EPON OLT Operation Manual V1.2 20211102
Version: V1.3
Content
1.1 CLI
1. Perform local configuration through the Console port; the serial port baud rate is 115200, set
3. Provide FTP, TFTP and Xmodem services so that users can upload and download files.
The login verification of this OLT's system console verifies the identity of the operating user:
the entered user name and password are matched against the configured accounts to allow or
deny the user's login.
Step 1: When entering the command line interface, the following login prompt appears:
Login:
Please enter the login user name, press Enter, and then enter the password:
*****
After entering the correct login password, you can enter the normal user view:
EPON>
There are two different permission levels, one for administrators and the other for
Ordinary users can only view and have no right to modify, but the administrator can manage
If you log in as a system administrator, you will enter the privileged user view:
EPON>enable
E.g:
[EPON]quit
"quit" is a command without parameters. After typing this command, press Enter to execute the
command.
[EPON]vlan 100
There is a built-in syntax help in the command line interface. In any command mode, type "?"
or use the help command to get all the commands in the command mode and their brief
descriptions.
E.g:
<EPON>?
----------------------------------------------
-----------------------------------------------
[EPON]interf?
interface
3. Type a space after the command line string and add "?"
[EPON]stp ?
[EPON]stp forward-time ?
[EPON] stp ?
The command line interface provides a function similar to DosKey. Commands entered by
users are automatically saved by the command line interface and can be recalled and executed
at any later time. The history command buffer defaults to 100, that is, the command line
interface stores 100 history commands for each user. To access the previous command, press
the up arrow or Ctrl+P; to access the next command, press the down arrow or Ctrl+N.
-Admin administrator
-Normal user
Normal users can only enter user mode after logging in to the switch, so they can only check
basic information about operation and statistics; an administrator can enter every higher
privilege level of the switch to manage both the users and the switch.
The username of the super-administrator is admin and its initial password is admin. It is
suggested to modify the password after the initial login. This username and its administrator
privilege: the user authority; the value range is 0~15, where 0~1 means normal user and 2~15
means administrator.
encryption-type: the value is 0 or 7; 0 means that the password is set in plain text, and 7
Example:
!Create the administrator user “test”, the password is test, and the privilege level is 15
Notice:
Only the system administrator user admin can delete user accounts; other users cannot delete
users.
The system administrator admin can modify the password of himself or other users, and other
Example:
Example:
!Modify the privilege of the existing user “test” to 1, and the password to test
Example:
【Example】
【Example】
[EPON]display login-users
【Example】
<EPON>remote-stop test
User accounts can be stored in the local database of the switch or on a RADIUS/TACACS+
Notice:
The admin user only supports the authentication method of the local database.
[ timeout timevalue ]
【Example】
[EPON]display version
【Example】
configuration mode
name
【Example】
[EPON]sysname EPON-ABCD
[EPON-ABCD]
The tracert command is supported for checking network connectivity. The tracert command can be
【Parameter Description】
-p udpport: the destination port; the value range is 1-65535, and the default port is 62929;
-f first_ttl: the initial TTL value; the value range is 1-255, and the default value is 1;
-h maximum_hops: the maximum TTL value; the value range is 1-255, and the default value is 30;
-w time_out: the timeout period for waiting for a response; the value range is 10-60 seconds,
【Example】
<EPON>tracert 192.168.1.2
The system supports a port loopback test function, used to test the internal and external
interface-num } | interface-name }
VCT is used to detect whether a network cable is normal (NORMAL), open circuit (OPEN), short circuit
A normal connection of the network cable is reported as NORMAL, a disconnected cable as
OPEN, and a short-circuited cable as SHORT. Impedance mismatch (IMPEDANCE MISMATCH)
generally occurs when two network cables with different impedances are connected together.
If a fault is found, its location along the cable can also be detected. The longest detection
distance of VCT is 181 meters for 100M ports and 175 meters
mode
ports
| interface-name }
single port
【Example】
[EPON-ethernet-0/1]vct run
Notice:
VCT detection is only for Cat 5 Ethernet ports and does not support VCT detection on optical
fiber ports.
You can restrict the host IP address or network segment allowed to log in to the switch's
web, telnet and snmp agent; IP addresses other than those matching the configuration cannot
mode
address restriction
configuration information
【Example】
[EPON]display login-acl
mode
Telnet users
Telnet
configuration information
【Example】
!Configure to allow only two Telnet users to enter privileged user view at the same time
CPU-CAR is mainly used to set the rate at which the CPU receives packets, so as to limit the number
mode
CPU-CAR Value
【Example】
[EPON]cpu-car 100
After modifying the configuration, you should save it so that it takes effect the next time the
system restarts. Use the following commands to save the configuration.
Operation Command Remarks
If you need to reset to factory defaults, you can use the following commands to erase all
configuration.
Use the following command to display the configuration you have saved.
Operation Command Remarks
【Example】
<EPON>display startup-config
!Display the contents of GARP and OAM modules in the configuration file
configurations [ perlinesnum ]
【Example】
<EPON>display current-config
tftpserver-ip is the IP address of the TFTP server, and filename is the name of the file to be
uploaded. Before entering the command, start the TFTP server and set the destination path
【Example】
!Upload the configuration file by TFTP and name the configuration file config.txt
After the upload is successful, the file config.txt in the computer with the IP address of
After downloading successfully and restarting the system, the system will use the new
!Upload the log file by TFTP and name the log file log.txt
After downloading successfully and restarting the system, host.bin will run.
view
ftpserver-ip is the IP address of the FTP server, and filename is the name of the file to be
uploaded. username and userpassword are the username and password set in the FTP
server. Before entering the command, you should open the FTP server, and set the user
【Example】
!Upload the configuration file by FTP and name the configuration file config.txt
!Upload the log file by FTP and name the log file log.txt
After entering the command, select "Transfer" -> "Send File" in the HyperTerminal menu, enter
the full path and file name of the file in the "File Name" field of the "Send File" dialog box that
pops up, select Xmodem in the "Protocol" drop-down list, and then click the [Send] button.
【Example】
hh:mm:ssweekday weekly } }
restart
【Example】
The gigabit port of the OLT supports 10/100/1000Base-T. The port can work in half-duplex and
full-duplex modes. It can negotiate with other network equipment to determine the working
mode and rate, automatically selecting the most suitable ones, which simplifies system
configuration and management. The 10G optical port supports 1000 Mbps and 10000 Mbps
full-duplex modes. The PON port has a fixed rate and does not support rate configuration
Enter global configuration mode    system-view
mode.
interface-list } | interface-name }
【Example】
!Enter interface range configuration mode, this range includes Ethernet 1~3
[EPON-port-range]
interface-name }
interface-num ]
Access: An access port belongs to only one VLAN and is normally used to connect a user device.
Trunk: A trunk port can belong to more than one VLAN. It can receive/send packets from/to
multiple VLANs and is generally used to connect another switch. The packet sent from this port
Hybrid: A hybrid port can belong to multiple VLANs, can receive or send packets for multiple
VLANs, and is used to connect either user or network devices. It allows packets of multiple VLANs to
port type is Hybrid
【Example】
【Example】
interface-name }
Configure the port mode as access    port mode access
Add the Access port to the specified vlan    port default vlan vlan-id
ports
interface-num } ]
interface-num } ]
interface-name }
Mirroring refers to copying packets that meet specified rules to a destination port. Generally,
the destination port is connected to a data monitoring device, which users can use to analyze
the mirrored packets for monitoring and troubleshooting the network.
The source port is specified together with whether the packets to be mirrored are ingress or
egress: ingress mirrors only the packets received via the port; egress mirrors only the packets
sent by the port; both mirrors the packets received and sent by the port at the same time.
interface-num
destination-interface ethernet
interface-num }
egress | ingress }
【Example】
【Example】
Link aggregation means aggregating several ports together to form an aggregation group, so
as to implement outgoing/incoming load sharing among the member ports in the group and to
Depending on different aggregation modes, aggregation groups fall into two types: static LACP
and dynamic LACP. Depending on whether or not load sharing is implemented, aggregation
For the member ports in an aggregation group, their basic configuration must be the same.
The basic configuration includes STP, QoS, VLAN, port attributes, and other associated
settings.
STP configuration, including STP status (enabled or disabled), link attribute (point-to-point
QoS configuration, including traffic limiting, priority marking, default 802.1p priority, traffic
VLAN configuration, including permitted VLANs, and default VLAN ID, tag vlan list for
Port attribute configuration, including port rate, duplex mode, and link type (Trunk, Hybrid or
Access). The ports for a static aggregation group must have the same rate and link type, and
the ports for a dynamic aggregation group must have the same rate, duplex mode (full duplex)
The purpose of the link aggregation control protocol (LACP) is to implement dynamic link
aggregation and disaggregation. This protocol is based on IEEE 802.3ad and uses LACPDUs
(link aggregation control protocol data units) to interact with its peer.
After LACP is enabled on a port, LACP sends the following information about the port to its
peer in LACPDUs: the priority and MAC address of this system, and the priority, number and
operation key (the so-called O-Key) of the port. Upon receiving the information, the peer
compares it with the information of other ports on the peer device to determine which ports
can be aggregated with the receiving port. In this way, the two parties can reach an agreement
depending on the configurations of the port (rate, duplex mode, other basic configuration, and
1) The ports in the same aggregation group must have the same operation key (O-Key) and
2) The administrative key (A-Key) and operation key (O-Key) of an LACP-enable aggregation
3) The administrative key (A-Key) and operation key (O-Key) of an LACP-enable aggregation
A static aggregation group is manually created. All its member ports are manually added and
can be manually removed. Each static aggregation group must contain at least one port. When
a static aggregation group contains only one port, you cannot remove the whole aggregation
LACP is disabled on the member ports of static aggregation groups, and enabling LACP on
A port in a static aggregation group is only in one state: on, which means the port in a static
aggregation group must send and receive packets. There can be at most 8 ports in a static
aggregation group.
A dynamic LACP aggregation group is also manually created. All its member ports are
manually added and can be manually removed. Each dynamic aggregation group must
contain at least one port. When a dynamic aggregation group contains only one port, you
cannot remove the whole aggregation group unless you remove the port.
LACP is enabled on the member ports of dynamic aggregation groups, and disabling LACP on
The mode of a dynamic aggregation group can be active or passive; it is set manually by users.
A dynamic aggregation group in active mode actively sends LACPDUs; a group in passive
mode only responds to LACPDUs. When interconnecting with another device, static mode can
only interconnect with static mode; active mode can interconnect with both active and passive
mode, but passive mode can only interconnect with active mode. The default mode is ACTIVE.
A port in a dynamic aggregation group can be in one of three states: bundle (bndl), standby,
and no-bundle (no-bndl). In a dynamic aggregation group, only bundled ports can send and receive
Note:
In an aggregation group, the bundled port with the minimum port number serves
as the master port of the group, and other bundled ports serve as member ports of
the group.
No-bundled ports are the ports which fail to form link aggregation with other ports
There is a limit on the number of bundled ports in an aggregation group. Therefore, if the
number of the member ports that can be set as bundled ports in an aggregation group exceeds
the maximum number supported by the device, the system will negotiate with its peer end, to
determine the states of the member ports according to the port IDs of the preferred device (that
is, the device with smaller system ID). The following is the negotiation procedure:
1) Compare device IDs (system priority + system MAC address) between the two parties.
First compare the two system priorities, then the two system MAC addresses if the system
priorities are equal. The device with smaller device ID will be considered as the preferred one.
2) Compare port IDs (port priority + port number) on the preferred device. The comparison
between two port IDs is as follows: First compare the two port priorities, then the two port
numbers if the two port priorities are equal; the port with the smallest port ID is the bundled port
LACP determines the bundled and standby states of the dynamic aggregation group members
according to the priority of the port ID on the end with the preferred device ID.
The device ID consists of system priority and system MAC address, that is, device ID = system
When two device IDs are compared, the system priorities are compared first, and the system
MAC addresses are compared when the system priorities are the same. The device with
Note:
Changing the system priority of a device may change the preferred device
between the two parties, and may further change the states (bundled or standby)
LACP determines the bundled and standby states of the dynamic aggregation group members
according to the port IDs on the device with the preferred device ID. When the number of
members in an aggregation group exceeds the number of bundled ports supported by the
device in each group, LACP determines the bundled and standby states of the ports according
to the port IDs. The ports with superior port IDs will be set to bundled state and the ports with
The port ID consists of port priority and port number, that is, port ID = port priority + port
number. When two port IDs are compared, the port priorities are compared first, and the port
numbers are compared if the port priorities are the same. The port with smaller port ID is
LACP provides a link redundancy mechanism to guarantee the redundancy conformity of the two
interconnected devices, and the user can configure the redundant link, which is realized by system
Step 1 Selection reference. The two devices learn each other's LACP system ID and system MAC
address through LACPDU exchanges. The system priorities are compared first, and the system
MAC addresses are compared when the system priorities are the same. The
Step 2 Redundant link. The port priorities are compared first, and the port numbers are
compared if the port priorities are the same. The port with the smaller port ID is considered the
preferred one.
Load-balancing policy is specific physical link selection strategy when sending packets, which
can be source MAC, destination MAC, source and destination MAC, source IP, destination IP,
and source and destination IP. The default strategy is source MAC.
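The selection procedure described above (device ID, then the port IDs of the preferred device, bundled versus standby, master port) as a worked example added here in Python; it is not code from the manual or from the OLT. It assumes a default priority of 32768 for systems and ports (the manual gives no default) and that member port i on one end is cabled to member port i on the other.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_PRIORITY = 32768  # assumed default; the manual does not state one


@dataclass
class LacpPort:
    number: int
    priority: int = DEFAULT_PRIORITY

    def port_id(self) -> Tuple[int, int]:
        # Port ID = port priority + port number; the priority is compared
        # first, the port number only when the priorities are equal.
        return (self.priority, self.number)


@dataclass
class LacpSystem:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY
    ports: List[LacpPort] = field(default_factory=list)

    def device_id(self) -> Tuple[int, int]:
        # Device ID = system priority + system MAC; priority compared first,
        # MAC compared numerically when the priorities are equal.
        mac_value = int(self.mac.replace(":", "").replace("-", ""), 16)
        return (self.priority, mac_value)


def preferred_system(a: LacpSystem, b: LacpSystem) -> LacpSystem:
    """The device with the smaller device ID is the preferred one."""
    return a if a.device_id() <= b.device_id() else b


def select_bundled(local: LacpSystem, peer: LacpSystem, max_bundled: int = 8
                   ) -> Tuple[List[LacpPort], List[LacpPort], Optional[LacpPort]]:
    """Return (bundled, standby, master) for the local end of the group.

    The states are decided by the port IDs on the preferred device: the
    max_bundled links whose port IDs (on the preferred end) are smallest are
    bundled, the rest are standby. Link i is local.ports[i] <-> peer.ports[i].
    """
    if len(local.ports) != len(peer.ports):
        raise ValueError("both ends must list the same number of member links")
    pref = preferred_system(local, peer)
    ranked = sorted(range(len(pref.ports)), key=lambda i: pref.ports[i].port_id())
    bundled_links = set(ranked[:max_bundled])
    bundled = [p for i, p in enumerate(local.ports) if i in bundled_links]
    standby = [p for i, p in enumerate(local.ports) if i not in bundled_links]
    # The bundled port with the minimum port number serves as the master port.
    master = min(bundled, key=lambda p: p.number) if bundled else None
    return bundled, standby, master


if __name__ == "__main__":
    # Constructed sample: ten links, the peer has the smaller MAC and its port
    # numbering runs opposite to ours, so its port IDs decide the states.
    local = LacpSystem("olt", "00:00:5e:00:00:02",
                       ports=[LacpPort(n) for n in range(1, 11)])
    peer = LacpSystem("peer", "00:00:5e:00:00:01",
                      ports=[LacpPort(n) for n in range(10, 0, -1)])
    b, s, m = select_bundled(local, peer)
    print("preferred:", preferred_system(local, peer).name)
    print("bundled:", [p.number for p in b], "standby:", [p.number for p in s],
          "master:", m.number if m else None)
```

Lowering the local system priority makes the local end preferred and flips which links go to standby, which is the effect the note above warns about.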
You can create a static aggregation group, or remove an existing static aggregation group
(before that, all the member ports in the group are removed).
You can manually add/remove a port to/from a static aggregation group, and a port can only be
You can manually add/remove a port to/from a dynamic aggregation group, and a port can only
After the above configuration, execute the display command in any mode to display the
running status after the link aggregation configuration and verify your configuration.
Operation Command Remarks
consists of 16-bit system priority and 48-bit system MAC.
aggregation group
aggregation group
To implement Layer 2 isolation, you can add different ports to different VLANs. However, this
will waste the limited VLAN resource. With port isolation, the ports can be isolated within the
same VLAN. Thus, you need only to add the ports to the isolation group to implement Layer 2
isolation. This provides you with more secure and flexible networking schemes.
When a port in an aggregation group is configured as the member of isolation group, the other
Add a port to a port-isolation group. Isolated port members cannot communicate with each
other; they can only communicate with un-isolated ports.
Display isolate-port configuration    display port-isolation isolate-port
Chapter 7 Storm-Control
When there is a loop or a malicious attacker in the network, a flood of packets appears, which
occupies bandwidth and can even disrupt the network. Storm control prevents too many packets
from appearing in the network by restricting the rate at which a port receives
broadcast/multicast/unknown unicast packets. By default, broadcast storm control is enabled;
multicast storm control is disabled; unicast storm control is disabled.
unicast }
interface-list ] ]
Chapter 8 VLAN
Virtual Local Area Network (VLAN) groups the devices of a LAN logically but not physically into
segments to implement the virtual workgroups. IEEE issued the IEEE 802.1Q in 1999, which
Through VLAN technology, network managers can logically divide the physical LAN into
different broadcast domains. Every VLAN contains a group of workstations with the same
demands. The workstations of a VLAN do not have to belong to the same physical LAN
segment.
With VLAN technology, the broadcast and unicast traffic within a VLAN will not be forwarded to
other VLANs, therefore, it is very helpful in controlling network traffic, saving device investment,
A VLAN can span multiple switches, or even routers. This lets the hosts in a VLAN be dispersed
more loosely; that is, hosts in a VLAN can belong to different physical network segments.
Compared with the traditional Ethernet, VLAN enjoys the following advantages.
1) Broadcasts are confined to VLANs. This decreases bandwidth utilization and improves
network performance.
2) Network security is improved. VLANs cannot communicate with each other directly; that is,
a host in a VLAN cannot access resources in another VLAN directly unless routers or Layer 3
3) Network configuration workload for the host is reduced. VLAN can be used to group specific
hosts. When the physical position of a host changes within the range of the VLAN, you need
VLAN tags in the packets are necessary for the switch to identify packets of different VLANs.
The switch works at Layer 2 (Layer 3 switches are not discussed in this chapter) and it can
identify the data link layer encapsulation of the packet only, so you can add the VLAN tag field
In 1999, IEEE issued the IEEE 802.1Q protocol to standardize VLAN implementation, defining
IEEE 802.1Q protocol defines that a 4-byte VLAN tag is encapsulated after the destination
MAC address and source MAC address to display the information about VLAN.
As shown in Figure 1-2, a VLAN tag contains four fields, including TPID (Tag Protocol
Identifier), priority, CFI (Canonical Format Indicator), and VID (VLAN ID).
TPID is a 16-bit field, indicating that this data frame is VLAN-tagged. By default, it is 0x8100.
Priority is a 3-bit field, referring to 802.1p priority. Refer to section “QoS & QoS profile” for
details.
CFI is a 1-bit field, indicating whether the MAC address is encapsulated in the standard format
in different transmission media. This field is not described in detail in this chapter.
VID (VLAN ID) is a 12-bit field, indicating the ID of the VLAN to which this packet belongs. It is
in the range of 0 to 4,095. Generally, 0 and 4,095 is not used, so the field is in the range of 1 to
4,094.
VLAN ID identifies the VLAN to which a packet belongs. When the switch receives an
un-VLAN-tagged packet, it will encapsulate a VLAN tag with the default VLAN ID of the
inbound port for the packet, and the packet will be assigned to the default VLAN of the inbound
port for transmission. For the details about setting the default VLAN of a port, refer to section
“02-Port Configuration”
Note:If the VLAN to be created exists, enter the VLAN mode directly. Otherwise, create the
Vlan-id allowed to configure is in the range of 1 to 4094. Vlan-list can be in the form of discrete
number, a sequence number, or the combination of discrete and sequence number, discrete
Delete port member from VLAN undo port { all | ethernet interface-num }
about VLAN
Configure interface default pvid    undo port default vlan    Vlan1 by default
Interface VLAN mode can be divided into three types according to the different processing modes
Access: the interface belongs to only one vlan, and it is usually used to connect the terminal
device.
Trunk: the interface can receive and forward multiple vlans. When a packet is forwarded, the
default vlan packet will not carry the tag, whereas the other vlans will carry the
Hybrid: the interface can receive and forward multiple vlans, and it allows multiple
Configure interface vlan mode    port mode { access | hybrid | trunk }    Hybrid by default.
Allow the specified vlan to pass through this hybrid port    port hybrid { tagged | untagged } vlan { vlan-list | all }    “tagged” means packet carries tag; “untagged”
Do not allow the specified vlan to pass through this trunk port    undo port trunk allowed vlan { vlan-list | all }
If the switch receives an untagged packet, the system adds a VLAN tag to the packet in which
the VID value is the PVID and the priority value is the port priority.
Operation Command Remarks
Enter global configuration mode system-view
By default, an interface checks whether a received packet belongs to the vlan; if it does, the
interface forwards it, otherwise it discards the packet. This process is called ingress filtering.
The switch enables this function by default, and it may be disabled.
Operation Command Remarks
Enter global configuration mode    system-view
Configure ingress filtering    [ undo ] ingress filtering    Enabled by default
By default, regardless of any type of packet (tag or untag) received by the switch, it is allowed
untag packets;
“tagged” means
it can only
packets.
As noted earlier, a single port in the campus network has multiple services, and each service
belongs to different VLANs. So the flexible configuration of VLAN under the switch port to
identify different services has become a key issue of the campus network management.
In order to solve the above-mentioned problems, the MAC-based VLAN is proposed. MAC
(Media Access Control) address is burnt on a Network Interface Card (NIC), also known as the
MAC-based VLAN is another way to assign VLANs: the VLAN tag is added to a packet
according to its source MAC address. This is often combined with security technologies
(such as 802.1X) to achieve safe and flexible access for terminals.
Users should bind the terminal MAC address to a VLAN via the command line, and the device
The implementation of this approach is simple and involves only the access equipment. But in
this way, it is necessary to manually configure the MAC VLAN of the terminal on terminal
Protocol-based VLAN: packets are assigned different VLAN IDs according to the receiving
protocol types and encapsulation formats. “Protocol type + encapsulation format” is also
called a model agreement (protocol template). One protocol vlan can bind multiple model
agreements. Different model agreements are distinguished by the vlan-protocol table index. A
model agreement is applied to a port, and the packet vlan can then be modified according to
the model agreement.
1. If the packet's protocol type and encapsulation format conform to the model agreement,
the outer vlan information is modified to the protocol vlan-id.
2. If the packet's protocol type and encapsulation format do not conform to the model
agreement, the packet is processed in the same way as with the port-based vlan.
This feature is mainly applied to bind the service type with VLAN, providing convenient
There are two types’ configuration modes of protocol-based VLAN. Please choose the suitable
IP subnet-based vlan assignment is based on the packet's source IP address and subnet mask.
After the device receives packets on an interface, it determines which VLAN the packets belong to
Chapter 9 QinQ
In the VLAN tag field defined in IEEE 802.1Q, only 12 bits are used for VLAN IDs, so a switch
can support a maximum of 4,094 VLANs. In actual applications, however, a large number of
VLANs are required to isolate users, especially in metropolitan area networks (MANs), and
4,094 VLANs are far from satisfying such requirements. The figure shows the structure of
802.1Q-tagged and double-tagged Ethernet frames. The QinQ feature enables a device to
support up to 4,094 x 4,094 VLANs to satisfy the requirement for the number of VLANs in the MAN.
The port QinQ feature is a flexible, easy-to-implement Layer 2 VPN technique, which enables
the access point to encapsulate an outer VLAN tag in Ethernet frames from customer networks
(private networks), so that the Ethernet frames will travel across the service provider’s
backbone network (public network) with double VLAN tags. The inner VLAN tag is the
customer network VLAN tag while the outer one is the VLAN tag assigned by the service
provider to the customer. In the public network, frames are forwarded based on the outer
VLAN tag only, with the source MAC address learned as a MAC address table entry for the
VLAN indicated by the outer tag, while the customer network VLAN tag is transmitted as part of
There are two types of QinQ implementations: basic QinQ and Flexible QinQ.
1) Basic QinQ
With the VLAN VPN feature enabled on a port, when a frame arrives at the port, the switch will
tag it with the port’s default VLAN tag, regardless of whether the frame is tagged or untagged.
If the received frame is already tagged, this frame becomes a double-tagged frame; if it is an
2) Flexible QinQ
Flexible QinQ is a more flexible, VLAN-based implementation of QinQ. If Flexible QinQ on port
For a QinQ-enabled port, there are different handlings for different port types:
Uplink port: the tag judgment on an uplink port is based on the consistency between the packet VID
Custom port: the tag judgment on a customer port is based on the consistency between
A VLAN tag uses the tag protocol identifier (TPID) field to identify the protocol type of the tag.
The value of this field, as defined in IEEE 802.1Q, is 0x8100. The device identifies whether a
VLAN tag is present according to the TPID. If the configured TPID is the same as the
The systems of different vendors may set the TPID of the outer VLAN tag of QinQ frames to
different values. For compatibility with these systems, the S3750-48 series switches allow you
to modify the TPID value so that the QinQ frames, when sent to the public network, carry the
TPID value identical to the value of a particular vendor to allow interoperability with the devices
of that vendor.
The TPID in an Ethernet frame has the same position with the protocol type field in a frame
without a VLAN tag. To avoid problems in packet forwarding and handling in the network, you
cannot set the TPID value to any of the values in the table below.
Protocol    Value
ARP         0x0806
PUP         0x0200
RARP        0x8035
IP          0x0800
IPv6        0x86DD
PPPoE       0x8863/0x8864
MPLS        0x8847/0x8848
IPX/SPX     0x8137
IS-IS       0x8000
LACP        0x8809
802.1x      0x888E
GnLink      0x0765
GSTP        0x5524
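The tag layout from the VLAN chapter (TPID, priority, CFI, VID), the ingress rule that an untagged packet gets the PVID and port priority, the basic QinQ rule that the port's default tag is pushed regardless, and the reserved-EtherType table above, worked through in one Python example added here (not the OLT's code). The frame bytes are constructed samples; the rule that only the configured outer TPID is recognised as the outer tag, with 0x8100 for inner tags, is this example's reading of the TPID paragraph.

```python
import struct
from typing import Dict, List

# EtherType values the manual forbids as a TPID (table above).
RESERVED_TPIDS = {
    0x0806, 0x0200, 0x8035, 0x0800, 0x86DD, 0x8863, 0x8864,
    0x8847, 0x8848, 0x8137, 0x8000, 0x8809, 0x888E, 0x0765, 0x5524,
}
DEFAULT_TPID = 0x8100  # IEEE 802.1Q default


def validate_tpid(tpid: int) -> int:
    """Reject a configured TPID that collides with the reserved EtherTypes."""
    if not 0 <= tpid <= 0xFFFF:
        raise ValueError("TPID must be a 16-bit value")
    if tpid in RESERVED_TPIDS:
        raise ValueError(f"TPID 0x{tpid:04X} collides with a reserved EtherType")
    return tpid


def build_tag(tpid: int, priority: int, cfi: int, vid: int) -> bytes:
    """Encode one 4-byte tag: 16-bit TPID, 3-bit priority, 1-bit CFI, 12-bit VID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094 (0 and 4095 are not used)")
    tci = ((priority & 0x7) << 13) | ((cfi & 0x1) << 12) | vid
    return struct.pack("!HH", tpid, tci)


def parse_frame(frame: bytes, outer_tpid: int = DEFAULT_TPID) -> Dict:
    """Split a frame into addresses, its tag stack, EtherType and payload.

    The outermost tag is recognised only when its TPID equals the configured
    outer_tpid; any further (inner) tag must carry the standard 0x8100.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tags: List[Dict[str, int]] = []
    off = 12
    while off + 4 <= len(frame):
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid != (outer_tpid if not tags else DEFAULT_TPID):
            break
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"tpid": tpid, "priority": tci >> 13,
                     "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    if off + 2 > len(frame):
        raise ValueError("frame truncated inside the tag stack")
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def ingress_tag(frame: bytes, pvid: int, port_priority: int,
                vlan_vpn: bool = False, outer_tpid: int = DEFAULT_TPID) -> bytes:
    """Apply the ingress rules of the chapter to a received frame.

    Normal port: an untagged frame gets VID = PVID and priority = port
    priority; a tagged frame is left unchanged.  VLAN VPN (basic QinQ) port:
    the port's default tag is pushed regardless, so a tagged frame becomes
    double-tagged.
    """
    already_tagged = bool(parse_frame(frame, outer_tpid)["tags"])
    if already_tagged and not vlan_vpn:
        return frame
    return frame[:12] + build_tag(outer_tpid, port_priority, 0, pvid) + frame[12:]


if __name__ == "__main__":
    # Constructed sample: broadcast IPv4 frame with a dummy payload.
    untagged = (bytes.fromhex("ffffffffffff") + bytes.fromhex("00005e001234")
                + b"\x08\x00" + b"payload")
    customer = ingress_tag(untagged, pvid=100, port_priority=5)
    provider = ingress_tag(customer, pvid=200, port_priority=3, vlan_vpn=True)
    print([t["vid"] for t in parse_frame(provider)["tags"]])
```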
Add different outer VLAN Tag for different inner VID    flexible-vlan insert start-vlan-id end-vlan-id service-vlan-id priority
interface-list ]
The system maintains a MAC address table for forwarding packets. The entries in this table
contain device MAC addresses, VLAN IDs, and switch port numbers. When a packet enters the
switch, the switch looks up the MAC address table based on the destination MAC address and
the VLAN ID of the packet. If a matching entry is found, the switch sends the packet to the
specified port. Otherwise, the switch broadcasts the packet within this VLAN.
The system can learn the MAC address table. If the source MAC address of a received packet
does not exist in the MAC address table, the system adds the source MAC address, VLAN ID,
and port number of the received packet as a new entry to the MAC address table.
You can manually configure MAC address entries. The administrator can configure the MAC
address table based on the actual network condition, that is, the administrator can add or
The system provides a MAC address aging function. If a device does not send any packets for a
certain period of time, the system deletes the MAC address entries associated with the device.
MAC address aging only takes effect on learned MAC addresses or the MAC address entries
vlan vlan-id
interface-num
vlan-id ]
vlan-id ]
You can configure whether the device learns MAC addresses dynamically or not.
If MAC address learning is disabled in global configuration mode, no port can learn MAC
addresses. To disable MAC address learning on only some ports, leave it enabled in global
configuration mode and disable it in the configuration mode of those ports.
In port configuration mode you can configure the maximum number of MAC addresses a port may
learn. By default the number is unlimited. A limit on a client-facing port bounds how many entries
a single host can inject, which matters when a host floods frames with random source addresses
to fill the table.
Operation                                  Command                                                   Remarks
Enter global configuration mode            system-view
Configure max-mac-count                    mac-address-table max-mac-count max-mac-count
Restore the default (unlimited)            undo mac-address-table max-mac-count
vlan-id }
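Added example (not vendor code): a small model of the table behaviour described above, with learning, aging, static entries and a per-port max-mac-count, run against a constructed MAC-flooding burst and a frame that spoofs a gateway MAC from the wrong port. The names, the 300 s aging default and the port numbers are assumptions.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "port static last_seen")


class MacTable:
    """Constructed model of the MAC address table described above (not the OLT's code).

    Entries are keyed by (vlan_id, mac). Dynamic entries age out after aging_time
    seconds without traffic; static entries never age and are never overwritten by
    learning. A per-port max_mac_count caps the number of dynamic entries a port
    may hold (None = unlimited, the documented default)."""

    def __init__(self, aging_time=300, global_learning=True):
        self.aging_time = aging_time
        self.global_learning = global_learning
        self.port_learning = {}      # port -> bool (default True)
        self.max_mac_count = {}      # port -> int or None
        self.table = {}

    def add_static(self, vlan, mac, port):
        self.table[(vlan, mac)] = Entry(port, True, None)

    def dynamic_count(self, port):
        return sum(1 for e in self.table.values() if e.port == port and not e.static)

    def age(self, now):
        expired = [k for k, e in self.table.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for key in expired:
            del self.table[key]

    def receive(self, vlan, src, dst, port, now):
        """Handle one frame: learn the source (subject to the limits), then return
        the egress port for the destination, or 'flood' if unknown in this VLAN."""
        self.age(now)
        key = (vlan, src)
        current = self.table.get(key)
        if self.global_learning and self.port_learning.get(port, True):
            if current is None:
                limit = self.max_mac_count.get(port)
                if limit is None or self.dynamic_count(port) < limit:
                    self.table[key] = Entry(port, False, now)
            elif not current.static:          # refresh, or the station moved port
                self.table[key] = Entry(port, False, now)
        hit = self.table.get((vlan, dst))
        return hit.port if hit else "flood"


def flood_attack(limit):
    """A host on port 3 sends frames from 500 different source MACs (constructed data),
    the classic MAC flooding pattern. Returns how many entries port 3 ended up with."""
    t = MacTable()
    t.max_mac_count[3] = limit
    for i in range(500):
        src = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        t.receive(1, src, "ff:ff:ff:ff:ff:ff", 3, now=0)
    return t.dynamic_count(3)


def static_entry_protection():
    """A static entry pins the gateway MAC to port 1; a frame on port 9 claiming that
    MAC does not move it, and the entry survives aging. Returns the gateway's port."""
    t = MacTable(aging_time=300)
    t.add_static(1, "00:00:5e:00:01:01", 1)
    t.receive(1, "00:00:5e:00:01:01", "02:00:00:00:00:01", 9, now=0)
    t.age(now=10_000)
    return t.table[(1, "00:00:5e:00:01:01")].port


if __name__ == "__main__":
    print(flood_attack(None), flood_attack(10))   # 500 then 10
    print(static_entry_protection())              # 1
```

With no limit the single host fills 500 entries; with max-mac-count 10 it gets ten and the rest are simply not learned, so their replies are flooded rather than pushing other stations out of the table. The static gateway entry shows the other control the text mentions: manual entries are not moved by traffic claiming the same address.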
Chapter 11 STP
Spanning Tree Protocol (STP) is applied in a looped network to block undesirable redundant
paths with a defined algorithm and prune the network into a loop-free tree, thereby avoiding the
STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its
protocol packets.
STP discovers the network topology by exchanging BPDUs between STP-compliant network
devices. BPDUs contain sufficient information for the network devices to complete the
Configuration BPDUs, used for calculating spanning trees and maintaining the spanning tree
topology.
Topology change notification (TCN) BPDUs, used for notifying concerned devices of network
topology changes.
Root Bridge
A tree network must have a root; hence the concept of "root bridge" has been introduced in
STP.
There is one and only one root bridge in the entire network, and the root bridge can change
along with changes of the network topology. Therefore, the root bridge is not fixed.
Upon network convergence, the root bridge generates and sends out configuration BPDUs at
a certain interval, and other devices just forward the BPDUs. This mechanism ensures
topological stability.
Root Port
On a non-root bridge device, the root port is the port nearest to the root bridge. The root port is
responsible for communication with the root bridge. A non-root-bridge device has one and only
one root port.
Designated Bridge
For a device, the designated bridge is the device directly connected with this device and
responsible for forwarding BPDUs to it; for a LAN, the designated bridge is the device responsible for
forwarding BPDUs to that LAN segment.
Designated Port
For a device, the designated port is the port through which the designated bridge forwards
BPDUs to this device; for a LAN, the designated port is the port through which the designated
bridge forwards BPDUs to that LAN segment.
Path cost
Path cost is a reference value used for link selection in STP. By calculating the path cost, STP
selects relatively "robust" links and blocks redundant links, finally pruning the network into
a loop-free tree.
Each Layer 2 interface on a switch using spanning tree exists in one of these states:
Disabled
The interface is not participating in spanning tree because of a shutdown port, no link on the
port, or no spanning-tree instance running on the port.
Blocking
The interface does not participate in frame forwarding; it only receives BPDUs.
Listening
The first transitional state after the blocking state when the spanning tree determines that the
interface should participate in frame forwarding.
Learning
The interface prepares to participate in frame forwarding: it learns MAC addresses but does not
yet forward frames.
Forwarding
The interface forwards frames.
When you power up the switch, spanning tree is enabled by default, and every interface in the
switch, VLAN, or network goes through the blocking state and the transitory states of listening
and learning. Spanning tree stabilizes each interface at the forwarding or blocking state.
When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this
process occurs:
1) The interface is in the listening state while spanning tree waits for protocol information to
move it to the blocking state.
2) While spanning tree waits for the forward-delay timer to expire, it moves the interface to the
learning state and resets the forward-delay timer.
3) In the learning state, the interface continues to block frame forwarding as the switch learns
end-station location information for the forwarding database.
4) When the forward-delay timer expires, spanning tree moves the interface to the forwarding
state, where both learning and frame forwarding are enabled.
network devices. Configuration BPDUs contain sufficient information for network devices to
complete the spanning tree calculation. Important fields in a configuration BPDU include:
Root bridge ID: consisting of root bridge priority and MAC address.
Root path cost: the cost of the shortest path to the root bridge.
Designated bridge ID: consisting of the priority and MAC address of the designated bridge.
Designated port ID: consisting of the priority and number of the designated port.
Message age: age of the configuration BPDU while it propagates in the network.
Max age: maximum age of the configuration BPDU maintained in the device.
Initial state
Upon initialization of a device, each port generates a BPDU with itself as the root bridge, in
which the root path cost is 0, the designated bridge ID is the device ID, and the designated port is
the port itself.
Each device sends out its configuration BPDU and receives configuration BPDUs from other
devices.
Step   Description
1      Upon receiving a configuration BPDU on a port, the device performs the following processing:
       If the received configuration BPDU has a lower priority than the configuration BPDU generated by
       the port, the device discards the received configuration BPDU without changing the
       configuration BPDU of the port.
       If the received configuration BPDU has a higher priority than the configuration BPDU generated
       by the port, the device replaces the content of the configuration BPDU generated by the port with the
       received one.
2      The device compares the configuration BPDUs of all its ports and chooses the optimum configuration
       BPDU.
At network initialization, each STP-compliant device on the network assumes itself to be the
root bridge, with the root bridge ID being its own device ID. By exchanging configuration
BPDUs, the devices compare one another's root bridge IDs. The device with the smallest root
bridge ID is elected as the root bridge.
The process of selecting the root port and designated ports is as follows:
Step   Description
1      A non-root-bridge device regards the port on which it received the optimum configuration BPDU as the
       root port.
2      Based on the configuration BPDU and the path cost of the root port, the device calculates a designated
       port configuration BPDU for each of its other ports:
       The root bridge ID is replaced with that of the configuration BPDU of the root port.
       The root path cost is replaced with that of the configuration BPDU of the root port plus the path
       cost of the root port.
       The designated bridge ID is replaced with the ID of this device, and the designated port ID with
       the ID of this port.
3      The device compares the calculated configuration BPDU with the configuration BPDU on the port
       whose role is to be defined, and acts according to the comparison result:
       If the calculated configuration BPDU is superior, the device considers this port the
       designated port, and the configuration BPDU on the port is replaced with the calculated
       one.
       If the configuration BPDU on the port is superior, the device blocks this port without
       updating its configuration BPDU, so that the port only receives BPDUs, does not send any, and does
       not forward data.
Once the root bridge, the root port on each non-root bridge and the designated ports have been
elected, the tree topology is determined.
Upon network initiation, every switch regards itself as the root bridge, generates configuration
BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello
time.
If it is the root port that received the configuration BPDU and the received configuration
BPDU is superior to the configuration BPDU of the port, the device increases the message
age carried in the configuration BPDU by a certain rule and starts a timer to time the
configuration BPDU, while it sends out this configuration BPDU through the designated
port.
If the configuration BPDU received on the designated port has a lower priority than the
configuration BPDU of the local port, the port immediately sends out its own, better
configuration BPDU.
If a path becomes faulty, the root port on this path no longer receives new configuration
BPDUs and the old configuration BPDUs are discarded due to timeout. In this case, the
device generates a configuration BPDU with itself as the root and sends it out.
This triggers a new spanning tree calculation so that a new path is established to
replace the faulty one.
However, the newly calculated configuration BPDU is not propagated throughout the
network immediately, so the old root ports and designated ports that have not detected the
topology change continue forwarding data along the old path. If the new root port and
designated port began to forward data as soon as they were elected, a temporary loop could
occur.
3) STP timers
STP calculations need three important timing parameters: forward delay, hello time, and max
age.
Forward delay is the delay time for device state transition. A path failure causes
re-calculation of the spanning tree, and the spanning tree structure changes
accordingly. However, the new configuration BPDU produced by the calculation cannot be
propagated throughout the network immediately. If the newly elected root port and
designated ports started to forward data right away, a temporary loop would be likely. For
this reason, as a mechanism for state transition in STP, a newly elected root port or
designated port waits twice the forward delay time before transitioning to the
forwarding state, by which time the new configuration BPDU has been propagated throughout the
network.
Hello time is the time interval at which a device sends hello packets to its
neighbours to confirm that the links are working.
Max age is a parameter used to determine whether a configuration BPDU held by the
device has expired. A configuration BPDU beyond the max age is discarded.
The Ethernet switch implements the Rapid Spanning Tree Protocol (RSTP), an
enhancement of STP. The forward delay for root ports and designated ports to enter the
forwarding state is greatly reduced under certain conditions, thereby shortening the time the
topology takes to stabilize.
To achieve rapid transition of the root port state, the following requirement should be met:
The old root port on this switch has stopped forwarding data and the designated port on the
upstream switch has started forwarding data.
The conditions for rapid state transition of the designated port are:
The port is an edge port that does not connect with any switch directly or indirectly, or
the port is connected to a point-to-point link, that is, it is the master port of an aggregation
group or a full-duplex port. A port connected to a point-to-point link can enter the
forwarding state right after handshaking with the downstream switch.
A switch running RSTP is compatible with one running STP. Both kinds of protocol packet can
be identified by the switch running RSTP and used in spanning tree calculation.
After STP is enabled globally, all ports take part in the STP topology calculation by
default. If some port should not take part in the STP calculation, the administrator can use the
undo stp command in interface configuration mode to disable STP on that port.
Operation                                  Command
Enter global configuration mode            system-view
Note:
When STP is enabled globally, the system works in RSTP mode.
The bridge priority determines whether this switch can become the root. If this switch is to be
the root bridge, give it the smallest priority value in the network.
There are three time parameters: Forward Delay, Hello Time and Max Age.
Note:
Too long a Hello Time may make a bridge treat lost packets as a link failure and restart the STP
calculation; too short a Hello Time makes bridges send configuration packets too frequently,
increasing network and CPU load. Hello Time ranges from 1 to 10 seconds. The default of
2 seconds is suggested. Hello Time must satisfy Hello Time ≤ Forward Delay - 2.
If Forward Delay is configured too small, temporary redundant paths (loops) may appear; if Forward
Delay is configured too large, the network takes a long time to restore connectivity. Forward
Delay ranges from 4 to 30 seconds. The default of 15 seconds is suggested.
Max Age is the longest time a received configuration BPDU is kept; a BPDU older than this is
discarded. If the value is too small, STP recalculates frequently and may mistake network
congestion for a link fault. If the value is too large, link faults are not detected in time. Max Age
is determined by the network diameter, and the default of 20 seconds is suggested. The timers
must satisfy 2*(Hello Time + 1) ≤ Max Age ≤ 2*(Forward Delay - 1). When STP is enabled
globally, the system works in RSTP mode.
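Added example (not the OLT's implementation) covering the election steps above and the timer notes: it builds and parses an IEEE 802.1D configuration BPDU, compares priority vectors in the order the text gives (root ID, root path cost, designated bridge ID, designated port ID), derives the port roles of one bridge from constructed BPDUs, and checks the timer constraints quoted in this note (the MSTP chapter restates the same constraints). The bridge IDs, costs and port IDs are assumptions, as is using 0x8000 | port number as the local port ID.

```python
import struct
from dataclasses import dataclass

# Configuration BPDU per IEEE 802.1D: protocol ID, version, type, flags, root ID,
# root path cost, bridge ID, port ID, then message age, max age, hello time and
# forward delay, each in units of 1/256 s. 35 bytes in total.
BPDU_FMT = "!HBBBQIQHHHHH"


@dataclass
class ConfigBPDU:
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: int
    message_age: float = 0.0
    max_age: float = 20.0
    hello_time: float = 2.0
    forward_delay: float = 15.0
    flags: int = 0

    def vector(self):
        """Priority vector: compared field by field in this order, smaller wins."""
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)


def bridge_id(priority, mac):
    """8-byte bridge identifier: 2-byte priority followed by the 6-byte MAC."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def build_config_bpdu(b, version=0):
    t = lambda seconds: int(round(seconds * 256))
    return struct.pack(BPDU_FMT, 0x0000, version, 0x00, b.flags, b.root_id, b.root_path_cost,
                       b.bridge_id, b.port_id, t(b.message_age), t(b.max_age),
                       t(b.hello_time), t(b.forward_delay))


def parse_config_bpdu(data):
    if len(data) < 35:
        raise ValueError("truncated BPDU")
    proto, _ver, btype, flags, root, cost, bridge, port, ma, mx, hello, fwd = struct.unpack(BPDU_FMT, data[:35])
    if proto != 0 or btype != 0x00:
        raise ValueError("not a configuration BPDU (type 0x%02x)" % btype)
    return ConfigBPDU(root, cost, bridge, port, ma / 256, mx / 256, hello / 256, fwd / 256, flags)


def check_timers(hello, forward_delay, max_age):
    """Return the constraints from the configuration notes that these values violate."""
    problems = []
    if not 1 <= hello <= 10:
        problems.append("hello time outside 1..10 s")
    if not 4 <= forward_delay <= 30:
        problems.append("forward delay outside 4..30 s")
    if not 6 <= max_age <= 40:
        problems.append("max age outside 6..40 s")
    if hello > forward_delay - 2:
        problems.append("hello time > forward delay - 2")
    if not 2 * (hello + 1) <= max_age <= 2 * (forward_delay - 1):
        problems.append("max age not within 2*(hello+1) .. 2*(forward delay-1)")
    return problems


def elect(my_id, received, port_cost):
    """Root and port-role election for one bridge. received maps port -> ConfigBPDU seen
    on that port (None if nothing received); port_cost maps port -> path cost of its link.
    Returns (root_id, root_port, {port: role})."""
    best, root_port = (my_id, 0, my_id, 0), None            # step 2: start by claiming root
    for p, b in received.items():
        if b is None:
            continue
        cand = (b.root_id, b.root_path_cost + port_cost[p], b.bridge_id, b.port_id)
        if cand < best:
            best, root_port = cand, p                       # root port = best BPDU received
    root, root_cost = best[0], best[1]
    roles = {}
    for p, b in received.items():
        if p == root_port:
            roles[p] = "root"
            continue
        designated = (root, root_cost, my_id, 0x8000 | p)   # the BPDU we would send on p
        roles[p] = "designated" if b is None or designated < b.vector() else "blocked"
    return root, root_port, roles


# Constructed topology: ROOT (priority 4096) is on our port 1; bridge B (priority 32768,
# lower MAC than ours) reaches ROOT at cost 20000 and is also on our port 2; port 3
# faces a host. We are priority 32768 with the highest MAC.
ROOT = bridge_id(4096, "00:00:00:00:00:01")
B = bridge_id(32768, "00:00:00:00:00:02")
ME = bridge_id(32768, "00:00:00:00:00:03")


def example_election():
    wire = build_config_bpdu(ConfigBPDU(ROOT, 0, ROOT, 0x8001))
    received = {1: parse_config_bpdu(wire),
                2: ConfigBPDU(ROOT, 20000, B, 0x8002, message_age=1.0),
                3: None}
    return elect(ME, received, {1: 20000, 2: 20000, 3: 20000})


def roundtrip_ok():
    b = ConfigBPDU(ROOT, 0, ROOT, 0x8001, message_age=1.0, flags=0x01)
    return parse_config_bpdu(build_config_bpdu(b)) == b


if __name__ == "__main__":
    print(example_election())      # root port 1, port 2 blocked, port 3 designated
    print(check_timers(2, 15, 20), check_timers(2, 15, 3))
```

Port 2 ends up blocked because the BPDU it receives carries the same root and cost as the one we would send, and B's bridge ID is smaller than ours; that is the tie-break on designated bridge ID in step 3. The same comparison is what lets any device that announces a smaller root ID take the root role, which is the risk the root protection feature in the MSTP chapter addresses.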
Configure the interface STP path cost; the path with the smallest total path cost becomes the
active path.
The path cost is related to the link speed: the higher the speed, the lower the cost.
STP can auto-detect the link speed of the current interface and convert it into a cost.
Configuring a port path cost triggers an STP re-calculation. The path cost ranges from 1 to 65535. It
is suggested to use the default value, which lets STP derive the port cost by
itself. By default, the path cost is determined by the current port speed.
When the port is 10M, the default cost is 200,000; when the port is 100M, the default cost is
Configure the port priority to influence which port becomes the designated port. Generally, the smaller
the value, the higher the priority, and the more likely the port is to be included in the spanning tree.
If the priorities are equal, the port with the smaller port number wins.
The smaller the value, the higher the priority, and the more likely the port is to become the root
port. Changing the port priority may cause an STP re-calculation. The port priority
A switch working in RSTP mode can be connected to a switch running STP. But when the
neighbour later changes to RSTP, the two connected ports still work in STP mode.
Mcheck forces the port to send RSTP packets to check whether the neighbour port can
work in RSTP. If so, the working mode switches to RSTP.
Operation                                  Command
Enter global configuration mode            system-view
In RSTP, the requirement for an interface to transition quickly to the forwarding state is that the
interface must be on a point-to-point link, not a shared-media link. The interface link mode can be
specified manually and
An edge port is a port connecting to a host; it can transition to the forwarding state very shortly
after link-up, but once the port receives an STP packet it becomes a non-edge port.
Operation                                  Command
Enter global configuration mode            system-view
Restrict the bandwidth STP occupies by limiting the rate of sending BPDU packets. The
By default, a port sends at most 3 BPDU packets per Hello Time interval.
Operation                                  Command
Enter global configuration mode            system-view
After finishing the above configuration, you can check it with the command below.
Operation                  Command
Display STP interface      display stp interface [ brief [ ethernet interface-num ] ]
Chapter 12 MSTP
The Multiple Spanning Tree Protocol (MSTP) overcomes the shortcomings of STP and RSTP. In
addition to supporting rapid network convergence, it allows data flows of different VLANs
to be forwarded along their own paths, thus providing a better load-sharing mechanism for
VLAN traffic.
After spanning tree is enabled globally, all ports participate in the spanning tree topology
calculation by default. If the administrator wants some port not to participate in the
spanning tree calculation, enter that port's configuration mode and use the
undo stp command to disable spanning tree on the port.
Operation                                  Command                                Remarks
MSTP timers include the forward delay, the hello time (the interval between configuration
messages), the maximum age, and the maximum hops. Users can configure these parameters on
the switch for the MSTP spanning tree.
Operation                                  Command                                Remarks
Notes:
Too long a Hello Time leads to lost packets being mistaken for a link failure, so the bridge
begins to re-calculate the spanning tree; too short a Hello Time makes the bridge
send messages too frequently, increasing the network and CPU burden.
The Hello Time range is 1 to 10 seconds; the recommended default is 2 seconds. Hello
Time must be less than or equal to Forward Delay - 2.
If the Forward Delay is configured too small, temporary redundant paths may appear;
if the Forward Delay is configured too large, the network may take a long time to restore
connectivity. The range is 4 to 30 seconds; the recommended default is 15 seconds. Forward
Delay must be greater than or equal to the Hello Time + 2.
Max Age is the longest time an MSTP protocol packet is kept before it is aged out; on timeout the
packet is discarded. If this value is too small, spanning tree recalculation is more frequent and
network congestion may be mistaken for link failure; if this value is too large, link failures are
not detected in time. The Max Age range is 6 to 40 seconds. The Max Age value depends on the
network diameter. The recommended default is 20 seconds. Max Age
must be greater than or equal to 2 * (Hello Time + 1) and less than or equal to 2 * (Forward Delay - 1).
MSTP configuration identifiers include the MSTP configuration name, the MSTP revision level, and
the MSTP instance-to-VLAN mapping. Bridges that have the same configuration identifiers and
are connected to each other are logically treated as one virtual bridge (an MST region).
Operation                                            Command                                       Remarks
Configure the instance-to-VLAN mapping               stp mst instance instance-num vlan vlan-list
In MSTP, the bridge priority is a per-instance (MSTI) parameter. The bridge priority, together
with the port priority and port path cost, determines the topology of each spanning tree instance and
forms the basis for link load balancing.
The bridge priority determines whether this switch can be elected as the root of a spanning
tree instance. By configuring a smaller bridge priority, you can make a switch
become the root bridge of that instance.
Because of configuration errors or malicious attacks on the network, the legitimate root
bridge may receive configuration information of a higher priority. The root bridge then loses its
root status, causing an erroneous change of the network topology. If the
original traffic was forwarded over high-speed links, this illegitimate change redirects it onto
low-speed links, resulting in network congestion. A device plugged into an access port that
announces a better bridge priority can in the same way pull traffic through a path its owner controls.
The root protection function prevents this from happening.
A port with root protection enabled can only keep the designated port role. Once this
port receives configuration information of a higher priority, the port is set to
the Discarding state and does not forward packets (equivalent to the link connected to this port being
disconnected). When no better configuration message is received for a long enough period of
time, the port reverts to its original state.
In MSTP, this function works for all instances.
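Added example (not vendor code) of the behaviour just described, driven by a constructed sequence of BPDUs: a legitimate root with priority 4096, then a rogue device advertising priority 0 on a root-protected port. "Superior" is decided on the root ID alone, the first field of the priority vector, and the 30 s recovery period stands in for the manual's "long enough period"; both are assumptions.

```python
class RootProtectedPort:
    """Constructed model of a designated port with root protection enabled.

    current_root is the bridge ID of the root the port's bridge currently accepts
    (2-byte priority followed by the MAC, so a smaller number is a better root).
    A BPDU announcing a smaller root ID is superior: the port drops to Discarding and
    only returns to Forwarding after recovery_time seconds without another superior
    BPDU. Every superior BPDU restarts that clock."""

    def __init__(self, current_root, recovery_time=30.0):
        self.current_root = current_root
        self.recovery_time = recovery_time
        self.state = "forwarding"
        self.last_superior = None

    def receive_bpdu(self, advertised_root, now):
        """Feed one received configuration BPDU; returns the port state afterwards."""
        if advertised_root < self.current_root:
            self.state = "discarding"          # behave as if the link were cut
            self.last_superior = now
            return self.state
        return self.tick(now)

    def tick(self, now):
        """Called periodically; recovers the port once the superior BPDUs have stopped."""
        if self.state == "discarding" and now - self.last_superior >= self.recovery_time:
            self.state = "forwarding"
        return self.state


def rogue_root_timeline():
    """Constructed scenario: the legitimate root has priority 4096; a device on an access
    port claims priority 0 at t=1 and t=5, then goes quiet. Returns the state after each event."""
    legit = (4096 << 48) | 0x000000000001
    rogue = (0 << 48) | 0x0000000000AA
    port = RootProtectedPort(current_root=legit, recovery_time=30.0)
    return [
        port.receive_bpdu(legit, now=0),   # forwarding: nothing better than the known root
        port.receive_bpdu(rogue, now=1),   # discarding: superior root ID seen
        port.receive_bpdu(rogue, now=5),   # still discarding; recovery clock restarts
        port.tick(now=20),                 # discarding: only 15 s since the last superior BPDU
        port.tick(now=34),                 # discarding: 29 s < 30 s
        port.tick(now=35),                 # forwarding: 30 s of silence
    ]


if __name__ == "__main__":
    print(rogue_root_timeline())
```

The point to notice is that the rogue's BPDUs are never used to recompute the tree: the port simply stops forwarding for as long as they keep arriving, so the upstream root keeps its role and the attacker only isolates the port they are plugged into.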
Operation                                  Command                                Remarks
When a switch port is connected to a Cisco or other vendor switch that runs a proprietary
spanning tree protocol, even if both sides have the same MST region configuration, the switches
cannot interoperate within one MSTP region. The digest snooping feature addresses this situation.
When digest snooping is enabled on the port connected to the other vendor's switch, the switch
treats BPDUs received from that switch as coming from the same MST region and records
their configuration digest; when sending BPDUs to that switch, the switch fills in the
recorded configuration digest. In this way the switch and the other vendor's switch exchange
MSTP information within one region.
Operation                                  Command                                Remarks
To control MSTP flexibly, you can use the disable instance feature. Disabling an instance has the
same effect as running no spanning-tree for that instance: all ports carrying the VLANs
mapped to the instance are placed in the forwarding state.
Operation                                  Command                                Remarks
Note:
The mcheck function requires the port to send BPDU packets, so it only works on the
specified port.
Operation                                  Command                                Remarks
After completing the above configuration, you can use the following command to view the
configuration.
Operation                                  Command                                Remarks
Chapter 13 Remote-loop-detect
The device is connected to client networks. A loop in a client network affects
the entire network. Remote-loop-detect solves this problem. After Remote-loop-detect is
enabled on a switch port, the switch periodically sends a detection message out of that port. If the
client network has a loop, the detection message comes back to the switch. In this case,
the switch considers that a loop exists in the client network, and the port connected to the client
is put into the discarding state or shut down.
Some people may ask: the spanning tree can also detect remote loops, so why is
Remote-loop-detect needed? Because if the client network also has devices running
spanning tree, topology changes in the client network easily affect the network of the
equipment room. The usual design is therefore to connect the client to a port with spanning tree
disabled and use remote-loop-detect instead.
mode. interface-name }
When Remote-loop-detect detects a loop, there are two ways to react: one is to put
the port into the discarding state, the other is to shut the port down and then periodically restore it;
the default is discarding.
Operation                                  Command                                Remarks
When Remote-loop-detect detects a loop and the shutdown action is configured, the
shut-down port is recovered periodically. The default recovery period is 20
seconds and can be modified as needed. If it is configured as 60s, the port is not
automatically restored; the user needs to run shutdown / no shutdown manually on
the port to recover it.
port recover-time
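Added example (not the OLT's code) of the detection loop described in this chapter: each enabled port sends a probe carrying the switch MAC, the port number and a random per-port token; any probe that comes back in is proof of a loop behind the port that sent it, and the port is put into discarding or shut down and recovered after recover_time. The probe format and the token are assumptions (the manual only says "detection message"); the token is there so that a client cannot take its own port down by replaying a guessed probe. Treating a recover_time of None as "manual shutdown / no shutdown only", and letting a discarding port recover on the same timer, are also assumptions.

```python
import secrets
import struct


class RemoteLoopDetector:
    """Constructed model of Remote-loop-detect on client-facing ports.

    Probe payload: magic | 6-byte switch MAC | 2-byte port | 8-byte per-port token.
    action is 'discard' (default) or 'shutdown'. A blocked port is reopened after
    recover_time seconds without another returned probe; None means never."""

    MAGIC = b"RLDP"

    def __init__(self, switch_mac, action="discard", recover_time=20):
        if action not in ("discard", "shutdown"):
            raise ValueError("action must be discard or shutdown")
        self.switch_mac, self.action, self.recover_time = switch_mac, action, recover_time
        self.tokens, self.state, self.blocked_at = {}, {}, {}

    def enable(self, port):
        self.tokens[port] = secrets.token_bytes(8)
        self.state[port] = "normal"

    def build_probe(self, port):
        """The detection message sent out of port."""
        return self.MAGIC + self.switch_mac + struct.pack("!H", port) + self.tokens[port]

    def receive(self, payload, now):
        """Classify a received frame; returns None for ordinary traffic."""
        if len(payload) != 20 or not payload.startswith(self.MAGIC):
            return None
        mac, token = payload[4:10], payload[12:20]
        port = struct.unpack_from("!H", payload, 10)[0]
        if mac != self.switch_mac:
            return None                         # another switch's probe: just forward it
        if self.tokens.get(port) != token:
            return "forged probe for port %d ignored" % port
        if self.state[port] == "normal":
            self.state[port] = "discarding" if self.action == "discard" else "shutdown"
        self.blocked_at[port] = now             # (re)start the recovery clock
        return "loop detected on port %d -> %s" % (port, self.state[port])

    def tick(self, now):
        """Periodic recovery; returns the current state of every enabled port."""
        for port, st in self.state.items():
            if (st != "normal" and self.recover_time is not None
                    and now - self.blocked_at[port] >= self.recover_time):
                self.state[port] = "normal"
        return dict(self.state)


def scenario(action, recover_time):
    """Constructed run: port 5's client network loops its probe back at t=0; a client on
    port 6 replays a probe with a wrong token; then time passes. Returns the two verdicts
    and port 5's state at t=10 and t=25."""
    det = RemoteLoopDetector(bytes.fromhex("0000aa000001"), action, recover_time)
    det.enable(5)
    det.enable(6)
    looped = det.receive(det.build_probe(5), now=0)
    forged = det.receive(det.build_probe(6)[:12] + bytes(8), now=0)
    return looped, forged, det.tick(10)[5], det.tick(25)[5]


if __name__ == "__main__":
    print(scenario("discard", 20))      # discarding at t=10, normal again at t=25
    print(scenario("shutdown", None))   # stays shut down until an operator intervenes
```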
Chapter 14 ACL
As network scale and network traffic grow, network security and bandwidth
allocation become more and more critical to network management. Packet filtering can be
used to efficiently prevent illegal users from accessing the network, to control network traffic,
and to save network resources. Access control lists (ACLs) are often used to filter packets with
configured matching rules.
ACLs are sets of rules (permit or deny statements) that decide which packets may
pass and which should be rejected based on matching criteria such as source MAC address,
destination MAC address, source IP address, destination IP address, and port number.
When an ACL is assigned to a piece of hardware and referenced by a QoS policy for traffic
classification, the switch does not take action according to the traffic behavior definition on a
ACLs fall into three categories according to their numbers and the fields they match:
Basic ACL: source IP address only.
Extended ACL: source IP address, destination IP address, protocol carried by IP, and other
Layer 2 ACL: Layer 2 protocol header fields such as source MAC address, destination MAC
An ACL consists of multiple rules, each of which specifies different matching criteria. These
criteria may overlap or conflict. This is why the order in which a packet is
matched against the rules matters.
config: packets are compared against the ACL rules in the order in which the rules were
configured.
auto: a depth-first match is performed, that is, the most specific rule is tried first. The term
depth-first match has different meanings for different types of ACLs.
1) In config mode, sub-item 0 is the first rule entered. The display looks like this:
0 deny any
2) In auto mode, sub-item 0 is the rule with the longest (most specific) match. The display looks like this:
1 deny any
Note: an ACL must be enabled before it takes effect; the switch follows "first enable, then activate".
Please refer to Chapter
There are two kinds of time range: an absolute time range and a periodic time range.
An absolute time range is given as year, month, date, hour and minute. A periodic time range
Configure periodic time range      periodic days-of-the-week hh:mm:ss to
Configure periodic start           [ day-of-the-week ] hh:mm:ss
Note:
A periodic time range is created with the time-range time-name start-time to end-time days
command. A time range thus created recurs periodically on the day or days of the week.
An absolute time range is created with the time-range time-name { from time1 date1 [ to time2
date2 ] | to time2 date2 } command. Unlike a periodic time range, a time range thus created
does not recur. For example, to create an absolute time range that is active between January 1,
2004 00:00 and December 31, 2004 23:59, you may use the time-range test from 00:00
01/01/2004 to 23:59 12/31/2004 command.
A compound time range is created with the time-range time-name start-time to end-time days
{ from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created
recurs on the day or days of the week only within the specified period. For example, to create a
time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00
and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 Wednesday
from 00:00 01/01/2004 to 23:59 12/31/2004 command.
You may create several time ranges with the same name. They are regarded as
one time range whose active period is the result of ORing the periodic ones, ORing the absolute ones,
and ANDing the periodic and absolute results.
With no start time specified, the time range is from the earliest time that the system can
express (that is, 00:00 01/01/1970) to the end time. With no end time specified, the time range
is from the time the configuration takes effect to the latest time that the system can express.
Configuration Examples
Create an absolute time range from 16:00, Jan 3, 2009 to 16:00, Jan 5, 2009
<Switch>system-view
[Switch]time-range b
<Switch>system-view
[Switch]time-range b
time-range: b ( Inactive )
1) Basic ACL
2) Extended ACL
3) Layer 2 ACL
Basic ACLs filter packets based on source IP address. They are numbered in the range 1 to 99.
At most 99 numbered ACLs and at most 1000 named ACLs can exist. Each ACL holds at most 128 rules
at the same time. If you want to reference a time range from a rule, define the time range with the
time-range command first.
Operation                       Command                                                   Remarks
Define sub-item match order     acl num match-order { config | auto }                     By default, the system uses config
Define a rule                   acl num { permit | deny } { source-IPv4/v6
Define sub-item match order     acl standard name match-order { config | auto }           By default, the system uses config
[Switch-std-nacl-stdacl]deny 10.0.0.2 0
The switch can define at most 100 numbered extended ACLs (numbers in the range
100 to 199) and at most 1000 named extended ACLs. Each ACL can hold 128 rules
(this limit applies to both named and numbered ACLs).
Operation                       Command                                                   Remarks
Define sub-item match order     acl num match-order { config | auto }                     By default, the system uses config
Define a rule                   acl num { permit | deny } [ protocol ]
                                [ established ] { source-IPv4/v6
                                source-wildcard | any | ipv6any } [ port
                                                                                          By default, the system uses config
Parameters:
protocol: the IP protocol type carried, given by name (for example GRE) or by number up
to 255.
source-IPv4/v6 source-wildcard | any: the source address and wildcard mask; any means any source
address.
dest-IPv4/v6 dest-wildcard | any: the destination address and wildcard mask; any means any destination
address.
precedence precedence: the IP precedence value of the packet, in the range 0 to 7.
Configuration Examples
!Create an extended ACL identified by number to deny FTP packets with source
address 10.0.0.1.
<Switch>system-view
!Create an extended ACL identified by name to deny FTP packets with source
address 10.0.0.1.
<Switch>system-view
[Switch]acl extended extacl
The switch can define at most 100 numbered Layer 2 ACLs (numbers in the range
200 to 299) and at most 1000 named Layer 2 ACLs. Each ACL can hold 128 rules
(this limit applies to both named and numbered ACLs). A Layer 2 ACL classifies packets only by
Layer 2 information: source MAC address, source VLAN ID, Layer 2 protocol type, the
receiving and transmitting interfaces, and the destination MAC address of the Layer 2 frame.
Operation                       Command                                                   Remarks
Define sub-item match order     acl num match-order { config | auto }                     By default, the system uses config
Define sub-item match order     acl link name match-order { config | auto }               By default, the system uses config
!Create a Layer 2 ACL identified by number to deny ARP packets from MAC address
00:00:00:00:00:01.
<Switch>system-view
!Create a Layer 2 ACL identified by name to deny ARP packets from MAC address
00:00:00:00:00:02.
<Switch>system-view
[Switch]acl link lnkacl
[Switch-link-nacl-lnkacl] deny arp ingress 00:00:00:00:00:02 0 egress any
[ subitem num ]
Configuration Examples
The switch only permits packets with source IP address 1.1.1.1.
!Before configuration
0 deny any
!Configuration steps
!Before configuration
1 deny any
!Configuration steps
[Switch]access-group ip-group 1
!Configuration request
A user with MAC 00:00:00:00:00:01 and IP address 1.1.1.1 may only enter through port e0/0/1.
!Configuration steps
[Switch]acl 200 permit ingress 00:00:00:00:00:01 0 interface ethernet 0/0/1 egress any
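Added example (not the switch's code) that works through the match-order and time-range rules of this chapter in one evaluator: rules carry a source address with a wildcard mask (1 bits are "don't care", so any is 0.0.0.0 255.255.255.255), config order tries rules as entered while auto order tries the most specific first, and a rule attached to an inactive time range is skipped. It is run on the "only permit source 1.1.1.1" scenario above with the rules entered in the wrong order, and on the compound Wednesday-in-2004 time range from the time-range notes. The specificity score used for auto order and the FTP rule's fields are assumptions; what the switch does when no rule matches is not modelled (the evaluator returns None).

```python
import ipaddress
from datetime import datetime


def _ip(s):
    return int(ipaddress.IPv4Address(s))


class TimeRange:
    """periodic: list of (weekdays, 'HH:MM', 'HH:MM') with Python weekday numbers
    (Monday=0); absolute: list of (start, end) datetimes. Periodic entries are ORed,
    absolute entries are ORed, and the two groups are ANDed, as the notes describe."""

    def __init__(self, periodic=(), absolute=()):
        self.periodic, self.absolute = list(periodic), list(absolute)

    def active(self, now):
        hhmm = now.strftime("%H:%M")
        p_ok = not self.periodic or any(
            now.weekday() in days and start <= hhmm < end for days, start, end in self.periodic)
        a_ok = not self.absolute or any(start <= now <= end for start, end in self.absolute)
        return p_ok and a_ok


class Rule:
    """One ACL sub-item: source address + wildcard, optional protocol name, destination
    port and time range. Defaults make Rule('deny') equivalent to 'deny any'."""

    def __init__(self, action, src="0.0.0.0", wildcard="255.255.255.255",
                 proto=None, dport=None, time_range=None):
        self.action, self.proto, self.dport, self.time_range = action, proto, dport, time_range
        self.src, self.wild = _ip(src), _ip(wildcard)

    def matches(self, pkt, now):
        if self.time_range is not None and not self.time_range.active(now):
            return False                           # inactive time range: rule is ignored
        care = ~self.wild & 0xFFFFFFFF
        if (pkt["src"] & care) != (self.src & care):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

    def depth(self):
        """Specificity used for auto (depth-first) order: fixed address bits plus extra fields."""
        return (32 - bin(self.wild).count("1")) + (self.proto is not None) + (self.dport is not None)


class ACL:
    def __init__(self, rules, match_order="config"):
        if match_order not in ("config", "auto"):
            raise ValueError("match-order must be config or auto")
        self.rules, self.match_order = list(rules), match_order

    def ordered(self):
        if self.match_order == "config":
            return self.rules                                  # sub-item 0 = first configured
        return sorted(self.rules, key=lambda r: -r.depth())    # stable: most specific first

    def evaluate(self, pkt, now):
        for rule in self.ordered():
            if rule.matches(pkt, now):
                return rule.action
        return None


# Constructed data: the manual's "only permit source 1.1.1.1" case, entered deny-any first.
DENY_ANY = Rule("deny")
PERMIT_HOST = Rule("permit", "1.1.1.1", "0.0.0.0")

# The compound time range from the notes (12:00-14:00 on Wednesdays during 2004),
# attached to a rule denying FTP control connections from 10.0.0.1.
WED_2004 = TimeRange(periodic=[({2}, "12:00", "14:00")],
                     absolute=[(datetime(2004, 1, 1, 0, 0), datetime(2004, 12, 31, 23, 59))])
FTP_ACL = ACL([Rule("deny", "10.0.0.1", "0.0.0.0", proto="tcp", dport=21, time_range=WED_2004),
               Rule("permit")])


def verdict(src, match_order):
    return ACL([DENY_ANY, PERMIT_HOST], match_order).evaluate({"src": _ip(src)}, datetime(2004, 1, 7, 13, 0))


def ftp_verdict(now):
    return FTP_ACL.evaluate({"src": _ip("10.0.0.1"), "proto": "tcp", "dport": 21}, now)


def results():
    return {
        "config 1.1.1.1": verdict("1.1.1.1", "config"),   # deny: deny-any shadows the permit
        "auto 1.1.1.1": verdict("1.1.1.1", "auto"),       # permit: host rule tried first
        "auto 2.2.2.2": verdict("2.2.2.2", "auto"),
        "ftp Wed 2004": ftp_verdict(datetime(2004, 1, 7, 13, 0)),   # Wednesday in 2004
        "ftp Wed 2005": ftp_verdict(datetime(2005, 1, 5, 13, 0)),   # Wednesday, but 2005
    }


if __name__ == "__main__":
    for k, v in results().items():
        print(k, v)
```

The first two results are the practical consequence of the match-order setting: a "deny any" entered before a more specific permit silently shadows it in config order, while auto order reorders by specificity. The last two show a time-ranged rule switching off outside its window, so a filter that looks correct in the running configuration may not be in force at the moment it is needed.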
After finishing the above configuration, you can view it with the commands below.
Operation                                  Command                                Remarks
Chapter 15 QOS
In traditional IP networks, packets are treated equally: a FIFO (first in, first out) policy
is applied to packet processing. The network resources a packet gets for forwarding are
determined by the order in which packets arrive. All packets share the resources of the
network, and the resources available to a packet depend entirely on the time it
arrives. This service policy is known as best-effort: it delivers packets to their
destination with the best effort, with no guarantee for delivery delay, jitter, packet loss
ratio or reliability.
With the fast development of computer networks, more and more networks are connected to the
Internet. Users expect better services, such as dedicated bandwidth and bounded delay and jitter.
New services such as voice, video and important data enrich network service resources and
constantly face network congestion, so Internet users make higher demands on QoS. Ethernet is
the most widespread network technology in the world today. Ethernet has become the leading
technology in every independent LAN, and many Ethernet LANs have become part of the
Internet. With the development of Ethernet technology, Ethernet connections are
becoming one of the main forms of Internet access. An end-to-end QoS solution has to
take the service guarantees of Ethernet QoS into account, which requires Ethernet devices to apply
Ethernet technology to provide different levels of QoS guarantee for different types of service
flow, especially service flows with strict delay and jitter requirements.
15.1.1 Traffic classification
Traffic classification means identifying packets according to specified rules. It is the basis and prerequisite for providing differentiated services. A traffic classification rule can use the precedence bits in the type of service (ToS) field of the IP packet header to identify traffic with different precedence characteristics. A traffic classification rule can also classify traffic according to a policy set by the network administrator, such as a combination of source address, destination address, MAC address, IP protocol, or the port numbers of the application. Traffic classification is generally based on the information in the packet header and rarely on the content of the packet.
15.1.3 Priority
1) 802.1p priority lies in the Layer 2 packet header and is applicable where the Layer 3 packet header does not need to be analyzed but QoS must be assured at Layer 2. As described in the VLAN configuration chapter, each host that supports the 802.1Q protocol inserts a 4-byte tag header after the source address of the Ethernet frames it forwards.
As shown in the figure above, the PRI field is the 802.1p priority. It consists of 3 bits with a range of 0 to 7; the three bits indicate the frame priority, so the tag distinguishes 8 priority levels.
The ToS field in the IP header contains eight bits: the first three bits represent IP precedence, the next four bits represent the ToS value, and the last bit is currently unused and defaults to 0. The four ToS bits denote four classes of service: minimum delay, maximum throughput, high reliability and minimum cost. Only one of these bits can be set; if all four bits are 0, that means normal service.
According to RFC 2474, the ToS field is redefined as the differentiated services (DS) field, where the DSCP value is represented by the first six bits (0 to 5) and ranges from 0 to 63. The
In a network using the Diff-Serv model, traffic is grouped into the following classes, and packets
Expedited forwarding (EF) class: In this class, packets are forwarded regardless of the link share of other traffic. The class is suitable for preferential services requiring low delay, low
Assured forwarding (AF) class: This class is divided into four subclasses (AF1 to AF4), each containing three drop priorities for more granular classification. The QoS level of the AF
Class selector (CS) class: This class is derived from the IP ToS field and includes eight subclasses.
Best effort (BE) class: This class is a special CS class that does not provide any assurance. AF traffic exceeding the limit is degraded to the BE class. All IP network traffic belongs to this class by default.
DSCP (decimal)   DSCP (binary)   Key
0                000000          be
46               101110          ef
10               001010          af1
18               010010          af2
26               011010          af3
34               100010          af4
8                001000          cs1
16               010000          cs2
24               011000          cs3
32               100000          cs4
40               101000          cs5
48               110000          cs6
56               111000          cs7
distributing. Which kind of flow control to adopt depends on the stage the traffic is in and the current load of the network. For example, packets are monitored according to the committed average rate when they enter the network, and queue scheduling manages packets before they are
Packet filtering filters service flows; deny, for example, means denying the service flow that matches the traffic classification and permitting other flows to pass. The system adopts complex flow classification to filter all kinds of information in Layer 2 service packets, to deny useless,
In order to serve customers better with the limited network resources, QoS can monitor the service flow of a specified user on the ingress interface, which adapts to the distribution of network resources.
Interface speed limitation is a speed limit based on an interface, which limits the total rate
15.1.8 Redirection
Users can re-specify the packet transmission interface according to the needs of their own QoS strategies.
The Ethernet switch can provide a priority marking service for specified packets, covering ToS, DSCP and 802.1p. These priority marks can adapt to different QoS models and can be defined in
The Ethernet switch can choose the corresponding output queue for specified packets.
It adopts queue scheduling to solve the problem of resource contention among many packets during network congestion. There are three queue scheduling modes: Strict-Priority Queue (PQ), Weighted Round Robin (WRR) and SP+WRR.
1) PQ
PQ (Priority Queuing) is designed for key service applications. Key services have an important feature: they require precedence so that the response delay is reduced during network congestion. Priority queuing divides all packets into 4 levels, that is, superior, middle, normal and inferior priority (3, 2, 1, 0), with priority decreasing in that order.
During queue scheduling, PQ transmits the packets in the superior priority queue first, according to the priority level, and transmits packets in an inferior priority queue only when the superior ones are empty. Put key services in the superior queue and non-key services (such as email) in the inferior queue to guarantee that packets in the superior group are transmitted first and non-key services are transmitted in
The shortcoming of PQ is that when there is network congestion and the superior group holds more packets for a long time, the packets in the inferior priority queues will wait longer.
2) WRR
WRR queue scheduling divides a port into 4 or 8 output queues (the S2926V-O has 4 queues, that is, 3, 2, 1, 0) and schedules them in turn to guarantee service time for each queue. WRR can configure a weight value for each queue (w3, w2, w1, w0 in turn) that represents the percentage of resources it obtains. For example, for a 100M port, configure its WRR queue scheduler weights to be 50, 30, 10, 10 (corresponding to w3, w2, w1, w0 in turn) to guarantee that the inferior priority queue gains at least 10 Mbit/s of bandwidth, avoiding the shortage
WRR has another advantage: the queues are scheduled in turn, but the service time is not fixed; if a queue is empty, scheduling moves on to the next queue at once, to make
3) SP+WRR
The superior priority queues use the SP algorithm, and the others use the WRR algorithm.
The system maps the 802.1p priority of a packet to a hardware queue priority. For each packet, the system maps it to the specified hardware queue priority according to its 802.1p
Flow mirroring means copying specified data packets to a monitor interface to monitor the network and troubleshoot failures.
Flow-based statistics can count and analyze the packets the customer is interested in.
Users can copy specified packets to the CPU according to the needs of their QoS strategies.
The system realizes the QoS functions on the basis of access control lists, including: flow monitoring, interface speed limit, packet redirection, priority marking, queue scheduling, flow mirroring, flow
Flow monitoring restricts the flow rate: it monitors the speed of a flow entering the switch. If the flow exceeds the specified rate, the switch takes actions such as dropping the packet or
The Two Rate Three Color Marker is defined in RFC 2698. It has 4 parameters: CIR, CBS, PIR and PBS.
Operation Command Remarks
Operation: Enter global configuration mode
Command: system-view

Operation: Configure Two Rate Three Color mode
Command: two-rate-policer mode { color-aware | color-blind }

Operation: Configure Two Rate Three Color pre-color
Command: two-rate-policer set-pre-color dscp-value { green | red | yellow }

Operation: Configure Two Rate Three Color Marker
Command: rate-limit input { [ ip-group { acl-number | acl-name } [ subitem subitem ] ] [ link-group { acl-number | acl-name } [ subitem subitem ] ] } target-rate two-rate-policer cir cir cbs cbs pir pir pbs pbs conform-action { copy-to-cpu | drop | set_dscp_value dscp | transmit } exceed-action { copy-to-cpu | drop | set_dscp_value dscp | transmit }
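The trTCM that the two-rate-policer commands configure, as an added Python example (not code from the manual or the OLT): two token buckets of size CBS and PBS refilled at CIR and PIR, with the colour-blind and colour-aware decisions from RFC 2698. The rates, burst sizes and packet burst are constructed values.

```python
"""Two Rate Three Color Marker (RFC 2698), the algorithm behind the
two-rate-policer commands above. Added example, not code from the manual
or the OLT firmware. Rates are in bytes per second and the arrival time
is passed in explicitly so that a run is deterministic."""

from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class TrTCM:
    cir: float          # committed information rate, bytes/s
    cbs: int            # committed burst size, bytes (size of bucket C)
    pir: float          # peak information rate, bytes/s
    pbs: int            # peak burst size, bytes (size of bucket P)
    color_aware: bool = False
    tc: float = field(init=False)    # tokens currently in bucket C
    tp: float = field(init=False)    # tokens currently in bucket P
    last: float = field(init=False)  # time of the last bucket update

    def __post_init__(self):
        if self.pir < self.cir:
            raise ValueError("PIR must not be smaller than CIR")
        # Both buckets start full (RFC 2698 section 2).
        self.tc, self.tp, self.last = float(self.cbs), float(self.pbs), 0.0

    def _refill(self, now):
        # Each bucket fills continuously at its own rate, capped at its burst size.
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)

    def mark(self, size, now, pre_color=GREEN):
        """Colour of a packet of `size` bytes arriving at time `now` (seconds).
        In colour-blind mode `pre_color` is ignored; in colour-aware mode a
        packet can only be demoted, never promoted."""
        self._refill(now)
        if self.color_aware and pre_color == RED:
            return RED                    # stays red, no tokens consumed
        if self.tp < size:
            return RED                    # above PIR/PBS, no tokens consumed
        if (self.color_aware and pre_color == YELLOW) or self.tc < size:
            self.tp -= size               # within PIR but above CIR: only P is charged
            return YELLOW
        self.tp -= size                   # within CIR: both buckets are charged
        self.tc -= size
        return GREEN


def mark_burst(policer, sizes, interval):
    """Mark packets arriving `interval` seconds apart; returns their colours."""
    return [policer.mark(size, i * interval) for i, size in enumerate(sizes)]


if __name__ == "__main__":
    # Constructed profile: CIR 1000 B/s, CBS 1500 B, PIR 2000 B/s, PBS 3000 B.
    p = TrTCM(cir=1_000, cbs=1_500, pir=2_000, pbs=3_000)
    print(mark_burst(p, [1_000] * 4, 0.0))   # ['green', 'yellow', 'yellow', 'red']
```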
Line-limit is a speed limit based on an interface, which restricts the total rate of packet output.
Operation Command Remarks
Traffic priority configuration is the strategy of re-marking the priority of packets matching an ACL; the marked priority is written into the field of the packet header that carries priority.
Operation Command Remarks
During network congestion, queue scheduling must be used to solve the problem of resource competition. The system supports 3 kinds of queue scheduling: SP, WRR and full SP+WRR. The default is SP.
Operation Command Remarks
Operation: Configure SP
Command: queue-scheduler group-number strict-priority
Operation: [...]
Command: [...] queue1-weight queue2-weight [...] queue5-weight queue6-weight queue7-weight queue8-weight

Operation: [...]
Command: [...] queue1-weight queue2-weight [...] queue5-weight queue6-weight queue7-weight queue8-weight

Operation: Configure queue-scheduler on interface
Command: queue-scheduler group-number

The cos-map relationship between hardware priority queues and IEEE 802.1p priorities is one-to-one [...]; administrators can change the mapping between hardware priority queues and IEEE 802.1p priorities at any time when the one-to-one correspondence shifts.
By default, the cos-map relationship between hardware priority queue and IEEE 802.1p priority is as follows:
IEEE 802.1p priority   Hardware priority queue
0                      0
1                      1
2                      2
3                      3
4                      4
5                      5
6                      6
7                      7
Administrators can also change the cos-map relationship between hardware priority queue and IEEE 802.1p priority
As in 1.2.7, by default the relationship between DSCP and the 8 IEEE 802.1p priorities is as follows:
DSCP  802.1p   DSCP  802.1p   DSCP  802.1p   DSCP  802.1p
0     0        16    2        32    4        48    6
1     0        17    2        33    4        49    6
2     0        18    2        34    4        50    6
3     0        19    2        35    4        51    6
4     0        20    2        36    4        52    6
5     0        21    2        37    4        53    6
6     0        22    2        38    4        54    6
7     0        23    2        39    4        55    6
8     1        24    3        40    5        56    7
9     1        25    3        41    5        57    7
10    1        26    3        42    5        58    7
11    1        27    3        43    5        59    7
12    1        28    3        44    5        60    7
13    1        29    3        45    5        61    7
14    1        30    3        46    5        62    7
15    1        31    3        47    5        63    7
Administrators can also change the mapping relationship between DSCP and the 8 IEEE 802.1p priorities
Flow statistics configuration is used to count the packets of a specified service flow. The statistics
Flow mirroring copies the service flow which matches ACL rules to a specified monitor interface
After finishing the above configuration, use the commands below to display the configuration.
Operation Command Remarks
[...] of IEEE802.1p protocol
[...] interface-num ] all
[...] parameters interface-num ]
Chapter 16 SSH
Secure Shell (SSH) provides information security and strong authentication to prevent attacks such as IP address spoofing and plain-text password interception when users log on to
SSH can take the place of Telnet to provide secure management and configuration.
A switch, as an SSH server, can connect to multiple SSH clients. SSH clients can be both LAN users and WAN users. XXXX switches can act only as an SSH server and support SSH v2.
Operation: Configure the default key
Command: ssh-server key create { rsa | dss | ecdsa }

Operation: [...]
Command: [...]
Remarks: By default, the ssh-server function is disabled.
Chapter 17 SNMP
[...] network. The SNMP protocol makes centralized management of large networks possible. Its goal is to ensure that management information is transmitted between any two points. SNMP makes it convenient for the network administrator to retrieve information from any node on the network, make modifications, find faults, and complete fault diagnosis, capacity
The SNMP structure is divided into two parts: NMS and Agent. The NMS (Network Management Station) is a workstation that runs client programs, while the Agent is server-side software running on a network device. The NMS can send GetRequest, GetNextRequest and SetRequest packets to the Agent. Upon receiving an NMS request message, the agent performs the Read or Write operation according to the packet type and generates a Response packet to return to the NMS. On the other hand, when the device encounters an abnormal event such as a hot or cold start, the agent sends a Trap packet to the NMS to report the event.
The system supports SNMP v1, SNMP v2c and SNMP v3. SNMP v1 provides a simple [...] and the v1 Trap has no confirmation mechanism. v2c enhances the v1 management model (on [...] ability between managers) by adding the creation and deletion of tables and communication between managers, and by reducing storage on the agent side. v3 implements a user authentication mechanism and a packet encryption mechanism, which greatly improve
This function cooperates with the network management software to log on to the switch and
[ notifytype-list ] ]
SNMP adopts the community name authentication scheme: SNMP packets that do not match the community name are discarded. An SNMP community is named by a string, known as the community name. Different communities can have read-only or read-write access permission. A community with read-only access can only query system information, whereas a community with read-write access can, in addition to querying system information, perform
This is used to configure the views available for access control and the subtrees they contain. The views iso, internet and sysview exist by default. Deleting or modifying the internet view is not supported.
This configuration task is used to configure an access control group. By default, there are two SNMPv3 groups: (1) the initial group with the security level auth; (2) the initial group
required).
Operation Command Remarks
[...] context-name ] }
This is used to configure a user for the local engine or for a remote engine that can be identified. By default, the following users exist: (1) initialmd5, (2) initialsha, (3) initialnone. These three users are reserved for the system and cannot be used. When configuring a user, you need to ensure that the engine to which this user belongs is identifiable. When an identifiable engine is deleted, the users it contains are also deleted.
Operation Command Remarks
[...] { encrypt-privpassword privpassword | privkey | privkey } } ]
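How an SNMPv3 user's password becomes the key stored for one engine (which is why the user's engine must be identifiable, and why a privkey is a different input from a privpassword), as an added Python example that is not part of the manual. It follows RFC 3414 and uses that RFC's published test vector (password maplesyrup, engine ID 000000000000000000000002).

```python
"""USM key derivation from RFC 3414 (section 2.6 and appendix A.2): how an
SNMPv3 user's authentication or privacy password is turned into the key
that one particular engine stores. Added example, not code from the manual;
the password and engine ID used below are the RFC 3414 test vectors."""

import hashlib

ONE_MIB = 1024 * 1024


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku: hash of the password repeated until exactly 1 MiB has been consumed
    (the stretching step that makes offline guessing more expensive)."""
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(algorithm)
    full, rem = divmod(ONE_MIB, len(password))
    h.update(password * full + password[:rem])   # last copy may be cut short
    return h.digest()


def localize_key(password: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the per-engine key an agent keeps.
    Because the engine ID is mixed in, the same password gives a different key
    on every engine, so a localized key lifted from one device is useless on
    another, and a user cannot be created before its engine is known."""
    ku = password_to_key(password, algorithm)
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_keys(password: bytes, engine_id: bytes) -> dict:
    """Localized keys for the two authentication protocols the manual's
    reserved users are named after (initialmd5, initialsha)."""
    return {alg: localize_key(password, engine_id, alg).hex() for alg in ("md5", "sha1")}


if __name__ == "__main__":
    rfc_engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 appendix A.3
    print(localized_keys(b"maplesyrup", rfc_engine))
```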
configuration
configuration
Chapter 18 Info-center
As the information center of the system, the Info-center processes and outputs information in a unified manner.
Other modules in the system send the information to be output to the Info-center. The Info-center determines the output format based on the user configuration and outputs the information to the specified display device according to the information output functions and filtering rules in the user configuration.
[...] the console, telnet terminal, or log host (Info-center server). Information consumers (the console, telnet terminal, history buffer, log host, and SNMP agent) can select the desired information and discard the unwanted information according to their needs, on condition that
In global configuration mode, enable or disable the Info-center function. When the Info-center [...] on the equipment.
Operation Command Remarks
In global configuration mode, set whether to display the global sequence number in Info-center outputs.
Operation Command Remarks
In global configuration mode, configure the time stamp type in Info-center outputs. The time
In global configuration mode, configure the information output function, information display
function, and filtering rules for outputting Info-center information to terminals. By default,
Info-center information is outputted only to the buffer and not outputted to the console or
terminal.
Operation Command Remarks
Operation: Enable the log output function and output logs to the specified terminal.
Command: info-center monitor { all | monitor-num }
Remarks: When monitor-num is [...], logs are outputted to the console. When monitor-num is [...], logs are outputted to telnet terminals. Enabled by default. The setting affects other terminals [...] of the current terminal.

Operation: Disable the function of displaying system information to prevent outputting any logs to the current terminal.
Command: undo terminal monitor
Remarks: The setting [...] current login of the current terminal and is invalid for other terminals or the current terminal [...] configuration.
In global configuration mode, configure the information output function and filtering rules for
outputting Info-center information to the history buffer. By default, the function is enabled.
Operation Command Remarks
configuration.
In global configuration mode, configure the information output function and filtering rules for
outputting Info-center information to the flash storage. By default, Info-center information is not
saved to the flash storage. In addition, the interval of saving Info-center information to the flash
storage cannot be configured and the system saves Info-center information once every 30
minutes by default.
Operation Command Remarks
Operation: Specify the level and module whose [...] storage.
Command: [...] { level [ to level ] } & < 1-8 > } [ module { xxx [...]
Remarks: [...] configuration.
In global configuration mode, configure the server address, information output function,
filtering rules, info-center tool, and fixed source address for outputting Info-center information
A maximum of [...] be configured.
Operation: [...] outputted to the host in the system configuration
Command: undo info-center host { all | ip-address }
[...] setting (localuse7).
[...] equipment.
[...] existing IP interface addresses in the system.
In global configuration mode, configure the information output function and filtering rules for
To send Info-center information to the SNMP workstation as Trap packets, you must configure
Operation: [...] to be outputted to the SNMP agent.
Command: level-list { level [ to level ] } & < 1-8 > }
agent.
configuration.
In global configuration mode, enable/disable the module debugging function. By default, the
specified module.
information.
The OLT is a 10-Gigabit intelligent routing switch based on application-specific integrated circuit (ASIC) technology and supports Layer 2 (L2) and Layer 3 (L3) forwarding. It performs L2 forwarding when hosts in the same virtual local area network (VLAN) access each other and
[...] host on interfaces
L3 interfaces are classified into common VLAN interfaces and superVLAN interfaces. Common VLAN interfaces are created on VLANs and superVLAN interfaces on superVLANs
The L3 switch supports stream forwarding and network topology-based forwarding. In stream forwarding mode, the L3 switch identifies a failed route or an unreachable destination host route and sends the packets to the CPU for further processing. In network topology-based forwarding mode, the L3 switch directly discards such packets. By default, the L3 switch works in network topology-based forwarding mode.
A VLAN interface needs to be configured for each VLAN that performs L3 forwarding or the
SuperVLAN interfaces are used for communication between hosts in different VLANs in the
same network segment. SuperVLAN interfaces are implemented through the ARP proxy.
Operation Command Remarks
configuration mode.
and the IP addresses of VLAN or superVLAN interfaces cannot be in the same network segment. The first IP address of an interface is automatically selected as the primary IP address. When the primary IP address is deleted, the interface automatically selects another address as the primary IP address. For example, if the IP address of VLAN interface 1 is 10.11.0.1/16, the IP addresses of other interfaces must not be in the 10.11.0.0/16 network segment (such as 10.11.1.1/24).
Operation Command Remarks
the interface.
Each VLAN or superVLAN interface can be configured with a maximum of eight IP address ranges. After an IP address range is configured, only the ARP entries within this range can be learnt, so as to restrict user access. When a VLAN or superVLAN interface is deleted, the relevant
For superVLAN interfaces, sub-VLANs can be specified at the same time so that the set
Operation: Delete the IP address ranges of the [...]
Command: undo ip address range startip endip vlan [...]
ARP request packets are broadcast packets and cannot pass through VLANs. If the ARP proxy function is enabled, ARP interaction is supported between hosts in sub-VLANs of the same superVLAN. When the ARP proxy is disabled, the hosts of the sub-VLANs in the superVLAN
By default, the ARP request packets from all sub-VLANs are processed in the preceding manner. In addition, relevant commands can be used to prevent the ARP request packets from a sub-VLAN from being broadcast to other sub-VLANs when they are processed by the ARP proxy.
Operation Command Remarks
VLAN.
in the system.
The L3 switch integrates VLAN interface information and superVLAN interface information.
URPF aims to prevent network attacks based on source address spoofing. URPF takes the source address and ingress interface of a packet and uses the source address as a destination address to query the routing table for a matching route. The packet is forwarded if it meets the conditions and discarded if it does not. Two URPF modes are supported:
Strict mode: In this mode, the source address must exist in the routing table and the egress interface of the route to the source address must be the same as the ingress interface of the packet.
Loose mode: In this mode, the system only checks whether the source address of the packet
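The strict and loose checks above, worked through in Python as an added example that is not from the manual; the routing table, interface names and the ignore_default option are constructed assumptions.

```python
"""Strict and loose unicast RPF decisions over a small routing table, as
described above. Added example, not code from the manual or the OLT; the
routes, interface names and addresses below are constructed."""

import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, egress interface)

# Constructed routing table: two customer VLAN interfaces and a default
# route pointing at the uplink interface.
ROUTES: List[Route] = [
    ("10.1.0.0/16", "vlan-if1"),
    ("10.2.0.0/16", "vlan-if2"),
    ("0.0.0.0/0", "vlan-if100"),
]


def lookup(routes: List[Route], addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match; returns (prefix, egress interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(routes: List[Route], src_ip: str, ingress_iface: str,
                 mode: str = "strict", ignore_default: bool = True) -> bool:
    """Look up the packet's *source* address as if it were a destination.
    loose : the source must have a route at all.
    strict: in addition, the route's egress interface must equal the
            interface the packet arrived on.
    `ignore_default` is an assumption, not from the manual: a match on
    0.0.0.0/0 is treated as no match, because otherwise loose mode on an
    interface with a default route lets every source address through."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be strict or loose")
    hit = lookup(routes, src_ip)
    if hit is None:
        return False
    net, egress = hit
    if ignore_default and net.prefixlen == 0:
        return False
    if mode == "loose":
        return True
    return egress == ingress_iface


if __name__ == "__main__":
    # A host in 10.1.0.0/16 sending from its own VLAN passes; the same source
    # arriving on vlan-if2 is a spoof in strict mode but passes loose mode.
    print(urpf_permits(ROUTES, "10.1.5.5", "vlan-if1"))            # True
    print(urpf_permits(ROUTES, "10.1.5.5", "vlan-if2"))            # False
    print(urpf_permits(ROUTES, "10.1.5.5", "vlan-if2", "loose"))   # True
```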
To avoid attacks from address scanning software similar to ip-scan, users can disable the
unreachable destination
unreachable destination
Chapter 20 ARP
Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer
address.
An IP address is the address of a host at the network layer. To send a network layer packet to a
destination host, the device must know the data link layer address (such as the MAC address)
of the destination host. To this end, the IP address must be resolved into the corresponding
Unless otherwise stated, the data link layer addresses that appear in this chapter refer to the
port interface-num
supervlan-interface vlan-id } }
default
ARP provides no security mechanism and thus is prone to network attacks. An attacker can
The sender MAC address or target MAC address in the ARP message is inconsistent with the source MAC or destination MAC address in the Ethernet frame.
The mapping between the sender IP address and the sender MAC address in the forged ARP message is not the true IP-to-MAC address binding of a valid client.
ARP attacks have many malicious effects: network communications become unstable, users cannot access the Internet, and serious industrial accidents may even occur. ARP attacks may also intercept accounts and passwords of services such as games, online banking and file services.
To protect against ARP spoofing attacks, the key is to identify spoofed ARP packets and prohibit forwarding them. From the principle of ARP spoofing it follows that preventing ARP spoofing attacks requires two things: first, preventing an infected host from masquerading as the gateway, which would cut off access for the entire segment of users; second, preventing an infected host from masquerading as another host to eavesdrop on data or make hosts on the same network segment unable to
Switches provide an active ARP spoofing defense function. In practical applications, when network hosts communicate for the first time, the switch records the ARP table entries; entries in the
To prevent the above-mentioned ARP attacks, the switches launch a comprehensive ARP
An access switch is a critical point for preventing ARP attacks, as ARP attacks generally arise from the host side. To prevent ARP attacks, the access switches must be able to
Establish correct ARP entries, detect and filter out forged ARP packets, and ensure the validity of the ARP packets they forward
After configuring the access switches properly, you do not need to deploy ARP attack protection on the gateway. This relieves the burden on the gateway.
If the access switches do not support ARP attack protection, or the hosts are connected to a
Create correct ARP entries and prevent them from being modified.
Suppress the burst impact of ARP packets or of the IP packets that trigger the sending of ARP requests.
The merit of configuring ARP attack protection on the gateway is that this gateway configuration hardly affects the switches and can properly support the existing network, thus
Flood attacks are based on the principle of directing a large volume of attack packets at network equipment such as routers, switches and servers, leading to depletion
An ARP flood attack is aimed mainly at the CPU of the network device, leading to depletion of core CPU resources. To defend against this type of attack, the switch must determine in
The switch's ARP anti-flood function identifies each ARP traffic stream and, according to the configured ARP rate security threshold, determines whether an ARP flood attack is occurring. When a host's ARP traffic exceeds the set threshold, the switch considers it a flood attack and immediately puts the host into the blacklist as a virus host, banning the forwarding of all packets from that host.
To make management and maintenance easier for the network administrator, the switches, while the automatic protection takes effect, also save the related alarms in the system log. For disabled
When the ARP anti-flood function is enabled, the broadcast ARP packets received are sent to the CPU, and the different streams are identified according to the ARP packet source MAC address.
Set the security ARP rate; if the rate exceeds the threshold, the switch considers it an ARP attack.
If you select deny-all in the above command, when ARP traffic exceeds the set threshold, the switch determines the source MAC address and adds the MAC address to the blackhole list
If you select deny-arp in the above command, when ARP traffic exceeds the set threshold, the switch judges by the source MAC address, and that address is denied all
To recover forwarding for a disabled user, administrators can set up automatic or
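The two ARP consistency checks and the per-source-MAC rate threshold described in this chapter, as an added Python example (not code from the manual or the switch); the MAC addresses, bindings, threshold and the deny-all/deny-arp handling are constructed to illustrate the text.

```python
"""ARP packet validity checks and a per-source-MAC ARP rate threshold,
modelled on the anti-spoofing and anti-flood behaviour described in this
chapter. Added example, not code from the manual; packets, addresses,
bindings and the threshold are constructed."""

from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str        # Ethernet frame source MAC
    eth_dst: str        # Ethernet frame destination MAC
    sender_mac: str     # ARP sender hardware address
    sender_ip: str      # ARP sender protocol address
    target_mac: str     # ARP target hardware address
    target_ip: str      # ARP target protocol address
    is_reply: bool      # True for an ARP reply, False for a request


def arp_is_valid(pkt: ArpPacket, bindings: dict) -> tuple:
    """The two consistency checks the text lists. `bindings` maps IP -> MAC
    for known valid clients (for example entries learnt by DHCP snooping, or a
    static entry for the gateway)."""
    if pkt.sender_mac != pkt.eth_src:
        return False, "sender MAC differs from frame source MAC"
    # Requests are broadcast and carry a placeholder target MAC, so the
    # destination comparison is only meaningful for replies.
    if pkt.is_reply and pkt.target_mac != pkt.eth_dst:
        return False, "target MAC differs from frame destination MAC"
    if bindings.get(pkt.sender_ip) != pkt.sender_mac:
        return False, "sender IP/MAC pair is not a valid binding"
    return True, "ok"


class ArpAntiFlood:
    """Counts ARP packets per source MAC in one-second windows. A source that
    exceeds `threshold` is blackholed with the configured action: deny-all
    drops every packet from it, deny-arp drops only its ARP packets."""

    def __init__(self, threshold: int, action: str = "deny-all"):
        if action not in ("deny-all", "deny-arp"):
            raise ValueError("action must be deny-all or deny-arp")
        self.threshold = threshold
        self.action = action
        self.counts = defaultdict(int)
        self.window = None
        self.blackhole = set()

    def on_arp(self, src_mac: str, now: float) -> bool:
        """Account one ARP packet seen at time `now`; True means forward it."""
        window = int(now)
        if window != self.window:          # start a new one-second window
            self.counts.clear()
            self.window = window
        self.counts[src_mac] += 1
        if self.counts[src_mac] > self.threshold:
            self.blackhole.add(src_mac)   # rate exceeded: treat as a flood source
        return src_mac not in self.blackhole

    def permits(self, src_mac: str, is_arp: bool) -> bool:
        """Forwarding decision for any later packet from `src_mac`."""
        if src_mac not in self.blackhole:
            return True
        return self.action == "deny-arp" and not is_arp

    def recover(self, src_mac: str) -> None:
        """Manual recovery by the administrator; the text also mentions automatic recovery."""
        self.blackhole.discard(src_mac)
```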
Chapter 22 DHCP-Relay
Since the packets are broadcast in the process of obtaining IP addresses, DHCP is only applicable when DHCP clients and DHCP servers are in the same network segment; that is, you would need to deploy at least one DHCP server for each network segment,
DHCP Relay is designed to address this problem. It enables DHCP clients in one subnet to communicate with a DHCP server in another subnet so that the DHCP clients can obtain IP addresses. In this case, the DHCP clients in multiple networks can use the same DHCP server,
DHCP relays transparently transmit broadcast packets from DHCP clients or servers to the
In the process of dynamic IP address assignment through a DHCP relay, the DHCP client and DHCP server interoperate in a similar way as they do without the DHCP relay. The following sections only describe the forwarding process of the DHCP relay.
After receiving the packets, the network device providing the DHCP relay function unicasts the
The DHCP server assigns IP addresses and then broadcasts the configuration information to the client through the DHCP relay. The sending mode is determined by the flag in the
To improve reliability, you can set up multiple DHCP servers in a network. Each DHCP server
[...] DHCP server group, it forwards the DHCP packets from the client to all the servers in the server group.
DHCP relay supports processing of DHCP packets carrying the option 60 field. When option 60 is configured on a VLAN interface or superVLAN interface and the interface receives a DHCP packet from the client, if the packet includes the option 60 field it is
If a match is found, the gateway uses the gateway address in the match to relay the packet and forwards the DHCP packet to the server address in the match.
If the DHCP server and the DHCP client are not on the same subnet or the device is configured as a DHCP server, you need to enable the DHCP relay function.
Sometimes, for network security reasons, network administrators do not want the DHCP client to know the address of the DHCP server. To meet such requirements, a device that enables DHCP relay can be configured to hide the address of the real DHCP server. In this way, the DHCP client regards the device that enables the DHCP relay as the DHCP server, which hides the real DHCP server. Of course, if the device that enables the DHCP relay is also a
The DHCP Option 82 function must be used together with DHCP relay or DHCP snooping. When a DHCP message received by the switch already carries the Option 82 field, the following
drop: Drop all DHCP packets that carry the Option 82 field.
replace: Replace the existing Option 82 in the packet with the new Option 82 and forward it.
Operation: Configure Remote Option for DHCP Option82
Command: dhcp option82 remote-id string { string | hostname }
Remarks: [...] configuration
For the sake of security, the IP addresses used by online DHCP clients need to be tracked so that the administrator can verify the correspondence between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients. Switches can track DHCP client IP addresses through the DHCP snooping function, which monitors
DHCP snooping monitors the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:
DHCP-ACK packet
DHCP-REQUEST packet
When an unauthorized DHCP server exists in the network, a DHCP client may obtain an illegal IP address. To ensure that DHCP clients obtain IP addresses from valid DHCP servers, you can specify a port as a trusted port or an untrusted port with the DHCP snooping function:
Trusted ports can be used to connect DHCP servers or ports of other switches.
Untrusted ports drop the DHCP-ACK and DHCP-OFFER packets received from DHCP servers. Trusted ports forward any received DHCP packets to ensure that DHCP clients can obtain IP
Trusted VLAN: in a trusted VLAN, an untrusted port does not drop DHCP-ACK and DHCP-OFFER packets.
default
If an attacker exists, it disguises itself as multiple users and requests addresses from the DHCP server to use up the server's allocatable addresses. As a consequence, the server has no address to allocate to the users who need an IP address. For this problem, the network administrator can take the following measures:
Restrict the number of DHCP clients connected to a switch port. In this case, only the clients connected to the same port as the attacker suffer the attack.
Restrict the number of DHCP clients in a specified VLAN. In this case, only the clients in the same
vlan vlan-id    Enter vlan configuration mode
in specified VLAN
When the link is down, you can perform the following actions on the dynamic entries which
enable fast-remove: delete the DHCP snooping dynamic entries immediately when the port goes
down.
disable fast-remove: age the dynamic entries normally according to their lease term instead of
deleting the DHCP snooping dynamic entries immediately when the port goes down.
port fast-remove
port fast-remove
IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious
host from impersonating a legitimate host by assuming the legitimate host's IP address. The
feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to
hosts on untrusted Layer 2 access ports. When using IP-Source-Guard, pay attention:
After enabling IP-Source-Guard, all traffic with that IP source address is permitted from that
trusted client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the
network by claiming a neighbor host's IP address. The filtering info can be source MAC, source
on port is disabled.
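As an added example that is not part of this manual, the following Python model shows how the DHCP snooping and IP Source Guard mechanisms described above fit together: untrusted ports drop server replies, the binding table is built from the DHCP-REQUEST/DHCP-ACK pair, a per-port client limit counters address starvation, fast-remove clears entries on link down, and IP Source Guard permits only frames that match a binding on the receiving port. The class, port names, MAC and IP addresses are all constructed for the example and do not reflect the OLT's internal implementation.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# DHCP message types that only a server sends. An untrusted (subscriber-side)
# port must drop these; a trusted port or a trusted VLAN lets them through.
SERVER_MESSAGES = {"OFFER", "ACK"}


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table, also used by IP Source Guard."""
    mac: str
    ip: str
    vlan: int
    port: str


class DhcpSnoopingSwitch:
    """Hypothetical model of the switch-side logic (constructed for this example)."""

    def __init__(self, max_clients_per_port: Optional[int] = None) -> None:
        self.trusted_ports: Set[str] = set()
        self.trusted_vlans: Set[int] = set()
        self.fast_remove = True                    # delete entries at once on link down
        self.max_clients_per_port = max_clients_per_port
        self.dynamic: Dict[Tuple[int, str], Binding] = {}    # learned from DHCP-ACK
        self.static: Dict[Tuple[int, str], Binding] = {}     # configured by hand
        self._request_port: Dict[Tuple[int, str], str] = {}  # where the REQUEST was seen

    def _clients_on_port(self, port: str) -> int:
        return sum(1 for b in self.dynamic.values() if b.port == port)

    def process_dhcp(self, in_port: str, vlan: int, msg_type: str,
                     client_mac: str, yiaddr: Optional[str] = None) -> str:
        """Return 'forward' or 'drop' for one DHCP message received on in_port."""
        key = (vlan, client_mac.lower())
        if msg_type in SERVER_MESSAGES:
            if in_port not in self.trusted_ports and vlan not in self.trusted_vlans:
                return "drop"          # server reply on an untrusted port: rogue server
            if msg_type == "ACK" and yiaddr is not None:
                client_port = self._request_port.get(key)
                if client_port is not None:   # ACK completes the (MAC, IP, VLAN, port) binding
                    self.dynamic[key] = Binding(key[1], yiaddr, vlan, client_port)
            return "forward"
        if msg_type == "REQUEST":
            limit = self.max_clients_per_port
            if (limit is not None and key not in self.dynamic
                    and self._clients_on_port(in_port) >= limit):
                return "drop"          # port already holds its quota of DHCP clients
            self._request_port[key] = in_port
        elif msg_type == "RELEASE":
            self.dynamic.pop(key, None)
        return "forward"

    def link_down(self, port: str) -> int:
        """Port went down: with fast-remove, delete its dynamic entries immediately."""
        if not self.fast_remove:
            return 0                   # entries stay and age out with their lease
        gone = [k for k, b in self.dynamic.items() if b.port == port]
        for k in gone:
            del self.dynamic[k]
        return len(gone)

    def ip_source_guard_permit(self, in_port: str, vlan: int,
                               src_mac: str, src_ip: str) -> bool:
        """IP Source Guard: permit an IP frame only if it matches a binding on this port."""
        key = (vlan, src_mac.lower())
        b = self.static.get(key) or self.dynamic.get(key)
        return b is not None and b.port == in_port and b.ip == src_ip


def demo() -> Dict[str, object]:
    """Walk through the scenarios of this chapter with constructed traffic."""
    sw = DhcpSnoopingSwitch(max_clients_per_port=2)
    sw.trusted_ports.add("uplink1")            # port facing the real DHCP server
    sub = "epon0/1:1"                          # an untrusted subscriber port
    mac1, mac2, mac3 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    r: Dict[str, object] = {}
    # A rogue server behind the subscriber port: its OFFER is dropped.
    r["rogue_offer"] = sw.process_dhcp(sub, 10, "OFFER", mac1, "10.0.0.200")
    # Legitimate lease: REQUEST on the subscriber port, ACK from the trusted uplink.
    sw.process_dhcp(sub, 10, "REQUEST", mac1)
    r["real_ack"] = sw.process_dhcp("uplink1", 10, "ACK", mac1, "10.0.0.5")
    r["own_ip"] = sw.ip_source_guard_permit(sub, 10, mac1, "10.0.0.5")
    r["spoofed_ip"] = sw.ip_source_guard_permit(sub, 10, mac1, "10.0.0.9")
    r["wrong_port"] = sw.ip_source_guard_permit("epon0/1:2", 10, mac1, "10.0.0.5")
    # Starvation: a second client fills the port quota, the third REQUEST is dropped.
    sw.process_dhcp(sub, 10, "REQUEST", mac2)
    sw.process_dhcp("uplink1", 10, "ACK", mac2, "10.0.0.6")
    r["third_client"] = sw.process_dhcp(sub, 10, "REQUEST", mac3)
    # Link down with fast-remove clears both dynamic entries on that port.
    r["removed"] = sw.link_down(sub)
    r["after_down"] = sw.ip_source_guard_permit(sub, 10, mac1, "10.0.0.5")
    return r
```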
Chapter 24 DHCP-Server
In the following cases, the DHCP server is usually used to complete the IP address allocation:
Due to the large scale of the network, manual configuration requires a lot of work and it is
Since the number of hosts in the network is larger than the number of IP addresses supported
by the network, it is impossible to allocate a fixed IP address to each host. Moreover, there are
also restrictions on the number of users accessing the network (for example, Internet access
service providers). Therefore, a large number of users must obtain their own IP address
Only a few hosts on the network need fixed IP addresses. Most hosts do not have a fixed IP
address.
ip-address second-ip }
[ section-num ] ]
Some clients (FTP servers, Web servers, etc.) need fixed IP addresses, which can be
implemented by binding the MAC address of the client to the IP address. When a client with
this MAC address requests an IP address, the DHCP server searches for the corresponding IP
address based on the MAC address of the client and assigns that IP address to the client.
IGMP (Internet Group Management Protocol) is a part of the IP protocol suite used to support
and manage IP multicast between hosts and multicast routers. IP multicast allows IP data to be
delivered to a collection of hosts that form a multicast group. Multicast group membership is
dynamic: a host can join or leave the group at any time, which reduces network
IGMP Snooping monitors the IGMP packets exchanged between hosts and routers. It dynamically
creates, maintains, and deletes the multicast address table according to group members joining
and leaving. Multicast frames can then be forwarded according to their own
disabled by default.
max-response-time seconds
Under normal circumstances, IGMP Snooping does not remove a port from the multicast group as
soon as it receives an IGMP leave message, but waits some time before removing the port from
the multicast group.
With the quick delete function enabled, IGMP Snooping removes the port from the multicast
group directly when it receives an IGMP leave packet. When the port serves only one user, it
can be removed quickly to save bandwidth.
interface-num } | interface-name }
Use the igmp-snooping group-limit command to configure the number of multicast groups that
are allowed to be learned.
interface-num } | interface-name }
responsible for sending IGMP general queries, so that all Layer 3 multicast devices can
establish and maintain multicast forwarding entries and thus forward multicast traffic correctly at
the network layer. This router or Layer 3 switch is called the IGMP querier.
However, a Layer 2 multicast switch does not support IGMP and therefore cannot send
general queries by default. By enabling IGMP Snooping on a Layer 2 switch in a VLAN where
multicast traffic needs to be Layer-2 switched only and no multicast routers are present, the
Layer 2 switch will act as the IGMP Snooping querier and send IGMP queries, thus allowing
multicast forwarding entries to be established and maintained at the data link layer.
Operation Command Remarks
Operation: Configure the multicast group black and white list learning rules. Command: igmp-snooping { permit | deny } { group all | vlan vlan-id }. Remarks: By default, no black and white list is configured and the default rule is to learn all multicast groups.
Operation: Configure the port multicast MAC group black list. Command: igmp-snooping { permit | deny } group multicast-mac-address vlan vlan-id. Remarks: By default, any multicast group can be added.
With multicast learning strategies configured, the administrator can control the router to learn
only specific multicast groups. If a multicast group is added to the blacklist, the router will
not learn that multicast group; conversely, a multicast group in the whitelist can be learned by
the router.
Operation Command Remarks
message
You can configure the router port to be automatically added to the dynamically learned IGMP
Snooping multicast groups so that the router port also has multicast packet forwarding capability.
When the switch receives a host membership report packet, the packet is also forwarded to
the router port.
Operation Command Remarks
Multicast VLAN on the port function, regardless of the port receiving the IGMP messages
When this feature is enabled on the port, the switch will record the source MAC address of the
IGMP report packets.
Operation Command Remarks
When this feature is enabled on a port, the switch drops IGMP query messages. Default
When this feature is enabled on a port, the switch drops IGMP report messages. Default
IGMP Snooping provides a multicast preview feature. Users can configure the multicast channel
preview, including the preview length of a single multicast, the preview interval, the duration, and
interface-num
IGMP Snooping provides black and white list functionality through profiles. First create a number
of profiles in global configuration mode, then in port configuration mode configure the port to
reference the profile list. Users can configure the type and scope of an IGMP Snooping profile:
the type is permit or deny, and the scope can be configured as a range of multicast IP addresses
or MAC addresses. An IGMP Snooping profile takes effect only when it is referenced by a port.
When a port references several profiles, they must all be of the same type, that is, a port can
only reference profiles of the same type (permit or deny). When a port references a permit
profile, the port can only learn the multicast groups defined in the profile; when a port
references a deny profile, the port can learn all multicast groups except those defined in the
profile; when a port does not reference any profile, in accordance with
Operation: Configure the MAC address range of a profile. Command: mac range start-mac end-mac [ vlan vlan-id ]
After completing the above configuration, you can use the following commands to view the
configuration.
Operation Command Remarks
MLD (Multicast Listener Discovery) is part of the IPv6 protocol suite and is used to support and
manage IP multicast between hosts and multicast routers. IP multicast allows IP packets to be
transmitted to the set of hosts that constitute a multicast group. Multicast group membership is
dynamic: a host can join or leave the group at any time, so to
MLD Snooping monitors the MLD messages exchanged between hosts and routers. According to
group members joining and leaving, it dynamically creates, maintains and deletes the multicast
address table, and multicast frames are then forwarded based on their respective multicast
address table entries.
Under normal circumstances, MLD Snooping does not remove a port from the multicast group as
soon as it receives an MLD leave message, but waits some time before removing the port from
the multicast group.
With the quick delete function enabled, MLD Snooping removes the port from the multicast
group directly when it receives an MLD leave message. When the port serves only one user, it
can be removed quickly to save bandwidth.
Operation Command Remarks
You can use the following command to set the number of multicast groups each port can learn.
Operation Command Remarks
By default, the maximum number is NUM_MULTICAST_GROUPS
Caution:
other ports can learn the number of multicast will be occupied. In other words, all the ports will
With multicast learning strategies configured, the administrator can control the router to learn
only specific multicast groups. If a multicast group is added to the blacklist, the router will
not learn that multicast group; conversely, a multicast group in the whitelist can be learned by
the router.
Operation Command Remarks
vlan-id
After running the MLD protocol in a multicast network, there will be a full-time querier in the multicast
However, a Layer 2 switch does not support MLD, so it has no querier capability and cannot
send general query messages. Users can configure the MLD Snooping querier so that the
Layer 2 switch takes the initiative at the data link layer to send general
Users can also configure the MLD Snooping querier to send general query messages with the
message
You can configure the router port to be automatically added to the dynamically learned MLD
Snooping multicast groups so that the router port also has multicast packet forwarding capability.
When the switch receives a host membership report packet, the packet is also forwarded to
the router port.
Operation Command Remarks
Multicast VLAN on the port function, regardless of the port received MLD messages belong to
After completing the above configuration, you can use the following commands to view the
configuration.
Operation Command Remarks
A manually configured multicast table is a static multicast table. The static multicast MAC table
At present, only the corresponding multicast entries of IPv4 can be statically configured, and IPv6
vlan-id
vlan vlan-id ]
The parameter mac refers to the MAC address of the multicast group. It must use the multicast
address format, for example 01:00:5e:**:**:**; ip refers to the multicast IP address, for example
224.0.1.1; vlan-id refers to the VLAN ID, in the range 1 to 4094, and it must be an existing VLAN.
If the added static multicast group belongs to a VLAN that does not exist, the multicast group
fails to be added.
interface-list }
Delete a port from a static multicast group: undo multicast ip-address ip-address vlan
MAC mac-address
Chapter 28 IGMP
IGMP (Internet Group Management Protocol) is used to manage IP multicast group members
as well as to establish and maintain the relationship between IP hosts and multicast routers.
Currently, there are three versions of IGMP: IGMPv1 (RFC 1112), IGMPv2 (RFC 2236) and
IGMPv1 defines two types of message: General Query and Group Membership Report. It
manages the multicast group members based on a query mechanism and a response mechanism.
IGMPv2 defines three types of message: Membership Query (including General Query and
with IGMPv1, IGMPv2 adds a querier election mechanism and a leave group mechanism.
IGMPv3 adds a source filter mechanism on the basis of v2, enhancing the query and report
functions. Moreover, it allows a host to state clearly whether to accept or reject multicast
traffic from certain multicast sources when it joins a multicast group.
All versions support the ASM model. Only IGMPv3 supports the SSM model; IGMPv1 and
IGMPv2 can be applied to the SSM model with the help of IGMP SSM Mapping technology.
You should enable multicast routing before configuring the IGMP protocol. Only if you enable the
Enable the IGMP protocol on an interface to make the switch forward multicast messages. Please
perform the configurations under interface configuration mode (including VLAN interface and
SuperVlan interface).
supervlan-interface } vlan-id
Because different versions of the IGMP protocol have different message structures and message
types, you need to configure the same IGMP version on all routers in the same network
segment. Otherwise, IGMP cannot run normally. Please perform the configurations
under interface configuration mode (including VLAN interface and SuperVlan interface).
supervlan-interface } vlan-id
version default
The Ethernet switch periodically sends Membership Query messages to discover which
multicast groups exist on the network connected to it. This time interval is set by the Query
Interval timer. You can configure the Query Interval timer to modify the interval at
supervlan-interface } vlan-id
interval default.
query interval
After receiving a leave message, the switch forwards a group-specific query message to find out
whether there are other group members in the multicast group. Users can modify the
supervlan-interface } vlan-id
last-member-query-interval
The robustness variable is a very important parameter that reflects the performance of the
IGMP protocol running on the switch. It is mainly used to control message forwarding
The robustness variable coefficient is also an important parameter for calculating other variables,
such as the existence time of other queriers, the group membership time, etc.
Operation Command Remarks
supervlan-interface } vlan-id
IGMP querier
Through this function, users can easily control the number of multicast groups that an interface
can join. If the maximum number is exceeded, the switch will not process the newly added
IGMP messages.
Operation Command Remarks
supervlan-interface } vlan-id
groups added to an interface is the maximum number of multicast groups
When the host receives the query from the switch, it starts a Delay Timer for each multicast
group it has joined, using a random number between 0 and the Max Response Time as the
initial value. The Max Response Time is the maximum response time specified by the query
message (the maximum query response time for IGMP Version 1 is 10 seconds). The host
should report its membership of the multicast group to the switch before the timer expires. If the
switch does not receive any group member report after the maximum query response time has
expired, it considers that there is no local group member and will not send the multicast
supervlan-interface } vlan-id
The switch determines which multicast groups include local group members directly connected
to it by sending IGMP query messages. If you do not want certain multicast groups to be added
to hosts on the network segment where the interface is located, you can configure an ACL rule
on the interface. The interface filters the received IGMP reports according to the rule, and the
multicast group maintains the group membership.
Operation Command Remarks
supervlan-interface } vlan-id
Operation: Configure the filter function of the multicast group. Command: ip igmp access-group acl-number [ all | group | ethernet interface-list ]. Remarks: By default, hosts
multicast group.
Create a static IP multicast entry to realize the forwarding of multicast messages. You can
create (S, G) and (*, G) entries. If a static multicast member exists (created through
the command ip igmp static-group), it will automatically add the static member's port to the
supervlan-interface } vlan-id
by default.
groups-address-list source { * | source-address }
Configure the switch port to become a static multicast group member so that the switch can
forward multicast packets to this port, and specify the source address list at the same time.
Please perform the configurations under interface configuration mode (including VLAN interface
and SuperVlan interface). When configuring this function under SuperVlan interface mode, you
supervlan-interface } vlan-id
sourcelist }
sourcelist { * | sourcelist } }
After enabling IGMP proxy, the switch acts as a host and forwards the multicast group
information via report messages. When the multicast router receives the message, it transmits
the multicast traffic to the switch, and the switch then transmits the multicast traffic to the
downlink users. If a multicast group has no host, the switch forwards a leave message to the
multicast router, which then stops forwarding multicast data to the switch. This function is mainly
applied to switches at the network edge, which effectively saves switch resources since the
switches can complete multicast forwarding without enabling multicast routing protocols.
Operation Command Remarks
supervlan-interface } vlan-id
In the SSM network, some recipient hosts only run IGMPv1 or IGMPv2 due to the variety of
possible restrictions. You can configure the IGMP SSM Mapping function in router so as to
supervlan-interface } vlan-id
mode
address
mapping rule is configured
[ multicast-ip ]
Chapter 29 PIM
The operation of PIM-DM can be understood as neighbor discovery, flooding-prune, and graft.
1) Neighbor discovery
Upon startup, a PIM-DM router needs to discover neighbors by sending Hello packets.
The relationships between PIM-DM capable network nodes are maintained through
2) Flooding&Prune
PIM-DM assumes that all the hosts on a network are ready to receive multicast data. A
packet is transmitted from multicast source S to multicast group G. After receiving this
multicast packet, the router performs an RPF check based on the unicast routing table
and creates an (S,G) entry if the RPF check is successful. Then the router floods the
packet to all the downstream PIM-DM nodes in the network. The router discards the
packet if the RPF check fails (the multicast packet is from an incorrect interface). In the
flooding process, an (S,G) entry will be created in the PIM-DM multicast domain.
If no downstream node is a multicast group member, the router sends a Prune message to
notify the upstream node that data should not be sent to downstream nodes any more.
After receiving the Prune message, the upstream node removes the interface that sends
the multicast packet from the outbound interface list matching the (S,G) entry. Eventually,
a Shortest Path Tree (SPT) with S as the root is created. The prune process is initiated by
a leaf router.
The whole process is called the flooding&prune process. A timeout mechanism is made
available on a pruned router so that the router may initiate a flooding&prune process
again if the prune process times out. The flooding&prune mechanism of PIM-DM operates
In the flooding&prune process, PIM-DM performs RPF check and builds a multicast
forwarding tree with the data source as the root based on the current unicast routing
tables. When a multicast packet arrives, the router first judges whether the path of the
multicast packet is correct. If the interface where the packet arrives is what specified in the
unicast route, the path is considered correct. Otherwise, the multicast packet is discarded
as a redundant packet and will not be forwarded in multicast mode. The unicast route may
be discovered by any unicast routing protocol such as RIP and OSPF instead of a specific
routing protocol.
3) Assert
As shown in the following figure, multicast routers A and B are on the same LAN segment
and they have their respective paths to multicast source S. After receiving a multicast
packet from S, both of them will forward the packet on the LAN. As a result, the
An upstream router uses the Assert mechanism to select the only forwarder. The
upstream router sends Assert messages to select the best route. If two or more paths
have the same priority and metric value, the router with the largest IP address is selected
as the upstream neighbor of the (S,G) entry and is responsible for forwarding the (S,G)
multicast packet.
Assert mechanism
4) Graft
When the pruned downstream node needs to enter the forwarding state again, it sends a
Graft message to the upstream node. Before configuring the features of IGMP, you must
5) SRM
To avoid repeated flooding&prune actions, the SRM is added to new protocol standards. The
router in direct connection with the multicast source sends state update packets periodically.
After receiving a state update packet, the PIM-capable router refreshes the prune state.
neighbor discovery, rendezvous point tree (RPT) generation, multicast source registration, and
SPT switch. The neighbor discovery of PIM-SM is the same as that of PIM-DM.
1) RPT generation
When a host joins a multicast group (G), the leaf router directly connected with the host, on
detecting receivers of G through IGMP packets, calculates an RP for G and sends a Join
message toward an upper-level node of the RP to participate in the multicast group. Every
router between the leaf router and the RP generates a (*,G) entry in its forwarding table and
therefore forwards any packets destined for G regardless of where the packets come from.
When the RP receives a packet bound for G, the packet is sent to the leaf router along the
established path and then reaches the host.
When multicast source S is sending a multicast packet to multicast group G, the PIM-SM router
which is directly connected with S encapsulates the multicast packet into a registration packet
and then sends it to an RP in unicast mode. If multiple PIM-SM routers exist on a network
PIM-Source Specific Multicast (PIM-SSM) depends on PIM-SM and the two may coexist on a
router. Whether PIM-SSM or PIM-SM is used depends on the multicast address in a data or
protocol packet. IANA assigns SSM an address segment (232.0.0.0 to 232.255.255.255). The
multicast groups in this address segment do not join an RPT but are processed by SSM. In
PIM-SSM, Hello packets are also transmitted periodically between routers for neighbor
Usually IGMPv3 is deployed on the host to establish and maintain multicast group
memberships. Compared with IGMPv2, IGMPv3 is designed with the source-based filtering
function. This function allows a host to receive only the data from a specific group and even
from a specific source in this group. Based on a received IS_IN packet of IGMPv3, the
SSM-enabled router learns that a host on the network connected with the interface receiving
the IS_IN packet wants to receive (S,G) packets. This router unicasts a PIM (S,G) Join
message to the next-hop router of the multicast source hop by hop and thereby an SPT can be
established between the multicast source and the last-hop router. When the multicast source is
sending multicast data, the data reaches the receiver along the SPT.
If a host supports only IGMPv1/IGMPv2, you can configure SSM mapping on the router
connected with the host to convert the (*,G) Join messages of IGMPv1/IGMPv2 into (S,G) Join
messages.
The operations listed in the table must be performed sequentially during PIM configuration. It is
recommended that PIM-DM be enabled on all the interfaces of a non-border router running in
PIM-DM domains. In contrast, PIM-SM does not need to be enabled on every interface.
Note:
rp-candidate interface-type
priority
rp-candidate interface-type
Deletes a C-RP.
interface-number group-list acl-number
interfaces. vid ]
C-BSRs.
Note: Be sure to enable PIM on an interface before configuring the PIM attributes of the interface.
This point must be noted when you use the commands for configuring interface attributes and will
Ensure that all the devices in the domain are configured with the same range of SSM multicast
group addresses. Otherwise, multicast information cannot be transmitted using the SSM model.
If members of an SSM multicast group send Join messages over IGMPv1 or IGMPv2, (*,G) Join
Chapter 30 SNTP
The Simple Network Time Protocol Version 4 (SNTPv4) is a subset of the Network Time
Protocol (NTP) used to synchronize computer clocks in the Internet. Commonly, there is at
least one server in the network, which provides reference time for clients; finally,
SNTPv4 can work in four modes: unicast, multicast, broadcast and anycast. In unicast mode,
the client actively sends a request to the server, and the server sends a reply packet to the client according
In broadcast and multicast modes, the server sends broadcast and multicast packets to clients
In anycast mode, the client actively sends a request to the local broadcast or multicast address,
and all servers in the network reply to the client. The client chooses the server whose reply
packet is received first as its server and drops the packets from the others. After choosing the server, working
In all modes, after receiving the reply packet, the client parses the packet to obtain the current
standard time, calculates the network transmission delay and the local time offset, and then
Administrators can modify the SNTP operating mode according to the network: unicast,
Operation: Modify the SNTP client operating mode. Command: sntp client mode { broadcast | unicast | Remarks: Broadcast
The SNTP client must be configured with a specified SNTP server in unicast mode. You can also use the commands below
When the SNTP client works in broadcast or multicast mode, it needs to use the broadcast transfer
delay. In broadcast mode, the local time of the SNTP client equals the time received from the server
plus the transfer time. Administrators modify the transfer time according to the actual
Operation: Configure the broadcast transfer delay. Command: sntp client broadcastdelay time. Remarks: 3ms by default
To restrict the propagation range of multicast messages, the SNTP client needs to configure the
TTL of the multicast packets it sends when working in anycast mode and when sending requests
to the multicast address.
Operation: Configure the multicast TTL. Command: sntp client multicast ttl ttl. Remarks: 255 by default
Configuring the polling interval is necessary when the SNTP client works in unicast or anycast
mode. The SNTP client adjusts the local system time by sending a request to the server at each polling interval.
This command is effective in unicast and anycast operating modes. SNTP request packets are
UDP packets; a timeout retransmission mechanism is adopted because delivery of the request packet
to the destination cannot be guaranteed. Use the commands above to configure the retransmit times
Operation: Configure the overtime retransmit times. Command: sntp client retransmit times. Remarks: By default 0, which means do not retransmit
In broadcast and multicast modes, the SNTP client receives protocol packets from all servers
without distinction. When a malicious server exists (one that does not provide the correct time),
the local time cannot become the standard time. To solve this problem, a list of valid servers can be configured to
To enhance security, MD5 authentication can be set up between the SNTP server and the SNTP
client, so that the client only accepts authenticated messages. MD5 authentication is configured as below:
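As an added example that is not part of this manual, the following Python shows what the MD5 authentication described above protects: the server appends a key identifier and an MD5 digest to the 48-byte SNTP header, and the client recomputes the digest with its configured key and discards replies whose digest does not match, whose key identifier is unknown, or which carry no authenticator. The manual does not state the wire format used by the OLT; the example assumes the standard NTP symmetric-key authenticator (key id followed by MD5 over key || header, as in RFC 5905), and the key id, key and timestamps are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48            # SNTPv4 header without the optional authenticator
MAC_LEN = 4 + 16               # key identifier + MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def build_sntp_reply(unix_seconds: float, stratum: int = 2) -> bytes:
    """Build a minimal SNTPv4 server reply: LI=0, VN=4, Mode=4 (server)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32)) & 0xFFFFFFFF
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)   # flags, stratum, poll, precision
    header += struct.pack("!II4s", 0, 0, b"GPS\x00")               # root delay, root dispersion, ref id
    header += struct.pack("!II", secs, frac) * 4                   # reference/originate/receive/transmit
    assert len(header) == NTP_HEADER_LEN
    return header


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Server side: append the symmetric-key authenticator, key id + MD5(key || header)."""
    header = packet[:NTP_HEADER_LEN]
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet: bytes, keys: dict) -> bool:
    """Client side: accept a reply only if it carries a valid authenticator for a known key."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False                          # unauthenticated or malformed: reject
    header, key_id_raw, digest = packet[:48], packet[48:52], packet[52:68]
    key = keys.get(struct.unpack("!I", key_id_raw)[0])
    if key is None:
        return False                          # unknown key id: reject
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, digest)   # constant-time comparison


def transmit_time(packet: bytes) -> float:
    """Decode the transmit timestamp (bytes 40..47) into Unix seconds."""
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def demo() -> dict:
    """Constructed exchange: a genuine reply, a tampered reply, a reply under a foreign key."""
    keys = {1: b"olt-sntp-key-example"}       # key id 1 configured on both sides (constructed)
    genuine = authenticate(build_sntp_reply(1_700_000_000.0), 1, keys[1])
    # An on-path party rewrites the transmit timestamp; the digest no longer matches.
    tampered = genuine[:40] + struct.pack("!II", 1_800_000_000 + NTP_EPOCH_OFFSET, 0) + genuine[48:]
    # A server that does not hold the shared key signs with some other key id and key.
    foreign = authenticate(build_sntp_reply(1_700_000_000.0), 7, b"not-our-key")
    plain = build_sntp_reply(1_700_000_000.0)  # no authenticator at all
    return {
        "genuine": verify(genuine, keys),
        "tampered": verify(tampered, keys),
        "foreign": verify(foreign, keys),
        "plain": verify(plain, keys),
        "genuine_time": transmit_time(genuine),
    }
```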
After finishing the above configuration, you can use the commands below to display the SNTP
client configuration.
Chapter 31 802.1X
IEEE 802.1X is the port-based network access control standard passed in June 2001. Traditional
LANs do not provide access authentication: users can access the devices and resources in the
LAN as soon as they connect to it, which is a hidden security risk. For mobile office and CPN
applications, device providers hope to control and
IEEE 802.1X is a port-based network access control technology which authenticates and controls
accessing devices at the physical access level of LAN devices. The physical access level here
means the ports of LAN switch devices. During authentication, the switch is the intermediary
(proxy) between the client and the authentication server. It obtains the user's identity from the
client connected to the switch and verifies the information through the authentication server. If
the authentication passes, the user is allowed to access LAN resources; otherwise access is
refused.
802.1X operates in the typical client/server model and defines three entities: supplicant system,
Supplicant system: A system at one end of the LAN segment, which is authenticated by the
authenticator system at the other end. A supplicant system is usually a user-end device and
initiates 802.1x authentication through 802.1x client software supporting the EAP over LANs
(EAPOL) protocol.
Authenticator system: A system at the other end of the LAN segment, which authenticates
network device and provides ports (physical or logical) for supplicants to access the LAN.
accounting services for the authenticator system. The authentication server, usually a Remote
Authentication Dial-in User Service (RADIUS) server, maintains user information like
username, password, VLAN that the user belongs to, committed access rate (CAR)
The above systems involve three basic concepts: PAE, controlled port, control direction.
1) PAE
Port access entity (PAE) refers to the entity that performs the 802.1x algorithm and protocol
operations.
The authenticator PAE uses the authentication server to authenticate a supplicant trying to
access the LAN and controls the status of the controlled port according to the authentication
result, putting the controlled port in the authorized or unauthorized state. In authorized state,
the port allows user data to pass, enabling the supplicant(s) to access the network resources;
while in unauthorized state, the port denies all data of the supplicant(s).
The supplicant PAE responds to the authentication request of the authenticator PAE and
provides authentication information. The supplicant PAE can also send authentication
An authenticator provides ports for supplicants to access the LAN. Each of the ports can be
The uncontrolled port is always open in both the inbound and outbound directions to allow
EAPOL protocol frames to pass, guaranteeing that the supplicant can always send and receive
authentication frames.
The controlled port is open to allow normal traffic to pass only when it is in the authorized state.
The controlled port and uncontrolled port are two parts of the same port. Any frames arriving
3) Control direction
In the unauthorized state, the controlled port can be set to deny traffic to and from the
The 802.1x authentication system employs the Extensible Authentication Protocol (EAP) to
exchange authentication information between the supplicant PAE, authenticator PAE, and
authentication server.
At present, the EAP relay mode supports four authentication methods: EAP-MD5, EAP-TLS
(Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security), and PEAP
1) When a user launches the 802.1x client software and enters the registered username and
password, the 802.1x client software generates an EAPOL-Start frame and sends it to the
4) Upon receiving the EAP-Response/Identity packet, the authenticator relays the packet in a
5) When receiving the RADIUS Access-Request packet, the RADIUS server compares the identity information against its user information table to obtain the corresponding password. It then hashes the password together with a randomly generated challenge (MD5; this is not reversible) and sends the challenge to the authenticator through a RADIUS Access-Challenge packet.
6) After receiving the RADIUS Access-Challenge packet, the authenticator relays the
7) When receiving the EAP-Request/MD5 Challenge packet, the supplicant hashes its password together with the offered challenge (MD5; this process is not reversible), creates an EAP-Response/MD5 Challenge packet carrying the result, and sends the packet to the authenticator.
8) After receiving the EAP-Response/MD5 Challenge packet, the authenticator relays the
9) When receiving the RADIUS Access-Request packet, the RADIUS server compares the MD5 value carried in the packet with the value it computed itself. If the two are identical, the authentication server considers the user valid and sends to the authenticator a
10) Upon receiving the RADIUS Access-Accept packet, the authenticator opens the port to
grant the access request of the supplicant. After the supplicant gets online, the authenticator
periodically sends handshake requests to the supplicant to check whether the supplicant is still
online. By default, if two consecutive handshake attempts end up with failure, the authenticator
concludes that the supplicant has gone offline and performs the necessary operations,
guaranteeing that the authenticator always knows when a supplicant goes offline.
11) The supplicant can also send an EAPOL-Logoff frame to the authenticator to go offline
unsolicitedly. In this case, the authenticator changes the status of the port from authorized to
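The EAP-MD5 branch of the exchange above (steps 5, 7 and 9), as an added example that is not part of this manual or of the OLT's software. It models the supplicant's hash computation and the RADIUS server's challenge generation and comparison in Python; the user store, the credentials and the wordlist are constructed, and the class and function names are illustrative. The last function is the check a practitioner should make before relying on EAP-MD5 on a segment that can be sniffed: both the challenge and the response cross the LAN in the clear, so a captured pair can be tested offline against candidate passwords.

```python
import hashlib
import hmac
import os

# Constructed credential store standing in for the RADIUS user table (not from the manual).
USER_DB = {"alice": b"correct-horse"}


def md5_challenge_response(identifier, password, challenge):
    """EAP-MD5 response value (RFC 3748 section 5.4, the CHAP construction of RFC 1994):
    MD5(Identifier || password || challenge). One-way, so the password itself never crosses the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class RadiusServer:
    """Toy authentication server covering steps 5 and 9 of the exchange (illustrative name)."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}  # EAP identifier -> (username, challenge) awaiting a response

    def on_identity(self, identifier, username):
        """Step 5: look the user up, generate a random challenge, return it (Access-Challenge)."""
        if username not in self.user_db:
            return None  # unknown user: caller sends Access-Reject
        challenge = os.urandom(16)
        self.pending[identifier] = (username, challenge)
        return challenge

    def on_md5_response(self, identifier, response):
        """Step 9: recompute the expected value from the stored password and compare."""
        entry = self.pending.pop(identifier, None)
        if entry is None:
            return "Access-Reject"
        username, challenge = entry
        expected = md5_challenge_response(identifier, self.user_db[username], challenge)
        return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


def run_exchange(server, username, password, identifier=1):
    """Steps 1-10 as seen by the authenticator relaying between supplicant and server.
    Returns the on-the-wire values as well, so the weakness below can be demonstrated."""
    challenge = server.on_identity(identifier, username)   # EAP-Response/Identity -> Access-Challenge
    if challenge is None:
        return {"result": "Access-Reject", "challenge": None, "response": None}
    response = md5_challenge_response(identifier, password, challenge)  # step 7, on the supplicant
    result = server.on_md5_response(identifier, response)   # steps 8-9, relayed in an Access-Request
    return {"result": result, "challenge": challenge, "response": response}


def offline_dictionary_attack(identifier, challenge, response, wordlist):
    """Both the EAP-Request/MD5-Challenge and the EAP-Response cross the LAN segment in the
    clear, so anyone who captured them can test candidate passwords offline, without
    ever talking to the RADIUS server or tripping its lockout logic."""
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    srv = RadiusServer(USER_DB)
    captured = run_exchange(srv, "alice", b"correct-horse")
    print(captured["result"])                                 # Access-Accept
    print(run_exchange(srv, "alice", b"wrong")["result"])    # Access-Reject
    # Constructed wordlist: recovers the password from the captured pair alone.
    print(offline_dictionary_attack(1, captured["challenge"], captured["response"],
                                    [b"password", b"correct-horse"]))
```

The weakness is structural rather than an implementation detail: the supplicant never authenticates the server, and the only "salt" is a challenge the attacker also sees. EAP-MD5 is therefore acceptable only where the path between supplicant and authenticator cannot be observed; of the four methods listed above, EAP-TLS, EAP-TTLS or PEAP should be preferred wherever the client software supports them.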
The RADIUS server stores the identities of valid users. During authentication, the system forwards the user's identity to the RADIUS server and relays the result of the validation back to the user. A user accessing the system can
Set up the username format: username-format { with-domain | without-domain }
The client must provide a username and password during authentication. The username carries the user's ISP information; each domain corresponds to an ISP. The main information of a domain is the
it executives disable }
passes, it will be modified by the user where the port PVID is
Enable the limit on the number of MAC addresses learned on a port: radius mac-address-number enable. When this feature is turned on and the user's authentication passes, the limit on the number of MAC addresses the port may learn is modified according to the authenticated user.
The 802.1X authentication can be initiated by either a supplicant or the authenticator system.
A supplicant can initiate authentication by launching the 802.1x client software to send an
EAPOL-Start frame to the authenticator system, while an authenticator system can initiate
supplicant.
Operation Command Remarks
802.1x provides a user identity authentication scheme. However, 802.1x cannot implement the
After 802.1x authentication is enabled, users connected to the system can access the LAN per
The 802.1x proxy detection function depends on the online user handshake function. Be sure
to enable handshake before enabling proxy detection and to disable proxy detection before
disabling handshake.
Operation Command Remarks
interface-list ]
In EAP-FINISH mode, the port supports re-authentication. After the user is authenticated, the
on a port interface-list ]
When this function is enabled, a port with no authenticated user periodically sends a 1x
The operations mainly consist of configuring the number of users on a port, and user and delete
Chapter 32 LLDP
standard is vendor-independent. A device announces its own information to neighboring devices in the network, receives the neighbors' information and stores it in the standard LLDP MIB, so that users can find out which downlink devices are connected and on which ports by accessing the MIB.
01-80-c2-00-00-0e. LLDP devices send 2 LLDP advertisements, at a sending interval set by hello-time. After receiving a neighbor's advertisement, the LLDP device reads its content and saves it in the LLDP neighbor table. Entries in the LLDP neighbor table are aged out, the TTL value being the aging time. If a neighbor's LLDP advertisement cannot be
TTL: TTL equals hello-time times hold-time; this is the aging time of the neighbor entry.
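An added example, not from the manual or the OLT firmware, of the LLDPDU handling this section describes: building the mandatory Chassis ID, Port ID and TTL TLVs with TTL = hello-time x hold-time, parsing them back with the checks a receiver should make, and an LLDP neighbor table aged by that TTL. The MAC address, port name and system name are constructed values; the TLV layout, type numbers and subtypes follow IEEE 802.1AB, and the class and function names are assumptions of the example.

```python
import struct

LLDP_MULTICAST = "01-80-c2-00-00-0e"   # destination MAC named in the text above
ETHERTYPE_LLDP = 0x88CC

# TLV type numbers and subtypes from IEEE 802.1AB.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5


def tlv(tlv_type, value):
    """16-bit TLV header: 7-bit type, 9-bit length, followed by the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def neighbor_ttl(hello_time, hold_time):
    """TTL = hello-time x hold-time, capped at the 16-bit field maximum."""
    return min(hello_time * hold_time, 0xFFFF)


def build_lldpdu(chassis_mac, port_name, hello_time, hold_time, sysname):
    return (tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
            + tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
            + tlv(TLV_TTL, struct.pack("!H", neighbor_ttl(hello_time, hold_time)))
            + tlv(TLV_SYSTEM_NAME, sysname.encode())
            + tlv(TLV_END, b""))


def parse_lldpdu(data):
    """Decode an LLDPDU; raise ValueError on truncation or a violated mandatory-TLV order."""
    tlvs, off = [], 0
    while off + 2 <= len(data):
        hdr, = struct.unpack_from("!H", data, off)
        t, ln = hdr >> 9, hdr & 0x1FF
        if off + 2 + ln > len(data):
            raise ValueError("truncated TLV")       # length field points past the frame
        tlvs.append((t, data[off + 2:off + 2 + ln]))
        off += 2 + ln
        if t == TLV_END:
            break
    types = [t for t, _ in tlv_list] if False else [t for t, _ in tlvs]
    if len(tlvs) < 4 or types[:3] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL] or types[-1] != TLV_END:
        raise ValueError("mandatory TLVs missing or out of order")
    info = {"chassis_id": tlvs[0][1][1:],
            "port_id": tlvs[1][1][1:].decode(),
            "ttl": struct.unpack("!H", tlvs[2][1])[0]}
    for t, v in tlvs[3:-1]:
        if t == TLV_SYSTEM_NAME:
            info["sysname"] = v.decode()
    return info


class NeighborTable:
    """LLDP neighbor table keyed by (local port, chassis, remote port), aged by the received TTL."""

    def __init__(self):
        self.entries = {}  # key -> (info, expiry time)

    def receive(self, local_port, pdu, now):
        info = parse_lldpdu(pdu)
        key = (local_port, info["chassis_id"], info["port_id"])
        if info["ttl"] == 0:                 # shutdown LLDPDU: neighbor asks to be removed at once
            self.entries.pop(key, None)
        else:
            self.entries[key] = (info, now + info["ttl"])   # each advertisement refreshes the entry

    def age(self, now):
        """Drop entries whose TTL elapsed without a refresh; return the dropped keys."""
        expired = [k for k, (_, exp) in self.entries.items() if exp <= now]
        for k in expired:
            del self.entries[k]
        return expired
```

With the manual's defaults of hello-time 30 s and hold-time 4 the TTL is 120 s, so a neighbor that falls silent stays in the table for up to four missed advertisements before it ages out; a TTL of 0 removes it immediately.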
Related configuration takes effect only after global LLDP is enabled. Global and port LLDP settings can be configured and saved whether or not LLDP is enabled. When global LLDP is
By default, the mode for all ports is rxtx, that is, transmitting and receiving all LLDP packets.
Operation Command Remarks
The management address is the IP address of the device. LLDP devices carry the vlan-interface IP address as the management address in the LLDP packet sent to the neighbor.
Operation Command Remarks
After the above configurations, you can execute the display commands in any configuration
The Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating
Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with DSL
services where individual users connect to the DSL modem over Ethernet and in plain Metro
Ethernet networks. It was developed by UUNET, Redback Networks and RouterWare and is
PPPoE packets are forwarded to the trust port. The trust port should be configured after this function is enabled. Generally, PPPoE Plus adds option content to the PPPoE packet. If a received PPPoE packet already contains option content, the configured handling strategy determines how it is treated.
The option content must be added before the PPPoE packet is forwarded out; the contents of this option can be determined in a variety of ways. Option content can be specified by rules configured on the interface. If the PPPoE Plus type is self-defined, the format must also be specified.
Operation Command Remarks
Enter global configuration mode: system-view
client-mac } * }
Restore the default PPPoE Plus type: undo pppoeplus type (by default, the type is standard)
Restore the default format: undo pppoeplus format (by default, the format is binary)
After finishing the above configuration, the user can check the configuration with the command below.
Operation Command Remarks
Display PPPoE Plus configuration: display pppoeplus interface [ ethernet interface-list ]
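An added example, not the OLT's own code, of the option handling described in this chapter. It assumes the option content is the PPPoE Vendor-Specific tag (type 0x0105) carrying a Broadband Forum TR-101 circuit id and remote id, which is how PPPoE intermediate agents commonly mark upstream PADI/PADR packets; the tag and sub-option numbers are standard, while the function names, the strategy keywords (replace, keep, drop) for a packet that already carries the tag, and the sample packets are constructed for the example.

```python
import struct

PPPOE_DISCOVERY_ETHERTYPE = 0x8863
TAG_SERVICE_NAME, TAG_VENDOR_SPECIFIC, TAG_END_OF_LIST = 0x0101, 0x0105, 0x0000
VENDOR_ID_BBF = 0x00000DE9   # Broadband Forum (formerly ADSL Forum) enterprise number 3561, TR-101
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 0x01, 0x02
PADI, PADR = 0x09, 0x19      # upstream discovery codes that an intermediate agent marks


def parse_discovery(payload):
    """Split a PPPoE discovery payload into (code, session id, [(tag type, value), ...])."""
    ver_type, code, session, length = struct.unpack_from("!BBHH", payload, 0)
    if ver_type != 0x11:
        raise ValueError("not PPPoE version 1 / type 1")
    if 6 + length > len(payload):
        raise ValueError("truncated PPPoE payload")
    tags, off, end = [], 6, 6 + length
    while off + 4 <= end:
        t, ln = struct.unpack_from("!HH", payload, off)
        if off + 4 + ln > end:
            raise ValueError("truncated tag")
        tags.append((t, payload[off + 4:off + 4 + ln]))
        off += 4 + ln
        if t == TAG_END_OF_LIST:
            break
    return code, session, tags


def build_discovery(code, session, tags):
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body


def vendor_tag(circuit_id, remote_id):
    """TR-101 vendor-specific tag value: vendor id, then (sub-option, length, data) items."""
    value = struct.pack("!I", VENDOR_ID_BBF)
    value += bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    value += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return value


def pppoe_plus(payload, circuit_id, remote_id, from_trust_port=False, existing="replace"):
    """Insert the line identification into an upstream PADI/PADR before forwarding it.
    existing: what to do with a packet that already carries a vendor tag (a client can forge one):
    'replace' trusts the OLT's own view of the line, 'keep' trusts the client, 'drop' returns None."""
    code, session, tags = parse_discovery(payload)
    if from_trust_port or code not in (PADI, PADR):
        return payload                       # downstream or trusted side: forward untouched
    if any(t == TAG_VENDOR_SPECIFIC for t, _ in tags):
        if existing == "drop":
            return None
        if existing == "keep":
            return payload
        tags = [(t, v) for t, v in tags if t != TAG_VENDOR_SPECIFIC]
    # Keep End-Of-List last so the tag list stays well-formed.
    eol = [(t, v) for t, v in tags if t == TAG_END_OF_LIST]
    tags = ([(t, v) for t, v in tags if t != TAG_END_OF_LIST]
            + [(TAG_VENDOR_SPECIFIC, vendor_tag(circuit_id, remote_id))] + eol)
    out = build_discovery(code, session, tags)
    if len(out) > 1500:                      # added tag must not push the frame past the Ethernet MTU
        raise ValueError("PPPoE payload would exceed the Ethernet MTU")
    return out


def get_circuit_id(payload):
    """What the BRAS sees: the circuit id from the vendor tag, or None if absent."""
    _, _, tags = parse_discovery(payload)
    for t, v in tags:
        if t == TAG_VENDOR_SPECIFIC and v[:4] == struct.pack("!I", VENDOR_ID_BBF):
            off = 4
            while off + 2 <= len(v):
                subopt, ln = v[off], v[off + 1]
                if subopt == SUBOPT_CIRCUIT_ID:
                    return v[off + 2:off + 2 + ln]
                off += 2 + ln
    return None
```

The choice of strategy is the security decision: with 'keep', a subscriber can present any circuit id to the BRAS, so 'replace' (or 'drop') on ONU-facing ports and untouched forwarding only on the trust port is the configuration that makes the circuit id trustworthy for accounting and policy.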
Chapter 34 CFM
CFM (Connectivity Fault Management), defined by the IEEE 802.1ag standard, is a VLAN-based end-to-end Layer 2 link OAM
Concept Remark
A maintenance domain is identified by its maintenance domain name. According to network planning, maintenance domains may be nested but must not cross each other; a nested domain can only be maintained by the higher-level domain to the
message.
Maintenance end points (MEPs) are of two kinds, UP MEP and DOWN MEP, according to the direction of the maintenance domain relative to the port on which the MEP resides. A DOWN MEP sends its messages out of the port it resides on; an UP MEP does not send messages out of its own port but towards the device, so that they leave through the device's other ports.
does not actively send CFM protocol packets, but can handle and respond to CFM protocol packets.
Connectivity fault detection relies on reasonable and effective deployment and configuration across the network; its functions operate between the configured maintenance points,
Function Remark
Continuity check: a proactive OAM function used to detect the connectivity state between maintenance
configuration error.
Link tracking: an on-demand OAM function by which the local device determines the path to a remote device, in order to locate a link failure.
Before configuring CFM, the network should be planned as follows:
Divide the whole network into maintenance domains by level, and determine the
Determine the maintenance domain name; the same domain on different devices
Determine the VLANs to be monitored, and the maintenance associations within each maintenance domain.
Determine the maintenance association name; within the same maintenance domain, the same association
That is, within the same maintenance domain, the same maintenance association maintains a list
On the boundary ports of the maintenance domain and association, configure maintenance end points, and
on a mid-point.
After the network planning is complete, carry out the following configuration.
Configure the name and the associated VLAN of the maintenance association: Required, see 34.2.5
maintenance mode
To distinguish between maintenance domains, you can specify a different maintenance domain name for each. A name consists of two parts, a format and a content; it is best for each domain name to be unique across the whole network. To express the nesting relationship between maintenance domains, a level must also be assigned to each domain: only a domain with a higher level can contain a domain with a lower level.
Operation Command Remarks
the domain name, and specify the cfm md format { dns-name | mac-uint |
maintenance
mode to enter
maintain
To distinguish between the maintenance associations within a maintenance domain, you can specify a different instance name for each association. The name consists of two parts, a format and a content; the combination of the maintenance domain name and the association's instance name must be unique across the whole network.
Operation Command Remarks
Enter maintenance domain configuration mode: cfm md md-index
Configure the name of the maintenance association: cfm ma format { primary-vid | string | uint16 |
CFM operates mainly on maintenance end points of various kinds; according to the network plan, the user configures maintenance end points on the ports at the boundary of the network.
Enter maintenance domain configuration mode: cfm md md-index
Configure the priority the maintenance end point uses to send LTM: cfm mep mep-id priority priority-id (default priority is 0)
A remote maintenance end point is the counterpart of a local maintenance end point. Within a maintenance association, all maintenance end points other than the local one should be configured on the local end point as remote maintenance end points.
Operation Command Remarks
Enter maintenance domain configuration mode: cfm md md-index
point, and specify the peer MEP of the remote end point: cfm rmep rmep-id mep mep-id
MIPs respond to CFM test messages; the user can configure them on the network device or
Enter maintenance domain configuration mode: cfm md md-index
between end points; CCM packets check the connectivity between these maintenance end points
Enter maintenance domain configuration mode: cfm md md-index
Enable sending of CCM from the MEP: cfm mep mep-id cc { enable | disable } (default is off)
Caution:
On different devices in the same maintenance domain and maintenance association, the maintenance
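An added model, not from the manual or the OLT software, of the continuity check that the CC commands above enable: a MEP holding its maintenance domain level, domain and association names and its remote MEP list, classifying received CCMs and declaring loss of continuity when a remote MEP stays silent for 3.5 CCM intervals. The classification rules and the 3.5-interval timeout are from IEEE 802.1ag; the class names, defect labels and sample values are assumptions of the example.

```python
from dataclasses import dataclass, field

LOC_MULTIPLIER = 3.5   # IEEE 802.1ag: a remote MEP is lost after 3.5 CCM intervals without a CCM


@dataclass(frozen=True)
class Ccm:
    """The fields of a received CCM that matter for this check (illustrative subset)."""
    md_level: int
    md_name: str
    ma_name: str
    mep_id: int
    interval: float   # seconds between CCMs, as carried in the CCM interval field


@dataclass
class Mep:
    md_level: int
    md_name: str
    ma_name: str
    mep_id: int
    interval: float
    rmeps: dict = field(default_factory=dict)   # rmep_id -> time of last good CCM (None: never heard)
    defects: set = field(default_factory=set)

    def add_rmep(self, rmep_id):
        """Register a remote MEP of the same association (the cfm rmep command above)."""
        self.rmeps[rmep_id] = None

    def receive(self, ccm, now):
        """Classify a received CCM the way a MEP's continuity check does."""
        if ccm.md_level > self.md_level:
            return "forward"          # belongs to an enclosing (higher-level) domain: pass through
        if ccm.md_level < self.md_level:
            self.defects.add("xcon")  # lower-level CCM leaked past a domain boundary: nesting error
            return "xcon"
        if (ccm.md_name, ccm.ma_name) != (self.md_name, self.ma_name):
            self.defects.add("xcon")  # same level, different MAID: cross-connected associations
            return "xcon"
        if ccm.mep_id not in self.rmeps or ccm.mep_id == self.mep_id or ccm.interval != self.interval:
            self.defects.add("errorccm")  # unexpected MEP ID, own ID looped back, or interval mismatch
            return "errorccm"
        self.rmeps[ccm.mep_id] = now
        return "ok"

    def check_continuity(self, now):
        """Return the remote MEPs silent for more than 3.5 intervals and set or clear the 'loc' defect."""
        lost = [r for r, last in self.rmeps.items()
                if last is None or now - last > LOC_MULTIPLIER * self.interval]
        if lost:
            self.defects.add("loc")
        else:
            self.defects.discard("loc")
        return lost
```

The "xcon" and "errorccm" outcomes are what the Caution above is about: if two devices in the same domain and association disagree on the domain name, association name, level or CCM interval, every CCM they exchange is classified as a defect rather than as proof of connectivity.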
By configuring the loopback function, you can check the link between the source MEP and the target MEP or MIP, in order to verify link connectivity.
Operation Command Remarks
Enter maintenance domain configuration mode: cfm md md-index
maintain
datapkt-data ]
By configuring link tracking, you can discover the path between the source MEP and the target MEP or maintenance intermediate point, in order to locate a link failure.
Operation Command Remarks
Enter maintenance domain configuration mode: cfm md md-index
unuse-mpdb } ]
After completing the above configuration, you can use the following command to display the CFM configuration.
Operation Command Remarks
Chapter 35 EFM
EFM (Ethernet in the First Mile), defined by the IEEE 802.3ah standard, is used for the management and maintenance of the point-to-point Ethernet link between two devices.
EFM effectively improves the management and maintenance capability of Ethernet and helps ensure stable network operation. Its main features include:
Function Remarks
EFM auto-discovery: EFM works in two modes, active mode and passive mode. An EFM connection can only be initiated by an EFM entity in active mode; an EFM entity in passive mode can only wait for connection requests from the peer. Two entities that are both in passive mode
Remote failure indication: When the device detects a critical link event, the local EFM entity notifies the peer entity of the fault through the Flags field of the Information OAMPDU (which carries the type of critical link event). In this way administrators can learn of the fault from the log
Critical link event types are Link Fault, Dying Gasp and Critical Event, three in total.
Link monitoring: The link monitoring function is used to detect link faults in a variety of environments. When the local EFM entity detects a general link event, it sends an Event Notification OAMPDU to its peer for notification; by observing the logged information, the administrator can keep track of the network's dynamic state.
Remote loopback: In remote loopback, the active-mode EFM entity sends all frames except OAMPDUs to the remote end; the remote end does not forward the received frames towards their destination address but loops them back to the originating end. Remote loopback is started or cancelled by the Loopback Control OAMPDU; the function can be used to detect
Remote MIB variable access: EFM entities exchange Variable Request/Response OAMPDUs with the far end to obtain MIB variable values, including all Ethernet MIB link performance parameters and error statistics. This gives the local EFM entity a means of detecting the general performance and errors of the far-end physical entity.
Description:
EFM works at the data link layer; its protocol packets are called OAMPDUs (OAM Protocol Data Units). EFM devices exchange OAMPDUs at regular intervals to report link status, enabling network administrators to manage the network effectively.
Information OAMPDU: Sends EFM entity state information (local information, remote information and custom information) to the remote entity.
Event Notification OAMPDU: Generally used for link monitoring, to warn of failures on the physical link connecting the local and remote EFM entities.
Loopback Control OAMPDU: Mainly used for remote loopback control, in order to control the EFM
Variable Request/Response OAMPDU: Mainly used to obtain remote MIB variable values, in order to achieve the end of
EFM operates in either active mode or passive mode. When the EFM function is enabled, the Ethernet port starts up with the default mode of operation and the
Start EFM: efm (by default, EFM is off)
By default, the EFM mode
After an EFM connection is established, the EFM entities at both ends send Information OAMPDUs periodically at a certain interval to detect whether the connection is normal; this interval is called the handshake packet sending interval. If an EFM entity does not receive any Information OAMPDU from the remote EFM entity within the connection timeout, the EFM connection is considered disconnected.
By adjusting the handshake packet sending interval and the connection timeout, you can change the accuracy of EFM connection detection. You can also configure the response timeout for remote OAMPDU request messages; a response received after the timeout is discarded
handshake packetsEFM
Caution:
When an EFM connection times out, the local EFM entity ages out its relationship with the peer EFM entity and the EFM connection is broken, so the connection timeout must be greater than the handshake packet sending interval (recommended 3
By
is enabled
Description:
The remote failure indication function requires the device to support unidirectional operation in order to notify the remote end of a locally detected critical link event. On devices that do not support unidirectional operation, a locally detected critical link event is only reported at the local end
errored-frame-seconds } enabled
Description:
The errored-symbol-period event detection window and threshold are 64-bit integer values; the high and low parameters are the high and low 32 bits of the value respectively, that is,
By default, remote loopback is in the off state. It can only support remote loopback
Because the remote loopback function disrupts normal traffic, users can configure how the local port handles Loopback Control OAMPDUs sent by the peer, so that EFM loopback requests initiated by the remote end are refused.
Reject remote loopback requests initiated by the remote end: efm remote-loopback { ignore | process }. By default, remote loopback requests initiated by the remote end are refused.
Description:
A port can initiate a remote loopback request to the far end only when its EFM connection has been established and it works in EFM active mode.
Only when both the local port and the far-end port support the remote loopback feature, and the link is full-duplex
While remote loopback is active, all data traffic is interrupted; when remote loopback exits, the local and remote ports return to normal. Remote loopback exits at the far end when, for example, the undo efm command disables the EFM function, the efm remote-loopback stop command is used, or the EFM connection times out.
By default,
enabled
Description:
A port can initiate a request for far-end MIB variables only when its EFM connection has been established, it works in EFM active mode, and the far-end port supports the MIB variable access function.
Currently only remote queries of FEC capability, FEC mode, port status and whether auto-negotiation is enabled are supported; other MIB variables can be added later on demand.
After completing the above configuration, you can use the following command to display the
EFM configuration.
statistics interface-num ]
Chapter 36 ERRP
Ethernet Redundant Ring Protocol is a link layer protocol specifically designed for Ethernet
ring. It prevents broadcast storms caused by data loops when the Ethernet ring is complete;
when a link on the Ethernet ring is disconnected, the communication path between the nodes
on the ring network can be quickly restored. Compared with STP, ERRP has the
To avoid conflict between ERRP and STP in calculating port blocking / releasing status, ERRP and STP are mutually exclusive on a port. That is, STP cannot be enabled on the two ports connected to the ERRP ring, while STP can be enabled on
ERRP region
The ERRP domain is identified by an integer ID. A set of switches configured with the same domain ID and control VLAN and connected to each other forms an ERRP domain. An ERRP
[Figure: ERRP ring showing the master node and the transit nodes]
The ERRP ring is also identified by an integer ID, and an ERRP ring physically corresponds to
ERRP rings that are connected to each other. One of them is the master ring and the other ring
is a sub-ring. The master ring and the sub-ring are distinguished by the specified level at the
time of configuration. The level of the primary ring is 0 and the level of the sub-ring is 1.
Health state: All links of the ring are normal and the physical link of the ring is connected.
Fault state: The link on the ERRP ring is faulty. One or many physical links of the ring network
are down.
Node role
The node on the ERRP ring is divided into the master node and the transit node. The node role
is specified by the user. The master node is the decision-making and control node for ring
protection. Each ERRP ring must have exactly one master node. All nodes except the master
If more than one ERRP ring intersects, one of the intersecting nodes is designated as the edge node and the other as the assistant edge node. On the master ring, both intersecting nodes have the role of transit node; on the sub-ring, their roles are edge node and assistant edge node. Which role a node takes on the sub-ring can be specified by the
Port role
Each node of an ERRP ring has two ports connected to the ring. The user can specify one of the ports as the primary port and the other as the secondary port. The primary port of the master node sends the health detection message (hello message), which is received on the secondary port of the master node. The primary and secondary ports of a transit node are functionally indistinguishable. To prevent the loop from causing broadcast storms, when the ERRP ring is normal the secondary port of the master node is blocked and all the other ports are in
If multiple ERRP rings intersect, the ports of the intersecting nodes that belong to both the primary ring and the sub-ring (that is, the ports of the link common to the primary ring and the sub-ring) are called common ports. Only the ports that access the sub-ring are called
regarded as part of the primary ring; that is, the common link is a link of the primary ring, not a link of the sub-ring. State changes of the common link are reported only to the master node of the primary ring; the master node of the sub-ring does not need to know about them.
Control VLAN
The control VLAN is defined relative to the data VLAN: the data VLAN is used to transmit data messages,
Each ERRP domain has two control VLANs, the primary control VLAN and the sub-control VLAN. The protocol messages of the primary ring are propagated in the primary control VLAN, and the protocol messages of the sub-ring in the sub-control VLAN. The user needs to specify only the primary control VLAN. The VLAN whose ID is one greater than the primary
Only the ports of each switch that connect to the Ethernet ring (ERRP ports) belong to the control VLAN; other ports cannot join the control VLAN. The ERRP ports of the primary ring belong to both the primary control VLAN and the sub-control VLAN; the ERRP ports of the sub-ring belong to the sub-control VLAN. The data VLAN can contain both ERRP ports and non-ERRP ports.
The primary ring is regarded as a logical node of the sub-ring. The protocol messages of the sub-ring are transmitted through the primary ring and processed there as data messages. The protocol messages of the primary ring are transmitted only within the primary
When ERRP is used together with IGMP Snooping and the ERRP topology changes, the forwarding state of ports changes. If the multicast state is not updated through the IGMP Snooping module after the port state changes, multicast forwarding may become abnormal. The query solicit function is introduced for this: when a topology change occurs in the ERRP ring, the device sends a query solicit message or a general IGMP query message to all ports so that member ports re-send IGMP reports and the multicast entries are updated.
HELLO message
The hello message is initiated by the master node and detects the integrity of the ring. The master node periodically sends HELLO messages from its primary port; each transit node forwards the message to the next node, and it is finally received by the secondary port of the master node. It is sent periodically; the sending period is the Hello timer.
LINK_UP message
The LINK_UP message is initiated by the transit node, edge node, or assistant edge node whose link has recovered. It informs the master node that a link on the ring has recovered. It is sent on trigger.
LINK_DOWN message
The LINK_DOWN message is initiated by the transit node, edge node, or assistant edge node
that fails the link. It informs the master node that there is link failure on the loop, and the
COMMON_FLUSH_FDB message
It is initiated by the master node and informs the transit nodes, the edge node and the assistant edge node to update their respective MAC address forwarding tables. It is triggered by link failure or link recovery.
COMPLETE_FLUSH_FDB message
It is initiated by the master node, and informs the transit node, the edge node and the assistant
edge node to update their respective MAC address forwarding tables, and informs the transit
node to release the blocked state of the port temporarily blocking the data VLAN. It is sent
when the link recovery (That is, the secondary port of the master node receives Hello packets)
is complete.
EDGE_HELLO message
The EDGE_HELLO message is initiated by the edge node of the sub-ring to check the loop
Edge nodes send EDGE_HELLO messages periodically from the two ports connected to the primary ring. The nodes in the primary ring process the message as a data message, and it is received by the assistant edge node on the same sub-ring. It is sent periodically; the sending period is
MAJOR_FAULT message
The MAJOR_FAULT message originates at the assistant edge node and reports to the edge node that the primary ring of the domain is faulty. When the assistant edge node of the sub-ring does not receive the EDGE_HELLO message from the edge node within the specified time, it sends a MAJOR_FAULT message from its edge port. Each sub-ring node that receives the message forwards it directly to the next node, until finally the edge node of the same sub-ring receives it. It is sent periodically after being triggered; the sending
Health status
The master node periodically sends the hello message from its primary port, and the message travels in turn through the transit nodes of the ring. If the secondary port of the master node receives the hello message before the timer expires, the master node considers the ERRP ring to be in the healthy state. The state of the master node reflects the health of the ring. When the ring is in the healthy state, the master node blocks its secondary port to prevent data messages from forming a broadcast loop.
Link failure
When an ERRP port of a transit node detects that the port has gone Link Down, the node sends a LINK_DOWN message to the master node from the paired ERRP port that is still in the up state
After the master node receives the LINK_DOWN message, its state changes immediately to the failed state and the blocking of the secondary port is released. The FDB table is refreshed and a COMMON_FLUSH_FDB message is sent from the primary and secondary ports to notify all transit nodes to refresh their respective FDB tables.
After receiving the COMMON_FLUSH_FDB message, the transit node immediately refreshes
The fault reporting mechanism is initiated by the transit node. To guard against the LINK_DOWN message being lost in transmission, the master node also implements a polling mechanism, by which the master node of the ERRP ring actively checks the health of the ring: it periodically sends HELLO messages from its primary port, and the messages pass through the transit nodes.
If the master node can receive the HELLO message from the secondary port in time, it
indicates that the ring network is complete and the master node will keep the secondary port
blocked. If the secondary port of the master node cannot receive HELLO message in the
specified time, it is considered that a link fault has occurred on the ring network. The fault
Link recovery
After the ERRP ports of a transit node come back up, the master node may only detect the ring recovery after a certain period of time. During that time the network may form a
To prevent such a temporary loop, when a transit node finds that a port accessing the ring has come back up, it moves to the Preforwarding state and immediately blocks the port that has just recovered. At the same time, the transit node whose link has recovered sends a LINK_UP message to the master node from the paired ERRP port that is in the UP state. After receiving the LINK_UP message from the transit node, the master node sends a COMMON_FLUSH_FDB message from its primary port and secondary port to notify all transit nodes to refresh their FDB tables. The
port recovered by the transit node only releases the blocked state after receiving the
COMPLETE_FLUSH_FDB packet sent by the master node or the Preforward timer expires.
The master node's response to the LINK_UP message is not the same as its handling of ring recovery. If multiple links on the ring fail and then one of them is restored, the LINK_UP reporting mechanism and the master node's response to it serve to quickly refresh the FDB tables of the nodes on the ring.
Ring recovery processing is initiated by the master node. The master node sends Hello messages periodically from its primary port. After the faulty link on the ring is restored, the master node receives its own hello messages on its secondary port. On receiving its own HELLO message, the master node first moves back to the complete state, blocks the secondary port, and then sends a COMPLETE_FLUSH_FDB message from the primary port. After receiving the COMPLETE_FLUSH_FDB message, the transit node moves back to the Link_Up state, releases the temporarily blocked port, and
adopted to recover the temporarily blocked port of the transit node. If a transit node in the Pre-forwarding state does not receive the COMPLETE_FLUSH_FDB message from the master node within the specified time, it releases the temporarily blocked port by itself and restores data communication.
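A constructed simulation of the single-ring behaviour described in this chapter, added here and not taken from the OLT implementation. It exercises the LINK_DOWN report and the polling fallback, the LINK_UP and Preforwarding handling on the transit node, and the recovery sequence triggered by the master's own HELLO returning on its secondary port, including the two loss cases the text mentions: a LINK_DOWN that never arrives (caught by the Hello and Failed timers) and a COMPLETE_FLUSH_FDB that never arrives (handled by the Preforward timer). The class names, the timer values and the single-failure assumption are assumptions of the example.

```python
# Constructed model of ERRP master/transit node behaviour; names and timers are illustrative.
COMPLETE, FAILED = "complete", "failed"
LINK_UP, LINK_DOWN, PREFORWARDING = "link_up", "link_down", "preforwarding"


class Master:
    def __init__(self, hello_timer=1, fail_timer=3):
        self.hello_timer, self.fail_timer = hello_timer, fail_timer
        self.state, self.secondary_blocked, self.last_hello_rx = COMPLETE, True, 0

    def tick(self, now, ring):
        if now % self.hello_timer == 0:
            ring.deliver_hello(now)                        # HELLO out of the primary port
        # Polling mechanism: a lost LINK_DOWN is still detected when HELLOs stop coming round.
        if self.state == COMPLETE and now - self.last_hello_rx > self.fail_timer:
            self.fail(now, ring)

    def on_hello(self, now, ring):
        self.last_hello_rx = now
        if self.state == FAILED:                           # own HELLO came back: ring is whole again
            self.state, self.secondary_blocked = COMPLETE, True
            ring.broadcast("COMPLETE_FLUSH_FDB", now)

    def fail(self, now, ring):
        self.state, self.secondary_blocked = FAILED, False   # release the secondary port
        ring.broadcast("COMMON_FLUSH_FDB", now)

    def on_link_up(self, now, ring):
        ring.broadcast("COMMON_FLUSH_FDB", now)            # fast FDB refresh, not ring recovery


class Transit:
    def __init__(self, preforward_timer=6):
        self.preforward_timer = preforward_timer
        self.state, self.blocked, self.pf_since, self.flushes = LINK_UP, False, None, 0

    def port_down(self, now, ring):
        self.state = LINK_DOWN
        ring.to_master("LINK_DOWN", now)                   # sent from the paired port still up

    def port_up(self, now, ring):
        self.state, self.blocked, self.pf_since = PREFORWARDING, True, now  # block: no temporary loop
        ring.to_master("LINK_UP", now)

    def on_flush(self, msg, now):
        self.flushes += 1                                  # refresh FDB on either flush message
        if msg == "COMPLETE_FLUSH_FDB" and self.state == PREFORWARDING:
            self.release()

    def tick(self, now):
        if self.state == PREFORWARDING and now - self.pf_since >= self.preforward_timer:
            self.release()                                 # COMPLETE_FLUSH_FDB never came: self-release

    def release(self):
        self.state, self.blocked, self.pf_since = LINK_UP, False, None


class Ring:
    """Master = node 0; links[i] joins the master (i=0) or transit i-1 to transit i, and the
    last link closes the ring back to the master's secondary port. Assumes one failure at a
    time, so control messages always find a path round the other way."""

    def __init__(self, n_transit, drop_complete_flush=False, **timers):
        self.master, self.transits = Master(**timers), [Transit() for _ in range(n_transit)]
        self.links, self.log = [True] * (n_transit + 1), []
        self.drop_complete_flush = drop_complete_flush    # simulate a lost COMPLETE_FLUSH_FDB

    def deliver_hello(self, now):
        if all(self.links):                                # HELLO only gets round an intact ring
            self.master.on_hello(now, self)

    def broadcast(self, msg, now):
        self.log.append((now, msg))
        if msg == "COMPLETE_FLUSH_FDB" and self.drop_complete_flush:
            return
        for t in self.transits:
            t.on_flush(msg, now)

    def to_master(self, msg, now):
        self.log.append((now, msg))
        if msg == "LINK_DOWN" and self.master.state == COMPLETE:
            self.master.fail(now, self)
        elif msg == "LINK_UP":
            self.master.on_link_up(now, self)

    def fail_link(self, i, now, report=True):
        self.links[i] = False
        if report:                                         # report=False models a lost LINK_DOWN
            self.transits[min(i, len(self.transits) - 1)].port_down(now, self)

    def restore_link(self, i, now):
        self.links[i] = True
        self.transits[min(i, len(self.transits) - 1)].port_up(now, self)

    def step(self, now):
        self.master.tick(now, self)
        for t in self.transits:
            t.tick(now)
```

The simulation makes the timer relationship in the next section concrete: the Failed timer must exceed the Hello timer, or the master would declare a fault between two consecutive HELLOs on a healthy ring, and the Preforward timer bounds how long a recovered transit port stays blocked if the master's COMPLETE_FLUSH_FDB is lost.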
Multi-ring operation is almost the same as single-ring operation. The difference is that in multi-ring topologies a sub-ring protocol message channel state detection mechanism is introduced on the main ring: after the channel is interrupted, the edge port of the edge node is blocked before the secondary port of the sub-ring's master node is released, to prevent a data loop from forming between the sub-rings. For details, see Sub-ring Protocol Channel
COMPLETE_FLUSH_FDB message from the sub-ring, it refreshes the FDB table. The COMPLETE_FLUSH_FDB of the sub-ring does not cause the sub-ring transit node to release the temporarily blocked port. The COMPLETE_FLUSH_FDB message of the primary ring does not do so.
Users can modify the ERRP timer parameters as required, but must make sure that the timer parameters are the same on all nodes. Ensure that the value of the Failed timer is not less
To interoperate with other vendors' devices, users can modify the work mode of an ERRP domain and configure multiple ERRP domains on the same device. Each domain can be configured with a different work mode, but all nodes in the same ERRP domain must work in the same mode.
By default, an ERRP domain works in standard mode. Modes compatible with EIPS and RRPP are supported.
The control VLAN is defined relative to the data VLAN: the data VLAN is used to transmit data messages,
Each ERRP domain has two control VLANs, called the primary control VLAN and the sub-control VLAN. The protocol messages of the primary ring are propagated in the primary control VLAN, and the protocol messages of the sub-ring are propagated in the sub-control VLAN. The user needs to specify only the primary control VLAN, and a VLAN with the maximum control VLAN ID of 1 as
When an ERRP port sends protocol messages, it always carries the control VLAN tag, regardless of
To avoid conflicts between ERRP and STP in calculating port blocking/releasing status, ERRP and STP are mutually exclusive on a port. Before specifying an ERRP port, the user must disable
If a device is on multiple ERRP rings of the same ERRP domain, only one master ring can exist. The node role of the device on the other sub-rings can only be edge node or assistant edge node.
The ERRP domain takes effect only when both the ERRP protocol and the ERRP ring are enabled. To enable the ring, the user must first configure the control VLAN.
ERRP rings are divided into main rings and sub-rings, using ring levels 0 and 1 respectively.
Configure ring and ring levels ring ring-id role master primary-port
This function is used in cooperation with IGMP SNOOPING. When the topology of the ERRP ring network changes, it immediately notifies the IGMP querier to resend an IGMP general query so that the IGMP SNOOPING multicast database is updated in time. Currently there is no related standard; the query solicit message is private and uses IGMP type 0xff.
1. By default, the Query Solicit function is enabled on the master node, the transit node
2. A master node topology change is determined by: the master node status changes from Health
3. Topology changes on other nodes are determined by: the primary and secondary port status is (block/disable).
4. When a node detects a topology change: if the node itself is the IGMP querier, it immediately sends a General Query message to all ports. Otherwise, it immediately sends a
5. After the IGMP querier receives the Query Solicit message: it responds immediately to the
Chapter 37 ERPS
ERPS (Ethernet Ring Protection Switching) is an ITU-T standard with carrier-class convergence speed. If all devices in the ring support this protocol, interoperability between them can be achieved.
ERPS mainly involves the ERPS ring, node, port role and port status.
1.ERPS Instance
An ERPS instance is formed by interconnected switches that share the same instance ID and control VLAN.
2.Control VLAN
The control VLAN is the VLAN in which the ERPS protocol is transmitted, and the protocol packet will carry
3.RPL
RPL (Ring Protection Link): the link designated by the mechanism that is blocked during the Idle state to
4.ERPS ring
The ERPS ring is the basic unit of ERPS. It is composed of a set of the same control VLAN and the
5.Node
The L2 switch devices added to an ERPS ring are called nodes. Each node can add no more than two ports to the same ERPS ring. Nodes are divided into RPL Owner,
6.Port Role
In ERPS, the port roles are RPL Owner, Neighbor, Next Neighbor, and Common:
RPL Owner: An ERPS ring has only one RPL Owner port, configured by the user; loops in the ERPS ring are prevented by blocking the RPL Owner port. The node that owns the RPL
RPL Neighbour: An ERPS ring has only one RPL Neighbor port, configured by the user, and it must be the port connected to the RPL Owner port. When the network is normal, it is blocked together with the RPL Owner port to prevent loops in the ERPS ring. The node with the RPL Neighbor
RPL Next Neighbour: An ERPS ring can have up to two RPL Next Neighbor ports, configured by the user. Each must be a port connecting to the RPL Owner node or the RPL Neighbor node. To become an RPL Next Neighbor node, the RPL Next Neighbor port should own the node of
Note: RPL Next Neighbour nodes are not much different from ordinary nodes. They can be
Common: The common port. Ports other than the RPL Owner, Neighbor and Next Neighbor ports are common ports. If a node has only Common ports, it is a Common node.
7.Port Status
In the ERPS ring, the port status of the ERPS protocol is divided into three types.
Forwarding: In Forwarding status, the port forwards user traffic and receives / forwards
Discarding: In the Discarding status, the port can only receive / forward R-APS packets and
Revertive: When the link fails, the RPL link is in the release protection state, and the RPL link
Non-revertive: After the fault is rectified, the faulty node remains in the faulty state (without entering Forwarding) and the RPL link remains in the release protection state.
ERPS uses ETH CFM for link monitoring. When the network is normal, one link on the ring is blocked to prevent the ring from forming a loop. If a fault occurs in the network, the blocked backup link is opened so that every node stays connected. The general process is as follows:
As shown in the figure, when six devices are connected in a ring and the link is in the IDLE state, the loop is removed by setting the RPL link and blocking its port (the RPL Owner port).
When a node on the ring detects a fault, it immediately blocks the port on the faulty link and reports the fault message (R-APS (SF)) to all other devices in the ring. After receiving the message, all other nodes refresh their FDB. The RPL Owner port receives the fault message and the recovery port enters the forwarding state. The ERPS ring enters the protection state, as shown in the figure:
When the link of the faulty device recovers, it sends R-APS (NR) packets to the other devices in the ring to inform them that there is no local request. When the RPL Owner receives the packet, it blocks its port and, after some time, sends the R-APS (NR, RB) message. After receiving that packet, the other nodes refresh their FDB entries. Later, the port of the previously faulty node is restored to the forwarding state, and the ring reverts to the IDLE state.
Note:
About the Ring ID: the ERPS ring ID is carried in the last byte of the DMAC of the R-APS message. From G.8032 it can be learned that ERPS ring IDs may be the same as long as the control VLANs are different, and vice versa. The ring ID of each instance can be 1 to 239,
In ERPS there is no HELLO packet to monitor link connectivity in real time. Instead, ERPS uses the CC function of ETH CFM to detect link connectivity by sending ETH-CC messages between the two ports. Therefore, you need to configure CFM CC for the ports in the ERPS ring.
In the ERPS instance, you need to configure the MEL (MEG level, which must be consistent
For more information about CFM, please refer to the CFM User Manual.
WTR timer: When the RPL Owner port has been put into the Forwarding state because of another device or link failure, and the fault is then cleared, some ports may not yet have changed from the Down state to the Up state. The RPL Owner port therefore starts the WTR timer when it receives a fault-free R-APS packet from a port, to prevent the blocking point from flapping. If a faulty R-APS packet from another port is received before the timer expires, the WTR timer is cancelled. If the WTR timer expires without any faulty R-APS packet having been received from the other ports, the RPL Owner port is blocked and an RPL-blocking R-APS packet is sent. After receiving that packet, the other ports set their own port state to Forwarding.
Guard timer: After the failure recovers, the device involved in the link failure or node failure sends an R-APS packet to the other devices and starts the Guard timer at the same time. Until the timer expires, the device does not process R-APS packets, so that outdated faulty R-APS packets are not acted on. If the device receives a faulty R-APS packet from another port after the timer expires, the port forwarding state changes to Forwarding.
Chapter 38 FlexLink
Flex Links is a Layer 2 link backup protocol offered as an alternative to STP. Choose Flex Links for link backup when STP is not wanted in the customer network. If STP is enabled, Flex Links is disabled. Flex Links consists of a pair of interfaces (ports or aggregate interfaces). One interface forwards data and the other is standby. The backup interface starts forwarding when the master link fails. When the failed interface recovers it becomes standby, and if the preempt mechanism is set it resumes forwarding after 60 seconds. STP must be disabled on Flex Links interfaces. Flex Links interfaces can be configured with bandwidth and delay as the preempt criterion, and the superior one becomes the master interface. A trap alarm is generated when the master or backup link fails.
-Keeping one uplink connected and the other blocked when both uplinks in a dual uplink network are healthy, thus preventing broadcast storms caused by network loops.
-Switching the traffic to the backup link within sub-seconds when the primary link fails,
-Easy to configure.
A Flex link group consists of only two member ports: the master and the slave. At any time, only one port is active and forwarding; the other port is blocked, that is, in the standby state. When a link failure occurs on the active port, for example due to port shutdown or a unidirectional link, the standby port becomes active to take over while the original active port transits to the blocked state.
2. Master port
The master port of a Flex link group is a port role specified using commands. It can be an Ethernet port (electrical or optical) or an aggregate interface.
3. Slave port
The slave port of a Flex link group is the other port role specified using commands. It can be an Ethernet port (electrical or optical) or an aggregate interface. The link on which the slave port resides is called the backup link.
When a link switchover occurs in a Flex link group, the old forwarding entries are no longer valid for the new topology. Therefore, all devices in the network need to refresh their MAC address forwarding entries. Flex Link notifies devices to refresh their MAC address forwarding
This section uses the network shown in the figure below to describe the Flex link mechanism as the link status transits from normal, to faulty, and then to recovery.
Link-Normal Operating
GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 of Switch A form a Flex link group, with the former as the master port and the latter as the slave port. When both uplinks are healthy, the master port is in the forwarding state and the slave port is in the standby state; the links on which the two ports reside are called the primary link and the backup link respectively. In this case, data is transmitted along the link indicated by the blue line. There is no loop in the
Link-Faulty Handling
When the primary link on Switch A fails, the master port GigabitEthernet 0/0/1 transits to the standby state, while the slave port GigabitEthernet 0/0/2 transits to the forwarding state: a link switchover occurs. After the link switchover, the MAC address forwarding entries kept on the devices in the network may become incorrect and need to be refreshed so that traffic can be switched rapidly to the other link, avoiding traffic loss. Currently one mechanism is available for refreshing MAC address forwarding entries: MMU message-notified refreshing. This mechanism is applicable when the upstream devices (such as Switch B, Switch C and Switch D in the figure) support Flex Link and are able to recognize MMU messages.
To enable rapid link switchover, you need to enable Switch A to send MMU messages, and enable the ports of all upstream devices on the dual uplink network to receive and process MMU messages.
After the link switchover occurs on Switch A, MMU messages are sent along the new primary link, that is, through GigabitEthernet 0/0/2. When an upstream device receives and handles an MMU message, it moves the MAC addresses carried in the MMU message to the receiving port.
After that, when Switch D receives a data packet destined for Host A, Host B or Host C, Switch D broadcasts the packet at Layer 2; Switch C looks up its MAC address table after receiving it and forwards it to Switch A from GE0/0/2; Switch A forwards it to Host A, Host B or Host C. In this
This mechanism updates MAC addresses without waiting for the entries to age out. Generally, the whole
preemption. Under the different modes, the port state changes differ:
If role preemption is configured, when the primary link recovers, the master port enters the forwarding state and takes over the traffic, while the slave port enters the standby state. The slave port transits from standby to forwarding only when the primary link fails.
If non-role preemption is configured, when the primary link recovers, the slave port remains in the forwarding state while the master port remains in the standby state, so as to
If bandwidth preemption is configured, when the primary link recovers, the slave port remains in the forwarding state if it has more bandwidth, while the master port remains in the standby state; the slave port transits from forwarding to standby only when the master port
Note:
STP must be disabled on the master port and the slave port, and neither of them can be an ERRP port.
standby state. When link failure occurs on the active port due to port shutdown or presence of
unidirectional link for example, the standby port becomes active to take over while the original
active port transits to the blocked state.
Operation Command Remarks
Operation: Enter global configuration mode
Command: system-view
Remarks: -
Operation: Configure Flex Links preemption mode
Command: channel-group channel-group-number_1 backup { interface device/slot/port_2 | channel-group channel-group-number_2 } preemption mode { forced | bandwidth | off }
Remarks: channel-group-number_1 is master port, port_2/channel-group-number_2 is slave port
Operation: Enter interface configuration mode
Command: interface ethernet device/slot/port_1
Operation: Configure Flex Links preemption mode
Command: port backup { interface device/slot/port_2 | channel-group channel-group-number_2 } preemption mode { forced | bandwidth | off }
Remarks: port_1 is master port, port_2/channel-group-number_2 is slave port
Chapter 39 Monitorlink
Monitor Link is developed to complement the Flex Link feature. By monitoring the uplink and synchronizing the downlink with the uplink, Monitor Link triggers the switchover between the primary and backup links in a Flex link group, thus completing the link redundancy mechanism of Flex Link.
As shown in the figure, ports GigabitEthernet 0/0/1, GigabitEthernet 0/0/2, and GigabitEthernet
1. Uplink Port
An uplink port is a monitored port in a monitor link group. It is a port role specified using
As shown in the figure, GigabitEthernet 0/0/1 of Switch A is the only uplink port of the monitor
For a monitor link group that has multiple uplink ports, as long as at least one of its uplink ports
is in the forwarding state, the monitor link group is up. However, when all uplink ports of the
monitor link group fail, the monitor link group goes down, shutting down all the downlink ports.
If no uplink port is specified in a monitor link group, the system considers the monitor link
group’s uplink ports to be faulty, and thus shuts down all the downlink ports in the monitor link
group.
2. Downlink Port
A downlink port is a monitoring port in a monitor link group. It is another port role specified
As shown in the figure, GigabitEthernet 0/0/2 and GigabitEthernet 0/0/3 of Switch A are two
Note:
When a monitor link group’s uplink ports recover, only downlink ports that were blocked due to
uplink port failure will be brought up. Downlink ports manually shut down will not be brought up
automatically. The failure of a downlink port does not affect the uplink ports or other downlink
ports.
As shown in the below figure, to provide reliable access to the Internet for the hosts, a Flex link
group is configured on Switch A. GigabitEthernet 0/0/1 is the master port of the Flex link group,
To avoid traffic interruption due to the failure of the link on which GigabitEthernet 0/0/1 of
Switch B resides, configure a monitor link group on Switch B, and specify GigabitEthernet
0/0/1 as the uplink port, and GigabitEthernet 0/0/2 as the downlink port.
When the link on which GigabitEthernet 0/0/1 of Switch B resides fails, the monitor link group
shuts down its downlink port GigabitEthernet 0/0/2, triggering a link switchover in the Flex link
When the link on which GigabitEthernet 0/0/1 of Switch B resides recovers, the downlink port
GigabitEthernet 0/0/2 is also brought up, triggering another link switchover in the Flex link
Collaboratively, Monitor Link and Flex Link deliver reliable link redundancy and fast
If the port is Ethernet port, configuration should be in interface configuration mode; if port is
After finishing the above configuration, users can check the configuration with the command below.
The L3 switch is a 10-Gigabit intelligent routing switch based on the application specific
integrated circuit (ASIC) technology and supports layer 2 (L2) and layer 3 (L3) forwarding. It
performs L2 forwarding when hosts in the same virtual local area network (VLAN) access each
other and L3 forwarding when hosts in different VLANs access each other.
L3 interfaces are classified into common VLAN interfaces and superVLAN interfaces.
Common VLAN interfaces are created on VLANs and superVLAN interfaces on superVLANs
The L3 switch supports stream forwarding and network topology-based forwarding. In stream forwarding mode, the L3 switch identifies a failed route or an unreachable destination host route and sends the packets to the CPU for further processing. In network topology-based forwarding mode, the L3 switch directly discards such packets. By default, the L3 switch works in network topology-based forwarding mode.
A VLAN interface needs to be configured for each VLAN that performs L3 forwarding or the
SuperVLAN interfaces are used for communication between hosts in different VLANs in the
same network segment. SuperVLAN interfaces are implemented through the ARP proxy.
and the IP addresses of VLAN or superVLAN interfaces cannot be in the same network segment. The first IP address configured on an interface is automatically selected as the primary IP address. When the primary IP address is deleted, the interface automatically selects another of its addresses as the primary IP address. For example, if the IP address of VLAN interface 1 is 10.10.0.1/16, the IP addresses of other interfaces must not be in the 10.10.0.0/16 network segment (for example 10.10.1.1/24).
Each VLAN or superVLAN interface can be configured with a maximum of eight IP address ranges. After an IP address range is configured, only ARP entries within this range can be learnt, which restricts user access. When a VLAN or superVLAN interface is deleted, the relevant
For superVLAN interfaces, sub VLANs can be specified at the same time so that the set
Delete the IP address ranges of the undo ip address range startip endip vlan
ARP request packets are broadcast packets and cannot pass between VLANs. If the ARP proxy function is enabled, ARP interaction is supported between hosts in sub VLANs of the same superVLAN. When the ARP proxy is disabled, the hosts of the sub VLANs in the
By default, the ARP request packets from all sub VLANs are processed in the preceding manner. In addition, the relevant commands can be used to prevent the ARP request packets from a sub VLAN from being broadcast to other sub VLANs when they are processed by the ARP proxy.
The L3 switch integrates VLAN interface information and superVLAN interface information.
URPF (Unicast Reverse Path Forwarding) aims to prevent network attacks based on source address spoofing. URPF takes the source address and ingress interface of a packet and looks up the routing table using the source address as if it were the destination address. The packet is forwarded if it meets the check conditions and discarded if it does not. Two URPF
Strict mode: In this mode, the source address must exist in the routing table, and the egress interface of the route to the source address must be the same as the ingress interface of the packet.
Loose mode: In this mode, the system only checks whether the source address of the packet
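The strict and loose checks above, as an added example in Python (not code from the manual or the OLT): a constructed routing table with longest-prefix match, a urpf_check that applies either mode, and constructed sample packets; treating the default route as not satisfying URPF is an assumption of the example.

```python
import ipaddress

# Constructed sample routing table for the example: (prefix, egress interface).
# On the OLT these entries would come from static routes, RIP or OSPF.
ROUTING_TABLE = [
    ("10.10.0.0/16", "vlan10"),
    ("10.10.1.0/24", "vlan11"),     # more specific route to one subnet
    ("192.168.5.0/24", "vlan20"),
    ("0.0.0.0/0", "vlan1"),         # default route
]


def lookup_egress(address, table=ROUTING_TABLE, allow_default=False):
    """Longest-prefix match of `address` against `table`.

    Returns the egress interface of the best route, or None. The default
    route is ignored unless allow_default is True (assumption of this example:
    a default route must not make every spoofed source look routable).
    """
    addr = ipaddress.ip_address(address)
    best_len, best_iface = -1, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def urpf_check(src_ip, ingress_iface, mode, table=ROUTING_TABLE):
    """Return True if a packet with `src_ip` arriving on `ingress_iface` passes URPF.

    strict: a route back to the source must exist AND its egress interface must
            be the interface the packet arrived on.
    loose:  a route back to the source must exist; the interface is not compared.
    """
    egress = lookup_egress(src_ip, table)
    if egress is None:
        return False                 # no route back to the source: drop
    if mode == "strict":
        return egress == ingress_iface
    if mode == "loose":
        return True
    raise ValueError("mode must be 'strict' or 'loose'")


def filter_packets(packets, mode, table=ROUTING_TABLE):
    """Apply URPF to (src_ip, ingress_iface) pairs; return the verdict per packet."""
    return [(src, iface, urpf_check(src, iface, mode, table)) for src, iface in packets]


# Constructed sample packets: (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("10.10.1.5", "vlan11"),     # legitimate: best route back is via vlan11
    ("10.10.1.5", "vlan10"),     # arrives on the wrong interface (asymmetric or spoofed)
    ("10.10.2.7", "vlan10"),     # legitimate: covered by the /16 via vlan10
    ("172.16.0.1", "vlan10"),    # no route back to the source at all
    ("192.168.5.9", "vlan1"),    # routable source, but via vlan20, not vlan1
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for src, iface, ok in filter_packets(SAMPLE_PACKETS, mode):
            print(f"{mode:6} src={src:12} in={iface:6} -> {'forward' if ok else 'drop'}")
```

Note that loose mode still forwards the second and last sample packets: it stops only sources with no route at all, so asymmetric routing does not break it, while strict mode also drops packets arriving on an unexpected interface.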
To avoid attacks from address scanning software similar to ip-scan, users can disable the
The Switch is an ASIC-based Gigabit intelligent switch, in which a layer-3 forwarding and
routing table is maintained to specify the next hops of routes and relevant information. These
routes may be learned dynamically through routing protocols or added manually. A static route
Notes:
This command displays the information relevant to the specified routing entry, such as the
next-hop address and route type. You can choose to view the routes to a specific destination
address, all static routes, and all routes. By default, all routes will be displayed.
Parameter description:
Chapter 42 RIP
Routing Information Protocol (RIP) is a routing protocol based on the Distance-Vector (D-V) algorithm and is widely deployed. It exchanges routing information by sending route update packets over the User Datagram Protocol (UDP) every 30 seconds. If no route update packet has been received from a peer router within 180 seconds, the local router marks all routes from that peer router as unreachable. If still no update packet is received from the peer router in the 120 seconds after a route is marked as unreachable, the local router deletes
RIP uses the hop count as its routing metric to measure the distance to a destination host. In a RIP network, the hop count is 0 if a router is directly connected to a network, 1 if a route needs to traverse one router before reaching the destination network, and so on. To limit the route convergence time, RIP stipulates that the hop count is an integer ranging from 0 to 15. The distance is considered infinite if the hop count is greater than or equal to 16. In this case, the
RIP has two versions: RIP-1 and RIP-2 (which supports plaintext authentication).
To improve routing performance and avoid routing loops, RIP introduces the concepts of Split
Each RIP router manages a routing database, which contains the routing entries for all reachable destinations on a network. These routing entries include the following information:
Metric value: cost of a route from the local router to a destination, an integer from 0 to 15.
Timer: time counted from the last modification of a routing entry. The timer is zeroed every
Upon RIP startup on a router, the router broadcasts a request packet to its neighboring routers. After receiving the request packet, the neighboring routers (with RIP running) return a response packet containing their respective local routing tables.
Upon receipt of the response packets, the router that sent the request packet modifies its
RIP broadcasts or multicasts the local routing table to its neighboring routers every 30 s. The neighboring routers maintain their local routes to select the best route and then broadcast or multicast the modification to their own neighboring networks, so that the routing update eventually takes effect globally. RIP employs a timeout mechanism to process expired routes, ensuring that the routes are up to date and valid. Through these mechanisms RIP, as an interior routing protocol, acquaints routers with the network-wide routing information.
RIP has been accepted as one of the standards that regulate route transmission between a router and a host. L3 switches forward IP packets across a LAN the same way as routers, so RIP is also widely deployed on L3 switches. It is applicable to most campus networks and regional networks with a simple structure and good continuity, but not
By default, an interface does not send or receive RIP packets until the IP network segment to
run RIP is specified by the administrator even if RIP is enabled on the interface.
command; after using this command, RIP update packets are no longer sent out from this interface.
RIP has two versions: RIP-1 and RIP-2. You can specify the version of the RIP packets to be
processed by an interface.
RIP-1 packets are transmitted in broadcast mode. RIP-2 packets may be transmitted in either
broadcast or multicast mode. The multicast mode is used by default. In RIP-2, the multicast
address is 224.0.0.9.
When the multicast mode is used, non-RIP hosts on the same network will not receive RIP
broadcast packets and RIP-1 hosts will not receive or process the RIP-2 routes with a subnet
mask. A RIP-2 interface can also receive the RIP-1 broadcast packets.
Operation: Configure RIP receive version
Command: ip rip receive version { 1 | 2 [ bcast | mcast ] }
Remarks: By default, version is 2mcast
Notes:
A RIP-1 interface can send and receive RIP-1 broadcast packets. A RIP-2 broadcast interface
can receive RIP-1 packets and RIP-2 broadcast packets but not RIP-2 multicast packets. A
RIP-2 multicast interface can send and receive RIP-2 multicast packets.
Route aggregation consolidates the routes on different subnets of a natural network segment
into one route with a natural mask and sends the route to another network segment. This
function minimizes both the number of entries in a routing table and the amount of information
RIP-1 sends only the routes with a natural mask, that is, aggregate routes. RIP-2 supports the
subnet mask. To broadcast all the subnet routes, you should disable the route aggregation
function of RIP-2.
Operation Command Remarks
Operation: Delete aggregation address
Command: undo aggregate-address ip-address/mask-length
RIP-1 does not support packet authentication. A RIP-2 interface, however, can be configured
Split horizon is designed to prevent the routes learned on an interface from being sent through
the interface, which avoids routing loops. This function must be disabled in some special
Operation: Enable split-horizon function
Command: ip rip split-horizon
Remarks: By default, it is enabled
Operation: Disable split-horizon poisoned-reverse function
Command: undo ip rip split-horizon poisoned-reverse
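The RIP rules described in this chapter (hop count 0 for connected networks, 16 meaning unreachable, the 180 s timeout and 120 s deletion timers, and split horizon with poisoned reverse), as an added example in Python rather than anything from the manual or the OLT: a small routing database with constructed neighbour updates, where names such as RipTable and the interface labels are inventions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INFINITY = 16          # hop count 16 or more means unreachable
UPDATE_INTERVAL = 30   # seconds between periodic updates (informational here)
TIMEOUT = 180          # no update for this long -> route marked unreachable
GARBAGE_TIME = 120     # unreachable for this long -> route deleted


@dataclass
class Route:
    dest: str                          # e.g. "10.3.0.0/16"
    metric: int                        # hop count, 0 for directly connected
    next_hop: Optional[str]            # None for directly connected networks
    iface: str                         # interface the route was learned on / lies on
    last_update: float                 # time of the last update for this route
    unreachable_since: Optional[float] = None


class RipTable:
    """Minimal RIP routing database following the rules in the text above."""

    def __init__(self):
        self.routes: Dict[str, Route] = {}

    def add_connected(self, dest: str, iface: str, now: float = 0.0):
        # Directly connected network: hop count 0, never times out.
        self.routes[dest] = Route(dest, 0, None, iface, now)

    def receive(self, from_router: str, iface: str,
                entries: List[Tuple[str, int]], now: float):
        """Process a response/update from a neighbour: (dest, metric) pairs."""
        for dest, metric in entries:
            m = min(metric + 1, INFINITY)          # one more hop via the neighbour
            cur = self.routes.get(dest)
            if cur is None:
                if m < INFINITY:                   # never install an unreachable route
                    self.routes[dest] = Route(dest, m, from_router, iface, now)
            elif cur.next_hop == from_router:
                # Updates from the current next hop are always accepted, even if worse.
                cur.metric, cur.last_update = m, now
                if m >= INFINITY and cur.unreachable_since is None:
                    cur.unreachable_since = now
                elif m < INFINITY:
                    cur.unreachable_since = None
            elif m < cur.metric:                   # strictly better route wins
                self.routes[dest] = Route(dest, m, from_router, iface, now)

    def tick(self, now: float):
        """Expire routes: 180 s without update -> unreachable; 120 s more -> deleted."""
        for dest, r in list(self.routes.items()):
            if r.next_hop is None:
                continue                           # connected routes never expire
            if r.unreachable_since is None:
                if now - r.last_update >= TIMEOUT:
                    r.metric, r.unreachable_since = INFINITY, now
            elif now - r.unreachable_since >= GARBAGE_TIME:
                del self.routes[dest]

    def advertise(self, out_iface: str, poisoned_reverse: bool = False):
        """Build the update sent out of `out_iface`.

        Split horizon: routes learned on out_iface are omitted.
        Poisoned reverse: they are sent instead with metric 16.
        """
        update = []
        for r in sorted(self.routes.values(), key=lambda x: x.dest):
            if r.iface == out_iface:
                if poisoned_reverse:
                    update.append((r.dest, INFINITY))
                continue
            update.append((r.dest, r.metric))
        return update


if __name__ == "__main__":
    t = RipTable()
    t.add_connected("10.1.0.0/16", "vlan1")
    # Constructed update from neighbour 10.2.0.1 on vlan2.
    t.receive("10.2.0.1", "vlan2", [("10.3.0.0/16", 1), ("10.9.0.0/16", 15)], now=0)
    print("advertise on vlan2 (split horizon):", t.advertise("vlan2"))
    print("advertise on vlan2 (poisoned reverse):", t.advertise("vlan2", True))
    t.tick(now=180)
    print("after 180 s without updates:", t.routes["10.3.0.0/16"].metric)
```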
The additional routing metric value is added to RIP routes on an inbound or outbound interface.
It does not change the routing metric value of routes in the routing table but adds a designated
A prefix list is identified by a prefix list name and may contain multiple entries, each of which
During prefix matching, the switch checks the entries in ascending order of sequence number. If an entry is matched, the action of that entry applies and the remaining entries are not checked.
Note: By default, if more than one prefix list entry has been defined, at least one permit entry should be present. Deny entries can be defined first so that routes that do not meet the condition are filtered quickly. However, if all entries are deny entries, no route will be permitted by the address prefix list. You are advised to define an entry permit 0.0.0.0/0 after defining multiple deny entries, so that all remaining routes are permitted. Alternatively, you can run the ip prefix-list default command to change the default configuration.
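The matching order and default-action behaviour described above, as an added Python example that is not code from the manual or the OLT. The ge/le range semantics, the list name and the sample entries are assumptions of the example; under those semantics a catch-all entry needs le 32 to match routes of every mask length.

```python
import ipaddress
from typing import List, Optional, Tuple


class PrefixList:
    """Address prefix list with first-match evaluation in ascending sequence order.

    Entry semantics assumed here (common to most CLIs, not confirmed for this
    OLT): an entry prefix/len with optional ge/le matches a route whose
    address falls inside prefix/len and whose mask length lies in [ge, le].
    With neither ge nor le, the route's mask length must equal len exactly.
    """

    def __init__(self, name: str, default: str = "deny"):
        if default not in ("permit", "deny"):
            raise ValueError("default must be 'permit' or 'deny'")
        self.name = name
        self.default = default     # the action 'ip prefix-list default' would change
        self.entries: List[Tuple[int, str, ipaddress.IPv4Network, int, int]] = []

    def add(self, seq: int, action: str, prefix: str,
            ge: Optional[int] = None, le: Optional[int] = None):
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        net = ipaddress.ip_network(prefix, strict=False)
        n, maxlen = net.prefixlen, net.max_prefixlen
        if ge is None and le is None:
            ge, le = n, n                 # exact length only
        elif ge is None:
            ge = n
        elif le is None:
            le = maxlen
        if not n <= ge <= le <= maxlen:
            raise ValueError(f"invalid range for {prefix}: ge={ge} le={le}")
        self.entries.append((seq, action, net, ge, le))
        self.entries.sort(key=lambda e: e[0])   # evaluated in ascending seq order

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """Return (action, seq of the matching entry), or (default, None) if nothing matches."""
        r = ipaddress.ip_network(route, strict=False)
        for seq, action, net, ge, le in self.entries:
            if r.subnet_of(net) and ge <= r.prefixlen <= le:
                return action, seq       # first match wins; later entries are ignored
        return self.default, None

    def filter(self, routes: List[str]) -> List[str]:
        """Keep only the routes the list permits."""
        return [rt for rt in routes if self.evaluate(rt)[0] == "permit"]


def build_example_list() -> PrefixList:
    """Constructed list: deny fine-grained 10/8 subnets, allow coarse ones, then everything else."""
    pl = PrefixList("RIP-IN")
    pl.add(5, "deny", "10.0.0.0/8", ge=24)        # any /24 or longer inside 10/8
    pl.add(10, "permit", "10.0.0.0/8", le=16)     # 10/8 itself down to /16 subnets
    pl.add(20, "permit", "0.0.0.0/0", le=32)      # catch-all: needs le 32 to match all lengths
    return pl


if __name__ == "__main__":
    pl = build_example_list()
    for rt in ["10.1.2.0/24", "10.1.0.0/16", "10.1.0.0/20", "192.168.1.0/24"]:
        print(rt, "->", pl.evaluate(rt))
```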
For details, see the description of this command in a command line manual.
In an Ethernet switch, connected, static, and OSPF routes can be imported into RIP.
Policies and rules can be configured to filter incoming and outgoing routes based on an
address prefix list. In addition, you can configure that only the RIP packets from a specific
Chapter 43 OSPF
Open Shortest Path First (OSPF) is an interior routing protocol developed by the IETF based on link state detection and shortest path first technologies. In an IP network, OSPF dynamically discovers and advertises routes by collecting and transmitting the link states of
route calculation security and employs IP multicast to send and receive packets.
Each OSPF router maintains a database that describes the topological structure of an AS. The
database is a collection of link-state advertisements (LSAs) of all the routers. Every router
always broadcasts the local state information across the entire AS. If two or more routers exist
in a multi-access network, a designated router (DR) and a backup designated router (BDR)
must be elected. The DR is responsible for broadcasting the LSAs of the network. With a DR, a
between routers. OSPF allows an AS to be divided into areas, between which routing
OSPF uses four types of routes, which are listed in order of priority as follows:
Intra-area routes
Inter-area routes
Intra-area and inter-area routes describe the network structure of an AS, while external routes
describe how routes reach destinations outside an AS. Generally, type 1 external
routes are based on information imported by OSPF from other interior routing protocols
and are comparable to OSPF routes in routing cost; type 2 external routes are based on
information imported by OSPF from exterior routing protocols, and the costs of such routes are
far greater than those of OSPF routes. Therefore, route calculation only takes the external
Based on the link state database (LSDB), each router builds a shortest path tree with itself as
the root, which gives the routes to every node in the AS. An external route appears as a
leaf node and can also be marked by the router that advertises the external route so that
All OSPF areas are connected to the backbone area, which is identified by area ID 0.0.0.0. OSPF
areas must be logically contiguous. To achieve this, virtual links are introduced into the
backbone area to preserve the logical connectivity of areas even when they are physically
separated.
OSPF divides an AS into different areas, based on which routers are logically classified into
different groups. Area border routers (ABRs) may belong to different areas. A network
segment belongs to only one area, that is, the home area of an OSPF interface must be
specified. An area is identified by an area ID. Routes between areas are transmitted by ABRs.
In addition, all the routers in an area must agree on the parameter settings of the
area. Therefore, the routers in the same area must be configured in accordance with the
parameter settings of the area. A configuration error may lead to failure of information transfer
between adjacent routers and even to routing failures or routing loops.
OSPF calculates routes based on the topology of the network adjacent to the local
router. Each router describes the topology of its adjacent network and transmits it to the other
routers. According to the link layer protocol, OSPF classifies networks into the following four
types:
Broadcast networks: When Ethernet or FDDI is used as the link layer protocol, OSPF
Non-Broadcast Multi-Access (NBMA) networks: When ATM is used as the link layer protocol,
always a substitute of other network types through forcible change. An NBMA network that is
Point-to-Point networks: When PPP, LAPB, or POS is used as the link layer protocol, OSPF
An ATM network is a typical NBMA network. A polling interval can be configured to specify
the interval at which Hello packets are sent before a router establishes a neighbor relationship with its
neighboring router.
On a broadcast network that does not support multicast, you can configure the interface
type to nonbroadcast.
If some routers are not directly reachable on an NBMA network, you can configure the
If a router has only one peer router on an NBMA network, you can set the interface type to
point-to-point.
The differences between an NBMA network and a point-to-multipoint network are as follows:
A DR and a BDR must be elected on an NBMA network but are not used on a
point-to-multipoint network.
NBMA is a default network type. For example, if the link layer protocol is ATM, OSPF
considers the network type to be NBMA by default, whether or not the network is fully
meshed. Point-to-multipoint is not a default network type: no link layer protocol is treated as
point-to-multipoint, so this type is only reached by changing the network type explicitly. An
NBMA network that is not fully meshed is often changed to a point-to-multipoint network.
On an NBMA network, packets are transmitted in unicast mode, which requires you to
An Ethernet switch uses Ethernet as the link layer protocol, so OSPF treats the network
type as broadcast. Do not change the network type of an Ethernet switch arbitrarily.
A stub area is a special area into which ABRs do not distribute the external routes they
have received. In stub areas, both the size of routing tables and the amount of routing
Any area that meets certain conditions can be configured as a stub area. Generally, a stub
area is located at the border of an AS. It may be a non-backbone area with only one ABR or a
non-backbone area with multiple ABRs between which no virtual link is configured.
To make destinations in other ASs reachable from a stub area, the ABR of the stub area generates a default
-The backbone area cannot be a stub area, and a virtual link is not allowed in a stub
area.
-All the routers in a stub area must be configured to indicate that they are located in a stub
area.
-No ASBR is allowed in a stub area, that is, routes from outside the AS where the stub area
Cancel the stub area configuration: undo area area-id stub [ no-summary ]
Chapter 44 BGP
Border Gateway Protocol (BGP) is a dynamic routing protocol deployed between autonomous
systems (ASs). It automatically exchanges loop-free routing information between ASs and
builds up the topological structure of ASs through the exchange of network reachability information
BGP normative references include RFC 1105 (BGP-1), RFC 1163 (BGP-2), RFC 1267 (BGP-3),
RFC 1771 (BGP-4), and RFC 4271 (BGP-4). RFC 1771 has seen the widest application and
RFC 4271 is the latest issue. BGP is suitable for distributed networks and supports Classless
Inter-Domain Routing (CIDR). With BGP, users can define their own policies. BGP-4 has become the
de facto standard for Internet exterior routing. BGP is usually deployed
between ISPs.
Interior routing protocols such as OSPF and RIP are designed to discover and calculate routes.
As an exterior routing protocol, BGP focuses on control of route distribution and selection of
The AS Path attribute is carried in BGP routes to eliminate routing loops.
With TCP (port 179) as the transport layer protocol, BGP inherits reliable delivery; a BGP session is therefore only as well protected as the TCP connection that carries it.
Support for CIDR is a significant characteristic of BGP-4 compared with BGP-3. CIDR
does not categorize IP addresses into class A, class B, and class C addresses.
address. /16 indicates that the subnet mask consists of the first 16 bits counted from the
left of the IP address. CIDR also simplifies route aggregation, which consolidates several
different routes. With route aggregation, multiple routes
are advertised as one route, which reduces the size of BGP tables and network
bandwidth usage.
For route updates, BGP transmits only incremental changes, which substantially reduces
the bandwidth used by BGP route transmission. Therefore, BGP is appropriate when a large
For reasons of management and security, each AS expects to control its incoming and
outgoing routes. BGP-4 provides rich routing policies for flexible route filtering and
BGP runs on a specific router as an upper-layer protocol. Upon startup, the BGP router
sends its entire BGP table to its peer for routing information exchange, and afterwards only Update
messages are exchanged between them to process changed routes. BGP detects the
The router sending a BGP message is called a BGP speaker, which constantly receives or
generates new routing information and advertises it to other BGP speakers. After receiving a
new route advertisement from another AS, a BGP speaker distributes the route
advertisement to all the other BGP speakers in the same AS if the route is better than the
current one or has not been received before. If two BGP speakers are exchanging messages,
BGP is regarded as IBGP when deployed within an AS and as EBGP when deployed between
ASs.
BGP uses four message types:
Open message
Update message
Notification message
Keepalive message
An Open message is the first message sent after the TCP connection is set up and is used to
establish a BGP peer relationship. A Notification message is sent when an error occurs. A
Keepalive message is sent to verify that a connection is still valid. As the most important
message in BGP, an Update message is transmitted between BGP peers for routing
information exchange. It consists of at most three parts: unreachable (withdrawn) routes, path attributes,
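The four message types above share one 19-byte header (16-byte marker, 2-byte length, 1-byte type) on the TCP stream. The following is an added example, not code from this manual or the OLT firmware: it parses that header and the fixed part of an Open message according to the RFC 4271 wire format, validating each field before acting on it, and splits a stream into messages. The sample Open and Keepalive messages are constructed here; the AS number, hold time and BGP identifier are arbitrary.

```python
# Added example (not from the manual): parsing the four BGP message types from a
# TCP byte stream, following the RFC 4271 wire format.  Sample messages are
# constructed below.
import struct
from ipaddress import IPv4Address

MARKER = b"\xff" * 16
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
HEADER_LEN = 19


def parse_header(buf: bytes) -> tuple[str, int]:
    """Validate the 19-byte header; return (type name, total message length).

    A peer failing any check should get a NOTIFICATION (Message Header Error)
    and have its session closed, rather than having the bytes silently ignored.
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    marker, length, mtype = struct.unpack_from("!16sHB", buf, 0)
    if marker != MARKER:
        raise ValueError("connection not synchronised (bad marker)")
    if not HEADER_LEN <= length <= 4096:
        raise ValueError(f"bad message length {length}")
    if mtype not in TYPES:
        raise ValueError(f"bad message type {mtype}")
    if mtype == 4 and length != HEADER_LEN:
        raise ValueError("KEEPALIVE must be exactly 19 bytes")
    return TYPES[mtype], length


def header_rejected(buf: bytes) -> bool:
    """True if parse_header refuses the bytes (helper for checks)."""
    try:
        parse_header(buf)
    except ValueError:
        return True
    return False


def parse_open(body: bytes) -> dict:
    """Decode the fixed part of an OPEN body; optional parameters are returned raw."""
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack_from("!BHHIB", body, 0)
    if version != 4:
        raise ValueError(f"unsupported BGP version {version}")
    if hold_time in (1, 2):                      # RFC 4271: 0 or at least 3 seconds
        raise ValueError("hold time must be 0 or at least 3 seconds")
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": str(IPv4Address(bgp_id)), "opt_params": body[10:10 + opt_len]}


def split_messages(stream: bytes) -> list[tuple[str, bytes]]:
    """Split a byte stream into (type, body) pairs; a trailing partial message is left unread."""
    out, pos = [], 0
    while len(stream) - pos >= HEADER_LEN:
        mtype, length = parse_header(stream[pos:])
        if len(stream) - pos < length:
            break
        out.append((mtype, stream[pos + HEADER_LEN:pos + length]))
        pos += length
    return out


def build_open(my_as: int, hold_time: int, bgp_id: str) -> bytes:
    """OPEN with no optional parameters (constructed sample)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, int(IPv4Address(bgp_id)), 0)
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), 1) + body


def build_keepalive() -> bytes:
    return MARKER + struct.pack("!HB", HEADER_LEN, 4)
```

The length check against 4096 and the exact-length rule for Keepalive are the checks a speaker must apply before trusting anything that follows the header; a malformed Update body should likewise be answered with a Notification rather than parsed optimistically.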
Import IGP routes into BGP: redistribute { babel | connected | isis | kernel
[ route-map route-map ] ]
Cancel the import of IGP routes: undo redistribute { babel | connected | isis
Chapter 45 BFD
Bidirectional Forwarding Detection (BFD) periodically checks the status of the peers of a
session and immediately notifies the routing protocol of any fault. The routing protocol then
responds with a fast reroute. Generally, the BFD interval is shorter than 1 s, so
the convergence time of routing protocols is reduced. For this reason, BFD can help routing
protocols such as OSPF, RIP, and BGP to detect the reachability of neighbors or link failures,
Disable BFD: undo ip ospf bfd (OSPF BFD is disabled by default; currently only OSPF BFD is supported)
Restore the desired minimum transmit interval to its default value: undo bfd min-transmit-interval
Configure whether BFD sessions can enter demand mode: bfd demand off (the default is off)
Notes:
value: desired minimum packet transmission interval of an interface. It ranges from 200 to
Chapter 46 VRRP
On a TCP/IP network, routes must be configured between two devices that are not directly
connected to ensure their communication. Currently, routes can be learned dynamically
by means of a routing protocol (such as RIP or OSPF) or configured statically. It is
impractical to run a dynamic routing protocol on every terminal: most client operating systems
do not support dynamic routing, and even those that can be configured with a routing
protocol remain constrained by management overhead, convergence time, and security.
Usually, static routes are configured for IP terminals by specifying one or more default
gateways. Static routing simplifies network management and reduces the communication
communication in which the switch is used as the next-hop host will inevitably be interrupted. A
terminal will not switch to a new gateway, even if multiple default gateways are configured, until
it is restarted. Virtual Router Redundancy Protocol (VRRP) corrects this defect of static
routing.
VRRP introduces two pairs of concepts: VRRP switch and virtual switch, master switch and
backup switch. A VRRP switch is a real switch on which VRRP runs, while a virtual switch is a
logical switch created by VRRP. A group of VRRP switches forms a virtual switch, which is also
called a backup group. The virtual switch appears as a logical switch with a unique IP
address and MAC address. Switches in a VRRP group are classified into master switches and
backup switches. A VRRP group has only one master switch and one or more backup
switches. VRRP selects the master switch from the switch group. The master switch responds to
ARP requests and forwards IP packets, and the other switches stand by as backups. If the
master switch fails for any reason, a backup switch becomes the master within
several seconds. Such a switchover is completed very quickly without requiring you to change
The ip vrrp vrid vip command is used to assign an IP address on the local network segment to a
virtual switch (or backup group). The no form of this command is used to remove the
Description:
The backup group number ranges from 1 to 255. A virtual address can be an unassigned IP
address on the network segment where the backup group resides or the IP address of an
interface belonging to the backup group. A maximum of 255 backup groups can be configured.
The IP address of the switch itself can be configured; in this case the switch is known as the IP
address owner. When the first IP address is assigned to a backup group, VRRP creates the
backup group. Other virtual IP addresses configured for the backup group are only added to
its virtual IP address list. A backup group can be configured with at most eight IP
addresses. A backup group is deleted together with its last virtual IP address.
That is, the backup group no longer exists on the interface and all configurations of the backup
The master switch in a backup group is not replaced unless it fails, even if another
switch is later configured with a higher priority. However, if preemption is
enabled, a switch becomes the master switch if its priority is higher than that of the master
switch, and the original master switch becomes a backup switch accordingly. When
preemption is enabled, you can set a preemption delay; a backup switch then becomes
master only after the delay. A backup switch becomes the master switch if it does not receive a
packet from the original master switch. However, on a network with unstable performance, a
backup switch may fail to receive a packet because of congestion while the master switch is
still working properly. In this situation, the backup switch will receive a packet from the master
switch after waiting a short time, so frequent switchovers are avoided. The delay
The master switch sends VRRP packets within the VRRP backup group at the interval specified
by adver_interval to indicate that it is working properly. If a backup switch does not receive a
VRRP packet from the master switch within the period specified by
master_down_interval, it regards the master switch as faulty and changes its state to
Master.
You can modify the value of adver_interval by running a timer setting command. The value of
in the event of extremely large traffic or variance in timer settings between switches. To solve
this problem, you can set adver_interval to a greater value or modify the preemption delay.
The priority ranges from 0 to 255; a larger value indicates a higher priority.
Note: The priority of the IP address owner cannot be changed and is always 255.
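The timer and election rules described above can be checked numerically. The following is an added example, not code from this manual or the OLT: it implements master_down_interval and the preemption rule as specified in RFC 3768 (VRRPv2), which the description above follows, plus the manual's preemption delay. The VrrpRouter class and the router names and addresses are assumptions made for illustration.

```python
# Added example (not from the manual): VRRP master-down timer, master election and
# preemption rules per RFC 3768, applied to the adver_interval / master_down_interval /
# priority / preemption-delay parameters described above.
from dataclasses import dataclass
from ipaddress import IPv4Address


def master_down_interval(adver_interval: float, priority: int) -> float:
    """Seconds a backup waits without advertisements before declaring the master down.

    RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
    Skew_Time = (256 - Priority) / 256.  A higher-priority backup therefore
    times out first and wins the race when several backups exist.
    """
    if not 1 <= priority <= 255:
        raise ValueError("priority must be 1..255 (0 means the master is releasing the role)")
    return 3 * adver_interval + (256 - priority) / 256


@dataclass(frozen=True)
class VrrpRouter:             # assumed model for illustration
    name: str
    primary_ip: IPv4Address
    priority: int             # 1..254 configurable; 255 = IP address owner
    preempt: bool = True


def is_owner(r: VrrpRouter) -> bool:
    return r.priority == 255


def elect_master(routers: list[VrrpRouter]) -> VrrpRouter:
    """Highest priority wins; a tie is broken by the highest primary IP address."""
    return max(routers, key=lambda r: (r.priority, int(r.primary_ip)))


def backup_should_preempt(backup: VrrpRouter, master: VrrpRouter) -> bool:
    """Should `backup`, on hearing an advertisement from `master`, take over?

    Only if it ranks strictly higher and preemption is allowed.  The IP address
    owner always preempts, whatever the preempt setting (RFC 3768 section 6.1).
    """
    better = (backup.priority, int(backup.primary_ip)) > (master.priority, int(master.primary_ip))
    return better and (backup.preempt or is_owner(backup))


def takeover_delay(backup: VrrpRouter, adver_interval: float, preempt_delay: float = 0.0) -> float:
    """Worst-case seconds from the master going silent until `backup` becomes master:
    the master-down timer plus the configured preemption delay described above."""
    return master_down_interval(adver_interval, backup.priority) + preempt_delay
```

With equal priorities the higher primary IP address wins, and any host on the segment that advertises priority 255 (or simply a higher priority while preemption is enabled) is eligible to take over the virtual IP. Which switches are allowed to send VRRP packets on the segment therefore matters as much as the timer values.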
Chapter 47 DLF-Control
Unknown packets are classified into unknown unicast packets and unknown multicast packets.
Unknown unicast packets are packets whose destination MAC address cannot be found in the
MAC table.
Unknown multicast packets are packets whose destination MAC address cannot be found in the
Enable dlf-forward unicast: dlf-forward unicast (enabled by default)
Enable dlf-forward multicast: dlf-forward multicast (enabled by default)
Display the global dlf-forward control configuration: display dlf-forward global control
Chapter 48 SLF-Control
Whether the switch forwards packets with an unknown source MAC address must be planned by the
network administrator according to the security policy. By default, the switch forwards
packets with an unknown source MAC address. You can disable this forwarding with the
commands below. After the function is disabled, when the device receives a packet it checks
whether the source MAC address exists in the MAC table; if it does not, the packet is discarded,
that is, the switch only forwards
Generally, this function is used when the MAC address learning function is disabled or MAC
Disable slf-forward: undo slf-forward
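The interaction between the DLF settings of Chapter 47 and the SLF setting of this chapter is easiest to see as one forwarding decision. The following is an added example, not code from this manual or the OLT: a model switch that applies the slf-forward, dlf-forward unicast and dlf-forward multicast flags to each frame. The Switch class, the port range and the MAC addresses are assumptions constructed for illustration.

```python
# Added example (not from the manual): the forwarding decision a switch makes for one
# frame under the slf-forward / dlf-forward settings described in Chapters 47 and 48.
# The MAC table, ports and addresses are constructed; the model is an assumption.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """I/G bit of the first octet set (this includes broadcast)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Switch:
    mac_table: dict                       # MAC -> port (static or learned)
    learning: bool = True
    slf_forward: bool = True              # default: forward frames with unknown source MAC
    dlf_forward_unicast: bool = True      # default: flood unknown unicast
    dlf_forward_multicast: bool = True    # default: flood unknown multicast
    ports: frozenset = frozenset(range(1, 25))

    def forward(self, src: str, dst: str, in_port: int) -> set:
        """Return the set of egress ports; an empty set means the frame is dropped."""
        # SLF: with slf-forward disabled an unknown source MAC is discarded, so a
        # static MAC table (learning off) becomes a per-port source allowlist.
        if src not in self.mac_table:
            if not self.slf_forward:
                return set()
            if self.learning:
                self.mac_table[src] = in_port
        others = self.ports - {in_port}
        if dst == BROADCAST:
            return others
        if is_multicast(dst):
            # no snooping table in this model: unknown multicast floods or drops
            return others if self.dlf_forward_multicast else set()
        out = self.mac_table.get(dst)
        if out is None:
            return others if self.dlf_forward_unicast else set()   # DLF
        return set() if out == in_port else {out}                  # never back out the ingress port
```

Turning off dlf-forward unicast stops unknown-destination frames from being flooded to every other port, which is what lets an attacker on one port observe traffic for a station whose MAC entry has aged out; turning off slf-forward with learning disabled rejects any source the administrator did not provision.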
Chapter 49 BPDU-Discard
The BPDU-Discard function drops spanning tree messages (BPDUs). It is used when the device
should not accept BPDUs from other networks that could cause the spanning tree to flap.
The BPDU-Discard function is disabled by default. Global configuration and port configuration
are mutually exclusive: enabling it globally enables it on all ports. If you only need to enable it on
certain designated ports and not on the others, you need not configure it globally to
Disable BPDU-Discard: undo bpdu-discard (disabled by default)
Chapter 50 BPDU-Tunnel
L2TP (Layer 2 Tunneling Protocol, as this manual calls its Layer 2 protocol tunneling feature; it is unrelated to the PPP-based L2TP of RFC 2661) is a Layer 2 tunneling technology. L2TP enables Layer 2
With L2TP, Layer 2 protocol packets from customer networks can be transparently transmitted
1. After receiving a Layer 2 protocol packet from User A network 1, PE 1 in the service provider
network encapsulates the packet, replaces its destination MAC address with a specific
multicast MAC address, and then forwards the packet within the service provider network.
2. The encapsulated Layer 2 protocol packet (a bridge protocol data unit, BPDU for short)
is forwarded to PE 2 at the other end of the service provider network, which de-encapsulates
the packet, restores its original destination MAC address, and then sends the
After finishing the above configuration, you can check it with the command below.
Chapter 51 Local-Switch
Normally, packets that arrive on port A are not forwarded back out of port A by the switch. However, it
is sometimes required that packets arriving on port A are forwarded out of port A. In this
The device utilization alarm monitors port bandwidth and CPU occupation and raises an alarm
on congestion so that the administrator is aware of the running status of the network and the
device.
Exceed: when port bandwidth utilization rises above the "exceed" value, a congestion alarm is triggered.
Normal: when port bandwidth utilization falls below the "normal" value, a recovery alarm is triggered.
CPU utilization
Busy: when CPU utilization rises above the "busy" value, a CPU busy alarm is triggered.
Unbusy: when CPU utilization falls below the "busy" value, a CPU idle alarm is triggered.
Notes: all alarms will
Use the commands below to configure the port utilization alarm. Port utilization is enabled by default in system and port
mode. The "exceed" value defaults to 850M and the "normal" value to 600M.
Use the commands below to configure the CPU utilization alarm. CPU utilization is enabled by default. The
After finishing the above configuration, you can display it with the commands below.
ONU discovery refers to the process by which newly connected or previously offline ONUs access the PON.
Display the auto-discover list: display onu autofind [ slot slot_id mac mac ]
【Example】
Configure the authentication mode as MAC authentication. A MAC address configured in the whitelist can
register and come online normally, but a MAC address configured in the blacklist cannot register or come
online.
Delete offline ONUs: undo onu add { all | slot slot_id [ pon pon_id ] | onu_id }
[EPON-onu-0/2/1:1-port-0/1]shutdown
state, the port speed mode is full-duplex; in the non-auto-negotiation state, the port speed mode
is half-duplex.
[EPON-onu-0/2/1:1-port-0/1]speed auto
When flow control is enabled on an ONU port, if the receiving rate of the port is too high and the
port is congested, the ONU sends a flow control frame to notify the sender to slow
【Example】
[EPON-onu-0/2/1:1-port-0/1]flow-control
SN of Onu 0/2/1:3:
Vendor ID : MONU (HEX: 4d 4f 4e 55)
Model : V691 (HEX: 56 36 39 31)
OnuID(MAC) : 00:18:93:ed:69:94
HW : V5.2
SW : V1.0.1
Enter ONU mode: interface onu onu_id
Configure the ONU upstream bandwidth limit: bandwidth upstream fir fir cir cir pir pir weight weight
Configure the ONU downstream bandwidth limit: bandwidth downstream pir pir burst burst
Display the ONU bandwidth configuration: display onu bandwidth { downstream | upstream }
【Example】
[EPON-onu-0/2/1:1]mac-limit maximum 10
【Example】
[EPON-onu-0/2/1:1]laser shutdown 30
【Example】
[EPON-onu-0/2/1:1]catv disable
The OLT and ONU support VLAN tagging, VLAN transparent transmission, VLAN translation and
Tag mode: configure the VID value, and set the TPID and Pri of the tag to the default values
(TPID=0x8100, Pri=0).
Tag mode, downstream: the packet is forwarded to the corresponding port according to its VID and the tag is
stripped. If the VLAN ID of the downstream tagged packet is not equal to the VID configured on the port, the
packet is discarded.
Transparent mode, downstream: the Ethernet packet is forwarded without any change (the original VLAN
tag is retained).
Trunk mode, downstream: if the VLAN ID of the packet belongs to the "Allowed VLAN" list of the port, it is
forwarded downstream; if the VLAN ID of the packet is the default VLAN, it is forwarded downstream after
the VLAN tag is stripped; if the VLAN ID of the packet does not belong to the "Allowed VLAN" list of the
port, it is discarded.
Translation mode, downstream: if the VID of the original tag has a corresponding entry (equal to the entry's
output VID) in the VLAN translation list of the port, the VID is converted to the entry's input VID and the
packet is forwarded; if the VID of the tag is the default VID, the tag is stripped and the packet is forwarded;
if the VID has no corresponding entry in the VLAN translation list of the port, the packet is discarded.
Currently the device is only required to convert the VID; the TPID of the converted VLAN tag is set to the
default value (TPID=0x8100) and the Pri keeps its original value.
Aggregation mode, downstream: if the VLAN ID of the packet is equal to the "VLAN to be aggr." in a VLAN
aggregation table entry of the port, the VID is converted to the corresponding "aggregated VLAN" selected
by MAC address or CoS according to the table entry, and the packet is forwarded; if the VID of the original
tag is the default VID, the tag is stripped and the packet is forwarded; if the VLAN ID is neither equal to
"VLAN to be aggr." nor the default VLAN ID, the packet is discarded. The TPID of the converted VLAN tag
is set to the default value (TPID=0x8100) and the Pri keeps its original value.
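The downstream rules above decide, per VLAN mode, whether a frame leaves the UNI port tagged, untagged or not at all. The following is an added example, not code from this manual or the OLT: one function that applies those rules to a frame, with a small packet and port-configuration model that is an assumption for illustration. Two details are also assumptions: in trunk mode the default VLAN is checked before the allowed list (so a PVID that is also listed leaves untagged), and in aggregation mode a frame whose VID matches an entry but whose MAC/CoS selector does not is discarded.

```python
# Added example (not from the manual): a model of the ONU downstream VLAN handling
# rules described above, one branch per VLAN mode.  The Tagged / PortVlanConfig
# structures and the ordering of the trunk and aggregation checks are assumptions.
from dataclasses import dataclass, field
from typing import Optional

TPID_DEFAULT = 0x8100


@dataclass
class Tagged:
    """802.1Q tag of a downstream frame; vid None means the frame is untagged."""
    vid: Optional[int]
    pri: int = 0
    tpid: int = TPID_DEFAULT


@dataclass
class PortVlanConfig:
    mode: str                                       # tag | transparent | trunk | translation | aggregation
    pvid: Optional[int] = None                      # configured VID (tag) / default VID (others)
    allowed: set = field(default_factory=set)       # trunk: allowed VIDs
    translation: dict = field(default_factory=dict) # translation: output VID -> input VID
    aggregation: dict = field(default_factory=dict) # aggregation: vlan-to-aggr -> {selector: aggregated VID}


DISCARD = None


def downstream(frame: Tagged, cfg: PortVlanConfig, selector=None) -> Optional[Tagged]:
    """Return the frame as sent out of the UNI port, or None if it is discarded.

    `selector` is the MAC address or CoS value an aggregation entry keys on.
    """
    vid = frame.vid
    if cfg.mode == "transparent":
        return frame                                   # unchanged, tag retained
    if cfg.mode == "tag":
        # only the configured VID is accepted, and its tag is stripped
        return Tagged(None, frame.pri) if vid == cfg.pvid else DISCARD
    if cfg.mode == "trunk":
        if vid == cfg.pvid:                            # default VLAN leaves untagged (assumed checked first)
            return Tagged(None, frame.pri)
        if vid in cfg.allowed:                         # allowed VLANs leave tagged
            return frame
        return DISCARD
    if cfg.mode == "translation":
        if vid in cfg.translation:                     # output VID -> input VID; TPID reset, Pri kept
            return Tagged(cfg.translation[vid], frame.pri, TPID_DEFAULT)
        if vid == cfg.pvid:
            return Tagged(None, frame.pri)
        return DISCARD
    if cfg.mode == "aggregation":
        entry = cfg.aggregation.get(vid)
        if entry is not None and selector in entry:
            return Tagged(entry[selector], frame.pri, TPID_DEFAULT)
        if vid == cfg.pvid:
            return Tagged(None, frame.pri)
        return DISCARD
    raise ValueError(f"unknown VLAN mode {cfg.mode!r}")
```

The discard branches are the ones that matter for subscriber isolation: in tag, trunk and translation mode a frame carrying a VID the port was not provisioned for never reaches the UNI, whereas transparent mode forwards whatever VID arrives.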
Configure VLAN trunk mode: ctc vlan-mode trunk pvid vlan [ priority pri ]
Delete an ONU port VLAN entry: ctc vlan-mode trunk delete vlan vlan_list
In the EPON system, the SCB (single copy broadcast) method is used to distribute multicast
services, and either IGMP or the OAM-based controllable multicast method is used to
manage the members of multicast groups. In distributed IGMP mode, the OLT runs IGMP proxy
and the ONU runs IGMP snooping to manage the members of the multicast group; dynamic
joining, leaving and maintenance of group members is driven by IGMP Report/Leave and
IGMP Query messages. The EPON system realizes simple user multicast authority control
through the multicast VLAN configuration of the UNI port.
After the ONU receives an upstream IGMP Report message, it tags the message with a VLAN tag
that identifies the receiving port. The TPID of the VLAN tag is 0x8100, the CFI is 0, the Pri
is 0, and the VID is the port number of the Ethernet UNI port that received the
IGMP control message. If the IGMP Report message already carries a VLAN tag, its VID is replaced
with the VID that identifies the user port. For example, for Ethernet port 1, the ONU tags
the upstream IGMP control message received on the port with VID=1 and then
forwards it; for Ethernet port 10, the ONU tags the upstream IGMP control message
received on the port with VID=10 and then forwards it upstream; and so on. If the IGMP
control message arrives at the Ethernet port of the ONU already tagged (for example, when a
home gateway is attached to the Ethernet port and the home gateway has tagged the IGMP
control message), the ONU replaces its VID with the port number of that Ethernet UNI port.
The ONU then transparently transmits the IGMP Report message to the OLT. When configuring
controllable multicast, it is generally necessary to configure a multicast VLAN on the OLT PON port.
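The port-identifying tag described above can be reproduced on a raw Ethernet frame. The following is an added example, not code from this manual or the ONU firmware: it checks that a frame is an IPv4 IGMP packet (optionally already 802.1Q tagged), then inserts a tag with TPID 0x8100, Pri 0, CFI 0 and VID equal to the UNI port number, or overwrites only the VID of an existing tag. Field offsets follow IEEE 802.1Q and RFC 791; the sample Membership Report is constructed here, and keeping the existing Pri/CFI bits on an already-tagged frame is an assumption (the manual says only that the VID is replaced).

```python
# Added example (not from the manual): applying the ONU-side IGMP Report tagging rule
# (VID = UNI port number) to a raw Ethernet frame.  The sample frame is constructed.
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_IGMP = 2


def is_igmp(frame: bytes) -> bool:
    """True if the (optionally 802.1Q-tagged) frame carries an IPv4 IGMP packet."""
    off = 12
    etype = struct.unpack_from("!H", frame, off)[0]
    if etype == ETHERTYPE_VLAN:
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    if etype != ETHERTYPE_IPV4:
        return False
    ip = frame[off + 2:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    return ip[9] == IPPROTO_IGMP          # RFC 791 protocol field


def tag_upstream_igmp(frame: bytes, uni_port: int) -> bytes:
    """Tag an upstream IGMP control message with VID = UNI port number.

    Untagged frame: insert TPID 0x8100, Pri 0, CFI 0, VID = port.
    Already tagged (e.g. by a home gateway): overwrite only the VID (assumption:
    Pri/CFI bits are kept).  Non-IGMP frames are returned unchanged.
    """
    if not 1 <= uni_port <= 4094:
        raise ValueError("UNI port number must fit a VID (1..4094)")
    if not is_igmp(frame):
        return frame
    if struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_VLAN:
        tci = struct.unpack_from("!H", frame, 14)[0]
        tci = (tci & 0xF000) | uni_port                        # keep PCP (3 bits) + CFI (1 bit)
        return frame[:14] + struct.pack("!H", tci) + frame[16:]
    tag = struct.pack("!HH", ETHERTYPE_VLAN, uni_port)        # PCP 0, CFI 0, VID = port
    return frame[:12] + tag + frame[12:]


def vid_of(frame: bytes):
    """VID of a tagged frame, or None when the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_VLAN:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def sample_igmp_report(tci=None) -> bytes:
    """Constructed IGMPv2 Membership Report for 239.1.1.1 (checksums left zero; this
    example does not validate them).  `tci` adds an 802.1Q tag with that TCI value."""
    dst = bytes.fromhex("01005e010101")          # multicast MAC for 239.1.1.1
    src = bytes.fromhex("001893ed6994")          # ONU MAC shown in the manual's SN output
    ip = (bytes([0x45, 0xC0]) + struct.pack("!H", 28) + b"\x00\x00\x00\x00"
          + bytes([1, IPPROTO_IGMP]) + b"\x00\x00"
          + bytes([192, 168, 1, 10]) + bytes([239, 1, 1, 1]))
    igmp = bytes([0x16, 0x00, 0x00, 0x00]) + bytes([239, 1, 1, 1])
    tag = struct.pack("!HH", ETHERTYPE_VLAN, tci) if tci is not None else b""
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + igmp
```

Because the VID written here is chosen by the ONU from the physical port, not taken from the subscriber's frame, the OLT can trust it as the port identity when it applies the per-UNI multicast authority described above; a gateway that pre-tags its Reports cannot impersonate another port.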
Configure the maximum number of multicast preview groups: onu ctc multicast-control preview group-number
Configure the multicast control aging time: onu ctc multicast-control preview age-time
Configure the number of multicast: onu ctc multicast-control preview
Configure the interval between multicast previews: onu ctc multicast-control preview interval-time
Configure the duration of a multicast preview: onu ctc multicast-control preview duration-time
Configure the multicast preview period: onu ctc multicast-control preview perodic-time
【Example】
preview number : 20
!Upgrade ONU
ONU 0/2/5:1 ctc upgrade download done,do commit after onu reboot.
!Commit Operation
【Example】
[EPON-onu-0/2/1:1]stp loopback
ONU 0/2/1:1
01:54:38: %ONU-4-EVENT: onu ctc event : onu onu ctc event : onu n pow : onu port 3 loop on
The OLT supports Type B protection: two PON ports of the OLT, each with its own independent
PON MAC chip and optical module, protect each other. The protection can be between PON
ports on the same PON board of the OLT or between PON boards. To improve network
reliability and survivability, an optical link protection switching mechanism can be adopted in
the EPON system. Optical link
degradation;
The OLT configures an IP address for the ONU, and uses this IP address to remotely log in
The EPON system broadcasts in the downstream direction, so it is easy for a malicious user to
intercept the traffic of other users in the system. To improve the confidentiality of user data, the
downstream direction of the EPON system supports the stirring (encryption) function for each
LLID, and each LLID should have its own independent key. The OLT requests the key update,
the ONU provides a stirring key for the LLID, and
The stirring modes that can be configured include sw-aes-32 and sw-aes-48.
The OLT measures the average upstream optical power received from each ONU; in the range
-30 dBm to -10 dBm the measurement accuracy is within ±1 dB. When the upstream optical
power received by the OLT from an ONU is too low or too high, the OLT generates the
corresponding optical power over-limit alarm. The OLT supports optical link fault diagnosis
based on the measured upstream optical power of the ONUs under a PON interface. Fault
diagnosis analyzes whether indicators such as the attenuation of the optical link are normal
according to the optical power
Display ONU optical power: display onu opm all [ pon pon_id ]
Configure optical power alarm thresholds: opm-threshold { bias-high-alarm | bias-high-warning | bias-low-alarm | bias-low-warning | rx-high-alarm | rx-high-warning | rx-low-alarm | temp-high-warning | temp-low-alarm | temp-low-warning | tx-high-alarm | tx-high-warning | tx-low-alarm | tx-low-warning | voltage-high-alarm | voltage-high-warning | voltage-low-alarm | voltage-low-warning }
【Example】
[EPON-onu-0/2/1:1]opm-alarm enable
Temperature : 42 Celsius
Voltage : 3.31 V
!Configure the high optical power alarm; once it is turned on you will receive the high optical power alarm every 10 s
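The thresholds above are only useful if something compares them against the readings the OLT displays. The following is an added example, not code from this manual or the OLT: it parses "Name : value unit" lines of the kind shown in the opm output above, evaluates them against thresholds named as in the opm-threshold command (an alarm suppresses the matching warning), and flags readings outside the band in which the manual guarantees accuracy. The sample output beyond the Temperature and Voltage lines, and all threshold values, are constructed; the layout of the Bias, Tx Power and Rx Power lines is assumed to match the two lines the manual shows.

```python
# Added example (not from the manual): parse opm readings and check them against
# alarm/warning thresholds named like the opm-threshold keywords above.  The sample
# output lines other than Temperature/Voltage and every threshold value are constructed.
import re

LINE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?)\s*:\s*(?P<value>-?\d+(?:\.\d+)?)\s*(?P<unit>\S+)?\s*$")

# display name (lower-case) -> prefix used by the opm-threshold keywords
FIELDS = {"temperature": "temp", "voltage": "voltage", "bias": "bias",
          "tx power": "tx", "rx power": "rx"}


def parse_opm(text: str) -> dict:
    """Return {threshold prefix: float reading} for the recognised lines of an opm display."""
    readings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m["name"].strip().lower() in FIELDS:
            readings[FIELDS[m["name"].strip().lower()]] = float(m["value"])
    return readings


def evaluate(readings: dict, thresholds: dict) -> list:
    """Return the opm-threshold names that fire.  For one parameter and direction the
    alarm takes precedence: once it fires the corresponding warning is not also reported."""
    fired = []
    for field, value in readings.items():
        for direction, hit in (("high", lambda v, t: v >= t), ("low", lambda v, t: v <= t)):
            for level in ("alarm", "warning"):
                name = f"{field}-{direction}-{level}"
                if name in thresholds and hit(value, thresholds[name]):
                    fired.append(name)
                    break
    return fired


def rx_power_trustworthy(rx_dbm: float) -> bool:
    """The manual specifies +/-1 dB accuracy only between -30 and -10 dBm; treat readings
    outside that band as indicative, not as a precise link-budget measurement."""
    return -30.0 <= rx_dbm <= -10.0


SAMPLE_OUTPUT = """\
Temperature : 42 Celsius
Voltage : 3.31 V
Bias : 12.5 mA
Tx Power : 2.1 dBm
Rx Power : -28.7 dBm
"""

# constructed threshold set; only keywords the manual lists are used
SAMPLE_THRESHOLDS = {
    "temp-high-warning": 60.0, "temp-low-alarm": -10.0, "temp-low-warning": 0.0,
    "voltage-high-alarm": 3.6, "voltage-high-warning": 3.5,
    "voltage-low-alarm": 3.0, "voltage-low-warning": 3.1,
    "bias-high-alarm": 80.0, "bias-high-warning": 70.0,
    "bias-low-alarm": 2.0, "bias-low-warning": 4.0,
    "rx-high-alarm": -8.0, "rx-high-warning": -10.0, "rx-low-alarm": -28.0,
    "tx-high-alarm": 5.0, "tx-high-warning": 4.0, "tx-low-alarm": -3.0, "tx-low-warning": -2.0,
}
```

A sudden rise in an ONU's received power with no matching change in the others is as worth an alarm as a drop: the rogue-ONU behaviour described in the next section shows up first in the power readings, and rx-high thresholds are the only hook the opm-threshold command gives for it.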
Because PON uses time division multiplexing in the upstream direction, each ONU sends its
upstream data only in the time slot assigned to it by the OLT. If an ONU emits light when no
time slot has been assigned to it, it collides with the transmissions of the other ONUs. Such an
ONU, which does not transmit according to its assigned time slot, is called a rogue ONU. When
the OLT detects a rogue ONU, it turns off the laser of the rogue ONU.
The OLT classifies service flows based on the relevant parameters in the Ethernet frame
The parameters used for traffic classification include: LLID, MAC DA, MAC SA, User Priority
(IEEE 802.1D), EtherType, destination IPv4 address, source IPv4 address, destination IPv6
address, source IPv6 address, destination IPv6 address prefix, source IPv6 address prefix, IP
protocol version (v4, v6), IP protocol type (TCP, UDP, ICMPv4, ICMPv6, IGMP, MLD, etc.), IP
priority (DSCP), IP Flow Label (IPv6), destination L4 port, source L4 port, etc.
classification epon_id
【Example】
[EPON]epon classif
!Configure EPON downstream service flow classification: match the outer VLAN of the downstream service flow on EPON 0/2/1, in the range 100 to 200, and pop the outer VLAN
[EPON-classif]classif epon downstream 0/2/1 rule-id 1 permit rule or vlan top-vlan-range 100 200 action top-vlan pop
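The classification fields listed above and the top-vlan-range rule in this example describe the same mechanism: keys are extracted from each frame and an ordered rule list is searched for the first match, whose action is then applied. The following added example (not the manual's or the OLT's code) implements that for the IPv4 subset of the field list: it parses MAC DA/SA, the outer 802.1Q VLAN and user priority, EtherType, IPv4 addresses, protocol, DSCP and L4 ports, then applies first-match rules, including the "top-vlan pop" action from the example. The sample frame, the rule list and the helper names (parse_fields, classify, pop_top_vlan, apply) are constructed for this illustration.

```python
"""Classify frames on the fields the OLT uses for service-flow classification.

Added example (not OLT code). The frame builder, rule list and function names
are constructed here; the match/action vocabulary follows the manual's example
(top-vlan-range 100 200, action top-vlan pop).
"""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ETH_8021Q = 0x8100
ETH_IPV4 = 0x0800

Fields = Dict[str, object]


def parse_fields(frame: bytes) -> Fields:
    """Extract classification keys from a raw Ethernet frame (IPv4 only in this example)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    f: Fields = {"mac_da": frame[0:6].hex(":"), "mac_sa": frame[6:12].hex(":")}
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    if ethertype == ETH_8021Q:
        # Outer tag: TCI = PCP(3) | DEI(1) | VID(12). The PCP is the 802.1D user priority.
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        f["top_vlan"] = tci & 0x0FFF
        f["user_priority"] = tci >> 13
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    f["ethertype"] = ethertype
    offset += 2
    if ethertype == ETH_IPV4 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4
        f["ip_version"] = 4
        f["dscp"] = frame[offset + 1] >> 2          # upper six bits of the TOS byte
        f["ip_proto"] = frame[offset + 9]
        f["src_ip"] = ".".join(str(b) for b in frame[offset + 12:offset + 16])
        f["dst_ip"] = ".".join(str(b) for b in frame[offset + 16:offset + 20])
        l4 = offset + ihl
        if f["ip_proto"] in (6, 17) and len(frame) >= l4 + 4:  # TCP or UDP ports
            f["src_port"], f["dst_port"] = struct.unpack_from("!HH", frame, l4)
    return f


@dataclass(frozen=True)
class Rule:
    rule_id: int
    match: Callable[[Fields], bool]
    action: str  # e.g. "top-vlan pop" or "queue 1"


def top_vlan_in_range(lo: int, hi: int) -> Callable[[Fields], bool]:
    """Predicate for the manual's 'top-vlan-range lo hi' match; untagged frames never match."""
    return lambda f: "top_vlan" in f and lo <= int(f["top_vlan"]) <= hi


def classify(frame: bytes, rules: List[Rule]) -> Optional[Rule]:
    """Return the first rule in list order whose predicate holds, or None if nothing matches."""
    fields = parse_fields(frame)
    for rule in rules:
        if rule.match(fields):
            return rule
    return None


def pop_top_vlan(frame: bytes) -> bytes:
    """Remove the outer 802.1Q tag (the 'action top-vlan pop' of the example); no-op if untagged."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != ETH_8021Q:
        return frame
    return frame[:12] + frame[16:]


def apply(frame: bytes, rules: List[Rule]) -> Tuple[Optional[Rule], bytes]:
    """Classify the frame and apply its rule's action; unmatched frames are returned untouched."""
    rule = classify(frame, rules)
    if rule is not None and rule.action == "top-vlan pop":
        return rule, pop_top_vlan(frame)
    return rule, frame


def build_ipv4_tcp_frame(vlan: int, pcp: int, dscp: int, src_ip: str, dst_ip: str,
                         sport: int, dport: int) -> bytes:
    """Construct a minimal tagged IPv4/TCP frame for testing (constructed data, no checksums)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", ETH_8021Q, (pcp << 13) | vlan)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 40, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + tag + struct.pack("!H", ETH_IPV4) + ip + tcp


# Constructed rule list: rule 1 is the manual's example, rule 2 is a hypothetical DSCP rule.
RULES: List[Rule] = [
    Rule(1, top_vlan_in_range(100, 200), "top-vlan pop"),
    Rule(2, lambda f: f.get("dscp") == 46, "queue 1"),
]


if __name__ == "__main__":
    frame = build_ipv4_tcp_frame(150, 2, 0, "10.0.0.1", "192.0.2.9", 40000, 443)
    rule, out = apply(frame, RULES)
    print("matched rule:", rule.rule_id if rule else None, "-> frame length", len(frame), "->", len(out))
```

Two points carry over to the real device. Matching is first-match in rule order, so overlapping rules must be ordered deliberately, and a frame that matches nothing is returned by classify as None: the caller decides what happens to it, and on an OLT that default (forward unchanged, drop, or a catch-all rule) should be configured explicitly rather than left implicit.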
mode
top-inner-vlan | top-vlan }
mode
based on ONU
configuration mode
source-port | vlan }
Display ONU classification    display onu classification
【Example】
!Configure ONU classification, add priority 2 to the upstream of VLAN 100, and put it in queue 1
An ONU profile can be applied in batches to ONUs of the same model or on the same PON port, which reduces the workload of configuring each ONU manually. The matched ONU delivers
mode
port_id }
Configure ONU port outbound rate limit    rate-limit outbound cir cir pir pir [ port port_id ]
Configure ONU port inbound rate-limit inbound cir cir cbs cbs ebs ebs port
fixed-bandwidth bandwidth
Configure VLAN increment based on port    ctc vlan-mode tag { base | step } vlan vlan [ priority pri port num ]    (the base vlan and the step vlan need to be configured at the same time)
Configure ONU upstream bandwidth    bandwidth upstream fir fir cir cir pir pir weight weight
top-vlan }
increment vlan
【Example】
[EPON]line-profile 1
!Configure the line profile: the VLAN is incremented based on the ONU port, with a step of 1
configuration mode
Configure match rule match { slot num [ pon pon_id ] | mac start_mac
【Example】
[EPON]rule-profile 1
[EPON-profile-rule-1]commit
onu 0/2/1:1 :
configuration mode
mode snooping }
Configure multicast fast leave    ctc multicast fastleave { enable | disable }
Configure multicast group limit    ctc multicast group-limit num [ port port_id ]
Configure multicast VLAN    ctc multicast vlan vlan_list [ port port_id ]
Configure VLAN increment based on port    ctc vlan-mode tag { base | step } vlan vlan [ priority pri port num ]
Configure ONU upstream bandwidth    bandwidth upstream fir fir cir cir pir pir weight weight
Configure ONU bandwidth
Configure outer VLAN increment    vlan-swap onu domain-id id step egress-vlan vlan
Activate unique configuration    unique-cfg
【Example】
[EPON-profile-onu-0/2/1:1]commit
[EPON-onu-0/2/1:1]display onu-profile
profile onu-0/1/1
commit