Configuring static, dynamic, and destination blackhole MAC address entries
Adding or modifying a static or dynamic MAC address entry in system view
Adding or modifying a static or dynamic MAC address entry in interface view
Configuring a destination blackhole MAC address entry
Disabling MAC address learning
Disabling global MAC address learning
Disabling MAC address learning on interfaces
Configuring the aging timer for dynamic MAC address entries
Configuring the MAC learning limit on interfaces
Displaying and maintaining MAC address tables
MAC address table configuration example
Network requirements
Configuration procedure
Subscription service
Related information
Documents
Websites
Conventions
Configuring Ethernet interfaces
All configuration tasks in this chapter are independent and optional. You can perform these
configuration tasks in any order.
Overview
Ethernet is the most widespread wired LAN technology due to its flexibility, simplicity, and easy
implementation. The AC side of your device supports Layer 2 Ethernet interfaces, which are physical
Ethernet interfaces operating at the data link layer (Layer 2) to forward traffic within a subnet between
hosts.
Optional.
4. Set the duplex mode of the interface.
   Command: duplex auto
   Remarks: Optional. By default, the duplex mode is full for 10-GE interfaces, and is auto for other Ethernet interfaces. Support for the command depends on the interface card model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Command References.
5. Set the port speed.
   Command: speed 1000
   Remarks: Optional. Support for the command depends on your device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Command References.
6. Restore the default settings for the interface.
   Command: default
   Remarks: Optional.
CAUTION:
Use this command with caution. After you manually shut down an Ethernet interface, the Ethernet interface
cannot forward packets even if it is physically connected.
You might need to shut down and then bring up an Ethernet interface or subinterface to activate some
configuration changes.
The access controller module of the device communicates with the switching engine through the internal
interfaces. Do not shut down these internal interfaces. Otherwise, the device might fail to operate
correctly.
To shut down an Ethernet interface:
If the interface fails to receive any test packets, the hardware of the interface is faulty. The external
loopback testing is not supported. The type is reserved for future support.
Configuration procedure
To enable loopback testing on an Ethernet interface:
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
Setting a statistics polling interval
In Ethernet interface view, you can configure an interface statistics polling interval. To display the
interface statistics collected in the last polling interval, use the display interface command.
To set the statistics polling interval on an Ethernet interface:
Configuring storm suppression
You can use the storm suppression function to limit the amount of a particular type of traffic (broadcast,
multicast, or unknown unicast traffic) that an interface can receive. You configure it on a per-interface
basis in Ethernet interface view.
In interface or port group view, you set the maximum size of broadcast, multicast, or unknown unicast
traffic allowed to be received on an interface or each interface in a port group. When the broadcast,
multicast, or unknown unicast traffic received on the interface exceeds this threshold, the system discards
packets until the traffic drops below this threshold.
For an Ethernet interface that belongs to a port group, if you set a traffic suppression threshold for the
interface in both Ethernet interface view and port group view, the threshold configured most recently
takes effect.
To set storm suppression thresholds on one or multiple Ethernet interfaces:
3. Set the broadcast suppression threshold ratio.
   Command: broadcast-suppression { ratio | pps max-pps }
   Remarks: Optional. By default, broadcast traffic is allowed to pass through an interface. The value range for the pps keyword depends on your device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Command References.
4. Set the multicast suppression threshold ratio.
   Command: multicast-suppression { ratio | pps max-pps }
   Remarks: Optional. By default, multicast traffic is allowed to pass through an interface. The value range for the pps keyword depends on your device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Configuration Guides.
5. Set the unknown unicast suppression threshold ratio.
   Command: unicast-suppression { ratio | pps max-pps }
   Remarks: Optional. By default, unknown unicast traffic is allowed to pass through an interface. The value range for the pps keyword depends on your device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Command References.
Displaying and maintaining an Ethernet interface or subinterface
Task: Display Ethernet interface or subinterface information.
   Command: display interface [ interface-type ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
   Command: display interface interface-type [ interface-number ] [ brief ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Configuring loopback and null interfaces
Configuration procedure
To configure a loopback interface:
3. Set the interface description.
   Command: description text
   Remarks: Optional. By default, the description of a loopback interface is interface name Interface.
You can configure settings such as IP addresses and IP routes on loopback interfaces. For more
information, see Layer 3 Configuration Guide.
Configuring the null interface
Introduction
A null interface is a completely software-based logical interface, and is always up. However, you cannot
use it to forward data packets or configure an IP address or link layer protocol on it. With a null interface
specified as the next hop of a static route to a specific network segment, any packets routed to the
network segment are dropped. The null interface provides a simpler way to filter packets than an ACL. You
can filter uninteresting traffic by routing it to a null interface instead of applying an ACL.
For example, by executing the ip route-static 92.101.0.0 255.255.0.0 null 0 command (which configures
a static route leading to null interface 0), you can have all the packets destined to the network segment
92.101.0.0/16 discarded.
Only one null interface, Null 0, is supported on your device. You cannot remove or create a null
interface.
Configuration procedure
To enter null interface view:
3. Set the interface description.
   Command: description text
   Remarks: Optional. By default, the description of a null interface is interface name Interface.
4. Restore the default settings for the null interface.
   Command: default
   Remarks: Optional.
Task: Display information about the null interface.
   Command: display interface [ null ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
   Command: display interface null 0 [ brief ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Configuring VLANs
Overview
Ethernet is a shared-media network based on the CSMA/CD mechanism. A LAN built by using Ethernet
is both a collision domain and a broadcast domain. In a LAN with plenty of hosts, the LAN might be full
of collisions and broadcasts. As a result, the LAN performance is degraded or the LAN becomes
unavailable. You can deploy bridges or Layer 2 switches in the LAN to reduce collisions, but this cannot
confine broadcasts. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into
separate VLANs. Hosts in the same VLAN can directly communicate, and hosts of different VLANs
cannot directly communicate. For example, hosts in VLAN 2 can communicate with each other, but
cannot communicate with the hosts in VLAN 5. A VLAN is a broadcast domain, and contains all
broadcast traffic within it, as shown in Figure 1.
Figure 1 A VLAN diagram (labels: VLAN 2, VLAN 5, Switch A, Switch B, Router)
A VLAN is logically divided on an organizational basis rather than on a physical basis. For example,
using VLAN, all workstations and servers that a particular workgroup uses can be assigned to the same
VLAN, regardless of their physical locations.
VLAN technology delivers the following benefits:
• Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves
network performance.
• Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer
2. To enable communication between VLANs, routers or Layer 3 switches are required.
• Creating flexible virtual workgroups. Because users from the same workgroup can be assigned to
the same VLAN regardless of their physical locations, network construction and maintenance are
much easier and more flexible.
VLAN frame encapsulation
So that a network device can identify frames of different VLANs, a VLAN tag field is inserted into
the data link layer encapsulation.
The format of VLAN-tagged frames is defined in IEEE 802.1Q issued in 1999.
As shown in Figure 2, in the header of a traditional Ethernet data frame, the field after the destination
MAC address and the source MAC address (DA&SA) field is the Type field, which indicates the upper
layer protocol type.
Figure 2 Traditional Ethernet frame format
IEEE 802.1Q inserts a four-byte VLAN tag between the DA&SA field and the Type field to identify the
VLAN information, as shown in Figure 3.
Figure 3 Position and format of VLAN tag
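The tag insertion described above, as an added Python example (not code from the HP guide): it inserts the four-byte tag between the DA&SA field and the Type field and parses it back. The TPID value 0x8100 and the priority/DEI/VLAN ID bit layout come from IEEE 802.1Q rather than from this page; the function names and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # tag protocol identifier from IEEE 802.1Q (not stated on this page)

# Constructed sample: broadcast DA, SA 000d-88f8-4e71, Type 0x0800, four payload bytes.
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "000d88f84e71" "0800") + b"data"


def format_mac(raw: bytes) -> str:
    """Render six bytes in the xxxx-xxxx-xxxx style the guide uses."""
    text = raw.hex()
    return "-".join(text[i:i + 4] for i in (0, 4, 8))


def add_vlan_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a four-byte 802.1Q tag between the DA&SA field and the Type field."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than DA + SA + Type")
    if not 0 <= vlan_id <= 0x0FFF or not 0 <= priority <= 7:
        raise ValueError("VLAN ID must fit in 12 bits and priority in 3 bits")
    tci = (priority << 13) | vlan_id  # DEI bit (bit 12) is left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Split a frame into DA, SA, the optional VLAN tag, Type, and payload."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than DA + SA + Type")
    info = {
        "dst": format_mac(frame[0:6]),
        "src": format_mac(frame[6:12]),
        "tagged": False,
        "priority": None,
        "dei": None,
        "vlan_id": None,
    }
    (field,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if field == TPID_8021Q:
        # The two bytes after DA&SA are a TPID, so the real Type is 4 bytes later.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, field = struct.unpack("!HH", frame[14:18])
        info.update(
            tagged=True,
            priority=tci >> 13,       # top 3 bits: 802.1p priority
            dei=(tci >> 12) & 1,      # 1 bit: drop eligible indicator
            vlan_id=tci & 0x0FFF,     # low 12 bits: VLAN ID
        )
        offset = 18
    info["ethertype"] = field
    info["payload"] = frame[offset:]
    return info


if __name__ == "__main__":
    tagged = add_vlan_tag(SAMPLE_UNTAGGED, vlan_id=100, priority=5)
    print(parse_frame(SAMPLE_UNTAGGED))
    print(parse_frame(tagged))
```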
VLAN types
You can implement VLANs based on the following criteria:
• Port
• MAC address
• Protocol
• IP subnet
• Policy
• Other criteria
The device supports port-based VLAN and MAC-based VLAN. This chapter covers port-based VLAN
and MAC-based VLAN.
You can configure the two types of VLANs on a port at the same time. When the device is determining
which VLAN a packet that passes through the port should be assigned to, it looks up VLANs in the default
order of MAC-based VLAN and port-based VLAN.
Configuration procedure
To configure basic VLAN settings:
4. Configure a name for the VLAN.
   Command: name text
   Remarks: Optional. The default name is VLAN vlan-id, which is the ID of the VLAN. For example, the name of VLAN 100 is VLAN 0100 by default.
5. Configure a description for the VLAN.
   Command: description text
   Remarks: Optional. The default description is VLAN vlan-id, which is the ID of the VLAN. For example, the description of VLAN 100 is VLAN 0100 by default.
Configuration procedure
Before you create a VLAN interface for a VLAN, make sure the VLAN already exists.
To configure basic settings of a VLAN interface:
3. Assign an IP address to the VLAN interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: Optional. By default, no IP address is assigned to any VLAN interface.
4. Configure the description of the VLAN interface.
   Command: description text
   Remarks: Optional. By default, the description of a VLAN is the VLAN interface name. For example, Vlan-interface1 Interface.
Optional.
VLAN interface configuration example
The configuration example was created on the 10500/7500 20G unified wired-WLAN module and
may vary with device models.
When configuring the 10500/7500 20G unified wired-WLAN module, make sure the settings are
correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.
For more information, see HP 10500 & 7500 20G Unified Wired-WLAN Module Fundamentals
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 series PoE+ unified wired-WLAN switch are Access interfaces in VLAN 1. When configuring the
two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting
their link type to be the same.
Network requirements
As shown in Figure 4, Client 1 is assigned to VLAN 5, and Client 2 is assigned to VLAN 10. The clients
belong to different IP subnets and cannot communicate with each other.
Configure VLAN interfaces on the AC and configure the clients to enable Layer 3 communication
between the clients.
Figure 4 Network diagram
Configuration procedure
1. Configure the AC:
# Create interface WLAN-ESS 1 and VLAN 5, and assign interface WLAN-ESS 1 to VLAN 5.
<AC> system-view
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
[AC] vlan 5
[AC-vlan5] port WLAN-ESS 1
[AC-vlan5] quit
# Create interface WLAN-ESS 2 and VLAN 10, and assign interface WLAN-ESS 2 to VLAN 10.
[AC] interface WLAN-ESS 2
[AC-WLAN-ESS2] quit
[AC] vlan 10
[AC-vlan10] port WLAN-ESS 2
[AC-vlan10] quit
# Create VLAN-interface 5 and configure its IP address as 192.168.0.10/24.
[AC] interface vlan-interface 5
[AC-Vlan-interface5] ip address 192.168.0.10 24
[AC-Vlan-interface5] quit
# Create VLAN-interface 10 and configure its IP address as 192.168.1.20/24.
[AC] interface vlan-interface 10
[AC-Vlan-interface10] ip address 192.168.1.20 24
[AC-Vlan-interface10] quit
# Create clear-type service template 2, configure its SSID as vlan5, bind it to WLAN-ESS 1, and
enable it with open-system authentication.
[AC] wlan service-template 2 clear
[AC-wlan-st-2] ssid vlan5
[AC-wlan-st-2] bind wlan-ess 1
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create an AP template named ap1.
[AC] wlan ap ap1 model E-MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1
# Bind service template 2 to interface radio 1 of AP template ap1.
[AC-wlan-ap-ap1-radio-1] service-template 2
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create clear-type service template 3, configure its SSID as vlan10, bind it to WLAN-ESS 2, and
enable it with open-system authentication.
[AC] wlan service-template 3 clear
[AC-wlan-st-3] ssid vlan10
[AC-wlan-st-3] bind wlan-ess 2
[AC-wlan-st-3] authentication-method open-system
[AC-wlan-st-3] service-template enable
[AC-wlan-st-3] quit
# Create an AP template named ap2.
[AC] wlan ap ap2 model E-MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S7
[AC-wlan-ap-ap2] radio 1
# Bind service template 3 to interface radio 1 of AP template ap2.
[AC-wlan-ap-ap2-radio-1] service-template 3
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] quit
[AC-wlan-ap-ap2] quit
# Configure Layer 2 aggregate interface 1 as a trunk interface, and assign the interface to VLANs
5 and 10, so that Client 1 and Client 2 on different IP subnets can communicate at Layer 3.
[AC] interface Bridge-Aggregation 1
[AC-Bridge-Aggregation1] port link-type trunk
[AC-Bridge-Aggregation1] port trunk permit vlan 5 10
2. Configure the default gateway of Client 1 as 192.168.0.10.
3. Configure the default gateway of Client 2 as 192.168.1.20.
Figure 5 Network diagram (label: VLAN 2)
PVID
By default, VLAN 1 is the port VLAN ID (PVID) for all ports. You can configure the PVID for a port as
required.
When you configure the PVID on a port, use the following guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of
the port.
• A trunk or hybrid port can join multiple VLANs, and you can configure a PVID for the port.
• You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access port.
After you use the undo vlan command to remove the VLAN where an access port resides, the PVID
of the port changes to VLAN 1. The removal of the VLAN specified as the PVID of a trunk or hybrid
port, however, does not affect the PVID setting on the port.
• H3C recommends setting the same PVID for local and remote ports.
• Make sure a port permits the traffic from its PVID to pass through. Otherwise, when the port receives
frames tagged with the PVID or untagged frames, the port drops these frames.
Actions by port link type (Access, Trunk, Hybrid):
Incoming tagged frame
• Access: Receives the frame if its VLAN ID is the same as the PVID. Drops the frame if its VLAN ID is
different from the PVID.
• Trunk and Hybrid: Receives the frame if its VLAN is permitted on the port. Drops the frame if its VLAN
is not permitted on the port.
Outgoing frames
• Access: Removes the VLAN tag and sends the frame.
• Trunk: Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to
the PVID. Sends the frame without removing the tag if its VLAN is carried on the port but is different
from the PVID.
• Hybrid: Sends the frame if its VLAN is permitted on the port. The frame is sent with the VLAN tag
removed or intact depending on your configuration with the port hybrid vlan command. This is true of
the PVID.
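The frame-handling rules above and the PVID guidelines, modeled as an added Python example (not code from the HP guide). It assumes that an untagged incoming frame is classified into the PVID of the receiving port and that an access port forwards only its own VLAN; the Port class, the function names, and the sample ports are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    link_type: str                                     # "access", "trunk" or "hybrid"
    pvid: int = 1                                      # VLAN 1 is the default PVID
    permitted: Set[int] = field(default_factory=set)   # trunk/hybrid: VLANs carried
    untagged: Set[int] = field(default_factory=set)    # hybrid: VLANs sent untagged

    def __post_init__(self) -> None:
        if self.link_type not in ("access", "trunk", "hybrid"):
            raise ValueError("unknown link type: " + self.link_type)

    def carries(self, vlan: int) -> bool:
        """An access port belongs only to its PVID; other ports use the permit list."""
        if self.link_type == "access":
            return vlan == self.pvid
        return vlan in self.permitted


def receive(port: Port, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN an incoming frame is placed in, or None if it is dropped.

    tag is the VLAN ID of a tagged frame, or None for an untagged frame.
    """
    vlan = port.pvid if tag is None else tag
    return vlan if port.carries(vlan) else None


def send(port: Port, vlan: int) -> Optional[str]:
    """Return "tagged" or "untagged" for an outgoing frame, or None if not sent."""
    if not port.carries(vlan):
        return None
    if port.link_type == "access":
        return "untagged"
    if port.link_type == "trunk":
        return "untagged" if vlan == port.pvid else "tagged"
    return "untagged" if vlan in port.untagged else "tagged"


def forward(ingress: Port, tag: Optional[int], egress: Port) -> Optional[str]:
    """Carry one frame from ingress to egress; None means Layer 2 isolation held."""
    vlan = receive(ingress, tag)
    return None if vlan is None else send(egress, vlan)


# Constructed sample ports.
DEPT_A = Port("access", pvid=100)
DEPT_B = Port("access", pvid=200)
UPLINK = Port("trunk", pvid=1, permitted={1, 100, 200})
# PVID changed to 5 but never added to the permit list: untagged frames are dropped.
PVID_NOT_PERMITTED = Port("trunk", pvid=5, permitted={100, 200})
HYBRID_DOWNLINK = Port("hybrid", permitted={100, 200}, untagged={100, 200})
HYBRID_UPLINK = Port("hybrid", permitted={100, 200})

if __name__ == "__main__":
    print(forward(DEPT_A, None, UPLINK))      # leaves the trunk tagged with VLAN 100
    print(forward(UPLINK, 200, DEPT_A))       # dropped: VLAN 200 is not Dept A's VLAN
    print(receive(PVID_NOT_PERMITTED, None))  # dropped: PVID 5 is not permitted
```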
2. Enter interface view or port group view.
   Command:
   • Enter interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks:
   • The configuration made in WLAN-ESS interface view or Layer 2 Ethernet interface view applies only to the port.
   • The configuration made in port group view applies to all ports in the port group.
   • The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports. If the system fails to apply the configuration to an aggregation member port, it skips the port and moves to the next member port.
5. Configure the PVID of the trunk ports.
   Command: port trunk pvid vlan vlan-id
   Remarks: Optional. By default, the PVID is VLAN 1.
To change the link type of a port from trunk to hybrid or from hybrid to trunk, you must set the link type
to access first.
After configuring the PVID for a trunk port, you must use the port trunk permit vlan command to configure
the trunk port to allow packets from the PVID to pass through.
To change the link type of a port from trunk to hybrid or from hybrid to trunk, you must set the link type
to access first.
After you configure the PVID for a hybrid port, you must use the port hybrid vlan command to configure
the hybrid port to allow packets from the PVID to pass through.
Port-based VLAN configuration example
The configuration example was created on the 10500/7500 20G unified wired-WLAN module and
may vary with device models.
When configuring the 10500/7500 20G unified wired-WLAN module, make sure the settings are
correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.
For more information, see HP 10500 & 7500 20G Unified Wired-WLAN Module Fundamentals
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make
sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.
Network requirements
As shown in Figure 6:
• Client 1 and Client 3 belong to Department A, and access the enterprise network through different
devices. Client 2 and Client 4 belong to Department B, and access the enterprise network through
different devices.
• To ensure communication security and avoid broadcast storms, VLANs are configured in the
enterprise network to isolate Layer 2 traffic of different departments. VLAN 100 is assigned to
Department A, and VLAN 200 is assigned to Department B.
• Make sure that hosts within the same VLAN can communicate with each other. Client 1 can
communicate with Client 3, and Client 2 can communicate with Client 4.
Figure 6 Network diagram
Configuration procedure
1. Configure AC 1:
# Create interface WLAN-ESS 1 and VLAN 100, and assign interface WLAN-ESS 1 to VLAN 100.
<AC1> system-view
[AC1] interface WLAN-ESS 1
[AC1-WLAN-ESS1] quit
[AC1] vlan 100
[AC1-vlan100] port WLAN-ESS 1
[AC1-vlan100] quit
# Create interface WLAN-ESS 2 and VLAN 200, and assign interface WLAN-ESS 2 to VLAN 200.
[AC1] interface WLAN-ESS 2
[AC1-WLAN-ESS2] quit
[AC1] vlan 200
[AC1-vlan200] port WLAN-ESS 2
[AC1-vlan200] quit
# Create clear-type service template 2, configure its SSID as vlan100, bind it to WLAN-ESS 1, and
enable it with open-system authentication.
[AC1] wlan service-template 2 clear
[AC1-wlan-st-2] ssid vlan100
[AC1-wlan-st-2] bind wlan-ess 1
[AC1-wlan-st-2] authentication-method open-system
[AC1-wlan-st-2] service-template enable
[AC1-wlan-st-2] quit
# Create an AP template named ap1.
[AC1] wlan ap ap1 model E-MSM460-WW
[AC1-wlan-ap-ap1] serial-id CN2AD330S8
[AC1-wlan-ap-ap1] radio 1
# Bind service template 2 to interface radio 1 of AP template ap1.
[AC1-wlan-ap-ap1-radio-1] service-template 2
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
# Create clear-type service template 3, configure its SSID as vlan200, bind it to WLAN-ESS 2, and
enable it with open-system authentication.
[AC1] wlan service-template 3 clear
[AC1-wlan-st-3] ssid vlan200
[AC1-wlan-st-3] bind wlan-ess 2
[AC1-wlan-st-3] authentication-method open-system
[AC1-wlan-st-3] service-template enable
[AC1-wlan-st-3] quit
# Create an AP template named ap2.
[AC1] wlan ap ap2 model E-MSM460-WW
[AC1-wlan-ap-ap2] serial-id CN2AD330S7
[AC1-wlan-ap-ap2] radio 1
# Bind service template 3 to interface radio 1 of AP template ap2.
[AC1-wlan-ap-ap2-radio-1] service-template 3
[AC1-wlan-ap-ap2-radio-1] radio enable
[AC1-wlan-ap-ap2-radio-1] quit
[AC1-wlan-ap-ap2] quit
# Configure Layer 2 aggregate interface 1 as a trunk interface, and assign the interface to VLANs
100 and 200, so that the packets from VLAN 100 and VLAN 200 on AC 1 can be forwarded to
AC 2.
[AC1] interface Bridge-Aggregation 1
[AC1-Bridge-Aggregation1] port link-type trunk
[AC1-Bridge-Aggregation1] port trunk permit vlan 100 200
2. Configure AC 2 as you configured AC 1.
3. Configure Client 1 and Client 3 to be on the same IP subnet, for example, 192.168.100.0/24.
Configure Client 2 and Client 4 to be on the same IP subnet, for example, 192.168.200.0/24.
Verification
1. Client 1 and Client 3 can ping each other successfully, but they both fail to ping Client 2. Client 2
and Client 4 can ping each other successfully, but they both fail to ping Client 1.
2. Check whether the configuration is successful by displaying relevant VLAN information:
# Display information about VLANs 100 and 200 on AC 1.
[AC1] display vlan 100
VLAN ID: 100
VLAN Type: static
Route Interface: not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged Ports:
Bridge-Aggregation1
Ten-GigabitEthernet1/0/1
Ten-GigabitEthernet1/0/2
Untagged Ports:
WLAN-ESS1
[AC1] display vlan 200
VLAN ID: 200
VLAN Type: static
Route Interface: not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged Ports:
Bridge-Aggregation1
Ten-GigabitEthernet1/0/1
Ten-GigabitEthernet1/0/2
Untagged Ports:
WLAN-ESS2
With static MAC-based VLAN assignment configured on a port, the device processes received frames by
using the following guidelines:
• When the port receives an untagged frame, the device looks up the MAC address-to-VLAN map
based on the source MAC address of the frame for a match.
   ◦ The device first performs a fuzzy match. In the fuzzy match, the device searches the MAC
address-to-VLAN entries whose masks are not all-Fs and performs a logical AND operation on
the source MAC address and each mask. If the result of an AND operation matches the
corresponding MAC address, the device tags the frame with the corresponding VLAN ID.
   ◦ If the fuzzy match fails, the device performs an exact match. In the exact match, the device
searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address of a
MAC address-to-VLAN entry matches the source MAC address of the untagged frame, the
device tags the frame with the corresponding VLAN ID.
   ◦ When a frame that matches the MAC address-to-VLAN entry is forwarded, the forwarding
policy for the frame is determined by the priority of the MAC-based VLAN (the 802.1p priority
of the VLAN corresponding to the MAC address).
   ◦ If no match is found, the device assigns a VLAN to the frame by using other criteria, such as IP
subnet or protocol, and forwards the frame.
   ◦ If no VLAN is available, the device tags the frame with the PVID of the receiving port and
forwards the frame.
• When the port receives a tagged frame, the port forwards the frame if the VLAN ID of the frame is
permitted by the port, and otherwise it drops the frame.
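The lookup order described above for untagged frames, as an added Python example (not code from the HP guide). It follows the stated order literally: masked (fuzzy) entries first, then all-Fs (exact) entries, then the PVID. The "other criteria" step is skipped because the device supports only port-based and MAC-based VLANs. The two exact entries use the client MAC addresses from the MAC-based VLAN configuration example in this chapter; the masked entry for VLAN 300 and all names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_F = 0xFFFFFFFFFFFF  # mask ffff-ffff-ffff marks an exact-match entry


def mac_to_int(text: str) -> int:
    """Parse a MAC address written as xxxx-xxxx-xxxx (":" and "." also accepted)."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: " + text)
    return int(digits, 16)


@dataclass(frozen=True)
class MacVlanEntry:
    mac: int           # MAC address of the entry
    mask: int          # ALL_F for exact entries, anything else for fuzzy entries
    vlan: int          # VLAN ID applied on a match
    priority: int = 0  # 802.1p priority mapped to the MAC address


def entry(mac: str, mask: str, vlan: int, priority: int = 0) -> MacVlanEntry:
    return MacVlanEntry(mac_to_int(mac), mac_to_int(mask), vlan, priority)


def classify_untagged(
    src_mac: str, table: List[MacVlanEntry], pvid: int = 1
) -> Tuple[int, Optional[int], str]:
    """Return (VLAN ID, 802.1p priority or None, matching stage) for an untagged frame."""
    src = mac_to_int(src_mac)
    # Stage 1, fuzzy match: AND the source MAC with each non-all-Fs mask.
    for item in table:
        if item.mask != ALL_F and (src & item.mask) == item.mac:
            return item.vlan, item.priority, "fuzzy"
    # Stage 2, exact match: only entries whose mask is all-Fs.
    for item in table:
        if item.mask == ALL_F and item.mac == src:
            return item.vlan, item.priority, "exact"
    # Last resort: tag the frame with the PVID of the receiving port.
    return pvid, None, "pvid"


# Entries from the chapter's configuration example (Client 1 and Client 2).
EXACT_ONLY = [
    entry("000d-88f8-4e71", "ffff-ffff-ffff", 100),
    entry("0014-222c-aa69", "ffff-ffff-ffff", 200),
]
# Constructed: a masked entry covering every address that starts with 000d-88.
WITH_MASKED = EXACT_ONLY + [entry("000d-8800-0000", "ffff-ff00-0000", 300)]

if __name__ == "__main__":
    for table in (EXACT_ONLY, WITH_MASKED):
        for mac in ("000d-88f8-4e71", "0014-222c-aa69", "0000-5e00-5301"):
            print(mac, classify_untagged(mac, table))
```

Because the fuzzy stage runs first, the constructed masked entry captures Client 1's address before its exact entry is consulted, which is worth checking for when masked and exact entries overlap.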
When you configure static MAC-based VLAN assignment, follow these guidelines:
• When a port is assigned to the corresponding VLAN in a MAC address-to-VLAN entry, but has not
been assigned to the VLAN by using the port hybrid vlan command, the port sends packets from
the VLAN with VLAN tags removed.
• When a packet matches a MAC address-to-VLAN entry, the device picks a forwarding policy for
the packet according to the 802.1p priority mapped to the MAC address.
Configuration procedure
To configure static MAC-based VLAN assignment:
3. Configure the link type of the ports as hybrid.
   Command: port link-type hybrid
   Remarks: By default, all ports are access ports.
4. Configure the hybrid ports to permit packets from specific MAC-based VLANs to pass through.
   Command: port hybrid vlan vlan-list { tagged | untagged }
   Remarks: By default, a hybrid port only permits the packets of VLAN 1 to pass through.
5. Enable the MAC-based VLAN feature.
   Command: mac-vlan enable
   Remarks: By default, MAC-based VLAN is disabled.
6. Configure 802.1X, MAC, portal authentication, or any combination.
   Command: N/A
   Remarks: For more information, see Security Command Reference.
MAC-based VLAN configuration example
The configuration example was created on the 10500/7500 20G unified wired-WLAN module and
may vary with device models.
When configuring the 10500/7500 20G unified wired-WLAN module, make sure the settings are
correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.
For more information, see HP 10500 & 7500 20G Unified Wired-WLAN Module Fundamentals
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make
sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.
Network requirements
As shown in Figure 7:
• WLAN-ESS 1 of AC 1 and AC 2 are each connected to a meeting room. Client 1 and Client 2 are
used for meetings and may be used in either of the two meeting rooms.
• Client 1 and Client 2 are owned by different departments. The two departments use VLAN 100 and
VLAN 200 respectively. Each client can access only its own department server no matter which
meeting room it is used in.
• The MAC address of Client 1 is 000D-88F8-4E71, and that of Client 2 is 0014-222C-AA69.
Figure 7 Network diagram
Configuration consideration
• Create VLANs 100 and 200.
• Configure the uplink ports of AC 1 and AC 2 as trunk ports, and assign them to VLANs 100 and
200.
• Configure the downlink ports of Device as trunk ports, and assign them to VLANs 100 and 200.
Assign the uplink ports of Device to VLANs 100 and 200.
• Associate the MAC address of Client 1 with VLAN 100, and the MAC address of Client 2 with
VLAN 200.
Configuration procedure
1. Configure AC 1:
# Create VLANs 100 and 200.
<AC1> system-view
[AC1] vlan 100
[AC1-vlan100] quit
[AC1] vlan 200
[AC1-vlan200] quit
# Associate the MAC address of Client 1 with VLAN 100, and the MAC address of Client 2 with
VLAN 200.
[AC1] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[AC1] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure Client 1 and Client 2 to access the network through WLAN-ESS 1. Configure
WLAN-ESS 1 as a hybrid port that sends packets of VLANs 100 and 200 untagged, and enable
the MAC-based VLAN feature on it.
[AC1] interface wlan-ess 1
[AC1-WLAN-ESS1] port link-type hybrid
[AC1-WLAN-ESS1] port hybrid vlan 100 200 untagged
Please wait... Done.
[AC1-WLAN-ESS1] mac-vlan enable
[AC1-WLAN-ESS1] quit
# Create service template 2, and set its SSID to vlan100.
[AC1] wlan service-template 2 clear
[AC1-wlan-st-2] ssid vlan100
[AC1-wlan-st-2] bind wlan-ess 1
[AC1-wlan-st-2] authentication-method open-system
[AC1-wlan-st-2] service-template enable
[AC1-wlan-st-2] quit
# Create an AP template named ap1.
[AC1] wlan ap ap1 model E-MSM460-WW
[AC1-wlan-ap-ap1] serial-id CN2AD330S8
[AC1-wlan-ap-ap1] radio 1
# Bind service template 2 to interface radio 1 of AP template ap1.
[AC1-wlan-ap-ap1-radio-1] service-template 2
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
# Configure Layer 2 aggregate interface 1 as a hybrid interface, and assign the interface to
VLANs 100 and 200 as a tagged member, so that the packets from VLANs 100 and 200 on AC
1 can be forwarded to AC 2.
[AC1] interface Bridge-Aggregation 1
[AC1-Bridge-Aggregation1] port link-type hybrid
[AC1-Bridge-Aggregation1] port hybrid vlan 100 200 tagged
2. Configure Device:
# Create VLANs 100 and 200. Assign Ethernet 1/13 to VLAN 100, and Ethernet 1/14 to VLAN
200.
<Device> system-view
[Device] vlan 100
[Device-vlan100] port ethernet 1/13
[Device-vlan100] quit
[Device] vlan 200
[Device-vlan200] port ethernet 1/14
[Device-vlan200] quit
# Configure Ethernet 1/3 and Ethernet 1/4 as trunk ports, and assign them to VLANs 100 and
200.
[Device] interface ethernet 1/3
[Device-Ethernet1/3] port link-type trunk
[Device-Ethernet1/3] port trunk permit vlan 100 200
[Device-Ethernet1/3] quit
[Device] interface ethernet 1/4
[Device-Ethernet1/4] port link-type trunk
[Device-Ethernet1/4] port trunk permit vlan 100 200
[Device-Ethernet1/4] quit
3. Configure AC 2 as you configured AC 1.
Verification
1. Client 1 can access Server 1 only, and Client 2 can access Server 2 only.
2. On AC 1 and AC 2, you can see that VLAN 100 is associated with the MAC address of Client 1,
and VLAN 200 is associated with the MAC address of Client 2.
[AC1] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static  D:Dynamic
MAC ADDR         MASK             VLAN ID   PRIO   STATE
--------------------------------------------------------
000d-88f8-4e71   ffff-ffff-ffff   100       0      S&D
0014-222c-aa69   ffff-ffff-ffff   200       0      S&D
Configuration guidelines
• The MAC-based VLAN feature can be configured only on hybrid ports.
• The MAC-based VLAN feature is usually configured on the downlink ports of access layer devices,
and it cannot be configured together with the link aggregation function.
Displaying and maintaining VLAN
Display VLAN information.
   Command: display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Display hybrid ports or trunk ports on the device.
   Command: display port { hybrid | trunk } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Display all interfaces with MAC-based VLAN enabled.
   Command: display mac-vlan interface [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Configuring the MAC address table
This document covers only the configuration of unicast MAC address entries, including static, dynamic,
and destination blackhole MAC address entries.
The MAC address table configuration tasks can be performed in any order.
Overview
To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address
table for forwarding frames. This table describes from which interface a MAC address (or host) can be
reached. When forwarding a single-destination frame, the device first looks up the destination MAC
address of the frame in the MAC address table for a match. If the device finds an entry, it forwards the
frame out of the outgoing interface in the entry. If the device does not find an entry, it floods the frame out
of all but the incoming interface.
To view MAC address table information, use the display mac-address command, as follows:
<Sysname> display mac-address
MAC ADDR         VLAN ID   STATE     PORT INDEX            AGING TIME(s)
000f-e201-0101   1         Learned   Bridge-Aggregation1   AGING
To improve interface security, you can bind specific user devices to the interface by manually adding
MAC address entries to the MAC address table of the device.
2. Enter Layer 2 Ethernet or aggregate interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable global MAC address learning.
   Command: undo mac-address mac-learning disable
   Remarks: Optional. By default, global MAC address learning is enabled.

2. Configure the aging timer for dynamic MAC address entries.
   Command: mac-address timer { aging seconds | no-aging }
   Remarks: Optional. By default, the aging timer is 300 seconds. The no-aging keyword disables the aging timer.
You can reduce floods on a stable network by disabling the aging timer to prevent dynamic entries from
unnecessarily aging out. By reducing floods, you improve not only network performance, but also
security, because you reduce the chances that a data packet will reach unintended destinations.
Configuring the MAC learning limit on interfaces
As the MAC address table grows, the forwarding performance of your device might degrade. To prevent
the MAC address table from getting so large that the forwarding performance degrades, you can limit
the number of MAC addresses that an interface can learn.
To configure the MAC learning limit on a Layer 2 Ethernet interface, Layer 2 aggregate interface, or all
interfaces in a port group:
Display MAC address statistics.
   Command: display mac-address statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
MAC address table configuration example
The configuration example was created on the 10500/7500 20G unified wired-WLAN module and
may vary with device models.
When configuring the 10500/7500 20G unified wired-WLAN module, make sure the settings are
correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.
For more information, see HP 10500 & 7500 20G Unified Wired-WLAN Module Fundamentals
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make
sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.
Network requirements
As shown in Figure 8:
• The MAC address of Client 1 is 000f-e235-dc71 and belongs to VLAN 1. It is connected to
Ten-GigabitEthernet 1/0/1 of the device. To prevent MAC address spoofing, add a static entry to
the MAC address table of the device for the host.
• The MAC address of Client 2 is 000f-e235-abcd and belongs to VLAN 1. Because this host once
behaved suspiciously on the network, you can add a destination blackhole MAC address entry for
the MAC address to drop all packets destined for the host.
• Set the aging timer for dynamic MAC address entries to 500 seconds.
Figure 8 Network diagram
Configuration procedure
# Add a static MAC address entry.
<AC> system-view
[AC] mac-address static 000f-e235-dc71 interface Ten-Gigabitethernet 1/0/1 vlan 1
# Add a destination blackhole MAC address entry.
[AC] mac-address blackhole 000f-e235-abcd vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[AC] mac-address timer aging 500
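Added example (not part of the HP guide): a Python audit that parses display mac-address output and checks it against the static and blackhole entries configured above, so that a missing or overwritten entry is noticed. The sample output is constructed, and the Config static, Blackhole, N/A and NOAGED values in it are assumptions about the device's output; only the Learned row format appears in this guide.

```python
import re

# Policy from the configuration example above (VLAN 1 for both hosts).
PINNED = {"000f-e235-dc71": ("Ten-GigabitEthernet1/0/1", 1)}  # static entry
BLACKHOLED = {"000f-e235-abcd": 1}                             # blackhole entry

MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")

# Constructed sample output. "Config static", "Blackhole", "N/A" and "NOAGED"
# are assumed values; only the "Learned" row format is shown in the guide.
GOOD = """\
MAC ADDR        VLAN ID  STATE          PORT INDEX                AGING TIME(s)
000f-e235-dc71  1        Config static  Ten-GigabitEthernet1/0/1  NOAGED
000f-e235-abcd  1        Blackhole      N/A                       NOAGED
000f-e201-0101  1        Learned        Bridge-Aggregation1       AGING
"""
# Constructed drift case: both protected MACs show up as dynamic entries.
DRIFT = """\
000f-e235-dc71  1  Learned  Ten-GigabitEthernet1/0/2  AGING
000f-e235-abcd  1  Learned  Ten-GigabitEthernet1/0/3  AGING
"""

def norm_port(name):
    """Compare port names without regard to case or embedded spaces."""
    return name.replace(" ", "").lower()

def parse_mac_table(text):
    """Return one dict per entry row of 'display mac-address' output.

    STATE can be more than one word, so MAC and VLAN are taken from the
    left and PORT and AGING from the right; what remains is STATE.
    """
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not MAC_RE.fullmatch(tok[0].lower()) or not tok[1].isdigit():
            continue  # header, prompt or blank line
        rows.append({"mac": tok[0].lower(), "vlan": int(tok[1]),
                     "state": " ".join(tok[2:-2]), "port": tok[-2]})
    return rows

def audit(rows):
    """Return (mac, problem) tuples for entries that contradict the policy."""
    table = {(r["mac"], r["vlan"]): r for r in rows}
    findings = []
    for mac, (port, vlan) in PINNED.items():
        row = table.get((mac, vlan))
        if row is None:
            findings.append((mac, "no entry: static entry is missing"))
        elif row["state"] == "Learned":
            findings.append((mac, f"learned dynamically on {row['port']}: static entry is missing"))
        elif norm_port(row["port"]) != norm_port(port):
            findings.append((mac, f"bound to {row['port']}, expected {port}"))
    for mac, vlan in BLACKHOLED.items():
        row = table.get((mac, vlan))
        if row is None:
            findings.append((mac, "no entry: blackhole entry is missing"))
        elif row["state"] == "Learned":
            findings.append((mac, f"forwarding entry learned on {row['port']}: blackhole entry is missing"))
    return findings

if __name__ == "__main__":
    for name, output in (("GOOD", GOOD), ("DRIFT", DRIFT)):
        print(name, audit(parse_mac_table(output)) or "matches policy")
```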
Configuring Ethernet link aggregation
Overview
Ethernet link aggregation, or simply link aggregation, combines multiple physical Ethernet ports into one
logical link called an "aggregate link." Link aggregation delivers the following benefits:
• Increases bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed
across the member ports.
• Improves link reliability. The member ports back up one another dynamically. When a member port
fails, its traffic is switched automatically to other member ports.
As shown in Figure 9, Device A and Device B are connected by three physical Ethernet links. These
physical Ethernet links are combined into an aggregate link, Link Aggregation 1. The bandwidth of this
aggregate link is as high as the total bandwidth of the three physical Ethernet links. At the same time, the
three Ethernet links back up one another.
Figure 9 Ethernet link aggregation (Device A and Device B, ports Eth1/1, Eth1/2, and Eth1/3 on each device, combined into Link aggregation 1)
Basic concepts
This section describes some basic link aggregation concepts.
Operational key
When aggregating ports, the system automatically assigns each port an operational key based on port
information such as port rate and duplex mode. Any change to this information triggers a recalculation
of the operational key.
In an aggregation group, all selected member ports are assigned the same operational key.
Configuration classes
Every configuration setting on a port might affect its aggregation state. Port configurations include the
following classes:
• Port attribute configurations—Include port rate, duplex mode, and link status (up or down). These
are the most basic port configurations.
• Class 2 configurations—A member port can be placed in Selected state only if it has the same
Class 2 configurations as the aggregate interface. Class 2 configurations made on an aggregate
interface are automatically synchronized to all its member ports. These configurations are retained
on the member ports even after the aggregate interface is removed.
Table 1 Class 2 configurations
Feature: VLAN
Considerations: Permitted VLAN IDs, PVID, and link type (trunk, hybrid, or access).
NOTE:
Any Class 2 configuration change might affect the aggregation state of link aggregation member ports
and ongoing traffic. To be sure that you are aware of the risk, the system displays a warning message
every time you try to change a Class 2 configuration setting on a member port.
Reference port
When setting the aggregation state of the ports in an aggregation group, the system automatically picks
a member port as the reference port. A Selected port must have the same port attributes and Class 2
configurations as the reference port. For information about how a reference port is chosen in a static link
aggregation group, see "Choosing a reference port" in the section "Aggregating links in static mode."
• Half duplex/low speed
The one at the top is chosen as the reference port. If two ports have the same aggregation priority, duplex
mode, and speed, the one with the lower port number is chosen.
[Flowchart: the decision steps are "Is there any hardware restriction?", "Is the port up?", and "Port attribute/class 2 configurations same as the reference port?"]
• To ensure stable aggregation state and service continuity, do not change port attributes or Class 2
configurations on any member port. If you must, make sure you understand its impact on the live
network. Any port attribute or Class 2 configuration change might affect the aggregation state of
link aggregation member ports and ongoing traffic.
• Avoid assigning ports to a static aggregation group that has reached the limit on Selected ports.
These ports will be placed in Unselected state to avoid traffic interruption on the current Selected
ports. However, a device reboot can cause the aggregation state of member ports to change.
5. Assign the port an aggregation priority.
   Command: link-aggregation port-priority port-priority
   Remarks: Optional. By default, the aggregation priority of a port is 32768. When the number of ports eligible for Selected ports exceeds the maximum number of Selected ports allowed in a static aggregation group, changing the aggregation priority of a port might affect the aggregation state of the ports in the static aggregation group.

3. Configure the description of the aggregate interface.
   Command: description text
   Remarks: Optional. By default, the description of an interface is in the format of interface-name Interface, such as Bridge-Aggregation1 Interface.

2. Enable the trap function globally.
   Command: snmp-agent trap enable [ standard [ linkdown | linkup ] * ]
   Remarks: Optional. By default, link state trapping is enabled globally and on all interfaces.
3. Enter Layer 2 aggregate interface view.
   Command: interface bridge-aggregation interface-number
   Remarks: N/A

1. Enter system view.
   Command: system-view
2. Enter Layer 2 aggregate interface view.
   Command: interface bridge-aggregation interface-number
3. Restore the default settings for the aggregate interface.
   Command: default
A link aggregation group preferentially uses the group-specific load-sharing criteria. If no group-specific
load-sharing criteria is available, the group uses the global load-sharing criteria.
Display detailed information about a specific or all aggregation groups.
   Command: display link-aggregation verbose [ bridge-aggregation [ interface-number ] ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Clear statistics for a specific or all aggregate interfaces.
   Command: reset counters interface [ bridge-aggregation [ interface-number ] ]
   Remarks: Available in user view.
Configuring Layer 2 forwarding
Configuration procedure
Normal Layer 2 forwarding is enabled by default.
Configuration procedure
To configure fast Layer 2 forwarding:
1. Enter system view.
   Command: system-view
   Remarks: N/A
Configuration procedure
To enable Layer 2 FPGA fast forwarding:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable Layer 2 FPGA fast forwarding.
   Command: fpga work-mode fast-forwarding
   Remarks: By default, Layer 2 FPGA fast forwarding is disabled.
Configuring PPPoE
Support for this feature depends on the device model. For more information, see About the HP 830 Series
PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module
Configuration Guides.
Overview
Point-to-Point Protocol over Ethernet (PPPoE) extends PPP by transporting PPP packets encapsulated in
Ethernet over point-to-point links.
PPPoE can provide access to the Internet for the hosts in an Ethernet through a remote access device and
implement access control and accounting on a per-host basis. Integrating the low cost of Ethernet and
scalability and management functions of PPP, PPPoE gained popularity in various application
environments, such as residential networks.
• As shown in Figure 12, the PPP session is established between each host (PPPoE client) and the
carrier router (PPPoE server). The service provider assigns an account to each host for billing and
control. The host must be installed with PPPoE client dialup software. This network structure is
applicable to campus and residential environments.
Figure 12 Network structure 2 (Host A and Host B as PPPoE clients, Router as PPPoE server, Internet)

3. Enter VLAN interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
4. Enable PPPoE on the VLAN interface and bind this interface to a specified VT interface.
   Command: pppoe-server bind virtual-template number
   Remarks: Disabled by default.
5. Return to system view.
   Command: quit
   Remarks: N/A
6. Set the maximum number of PPPoE sessions allowed for a peer MAC address.
   Command: pppoe-server max-sessions remote-mac number
   Remarks: Optional. 100 by default.
7. Set the maximum number of PPPoE sessions allowed for a local MAC address.
   Command: pppoe-server max-sessions local-mac number
   Remarks: Optional. 100 by default.
8. Set the maximum number of PPPoE sessions allowed on the device.
   Command: pppoe-server max-sessions total number
   Remarks: Optional. The default setting is 4096.
9. Set the upper threshold for the PPPoE abnormal offline event count.
   Command: pppoe-server abnormal-offline-count threshold number
   Remarks: Optional. 65535 by default. If the PPPoE abnormal offline event count in the last 5 minutes exceeds this threshold, the system outputs a trap message.
10. Set the upper threshold for the PPPoE abnormal offline event percentage.
   Command: pppoe-server abnormal-offline-percent threshold number
   Remarks: Optional. 100 by default. If the PPPoE abnormal offline event percentage in the last 5 minutes exceeds this threshold, the system outputs a trap message.
11. Set the lower threshold for the PPPoE normal offline event percentage.
   Command: pppoe-server normal-offline-percent threshold number
   Remarks: Optional. 0 by default. If the PPPoE normal offline event percentage in the last 5 minutes is lower than this threshold, the system outputs a trap message.
12. Configure authentication and accounting on PPP users.
   Command: See Security Configuration Guide.
   Remarks: Optional.
13. Disable PPP log displaying.
   Command: pppoe-server log-information off
   Remarks: Optional. Enabled by default.
When you configure a static route on a VT interface, specify the next hop instead of the outgoing
interface. If the outgoing interface is required, make sure the physical interface bound to the VT interface
is effective to ensure normal transport of packets.
For more information, see HP 10500 & 7500 20G Unified Wired-WLAN Module Fundamentals
Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on
an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make
sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.
Network requirements
As shown in Figure 13, Clients 1, 2, and 3 (PPPoE clients) access the Internet through AC (PPPoE server),
which performs local authentication and assigns IP addresses to the users.
AC provides Internet access for PPPoE clients through VLAN-interface 1. It connects to the Internet through
VLAN-interface 2.
Figure 13 Network diagram (labels: Client 1, Client 2, Client 3, AP 1, AP 2, AP 3, L2 switch, AC, Internet)
Configuration procedure
(Approach 1) Configuring CHAP authentication
# Add a PPPoE user.
<AC> system-view
[AC] local-user user1
[AC-luser-user1] password simple pass1
[AC-luser-user1] service-type ppp
[AC-luser-user1] quit
[AC-Vlan-interface1] quit
# Configure local authentication for the users in the default ISP domain system.
[AC] domain system
[AC-isp-system] authentication ppp local
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.
Websites
• HP.com http://www.hp.com
• HP Networking http://www.hp.com/go/networking
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com
• HP Education http://www.hp.com/learn
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]   Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
&<1-n>            The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
GUI conventions
Convention        Description
Boldface          Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
>                 Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention        Description
WARNING           An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION           An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
Network topology icons
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.