning an access port to a VLAN
    Assigning a trunk port to a VLAN
    Assigning a hybrid port to a VLAN
    Port-based VLAN configuration example
  Configuring MAC-based VLANs
    Introduction to MAC-based VLAN
    Configuration restrictions and guidelines
    Configuration procedure
    MAC-based VLAN configuration example
  Displaying and maintaining VLAN

Configuring the MAC address table
  Overview
    How a MAC address entry is created
    Types of MAC address entries
  Configuring static, dynamic, and destination blackhole MAC address entries
    Adding or modifying a static or dynamic MAC address entry in system view
    Adding or modifying a static or dynamic MAC address entry in interface view
  Configuring a destination blackhole MAC address entry
  Disabling MAC address learning
    Disabling global MAC address learning
    Disabling MAC address learning on interfaces
  Configuring the aging timer for dynamic MAC address entries
  Configuring the MAC learning limit on interfaces
  Displaying and maintaining MAC address tables
  MAC address table configuration example
    Network requirements
    Configuration procedure

Configuring Ethernet link aggregation
  Overview
    Basic concepts
    Aggregating links in static mode
    Load-sharing criteria for link aggregation groups
  Configuration restrictions and guidelines
  Ethernet link aggregation configuration task list
  Configuring a Layer 2 static aggregation group
  Configuring an aggregate interface
    Configuring the description of an aggregate interface
    Enabling link state traps for an aggregate interface
    Shutting down an aggregate interface
    Restoring the default settings for an aggregate interface
  Configuring load sharing for link aggregation groups
    Configuring the global link-aggregation load-sharing criteria
    Configuring group-specific load-sharing criteria
  Displaying and maintaining Ethernet link aggregation

Configuring Layer 2 forwarding
  Configuring normal Layer 2 forwarding
    Configuration procedure
    Displaying and maintaining normal Layer 2 forwarding
  Configuring fast Layer 2 forwarding
    Configuration procedure
    Displaying and maintaining fast Layer 2 forwarding
  Configuring Layer 2 FPGA fast forwarding
    Configuration procedure
    Displaying and maintaining Layer 2 FPGA fast forwarding

Configuring PPPoE
  Overview
    PPPoE network structure
    Protocols and standards
  Configuring a PPPoE server
  Displaying and maintaining PPPoE
  PPPoE server configuration example
    Network requirements
    Configuration procedure
    Verifying the configuration

Support and other resources
  Contacting HP
    Subscription service
  Related information
    Documents
    Websites
  Conventions

Index

Configuring Ethernet interfaces

All configuration tasks in this chapter are independent and optional. You can perform these
configuration tasks in any order.

Overview
Ethernet is the most widespread wired LAN technology due to its flexibility, simplicity, and easy
implementation. The AC side of your device supports Layer 2 Ethernet interfaces, which are physical
Ethernet interfaces operating at the data link layer (Layer 2) to forward traffic within a subnet between
hosts.

Performing general configurations


Configuring basic settings of an Ethernet interface
You can set the speed of an Ethernet interface or enable it to automatically negotiate a speed with its
peer.
To configure an Ethernet interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Set the interface description.
   Command: description text
   Remarks: Optional. By default, the description of an interface is in the format of
   interface-name Interface. For example, Ten-GigabitEthernet1/0/1 Interface.

4. Set the duplex mode of the interface.
   Command: duplex auto
   Remarks: Optional. By default, the duplex mode is full for 10-GE interfaces, and is auto for
   other Ethernet interfaces. Support for the command depends on the interface card model. For
   more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP
   10500/7500 20G Unified Wired-WLAN Module Command References.

5. Set the port speed.
   Command: speed 1000
   Remarks: Optional. Support for the command depends on your device model. For more
   information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500
   20G Unified Wired-WLAN Module Command References.

6. Restore the default settings for the interface.
   Command: default
   Remarks: Optional.

Shutting down an Ethernet interface

CAUTION:
Use this command with caution. After you manually shut down an Ethernet interface, the Ethernet interface
cannot forward packets even if it is physically connected.

You might need to shut down and then bring up an Ethernet interface or subinterface to activate some
configuration changes.
The access controller module of the device communicates with the switching engine through the internal
interfaces. Do not shut down these internal interfaces. Otherwise, the device might fail to operate
correctly.
To shut down an Ethernet interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter Ethernet interface view or port group view.
   Command:
   • Enter Ethernet interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: To shut down an Ethernet interface, enter Ethernet interface view. To shut down all
   Ethernet interfaces in a port group, enter port group view.

3. Shut down the Ethernet interface or subinterface.
   Command: shutdown
   Remarks: By default, Ethernet interfaces and subinterfaces are up.

Configuring loopback testing on an Ethernet interface


If an Ethernet interface does not work correctly, you can enable loopback testing on it to identify the
problem. An Ethernet interface in a loopback test does not forward data traffic.
Loopback testing has the following types:
• Internal loopback testing—Tests all on-chip functions related to Ethernet interfaces.
• External loopback testing—Tests hardware of Ethernet interfaces. To perform external loopback
testing on an Ethernet interface, connect a loopback plug to the Ethernet interface. The device sends
test packets out of the interface, which are expected to loop over the plug and back to the interface.
If the interface fails to receive any test packets, the hardware of the interface is faulty. The external
loopback testing is not supported. The type is reserved for future support.

Configuration restrictions and guidelines


• On an interface that is physically down, you can only perform internal loopback testing.
• The speed 1000 and shutdown commands are not available during internal loopback testing.
• During internal loopback testing, the Ethernet interface operates in full duplex mode. When you
disable internal loopback testing, the port returns to its duplex setting.

Configuration procedure
To enable loopback testing on an Ethernet interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable loopback testing.
   Command: loopback internal
   Remarks: By default, loopback testing is disabled.

Configuring jumbo frame support


An Ethernet interface might receive some frames larger than the standard Ethernet frame size (called
"jumbo frames") during high-throughput data exchanges such as file transfers. Usually, an Ethernet
interface discards jumbo frames. With jumbo frame support enabled, the interface can process frames
larger than the standard Ethernet frame size yet within the specified range.
In interface configuration mode (Ethernet interface view or port group view), you can set the length of
jumbo frames that are allowed to pass through Ethernet interfaces, as follows:
• If you execute the command in Ethernet interface view, the configuration takes effect only on the
interface.
• If you execute the command in port group view, the configuration takes effect on all ports in the port
group.
To configure jumbo frame support in interface view or port group view:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Configure jumbo frame support.
   Command:
   • (Method 1) In port group view:
     a. port-group manual port-group-name
     b. jumboframe enable
   • (Method 2) In Ethernet interface view:
     a. interface interface-type interface-number
     b. jumboframe enable [ value ]
   Remarks: If you set the value argument multiple times, the latest configuration takes effect.

Setting a statistics polling interval
You can configure an interface statistics polling interval in Ethernet interface view. To display
the interface statistics collected in the last polling interval, use the display interface command.
To set the statistics polling interval on an Ethernet interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Set the statistics polling interval.
   Command: flow-interval interval
   Remarks: The default setting is 300 seconds.

Configuring a Layer 2 Ethernet interface


Configuring a port group
Some interfaces on your device might use the same set of settings. To configure these interfaces in bulk
rather than one by one, you can assign them to a port group.
You create port groups manually. All settings made for a port group apply to all the member ports of the
group. For example, you can configure a traffic suppression threshold (see "Configuring storm
suppression") for multiple interfaces in bulk by assigning these interfaces to a port group.
Even though the settings are made on the port group, they are saved on a per-interface basis rather
than on a port group basis. You can only view the settings in the view of each interface by using the
display current-configuration or display this command.
To configure a manual port group:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a manual port group and enter manual port group view.
   Command: port-group manual port-group-name
   Remarks: N/A

3. Assign Ethernet interfaces to the manual port group.
   Command: group-member interface-list
   Remarks: If you use the group-member interface-type interface-start-number to interface-type
   interface-end-number command to add multiple ports in batch to the specified port group, make
   sure all these ports are of the same type and on the same interface card, and the
   interface-end-number argument must be greater than the interface-start-number argument.

Configuring storm suppression
You can use the storm suppression function to limit the size of a particular type of traffic (broadcast,
multicast, or unknown unicast traffic) that can be received on a per-interface basis in Ethernet interface
view.
In interface or port group view, you set the maximum size of broadcast, multicast, or unknown unicast
traffic allowed to be received on an interface or each interface in a port group. When the broadcast,
multicast, or unknown unicast traffic received on the interface exceeds this threshold, the system discards
packets until the traffic drops below this threshold.
For an Ethernet interface that belongs to a port group, if you set a traffic suppression threshold for the
interface in both Ethernet interface view and port group view, the threshold configured most recently
takes effect.
To set storm suppression thresholds on one or multiple Ethernet interfaces:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter Ethernet interface view or port group view.
   Command:
   • Enter Ethernet interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: To configure storm suppression on an Ethernet interface, enter Ethernet interface
   view. To configure storm suppression on a group of Ethernet interfaces, enter port group view.

3. Set the broadcast suppression threshold ratio.
   Command: broadcast-suppression { ratio | pps max-pps }
   Remarks: Optional. By default, broadcast traffic is allowed to pass through an interface. The
   value range for the pps keyword depends on your device model. For more information, see About
   the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN
   Module Command References.

4. Set the multicast suppression threshold ratio.
   Command: multicast-suppression { ratio | pps max-pps }
   Remarks: Optional. By default, multicast traffic is allowed to pass through an interface. The
   value range for the pps keyword depends on your device model. For more information, see About
   the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN
   Module Configuration Guides.

5. Set the unknown unicast suppression threshold ratio.
   Command: unicast-suppression { ratio | pps max-pps }
   Remarks: Optional. By default, unknown unicast traffic is allowed to pass through an
   interface. The value range for the pps keyword depends on your device model. For more
   information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500
   20G Unified Wired-WLAN Module Command References.

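Because all three traffic types pass unrestricted by default and port group settings are stored per interface, a saved configuration can be checked port by port for missing thresholds. The following Python audit is an added example, not part of the HP guide; it assumes the usual Comware layout of display current-configuration output (sections separated by "#", commands indented under each interface header), and the interface names and threshold values in the sample are constructed.

```python
import re

# The three suppression commands documented in this section.
SUPPRESSION_COMMANDS = (
    "broadcast-suppression",
    "multicast-suppression",
    "unicast-suppression",
)

# Constructed sample; layout, interface names and values are assumptions.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 broadcast-suppression pps 1000
 multicast-suppression pps 1000
 unicast-suppression pps 1000
#
interface GigabitEthernet1/0/2
 broadcast-suppression 20
#
interface GigabitEthernet1/0/3
 description uplink
#
interface GigabitEthernet1/0/4
 shutdown
#
interface NULL0
#
"""


def parse_interfaces(config_text):
    """Return {interface name: [command lines]} for every interface section."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "#" or any unindented line ends the section
    return interfaces


def suppression_thresholds(commands):
    """Map each configured suppression command to (unit, value)."""
    found = {}
    for cmd in commands:
        m = re.fullmatch(r"(\S+-suppression)\s+(pps\s+)?(\d+)", cmd)
        if m and m.group(1) in SUPPRESSION_COMMANDS:
            unit = "pps" if m.group(2) else "ratio"
            found[m.group(1)] = (unit, int(m.group(3)))
    return found


def audit_storm_suppression(config_text, include_shutdown=False):
    """Return {interface: [missing suppression commands]} for Ethernet ports."""
    findings = {}
    for name, commands in parse_interfaces(config_text).items():
        if "Ethernet" not in name:
            continue  # loopback, null and other logical interfaces are out of scope
        if "shutdown" in commands and not include_shutdown:
            continue  # an administratively down port receives no traffic
        configured = suppression_thresholds(commands)
        missing = [c for c in SUPPRESSION_COMMANDS if c not in configured]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in audit_storm_suppression(SAMPLE_CONFIG).items():
        print(f"{port}: no threshold for {', '.join(missing)}")
```
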
Displaying and maintaining an Ethernet interface or subinterface

Task: Display Ethernet interface or subinterface information.
Command:
  display interface [ interface-type ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
  display interface interface-type [ interface-number ] [ brief ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about a manual port group or all manual port groups.
Command:
  display port-group manual [ all | name port-group-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Clear the interface or subinterface statistics.
Command:
  reset counters interface [ interface-type [ interface-number | interface-number.subnumber ] ]
Remarks: Available in user view.

Configuring loopback and null interfaces

Configuring a loopback interface


Introduction
A loopback interface is a virtual interface. The physical layer state and link layer protocols of a loopback
interface are always up unless the loopback interface is manually shut down.
A loopback interface address can be configured as the source address of the IP packets that the device
generates. Because loopback interface addresses are stable unicast addresses, they are usually used as
device identifications. When you configure a rule on an authentication or security server to permit or
deny packets that a device generates, you can simplify the rule by configuring it to permit or deny
packets carrying the loopback interface address that identifies the device. When you use a loopback
interface address as the source address of IP packets, make sure the peer is reachable through routes by
performing routing configuration. All data packets sent to the loopback interface are considered as
packets sent to the device itself, so the device does not forward these packets.

Configuration procedure
To configure a loopback interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a loopback interface and enter loopback interface view.
   Command: interface loopback interface-number
   Remarks: N/A

3. Set the interface description.
   Command: description text
   Remarks: Optional. By default, the description of a loopback interface is interface name
   Interface.

4. Shut down the loopback interface.
   Command: shutdown
   Remarks: Optional. By default, a loopback interface is up.

5. Restore the default settings for the loopback interface.
   Command: default
   Remarks: Optional.

You can configure settings such as IP addresses and IP routes on loopback interfaces. For more
information, see Layer 3 Configuration Guide.

Configuring the null interface
Introduction
A null interface is a completely software-based logical interface, and is always up. However, you cannot
use it to forward data packets or configure an IP address or link layer protocol on it. With a null interface
specified as the next hop of a static route to a specific network segment, any packets routed to the
network segment are dropped. The null interface provides a simpler way to filter packets than ACL. You
can filter uninteresting traffic by transmitting it to a null interface instead of applying an ACL.
For example, by executing the ip route-static 92.101.0.0 255.255.0.0 null 0 command (which configures
a static route leading to null interface 0), you can have all the packets destined to the network segment
92.101.0.0/16 discarded.
Only one null interface, Null 0, is supported on your device. You cannot remove or create a null
interface.
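A null route drops only the traffic whose best (longest-prefix) match is that route, so a more specific static route inside the same segment still forwards. The following Python check is an added example, not part of the HP guide; it considers static routes only, and every route in the sample except the 92.101.0.0 one from the text is constructed for illustration.

```python
import ipaddress
import re

# Constructed sample. The first line is the route from the text; the other two
# are assumptions added to show the longest-match edge case.
SAMPLE_ROUTES = """\
ip route-static 92.101.0.0 255.255.0.0 null 0
ip route-static 92.101.7.0 255.255.255.0 10.1.1.2
ip route-static 10.20.0.0 255.255.0.0 10.1.1.1
"""

ROUTE_RE = re.compile(
    r"^[ \t]*ip route-static[ \t]+(\S+)[ \t]+(\S+)[ \t]+(null[ \t]*0|\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_static_routes(config_text):
    """Return [(network, next_hop)]; next_hop is 'NULL0' for null routes."""
    routes = []
    for dest, mask, hop in ROUTE_RE.findall(config_text):
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if re.fullmatch(r"null[ \t]*0", hop, re.IGNORECASE):
            hop = "NULL0"
        routes.append((network, hop))
    return routes


def best_route(routes, address):
    """Longest-prefix match of address against the static routes, or None."""
    addr = ipaddress.ip_address(address)
    matches = [(net, hop) for net, hop in routes if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def is_discarded(config_text, address):
    """True if the best matching static route for address points to Null 0."""
    match = best_route(parse_static_routes(config_text), address)
    return match is not None and match[1] == "NULL0"


def exceptions_to_null_routes(config_text):
    """List (null_network, more_specific_network, next_hop) for every static
    route that carves a forwarding exception out of a null-routed segment."""
    routes = parse_static_routes(config_text)
    null_nets = [net for net, hop in routes if hop == "NULL0"]
    return [
        (null_net, net, hop)
        for null_net in null_nets
        for net, hop in routes
        if hop != "NULL0" and net != null_net and net.subnet_of(null_net)
    ]


if __name__ == "__main__":
    for ip in ("92.101.200.9", "92.101.7.5", "10.20.3.4"):
        print(ip, "discarded" if is_discarded(SAMPLE_ROUTES, ip) else "forwarded")
    for null_net, net, hop in exceptions_to_null_routes(SAMPLE_ROUTES):
        print(f"{net} via {hop} is exempt from the null route for {null_net}")
```
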

Configuration procedure
To enter null interface view:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter null interface view.
   Command: interface null 0
   Remarks: The Null 0 interface is the default null interface on your device. It cannot be
   manually created or removed.

3. Set the interface description.
   Command: description text
   Remarks: Optional. By default, the description of a null interface is interface name
   Interface.

4. Restore the default settings for the null interface.
   Command: default
   Remarks: Optional.

Displaying and maintaining loopback and null interfaces

Task: Display information about loopback interfaces.
   Command: display interface [ loopback ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
   Command: display interface loopback interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display information about the null interface.
   Command: display interface [ null ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
   Command: display interface null 0 [ brief ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Clear the statistics on a loopback interface.
   Command: reset counters interface [ loopback [ interface-number ] ]
   Remarks: Available in user view.
Task: Clear the statistics on the null interface.
   Command: reset counters interface [ null [ 0 ] ]
   Remarks: Available in user view.

Configuring VLANs

Overview
Ethernet is a shared-media network based on the CSMA/CD mechanism. A LAN built by using Ethernet
is both a collision domain and a broadcast domain. In a LAN with plenty of hosts, the LAN might be full
of collisions and broadcasts. As a result, the LAN performance is degraded or the LAN becomes
unavailable. You can deploy bridges or Layer 2 switches in the LAN to reduce collisions, but this cannot
confine broadcasts. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into
separate VLANs. Hosts in the same VLAN can directly communicate, and hosts of different VLANs
cannot directly communicate. For example, hosts in VLAN 2 can communicate with each other, but
cannot communicate with the hosts in VLAN 5. A VLAN is a broadcast domain, and contains all
broadcast traffic within it, as shown in Figure 1.
Figure 1 A VLAN diagram (figure not reproduced; labels: VLAN 2, VLAN 5, Switch A, Switch B, Router)

A VLAN is logically divided on an organizational basis rather than on a physical basis. For example,
using VLAN, all workstations and servers that a particular workgroup uses can be assigned to the same
VLAN, regardless of their physical locations.
VLAN technology delivers the following benefits:
• Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves
network performance.
• Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer
2. To enable communication between VLANs, routers or Layer 3 switches are required.
• Creating flexible virtual workgroups. Because users from the same workgroup can be assigned to
the same VLAN regardless of their physical locations, network construction and maintenance are
much easier and more flexible.

VLAN frame encapsulation
In order that a network device can identify frames of different VLANs, a VLAN tag field is inserted into
the data link layer encapsulation.
The format of VLAN-tagged frames is defined in IEEE 802.1Q issued in 1999.
As shown in Figure 2, in the header of a traditional Ethernet data frame, the field after the destination
MAC address and the source MAC address (DA&SA) field is the Type field, which indicates the upper
layer protocol type.
Figure 2 Traditional Ethernet frame format

IEEE 802.1Q inserts a four-byte VLAN tag between the DA&SA field and the Type field to identify the
VLAN information, as shown in Figure 3.
Figure 3 Position and format of VLAN tag
DA&SA | TPID | Priority | CFI | VLAN ID | Type | Data | FCS
(The TPID, Priority, CFI, and VLAN ID fields together form the VLAN tag.)

The fields of a VLAN tag are as follows:


• TPID—The 16-bit TPID field indicates whether a frame is VLAN-tagged. By default, the TPID value is
0x8100, which indicates that the frame is VLAN-tagged. Device vendors can set the TPID to
different values. For compatibility with these devices, modify the TPID value so that frames carry a
TPID value identical to the value of a particular vendor, allowing interoperability with devices from
that vendor. The device determines whether a received frame carries a VLAN tag by checking the
TPID value. When the TPID value of a frame is the configured value or 0x8100, the frame is
considered a VLAN-tagged frame.
• Priority—The 3-bit priority field indicates the 802.1p priority of the frame. For more information, see
ACL and QoS Configuration Guide.
• CFI—The 1-bit CFI field indicates whether the MAC addresses are encapsulated in standard format
when packets are transmitted across different media. A value of 0 indicates that MAC addresses
are encapsulated in standard format. A value of 1 indicates that MAC addresses are encapsulated
in a non-standard format. The value of this field is 0 by default.
• VLAN ID—The 12-bit VLAN ID field identifies the VLAN that the frame belongs to. The VLAN ID
range is 0 to 4095. Because 0 and 4095 are reserved, user-configurable VLAN IDs are in the
range of 1 to 4094.
A network device handles an incoming frame depending on whether the frame is VLAN tagged and the
value of the VLAN tag, if any. For more information, see "Introduction to port-based VLAN."
Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and 802.3
raw. The Ethernet II encapsulation format is used here. For how the VLAN tag fields are added to frames
encapsulated in these formats for VLAN identification, see related protocols and standards.
When a frame carrying multiple VLAN tags passes through, the device processes the frame according to
its outer VLAN tag, and transmits the inner tags as payload.
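The tag layout and the tagged-frame test described above can be checked with a short decoder. This is an added example, not code from the guide or from HP; the sample frames, the MAC addresses, and the alternative TPID value 0x9100 are constructed for illustration. It decodes only the outer tag and reports whether an inner tag follows, since the inner tag is carried as payload.

```python
"""Decode the outer 802.1Q tag of an Ethernet II frame (constructed samples)."""
import struct

DEFAULT_TPID = 0x8100          # default TPID named in the guide
RESERVED_VLAN_IDS = {0, 4095}  # reserved, so not user-configurable


def build_tag(vlan_id, priority=0, cfi=0, tpid=DEFAULT_TPID):
    """Pack TPID (16 bits) + priority (3) + CFI (1) + VLAN ID (12)."""
    if not 0 <= vlan_id <= 0xFFF or not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("field out of range")
    tci = (priority << 13) | (cfi << 12) | vlan_id
    return struct.pack("!HH", tpid, tci)


def parse_frame(frame, configured_tpid=DEFAULT_TPID):
    """Return the header fields of a frame, decoding the outer tag if present.

    A frame counts as VLAN-tagged when the two bytes after DA&SA equal the
    configured TPID or 0x8100. 'rest' is everything after the outer tag, so
    an inner tag (if any) is left untouched at the start of 'rest'.
    """
    if len(frame) < 14:
        raise ValueError("shorter than DA&SA plus Type")
    accepted = {DEFAULT_TPID, configured_tpid}
    (first,) = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    if first not in accepted:
        info.update(tagged=False, ethertype=first, rest=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("truncated VLAN tag")
    tci, next_type = struct.unpack("!HH", frame[14:18])
    vlan_id = tci & 0x0FFF
    info.update(
        tagged=True,
        tpid=first,
        priority=tci >> 13,
        cfi=(tci >> 12) & 1,
        vlan_id=vlan_id,
        user_configurable=vlan_id not in RESERVED_VLAN_IDS,
        inner_tagged=next_type in accepted,  # another tag follows the outer one
        ethertype=next_type,
        rest=frame[16:],
    )
    return info


def sample_frames():
    """Constructed frames: untagged, single tag, two tags, vendor TPID."""
    da = bytes.fromhex("ffffffffffff")
    sa = bytes.fromhex("0014222c0001")
    ipv4 = struct.pack("!H", 0x0800)
    body = b"\x45" + b"\x00" * 45
    return {
        "untagged": da + sa + ipv4 + body,
        "single": da + sa + build_tag(5, priority=3) + ipv4 + body,
        "double": da + sa + build_tag(100) + build_tag(200) + ipv4 + body,
        "vendor": da + sa + build_tag(10, tpid=0x9100) + ipv4 + body,
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        info = parse_frame(frame)
        info.pop("rest")
        print(name, info)
```

Passing configured_tpid=0x9100 makes the "vendor" sample parse as tagged, while frames with TPID 0x8100 are still accepted, matching the "configured value or 0x8100" rule.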

VLAN types
You can implement VLANs based on the following criteria:
• Port
• MAC address
• Protocol
• IP subnet
• Policy
• Other criteria
The device supports port-based VLAN and MAC-based VLAN. This chapter covers port-based VLAN
and MAC-based VLAN.
You can configure the two types of VLANs on a port at the same time. When the device is determining
which VLAN a packet that passes through the port should be assigned to, it looks up VLANs in the default
order of MAC-based VLAN and port-based VLAN.

Protocols and standards


IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks

Configuring basic VLAN settings


Configuration restrictions and guidelines
• As the default VLAN, VLAN 1 cannot be created or removed.
• You cannot manually create or remove VLANs reserved for special purposes.
• To remove a protocol reserved VLAN, management VLAN, dynamic VLAN, or VLAN with a QoS
policy applied, remove the configuration from the VLAN first, and then execute the undo vlan command.
• You can configure broadcast suppression to limit the amount of broadcast traffic permitted to pass
through a VLAN. When the broadcast traffic exceeds the upper threshold, the excess broadcast
traffic is dropped.

Configuration procedure
To configure basic VLAN settings:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a VLAN and enter its view, or create VLANs in batch.
   Command: vlan { vlan-id1 [ to vlan-id2 ] | all }
   Remarks: Optional. By default, only the default VLAN (VLAN 1) exists in the system.
3. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: Required only when you create VLANs in bulk.
4. Configure a name for the VLAN.
   Command: name text
   Remarks: Optional. The default name is VLAN vlan-id, which is the ID of the VLAN. For example, the name of VLAN 100 is VLAN 0100 by default.
5. Configure a description for the VLAN.
   Command: description text
   Remarks: Optional. The default description is VLAN vlan-id, which is the ID of the VLAN. For example, the description of VLAN 100 is VLAN 0100 by default.

Configuring basic settings of a VLAN interface


You can use VLAN interfaces to provide Layer 3 communication between hosts of different VLANs. VLAN
interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not
exist as physical entities on devices. For each VLAN, you can create one VLAN interface. You can assign
the VLAN interface an IP address and specify the IP address as the gateway address for the devices in
the VLAN, so that traffic can be routed to other IP subnets.

Configuration procedure
Before you create a VLAN interface for a VLAN, make sure the VLAN already exists.
To configure basic settings of a VLAN interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a VLAN interface and enter VLAN interface view.
   Command: interface vlan-interface vlan-interface-id
   Remarks: If the specified VLAN interface already exists, you enter its view directly.
3. Assign an IP address to the VLAN interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: Optional. By default, no IP address is assigned to any VLAN interface.
4. Configure the description of the VLAN interface.
   Command: description text
   Remarks: Optional. By default, the description of a VLAN is the VLAN interface name. For example, Vlan-interface1 Interface.
5. Set the MTU for the VLAN interface.
   Command: mtu size
   Remarks: Optional. By default, the MTU is 1500 bytes.
6. Restore the default settings for the VLAN interface.
   Command: default
   Remarks: Optional.
7. Cancel the action of manually shutting down the VLAN interface.
   Command: undo shutdown
   Remarks: Optional. By default, a VLAN interface is not manually shut down. The VLAN interface is up if one or more ports in the VLAN is up, and goes down if all ports in the VLAN go down.

VLAN interface configuration example
The configuration example was created on the 10500/7500 20G unified wired-WLAN module and
may vary with device models.
When configuring the 10500/7500 20G unified wired-WLAN module, make sure the settings are
correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.
For more information, see HP 10500 & 7500 20G Unified Wired-WLAN Module Fundamentals
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 series PoE+ unified wired-WLAN switch are Access interfaces in VLAN 1. When configuring the
two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting
their link type to be the same.

Network requirements
As shown in Figure 4, Client 1 is assigned to VLAN 5, and Client 2 is assigned to VLAN 10. The clients
belong to different IP subnets and cannot communicate with each other.
Configure VLAN interfaces on the AC and configure the clients to enable Layer 3 communication
between the clients.
Figure 4 Network diagram

Configuration procedure
1. Configure the AC:
# Create interface WLAN-ESS 1 and VLAN 5, and assign interface WLAN-ESS 1 to VLAN 5.
<AC> system-view
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
[AC] vlan 5
[AC-vlan5] port WLAN-ESS 1
[AC-vlan5] quit
# Create interface WLAN-ESS 2 and VLAN 10, and assign interface WLAN-ESS 2 to VLAN 10.
[AC] interface WLAN-ESS 2
[AC-WLAN-ESS2] quit
[AC] vlan 10
[AC-vlan10] port WLAN-ESS 2
[AC-vlan10] quit
# Create VLAN-interface 5 and configure its IP address as 192.168.0.10/24.
[AC] interface vlan-interface 5
[AC-Vlan-interface5] ip address 192.168.0.10 24
[AC-Vlan-interface5] quit
# Create VLAN-interface 10 and configure its IP address as 192.168.1.20/24.
[AC] interface vlan-interface 10
[AC-Vlan-interface10] ip address 192.168.1.20 24
[AC-Vlan-interface10] quit
# Create service template 2, and configure its SSID as vlan5.
[AC] wlan service-template 2 clear
[AC-wlan-st-2] ssid vlan5
[AC-wlan-st-2] bind wlan-ess 1
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create an AP template named ap1.
[AC] wlan ap ap1 model E-MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1
# Bind service template 2 to interface radio 1 of AP template ap1.
[AC-wlan-ap-ap1-radio-1] service-template 2
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create service template 3, and configure its SSID as vlan10.
[AC] wlan service-template 3 clear
[AC-wlan-st-3] ssid vlan10
[AC-wlan-st-3] bind wlan-ess 2
[AC-wlan-st-3] authentication-method open-system
[AC-wlan-st-3] service-template enable
[AC-wlan-st-3] quit
# Create an AP template named ap2.
[AC] wlan ap ap2 model E-MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S7
[AC-wlan-ap-ap2] radio 1
# Bind service template 3 to interface radio 1 of AP template ap2.
[AC-wlan-ap-ap2-radio-1] service-template 3
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] quit
[AC-wlan-ap-ap2] quit
# Configure Layer 2 aggregate interface 1 as a trunk interface, and assign the interface to VLANs
5 and 10, so that Client 1 and Client 2 on different IP subnets can communicate at Layer 3.
[AC] interface Bridge-Aggregation 1
[AC-Bridge-Aggregation1] port link-type trunk
[AC-Bridge-Aggregation1] port trunk permit vlan 5 10
2. Configure the default gateway of Client 1 as 192.168.0.10.
3. Configure the default gateway of Client 2 as 192.168.1.20.

Verifying the configuration


1. The clients can ping each other.
2. Display brief information about Layer 3 interfaces on the AC to verify the configuration.
<AC> display ip interface brief
*down: administratively down
(s): spoofing
Interface Physical Protocol IP Address Description
Vlan5 up up 192.168.0.10 Vlan-inte...
Vlan10 up up 192.168.1.20 Vlan-inte...

Configuring port-based VLANs


Introduction to port-based VLAN
Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is
assigned to the VLAN.

Port link type


You can configure the link type of a port as access, trunk, or hybrid. The link types use the following
VLAN tag handling methods:
• Access port—Belongs to only one VLAN and sends traffic untagged. Access ports are usually used
to connect a terminal device unable to identify VLAN-tagged packets, or are used when separating
different VLAN members is unnecessary. As shown in Figure 5, Device A is connected to common
PCs that cannot recognize VLAN-tagged packets, and you must configure Device A's ports that
connect to the PCs as access ports.
• Trunk port—Carries multiple VLANs to receive and send traffic for them. Except for traffic from the
port VLAN ID (PVID), traffic sent through a trunk port will be VLAN-tagged. Usually, ports that
connect network devices are configured as trunk ports. As shown in Figure 5, Device A and Device
B need to transmit packets of VLAN 2 and VLAN 3, and you must configure the ports
interconnecting Device A and Device B as trunk ports and assign them to VLAN 2 and VLAN 3.
• Hybrid port—A hybrid port allows traffic of some VLANs to pass through untagged and traffic of
other VLANs to pass through tagged. Usually, hybrid ports are configured to connect devices
whose support for VLAN-tagged packets you are uncertain about. As shown in Figure 5, Device C
connects to a small-sized LAN in which some PCs belong to VLAN 2 and other PCs belong to VLAN
3, and Device B is uncertain about whether Device C supports VLAN-tagged packets. On Device
B, configure the port connecting to Device C as a hybrid port to allow packets from VLAN 2 and
VLAN 3 to pass through untagged.

Figure 5 Network diagram (figure not reproduced; labels: VLAN 2, VLAN 3, Device A, Device B, Device C; the legend marks where access links, trunk links, and hybrid links are required)

PVID
By default, VLAN 1 is the port VLAN ID (PVID) for all ports. You can configure the PVID for a port as
required.
When you configure the PVID on a port, use the following guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of
the port.
• A trunk or hybrid port can join multiple VLANs, and you can configure a PVID for the port.
• You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access port.
After you use the undo vlan command to remove the VLAN where an access port resides, the PVID
of the port changes to VLAN 1. The removal of the VLAN specified as the PVID of a trunk or hybrid
port, however, does not affect the PVID setting on the port.
• H3C recommends setting the same PVID for local and remote ports.
• Make sure a port permits the traffic from its PVID to pass through. Otherwise, when the port receives
frames tagged with the PVID or untagged frames, the port drops these frames.

Frame handling on a port


The following table shows how ports of different link types handle frames:

Incoming untagged frame
   Access: Tags the frame with the PVID tag.
   Trunk and Hybrid: Determines whether the PVID is permitted on the port, as follows:
   • If yes, tags the frame with the PVID tag.
   • If not, drops the frame.
Incoming tagged frame
   Access:
   • Receives the frame if its VLAN ID is the same as the PVID.
   • Drops the frame if its VLAN ID is different from the PVID.
   Trunk and Hybrid:
   • Receives the frame if its VLAN is permitted on the port.
   • Drops the frame if its VLAN is not permitted on the port.
Outgoing frames
   Access: Removes the VLAN tag and sends the frame.
   Trunk:
   • Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID.
   • Sends the frame without removing the tag if its VLAN is carried on the port but is different from the PVID.
   Hybrid: Sends the frame if its VLAN is permitted on the port. The frame is sent with the VLAN tag removed or intact depending on your configuration with the port hybrid vlan command. This is true of the PVID.
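The frame-handling rules above, together with the PVID guideline that a port must permit its own PVID, can be exercised with a small model. This is an added example, not code from the guide or from the device software; the Port class, the port names, and the sample topology loosely modelled on Figure 5 are assumptions made for illustration.

```python
"""Model of access/trunk/hybrid frame handling (illustrative, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    link_type: str                                        # access, trunk, hybrid
    pvid: int = 1                                         # default PVID is VLAN 1
    permitted: set = field(default_factory=lambda: {1})   # trunk/hybrid VLANs
    untagged: set = field(default_factory=lambda: {1})    # hybrid only

    def member_vlans(self):
        """An access port belongs only to its PVID; others use 'permitted'."""
        return {self.pvid} if self.link_type == "access" else set(self.permitted)

    def ingress(self, vlan_id=None):
        """Return the VLAN a received frame is placed in, or None if dropped.

        vlan_id=None means the frame arrived untagged.
        """
        if self.link_type == "access":
            if vlan_id is None or vlan_id == self.pvid:
                return self.pvid
            return None
        if vlan_id is None:
            return self.pvid if self.pvid in self.permitted else None
        return vlan_id if vlan_id in self.permitted else None

    def egress(self, vlan_id):
        """Return 'untagged', 'tagged', or None when the frame is not sent."""
        if vlan_id not in self.member_vlans():
            return None
        if self.link_type == "access":
            return "untagged"
        if self.link_type == "trunk":
            return "untagged" if vlan_id == self.pvid else "tagged"
        return "untagged" if vlan_id in self.untagged else "tagged"


def forward(in_port, out_port, vlan_id=None):
    """Receive on in_port, send on out_port; None means no delivery."""
    vlan = in_port.ingress(vlan_id)
    if vlan is None:
        return None
    sent = out_port.egress(vlan)
    return None if sent is None else (vlan, sent)


def pvid_not_permitted(ports):
    """Trunk/hybrid ports that would drop untagged and PVID-tagged frames."""
    return [p.name for p in ports
            if p.link_type != "access" and p.pvid not in p.permitted]


def figure5_ports():
    """Constructed ports: two access ports, a trunk, a hybrid, one misconfigured trunk."""
    return {
        "pc2": Port("A-pc-vlan2", "access", pvid=2),
        "pc3": Port("A-pc-vlan3", "access", pvid=3),
        "uplink": Port("A-to-B", "trunk", permitted={1, 2, 3}),
        "to_c": Port("B-to-C", "hybrid", permitted={1, 2, 3}, untagged={1, 2, 3}),
        "bad": Port("bad-trunk", "trunk", pvid=100, permitted={1}),
    }


if __name__ == "__main__":
    p = figure5_ports()
    print("pc2 -> uplink:", forward(p["pc2"], p["uplink"]))
    print("pc2 -> pc3:", forward(p["pc2"], p["pc3"]))
    print("PVID not permitted on:", pvid_not_permitted(p.values()))
```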

Assigning an access port to a VLAN


You can assign an access port to a VLAN in VLAN view or interface view. Before you assign an access
port to a VLAN, create the VLAN.
In VLAN view, you can assign only Layer 2 Ethernet interfaces to the VLAN.
To assign one or multiple access ports to a VLAN in VLAN view:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3. Assign one or a group of access ports to the VLAN.
   Command: port interface-list
   Remarks: By default, all ports belong to VLAN 1.

To assign an access port to a VLAN in interface view:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks:
   • The configuration made in WLAN-ESS interface view or Layer 2 Ethernet interface view applies only to the port.
   • The configuration made in port group view applies to all ports in the port group.
   • The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports. If the system fails to apply the configuration to an aggregation member port, it skips the port and moves to the next member port.
3. Configure the link type of the ports as access.
   Command: port link-type access
   Remarks: Optional. By default, all ports are access ports.
4. Assign the access ports to a VLAN.
   Command: port access vlan vlan-id
   Remarks: Optional. By default, all access ports belong to VLAN 1.

Assigning a trunk port to a VLAN


A trunk port can carry multiple VLANs. You can assign it to a VLAN in interface view.
To assign a trunk port to one or multiple VLANs:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks:
   • The configuration made in Layer 2 Ethernet interface view applies only to the port.
   • The configuration made in port group view applies to all ports in the port group.
   • The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports. If the system fails to apply the configuration to an aggregation member port, it skips the port and moves to the next member port.
3. Configure the link type of the ports as trunk.
   Command: port link-type trunk
   Remarks: By default, all ports are access ports.
4. Assign the trunk ports to the specified VLANs.
   Command: port trunk permit vlan { vlan-list | all }
   Remarks: By default, a trunk port carries only VLAN 1.
5. Configure the PVID of the trunk ports.
   Command: port trunk pvid vlan vlan-id
   Remarks: Optional. By default, the PVID is VLAN 1.

To change the link type of a port from trunk to hybrid or from hybrid to trunk, you must set the link type
to access first.
After configuring the PVID for a trunk port, you must use the port trunk permit vlan command to configure
the trunk port to allow packets from the PVID to pass through.

Assigning a hybrid port to a VLAN


A hybrid port can carry multiple VLANs. You can assign it to a VLAN in interface view. Before assigning
a hybrid port to a VLAN, create the VLAN first.
To assign a hybrid port to one or multiple VLANs:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks:
   • The configuration made in Layer 2 Ethernet or WLAN-ESS interface view applies only to the port.
   • The configuration made in port group view applies to all ports in the port group.
   • The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports. If the system fails to apply the configuration to an aggregation member port, it skips the port and moves to the next member port.
3. Configure the link type of the ports as hybrid.
   Command: port link-type hybrid
   Remarks: By default, all ports are access ports.
4. Assign the hybrid ports to the specified VLANs.
   Command: port hybrid vlan vlan-list { tagged | untagged }
   Remarks: By default, a hybrid port allows only packets of VLAN 1 to pass through untagged.
5. Configure the PVID of the hybrid ports.
   Command: port hybrid pvid vlan vlan-id
   Remarks: Optional. By default, the PVID is VLAN 1.

To change the link type of a port from trunk to hybrid or from hybrid to trunk, you must set the link type
to access first.
After you configure the PVID for a hybrid port, you must use the port hybrid vlan command to configure
the hybrid port to allow packets from the PVID to pass through.

Port-based VLAN configuration example
The configuration example was created on the 10500/7500 20G unified wired-WLAN module and
may vary with device models.
When configuring the 10500/7500 20G unified wired-WLAN module, make sure the settings are
correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.
For more information, see HP 10500 & 7500 20G Unified Wired-WLAN Module Fundamentals
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make
sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements
As shown in Figure 6:
• Client 1 and Client 3 belong to Department A, and access the enterprise network through different
devices. Client 2 and Client 4 belong to Department B, and access the enterprise network through
different devices.
• To ensure communication security and avoid broadcast storms, VLANs are configured in the
enterprise network to isolate Layer 2 traffic of different departments. VLAN 100 is assigned to
Department A, and VLAN 200 is assigned to Department B.
• Make sure that hosts within the same VLAN can communicate with each other. Client 1 can
communicate with Client 3, and Client 2 can communicate with Client 4.
Figure 6 Network diagram

Configuration procedure
1. Configure AC 1:
# Create interface WLAN-ESS 1 and VLAN 100, and assign interface WLAN-ESS 1 to VLAN 100.
<AC1> system-view
[AC1] interface WLAN-ESS 1
[AC1-WLAN-ESS1] quit
[AC1] vlan 100
[AC1-vlan100] port WLAN-ESS 1
[AC1-vlan100] quit
# Create interface WLAN-ESS 2 and VLAN 200, and assign interface WLAN-ESS 2 to VLAN 200.
[AC1] interface WLAN-ESS 2
[AC1-WLAN-ESS2] quit
[AC1] vlan 200
[AC1-vlan200] port WLAN-ESS 2
[AC1-vlan200] quit
# Create service template 2, and configure its SSID as vlan100.
[AC1] wlan service-template 2 clear
[AC1-wlan-st-2] ssid vlan100
[AC1-wlan-st-2] bind wlan-ess 1
[AC1-wlan-st-2] authentication-method open-system
[AC1-wlan-st-2] service-template enable
[AC1-wlan-st-2] quit
# Create an AP template named ap1.
[AC1] wlan ap ap1 model E-MSM460-WW
[AC1-wlan-ap-ap1] serial-id CN2AD330S8
[AC1-wlan-ap-ap1] radio 1
# Bind service template 2 to interface radio 1 of AP template ap1.
[AC1-wlan-ap-ap1-radio-1] service-template 2
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
# Create service template 3, and configure its SSID as vlan200.
[AC1] wlan service-template 3 clear
[AC1-wlan-st-3] ssid vlan200
[AC1-wlan-st-3] bind wlan-ess 2
[AC1-wlan-st-3] authentication-method open-system
[AC1-wlan-st-3] service-template enable
[AC1-wlan-st-3] quit
# Create an AP template named ap2.
[AC1] wlan ap ap2 model E-MSM460-WW
[AC1-wlan-ap-ap2] serial-id CN2AD330S7
[AC1-wlan-ap-ap2] radio 1
# Bind service template 3 to interface radio 1 of AP template ap2.
[AC1-wlan-ap-ap2-radio-1] service-template 3
[AC1-wlan-ap-ap2-radio-1] radio enable
[AC1-wlan-ap-ap2-radio-1] quit
[AC1-wlan-ap-ap2] quit
# Configure Layer 2 aggregate interface 1 as a trunk interface, and assign the interface to VLANs
100 and 200, so that the packets from VLAN 100 and VLAN 200 on AC 1 can be forwarded to
AC 2.
[AC1] interface Bridge-Aggregation 1
[AC1-Bridge-Aggregation1] port link-type trunk
[AC1-Bridge-Aggregation1] port trunk permit vlan 100 200
2. Configure AC 2 as you configured AC 1.
3. Configure Client 1 and Client 3 to be on the same IP subnet, for example, 192.168.100.0/24.
Configure Client 2 and Client 4 to be on the same IP subnet, for example, 192.168.200.0/24.

Verification
1. Client 1 and Client 3 can ping each other successfully, but they both fail to ping Client 2. Client 2
and Client 4 can ping each other successfully, but they both fail to ping Client 1.
2. Check whether the configuration is successful by displaying relevant VLAN information:
# Display information about VLANs 100 and 200 on AC 1.
[AC1] display vlan 100
VLAN ID: 100
VLAN Type: static
Route Interface: not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged Ports:
Bridge-Aggregation1
Ten-GigabitEthernet1/0/1
Ten-GigabitEthernet1/0/2
Untagged Ports:
WLAN-ESS1
[AC1] display vlan 200
VLAN ID: 200
VLAN Type: static
Route Interface: not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged Ports:
Bridge-Aggregation1
Ten-GigabitEthernet1/0/1
Ten-GigabitEthernet1/0/2
Untagged Ports:
WLAN-ESS2

Configuring MAC-based VLANs


Introduction to MAC-based VLAN
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is
usually used in conjunction with security technologies such as 802.1X to provide secure, flexible network
access for terminal devices.

Static MAC-based VLAN assignment


Static MAC-based VLAN assignment applies to networks containing a small number of VLAN users. In
such a network, you can create a MAC address-to-VLAN map containing multiple MAC
address-to-VLAN entries on a port, enable the MAC-based VLAN feature on the port, and assign the port
to MAC-based VLANs.

With static MAC-based VLAN assignment configured on a port, the device processes received frames by
using the following guidelines:
• When the port receives an untagged frame, the device looks up the MAC address-to-VLAN map
based on the source MAC address of the frame for a match.
  ○ The device first performs a fuzzy match. In the fuzzy match, the device searches the MAC
address-to-VLAN entries whose masks are not all-Fs and performs a logical AND operation on
the source MAC address and each mask. If the result of an AND operation matches the
corresponding MAC address, the device tags the frame with the corresponding VLAN ID.
  ○ If the fuzzy match fails, the device performs an exact match. In the exact match, the device
searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address of a
MAC address-to-VLAN entry matches the source MAC address of the untagged frame, the
device tags the frame with the corresponding VLAN ID.
  ○ When a frame that matches the MAC address-to-VLAN entry is forwarded, the forwarding
policy for the frame is determined by the priority of the MAC-based VLAN (the 802.1p priority
of the VLAN corresponding to the MAC address).
  ○ If no match is found, the device assigns a VLAN to the frame by using other criteria, such as IP
subnet or protocol, and forwards the frame.
  ○ If no VLAN is available, the device tags the frame with the PVID of the receiving port and
forwards the frame.
• When the port receives a tagged frame, the port forwards the frame if the VLAN ID of the frame is
permitted by the port, and otherwise it drops the frame.
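The lookup order described above (masked entries first, then all-Fs entries, then the PVID) can be traced with the following sketch. It is an added example, not code from the guide or the device; the entries and MAC addresses are constructed, the mask is assumed to be all-Fs when none is given, and the "other criteria" step (IP subnet or protocol) is not modelled. Because the fuzzy match runs first, it also lists exact entries that a masked entry would claim before them.

```python
"""Static MAC-based VLAN lookup in the order the guide describes."""
from dataclasses import dataclass

ALL_F = 0xFFFFFFFFFFFF  # mask of an exact-match entry


def mac_to_int(mac):
    """Accept H-H-H (as typed in mac-vlan commands), colon, or dotted hex."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacVlanEntry:
    mac: int
    mask: int
    vlan_id: int
    priority: int = 0  # 802.1p priority used for the forwarding policy

    @classmethod
    def parse(cls, mac, vlan_id, mask="ffff-ffff-ffff", priority=0):
        # Assumption: an entry without an explicit mask is an all-Fs entry.
        return cls(mac_to_int(mac), mac_to_int(mask), vlan_id, priority)


def lookup(entries, src_mac):
    """Return (entry, 'fuzzy' | 'exact') or (None, None)."""
    src = mac_to_int(src_mac)
    for e in entries:  # fuzzy match: masks that are not all-Fs
        if e.mask != ALL_F and (src & e.mask) == e.mac:
            return e, "fuzzy"
    for e in entries:  # exact match: all-Fs masks
        if e.mask == ALL_F and e.mac == src:
            return e, "exact"
    return None, None


def classify(entries, src_mac, pvid, permitted, tag=None):
    """Return (vlan, reason), or None when a tagged frame is dropped."""
    if tag is not None:  # tagged frames bypass the MAC-to-VLAN map
        return (tag, "tagged") if tag in permitted else None
    entry, how = lookup(entries, src_mac)
    if entry is not None:
        return entry.vlan_id, how
    return pvid, "pvid"  # other criteria not modelled; fall back to the PVID


def shadowed_exact_entries(entries):
    """Exact entries whose address a masked entry matches first."""
    return [e for e in entries if e.mask == ALL_F and any(
        f.mask != ALL_F and (e.mac & f.mask) == f.mac for f in entries)]


def sample_entries():
    """Constructed MAC address-to-VLAN map."""
    return [
        MacVlanEntry.parse("0014-2200-0000", 100, mask="ffff-ff00-0000", priority=5),
        MacVlanEntry.parse("0014-222c-0001", 200),
        MacVlanEntry.parse("00e0-fc12-3456", 200, priority=2),
    ]


if __name__ == "__main__":
    table = sample_entries()
    for mac in ("0014-22ab-cdef", "0014-222c-0001", "00e0-fc12-3456", "0000-5e00-5301"):
        print(mac, classify(table, mac, pvid=1, permitted={1, 100, 200}))
```

In the sample map, the host 0014-222c-0001 has an exact entry for VLAN 200 but is placed in VLAN 100, because the masked entry matches first.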
When you configure static MAC-based VLAN assignment, follow these guidelines:
• When a port is assigned to the corresponding VLAN in a MAC address-to-VLAN entry, but has not
been assigned to the VLAN by using the port hybrid vlan command, the port sends packets from
the VLAN with VLAN tags removed.
• When a packet matches a MAC address-to-VLAN entry, the device picks a forwarding policy for
the packet according to the 802.1p priority mapped to the MAC address.

Dynamic MAC-based VLAN


You can use dynamic MAC-based VLAN with access authentication (such as 802.1X authentication
based on MAC addresses) to implement secure, flexible terminal access. After configuring dynamic
MAC-based VLAN on the device, you must configure the username-to-VLAN entries on the access
authentication server.
When a user passes authentication of the access authentication server, the device obtains VLAN
information from the server, generates a MAC address-to-VLAN entry by using the source MAC address
of the user packet and the VLAN information, and assigns the port to the MAC-based VLAN. When the
user goes offline, the device automatically deletes the MAC address-to-VLAN entry, and removes the port
from the MAC-based VLAN. For more information about 802.1X, MAC, and portal authentication, see
Security Configuration Guide.

Configuration restrictions and guidelines


The following guidelines apply for MAC-based VLAN configuration:
• MAC-based VLANs are available only on hybrid ports.
• The MAC-based VLAN feature is mainly configured on downlink ports of user access devices. Do
not enable this function together with link aggregation.

Configuration procedure
To configure static MAC-based VLAN assignment:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Associate a specific MAC address with a VLAN.
   Command: mac-vlan mac-address mac-address [ mask mac-mask ] vlan vlan-id [ priority priority ]
   Remarks: N/A
3. Enter interface view or port group view.
   Command:
   • Enter interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks:
   • The configuration made in Ethernet interface or WLAN-ESS interface view applies only to the port.
   • The configuration made in port group view applies to all ports in the port group.
4. Configure the link type of the ports as hybrid.
   Command: port link-type hybrid
   Remarks: By default, all ports are access ports.
5. Configure the hybrid ports to permit packets from specific MAC-based VLANs to pass through.
   Command: port hybrid vlan vlan-list { tagged | untagged }
   Remarks: By default, a hybrid port only permits packets from VLAN 1 to pass through.
6. Enable the MAC-based VLAN feature.
   Command: mac-vlan enable
   Remarks: By default, MAC-based VLAN is disabled.

To configure dynamic MAC-based VLAN:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks:
   • The configuration made in Ethernet interface or WLAN-ESS interface view applies only to the port.
   • The configuration made in port group view applies to all ports in the port group.
3. Configure the link type of the ports as hybrid.
   Command: port link-type hybrid
   Remarks: By default, all ports are access ports.
4. Configure the hybrid ports to permit packets from specific MAC-based VLANs to pass through.
   Command: port hybrid vlan vlan-list { tagged | untagged }
   Remarks: By default, a hybrid port only permits the packets of VLAN 1 to pass through.
5. Enable the MAC-based VLAN feature.
   Command: mac-vlan enable
   Remarks: By default, MAC-based VLAN is disabled.
6. Configure 802.1X, MAC, portal authentication, or any combination.
   Command: N/A
   Remarks: For more information, see Security Command Reference.

MAC-based VLAN configuration example
The configuration example was created on the 10500/7500 20G unified wired-WLAN module and
may vary with device models.
When configuring the 10500/7500 20G unified wired-WLAN module, make sure the settings are
correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.
For more information, see HP 10500 & 7500 20G Unified Wired-WLAN Module Fundamentals
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make
sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements
As shown in Figure 7:
• WLAN-ESS 1 of AC 1 and WLAN-ESS 1 of AC 2 are each connected to a meeting room. Client 1 and
Client 2 are used for meetings and may be used in either of the two meeting rooms.
• Client 1 and Client 2 are owned by different departments. The two departments use VLAN 100 and
VLAN 200 respectively. Each client can access only its own department server no matter which
meeting room it is used in.
• The MAC address of Client 1 is 000D-88F8-4E71, and that of Client 2 is 0014-222C-AA69.
Figure 7 Network diagram

Configuration consideration
• Create VLANs 100 and 200.
• Configure the uplink ports of AC 1 and AC 2 as trunk ports, and assign them to VLANs 100 and
200.
• Configure the downlink ports of Device as trunk ports, and assign them to VLANs 100 and 200.
Assign the uplink ports of Device to VLANs 100 and 200.
• Associate the MAC address of Client 1 with VLAN 100, and the MAC address of Client 2 with
VLAN 200.

Configuration procedure
1. Configure AC 1:
# Create VLANs 100 and 200.
<AC1> system-view
[AC1] vlan 100
[AC1-vlan100] quit
[AC1] vlan 200
[AC1-vlan200] quit
# Associate the MAC address of Client 1 with VLAN 100, and the MAC address of Client 2 with
VLAN 200.
[AC1] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[AC1] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure Client 1 and Client 2 to access the network through WLAN-ESS 1. Configure
WLAN-ESS 1 as a hybrid port that sends packets of VLANs 100 and 200 untagged, and enable
the MAC-based VLAN feature on it.
[AC1] interface wlan-ess 1
[AC1-WLAN-ESS1] port link-type hybrid
[AC1-WLAN-ESS1] port hybrid vlan 100 200 untagged
Please wait... Done.
[AC1-WLAN-ESS1] mac-vlan enable
[AC1-WLAN-ESS1] quit
# Create service template 2, and set its SSID to vlan100.
[AC1] wlan service-template 2 clear
[AC1-wlan-st-2] ssid vlan100
[AC1-wlan-st-2] bind wlan-ess 1
[AC1-wlan-st-2] authentication-method open-system
[AC1-wlan-st-2] service-template enable
[AC1-wlan-st-2] quit
# Create an AP template named ap1.
[AC1] wlan ap ap1 model E-MSM460-WW
[AC1-wlan-ap-ap1] serial-id CN2AD330S8
[AC1-wlan-ap-ap1] radio 1
# Bind service template 2 to interface radio1 of AP 1.
[AC1-wlan-ap-ap1-radio-1] service-template 2
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
# Configure Layer 2 aggregate interface 1 as a hybrid interface, and assign the interface to
VLANs 100 and 200 as a tagged member, so that the packets from VLANs 100 and 200 on AC
1 can be forwarded to AC 2.
[AC1] interface Bridge-Aggregation 1
[AC1-Bridge-Aggregation1] port link-type hybrid
[AC1-Bridge-Aggregation1] port hybrid vlan 100 200 tagged
2. Configure Device:
# Create VLANs 100 and 200. Assign Ethernet 1/13 to VLAN 100, and Ethernet 1/14 to VLAN
200.
<Device> system-view
[Device] vlan 100
[Device-vlan100] port ethernet 1/13
[Device-vlan100] quit
[Device] vlan 200
[Device-vlan200] port ethernet 1/14
[Device-vlan200] quit
# Configure Ethernet 1/3 and Ethernet 1/4 as trunk ports, and assign them to VLANs 100 and
200.
[Device] interface ethernet 1/3
[Device-Ethernet1/3] port link-type trunk
[Device-Ethernet1/3] port trunk permit vlan 100 200
[Device-Ethernet1/3] quit
[Device] interface ethernet 1/4
[Device-Ethernet1/4] port link-type trunk
[Device-Ethernet1/4] port trunk permit vlan 100 200
[Device-Ethernet1/4] quit
3. Configure AC 2 as you configured AC 1.

Verification
1. Client 1 can access Server 1 only, and Client 2 can access Server 2 only.
2. On AC 1 and AC 2, you can see that VLAN 100 is associated with the MAC address of Client 1,
and VLAN 200 is associated with the MAC address of Client 2.
[AC1] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static D:Dynamic
MAC ADDR MASK VLAN ID PRIO STATE
--------------------------------------------------------
000d-88f8-4e71 ffff-ffff-ffff 100 0 S&D
0014-222c-aa69 ffff-ffff-ffff 200 0 S&D

Total MAC VLAN address count:2
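
The verification step above can be automated by parsing the display mac-vlan all output and comparing it with the intended MAC address-to-VLAN bindings. The following Python script is an added example, not part of the original guide or HP software; the drifted capture and the function names are constructed for illustration, and the row format is assumed to match the output shown above.

```python
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
# One table row: MAC ADDR, MASK, VLAN ID, PRIO, STATE
ROW = re.compile(rf"^\s*({MAC})\s+({MAC})\s+(\d+)\s+(\d+)\s+(\S+)\s*$", re.IGNORECASE)
TOTAL = re.compile(r"Total MAC VLAN address count:\s*(\d+)")

# Intended bindings, taken from the network requirements of the example.
EXPECTED = {"000D-88F8-4E71": 100, "0014-222C-AA69": 200}

# Output copied from the verification step of the guide.
GUIDE_OUTPUT = """\
[AC1] display mac-vlan all
 The following MAC VLAN addresses exist:
 S:Static D:Dynamic
 MAC ADDR MASK VLAN ID PRIO STATE
 --------------------------------------------------------
 000d-88f8-4e71 ffff-ffff-ffff 100 0 S&D
 0014-222c-aa69 ffff-ffff-ffff 200 0 S&D

 Total MAC VLAN address count:2
"""

# Constructed capture: Client 1 is missing, Client 2 sits in the wrong VLAN,
# an unknown address is present, and the row count disagrees with the total.
DRIFTED_OUTPUT = """\
 MAC ADDR MASK VLAN ID PRIO STATE
 --------------------------------------------------------
 0014-222c-aa69 ffff-ffff-ffff 100 0 S
 0000-5e00-5301 ffff-ffff-ffff 100 0 D

 Total MAC VLAN address count:3
"""


def parse_mac_vlan(output):
    """Return {mac: {"mask", "vlan", "priority", "state"}} for every table row."""
    entries = {}
    for line in output.splitlines():
        match = ROW.match(line)
        if match:
            mac, mask, vlan, prio, state = match.groups()
            entries[mac.lower()] = {"mask": mask.lower(), "vlan": int(vlan),
                                    "priority": int(prio), "state": state}
    return entries


def audit(output, expected):
    """Compare a capture with the expected MAC-to-VLAN map; return sorted findings."""
    seen = parse_mac_vlan(output)
    expected = {mac.lower(): vlan for mac, vlan in expected.items()}
    findings = []
    for mac, vlan in expected.items():
        if mac not in seen:
            findings.append(("missing", mac, vlan))
        elif seen[mac]["vlan"] != vlan:
            findings.append(("wrong-vlan", mac, seen[mac]["vlan"]))
    for mac, entry in seen.items():
        if mac not in expected:
            findings.append(("unexpected", mac, entry["vlan"]))
    total = TOTAL.search(output)
    if total and int(total.group(1)) != len(seen):
        # A truncated or altered capture must not be reported as clean.
        findings.append(("count-mismatch", "", int(total.group(1))))
    return sorted(findings)


if __name__ == "__main__":
    for name, capture in (("guide", GUIDE_OUTPUT), ("drifted", DRIFTED_OUTPUT)):
        print(name, audit(capture, EXPECTED) or "OK")
```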

Configuration guidelines
• The MAC-based VLAN feature can be configured only on hybrid ports.
• The MAC-based VLAN feature is usually configured on the downlink ports of access layer devices,
and it cannot be configured together with the link aggregation function.

Displaying and maintaining VLAN
Task: Display VLAN information.
   Command: display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display VLAN interface information.
   Command:
   display interface [ vlan-interface ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
   display interface vlan-interface vlan-interface-id [ brief ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display hybrid ports or trunk ports on the device.
   Command: display port { hybrid | trunk } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display MAC address-to-VLAN entries.
   Command: display mac-vlan { all | dynamic | mac-address mac-address [ mask mac-mask ] | static | vlan vlan-id } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display all interfaces with MAC-based VLAN enabled.
   Command: display mac-vlan interface [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Clear statistics on a port.
   Command: reset counters interface vlan-interface [ vlan-interface-id ]
   Remarks: Available in user view.

Configuring the MAC address table

This document covers only the configuration of unicast MAC address entries, including static, dynamic,
and destination blackhole MAC address entries.
The MAC address table configuration tasks can be performed in any order.

Overview
To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address
table for forwarding frames. This table describes from which interface a MAC address (or host) can be
reached. When forwarding a single-destination frame, the device first looks up the destination MAC
address of the frame in the MAC address table for a match. If the device finds an entry, it forwards the
frame out of the outgoing interface in the entry. If the device does not find an entry, it floods the frame out
of all but the incoming interface.
To view MAC address table information, use the display mac-address command, as follows:
<Sysname> display mac-address
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e201-0101 1 Learned Bridge-Aggregation1 AGING

--- 1 mac address(es) found ---

How a MAC address entry is created


The device automatically learns entries in the MAC address table, or you can add them manually.

MAC address learning


The device can automatically populate its MAC address table by learning the source MAC addresses of
incoming frames on each interface.
When a frame arrives at an interface, Port A, for example, the device performs the following tasks:
1. Verifies the source MAC address (for example, MAC-SOURCE) of the frame.
2. Looks up the source MAC address in the MAC address table.
3. Updates an entry if it finds one. If the device does not find an entry, it adds an entry for
MAC-SOURCE and Port A.
The device performs this learning process each time it receives a frame from an unknown source MAC
address, until the MAC address table is fully populated.
After learning a source MAC address, when the device receives a frame destined for MAC-SOURCE, the
device finds the MAC-SOURCE entry in the MAC address table and forwards the frame out of Port A.

Manually configuring MAC address entries


With dynamic MAC address learning, a device does not distinguish between illegitimate and legitimate
frames. For example, when a hacker sends frames with a forged source MAC address to an interface
different from the one with which the real MAC address is associated, the device creates an entry for the
forged MAC address, and forwards frames destined for the legitimate user to the hacker instead.

To improve interface security, you can bind specific user devices to the interface by manually adding
MAC address entries to the MAC address table of the device.

Types of MAC address entries


A MAC address table can contain the following types of entries:
• Static entries—Manually added and never age out.
• Dynamic entries—Manually added or dynamically learned, and might age out.
• Destination blackhole entries—Manually configured and never age out. They are configured for
filtering out frames with specific destination MAC addresses. For example, to block all packets
destined for a specific user for security concerns, you can configure the MAC address of this user
as a destination blackhole MAC address entry.
A static or destination blackhole MAC address entry can overwrite a dynamic MAC address entry, but
not vice versa.
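
The learning behaviour, the forged-source-MAC problem, and the precedence of static and destination blackhole entries described above can be modelled in a few lines. The following Python model is an added example, not HP code or part of the original guide. The Client 1 and Client 2 addresses are the ones used in this guide's configuration example; the peer MAC address and the two extra port names are constructed, and aging is left out.

```python
# Toy model of a unicast MAC address table (illustration only, not device code).
FLOOD, DROP = "flood", "drop"

CLIENT1 = "000f-e235-dc71"                 # Client 1 in the guide's example
CLIENT2 = "000f-e235-abcd"                 # Client 2 in the guide's example
SERVER = "000f-e2aa-0001"                  # constructed MAC of a peer host
CLIENT1_PORT = "Ten-GigabitEthernet1/0/1"
OTHER_PORT = "Ten-GigabitEthernet1/0/2"    # hypothetical port where forged frames arrive
SERVER_PORT = "Ten-GigabitEthernet1/0/3"   # hypothetical port of the peer host


class MacTable:
    def __init__(self):
        # (vlan, mac) -> (entry type, outgoing port); blackhole entries have no port
        self.entries = {}

    def add_static(self, mac, port, vlan):
        # Manually added; overwrites any dynamic entry for the same address.
        self.entries[(vlan, mac)] = ("static", port)

    def add_blackhole(self, mac, vlan):
        # Manually added; frames destined for this address are dropped.
        self.entries[(vlan, mac)] = ("blackhole", None)

    def learn(self, src_mac, in_port, vlan):
        """Dynamic learning from a source MAC. Returns True if the table changed."""
        key = (vlan, src_mac)
        current = self.entries.get(key)
        if current is not None and current[0] != "dynamic":
            return False          # static and blackhole entries are never overwritten
        if current == ("dynamic", in_port):
            return False          # entry already points at this port
        self.entries[key] = ("dynamic", in_port)
        return True

    def lookup(self, dst_mac, vlan):
        """Return the outgoing port, FLOOD when no entry exists, or DROP for a blackhole."""
        entry = self.entries.get((vlan, dst_mac))
        if entry is None:
            return FLOOD
        kind, port = entry
        return DROP if kind == "blackhole" else port

    def receive(self, src_mac, dst_mac, in_port, vlan):
        self.learn(src_mac, in_port, vlan)
        return self.lookup(dst_mac, vlan)


def run_scenario(static_binding):
    """Return where frames for Client 1 go before and after a forged frame arrives."""
    table = MacTable()
    if static_binding:
        table.add_static(CLIENT1, CLIENT1_PORT, 1)
    table.receive(CLIENT1, SERVER, CLIENT1_PORT, 1)    # genuine frame from Client 1
    table.receive(SERVER, CLIENT1, SERVER_PORT, 1)     # reply from the peer host
    before = table.lookup(CLIENT1, 1)
    table.receive(CLIENT1, SERVER, OTHER_PORT, 1)      # forged source MAC on another port
    after = table.lookup(CLIENT1, 1)
    return before, after


def blackhole_scenario():
    """A blackhole entry replaces a learned entry and is not relearned over."""
    table = MacTable()
    table.learn(CLIENT2, OTHER_PORT, 1)
    table.add_blackhole(CLIENT2, 1)
    relearned = table.learn(CLIENT2, OTHER_PORT, 1)
    return table.lookup(CLIENT2, 1), relearned


if __name__ == "__main__":
    print("dynamic only  :", run_scenario(static_binding=False))
    print("static binding:", run_scenario(static_binding=True))
    print("blackhole     :", blackhole_scenario())
```

With dynamic learning only, the lookup for Client 1 moves to the port where the forged frame arrived; with the static entry in place it stays on Ten-GigabitEthernet1/0/1.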

Configuring static, dynamic, and destination blackhole MAC address entries
To prevent MAC address spoofing attacks and improve interface security, manually add MAC address
entries to bind interfaces with MAC addresses. You can also configure destination blackhole MAC
address entries to filter out packets with certain destination MAC addresses.
The MAC address table can contain only Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

Adding or modifying a static or dynamic MAC address entry in system view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Add or modify a dynamic or static MAC address entry.
   Command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
   Remarks: By default, no MAC address entry is configured. Make sure you have created the VLAN and assigned the interface to the VLAN.

Adding or modifying a static or dynamic MAC address entry in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet or aggregate interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Add or modify a static or dynamic MAC address entry.
   Command: mac-address { dynamic | static } mac-address vlan vlan-id
   Remarks: By default, no MAC address entry is configured. Make sure you have created the VLAN and assigned the interface to the VLAN.

Configuring a destination blackhole MAC address entry

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Add or modify a destination blackhole MAC address entry.
   Command: mac-address blackhole mac-address vlan vlan-id
   Remarks: By default, no MAC address entry is configured. Make sure you have created the VLAN.

Disabling MAC address learning


Sometimes, you might need to disable MAC address learning to prevent the MAC address table from
being saturated, for example, when your device is being attacked by a large volume of packets with
different source MAC addresses.
You can disable MAC address learning globally or on an interface.

Disabling global MAC address learning


Disabling global MAC address learning disables the learning function on all interfaces.
To disable global MAC address learning:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Disable global MAC address learning.
   Command: mac-address mac-learning disable
   Remarks: By default, global MAC address learning is enabled.

Disabling MAC address learning on interfaces


You can disable MAC address learning on a single interface, or on all interfaces in a port group.
To disable MAC address learning on an interface or a port group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable global MAC address learning.
   Command: undo mac-address mac-learning disable
   Remarks: Optional. By default, global MAC address learning is enabled.
3. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet or aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command. Settings in interface view take effect only on the current interface. Settings in port group view take effect on all member interfaces in the port group. For more information about port groups, see "Configuring Ethernet interfaces."
4. Disable MAC address learning.
   Command: mac-address mac-learning disable
   Remarks: By default, MAC address learning is enabled on each interface.

Configuring the aging timer for dynamic MAC address entries
The MAC address table uses an aging timer for dynamic MAC address entries for security and efficient
use of table space. If a dynamic MAC address entry has failed to update before the aging timer expires,
the device deletes that entry. This aging mechanism makes sure the MAC address table can promptly
update to accommodate the latest network changes.
Set the aging timer appropriately. Too long an aging interval might cause the MAC address table to
retain outdated entries, exhaust the MAC address table resources, and fail to update its entries to
accommodate the latest network changes. Too short an interval might result in removal of valid entries,
causing unnecessary floods, which could affect device performance.
To configure the aging timer for dynamic MAC address entries:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the aging timer for dynamic MAC address entries.
   Command: mac-address timer { aging seconds | no-aging }
   Remarks: Optional. By default, the aging timer is 300 seconds. The no-aging keyword disables the aging timer.

You can reduce floods on a stable network by disabling the aging timer to prevent dynamic entries from
unnecessarily aging out. By reducing floods, you improve not only network performance, but also
security, because you reduce the chances that a data packet will reach unintended destinations.

Configuring the MAC learning limit on interfaces
As the MAC address table grows, the forwarding performance of your device might degrade. To prevent
the MAC address table from getting so large that the forwarding performance degrades, you can limit
the number of MAC addresses that an interface can learn.
To configure the MAC learning limit on a Layer 2 Ethernet interface, Layer 2 aggregate interface, or all
interfaces in a port group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet or aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Settings in interface view take effect only on the specific interface. Settings in port group view take effect on all member interfaces in the port group.
3. Configure the MAC learning limit on the interface or port group, and configure whether or not frames with unknown source MAC addresses can be forwarded when the MAC learning limit is reached.
   Command: mac-address max-mac-count { count | disable-forwarding }
   Remarks: The default MAC learning limit varies with devices. By default, frames with unknown source MAC addresses are forwarded when the MAC learning limit is reached.
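
The difference between the two mac-address max-mac-count settings shows up when an interface receives a large number of distinct source MAC addresses. The following Python model is an added example, not HP code or part of the original guide; the flood addresses are constructed under a locally administered prefix, the limit of 8 is an arbitrary sample value, and aging is ignored.

```python
LEGIT = "000f-e235-dc71"       # host that was active before the flood (address from this guide)
LATE_HOST = "0014-222c-aa69"   # host that first transmits after the limit is reached


def mac(i):
    """Format an integer as xxxx-xxxx-xxxx under a locally administered prefix (constructed)."""
    h = f"{0x020000000000 + i:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def receive_on_port(src_macs, limit=None, disable_forwarding=False):
    """Process frames arriving on one interface, identified by their source MAC.

    limit              -- MAC learning limit for the interface (None = no limit)
    disable_forwarding -- drop frames with unknown source MACs once the limit is reached
    Returns (learned entries, forwarded frames, source MACs of dropped frames).
    """
    learned, forwarded, dropped = set(), 0, []
    for src in src_macs:
        if src not in learned:
            if limit is None or len(learned) < limit:
                learned.add(src)                 # room left: learn the address
            elif disable_forwarding:
                dropped.append(src)              # limit reached: unknown source is dropped
                continue
            # limit reached, default behaviour: forward without learning
        forwarded += 1
    return len(learned), forwarded, dropped


# Constructed traffic: one known host, 1000 distinct source addresses, then a new host.
FRAMES = [LEGIT] + [mac(i) for i in range(1000)] + [LATE_HOST, LEGIT]

if __name__ == "__main__":
    for label, kwargs in (
        ("no limit", {}),
        ("limit 8, default forwarding", {"limit": 8}),
        ("limit 8, disable-forwarding", {"limit": 8, "disable_forwarding": True}),
    ):
        learned, forwarded, dropped = receive_on_port(FRAMES, **kwargs)
        print(f"{label}: learned={learned} forwarded={forwarded} dropped={len(dropped)}")
```

The limit alone caps table growth but still forwards the unknown-source frames; disable-forwarding drops them, including the first frame of a legitimate host that appears after the limit is reached.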

Displaying and maintaining MAC address tables


Task: Display MAC address table information.
   Command: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the aging timer for dynamic MAC address entries.
   Command: display mac-address aging-time [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the system or interface MAC address learning state.
   Command: display mac-address mac-learning [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display MAC address statistics.
   Command: display mac-address statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

MAC address table configuration example
The configuration example was created on the 10500/7500 20G unified wired-WLAN module and
may vary with device models.
When configuring the 10500/7500 20G unified wired-WLAN module, make sure the settings are
correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.
For more information, see HP 10500 & 7500 20G Unified Wired-WLAN Module Fundamentals
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make
sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements
As shown in Figure 8:
• The MAC address of Client 1 is 000f-e235-dc71 and belongs to VLAN 1. It is connected to
Ten-GigabitEthernet 1/0/1 of the device. To prevent MAC address spoofing, add a static entry to
the MAC address table of the device for the host.
• The MAC address of Client 2 is 000f-e235-abcd and belongs to VLAN 1. Because this host once
behaved suspiciously on the network, you can add a destination blackhole MAC address entry for
the MAC address to drop all packets destined for the host.
• Set the aging timer for dynamic MAC address entries to 500 seconds.
Figure 8 Network diagram

Configuration procedure
# Add a static MAC address entry.
<AC> system-view
[AC] mac-address static 000f-e235-dc71 interface Ten-Gigabitethernet 1/0/1 vlan 1

# Add a destination blackhole MAC address entry.
[AC] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer for dynamic MAC address entries to 500 seconds.
[AC] mac-address timer aging 500

# Display MAC address entries on Ten-GigabitEthernet 1/0/1.


[AC] display mac-address interface Ten-Gigabitethernet 1/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e235-dc71 1 Config static Ten-GigabitEthernet 1/0/1 NOAGED

--- 1 mac address(es) found ---

# Display information about the destination blackhole MAC address table.


[AC] display mac-address blackhole
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e235-abcd 1 blackhole N/A NOAGED

--- 1 mac address(es) found ---

# View the aging time of dynamic MAC address entries.


[AC] display mac-address aging-time
Mac address aging time: 500s

Configuring Ethernet link aggregation

Overview
Ethernet link aggregation, or simply link aggregation, combines multiple physical Ethernet ports into one
logical link called an "aggregate link." Link aggregation delivers the following benefits:
• Increases bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed
across the member ports.
• Improves link reliability. The member ports back up one another dynamically. When a member port
fails, its traffic is switched automatically to other member ports.
As shown in Figure 9, Device A and Device B are connected by three physical Ethernet links. These
physical Ethernet links are combined into an aggregate link, Link Aggregation 1. The bandwidth of this
aggregate link is as high as the total bandwidth of the three physical Ethernet links. At the same time, the
three Ethernet links back up one another.
Figure 9 Ethernet link aggregation (diagram: Eth1/1, Eth1/2, and Eth1/3 on Device A connect to Eth1/1,
Eth1/2, and Eth1/3 on Device B, forming Link aggregation 1)

Basic concepts
This section describes some basic link aggregation concepts.

Aggregation group, member port, and aggregate interface


Link aggregation is implemented by combining Ethernet interfaces into a link aggregation group. Each
link aggregation group has one logical aggregate interface. To an upper layer entity, a link aggregation
group appears to be a single logical link and data traffic is transmitted through the aggregate interface.
The rate of an aggregate interface equals the total rate of its member ports in Selected state, and its
duplex mode is the same as the selected member ports. For more information about the states of member
ports in an aggregation group, see "Aggregation states of member ports in an aggregation group."
When you create an aggregate interface, the switch automatically creates an aggregation group of the
same type and number as the aggregate interface. For example, when you create interface
Bridge-Aggregation 1, Layer 2 aggregation group 1 is created automatically.
Only Layer 2 aggregate interfaces are supported. You can assign Layer 2 Ethernet interfaces only to a
Layer 2 aggregation group.

Aggregation states of member ports in an aggregation group


A member port in an aggregation group can be in either of the following aggregation states:
• Selected—A Selected port can forward user traffic.
• Unselected—An Unselected port cannot forward user traffic.
When a Selected port fails, an Unselected port might become a Selected port and forward user traffic.

Operational key
When aggregating ports, the system automatically assigns each port an operational key based on port
information such as port rate and duplex mode. Any change to this information triggers a recalculation
of the operational key.
In an aggregation group, all selected member ports are assigned the same operational key.

Configuration classes
Every configuration setting on a port might affect its aggregation state. Port configurations include the
following classes:
• Port attribute configurations—Include port rate, duplex mode, and link status (up or down). These
are the most basic port configurations.
• Class 2 configurations—A member port can be placed in Selected state only if it has the same
Class 2 configurations as the aggregate interface. Class 2 configurations made on an aggregate
interface are automatically synchronized to all its member ports. These configurations are retained
on the member ports even after the aggregate interface is removed.
Table 1 Class 2 configurations

Feature: VLAN
   Considerations: Permitted VLAN IDs, PVID, and link type (trunk, hybrid, or access).
Feature: MAC address learning
   Considerations: MAC address learning capability, MAC address learning limit, forwarding of frames with unknown destination MAC addresses after the MAC address learning limit is reached.

NOTE:
Any Class 2 configuration change might affect the aggregation state of link aggregation member ports
and ongoing traffic. To be sure that you are aware of the risk, the system displays a warning message
every time you try to change a Class 2 configuration setting on a member port.

Reference port
When setting the aggregation state of the ports in an aggregation group, the system automatically picks
a member port as the reference port. A Selected port must have the same port attributes and Class 2
configurations as the reference port. For information about how a reference port is chosen in a static link
aggregation group, see "Choosing a reference port" in the section "Aggregating links in static mode."

Aggregating links in static mode


In static mode, you must manually maintain the aggregation state of member ports.

Choosing a reference port


The system chooses a reference port from the UP member ports that have the same Class 2 configurations
as the aggregate interface.
The candidate ports are sorted by aggregation priority, duplex, and speed in the following order:
• Lowest aggregation priority value
• Full duplex/high speed
• Full duplex/low speed
• Half duplex/high speed
• Half duplex/low speed
The one at the top is chosen as the reference port. If two ports have the same aggregation priority, duplex
mode, and speed, the one with the lower port number is chosen.

Setting the aggregation state of each member port


After choosing the reference port, the static aggregation group sets the aggregation state of each
member port, as shown in Figure 10. After the static aggregation group has reached the limit on Selected
ports, any port assigned to the group is placed in Unselected state to avoid traffic interruption on the
current Selected ports.
Figure 10 Setting the aggregation state of a member port in a static aggregation group
(flowchart, evaluated for each member port)
1. Is there any hardware restriction? Yes: set the port in the Unselected state. No: go to 2.
2. Is the port up? No: set the port in the Unselected state. Yes: go to 3.
3. Port attribute/class 2 configurations same as the reference port? No: set the port in the Unselected
state. Yes: go to 4.
4. More candidate ports than max. number of Selected ports? No: set the port in the Selected state.
Yes: go to 5.
5. Port number as low as to set the port in the Selected state? Yes: set the port in the Selected state.
No: set the port in the Unselected state.
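
The reference port selection and the per-port decision in Figure 10 can be expressed as a short program, which helps predict which member ports will carry traffic before a change is made. The following Python code is an added example, not HP code or part of the original guide. The Port fields, the sample ports, the Class 2 stand-in values, and the max_selected parameter are constructed, and the model evaluates all ports at once rather than in the order they joined the group.

```python
from dataclasses import dataclass

# Constructed stand-in for a port's Class 2 configuration (link type, permitted VLANs).
DEFAULT_CLASS2 = ("hybrid", "100 200")


@dataclass(frozen=True)
class Port:
    number: int
    up: bool = True
    priority: int = 32768            # default aggregation priority stated in this guide
    full_duplex: bool = True
    speed_mbps: int = 1000
    class2: tuple = DEFAULT_CLASS2
    hw_restricted: bool = False


def choose_reference(ports, aggregate_class2):
    """Pick the reference port from the up ports whose Class 2 configuration
    matches the aggregate interface: lowest priority value, then full duplex,
    then higher speed, then lower port number."""
    candidates = [p for p in ports if p.up and p.class2 == aggregate_class2]
    if not candidates:
        return None
    return min(candidates,
               key=lambda p: (p.priority, not p.full_duplex, -p.speed_mbps, p.number))


def aggregation_states(ports, aggregate_class2, max_selected):
    """Apply the Figure 10 decisions to every member port.
    Returns (reference port, {port number: "Selected" | "Unselected"})."""
    ref = choose_reference(ports, aggregate_class2)
    states, candidates = {}, []
    for p in ports:
        same_as_ref = ref is not None and (
            (p.full_duplex, p.speed_mbps, p.class2)
            == (ref.full_duplex, ref.speed_mbps, ref.class2))
        if p.hw_restricted or not p.up or not same_as_ref:
            states[p.number] = "Unselected"
        else:
            candidates.append(p)
    # More candidates than the limit: the lowest port numbers are Selected.
    for rank, p in enumerate(sorted(candidates, key=lambda p: p.number)):
        states[p.number] = "Selected" if rank < max_selected else "Unselected"
    return ref, states


# Constructed member ports of one static aggregation group.
SAMPLE_PORTS = [
    Port(1),
    Port(2, priority=100),                 # lowest priority value: reference port
    Port(3, up=False),                     # link down
    Port(4, full_duplex=False),            # port attributes differ from the reference port
    Port(5, class2=("access", "1")),       # Class 2 configuration differs
    Port(6),
]

if __name__ == "__main__":
    ref, states = aggregation_states(SAMPLE_PORTS, DEFAULT_CLASS2, max_selected=2)
    print("reference port:", ref.number)
    for number in sorted(states):
        print(number, states[number])
```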

Load-sharing criteria for link aggregation groups


In a link aggregation group, traffic can be load-shared across the selected member ports based on a set
of criteria, depending on your configuration.
You can choose one or any combination of the following criteria for load sharing:
• Source/destination MAC addresses
• Source/destination IP addresses

Configuration restrictions and guidelines


Follow these guidelines when you configure a link aggregation group:

• To ensure stable aggregation state and service continuity, do not change port attributes or Class 2
configurations on any member port. If you must, make sure you understand its impact on the live
network. Any port attribute or Class 2 configuration change might affect the aggregation state of
link aggregation member ports and ongoing traffic.
• Avoid assigning ports to a static aggregation group that has reached the limit on Selected ports.
These ports will be placed in Unselected state to avoid traffic interruption on the current Selected
ports. However, a device reboot can cause the aggregation state of member ports to change.

Ethernet link aggregation configuration task list


Task: Configuring a Layer 2 static aggregation group
   Remarks: Required.
Task: Configuring an aggregate interface:
   • Configuring the description of an aggregate interface
   • Enabling link state traps for an aggregate interface
   • Shutting down an aggregate interface
   • Restoring the default settings for an aggregate interface
   Remarks: Optional.
Task: Configuring the global link-aggregation load-sharing criteria
   Remarks: Optional.

Configuring a Layer 2 static aggregation group


To guarantee a successful static aggregation, make sure the ports at both ends of each link are in the
same aggregation state.
Removing an aggregate interface also removes its aggregation group. At the same time, all member
ports leave the aggregation group.
To configure a Layer 2 static aggregation group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.
   Command: interface bridge-aggregation interface-number
   Remarks: When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 static aggregation group numbered the same.
3. Exit to system view.
   Command: quit
   Remarks: N/A
4. Assign a Layer 2 Ethernet interface to the aggregation group.
   Command:
   a. interface interface-type interface-number
   b. port link-aggregation group number
   Remarks: Repeat these two sub-steps to assign more Layer 2 Ethernet interfaces to the aggregation group.
5. Assign the port an aggregation priority.
   Command: link-aggregation port-priority port-priority
   Remarks: Optional. By default, the aggregation priority of a port is 32768. When the number of ports eligible for Selected ports exceeds the maximum number of Selected ports allowed in a static aggregation group, changing the aggregation priority of a port might affect the aggregation state of the ports in the static aggregation group.

Configuring an aggregate interface


Most of the configurations that can be performed on Layer 2 Ethernet interfaces can also be performed
on Layer 2 aggregate interfaces.

Configuring the description of an aggregate interface


You can configure the description of an aggregate interface for administration purposes such as
describing the purpose of the interface.
To configure the description of an aggregate interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 aggregate interface view.
   Command: interface bridge-aggregation interface-number
   Remarks: N/A
3. Configure the description of the aggregate interface.
   Command: description text
   Remarks: Optional. By default, the description of an interface is in the format of interface-name Interface, such as Bridge-Aggregation1 Interface.

Enabling link state traps for an aggregate interface


You can configure an aggregate interface to generate linkUp trap messages when its link goes up and
linkDown trap messages when its link goes down. For more information, see Network Management and
Monitoring Configuration Guide.
To enable link state traps on an aggregate interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the trap function globally.
   Command: snmp-agent trap enable [ standard [ linkdown | linkup ] * ]
   Remarks: Optional. By default, link state trapping is enabled globally and on all interfaces.
3. Enter Layer 2 aggregate interface view.
   Command: interface bridge-aggregation interface-number
   Remarks: N/A
4. Enable link state traps for the aggregate interface.
   Command: enable snmp trap updown
   Remarks: Optional. Enabled by default.

Shutting down an aggregate interface


Shutting down or bringing up an aggregate interface affects the aggregation state and link state of
aggregated member ports in the following ways:
• When an aggregate interface is shut down, all Selected member ports become unselected and
their link state becomes down.
• When an aggregate interface is brought up, the aggregation state of member ports is recalculated
and their link state becomes up.
To shut down an aggregate interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 aggregate interface view.
   Command: interface bridge-aggregation interface-number
   Remarks: N/A
3. Shut down the Layer 2 aggregate interface.
   Command: shutdown
   Remarks: By default, Layer 2 aggregate interfaces are up.

Restoring the default settings for an aggregate interface

1. Enter system view.
   Command: system-view
2. Enter Layer 2 aggregate interface view.
   Command: interface bridge-aggregation interface-number
3. Restore the default settings for the aggregate interface.
   Command: default

Configuring load sharing for link aggregation groups
You can determine how traffic is load-shared in a link aggregation group by configuring load-sharing
criteria. The criteria can be source/destination MAC addresses or source/destination IP addresses
carried in packets, or any combination. You can configure global or group-specific load-sharing criteria.

A link aggregation group preferentially uses the group-specific load-sharing criteria. If no group-specific
load-sharing criteria are available, the group uses the global load-sharing criteria.

Configuring the global link-aggregation load-sharing criteria

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the global link-aggregation load-sharing criteria.
   Command: link-aggregation load-sharing mode { destination-ip | destination-mac | source-ip | source-mac } *
   Remarks: The default setting is source and destination MAC addresses.

Configuring group-specific load-sharing criteria

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 aggregate interface view.
   Command: interface bridge-aggregation interface-number
   Remarks: N/A
3. Configure the load-sharing criteria for the Layer 2 aggregation group.
   Command: link-aggregation load-sharing mode { destination-ip | destination-mac | source-ip | source-mac } *
   Remarks: The default setting is source and destination MAC addresses.

Displaying and maintaining Ethernet link aggregation

• Display information about Layer 2 aggregate interfaces.
  Command: display interface [ bridge-aggregation ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
  Command: display interface bridge-aggregation interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display the global or group-specific link-aggregation load-sharing criteria.
  Command: display link-aggregation load-sharing mode [ interface [ bridge-aggregation interface-number ] ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display detailed link aggregation information for link aggregation member ports.
  Command: display link-aggregation member-port [ interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display summary information about all aggregation groups.
  Command: display link-aggregation summary [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display detailed information about a specific or all aggregation groups.
  Command: display link-aggregation verbose [ bridge-aggregation [ interface-number ] ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Clear statistics for a specific or all aggregate interfaces.
  Command: reset counters interface [ bridge-aggregation [ interface-number ] ]
  Remarks: Available in user view.

Configuring Layer 2 forwarding

Layer 2 forwarding falls into the following categories:


• Normal
• Fast

Configuring normal Layer 2 forwarding


If the destination MAC address of an incoming packet matches the MAC address of the receiving Layer
3 interface, the device forwards the packet through that interface. If not, the device performs normal
Layer 2 forwarding through a Layer 2 interface. The device looks up the MAC address table according
to the destination MAC address of the incoming packet, obtains the outgoing interface, and then
forwards the packet through the interface.

Configuration procedure
Normal Layer 2 forwarding is enabled by default.

Displaying and maintaining normal Layer 2 forwarding

• Display normal and inline Layer 2 forwarding statistics.
  Command: display mac-forwarding statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Clear all normal and inline Layer 2 forwarding statistics.
  Command: reset mac-forwarding statistics
  Remarks: Available in user view.

Configuring fast Layer 2 forwarding


Fast Layer 2 forwarding uses caches to process packets. Based on data flows, fast Layer 2 forwarding
can greatly improve forwarding efficiency. In fast Layer 2 forwarding, a data flow is described by source
MAC address, destination MAC address, and VLAN ID. After a packet of a data flow is forwarded, its
forwarding information is stored as a fast forwarding entry in the cache. The device forwards subsequent
packets by searching the fast forwarding table, which is faster and more efficient than looking it up again
in the MAC address table.

Configuration procedure
To configure fast Layer 2 forwarding:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable fast Layer 2 forwarding.
   Command: mac-fast-forwarding
   Remarks: Optional. Enabled by default.

Displaying and maintaining fast Layer 2 forwarding

• Display fast Layer 2 forwarding information.
  Command: display mac-fast-forwarding cache { all | { destination-mac mac-address | source-mac mac-address | vlan vlan-id }* } [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Clear fast Layer 2 forwarding entries.
  Command: reset mac-fast-forwarding cache { all | { destination-mac mac-address | source-mac mac-address | vlan vlan-id }* }
  Remarks: Available in user view.

Configuring Layer 2 FPGA fast forwarding


Support for this feature depends on the device model. For more information, see About the HP 830 Series
PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module
Configuration Guides.
Layer 2 FPGA fast forwarding greatly improves an AC's forwarding efficiency by performing hardware
forwarding with an FPGA card, which forwards wireless packets according to fast forwarding entries.
Wireless packets of the following categories are forwarded by software:
• Packets matching no fast forwarding entries.
• ARP and DHCP packets.
• Packets on interfaces to which QoS policies, CAR policies, or PQ lists are applied.
• Packets to which ACLs or user profiles are deployed.
• Other packets that cannot be forwarded by FPGA cards.
When Layer 2 FPGA fast forwarding is enabled, IPsec, portal user-based rate limitation, portal-forbidden
rules (see Security Configuration Guide), and WMM CAC do not take effect.
To configure the previous features, use the undo fpga work-mode fast-forwarding command to disable
Layer 2 FPGA fast forwarding first.
The undo fpga work-mode fast-forwarding command takes effect after you save the configuration and
reboot the device.

Configuration procedure
To enable Layer 2 FPGA fast forwarding:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable Layer 2 FPGA fast forwarding.
   Command: fpga work-mode fast-forwarding
   Remarks: By default, Layer 2 FPGA fast forwarding is disabled.

Displaying and maintaining Layer 2 FPGA fast forwarding

• Display the FPGA operating mode.
  Command: display fpga status [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Configuring PPPoE

Support for this feature depends on the device model. For more information, see About the HP 830 Series
PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module
Configuration Guides.

Overview
Point-to-Point Protocol over Ethernet (PPPoE) extends PPP by transporting PPP packets encapsulated in
Ethernet over point-to-point links.
PPPoE can provide access to the Internet for the hosts in an Ethernet through a remote access device and
implement access control and accounting on a per-host basis. Integrating the low cost of Ethernet and
scalability and management functions of PPP, PPPoE gained popularity in various application
environments, such as residential networks.

PPPoE network structure


PPPoE uses the client/server model. The PPPoE client initiates a connection request to the PPPoE server.
After session negotiation between them is complete, the PPPoE server provides access control and
authentication to the PPPoE client.
The following network structures are available:
• As shown in Figure 11, the PPP session is established between devices (Router A and Router B). All
hosts share one PPP session for data transmission without being installed with PPPoE client dialup
software. Typically, enterprises use this network structure.
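Figure 11 Network structure 1 (diagram not reproduced; labels: carrier device side with the DSLAM and Router B as PPPoE server, connected to the Internet; client device side with the modem, Router A as PPPoE client, and Host A, Host B, and Host C)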
• As shown in Figure 12, the PPP session is established between each host (PPPoE client) and the
carrier router (PPPoE server). The service provider assigns an account to each host for billing and
control. The host must be installed with PPPoE client dialup software. This network structure is
applicable to campus and residential environments.
Figure 12 Network structure 2 (diagram not reproduced; labels: Host A and Host B as PPPoE clients; Router as PPPoE server; Internet)

Protocols and standards


RFC 2516, A Method for Transmitting PPP Over Ethernet (PPPoE)

Configuring a PPPoE server


1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a virtual template (VT) interface.
   Command: interface virtual-template number
   Remarks: This operation also leads you to VT interface view.
3. Enter VLAN interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
4. Enable PPPoE on the VLAN interface and bind this interface to a specified VT interface.
   Command: pppoe-server bind virtual-template number
   Remarks: Disabled by default.
5. Return to system view.
   Command: quit
   Remarks: N/A
6. Set the maximum number of PPPoE sessions allowed for a peer MAC address.
   Command: pppoe-server max-sessions remote-mac number
   Remarks: Optional. 100 by default.
7. Set the maximum number of PPPoE sessions allowed for a local MAC address.
   Command: pppoe-server max-sessions local-mac number
   Remarks: Optional. 100 by default.
8. Set the maximum number of PPPoE sessions allowed on the device.
   Command: pppoe-server max-sessions total number
   Remarks: Optional. The default setting is 4096.
9. Set the upper threshold for the PPPoE abnormal offline event count.
   Command: pppoe-server abnormal-offline-count threshold number
   Remarks: Optional. 65535 by default. If the PPPoE abnormal offline event count in the last 5 minutes exceeds this threshold, the system outputs a trap message.
10. Set the upper threshold for the PPPoE abnormal offline event percentage.
   Command: pppoe-server abnormal-offline-percent threshold number
   Remarks: Optional. 100 by default. If the PPPoE abnormal offline event percentage in the last 5 minutes exceeds this threshold, the system outputs a trap message.
11. Set the lower threshold for the PPPoE normal offline event percentage.
   Command: pppoe-server normal-offline-percent threshold number
   Remarks: Optional. 0 by default. If the PPPoE normal offline event percentage in the last 5 minutes is lower than this threshold, the system outputs a trap message.
12. Configure authentication and accounting on PPP users.
   Command: See Security Configuration Guide.
   Remarks: Optional.
13. Disable PPP log displaying.
   Command: pppoe-server log-information off
   Remarks: Optional. Enabled by default.

When you configure a static route on a VT interface, specify the next hop instead of the outgoing
interface. If the outgoing interface is required, make sure the physical interface bound to the VT interface
is effective to ensure normal transport of packets.

Displaying and maintaining PPPoE


• Display the statistics and state information about a PPPoE server.
  Command: display pppoe-server session all [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Clear PPP sessions on the PPPoE server.
  Command: reset pppoe-server { all | interface interface-type interface-number | virtual-template number }
  Remarks: Available in user view.

PPPoE server configuration example


The configuration example was created on the 10500/7500 20G unified wired-WLAN module, and
may vary with device models.
When configuring the 10500/7500 20G unified wired-WLAN module, make sure the settings are
correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.

For more information, see HP 10500 & 7500 20G Unified Wired-WLAN Module Fundamentals
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make
sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements
As shown in Figure 13, Clients 1, 2, and 3 (PPPoE clients) access the Internet through the AC (PPPoE server),
which performs local authentication and assigns IP addresses to the users.
AC provides Internet access for PPPoE clients through VLAN-interface 1. It connects to the Internet through
VLAN-interface 2.
Figure 13 Network diagram (diagram not reproduced; labels: Client 1, Client 2, Client 3; AP 1, AP 2, AP 3; L2 switch; AC; Internet)

Configuration procedure
(Approach 1) Configuring CHAP authentication
# Add a PPPoE user.
<AC> system-view
[AC] local-user user1
[AC-luser-user1] password simple pass1
[AC-luser-user1] service-type ppp
[AC-luser-user1] quit

# Configure virtual-template 1 on the AC.


[AC] interface virtual-template 1
[AC-Virtual-Template1] ppp authentication-mode chap domain system
[AC-Virtual-Template1] ppp chap user user1
[AC-Virtual-Template1] remote address pool 1
[AC-Virtual-Template1] ip address 1.1.1.1 255.0.0.0
[AC-Virtual-Template1] quit

# Configure PPPoE server on the AC.


[AC] interface Vlan-interface1
[AC-Vlan-interface1] pppoe-server bind virtual-template 1
[AC-Vlan-interface1] quit

# Configure local authentication for the users in the default ISP domain system.
[AC] domain system
[AC-isp-system] authentication ppp local

# Add a local IP address pool.


[AC-isp-system] ip pool 1 1.1.1.2 1.1.1.10

(Approach 2) Configuring MS-CHAP authentication


# Add a PPPoE user.
<AC> system-view
[AC] local-user user1
[AC-luser-user1] password simple pass1
[AC-luser-user1] service-type ppp
[AC-luser-user1] quit

# Configure virtual-template 1 on the AC.


[AC] interface virtual-template 1
[AC-Virtual-Template1] ppp authentication-mode ms-chap domain system
[AC-Virtual-Template1] remote address pool 1
[AC-Virtual-Template1] ip address 1.1.1.1 255.0.0.0
[AC-Virtual-Template1] quit

# Configure the PPPoE server on the AC.


[AC] interface Vlan-interface1
[AC-Vlan-interface1] pppoe-server bind virtual-template 1
[AC-Vlan-interface1] quit

# Configure local authentication for the users in the default ISP domain system.
[AC] domain system
[AC-isp-system] authentication ppp local

# Add a local IP address pool.


[AC-isp-system] ip pool 1 1.1.1.2 1.1.1.10

Verifying the configuration


After the configuration, the PPPoE clients can access the Internet by using the username user1 and
password pass1 through the AC if they have PPPoE client software installed.
If you specify the authentication scheme as radius-scheme or hwtacacs-scheme by using the
authentication ppp command, you also need to configure RADIUS/HWTACACS settings to enable AAA.
For detailed configuration procedures, see Security Configuration Guide.
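
The following added example (not HP's code and not part of the original guide) audits a saved configuration for settings this guide calls out in the PPPoE server configuration example and in the Layer 2 FPGA fast forwarding section: the sample credentials user1/pass1, a PPPoE-bound VT interface without an authentication mode, FPGA fast forwarding disabling IPsec and portal controls, and the default per-peer-MAC session limit. The sample configuration is constructed, and its layout (top-level section headers with indented body lines) and the check names are assumptions.

```python
import re

# Constructed sample in the style of this guide's CHAP example; the layout
# (top-level section headers, indented body lines) is an assumption.
SAMPLE_CONFIG = """\
fpga work-mode fast-forwarding
local-user user1
 password simple pass1
 service-type ppp
interface Virtual-Template1
 ppp authentication-mode chap domain system
 remote address pool 1
interface Virtual-Template2
 remote address pool 1
interface Vlan-interface1
 pppoe-server bind virtual-template 1
interface Vlan-interface3
 pppoe-server bind virtual-template 2
"""

def parse_sections(text):
    """Map each top-level line (lowercased) to the indented lines below it."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip().lower()
            sections.setdefault(current, [])
    return sections

def audit(text):
    """Return a sorted list of (check_id, detail) findings."""
    sections = parse_sections(text)
    findings = []
    if "fpga work-mode fast-forwarding" in sections:
        findings.append(("fpga-bypass", "IPsec, portal user-based rate limitation, "
                         "portal-forbidden rules and WMM CAC do not take effect"))
    for header, body in sections.items():
        user = re.fullmatch(r"local-user (\S+)", header)
        for line in body:
            pw = re.fullmatch(r"password simple (\S+)", line, re.I)
            if user and pw and (user.group(1), pw.group(1)) == ("user1", "pass1"):
                findings.append(("sample-credentials", header))
            elif user and pw:
                findings.append(("plaintext-password", header))
            bind = re.fullmatch(r"pppoe-server bind virtual-template (\d+)", line, re.I)
            if not bind:
                continue
            vt = sections.get("interface virtual-template" + bind.group(1))
            if vt is None:
                findings.append(("vt-missing", header))
            # Assumption: a VT without this line does not request authentication.
            elif not any(l.lower().startswith("ppp authentication-mode ") for l in vt):
                findings.append(("pppoe-no-auth", header))
    if not any(h.startswith("pppoe-server max-sessions remote-mac ") for h in sections):
        findings.append(("default-remote-mac-limit", "100 sessions per peer MAC"))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
```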

Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions

Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.

Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.

Websites
• HP.com http://www.hp.com
• HP Networking http://www.hp.com/go/networking
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com
• HP Education http://www.hp.com/learn

Conventions
This section describes the conventions used in this documentation set.

Command conventions

Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.

GUI conventions

Boldface: Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

WARNING: An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.

Represents an access controller, a unified wired-WLAN module, or the switching engine
on a unified wired-WLAN switch.

Represents an access point.

Port numbering in examples


The port numbers in this document are for illustration only and might be unavailable on your device.
