Commissioning and Configuration Guide (V800R010C00 - 01)


SmartAX MA5600T Multi-service Access Module

V800R010C00

Commissioning and Configuration Guide

Issue: 01

Date: 2012-01-18

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 01 (2012-01-18)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.


About This Document


Intended Audience
This document describes the commissioning of the basic functions provided by the device in
terms of hardware, software, interconnection, and maintenance and management to ensure that
the device runs in a stable and reliable state. This document describes the configuration
procedures of various services supported by the MA5600T in terms of configuration method
and configuration example.
This document helps you learn the commissioning flows, commissioning methods, and
configuration procedures of various services of the MA5600T.
This document is intended for:
- Installation and commissioning engineers
- System maintenance engineers
- Data configuration engineers

Symbol Conventions
The following symbols may be found in this document. They are defined as follows:

- Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.
- Indicates a potentially hazardous situation that, if not avoided, could cause equipment damage, data loss, and performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save your time.
- Provides additional information to emphasize or supplement important points of the main text.

Command Conventions
- Boldface: The keywords of a command line are in boldface.
- Italic: Command arguments are in italics.
- [ ]: Items (keywords or arguments) in square brackets [ ] are optional.
- { x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
- [ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
- { x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.

GUI Conventions
- Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
- >: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Updates in Issue 01 (2012-01-18)


This document is the first release.


Contents
About This Document
1 Commissioning
1.1 Commissioning Introduction
1.1.1 Commissioning Definition
1.1.2 Commissioning Procedure
1.2 Commissioning Preparations
1.2.1 Checking Hardware
1.2.2 Preparing Software
1.2.3 Preparing Tools
1.2.4 Planning Data
1.3 Stand-Alone Commissioning
1.3.1 Powering On the Indoor Device
1.3.2 Checking the Power Supply of the Power Board
1.3.3 Configuring the Maintenance Terminal
1.3.4 Logging In to the System
1.3.5 Checking the Software Version
1.3.6 Loading the Script
1.3.7 Configuring a Board
1.3.8 Modifying the Reserved VLANs
1.3.9 Configuring Link Aggregation and Switching
1.3.10 Checking the Status of the Service Port
1.3.11 Checking the Status of the Upstream Port
1.3.12 Changing the System Name
1.3.13 Configuring a System User
1.3.14 Configuring the System Time
1.3.15 Commissioning the EMU
1.3.16 Configuring the RADIUS server
1.3.17 Configuring the System Energy-Saving Function
1.3.18 Checking the Configuration of the Auto-Save Function
1.3.19 Saving the Data
1.3.20 Backing Up System Files
1.4 Interconnection Commissioning
1.4.1 Commissioning the Interconnection with the NMS
1.4.2 Commissioning the Interconnection with the Router
1.4.3 Commissioning the Management Channel Between the OLT and the GPON MDU
1.4.4 Commissioning the Management Channel Between the OLT and the EPON MDU
1.4.5 Commissioning the Management Channel Between the OLT and the GPON ONT
1.4.6 Commissioning the Management Channel Between the OLT and the EPON ONT
1.5 Maintenance and Management Commissioning
1.5.1 Checking the System Switchover
1.5.2 Checking Alarms and Events
1.5.3 Configuring a Log Host
1.6 Supplementary Information
1.6.1 Making a Script
1.6.2 Configuring the File Transfer Mode
1.6.3 Software Package Settings

2 Basic Configurations
2.1 Configuring the License Function
2.2 Configuring Alarms
2.3 Configuring the Network Time
2.3.1 (Optional) Configuring NTP Authentication
2.3.2 Configuring the NTP Broadcast Mode
2.3.3 Configuring the NTP Multicast Mode
2.3.4 Configuring the Unicast NTP Client
2.3.5 Configuring the NTP Peer
2.4 Adding Port Description
2.5 Configuring the Attributes of an Upstream Ethernet Port
2.6 Configuring a VLAN
2.7 Configuring a VLAN Service Profile
2.8 Configuring the User Security
2.8.1 Configuring Anti-Theft and Roaming of User Account Through PITP
2.8.2 Configuring Anti-Theft and Roaming of User Accounts Through DHCP
2.8.3 Configuring Anti-IP Spoofing
2.8.4 Configuring Anti-MAC Spoofing
2.9 Configuring System Security
2.9.1 Configuring Firewall
2.9.2 Configuring Anti-Attack
2.9.3 Preventing the Access of Illegal Users
2.10 Configuring the ACL
2.10.1 Filtering Packets by a Basic ACL
2.10.2 Filtering Packets by an Advanced ACL
2.10.3 Filtering Packets by a Link-layer ACL
2.10.4 Filtering Packets by a User-defined ACL
2.11 Configuring QoS
2.11.1 Configuring Traffic Management
2.11.2 Configuring Early Drop
2.11.3 Configuring the Queue Scheduling
2.11.4 Configuring Traffic Management Based on ACL Rules
2.12 Configuring AAA
2.12.1 Configuring the Local AAA
2.12.2 Configuring the Remote AAA (RADIUS Protocol)
2.12.3 Configuration Example of the RADIUS Authentication and Accounting
2.12.4 Configuring the Remote AAA (HWTACACS Protocol)
2.12.5 Configuration Example of the HWTACACS Authentication (802.1X access user)
2.12.6 Configuration Example of HWTACACS Authentication (Management User)
2.13 Configuring ANCP

3 Configuring L3 Features
3.1 Configuring ARP Proxy for Interworking
3.2 Configuring DHCP
3.2.1 Configuring the Standard DHCP Mode
3.2.2 Configuring the DHCP Option60 Mode
3.2.3 Configuring the DHCP MAC Address Segment Mode
3.3 Configuring the Route
3.3.1 Configuration Example of the Routing Policy
3.3.2 Configuration Example of the Static Route
3.3.3 Configuration Example of RIP
3.3.4 Configuration Example of OSPF

4 Configuring the GPON Internet Access Service
4.1 Configuring xPON Profiles
4.1.1 Configuring a DBA Profile
4.1.2 Configuring a GPON ONT Line Profile
4.1.3 Configuring a GPON ONT Service Profile
4.1.4 Configuring a GPON ONT Alarm Profile
4.2 Configuring a VLAN
4.3 Configuring an Upstream Port
4.4 Configuring a GPON ONT
4.5 Configuring a GPON Port
4.6 Creating a GPON Service Port

5 Configuring the EPON Internet Access Service
5.1 Configuring an EPON ONT Profile
5.1.1 Configuring a DBA Profile
5.1.2 Configuring an EPON ONT Line Profile
5.1.3 Configuring an EPON ONT Service Profile
5.2 Configuring a VLAN
5.3 Configuring an Upstream Port
5.4 Configure the EPON ONT
5.5 Configuring an EPON User Port
5.6 Creating an EPON Service Port

6 Configuring the Multicast Service (PON)
6.1 Configuring Multicast Global Parameters
6.2 Configuring the Multicast VLAN and the Multicast Program
6.3 Configuring the Multicast EPON ONT
6.4 Configuring the Multicast GPON ONT
6.5 Configuring a Multicast User
6.6 (Optional) Configuring the Multicast Bandwidth
6.7 (Optional) Configuring Multicast Preview
6.8 (Optional) Configuring Program Prejoin
6.9 (Optional) Configuring the Multicast Logging Function

7 Configuring MPLS and PWE3
7.1 Configuring the MPLS Service
7.1.1 Configuring the Static LSP
7.1.2 Configuring the LDP LSP
7.1.3 Configure an RSVP-TE LSP
7.1.4 Configuring the MPLS OAM
7.2 Configuring the PWE3 Private Line Service
7.2.1 Configuring the PWE3 Outer Tunnel
7.2.2 Configuring the Tunnel Policy
7.2.3 Configuring the PWE3 Inner PW
7.2.4 Binding the Service to the PW
7.2.5 Configuring MPLS Tunnel Protection
7.3 Configuring TDM PWE3 Private Line Service (T1 Upstream Transmission)

8 Configuring Network Protection
8.1 Configuring the NE Subtending Through the FE or GE Port
8.2 Configuring the Uplink Redundancy Backup
8.3 Configuring the Smart Link Redundancy Backup
8.4 Configuring the MPLS Service Board Redundancy Backup
8.5 Configuring GPON Type B Protection
8.6 Configuring EPON Type B Protection
8.7 Configuring the Switchover of the Protect Group
8.8 Configuring the MSTP
8.9 Configuring RRPP
8.10 Configuring the BFD
8.10.1 Configuration Example of the BFD Link Detection (Static Route)
8.10.2 Configuration Example of the BFD Link Detection (Dynamic Route)
8.11 Configuring ETH OAM
8.11.1 Configuring Ethernet CFM OAM
8.11.2 Configuring Ethernet EFM OAM
9 Configuration Example of the FTTH Service
9.1 FTTH Network
9.2 FTTH Data Plan (GPON Access)
9.3 Configuring the FTTH Internet Access Service
9.4 Configuring the FTTH VoIP Service (SIP-based)
9.5 Configuring the FTTH IPTV Service

10 FAQ
10.1 How to Query the MAC Addresses of the Online Users and the Ports That Provide the Access for the Users in the MA5600T
10.2 How to Resolve the Issue of Unsuccessful Traffic Stream Configuration
10.3 How to Calculate the Remaining Bandwidth of a PON Port on the MA5600T
10.4 How to Change the Management IP Address and VLAN Remotely
10.5 How to Change the Rate of the User Port in a PON System
10.6 How to Realize the Communication Between Users on the Same Board
10.7 How to Select the Matched Hardware for Expanding the Bandwidth of the Upstream Port
10.8 How to Confirm an Upgraded Board

1 Commissioning

About This Chapter


This document describes the commissioning of the basic functions provided by the device in
terms of hardware, software, interconnection, and maintenance and management to ensure that
the device runs in a stable and reliable state.
1.1 Commissioning Introduction
This topic describes the commissioning definition and procedure.
1.2 Commissioning Preparations
This topic describes the hardware, software, and tool preparations for the commissioning.
1.3 Stand-Alone Commissioning
After the hardware installation, a stand-alone MA5600T should be commissioned to ensure that
the stand-alone MA5600T works in the normal state.
1.4 Interconnection Commissioning
The MA5600T provides multiple interfaces for interconnection. This topic describes the
interconnection commissioning of the MA5600T.
1.5 Maintenance and Management Commissioning
To ensure the stability of the MA5600T, you need to verify the maintainability and reliability
of the device after completing the stand-alone commissioning and interconnection
commissioning.
1.6 Supplementary Information
This topic provides the commissioning supplementary information, including script making,
transmission mode setting, and default software settings.

1.1 Commissioning Introduction


This topic describes the commissioning definition and procedure.

1.1.1 Commissioning Definition


Commissioning refers to the stand-alone commissioning, the interconnection commissioning,
and the maintenance and management commissioning after the hardware installation. This
ensures that the device works in the normal state according to the design specifications.

1.1.2 Commissioning Procedure


This topic describes the procedure for commissioning the device.

Flowchart
Perform the commissioning according to the flowchart.
Figure 1-1 shows the commissioning procedure.
Figure 1-1 Commissioning procedure

Commissioning Item
The commissioning items in the commissioning procedure are described as follows:
Commissioning Preparations
This topic describes the hardware, software, and tool preparations for the commissioning.
Stand-Alone Commissioning
After the hardware installation, a stand-alone MA5600T should be commissioned to ensure that
the stand-alone MA5600T works in the normal state.
Interconnection Commissioning
The MA5600T provides multiple interfaces for interconnection. This topic describes the
interconnection commissioning of the MA5600T.
Maintenance and Management Commissioning
To ensure the stability of the MA5600T, you need to verify the maintainability and reliability
of the device after completing the stand-alone commissioning and interconnection
commissioning.

1.2 Commissioning Preparations


This topic describes the hardware, software, and tool preparations for the commissioning.

1.2.1 Checking Hardware


This topic describes how to prepare the hardware required before the commissioning. This
facilitates the subsequent commissioning.

Context
Table 1-1 lists the hardware to be checked before the commissioning.
Table 1-1 Hardware checklist
SN | Item | Description
1 | Power supply and grounding | Ensure that the power cable and the grounding meet the following requirements:
- The power cable and the ground cable are connected properly and are in good contact.
- The labels of the power cable, ground cable, and power distribution switch are correct, legible and complete.
- The connectors of the external ground cables and protection ground cables of the cabinet are connected properly, without any damage.
- The power supply for the device is in the normal state.
2 | Cables and connectors | Check the local maintenance serial port cable, network cable, optical fiber, subscriber cable, and connectors, and ensure that they meet the following requirements:
- The connectors are tight and firm.
- The cable jacket is intact.
- Cable labels are legible.
- Cables are bundled properly.
3 | Upper-layer device | Ensure that the upper-layer device meets the following requirements:
- The position of the interconnection port of the upper-layer device is correct.
- The upper-layer device works in the normal state and can be used for the commissioning.
4 | Board (daughter board) | The board (daughter board) selected should meet the requirements for the external ports.
NOTE: Different boards (daughter boards) provide different external ports. For details about the boards and their external ports on the MA5600T, see Board Overview of the MA5600T Hardware Description.

1.2.2 Preparing Software


This topic describes how to prepare the software required before the commissioning. This
facilitates the subsequent commissioning.
Table 1-2 shows the software checklist before the commissioning.
Table 1-2 Software checklist
SN | Item | Description
1 | Software package | Ensure that files in the software package for the commissioning are complete and the software version is correct.
2 | Software commissioning tools | Ensure that all the commissioning tools are available. The common commissioning tools are as follows:
- HyperTerminal (provided by the Windows OS): used for logging in to the MA5600T using the CLI.
- TFTP, SFTP, and FTP tools: used for loading software. They can be downloaded from http://support.huawei.com.
- Client software key generator Puttygen.exe, client software key convertor sshkey.exe and SSH client software putty.exe: used for logging in to the MA5600T through SSH.

1.2.3 Preparing Tools


This topic describes how to prepare the tools required before the commissioning. This facilitates
the subsequent commissioning.
Table 1-3 lists the tools to be prepared for the commissioning.
Table 1-3 Tool checklist
SN | Item | Description | Remarks
1 | Cables | One RS-232 serial port cable (one end with an RJ-45 connector used to connect to the board and the other end with a DB-9 or DB-25 female connector used to connect to the maintenance terminal) | Used to connect the maintenance terminal to the MA5600T for maintenance using the serial port.
  |  | One crossover cable | Used to connect the maintenance terminal to the MA5600T for maintenance through telnet.
  |  | Some optical fibers and patch cords with different connectors | Used for the upstream transmission and optical power test.
2 | Maintenance terminal | One maintenance terminal configured with a HyperTerminal application, such as a laptop | Used to log in to the MA5600T to commission the MA5600T.
3 | Auxiliary device and meter | One optical power meter | Used to test the mean launched power and the input optical power of an optical port.
  |  | One optical attenuator | Used to attenuate the input optical signal. It is used to protect the optical port from being damaged by intense optical signals during the device commissioning.
  |  | One multimeter | Used to measure the voltage, resistance and current intensity during the power commissioning.
  |  | One optical multiplexer/demultiplexer | Used to test the input optical power of a single-fiber bidirectional optical port. It is a meter with the multiplexing and demultiplexing functions.
  |  | One data network performance analyzer | Used to test the input optical power. It is used to transmit data to simulate the networking environment.

1.2.4 Planning Data


This topic describes the information to be collected about the hardware configuration,
networking, and data plan before the commissioning based on the engineering document. This
facilitates the data configuration.
Table 1-4 lists the data collected for the commissioning.
Table 1-4 Data checklist
SN | Item | Description
1 | Hardware configuration | This includes but is not limited to the following:
- Types and slot distribution of the control board and service boards
- Types and physical positions of the upstream ports and the service ports
2 | Networking and data plan | This includes but is not limited to the following:
- Networking mode
- IP address assignment
- VLAN planning

NOTE
- A commissioning script can be made based on the actual networking and the data plan. For how to make a script, see 1.6.1 Making a Script.
- For details about the default settings of the main software on the MA5600T, see 1.6.3 Software Package Settings.

1.3 Stand-Alone Commissioning


After the hardware installation, a stand-alone MA5600T should be commissioned to ensure that
the stand-alone MA5600T works in the normal state.

1.3.1 Powering On the Indoor Device


This topic describes how to power on the indoor device to ensure that all the boards can be
normally powered on.

Prerequisites
The after-installation check and the power-on check must be performed on the device.

Context

CAUTION
Inserting or removing boards is prohibited during startup.

Procedure
Step 1 Connect the input power supply of the DC PDU.
Step 2 Turn on the output control switch of the DC PDU.
----End

Result
The device can be normally powered on, and the RUN LEDs on the boards are on for 1s and off
for 1s repeatedly.

1.3.2 Checking the Power Supply of the Power Board


This topic describes how to check the redundancy backup function of the power boards.

Prerequisites
The two power boards configured must work in the normal state.

Context
In the normal state, the two power boards work in the load balancing mode and provide power
for all the service boards in the shelf. When one power board is faulty, the other power board
provides power for all the service boards in the shelf.
When checking the power supply of the power board, pay attention to the following points:
- Wear an ESD wrist strap during the operation.
- Turn off the -48 V input switch on the PDU that corresponds to the power board before replacing the board. In addition, when the board is powered on, do not remove or insert the power connector.
- If one power board is faulty, replace the board in time to prevent the shelf from working for a long time when only one power board supplies power.

Procedure
Step 1 Turn off the switch on the PDU that corresponds to one power board, and check the power supply
for the service board.
Step 2 Turn on the switch again.
Step 3 Repeat steps 1 and 2 to check the other power board.
----End

Result
The boards in the shelf work in the normal state after the switch on the PDU that corresponds
to either power board is turned off, that is, the RUN LED on the board is on for 1s and off for
1s repeatedly.

1.3.3 Configuring the Maintenance Terminal


During the commissioning, you need to maintain the device using the maintenance terminal.
This topic describes how to start the maintenance terminal and configure the IP address of the
maintenance terminal to meet the commissioning requirements.

Starting the Maintenance Terminal


This topic describes how to start the maintenance terminal to prepare for the subsequent
commissioning.

Context
A maintenance terminal is usually a laptop with a HyperTerminal application installed.

Procedure
Step 1 Power on the maintenance terminal. The Windows OS starts automatically, and the Log In dialog
box is displayed.
Step 2 (Optional) If the user name and the password are required, input the user name and the password
of the administrator in the Log In dialog box.
Step 3 Click OK to enter the Windows OS.
----End

Result
The maintenance terminal runs in the normal state.

Configuring the IP Address of the Maintenance Terminal


This topic describes how to configure the IP address of the maintenance terminal to ensure that
you can log in to the MA5600T in the telnet or SSH mode using the maintenance terminal.

Prerequisites
The maintenance terminal must be started.

Procedure
Step 1 Right-click My Network Places and choose Properties. The Network Connections window
is displayed.
Step 2 In the Network Connections window, right-click Local Area Connection, and choose
Properties. The Local Area Connection Properties dialog box is displayed.
Step 3 Click the General tab, and then select Internet Protocol (TCP/IP) in Components checked
are used by this connection, as shown in the following figure.
Figure 1-2 Configure the local area connection properties

Step 4 Click Properties to display the Internet Protocol (TCP/IP) Properties dialog box.
Step 5 Click General, and then select Use the following IP address: to configure the IP address and
the subnet mask, as shown in the following figure.

Figure 1-3 Configure the IP address and the subnet mask

NOTE

The IP address of the maintenance terminal and the IP address of the maintenance Ethernet port of the
device must be in the same network segment.

Step 6 Click OK to return to the Local Area Connection Properties dialog box.
Step 7 Click OK.
----End

Result
The IP address of the maintenance terminal and the IP address of the maintenance Ethernet port
of the device are in the same network segment.
NOTE

By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2,
and the subnet mask is 255.255.255.0.

1.3.4 Logging In to the System


You must log in to the MA5600T before commissioning the MA5600T using the maintenance
terminal. The following describes three login modes, namely, local serial port mode, telnet mode,
and SSH mode.

Login Through the Local Serial Port


When you need to maintain and manage the MA5600T locally, you can log in to the system
using the local serial port.

Prerequisites
- A maintenance terminal (generally a laptop configured with a HyperTerminal application) must be available.
- An RS-232 serial port cable (one end with an RJ-45 connector and the other end with a DB-9 or DB-25 female connector) must be available.

Network Topology
Figure 1-4 shows the networking for logging in to the MA5600T using the local serial port.
Figure 1-4 Logging in to the MA5600T using the local serial port

Flowchart
Figure 1-5 shows the flowchart for logging in to the system using the local serial port.

Figure 1-5 Flowchart for logging in to the system using the local serial port

Procedure
Step 1 Connect the serial port cable.
Use an RS-232 serial port cable to connect a serial port of the PC to the CON port of the SCU
control board, as shown in Figure 1-4.
Step 2 Set the HyperTerminal communication parameters.
1. Set up a connection.
Click Start. Choose All Programs > Accessories > Communications > HyperTerminal to display the Connection Description dialog box. Input the connection name, and click OK, as shown in the following figure.

2. Set the serial port.
Select the serial port that is connected to the MA5600T. You can select COM1 or COM2 (here, use COM2 as an example), and click OK, as shown in the following figure.

3. Set the HyperTerminal communication parameters. For details, see the following figure.

NOTE
- The baud rate of the HyperTerminal must be the same as the baud rate of the serial port on the MA5600T. By default, the baud rate of the serial port is 9600 bit/s.
- If illegible characters are displayed on the HyperTerminal interface after you log in to the system, it is generally because the baud rate of the HyperTerminal is different from the baud rate of the MA5600T. In this case, set the HyperTerminal to the same baud rate as the MA5600T and log in again. The system supports the baud rates of 9600 bit/s, 19200 bit/s, 38400 bit/s, 57600 bit/s, and 115200 bit/s.

4. Click OK to display the HyperTerminal interface.

Step 3 (Optional) Set the properties of the HyperTerminal.

1. Set the emulation type of the HyperTerminal.
Choose File > Properties on the HyperTerminal interface. In the dialog box that is displayed, click the Settings tab, and set Emulation to VT100 or Auto Detect, as shown in the following figure. It is Auto Detect by default.

2. Set the line delay and the character delay of the ASCII code.
Click ASCII Setup. In the dialog box that is displayed, set Line delay to 200 and Character delay to 300, and then click OK, as shown in the following figure. By default, Line delay is 0, and Character delay is 0.

NOTE
When you paste text to the HyperTerminal, the character delay controls the character transmit speed, and the line delay controls the interval between transmitted lines. If a delay is too short, characters are lost. When the pasted text is displayed abnormally, modify the delay.

----End

Result
On the HyperTerminal interface, press Enter, and the system prompts you to input the user
name. Input the registered user name and password (by default, the super user name
is root and the password is admin), and wait until the CLI prompt character is displayed.
If the login fails, click [icon] and then click [icon] on the operation interface. If the login still fails,
return to step 1 to check the parameter settings and the physical connections, and then try again.

Login Through Telnet (Outband Management)


This topic describes how to log in to the MA5600T using the local maintenance Ethernet port
(outband management port) in the telnet mode to maintain and manage the MA5600T.

Prerequisites
Engineers are logged in to the MA5600T by using the local serial port or the ETH port.
NOTE

The default IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2,
and the subnet mask is 255.255.255.0.

- For details about how to log in to the MA5600T by using the local serial port, see Login Through the Local Serial Port.
- For details about how to log in to the MA5600T by using the ETH port, see the following:
  - Configure the IP address of the PC that is used for logging in to the MA5600T. This IP address is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, configure the IP address to 10.11.104.6.
  - After logging in to the MA5600T, in the MEth mode, run the ip address command to change the IP address of the device to 10.50.1.10/24.
  - Change the IP address of the PC so that it is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, change the IP address of the PC to 10.50.1.11/24.

Network Topology
Figure 1-6 shows an example network for outband management through telnet in a LAN, and
Figure 1-7 shows an example network for outband management through telnet in a WAN.

Figure 1-6 Example network for outband management through telnet in a LAN

NOTE

The MA5600T is connected to the LAN using a straight-through cable, and the IP address of the maintenance
Ethernet port of the MA5600T is in the same network segment as the IP address of the maintenance terminal.
Alternatively, the Ethernet port of the maintenance terminal can be directly connected to the maintenance
Ethernet port of the MA5600T to manage the MA5600T in the outband management mode. In this
case, a crossover cable must be used.

Figure 1-7 Network example for outband management through telnet in a WAN

Data Plan
Table 1-5 and Table 1-6 provide the data plan for the outband management through telnet in a
LAN and in a WAN respectively.
Table 1-5 Data plan for the outband management through telnet in a LAN
Item | Data
Maintenance Ethernet port of the MA5600T | IP address: 10.50.1.10/24. NOTE: By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.
Maintenance terminal | IP address: 10.50.1.20/24 (in the same subnet as the IP address of the maintenance Ethernet port)

Table 1-6 Data plan for the outband management through telnet in a WAN
Item | Data
Maintenance Ethernet port of the MA5600T | IP address: 10.50.1.10/24. NOTE: By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.
Maintenance terminal | IP address: 10.10.1.10/24
Router port connecting to the MA5600T | IP address: 10.50.1.1/24

Flowchart
Figure 1-8 shows the flowchart for logging in to the MA5600T through telnet (outband
management).
Figure 1-8 Flowchart for logging in to the MA5600T through telnet (outband management)

Procedure
Step 1 Set up the network environment.
- If you log in to the MA5600T in the LAN outband management mode through telnet, set up a network environment according to Figure 1-6.
- If you log in to the MA5600T in the WAN outband management mode through telnet, set up a network environment according to Figure 1-7.

Step 2 Configure the IP address of the maintenance Ethernet port.


In the MEth mode, run the ip address command to configure the IP address of the maintenance
Ethernet port.
huawei(config)#interface meth 0
huawei(config-if-meth0)#ip address 10.50.1.10 24

Step 3 Add a route for the outband management.
- If the network environment is set up as shown in Figure 1-6, you need not add a route.
- If the network environment is set up as shown in Figure 1-7, run the ip route-static command to add a route from the maintenance Ethernet port of the MA5600T to the maintenance terminal.
huawei(config-if-meth0)#quit
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

Step 4 Run the telnet application.


On the maintenance terminal, choose Start > Run. On the Run window, input "telnet
10.50.1.10" in the Open field as shown in Figure 1-9 (considering the Windows OS as an
example), and click OK. Then, the telnet dialog box is displayed.
Figure 1-9 Running the telnet application

Step 5 Log in to the system.


In the telnet dialog box, input the user name and the password. By default, the user name is
root, and the password is admin. When the login is successful, the system displays the following
information:
>>:root
>>:admin
Huawei Integrated Access SoftwareMA5600T.
Copyright(C) Huawei Technologies Co., Ltd. 2002-2011. All rights reserved.
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type : Telnet
IP-Address  : 10.10.10.122
Login Time  : 2011-03-29 16:03:20+08:00
Logout Time : 2011-03-29 16:08:40+08:00
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
User fail login information:
-----------------------------------------------------------------------------
Last Access Type    : Telnet
Last IP-Address     : 10.10.10.74
Last Login Time     : 2011-03-29 16:11:10+08:00
Login Failure Times : 2
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
All user fail login information:
-----------------------------------------------------------------------------
Access Type IP-Address      Time                        Login Times
-----------------------------------------------------------------------------
Telnet      10.10.10.74     2011-03-29 16:11:10+08:00   1
Telnet      10.10.10.122    2011-03-29 15:37:05+08:00   3
Telnet      10.10.10.193    2011-03-25 18:19:04+08:00   1
-----------------------------------------------------------------------------

The following table describes the parameters in response to this login.

Parameter | Description
User name | Indicates the user name.
User password | Indicates the user password that is not displayed on the maintenance terminal.
User last login information | Indicates the information about the latest successful login.
Access Type | Indicates the access type of the latest successful login.
IP-Address | Indicates the IP address of the latest successful login.
Login Time | Indicates the time of the latest successful login.
Logout Time | Indicates the time of the latest successful logout. If the user does not log out, it displays as "--".
User fail login information | Indicates the information about the failed login.
Last Access Type | Indicates the access type of the latest failed login.
Last IP-Address | Indicates the IP address of the latest failed login.
Last Login Time | Indicates the time of the latest failed login.
Login Failure Times | Indicates the number of failed logins. It counts the login failures between two successful logins, not the cumulative login failures.
All user fail login information | Indicates the information about failed login of all users, which can be viewed only by user root or security administrator.
Access Type | Indicates the access type of the login.
IP-Address | Indicates the IP address of the login.
Time | Indicates the time of the login.
Login Times | Indicates the login times.

----End

Result
After logging in to the system, you can maintain and manage the MA5600T.
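
The login banner described above is where the device reports failed logins, and over telnet with the default root/admin account it is worth reviewing at every session. The following Python sketch is an added example, not part of the Huawei guide: it parses banner text in the layout shown in Step 5 and flags sources outside the planned management subnets. The function names and the allow-list are assumptions, and the sample banner is constructed from the values in the output above.

```python
import ipaddress
import re

# Constructed sample in the layout of the Step 5 output (values from the guide).
SAMPLE_BANNER = """\
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type : Telnet
IP-Address  : 10.10.10.122
Login Time  : 2011-03-29 16:03:20+08:00
Logout Time : 2011-03-29 16:08:40+08:00
-----------------------------------------------------------------------------
User fail login information:
-----------------------------------------------------------------------------
Last Access Type    : Telnet
Last IP-Address     : 10.10.10.74
Last Login Time     : 2011-03-29 16:11:10+08:00
Login Failure Times : 2
-----------------------------------------------------------------------------
All user fail login information:
-----------------------------------------------------------------------------
Access Type IP-Address      Time                        Login Times
-----------------------------------------------------------------------------
Telnet      10.10.10.74     2011-03-29 16:11:10+08:00   1
Telnet      10.10.10.122    2011-03-29 15:37:05+08:00   3
Telnet      10.10.10.193    2011-03-25 18:19:04+08:00   1
-----------------------------------------------------------------------------
"""

# Assumption: management stations live only in the subnets of the data plan
# (Table 1-5 and Table 1-6). Adjust to the real plan.
ALLOWED_NETS = [ipaddress.ip_network("10.50.1.0/24"),
                ipaddress.ip_network("10.10.1.0/24")]

KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(\S.*?)\s*$")
FAIL_ROW = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})\s+(\d+)\s*$")


def parse_banner(text):
    """Split the banner into its three sections.

    Returns {"last_login": {...}, "last_fail": {...}, "all_fail": [rows]}.
    Sections the device does not print are left empty.
    """
    result = {"last_login": {}, "last_fail": {}, "all_fail": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or dashed rule
        lowered = stripped.lower()
        if lowered.startswith("user last login information"):
            section = "last_login"
        elif lowered.startswith("all user fail login information"):
            section = "all_fail"
        elif lowered.startswith("user fail login information"):
            section = "last_fail"
        elif section == "all_fail":
            row = FAIL_ROW.match(line)
            if row:  # the column header line does not match and is skipped
                result["all_fail"].append({
                    "access": row.group(1), "ip": row.group(2),
                    "time": row.group(3), "count": int(row.group(4))})
        elif section:
            kv = KEY_VALUE.match(line)
            if kv:
                result[section][kv.group(1)] = kv.group(2)
    return result


def review_banner(text, allowed_nets=ALLOWED_NETS, max_failures=3):
    """Return a list of findings (strings) for one login banner."""
    def outside(ip):
        addr = ipaddress.ip_address(ip)
        return not any(addr in net for net in allowed_nets)

    parsed = parse_banner(text)
    findings = []
    last_ip = parsed["last_login"].get("IP-Address")
    if last_ip and outside(last_ip):
        findings.append(f"last successful login came from unplanned {last_ip}")
    if parsed["last_login"].get("Access Type", "").lower() == "telnet":
        findings.append("last successful login used telnet (cleartext)")
    fails = parsed["last_fail"].get("Login Failure Times", "0")
    if fails.isdigit() and int(fails) > 0:
        findings.append(f"{fails} failed login(s) since the last success")
    for row in parsed["all_fail"]:
        if outside(row["ip"]):
            findings.append(f"failed login from unplanned {row['ip']}")
        if row["count"] >= max_failures:
            findings.append(f"{row['count']} failed logins from {row['ip']}")
    return findings
```

The "All user fail login information" section is printed only for user root or a security administrator, so for other users `all_fail` stays empty and only the per-account checks apply.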

Login Through Telnet (Inband Management)


This topic describes how to log in to the MA5600T using the upstream port (inband management
port) in the telnet mode to maintain and manage the MA5600T.

Prerequisites
Engineers are logged in to the MA5600T by using the local serial port or the ETH port.
NOTE

The default IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2,
and the subnet mask is 255.255.255.0.

- For details about how to log in to the MA5600T by using the local serial port, see Login Through the Local Serial Port.
- For details about how to log in to the MA5600T by using the ETH port, see the following:
  - Configure the IP address of the PC that is used for logging in to the MA5600T. This IP address is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, configure the IP address to 10.11.104.6.
  - After logging in to the MA5600T, in the MEth mode, run the ip address command to change the IP address of the device to 10.50.1.10/24.
  - Change the IP address of the PC so that it is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, change the IP address of the PC to 10.50.1.11/24.

Network Topology
Figure 1-10 shows an example network for inband management through telnet in a LAN, and
Figure 1-11 shows an example network for inband management through telnet in a WAN.

Figure 1-10 Example network for inband management through telnet in a LAN

Figure 1-11 Example network for inband management through telnet in a WAN

Data Plan
Table 1-7 and Table 1-8 provide the data plan for the inband management through telnet in a
LAN and in a WAN respectively.
Table 1-7 Data plan for the inband management through telnet in a LAN
Item | Data
Upstream port of the MA5600T | VLAN ID: 30; Port: 0/17/0; IP address: 10.50.1.10/24
Maintenance terminal | IP address: 10.50.1.20/24 (in the same subnet as the IP address of the maintenance Ethernet port)

Table 1-8 Data plan for the inband management through telnet in a WAN
Item | Data
Upstream port of the MA5600T | VLAN ID: 30; Port: 0/17/0; IP address: 10.50.1.10/24
Maintenance terminal | IP address: 10.10.1.10/24
Router port connecting to the MA5600T | IP address: 10.50.1.1/24
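
The data plans in Table 1-5 to Table 1-8 decide whether a static route is needed: none when the maintenance terminal shares the device's subnet, one through the router port otherwise. The following Python sketch is an added example, not part of the Huawei guide: it validates such a plan and returns the configuration lines in the command syntax this section uses. The function name plan_management and its parameters are assumptions.

```python
import ipaddress


def plan_management(device_if, terminal, gateway=None, *, vlan=None, port=None):
    """Validate a management data plan and return the CLI lines that apply it.

    device_if, terminal -- "address/prefix" strings, as in Tables 1-5 to 1-8
    gateway             -- router port facing the MA5600T (WAN case only)
    vlan, port          -- set both for inband management, e.g. 30 and "0/17/0";
                           leave both unset for the maintenance Ethernet port
    The lines are meant to be entered from the huawei(config)# prompt.
    ValueError is raised when the plan cannot work as written.
    """
    dev = ipaddress.ip_interface(device_if)
    term = ipaddress.ip_interface(terminal)
    if (vlan is None) != (port is None):
        raise ValueError("inband management needs both a VLAN and a port")
    if dev.ip in (dev.network.network_address, dev.network.broadcast_address):
        raise ValueError(f"{dev.ip} is not a usable host address in {dev.network}")
    if dev.ip == term.ip:
        raise ValueError("terminal must not reuse the device's management address")

    if vlan is None:
        # Outband: address goes on the maintenance Ethernet port.
        lines = ["interface meth 0"]
    else:
        # Inband: address goes on the VLAN Layer 3 interface of the upstream port.
        shelf_slot, _, port_no = port.rpartition("/")
        if not shelf_slot or not port_no.isdigit():
            raise ValueError(f"port {port!r} is not in the 0/17/0 form")
        lines = [f"vlan {vlan} standard",
                 f"port vlan {vlan} {shelf_slot} {port_no}",
                 f"interface vlanif {vlan}"]
    lines.append(f"ip address {dev.ip} {dev.network.prefixlen}")

    if term.ip in dev.network:
        # LAN case: same network segment, so no route is added.
        if term.network != dev.network:
            raise ValueError("terminal and device disagree on the subnet mask")
        return lines

    # WAN case: the terminal is reached through the router port.
    if gateway is None:
        raise ValueError(f"{term.ip} is outside {dev.network}: a gateway is required")
    gw = ipaddress.ip_interface(gateway).ip
    if gw not in dev.network or gw == dev.ip:
        raise ValueError(f"gateway {gw} is not a neighbour on {dev.network}")
    lines += ["quit",
              f"ip route-static {term.network.network_address} "
              f"{term.network.prefixlen} {gw}"]
    return lines


if __name__ == "__main__":
    # Table 1-8: inband management in a WAN.
    for cmd in plan_management("10.50.1.10/24", "10.10.1.10/24", "10.50.1.1/24",
                               vlan=30, port="0/17/0"):
        print(cmd)
```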

Flowchart
Figure 1-12 shows the flowchart for logging in to the MA5600T through telnet (inband
management).
Figure 1-12 Flowchart for logging in to the MA5600T through telnet (inband management)

Procedure
Step 1 Set up the network environment.
- If you log in to the MA5600T in the LAN inband management mode through telnet, set up a network environment according to Figure 1-10.
- If you log in to the MA5600T in the WAN inband management mode through telnet, set up a network environment according to Figure 1-11.

Step 2 Configure the IP address of the VLAN Layer 3 interface.

1. Run the vlan command to create a management VLAN.
huawei(config)#vlan 30 standard

2. Run the port vlan command to add an upstream port to the VLAN.
huawei(config)#port vlan 30 0/17 0

3. In the VLANIF mode, run the ip address command to configure the IP address of the VLAN Layer 3 interface.
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.50.1.10 24

NOTE
If the packet transmitted from the upstream port is untagged, run the native-vlan command to configure
the native VLAN of the upstream port to be the same as the VLAN of the upstream port.

Step 3 Add a route for the inband management.
- If the network environment is set up as shown in Figure 1-10, you need not add a route.
- If the network environment is set up as shown in Figure 1-11, run the ip route-static command to add a route from the maintenance Ethernet port of the MA5600T to the maintenance terminal.
huawei(config-if-vlanif30)#quit
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

Step 4 Run the telnet application.


On the maintenance terminal, choose Start > Run. On the Run window, input "telnet
10.50.1.10" in the Open field as shown in Figure 1-13 (considering the Windows OS as an
example), and click OK. Then, the telnet dialog box is displayed.
Figure 1-13 Running the telnet application

Step 5 Log in to the system.


In the telnet dialog box, input the user name and the password. By default, the user name is
root, and the password is admin. When the login is successful, the system displays the following
information:
>>:root
>>:admin
Huawei Integrated Access SoftwareMA5600T.
Copyright(C) Huawei Technologies Co., Ltd. 2002-2011. All rights reserved.
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type : Telnet
IP-Address  : 10.10.10.122
Login Time  : 2011-03-29 16:03:20+08:00
Logout Time : 2011-03-29 16:08:40+08:00
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
User fail login information:
-----------------------------------------------------------------------------
Last Access Type    : Telnet
Last IP-Address     : 10.10.10.74
Last Login Time     : 2011-03-29 16:11:10+08:00
Login Failure Times : 2
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
All user fail login information:
-----------------------------------------------------------------------------
Access Type IP-Address      Time                      Login Times
-----------------------------------------------------------------------------
Telnet      10.10.10.74     2011-03-29 16:11:10+08:00 1
Telnet      10.10.10.122    2011-03-29 15:37:05+08:00 3
Telnet      10.10.10.193    2011-03-25 18:19:04+08:00 1
-----------------------------------------------------------------------------

The following table describes the parameters in response to this login.

| Parameter | Description |
|---|---|
| User name | Indicates the user name. |
| User password | Indicates the user password that is not displayed on the maintenance terminal. |
| User last login information | Indicates the information about the latest successful login. |
| Access Type | Indicates the access type of the latest successful login. |
| IP-Address | Indicates the IP address of the latest successful login. |
| Login Time | Indicates the time of the latest successful login. |
| Logout Time | Indicates the time of the latest successful logout. If the user does not log out, it displays as "--". |
| User fail login information | Indicates the information about the failed login. |
| Last Access Type | Indicates the access type of the latest failed login. |
| Last IP-Address | Indicates the IP address of the latest failed login. |
| Last Login Time | Indicates the time of the latest failed login. |
| Login Failure Times | Indicates the failed login times. It is the times of login failures between two login successes, but not the accumulative login failures. |
| All user fail login information | Indicates the information about failed login of all users, which can be viewed only by user root or security administrator. |
| Access Type | Indicates the access type of the login. |
| IP-Address | Indicates the IP address of the login. |
| Time | Indicates the time of the login. |
| Login Times | Indicates the login times. |


----End

Result
After logging in to the system, you can maintain and manage the MA5600T.
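
The login banner shown in Step 5 records where the last successful login came from and which addresses have failed to log in, so it can be checked automatically after each session. The following is an added example, not part of the Huawei guide: SAMPLE_BANNER reuses the sample values from the page, while the function names, the trusted source list and the failure threshold are assumptions chosen for illustration.

```python
import ipaddress
import re

# Banner laid out as in Step 5, using the sample values shown on the page.
SAMPLE_BANNER = """\
User last login information:
-----------------------------------------------------------------------------
Access Type : Telnet
IP-Address  : 10.10.10.122
Login Time  : 2011-03-29 16:03:20+08:00
Logout Time : 2011-03-29 16:08:40+08:00
-----------------------------------------------------------------------------
User fail login information:
-----------------------------------------------------------------------------
Last Access Type    : Telnet
Last IP-Address     : 10.10.10.74
Last Login Time     : 2011-03-29 16:11:10+08:00
Login Failure Times : 2
-----------------------------------------------------------------------------
All user fail login information:
-----------------------------------------------------------------------------
Access Type IP-Address      Time                      Login Times
-----------------------------------------------------------------------------
Telnet      10.10.10.74     2011-03-29 16:11:10+08:00 1
Telnet      10.10.10.122    2011-03-29 15:37:05+08:00 3
Telnet      10.10.10.193    2011-03-25 18:19:04+08:00 1
-----------------------------------------------------------------------------
"""

SECTIONS = {
    "User last login information:": "last_login",
    "User fail login information:": "user_fail",
    "All user fail login information:": "all_fail",
}
# "Name : value" lines of the first two sections.
FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s*:\s*(\S.*)$")
# Rows of the "All user fail login information" table.
ROW = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})\s+(\d+)$"
)


def parse_banner(text):
    """Split the banner into its three sections."""
    banner = {"last_login": {}, "user_fail": {}, "all_fail": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTIONS:
            section = SECTIONS[stripped]
            continue
        # Skip text before the first section, blank lines and dashed rules.
        if section is None or not stripped or set(stripped) == {"-"}:
            continue
        if section == "all_fail":
            m = ROW.match(stripped)
            if m:
                banner["all_fail"].append(
                    {"access": m[1], "ip": m[2], "time": m[3], "count": int(m[4])}
                )
        else:
            m = FIELD.match(stripped)
            if m:
                banner[section][m[1]] = m[2]
    return banner


def review(banner, trusted_sources, max_failures=3):
    """Return findings as tuples; trusted_sources is a list of CIDR strings."""
    nets = [ipaddress.ip_network(s) for s in trusted_sources]

    def trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in net for net in nets)
        except ValueError:          # malformed address: never trusted
            return False

    findings = []
    last = banner["last_login"]
    if last.get("Access Type", "").lower() == "telnet":
        findings.append(("cleartext-login", last.get("IP-Address", "?")))
    if "IP-Address" in last and not trusted(last["IP-Address"]):
        findings.append(("unexpected-source-success", last["IP-Address"]))

    # Failures counted between two successful logins of this user.
    fail = banner["user_fail"]
    times = fail.get("Login Failure Times", "0")
    if times.isdigit() and int(times) > 0 and "Last IP-Address" in fail:
        findings.append(("failures-since-last-login", fail["Last IP-Address"], int(times)))

    # Table visible only to root or a security administrator; may be empty.
    for row in banner["all_fail"]:
        if not trusted(row["ip"]):
            findings.append(("unexpected-source-failure", row["ip"]))
        if row["count"] >= max_failures:
            findings.append(("repeated-failures", row["ip"], row["count"]))
    return findings


if __name__ == "__main__":
    for finding in review(parse_banner(SAMPLE_BANNER), ["10.10.10.122/32"]):
        print(finding)
```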

Login Through SSH (Outband Management)


This topic describes how to log in to the MA5600T using the local maintenance Ethernet port
(outband management port) in the SSH mode to maintain and manage the MA5600T. Secure
Shell (SSH) provides authentication, encryption, and authorization to secure network
communication. When a user logs in to the MA5600T remotely over an insecure network, SSH
provides security guarantees and strong authentication to protect the MA5600T against attacks
such as IP address spoofing and interception of plain-text passwords.

Prerequisites
Engineers are logged in to the MA5600T by using the local serial port or the ETH port.
NOTE

The default IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2,
and the subnet mask is 255.255.255.0.

- For details about how to log in to the MA5600T by using the local serial port, see Login Through the Local Serial Port.
- For details about how to log in to the MA5600T by using the ETH port, see the following:
  - Configure the IP address of the PC that is used for logging in to the MA5600T. This IP address is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, configure the IP address to 10.11.104.6.
  - After logging in to the MA5600T, in the MEth mode, run the ip address command to change the IP address of the device to 10.50.1.10/24.
  - Change the IP address of the PC so that it is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, change the IP address of the device to 10.50.1.11/24.

Network Topology
Figure 1-14 shows an example network for outband management through SSH in a LAN, and
Figure 1-15 shows an example network for outband management through SSH in a WAN.


Figure 1-14 Example network for outband management through SSH in a LAN

NOTE

The MA5600T is connected to the LAN using a straight-through cable, and the IP address of the maintenance
Ethernet port of the MA5600T is in the same network segment as the IP address of the maintenance terminal.
Alternatively, the Ethernet port of the maintenance terminal can be directly connected to the maintenance
Ethernet port of the MA5600T to manage the MA5600T in the outband management mode. In this
case, a crossover cable must be used.

Figure 1-15 Example network for outband management through SSH in a WAN

Data Plan
Table 1-9 and Table 1-10 provide the data plan for the outband management through SSH in a
LAN and in a WAN respectively.


Table 1-9 Data plan for the outband management through SSH in a LAN

| Item | Data |
|---|---|
| Maintenance Ethernet port of the MA5600T | IP address: 10.50.1.10/24; User authentication mode: RSA public key authentication; RSA key name: key. NOTE: By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0. |
| New user | User name/Password: huawei/test01; Authority: Operator; Permitted reenter number: 4 |
| Maintenance terminal | IP address: 10.50.1.20/24 (in the same subnet as the IP address of the maintenance Ethernet port) |

Table 1-10 Data plan for the outband management through SSH in a WAN

| Item | Data |
|---|---|
| Maintenance Ethernet port of the MA5600T | IP address: 10.50.1.10/24; User authentication mode: RSA public key authentication; RSA key name: key. NOTE: By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0. |
| New user | User name/Password: huawei/test01; Authority: Operator; Permitted reenter number: 4 |
| Maintenance terminal | IP address: 10.10.1.10/24 |
| Router port connecting to the MA5600T | IP address: 10.50.1.1/24 |

Flowchart
Figure 1-16 shows the flowchart for logging in to the MA5600T through SSH.


Figure 1-16 Flowchart for logging in to the MA5600T through SSH (Outband Management)


Procedure
Step 1 Set up the network environment.
- If you log in to the MA5600T in the LAN outband management mode through SSH, set up a network environment according to Figure 1-14.
- If you log in to the MA5600T in the WAN outband management mode through SSH, set up a network environment according to Figure 1-15.

Step 2 Configure the IP address of the maintenance Ethernet port.


In the MEth mode, run the ip address command to configure the IP address of the maintenance
Ethernet port.
huawei(config)#interface meth 0
huawei(config-if-meth0)#ip address 10.50.1.10 24

Step 3 Add a route for the outband management.


- If the network environment is set up as shown in Figure 1-14, you need not add a route.
- If the network environment is set up as shown in Figure 1-15, run the ip route-static command to add a route from the maintenance Ethernet port of the MA5600T to the maintenance terminal.
huawei(config-if-meth0)#quit
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

Step 4 Create a user.


Run the terminal user name command to create a user.
huawei(config)#terminal user name
User Name(length<6,15>):huawei
User Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
Confirm Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
User profile name(<=15 chars)[root]:
User's Level:
1. Common User 2. Operator:2
Permitted Reenter Number(0--4):4
User's Appended Info(<=30 chars):
Adding user succeeds
Repeat this operation? (y/n)[n]:n

Step 5 Create the local RSA key pair.


Run the rsa local-key-pair create command to create the local RSA key pair.

CAUTION
The prerequisite for the login through SSH is that the local RSA key pair must be configured
and generated. Therefore, before performing other SSH configurations, make sure that the local
RSA key pair is generated.
huawei(config)#rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
..++++++++++++
....................++++++++++++
...............................++++++++
...........++++++++

Step 6 Set the SSH user authentication mode.


Run the ssh user huawei authentication-type rsa command to choose the authentication mode
of the SSH user.
SSH users can use one of the following four authentication modes. This topic uses the rsa
authentication mode as an example.
- password: authentication based on a password.
- rsa: authentication based on an RSA public key.
- all: authentication based on a password or an RSA public key. The user can log in to the device by using either the password or the RSA public key.
- password-publickey: authentication based on a password and a public key. The user can log in to the device only after passing both the password authentication and the RSA public key authentication.
huawei(config)#ssh user huawei authentication-type
{ all<K>|password-publickey<K>|password<K>|rsa<K> }:rsa
Command:
ssh user huawei authentication-type rsa
%Authentication type setted, and will be in effect next time.

Step 7 Generate the RSA public key.


1. Run the key generator.
Run the client software key generator Puttygen.exe. Figure 1-17 shows the interface of the key generator.
Figure 1-17 Interface of the key generator

2. Generate the client key.
Select SSH-2 RSA as the key type under Parameters, click Generate, and move the cursor according to the prompt on the interface to generate the client key, as shown in Figure 1-18.
Figure 1-18 Interface of the key generator

Click Save public key and Save private key to save the public key and the private key respectively after they are generated, as shown in Figure 1-19.
Figure 1-19 Save the public key and the private key

3. Generate the RSA public key.
Open sshkey.exe, click Browse, and choose the public key file saved in the preceding step. Then, click Convert to change the client public key to the RSA public key, as shown in Figure 1-20.
Figure 1-20 Interface of converting the client public key to the RSA public key

Step 8 Generate the public key for the SSH user.


Create the RSA public key. Copy the RSA public key to the server in the config-rsa-key-code
command line mode.
huawei(config)#rsa peer-public-key key
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
huawei(config-rsa-public-key)#public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
huawei(config-rsa-key-code)#30818702 81810098 933744B6 7C864EC7 A86A84CC 198BAC15
huawei(config-rsa-key-code)#D32834F7 365CFD17 E7FE4041 3266E416 710D13ED 22BD4D59
huawei(config-rsa-key-code)#DF0C3E46 A995CC61 DC4CB179 F6888B8C 3F8A3085 51EDB5C7
huawei(config-rsa-key-code)#5DEBDBE1 3AB4A256 0D0B9AA8 9A419D85 35C0E562 AE0BBFAB
huawei(config-rsa-key-code)#515299F9 D2803E84 3AE36C20 949367EA 0697EB20 2594A774
huawei(config-rsa-key-code)#9A0EFF04 26928874 FF9124C4 D28F0702 0125
huawei(config-rsa-key-code)#public-key-code end
huawei(config-rsa-public-key)#peer-public-key end

Step 9 Assign the public key to the SSH user.


Run the ssh user assign rsa-key command to assign the RSA public key to the SSH user.
huawei(config)#ssh user huawei assign rsa-key key

Step 10 Log in to the system.


1. Run the client software.
Run the SSH client software putty.exe, choose SSH > Auth from the navigation tree, and assign a file for the RSA private key, as shown in Figure 1-21. Click Browse to display the window for selecting the file. In the window, select the file for the private key, and click OK.
Figure 1-21 Interface of the SSH client software

2. Log in to the system.
Choose Session from the navigation tree, and then input the IP address of the MA5600T in the Host Name (or IP address) field, as shown in Figure 1-22. Then, click Open to log in to the system.
Figure 1-22 Interface for logging in to the system using the SSH client software

The user authentication mode is set to the RSA authentication mode, and the system therefore displays the prompt, as shown in Figure 1-23. Input the user name to log in to the system (here, the user name is huawei).
Figure 1-23 Interface for logging in to the system using the SSH client software

----End

Result
After logging in to the system, you can maintain and manage the MA5600T.

Login Through SSH (Inband Management)


This topic describes how to log in to the MA5600T using the upstream port (inband management
port) in the SSH mode to maintain and manage the MA5600T. Secure Shell (SSH) provides
authentication, encryption, and authorization to secure network communication.
When a user logs in to the MA5600T remotely over an insecure network, SSH provides security
guarantees and strong authentication to protect the MA5600T against attacks such as IP address
spoofing and interception of plain-text passwords.

Prerequisites
Engineers are logged in to the MA5600T by using the local serial port or the ETH port.
NOTE

The default IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2,
and the subnet mask is 255.255.255.0.

- For details about how to log in to the MA5600T by using the local serial port, see Login Through the Local Serial Port.
- For details about how to log in to the MA5600T by using the ETH port, see the following:
  - Configure the IP address of the PC that is used for logging in to the MA5600T. This IP address is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, configure the IP address to 10.11.104.6.
  - After logging in to the MA5600T, in the MEth mode, run the ip address command to change the IP address of the device to 10.50.1.10/24.
  - Change the IP address of the PC so that it is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, change the IP address of the device to 10.50.1.11/24.

Network Topology
Figure 1-24 shows an example network for inband management through SSH in a LAN, and
Figure 1-25 shows an example network for inband management through SSH in a WAN.
Figure 1-24 Example network for inband management through SSH in a LAN


Figure 1-25 Example network for inband management through SSH in a WAN

Data Plan
Table 1-11 and Table 1-12 provide the data plan for the inband management through SSH in a
LAN and in a WAN respectively.
Table 1-11 Data plan for the inband management through SSH in a LAN

| Item | Data |
|---|---|
| Upstream port of the MA5600T | VLAN ID: 30; Port: 0/7/0; IP address: 10.50.1.10/24; User authentication mode: RSA public key authentication; RSA key name: key |
| New user | User name/Password: huawei/test01; Authority: Operator; Permitted reenter number: 4 |
| Maintenance terminal | IP address: 10.50.1.20/24 (in the same subnet as the IP address of the maintenance Ethernet port) |

Table 1-12 Data plan for the inband management through SSH in a WAN

| Item | Data |
|---|---|
| Upstream port of the MA5600T | VLAN ID: 30; Port: 0/7/0; IP address: 10.50.1.10/24; User authentication mode: RSA public key authentication; RSA key name: key |
| New user | User name/Password: huawei/test01; Authority: Operator; Permitted reenter number: 4 |
| Maintenance terminal | IP address: 10.10.1.10/24 |
| Router port connecting to the MA5600T | IP address: 10.50.1.1/24 |

Flowchart
Figure 1-26 shows the flowchart for logging in to the MA5600T through SSH.


Figure 1-26 Flowchart for logging in to the MA5600T through SSH (Inband Management)


Procedure
Step 1 Set up the network environment.
- If you log in to the MA5600T in the LAN inband management mode through SSH, set up a network environment according to Figure 1-24.
- If you log in to the MA5600T in the WAN inband management mode through SSH, set up a network environment according to Figure 1-25.

Step 2 Configure the IP address of the VLAN Layer 3 interface.


1. Run the vlan command to create a management VLAN.
huawei(config)#vlan 30 standard

2. Run the port vlan command to add an upstream port to the VLAN.
huawei(config)#port vlan 30 0/7 0

3. In the VLANIF mode, run the ip address command to configure the IP address of the VLAN Layer 3 interface.
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.50.1.10 24
NOTE

If the packet transmitted from the upstream port is untagged, run the native-vlan command to configure
the native VLAN of the upstream port to be the same as the VLAN of the upstream port.

Step 3 Add a route for the inband management.


- If the network environment is set up as shown in Figure 1-24, you need not add a route.
- If the network environment is set up as shown in Figure 1-25, run the ip route-static command to add a route from the maintenance Ethernet port of the MA5600T to the maintenance terminal.
huawei(config-if-vlanif30)#quit
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

Step 4 Create a user.


Run the terminal user name command to create a user.
huawei(config)#terminal user name
User Name(length<6,15>):huawei
User Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
Confirm Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
User profile name(<=15 chars)[root]:
User's Level:
1. Common User 2. Operator:2
Permitted Reenter Number(0--4):4
User's Appended Info(<=30 chars):
Adding user succeeds
Repeat this operation? (y/n)[n]:n

Step 5 Create the local RSA key pair.


Run the rsa local-key-pair create command to create the local RSA key pair.

CAUTION
The prerequisite for the login through SSH is that the local RSA key pair must be configured
and generated. Therefore, before performing other SSH configurations, make sure that the local
RSA key pair is generated.

huawei(config)#rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
..++++++++++++
....................++++++++++++
...............................++++++++
...........++++++++

Step 6 Set the SSH user authentication mode.


Run the ssh user huawei authentication-type rsa command to choose the authentication mode
of the SSH user.
SSH users can use one of the following four authentication modes. This topic uses the rsa
authentication mode as an example.
- password: authentication based on a password.
- rsa: authentication based on an RSA public key.
- all: authentication based on a password or an RSA public key. The user can log in to the device by using either the password or the RSA public key.
- password-publickey: authentication based on a password and a public key. The user can log in to the device only after passing both the password authentication and the RSA public key authentication.
huawei(config)#ssh user huawei authentication-type
{ all<K>|password-publickey<K>|password<K>|rsa<K> }:rsa
Command:
ssh user huawei authentication-type rsa
%Authentication type setted, and will be in effect next time.

Step 7 Generate the RSA public key.


1. Run the key generator.
Run the client software key generator Puttygen.exe. Figure 1-27 shows the interface of the key generator.
Figure 1-27 Interface of the key generator

2. Generate the client key.
Select SSH-2 RSA as the key type under Parameters, click Generate, and move the cursor according to the prompt on the interface to generate the client key, as shown in Figure 1-28.
Figure 1-28 Interface of the key generator

Click Save public key and Save private key to save the public key and the private key respectively after they are generated, as shown in Figure 1-29.
Figure 1-29 Save the public key and the private key

3. Generate the RSA public key.
Open sshkey.exe, click Browse, and choose the public key file saved in the preceding step. Then, click Convert to change the client public key to the RSA public key, as shown in Figure 1-30.
Figure 1-30 Interface of converting the client public key to the RSA public key

Step 8 Generate the public key for the SSH user.


Create the RSA public key. Copy the RSA public key to the server in the config-rsa-key-code
command line mode.
huawei(config)#rsa peer-public-key key
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
huawei(config-rsa-public-key)#public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
huawei(config-rsa-key-code)#30818702 81810098 933744B6 7C864EC7 A86A84CC 198BAC15
huawei(config-rsa-key-code)#D32834F7 365CFD17 E7FE4041 3266E416 710D13ED 22BD4D59
huawei(config-rsa-key-code)#DF0C3E46 A995CC61 DC4CB179 F6888B8C 3F8A3085 51EDB5C7
huawei(config-rsa-key-code)#5DEBDBE1 3AB4A256 0D0B9AA8 9A419D85 35C0E562 AE0BBFAB
huawei(config-rsa-key-code)#515299F9 D2803E84 3AE36C20 949367EA 0697EB20 2594A774
huawei(config-rsa-key-code)#9A0EFF04 26928874 FF9124C4 D28F0702 0125
huawei(config-rsa-key-code)#public-key-code end
huawei(config-rsa-public-key)#peer-public-key end

Step 9 Assign the public key to the SSH user.


Run the ssh user assign rsa-key command to assign the RSA public key to the SSH user.
huawei(config)#ssh user huawei assign rsa-key key

Step 10 Log in to the system.


1. Run the client software.
Run the SSH client software putty.exe, choose SSH > Auth from the navigation tree, and assign a file for the RSA private key, as shown in Figure 1-31. Click Browse to display the window for selecting the file. In the window, select the file for the private key, and click OK.
Figure 1-31 Interface of the SSH client software

2. Log in to the system.
Choose Session from the navigation tree, and then input the IP address of the MA5600T in the Host Name (or IP address) field, as shown in Figure 1-32. Then, click Open to log in to the system.
Figure 1-32 Interface for logging in to the system using the SSH client software

The user authentication mode is set to the RSA authentication mode, and the system therefore displays the prompt, as shown in Figure 1-33. Input the user name to log in to the system (here, the user name is huawei).
Figure 1-33 Interface for logging in to the system using the SSH client software

----End

Result
After logging in to the system, you can maintain and manage the MA5600T.
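
The key code entered in Step 8 of both SSH procedures (outband and inband) is a DER-encoded RSA public key: a SEQUENCE holding the modulus and the public exponent. The following added example, which is not part of the Huawei guide, decodes that key code, checks it against the 769 to 2048 bit range stated in the device's NOTE, and re-encodes it in the same grouping; the function names are assumptions chosen for illustration.

```python
# Key code exactly as entered in Step 8 on the page (display-wrapped lines rejoined).
KEY_CODE = """\
30818702 81810098 933744B6 7C864EC7 A86A84CC 198BAC15
D32834F7 365CFD17 E7FE4041 3266E416 710D13ED 22BD4D59
DF0C3E46 A995CC61 DC4CB179 F6888B8C 3F8A3085 51EDB5C7
5DEBDBE1 3AB4A256 0D0B9AA8 9A419D85 35C0E562 AE0BBFAB
515299F9 D2803E84 3AE36C20 949367EA 0697EB20 2594A774
9A0EFF04 26928874 FF9124C4 D28F0702 0125
"""

MIN_BITS, MAX_BITS = 769, 2048  # range stated by the device's NOTE in Step 8


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: (first & 0x7F) length bytes
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length


def decode_key_code(text):
    """Parse grouped hex into (modulus, exponent)."""
    der = bytes.fromhex("".join(text.split()))
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    tag_n, raw_n, pos = _read_tlv(body, 0)
    tag_e, raw_e, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected exactly two DER INTEGERs")
    return int.from_bytes(raw_n, "big"), int.from_bytes(raw_e, "big")


def check_key(n, e):
    """Return a list of problems; an empty list means the key passes."""
    problems = []
    bits = n.bit_length()
    if not MIN_BITS <= bits <= MAX_BITS:
        problems.append(f"modulus is {bits} bits, outside {MIN_BITS}-{MAX_BITS}")
    if n % 2 == 0:
        problems.append("modulus is even, so it is not a product of two odd primes")
    if e < 3 or e % 2 == 0:
        problems.append(f"exponent {e} is not an odd number >= 3")
    return problems


def _der_len(length):
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value):
    # One spare bit keeps the INTEGER positive (leading 00 when the top bit is set).
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(raw)) + raw


def encode_key_code(n, e, groups_per_line=6):
    """Re-encode (n, e) as hex in 8-digit groups, six groups per line."""
    body = _der_int(n) + _der_int(e)
    hexed = (b"\x30" + _der_len(len(body)) + body).hex().upper()
    words = [hexed[i:i + 8] for i in range(0, len(hexed), 8)]
    return "\n".join(
        " ".join(words[i:i + groups_per_line])
        for i in range(0, len(words), groups_per_line)
    )


if __name__ == "__main__":
    modulus, exponent = decode_key_code(KEY_CODE)
    print(modulus.bit_length(), exponent, check_key(modulus, exponent))
```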

1.3.5 Checking the Software Version


This topic describes how to verify that the current software version meets the deployment
requirement.

Procedure
Step 1 Run the display language command to check whether the version of the host software meets
the deployment requirement.
Step 2 Run the display version command to check whether the version of the board software meets
the deployment requirement.
----End

Result
- The version of the host software and the version of the board software meet the deployment requirement.
- If the version of the host software and the version of the board software do not meet the deployment requirement, contact the Huawei Customer Service Center. For the contact information, see Contacting Huawei for Assistance. Upgrade the host software if necessary.

Example
To query the host software version and the board software version that are running in the system,
do as follows:
huawei>display language
Local:
  Description: CHINESE SIMPLIFIED (DEFAULT LANGUAGE)
  Version:     MA5600V800R203C00
  Encoding:    GBK
General:
  Description: ENGLISH (DEFAULT LANGUAGE)
  Version:     MA5600V800R203C00
  Encoding:    ANSI
huawei>display version
{ <cr>|backplane<K>|frameid/slotid<S><Length 1-15> }:
Command:
display version
VERSION : MA5600V800R203C00
PRODUCT MA5600T
Uptime is 4 day(s), 7 hour(s), 27 minute(s), 23 second(s)

1.3.6 Loading the Script


You can run the commands in the script in batches by loading the script instead of running the
commands one by one. This shortens the commissioning duration and improves the
commissioning efficiency. If the script is not used, skip this operation, and follow the
commissioning procedure to perform the subsequent operations.

Prerequisites
- The hardware must be installed and checked.
- The script file must be ready. For details about how to make a script, see 1.6.1 Making a Script.
- The operator must be in the privilege mode.

Procedure
Step 1 Open the script file and copy all the commands to the CLI.
----End

Result
The commands in the script can be executed automatically and successfully.

1.3.7 Configuring a Board


Specific services require specific boards. To use a board, you need to first confirm the
automatically discovered board or add the board offline.

Checking the Board Status


This topic describes how to check whether the board works in the normal state.

Procedure
Step 1 Run the display board frameid command to query the status of all the boards.
----End

Result
All the boards work in the normal state. That is, all of the board status is displayed as Normal.

Example
To query the information about all the boards of shelf 0, do as follows:
huawei(config)#display board 0
-------------------------------------------------------------------------
SlotID  BoardName  PrimaryState  SecondaryState  SubType0  SubType1
-------------------------------------------------------------------------
0
1
2
3
4
5       H801TOPA   IS-NR                         NH1A
6
7       H801SCUN   IS-NR         STBYH
8       H801SCUN   IS-NR         WRK
9
10
11      H801TOPA   IS-NR                         NH1A
12
13      H802GPBD   IS-NR
14
15
16
17      H801GICK   IS-NR
18      H801GICG   IS-NR
19
20
-------------------------------------------------------------------------

Confirming a Board
This topic describes how to confirm a board after the board installed in an idle slot is
automatically discovered. This ensures that the auto-discovered board runs in the normal state.

Prerequisites
A board must be installed in an idle slot or all the boards in the shelf must be installed. After
that, the system automatically identifies the board type, and the board status is Auto_find.

Procedure
Step 1 Run the board confirm command to confirm an Auto_find board.
NOTE

- To confirm only one board, run the board confirm frameid/slotid command.
- To confirm all the boards in a shelf, run the board confirm frameid command.

Step 2 Run the display board frameid [ /slotid ] command to query the board status.
----End

Result
The board status is displayed as Normal.

Example
To confirm the service board in slot 0/4, do as follows:
huawei(config)#board confirm 0/4
huawei(config)#display board 0/4
  ---------------------------------------
  Board Name      : H802GPBD
  Primary State   : IS-NR
  Secondary State : -
  ---------------------------------------
  ------------------------------------------------------------
  Port  Port  min-distance  max-distance  Optical-module
        type  (km)          (km)          status
  ------------------------------------------------------------
  0     GPON  0             20            Offline
  1     GPON  0             20            Offline
  2     GPON  0             20            Offline
  3     GPON  0             20            Offline
  4     GPON  0             20            Offline
  5     GPON  0             20            Offline
  6     GPON  0             20            Offline
  7     GPON  0             20            Offline
  ------------------------------------------------------------
  In port 0, the total of ONTs are: 0
  In port 1, the total of ONTs are: 0
  In port 2, the total of ONTs are: 0
  In port 3, the total of ONTs are: 0
  In port 4, the total of ONTs are: 0
  In port 5, the total of ONTs are: 0
  In port 6, the total of ONTs are: 0
  In port 7, the total of ONTs are: 0

Adding a Board Offline


This topic describes how to add a board of the planned type to an idle slot offline, so that the
board runs immediately after it is installed in the slot.

Prerequisites
The slot to which a board is added must be idle.

Context
- The boards other than the control board can be added offline.
- After a board is added offline, the board status is displayed as Failed. The board status
  becomes normal only when a board of the same type as the board added offline is installed
  in the slot. If a board of a different type is installed, the board resets repeatedly due to the
  board type mismatch.

Procedure
Step 1 Run the board add command to add a board offline.
NOTE

- The shelf ID and the slot ID of the board added offline must be the same as the actual position.
  Otherwise, when the board is installed, the board status cannot be changed to normal.
- The type of the board added offline must be the same as the type of the board installed. Otherwise,
  when the board is installed, the board status cannot be changed to normal.

Step 2 Run the display board frameid [ /slotid ] command to query the type of the added board.
----End

Result
The type of the added board is the same as the board type that is planned. When a board is
installed in the slot in which the board is added, the board status is displayed as Normal.

Example
To add a service board GPBD offline in slot 0/4, do as follows:
huawei(config)#board add 0/4 h802gpbd
huawei(config)#display board 0/4
  ---------------------------------------
  Board Name      : H802GPBD
  Primary State   : IS-NR
  Secondary State : -
  ---------------------------------------
  ------------------------------------------------------------
  Port  Port  min-distance  max-distance  Optical-module
        type  (km)          (km)          status
  ------------------------------------------------------------
  0     GPON  0             20            Offline
  1     GPON  0             20            Offline
  2     GPON  0             20            Offline
  3     GPON  0             20            Offline
  4     GPON  0             20            Offline
  5     GPON  0             20            Offline
  6     GPON  0             20            Offline
  7     GPON  0             20            Offline
  ------------------------------------------------------------
  In port 0, the total of ONTs are: 0
  In port 1, the total of ONTs are: 0
  In port 2, the total of ONTs are: 0
  In port 3, the total of ONTs are: 0
  In port 4, the total of ONTs are: 0
  In port 5, the total of ONTs are: 0
  In port 6, the total of ONTs are: 0
  In port 7, the total of ONTs are: 0

1.3.8 Modifying the Reserved VLANs


After the reserved VLANs are successfully modified, the preset value is the start ID of the
reserved VLANs and the system automatically allocates 15 reserved VLANs from the start ID.
A reserved VLAN cannot function as a service VLAN or a management VLAN.

Context
- The start ID of the reserved VLANs is 4079. The system allocates 15 reserved VLANs
  ranging from 4079 to 4093.
- The start ID of the reserved VLANs ranges from 2 to 4079. A configured VLAN cannot
  be configured as a reserved VLAN.
- VLAN 1 is the default VLAN, VLAN 4094 is a fixed reserved VLAN, and VLAN 4095 is
  a reserved VLAN of the LAN switch. These VLANs cannot be configured as reserved
  VLANs.

Procedure
Step 1 Run the vlan reserve command to modify a reserved VLAN.
Step 2 Run the save command to save the configuration data.
Step 3 Run the reboot command to make the configuration take effect.
----End

Example
To configure the range of the reserved VLANs to 4075-4089, do as follows:
huawei(config)#vlan reserve 4075
  Are you sure to config reserved VLAN ? (y/n)[n]: y
huawei(config)#save
huawei(config)#reboot system
  Please check whether data has saved, the unsaved data will lose if reboot
system, are you sure to reboot system? (y/n)[n]: y
huawei(config)#display vlan reserve
  The start actived reserved VLAN ID : 4075
  The start configed reserved VLAN ID : 4075
  The number of reserved VLAN IDs : 15
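
The following Python example is added here and is not part of the guide. It checks a planned start ID against the reserved VLAN rules in this topic and reads display vlan reserve output in the form shown above to flag a start ID that is configured but not yet active. The VLAN plan and the sample output are constructed, and reading a difference between the two start IDs as a pending reboot is an assumption based on Step 3.

```python
import re

RESERVED_COUNT = 15              # VLANs allocated from the start ID (1.3.8)
START_MIN, START_MAX = 2, 4079   # allowed start IDs (1.3.8, Context)


def reserved_range(start):
    """VLAN IDs that the system reserves for a given start ID."""
    if not START_MIN <= start <= START_MAX:
        raise ValueError(f"start ID {start} is outside {START_MIN}-{START_MAX}")
    return range(start, start + RESERVED_COUNT)


def conflicts(start, planned_vlans):
    """Planned service/management VLANs that fall inside the reserved block."""
    block = reserved_range(start)
    return sorted(v for v in set(planned_vlans) if v in block)


def highest_free_start(planned_vlans):
    """Highest start ID whose 15-VLAN block contains no planned VLAN, or None."""
    used = set(planned_vlans)
    for start in range(START_MAX, START_MIN - 1, -1):
        if not used.intersection(reserved_range(start)):
            return start
    return None


# Field labels are copied verbatim from the device output in the example.
_FIELD = re.compile(
    r"The (start actived|start configed|number of) reserved VLAN IDs?\s*:\s*(\d+)")


def parse_vlan_reserve(output):
    """Parse 'display vlan reserve' output in the form printed in the example."""
    fields = {m.group(1): int(m.group(2)) for m in _FIELD.finditer(output)}
    if "start actived" not in fields or "start configed" not in fields:
        raise ValueError("output does not contain both start IDs")
    return fields


def audit(output, planned_vlans):
    """Findings for one device: pending change and plan/reserved overlaps."""
    info = parse_vlan_reserve(output)
    active, configured = info["start actived"], info["start configed"]
    findings = []
    if active != configured:
        # Assumption: the configured start ID becomes active only after
        # save + reboot (Steps 2 and 3 of the procedure).
        findings.append(
            f"start ID {configured} is configured but {active} is still active")
    block = reserved_range(active)
    for vlan in conflicts(active, planned_vlans):
        findings.append(
            f"VLAN {vlan} lies in the active reserved block {block[0]}-{block[-1]}")
    return findings


# Constructed data plan: VLAN 100 is the management VLAN used in 1.3.9,
# the other IDs are made-up service VLANs.
PLAN = [100, 200, 4080, 4090]

# Constructed output: start ID changed to 4075 but the system not yet rebooted.
SAMPLE_OUTPUT = """\
  The start actived reserved VLAN ID : 4079
  The start configed reserved VLAN ID : 4075
  The number of reserved VLAN IDs : 15
"""

if __name__ == "__main__":
    for candidate in (4079, 4075):
        print(candidate, "->", conflicts(candidate, PLAN) or "no conflict")
    print("suggested start ID:", highest_free_start(PLAN))
    for finding in audit(SAMPLE_OUTPUT, PLAN):
        print("finding:", finding)
```
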

1.3.9 Configuring Link Aggregation and Switching


This topic describes how to configure a link aggregation group to improve reliability of service
transmission.

Context
An uplink aggregation group aggregates multiple Ethernet ports as an aggregation group to
increase the bandwidth and share the inbound/outbound load of each member port. In addition,
the ports in an aggregation group back up each other, which enhances the link security.
An aggregation group can implement inter-card aggregation between two GIU slots.
When only one control card is configured, inter-card aggregation is supported between the
SCUN card and the GIU slot.
In a link aggregation group, the member physical links are backed up with each other
dynamically. When a link is disconnected, another link can take the place of the faulty link.

Procedure
Step 1 Run the link-aggregation command to create an Ethernet port aggregation group. Add multiple
upstream Ethernet ports to the same aggregation group to implement protection and load
balancing between ports.
Step 2 Run the link-aggregation description command to configure the description of the aggregation
group.
The description is applicable to the transaction language 1 (TL1) northbound interface.
Step 3 Run the vlan command to add a standard VLAN.
Step 4 Run the port vlan command to add an upstream port to the VLAN.
Step 5 Run the interface vlanif command to create a VLAN interface and enter the VLAN interface
mode.
Step 6 Run the ip address command to configure the IP address of the VLAN interface.
The IP address of the VLAN interface and the gateway IP address must be on the same network
segment.
Step 7 Run the shutdown command to deactivate the upstream port.
Step 8 Run the ping command to check the connectivity from the MA5600T to the gateway
through the remaining upstream port.
----End

Result
The connection from the MA5600T to the gateway is normal.

Example
After the connection from the MA5600T to the gateway (with IP address 10.10.10.20) is
configured successfully, run the shutdown command to deactivate upstream port 0/17/0. The
connection from the MA5600T to the gateway remains normal.
- Upstream ports 0/17/0 and 0/17/1 are configured as an aggregation group. The primary port
  is 0/17/0 and its description is upport-link-aggregation.
- The management VLAN from the MA5600T to the gateway is VLAN 100 and the IP
  address of the VLAN interface is 10.10.10.10 (on the same network segment as the gateway
  IP address).

huawei(config)#link-aggregation 0/17 0 0/17 1 ingress
huawei(config)#link-aggregation description 0/17/0 upport-link-aggregation
huawei(config)#vlan 100 standard
huawei(config)#port vlan 100 0/17 0,1
huawei(config)#interface vlanif 100
huawei(config-if-vlanif100)#ip address 10.10.10.10 24
huawei(config)#interface giu 0/17
huawei(config-if-giu-0/17)#shutdown 0
huawei(config-if-giu-0/17)#quit
huawei(config)#ping 10.10.10.20
  PING 10.10.10.20: 56 data bytes, press CTRL_C to break
    Reply from 10.10.10.20: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.10.10.20: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.10.10.20: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.10.10.20: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.10.10.20: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 10.10.10.20 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

1.3.10 Checking the Status of the Service Port


This topic describes how to check whether the service port is in the normal state.

Prerequisites
NOTE

The MA5600T provides various service ports. The following only describes how to check the status of a
GPON port.

Procedure
Step 1 Run the interface gpon command to enter the GPON mode.
Step 2 Run the display port state command to check whether the service port is in the normal state.
----End

Result
All the service ports are in the normal state. That is, Status is displayed as Activated, and Laser
state is displayed as On.

1.3.11 Checking the Status of the Upstream Port


This topic describes how to check whether the upstream port is in the normal state.

Procedure
Step 1 Follow the steps below to check the status of the upstream port.
- If the control board is adopted for upstream transmission, do as follows:
  1. Run the interface scu command to enter the SCU mode.
  2. Run the display port stateall command to check whether the upstream port is in the
     normal state.
- If the upstream board is adopted for upstream transmission, do as follows:
  1. Run the interface giu command to enter the GIU mode.
  2. Run the display port stateall command to check whether the upstream port is in the
     normal state.

----End

Result
The upstream port is in the normal state. That is, the upstream port is in the active state and the
link is in the online state. If the optical port is adopted for upstream transmission, Optic
Status is displayed as normal.

1.3.12 Changing the System Name


This topic describes how to set a meaningful system name to differentiate MA5600Ts. This
facilitates the management of the MA5600T.

Context
- By default, the device name is MA5600T.
- The system name takes effect immediately after change.
- After the system name is changed, the CLI prompt character changes to the new name
  accordingly.

Procedure
Step 1 Run the sysname command to set the system name.
----End

Result
The CLI prompt character changes to the system name that is set after the command is executed
successfully.

Example
To name the first MA5600T at Shenzhen office in China shenzhen_MA5600T_A, do as follows:
huawei(config)#sysname shenzhen_MA5600T_A
shenzhen_MA5600T_A(config)#

1.3.13 Configuring a System User


For logging in to, configuring, and managing the MA5600T, system users of different attributes
need to be added. This topic describes how to add a system user and modify the user attributes.

Adding a System User


This topic describes how to add system users of different attributes for logging in to, configuring,
and managing the MA5600T. This facilitates the management of the MA5600T.

Prerequisites
You must have the administrator authority or higher authority.

Context
- The super user and the administrator have the authority to add a user at a lower level, that
  is:
  - The super user can add an administrator, an operator, or a common user.
  - The administrator can add only an operator or a common user.
- By default, the system has a super user with the name of root and password of admin. The
  super user cannot be added or deleted.
- The user name must be unique, and cannot be all or online.
- The super user and the administrator can add multiple users consecutively. Up to 127 (total
  128 including the root user) users can be added to the system.
- The system supports up to 10 concurrently online terminal users.

When adding a user, you must configure the user attributes, including the user account, password,
profile, authority, permitted reenter number, and appended information. Table 1-13 lists the user
attributes.
Table 1-13 User attributes

User Attribute            Description
Account                   An account is also called a user name and consists of 6-15 printable
                          characters. The user name is unique in the system. It cannot contain any
                          space and is case insensitive.
Password                  A password consists of 6-15 characters. It must contain at least one digit
                          and one letter, and is case-sensitive.
User profile              The name of a user profile consists of 1-15 printable characters. A user
                          profile includes the validity period of the user name, validity period of
                          the password, login time, and logout time.
Authority                 Users are classified into three levels: common user, operator, and
                          administrator.
                          NOTE
                          According to the operation authority, users of the MA5600T are classified
                          into four levels: common user, operator, administrator, and super user. The
                          user at one level can add only the user at a lower level. The following
                          lists the authority of all users.
                          - Common users can perform basic system operations and simple query
                            operations.
                          - Operators can configure the device and the services.
                          - The administrator and the super user have the following similarities
                            and differences:
                            - Similarities:
                              - Perform all configurations.
                              - Maintain and manage the device, user account, and user authority.
                            - Differences:
                              - Only one super user exists in the system; however, multiple
                                administrators can coexist in the system.
                              - The super user can add an administrator, but an administrator has
                                no authority to add the super user.
Permitted reenter number  The permitted reenter number determines whether a user name can be
                          used to log in to the system from several terminals at the same time. The
                          permitted reenter number ranges from 0 to 4, and is generally set to 1.
Appended information      Appended information is a type of additional information about the user.
                          It consists of a string of 0-30 characters. It can be the telephone number
                          or the address of a user.

Procedure
Step 1 Run the terminal user name command to add a user that is consistent with the actual data plan.
Step 2 Run the display terminal user command to query the user information.
----End

Result
The queried user information is the same as the actual data plan.

Example
With the administrator authority, to add a common user with the account as huawei, password
as test01, user profile as the default root user profile, user level as Common User, permitted
reenter number as 3, and appended information as user, do as follows:
huawei(config)#terminal user name
  User Name(length<6,15>):huawei
  User Password(length<6,15>):test01//The password is not displayed on the console.
  Confirm Password(length<6,15>):test01//The password is not displayed on the console.
  User profile name(<=15 chars)[root]:
  User's Level:
    1. Common User 2. Operator:1
  Permitted Reenter Number(0--4):3
  User's Appended Info(<=30 chars):user
  Adding user succeeds
  Repeat this operation? (y/n)[n]:n
huawei(config)#display terminal user name huawei
  ----------------------------------------------------------------------------
  Name     Level     Status   Reenter  Profile   Append
                              Num                Info
  ----------------------------------------------------------------------------
  huawei   User      Offline  3        root      user
  ----------------------------------------------------------------------------
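
The following Python example is added here and is not part of the guide. It validates a user data plan against the limits in Table 1-13 and the Context list before the users are entered with terminal user name. The plan entries, the dictionary keys, and the check that a password must differ from the account name are assumptions made for this example; the last one is a hygiene check, not a device rule.

```python
LEVELS = {"common user": 1, "operator": 2, "administrator": 3, "super user": 4}
RESERVED_NAMES = {"all", "online"}   # names that the guide says cannot be used
BUILT_IN = "root"                    # default super user, cannot be added
MAX_ADDED_USERS = 127                # 128 including the root user


def check_user(user, adder_level):
    """Return the rule violations for one planned user (a dict)."""
    problems = []
    name, password = user["account"], user["password"]

    if not 6 <= len(name) <= 15:
        problems.append("account: must be 6-15 characters")
    if not name.isprintable() or " " in name:
        problems.append("account: printable characters only, no space")
    if name.lower() in RESERVED_NAMES | {BUILT_IN}:
        problems.append("account: name is reserved")

    if not 6 <= len(password) <= 15:
        problems.append("password: must be 6-15 characters")
    if not (any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password)):
        problems.append("password: needs at least one digit and one letter")
    if password.lower() == name.lower():
        # Added hygiene check, not a limit stated in Table 1-13.
        problems.append("password: identical to the account name")

    profile = user.get("profile", "root")   # the CLI prompt defaults to [root]
    if not 1 <= len(profile) <= 15 or not profile.isprintable():
        problems.append("profile: name must be 1-15 printable characters")

    level = LEVELS.get(user["level"])
    if level is None or level >= LEVELS["super user"]:
        problems.append("level: must be common user, operator or administrator")
    elif level >= LEVELS[adder_level]:
        problems.append(f"level: {adder_level} can add only lower-level users")

    if user.get("reenter", 1) not in range(0, 5):
        problems.append("reenter: must be 0-4")
    if len(user.get("info", "")) > 30:
        problems.append("info: at most 30 characters")
    return problems


def check_plan(users, adder_level="administrator"):
    """Validate a whole plan; returns {account: [problems]} for failing entries."""
    if adder_level not in ("administrator", "super user"):
        raise ValueError("only the super user and the administrator can add users")
    report, seen = {}, set()
    for user in users:
        problems = check_user(user, adder_level)
        key = user["account"].lower()        # account names are case insensitive
        if key in seen:
            problems.append("account: duplicate (names are case insensitive)")
        seen.add(key)
        if problems:
            report[user["account"]] = problems
    if len(users) > MAX_ADDED_USERS:
        report["<plan>"] = [f"more than {MAX_ADDED_USERS} users"]
    return report


# Constructed plan. The first entry is the user from the example above.
PLAN = [
    {"account": "huawei", "password": "test01", "profile": "root",
     "level": "common user", "reenter": 3, "info": "user"},
    {"account": "noc ops", "password": "password",
     "level": "administrator", "reenter": 5},
    {"account": "HUAWEI", "password": "huawei1", "level": "operator"},
]

if __name__ == "__main__":
    for account, problems in check_plan(PLAN).items():
        for problem in problems:
            print(f"{account}: {problem}")
```
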

Modifying the System User Attributes


This topic describes how to modify the attributes of a system user, including the password, user
profile, authority, permitted reenter number, and appended information in the case that the user
attributes are not consistent with the current data plan.

Prerequisites
For details about the user authority, see "Context".

Context
Table 1-14 lists the user attributes that can be modified and the related restrictions.
Table 1-14 Modifying the user attributes

User Attribute            Restriction
Password                  - The super user and the administrator can change their own passwords
                            and the passwords of users at lower levels. When changing the
                            password of a user at a lower level, the super user and the
                            administrator need not input the old password.
                          - The common user and the operator can change only their own
                            passwords, but they must input their old passwords for this purpose.
User profile              - The super user and the administrator can modify the profiles bound
                            to them and the profiles bound to users at lower levels.
                          - The user name and the password must meet the specifications
                            described in the user profile to be bound. Otherwise, the binding
                            operation fails.
Authority                 The super user and the administrator can modify the authority of users
                          at lower levels. In addition, the super user and the administrator can
                          modify the user authority only to a level lower than them.
Permitted reenter number  - The super user and the administrator can change the permitted
                            reenter number of a user at a lower level.
                          - The permitted reenter number of the super user cannot be changed.
Appended information      - The super user and the administrator can modify their own appended
                            information and the appended information about users at lower
                            levels.
                          - The common user and the operator can modify only their own
                            appended information.

Procedure
Step 1 Modify the system user attributes.
NOTE

Before modifying the user attributes, run the display terminal user command to query the user attributes
to be modified.

- Run the terminal user password command to change the password of a user.
  The password of a user consists of 6-15 characters, in which at least one digit and one letter
  must be contained. The password is case sensitive.
- Run the terminal user user-profile command to modify the profile bound to a user.
- Run the terminal user level command to modify the authority of a user.
- Run the terminal user reenter command to change the permitted reenter number of a user.
- Run the terminal user apdinfo command to modify the appended information about a
  user.
  When the system has any problem, you can contact the user after querying the user appended
  information. It is recommended that the appended information be set to something
  meaningful, such as the contact means and the user address.

Step 2 Check the user information.
Run the display terminal user command to query the user information.
----End

Result
The queried user information is consistent with the user attributes that are modified, and login
to the MA5600T by using the original user name and password is successful.

Example
To modify the attributes of user huawei, including changing the password to test02, user profile
to operator profile, user level to operator, permitted reenter number to 4, and appended
information to operator, do as follows:
huawei(config)#terminal user password
  User Name(<=15 chars):huawei
  New Password(length<6,15>):test02//The password is not displayed on the console.
  Confirm Password(length<6,15>):test02//The password is not displayed on the console.
  Information takes effect
  Repeat this operation? (y/n)[n]:n
huawei(config)#terminal user user-profile
  User Name(<=15 chars):huawei
  Permitted user-profile[root]:operator
  Confirm user-profile:operator
  Configuration will take effect when the user logs on next time.
  Repeat this operation? (y/n)[n]:n
huawei(config)#terminal user level
  User Name(<=15 chars):huawei
  1. Common User 2. Operator:
  User's Level:2
  Confirm Level:2
  Information will take effect when this user logs on next time
  Repeat this operation? (y/n)[n]:n
huawei(config)#terminal user reenter
  User Name(<=15 chars):huawei
  Permitted Reenter Number(0--4):4
  Confirm Reenter Number(0--4):4
  Information will take effect when this user logs on next time
  Repeat this operation? (y/n)[n]:n
huawei(config)#terminal user apdinfo
  User Name(<=15 chars):huawei
  User's Appended Info(<=30 chars):operator
  Information takes effect
  Repeat this operation? (y/n)[n]:n
huawei(config)#display terminal user name huawei
  ----------------------------------------------------------------------------
  Name     Level     Status   Reenter  Profile   Append
                              Num                Info
  ----------------------------------------------------------------------------
  huawei   Operator  Offline  4        operator  operator
  ----------------------------------------------------------------------------

1.3.14 Configuring the System Time


This topic describes how to configure the system time, time zone, time stamp, NTP (Network
Time Protocol), and start/end time of the daylight saving time (DST) of the MA5600T to ensure
that they are consistent with those in the actual condition.

Procedure
Step 1 Configure the system time.
Run the display time command to query the current system time. If the system time is consistent
with the local standard time, you need not change it. If the system time is inconsistent with the
local standard time, run the time command to change the system time.
Step 2 Configure the system time zone.
Run the display timezone command to query the current system time zone. If the system time
zone is consistent with the local standard time zone, you need not change it. If the system time
zone is inconsistent with the local standard time zone, run the timezone command to change the
system time zone.
NOTE

- The system time zones include the eastern time zones and the western time zones. "GMT+"
  indicates an eastern time zone, that is, the local time is ahead of the Greenwich time. "GMT-"
  indicates a western time zone, that is, the local time is behind the Greenwich time.
- By default, the system time zone is GMT+08:00.

Step 3 Configure the system time stamp.


Run the display time time-stamp command to query the time stamp between the NMS and the
NE, namely the displayed time format of the SNMP interface. If the system time stamp is
consistent with the actual data plan, you need not change it. If the system time stamp is
inconsistent with the actual data plan, run the time time-stamp command to change the system
time stamp.
NOTE

The time types of the SNMP interface between the NMS and the NE are categorized as UTC time and NE
local time. By default, the time type is the NE local time.

Step 4 Configure NTP to ensure that the clock of all devices in the network is the same.
- (Optional) Run the ntp-service refclock-master command to configure the NTP master
  clock.
- Run the ntp-service unicast-server command to configure the NTP unicast server mode,
  and specify the IP address of the remote server that functions as the local time server and the
  interface for transmitting and receiving NTP packets.
NOTE

- The NTP protocol supports the client/server, peer, broadcast, and multicast working modes. The
  following uses the client/server mode as an example. If you need to set the working mode to other
  modes, see 2.3 Configuring the Network Time.
- The Layer 3 interface and the interface IP address must be available for the client and the server to
  communicate with each other.
- In the client/server mode, you need to configure only the client and the NTP master clock of the server.
- In the client/server mode, the client is synchronized to the server but the server will not be synchronized
  to the client.
- The clock stratum of the synchronizing device must be smaller than that of the synchronized device.
  Otherwise, the clock synchronization fails.
- The device that runs the NTP protocol can be synchronized to other clock sources or function as the
  clock source for synchronizing other clocks. In addition, this device and other devices can be set to
  synchronize with each other. When the device works in the client mode, you need not set the system
  time and the device is automatically synchronized to the remote server.

Step 5 Configure the start/end time of the DST.


Run the display time dst command to query the current start/end time of the DST of the system.
If the start/end time of the DST is consistent with the actual start/end time of the DST, you need
not change it. If the start/end time of the DST is inconsistent with the actual start/end time of
the DST, run the time dst command to change the start/end time of the DST.
----End

Result
The system time, time zone, time stamp, NTP, and start/end time of the DST are consistent with
those in the actual condition.

Example
To set the time stamp between the NMS and the NE to use the UTC time, do as follows:
huawei#time time-stamp
{ local<K>|utc<K> }:utc
Command:
time time-stamp utc

Assume that the current time zone of MA5600T A is GMT+7:00, the device uses the network
clock to adjust the time, and VLAN interface 2 is used to send a clock synchronization request
packet to MA5600T B (the IP address is 10.20.20.20/24 and the clock stratum is 4) that
functions as the NTP server. The DST start time is 00:00:00 on May 1, the end time is 00:00:00 on
September 30, and the adjust time is 1:00. That is, if the local time is 5:00, the time is adjusted
to 6:00. To set the DST, do as follows:
huawei(config)A#timezone GMT+ 7:00
huawei(config)B#ntp-service refclock-master 4
huawei(config)A#ntp-service unicast-server 10.20.20.20 source-interface vlanif 2
huawei(config)A#time dst start 5-1 00:00:00 end 9-30 00:00:00 adjust 1:00

Assume that the current time zone of MA5600T A is GMT- 4:00, the local time is used, the
current time is 2010-01-01 12:10:10. The start time is 00:00:00 on May 1, the end time is
00:00:00 on September 30, and the adjust time is 2:00. That is, if the local time is 5:00, the time
is adjusted to 7:00. To set the DST, do as follows:
huawei(config)A#timezone GMT- 4:00
huawei(config)A#time 2010-01-01 12:10:10
huawei(config)A#time dst start 5-1 00:00:00 end 9-30 00:00:00 adjust 2:00

1.3.15 Commissioning the EMU


The MA5600T monitors various environment parameters (including the temperature, humidity,
and voltage of the power supply) to ensure that the MA5600T can work stably in a proper
environment. This topic describes how to commission the environment monitoring unit (EMU).

Commissioning the EMU_CITB


This topic describes how to commission the H801CITB card to ensure that it accurately monitors
the ambient conditions of the device.

Context
The H801CITB card is a universal interface card. It monitors environment parameters such as
humidity, smoke, water, fire, voltage, and power supply through various sensors.
Points of attention when commissioning H801CITB cards:
- The EMU sub-nodes are numbered from 0 to 31.
- When the system is configured with multiple EMUs, ensure that the sub-nodes do not
  conflict with each other.

Table 1-15 lists the default configuration of the H801CITB card.


Table 1-15 Default configuration of the H801CITB card

Parameter            Default Value
Sub-node             20
Digital parameters   CITB digital parameter IDs
                     - Allocated by default (unable to be changed by a user)
                       0: FAN
                       1: load fuse
                     - User-defined IDs
                       2-8: allocated to other extended digital sensors.
                     Definitions of user-defined alarm indexes
                     1: AC voltage; 2: AC switch; 3: Battery voltage; 4: Battery fuse; 5:
                     Load fuse; 6: Rectifier; 7: DC power; 8: Room door; 9: Room door;
                     10: Thief; 11: Thief; 12: Wiring; 13: Fan; 14: Fire; 15: Fog; 16: Water;
                     17: Diesel; 18: Odor; 19: Air-condition; 20: Arrester

Procedure
Step 1 Insert the H801CITB card into the corresponding slot.
Step 2 Run the emu add command to add an H801CITB card. The default sub-node ID is 31.
Step 3 Run the interface emu command to enter the H801CITX mode.
Step 4 Run the citx digital command to set the digital parameters.
Step 5 Run the save command to save the data.
----End

Result
- After the configuration, the RUN ALM LED on the H801CITB card turns green and is on
  for 1s and off for 1s repeatedly, which indicates that the H801CITB card is accurately
  monitoring the environment.
- In the H801CITX mode, run the display citx system parameter command to check
  whether the EMU information is the same as the data plan.
- Close the doors of the cabinet and query alarms. Ensure that none of the monitoring alarms
  are generated.

Example
To add an H801CITB card and set its digital parameters (set the user-defined digital parameter ID
to 7, set the door status alarm ID to 8, set the alarm name to Door_1, and set the available level
of the alarm to high level), do as follows:
huawei(config)#emu add 1 H801CITX 0 15 H801CITX
huawei(config)#interface emu 1
huawei(config-if-h801citx-1)#citx digital 7 digital-alarm 8 name Door_1 available-level high-level
huawei(config-if-h801citx-1)#display citx system parameter
  EMU ID: 1
  Citx system parameter
  ----------------------------------------------------------------------------
  DigitalID  Name        Level  |DigitalID  Name        Level
  0          FAN         1      |1          Load fuse   1
  2                      1      |3                      1
  4                      1      |5                      1
  6                      1      |7          Door_1      1
  8                      1
  ----------------------------------------------------------------------------


Commissioning the EMU_FAN


This topic describes how to commission the FAN to ensure that it accurately monitors the running
status of fans on the device.

Context
NOTE

When the device is delivered, the EMU_FAN is already correctly connected to the shelf. The connection
does not need to be changed during device commissioning.

The fan tray is used to accurately monitor the running status of fans and correctly set the fan
rotation speed to ensure the proper heat dissipation of the device.
Points of attention when commissioning the FAN:
- The EMU sub-nodes are numbered from 0 to 31.
- When the system is configured with multiple EMUs, ensure that all the sub-nodes do not
  conflict with each other.
- It is recommended that you use the auto mode as the fan speed adjustment mode.

Table 1-16 lists the default settings of a fan tray.


Table 1-16 Default setting of a FAN
Parameter | Default Value
Sub-node |
Fan speed adjustment mode | Automatic
Report fan alarm | Permit

Procedure
Step 1 Insert the fan tray into the corresponding slot of the service shelf.
Step 2 Run the emu add command to add a FAN. The default sub-node ID is 1.
Step 3 Run the interface emu command to enter the FAN mode.
Step 4 Run the fan speed mode command to set the fan speed adjustment mode. The default fan speed
adjustment mode is set to automatic.
NOTE

When the fan speed adjustment mode is the manual mode, it is possible to run the
#GUID54A2D511-8A06-4A65-8ED6-BC8EFCB484D1_1 command to set the fan speed. The speed level
can be 0, 1, 2, 3, 4, 5. Here, 5 stands for the highest level and 0 stands for the lowest level.

Step 5 Run the fan alarmset command to configure the fan alarm reporting function. The fan alarms
are read temperature failure alarm, fan block alarm, over temperature alarm, and power failure
alarm. By default, the fan alarm reporting function is permitted.
Step 6 Run the save command to save the data.
----End

Result
- In the FAN mode, run the display fan system parameter command to query the parameters
  of the fan tray. Ensure that the configuration is the same as the data plan.
- In the FAN mode, run the display fan environment info command to query the running
  status of fans.
- In the FAN mode, run the display fan alarm command to query the alarm information
  generated by the fan tray. The states of all the fan alarms are normal.

Example
To add a FAN with the default speed adjustment mode and the permitted alarm reporting
function, do as follows:
huawei(config)#emu add 0 FAN 0 1 FAN
huawei(config)#interface emu 0
huawei(config-if-fan-0)#display fan system parameter
EMU ID: 0
FAN configration parameter:
----------------------------------------------------------------------------
FAN timing mode: Auto timing by temperature
----------------------------------------------------------------------------
Alarm_name                Permit/Forbid
Read temperature fault    Permit
Fan block                 Permit
Temperature high          Permit
Power fault               Permit
----------------------------------------------------------------------------

1.3.16 Configuring the RADIUS server


The MA5600T is interconnected with the RADIUS server using the RADIUS protocol to
implement authentication and accounting.

Background Information
- Principle of RADIUS:
  When a user tries to access another network (or some network resources) by setting up
  a connection to the NAS using a network, the NAS forwards the user authentication and
  accounting information to the RADIUS server. The RADIUS protocol specifies the
  means of transmitting the user information and accounting information between the
  NAS and the RADIUS server.
  The RADIUS server receives the connection requests of users sent from the NAS,
  authenticates the user account and password contained in the user data, and returns the
  required data to the NAS.
- Specification:
  For the MA5600T, the RADIUS is configured based on each RADIUS server group.
  In actual networking, a RADIUS server group can be an independent RADIUS server
  or a pair of primary/secondary RADIUS servers with the same configuration but
  different IP addresses.


Procedure
Step 1 Run the radius-server template command to create a RADIUS server template and enter the
RADIUS server template mode.
Step 2 Run the radius-server authentication command to configure the IP address and the UDP port
ID of the RADIUS server for authentication.
NOTE

- To guarantee normal communication between the MA5600T and the RADIUS server, before configuring
  the IP address and UDP port of the RADIUS server, make sure that the route between the RADIUS server
  and the MA5600T is in the normal state.
- Make sure that the configuration of the RADIUS service port of the MA5600T is consistent with the port
  configuration of the RADIUS server.

Step 3 Run the radius-server accounting command to configure the IP address and the UDP port ID
of the RADIUS server for accounting.
Step 4 Run the radius-server shared-key command to configure the shared key of the RADIUS server.
NOTE

- The RADIUS client (MA5600T) and the RADIUS server use the MD5 algorithm to encrypt the RADIUS
  packets. They check the validity of the packets by setting the encryption key. They can receive the packets
  from each other and can respond to each other only when their keys are the same.
- By default, the shared key of the RADIUS server is huawei.

Step 5 (Optional) Run the radius-server timeout command to set the response timeout time of the
RADIUS server. By default, the timeout time is 5s.
The MA5600T sends the request packets to the RADIUS server. If the RADIUS server does not
respond within the response timeout time, the MA5600T re-transmits the request packets to the
RADIUS server to ensure that users can get corresponding services from the RADIUS server.
Step 6 (Optional) Run the radius-server retransmit command to set the maximum number of
retransmissions of the RADIUS request packets. By default, the maximum number of retransmissions is 3.
When the number of retransmissions of the RADIUS request packets to a RADIUS server exceeds the
maximum, the MA5600T considers that its communication with the RADIUS
server is interrupted, and thus transmits the RADIUS request packets to another RADIUS server.
Step 7 Run the (undo)radius-server user-name domain-included command to configure the user
name (not) to carry the domain name when transmitted to the RADIUS server. By default, the
user name of the RADIUS server carries the domain name.
- An access user is named in the format of userid@domain-name, and the part after @ is the
  domain name. The MA5600T classifies a user into a domain according to the domain name.
- If a RADIUS server group rejects the user name carrying the domain name, the RADIUS
  server group cannot be set or used in two or more domains. Otherwise, when some access
  users in different domains have the same user name, the RADIUS server considers that these
  users are the same because the names transmitted to the server are the same.
Step 8 Run the quit command to return to the global config mode.
Step 9 In the domain mode, run the radius-server template command to use the RADIUS server
template.


NOTE

You can use a RADIUS server template in a domain only after the RADIUS server template is created. Only
the essential parameters are configured for the information exchange between the MA5600T and the RADIUS
server. To make the essential parameters take effect, the RADIUS server group should be referenced in a certain
domain. For the detailed configuration of RADIUS authentication and accounting, see 2.12.3
Configuration Example of the RADIUS Authentication and Accounting.

----End
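
The NOTE under Step 4 says that both ends must hold the same shared key. The following added example (not from the Huawei guide, and not device code) shows how RFC 2865 uses that key with MD5 to hide the User-Password attribute and to compute the Response Authenticator, and what each side sees when the keys differ. All function names, keys, passwords and packet contents are constructed for illustration.

```python
"""How RFC 2865 uses the RADIUS shared key with MD5 (added example)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code for Access-Accept


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, key: bytes, request_auth: bytes) -> bytes:
    """NAS side: hide the User-Password attribute (RFC 2865, section 5.2)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # b1 = MD5(key + RA), b(n) = MD5(key + c(n-1)); c(n) = p(n) XOR b(n)
        block = _xor(padded[i:i + 16], hashlib.md5(key + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, key: bytes, request_auth: bytes) -> bytes:
    """Server side: undo hide_password using the server's copy of the key."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(key + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, key: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + key)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + key).digest()
    return header + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, key: bytes) -> bool:
    """NAS side: accept the reply only if it was computed with the same key."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + key).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> dict:
    """Run one exchange with matching keys and one with mismatched keys."""
    request_auth = bytes(range(16))        # constructed; random in practice
    password = b"constructed-password-1"   # constructed sample value
    nas_key = b"constructed-key-A"         # constructed sample value
    other_key = b"constructed-key-B"       # server configured differently
    hidden = hide_password(password, nas_key, request_auth)
    reply_ok = build_response(ACCESS_ACCEPT, 1, b"", request_auth, nas_key)
    reply_bad = build_response(ACCESS_ACCEPT, 1, b"", request_auth, other_key)
    return {
        "same_key_password_ok":
            reveal_password(hidden, nas_key, request_auth) == password,
        "other_key_password_ok":
            reveal_password(hidden, other_key, request_auth) == password,
        "same_key_reply_accepted":
            verify_response(reply_ok, request_auth, nas_key),
        "other_key_reply_accepted":
            verify_response(reply_bad, request_auth, nas_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With mismatched keys the server recovers a wrong password and the NAS discards the reply, which is the behaviour the NOTE describes.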

1.3.17 Configuring the System Energy-Saving Function


This topic describes how to power off a board that is not configured with any service for a long
time to reduce the system power and thus to reduce the system energy consumption.

Prerequisites
The board must support the power-off mode and the energy-saving mode.

Context
Energy-saving modes include the manual energy-saving mode and automatic energy-saving
mode. By default, the system energy-saving mode is disabled.
- Manual energy-saving mode (powering off a board manually). You can manually power
  off a board that is not used in the shelf according to the plan for the energy-saving purpose.
  When the service is provisioned from the OSS server to a board that is powered off, the
  system prompts that the board is currently powered off. In this case, you can manually
  power on the board according to the prompt.
- Automatic energy-saving mode (automatically powering off a board). When the automatic
  energy-saving mode is enabled, the board configured with no service and the board whose
  ports are all deactivated will be automatically powered off in a certain period. When the
  automatic energy-saving mode is disabled, the boards are automatically powered on.
  Similarly, to provision the service to a board that is automatically powered off, you must
  manually power on the board or disable the automatic energy-saving mode.
- To power on a board that is powered off manually, you must run the board power-on
  command to manually power it on.
- You can recover the power supply of the board that is automatically powered off in the
  following three ways:
  - Run the board power-on command to power on the board.
  - Remove the board from the slot that is automatically powered off, and the system
    determines that the board is offline and then recovers the power supply of the slot. After
    the power supply is recovered, reinstall the board.
  - Run the undo system energy-saving mode command to disable the system energy-saving
    mode. Then, the system recovers the power supply of the boards that are
    automatically powered off.

Procedure
- Set the manual energy-saving mode.
  1. Run the board power-off command to manually power off a board.
- Set the automatic energy-saving mode.
  1. Run the system energy-saving mode command to enable the system energy-saving
     mode. By default, the system energy-saving mode is disabled.
  2. Run the display system energy-saving mode command to query the system
     energy-saving mode.
- Set high-temperature protection of a board.
  1. Run the temperature threshold command to set the high-temperature threshold and
     low-temperature threshold of the system. When the temperature of a board exceeds
     the high-temperature threshold or low-temperature threshold, the system
     automatically powers off the board.
  2. Run the display temperature threshold command to query the high-temperature
     threshold and low-temperature threshold of the system.

----End

Result
The queried status of the system energy-saving mode is enable. If no service is configured 15 minutes
after the board is confirmed and works normally, the board is powered off automatically.
When the temperature of a board exceeds the high-temperature threshold or low-temperature
threshold, the system automatically powers off the board.

Example
To enable the system energy-saving mode, do as follows:
huawei(config)#system energy-saving mode
Set the energy-saving mode successfully
huawei(config)#display system energy-saving mode
The status of the energy-saving switch: enable

To set the high-temperature threshold of the system to 70°C and low-temperature threshold of
the system to 10°C, do as follows:
huawei(config)#temperature threshold 70 10
huawei(config)#display temperature threshold
The temperature threshold of the system:
Up-limit : 70C( 158F)
Down-limit: 10C( 50F)

1.3.18 Checking the Configuration of the Auto-Save Function


This topic describes how to check the configuration of the auto-save function on the
MA5600T, which prevents data loss in case of unexpected restart.

Context
The MA5600T supports two auto-save modes. One mode is that the data is automatically saved
at certain intervals by running the autosave interval command (that is, auto-save at intervals),
and the other mode is that the data is automatically saved at preset time by running the autosave
time command (that is, auto-save at preset time). These two auto-save modes conflict with each
other, and the auto-save at intervals is recommended.

Saving data frequently affects the system performance. It is recommended that you set the
auto-save interval to 1440 minutes or longer.
You can run the save command to save the system data in real time regardless of whether the
auto-save function is enabled.
Table 1-17 lists the default configuration of the auto-save function.

Table 1-17 Default configuration of the auto-save function
Parameter | Default Value
Parameters of auto-save at intervals |
  - Switch of auto-save at intervals: off
  - Auto-save interval: 1440 minutes
  - Interval of changing configuration data: 30 minutes
Parameters of auto-save at preset time |
  - Switch of auto-save at preset time: off
  - Auto-save time: 00:00:00

Procedure
Step 1 Run the display autosave configuration command to query the status of the auto-save function.
If the auto-save function is disabled, proceed to step 2. If the auto-save function is enabled, go
to step 3. By default, the auto-save function is disabled.
Step 2 Enable the function of auto-save.
- If the auto-save at intervals is selected, run the autosave interval on command to enable the
  function of auto-save at intervals.
- If the auto-save at preset time is selected, run the autosave time on command to enable the
  function of auto-save at preset time.
NOTE

Auto-save at intervals and auto-save at preset time conflict with each other. Therefore, before enabling an
auto-save function, you must run the autosave time off or autosave interval off command to disable the
other auto-save function.

Step 3 Configure the auto-save parameters.
- If the auto-save at intervals is selected, run the autosave interval command to set the
  auto-save interval. By default, the auto-save interval is 1440 minutes, and the interval of saving
  the changed configuration data is 30 minutes.
- If the auto-save at preset time is selected, run the autosave time command to set the
  auto-save time. By default, the auto-save time is 00:00:00.

Step 4 Configure the type of the file.
Run the autosave type command to select the type of a file that is saved automatically. The files
that can be saved automatically are of three types: data files, configuration files, or both
database files and configuration files.
Step 5 Run the display autosave configuration command to check whether the configuration of the
auto-save function is the same as the actual data plan.
----End

Result
The configuration of the auto-save function is the same as the actual data plan.

Example
To enable the function of auto-save at intervals, and set the interval to 1600 minutes, do as
follows:
huawei#autosave interval on
System autosave interval switch: on
Autosave interval: 1440 minutes
Autosave type: data
System autosave modified configuration switch: on
Autosave interval: 30 minutes
Autosave type: data
huawei#autosave interval
{ configuration<K>|time<U><10,10080>|value<E><on,off> }:1600
Command:
autosave interval 1600
System autosave interval switch: on
Autosave interval: 1600 minutes
Autosave type: data

1.3.19 Saving the Data


This topic describes how to save the data in the flash memory to prevent data loss in case of
unexpected restart.

Precautions
- During the command running, the system displays the corresponding prompt. Do not power
  off or restart the system before the saving process is complete. Otherwise, the data in the
  flash memory may be damaged.
- Saving the data frequently affects the system performance.

Procedure
Step 1 In the privilege mode, run the save command to save the database file and the configuration file
of the current system in the flash memory.
----End

Result
When the data is saved successfully, the system displays the corresponding prompt.

Example
To save the database file and the configuration file to the flash memory manually, do as follows:
huawei#save
{ <cr>|configuration<K>|data<K> }:
Command:
save
huawei#


It will take several minutes to save configuration file, please wait...


huawei#
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
huawei#
The data is being saved, please wait a moment...

1.3.20 Backing Up System Files


When the first deployment or upgrade is complete, you need to back up the database file and
the configuration file so that the system can be easily recovered in case of a fault.

Prerequisites
If the maintenance Ethernet port is used to back up the system file, ensure that:
- The Ethernet port of the maintenance terminal must be connected to the maintenance
  Ethernet port on the MA5600T using a crossover cable. In addition, the IP address of the
  maintenance terminal and the IP address of the maintenance Ethernet port on the device
  must be in the same subnet.
- The application program that is used for backing up the system file is installed on the
  maintenance terminal, such as the TFTP, SFTP, or FTP program. In this topic, the TFTP
  program is considered as an example.

Procedure
Step 1 Run the TFTP program on the maintenance terminal, and set the path for saving the backup files.
By default, the backup files are saved to the installation path of the TFTP software.
NOTE

The system supports a system backup using either the serial port or the maintenance Ethernet port. The
backup using the serial port uses the Xmodem protocol, and the backup using the maintenance Ethernet
port uses the TFTP, SFTP, or FTP protocol. For details about the configuration of Xmodem/TFTP/SFTP/
FTP, see Contacting Huawei for Assistance.

Step 2 In the privilege mode, run the save command to save the data.
Step 3 In the privilege mode, run the backup data command to back up the database file.
Step 4 In the privilege mode, run the backup configuration command to back up the configuration
file.
----End

Result
After the backup is completed, you can locate the files backed up in the path that you set.

Example
To back up the database file to the TFTP server (IP address: 10.10.1.2) using TFTP, and name
the file 2009070101.txt, do as follows:
huawei#backup data tftp 10.10.1.2 2009070101.txt

To back up the configuration file to the TFTP server (IP address: 10.10.1.2) using TFTP, and
name the file 2009070102.txt, do as follows:
huawei#backup configuration tftp 10.10.1.2 2009070102.txt


1.4 Interconnection Commissioning


The MA5600T provides multiple interfaces for interconnection. This topic describes the
interconnection commissioning of the MA5600T.

1.4.1 Commissioning the Interconnection with the NMS


The MA5600T provides the function of interconnecting with the network management system,
with which the administrator can maintain and manage the MA5600T using the NMS. This topic
considers the iManager NMS Network Management System as an example to describe how to
perform the interconnection commissioning between the NMS and the MA5600T in the inband
mode and the outband mode.

Commissioning Inband Network Management


This topic describes how to implement the inband network management on the MA5600T using
the upstream port (inband network management port). This enables the NMS to maintain the
MA5600T using this management channel. In the inband network management mode, the service
channel of the device is used to transmit the management information. The network is flexible
and requires no additional devices, which helps save the cost for carriers. This network, however,
is difficult to maintain.

Service Requirements
In the network as shown in Figure 1-34, the service requirements are as follows:
- The MA5600T provides the inband network management using the upstream port.
- The upstream port of the GIU board on the MA5600T is used as the inband network
  management port.
- A static route is used between the MA5600T and the NMS.
- SNMP V3 is used (more reliable than V1 and V2, providing network security and access
  control management functions).

Figure 1-34 Example network for the inband network management

Figure 1-35 shows the flowchart for commissioning the inband network management.


Figure 1-35 Flowchart for commissioning the inband network management

Procedure
- Commission the inband network management on the device.
  1. Configure the IP address of the inband network management port.
     The upstream port (inband network management port) is 0/17/0, the VLAN ID is 1000,
     the VLAN type is standard VLAN, and the IP address is 10.50.1.10/24.
     huawei(config)#vlan 1000 standard
     huawei(config)#port vlan 1000 0/17 0
     huawei(config)#interface vlanif 1000
     huawei(config-if-vlanif1000)#ip address 10.50.1.10 255.255.255.0
     huawei(config-if-vlanif1000)#quit
     NOTE
     If the packet transmitted from the upstream port is untagged, run the native-vlan command to
     configure the native VLAN of the upstream port to be the same as the VLAN of the upstream
     port.
  2. Add a route for the inband network management.
     Use the static route. The destination IP address is 10.10.1.0/24 (the network segment
     to which the NMS belongs), and the gateway IP address is 10.50.1.1/24 (the IP address
     of the gateway of the MA5600T).
     huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1
  3. Set the SNMP parameters.
     a. Configure the SNMP user, group, and view.
        The user name is user1, the group name is group1, the user authentication mode
        is MD5, the authentication password is authkey123, the user encryption mode
        is des56, the encryption password is prikey123, the read and write view names
        are hardy, and the view includes the internet subtree.
        huawei(config)#snmp-agent usm-user v3 user1 group1 authentication-mode md5 authkey123 privacy-mode des56 prikey123
        huawei(config)#snmp-agent group v3 group1 privacy read-view hardy write-view hardy
        huawei(config)#snmp-agent mib-view hardy include internet
     b. (Optional) Set the ID and contact means of the administrator.
        The contact means of the administrator is HW-075528780808.
        huawei(config)#snmp-agent sys-info contact HW-075528780808
     c. (Optional) Set the location of the device.
        The location of the device is Shenzhen_China.
        huawei(config)#snmp-agent sys-info location Shenzhen_China
     d. (Optional) Configure the engine ID of the SNMP entity.
        The engine ID of the SNMP entity is set to 0123456789.
        NOTE
        The context engine ID of the SNMP must be the same as that on the NMS.
        huawei(config)#snmp-agent local-engineid 0123456789
     e. Set the SNMP version.
        The SNMP version is SNMP V3.
        NOTE
        The SNMP version must be the same as the SNMP version set on the NMS.
        huawei(config)#snmp-agent sys-info version v3
  4. Enable the function of sending traps.
     On the MA5600T, enable the function of sending traps to the NMS.
     huawei(config)#snmp-agent trap enable standard
  5. Configure the IP address of the destination host for the traps.
     The host name is huawei, the IP address of the host is 10.10.1.10/24 (IP address of
     the NMS), the trap parameter name is ABC, the SNMP version is V3, the parameter
     security name is user1 (when the SNMP V3 is used, the parameter security name is
     the USM user name), and the traps are authenticated and encrypted.
     huawei(config)#snmp-agent target-host trap-hostname huawei address 10.10.1.10 trap-paramsname ABC
     huawei(config)#snmp-agent target-host trap-paramsname ABC v3 securityname user1 privacy
  6. Configure the IP address of the VLAN interface as the source address for sending
     traps.
     Enable the forwarding of the SNMP packets from the Layer 3 interface of VLAN 1000
     of the MA5600T.
     huawei(config)#snmp-agent trap source vlanif 1000
  7. Save the data.
     huawei(config)#save

- Commission the inband network management on the NMS.
  1. Set 10.10.1.1 as the gateway of the route from the NMS server to network segment
     10.50.1.0/24.
     In the Solaris OS, do as follows:
     - Run the route add 10.50.1.0 10.10.1.1 command to add a route.
     - Run the netstat -r command to query the information about the current routing
       table.
     In the Windows OS, do as follows:
     - Run the route add 10.50.1.0 mask 255.255.255.0 10.10.1.1 command to add a
       route.
     - Run the route print command to query the information about the current routing
       table.
     NOTE
     When the IP address of the network management port and the IP address of the NMS are in
     the same network segment, you need not configure the routing information.
  2. Set the SNMP parameters.
     a. Choose Administration > NE Communicate Parameter > Default Access
        Protocol Parameters from the main menu.
     b. On the NE Access Parameters tab page, click Reset. In the dialog box that is
        displayed, click the corresponding tab, and then click Add.
     c. Choose SNMP v3 Parameter, set the SNMP parameters in the lower pane, as
        shown in Figure 1-36.

        Figure 1-36 Set the SNMP parameters

        After selecting corresponding protocols in Priv Protocol and Auth Protocol,
        click the button next to the parameter, and set the passwords of data encryption protocol
        and authentication protocol, as shown in Figure 1-37.

        Figure 1-37 Set the password

        NOTE
        NE User, Context Engine ID, Priv Protocol and password, and Auth Protocol and
        password must be the same as those configured on the MA5600T. You can run the display
        snmp-agent usm-user command to query the device user, data encryption protocol, and
        authentication protocol on the MA5600T and run the display snmp-agent local-engineid
        command to query the context engine ID on the MA5600T.
     d. Click OK.
     e. Select the added SNMP parameters. Click OK.
     f. In the dialog box that is displayed, click Yes to test the set SNMP parameters.
     g. The NMS displays the Loading dialog box. After the testing is complete, click
        OK.
  3. Add a device.
     a. In the Physical Root navigation tree on the Main Topology tab page, right-click
        and choose New > NE from the shortcut menu.
     b. In the dialog box that is displayed, choose Access NE > Access NE from the
        main menu.
     c. In the dialog box that is displayed, set the required parameters, as shown in
        Figure 1-38.
        IP address is 10.50.1.10, Device Name is huawei, SNMP Parameters is SNMP
        V3:default.

        Figure 1-38 Add device

  4. Click OK. The system prompts a message indicating that several seconds or some 10
     minutes are required for uploading the device data. After the related data is read, the
     system automatically refreshes and displays the device icon.

----End

Result
You can maintain and manage the MA5600T using the NMS.

Configuration File
The following describes the script for commissioning the inband network management on the
device.
vlan 1000 standard
port vlan 1000 0/17 0
interface vlanif 1000
ip address 10.50.1.10 255.255.255.0
quit
ip route-static 10.10.1.0 24 10.50.1.1
snmp-agent usm-user v3 user1 group1 authentication-mode md5 authkey123 privacy-mode des56 prikey123
snmp-agent group v3 group1 privacy read-view hardy write-view hardy
snmp-agent mib-view hardy include internet
snmp-agent sys-info contact HW-075528780808
snmp-agent sys-info location Shenzhen_China
snmp-agent sys-info version v3
snmp-agent trap enable standard
snmp-agent target-host trap-hostname huawei address 10.10.1.10 trap-paramsname ABC
snmp-agent target-host trap-paramsname ABC v3 securityname user1 privacy
snmp-agent trap source vlanif 1000
save
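
The procedure above requires the user, protocols, passwords and engine ID on the NMS to match the device. The following added example (not from the Huawei guide, and not device or NMS code) follows RFC 3414: a USM user's MD5 authentication key is derived from the password and then localized with the agent's engine ID, so a different engine ID on one side yields a different key and a message authentication code that the other side rejects. Function names, the password and the message bytes are constructed, and reading the page's engine ID 0123456789 as hex octets is an assumption.

```python
"""SNMPv3 USM key localization and HMAC-MD5-96 per RFC 3414 (added example)."""
import hashlib
import hmac


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: hash 1,048,576 octets of the repeated password (Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rest = divmod(1048576, len(password))
    stream = password * reps + password[:rest]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku + engineID + Ku)."""
    if not engine_id:
        raise ValueError("engine ID must not be empty")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(localized_key: bytes, whole_msg: bytes) -> bytes:
    """HMAC-MD5-96: the first 12 octets of HMAC-MD5 over the whole message.

    On the wire the msgAuthenticationParameters field holds 12 zero octets
    while the MAC is computed; whole_msg stands for that serialized message.
    """
    return hmac.new(localized_key, whole_msg, hashlib.md5).digest()[:12]


def receiver_accepts(receiver_key: bytes, whole_msg: bytes,
                     received_params: bytes) -> bool:
    """Receiver recomputes the MAC with its own localized key and compares."""
    expected = auth_parameters(receiver_key, whole_msg)
    return hmac.compare_digest(expected, received_params)


def engine_id_mismatch_demo() -> tuple:
    """Same password on both sides; only the engine ID differs in case two."""
    password = b"constructed-auth-password"           # constructed value
    device_engine = bytes.fromhex("0123456789")       # page value, assumed hex
    wrong_engine = bytes.fromhex("0123456780")        # constructed mismatch
    msg = b"constructed SNMPv3 message, auth field zeroed"

    ku = password_to_key(password)
    device_key = localize_key(ku, device_engine)

    nms_key_matching = localize_key(ku, device_engine)
    nms_key_mismatch = localize_key(ku, wrong_engine)

    accepted_matching = receiver_accepts(
        device_key, msg, auth_parameters(nms_key_matching, msg))
    accepted_mismatch = receiver_accepts(
        device_key, msg, auth_parameters(nms_key_mismatch, msg))
    return accepted_matching, accepted_mismatch


if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector: password "maplesyrup", 12-octet engine ID.
    ku = password_to_key(b"maplesyrup")
    kul = localize_key(ku, bytes.fromhex("000000000000000000000002"))
    print("Ku :", ku.hex())
    print("Kul:", kul.hex())
    print("matching / mismatched engine ID accepted:",
          engine_id_mismatch_demo())
```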

Commissioning Outband Network Management


This topic describes how to implement the outband network management on the MA5600T using
the local maintenance Ethernet port (outband network management port). This enables the
U2000 to maintain the MA5600T using this management channel. In the outband network
management mode, a non-service channel is used to transmit the management information. With
the use of the non-service channel, the management channel is separated from the service
channel, which is more reliable than in the inband network management mode.

Service Requirements
In the network as shown in Figure 1-39, the service requirements are as follows:
- The MA5600T provides the outband network management channel using the local
  maintenance Ethernet port.
- A static route is used between the MA5600T and the NMS.
- SNMP V3 is used (more reliable than V1 and V2, providing network security and access
  control management functions).

Figure 1-39 Example network for the outband network management

Figure 1-40 shows the flowchart for commissioning the outband network management on the
device.


Figure 1-40 Flowchart for commissioning the outband network management on the device

Procedure
• Commission the outband network management on the device.

1. Configure the IP address of the maintenance Ethernet port.


The IP address of the local maintenance Ethernet port (outband network management
port) of the MA5600T is 10.50.1.10/24.
NOTE

By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is
10.11.104.2, and the subnet mask is 255.255.255.0.
huawei(config)#interface meth 0
huawei(config-if-meth0)#ip address 10.50.1.10 255.255.255.0
huawei(config-if-meth0)#quit

2. Add a route for the outband network management.


Use the static route. The destination IP address is 10.10.1.0/24 (the network segment
to which the U2000 belongs), and the gateway IP address is 10.50.1.1/24 (the IP
address of the gateway of the MA5600T).
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

3. Set the SNMP parameters.

a. Configure the SNMP user, group, and view.

The user name is user1, the group name is group1, the user authentication mode
is MD5, the authentication password is authkey123, the user encryption mode
is des56, the encryption password is prikey123, the read and write view names
are hardy, and the view includes the internet subtree.
huawei(config)#snmp-agent usm-user v3 user1 group1 authentication-mode md5 authkey123 privacy-mode des56 prikey123
huawei(config)#snmp-agent group v3 group1 privacy read-view hardy write-view hardy
huawei(config)#snmp-agent mib-view hardy include internet

b. (Optional) Set the ID and contact means of the administrator.


The contact means of the administrator is HW-075528780808.
huawei(config)#snmp-agent sys-info contact HW-075528780808

c. (Optional) Set the location of the device.


The location of the device is Shenzhen_China.
huawei(config)#snmp-agent sys-info location Shenzhen_China

d. (Optional) Configure the engine ID of the SNMP entity.


The engine ID of the SNMP entity is set to 0123456789.
NOTE

The context engine ID of the SNMP must be the same as that on the NMS.
huawei(config)#snmp-agent local-engineid 0123456789

e. Set the SNMP version.


The SNMP version is SNMP V3.
NOTE

The SNMP version must be the same as the SNMP version set on the NMS.
huawei(config)#snmp-agent sys-info version v3

4. Enable the function of sending traps.


On the MA5600T, enable the function of sending traps to the NMS.
huawei(config)#snmp-agent trap enable standard

5. Configure the IP address of the destination host for the traps.


The host name is huawei, the IP address of the host is 10.10.1.10/24 (IP address of
the NMS), the trap parameter name is ABC, the SNMP version is V3, the parameter
security name is user1 (when the SNMP V3 is used, the parameter security name is
the USM user name), and the traps are authenticated and encrypted.
huawei(config)#snmp-agent target-host trap-hostname huawei address 10.10.1.10 trap-paramsname ABC
huawei(config)#snmp-agent target-host trap-paramsname ABC v3 securityname user1 privacy

6. Set the IP address of the maintenance Ethernet port as the source IP address for sending
traps.
Set the SNMP packets to be forwarded from the maintenance Ethernet port of the
MA5600T. That is, the source address of the traps is meth 0.
huawei(config)#snmp-agent trap source meth 0

7. Save the data.


huawei(config)#save

• Commission the outband network management on the NMS.


1. Configure the gateway of the route from the NMS server to network segment
10.50.1.0/24 to 10.10.1.1.
In the Solaris OS, do as follows:
Run the route add 10.50.1.0 10.10.1.1 command to add a route.


Run the netstat -r command to query the information about the current routing
table.
In the Windows OS, do as follows:
Run the route add 10.50.1.0 mask 255.255.255.0 10.10.1.1 command to add a
route.
Run the route print command to query the information about the current routing
table.
NOTE

When the IP address of the network management port and the IP address of the NMS are in
the same network segment, you need not configure the routing information.

2. Set the SNMP parameters.

a. Choose Administration > NE Communicate Parameter > Default Access Protocol Parameters from the main menu.

b. On the NE Access Parameters tab page, click Reset. In the dialog box that is
displayed, click the corresponding tab, and then click Add.

c. Choose SNMP v3 Parameter, set the SNMP parameters in the lower pane, as
shown in Figure 1-41.

Figure 1-41 Set the SNMP parameters

After selecting the corresponding protocols in Priv Protocol and Auth Protocol,
click the button next to the parameter, and set the passwords of the data encryption
protocol and authentication protocol, as shown in Figure 1-42.


Figure 1-42 Set the password

NOTE

NE User, Context Engine ID, Priv Protocol and password, and Auth Protocol and
password must be the same as those configured on the MA5600T. You can run the display
snmp-agent usm-user command to query the device user, data encryption protocol, and
authentication protocol on the MA5600T and run the display snmp-agent local-engineid
command to query the context engine ID on the MA5600T.

d. Click OK.

e. Select the added SNMP parameters. Click OK.

f. In the dialog box that is displayed, click Yes to test the set SNMP parameters.

g. The NMS displays the Loading dialog box. After the testing is complete, click
OK.

3. Add a device.

a. In the Physical Root navigation tree on the Main Topology tab page, right-click
and choose New > NE from the shortcut menu.

b. In the dialog box that is displayed, choose Access NE > Access NE from the
main menu.

c. In the dialog box that is displayed, set the required parameters, as shown in
Figure 1-43.
IP address is 10.50.1.10, Device Name is huawei, SNMP Parameters is SNMP
V3:default.


Figure 1-43 Add device

4. Click OK. The system displays a message indicating that uploading the device data takes
from several seconds to about 10 minutes. After the related data is read, the
system automatically refreshes and displays the device icon.

----End

Result
You can maintain and manage the MA5600T using the NMS.

Configuration File
The following describes the script for commissioning the outband network management on the
device.
interface meth 0
ip address 10.50.1.10 255.255.255.0
quit
ip route-static 10.10.1.0 24 10.50.1.1
snmp-agent usm-user v3 user1 group1 authentication-mode md5 authkey123 privacy-mode
des56 prikey123
snmp-agent group v3 group1 privacy read-view hardy write-view hardy
snmp-agent mib-view hardy include internet
snmp-agent sys-info contact HW-075528780808
snmp-agent sys-info location Shenzhen_China
snmp-agent sys-info version v3
snmp-agent trap enable standard


snmp-agent target-host trap-hostname huawei address 10.10.1.10 trap-paramsname ABC


snmp-agent target-host trap-paramsname ABC v3 securityname user1 privacy
snmp-agent trap source meth 0
save
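
The NOTE in step 3.d exists because SNMP V3 derives each user's authentication key from the password and the engine ID (key localization, RFC 3414), so an NMS that holds the right password but a different engine ID computes a different key. The following Python code is an added example, not part of the Huawei guide; it assumes the CLI value 0123456789 is a hex string, and the mismatched NMS engine ID 0123456788 is constructed.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1048576  # RFC 3414 A.2: hash exactly 2^20 octets of repeated password


def password_to_key_md5(password: bytes) -> bytes:
    """Ku: MD5 over the password repeated until 1,048,576 octets are produced."""
    if not password:
        raise ValueError("password must not be empty")
    repeats = ONE_MEGABYTE // len(password) + 1
    return hashlib.md5((password * repeats)[:ONE_MEGABYTE]).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Kul = MD5(Ku || snmpEngineID || Ku): binds the key to one SNMP engine."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 octets")
    return hashlib.md5(ku + engine_id + ku).digest()


def auth_key(password: str, engine_id_hex: str) -> bytes:
    """Localized MD5 authentication key for a USM user on a given engine."""
    ku = password_to_key_md5(password.encode("ascii"))
    # Assumption: the engine ID is entered on the CLI as a hex string.
    return localize_key(ku, bytes.fromhex(engine_id_hex))


def nms_can_authenticate(password: str, agent_engine_hex: str, nms_engine_hex: str) -> bool:
    """True only if the agent and the NMS derive the same localized key."""
    return hmac.compare_digest(
        auth_key(password, agent_engine_hex),
        auth_key(password, nms_engine_hex),
    )


if __name__ == "__main__":
    # Values from this guide: user1 / authkey123 / local-engineid 0123456789.
    print("agent key :", auth_key("authkey123", "0123456789").hex())
    # Constructed mismatch: the NMS was configured with a different engine ID.
    print("NMS key   :", auth_key("authkey123", "0123456788").hex())
    print("match     :", nms_can_authenticate("authkey123", "0123456789", "0123456788"))
```

Because the localized key depends only on the password and the engine ID, a short password such as the one in this example script remains the weak point regardless of the engine ID chosen.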

1.4.2 Commissioning the Interconnection with the Router


This topic describes how to check whether the MA5600T can normally communicate with the
router and whether the MA5600T can access the upper-layer device using the router.

Service Requirements
In the network as shown in Figure 1-44, the service requirements are as follows:
• The MA5600T uses the GIU board for upstream transmission.
• By interconnecting with the router, the MA5600T can be interconnected with the upper-layer
device by configuring a static route on the MA5600T.
NOTE

For details about how to configure a router, see the related configuration guide.

Figure 1-44 Example network for commissioning the interconnection with the router

Procedure
Step 1 Configure a VLAN.
The VLAN ID is 2, and the VLAN type is smart VLAN.
huawei(config)#vlan 2 smart

Step 2 Add an upstream port to the VLAN.


Upstream port 0/17/0 is added to VLAN 2.
huawei(config)#port vlan 2 0/17 0
NOTE

If the packet transmitted from the upstream port is untagged, run the native-vlan command to configure
the native VLAN of the upstream port to be the same as the VLAN of the upstream port.

Step 3 Configure the IP address of the Layer 3 interface.


The Layer 3 interface IP address is 10.50.1.10/24, and this IP address must be in the same network
segment as the gateway IP address (IP address of the router port that is connected to the
MA5600T).

huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.50.1.10 255.255.255.0
huawei(config-if-vlanif2)#quit

Step 4 Add a static route.


The destination IP address is 10.10.1.0/24, and the next-hop IP address is gateway IP address
10.50.1.1.
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

Step 5 Save the data.


huawei(config)#save

----End

Result
After the MA5600T is interconnected with the router successfully, you can ping IP address
10.10.1.12 from the MA5600T.

Configuration File
vlan 2 smart
port vlan 2 0/17 0
interface vlanif 2
ip address 10.50.1.10 255.255.255.0
quit
ip route-static 10.10.1.0 24 10.50.1.1
save

1.4.3 Commissioning the Management Channel Between the OLT and the GPON MDU

This topic describes how to commission the management channel between the MA5600T and
the GPON MDU to ensure that you can log in to the GPON MDU using the MA5600T at the
CO to remotely maintain and manage the GPON MDU.

Service Requirements
In the network as shown in Figure 1-45, the service requirements are as follows:
• A GPON port on the MA5600T is connected to 128 MDUs using an optical splitter.
NOTE

The following considers MDU 0 as an example for commissioning the management channel between
the OLT and the GPON MDU.

• After the management channel between the MA5600T and the GPON MDU is set up, you
can log in to the MDU using port 0/4/0 connected to the MDU to remotely maintain and
manage the MDU.
• The DBA profile is used to limit the user rate to the fixed 10 Mbit/s bandwidth.


Figure 1-45 Example network for commissioning the management channel between the OLT
and the GPON MDU

Figure 1-46 shows the flowchart for commissioning the management channel between the OLT
and the GPON MDU.


Figure 1-46 Flowchart for commissioning the management channel between the OLT and the
GPON MDU

Procedure
Step 1 Create a VLAN.
The VLAN ID is 20, and the VLAN type is smart VLAN.

huawei(config)#vlan 20 smart

Step 2 Add an upstream port to the VLAN.


Upstream port 0/17/0 on the GIU board is added to VLAN 20.
huawei(config)#port vlan 20 0/17 0

Step 3 Configure the IP address of the Layer 3 interface.


The Layer 3 IP address is 192.168.1.100/24.
huawei(config)#interface vlanif 20
huawei(config-if-vlanif20)#ip address 192.168.1.100 255.255.255.0
huawei(config-if-vlanif20)#quit

Step 4 Add a DBA profile.


The DBA profile ID is 12, the DBA profile uses the default name DBA-profile_12, the bandwidth
type is type1 (fixed bandwidth), and the user rate is the fixed 10 Mbit/s bandwidth.
NOTE

• The bandwidth type and the attribute of the DBA profile must be compatible with the service to be
carried.
• The system supports five DBA profile types, namely, type1 (fixed bandwidth), type2 (assured
bandwidth), type3 (assured bandwidth+maximum bandwidth), type4 (maximum bandwidth), and type5
(fixed bandwidth+assured bandwidth+maximum bandwidth).
• By default, the system provides DBA profiles 1 to 9, each of which provides typical values for traffic
parameters. By default, T-CONT 0 is bound with DBA profile 1.
• The value of the bandwidth you input when adding the DBA profile rounds down to the nearest integer
multiple of 64. For example, if the input bandwidth value is 1022 kbit/s, the actual bandwidth is 960
kbit/s.
• You can run the display dba-profile command to query the information about the DBA profile.
huawei(config)#dba-profile add profile-id 12 type1 fix 10240

Step 5 Configure an MDU line profile.


The MDU line profile ID is 5, T-CONT 1 is bound with DBA profile 12, GEM port 0 is bound
to T-CONT 1, the service type is ETH, and the mapping mode is VLAN mapping.
huawei(config)#ont-lineprofile gpon profile-id 5
huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 12
huawei(config-gpon-lineprofile-5)#gem add 0 eth tcont 1
huawei(config-gpon-lineprofile-5)#gem mapping 0 0 vlan 20
huawei(config-gpon-lineprofile-5)#commit
huawei(config-gpon-lineprofile-5)#quit

Step 6 Add an MDU.


MDU 0 is connected to GPON port 0, the MDU authentication mode is the SN authentication,
the SN is 32303131B39FD641, the management protocol is SNMP, and MDU profile 5 is bound
to MDU 0.
NOTE

You can add an MDU in the following two ways: confirming an auto-discovered MDU and adding an
MDU offline. Here, the method of adding an MDU offline is considered as an example.
You can also run the port ont-auto-find command to enable the function of auto-discovering an MDU,
and then run the ont confirm command to confirm the auto-discovered MDU.
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#ont add 0 0 sn-auth 32303131B39FD641 snmp ont-lineprofile-id 5

Step 7 Configure the management IP address of the MDU.


The management IP address is 192.168.1.200/24, and the ID of the native VLAN to which the
MDU port belongs is 20.
huawei(config-if-gpon-0/4)#ont ipconfig 0 0 static ip-address 192.168.1.200 mask 255.255.255.0 vlan 20
huawei(config-if-gpon-0/4)#quit

Step 8 Set the SNMP parameters.


Configure SNMP profile 10. That is, the SNMP version is SNMP V2C, the read community
name is public, the write community name is private, the IP address of the NMS is
10.10.1.10/24, the port is 162, the parameter security name is user1 (the parameter security name
is the write community name), and the gateway IP address is 192.168.1.101.
huawei(config)#snmp-profile add profile-id 10 v2c public private 10.10.1.10 162 private
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#ont snmp-profile 0 0 profile-id 10
huawei(config-if-gpon-0/4)#ont snmp-route 0 0 ip-address 10.10.1.10 mask 255.255.255.0 next-hop 192.168.1.101
huawei(config-if-gpon-0/4)#quit

Step 9 Add a service port to the VLAN.


huawei(config)#service-port vlan 20 gpon 0/4/0 ont 0 gemport 0 multi-service user-vlan 20

Step 10 Save the data.


huawei(config)#save

----End

Result
After the commissioning is complete, you can remotely maintain and manage the MDU using
telnet 192.168.1.200.

Configuration File
vlan 20 smart
port vlan 20 0/17 0
interface vlanif 20
ip address 192.168.1.100 255.255.255.0
quit
dba-profile add profile-id 12 type1 fix 10240
ont-lineprofile gpon profile-id 5
tcont 1 dba-profile-id 12
gem add 0 eth tcont 1
gem mapping 0 0 vlan 20
commit
quit
interface gpon 0/4
ont add 0 0 sn-auth 32303131B39FD641 snmp ont-lineprofile-id 5
ont ipconfig 0 0 static ip-address 192.168.1.200 mask 255.255.255.0 vlan 20
quit
snmp-profile add profile-id 10 v2c public private 10.10.1.10 162 private
interface gpon 0/4
ont snmp-profile 0 0 profile-id 10
ont snmp-route 0 0 ip-address 10.10.1.10 mask 255.255.255.0 next-hop 192.168.1.101
quit
service-port vlan 20 gpon 0/4/0 ont 0 gemport 0 multi-service user-vlan 20
save


1.4.4 Commissioning the Management Channel Between the OLT and the EPON MDU

This topic describes how to commission the management channel between the MA5600T and
the EPON MDU to ensure that you can log in to the EPON MDU using the MA5600T at the
CO to remotely maintain and manage the EPON MDU.

Service Requirements
In the network as shown in Figure 1-47, the service requirements are as follows:
• An EPON port on the MA5600T is connected to 64 MDUs using a 2-level splitter.
NOTE

The following considers MDU 0 as an example to commission the management channel between the
OLT and the EPON MDU.

• After the management channel between the MA5600T and the EPON MDU is set up, you
can log in to the MDU using port 0/4/0 connected to the MDU to remotely maintain and
manage the MDU.

Figure 1-47 Example network for commissioning the management channel between the OLT
and the EPON MDU

Figure 1-48 shows the flowchart for commissioning the management channel between the OLT
and the EPON MDU.


Figure 1-48 Flowchart for commissioning the management channel between the OLT and the
EPON MDU

Procedure
Step 1 Create a VLAN.
The VLAN ID is 20, and the VLAN type is smart VLAN.

huawei(config)#vlan 20 smart

Step 2 Add the upstream port to the created VLAN.


Add the upstream port to VLAN 20.
huawei(config)#port vlan 20 0/17 0

Step 3 Configure the IP address of the Layer 3 interface.


Configure the IP address of the Layer 3 interface to 192.168.1.100/24.
huawei(config)#interface vlanif 20
huawei(config-if-vlanif20)#ip address 192.168.1.100 255.255.255.0
huawei(config-if-vlanif20)#quit

Step 4 Configure a DBA profile.


The DBA profile ID is 12, the DBA profile name uses the default name DBA-profile_12, the
bandwidth type is type2 (assured bandwidth), and the user rate is the assured 10 Mbit/s
bandwidth.
NOTE

• The bandwidth type and the attribute of the DBA profile must be compatible with the service to be
carried.
• The system supports five DBA profile types, namely, type1 (fixed bandwidth), type2 (assured
bandwidth), type3 (assured bandwidth+maximum bandwidth), type4 (maximum bandwidth), and type5
(fixed bandwidth+assured bandwidth+maximum bandwidth).
• By default, the system provides DBA profiles 1 to 9, each of which provides typical values for traffic
parameters. By default, T-CONT 0 is bound to DBA profile 1.
• You can run the display dba-profile command to query the information about the DBA profile.
huawei(config)#dba-profile add profile-id 12 type2 assure 10240

Step 5 Configure an MDU line profile.


MDU line profile 13 is bound to DBA profile 12.
huawei(config)#ont-lineprofile epon profile-id 13
huawei(config-epon-lineprofile-13)#llid dba-profile-id 12
huawei(config-epon-lineprofile-13)#commit
huawei(config-epon-lineprofile-13)#quit

Step 6 Add an MDU.


MDU 0 is connected to EPON port 0, and the MAC address for the MDU authentication is
0000-0010-0101, the management protocol is SNMP, and MDU 0 is bound to MDU profile 13.
NOTE

You can add an MDU in the following two ways: confirming an auto-discovered MDU and adding an
MDU offline. Here, the method of adding an MDU offline is considered as an example.
You can also run the port ont-auto-find command to enable the MDU auto-find function, and then run
the ont confirm command to confirm an auto-found MDU.
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#ont add 0 0 mac-auth 0000-0010-0101 snmp ont-lineprofile-id 13

Step 7 Configure the management IP address of the MDU.


The management IP address is 192.168.1.200/24, and the ID of the native VLAN to which the
MDU port belongs is 20.
huawei(config-if-epon-0/4)#ont ipconfig 0 0 ip-address 192.168.1.200 mask 255.255.255.0 vlan 20


huawei(config-if-epon-0/4)#quit

Step 8 Set the SNMP parameters.


Configure SNMP profile 10. That is, the SNMP version is SNMP V2C, the read community
name is public, the write community name is private, the IP address of the NMS is
10.10.1.10/24, the port is 162, the parameter security name is user1 (the parameter security name
is the write community name), and the gateway IP address is 192.168.1.101.
huawei(config)#snmp-profile add profile-id 10 v2c public private 10.10.1.10 162 private
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#ont snmp-profile 0 0 profile-id 10
huawei(config-if-epon-0/4)#ont snmp-route 0 0 ip-address 10.10.1.10 mask 255.255.255.0 next-hop 192.168.1.101
huawei(config-if-epon-0/4)#quit

Step 9 Add a service port to the VLAN.


huawei(config)#service-port vlan 20 epon 0/4 ont 0 multi-service user-vlan 20

Step 10 Save the data.


huawei(config)#save

----End

Result
After the commissioning is complete, you can remotely maintain and manage the MDU by telnet
192.168.1.200 using MA5600T.

Configuration File
vlan 20 smart
port vlan 20 0/17 0
interface vlanif 20
ip address 192.168.1.100 255.255.255.0
quit
dba-profile add profile-id 12 type2 assure 10240
ont-lineprofile epon profile-id 13
llid dba-profile-id 12
commit
quit
interface epon 0/4
ont add 0 0 mac-auth 0000-0010-0101 snmp ont-lineprofile-id 13
ont ipconfig 0 0 static ip-address 192.168.1.200 mask 255.255.255.0 vlan 20
quit
snmp-profile add profile-id 10 v2c public private 10.10.1.10 162 private
interface epon 0/4
ont snmp-profile 0 0 profile-id 10
ont snmp-route 0 0 ip-address 10.10.1.10 mask 255.255.255.0 next-hop 192.168.1.101
quit
service-port vlan 20 epon 0/4 ont 0 multi-service user-vlan 20
save
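
The GPON and EPON MDU scripts above push an SNMP V2C profile with the community names public and private, while the outband script in 1.4.1 uses SNMP V3 with md5 and des56 and a write view over the whole internet subtree. The following Python check is an added example, not Huawei code: it reads command lines exactly as they appear in this guide's Configuration File listings and reports the SNMP settings a security review would question. The rule names are made up for this example, and the embedded samples are copied from the listings.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    line_no: int
    rule: str    # rule names are invented for this example
    detail: str


# Constructed samples: command lines copied from the listings in this guide.
OUTBAND_CONFIG = """\
snmp-agent usm-user v3 user1 group1 authentication-mode md5 authkey123 privacy-mode des56 prikey123
snmp-agent group v3 group1 privacy read-view hardy write-view hardy
snmp-agent mib-view hardy include internet
snmp-agent sys-info version v3
snmp-agent target-host trap-paramsname ABC v3 securityname user1 privacy
"""

MDU_CONFIG = """\
snmp-profile add profile-id 10 v2c public private 10.10.1.10 162 private
interface gpon 0/4
ont snmp-profile 0 0 profile-id 10
ont snmp-route 0 0 ip-address 10.10.1.10 mask 255.255.255.0 next-hop 192.168.1.101
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def _value_after(tokens: List[str], keyword: str) -> Optional[str]:
    """Return the token that follows keyword, or None if it is absent."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    views: Dict[str, str] = {}               # view name -> included subtree
    write_views: List[Tuple[int, str]] = []  # (line number, view name)

    for n, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if t[:3] == ["snmp-profile", "add", "profile-id"] and len(t) >= 7:
            version, read_c, write_c = t[4], t[5], t[6]
            if version != "v3":
                findings.append(Finding(n, "SNMP_NO_CRYPTO",
                    f"{version} carries community names unencrypted and unauthenticated"))
            for role, name in (("read", read_c), ("write", write_c)):
                if name.lower() in WELL_KNOWN_COMMUNITIES:
                    findings.append(Finding(n, "DEFAULT_COMMUNITY",
                        f"{role} community is the well-known value '{name}'"))
        elif t[:2] == ["snmp-agent", "usm-user"]:
            auth = _value_after(t, "authentication-mode")
            priv = _value_after(t, "privacy-mode")
            if auth is None:
                findings.append(Finding(n, "USER_NO_AUTH", "user has no authentication"))
            elif auth == "md5":
                findings.append(Finding(n, "WEAK_AUTH_MD5", "MD5 is a legacy authentication algorithm"))
            if priv is None:
                findings.append(Finding(n, "USER_NO_PRIVACY", "user has no encryption"))
            elif priv == "des56":
                findings.append(Finding(n, "WEAK_PRIV_DES56", "56-bit DES is a legacy cipher"))
        elif t[:2] == ["snmp-agent", "group"]:
            if "privacy" not in t:
                findings.append(Finding(n, "GROUP_NO_PRIVACY", "group does not require encryption"))
            view = _value_after(t, "write-view")
            if view:
                write_views.append((n, view))
        elif t[:2] == ["snmp-agent", "mib-view"] and len(t) >= 5 and t[3] == "include":
            views[t[2]] = t[4]
        elif t[:3] == ["snmp-agent", "target-host", "trap-paramsname"]:
            if "v3" not in t or "privacy" not in t:
                findings.append(Finding(n, "TRAP_NO_PRIVACY", "traps are not sent encrypted"))

    # Least privilege: a write view that covers the whole internet subtree.
    for n, view in write_views:
        if views.get(view) == "internet":
            findings.append(Finding(n, "BROAD_WRITE_VIEW",
                f"write view '{view}' includes the entire internet subtree"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("outband (1.4.1)", OUTBAND_CONFIG), ("MDU (1.4.3/1.4.4)", MDU_CONFIG)):
        for f in audit(cfg):
            print(f"{label} line {f.line_no}: {f.rule}: {f.detail}")
```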

1.4.5 Commissioning the Management Channel Between the OLT and the GPON ONT

This topic describes how to commission the GPON OLT to ensure that the service configuration
and centralized management of the GPON ONTs are performed on the GPON OLT using the
ONT Management and Control Interface (OMCI) protocol.

Service Requirements
In the network as shown in Figure 1-49, the service requirements are as follows:
• A GPON port on the MA5600T is connected to 128 ONTs using an optical splitter.
NOTE

The following considers ONT 0 as an example for commissioning the management channel between
the OLT and the GPON ONT.

• On the MA5600T, you can configure ONTs at different locations in a centralized manner.
• The DBA profile is used to ensure the maximum bandwidth of 10 Mbit/s and the traffic
profile is used to limit subscriber rates.

Figure 1-49 Example network for commissioning the management channel between the OLT
and the GPON ONT

Figure 1-50 shows the flowchart for commissioning the management channel between the OLT
and the GPON ONT.


Figure 1-50 Flowchart for commissioning the management channel between the OLT and the
GPON ONT

Procedure
Step 1 Add a DBA profile.
The DBA profile ID is 12, the DBA profile uses the default name DBA-profile_12, the bandwidth
type is type1 (fixed bandwidth), and the user rate is the fixed 10 Mbit/s bandwidth.
NOTE

• The bandwidth type and the attribute of the DBA profile must be compatible with the service to be
carried.
• The system supports five DBA profile types, namely, type1 (fixed bandwidth), type2 (assured
bandwidth), type3 (assured bandwidth+maximum bandwidth), type4 (maximum bandwidth), and type5
(fixed bandwidth+assured bandwidth+maximum bandwidth).
• By default, the system provides DBA profiles 1 to 9, each of which provides typical values for traffic
parameters. By default, T-CONT 0 is bound with DBA profile 1.
• The value of the bandwidth you input when adding the DBA profile rounds down to the nearest integer
multiple of 64. For example, if the input bandwidth value is 1022 kbit/s, the actual bandwidth is 960
kbit/s.
• You can run the display dba-profile command to query the information about the DBA profile.
huawei(config)#dba-profile add profile-id 12 type1 fix 10240

Step 2 Add an ONT line profile.



The ONT line profile ID is 5, T-CONT 1 is bound with DBA profile 12, GEM port 0 is bound
to T-CONT 1, the service type is ETH, and the mapping mode is VLAN mapping.
huawei(config)#ont-lineprofile gpon profile-id 5
huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 12
huawei(config-gpon-lineprofile-5)#gem add 0 eth tcont 1
huawei(config-gpon-lineprofile-5)#gem mapping 0 0 vlan 20
huawei(config-gpon-lineprofile-5)#commit
huawei(config-gpon-lineprofile-5)#quit

Step 3 Add an ONT service profile.


The ONT service profile ID is 10, the quantity of Ethernet ports on the ONT is 4, the quantity
of POTS ports on the ONT is 2, and Ethernet ports 1-4 are added to VLAN 20.
NOTE

The port capability set in the ONT service profile must be the same as the actual ONT capability set.
huawei(config)#ont-srvprofile gpon profile-id 10
huawei(config-gpon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-gpon-srvprofile-10)#port vlan eth 1-4 20
huawei(config-gpon-srvprofile-10)#commit
huawei(config-gpon-srvprofile-10)#quit

Step 4 Add an ONT.


ONT 0 is connected to GPON port 0, the ONT authentication mode is the SN authentication,
the SN is 323031314D4B2041, the management protocol is OMCI, and ONT line profile 5 and
ONT service profile 10 are bound to ONT 0.
NOTE

You can add an ONT in the following two ways: confirming an auto-discovered ONT and adding an ONT
offline. Here, the method of adding an ONT offline is considered as an example.
You can also run the port ont-auto-find command to enable the function of auto-discovering an ONT,
and then run the ont confirm command to confirm the auto-discovered ONT.
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#ont add 0 0 sn-auth 323031314D4B2041 omci ont-lineprofile-id 5 ont-srvprofile-id 10
huawei(config-if-gpon-0/4)#quit

Step 5 Save the data.


huawei(config)#save

----End

Result
After the commissioning is complete, you can maintain and manage the ONT on the
MA5600T (For example, run the ont deactivate command to deactivate the ONT that is in the
activated state).

Configuration File
vlan 20 smart
port vlan 20 0/17 0
interface vlanif 20
ip address 192.168.1.100 255.255.255.0
quit
dba-profile add profile-id 12 type1 fix 10240
ont-lineprofile gpon profile-id 5
tcont 1 dba-profile-id 12


gem add 0 eth tcont 1


gem mapping 0 0 vlan 20
commit
quit
interface gpon 0/4
ont add 0 0 sn-auth 32303131B39FD641 snmp ont-lineprofile-id 5
ont ipconfig 0 0 static ip-address 192.168.1.200 mask 255.255.255.0 vlan 20
quit
service-port vlan 20 gpon 0/4/0 ont 0 gemport 0 multi-service user-vlan 20
save

1.4.6 Commissioning the Management Channel Between the OLT and the EPON ONT

This topic describes how to commission the EPON OLT to ensure that the service configuration
and centralized management of the EPON ONTs are performed on the EPON OLT using the
Operation, Administration, and Maintenance (OAM) protocol.

Service Requirements
In the network as shown in Figure 1-51, the service requirements are as follows:
• An EPON port on the MA5600T is connected to 64 ONTs using an optical splitter.
NOTE

The following considers ONT 0 as an example to commission the management channel between the
OLT and the EPON ONT.

• On the MA5600T, you can configure ONTs at different locations in a centralized manner.
• The DBA profile uses the assured bandwidth with the maximum bandwidth of 10 Mbit/s
and limits traffic using the traffic profile.

Figure 1-51 Example network for commissioning the management channel between the OLT
and the EPON ONT


Figure 1-52 shows the flowchart for commissioning the management channel between the OLT
and the EPON ONT.
Figure 1-52 Flowchart for commissioning the management channel between the OLT and the
EPON ONT

Procedure
Step 1 Configure a DBA profile.
The DBA profile ID is 12, the DBA profile name uses the default name DBA-profile_12, the
bandwidth type is type2 (assured bandwidth), and the user rate is the assured 10 Mbit/s
bandwidth.
NOTE

• The bandwidth type and the attribute of the DBA profile must be compatible with the service to be
carried.
• The system supports five DBA profile types, namely, type1 (fixed bandwidth), type2 (assured
bandwidth), type3 (assured bandwidth+maximum bandwidth), type4 (maximum bandwidth), and type5
(fixed bandwidth+assured bandwidth+maximum bandwidth).
• By default, the system provides DBA profiles 1 to 9, each of which provides typical values for traffic
parameters. By default, T-CONT 0 is bound to DBA profile 1.
• You can run the display dba-profile command to query the information about the DBA profile.


huawei(config)#dba-profile add profile-id 12 type2 assure 10240

Step 2 Configure an ONT line profile.


ONT line profile 13 is bound to DBA profile 12.
huawei(config)#ont-lineprofile epon profile-id 13
huawei(config-epon-lineprofile-13)#llid dba-profile-id 12
huawei(config-epon-lineprofile-13)#commit
huawei(config-epon-lineprofile-13)#quit

Step 3 Configure an ONT service profile.


The ONT service profile ID is 13, the number of Ethernet ports on the ONT is 4, the number of
POTS ports on the ONT is 2, and Ethernet ports 1-4 are added to VLAN 20.
NOTE

The port capability set in the ONT service profile must be the same as the actual ONT capability set.
huawei(config)#ont-srvprofile epon profile-id 13
huawei(config-epon-srvprofile-13)#ont-port eth 4 pots 2
huawei(config-epon-srvprofile-13)#port vlan eth 1 20
huawei(config-epon-srvprofile-13)#commit
huawei(config-epon-srvprofile-13)#quit

Step 4 Add an ONT.


ONT 0 is connected to EPON port 0, and the MAC address for the MDU authentication is
0000-0010-0101, the management protocol is OAM, and ONT line profile 13 and ONT service
profile 13 are bound to ONT 0.
NOTE

You can add an ONT in the following two ways: confirming an auto-discovered ONT and adding an ONT
offline. Here, the method of adding an ONT offline is considered as an example.
You can also run the port ont-auto-find command to enable the ONT auto-find function, and then run the
ont confirm command to confirm an auto-found ONT.
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#ont add 0 0 mac-auth 0000-0010-0101 oam
ont-lineprofile-id 13 ont-srvprofile-id 13
huawei(config-if-epon-0/4)#quit

Step 5 Save the data.


huawei(config)#save

----End

Result
After commissioning, the operator can maintain and manage the ONT on the MA5600T. For
example, the operator can run the ont deactivate command to deactivate an activated ONT.

Configuration File
dba-profile add profile-id 12 type2 assure 10240
ont-lineprofile epon profile-id 13
llid dba-profile-id 12
commit
quit
ont-srvprofile epon profile-id 13
ont-port eth 4 pots 2
port vlan eth 1 20
commit

quit
interface epon 0/4
ont add 0 0 mac-auth 0000-0010-0101 oam ont-lineprofile-id 13 ont-srvprofile-id 13
quit
save

1.5 Maintenance and Management Commissioning


To ensure the stability of the MA5600T, you need to verify the maintainability and reliability
of the device after completing the stand-alone commissioning and interconnection
commissioning.

1.5.1 Checking the System Switchover


After the active/standby switchover is performed, the services of the active control board are
switched to the standby control board. This ensures that the services run in the normal state.

Prerequisites
- An active control board and a standby control board must be configured on the device, and
  the cables must be connected correctly on the boards.
- The patch status of the active and standby control boards must be consistent with the
  hardware environment.

Precautions
- If the data of the active and standby control boards is not completely synchronized, the
  system prohibits the active/standby switchover.
  NOTE
  Run the display data sync state command to query the data synchronization status of the active and
  standby control boards.
- When the communication between the active and standby control boards fails or the standby
  control board is faulty, the system prohibits the active/standby switchover.
- When the data is being loaded, saved, or backed up, the system prohibits the active/standby
  switchover.

Context
Classification of the active/standby switchover:
According to the status of the data synchronization, the active/standby switchover is classified
into the normal switchover and forced switchover.
- Normal switchover: Refers to the active/standby switchover that is performed when the
  data is synchronized sufficiently. A normal switchover does not cause links to break or
  boards to reset.
- Forced switchover: Refers to the active/standby switchover that is performed when the data
  is not synchronized sufficiently.
  The following data might be synchronized insufficiently:
  - Configuration data.
    When the configuration data is not fully synchronized, the system prohibits performing
    forced switchover by running the active/standby switchover command. Other forced
    switching methods, such as manually resetting the active control board or removing the
    active control board, cause loss of basic data or the system to reset.
    Therefore, when the configuration data is not fully synchronized, it is recommended
    that you do not perform the forced switchover. You can choose to reset the system. In
    this manner, the system can return to the normal state in a short period.
  - Basic data.
    When the basic data is not fully synchronized, the system prohibits performing forced
    switchover by running the active/standby switchover command. Other forced switching
    methods, such as manually resetting the active board or removing the active control
    board, neither reset the system nor affect the database, but they may cause service boards
    to reset.
  - Dynamic data.
    When certain dynamic data is not fully synchronized, the system permits performing
    forced switchover by running the active/standby switchover command. After the
    switchover, the on-going services continue to run in the normal state, and the original
    connections, alarms, and logs are not lost.

Procedure
Step 1 Run the save command to save the data.
Step 2 Run the system switch-over command to perform the active/standby switchover.
----End

Result
When the ACT LED on the original standby control board is on, log in to the system using this
control board. It is found that the system runs in the normal state.

Example
After the data is saved, perform the active/standby switchover.
huawei#save
{ <cr>|configuration<K>|data<K> }:
Command:
save
huawei#
It will take several minutes to save configuration file, please wait...
huawei#
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
huawei#
The data is being saved, please wait a moment...
huawei(config)#system switch-over
Are you sure to switch over? (y/n)[n]:y

1.5.2 Checking Alarms and Events


This topic describes how to check the alarm and event reporting function of the device.

Verifying the Alarm and Event Function


This topic describes how to verify the alarm and event function by triggering various alarms and
events through the related operations.

Verifying Operation
Table 1-18 lists the operations for verifying the alarm and event function.
Table 1-18 Operations for verifying the alarm and event function
Operation                                                                     Description
Remove a service board.                                                       Check whether the corresponding alarm or event is generated on the maintenance terminal.
Insert the service board back into the slot.                                  Check whether the corresponding recovery alarm or event is generated on the maintenance terminal.
Remove the optical fiber connected to an optical port.                        Check whether the corresponding alarm or event is generated on the maintenance terminal.
Insert the optical fiber back into the optical port.                          Check whether the corresponding recovery alarm or event is generated on the maintenance terminal.
Remove the optical fiber connected to an optical port when an ONT is online.  Check whether the corresponding alarm or event is generated on the maintenance terminal.
Insert the optical fiber back into the optical port.                          Check whether the corresponding recovery alarm or event is generated on the maintenance terminal.
Open the cabinet door.                                                        Check whether the corresponding alarm or event is generated on the maintenance terminal.
Close the cabinet door.                                                       Check whether the corresponding recovery alarm or event is generated on the maintenance terminal.
Remove the fan tray from the shelf.                                           Check whether the corresponding alarm or event is generated on the maintenance terminal.
Insert the fan tray back into the shelf.                                      Check whether the corresponding recovery alarm or event is generated on the maintenance terminal.
Perform the active/standby switchover of the control boards.                  Log in to the system, and run the display event history command to check whether the active/standby switchover event history exists.

Querying Alarms and Events


This topic describes how to query history alarms and events using the maintenance terminal.

Context
Up to 1900 latest fault alarms and recovery alarms, and 1900 event alarms can be saved in the
system. If the record table is full, and a new alarm or event is generated, the new alarm or event
overwrites the oldest record in the record table. You can query the records that have been
overwritten in the NMS database.
The CLI provides multiple ways to query history alarms and events.
Table 1-19 lists the commands for querying history alarms.
Table 1-19 Commands for querying history alarms
To                               Run the Command...
Query alarms by alarm SN         display alarm history alarmsn sn [ detail | list ]
Query alarms by alarm ID         display alarm history alarmid id [ detail | list | start-number number]
Query alarms by alarm type       display alarm history alarmtype type [ detail | list | start-number number]
Query alarms by alarm class      display alarm history alarmclass class [ detail | list | start-number number]
Query alarms by alarm level      display alarm history alarmlevel level [ detail | list | start-number number]
Query alarms by alarm time       display alarm history alarmtime start start-date start-time end end-date end-time [ start-number number ] [ detail | list | start-number number]
Query alarms by alarm parameter  display alarm history alarmparameter { frameid/slotid/portid | frameid/slotid | frameid | vlanif vlanif } [ detail | list ]
Query all the latest alarms      display alarm history all [ detail | list ]

Table 1-20 lists the commands for querying history events.


Table 1-20 Commands for querying history events

To                               Run the Command...
Query events by event SN         display event history eventsn sn [ detail | list ]
Query events by event ID         display event history eventid id [ detail | list | start-number number]
Query events by event type       display event history eventtype type [ detail | list | start-number number]
Query events by event class      display event history eventclass class [ detail | list | start-number number]
Query events by event level      display event history eventlevel level [ detail | list | start-number number]
Query events by event time       display event history eventtime start start-date start-time end end-date end-time [ start-number number ] [ detail | list | start-number number]
Query events by event parameter  display event history eventparameter { frameid/slotid/portid | frameid/slotid | frameid | vlanif vlanif } [ detail | list ]
Query all the latest events      display event history all [ detail | list ]

Procedure
Step 1 Perform an operation (such as inserting and removing a board) to generate an alarm or event.
Step 2 Run the display alarm history command to query history alarms.
Step 3 Run the display event history command to query history events.
----End

Result
You can query the alarm or event triggered by the operation you have performed.

Example
To query the history environment alarms by alarm type, do as follows:
huawei>display alarm history alarmtype
{ type<E><communication,service,process,equipment,environment> }:environment
{ <cr>|detail<K>|list<K>|start-number<U><1,1900>||<K> }:list
{ <cr>||<K> }:
Command:
display alarm history alarmtype environment list
-----------------------------------------------------------------------
AlarmSN  Date&Time            Alarm Name/Para
-----------------------------------------------------------------------
777      2009-08-21 10:18:29  The system resources usage recovers from
                              the overload state to the normal state
                              Resource Name: CPU, Current Percent: 70
765      2009-08-21 10:17:29  The system resources usage exceeds the
                              threshold
                              Resource Name: CPU, Current Percent: 86
764      2009-08-21 10:17:29  The system resources usage recovers from
                              the overload state to the normal state
                              Resource Name: CPU, Current Percent: 86
714      2009-08-20 15:04:35  The system resources usage recovers from
                              the overload state to the normal state
                              Resource Name: CPU, Current Percent: 72
705      2009-08-20 15:03:35  The system resources usage exceeds the
                              threshold
                              Resource Name: CPU, Current Percent: 86
704      2009-08-20 15:03:35  The system resources usage recovers from
                              the overload state to the normal state
---- More ( Press 'Q' to break ) ----

To query the history events by event date, where the start date is 2009-08-24, the start time is
16:00:00, the end date is 2009-08-24, and the end time is 18:00:00, do as follows:
huawei>display event history
{ all<K>|eventclass<K>|eventid<K>|eventlevel<K>|eventparameter<K>|eventsn<K>|eve
nttime<K>|eventtype<K> }:eventtime
{ start<K> }:start
{ start-date<D><yyyy-mm-dd> }:2009-08-24
{ start-time<T><hh:mm:ss> }:16:00:00
{ end<K> }:end
{ end-date<D><yyyy-mm-dd> }:2009-08-24
{ end-time<T><hh:mm:ss> }:18:00:00
{ <cr>|detail<K>|list<K>|start-number<U><1,1900>||<K> }:list
{ <cr>||<K> }:
Command:
display event history eventtime start 2009-08-24 16:00:00 end 2009-08-24 18:00:00 list
-----------------------------------------------------------------------
EventSN  Date&Time            Event Name/Para
-----------------------------------------------------------------------
35346    2009-08-24 17:59:40  Backing up files fails from the host to
                              the maintenance terminal
                              FrameID: 0, SlotID: 96, Position: -1,
                              Backup type: Host data, Backup Object:
                              Active control board, Failure cause: Failed
                              to transfer the file
35345    2009-08-24 17:58:52  Change of Maintenance User's State
                              User name: test01, Log mode: Telnet, IP:
                              10.71.42.55, State: Log on
35344    2009-08-24 17:58:47  Change of Maintenance User's State
                              User name: test01, Log mode: Telnet, IP:
                              10.71.42.55, State: Log off
35343    2009-08-24 17:58:24  Backing up files starts from the host to
                              the maintenance terminal
                              FrameID: 0, SlotID: 96, Position: -1,
                              Backup type: Host data, Backup Object:
---- More ( Press 'Q' to break ) ----
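
A parser for the list output shown above, as an added example that is not part of the original guide: it turns the wrapped AlarmSN/EventSN records into structured entries, marks a record that the pager cut short, and picks out Telnet log-on events for review. The sample text is constructed from the example on this page, and the names Record, parse_history and telnet_logons are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample in the column layout of "display event history ... list".
# Values mirror the example on this page; the last record is cut by the pager.
SAMPLE = """\
-----------------------------------------------------------------------
EventSN  Date&Time            Event Name/Para
-----------------------------------------------------------------------
35346    2009-08-24 17:59:40  Backing up files fails from the host to
                              the maintenance terminal
                              FrameID: 0, SlotID: 96, Position: -1,
                              Backup type: Host data, Backup Object:
                              Active control board, Failure cause: Failed
                              to transfer the file
35345    2009-08-24 17:58:52  Change of Maintenance User's State
                              User name: test01, Log mode: Telnet, IP:
                              10.71.42.55, State: Log on
35344    2009-08-24 17:58:47  Change of Maintenance User's State
                              User name: test01, Log mode: Telnet, IP:
                              10.71.42.55, State: Log off
35343    2009-08-24 17:58:24  Backing up files starts from the host to
                              the maintenance terminal
                              FrameID: 0, SlotID: 96, Position: -1,
                              Backup type: Host data, Backup Object:
---- More ( Press 'Q' to break ) ----
"""

RECORD_START = re.compile(r"^(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
PAGER = re.compile(r"^-+\s*More\b")
RULE = re.compile(r"^-{10,}$")


@dataclass
class Record:
    sn: int
    when: datetime
    name: str = ""
    params: dict = field(default_factory=dict)
    cut_by_pager: bool = False  # record sat directly before a "More" prompt


def _finish(sn, when, lines, cut):
    # Name lines come first; parameters start at the first line holding "Key:".
    split = next((i for i, l in enumerate(lines) if ":" in l), len(lines))
    params, last = {}, None
    for chunk in " ".join(lines[split:]).split(", "):
        key, sep, value = chunk.partition(":")
        if sep:
            last = key.strip()
            params[last] = value.strip(" ,")
        elif last and chunk.strip():
            # A value that itself contained ", " was split; glue it back.
            params[last] += ", " + chunk.strip(" ,")
    return Record(sn, when, " ".join(lines[:split]), params, cut)


def parse_history(text):
    """Parse 'display alarm|event history ... list' output into Record objects."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PAGER.match(line):
            if cur:
                records.append(_finish(*cur, cut=True))
                cur = None
            continue
        m = RECORD_START.match(line)
        if m:
            if cur:
                records.append(_finish(*cur, cut=False))
            when = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
            cur = (int(m.group(1)), when, [m.group(3).strip()])
        elif cur and line and not RULE.match(line):
            cur[2].append(line)  # wrapped continuation of the current record
    if cur:
        records.append(_finish(*cur, cut=False))
    return records


def telnet_logons(records):
    """Return (time, user, source IP) for each maintenance-user Telnet log-on."""
    hits = []
    for r in records:
        p = r.params
        if (r.name == "Change of Maintenance User's State"
                and p.get("Log mode", "").lower() == "telnet"
                and p.get("State", "").lower() == "log on"):
            hits.append((r.when, p.get("User name"), p.get("IP")))
    return hits


if __name__ == "__main__":
    for when, user, ip in telnet_logons(parse_history(SAMPLE)):
        print(f"{when} Telnet log-on: user={user} ip={ip}")
```

Lines that follow a pager prompt without a new serial number are ignored, so a record flagged cut_by_pager should be queried again by its SN before it is relied on.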

1.5.3 Configuring a Log Host


Logs can function as important references for system The log host is used for recording logs,
which are useful for the device maintenance and fault location.

Context
- The log host is always installed on the NMS station and uses the NMS VLAN to
  communicate with the MA5600T.
- The log host must be installed with the FTP or TFTP software, and must be able to receive
  and save the logs reported by the MA5600T.

Network Topology
The log host resides in the NMS station and is connected to the upstream port of the
MA5600T in the IP network. Figure 1-53 shows the example network for configuring a log
host.

Figure 1-53 Example network for configuring a log host

Data Plan
Table 1-21 shows the data plan for configuring a log host.
Table 1-21 Data plan for configuring a log host
Item               Data
Layer 3 interface  VLAN: 10
                   Upstream port: 0/17/0
                   IP address of the Layer 3 interface: 10.50.1.10/24
                   IP address of the gateway: 10.50.1.1/24
Log host           IP address: 10.10.1.20/24

Flowchart
Figure 1-54 shows the flowchart for configuring a log host.

Figure 1-54 Flowchart for configuring a log host

Procedure
Step 1 Create a VLAN.
The VLAN ID is 10, and the VLAN attribute is Standard.
huawei(config)#vlan 10 standard

Step 2 Add the upstream port to the VLAN.

Add upstream port 0/17/0 on the GIU board to VLAN 10.
huawei(config)#port vlan 10 0/17 0
NOTE

If the packet transmitted from the upstream port is untagged, run the native-vlan command to configure
the native VLAN of the upstream port to be the same as the VLAN of the upstream port.

Step 3 Configure the IP address of the Layer 3 interface.


The Layer 3 IP address is 10.50.1.10/24, and this IP address must be in the same network segment
as the gateway IP address (IP address of the switch port that is connected to the MA5600T).
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#ip address 10.50.1.10 255.255.255.0
huawei(config-if-vlanif10)#quit

Step 4 Add the log host.


- The IP address and name of the log host are 10.10.1.20 and huawei, respectively.
- The IP address or name can uniquely identify a log host. Therefore, the IP address or name
  of a log host must be unique in the system.
huawei(config)#loghost add 10.10.1.20 huawei

Step 5 Add the static route to the log host.


The destination IP address is 10.10.1.20/24, and the next-hop IP address is gateway IP address
10.50.1.1.
huawei(config)#ip route-static 10.10.1.20 24 10.50.1.1

Step 6 Configure the ACL rule (optional).


Filter the packets that pass through the Layer 3 interface. Only IP packets from the log host
are allowed to access the Layer 3 interface. Packets without authorization are not allowed to
access the Layer 3 interface.
huawei(config)#acl 3010
huawei(config-acl-adv-3010)#rule deny ip source any destination 10.50.1.10 0.0.0.0
huawei(config-acl-adv-3010)#rule permit ip source 10.10.1.20 0.0.0.0 destination 10.50.1.10 0.0.0.0
huawei(config-acl-adv-3010)#quit
huawei(config)#packet-filter inbound ip-group 3010 port 0/17/0
NOTE

Port aggregation cannot be configured on upstream port 0/17/0 when ACL rules are applied to it.

Step 7 Activate the log host. The system sends log information only to the activated log hosts.
huawei(config)#loghost activate name huawei

Step 8 Save the data.


huawei(config)#save

----End

Result
- You can query the logs on the log server.
- The logs record the operation commands executed on the system. They are the same as the
  commands queried on the MA5600T.

Configuration File
vlan 10 standard
port vlan 10 0/17 0
interface vlanif 10
ip address 10.50.1.10 255.255.255.0
quit
loghost add 10.10.1.20 huawei
ip route-static 10.10.1.20 24 10.50.1.1
acl 3010
rule deny ip source any destination 10.50.1.10 0.0.0.0
rule permit ip source 10.10.1.20 0.0.0.0 destination 10.50.1.10 0.0.0.0
quit
packet-filter inbound ip-group 3010 port 0/17/0
loghost activate name huawei
save
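
A consistency check for the log host configuration above, as an added example that is not part of the original guide: it verifies that the static route's next hop lies on the Layer 3 interface subnet (Step 3), that each log host is reachable on-link or through a static route (Step 5), and that each added log host is also activated (Step 7). The input is a constructed copy of the log-host lines from the configuration file, the names parse and check are assumptions, and only the command forms shown on this page are recognised.

```python
import ipaddress

# Constructed input: the log-host related lines of the configuration file above.
CONFIG = """\
vlan 10 standard
port vlan 10 0/17 0
interface vlanif 10
ip address 10.50.1.10 255.255.255.0
quit
loghost add 10.10.1.20 huawei
ip route-static 10.10.1.20 24 10.50.1.1
loghost activate name huawei
save
"""


def parse(config):
    """Collect interface addresses, static routes and log hosts from config text."""
    plan = {"ifaces": [], "routes": [], "loghosts": {}, "active": set()}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) == 4:
            # The mask may be dotted (255.255.255.0) or a prefix length (24).
            plan["ifaces"].append(ipaddress.ip_interface(f"{t[2]}/{t[3]}"))
        elif t[:2] == ["ip", "route-static"] and len(t) == 5:
            # strict=False: the page writes the destination with host bits set.
            net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            plan["routes"].append((net, ipaddress.ip_address(t[4])))
        elif t[:2] == ["loghost", "add"] and len(t) == 4:
            plan["loghosts"][t[3]] = ipaddress.ip_address(t[2])
        elif t[:3] == ["loghost", "activate", "name"] and len(t) == 4:
            plan["active"].add(t[3])
    return plan


def check(config):
    """Return a list of findings; an empty list means the plan is consistent."""
    plan = parse(config)
    findings = []
    for net, hop in plan["routes"]:
        # The next hop must be a neighbour on a directly connected subnet.
        if not any(hop in i.network and hop != i.ip for i in plan["ifaces"]):
            findings.append(
                f"next hop {hop} for {net} is not on the subnet of any Layer 3 interface")
    for name, ip in plan["loghosts"].items():
        on_link = any(ip in i.network for i in plan["ifaces"])
        routed = any(ip in net for net, _ in plan["routes"])
        if not (on_link or routed):
            findings.append(f"log host {name} ({ip}) has no covering route")
        if name not in plan["active"]:
            # Logs are sent only to activated log hosts.
            findings.append(f"log host {name} is added but not activated")
    for name in sorted(plan["active"] - set(plan["loghosts"])):
        findings.append(f"loghost activate names unknown host {name}")
    return findings


if __name__ == "__main__":
    for finding in check(CONFIG) or ["no findings"]:
        print(finding)
```

Running the check before loading a script catches the case where logging is configured but no logs ever reach the log host.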

1.6 Supplementary Information


This topic provides the commissioning supplementary information, including script making,
transmission mode setting, and default software settings.

1.6.1 Making a Script


Before the commissioning, you can collect the information such as the data plan according to
1.2.4 Planning Data to make a commissioning script and then configure the basic data of the
device by loading the script. This ensures that the device is functioning properly, which facilitates
the commissioning of the basic functions and services of the device.

Script Overview
The basic configuration achieved by loading a script includes, but is not limited to:
- Adding a power card
- Configuring the environment monitoring unit (including the FAN and the CITB card)
- Configuring the route protocol


NOTE

For details about how to load a script, see 1.3.6 Loading the Script.

Example Script
Table 1-22 lists the data plan of an example script. After this example script is configured, you
can log in to the MA5600T using the maintenance terminal in the management center to
commission the basic functions of the device.
Table 1-22 Script data plan
Item             Data
PAIC power card  Shelf IDs/slot IDs: 0/19 and 0/20
FAN              - SN: 0
                 - Sub-node ID: 1 (default)
                 - Name: FAN
                 - Fan speed adjustment mode: automatic
CITB card        - SN: 1
                 - Sub-node ID: 15 (default)
                 - Name: CITB
Route protocol   - Upstream port: 0/17/0
                 - Management VLAN ID: 100; type: standard VLAN
                 - IP address of the Layer 3 interface of the management VLAN:
                   10.50.1.10/24
                 - Gateway IP address: 10.50.1.1/24
                 - IP address of the target network segment: 10.10.1.10/24

The following displays the commands that need to be included in the script according to the
preceding data plan.

CAUTION
It is necessary to press Enter after each command in the script.
enable
config
board add 0/19 H801PAIC
board add 0/20 H801PAIC
emu add 0 FAN 0 1 FAN
interface emu 0
fan speed mode automatic
quit
emu add 1 h801citx 0 15 h801citx
vlan 100 standard
port vlan 100 0/17 0
interface vlanif 100
ip address 10.50.1.10 24
quit
ip route-static 10.10.1.0 24 10.50.1.1
save

1.6.2 Configuring the File Transfer Mode


This topic describes how to configure the FTP, SFTP, Xmodem, and TFTP file transfer modes.

Configuring the FTP Transfer Mode


This topic describes how to configure the FTP transfer mode for transferring (uploading or
downloading) files through the inband or outband Ethernet port of the MA5600T. After the
configuration, the FTP server and the MA5600T can communicate to transfer files in the FTP
mode.

Prerequisites
- The Ethernet port of the FTP server is directly connected to the inband or outband Ethernet
  port of the MA5600T.
  - Connect to the inband Ethernet port (Maintenance port) through the crossover cable.
  - Connect to the outband Ethernet port (Upstream port) through the direct cable.
- You have logged in to the MA5600T through Telnet from the console (maintenance
  terminal), and have entered the global config mode.

Tools, Meters, and Materials


- Crossover cable
- Direct cable

Impact on System
None

Precautions
Make sure that the crossover cable is used to directly connect the FTP server to the MA5600T.
In other cases, a straight through cable is used.

Procedure
Step 1 On the FTP server, configure the IP address of its Ethernet port.
Configure the Ethernet port IP address of the FTP server according to the IP address planning
in the specific networking, and ensure that the Ethernet port of the FTP server and the inband
or outband Ethernet port of the MA5600T can ping each other.
For example, if the Ethernet port of the FTP server is directly connected to the MA5600T, the
IP address of this Ethernet port and the IP address of the inband or outband Ethernet port of the
MA5600T must be in the same subnet.
Step 2 On the FTP server, run the FTP application and set related parameters.
After running the FTP application, set the path for saving the file, FTP user name, and password.
Step 3 (This step is used for setting the FTP user attributes for the manual file transfer.) On the
MA5600T, run the ftp set command to set the FTP user name and password.
huawei(config)#ftp set
User Name(<=40 chars):huawei
User Password(<=40 chars):huawei//The input is not displayed on the CLI.
NOTE

By default, the FTP user name is anonymous and the password is [email protected] in the
MA5600T system.

Step 4 (Optional; this step is required when the function of database file auto-backup is used.) On the
MA5600T, run the file-server auto-backup data command to configure the FTP user name,
password, and port ID.
huawei(config)#file-server auto-backup data primary 10.10.20.1 ftp path test user
User Name(<=40 chars):huawei
User Password(<=40 chars):huawei//The input is not displayed on the CLI.

----End

Reference
- Any PC that runs the FTP software can serve as an FTP server.
- In the FTP file transfer mode, the user name and the password must be authenticated. Apart
  from setting the user name and password on the FTP server, you also need to set the FTP
  user name and password on the FTP client (such as the MA5600T), and make sure that the
  settings at both ends are the same.

Configuring the SFTP Transfer Mode


This topic describes how to configure the SFTP transfer mode for transferring (uploading or
downloading) files through the inband or outband Ethernet port of the MA5600T. After the
configuration, the SFTP server and the MA5600T can communicate to transfer files in the SFTP
mode.

Prerequisites
- The Ethernet port of the SFTP server is directly connected to the inband or outband Ethernet
  port of the MA5600T.
  - Connect to the inband Ethernet port (Maintenance port) through the crossover cable.
  - Connect to the outband Ethernet port (Upstream port) through the direct cable.
- You have logged in to the MA5600T through Telnet from the console (maintenance
  terminal), and have entered the global config mode.

Tools, Meters, and Materials


- Crossover cable
- Direct cable

Impact on System
None

Precautions
Make sure that the crossover cable is used to directly connect the SFTP server to the
MA5600T. In other cases, a straight through cable is used.

Procedure
Step 1 On the SFTP server, configure the IP address of its Ethernet port.
Configure the Ethernet port IP address of the SFTP server according to the IP address planning
in the specific networking, and ensure that the Ethernet port of the SFTP server and the inband
or outband Ethernet port of the MA5600T can ping each other.
For example, if the Ethernet port of the SFTP server is directly connected to the MA5600T, the
IP address of this Ethernet port and the IP address of the inband or outband Ethernet port of the
MA5600T must be in the same subnet.
Step 2 On the SFTP server, run the SFTP application and set related parameters.
After running the SFTP application, set the path for saving the file, SFTP user name, password,
and port ID. The port ID is 22 by default.
Step 3 (This step is used for setting the SFTP user attributes for the manual file transfer.) On the
MA5600T, run the ssh sftp set command to set the SFTP user name, password, and port ID.
huawei(config)#ssh sftp set
User Name(<=40 chars):huawei
User Password(<=40 chars):huawei//The input is not displayed on the CLI.
Listening Port(0--65535):22
NOTE

The MA5600T system does not have default SFTP user name, password, or port ID.

Step 4 (Optional; this step is required when the function of database file auto-backup is used.) On the
MA5600T, run the file-server auto-backup data command to configure the SFTP user name,
password, and port ID.
huawei(config)#file-server auto-backup data primary 10.10.20.1 sftp path test port
22 user
User Name(<=40 chars):huawei
User Password(<=40 chars):huawei//The input is not displayed on the CLI.
NOTE

The MA5600T system does not have default SFTP user name, password, or port ID.

----End

Reference
- Any PC that runs the SFTP software can serve as an SFTP server.
- In the SFTP file transfer mode, the user name and the password must be authenticated.
  Apart from setting the user name, password, and port ID on the SFTP server, you also need
  to set the SFTP user name, password, and port ID on the SFTP client (such as the
  MA5600T), and make sure that the settings at both ends are the same.

Configuring Xmodem File Transfer Mode


This topic describes how to configure the Xmodem file transfer mode. To upload or download
files through the maintenance serial port on the MA5600T, configure the Xmodem file transfer
mode according to this operation guide. Then, the console and the MA5600T can communicate
with each other normally and transfer files in Xmodem mode.

Prerequisites
You must be logged in to the MA5600T from the console (also called maintenance terminal)
through the serial port, and must enter the global config mode.

Tools, Meters, and Materials


RS-232 serial port cable (used for logging in to the MA5600T from the console through the
serial port)

Impact on the System


None

Precautions
NOTE

- The speed of transferring files in Xmodem mode through the serial port is limited. Therefore, the system
  does not support file transfer in the Xmodem mode for large-size files such as program packet files
  and configuration files.
- It is recommended to transfer files through other modes as much as possible, such as TFTP, even if
  file transfer in the Xmodem mode is supported.

- The baud rate of the serial port on the MA5600T must be the same as the baud rate of the
  serial port on the console.
- The Xmodem transfer mode is applicable to only the active control board.
- Telnet users are prohibited from transferring files in Xmodem mode.

Procedure
Step 1 Query the baud rate of the serial port on the MA5600T.
huawei(config)#display baudrate
Current active serial baudrate: 9600 bps

Step 2 (This step is optional but is required when you reconfigure the baud rate of the serial port.) Run
the baudrate command on the MA5600T to configure the baud rate of the serial port on the
MA5600T. A higher baud rate increases the transmission speed.
For example, reconfigure the baud rate on the MA5600T to 9600 bit/s:
huawei(config)#baudrate 9600

Step 3 Open the HyperTerminal on the console to configure the baud rate of the serial port on the
console to be the same as the baud rate on the MA5600T.

----End

Configuring the TFTP Transfer Mode


This topic describes how to configure the TFTP transfer mode for transferring (uploading or
downloading) files through the inband or outband Ethernet port of the MA5600T. After the
configuration, the TFTP server and the MA5600T can communicate to transfer files in the TFTP
mode.

Prerequisites
- The Ethernet port of the TFTP server is directly connected to the inband or outband Ethernet
  port of the MA5600T.
  - Connect to the inband Ethernet port (Maintenance port) through the crossover cable.
  - Connect to the outband Ethernet port (Upstream port) through the direct cable.
- You have logged in to the MA5600T through Telnet from the console (maintenance
  terminal), and have entered the global config mode.

Tools, Meters, and Materials


- Crossover cable
- Direct cable

Impact on System
None

Precautions
Make sure that the crossover cable is used to directly connect the TFTP server to the
MA5600T. In other cases, a straight through cable is used.

Procedure
Step 1 On the TFTP server, configure the IP address of its Ethernet port.
Configure the Ethernet port IP address of the TFTP server according to the IP address planning
in the specific networking, and ensure that the Ethernet port of the TFTP server and the inband
or outband Ethernet port of the MA5600T can ping each other.
For example, if the Ethernet port of the TFTP server is directly connected to the MA5600T, the
IP address of this Ethernet port and the IP address of the inband or outband Ethernet port of the
MA5600T must be in the same subnet.
Step 2 On the TFTP server, run the TFTP application and set related parameters.
1. After the TFTP application is run on the TFTP server, an interface as shown in Figure
   1-55 is displayed. In the Server interfaces drop-down list, select the IP address that is set
   in step 1.
   Figure 1-55 TFTP main interface
2. In the interface as shown in Figure 1-55, click Settings.
3. In the dialog box that is displayed, click Browse to select the path for saving the file, as
   shown in Figure 1-56.
   Figure 1-56 Setting TFTP parameters

----End

Reference
- Any PC that runs the TFTP software can serve as a TFTP server.
- The IP address in the Server interfaces drop-down list is the IP address of the TFTP server.
  The TFTP application can identify the IP address automatically. If the TFTP server has
  multiple IP addresses, select the correct one.
- If the TFTP file transfer fails, check the following items:
  - Whether the selected IP address of the TFTP server is correct.
  - Whether the TFTP server can ping the inband or outband Ethernet port of the
    MA5600T (run the Ping command).
  - Whether the TFTP application is run on the TFTP server.
  - Whether the path is correctly set in the TFTP application.
  - Whether the TFTP file transfer function has been enabled through the command.
  - Whether the entered name of the file to be transferred is correct.
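
The server-side items of the checklist above can be checked from a PC in the same subnet with a single TFTP read request. The following Python sketch is an added example, not part of the Huawei guide or of any Huawei tool; the function names and the constructed replies in the demo are assumptions made for illustration.

```python
import socket
import struct

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5   # TFTP opcodes (RFC 1350)

# TFTP error codes mapped to the items of the checklist above.
ERROR_HINTS = {
    1: "file not found: check the entered file name and the path set in the TFTP application",
    2: "access violation: check the path set in the TFTP application",
}
NO_REPLY = ("no reply: check the selected server IP address, ping reachability, "
            "and whether the TFTP application is running")


def build_rrq(filename, mode="octet"):
    """Encode a read request: opcode 1, file name, NUL, transfer mode, NUL."""
    return (struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def interpret_reply(reply):
    """Turn the first datagram returned by the server into a checklist hint."""
    if reply is None:
        return NO_REPLY
    if len(reply) < 4:
        return "malformed reply: fewer than 4 bytes"
    opcode, value = struct.unpack("!HH", reply[:4])
    if opcode == OP_DATA and value == 1:
        return "ok: the server returned the first block of the file"
    if opcode == OP_ERROR:
        text = reply[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
        hint = ERROR_HINTS.get(value, "see the log of the TFTP application")
        return f"error {value} ({text}): {hint}"
    return f"unexpected opcode {opcode}"


def probe(server_ip, filename, port=69, timeout=3.0):
    """Send one read request and report what the server answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_rrq(filename), (server_ip, port))
            reply, peer = sock.recvfrom(516)
        except OSError:            # timeout or network unreachable
            return interpret_reply(None)
        if reply[:2] == struct.pack("!H", OP_DATA):
            # Tell the server to stop; the probe does not need the rest of the file.
            sock.sendto(struct.pack("!HH", OP_ERROR, 0) + b"probe finished\x00", peer)
        return interpret_reply(reply)


if __name__ == "__main__":
    # Constructed replies, so the example runs without a TFTP server.
    print(interpret_reply(b"\x00\x03\x00\x01" + b"\x55" * 512))
    print(interpret_reply(b"\x00\x05\x00\x01File not found\x00"))
    print(interpret_reply(None))
```

To test a real server, call probe() with the IP address selected in the Server interfaces list and the name of a file stored in the configured path.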

1.6.3 Software Package Settings


This topic provides the default software package settings of the MA5600T.

Factory Defaults of a DBA Profile


The following table lists the factory defaults of a DBA profile on the MA5600T.
Table 1-23 Factory defaults of a DBA profile
Profile Index  Profile                 Factory Default
               Profile-name            dba-profile_1
               Profile-ID
               type
               Bandwidth compensation  No
               Fix(kbps)               5120
               Assure(kbps)
               Max(kbps)
               bind-times

               Profile-name            dba-profile_2
               Profile-ID
               type
               Bandwidth compensation  No
               Fix(kbps)               1024
               Assure(kbps)
               Max(kbps)
               bind-times

               Profile-name            dba-profile_3
               Profile-ID
               type
               Bandwidth compensation  No
               Fix(kbps)
               Assure(kbps)
               Max(kbps)               32768
               bind-times

               Profile-name            dba-profile_4
               Profile-ID
               type
               Bandwidth compensation  No
               Fix(kbps)               1024000
               Assure(kbps)
               Max(kbps)
               bind-times

               Profile-name            dba-profile_5
               Profile-ID
               type
               Bandwidth compensation  No
               Fix(kbps)               32768
               Assure(kbps)
               Max(kbps)
               bind-times

               Profile-name            dba-profile_6
               Profile-ID
               type
               Bandwidth compensation  No
               Fix(kbps)               102400
               Assure(kbps)
               Max(kbps)
               bind-times

               Profile-name            dba-profile_7
               Profile-ID
               type
               Bandwidth compensation  No
               Fix(kbps)
               Assure(kbps)            32768
               Max(kbps)
               bind-times

               Profile-name            dba-profile_8
               Profile-ID
               type
               Bandwidth compensation  No
               Fix(kbps)
               Assure(kbps)            102400
               Max(kbps)
               bind-times

               Profile-name            dba-profile_9
               Profile-ID
               type
               Bandwidth compensation  No
               Fix(kbps)
               Assure(kbps)            32768
               Max(kbps)               65536
               bind-times

Factory Defaults of a GPON ONT Line Profile


The following table lists the factory defaults of a GPON ONT line profile on the MA5600T.
Table 1-24 Factory defaults of a GPON ONT line profile

Parameter            Factory Default
FEC upstream switch  Disable
OMCC encrypt switch  Off
QoS mode             PQ
Mapping mode         VLAN
Tr069 management     Disable
<T-CONT 0>           DBA Profile-ID: 1
Binding times

Factory Defaults of a GPON ONT Service Profile


The following table lists the factory defaults of a GPON ONT service profile on the
MA5600T.
Table 1-25 Factory defaults of a GPON ONT service profile
Parameter                          Factory Default
Port-type                          Portnumber
  POTS                             0
  ETH                              0
  TDM
  MOCA
  CATV
TDM port type                      E1
TDM service type                   TDMoGem
MAC learning function switch       Enable
ONT transparent function switch    Disable
Multicast forward mode             Unconcern
Multicast forward VLAN
Multicast mode                     Unconcern
Upstream IGMP packet forward mode  Unconcern
Upstream IGMP packet forward VLAN
Upstream IGMP packet priority
Native VLAN option                 Concern
Port-type or Port type             IPHOST
Port-ID or Port ID
Dscp-mapping-table-index
Service-type                       Translation
Index
S-VLAN
S-PRI
C-VLAN
C-PRI
ENCAP
S-PRI POLICY
Binding times

Factory Defaults of a GPON ONT Alarm Profile


The following table lists the factory defaults of a GPON ONT alarm profile on the MA5600T.
Table 1-26 GPON ONT alarm profile

Profile Index  Profile         Parameter                                                Factory Default
               alarmprofile_1  GEM port loss of packets threshold
                               GEM port misinserted packets threshold
                               GEM port impaired blocks threshold
                               Ethernet FCS errors threshold
                               Ethernet excessive collision count threshold
                               Ethernet late collision count threshold
                               Too long Ethernet frames threshold
                               Ethernet buffer (Rx) overflows threshold
                               Ethernet buffer (Tx) overflows threshold
                               Ethernet single collision frame count threshold
                               Ethernet multiple collisions frame count threshold
                               Ethernet SQE count threshold
                               Ethernet deferred transmission count threshold
                               Ethernet internal MAC Tx errors threshold
                               Ethernet carrier sense errors threshold
                               Ethernet alignment errors threshold
                               Ethernet internal MAC Rx errors threshold
                               PPPOE filtered frames threshold
                               MAC bridge port discarded frames due to delay threshold
                               MAC bridge port MTU exceeded discard frames threshold
                               MAC bridge port received incorrect frames threshold
                               CES general error time threshold
                               CES severely time threshold
                               CES bursty time threshold
                               CES controlled slip time threshold
                               CES unavailable time threshold
                               Drop events threshold
                               Undersize packets threshold
                               Fragments threshold
                               Jabbers threshold
                               Failed signal of ONU threshold (Format:1e-x)
                               Degraded signal of ONU threshold (Format:1e-x)

Default settings of an EPON ONT line profile


The following table lists the default settings of an EPON ONT line profile on the MA5600T.
Table 1-27 EPON ONT line profile
Parameter Name       Default
FEC switch           Disable
Encrypt type         off
DBA Profile-ID
Traffic-table-index
Dba-threshold
Binding times

Default settings of an EPON ONT service profile


The following table lists the default settings of an EPON ONT service profile on the
MA5600T.
Table 1-28 EPON ONT service profile
Parameter Name               Default
Port-type                    Portnumber
  POTS                       0
  ETH                        0
  TDM                        0
TDM type                     E1
Multicast fast leave switch  Unconcern
Ring check switch            Unconcern
Binding times

Factory Defaults of Environment Monitoring Units


Table 1-29 and Table 1-30 list the factory defaults of environment monitoring units on the
MA5600T.
Table 1-29 Factory defaults of the H801CITB card
Parameter                                  Factory Default
Sub-node                                   20
Digital parameters
CITB digital parameter IDs                 - Allocated by default (unchangeable)
                                             0: FAN
                                             1: load fuse
                                           - User-defined IDs
                                             2-8: allocated to other extended digital sensors.
Definitions of user-defined alarm indexes  1: AC voltage; 2: AC switch; 3: Battery voltage; 4: Battery fuse; 5:
                                           Load fuse; 6: Rectifier; 7: DC power; 8: Room door; 9: Room door;
                                           10: Thief; 11: Thief; 12: Wiring; 13: Fan; 14: Fire; 15: Fog; 16: Water;
                                           17: Diesel; 18: Odor; 19: Air-condition; 20: Arrester

Table 1-30 Factory defaults of the FAN
Parameter                  Factory Default
Sub-node
Fan speed adjustment mode  Automatic
Report fan alarm           Permit


Basic Configurations

About This Chapter


Basic configurations mainly include certain common configurations, public configurations, and
pre-configurations in service configurations. There is no obvious logical relation between basic
configurations. You can perform basic configurations according to actual requirements.
2.1 Configuring the License Function
With the license platform enabled, the license server performs license control on the function
entries and resource entries supported by the MA5600T and provides customized services for
users.
2.2 Configuring Alarms
Alarm management includes the following functions: alarm record, alarm setting, and alarm
statistics. These functions help you to maintain the device and ensure that the device works
efficiently.
2.3 Configuring the Network Time
Configure the NTP protocol to keep the time of all devices in the network synchronized, so
that the devices implement various service applications based on universal
time, such as the network management system and the network accounting system.
2.4 Adding Port Description
After the description of a physical port on the board is added, the description facilitates
information query in system maintenance.
2.5 Configuring the Attributes of an Upstream Ethernet Port
This topic describes how to configure the attributes of a specified Ethernet port so that the system
communicates with the upstream device in the normal state.
2.6 Configuring a VLAN
Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring a
service, make sure that the VLAN configuration based on planning is complete.
2.7 Configuring a VLAN Service Profile
Integrate VLAN-related configurations into the VLAN service profile so that all attributes take
effect immediately after the VLAN service profile is bound to the VLAN. This increases the
configuration efficiency.
2.8 Configuring the User Security

Configuring the security mechanism protects operation users and access users against user
account theft and roaming, and against attacks from malicious users.
2.9 Configuring System Security
This topic describes how to configure the network security and protection measures of the system
to protect the system from malicious attacks.
2.10 Configuring the ACL
This topic describes the type, rule, and configuration of the ACL on the MA5600T.
2.11 Configuring QoS
This topic describes how to configure quality of service (QoS) on the MA5600T.
2.12 Configuring AAA
This topic describes how to configure the AAA on the MA5600T, including configuring the
MA5600T as the local and remote AAA servers.
2.13 Configuring ANCP
Access Node Control Protocol (ANCP) is used to implement the functions such as topology
discovery, line configuration, and L2C OAM on the user ports. The MA5600T establishes an
ANCP session according to the GSMP communication IP address configured in the network
access server (NAS).


2.1 Configuring the License Function


With the license platform enabled, the license server performs license control on the function
entries and resource entries supported by the MA5600T and provides customized services for
users.

Prerequisites
The license platform must be enabled.

Application Context
The license platform provides the registration mechanism for the service modules of the
MA5600T. During system initialization, the service modules need to register for the controlled
resource entries or the controlled function entries. After the system starts to work, based on the
controlled entries that are registered, the license client management module obtains the
authentication information about the license controlled entries of the MA5600T from the license
server.
When a service module is configured through the command line interface (CLI) or NMS, the
device checks whether the resource entries of the service module or the function entries of the
service module are overloaded.
- If overload occurs, the system quits the service configuration and displays a prompt of
  insufficient license resources.
- If overload does not occur, the system allows the user to continue configuring and using
  the service. When the service configuration is deleted, the system automatically releases
  the license resources occupied by the service configuration.

Background Information
- The MA5600T adopts the network license solution, that is, a license server is deployed in
  the network. In this case, each MA5600T is like a license client, and the licenses of all the
  clients are managed by the license server in a centralized manner.
- In the management scope of the license server (generally a region or a city), each product
  has only one license file that is stored on the license server. The resources of the product
  that are controlled by the license are defined by the license file. Because one license server
  can manage multiple products, multiple license files can be stored on one license server.

Precautions
If you need to use the license function supported by the MA5600T, be sure to consider the
deployment of the license server in network planning.

Procedure
Step 1 Configure the interface that is for communicating with the license server.
1. Run the vlan command to create a VLAN.
2. Run the port vlan command to add an upstream port to the VLAN.
3. (Optional) Run the native-vlan command to configure the default VLAN of the upstream
   port.
   Whether the native VLAN needs to be set for the upstream port depends on whether the
   upper-layer device connected to the upstream port supports packets carrying a VLAN tag.
   The setting on the MA5600T must be the same as that on the upper-layer device.
4. Run the ip address command to configure the IP address of the VLAN L3 interface so that
   the IP packets in the VLAN are forwarded by using this IP address.
5. Run the ip route-static command to configure the static route to the license server.

Step 2 Run the license esn command to configure the ESN of the device.
Each client of the license server is uniquely identified by the ESN. The ESN should be configured
if the user enables the license function. The ESN can be the NMS IP address of the device or
the IP address of the VLAN L3 interface.
Step 3 Run the license server command to configure the license server.
If the user enables the license function, configure the IP address and TCP port ID of the license
server so that the license server can communicate with the client.
Step 4 Run the display license info command to query the communication status between the device
and the license server.
----End

Example
To set the ID of the smart VLAN on the MA5600T to 10, set the IP address of the L3 interface
to 10.10.10.10/24, and configure the MA5600T to communicate with the license server (IP address:
10.20.20.2/24) through port 0/17/0 with the TCP port ID 10010, do as follows:
huawei(config)#vlan 10 smart
huawei(config)#port vlan 10 0/17/0
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#ip address 10.10.10.10 24
huawei(config-if-vlanif10)#quit
huawei(config)#ip route-static 10.20.20.0 24 10.10.10.1
huawei(config)#license esn 10.10.10.10
huawei(config)#license server ipaddress 10.20.20.2 tcpport 10010

2.2 Configuring Alarms


Alarm management includes the following functions: alarm record, alarm setting, and alarm
statistics. These functions help you to maintain the device and ensure that the device works
efficiently.

Background Information
An alarm refers to the notification of the system after a fault is detected. After an alarm is
generated, the system broadcasts the alarm to the terminals, mainly including the NMS and
command line interface (CLI) terminals.
Alarms are classified into fault alarm and recovery alarm. After a fault alarm is generated at a
certain time, the fault alarm lasts till the fault is rectified to clear the alarm.
You can modify the alarm settings according to your requirements. The settings are alarm
severity, alarm output mode through the CLI and alarm statistics switch.

When managing alarms on the GUI through the NMS, you can set filtering criteria to mask
unimportant alarms and events. This filtering helps you focus on the important
alarms and reduces the load on the NMS.

Procedure
- You can run the alarm active clear command to clear the alarms that are not recovered in
  the system.
  - When an active alarm lasts a long time, you can run this command to clear the alarm.
  - Before clearing an alarm, you can run the display alarm active command to query the
    currently active alarms.
- Run the alarm alarmlevel command to configure the alarm level.
  - Alarm levels are critical, major, minor, and warning.
  - Parameter default indicates restoring the alarm level to the default setting.
  - You can run the display alarm list command to query the alarm level.
  - The system specifies the default (also recommended) alarm level for each alarm. Use
    the default alarm level unless otherwise required.
- Run the alarm jitter-proof command to configure the alarm jitter-proof function and the
  jitter-proof period.
  - To prevent a fault alarm and its recovery alarm from being displayed frequently, you
    can enable the alarm jitter-proof function to filter alarms in the system.
  - After the alarm jitter-proof function is enabled, the alarm in the system is not reported
    to the NMS immediately but is reported to the NMS after an alarm jitter-proof period.
    If an alarm is recovered in an alarm jitter-proof period, the alarm is not reported to the
    NMS.
  - You can run the display alarm jitter-proof command to check whether the alarm
    jitter-proof function is enabled and whether the alarm jitter-proof period is set.
  - By default, the alarm jitter-proof function is disabled. You can determine whether to
    enable the function according to the running of the device.
- Run the (undo) alarm output command to set or shield the output of alarms to the CLI
  terminal.
  - Setting the output mode of alarms does not affect the generating of alarms. The alarms
    generated by the system are still recorded. You can run the display alarm history
    command to query the alarms that are shielded.
  - When the new output mode of an alarm conflicts with the previous mode, the new output
    mode takes effect.
  - The output mode of the recovery alarm is the same as the output mode of the fault alarm.
    When the output mode of the fault alarm is set, the system automatically synchronizes
    the output mode of its recovery alarm. The reverse is also applicable.
- Run the alarm-event statistics period command to set the alarm statistics collection
  period.
  - You can use the statistical result of alarms and events to locate a problem in the system.
  - You can run the display alarm statistics command to query the alarm statistical record.
- Run the display alarm configuration command to query the alarm configuration according
  to the alarm ID. The alarm configuration that you can query includes the alarm ID, alarm
  name, alarm class, alarm type, alarm level, default alarm level, number of parameters, CLI
  output flag, conversion flag, and detailed alarm description.
- Run the display alarm statistics command to query the alarm statistical record.
  - Run this command when you need to know how often an alarm occurs within a time
    range, to know the working conditions of the device, and to analyze the fault that
    may exist.
  - Currently, you can query the alarm statistics in the current period and previous period
    in the system.
- Run the trap filter alarm condition command to filter alarms that the device reports to
  the NMS through traps.
  - The filtering criteria can be alarm ID, alarm severity, alarm type, subrack ID, subrack ID/
    slot ID, subrack ID/slot ID/port ID, VLAN interface, and NE.
  - To reduce alarms and avoid alarm storms, the system does not send alarms of some ONTs
    to the NMS. To query the filtering criteria of alarms and events in the system, run the
    display trap filter command.
- In FTTH scenarios, you can configure the ONT alarm policy profile to configure alarms
  for different service policies.
  1. Create an ONT alarm policy profile.
     - Run the ont-alarm-policy command to create an ONT alarm policy profile.
     - The system supports a maximum number of 16 alarm policy profiles. The default
       alarm policy profile is profile 0.
     - It is recommended that you configure different alarm policies for VIP and common
       users.
  2. Configure attributes of the ONT alarm policy profile.
     - Run the alarm filter command to configure the control function of each alarm of the
       profile.
     - Run the commit command to save the configuration.
     - Run the display ont-alarm-policy command to query attributes of the ONT alarm
       policy profile.
  3. Bind the ONT to the ONT alarm policy profile.
     - Run the ont alarm-policy command to bind the ONT to the ONT alarm policy profile
       so that the PON board can control whether to send the ONT alarm information.
     - During ONT adding or confirmation, the system binds the ONT to the default ONT
       alarm policy profile 0.

----End

Example
To shield the output of all alarms at level warning to the CLI terminal, enable the alarm
jitter-proof function, set the alarm jitter-proof period to 15s, and change the level of the
alarms with IDs 0x0a310021 and 0x2e314021 to critical, do as follows:
huawei(config)#undo alarm output alarmlevel warning
huawei(config)#alarm jitter-proof on
huawei(config)#alarm jitter-proof 15
huawei(config)#alarm alarmlevel 0x0a310021 critical
huawei(config)#alarm alarmlevel 0x2e314021 critical
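
The effect of the 15s jitter-proof period on what the NMS sees can be modelled offline before choosing a value, because any fault that recovers inside the period never reaches the NMS. The following Python model is an added example, not Huawei code: the function name and the event list are constructed, and it assumes that the recovery of an already reported fault is forwarded as soon as it occurs.

```python
def jitter_proof(events, period):
    """Model of the alarm jitter-proof filter described in this topic.

    events: iterable of (time_s, alarm_id, kind), kind is "fault" or "recovery".
    Returns (reports, suppressed): the list of (time_s, alarm_id, kind) items
    that reach the NMS, and the number of fault/recovery pairs that were
    filtered because the fault recovered inside the jitter-proof period.
    """
    pending = {}     # alarm_id -> time the fault was raised, not yet reported
    active = set()   # alarm_ids whose fault has already been reported
    reports, suppressed = [], 0

    def flush(now):
        # Report every pending fault whose jitter-proof period has expired.
        due = sorted((t0 + period, aid) for aid, t0 in pending.items()
                     if now is None or t0 + period <= now)
        for deadline, aid in due:
            del pending[aid]
            active.add(aid)
            reports.append((deadline, aid, "fault"))

    for t, aid, kind in sorted(events):
        flush(t)
        if kind == "fault":
            if aid not in pending and aid not in active:
                pending[aid] = t
        elif kind == "recovery":
            if aid in pending:
                # Recovered inside the period: neither alarm is reported.
                del pending[aid]
                suppressed += 1
            elif aid in active:
                # Assumption: recovery of a reported fault is forwarded at once.
                active.discard(aid)
                reports.append((t, aid, "recovery"))
    flush(None)      # faults still pending at the end are reported on expiry
    return reports, suppressed


# Constructed event list; the alarm IDs are taken from the examples in this topic.
SAMPLE_EVENTS = [
    (0, 0x2e112003, "fault"),      # signal degrade, recovers after 4 s
    (4, 0x2e112003, "recovery"),
    (20, 0x2e112003, "fault"),     # signal degrade, lasts 30 s
    (50, 0x2e112003, "recovery"),
    (60, 0x2e313015, "fault"),     # ONT hardware fault, never recovers
]

if __name__ == "__main__":
    sent, hidden = jitter_proof(SAMPLE_EVENTS, period=15)
    for t, aid, kind in sent:
        print(f"t={t:>3}s  0x{aid:08x}  {kind}")
    print("fault/recovery pairs never reported:", hidden)
```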

To mask the online and offline alarm of the ONT (alarm IDs 0x2e11a00b and 0x2e12a00b) so
that normal operations are not affected by too many alarms, do as follows:
huawei(config)#undo alarm output alarmid 0x2e11a00b
huawei(config)#undo alarm output alarmid 0x2e12a00b

To create ONT alarm policy profile 10, filter the following alarms, and bind this profile to GPON
ONT 1 connected to port 0/3/0, do as follows:
- 0x2e112003 (The signal degrade of ONTi (SDi) occurs)
- 0x2e112004 (The signal fail of ONTi (SFi) occurs)
- 0x2e112006 (The loss of frame of ONTi (LOFi) occurs)
- 0x2e313015 (The hardware of the ONT is faulty)
- 0x2e313016 (The ONT switches to the standby battery)
- 0x2e313017 (The standby battery of the ONT is lost)
- 0x2e313018 (The standby battery of the ONT cannot be charged)
- 0x2e313019 (The voltage of the standby battery of the ONT is too low)
- 0x2e31301a (The shell of the ONT is opened)
- 0x2e313024 (The loss of signals occurs on the ethernet port of the ONT)
- 0x2e313025 (No signal is received in the video UNI of the ONT)
- 0x2e31302a (The E1/T1 port loss of signal (LOS) occurs at the ONT)

huawei(config)#ont-alarm-policy policy-id 10
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e112003
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e112004
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e112006
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313015
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313016
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313017
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313018
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313019
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e31301a
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313024
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313025
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e31302a
huawei(config-ont-alarm-policy-10)#commit
huawei(config-ont-alarm-policy-10)#quit
huawei(config)#interface gpon 0/3
huawei(config-if-gpon-0/3)#ont alarm-policy 0 1 policy-id 10

2.3 Configuring the Network Time


Configure the NTP protocol to keep the time of all devices in the network synchronized, so
that the devices implement various service applications based on universal
time, such as the network management system and the network accounting system.

Background Information
Introduction to the NTP Protocol:
- The Network Time Protocol (NTP) is an application layer protocol defined in RFC 1305,
  which is used to synchronize the times of the distributed time server and the client. The
  RFC defines the structures, algorithms, entities and protocols used in the implementation
  of NTP.
- NTP is developed from the time protocol and the ICMP timestamp message protocol, with
  special design on the aspects of accuracy and robustness.
- NTP runs over UDP, using port number 123.
- Any local system that runs NTP can be time synchronized by other clock sources, and also
  act as a clock source to synchronize other clocks. In addition, mutual synchronization can
  be done through NTP packet exchanges.

NTP is applied to the following situations where all the clocks of hosts or routers in a network
need to be consistent:
- In the network management, an analysis of log or debugging information collected from
  different routers needs time for reference.
- The charging system requires the clocks of all devices to be consistent.
- Completing certain functions, for example, timing restart of all the routers in a network,
  requires the clocks of all the routers to be consistent.
- When several systems work together on the same complicated event, they have to take the
  same clock for reference to ensure correct implementation order.
- Incremental backup between the backup server and clients requires the clocks on them to be
  synchronized.

When all the devices on a network need to be synchronized, it is almost impossible for an
administrator to manually change the system clock by command line. This is because the work
load is heavy and clock accuracy cannot be ensured. NTP can quickly synchronize the clocks
of network devices and ensure their precision.
There are four NTP modes: server/client, peer, broadcast and multicast modes. The MA5600T
supports all these modes.

Default Configuration
Table 2-1 provides the default configuration for NTP.
Table 2-1 Default configuration for NTP

Parameter                               Default Value
NTP-service authentication function     Disable
NTP-service authentication key          None
The maximum allowed number of sessions  100
Clock stratum                           16


2.3.1 (Optional) Configuring NTP Authentication


This topic describes how to configure NTP authentication to improve the network security and
prevent unauthorized users from modifying the clock.

Prerequisites
Before configuring the NTP client/server mode, make sure that the network interface and the
routing protocol of the MA5600T are configured so that the server and the client are reachable
to each other at the network layer.

Background Information
In certain networks that have strict requirements on security, enable NTP authentication when
running the NTP protocol. Configuring NTP authentication is classified into configuring NTP
authentication on the client and configuring NTP authentication on the server.

Precautions
- If NTP authentication is not enabled on the client, the client can synchronize with the server,
  regardless of whether NTP authentication is enabled on the server.
- If NTP authentication is enabled, a reliable key should be configured.
- The configuration of the server must be the same as that of the client.
- When NTP authentication is enabled on the client, the client can pass the authentication if
  the server is configured with the same key as that of the client. In this case, you need not
  enable NTP authentication on the server or declare that the key is reliable.
- The client synchronizes with only the server that provides the reliable key. If the key
  provided by the server is unreliable, the client does not synchronize with the server.
- The flow of configuring NTP authentication is as follows: start -> enable NTP
  authentication -> configure the reliable NTP authentication key -> declare the reliable key -> end.

Procedure
Step 1 Run the ntp-service authentication enable command to enable NTP authentication.
Step 2 Run the ntp-service authentication-keyid command to set an NTP authentication key.
Step 3 Run the ntp-service reliable authentication-keyid command to declare that the key is reliable.
----End

Example
To enable NTP authentication, set the NTP authentication key as aNiceKey with the key number
42, and then define key 42 as a reliable key, do as follows:
huawei(config)#ntp-service authentication enable
huawei(config)#ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
huawei(config)#ntp-service reliable authentication-keyid 42
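
What the key configured above protects, as an added example (not code from this guide or from Huawei): it assumes the standard NTP symmetric-key format, in which an authenticated packet carries a 32-bit key ID followed by the MD5 digest of the key concatenated with the 48-byte NTP header. Key ID 42 and aNiceKey come from the example above; the function names and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header; the MAC, if any, follows it
DIGEST_LEN = 16       # MD5 output size


def build_header(mode, stratum, version=3):
    """Constructed sample header: only LI/VN/mode and stratum are filled in."""
    first_byte = (0 << 6) | (version << 3) | mode   # LI=0, version, mode
    return bytes([first_byte, stratum]) + bytes(NTP_HEADER_LEN - 2)


def sign(header, key_id, key):
    """Server side: append the 32-bit key ID and MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, reliable_keys, auth_enabled=True):
    """Client side: return (accepted, reason) for one received packet.

    reliable_keys maps key ID -> key bytes, i.e. the keys that were both
    configured and declared reliable on the client.
    """
    if not auth_enabled:
        return True, "authentication disabled, packet not checked"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(header) != NTP_HEADER_LEN or len(mac) != 4 + DIGEST_LEN:
        return False, "missing or malformed MAC"
    (key_id,) = struct.unpack("!I", mac[:4])
    key = reliable_keys.get(key_id)
    if key is None:
        return False, "key %d is not a reliable key" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):   # constant-time compare
        return False, "digest mismatch"
    return True, "authenticated with key %d" % key_id


def demo():
    """Run the client check over constructed server replies (mode 4, stratum 2)."""
    reliable = {42: b"aNiceKey"}
    header = build_header(mode=4, stratum=2)
    tampered = bytearray(sign(header, 42, b"aNiceKey"))
    tampered[1] = 1                                  # stratum changed in transit
    cases = {
        "same key": sign(header, 42, b"aNiceKey"),
        "different key": sign(header, 42, b"otherKey"),
        "unknown key ID": sign(header, 7, b"aNiceKey"),
        "no MAC": header,
        "tampered": bytes(tampered),
    }
    return {name: verify(pkt, reliable) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-15s %-6s %s" % (name, "accept" if ok else "drop", reason))
```

Calling verify with auth_enabled=False accepts even the packet without a MAC, which is the behaviour the first precaution describes for a client that has not enabled authentication.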

2.3.2 Configuring the NTP Broadcast Mode


This topic describes how to configure the MA5600T for clock synchronization in the NTP
broadcast mode. After the configuration is completed, the server periodically broadcasts clock
synchronization packets through a specified port, and the client listens to the broadcast packets
sent from the server and synchronizes the local clock according to the received broadcast packets.

Prerequisites
Before configuring the NTP broadcast mode, make sure that the network interface and the routing
protocol of the MA5600T are configured so that the server and the client are reachable to each
other at the network layer.

Background Information
In the broadcast mode, the server periodically sends clock synchronization packets to the
broadcast address 255.255.255.255, with the mode field set to 5 (indicating the broadcast mode).
The client listens to the broadcast packets sent from the server. After receiving the first broadcast
packet, the client exchanges NTP packets whose mode fields are set to 3 (client mode) and 4
(server mode) with the server to estimate the network delay between the client and the server.
The client then enters the broadcast client mode, continues to listen to the incoming broadcast
packets, and synchronizes the local clock according to the incoming broadcast packets, as shown
in Figure 2-1.
Figure 2-1 NTP broadcast mode

Precautions
1. In the broadcast mode, you should configure both the NTP server and the NTP client.
2. The clock stratum of the synchronizing device must be higher than or equal to that of the
   synchronized device. Otherwise, the clock synchronization fails.

Procedure
- Configure the NTP broadcast server host.
  1. Run the ntp-service refclock-master command to configure the local clock as the
     master NTP clock, and specify the stratum of the master NTP clock.
  2. (Optional) Configure NTP authentication.
     In certain networks that have strict requirements on security, it is recommended that
     you enable NTP authentication when running the NTP protocol. The configuration of
     the server must be the same as that of the client.
     a. Run the ntp-service authentication enable command to enable NTP authentication.
     b. Run the ntp-service authentication-keyid command to set an NTP authentication key.
     c. Run the ntp-service reliable authentication-keyid command to declare that the
        key is reliable.
  3. Add a VLAN L3 interface.
     a. Run the vlan command to create a VLAN.
     b. Run the port vlan command to add an upstream port to the VLAN so that the
        user packets carrying the VLAN tag are transmitted upstream through the
        upstream port.
     c. In the global config mode, run the interface vlan command to create a VLAN
        interface, and then enter the VLAN interface mode to configure the L3 interface.
     d. Run the ip address command to configure the IP address and subnet mask of the
        VLAN interface so that the IP packets in the VLAN can participate in the L3
        forwarding.
  4. Run the ntp-service broadcast-server command to configure the NTP broadcast
     server mode of the host, and specify the key ID for the server to send packets to the
     client.

- Configure the NTP broadcast client host.
  1. (Optional) Configure NTP authentication.
     In certain networks that have strict requirements on security, it is recommended that
     you enable NTP authentication when running the NTP protocol. The configuration of
     the server must be the same as that of the client.
     a. Run the ntp-service authentication enable command to enable NTP authentication.
     b. Run the ntp-service authentication-keyid command to set an NTP authentication key.
     c. Run the ntp-service reliable authentication-keyid command to declare that the
        key is reliable.
  2. Add a VLAN L3 interface.
     a. Run the vlan command to create a VLAN.
     b. Run the port vlan command to add an upstream port to the VLAN so that the
        user packets carrying the VLAN tag are transmitted upstream through the
        upstream port.
     c. In the global config mode, run the interface vlan command to create a VLAN
        interface, and then enter the VLAN interface mode to configure the L3 interface.
     d. Run the ip address command to configure the IP address and subnet mask of the
        VLAN interface so that the IP packets in the VLAN can participate in the L3
        forwarding.
  3. Run the ntp-service broadcast-client command to configure a host as the NTP
     broadcast client.

----End

Example
Assume the following configurations: MA5600T_S uses the local clock as the master NTP clock
on stratum 2 and works in the NTP broadcast mode, broadcasting clock synchronization packets
periodically through IP address 10.10.10.10/24 of the L3 interface of VLAN 2, and
MA5600T_C functions as the NTP client, listening to the broadcast packets sent from the server
through IP address 10.10.10.20/24 of the L3 interface of VLAN 2 and synchronizing with the
clock on the broadcast server. To perform these configurations, do as follows:
1. On MA5600T_S:
huawei(config)#ntp-service refclock-master 2
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.10 24
huawei(config-if-vlanif2)#ntp-service broadcast-server
huawei(config-if-vlanif2)#quit

2. On MA5600T_C:
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.20 24
huawei(config-if-vlanif2)#ntp-service broadcast-client
huawei(config-if-vlanif2)#quit
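
A check for the optional authentication step, as an added example (not part of this guide and not a Huawei tool): the MA5600T_C session above omits the three ntp-service authentication commands, and per the precautions in the NTP authentication topic such a client synchronizes without checking a key. The script assumes its input is a captured command session in the format shown on this page; the finding names and the sample sessions are constructed.

```python
import re

PROMPT = re.compile(r"^\S+\)#")   # e.g. "huawei(config-if-vlanif2)#"
KEY_DEF = re.compile(
    r"^ntp-service authentication-keyid (\d+) authentication-mode md5 \S+$")
KEY_RELIABLE = re.compile(r"^ntp-service reliable authentication-keyid (\d+)$")
# Commands from this guide that make the device learn time from the network.
TIME_CONSUMER = ("ntp-service broadcast-client", "ntp-service multicast-client",
                 "ntp-service unicast-server", "ntp-service unicast-peer")


def audit(session):
    """Return finding names (constructed for this example) for one session."""
    cmds = [PROMPT.sub("", line.strip())
            for line in session.splitlines() if line.strip()]
    auth_on = "ntp-service authentication enable" in cmds
    defined = {int(m.group(1)) for m in map(KEY_DEF.match, cmds) if m}
    reliable = {int(m.group(1)) for m in map(KEY_RELIABLE.match, cmds) if m}
    consumes_time = any(c.startswith(TIME_CONSUMER) for c in cmds)

    findings = []
    if consumes_time and not auth_on:
        # Time is taken from the network but no key is ever checked.
        findings.append("auth-disabled")
    if auth_on and not (defined & reliable):
        # Authentication is on, yet no key is both set and declared reliable.
        findings.append("no-usable-key")
    findings += ["key-not-reliable:%d" % k for k in sorted(defined - reliable)]
    findings += ["reliable-key-undefined:%d" % k for k in sorted(reliable - defined)]
    return findings


# The MA5600T_C session from the example above.
WEAK = """\
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.20 24
huawei(config-if-vlanif2)#ntp-service broadcast-client
huawei(config-if-vlanif2)#quit
"""

# The three commands from the NTP authentication example in this guide.
AUTH = """\
huawei(config)#ntp-service authentication enable
huawei(config)#ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
huawei(config)#ntp-service reliable authentication-keyid 42
"""

HARDENED = AUTH + WEAK
# Constructed mistake: the wrong key ID is declared reliable.
PARTIAL = AUTH.replace("reliable authentication-keyid 42",
                       "reliable authentication-keyid 24") + WEAK

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("partial", PARTIAL)):
        print(name, audit(text) or "no findings")
```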

2.3.3 Configuring the NTP Multicast Mode


This topic describes how to configure the MA5600T for clock synchronization in the NTP
multicast mode. After the configuration is completed, the server periodically multicasts clock
synchronization packets through a specified port, and the client listens to the multicast packets
sent from the server and synchronizes the local clock according to the received multicast packets.

Prerequisites
Before configuring the NTP multicast mode, make sure that the network interface and the routing
protocol of the MA5600T are configured so that the server and the client are reachable to each
other at the network layer.

Background Information
In the multicast mode, the server periodically sends clock synchronization packets to the
multicast address configured by the user. The default NTP multicast address 224.0.1.1 is used
if the multicast address is not configured. The mode field of the clock synchronization packet is
set to 5 (multicast mode). The client listens to the multicast packets sent from the server. After
receiving the first multicast packet, the client exchanges NTP packets whose mode fields are set
to 3 (client mode) and 4 (server mode) with the server to estimate the network delay between
the client and the server. The client then enters the multicast client mode, continues to listen to
the incoming multicast packets, and synchronizes the local clock according to the incoming
multicast packets, as shown in Figure 2-2.
Figure 2-2 NTP multicast mode

Precautions
1. In the multicast mode, you should configure both the NTP server and the NTP client.
2. The clock stratum of the synchronizing device must be higher than or equal to that of the
   synchronized device. Otherwise, the clock synchronization fails.

Procedure
- Configure the NTP multicast server host.
  1. Run the ntp-service refclock-master command to configure the local clock as the
     master NTP clock, and specify the stratum of the master NTP clock.
  2. (Optional) Configure NTP authentication.
     In certain networks that have strict requirements on security, it is recommended that
     you enable NTP authentication when running the NTP protocol. The configuration of
     the server must be the same as that of the client.
     a. Run the ntp-service authentication enable command to enable NTP authentication.
     b. Run the ntp-service authentication-keyid command to set an NTP authentication key.
     c. Run the ntp-service reliable authentication-keyid command to declare that the
        key is reliable.
  3. Add a VLAN L3 interface.
     a. Run the vlan command to create a VLAN.
     b. Run the port vlan command to add an upstream port to the VLAN so that the
        user packets carrying the VLAN tag are transmitted upstream through the
        upstream port.
     c. In the global config mode, run the interface vlan command to create a VLAN
        interface, and then enter the VLAN interface mode to configure the L3 interface.
     d. Run the ip address command to configure the IP address and subnet mask of the
        VLAN interface so that the IP packets in the VLAN can participate in the L3
        forwarding.
  4. Run the ntp-service multicast-server command to configure the NTP multicast
     server mode of the host, and specify the key ID for the server to send packets to the
     client.

- Configure the NTP multicast client host.
  1. (Optional) Configure NTP authentication.
     In certain networks that have strict requirements on security, it is recommended that
     you enable NTP authentication when running the NTP protocol. The configuration of
     the server must be the same as that of the client.
     a. Run the ntp-service authentication enable command to enable NTP authentication.
     b. Run the ntp-service authentication-keyid command to set an NTP authentication key.
     c. Run the ntp-service reliable authentication-keyid command to declare that the
        key is reliable.
  2. Add a VLAN L3 interface.
     a. Run the vlan command to create a VLAN.
     b. Run the port vlan command to add an upstream port to the VLAN so that the
        user packets carrying the VLAN tag are transmitted upstream through the
        upstream port.
     c. In the global config mode, run the interface vlan command to create a VLAN
        interface, and then enter the VLAN interface mode to configure the L3 interface.
     d. Run the ip address command to configure the IP address and subnet mask of the
        VLAN interface so that the IP packets in the VLAN can participate in the L3
        forwarding.
  3. Run the ntp-service multicast-client command to configure a host as the NTP
     multicast client.

----End

Example
Assume the following configurations: MA5600T_S uses the local clock as the master NTP clock
on stratum 2 and works in the NTP multicast mode, multicasting clock synchronization packets
periodically through IP address 10.10.10.10/24 of the L3 interface of VLAN 2, and
MA5600T_C functions as the NTP client, listening to the multicast packets sent from the server
through IP address 10.10.10.20/24 of the L3 interface of VLAN 2 and synchronizing with the
clock on the multicast server. To perform these configurations, do as follows:
1. On MA5600T_S:
huawei(config)#ntp-service refclock-master 2
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.10 24
huawei(config-if-vlanif2)#ntp-service multicast-server
huawei(config-if-vlanif2)#quit

2. On MA5600T_C:
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.20 24
huawei(config-if-vlanif2)#ntp-service multicast-client
huawei(config-if-vlanif2)#quit

2.3.4 Configuring the Unicast NTP Client


This topic describes how to configure the MA5600T as the NTP client to synchronize with the
NTP server in the network.

Prerequisites
Before configuring the NTP client/server mode, make sure that the network interface and the
routing protocol of the MA5600T are configured so that the server and the client are reachable
to each other at the network layer.

Background Information
In the client/server mode, the client sends a synchronization packet to the server, with the mode
field set to 3 (client mode). After receiving the packet, the server automatically enters the server
mode and sends a response packet with the mode field set to 4 (server mode). After receiving
the response from the server, the client filters and selects the clock, and synchronizes with the
preferred server, as shown in Figure 2-3.
Figure 2-3 NTP client/server mode

Precautions
1. In the client/server mode, you need to configure only the client, and need not configure the
   server.
2. The clock stratum of the synchronizing device must be lower than or equal to that of the
   synchronized device. Otherwise, the clock synchronization fails.

Procedure
Step 1 Add a VLAN L3 interface.
1. Run the vlan command to create a VLAN.
2. Run the port vlan command to add an upstream port to the VLAN so that the user packets
   carrying the VLAN tag are transmitted upstream through the upstream port.
3. In the global config mode, run the interface vlan command to create a VLAN interface,
   and then enter the VLAN interface mode to configure the L3 interface.
4. Run the ip address command to configure the IP address and subnet mask of the VLAN
   interface so that the IP packets in the VLAN can participate in the L3 forwarding.

Step 2 Run the ntp-service unicast-server command to configure the NTP unicast server mode, and
specify the IP address of the remote server that functions as the local time server and the interface
for transmitting and receiving NTP packets.
NOTE
- In this command, ip-address is a unicast address, which cannot be a broadcast address, a multicast
  address, or the IP address of a local clock.
- After the source interface of the NTP packets is specified by source-interface, the source IP address
  of the NTP packets is configured as the primary IP address of the specified interface.
- A server can function as a time server to synchronize other devices only after its clock is synchronized.
- When the clock stratum of the server is higher than or equal to that of the client, the client does not
  synchronize with the server.
- You can run the ntp-service unicast-server command multiple times to configure multiple servers.
  Then, the client selects the best server according to clock priorities.

Step 3 (Optional) Configure the ACL rules.
Filter the packets that pass through the L3 interface. Only the IP packets from the clock server are
allowed to access the L3 interface. Other unauthorized packets are not allowed to access the L3
interface. It is recommended to use the ACL rules for the system that has high requirements on
security.
1. Run the acl adv-acl-number command to create an ACL.
2. Run the rule command to classify traffic according to the source IP address, destination IP
   address, type of the protocol over IP, and features or protocol of the packet, allowing or
   forbidding the data packets that meet related conditions to pass.
3. Run the packet-filter command to configure an ACL filtering rule for a specified port, and
   make the configuration take effect.

----End

Example
Assume the following configurations: One MA5600T functions as the NTP server (IP address:
10.20.20.20/24), the other MA5600T (IP address of the L3 interface of VLAN 2: 10.10.10.10/24,
gateway IP address: 10.10.10.1) functions as the NTP client, the NTP client sends the clock
synchronization request packet through the VLAN L3 interface to the NTP server, the NTP
server responds to the request packet, and ACL rules are configured to allow only IP packets
from the clock server to access the L3 interface. To perform these configurations, do as follows:
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.10 24
huawei(config-if-vlanif2)#quit
huawei(config)#ntp-service unicast-server 10.20.20.20 source-interface vlanif 2
huawei(config)#acl 3050
huawei(config-acl-adv-3050)#rule deny ip source any destination 10.10.10.10 0.0.0.0
huawei(config-acl-adv-3050)#rule permit ip source 10.20.20.20 0.0.0.0 destination 10.10.10.10 0.0.0.0
huawei(config-acl-adv-3050)#quit
huawei(config)#packet-filter inbound ip-group 3050 port 0/17/0

2.3.5 Configuring the NTP Peer


This topic describes how to configure the MA5600T for clock synchronization in the NTP peer
mode. In the peer mode, configure only the active peer, and the passive peer need not be
configured. In the peer mode, the active peer and the passive peer can synchronize with each
other. The peer with a higher clock stratum is synchronized by the peer with a lower clock
stratum.

Prerequisites
Before configuring the NTP peer mode, make sure that the network interface and the routing
protocol of the MA5600T are configured so that the server and the client are reachable to each
other at the network layer.

Background Information
In the peer mode, the active peer and the passive peer exchange NTP packets whose mode fields
are set to 3 (client mode) and 4 (server mode). Then, the active peer sends a clock synchronization
packet to the passive peer, with the mode field of the packet set to 1 (active peer). After receiving
the packet, the passive peer automatically works in the passive mode and sends a response packet
with the mode field set to 2 (passive peer). Through packet exchange, the peer mode is set up.
The active peer and the passive peer can synchronize with each other. If both the clock of the
active peer and that of the passive peer are synchronized, the clock on a lower stratum is used,
as shown in Figure 2-4.
Figure 2-4 NTP peer mode

Precautions
1. In the peer mode, you need to configure the NTP mode only on the active peer.
2. The peers determine clock synchronization according to the clock stratum instead of
   according to whether the peer is an active peer.

Procedure
Step 1 Configure the NTP active peer.
1. Run the ntp-service refclock-master command to configure the local clock as the master
   NTP clock, and specify the stratum of the master NTP clock.
2. Run the ntp-service unicast-peer command to configure the NTP peer mode, and specify
   the IP address of the remote server that functions as the local time server and the interface
   for transmitting and receiving NTP packets.
   NOTE
   - In this command, ip-address is a unicast address, which cannot be a broadcast address, a multicast
     address, or the IP address of a reference clock.
   - After the source interface of the NTP packets is specified by source-interface, the source IP address
     of the NTP packets is configured as the primary IP address of the specified interface.

Step 2 Add a VLAN L3 interface.
1. Run the vlan command to create a VLAN.
2. Run the port vlan command to add an upstream port to the VLAN so that the user packets
   carrying the VLAN tag are transmitted upstream through the upstream port.
3. In the global config mode, run the interface vlan command to create a VLAN interface,
   and then enter the VLAN interface mode to configure the L3 interface.
4. Run the ip address command to configure the IP address and subnet mask of the VLAN
   interface so that the IP packets in the VLAN can participate in the L3 forwarding.

----End

Example
Assume the following configurations: One MA5600T functions as the NTP active peer (IP
address of the L3 interface of VLAN 2: 10.10.10.10/24) and works on clock stratum 4, the other
MA5600T (IP address: 10.10.10.20/24) functions as the NTP passive peer, the active peer sends
a clock synchronization request packet through the VLAN L3 interface to the passive peer, the
passive peer responds to the request packet, and the peer with a higher clock stratum is
synchronized by the peer with a lower clock stratum. To perform these configurations, do as
follows:
huawei(config)#ntp-service refclock-master 4
huawei(config)#ntp-service unicast-peer
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.10 24
huawei(config-if-vlanif2)#quit

2.4 Adding Port Description


After the description of a physical port on the board is added, the description facilitates
information query in system maintenance.

Prerequisites
A board must be added to the system.

Procedure
Step 1 In the global config mode, run the port desc command to add port description.
Port description is a character string, used to identify a port on a board in a slot of a shelf.
Step 2 Run the display port desc command to query port description.
----End

Example
Plan the format of user port description as "community ID-building ID-floor ID/shelf ID-slot
ID-port ID". "Community ID-building ID-floor ID" indicates the physical location where the
user terminal is deployed, and "shelf ID-slot ID-port ID" indicates the physical port on the local
device that is connected to the user terminal. This plan presents the user terminal location
and the connection between the user terminal and the device, which facilitates query in
maintenance. Assume that the user terminal that is connected to port 0/2/0 of the MA5600T is
deployed on floor 1, building 01 of community A. To add port description according to the plan,
do as follows:
huawei(config)#port desc 0/2/0 description A-01-01/0-2-0
huawei(config)#display port desc 0/2/0
------------------------------------------------------------
F/ S/ P    IMA Group    Port Description
------------------------------------------------------------
0/ 2/ 0                 A-01-01/0-2-0
------------------------------------------------------------

2.5 Configuring the Attributes of an Upstream Ethernet Port


This topic describes how to configure the attributes of a specified Ethernet port so that the system
communicates with the upstream device in the normal state.

Prerequisites
The board in the GIU slot must be in position and must work in the normal state.

Background Information
The MA5600T should be interconnected with the upstream device through the Ethernet port.
Therefore, pay attention to the consistency of port attributes.

Default Configuration
Table 2-2 lists the default settings of the attributes of an Ethernet port.
Table 2-2 Default settings of the attributes of an Ethernet port
| Parameter | Default Setting (Optical Port) | Default Setting (Electrical Port) |
|---|---|---|
| Auto-negotiation mode of the port | Disabled | Enabled |
| Port rate | FE optical port: 100 Mbit/s; GE optical port: 1000 Mbit/s; 10GE optical port: 10000 Mbit/s | NA. NOTE: After the auto-negotiation mode of the port is disabled, you can configure the port rate. |
| Duplex mode | Full-duplex, read only | NA. NOTE: After the auto-negotiation mode of the port is disabled, you can configure the duplex mode. |
| Network cable adaptation mode | Not supported | FE electrical port: auto; GE electrical port: normal |
| Flow control | Disabled | Disabled |

Procedure
- Configure the physical attributes of an Ethernet port.
  1. (Optional) Set the auto-negotiation mode of the Ethernet port.
     Run the auto-neg command to set the auto-negotiation mode of the Ethernet port. You
     can enable or disable the auto-negotiation mode:
     - After the auto-negotiation mode is enabled, the port automatically negotiates with
       the peer port for the rate and working mode of the Ethernet port.
     - After the auto-negotiation mode is disabled, the rate and working mode of the port
       are in the forced mode (adopt default values or are set through command lines).
  2. (Optional) Set the rate of the Ethernet port.
     Run the speed command to set the rate of the Ethernet port. After the port rate is set
     successfully, the port works at the set rate. Pay attention to the following points:
     - Make sure that the rate of the Ethernet port is the same as that of the interconnected
       port on the peer device. This prevents communication failure.
     - The auto-negotiation mode should be disabled.
  3. (Optional) Set the duplex mode of the Ethernet port.
     Run the duplex command to set the duplex mode of the Ethernet port. The duplex
     mode of an Ethernet port can be full-duplex, half-duplex, or auto negotiation. Pay
     attention to the following points:
     - Make sure that the ports of two interconnected devices work in the same duplex
       modes. This prevents communication failure.
     - The auto-negotiation mode should be disabled.
  4. (Optional) Configure the network cable adaptation mode of the Ethernet port.
     Run the mdi command to configure the network cable adaptation mode of the Ethernet
     port to match the actual network cable. The network adaptation modes are as follows:
     - normal: Specifies the adaptation mode of the network cable as straight through
       cable. In this case, the network cable connecting to the Ethernet port must be a
       straight-through cable.
     - across: Specifies the adaptation mode of the network cable as crossover cable. In
       this case, the network cable connecting to the Ethernet port must be a crossover
       cable.
     - auto: Specifies the adaptation mode of the network cable as auto-sensing. The
       network cable can be a straight through cable or crossover cable.
     Pay attention to the following points:
     - The Ethernet optical port does not support the network cable adaptation mode.
     - If the Ethernet electrical port works in forced mode (auto-negotiation mode
       disabled), the network cable type of the port cannot be configured to auto.
- Configure flow control on the Ethernet port.
  Run the flow-control command to enable flow control on the Ethernet port. When the flow
  of an Ethernet port is heavy, run this command to control the flow to prevent network
  congestion, which may cause the loss of data packets. Flow control should be supported
  on both the local and peer devices. Pay attention to the following points:
  - If the peer device does not support flow control, generally, enable flow control on the
    local device.
  - If the peer device supports flow control, generally, disable flow control on the local
    device.
  - By default, flow control is disabled.
- Mirror the Ethernet port.
  Run the mirror port command to mirror the Ethernet port. When the system is faulty, copy
  the traffic of a certain port to the other port and output the traffic for traffic observation,
  network fault diagnosis, and data analysis.

----End

Example
Ethernet port 0/17/0 is an electrical port with the following attributes: the port rate is
1000 Mbit/s, the port works in full-duplex mode, flow control is enabled, and auto-negotiation
is disabled. To configure the port, do as follows:
huawei(config)#interface 0/17
huawei(config-if-0/17)#auto-neg 0 disable
huawei(config-if-0/17)#speed 0 1000
huawei(config-if-0/17)#duplex 0 full
huawei(config-if-0/17)#flow-control 0

2.6 Configuring a VLAN


Configuring a VLAN is a prerequisite for configuring a service. Hence, before configuring a
service, make sure that the VLAN configuration based on planning is complete.

Prerequisites
The VLAN to be added should not exist in the system.

Application Context
VLAN application is specific to user types. For details on the VLAN application, see Table 2-3.
Table 2-3 VLAN application and planning


| User Type | Application Scenario | VLAN Planning |
|---|---|---|
| Household user; commercial user of the Internet access service | N:1 scenario, that is, the scenario of upstream transmission through a single VLAN, where the services of multiple subscribers are converged to the same VLAN. | VLAN type: smart; VLAN attribute: common; VLAN forwarding mode: by VLAN+MAC |
| Household user; commercial user of the Internet access service | 1:1 scenario, that is, the scenario of upstream transmission through double VLANs, where the outer VLAN tag identifies a service and the inner VLAN tag identifies a user. The service of each user is indicated by a unique S+C. | VLAN type: smart; Attribute: stacking; VLAN forwarding mode: by S+C |
| Commercial user of the transparent transmission service | Applicable only to the transparent transmission service of a commercial user. | VLAN type: smart; VLAN attribute: QinQ; VLAN forwarding mode: by VLAN+MAC or S+C. |

Default Configuration
Table 2-4 lists the default parameter settings of VLAN.
Table 2-4 Default parameter settings of VLAN

| Parameter | Default Setting | Remarks |
|---|---|---|
| Default VLAN of the system | VLAN ID: 1; Type: smart VLAN | You can run the defaultvlan modify command to modify the VLAN type but cannot delete the VLAN. |
| Reserved VLAN of the system | VLAN ID range: 4079-4093 | You can run the vlan reserve command to modify the VLAN reserved by the system. |
| Default attribute of a new VLAN | Common | - |
| VLAN forwarding mode | VLAN+MAC | - |

Procedure
Step 1 Create a VLAN.
Run the vlan command to create a VLAN. VLANs of different types are applicable to different scenarios.
Table 2-5 VLAN types and application scenarios

| VLAN Type | Configuration Command | VLAN Description | Application Scenario |
|---|---|---|---|
| Standard VLAN | To add a standard VLAN, run the vlan vlanid standard command. | Standard VLAN. Ethernet ports in a standard VLAN are interconnected with each other but Ethernet ports in different standard VLANs are isolated from each other. | Only available to Ethernet ports and specifically to network management and subtending. |
| Smart VLAN | To add a smart VLAN, run the vlan vlanid smart command. | One VLAN may contain multiple xDSL service ports or GPON service ports. The traffic streams of these ports, however, are isolated from each other. In addition, the traffic streams of different VLANs are also isolated. One smart VLAN provides access for multiple subscribers and thus saves VLAN resources. | Smart VLANs can be applied in residential communities to provide xDSL or GPON service access. |
| MUX VLAN | To add a MUX VLAN, run the vlan vlanid mux command. | One MUX VLAN contains only one xDSL service port or GPON service port. The traffic streams in different VLANs are isolated from each other. One-to-one mapping can be set up between a MUX VLAN and an access user. Hence, a MUX VLAN can identify an access user. | MUX VLANs are applicable to xDSL or GPON service access. For example, MUX VLANs can be used to distinguish users. |
| Super VLAN | To add a super VLAN, run the vlan vlanid super command. | The super VLAN is based on layer 3. One super VLAN contains multiple sub-VLANs. Through an ARP proxy, the sub-VLANs in a super VLAN can be interconnected at layer 3. | Super VLANs save IP addresses and improve the utilization of IP addresses. For a super VLAN, sub-VLANs must be configured. You can run the supervlan command to add a sub-VLAN to a specified super VLAN. A sub-VLAN must be a smart VLAN or MUX VLAN. |

NOTE

- To add VLANs with consecutive IDs in batches, run the vlan vlanid to end-vlanid command.
- To add VLANs with inconsecutive IDs in batches, run the vlan vlan-list command.

Step 2 (Optional) Configure the VLAN attribute.


The default attribute for a new VLAN is "common". You can run the vlan attrib command to
configure the attribute of the VLAN.
Configure the attribute according to VLAN planning.
Table 2-6 VLAN attributes and application scenarios

VLAN attribute: Common
  Configuration command: The default attribute for a new VLAN is "common".
  VLAN type: The VLAN with this attribute can be a standard VLAN, smart VLAN, MUX VLAN, or super VLAN.
  VLAN description: A VLAN with the common attribute can function as a common layer 2 VLAN or function for creating a layer 3 interface.
  Application scenario: Applicable to the N:1 access scenario.

VLAN attribute: QinQ VLAN
  Configuration command: To configure QinQ as the attribute of a VLAN, run the vlan attrib vlanid q-in-q command.
  VLAN type: The VLAN with this attribute can be a standard VLAN, smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with a Layer 3 interface, and the default VLAN of the system cannot be set to QinQ VLAN.
  VLAN description: The packets from a QinQ VLAN contain two VLAN tags, that is, inner VLAN tag from the private network and outer VLAN tag from the MA5600T. Through the outer VLAN, an L2 VPN tunnel can be set up to transparently transmit the services between private networks.
  Application scenario: Applicable to the enterprise private line scenario.

VLAN attribute: VLAN Stacking
  Configuration command: To configure stacking as the attribute of a VLAN, run the vlan attrib vlanid stacking command.
  VLAN type: The VLAN with this attribute can only be a smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with an L3 interface, and the default VLAN of the system cannot be set to VLAN Stacking.
  VLAN description: The packets from a stacking VLAN contain two VLAN tags, that is, inner VLAN tag and outer VLAN tag from the MA5600T. The upper-layer BRAS authenticates the access users according to the two VLAN tags. In this manner, the number of access users is increased. On the upper-layer network in the L2 working mode, a packet can be forwarded directly by the outer VLAN tag and MAC address mode to provide the wholesale service for ISPs.
  Application scenario: Applicable to the 1:1 access scenario for the wholesale service or extension of VLAN IDs. In the case of a stacking VLAN, to configure the inner tag of the service port, run the stacking label command.


NOTE

- To configure attributes for the VLANs with consecutive IDs in batches, run the vlan attrib vlanid to end-vlanid command.
- To configure attributes for the VLANs with inconsecutive IDs in batches, run the vlan attrib vlan-list command.

Step 3 (Optional) Configure VLAN description.


To configure VLAN description, run the vlan desc command. You can configure VLAN
description to facilitate maintenance. The general VLAN description includes the usage and
service information of the VLAN.
Step 4 (Optional) Configure the VLAN forwarding policy.
vlan-connect corresponds to the S+C forwarding policy, which ensures higher security by
solving the problems of insufficiency in the MAC address space, MAC address aging, and MAC
address spoofing and attacks.
You can configure the VLAN forwarding policy in either the global config mode or VLAN
service profile configuration mode.
- In the global config mode, to configure the VLAN forwarding policy, run the vlan forwarding command. The default VLAN forwarding mode is VLAN+MAC in the system.
- In the VLAN service profile configuration mode, to configure the VLAN forwarding policy, do as follows:
  1. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
  2. Run the forwarding command to configure the VLAN forwarding policy. The default VLAN forwarding policy is VLAN+MAC in the system.
  3. Run the commit command to validate the profile configuration. The configuration of the VLAN service profile takes effect only after execution of this command.
  4. Run the quit command to quit the VLAN service profile mode.
  5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 4.1.

----End

Example
Assume that a stacking VLAN with ID of 50 is to be configured for extension of the VLAN. A
service port is added to VLAN 50. The outer VLAN tag 50 of the stacking VLAN identifies the
access device and the inner VLAN tag 10 identifies the user with access to the device. For the
VLAN, description needs to be configured for easy maintenance. To configure such a VLAN,
do as follows:
huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
huawei(config)#service-port vlan 50 gpon 0/4/0 ont 1 gemport 126 rx-cttr 6 tx-cttr 6
huawei(config)#stacking label vlan 50 baselabel 10
huawei(config)#vlan desc 50 description stackingvlan/label10


Assume that a QinQ VLAN with ID of 100 is to be configured for an enterprise user to ensure
higher security and the VLAN forwarding policy is S+C. For the VLAN, description needs to
be configured for easy maintenance. To configure such a VLAN, do as follows:
huawei(config)#vlan 100 smart
huawei(config)#vlan attrib 100 q-in-q
huawei(config)#vlan desc 100 description qinqvlan/forhuawei
huawei(config)#vlan forwarding 100 vlan-connect
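
The difference between the two forwarding policies in Step 4, as an added Python model that is not part of the original guide and not Huawei code: it parses double-tagged frames and compares a learned VLAN+MAC table with a provisioned S+C mapping when a second port sends a frame carrying another subscriber's source MAC. The class names, port names, MAC addresses (documentation range) and C-tag 11 are constructed, and using TPID 0x8100 for both tags is an assumption.

```python
import struct

TPID = 0x8100  # assumption: outer and inner tag both carry TPID 0x8100


def mac(text):
    """'00:00:5e:00:53:0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, s_vlan, c_vlan, payload=b"\x00" * 46):
    """Ethernet frame with an outer (S) and an inner (C) VLAN tag."""
    tags = struct.pack("!HHHH", TPID, s_vlan & 0x0FFF, TPID, c_vlan & 0x0FFF)
    return mac(dst) + mac(src) + tags + struct.pack("!H", 0x0800) + payload


def parse_frame(frame):
    """Return (dst, src, s_vlan, c_vlan); reject frames without two tags."""
    if len(frame) < 22:
        raise ValueError("too short for a double-tagged frame")
    tpid_s, tci_s, tpid_c, tci_c = struct.unpack("!HHHH", frame[12:20])
    if tpid_s != TPID or tpid_c != TPID:
        raise ValueError("frame is not double-tagged")
    return frame[0:6], frame[6:12], tci_s & 0x0FFF, tci_c & 0x0FFF


class VlanMacForwarder:
    """vlan-mac model: (S-VLAN, MAC) -> user port, learned from upstream traffic."""

    def __init__(self):
        self.table = {}

    def upstream(self, user_port, frame):
        _, src, s_vlan, _ = parse_frame(frame)
        self.table[(s_vlan, src)] = user_port  # newest sighting wins

    def downstream(self, frame):
        dst, _, s_vlan, _ = parse_frame(frame)
        return self.table.get((s_vlan, dst))  # None means unknown unicast


class VlanConnectForwarder:
    """vlan-connect model: provisioned (S, C) -> user port; no MAC learning."""

    def __init__(self, connections):
        self.connections = dict(connections)

    def upstream(self, user_port, frame):
        parse_frame(frame)  # validated, but nothing is learned from it

    def downstream(self, frame):
        _, _, s_vlan, c_vlan = parse_frame(frame)
        return self.connections.get((s_vlan, c_vlan))


def compare_modes():
    """Return the egress port chosen for subscriber A's traffic in both modes."""
    s_vlan, c_a, c_b = 50, 10, 11  # 50 and 10 come from the example above; 11 is constructed
    mac_a, mac_b, mac_gw = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:01"
    vlan_mac = VlanMacForwarder()
    vlan_connect = VlanConnectForwarder({(s_vlan, c_a): "port-A", (s_vlan, c_b): "port-B"})
    to_a = build_frame(mac_a, mac_gw, s_vlan, c_a)  # downstream frame addressed to A

    result = {}
    # Normal operation: each subscriber sends with its own source MAC.
    for fwd in (vlan_mac, vlan_connect):
        fwd.upstream("port-A", build_frame(mac_gw, mac_a, s_vlan, c_a))
        fwd.upstream("port-B", build_frame(mac_gw, mac_b, s_vlan, c_b))
    result["before"] = (vlan_mac.downstream(to_a), vlan_connect.downstream(to_a))

    # The MAC spoofing case the guide names: port B sources a frame with A's MAC.
    for fwd in (vlan_mac, vlan_connect):
        fwd.upstream("port-B", build_frame(mac_gw, mac_a, s_vlan, c_b))
    result["after"] = (vlan_mac.downstream(to_a), vlan_connect.downstream(to_a))
    result["learned_entries"] = len(vlan_mac.table)
    return result


if __name__ == "__main__":
    print(compare_modes())
```

In the model the learned table redirects A's downstream traffic after the forged frame, while the S+C mapping keeps pointing at A's port because the source MAC is never consulted; the S+C side also needs no per-MAC state, which is the address-space point the step makes.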

2.7 Configuring a VLAN Service Profile


Integrate VLAN-related configurations into the VLAN service profile so that all attributes take
effect immediately after the VLAN service profile is bound to the VLAN. This increases the
configuration efficiency.

Prerequisite
- The VLAN to which the VLAN service profile is bound must be created.

After a VLAN service profile is bound to a VLAN, regarding the parameters whose Committed state is NotConfig, the configuration commands that are independent of the VLAN take effect; other parameters adopt the control parameters of the profile. Modifying the feature parameters relevant to the VLAN does not take effect.

Procedure
Step 1 Create a VLAN service profile.
Run the vlan service-profile command to create a VLAN service profile or enter the configuration mode of the VLAN service profile. If the profile does not exist, this command creates the VLAN service profile and enters its configuration mode. If the profile already exists, this command directly enters the configuration mode of this service profile.
Step 2 Configure parameters of the VLAN service profile.
The VLAN service profile contains VLAN-related configurations. You can select them
according to your requirements.
- Run the bpdu tunnel command to configure the BPDU transparent transmission switch. After transparent transmission is enabled, the L2 BPDUs of the private network can be transmitted transparently over the public network.
- Run the forwarding command to configure the VLAN forwarding mode. The MA5600T supports two forwarding modes: VLAN+MAC address (vlan-mac) and S+C (vlan-connect). The system forwarding policy differs according to different VLAN forwarding modes.
- Run the packet-policy command to configure the forwarding policy for the broadcast packets, unknown unicast packets, and unknown multicast packets in the VLAN. Two policies, forward and discard, are supported.
- Run the pitp command to configure the PITP function to implement authentication of bound user account and access port.
- Run the pppoe mac-mode command to configure the MAC address allocation mode of the PPPoE user. Two modes, single-mac and multi-mac, are supported.


- Run the rip tunnel command to configure the RIP L2 transparent transmission switch. After the transparent transmission switch is enabled, RIP packets can be transparently transmitted at L2 based on VLAN on the MA5600T without running the RIP protocol.
- Run the security anti-ipspoofing command to configure the anti-IP spoofing function. After the anti-IP spoofing function is enabled, the system automatically and dynamically binds the IP address to the user. The packet can be transmitted upstream through the device only when the source IP address of the packet is the same as the bound IP address. Otherwise, the packet is discarded.
- Run the security anti-macspoofing command to configure the anti-MAC spoofing function. After the anti-MAC spoofing function is enabled, the system automatically and dynamically binds the MAC address to the traffic stream. When the source MAC address of the traffic stream is the same as the bound MAC address, the traffic stream can be transmitted upstream through the device. Otherwise, the packets are discarded.
- Run the user-bridging command to configure the bridging function of the VLAN service profile. After the bridging function is enabled, two users in the same VLAN can directly communicate with each other at L2.
  NOTE
  L2 interoperation is available only to the SCUN control board.
- Run the vtp-cdp tunnel command to configure the VTP/CDP packet transparent transmission switch. After the switch is enabled, VTP/CDP packets are transparently transmitted based on the VLAN.
- Run the dhcp mode command to switch between the DHCP L2 forwarding mode and the L3 forwarding mode.
- Run the dhcp option82 command to configure the DHCP option 82 feature.
- Run the dhcp proxy command to configure the DHCP proxy function. After the DHCP proxy function is enabled, the server ID proxy function and lease time proxy function will be enabled.
- Run the igmp mismatch command to configure the mismatch IGMP policy of the VLAN, which supports the transparent and discard policies.
- Run the vmac command to enable or disable VMAC. By default, VMAC is disabled.
- Run the vmac aging-mode command to configure the VMAC aging mode, which can be common aging or DHCP-based aging.
- Run the commit command to commit the current parameter configuration of the VLAN service profile.
  NOTE
  After the configuration is completed, run the commit command to make the configuration take effect.

Step 3 Bind the VLAN service profile to the VLAN.


Run the vlan bind service-profile command to bind the configured VLAN service profile to a specified VLAN. After the binding, the VLAN-level feature control switch is based on the configuration of the VLAN service profile. Independent configuration commands for VLAN-based features are no longer effective.
----End

Example
Add VLAN service profile 3 and bind it to VLAN 100. The profile parameters are planned as follows:
- VLAN forwarding mode: VLAN+MAC address (vlan-mac)
- BPDU transparent transmission: enabled
- Unknown multicast packet: discarded
- Adopt the default values for other parameters.


huawei(config)#vlan service-profile profile-id 3
huawei(config-vlan-srvprof-3)#forwarding vlan-mac
huawei(config-vlan-srvprof-3)#bpdu tunnel enable
huawei(config-vlan-srvprof-3)#packet-policy multicast discard
huawei(config-vlan-srvprof-3)#commit
huawei(config-vlan-srvprof-3)#quit
huawei(config)#vlan bind service-profile 100 profile-id 3

2.8 Configuring the User Security


Configuring the security mechanism protects operation users and access users against user account theft and roaming, and against attacks from malicious users.

Background Information
The user security mechanism includes:
- PITP: The purpose of the PITP feature is to provide the user physical location information for the upper-layer authentication server. After the BRAS obtains the user physical location information, the BRAS binds the information to the user account for authentication, thus protecting the user account against theft and roaming.
- DHCP option 82: The user physical location information is added to the option 82 field in the DHCP request sent by the user. The information is used by the upper-layer authentication server for authenticating the user, thus protecting the user account against theft and roaming.
- IP address binding: The IP address of the user is bound to the corresponding service port for authenticating the user, thus ensuring the security of the authentication.
- MAC address binding: The MAC address is bound to the service port, thus preventing the access of unauthorized users.
- Anti-MAC spoofing: It is a countermeasure taken by the system to prevent a user from attacking the system with a forged MAC address.
- Anti-IP spoofing: It is a countermeasure taken by the system to prevent a user from attacking the system with a forged IP address.

Table 2-7 lists the default settings of the user security mechanism.
Table 2-7 Default settings of the user security mechanism

Parameter | Default Setting | Remarks
PITP | Global function: disabled; Port-level function: enabled; VLAN-level function: enabled; Service-port-level function: enabled | The PITP function can be enabled only when the functions at all levels are enabled.
DHCP option 82 | Global function: disabled; Port-level function: enabled; VLAN-level function: enabled; Service-port-level function: enabled | The DHCP option 82 function can be enabled only when the functions at all levels are enabled.
Anti-IP spoofing | Global function: disabled; Service-port-level function: enabled; VLAN-level function: enabled | The anti-IP spoofing function can be enabled only when the functions at all levels are enabled.
Anti-MAC spoofing | Global function: disabled; VLAN-level function: disabled; Service-port-level status: enabled. By default, up to eight MAC addresses can be bound. | The anti-MAC spoofing function can be enabled only when the functions at all levels are enabled.

2.8.1 Configuring Anti-Theft and Roaming of User Account Through PITP

Policy Information Transfer Protocol (PITP) is mainly used for the user PPPoE dialup access.
It is a protocol defined for transferring policy information between the access device and the
Broadband Remote Access Server (BRAS) through L2 P2P communication. PITP can be used
for transferring the user physical port information and protecting the user account against theft
and roaming.

Application Context
PITP is used for providing the user port information for the BRAS. After the BRAS obtains the
user port information, the BRAS binds the user account to the user port, thus protecting the user
account against theft and roaming. PITP has two modes, the PPPoE+ mode (also called the PITP
P mode) and the VBAS mode (also called the PITP V mode).
PITP is applicable to the networking of a standalone MA5600T and the networking of subtended MA5600Ts.
- In the networking of a standalone MA5600T: Two PCs (PC1 and PC2) are connected to different ports of the MA5600T for the dialup access.
- In the networking of subtended MA5600Ts: Two PCs (PC1 and PC2) are connected to different MA5600Ts (PC1 is connected to the MA5600T, and PC2 is connected to the MA5600T through a subtended device) for the dialup access.

The principles in the two scenarios are similar. The user dials up from PC1 by using the
corresponding user account. The BRAS binds the user account to the user's physical port
information reported by the MA5600T. When the user of PC2 dials up by using the user account
of PC1, the BRAS discovers that the user account does not match the physical port information
and thus rejects the dialup access request of PC2.


Default Configuration
Table 2-8 lists the default settings related to PITP.
Table 2-8 Default settings related to PITP

Parameter | Default Setting
PITP function | Global function: disabled; Port-level function: enabled; VLAN-level function: enabled; Service-port-level function: enabled
PITP sub-option 90 | Disabled
User-side PPPoE packet carrying the vendor tag information | Disabled

Procedure
Step 1 Configure the relay agent information option (RAIO). Before using the PITP function, you must
configure RAIO.
- Run the raio-mode mode pitp-pmode command to configure the RAIO mode in the PITP P mode.
- Run the raio-mode mode pitp-vmode command to configure the RAIO mode in the PITP V mode.
The PITP P mode supports all the RAIO modes; the PITP V mode currently supports only the common, cntel, and userdefine modes. When the auto-sensing traffic stream is configured, fill in 8191.35 as the VPI/VCI of the tag, regardless of whether the traffic stream has learned the VPI/VCI or not.
user-defined: indicates the user-defined mode. In this mode, you need to run the raio-format command to configure the RAIO format. Select a corresponding keyword for configuring the RAIO format according to the PITP mode.
- In the PITP P mode, run the raio-format pitp-pmode command to configure the RAIO format.
- In the PITP V mode, run the raio-format pitp-vmode command to configure the RAIO format.
In the case of the user-defined RAIO format, configure the circuit ID (CID) and the remote ID (RID). If the access mode is not selected, the configured format applies to all access modes. If the access mode is selected, the configured format applies to only this access mode. The CID format and RID format in the PITP V mode are the same:
- CID: identifies the attribute information about the device.
- RID: identifies the access information about the user.
Step 2 Configure the PITP function.
The PITP function can be enabled or disabled at four levels. The PITP function is enabled only when it is enabled at all the four levels. The global PITP function has a higher priority than the port-level and service-port-level PITP functions.
1. Global PITP function: Run the pitp enable pmode command to enable global PITP P mode. By default, the global PITP function is disabled.
   In the PITP V mode, run the pitp vmode ether-type command to set the Ethernet protocol type to be the same as that of the BRAS. Then, run the pitp enable vmode command to enable global PITP V mode.
   NOTE
   The Ethernet protocol type of the PITP V mode must be configured when the PITP V mode is disabled.
2. Port-level PITP function: Run the pitp port or pitp board command to configure the port-level PITP function. By default, the port-level PITP function is enabled.
3. VLAN-level PITP function:
   a. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
   b. Run the pitp enable command to enable the PITP function of the VLAN. By default, the PITP function of the VLAN is enabled.
   c. Run the commit command to make the profile configuration take effect. The configuration of the VLAN service profile takes effect only after this command is executed.
   d. Run the quit command to quit the VLAN service profile mode.
   e. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile configured in 2.3.a.
4. Service-port-level PITP function: Run the pitp service-port command to enable the service-port-level PITP function. By default, the service-port-level PITP function is enabled.

Step 3 Configure the optional attributes of PITP.


- Run the pitp permit-forwarding service-port command to set whether the service port allows the user-side PPPoE packet carrying the vendor tag information. By default, this function is disabled, that is, the user-side PPPoE packet carrying the vendor tag information is not allowed.
  The system adds a tag containing the device name, shelf ID, slot ID, and port ID to the PPPoE+ upstream PADI and PADR packets to generate new packets. If this function is enabled, tagged packets are forwarded. If this function is disabled, tagged packets are discarded.
  When the PITP function is applied to the OLT+MxU network, pay attention to the following points:
  1. When the PITP function is enabled only on the OLT, the tag of the PADI packet contains only the information about the PON port of the OLT.
  2. When the PITP function is enabled only on the MxU, the tag of the PADI packet contains only the information about the user port of the MxU.
  3. If the PITP function is enabled on both the OLT and the MxU, a function (through the pitp permit-forwarding service-port command) is used to choose which tag the PADI packet carries.
     - When this function is enabled, the tag of the PADI packet contains only the information about the PON port of the OLT.
     - When this function is disabled, subscribers connected to the MxU fail to dial the number. That is, the PADI packet (PITP P mode) cannot be transmitted.
  The PON board of the OLT can be connected to terminals such as the ONT and the MxU. Generally, the PITP function is enabled on the OLT in the global mode. Certain PON ports are connected to ONUs. In the FTTB application, for example, the MDUs are connected to multiple subscribers. For the OLT, an MDU is one subscriber, regardless of how many subscribers are connected to the MDU. In this case, to differentiate subscribers connected to the MDU, you need to enable the PITP function on the MDU.
- Run the pitp sub-option90 command to configure PITP sub-option 90. By default, PITP sub-option 90 is disabled.
  The PPPoE+ mode supports reporting the sub-option 90 line parameters, including the activation bandwidth. Enable or disable PITP sub-option 90 according to actual requirements. The configuration of PITP sub-option 90 takes effect only in the PITP P mode; the PITP V mode does not support reporting the line parameters.
----End

Example
Assume the following configuration:
- RAIO mode: user-defined mode
- CID format for the ATM access mode: shelf ID/slot ID/port ID:VPI.VCI
- CID format for the Ethernet access mode: shelf ID/slot ID/port ID:VLAN ID
- CID format for the xPON access mode: shelf ID/slot ID/port ID:ONT ID.VLAN ID

To enable the PITP P mode of service port 1 under port 0/4/0, do as follows:
huawei(config)#raio-mode user-defined pitp-pmode
huawei(config)#raio-format pitp-pmode cid atm anid atm frame/slot/port:vpi.vci
huawei(config)#raio-format pitp-pmode cid eth anid eth frame/slot/port:vlanid
huawei(config)#raio-format pitp-pmode cid xpon anid xpon frame/slot/port:ontid.vlanid
huawei(config)#raio-format pitp-pmode rid atm plabel
huawei(config)#raio-format pitp-pmode rid eth plabel
huawei(config)#raio-format pitp-pmode rid xpon plabel
huawei(config)#pitp enable pmode
huawei(config)#pitp port 0/4/0 enable
huawei(config)#pitp service-port 1 enable

Assume the following configuration:
- RAIO mode: user-defined mode
- CID/RID format for the ATM access mode: shelf ID/slot ID/port ID:VPI.VCI
- CID/RID format for the Ethernet access mode: shelf ID/slot ID/port ID:VLAN ID
- CID/RID format for the xPON access mode: shelf ID/slot ID/port ID:ONT ID.VLAN ID

To set the Ethernet protocol type of VBRAS packets to be the same as that of the upper-layer
BRAS, that is, 0x8500, and enable the PITP V mode of service port 0, do as follows:
huawei(config)#raio-mode user-defined pitp-vmode
huawei(config)#raio-format pitp-vmode atm anid atm frame/slot/port:vpi.vci
huawei(config)#raio-format pitp-vmode eth anid eth frame/slot/port:vlanid
huawei(config)#raio-format pitp-vmode xpon anid xpon frame/slot/port:ontid.vlanid
huawei(config)#pitp vmode ether-type 0x8500
huawei(config)#pitp enable vmode
huawei(config)#pitp port 0/4/0 enable
huawei(config)#pitp service-port 0 enable


2.8.2 Configuring Anti-Theft and Roaming of User Accounts Through DHCP

DHCP improves the user authentication security by adding the user physical location information
to the option 82 field of the DHCP request packets initiated by the user, so as to prevent theft
and roaming of the user account.

Background Information
The option 82 field contains the circuit ID (CID), remote ID (RID), and sub-option 90 field
(optional), which provides the information such as the user shelf ID, slot ID, port ID, VPI, and
VCI.
The MA5600T can work in the L2 DHCP forwarding mode or L3 DHCP forwarding mode. In
either mode, anti-theft and roaming of user accounts through DHCP option 82 can be configured,
and the configurations are the same.
Table 2-9 lists the default settings related to DHCP option 82.
Table 2-9 Default settings related to DHCP option 82

Parameter | Default Setting
Status of the DHCP option 82 function | Global status: disabled; Port-level status: enabled; VLAN-level status: enabled; Service-port-level status: enabled
Status of the DHCP sub-option 7 function | Disabled
Status of the DHCP sub-option 90 function | Disabled

Procedure
Step 1 Configure the RAIO. The RAIO is the short form for relay agent information option. Before
using the DHCP function, you must configure the RAIO.
Run the raio-mode command to set the RAIO mode.
- Select dhcp-option 82 as the corresponding mode.
- In the user-defined mode, you need to run the raio-format command to configure the RAIO format, and select dhcp-option 82 as the corresponding mode. To configure the user-defined format, mainly configure the RID in the CID. If the access mode is not selected, the configured format applies to all access modes. If the access mode is selected, the configured format applies to only this access mode. For details about the RAIO format, see the raio-format command.
  - CID identifies the attribute information of the device.
  - RID identifies the access information of the user.

Step 2 (Optional) Set the service port to allow or prohibit the user-side DHCP packets that carry the
option 82 information.
- Run the dhcp-option82 permit-forwarding service-port command to set the service port to allow or prohibit the DHCP packets that carry the option 82 information.
  The system adds the device name, shelf ID, slot ID, and port ID to the option 82 field of DHCP packets to generate new packets. If the service port is set to allow the packets carrying the option 82 information, tagged packets are forwarded. If the service port is set to prohibit the packets carrying the option 82 information, tagged packets are dropped.
Step 3 Enable or disable the DHCP option 82 function.
Run the dhcp option82 command to enable the DHCP option 82 function on the port. By default,
the DHCP option 82 function is disabled globally.
The DHCP option 82 function can be enabled or disabled at four levels. The DHCP option 82
function takes effect only when it is enabled at all four levels.
1. System level: Run the dhcp option82 command to enable the DHCP option 82 function globally. By default, the DHCP option 82 function is disabled globally.
2. Port level: Run the dhcp option82 board or dhcp option82 port command to enable the DHCP option 82 function for a board or port. By default, the DHCP option 82 function for a board or port is enabled.
3. VLAN level:
   a. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
   b. Run the dhcp option82 command to enable the DHCP option 82 function. By default, the DHCP option 82 function is enabled.
   c. Run the commit command to make the profile configuration take effect. The configuration of the VLAN service profile takes effect only after you run this command.
   d. Run the quit command to quit the VLAN service profile mode.
   e. Run the vlan bind service-profile command to bind the VLAN service profile created in 3.3.a to the VLAN.
4. Service port level: Run the dhcp option82 service-port command to enable the DHCP option 82 function for a service port. By default, the DHCP option 82 function for a service port is enabled.

Step 4 (Optional) Enable or disable the sub-option function.


In the DHCP mode, reporting the sub-option 90 line parameters, including reporting the
activation bandwidth, is supported. Enable or disable the sub-option function according to your
requirements. In the DHCP option 82 mode, sub-option 81 to sub-option 91 in sub-option 9 need
to be filled.
1. Run the dhcp sub-option7 command to enable or disable the sub-option 7 function. By default, the sub-option 7 function is disabled.
2. Run the dhcp sub-option90 command to enable or disable the sub-option 90 function. By default, the sub-option 90 function is disabled.

----End

Example
Assume the following configuration:
- RAIO mode: user-defined mode
- CID format for the ETH access mode: shelf ID/slot ID/sub slot ID/port ID: vlanid
- CID format for the xPON access mode: shelf ID/slot ID/sub slot ID/port ID: ontid.vlanid
- RID format for all access modes: label of the service port
To enable the DHCP option 82 function, do as follows:
huawei(config)#raio-mode user-defined dhcp-option 82
huawei(config)#raio-format dhcp-option 82 cid eth anid eth frame/slot/subslot/port:vlanid
huawei(config)#raio-format dhcp-option 82 cid xpon anid xpon frame/slot/subslot/port:ontid.vlanid
huawei(config)#raio-format dhcp-option 82 rid eth splabel
huawei(config)#raio-format dhcp-option 82 rid xpon splabel
huawei(config)#dhcp option 82 enable

2.8.3 Configuring Anti-IP Spoofing


This topic describes how to configure IP address binding and anti-IP spoofing to prevent
malicious users from attacking the device or authorized users by forging the IP addresses of
authorized users.

Background Information
IP address binding refers to binding an IP address to a service port. After the binding, the service
port permits only the packet whose source IP address is the bound address to go upstream, and
discards the packets that carry other source IP addresses.
Anti-IP spoofing triggers the IP address binding dynamically, which prevents illegal users
from stealing the IP addresses of legal users. When anti-IP spoofing is enabled, a user port is bound
to an IP address after the user goes online. The user then cannot go online through this port by
using other IP addresses, and no user can go online through other ports by using this IP
address.

Procedure
• Configure the IP address binding.

  Run the bind ip command to bind an IP address to a service port.
  To permit only the users of certain IP addresses to access the system so that illegal users
  cannot access the system by using the IP addresses of legal users, configure the IP address
  binding.

• Configure anti-IP spoofing.

  The anti-IP spoofing function can be enabled or disabled at three levels. The anti-IP
  spoofing function is enabled only when it is enabled at all the three levels.
  - Global function: Run the security anti-ipspoofing command to configure the global
    function. By default, the global function is disabled.
  - VLAN-level function:
    1. Run the vlan service-profile command to create a VLAN service profile and enter
       the VLAN service profile mode.
    2. Run the security anti-ipspoofing command to configure the VLAN-level
       function. By default, the VLAN-level function is enabled.
    3. Run the commit command to make the profile configuration take effect. The
       configuration of the VLAN service profile takes effect only after this command is
       executed.
    4. Run the quit command to quit the VLAN service profile mode.
    5. Run the vlan bind service-profile command to bind the VLAN to the VLAN
       service profile configured in 1.
  - Service-port-level function: Run the security anti-ipspoofing service-port command
    to configure the service-port-level function. By default, the service-port-level function
    is enabled.
NOTE

When anti-IP spoofing is enabled after a user is already online, the IP address of this user is not bound by
the system. As a result, the service of this user is interrupted, this user goes offline, and the user needs to
go online again. Only the user who goes online after anti-IP spoofing is enabled can have the IP address
bound.

----End

Example
To bind IP address 10.1.1.245 to service port 2, that is, service port 2 permits only the packet
whose source IP address is 10.1.1.245, do as follows:
huawei(config)#bind ip service-port 2 10.1.1.245

To enable anti-IP spoofing for service port 1 in service VLAN 10, do as follows:
huawei(config)#security anti-ipspoofing enable
huawei(config)#vlan service-profile profile-id 2
huawei(config-vlan-srvprof-2)#security anti-ipspoofing enable
Info: Please use the commit command to make modifications take effect
huawei(config-vlan-srvprof-2)#commit
huawei(config-vlan-srvprof-2)#quit
huawei(config)#vlan bind service-profile 10 profile-id 2
huawei(config)#security anti-ipspoofing service-port 1 enable
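
The three-level rule and the example above, replayed in code. This is an added example, not part of the Huawei guide: a Python sketch that reads a CLI transcript in the style shown above and reports which level, if any, leaves anti-IP spoofing ineffective for a service port. The `disable` keyword, the function names and the caller-supplied VLAN of each service port are assumptions.

```python
import re

# Defaults the guide states for anti-IP spoofing at each level.
DEFAULT_GLOBAL = False        # global function: disabled
DEFAULT_VLAN = True           # VLAN-level function: enabled
DEFAULT_SERVICE_PORT = True   # service-port-level function: enabled

PROMPT = re.compile(r"^\S+?\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")
PROFILE_MODE = re.compile(r"config-vlan-srvprof-(\d+)")


def replay(transcript):
    """Replay a CLI transcript and return the anti-IP spoofing settings it leaves behind."""
    state = {"global": DEFAULT_GLOBAL, "profiles": {}, "vlan_profile": {}, "ports": {}}
    pending = {}  # profile id -> VLAN-level setting entered but not yet committed
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # device output such as "Info: ..." carries no command
        cmd = m.group("cmd").split()
        in_profile = PROFILE_MODE.fullmatch(m.group("mode"))
        if in_profile:
            pid = int(in_profile.group(1))
            if cmd[:2] == ["security", "anti-ipspoofing"] and len(cmd) == 3:
                pending[pid] = cmd[2] == "enable"
            elif cmd == ["commit"] and pid in pending:
                # Profile settings take effect only after commit.
                state["profiles"][pid] = pending.pop(pid)
        elif m.group("mode") == "config":
            if cmd[:2] == ["security", "anti-ipspoofing"] and len(cmd) == 3:
                state["global"] = cmd[2] == "enable"
            elif cmd[:3] == ["security", "anti-ipspoofing", "service-port"] and len(cmd) == 5:
                state["ports"][int(cmd[3])] = cmd[4] == "enable"
            elif cmd[:3] == ["vlan", "bind", "service-profile"] and len(cmd) == 6:
                state["vlan_profile"][int(cmd[3])] = int(cmd[5])
    return state


def effective(state, service_port, vlan):
    """Return (active, disabled_levels); active only if all three levels are enabled."""
    profile = state["vlan_profile"].get(vlan)
    levels = {
        "global": state["global"],
        "vlan": state["profiles"].get(profile, DEFAULT_VLAN),
        "service-port": state["ports"].get(service_port, DEFAULT_SERVICE_PORT),
    }
    return all(levels.values()), [name for name, on in levels.items() if not on]


# Transcript of the guide's example for service port 1 in service VLAN 10.
GUIDE_EXAMPLE = """\
huawei(config)#security anti-ipspoofing enable
huawei(config)#vlan service-profile profile-id 2
huawei(config-vlan-srvprof-2)#security anti-ipspoofing enable
Info: Please use the commit command to make modifications take effect
huawei(config-vlan-srvprof-2)#commit
huawei(config-vlan-srvprof-2)#quit
huawei(config)#vlan bind service-profile 10 profile-id 2
huawei(config)#security anti-ipspoofing service-port 1 enable
"""

# Constructed: only the service-port level is touched, global stays at its default.
PORT_ONLY = "huawei(config)#security anti-ipspoofing service-port 1 enable\n"

# Constructed: VLAN level disabled in profile 3, committed, bound to VLAN 20.
VLAN_OFF = """\
huawei(config)#security anti-ipspoofing enable
huawei(config)#vlan service-profile profile-id 3
huawei(config-vlan-srvprof-3)#security anti-ipspoofing disable
huawei(config-vlan-srvprof-3)#commit
huawei(config-vlan-srvprof-3)#quit
huawei(config)#vlan bind service-profile 20 profile-id 3
"""

if __name__ == "__main__":
    for label, text, port, vlan in (("guide example", GUIDE_EXAMPLE, 1, 10),
                                    ("port only", PORT_ONLY, 1, 10),
                                    ("VLAN off", VLAN_OFF, 5, 20)):
        active, off = effective(replay(text), port, vlan)
        print(f"{label}: active={active} disabled levels={off}")
```

The `PORT_ONLY` case is the common mistake: the service-port command is accepted, but the global default leaves the function off.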

2.8.4 Configuring Anti-MAC Spoofing


This topic describes how to configure MAC address binding, anti-MAC spoofing, anti-MAC
duplicate, and virtual MAC (VMAC) address to prevent malicious users from attacking the
device or authorized users by forging the MAC addresses of authorized users.

Background Information
MAC address binding refers to binding a MAC address to a service port. After the binding, only
the user whose MAC address is the bound MAC address can access the network through the
service port. The MA5600T does not support the direct binding of a MAC address. Instead, the
binding between a service port and a MAC address is implemented through setting a static MAC
address entry of a port and setting the maximum number of learnable MAC addresses to 0.
The major function of anti-MAC spoofing is to prevent illegal users from forging the MAC
address of legal users. The purpose is to ensure that the service of legal users is not affected.
Anti-MAC spoofing is mainly applied to PPPoE and DHCP access users.
VMAC replaces the source MAC addresses of terminal users with trusted virtual MAC addresses
allocated by the MA5600T and prevents untrusted MAC addresses from entering the
network, thus preventing MAC address conflicts and MAC address spoofing by malicious
users.
The anti-MAC-duplicate function does not allow dynamic MAC addresses to be duplicated
before they are aged. In this way, when MAC address conflicts occur between different users,
the user that goes online first will not be affected.

Procedure
• Configure the MAC address binding.

  1. Run the mac-address static command to add a static MAC address.
  2. Run the mac-address max-mac-count command to set the maximum number of
     learnable MAC addresses to 0.
     This parameter is to limit the maximum number of the MAC addresses that can be
     learned through one account, that is, to limit the maximum number of the PCs that
     can access the Internet through one account.

• Configure anti-MAC spoofing.

  CAUTION
  To ensure device security, it is recommended that you enable this function.

  The anti-MAC spoofing function can be enabled or disabled at three levels. The anti-MAC
  spoofing function is enabled only when it is enabled at all the three levels.
  - Global function: Run the security anti-macspoofing command to configure the global
    function. By default, the global function is disabled.
  - You can configure the VLAN-level function in either of the following two modes:
    - In the global config mode: Run the security anti-macspoofing vlan command to
      configure the VLAN-level function. By default, the VLAN-level function is
      disabled.
    - In the VLAN service profile:
      1. Run the vlan service-profile command to create a VLAN service profile and
         enter the VLAN service profile mode.
      2. Run the security anti-macspoofing command to configure the VLAN-level
         function. By default, the VLAN-level function is disabled.
      3. Run the commit command to make the profile configuration take effect. The
         configuration of the VLAN service profile takes effect only after this command
         is executed.
      4. Run the quit command to quit the VLAN service profile mode.
      5. Run the vlan bind service-profile command to bind the VLAN to the VLAN
         service profile configured in 1.
  - Service-port-level function: Run the security anti-macspoofing max-mac-count
    command to configure the maximum number of MAC addresses that can be bound to
    the service port. By default, up to eight MAC addresses can be bound.
NOTE

When anti-MAC spoofing is enabled after a user is already online, the MAC address of this user is not
bound by the system. As a result, the service of this user is interrupted, this user goes offline, and the user
needs to go online again. Only the user who goes online after anti-MAC spoofing is enabled can have the
MAC address bound.

• Configure 1:1 VMAC or N:1 VMAC.

  1. Configure VMAC-related attributes.

     a. Run the vmac dslam-id command to configure the DSLAM ID.
        The DSLAM ID is bits 21-39 of the VMAC address, 19 bits in total. VMAC can
        be enabled only when dslam-id is in the range of 0x0000-0x7FFFF.

        NOTE
        The uniqueness of the DSLAM ID must be ensured by the configuration engineer to
        prevent allocating the same VMAC address to two DSLAMs.

     b. (Optional) Run the vmac port-vmac-count command to configure the number
        of VMAC addresses on each port.
        To limit the number of VMAC addresses on each port, run this command. By
        default, the number of VMAC addresses on each port is 32.

     c. (Optional) Run the vmac reserved-bits command to configure the reserved bits
        of the VMAC address.
        This command is used to set the value of the reserved bits (bits 47-42) in the
        VMAC address generating format. The VMAC value is made up of the value of
        reserved bits and other bits. To enable VMAC, the value of the reserved bits must
        be in the range of [0x0,0x3F]. Otherwise, VMAC fails to be enabled. By default,
        the value is 0x0.

  2. (Optional) Configure the mode for allocating MAC addresses to xPoE/xPoA users.
     The xPoE/xPoA MAC address can be allocated in two modes: single-MAC or
     multi-MAC (default). When VMAC is enabled:
     - Single-MAC: Also called N:1 VMAC. The device uses a unique VMAC address
       to replace the MAC addresses of a group of users. The relationship between user
       MAC address and device VMAC address is N:1.
     - Multi-MAC: Also called 1:1 VMAC. The device uses a unique VMAC address to
       replace the MAC address of a single user. The relationship between user MAC
       address and device VMAC address is 1:1.

     NOTE
     • If VMAC is disabled, the PPPoA and IPoA MAC addresses are obtained from the configured
       MAC address pool (by running the mac-pool command).
     • IPoA does not support obtaining the MAC address through VMAC and supports obtaining the
       MAC address from the MAC address pool only.

     The MAC address allocation mode has two levels: global level and VLAN service
     profile level.

     a. Configure the global MAC address allocation mode.
        - Run the pppoa mac-mode command to configure the MAC address
          allocation mode for PPPoA users.
        - Run the pppoe mac-mode command to configure the MAC address
          allocation mode for PPPoE users.

     b. Configure the MAC address allocation mode at the VLAN service profile level.
        When VMAC is enabled, the xPoA/xPoE MAC allocation mode can be set to
        multi-MAC only.
        a. In the global config mode, run the vlan service-profile command to enter
           the VLAN service profile mode.
        b. Run the pppoe mac-mode command to configure the MAC address
           allocation mode for PPPoE users.

  3. Enable VMAC.
     Run the vmac enable command to enable VMAC. After VMAC is enabled, the
     VMAC address is generated according to the DSLAM ID, slot ID, and port ID.
     VMAC can be enabled globally or at the VLAN service profile level.

     a. In the global config mode, run the vmac enable command to enable VMAC.
     b. Run the vlan service-profile command to enter the VLAN service profile mode.
     c. Run the vmac enable command to enable VMAC at the VLAN service profile
        level.
     d. Run the commit command to commit the configuration.

• Configure the anti-MAC-duplicate function.

  After the anti-MAC-duplicate function is enabled and before the dynamic MAC address
  learned by the system is aged, the packets transmitted from other ports will be discarded if
  the packets carry the same MAC address.

  NOTE
  • Only the SCUN board supports the anti-MAC-duplicate function.
  • By default, the anti-MAC-duplicate function is disabled.
  • When anti-MAC duplicate and anti-MAC spoofing are enabled, anti-MAC spoofing is preferred and
    anti-MAC duplicate does not take effect.

  1. Run the security anti-macduplicate command to enable anti-MAC duplicate.
  2. Run the display security config command to query the configuration.

----End

Example
To bind static MAC address 1010-1010-1010 to service port 1, and set the maximum number
of learnable MAC addresses to 0, that is, service port 1 permits only the packet whose source
MAC address is 1010-1010-1010, do as follows:
huawei(config)#mac-address static service-port 1 1010-1010-1010
huawei(config)#mac-address max-mac-count service-port 1 0

To enable anti-MAC spoofing for VLAN 10, and set the maximum number of MAC addresses
bound to service port 2 (related to VLAN 10) to 7, do as follows:
huawei(config)#security anti-macspoofing enable
huawei(config)#security anti-macspoofing vlan 10 enable
huawei(config)#security anti-macspoofing max-mac-count service-port 2 7

To enable global VMAC, enable VMAC for VLAN service profile 2 to which VLAN 10 is
bound, and configure 1:1 VMAC for PPPoE users in VLAN 10, do as follows:
huawei(config)#vlan service-profile profile-id 2
huawei(config-vlan-srvprof-2)#pppoe mac-mode multi-mac
huawei(config-vlan-srvprof-2)#vmac enable
huawei(config-vlan-srvprof-2)#commit
huawei(config-vlan-srvprof-2)#quit
huawei(config)#vlan bind service-profile 10 profile-id 2
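
The VMAC bit fields named in the procedure (DSLAM ID in bits 21-39, reserved bits in bits 47-42) can be checked and decoded as follows. This is an added example, not part of the Huawei guide; it assumes bit 0 is the least significant bit of the last octet, and the device names, the plan and the sample address are constructed.

```python
import re

# Field positions given in the guide. Assumption: bit 0 is the least significant
# bit of the last octet, so bits 40 and 41 are the I/G and U/L bits of the first octet.
DSLAM_SHIFT, DSLAM_WIDTH = 21, 19          # DSLAM ID: bits 21-39
RESERVED_SHIFT, RESERVED_WIDTH = 42, 6     # reserved bits: bits 42-47
DSLAM_MAX = (1 << DSLAM_WIDTH) - 1         # 0x7FFFF, the upper bound in the guide
RESERVED_MAX = (1 << RESERVED_WIDTH) - 1   # 0x3F, the upper bound in the guide


def mac_to_int(mac):
    """Accept xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx or dotted notation."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def vmac_fields(mac):
    """Split a VMAC address into the fields the guide documents."""
    value = mac_to_int(mac)
    return {
        "reserved_bits": (value >> RESERVED_SHIFT) & RESERVED_MAX,
        "dslam_id": (value >> DSLAM_SHIFT) & DSLAM_MAX,
        "low_bits": value & ((1 << DSLAM_SHIFT) - 1),  # layout not given in the guide
    }


def check_dslam_plan(plan):
    """plan maps a device name to its planned dslam-id; return the problems found."""
    problems, by_id = [], {}
    for name, dslam_id in sorted(plan.items()):
        if not 0 <= dslam_id <= DSLAM_MAX:
            problems.append(("out-of-range", dslam_id, [name]))
        by_id.setdefault(dslam_id, []).append(name)
    for dslam_id, names in sorted(by_id.items()):
        if len(names) > 1:
            problems.append(("duplicate", dslam_id, names))
    return problems


def attribute(mac, plan):
    """Return the planned devices whose dslam-id matches the one carried in mac."""
    dslam_id = vmac_fields(mac)["dslam_id"]
    return sorted(name for name, planned in plan.items() if planned == dslam_id)


# Constructed plan: olt-a and olt-c collide, olt-d does not fit into 19 bits.
PLAN = {"olt-a": 0x12345, "olt-b": 0x00042, "olt-c": 0x12345, "olt-d": 0x80000}
# Constructed address with reserved bits 0x0 and DSLAM ID 0x12345.
OBSERVED = "0024-68a0-0abc"

if __name__ == "__main__":
    print(vmac_fields(OBSERVED))
    print(check_dslam_plan(PLAN))
    print(attribute(OBSERVED, PLAN))
```

A duplicate DSLAM ID shows up twice here: as a plan finding, and as an address seen upstream that cannot be traced to a single device.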

To enable anti-MAC duplicate so that the user that goes online first will not be affected when
MAC address conflicts occur between different users, do as follows:
huawei(config)#security anti-macduplicate enable
huawei(config)#display security config
  Anti-ipspoofing function      : disable
  Anti-dos function             : disable
  Anti-macspoofing function     : disable
  Anti-ipattack function        : disable
  Anti-icmpattack function      : disable
  Source-route filter function  : disable
  Anti-macduplicate function    : enable
  PPPoE Overall Aging Time(sec) : 360
  PPPoE Aging Period      (sec) : 90
  ARP detect mode               : dummy
  Anti-dos control-packet policy: deny

2.9 Configuring System Security


This topic describes how to configure the network security and protection measures of the system
to protect the system from malicious attacks.

Background Information
With the system security feature, the MA5600T can be protected against the attacks from the
network side or user side, and thus the MA5600T can run stably in the network. System security
includes the following items:
• ACL/Packet filtering firewall
• Blacklist
• Anti-DoS attack
• Anti-ICMP/IP attack
• Source route filtering
• Source MAC address filtering
• User-side ring network detection
• Allowed/Denied address segment

The following common inappropriate configurations affect the system security:


• The ring network detection and anti-address spoofing functions are not enabled. If the
  anti-address spoofing function is not enabled, an unauthorized user may forge the MAC address
  of an authorized user to send PPPoE or DHCP control packets, thus threatening the system
  security.
  Preventive methods or measures:
  - Run the ring check command to enable the function of checking user-side ring
    networks.
  - Run the security anti-macspoofing enable command to enable anti-MAC spoofing.

• A public network address is used to manage the device, and the access rights are not strictly
  limited when the ACL is configured. As a result, the network may be attacked.
  Preventive methods or measures:
  - Use a private network address to manage the device.
  - When configuring the ACL, apply the minimum authorization principle.
  - Configure the permitted IP address segment, and add only the necessary management
    IP address segment. IP addresses other than those specified are not permitted to
    access the device through the management port.

• Packets accessing the management interface of the device are not controlled. When a device
  is attacked by packets, the system is busy and the services cannot be provided in the normal
  state.
  Preventive methods or measures: Run the firewall packet-filter command to apply the
  firewall packet filtering rule on the interface to filter packets received on the interface and
  prevent packet attacks.

Table 2-10 lists the default settings of system security.


Table 2-10 Default settings of system security

Parameter                          Default Setting
---------------------------------  ---------------
Firewall blacklist                 Disabled
Anti-DoS attack                    Disabled
Anti-ICMP attack                   Disabled
Anti-IP attack                     Disabled
Source route filtering             Disabled
User-side ring network detection   Disabled

2.9.1 Configuring Firewall


Configuring system firewall can control the packets that go through the management port of the
device so that unauthorized operators cannot access the system through the inband or outband
channel.

Background Information
Firewall includes the following items:
• Blacklist: The blacklist function can be used to screen the packets sent from a specific IP
  address. A major feature of the blacklist function is that entries can be dynamically added
  or deleted. When firewall detects the attack attempt of a specific IP address according to
  the characteristics of packets, firewall actively adds an entry to the blacklist and then filters
  the packets from this IP address.

• ACL/Packet filtering firewall: Configure an ACL to filter data packets. To set a port to
  allow only one type of packets to go through, use the ACL to implement the packet filtering
  function.
  For example, to allow only the packets from source IP address 1.1.1.1 to go through a port
  in the inbound direction, do as follows:

  1. Configure an ACL rule1, which allows the packets with source IP address 1.1.1.1 to
     pass.
  2. Configure an ACL rule2, which denies all packets.
  3. Run the firewall packet-filter command, and bind rule2 first and then rule1 to the
     inbound direction.

  NOTE
  On the MA5600T, an ACL can be activated in two modes. In the two modes, the execution
  priorities of the sub-rules in one ACL are different.
  • Run the firewall packet-filter command to activate an ACL. This mode is mainly applied to
    the NMS. For the sub-rules in one ACL, the execution priority is implemented by software. The
    earlier a sub-rule in one ACL is configured, the higher its priority.
  • Run the packet-filter command to activate an ACL. For the sub-rules in one ACL, the execution
    priority is implemented by hardware. The later a sub-rule in one ACL is configured, the
    higher its priority.

CAUTION
To ensure device security, firewall must be configured. This is to control the packets that go
through the management port of the device.
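
The NOTE above means that one and the same ACL can give opposite verdicts depending on the command that activates it. The following Python model is an added example, not part of the Huawei guide: it parses rule lines in the syntax of this section's examples and lists the packets whose verdict depends on the activation mode. The two-rule ACL, the probe packets and the function names are constructed, and a missing source or destination clause is assumed to match any address.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # wildcard bits set to 1 are "don't care"
MODES = ("firewall packet-filter", "packet-filter")


def to_int(text):
    # The guide writes a host wildcard as a bare "0".
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def parse_rule(line):
    """Parse 'rule [id] permit|deny <protocol> [source A W] [destination A W]'."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    tokens = tokens[1:]
    if tokens and tokens[0].isdigit():          # optional rule id
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"missing action or protocol: {line!r}")
    rule = {"action": tokens[0], "protocol": tokens[1], "source": ANY, "destination": ANY}
    rest = tokens[2:]
    while rest:
        if rest[0] not in ("source", "destination") or len(rest) < 3:
            raise ValueError(f"unsupported clause in {line!r}")
        rule[rest[0]] = (rest[1], rest[2])
        rest = rest[3:]
    return rule


def field_matches(spec, address):
    base, wildcard = spec
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)


def rule_matches(rule, packet):
    return (rule["protocol"] in ("ip", packet["protocol"])
            and field_matches(rule["source"], packet["src"])
            and field_matches(rule["destination"], packet["dst"]))


def verdict(rules, packet, activation):
    """rules are in configuration order; activation selects which end wins."""
    if activation not in MODES:
        raise ValueError(f"unknown activation command: {activation!r}")
    # firewall packet-filter: earlier sub-rule wins; packet-filter: later sub-rule wins.
    ordered = rules if activation == MODES[0] else rules[::-1]
    for rule in ordered:
        if rule_matches(rule, packet):
            return rule["action"]
    return None   # no sub-rule matched; the guide does not state the default action


def order_sensitive(rules, packets):
    """Return (source, software verdict, hardware verdict) where the two differ."""
    differing = []
    for packet in packets:
        software, hardware = (verdict(rules, packet, mode) for mode in MODES)
        if software != hardware:
            differing.append((packet["src"], software, hardware))
    return differing


# Constructed ACL after the background example: permit 1.1.1.1, then deny everything.
ACL = [parse_rule("rule permit ip source 1.1.1.1 0"), parse_rule("rule deny ip")]
# Constructed probe packets.
PACKETS = [{"protocol": "tcp", "src": "1.1.1.1", "dst": "10.0.0.1"},
           {"protocol": "tcp", "src": "2.2.2.2", "dst": "10.0.0.1"}]
# Rule line taken from the ACL 3001 example in this section.
GUIDE_RULE = parse_rule("rule 5 deny icmp source 172.16.25.0 0.0.0.255 destination 172.16.25.28 0")

if __name__ == "__main__":
    print(order_sensitive(ACL, PACKETS))
```

Running such a check over a planned ACL before activation shows whether the sub-rule order has to be reversed for the chosen command.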

Procedure
• Configure firewall blacklist.

  Two modes are supported: configuring firewall blacklist by using ACLs or by adding the
  source IP addresses of untrusted packets. Choose either mode, or both.
  When both modes are configured, the priority of the firewall blacklist function is higher
  than the priority of ACLs. That is, the system checks the firewall blacklist first, and then
  matches ACLs.

  NOTE
  The firewall blacklist function takes effect only on the service packets that are sent from the user side.

  - Configure the firewall blacklist function by using advanced ACLs.
    1. Run the acl command to create an ACL. Only advanced ACLs can be used when
       the blacklist function is enabled. Therefore, the range of the ACL ID is
       3000-3999.
    2. Run the rule(adv acl) command to create an advanced ACL.
    3. Run the quit command to return to the global config mode.
    4. Run the firewall blacklist enable acl-number acl-number command to enable
       the firewall blacklist function.

  - Configure the firewall blacklist function by adding the source IP addresses of untrusted
    packets.
    1. Run the firewall blacklist item command to add the source IP addresses of
       untrusted packets to the blacklist.
    2. Run the firewall blacklist enable command to enable the firewall blacklist
       function.

• Configure the firewall (filtering packets based on the ACL).

  1. Run the acl command to create an ACL. Only basic ACLs and advanced ACLs can
     be used when packet filtering by firewall is configured. Therefore, the range of the
     ACL ID is 2000-3999.
  2. Run different commands to create different types of ACLs.
     - Basic ACL: Run the rule(basic acl) command.
     - Advanced ACL: Run the rule(adv acl) command.
  3. Run the quit command to return to the global config mode.
  4. Run the firewall enable command to enable the firewall blacklist function. By default,
     the firewall blacklist function is disabled.
     To filter the packets of a port based on the basic ACL, enable the firewall blacklist
     function.
  5. Run the interface meth command to enter the METH mode to configure the firewall
     packet filtering rules for an METH interface; run the interface vlanif command to
     enter the VLANIF mode to configure the firewall packet filtering rules for a VLAN
     interface.
  6. Run the firewall packet-filter command to apply firewall packet filtering rules to an
     interface.

----End

Example
To add IP address 192.168.10.18 to the firewall blacklist with the aging time of 100 min, do as
follows:
huawei(config)#firewall blacklist item 192.168.10.18 timeout 100
huawei(config)#firewall blacklist enable

To add the IP addresses in network segment 10.10.10.0 to the firewall blacklist and bind ACL
3000 to these IP addresses, do as follows:
huawei(config)#acl 3000
huawei(config-acl-adv-3000)#rule deny ip source 10.10.10.0 0.0.0.255 destination 10.10.10.20 0
huawei(config-acl-adv-3000)#quit
huawei(config)#firewall blacklist enable acl-number 3000

To prevent the users in network segment 172.16.25.0 from accessing the maintenance Ethernet
port with IP address 172.16.25.28 on the device, do as follows:
huawei(config)#acl 3001
huawei(config-acl-adv-3001)#rule 5 deny icmp source 172.16.25.0 0.0.0.255 destination 172.16.25.28 0
huawei(config-acl-adv-3001)#quit
huawei(config)#firewall enable
huawei(config)#interface meth 0
huawei(config-if-meth0)#firewall packet-filter 3001 inbound
ACL applied successfully

2.9.2 Configuring Anti-Attack


Enabling anti-DoS attack and anti-ICMP/IP attack, and configuring the source route filtering
and source MAC address filtering functions can prevent malicious users' attack on the system,
so as to improve system security.

Background Information
The MA5600T supports the following measures to prevent malicious users' attack on the system.
Choose measures according to actual requirements.
• Anti-DoS attack: indicates the defensive measures taken by the system to receive only a
  certain number of control packets sent from a user.

• Anti-ICMP attack: indicates the defensive measures taken by the system to drop the ICMP
  packets sent from the user-side device to the MA5600T. This is to prevent the user-side
  device from pinging the VLAN interface of the MA5600T.

• Anti-IP attack: indicates the defensive measures taken by the system to drop the IP packets
  sent from the user-side device to the MA5600T.

• Source route filtering: indicates the defensive measures taken by the system to filter the IP
  packets that are sent by the user and carry the routing option field.

• Source MAC address filtering: indicates the defensive measures taken by the system to
  filter the packets that are sent by the user and carry certain source MAC addresses.

• User-side ring network check: indicates the defensive measures taken by the system to
  check user-side ring networks. In this way, the system can process ring networks to prevent
  ring networks from affecting services.

Procedure
• Configure anti-DoS attack.

  - Run the security anti-dos enable command to enable global anti-DoS attack.
    With global anti-DoS attack enabled, when the system receives attack packets from a
    user port, the system adds the user port to the blacklist. When global anti-DoS attack is
    disabled, the system deletes the blacklist.
  - Run the security anti-dos control-packet policy command to configure the protocol
    packet processing policy in the case of a DoS attack.
    Configure whether to allow protocol packets to be sent to the CPU in the case of a DoS
    attack. If sending protocol packets to the CPU is allowed, the protocol packets are
    always sent to the CPU. By default, protocol packets are directly discarded in the
    case of a DoS attack.

    CAUTION
    When you run this command, the system does not check whether the anti-DoS function
    is enabled. If the anti-DoS function is disabled, the system does not perform the
    anti-DoS check. Therefore, before allowing protocol packets to be sent to the CPU, run the
    security anti-dos enable command to enable the global anti-DoS function.
  - Run the security anti-dos control-packet rate command to configure the rate threshold
    for sending protocol packets to the CPU.
    When the anti-DoS function is enabled, the system generates an anti-DoS attack alarm
    if the rate exceeds the preset value. If sending protocol packets to the CPU is allowed,
    the packet rate cannot exceed the preset value, and the exceeded packets are discarded.
    By default, the rate threshold for sending protocol packets to the CPU is 63 pps.

  Application scenario: Two PCs (PC1 and PC2) are connected to the network through the
  MA5600T. If a malicious user (PC1) sends a large number of protocol control packets to
  attack the CPU of the MA5600T, the CPU usage of the MA5600T becomes excessively high, and
  the MA5600T is then unable to process the services of another user (PC2). To implement
  anti-DoS attack, shield the attack port or suppress the protocol packet sending to protect
  the MA5600T from being attacked.
• Configure anti-ICMP attack.

  Run the security anti-icmpattack enable command to enable anti-ICMP attack.
  Anti-ICMP attack is mainly used to prevent the user-side device from pinging the VLAN
  interface of the MA5600T.
  Application scenario: Two PCs (PC1 and PC2) are connected to the network through the
  MA5600T. When PC2 sends a large number of ICMP packets to the VLAN interface, the
  services of the user (PC1) that obtains the upper-layer DHCP information through the same
  VLAN interface will be abnormal. To implement anti-ICMP attack, directly drop the
  user-side ICMP packets if the IP address of the VLAN interface on the MA5600T is its
  destination IP address.

• Enable anti-IP attack.

  Run the security anti-ipattack enable command to enable anti-IP attack. The anti-IP attack
  is used to prevent user-side IP packets from attacking the L3 interface of the device or to
  prevent illegal users from logging in to the device through telnet.
  Application scenario: When a PC sends the packets with the address of VLAN x as the
  destination IP address to VLANIF x, it may send a large number of packets to attack the
  device, causing the device to fail to process normal services; when a user knows the address
  of VLAN x, or the user name and password for logging in to the device, the user may log
  in to the device through telnet to randomly change the configurations of the device. To
  prevent the two preceding cases, the device needs to implement anti-IP attack. With this
  feature, the device drops the packets with the address of the device interface as the
  destination IP address to prevent the user from attacking the device.

• Enable the source route filtering function.

  Run the security source-route enable command to enable the source route filtering
  function. This function is mainly used to filter the packets that carry the routing information
  and are reported to the L3 switch.
  Application scenario: In general, routes are dynamic and the application does not control route
  selection. The sender can add the routing information to IP packets through the source route
  to perform route selection. In this case, packets go along a specific route in the network
  according to the intention of the sender. To prevent the preceding cases, enable the source
  route filtering function. Then the MA5600T performs validity check on IP packets and
  drops the packets that match the source route options.

• Configure the MAC address filtering function.

  Run the security mac-filter command to enable the MAC address filtering function.
  The MAC addresses that are dynamically learned by the host and the source MAC addresses
  that are statically configured by running the security mac-filter source command share
  the four entries for source MAC addresses on the board. The entries for the statically
  configured MAC addresses are of a higher priority than that of the dynamically learned
  MAC addresses.
  Application scenario: To prevent users from forging the MAC address of the network-side
  device, or forging certain well-known MAC addresses, set the MAC address of the
  network-side device as the MAC address to be filtered.

• Configure the function of checking user-side ring networks.

  Run the ring check enable command to enable the function of checking user-side ring
  networks. By default, the function of checking user-side ring networks is disabled.

  CAUTION
  To ensure device security, it is recommended that you enable this function.

----End

Example
To enable the global anti-DoS attack function, discard protocol packets in the case of a DoS
attack, enable anti-IP attack function, and the function of checking user-side ring networks, do
as follows:
huawei(config)#security anti-dos enable
huawei(config)#security anti-dos control-packet policy deny
huawei(config)#security anti-ipattack enable
huawei(config)#ring check enable

2.9.3 Preventing the Access of Illegal Users


Only the users of the permitted IP address segment can access the device, and the users of the
denied IP address segment cannot access the device. This prevents the users of illegal IP address
segments from logging in to the system, thus safeguarding the system.

Background Information
• Each firewall can be configured with up to 10 address segments.
• When adding an address segment, ensure that the start address does not repeat an existing
  start address.
• To delete an address segment, you only need to enter the start address of the address
  segment.

CAUTION
• To ensure the device security, apply the minimum authorization principle. That is, configure
  the permitted IP address segment, and add only the necessary management IP address
  segment. IP addresses other than those specified are not permitted to access the device
  through the management port.
• It is recommended that the permitted IP address segment and the denied IP address segment
  should not overlap, and only the user whose IP address is in the permitted address segment
  and is not in the denied address segment can access the device.

Procedure
• Configure the permitted/denied IP address segment for the access through Telnet.
  1. Run the sysman ip-access telnet command to configure the IP address segment that
     is permitted to access the device through Telnet.
  2. Run the sysman ip-refuse telnet command to configure the IP address segment that
     is forbidden to access the device through Telnet.
  3. Run the sysman firewall telnet enable command to enable the firewall function for
     the access through Telnet. By default, the firewall function of the system is disabled.
• Configure the permitted/denied IP address segment for the access through SSH.
  1. Run the sysman ip-access ssh command to configure the IP address segment that is
     permitted to access the device through SSH.
  2. Run the sysman ip-refuse ssh command to configure the IP address segment that is
     forbidden to access the device through SSH.
  3. Run the sysman firewall ssh enable command to enable the firewall function for the
     access through SSH. By default, the firewall function of the system is disabled.
• Configure the permitted/denied IP address segment for the access through SNMP (NMS).
  1. Run the sysman ip-access snmp command to configure the IP address segment that
     is permitted to access the device through SNMP.
  2. Run the sysman ip-refuse snmp command to configure the IP address segment that
     is forbidden to access the device through SNMP.
  3. Run the sysman firewall snmp enable command to enable the firewall function for
     the access through SNMP. By default, the firewall function of the system is disabled.

----End

Example
To enable the firewall function for the access through Telnet, and permit only the users of the
IP address segment 10.10.5.1-10.10.5.254 to log in to the device through Telnet, do as follows:
huawei(config)#sysman ip-access telnet 10.10.5.1 10.10.5.254
huawei(config)#sysman firewall telnet enable

To enable the firewall function for the access through SSH, and permit only the users of the IP
address segment 10.10.20.1-10.10.20.254 to log in to the device through SSH, do as follows:
huawei(config)#sysman ip-access ssh 10.10.20.1 10.10.20.254
huawei(config)#sysman firewall ssh enable

To enable the firewall function for the access through SNMP, and permit only the users of the
IP address segment 10.10.20.1-10.10.20.254 to access the device through SNMP, do as follows:
huawei(config)#sysman ip-access snmp 10.10.20.1 10.10.20.254
huawei(config)#sysman firewall snmp enable
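The following added example (not part of the original guide, and not Huawei code) checks a planned set of sysman commands against the guidance in this topic and evaluates whether a source address would be admitted. The function names, the sample configuration, the per-list reading of the 10-segment limit, and the behaviour when the firewall is disabled are assumptions.

```python
import ipaddress

MAX_SEGMENTS = 10  # "up to 10 address segments"; applied per list here (assumption)


def parse_sysman(lines):
    """Build {protocol: {"permit": [...], "deny": [...], "enabled": bool}}
    from 'sysman ip-access|ip-refuse|firewall' command lines."""
    plan = {}
    for line in lines:
        words = line.split("#", 1)[-1].split()   # drop the CLI prompt
        if len(words) < 4 or words[0] != "sysman":
            continue
        if words[1] in ("ip-access", "ip-refuse") and len(words) == 5:
            entry = plan.setdefault(words[2], {"permit": [], "deny": [], "enabled": False})
            seg = (ipaddress.IPv4Address(words[3]), ipaddress.IPv4Address(words[4]))
            entry["permit" if words[1] == "ip-access" else "deny"].append(seg)
        elif words[1] == "firewall" and words[3] == "enable":
            entry = plan.setdefault(words[2], {"permit": [], "deny": [], "enabled": False})
            entry["enabled"] = True
    return plan


def audit(plan):
    """Return findings that contradict the guidance in this topic."""
    findings = []
    for proto in sorted(plan):
        entry = plan[proto]
        if not entry["enabled"]:
            findings.append(f"{proto}: segments configured but firewall not enabled")
        if not entry["permit"]:
            findings.append(f"{proto}: no permitted segment configured")
        for kind in ("permit", "deny"):
            segs = entry[kind]
            if len(segs) > MAX_SEGMENTS:
                findings.append(f"{proto}: more than {MAX_SEGMENTS} {kind} segments")
            starts = [start for start, _ in segs]
            if len(starts) != len(set(starts)):
                findings.append(f"{proto}: repeated start address in {kind} list")
            for start, end in segs:
                if start > end:
                    findings.append(f"{proto}: {kind} segment {start}-{end} is reversed")
        # The CAUTION recommends that permitted and denied segments do not overlap.
        for p_start, p_end in entry["permit"]:
            for d_start, d_end in entry["deny"]:
                if p_start <= d_end and d_start <= p_end:
                    findings.append(
                        f"{proto}: permit {p_start}-{p_end} overlaps deny {d_start}-{d_end}")
    return findings


def may_access(plan, proto, ip):
    """Admit only addresses inside a permitted segment and outside every denied one."""
    entry = plan.get(proto)
    if entry is None or not entry["enabled"]:
        return True  # assumption: with the firewall disabled, no source filtering applies
    addr = ipaddress.IPv4Address(ip)
    permitted = any(start <= addr <= end for start, end in entry["permit"])
    denied = any(start <= addr <= end for start, end in entry["deny"])
    return permitted and not denied


SAMPLE = [  # constructed configuration for illustration
    "huawei(config)#sysman ip-access telnet 10.10.5.1 10.10.5.254",
    "huawei(config)#sysman firewall telnet enable",
    "huawei(config)#sysman ip-access ssh 10.10.20.1 10.10.20.254",
    "huawei(config)#sysman ip-refuse ssh 10.10.20.200 10.10.20.220",
    "huawei(config)#sysman firewall ssh enable",
    "huawei(config)#sysman ip-access snmp 10.10.20.1 10.10.20.254",
]

if __name__ == "__main__":
    plan = parse_sysman(SAMPLE)
    for finding in audit(plan):
        print("finding:", finding)
    for proto, ip in [("telnet", "10.10.5.7"), ("ssh", "10.10.20.210"), ("snmp", "192.0.2.1")]:
        print(proto, ip, "admitted" if may_access(plan, proto, ip) else "refused")
```

In the sample, the SNMP segment is never enforced because the matching firewall enable command is missing, which is the omission most likely to leave the NMS interface open to any source.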

2.10 Configuring the ACL


This topic describes the type, rule, and configuration of the ACL on the MA5600T.

Background Information
An access control list (ACL) is used to filter certain packets by a series of preset rules. In this
manner, the objects that need to be filtered can be identified. After the specific objects are
identified, the corresponding data packets are permitted to pass or prohibited from passing
according to the preset policy. The ACL-based traffic filtering process is a prerequisite for
configuring the QoS or user security.
Table 2-11 lists the ACL types.
Table 2-11 ACL types

| Type | Value Range | Feature |
|---|---|---|
| Basic ACL | 2000-2999 | The rules of a standard ACL are only defined according to the L3 source IP address for analyzing and processing data packets. |
| Advanced ACL | 3000-3999 | The rules of an advanced ACL are defined according to the source IP address, destination IP address, type of the protocol over IP, and features of the protocol (including TCP source port, TCP destination port, and ICMP message type). Compared with the basic ACL, the advanced ACL contains more accurate, abundant, and flexible rules. |
| Link layer ACL | 4000-4999 | A link-layer ACL allows definition of rules according to the link-layer information such as the source MAC address, VLAN ID, link-layer protocol type, and destination MAC address, and the data is processed accordingly. |
| User-defined ACL | 5000-5999 | The rules of a user-defined ACL are defined according to any 32 bytes of the first 80 bytes in the L2 data frame for analyzing and processing data packets. |

When an incoming traffic stream matches two or more ACL rules, the matching sequence is
as follows:
• The priority of a user-defined rule is higher than the priority of all non-user-defined
  rules.
• An ACL rule is valid only within the period of its time range.
• If the rules are all user-defined rules or all non-user-defined rules, and are issued to the
  physical port:
  - If the rules of an ACL are activated at the same time, the rule with the larger rule ID has
    a higher priority.
  - If the rules of an ACL are activated one by one, the rule activated later has a higher
    priority than the one activated earlier.
  - If the rules are issued to the port from different ACLs, the rule activated later has a
    higher priority than the one activated earlier.
• If the rules are all user-defined rules or all non-user-defined rules, and are issued to the
  routing interface or firewall, the rule with the smaller rule ID has a higher priority,
  regardless of the activation sequence. The rules are matched against the packets in
  ascending order of rule ID. Once a rule with a smaller rule ID matches the packets,
  its subsequent rules are not used. That is, the rules with a larger rule ID are invalid.
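The following added example (not from the original guide) models the matching sequence listed above for non-user-defined rules, to show that the same two rules give opposite verdicts depending on where and how they are activated. The Rule class, the function names, and the addresses are constructed; the source/wildcard pair is read as a wildcard mask (0 bits must match), and user-defined rules, which rank above all others, are left out of the model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = "255.255.255.255"  # wildcard mask; this default matches any source
    activated: int = 0                 # activation order; equal values = activated together
    in_time_range: bool = True         # False models a rule outside its time range

    def matches(self, src_ip):
        # A rule is valid only within its time range.
        if not self.in_time_range:
            return False
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        diff = int(ipaddress.IPv4Address(src_ip)) ^ int(ipaddress.IPv4Address(self.source))
        return (diff & care) == 0


def port_verdict(rules, src_ip):
    """Rules issued to a physical port: the later activation wins; among rules
    activated together, the larger rule ID wins."""
    hits = [rule for rule in rules if rule.matches(src_ip)]
    if not hits:
        return None  # no rule decides; a general permit/deny rule closes this gap
    winner = max(hits, key=lambda rule: (rule.activated, rule.rule_id))
    return winner.rule_id, winner.action


def firewall_verdict(rules, src_ip):
    """Rules issued to a routing interface or firewall: ascending rule ID,
    first match decides, activation order is irrelevant."""
    for rule in sorted(rules, key=lambda rule: rule.rule_id):
        if rule.matches(src_ip):
            return rule.rule_id, rule.action
    return None


# Constructed rule sets: permit one management subnet, deny everything else.
TOGETHER = [Rule(1, "permit", "10.10.5.0", "0.0.0.255"), Rule(2, "deny")]
ONE_BY_ONE = [Rule(1, "permit", "10.10.5.0", "0.0.0.255", activated=2),
              Rule(2, "deny", activated=1)]

if __name__ == "__main__":
    for name, rules in (("activated together", TOGETHER), ("deny first, then permit", ONE_BY_ONE)):
        for src in ("10.10.5.7", "192.0.2.9"):
            print(name, src, "port:", port_verdict(rules, src),
                  "firewall:", firewall_verdict(rules, src))
```

Under these rules, a catch-all deny with the largest rule ID shadows every permit when the whole ACL is activated on a port in one step, so the catch-all rule has to be placed (or activated) according to the target it is issued to.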


Precautions
Because the ACL is flexible in use, Huawei provides the following suggestions on its
configuration:
• It is recommended that you define a general rule, such as permit any or deny any, in each
  ACL, so that each packet has a matching traffic rule that determines whether to forward or
  filter the unspecified packet.
• The activated ACL rules share the hardware resources with the protocol modules (such as
  the DHCP module and IPoA module). In this case, the hardware resources are limited and may
  be insufficient. To prevent the failure of enabling other service functions due to insufficient
  hardware resources, it is recommended that you enable the protocol module first and then
  activate ACL rules in the data configuration. If you fail to enable a protocol module, perform
  the following steps:
  1. Check whether ACL rules occupy too many resources.
  2. If ACL rules occupy too many resources, deactivate or delete the unimportant or
     temporarily unused ACL configurations, and then configure and enable the protocol
     module.

2.10.1 Filtering Packets by a Basic ACL


This topic is applicable to the scenario where the device needs to classify traffic for packets
according to the source IP address.

Context
• The number of a basic ACL is in the range of 2000-2999.
• A basic ACL is only defined according to the L3 source IP address for analyzing and
  processing data packets.

Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is
created.
Step 2 Create a basic ACL.
Run the acl command to create a basic ACL, and then enter the ACL mode. The number of a
basic ACL can only be in the range of 2000-2999.
Step 3 Configure a basic ACL rule.
In the acl-basic mode, run the rule command to create a basic ACL rule. The parameters are as
follows:
• rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this
  parameter.
• permit: Indicates the keyword for allowing the data packets that meet related conditions to
  pass.
• deny: Indicates the keyword for discarding the data packets that meet related conditions.
• time-range: Indicates the keyword of the time range during which the ACL rule will be
  effective.
Step 4 Activate the ACL.
After an ACL is configured, only an ACL is generated and the ACL does not take effect. You
need to run other commands to activate the ACL. Some common commands are as follows:
• Run the packet-filter command to activate an ACL.
• Run the firewall packet-filter command to activate an ACL. For details, see Configuring
  the Firewall.
• Perform the QoS operation. For details, see Configuring Traffic Management Based on
  ACL Rules.
----End

Example
To configure port 0/4/0 on the MA5600T so that, from 00:00 to 12:00 on Fridays, it receives only
the packets from 2.2.2.2 and discards the packets from other addresses, do as follows:
huawei(config)#time-range time1 00:00 to 12:00 fri
huawei(config)#acl 2000
huawei(config-acl-basic-2000)#rule permit source 2.2.2.2 0.0.0.0 time-range time1
huawei(config-acl-basic-2000)#rule deny time-range time1
huawei(config-acl-basic-2000)#quit
huawei(config)#packet-filter inbound ip-group 2000 port 0/4/0
huawei(config)#save

2.10.2 Filtering Packets by an Advanced ACL


This topic describes how to classify traffic for data packets according to the source IP address,
destination IP address, type of the protocol over IP, and features of the protocol, such as the
TCP source port, TCP destination port, and ICMP type of the data packets.

Context
The number of an advanced ACL is in the range of 3000-3999.
An advanced ACL can classify traffic according to the following information:
• Protocol type
• Source IP address
• Destination IP address
• Source port ID (source port of the UDP or TCP packets)
• Destination port ID (destination port of the UDP or TCP packets)
• ICMP packet type
• Precedence value: priority field of the data packet
• Type of service (ToS) value: ToS field of the data packet
• Differentiated services code point (DSCP) value: DSCP of the data packet

Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is
created.

Step 2 Create an advanced ACL.


Run the acl command to create an advanced ACL, and then enter the acl-adv mode. The number
of an advanced ACL can only be in the range of 3000-3999.
Step 3 Configure a rule of the advanced ACL.
In the acl-adv mode, run the rule command to create an ACL rule. The parameters are as follows:
• rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this
  parameter.
• permit: Indicates the keyword for allowing the data packets that meet related conditions to
  pass.
• deny: Indicates the keyword for discarding the data packets that meet related conditions.
• time-range: Indicates the keyword of the time range during which the ACL rules are
  effective.
Step 4 Activate the ACL.
After an ACL is configured, only an ACL is generated and the ACL does not take effect. You
need to run other commands to activate the ACL. Some common commands are as follows:
• Run the packet-filter command to activate an ACL.
• Run the firewall packet-filter command to activate an ACL. For details, see 2.9.1
  Configuring Firewall.
• Perform the QoS operation. For details, see 2.11.4 Configuring Traffic Management Based
  on ACL Rules.
----End

Example
Assume that the service board of the MA5600T resides in slot 1 and belongs to a VLAN, and
the IP address of the VLAN L3 interface is 10.10.10.101. To prohibit ICMP (such as ping)
and Telnet operations from the user side to the VLAN interface on the device, do as follows:
huawei(config)#acl 3001
huawei(config-acl-adv-3001)#rule 1 deny icmp destination 10.10.10.101 0
huawei(config-acl-adv-3001)#rule 2 deny tcp destination 10.10.10.101 0 destination-port eq telnet
huawei(config-acl-adv-3001)#quit
huawei(config)#packet-filter inbound ip-group 3001 rule 1 port 0/1/0
huawei(config)#packet-filter inbound ip-group 3001 rule 2 port 0/1/0
huawei(config)#save

2.10.3 Filtering Packets by a Link-layer ACL


This topic describes how to classify traffic according to the link layer information such as source
MAC address, source VLAN ID, L2 protocol type, and destination MAC address.

Context
The number of a link layer ACL is in the range of 4000-4999.
A link layer ACL can classify traffic according to the following link layer information:
• Protocol type over Ethernet
• 802.1p priority
• VLAN ID
• Source MAC address
• Destination MAC address

Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is
created.
Step 2 Create a link layer ACL.
Run the acl command to create a link layer ACL, and then enter the acl-link mode. The number
of a link layer ACL can only be in the range of 4000-4999.
Step 3 Configure a link layer ACL rule.
In the acl-link mode, run the rule command to create a link layer ACL rule. The parameters are
as follows:
• rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this
  parameter.
• permit: Indicates the keyword for allowing the data packets that meet related conditions to
  pass.
• deny: Indicates the keyword for discarding the data packets that meet related conditions.
• time-range: Indicates the keyword of the time range during which the ACL rule is effective.
Step 4 Activate the ACL.
After an ACL is configured, only an ACL is generated and the ACL does not take effect. You
need to run other commands to activate the ACL. Some common commands are as follows:
• Run the packet-filter command to activate an ACL.
• Perform the QoS operation. For details, see 2.11.4 Configuring Traffic Management Based
  on ACL Rules.
----End

Example
To create a link layer ACL rule that allows data packets with protocol type 0x8863 (pppoe-control
message), VLAN ID 12, CoS 1, source MAC address 2222-2222-2222, and destination
MAC address 00e0-fc11-4141 to pass, do as follows:
huawei(config)#acl 4001
huawei(config-acl-link-4001)#rule 1 permit type 0x8863 cos 1 source 12 2222-2222-2222 0000-0000-0000 destination 00e0-fc11-4141 0000-0000-0000
huawei(config-acl-link-4001)#quit
huawei(config)#save

2.10.4 Filtering Packets by a User-defined ACL


This topic describes how to classify traffic according to any 32 bytes of the first 80 bytes of an
L2 data frame.


Prerequisites
Configuring a user-defined ACL requires a deep understanding of the L2 data frame structure.
Be sure to make a data plan according to the format of the L2 data frame.

Context
The number of a user-defined ACL must be in the range of 5000-5999.
A user-defined ACL rule can be created according to any 32 bytes of the first 80 bytes of an L2
data frame.
Figure 2-5 First 64 bytes of a data frame

Table 2-12 lists the meaning of the letters and their offset values.
Table 2-12 Description of letters and their offset values

| Description | Offset |
|---|---|
| Destination MAC address | |
| Source MAC address | |
| VLAN tag | 12 |
| Protocol type | 16 |
| IP version number | 18 |
| Type of service | 19 |
| Length of the IP packet | 20 |
| ID | 22 |
| Flags | 24 |
| Time to live | 26 |
| Protocol ID ("6" represents TCP and "17" represents UDP) | 27 |
| IP check sum | 28 |
| Source IP address | 30 |
| Destination IP address | 34 |
| TCP source port | 38 |
| TCP destination port | 40 |
| Serial number | 42 |
| Acknowledgement field | 46 |
| IP header length and reserved bit | 50 |
| Reserved bit and flags bit | 51 |
| Window size | 52 |
| Other | 54 |

NOTE

The offset value of each field is the offset value in data frame ETH II+VLAN tag. In a user-defined ACL,
you can use the two parameters of rule mask and offset to extract any bytes from the first 80 bytes of the
data frame. After the comparison with the user-defined rule, the data frame matching the rule is filtered
for related processing.

Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is
created.
Step 2 Create a user-defined ACL.
Run the acl command to create a user-defined ACL, and then enter the acl-user mode. The
number of a user-defined ACL can only be in the range of 5000-5999.
Step 3 Configure the user-defined ACL rule.
In the acl-user mode, run the rule command to create an ACL rule. The parameters are as follows:
• rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this
  parameter.
• permit: Indicates the keyword for allowing the data packets that meet related conditions to
  pass.
• deny: Indicates the keyword for discarding the data packets that meet related conditions.
• rule-string: Indicates the character string of the user-defined rule. The character string is in
  hexadecimal notation. The number of characters in the string must be an even number.
• rule-mask: Indicates the mask of the user-defined rule. It is a positive mask, used to perform
  the AND operation with the data packets for extracting the information of the data packets.
• offset: Indicates the offset. With the header of the packet as the reference point, it specifies
  the byte from which the AND operation begins. Together with the rule mask, it extracts a
  character string from the packets.
• ipoe: Indicates that the Ethernet packet header encapsulates an IP packet, including the IP
  packet without VLAN tag, IP packet with one VLAN tag, and IP packet with two VLAN
  tags.
• non-ipoe: Indicates that the Ethernet packet header encapsulates a non-IP packet, including
  the non-IP packet without VLAN tag, non-IP packet with one VLAN tag, non-IP packet with
  two VLAN tags, and non-IP packet with multiple VLAN tags.
• time-range: Indicates the keyword of the time range during which the ACL rule will be
  effective.
Step 4 Activate the ACL.
After an ACL is configured, only an ACL is generated and the ACL does not take effect. You
need to run other commands to activate the ACL. Some common commands are as follows:
• Run the packet-filter command to activate an ACL.
• Perform the QoS operation. For details, see 2.11.4 Configuring Traffic Management Based
  on ACL Rules.
----End

Example
Assume that the packet sent from port 0/3/0 to the MA5600T is the QinQ packet containing two
VLAN tags. To change the CoS priority in the outer VLAN tag (VLAN ID: 10) to 5, do as
follows:
Figure 2-6 QinQ packet format

huawei(config)#acl 5001
huawei(config-acl-user-5001)#rule 1 permit 8100 ffff 16
NOTE
The type value of a QinQ packet varies with different vendors. Huawei adopts the default 0x8100. As shown in
Figure 2-6, the offset of this type value should be 16 bytes.
huawei(config-acl-user-5001)#rule 10 permit 0a ff 19
NOTE
"19" indicates that the AND operation is performed after an offset of 19 bytes, with the header of the packet as
the base. "0a" refers to the value of the inner tag field of the QinQ packet. In this example, the second byte of
the inner tag field is a part of the VLAN ID, which is exactly the value of the inner VLAN ID (VLAN 10).
huawei(config-acl-user-5001)#quit
huawei(config)#traffic-priority inbound user-group 5001 cos 5 port 0/3/0
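The following added example (not from the original guide) applies the rule-string, rule-mask and offset semantics described in this topic to constructed QinQ frames, using rules 1 and 10 of ACL 5001 from the example above. The frame layout (two 4-byte tags, both with type 0x8100), the function names, the VLAN values and the stricter rule 20 are assumptions.

```python
import struct


def user_rule_matches(frame, rule_string, rule_mask, offset):
    """AND the frame bytes starting at `offset` with the mask and compare the
    result with the (masked) rule string, as described for user-defined rules."""
    if len(rule_string) % 2 or len(rule_string) != len(rule_mask):
        raise ValueError("rule string and mask must be even-length hex of equal size")
    value = bytes.fromhex(rule_string)
    mask = bytes.fromhex(rule_mask)
    if len(value) > 32 or offset + len(value) > 80:
        raise ValueError("a rule covers at most 32 bytes within the first 80 bytes")
    window = frame[offset:offset + len(value)]
    if len(window) < len(value):
        return False  # frame too short to contain the field
    return all((b & m) == (v & m) for b, v, m in zip(window, value, mask))


def qinq_frame(outer_vid, inner_vid, outer_cos=0, inner_cos=0):
    """Constructed Ethernet II frame with two VLAN tags and an empty payload."""
    dst = bytes.fromhex("00e0fc114141")
    src = bytes.fromhex("222222222222")
    outer = struct.pack("!HH", 0x8100, (outer_cos << 13) | outer_vid)  # bytes 12-15
    inner = struct.pack("!HH", 0x8100, (inner_cos << 13) | inner_vid)  # bytes 16-19
    return dst + src + outer + inner + struct.pack("!H", 0x0800) + bytes(46)


def matching_rules(frame, rules):
    """Return the IDs of the rules that match the frame, each evaluated on its own."""
    return [rule_id for rule_id, (string, mask, offset) in sorted(rules.items())
            if user_rule_matches(frame, string, mask, offset)]


# Rules 1 and 10 of ACL 5001 as configured in the example above.
PAGE_RULES = {1: ("8100", "ffff", 16), 10: ("0a", "ff", 19)}
# Hypothetical stricter rule: compare all 12 VLAN ID bits (bytes 18-19, mask 0fff).
STRICT_VID_10 = {20: ("000a", "0fff", 18)}

if __name__ == "__main__":
    for inner_vid in (10, 266, 20):
        frame = qinq_frame(outer_vid=100, inner_vid=inner_vid)
        print("inner VLAN", inner_vid,
              "page rules:", matching_rules(frame, PAGE_RULES),
              "strict rule:", matching_rules(frame, STRICT_VID_10))
```

Because rule 10 compares only the byte at offset 19, it also matches inner VLAN 266 (0x10a) and every other VLAN ID whose low eight bits are 0x0a; a mask that covers all 12 VLAN ID bits avoids this.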

2.11 Configuring QoS


This topic describes how to configure quality of service (QoS) on the MA5600T.

Background Information
Configuring QoS in the system can provide different quality guarantees for different services.
QoS does not have a unified service model. Therefore, make the QoS plan for network-wide
services before making the configuration solution.

On the MA5600T, the key points for implementing QoS are as follows:
• Traffic management
  Configuring traffic management can limit the traffic for a user service or user port.
• Queue scheduling
  For the service packets that are already configured with traffic management, through the
  configuration of queue scheduling, the service packets can be placed into queues with
  different priorities, thus implementing QoS inside the system.

In addition to the preceding key points, the MA5600T supports hierarchical quality of service
(HQoS) and ACL-based traffic management.
• HQoS
  Two levels of traffic management are supported: for HQoS users and for the HQoS user
  group.
• ACL-based traffic management
  In the scenario where users have flexible requirements on implementing QoS for traffic
  streams, the ACL can be used to implement flexible traffic classification (see 2.10
  Configuring the ACL), and then QoS can be implemented for traffic streams.

2.11.1 Configuring Traffic Management


This topic describes how to configure traffic management on the MA5600T.

Overview
The MA5600T supports traffic management for the inbound and outbound traffic streams of the
system. Traffic management can be implemented based on the following three granularities:
• Based on service port
  NOTE
  For details on configuring traffic classification, see Creating an xDSL Service Port or 4.6 Creating
  a GPON Service Port.
• Based on port+CoS
• Based on port+VLAN

In addition, the MA5600T supports rate limit on the Ethernet port and traffic suppression on
inbound broadcast packets and unknown (multicast or unicast) packets.

Configuring Traffic Management Based on Service Port


This topic describes how to configure traffic management based on service port. When
configuring a service port, you need to bind an IP traffic profile to the service port and manage
the traffic of the service port through the traffic parameters defined in the profile.

Background Information
Traffic management based on service port is implemented by creating an IP traffic profile and
then binding the IP traffic profile when creating the service port.
• The system has seven default IP traffic profiles with the IDs of 0-6. You can run the display
  traffic table command to query the traffic parameters of the default traffic profiles.
• It is recommended that you use the default traffic profiles. A new IP traffic profile is created
  only when the default traffic profiles cannot meet the requirements.

Table 2-13 lists the traffic parameters defined in the IP traffic profiles.
Table 2-13 Traffic parameters defined in the IP traffic profiles

Item: Parameters of two rate three color management
Parameter description:
• CIR: committed information rate
• CBS: committed burst size
• PIR: peak information rate
• PBS: peak burst size
NOTE
• CIR is mandatory, and the other three parameters are optional. If you configure only CIR,
  the system calculates the other three parameters based on the formula. Therefore, it is
  recommended that you configure only CIR.
• The system marks the service packets with colors according to the CIR and PIR parameters.
  To be specific, for the packets whose rate is equal to or lower than CIR, the system marks
  them as green (allowed to pass). For the packets whose rate is higher than CIR and lower
  than PIR, the system marks them as yellow (allowed to pass). For the packets whose rate is
  higher than PIR, the system drops such packets. After the configuration is completed, green
  packets are allowed to pass, yellow packets that do not exceed the bandwidth can also pass,
  and yellow packets that exceed the bandwidth are dropped.

Item: Priority policies
Parameter description: The priority policies are classified into the following three types:
• user-cos: Copy the 802.1p priority in the outer VLAN tag of the packet to the 802.1p
  priority in the VLAN tag of the outbound packet.
• user-inner-cos: Copy the 802.1p priority in the inner VLAN tag (CTag) of the packet to the
  802.1p priority in the VLAN tag of the outbound packet.
• user-tos: Copy the ToS priority in the VLAN tag of the packet to the 802.1p priority in the
  VLAN tag of the outbound packet.

Item: Scheduling policies
Parameter description: There are three types of scheduling policies:
• Tag-In-Package: The system performs scheduling according to the 802.1p priority of the
  packet.
• Local-Setting: It is the local priority. That is, the system performs scheduling according to
  the 802.1p priority specified in the traffic profile bound to the traffic stream.
• Tag-In-Ingress-Package: For the downstream packets, the system schedules the packet by
  the priority of the ingress packet.

NOTE

"Outbound" (upstream) in this document refers to the direction from the user side to the network side, and
"inbound" (downstream) refers to the direction from the network side to the user side.


Procedure
Step 1 Run the display traffic table command to query whether there is a proper traffic profile in the
system.
Check whether an existing traffic profile meets the planned traffic management parameters,
priority policy, and scheduling policy to confirm the index of the traffic profile to be used. If a
proper traffic profile does not exist in the system, create an IP traffic profile.
Step 2 Run the traffic table ip command to create a traffic profile.
The usage of this command is complicated. The following is a detailed description:
• The traffic management parameters must contain at least CIR, which must be assigned with
  a value.
• Keyword priority must be entered to set the outer 802.1p priority of the packet. Two options
  are available for setting the priority policy:
  - Enter a value in the range of 0-7 to specify a priority for the packet.
  - If the priority of the user-side packet is copied according to user-cos, user-inner-cos, or
    user-tos, you need to enter the default 802.1p priority of the packet (a value in the range
    of 0-7). If the user-side packet does not carry a priority, the specified default 802.1p
    priority of the packet is adopted as the priority of the outbound packet.
• (Optional) Enter keyword inner-priority to set the inner 802.1p priority (the 802.1p priority
  in the CTag) of the packet. Two options are available for setting the priority policy:
  - Enter a value in the range of 0-7 to specify a priority for the packet.
  - If the priority of the user-side packet is copied according to user-cos, user-inner-cos, or
    user-tos, you need to enter the default 802.1p priority of the packet (a value in the range
    of 0-7). If the user-side packet does not carry a priority, the specified default 802.1p
    priority of the packet is adopted as the priority of the outbound packet.
• Keyword priority-policy must be entered to specify a scheduling policy for the inbound
  packet. For details about the scheduling policies, see Table 2-13.
Step 3 Run the service port command to bind a proper traffic profile.
----End

Example
Assume that the CIR is 2048 kbit/s, 802.1p priority of the outbound packet is 6, and the
scheduling policy of the inbound packet is Tag-In-Package. To add traffic profile 9 with these
settings, do as follows:
huawei(config)#traffic table ip index 9 cir 2048 priority 6 priority-policy tag-In-Package
Create traffic descriptor record successfully
------------------------------------------------
TD Index             : 9
TD Name              : ip-traffic-table_9
Priority             : 6
Copy Priority        : -
Mapping Index        : -
CTAG Mapping Priority: -
CTAG Mapping Index   : -
CTAG Default Priority: 0
Priority Policy      : tag-pri
CIR                  : 2048 kbps
CBS                  : 67536 bytes
PIR                  : 4096 kbps
PBS                  : 133072 bytes
Referenced Status    : not used
------------------------------------------------
huawei(config)#display traffic table ip index 9
------------------------------------------------
TD Index             : 9
TD Name              : ip-traffic-table_9
Priority             : 6
Copy Priority        : -
Mapping Index        : -
CTAG Mapping Priority: -
CTAG Mapping Index   : -
CTAG Default Priority: 0
Priority Policy      : tag-pri
CIR                  : 2048 kbps
CBS                  : 67536 bytes
PIR                  : 4096 kbps
PBS                  : 133072 bytes
Referenced Status    : not used
------------------------------------------------

Configuring Traffic Management Based on Port+CoS


This topic describes how to configure traffic management based on port+CoS so that different
IP traffic profiles can be specified for the traffic streams that have different 802.1p priorities on
a port.

Prerequisites
A proper IP traffic profile must be created and the index of the IP traffic profile to be used must
be confirmed. For the configuration method, see Configuring Traffic Management Based on
Service Port.

Background Information
• Traffic management based on service ports conflicts with traffic management based on port
  +CoS. By default, the system supports traffic management based on service ports.
• If service ports are configured on the board, the traffic management mode of the board
  cannot be changed.

Procedure
Step 1 According to the type of the board to be configured, enter the EPON,, or GPON mode.
Step 2 Run the car-mode port-cos command to configure the traffic management mode of the service
board to traffic management based on port+CoS.
The configured traffic management mode is valid to all the ports on the board. The configured
traffic management mode has the following two options:
l service-port: Indicates traffic management based on service port (default).
l port-cos: Indicates traffic management based on port+CoS.
Step 3 Run the car-port command to specify the 802.1p priority for the port, and bind an IP traffic
profile to the traffic streams that meet the specified 802.1p priority.
When traffic management based on port+CoS is selected for a board, pay attention to the
following points:
• For a non-xPON board, you can bind the corresponding traffic profile in the inbound/
  outbound direction according to a CoS value of a port on the board.
• For a GPON board, you can bind the corresponding traffic profile in the inbound/outbound
  direction according to a CoS value of a GEM port on the board.
• For an 8-port EPON board, you can bind the corresponding traffic profile in the inbound/
  outbound direction according to the CoS value of an LLID on the board.
----End

Example
To configure GEM port 130 on port 0 of the GPON board in slot 0/4, and bind traffic profile 2
to the packets with priority 7, do as follows:
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#car-mode port-cos
huawei(config-if-gpon-0/4)#car-port 0 gemport 130 cos 7 inbound 2 outbound 2
huawei(config-if-gpon-0/4)#display car-mode
  The CAR mode of the board : port-cos
huawei(config-if-gpon-0/4)#display car-port 0 gemport 130
  ----------------------------------------------------
  Port  GEM port  CoS  Inbound-index  Outbound-index
  ----------------------------------------------------
  0     130       7    2              2
  ----------------------------------------------------

To configure port 0 of the VDSL2 board in slot 0/4, and bind traffic profile 3 to the packets with
priority 3, do as follows:
huawei(config)#interface vdsl 0/4
huawei(config-if-vdsl-0/4)#car-mode port-cos
huawei(config-if-vdsl-0/4)#car-port 0 cos 3 inbound 3 outbound 3
huawei(config-if-vdsl-0/4)#display car-mode
  The CAR mode of the board : port-cos
huawei(config-if-vdsl-0/4)#display car-port 0
  ------------------------------------------
  Port  CoS  Inbound-index  Outbound-index
  ------------------------------------------
  0     3    3              3
  ------------------------------------------

Configuring User-based Rate Limitation


In the user-based rate limitation, the VoIP, IPTV service, and Internet access service of each
user share a total user bandwidth. When there is no voice or IPTV service, the Internet access
service can hold a burst of the total user bandwidth so that the total user bandwidth can be
managed in a unified manner.

Background Information
When the user uses the Triple play service, the VoIP, IPTV service, and Internet access service
of each user share a total user bandwidth. All services of the user hold the total user bandwidth,
and the service with the highest CoS priority is ensured first. When other services carry no traffic,
each service can hold a burst of the total user bandwidth. The multicast bandwidth is determined
by the bandwidth of demanded programs. The total bandwidth of demanded programs cannot
exceed the total user bandwidth.

Procedure
- For PON access users.
  In the user-based rate limitation, multiple service ports of a user are added to a
  rate-limited group. Through the QoS strategy applied on the rate-limited group, the total user
  bandwidth is ensured on the basis that the committed information rate (CIR) and peak
  information rate (PIR) of each service are ensured, and each service is allowed to hold
  a burst of the total user bandwidth.
  Only the GPBD, EPBC service boards support user-based rate limitation.
  1. Run the traffic table ip command to create an IP traffic profile to configure the CoS
     priority of each service and ensure the CIR and PIR.
     - The CoS priorities of services are VoIP, IPTV service, and Internet access service
       in a descending order.
     - In the IP traffic profile used by the rate-limited group, the PIR must be equal to or
       larger than the sum of CIRs of all services in other IP traffic profiles.
  2. Run the service-port command to create service ports of the VoIP, IPTV service, and
     Internet access service, using the IP traffic profile created in Step 1.
  3. Run the car-group command to create the rate-limited group of service ports to
     manage the total user bandwidth of multiple services.
     - To ensure the user bandwidth, the PIR of the rate-limited group must be equal to
       or larger than the sum of CIRs of all services in the rate-limited group.
     - The PIR is equal to the total user bandwidth. In the case that any two services carry
       no traffic, the third service can hold a burst of the total user bandwidth.
  4. Run the car-group add-member service-port command to add service ports to the
     rate-limited group.
     Pay attention to the following points when adding service ports to the rate-limited
     group:
     - Only service ports of the same PON port can be added to the same rate-limited
       group.
     - For Type C and Type D, only service ports of the same ONT can be added to the
       same rate-limited group.
     - One service port cannot be added to multiple rate-limited groups.
     - A maximum of eight service ports can be added to a rate-limited group.

----End

Example
Assume that under GPON port 0/4/1, the user with the ONT 1 is provided with the VoIP, IPTV,
and Internet access services. Set the total user bandwidth to 10 Mbit/s, add rate-limited group
0, add service ports 100, 101, and 102 of the user to rate-limited group 0, and use traffic profile
30 to control traffic of rate-limited group 0. In the case that any two services carry no traffic,
the third service can hold a burst of the total user bandwidth. To perform such a configuration
with the following parameters, do as follows:
- Service port 100 of the Internet access service uses traffic profile 10, with the CIR 2 Mbit/s
  and the 802.1p priority 4.
- Service port 101 of the VoIP service uses traffic profile 11, with the CIR 1 Mbit/s and the
  802.1p priority 6.
- Service port 102 of the IPTV service uses traffic profile 12, with the packet rate not limited
  and the 802.1p priority 5.

huawei(config)#traffic table ip index 10 cir 2048 pir 10240 priority 4 priority-policy local-Setting
huawei(config)#service-port 100 vlan 2 gpon 0/4/1 ont 1 gemport 4 multi-service user-vlan 20 rx-cttr 10 tx-cttr 10
huawei(config)#traffic table ip index 11 cir 1024 pir 10240 priority 6 priority-policy local-Setting
huawei(config)#service-port 101 vlan 2 gpon 0/4/1 ont 1 gemport 5 multi-service user-vlan 30 rx-cttr 11 tx-cttr 11
huawei(config)#traffic table ip index 12 cir off priority 5 priority-policy local-Setting
huawei(config)#service-port 102 vlan 2 gpon 0/4/1 ont 1 gemport 6 multi-service user-vlan 40 rx-cttr 12 tx-cttr 12
huawei(config)#traffic table ip index 30 cir 10240 pir 10240 priority 3 priority-policy local-Setting
huawei(config)#car-group 0 inbound traffic-table index 30 outbound traffic-table index
huawei(config)#car-group 0 add-member service-port 100-102
huawei(config)#display car-group 0
  Command:
          display car-group 0
  ----------------------------------------------------------------------------
  GroupID  Member List  Inbound Index  Outbound Index
  ----------------------------------------------------------------------------
  0        100,101,102  10             10
  ----------------------------------------------------------------------------
  Total: 1
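
The rules stated in the procedure above (at most eight members, one group per service port, one PON port per group, group PIR not below the sum of member CIRs) can be checked on a plan before any command is typed. The following Python check is an added example, not part of the Huawei guide; the class and function names are hypothetical, profiles 10, 11, 12 and 30 and service ports 100 to 102 use the values of the example above, and profile 31 and service port 200 are constructed to trigger violations.

```python
from dataclasses import dataclass
from typing import Optional

MAX_GROUP_MEMBERS = 8  # the page's limit on service ports per rate-limited group


@dataclass(frozen=True)
class TrafficProfile:
    index: int
    cir_kbps: Optional[int]  # None models "cir off" (rate not limited)
    pir_kbps: Optional[int]


@dataclass(frozen=True)
class ServicePort:
    index: int
    pon_port: str  # frame/slot/port, for example "0/4/1"
    ont_id: int
    profile: int   # index of the IP traffic profile bound to this service port


def check_car_groups(profiles, service_ports, groups, same_ont_required=False):
    """Return a list of violations; an empty list means the plan passes.

    groups maps group id -> (group traffic profile index, [service port indexes]).
    same_ont_required models the page's Type C / Type D restriction.
    """
    prof = {p.index: p for p in profiles}
    ports = {s.index: s for s in service_ports}
    problems = []
    owner = {}  # service port index -> group that claimed it first

    for gid, (group_profile, members) in sorted(groups.items()):
        if len(members) > MAX_GROUP_MEMBERS:
            problems.append(f"group {gid}: {len(members)} members, limit is {MAX_GROUP_MEMBERS}")
        for m in members:
            if m in owner:
                problems.append(f"group {gid}: service port {m} is already in group {owner[m]}")
            else:
                owner[m] = gid
        member_ports = [ports[m] for m in members]
        if len({s.pon_port for s in member_ports}) > 1:
            problems.append(f"group {gid}: members span more than one PON port")
        if same_ont_required and len({(s.pon_port, s.ont_id) for s in member_ports}) > 1:
            problems.append(f"group {gid}: members span more than one ONT")
        # A service with "cir off" commits no bandwidth, so it adds 0 to the sum.
        cir_sum = sum(prof[s.profile].cir_kbps or 0 for s in member_ports)
        group_pir = prof[group_profile].pir_kbps
        if group_pir is not None and group_pir < cir_sum:
            problems.append(
                f"group {gid}: PIR {group_pir} kbit/s is below the member CIR sum {cir_sum} kbit/s"
            )
    return problems


# Rates in kbit/s. Profiles 10, 11, 12 and 30 come from the example above.
PROFILES = [
    TrafficProfile(10, 2048, 10240),
    TrafficProfile(11, 1024, 10240),
    TrafficProfile(12, None, None),
    TrafficProfile(30, 10240, 10240),
    TrafficProfile(31, 2048, 2048),    # constructed: undersized group profile
]
PORTS = [
    ServicePort(100, "0/4/1", 1, 10),
    ServicePort(101, "0/4/1", 1, 11),
    ServicePort(102, "0/4/1", 1, 12),
    ServicePort(200, "0/4/2", 3, 10),  # constructed: service port on another PON port
]
PAGE_PLAN = {0: (30, [100, 101, 102])}
BAD_PLAN = {0: (31, [100, 101, 102]), 1: (30, [100, 200])}

if __name__ == "__main__":
    print("page plan:", check_car_groups(PROFILES, PORTS, PAGE_PLAN) or "ok")
    for problem in check_car_groups(PROFILES, PORTS, BAD_PLAN):
        print("bad plan:", problem)
```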

Configuring Rate Limitation on an Ethernet Port


This topic describes how to configure rate limitation on a specified Ethernet port.

Prerequisites
The Ethernet board must be configured in the system.

Background Information
- Rate limitation on an Ethernet port is valid only to the Ethernet board.
- Traffic streams exceeding the specified rate are discarded.

Procedure
Step 1 In the global config mode, run the line-rate command to configure rate limitation on a specified
Ethernet port.
The main parameters are as follows:
- target-rate: Indicates the limited rate of the port, in the unit of kbit/s.
- port: Indicates the shelf ID/slot ID/port ID.
Step 2 You can run the display qos-info line-rate port command to query the configured rate limitation
on the specified Ethernet port.
----End

Example
To limit the rate of Ethernet port 0/17/0 to 6400 kbit/s, do as follows:
huawei(config)#line-rate 6400 port 0/17/0
huawei(config)#display qos-info line-rate port 0/17/0
line-rate:
port 0/17/0:
Line rate: 6400 Kbps

Configuring GPON Rate Limitation


This topic describes how to configure rate limitation for GPON services, thereby providing
differentiated quality of service (QoS) for various GPON services.

Background Information
- There are multiple methods of rate-limiting GPON services, for example, rate-limiting
  downstream traffic by using an IP traffic profile and ACL rules, rate-limiting the ONT
  upstream bandwidth by using a DBA profile, and rate-limiting the GEM port and GEM
  port traffic on an ONT.
- Rate limitation on GPON services can be performed on the OLT and the ONT concurrently.
  If more than one rate limitation mode is configured in the system, the minimum rate
  prevails.
- Which method of rate-limiting the ONT upstream bandwidth is used depends on the ONT
  capability. Specifically, if an ONT supports various rate limitation methods and the ONT
  upstream traffic is small (for example, FTTH service), a DBA profile is the best choice to
  rate-limit the ONT upstream traffic. If a T-CONT carries upstream traffic for multiple users
  (for example, FTTB/FTTC service), rate limitation on GEM port is generally used to
  prevent a user from occupying bandwidth for a long time. If the priority of user packets is
  trustable (for example, an enterprise user), priority queue (PQ) scheduling is generally used.

Procedure
- Perform rate limitation on the OLT.
  - Rate limitation using an IP traffic profile includes two modes. For details, see
    Configuring Traffic Management Based on Service Port, and Configuring Traffic
    Management Based on Port+CoS.
  - Performing rate limitation by configuring an ACL rule can control the traffic matching
    the ACL rule. For details, see Controlling the Traffic Matching an ACL Rule.
- Perform rate limitation on the ONT.


NOTE

- In the case of an MxU device, rate limitation can be performed on downstream traffic of a service
  port or a port by configuring an IP traffic profile. For details, see MxU manuals.
- In the case of H805GPBD board, you can run the traffic-limit ont command to limit the traffic
  of downstream packets on a specified ONT. The system limits the traffic of downstream packets
  on an ONT by using the shaping function and buffers the packets that exceed the limit (that is,
  the PIR parameter in the traffic profile) and transmits them at a proper time (such as during
  periodic checks). This reduces packet drop and at the same time complies with traffic features.

1. Run the dba-profile add command to add a DBA profile. The DBA profile is used
   to schedule the ONT upstream bandwidth properly, achieving the best bandwidth
   utilization.
   A DBA profile supports five types (Type1 to Type5). Generally, services with a higher
   priority adopt Type1 or Type2 DBA profiles and services with a lower priority adopt
   Type3 or Type4 DBA profiles. Table 2-14 shows the features of the DBA profile of
   each type.
   Table 2-14 The features of the DBA profile
   Profile Type  Features
   Type1         Indicates the fixed bandwidth. After the DBA profile of Type1 is
                 bound, the system assigns a specified bandwidth, regardless of
                 whether there is upstream traffic.
   Type2         Indicates the assured bandwidth. After the DBA profile of Type2
                 is bound, the system meets the bandwidth requirements if the
                 upstream traffic does not exceed a specified value. When there is
                 no upstream traffic, the system does not assign any bandwidth.
   Type3         Indicates the hybrid of assured bandwidth and non-assured
                 bandwidth. The DBA profile of Type3 specifies an assured value
                 and non-assured value. After assigning the fixed bandwidth and
                 assured bandwidth, the system assigns the remaining bandwidth
                 (if any) to the user bound with the DBA profile of Type3 (the
                 assigned bandwidth does not exceed the non-assured bandwidth).
   Type4         Indicates the best-effort bandwidth. The DBA profile of Type4 just
                 specifies a maximum value. After the DBA profile of Type4 is
                 bound, its priority for obtaining the bandwidth is the lowest. That
                 is, after assigning the fixed bandwidth, assured bandwidth, and
                 non-assured bandwidth, the system assigns the remaining
                 bandwidth (if any) to the user bound with the DBA profile of Type4
                 (the assigned bandwidth does not exceed the maximum value).
   Type5         Indicates the hybrid bandwidth. The preceding four types of values
                 need to be specified.

2. Run the ont-lineprofile gpon command to add a GPON ONT line profile, and then
   enter the GPON ONT line profile mode.
3. Run the tcont command to bind a T-CONT to the DBA profile.
   It is recommended that one service type use one T-CONT and different T-CONTs be
   planned with different bandwidth assurance types.
4. Run the qos-mode command to configure a QoS mode of the GPON ONT line profile
   to ensure that the QoS mode is the same as that of the GEM port.
   By default, the QoS mode of the GPON ONT line profile (that is, the ONT scheduling
   mode) is priority queue (PQ). The QoS mode includes:
   - gem-car: Indicates the rate limitation mode based on the GEM port of the T-CONT.
     Rate limitation is performed on a specified GEM port in the ONT upstream
     direction. To select the gem-car mode, set gem add to gem-car. The maximum
     traffic is determined by the DBA profile bound to the GEM port. If a T-CONT
     contains multiple GEM ports, the scheduling mechanism of packets between
     multiple GEM ports depends on the default scheduling mechanism of the ONT.

   - flow-car: Indicates the rate limitation mode based on traffic streams of a GEM
     port. Rate limitation is performed on a specified traffic stream in the ONT upstream
     direction. To select the flow-car mode, set gem mapping to flow-car. The
     maximum traffic is determined by the DBA profile bound to the traffic stream.
     Flow-car is more specific than gem-car. After rate limitation based on traffic
     streams is performed, traffic is scheduled in the T-CONT queue. The scheduling
     mechanism depends on the default scheduling mechanism of the ONT. Before
     configuring flow-car, make sure that the required traffic profile is created by
     running the traffic table ip command.
     NOTE
     The traffic stream in this topic refers to the service channel between an ONT and OLT. It is
     different from the service port created by running the service-port command.
   - priority-queue: Indicates the PQ mode based on the GEM port of the T-CONT.
     Traffic is scheduled based on PQ between multiple GEM ports in the ONT
     upstream direction. To select priority-queue mode, set gem add to priority-queue.
     By default, the system supports eight (0-7) queues. Queue 7 has the highest
     priority and services of queue 7 are preferentially guaranteed. The maximum traffic
     is determined by the DBA profile to which the T-CONT is bound.
5. Run the commit command to make the profile configuration take effect. The
   configuration of the line profile takes effect only after you run this command.

----End

Example
Assume that:
- A user under ONT 1 connected to GPON port 0/4/1 requires 2 Mbit/s high-speed Internet
  access service.
- The priority of user packets is trustable. The PQ scheduling mechanism is used, with priority
  1.
- The default IP traffic profile, namely IP traffic profile 5, is used for rate limitation on a
  GPON port, with CIR of 2048 kbit/s.
- DBA profile 10 of Type4 is used and the maximum bandwidth in the ONT upstream
  direction is 100 Mbit/s.

To perform the preceding configurations, do as follows:


huawei(config)#dba-profile add profile-id 10 type4 max 102400
huawei(config)#ont-lineprofile gpon profile-id 5
huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 10
huawei(config-gpon-lineprofile-5)#qos-mode Priority-queue
huawei(config-gpon-lineprofile-5)#gem add 1 eth tcont 1 priority-queue 1
huawei(config-gpon-lineprofile-5)#mapping-mode vlan
huawei(config-gpon-lineprofile-5)#gem mapping 1 2 vlan 10
huawei(config-gpon-lineprofile-5)#commit
huawei(config-gpon-lineprofile-5)#quit
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#ont confirm 1 ontid 1 sn-auth 32303131B39FD641 snmp ont-lineprofile-id 5
huawei(config-if-gpon-0/4)#quit
huawei(config)#service-port 101 vlan 100 gpon 0/4/1 ont 1 gemport 1 rx-cttr 5 tx-cttr 5

Configuring EPON Rate Limitation


This topic describes how to configure rate limitation for EPON services, thereby providing
differentiated quality of service (QoS) for various EPON services.

Background Information
- There are multiple methods of limiting the traffic of EPON services, for example, limiting
  downstream traffic by using an IP traffic profile and ACL rules, limiting the ONT upstream
  bandwidth by using a DBA profile, and limiting the ONT downstream bandwidth by using
  a traffic profile.
- Rate limitation on EPON services can be performed on the OLT and the ONT concurrently.
  If more than one rate limitation mode is configured in the system, the minimum rate
  prevails.

Procedure
- Perform rate limitation on the OLT.
  - Rate limitation using an IP traffic profile includes two modes. For details, see
    Configuring Traffic Management Based on Service Port and Configuring Traffic
    Management Based on Port+CoS.
  - Performing rate limitation by configuring an ACL rule can control the traffic matching
    the ACL rule. For details, see Controlling the Traffic Matching an ACL Rule.
  NOTE
  Rate limitation of the EPBA board cannot be performed on the OLT.
- Perform rate limitation on the ONT.
  - Rate limitation for upstream packets
    In the EPON mode, run the ont port attribute portid ontid eth ont-portid up-policing
    traffic-table-index command to limit the traffic of upstream packets on an ETH port.
    NOTE
    This command can be executed only when it is supported by the ONT version. For details, refer
    to the corresponding manual of the ONT.
    A DBA profile is used to dynamically assign the ONT upstream bandwidth and improve
    upstream bandwidth usage efficiency.
    1. Run the dba-profile add command to add a DBA profile.
       A DBA profile supports five types (Type1 to Type5). Generally, services with a
       higher priority use Type1 or Type2 DBA profiles and services with a lower priority
       use Type3 or Type4 DBA profiles. Table 2-15 describes the features of the DBA
       profile of each type.
       Table 2-15 Features of DBA profiles
       Profile Type  Feature
       Type1         Indicates the fixed bandwidth. After the DBA profile of Type1
                     is bound, the system assigns a specified bandwidth, regardless
                     of whether there is upstream traffic or not.
       Type2         Indicates the assured bandwidth. After the DBA profile of
                     Type2 is bound, the system meets the bandwidth requirements
                     if the upstream traffic does not exceed a specified value. When
                     there is no upstream traffic, the system does not assign any
                     bandwidth.
       Type3         Indicates the hybrid of assured bandwidth and non-assured
                     bandwidth. The DBA profile of Type3 specifies an assured
                     value and non-assured value. After assigning the fixed
                     bandwidth and assured bandwidth, the system assigns the
                     remaining bandwidth (if any) to the user bound to the DBA
                     profile of Type3 (the assigned bandwidth does not exceed the
                     non-assured bandwidth).
       Type4         Indicates the best-effort bandwidth. The DBA profile of Type4
                     just specifies a maximum value. After the DBA profile of Type4
                     is bound, its priority for obtaining the bandwidth is the lowest.
                     That is, after assigning the fixed bandwidth, assured bandwidth,
                     and non-assured bandwidth, the system assigns the remaining
                     bandwidth (if any) to the user bound to the DBA profile of
                     Type4 (the assigned bandwidth does not exceed the maximum
                     value).
       Type5         Indicates the hybrid bandwidth. The preceding four types of
                     values must be all specified if this type of profile is used.

    2. Run the ont-lineprofile epon command to add an ONT line profile, and then enter
       the ONT line profile mode.
    3. Run the llid command to bind an ONT to the DBA profile.
    4. Run the commit command to make the parameters of the profile take effect. The
       configuration of a line profile takes effect only after you perform this operation.
    5. When the ont add command is executed to add an ONT, bind the ONT line profile
       to the ONT.
  - Rate limitation for downstream packets
    Run the llid ont-car command to bind an ONT to the traffic profile to limit the traffic
    of downstream packets on this ONT.
    In the EPON mode, run the ont port attribute portid ontid eth ont-portid ds-policing
    traffic-table-index command to limit the traffic of downstream packets on an ETH
    port.
    NOTE
    This command can be executed only when it is supported by the ONT version. For details, refer
    to the corresponding manual of the ONT.

----End

Example
Assume that:
- A user under ONT 1 connected to EPON port 0/4/1 requires 2 Mbit/s high-speed Internet
  access service.
- Use traffic profile 8 in the system for rate limitation on an EPON port, with CIR of 2 Mbit/s.
- Use DBA profile 10 of Type4 to limit the maximum upstream bandwidth of the ONT to
  100 Mbit/s.
- Use traffic profile 20 to limit the maximum downstream bandwidth of the ONT to
  100 Mbit/s.

To perform the preceding configurations, do as follows:


huawei(config)#dba-profile add profile-id 10 type4 max 102400
huawei(config)#traffic table ip index 20 cir 102400 priority 1 priority-policy tag-In-Package
huawei(config)#ont-srvprofile epon profile-id 11
huawei(config-epon-srvprofile-11)#ont-port eth 4 pots 2
huawei(config-epon-srvprofile-11)#port vlan eth 1 10
huawei(config-epon-srvprofile-11)#commit
huawei(config-epon-srvprofile-11)#quit
huawei(config)#ont-lineprofile epon profile-id 5
huawei(config-epon-lineprofile-5)#llid dba-profile-id 10 ont-car 20
huawei(config-epon-lineprofile-5)#commit
huawei(config-epon-lineprofile-5)#quit
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#ont add 1 1 password-auth 0100000001 once-on no-aging oam ont-lineprofile-id 5 ont-srvprofile-id 11
huawei(config-if-epon-0/4)#quit
huawei(config)#traffic table ip index 8 cir 2048 priority 1 priority-policy tag-In-Package
huawei(config)#service-port 101 vlan 100 epon 0/4/1 ont 1 multi-service user-vlan 10 inbound traffic-table index 8 outbound traffic-table index 8

Configuring Traffic Suppression


This topic describes how to configure traffic suppression. The purpose of traffic suppression is
to ensure the provisioning of the normal service of system users by suppressing the broadcast,
unknown multicast, and unknown unicast packets received by the system.

Background Information
Traffic suppression can be configured based on a board or based on the port on a board.

Procedure
- Configure traffic suppression based on a board.
  1. Query the thresholds of traffic suppression.
     In the privilege mode, run the display traffic-suppress all command to query the
     thresholds of traffic suppression.
  2. Run the traffic-suppress command to suppress the traffic of the board in a slot.
     The main parameters are as follows:
     - broadcast: Suppresses the broadcast traffic.
     - multicast: Suppresses the unknown multicast traffic.
     - value: Indicates the index of the traffic suppression level. The index value is the
       value queried in step 1.
- Configure traffic suppression based on the port on a board.
  1. According to the board configured in the system, enter one of the following modes:
     - Run the interface GIU command to enter the GIU mode.
     - Run the interface SCU command to enter the SCU mode.
     - Run the interface eth command to enter the ETH mode.
  2. Query the thresholds of traffic suppression.
     Run the display traffic-suppress all command to query the thresholds of traffic
     suppression.
  3. Run the traffic-suppress command to suppress the traffic of the port on a GIU or
     SCU board.
     The main parameters are as follows:
     - broadcast: Suppresses the broadcast traffic.
     - multicast: Suppresses the unknown multicast traffic.
     - unicast: Suppresses the unknown unicast traffic.
     - value: Indicates the index of the traffic suppression level. The index value is the
       value queried in step 2.

----End

Example
To suppress the broadcast packets according to traffic suppression level 8 on port 0 on the SCU
board in slot 0/7, do as follows:
huawei(config)#interface scu 0/7
huawei(config-if-scu-0/7)#display traffic-suppress all
  Command:
          display traffic-suppress all
  Traffic suppression ID definition:
  ---------------------------------------------------------------------
  NO.  Min bandwidth(kbps)  Max bandwidth(kbps)  Package number(pps)
  ---------------------------------------------------------------------
  1    6                    145                  12
  2    12                   291                  24
  3    24                   582                  48
  4    48                   1153                 95
  5    97                   2319                 191
  6    195                  4639                 382
  7    390                  9265                 763
  8    781                  18531                1526
  9    1562                 37063                3052
  10   3125                 74126                6104
  11   6249                 148241               12207
  12   12499                296483               24414
  13   0                    0                    0
  ---------------------------------------------------------------------
  ---------------------------------------------------------------------
  PortID  Broadcast_index  Multicast_index  Unicast_index
  ---------------------------------------------------------------------
  0       7                7                OFF
  1       7                7                OFF
  2       7                7                OFF
  3       7                7                OFF
  ---------------------------------------------------------------------
huawei(config-if-scu-0/7)#traffic-suppress all broadcast value 12
huawei(config-if-scu-0/7)#display traffic-suppress all
  Traffic suppression ID definition:
  ---------------------------------------------------------------------
  NO.  Min bandwidth(kbps)  Max bandwidth(kbps)  Package number(pps)
  ---------------------------------------------------------------------
  1    6                    145                  12
  2    12                   291                  24
  3    24                   582                  48
  4    48                   1153                 95
  5    97                   2319                 191
  6    195                  4639                 382
  7    390                  9265                 763
  8    781                  18531                1526
  9    1562                 37063                3052
  10   3125                 74126                6104
  11   6249                 148241               12207
  12   12499                296483               24414
  13   0                    0                    0
  ---------------------------------------------------------------------
  ---------------------------------------------------------------------
  PortID  Broadcast_index  Multicast_index  Unicast_index
  ---------------------------------------------------------------------
  0       12               OFF              OFF
  1       12               OFF              OFF
  2       12               OFF              OFF
  3       12               OFF              OFF
  ---------------------------------------------------------------------
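
Output of display traffic-suppress all collected from many boards is easier to review by script than by eye. The following Python audit is an added example, not part of the Huawei guide: it parses the two tables shown above, reports every port on which suppression of a traffic type is OFF, and resolves each enabled index to its packet-rate limit. The function names are hypothetical and SAMPLE is a constructed excerpt in the layout of the output above.

```python
KINDS = ("broadcast", "multicast", "unicast")

# Constructed sample: three level rows copied from the table above, port rows invented.
SAMPLE = """\
huawei(config-if-scu-0/7)#display traffic-suppress all
  Traffic suppression ID definition:
  ---------------------------------------------------------------------
  NO.  Min bandwidth(kbps)  Max bandwidth(kbps)  Package number(pps)
  ---------------------------------------------------------------------
  7    390                  9265                 763
  8    781                  18531                1526
  12   12499                296483               24414
  ---------------------------------------------------------------------
  ---------------------------------------------------------------------
  PortID  Broadcast_index  Multicast_index  Unicast_index
  ---------------------------------------------------------------------
  0       12               OFF              OFF
  1       7                7                OFF
  2       8                8                8
  ---------------------------------------------------------------------
"""


def parse_traffic_suppress(text):
    """Return (levels, ports) parsed from 'display traffic-suppress all' output.

    levels: level index -> {"min_kbps", "max_kbps", "pps"}
    ports:  port id -> {"broadcast": index or None, ...}; None means OFF.
    """
    levels, ports, section = {}, {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or set(line.strip()) == {"-"}:
            continue  # blank line or horizontal rule
        if tokens[0] == "NO.":
            section = "levels"
        elif tokens[0] == "PortID":
            section = "ports"
        elif section == "levels" and len(tokens) == 4 and all(t.isdigit() for t in tokens):
            number, low, high, pps = map(int, tokens)
            levels[number] = {"min_kbps": low, "max_kbps": high, "pps": pps}
        elif section == "ports" and len(tokens) == 4 and tokens[0].isdigit():
            ports[int(tokens[0])] = {
                kind: None if value.upper() == "OFF" else int(value)
                for kind, value in zip(KINDS, tokens[1:])
            }
    return levels, ports


def audit_ports(text, required=KINDS):
    """List (port, kind, reason) for every required traffic type left unprotected."""
    levels, ports = parse_traffic_suppress(text)
    findings = []
    for port in sorted(ports):
        for kind in required:
            index = ports[port][kind]
            if index is None:
                findings.append((port, kind, "OFF"))
            elif index not in levels:
                findings.append((port, kind, f"unknown index {index}"))
    return findings


def pps_limits(text):
    """Map (port, kind) -> packets per second for every enabled, known index."""
    levels, ports = parse_traffic_suppress(text)
    return {
        (port, kind): levels[index]["pps"]
        for port, row in ports.items()
        for kind, index in row.items()
        if index is not None and index in levels
    }


if __name__ == "__main__":
    for port, kind, reason in audit_ports(SAMPLE):
        print(f"port {port}: {kind} suppression {reason}")
```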

2.11.2 Configuring Early Drop


This topic describes how to configure early drop, which is applicable to the dropping policy
settings for the packets in the queue.

Background Information
Early drop means that the system drops the packets that wait to enter the queue when congestion
occurs. This process occurs after traffic management. The MA5600T supports early drop based
on the following criteria:
- Color
  The system drops the yellow packets when congestion occurs.
- Priority
  The system supports the global configuration of the early drop threshold for each CoS
  priority, thus differentiating the services with different priorities in the same queue.

Configuring Priority-based Early Drop


The MA5600T can differentiate the services with different priorities in the same queue. The
packet priority serves as a criterion for dropping packets.

Procedure
- Configure the early drop mode.
  In the global config mode, run the early-drop mode pri-base command to configure the
  priority-based early drop. After the configuration is completed, the system performs early
  drop according to the outer 802.1p priorities of the packets. When congestion occurs in a
  queue, the packets are dropped according to the early drop thresholds of the priorities.
- (Optional) Configure the early drop threshold.
  1. Configure the early drop threshold.
     Run the early-drop command to configure the mapping between service priorities
     and drop thresholds. After configuration is successful, if the packets of the specified
     service priority reach the threshold of the queue (the percentage of the queue depth),
     subsequent packets of the same service priority will be dropped instead of entering
     the queue.
  2. Query the configured early drop threshold.
     You can run the display early-drop command to query the configured early drop
     threshold.

----End

Example
To set the early drop threshold of the packet with CoS value 0 to 40, CoS value 2 to 60, and CoS
values 3 and 4 to 80, do as follows:
huawei(config)#early-drop mode pri-base
huawei(config)#early-drop cos0 40 cos2 60 cos3 80 cos6 80
{<cr>|cos1<k>|cos4<k>|cos5<k>|cos7<k>}:
  Command:
          early-drop cos0 40 cos2 60 cos3 80 cos6 80
huawei(config)#display early-drop
  ------------------------
  Priority  Threshold
  ------------------------
  0         40
  1         100
  2         60
  3         80
  4         100
  5         100
  6         80
  7         100
  ------------------------

The following figure shows the implementation of the early drop as configured.

Configuring Color-based Early Drop


According to the parameters in the IP traffic profile, the MA5600T can implement early drop
based on the color of packets. When congestion occurs, the yellow packets are dropped.

Procedure
- Configure the early drop mode.
  In the global config mode, run the early-drop mode color-base command to configure the
  color-based early drop.
  According to the CIR and PIR parameters in the IP traffic profile, the system marks packets
  with colors. The packets within the CIR bandwidth are marked as green, and the packets
  between the CIR and PIR bandwidth are marked as yellow.
  After the configuration is completed, green packets are allowed to pass, yellow packets that
  do not exceed the bandwidth can also pass, and yellow packets that exceed the bandwidth
  are dropped.

----End

2.11.3 Configuring the Queue Scheduling


A queue is a unit based on which packets are scheduled in a physical port. After the queue
scheduling is configured, the packets of the priority service can be processed in time when
network congestion occurs.

Configuring the Queue Scheduling Mode


This topic describes how to configure the queue scheduling mode for ensuring that packets in
the queue with a higher priority can be processed in time in case of congestion.

Background Information
The MA5600T supports three queue scheduling modes: priority queuing (PQ), weighted round
robin (WRR), and PQ+WRR.
- PQ
  The PQ gives preference to packets in a queue with a higher priority. When a queue with
  a higher priority is empty, the packets in a queue with a lower priority can be transmitted.
  By default, the PQ mode is used.
- WRR
  The system supports WRR for eight queues. Each queue has a weight value (w7, w6, w5,
  w4, w3, w2, w1, and w0 in descending order) for resource acquisition. In the WRR mode,
  queues are scheduled in turn to ensure that each queue can be scheduled.
  Table 2-16 lists the mapping between the configured weight and the actual weight of
  queues.
Table 2-16 Mapping between the configured weight and the actual weight of queues

Queue No. | Configured Weight | Actual Weight (for Port Supporting Eight Queues) | Actual Weight (for Port Supporting Four Queues)
7 | W7 | W7 | -
6 | W6 | W6 | -
5 | W5 | W5 | -
4 | W4 | W4 | -
3 | W3 | W3 | W7+W6
2 | W2 | W2 | W5+W4
1 | W1 | W1 | W3+W2
0 | W0 | W0 | W1+W0

Wn: Indicates the weight of queue n. The weight sum of all queues must be 0 or 100
(excluding the queue with weight 255). Here, 0 indicates that the PQ mode is used and 255
indicates that the queue is not used.
• PQ+WRR
The system supports PQ for some queues and WRR for the other queues. When the
specified WRR value is 0, the queue is scheduled by PQ.
The queue scheduled by PQ should be a queue that has a higher priority.
The weight sum of queues scheduled by WRR must be equal to 100.

Procedure
Step 1 Run the queue-scheduler command to configure the queue scheduling mode.
Step 2 Run the display queue-scheduler command to query the configuration of the queue scheduling
mode.
----End

Example
To configure WRR scheduling, with the weight values of the eight queues as 10, 10, 20, 20, 10,
10, 10, and 10 respectively, do as follows:
huawei(config)#queue-scheduler wrr 10 10 20 20 10 10 10 10
huawei(config)#display queue-scheduler
  Queue scheduler mode : WRR
  ---------------------------------
  Queue  Scheduler Mode  WRR Weight
  ---------------------------------
  0      WRR             10
  1      WRR             10
  2      WRR             20
  3      WRR             20
  4      WRR             10
  5      WRR             10
  6      WRR             10
  7      WRR             10
  ---------------------------------

To configure PQ+WRR scheduling, with the weight values of the six queues as 20, 20, 10, 30,
10, and 10 respectively, do as follows:
huawei(config)#queue-scheduler wrr 20 20 10 30 10 10 0 0
huawei(config)#display queue-scheduler
  Queue scheduler mode : WRR
  ---------------------------------
  Queue  Scheduler Mode  WRR Weight
  ---------------------------------
  0      WRR             20
  1      WRR             20
  2      WRR             10
  3      WRR             30
  4      WRR             10
  5      WRR             10
  6      PQ              -
  7      PQ              -
  ---------------------------------
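
A pre-check for the eight arguments of queue-scheduler wrr, applying the weight rules and the four-queue merge of Table 2-16. This is an added Python example, not Huawei code; the function name and the returned dictionary are hypothetical, and it assumes that a higher queue number means a higher priority and that an unused queue (255) adds nothing to a merged four-queue weight.

```python
UNUSED = 255    # weight 255: the queue is not used
PQ_WEIGHT = 0   # weight 0: the queue is scheduled by PQ


def check_queue_scheduler(weights):
    """Validate eight weights given in command order (queue 0 first).

    Returns the resulting scheduling mode, the PQ queues, the actual
    weights on a port supporting four queues, and any warnings.
    Raises ValueError when the command would break a rule from the text.
    """
    if len(weights) != 8:
        raise ValueError("expected eight weights, for queues 0 to 7")
    for queue, weight in enumerate(weights):
        if weight != UNUSED and not 0 <= weight <= 100:
            raise ValueError(f"queue {queue}: weight {weight} must be 0-100 or 255")

    # Queues with a non-zero weight are scheduled by WRR, queues with 0 by PQ.
    wrr = {q: w for q, w in enumerate(weights) if w not in (PQ_WEIGHT, UNUSED)}
    pq = [q for q, w in enumerate(weights) if w == PQ_WEIGHT]

    # The weight sum of all used queues must be 0 (pure PQ) or 100.
    total = sum(wrr.values())
    if total not in (0, 100):
        raise ValueError(f"weights add up to {total}; the sum must be 0 or 100")

    if not wrr:
        mode = "PQ"
    elif not pq:
        mode = "WRR"
    else:
        mode = "PQ+WRR"

    # In PQ+WRR mode a PQ queue should have a higher priority than the WRR
    # queues (assumption: higher queue number = higher priority).
    warnings = []
    if mode == "PQ+WRR":
        misplaced = [q for q in pq if q < max(wrr)]
        if misplaced:
            warnings.append(f"PQ queues {misplaced} rank below WRR queue {max(wrr)}")

    # Table 2-16: on a four-queue port, queue i gets W(2i+1) + W(2i).
    four_queue = [sum(w for w in weights[i:i + 2] if w != UNUSED)
                  for i in range(0, 8, 2)]

    return {"mode": mode, "pq_queues": pq,
            "four_queue_weights": four_queue, "warnings": warnings}


if __name__ == "__main__":
    # The two command lines from the example above.
    for args in ([10, 10, 20, 20, 10, 10, 10, 10], [20, 20, 10, 30, 10, 10, 0, 0]):
        print(args, "->", check_queue_scheduler(args))
```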

Configuring the Mapping Between the Queue and the 802.1p Priority
This topic describes how to configure the mapping between the queue and the 802.1p priority
so that packets with different 802.1p priorities are mapped to the specified queues based on the
configured mapping. This enhances the flexibility of mapping packets to queues.

Background Information
• The configuration is valid for all the service boards in the system.
• By default, the mapping between the queue and the 802.1p priority is as listed in Table
2-17.
Table 2-17 Mapping between the queue and the 802.1p priority

Queue Number | Actual Queue Number (Port Supporting Eight Queues) | Actual Queue Number (Port Supporting Four Queues) | 802.1p Priority

Procedure
Step 1 Run the cos-queue-map command to configure the mapping between the 802.1p priority and
the queue.
Step 2 Run the display cos-queue-map command to query the mapping between the 802.1p priority
and the queue.
----End

Example
To map 802.1p priority 0 to queue 0, 802.1p priority 1 to queue 2, and the other 802.1p priorities
to queue 6, do as follows:
huawei(config)#cos-queue-map cos0 0 cos1 2 cos2 6 cos3 6 cos4 6 cos5 6 cos6 6 cos7 6
huawei(config)#display cos-queue-map
  CoS and queue map:
  ------------------------
  CoS    Queue ID
  ------------------------
  0      0
  1      2
  2      6
  3      6
  4      6
  5      6
  6      6
  7      6
  ------------------------

Configuring the Queue Depth


This topic describes how to configure the queue depth (the queue buffer space) to re-allocate
buffer space to the queues and thus improve the flexibility of QoS.

Background Information
The queue depth determines the capability of a queue for processing burst packets. The greater
the queue depth, the larger the buffer space, and the more capable the queue is of processing
burst packets.
The queue depth of the port is allocated on a percentage basis. Table 2-18 lists the default queue
depths of the system.
Table 2-18 Queue depth allocation

Queue Number | Queue Depth (Port Supporting Eight Queues) | Actual Queue Number (Port Supporting Four Queues)
7 | L7 (default: 6) | -
6 | L6 (default: 25) | -
5 | L5 (default: 12) | -
4 | L4 (default: 12) | -
3 | L3 (default: 13) | L7+L6 (default: 31)
2 | L2 (default: 13) | L5+L4 (default: 24)
1 | L1 (default: 6) | L3+L2 (default: 26)
0 | L0 (default: 13) | L1+L0 (default: 18)

Ln: Indicates the depth of queue n. The sum of all the queue depths must be equal to 100.

Procedure
Step 1 Run the queue-buffer command to configure the queue depth of the service board.
Step 2 Run the display queue-buffer command to query the queue depth of the current service board.
----End

Example
To set the queue depths to 20, 20, 10, 10, 10, 10, 10, and 10, do as follows:
huawei(config)#queue-buffer 20 20 10 10 10 10 10 10
huawei(config)#display queue-buffer
  ------------------------
  Queue  Depth size ratio
  ------------------------
  0      20
  1      20
  2      10
  3      10
  4      10
  5      10
  6      10
  7      10
  ------------------------

2.11.4 Configuring Traffic Management Based on ACL Rules


The ACL can be used to implement flexible traffic classification according to user requirements.
After traffic classification based on ACL rules is completed, you can perform QoS for the traffic
streams.

Controlling the Traffic Matching an ACL Rule


This topic describes how to control the traffic matching an ACL rule on a specified port, and
process the traffic that exceeds the limit, such as adding the DSCP tag or dropping the packet
directly.

Prerequisite
The ACL and the rule of the ACL are configured, and the port for traffic limit is working in the
normal state.

Background Information
• The traffic statistics are only effective for the permit rules of an ACL.
• The limited traffic must be an integer multiple of 64 kbit/s.

Procedure
Step 1 Run the traffic-limit command to control the traffic matching an ACL rule on a specified port.
Run this command to set the action to be taken when the traffic received on the port exceeds the
limited value. Two options are available:
• drop: Drop the traffic that exceeds the limited value.
• remark-dscp value: Set the DSCP priority for the traffic that exceeds the limited value.
Step 2 Run the display qos-info traffic-limit port command to query the traffic limit information on
the specified port.
----End

Example
To limit the traffic that matches ACL 2001 received on port 0/4/0 to 512 kbit/s, and add the
DSCP priority tag (af1) to packets that exceed the limit, do as follows:
huawei(config)#traffic-limit inbound ip-group 2001 512 exceed remark-dscp af1 port 0/4/0
//"af1" represents a DSCP type: Assured Forwarding 1 service (10).
huawei(config)#display qos-info traffic-limit port 0/4/0
traffic-limit:
port 0/4/0:
  Inbound:
    Matches: Acl 2001 rule 5  running
      Target rate: 512 Kbps
      Exceed action: remark-dscp af1

Adding a Priority Tag to the Traffic Matching an ACL Rule


This topic describes how to add a priority tag to the traffic matching an ACL rule on a specified
port so that the traffic can obtain the service that matches the specified priority. The priority tag
type can be ToS, DSCP, or 802.1p.

Prerequisite
The ACL and the rule of the ACL are configured, and the port for traffic limit is working in the
normal state.

Background Information
• The traffic statistics are valid only for permit rules of an ACL.
• The ToS and the DSCP priorities are mutually exclusive. Therefore, they cannot be
configured at the same time.

Procedure
Step 1 Run the traffic-priority command to add a priority tag to the traffic matching an ACL rule on
a specified port.
Step 2 Run the display qos-info traffic-priority port command to query the configured priority.
----End

Example
To add a priority tag to the traffic that matches ACL 2001 received on port 0/4/1, with the DSCP
priority set to 10 (af1) and the local priority set to 0, do as follows:
huawei(config)#traffic-priority inbound ip-group 2001 dscp af1 local-precedence 0 port 0/4/1
huawei(config)#display qos-info traffic-priority port 0/4/1
traffic-priority:
port 0/4/1:
  Inbound:
    Matches: Acl 2001 rule 5  running
      Priority action: dscp af1 local-precedence 0

Enabling the Statistics Collection of the Traffic Matching an ACL Rule


This topic describes how to enable the statistics collection of the traffic matching an ACL rule
so that the traffic can be analyzed and monitored.

Prerequisite
The ACL and the rule of the ACL are configured, and the port for traffic statistics is working in
the normal state.

Background Information
The traffic statistics are valid only for permit rules of an ACL.

Procedure
Step 1 Run the traffic-statistic command to enable the statistics collection of the traffic matching an
ACL rule on a specified port.
Step 2 Run the display qos-info traffic-mirror port command to query the statistics information about
the traffic matching an ACL rule on a specified port.
----End

Example
To enable the statistics collection of the traffic that matches ACL 2001 received on port
0/17/0, do as follows:
huawei(config)#traffic-statistic inbound ip-group 2001 port 0/17/0
huawei(config)#display qos-info traffic-statistic port 0/17/0
traffic-statistic:
port 0/17/0:
  Inbound:
    Matches: Acl 2001 rule 5  running
      0 packet

Enabling the Mirroring of the Traffic Matching an ACL Rule


This topic describes how to mirror the traffic matching an ACL rule on a port to a specified port.
Mirroring does not affect packet receipt and transmission on the mirroring source port. You can
monitor the traffic of the mirroring source port by analyzing the traffic that passes the mirroring
destination port.

Prerequisite
The ACL and the rule of the ACL are configured, and the port for traffic mirroring is working
in the normal state.

Background Information
• The traffic statistics are valid only for permit rules of an ACL.
• The destination mirroring port cannot be an aggregation port.
• The system supports only one mirroring destination port and the mirroring destination port
must be the upstream port.

Procedure
Step 1 Run the traffic-mirror command to enable the mirroring of the traffic matching an ACL rule
on a specified port.
Step 2 Run the display qos-info traffic-mirror port command to query the mirroring information
about the traffic matching an ACL rule on a specified port.
----End

Example
To mirror the traffic that matches ACL 2001 received on port 0/4/1 to port 0/17/0, do as follows:
huawei(config)#traffic-mirror inbound ip-group 2001 port 0/4/1 to port 0/17/0
huawei(config)#display qos-info traffic-mirror port 0/4/1
traffic-mirror:
port 0/4/1:
  Inbound:
    Matches: Acl 2001 rule 5  running
      Mirror to: port 0/17/0

Enabling the Redirection of the Traffic Matching an ACL Rule


This topic describes how to redirect the traffic matching an ACL rule on a specified port. After
this operation is executed successfully, the original port does not forward the traffic matching
the ACL rule, but the specified port forwards the traffic.

Prerequisites
The ACL and the rule of the ACL are configured, and the port for redirection is working in the
normal state.

Context
• The traffic statistics are valid only for permit rules of an ACL.
• Currently, the service ports support only redirection of the traffic matching the ACL rule
to upstream ports. The upstream ports support only redirection of the traffic matching the
ACL rule to ports on the board of the same type.

Procedure
Step 1 Run the traffic-redirect command to redirect the traffic matching an ACL rule on a specified
port.
Step 2 Run the display qos-info traffic-redirect port command to query the redirection information
about the traffic matching an ACL rule on a specified port.
----End

Example
To redirect the traffic that matches ACL 2001 received on port 0/17/0 to port 0/17/1, do as
follows:
huawei(config)#traffic-redirect inbound ip-group 2001 port 0/17/0 to port 0/17/1
huawei(config)#display qos-info traffic-redirect port 0/17/0
traffic-redirect:
port 0/17/0:
  Inbound:
    Matches: Acl 2001 rule 5  running
      Redirected to: port 0/17/1

2.12 Configuring AAA


This topic describes how to configure the AAA on the MA5600T, including configuring the
MA5600T as the local and remote AAA servers.

Background Information
AAA refers to authentication, authorization, and accounting. When a user accesses network
resources, AAA grants certain rights to the user if the user passes authentication, and records
the original data about the user accessing network resources.
• Authentication: Checks whether a user is allowed to access network resources.
• Authorization: Determines what network resources a user can access.
• Accounting: Records the original data about the user accessing network resources.

Application Context
AAA is generally applied to the users that access the Internet in the PPPoA, PPPoE, 802.1x,
VLAN, WLAN, ISDN, or Admin Telnet (associating the user name and the password with the
domain name) mode.

NOTE

In the existing network, 802.1x and Admin Telnet correspond to the local AAA, that is, the MA5600T
functions as a local AAA server; PPPoE corresponds to the remote AAA, that is, the MA5600T functions
as the client of a remote AAA server.

Figure 2-7 shows an example network of the AAA application.


Figure 2-7 Example network of the AAA application

The preceding figure shows that the AAA function can be implemented on the MA5600T in the
following three ways:
• The MA5600T functions as a local AAA server. In this case, the local AAA needs to be
configured. The local AAA does not support accounting.
• The MA5600T functions as the client of a remote AAA server, and is connected to the
HWTACACS server through the HWTACACS protocol, thus implementing the AAA.
• The MA5600T functions as the client of a remote AAA server, and is connected to the
RADIUS server through the RADIUS protocol, thus implementing the AAA. The RADIUS
protocol, however, does not support authorization.

Table 2-19 lists the differences between HWTACACS and RADIUS.


Table 2-19 Differences between HWTACACS and RADIUS

HWTACACS | RADIUS
Uses TCP to realize more reliable network transmission. | Uses UDP for transmission.
Encrypts the body of HWTACACS packets, except their header. | Encrypts only the password field of the authenticated packets.
Separated authorization and authentication. | Concurrent processing of authentication and authorization.
Applicable to security control. | Applicable to accounting.
Supports authorization of the configuration commands on the router. | Does not support the authorization of the configuration commands on the router.

2.12.1 Configuring the Local AAA


This topic describes how to configure the local AAA so that the user authentication can be
performed locally.

Background Information
• The local AAA configuration is simple and does not depend on an external server.
• The local AAA supports only authentication.

Procedure
Step 1 Configure the AAA authentication scheme.
NOTE
• The authentication scheme specifies how all the users in an Internet service provider (ISP) domain are
authenticated. The system supports up to 16 authentication schemes.
• The system has a default authentication scheme named default. It can be modified, but cannot be deleted.

1. Run the aaa command to enter the AAA mode.
2. Run the authentication-scheme command to add an authentication scheme.
3. Run the authentication-mode local command to configure the authentication mode of the
authentication scheme.
4. Run the quit command to return to the AAA mode.

Step 2 Create a domain.
NOTE
• A domain is a group of users of the same type.
• In the user name format userid@domain-name (for example, [email protected]), "userid"
indicates the user name for authentication and "domain-name" followed by "@" indicates the domain name.
• The domain name for user login cannot exceed 15 characters, and the other domain names cannot exceed
20 characters.

1. In the AAA mode, run the domain command to create a domain.

Step 3 Reference the authentication scheme.
NOTE
You can reference an authentication scheme in a domain only after the authentication scheme is created.

1. In the domain mode, run the authentication-scheme command to reference the
authentication scheme.
2. Run the quit command to return to the AAA mode.

Step 4 Configure a local user.


In the AAA mode, run the local-user password command to create a local AAA user.
----End

Example
To have user1 in the isp domain authenticated by the local server, with the authentication
scheme newscheme and the password a123456, do as follows:

huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
Info: Create a new authentication scheme
huawei(config-aaa-authen-newscheme)#authentication-mode local
huawei(config-aaa-authen-newscheme)#quit
huawei(config-aaa)#domain isp
Info: Create a new domain
huawei(config-aaa-domain-isp)#authentication-scheme newscheme
huawei(config-aaa-domain-isp)#quit
huawei(config-aaa)#local-user user1 password a123456

2.12.2 Configuring the Remote AAA (RADIUS Protocol)


The MA5600T is interconnected with the RADIUS server through the RADIUS protocol to
implement authentication and accounting.

Background Information
• What is RADIUS:
  - RADIUS is short for the remote authentication dial-in user service. It is a distributed
    information interaction protocol with the client-server structure. Generally, it is used to
    manage a large number of distributed dial-in users.
  - RADIUS implements the user accounting by managing a simple user database.
  - The authentication and accounting requests of users can be passed on to the RADIUS
    server through a network access server (NAS).
• Principle of RADIUS:
  - When a user tries to access another network (or some network resources) by setting up
    a connection to the NAS through a network, the NAS forwards the user authentication
    and accounting information to the RADIUS server. The RADIUS protocol specifies the
    means of transmitting the user information and accounting information between the
    NAS and the RADIUS server.
  - The RADIUS server receives the connection requests of users sent from the NAS,
    authenticates the user account and password contained in the user data, and returns the
    required data to the NAS.
• Specification:
  - For the MA5600T, the RADIUS is configured based on each RADIUS server group.
  - In actual networking, a RADIUS server group can be any of the following:
    - An independent RADIUS server
    - A pair of primary/secondary RADIUS servers with the same configuration but
      different IP addresses
  - The following lists the attributes of a RADIUS server template:
    - IP addresses of primary and secondary servers
    - Shared key
    - RADIUS server type
• The configuration of the RADIUS protocol defines only the essential parameters for the
information exchange between the MA5600T and the RADIUS server. To make the
essential parameters take effect, the RADIUS server group should be referenced in a certain
domain.
• The RADIUS attribute list defines the attribute parameters for interaction between the
MA5600T and the RADIUS server. Table 2-20 describes the parameters.

Table 2-20 RADIUS attribute list

Parameter Code | Parameter Name | Description
1 | User-Name | Indicates the user name for authentication.
2 | Password | Indicates the user password for authentication. This parameter is valid only for PAP authentication.
3 | Challenge-Password | Indicates the user password for authentication. This parameter is valid only for CHAP authentication.
4 | NAS-IP-Address | Indicates the IP address of the access device. If the RADIUS server group is bound to an interface address, use the bound interface address; otherwise, use the address of the interface where packets are sent.
5 | NAS-Port | Indicates the user access port. The format of this parameter is four-digit slot ID + two-digit card number + five-digit port number + 21-digit VLAN ID.
6 | Service-Type | Indicates the user service type. The value of this parameter is 2 (frame) for access users and is 6 for telnet management users. Currently, the MA5600T supports only 802.1x access users but not PPP, L2TP, or DHCP access users for RADIUS authentication.
7 | Framed-Protocol | The value of this parameter is fixed to 1 (PPP) because ITU-T RFC 2856 does not define 802.1x for this parameter.
14 | Login-IP-Host | Indicates the host IP address of a login user.
15 | Login-Service | Indicates the login service type. The valid types are Telnet, Rlogin, TCP Clear, PortMaster (proprietary), and LAT.
24 | State | If the access challenge packet that the RADIUS server sends to a device contains this parameter, the subsequent access request packet sent by the device to the RADIUS server must also contain this parameter with the same value as that contained in the access challenge packet.
25 | Class | If the access accept packet sent by the RADIUS server to a device contains this parameter, the subsequent charging request packet sent by the device to the RADIUS server must also contain this parameter with the same value. For a standard RADIUS server, a device can use the Class attribute to represent the CAR parameter.
27 | Session-Timeout | Indicates the available remaining time in the unit of second. It is the user re-authentication time in the EAP challenge packet.
29 | Termination-Action | Indicates the service termination mode. The valid modes are re-authentication and forcing users to go offline.
31 | Calling-Station-Id | Allows the NAS to send the calling number.
32 | NAS-Identifier | Indicates the host name of the device.
40 | Acct-Status-Type | Indicates the charging packet type. 1: charging start packet; 2: charging stop packet; 3: real-time charging packet.
41 | Acct-Delay-Time | Indicates the time for generating a charging packet in the unit of second.
42 | Acct-Input-Octets | Indicates the number of upstream bytes in the unit of byte, kbyte, Mbyte, or Gbyte. The specific unit can be configured using commands.
43 | Acct-Output-Octets | Indicates the number of downstream bytes in the unit of byte, kbyte, Mbyte, or Gbyte. The specific unit can be configured using commands.
44 | Acct-Session-Id | Indicates the charging connection number. The connection numbers for the charging start packet, real-time charging packet, and charging stop packet of the same connection must be the same.
45 | Acct-Authentic | Indicates the user authentication mode. 1: RADIUS authentication; 2: local authentication.
46 | Acct-Session-Time | Indicates the time for a user to go online in the unit of second.
47 | Acct-Input-Packets | Indicates the number of upstream packets.
48 | Acct-Output-Packets | Indicates the number of downstream packets.
49 | Terminate-Cause | Indicates the user connection interruption cause. The valid values are as follows: User-Request(1): The user actively goes offline. Lost Carrier(2): The handshake fails, such as the EAPOL detection fails. User Error(17): The user authentication fails or times out.
52 | Acct-Input-Gigawords | Indicates the number of upstream bytes in the unit of 4Gbyte, kbyte, Mbyte, or Gbyte. The specific unit can be configured using commands.
53 | Acct-Output-Gigawords | Indicates the number of downstream bytes in the unit of 4Gbyte, kbyte, Mbyte, or Gbyte. The specific unit can be configured using commands.
55 | Event-Timestamp | Indicates the user online time in the unit of second. The value is the absolute number of seconds counting from 1970-01-01 00:00:00.
60 | CHAP-Challenge | Indicates the challenge field for CHAP authentication. This parameter is valid only for CHAP authentication.
61 | NAS-Port-Type | Indicates the NAS port type.
79 | EAP-Message | Carries EAP packets.
80 | Message-Authenticator | Verifies validity of packets between the RADIUS server and RADIUS client to prevent malicious attacks.
85 | Acct-Interim-Interval | Indicates the interval for real-time charging in the unit of second.
87 | NAS-Port-Id | Indicates the user access port number. The format of this parameter uses the format when DHCP option 82 is in common raio mode.
88 | Framed-Pool | Indicates the name and address segment number of the address pool. After being delivered by the RADIUS server, this parameter is filled to suboption 7 in user DHCP packets by the MA5600T.
NOTE: The preceding parameters are RADIUS standard attributes. Starting from the next row, the following parameters are Huawei-defined attributes.
26-29 | Exec-Privilege | Indicates the priority of operation users such as Telnet users. The value ranges from 0 to 15. 0: common user; 1: operator; 2: administrator; 3-15: common user.
26-60 | Ip-Host-Address | Indicates the user IP address and MAC address that are contained in authentication and charging packets. The format is A.B.C.D HH:HH:HH:HH:HH:HH. The IP address and MAC address are separated by a space.
26-254 | Version | Indicates the software version of the access device.
26-255 | Product-ID | Indicates the product name.

NOTE
The super level user cannot be authenticated. You can query the user level by running the display
terminal user command.
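
How the Password (PAP) and Message-Authenticator rows of Table 2-20 depend on the shared key, as an added Python example (not Huawei code): the password hiding follows RFC 2865 and the Message-Authenticator HMAC-MD5 follows RFC 2869. The function names are hypothetical, and the user name, password, identifier, authenticator and key are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80  # codes as in Table 2-20


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, key, authenticator):
    """Hide a PAP password: XOR 16-byte blocks with MD5(key + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(key + prev).digest())
        hidden += prev
    return hidden


def unhide_password(hidden, key, authenticator):
    """Server side: reverse hide_password() with the same shared key."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(key + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def _attr(code, value):
    # Attribute layout: 1-byte code, 1-byte total length, value.
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(ident, user, password, key, authenticator):
    """Build an Access-Request with User-Name, Password and Message-Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("the request authenticator must be 16 bytes")
    attrs = (_attr(USER_NAME, user)
             + _attr(PASSWORD, hide_password(password, key, authenticator))
             + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + authenticator + attrs
    # HMAC-MD5 over the whole packet with the attribute value zeroed,
    # then written into the trailing 16 bytes.
    mac = hmac.new(key, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet):
    """Return (code, value_offset, value) for every attribute, with bounds checks."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field does not match the packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        code, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length for attribute {code}")
        attrs.append((code, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet, key):
    """Recompute the HMAC-MD5 with the local key; False if absent or wrong."""
    for code, offset, value in parse_attributes(packet):
        if code == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
            expected = hmac.new(key, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


if __name__ == "__main__":
    key = b"constructed-shared-key"        # constructed sample key
    request_auth = bytes(range(16))         # constructed, fixed for repeatability
    pkt = build_access_request(7, b"user1@isp", b"a123456", key, request_auth)
    for code, _, value in parse_attributes(pkt):
        print(code, value)                  # User-Name is readable, Password is not
    print("same key:", verify_message_authenticator(pkt, key))
    print("other key:", verify_message_authenticator(pkt, b"huawei"))
```

Only the Password attribute is hidden; User-Name and the other attributes are sent in clear, and both the hiding and the Message-Authenticator check rest entirely on the shared key configured with radius-server shared-key.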

Procedure
Step 1 Configure the authentication scheme.
NOTE
• The authentication scheme specifies how all the users in an ISP domain are authenticated.
• The system supports up to 16 authentication schemes. The system has a default accounting scheme
named default. It can only be modified, but cannot be deleted.

1. Run the aaa command to enter the AAA mode.
2. Run the authentication-scheme command to add an authentication scheme.
3. Run the authentication-mode radius command to configure the authentication mode of
the authentication scheme.
4. Run the quit command to return to the AAA mode.

Step 2 Configure the accounting scheme.
NOTE
• The accounting scheme specifies how all the users in an ISP domain are charged.
• The system supports up to 128 accounting schemes. The system has a default accounting scheme named
default. It can be modified, but cannot be deleted.

1. In the AAA mode, run the accounting-scheme command to add an AAA accounting
scheme.
2. Run the accounting-mode radius command to configure the accounting mode.
3. Run the accounting interim interval command to set the interval of real-time accounting.
By default, the interval is 0 minutes, that is, the real-time accounting is not performed.
4. Run the quit command to return to the AAA mode.

Step 3 Configure the RADIUS server template.
1. Run the radius-server template command to create a RADIUS server template and enter
the RADIUS server template mode.
2. Run the radius-server authentication command to configure the IP address and the UDP
port ID of the RADIUS server for authentication.
NOTE
• To guarantee normal communication between the MA5600T and the RADIUS server, before
configuring the IP address and UDP port of the RADIUS server, make sure that the route between the
RADIUS server and the MA5600T is in the normal state.
• Make sure that the configuration of the RADIUS service port of the MA5600T is consistent with the
port configuration of the RADIUS server.
3. Run the radius-server accounting command to configure the IP address and the UDP port
ID of the RADIUS server for accounting.
4. Run the radius-server shared-key command to configure the shared key of the RADIUS
server.
NOTE
• The RADIUS client (MA5600T) and the RADIUS server use the MD5 algorithm to encrypt the
RADIUS packets. They check the validity of the packets by setting the encryption key. They can
receive the packets from each other and can respond to each other only when their keys are the same.
• By default, the shared key of the RADIUS server is huawei.
5. (Optional) Run the radius-server timeout command to set the response timeout time of
the RADIUS server. By default, the timeout time is 5s.
The MA5600T sends the request packets to the RADIUS server. If the RADIUS server
does not respond within the response timeout time, the MA5600T re-transmits the request
packets to the RADIUS server to ensure that users can get corresponding services from the
RADIUS server.
6. (Optional) Run the radius-server retransmit command to set the maximum number of
times that the RADIUS request packets are re-transmitted. By default, the maximum is 3.
When the number of re-transmissions of the RADIUS request packets to a RADIUS server
exceeds the maximum, the MA5600T considers that its communication with the
RADIUS server is interrupted, and thus transmits the RADIUS request packets to another
RADIUS server.
7. Run the (undo)radius-server user-name domain-included command to configure the
user name (not) to carry the domain name when transmitted to the RADIUS server. By
default, the user name of the RADIUS server carries the domain name.
• An access user is named in the format of userid@domain-name, and the part after @
is the domain name. The MA5600T classifies a user into a domain according to the
domain name.
• If a RADIUS server group rejects the user name carrying the domain name, the
RADIUS server group cannot be set or used in two or more domains. Otherwise, when
some access users in different domains have the same user name, the RADIUS server
considers that these users are the same because the names transmitted to the server are
the same.
8. Run the quit command to return to the global config mode.

Step 4 Create a domain.


A domain is a group of users of the same type.
In the user name format userid@domain-name (for example, [email protected]),
"userid" indicates the user name for authentication and "domain-name" followed by "@"
indicates the domain name.
The domain name for user login cannot exceed 15 characters, and the other domain names cannot
exceed 20 characters.
1. Run the aaa command to enter the AAA mode.

2. In the AAA mode, run the domain command to create a domain.

Step 5 Use the authentication scheme.

You can use an authentication scheme in a domain only after the authentication scheme is
created.
In the domain mode, run the authentication-scheme command to use the authentication scheme.

Step 6 Use the accounting scheme.

You can use an accounting scheme in a domain only after the accounting scheme is created.
In the domain mode, run the accounting-scheme command to use the accounting scheme.

Step 7 Use the RADIUS server template.

NOTE

You can use a RADIUS server template in a domain only after the RADIUS server template is created.

1. In the domain mode, run the radius-server template command to use the RADIUS server
template.

2. Run the quit command to return to the AAA mode.

----End

Example
User1 in the isp domain adopts the HWTACACS protocol for authentication and accounting.
The accounting interval is 10 minutes, the authentication password is a123456, HWTACACS
server 10.10.66.66 functions as the primary authentication and accounting server, and
HWTACACS server 10.10.66.67 functions as the standby authentication and accounting server.
On the HWTACACS server, the authentication port ID is 1812, accounting port ID 1813, and
other parameters adopt the default values. To perform the preceding configuration, do as follows:
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
huawei(config-aaa-authen-newscheme)#authentication-mode radius
huawei(config-aaa-authen-newscheme)#quit
huawei(config-aaa)#accounting-scheme newscheme
huawei(config-aaa-accounting-newscheme)#accounting-mode radius
huawei(config-aaa-accounting-newscheme)#accounting interim interval 10
huawei(config-aaa-accounting-newscheme)#quit
huawei(config-aaa)#quit
huawei(config)#radius-server template hwtest
huawei(config-radius-hwtest)#radius-server authentication 10.10.66.66 1812
huawei(config-radius-hwtest)#radius-server authentication 10.10.66.67 1812 secondary
huawei(config-radius-hwtest)#radius-server accounting 10.10.66.66 1813
huawei(config-radius-hwtest)#radius-server accounting 10.10.66.67 1813 secondary
huawei(config-radius-hwtest)#quit
huawei(config)#aaa
huawei(config-aaa)#domain isp
huawei(config-aaa-domain-isp)#authentication-scheme newscheme
huawei(config-aaa-domain-isp)#accounting-scheme newscheme
huawei(config-aaa-domain-isp)#radius-server hwtest
huawei(config-aaa-domain-isp)#quit
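
The shared-key note in Step 3 can be made concrete with the two MD5 constructions that standard RADIUS (RFC 2865) defines: User-Password hiding and the Response Authenticator. This is an added example, not taken from the guide; it assumes the MA5600T follows RFC 2865, and the keys, request authenticator and reply attribute are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-octet block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # Pad with NULs to a multiple of 16 octets (at least one block).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the pads only cancel out if the server holds the same key."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server reply: authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side (the NAS): accept a reply only if its authenticator matches."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> dict:
    request_auth = bytes(range(16))        # constructed; a real client sends 16 random octets
    nas_key = b"example-key-on-nas"        # constructed placeholder keys
    server_key_same = b"example-key-on-nas"
    server_key_other = b"example-key-mistyped"
    password = b"a123456"                  # sample password from the guide's example
    hidden = hide_password(password, nas_key, request_auth)
    attrs = bytes([18, 9]) + b"welcome"    # Reply-Message (type 18), carried in clear text
    return {
        "same_key_password": reveal_password(hidden, server_key_same, request_auth),
        "other_key_password": reveal_password(hidden, server_key_other, request_auth),
        "same_key_reply_ok": verify_response(
            build_response(ACCESS_ACCEPT, 1, attrs, request_auth, server_key_same),
            request_auth, nas_key),
        "other_key_reply_ok": verify_response(
            build_response(ACCESS_ACCEPT, 1, attrs, request_auth, server_key_other),
            request_auth, nas_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the User-Password attribute is hidden by the key; the other attributes are carried in clear text and are protected only by the authenticator check.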

2.12.3 Configuration Example of the RADIUS Authentication and Accounting
The MA5600T is interconnected with the RADIUS server through the RADIUS protocol to
implement authentication and accounting.

Service Requirements
- The RADIUS server performs authentication and accounting for users in the ISP1 and ISP2
domains.
- The RADIUS server with the IP address 10.10.66.66 functions as the primary server for
authentication and accounting.
- The RADIUS server with the IP address 10.10.66.67 functions as the secondary server for
authentication and accounting.
- The authentication port number is 1812, and the accounting port number is 1813.
- Other parameters adopt the default settings.

Networking
Figure 2-8 shows an example network of the RADIUS Authentication and Accounting
application.
Figure 2-8 Example network of the RADIUS Authentication and Accounting application.

Procedure
Step 1 Configure the authentication scheme.
Configure an authentication scheme named newscheme (users are authenticated through
RADIUS).
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
Info: Create a new authentication scheme
huawei(config-aaa-authen-newscheme)#authentication-mode radius
huawei(config-aaa-authen-newscheme)#quit

Step 2 Configure the accounting scheme.


Configure an accounting scheme named newscheme (users are authenticated through RADIUS).
The interval is 10 minutes.
huawei(config-aaa)#accounting-scheme newscheme
Info: Create a new accounting scheme
huawei(config-aaa-accounting-newscheme)#accounting-mode radius
huawei(config-aaa-accounting-newscheme)#accounting interim interval 10
huawei(config-aaa-accounting-newscheme)#quit
huawei(config-aaa)#quit

Step 3 Configure the RADIUS protocol.


Create RADIUS server template named hwtest with the RADIUS server 10.10.66.66 as the
primary authentication and accounting server, and the RADIUS server 10.10.66.67 as the
secondary authentication and accounting server.
huawei(config)#radius-server template hwtacacs
Note: Create a new server template
huawei(config-radius-hwtacacs)#radius-server authentication 10.10.66.66 1812
huawei(config-radius-hwtacacs)#radius-server authentication 10.10.66.67 1812 secondary
huawei(config-radius-hwtacacs)#radius-server accounting 10.10.66.66 1813
huawei(config-radius-hwtacacs)#radius-server accounting 10.10.66.67 1813 secondary
huawei(config-radius-hwtacacs)#quit

Step 4 Create a domain.


Create a domain named isp1.
huawei(config)#aaa
huawei(config-aaa)#domain isp1
Info: Create a new domain

Step 5 Use the authentication scheme.


You can use an authentication scheme in a domain only after the authentication scheme is
created.
huawei(config-aaa-domain-isp1)#authentication-scheme newscheme

Step 6 Use the accounting scheme.


You can use an accounting scheme in a domain only after the accounting scheme is created.
huawei(config-aaa-domain-isp1)#accounting-scheme newscheme

Step 7 Use the RADIUS server template.


You can use a RADIUS server template in a domain only after the RADIUS server template is
created.
huawei(config-aaa-domain-isp1)#radius-server hwtacacs
huawei(config-aaa-domain-isp1)#quit

----End

Result
User 1 in ISP 1 can pass authentication only if both the user name and password are correct, and
then can log in to the MA5600T. Then, the user starts to be accounted.

Configuration File
aaa
authentication-scheme newscheme
authentication-mode radius
quit
accounting-scheme newscheme
accounting-mode radius
accounting interim interval 10
quit
quit
radius-server template hwtacacs
radius-server authentication 10.10.66.66 1812
radius-server authentication 10.10.66.67 1812 secondary
radius-server accounting 10.10.66.66 1813
radius-server accounting 10.10.66.67 1813 secondary
quit
aaa
domain isp1
authentication-scheme newscheme
accounting-scheme newscheme
radius-server hwtacacs
quit

2.12.4 Configuring the Remote AAA (HWTACACS Protocol)


The MA5600T is interconnected with the HWTACACS server through the HWTACACS
protocol to implement authentication, authorization, and accounting.

Background Information
- What is HWTACACS:
HWTACACS is a security protocol with enhanced functions on the basis of TACACS
(RFC1492). Similar to the RADIUS protocol, HWTACACS implements multiple
subscriber AAA functions through communications with the HWTACACS server in
the client/server (C/S) mode.
HWTACACS is used for the authentication, authorization, and accounting for the 802.1X
access users and management users.

- Principle of HWTACACS:
Adopting the client/server architecture, HWTACACS is a protocol through which the NAS
(MA5600T) transmits the encrypted HWTACACS data packets to communicate with the
HWTACACS database of the security server. The working mode is as follows:
  - HWTACACS authentication. When the remote user connects to the corresponding port
  of the NAS, the NAS communicates with the daemon of the HWTACACS server, and
  obtains the prompt of entering the user name from the daemon. Then, the NAS displays
  the message to the user. When the remote user enters the user name, the NAS transmits
  the user name to the daemon. Then, the NAS obtains the prompt of entering the
  password, and displays the message to the user. After the remote user enters the
  password, the NAS transmits the password to the daemon.
  - HWTACACS authorization. After being authenticated, the user can be authorized. The
  NAS communicates with the daemon of the HWTACACS server, and then returns the
  accept or reject response of the authorization.

NOTE

- The HWTACACS configuration only defines the parameters used for data exchange between the
MA5600T and the HWTACACS server. To make these parameters take effect, you need to use the
HWTACACS server group in a domain.
- The settings of an HWTACACS server template can be modified regardless of whether the template
is bound to a server or not.

Procedure
Step 1 Configure the AAA authentication scheme.
The authentication scheme specifies how all the users in an ISP domain are authenticated.
The system supports up to 16 authentication schemes. The system has a default authentication
scheme named default. It can be modified, but cannot be deleted.
1. Run the aaa command to enter the AAA mode.

2. Run the authentication-scheme command to add an authentication scheme.

3. Run the authentication-mode local command to configure the authentication mode of the
authentication scheme. Use the HWTACACS protocol to authenticate users.

4. Run the quit command to return to the AAA mode.

Step 2 Configure the AAA authorization scheme.

The authorization scheme specifies how all the users in an ISP domain are authorized.

1. In the AAA mode, run the authorization-scheme command to add an AAA authorization
scheme.

2. Run the authorization-mode hwtacacs command to configure the authorization mode.

3. Run the quit command to return to the AAA mode.

4. Run the quit command to return to the global config mode.

Step 3 Configure the AAA accounting scheme.

The accounting scheme specifies how all the users in an ISP domain are charged.
The system supports up to 128 accounting schemes. The system has a default accounting scheme
named default. It can be modified, but cannot be deleted.

1. In the AAA mode, run the accounting-scheme command to add an AAA accounting
scheme.

2. Run the accounting-mode hwtacacs command to configure the accounting mode. By
default, the accounting is not performed.

3. Run the accounting interim interval command to set the interval of real-time accounting.
By default, the interval is 0 minutes, that is, the real-time accounting is not performed.

4. Run the quit command to return to the AAA mode.

Step 4 Configure the HWTACACS protocol.


The configuration of the HWTACACS protocol of the MA5600T is on the basis of the
HWTACACS server group. In actual networking scenarios, an HWTACACS server group can
be an independent HWTACACS server or a combination of two HWTACACS servers, that is,
a primary server and a secondary server with the same configuration but different IP addresses.
Each HWTACACS server template contains the primary/secondary server IP address, shared
key, and HWTACACS server type.
Primary and secondary authentication, accounting, and authorization servers can be configured.
The IP address of the primary server, however, must be different from that of the secondary
server. Otherwise, the configuration of primary and secondary servers will fail. By default, the
IP addresses of the primary and secondary servers are both 0.0.0.0.
1. Run the hwtacacs-server template command to create an HWTACACS server template
and enter the HWTACACS server template mode.

2. Run the hwtacacs-server authentication command to configure a primary authentication
server. You can select secondary to configure a secondary authentication server.

NOTE

- To ensure normal communication between the MA5600T and the HWTACACS server, before
configuring the IP address and the UDP port of the HWTACACS server, make sure that the route
between the HWTACACS server and the MA5600T is in the normal state.
- Make sure that the HWTACACS server port of the MA5600T is the same as the port of the
HWTACACS server.

3. Run the hwtacacs-server accounting command to configure a primary accounting server.
You can select secondary to configure a secondary accounting server.

4. Run the hwtacacs-server authorization command to configure a primary authorization
server. You can select secondary to configure a secondary authorization server.

5. (Optional) Run the hwtacacs-server shared-key command to configure the shared key of
the HWTACACS server.

NOTE

- The HWTACACS client (MA5600T) and the HWTACACS server use the MD5 algorithm to encrypt
the HWTACACS packets. They check the validity of the packets by configuring the encryption key.
They can receive the packets from each other and can respond to each other only when their keys are
the same.
- By default, the HWTACACS server does not have a key.

6. (Optional) Run the hwtacacs-server timer response-timeout command to set the response
timeout time of the HWTACACS server.

NOTE

- If the HWTACACS server does not respond to the HWTACACS request packets within the timeout
time, the communication between the MA5600T and the current HWTACACS server is considered
interrupted.
- By default, the response timeout time of the HWTACACS server is 5s.

7. (Optional) In the global config mode, run the hwtacacs-server accounting-stop-packet
command to configure the re-transmission mechanism of the accounting-stop packets of
the HWTACACS server.

NOTE

- To prevent the loss of the accounting packets, the MA5600T supports the re-transmission of the
accounting-stop packets of the HWTACACS server.
- By default, the re-transmit time of the accounting-stop packets of the HWTACACS server is 100.

8. (Optional) Run the (undo) hwtacacs-server user-name domain-included command to
configure the user name (not) to carry the domain name when transmitted to the
HWTACACS server.
- By default, the user name of the HWTACACS server carries the domain name.
- After the undo hwtacacs-server user-name domain-included command is executed,
the domain name is deleted from the user name when the client sends authentication
and authorization requests to the HWTACACS server. The domain name in the user
name of the accounting request is, however, reserved. This is to ensure that the users
can be distinguished from each other in the accounting.

9. Run the quit command to return to the global config mode.

Step 5 Create a domain.


A domain is a group of users of the same type.
In the user name format userid@domain-name (for example, [email protected]),
"userid" indicates the user name for authentication and "domain-name" followed by "@"
indicates the domain name.
The domain name for user login cannot exceed 15 characters, and the other domain names cannot
exceed 20 characters.
1. Run the aaa command to enter the AAA mode.

2. In the AAA mode, run the domain command to create a domain.

Step 6 Use the authentication scheme.

You can use an authentication scheme in a domain only after the authentication scheme is
created.
In the domain mode, run the authentication-scheme command to use the authentication scheme.

Step 7 Use the accounting scheme.

You can use an accounting scheme in a domain only after the accounting scheme is created.
In the domain mode, run the accounting-scheme command to use the accounting scheme.

Step 8 Use the authorization scheme.

You can use an authorization scheme in a domain only after the authorization scheme is created.
In the domain mode, run the authorization-mode command to use the authorization scheme.

Step 9 Use the HWTACACS server template.

You can use an HWTACACS server template in a domain only after the HWTACACS server
template is created.

1. In the domain mode, run the radius-server template command to use the HWTACACS
server template.

2. Run the quit command to return to the AAA mode.

----End

Example
User1 in the isp domain adopts the HWTACACS protocol for authentication, authorization, and
accounting. The accounting interval is 10 minutes, the authentication password is a123456,
HWTACACS server 10.10.66.66 functions as the primary authentication, authorization, and
accounting server, and HWTACACS server 10.10.66.67 functions as the standby authentication,
authorization, and accounting server. On the HWTACACS server, the parameters adopt the
default values. To perform the preceding configuration, do as follows:
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
huawei(config-aaa-authen-newscheme)#authentication-mode hwtacacs
huawei(config-aaa-authen-newscheme)#quit
huawei(config-aaa)#authorization-scheme newscheme
huawei(config-aaa-author-newscheme)#authorization-mode hwtacacs
huawei(config-aaa-author-newscheme)#quit
huawei(config-aaa)#accounting-scheme newscheme
huawei(config-aaa-accounting-newscheme)#accounting-mode hwtacacs
huawei(config-aaa-accounting-newscheme)#accounting interim interval 10
huawei(config-aaa-accounting-newscheme)#quit
huawei(config-aaa)#quit
huawei(config)#hwtacacs-server template hwtest
huawei(config-hwtacacs-hwtest)#hwtacacs-server authentication 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server authentication 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#hwtacacs-server authorization 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server authorization 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#hwtacacs-server accounting 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server accounting 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#quit
huawei(config)#aaa
huawei(config-aaa)#domain isp
huawei(config-aaa-domain-isp)#authentication-scheme newscheme
huawei(config-aaa-domain-isp)#authorization-scheme newscheme
huawei(config-aaa-domain-isp)#accounting-scheme newscheme
huawei(config-aaa-domain-isp)#hwtacacs-server hwtest
huawei(config-aaa-domain-isp)#quit

2.12.5 Configuration Example of the HWTACACS Authentication (802.1X access user)
The MA5600T is interconnected with the HWTACACS server through the HWTACACS
protocol to implement authentication, authorization, and accounting.

Service Requirements
- The HWTACACS server performs authentication, authorization, and accounting for
802.1X access users.
- The user logs in to the server carrying the domain name.
- The HWTACACS server with the IP address 10.10.66.66 functions as the primary server
for authentication, authorization, and accounting.
- The HWTACACS server with the IP address 10.10.66.67 functions as the secondary server
for authentication, authorization, and accounting.
- Other parameters adopt the default settings.

Networking
Figure 2-9 shows an example network of the HWTACACS authentication.

Figure 2-9 Example network of the HWTACACS authentication

Procedure
Step 1 Configure an authentication scheme.
Configure authentication scheme named newscheme (users are authenticated through
HWTACACS).
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
huawei(config-aaa-authen-newscheme)#authentication-mode hwtacacs
huawei(config-aaa-authen-newscheme)#quit

Step 2 Configure an authorization scheme.


Configure authorization scheme named newscheme (users are authorized through
HWTACACS).
huawei(config-aaa)#authorization-scheme newscheme
huawei(config-aaa-author-newscheme)#authorization-mode hwtacacs
huawei(config-aaa-author-newscheme)#quit

Step 3 Configure the accounting scheme.


Configure an accounting scheme named newscheme (users are authenticated through
HWTACACS). The interval is 10 minutes.
huawei(config-aaa)#accounting-scheme newscheme
huawei(config-aaa-accounting-newscheme)#accounting-mode hwtacacs
huawei(config-aaa-accounting-newscheme)#accounting interim interval 10
huawei(config-aaa-accounting-newscheme)#quit
huawei(config-aaa)#quit

Step 4 Configure the HWTACACS protocol.


Create an HWTACACS server template named hwtest with the HWTACACS server 10.10.66.66
as the primary authentication, authorization and accounting server, and the HWTACACS server
10.10.66.67 as the secondary authentication, authorization and accounting server.
huawei(config)#hwtacacs-server template hwtest
Create a new HWTACACS-server template
huawei(config-hwtacacs-hwtest)#hwtacacs-server authentication 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server authentication 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#hwtacacs-server authorization 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server authorization 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#hwtacacs-server accounting 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server accounting 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#quit

Step 5 Configure the 802.1X authentication.


1. Enable the 802.1X global switch. Enable the 802.1X authentication for ports 1, 2, and 3.
The 802.1X needs to be triggered by DHCP. Therefore, the DHCP-trigger authentication
must be enabled.
huawei(config)#dot1x enable
huawei(config)#dot1x service-port 1
huawei(config)#dot1x service-port 2
huawei(config)#dot1x service-port 3
huawei(config)#dot1x dhcp-trigger enable

2. Configure the 802.1X parameters. In the local termination authentication, the 802.1X
parameters should be configured to be in the EAP termination mode. The count of allowed
handshake failure is 1 and the handshake interval is 20s.
huawei(config)#dot1x keepalive retransmit 1 interval 20 service-port 1
huawei(config)#dot1x keepalive retransmit 1 interval 20 service-port 2
huawei(config)#dot1x keepalive retransmit 1 interval 20 service-port 3
huawei(config)#dot1x eap-end service-port 1
huawei(config)#dot1x eap-end service-port 2
huawei(config)#dot1x eap-end service-port 3

Step 6 Create a domain.


Create a domain named isp1.
huawei(config)#aaa
huawei(config-aaa)#domain isp1
Info: Create a new domain

Step 7 Use the authentication scheme.


You can use an authentication scheme in a domain only after the authentication scheme is
created.
huawei(config-aaa-domain-isp1)#authentication-scheme newscheme

Step 8 Use the authorization scheme.


You can use an authorization scheme in a domain only after the authorization scheme is created.
huawei(config-aaa-domain-isp1)#authorization-scheme newscheme

Step 9 Use the accounting scheme.


You can use an accounting scheme in a domain only after the accounting scheme is created.
huawei(config-aaa-domain-isp1)#accounting-scheme newscheme

Step 10 Bind the HWTACACS server template.



You can use a HWTACACS server template in a domain only after the HWTACACS server
template is created.
huawei(config-aaa-domain-isp1)#hwtacacs-server hwtest

----End

Result
User 1 in ISP 1 can pass authentication only if both the user name and password are correct, and
then can log in to the MA5600T. Then, the user starts to be accounted.

Configuration File
aaa
authentication-scheme newscheme
authentication-mode hwtacacs
quit
authorization-scheme newscheme
authorization-mode hwtacacs
quit
accounting-scheme newscheme
accounting-mode hwtacacs
accounting interim interval 10
quit
quit
hwtacacs-server template hwtest
hwtacacs-server authentication 10.10.66.66
hwtacacs-server authentication 10.10.66.67 secondary
hwtacacs-server authorization 10.10.66.66
hwtacacs-server authorization 10.10.66.67 secondary
hwtacacs-server accounting 10.10.66.66
hwtacacs-server accounting 10.10.66.67 secondary
quit
dot1x enable
dot1x service-port 1
dot1x service-port 2
dot1x service-port 3
dot1x dhcp-trigger enable
dot1x keepalive retransmit 1 interval 20 service-port 1
dot1x keepalive retransmit 1 interval 20 service-port 2
dot1x keepalive retransmit 1 interval 20 service-port 3
dot1x eap-end service-port 1
dot1x eap-end service-port 2
dot1x eap-end service-port 3
quit
domain isp1
authentication-scheme newscheme
authorization-scheme newscheme
accounting-scheme newscheme
hwtacacs-server hwtest
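
A saved configuration can be checked offline for the AAA defaults this chapter describes: a RADIUS template left on the default shared key huawei (2.12.2), an HWTACACS template with no key (2.12.4), a RADIUS template with domain names stripped that serves two or more domains, and a domain that uses a template that was never created. This is an added example, not Huawei tooling; the single-argument form of the shared-key line and the sample configuration are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

DEFAULT_RADIUS_KEY = "huawei"  # default shared key stated in the guide

TEMPLATE = re.compile(r"(radius|hwtacacs)-server template (\S+)")
SCHEME = re.compile(r"(authentication|authorization|accounting)-scheme \S+")
BIND = re.compile(r"(radius|hwtacacs)-server (?:template )?(\S+)")
# Assumption: the key is the single argument of the shared-key command.
KEY = re.compile(r"(radius|hwtacacs)-server shared-key (\S+)")
NO_DOMAIN = re.compile(r"undo (radius|hwtacacs)-server user-name domain-included")

# Constructed sample in the style of the guide's "Configuration File" listings.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme newscheme
  authentication-mode radius
  quit
 quit
radius-server template hwtest
 radius-server authentication 10.10.66.66 1812
 radius-server authentication 10.10.66.67 1812 secondary
 undo radius-server user-name domain-included
 quit
hwtacacs-server template ma56t-login
 hwtacacs-server authentication 10.10.66.66
 quit
aaa
 domain isp1
  authentication-scheme newscheme
  radius-server hwtest
  quit
 domain isp2
  authentication-scheme newscheme
  radius-server hwtest
  quit
 domain mgmt
  hwtacacs-server radtest
  quit
 quit
"""


def parse_config(text):
    """Walk the file with a mode stack, mirroring the CLI's aaa/template/domain modes."""
    templates = {}                # (proto, name) -> {"key": ..., "domain_included": ...}
    bindings = defaultdict(list)  # (proto, name) -> domains that use the template
    stack = []                    # current mode is stack[-1]; empty means global config
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        mode = stack[-1] if stack else ("global",)
        if line == "quit":
            if stack:
                stack.pop()
        elif mode[0] == "global" and line == "aaa":
            stack.append(("aaa",))
        elif mode[0] == "global" and (m := TEMPLATE.fullmatch(line)):
            key = (m.group(1), m.group(2))
            templates.setdefault(key, {"key": None, "domain_included": True})
            stack.append(("template",) + key)
        elif mode[0] == "aaa" and SCHEME.fullmatch(line):
            stack.append(("scheme",))
        elif mode[0] == "aaa" and line.startswith("domain "):
            stack.append(("domain", line.split()[1]))
        elif mode[0] == "template" and (m := KEY.fullmatch(line)):
            templates[mode[1:]]["key"] = m.group(2)
        elif mode[0] == "template" and NO_DOMAIN.fullmatch(line):
            templates[mode[1:]]["domain_included"] = False
        elif mode[0] == "domain" and (m := BIND.fullmatch(line)):
            bindings[(m.group(1), m.group(2))].append(mode[1])
    return templates, bindings


def audit(text):
    """Return (finding, template-name) pairs for the conditions named in the lead-in."""
    templates, bindings = parse_config(text)
    findings = []
    for (proto, name), tpl in sorted(templates.items()):
        if proto == "radius" and tpl["key"] in (None, DEFAULT_RADIUS_KEY):
            findings.append(("default-radius-key", name))
        if proto == "hwtacacs" and tpl["key"] is None:
            findings.append(("hwtacacs-no-key", name))
        domains = set(bindings.get((proto, name), []))
        if proto == "radius" and not tpl["domain_included"] and len(domains) >= 2:
            findings.append(("username-collision", name))
    for (proto, name) in sorted(bindings):
        if (proto, name) not in templates:
            findings.append(("undefined-template", name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```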

2.12.6 Configuration Example of HWTACACS Authentication (Management User)
The MA5600T allows the management user of the device to log in to the system by the
HWTACACS authentication mode.


Prerequisites
- The route from the MA5600T to the HWTACACS server must be configured.
- The management user information (user name@domain and password) must be configured
on the HWTACACS server.

Service Requirements
- The HWTACACS server performs authentication for management user of domain isp1.
- The user logs in to the server carrying the domain name.
- The HWTACACS server with the IP address 10.10.66.66 functions as the primary server
for authentication.
- The HWTACACS server with the IP address 10.10.66.67 functions as the secondary server
for authentication.
- Other parameters adopt the default settings.

Networking
Figure 2-10 shows an example network of HWTACACS authentication.
Figure 2-10 Example network of HWTACACS authentication

Procedure
Step 1 Configure the authentication scheme.
Configure authentication scheme named login-auth (users are authenticated through
HWTACACS).
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme login-auth


huawei(config-aaa-authen-login-auth)#authentication-mode hwtacacs
huawei(config-aaa-authen-login-auth)#quit

Step 2 Configure the HWTACACS protocol.


Create HWTACACS server template named ma56t-login with HWTACACS server
10.10.66.66 as the primary authentication server, and HWTACACS server 10.10.66.67 as the
secondary authentication server.
huawei(config)#hwtacacs-server template ma56t-login
Create a new HWTACACS-server template
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.66 1812
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.67 1812 secondary
huawei(config-hwtacacs-ma56t-login)#quit

Step 3 Create a domain named isp1.


NOTE

- A domain is a group of users of the same type.
- In the user name format userid@domain-name (for example, [email protected]), "userid"
indicates the user name for authentication and "domain-name" followed by "@" indicates the domain name.
- The domain name for user login cannot exceed 15 characters, and the other domain names cannot exceed
20 characters.

huawei(config)#aaa
huawei(config-aaa)#domain isp1
Info: Create a new domain

Step 4 Use the authentication scheme login-auth.


You can use an authentication scheme in a domain only after the authentication scheme is
created.
huawei(config-aaa-domain-isp1)#authentication-scheme login-auth

Step 5 Bind the HWTACACS server template ma56t-login to the user.


You can use a HWTACACS server template in a domain only after the HWTACACS server
template is created.
huawei(config-aaa-domain-isp1)#hwtacacs-server ma56t-login

----End

Result
- When the HWTACACS server is reachable, the management user can log in to the
MA5600T through Telnet. After entering the user name and password specified on the
HWTACACS server, the management user can successfully log in to the MA5600T.
- When the HWTACACS server is unreachable, the management user cannot log in to the
MA5600T through Telnet by entering the user name and password specified on the
HWTACACS server.

Configuration File
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme login-auth
huawei(config-aaa-authen-login-auth)#authentication-mode hwtacacs
huawei(config-aaa-authen-login-auth)#quit
huawei(config-aaa)#quit
huawei(config)#hwtacacs-server template ma56t-login
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.66 1812
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.67 1812 secondary
huawei(config-hwtacacs-ma56t-login)#quit
huawei(config)#aaa
huawei(config-aaa)#domain isp1
huawei(config-aaa-domain-isp1)#authentication-scheme login-auth
huawei(config-aaa-domain-isp1)#hwtacacs-server ma56t-login
huawei(config-aaa-domain-isp1)#quit
huawei(config-aaa)#quit

2.13 Configuring ANCP


Access Node Control Protocol (ANCP) is used to implement the functions such as topology
discovery, line configuration, and L2C OAM on the user ports. The MA5600T establishes an
ANCP session according to the GSMP communication IP address configured in the network
access server (NAS).

Prerequisites
• The system must work in the normal state.
• The system must be connected to the network access server in the normal state.

Context
The MA5600T and the NAS use the TCP connection to carry an ANCP session. Therefore,
before creating the ANCP session, you must create a TCP connection between the
MA5600T and the NAS. The NAS functions as the server of the TCP connection, and the
MA5600T functions as the client of the TCP connection.

After the TCP connection is created successfully between the MA5600T and the NAS, an
ANCP session is created between the MA5600T and the NAS. After the ANCP session is
created successfully, the MA5600T and the NAS need to use the ANCP ACK packets for
heartbeat detection to maintain the ANCP session.

The default values of the ANCP parameters are as follows:
• GSMP address for an ANCP session: 0.0.0.0
• ANCP session capability set: topology-discovery, line-config, and oam
• ANCP packet sending priority: highest level 6
• GSMP TCP communication port number on the NAS side in an ANCP session: 6068
• Interval for sending packets during the initial stage of an ANCP session: 10 (unit: 0.1s)
• Interval for sending packets during the ANCP session stage: 100 (unit: 0.1s)

Procedure
Step 1 Run the ancp partition enable command to enable the ANCP partition function.
By default, the ANCP partition function is disabled.
Step 2 Run the ancp port command to enable the ANCP function of a port.
The ANCP function takes effect only when the ANCP function in the ANCP session mode and
ANCP session function of a port are enabled.
Step 3 (Optional) Run the ancp version command to configure the ANCP version.
• The configured ANCP version must be the same as that on the NAS.
• By default, the ANCP version is draft-01.
Step 4 Run the ancp session command to enter the ANCP session mode.
Step 5 (Optional) Run the ancp partition command to configure the ID of the partition associated with
an ANCP session.
Step 6 Run the ancp ip command to configure the GSMP communication IP address for the ANCP
session.
• The IP address configured here must be the same as the GSMP communication IP address
configured on the NAS, but it should not be the same as the default IP address, multicast
IP address, or broadcast IP address.
• When an ANCP session is enabled, the GSMP communication IP address cannot be
configured.
Step 7 (Optional) Run the ancp capability command to configure the capability set of the ANCP
session.
• Supports topology discovery. When you select the topology-discovery parameter, the
MA5600T automatically reports the line parameters to the NAS.
• Supports line configuration. When you select the line-config parameter, the MA5600T responds
to the line configuration that is sent by the NAS.
• Supports the OAM. When you select the oam parameter, the MA5600T responds to the line
testing information that is sent by the NAS.
• Supports the preceding three types of capability.
• The default value is all, that is, the three capabilities (topology discovery, line configuration,
and L2C OAM) are supported.
Step 8 (Optional) Run the ancp ancp-8021p command to set the priority for sending ANCP packets.
• You can set the priority according to the actual requirements and network conditions. The
higher the priority, the higher the reliability.
• After an ANCP session is enabled, the priority for sending the ANCP packet of the ANCP
session cannot be configured.
Step 9 (Optional) Run the ancp nas-tcp-port command to set the GSMP TCP communication port
number for the ANCP session on the NAS.
• By default, the GSMP TCP communication port number is 6068.
• The GSMP TCP communication port number on the MA5600T must be the same as that on
the NAS.
• Run the ancp port begin command to set the start port ID of the ANCP session. Make sure
that the start port ID of the ANCP session is the same as the start ID of the ports on the service
board.
Step 10 (Optional) Run the ancp init-interval command to set the interval for sending packets during
the establishment of the ANCP session.
• By default, the general query interval is 125s.
• After an ANCP session is enabled, the priority for sending the ANCP packet of the ANCP
session cannot be configured.
Step 11 (Optional) Run the ancp keep-alive command to set the interval for sending packets during the
ANCP session so that the handshake messages can be sent to the peer end at the preset interval.
• By default, the interval is 10s.
• After an ANCP session is enabled, the priority for sending the ANCP packet of the ANCP
session cannot be configured.
Step 12 (Optional) Run the ancp bandwidthCAC command to enable the ANCP multicast CAC. After
the ANCP multicast CAC is enabled, if the bandwidth of the demanded multicast program is
larger than the available multicast bandwidth of the user, the user can apply for the bandwidth
resource of the unicast VOD program.
• After an ANCP session is enabled, its ANCP multicast CAC function cannot be enabled or
disabled.
• The ANCP multicast CAC function of only one session can be enabled at a time.
• After the ANCP multicast CAC function is enabled, if the ancp disable command is
executed, the ANCP will be disabled. The system still performs CAC using the bandwidth
issued by the ANCP CAC and the original BTV CAC does not take effect. In this case, the
normal BTV CAC takes effect only when the ANCP CAC function of the ANCP session is
disabled by running the ancp bandwidthCAC disable command.
Step 13 Run the ancp enable command to enable the ANCP session.
• By default, the ANCP session is disabled.
• Before an ANCP session is enabled, related parameters can be modified. After an ANCP
session is enabled, related parameters cannot be modified.
Step 14 Run the quit command to quit the ANCP mode.
Step 15 Run the display ancp session command to query the information about the ANCP session.
----End

Example
Consider configuring the ANCP topology discovery function of port 0/5/1 as an example.
Configure the partition ID of the ANCP session to 1, ANCP version to draft-02, start port ID to
1, GSMP communication address of the ANCP session to 10.10.10.10, packet sending interval
at the ANCP session creation phase to 2s, ANCP session capability set to topology-discovery,
ANCP packet sending priority to 7, GSMP TCP communication port ID at the NAS side in the
ANCP session to 6000, and packet sending interval at the ANCP session phase to 7s.
huawei(config)#ancp partition enable
huawei(config)#ancp port 0/5/1 partition 1
huawei(config)#ancp version draft-02
huawei(config)#ancp port begin 1
huawei(config)#ancp session 1
huawei(config-session-1)#ancp partition 1
huawei(config-session-1)#ancp ip 10.10.10.10
huawei(config-session-1)#ancp capability topology-discovery
huawei(config-session-1)#ancp ancp-8021p 7
huawei(config-session-1)#ancp nas-tcp-port 6000
huawei(config-session-1)#ancp init-interval 20
huawei(config-session-1)#ancp keep-alive 70
huawei(config-session-1)#ancp bandwidthCAC enable
huawei(config-session-1)#ancp enable
huawei(config-session-1)#quit
huawei(config)#display ancp session 1
  Session config status                 : Enable
  Session running status                : Before syn phase
  Session diagnostic status             :
  GSMP version                          : 3
  GSMP sub version                      : 1
  AN name                               :
  NAS name                              :
  NAS IP                                : 10.10.10.10
  Local IP                              :
  AN instance                           :
  NAS instance                          :
  Config capabilities                   : TopologyDiscovery
  Negotiate capabilities                :
  NAS TCP port                          : 6000
  Startup time(0.01s)                   :
  Discontinuity time(0.01s)             :
  Init interval(0.1s)                   : 20
  Keepalive interval(0.1s)              : 70
  PartitionID                           : 1
  Bandwidth CAC status                  : Enable
  Line config roll default              : Disable
  OAM threshold(0.01)                   : 100
  Topology report shaper interval(0.1s) : 10
  S-VLAN                                :
  S-VLAN priority                       : 7
  C-VLAN                                :
  C-VLAN priority                       :
  Session down send trap status         : Disable
  Session up send trap status           : Disable

3 Configuring L3 Features


About This Chapter


L3 feature configurations include configurations of common L3 protocols and features. There
is no obvious logical relation between L3 feature configurations. You can perform L3 feature
configurations according to actual requirements.
3.1 Configuring ARP Proxy for Interworking
This topic describes how to configure the ARP proxy of the L3 interface so that users on isolated
ports of the same broadcast domain or on ports of different broadcast domains can communicate
with each other. To reduce the network load, the ARP request packets are limited in a VLAN.
3.2 Configuring DHCP
The MA5600T can implement DHCP relay and DHCP proxy on a network. Configuring DHCP
relay is applicable to the scenario where users dynamically obtain IP addresses from the DHCP
server through DHCP. In DHCP proxy, the MA5600T proxy can implement certain functions
of the DHCP server.
3.3 Configuring the Route
This topic describes the routing policy supported by the MA5600T and how to configure the
routing protocol.


3.1 Configuring ARP Proxy for Interworking


This topic describes how to configure the ARP proxy of the L3 interface so that users on isolated
ports of the same broadcast domain or on ports of different broadcast domains can communicate
with each other. To reduce the network load, the ARP request packets are limited in a VLAN.

Context
After the ARP proxy function is enabled, users on the same board can communicate with each
other, whether they are in the same VLAN or in different VLANs.

Networking
Figure 3-1 shows an example network of the ARP proxy.
PC1 and PC2 are in sub VLAN 10, service ports are isolated, and PC3 is in sub VLAN 20. User
packets can be forwarded in the L3 forwarding mode through the super VLAN interface. The
IP address of the super VLAN interface is 10.0.0.254, and the interface is in the same subnet as
PC1, PC2, and PC3. After the ARP proxy function is enabled, PC1 and PC2 can communicate
with each other, and PC3 can communicate with PC1 and PC2.
Figure 3-1 Example network of the ARP proxy

Data Plan
Table 3-1 provides the data plan for configuring the ARP proxy.
Table 3-1 Data plan for configuring the ARP proxy
Item             Data
Super VLAN       VLAN ID: 100
                 Sub VLAN: VLAN 10, VLAN 20
                 IP address: 10.0.0.254/24
Sub VLAN         VLAN ID: 10
                 VLAN type: smart VLAN
Sub VLAN         VLAN ID: 20
                 VLAN type: MUX VLAN
Upstream port    Port: 0/17/0
                 VLAN: standard VLAN 30
                 IP address: 10.0.1.254/24

Configuration Flowchart
Figure 3-2 shows the flowchart for configuring the ARP proxy.
Figure 3-2 Flowchart for configuring the ARP proxy

Procedure
Step 1 Create a super VLAN.
huawei(config)#vlan 100 super


Step 2 Create sub VLANs, and add them to the super VLAN.
huawei(config)#vlan 10 smart
huawei(config)#vlan 20 mux
huawei(config)#supervlan 100 subvlan 10
huawei(config)#supervlan 100 subvlan 20

Step 3 Configure the service ports of the sub VLANs.


huawei(config)#service-port vlan 10 gpon 0/4/0 ont 1 gemport 1 rx-cttr 5 tx-cttr 5
huawei(config)#service-port vlan 10 gpon 0/4/0 ont 1 gemport 2 rx-cttr 5 tx-cttr 5
huawei(config)#service-port vlan 10 gpon 0/4/0 ont 1 gemport 3 rx-cttr 5 tx-cttr 5

Step 4 Configure the upstream port.


huawei(config)#vlan 30 standard
huawei(config)#port vlan 30 0/17 0
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.0.1.254 24
NOTE

The IP address of the L3 interface of the super VLAN must be in the same subnet as the IP
addresses obtained by PC1-PC3.

Step 5 Configure an L3 interface for the super VLAN.
huawei(config)#interface vlanif 100
huawei(config-if-vlanif100)#ip address 10.0.0.254 24
NOTE

The IP address of the L3 interface of the super VLAN must be in the same subnet as the IP address
obtained by the PC.

Step 6 Enable ARP proxy.


1. Enable the ARP proxy function globally.
huawei(config)#arp proxy enable

2. Enable the global ARP proxy on the VLAN interface.
huawei(config-if-vlanif100)#arp proxy enable

3. Enable ARP proxy on the sub VLAN interface.
huawei(config-if-vlanif100)#arp proxy enable subvlan 10
huawei(config-if-vlanif100)#quit
NOTE

Skip this step if you only want PCs in different VLANs to communicate with each other.

Step 7 Save the data.


huawei(config)#save

----End

Result
• After the global ARP proxy function and the ARP proxy function of the super VLAN
interface are enabled, PC1 and PC3, PC2 and PC3 in different VLANs can communicate
with each other.
• After the global ARP proxy function, the ARP proxy function of the super VLAN interface,
and that of the sub VLAN interface are enabled, PC1 and PC2 in the same VLAN can
communicate with each other.

3.2 Configuring DHCP


The MA5600T can implement DHCP relay and DHCP proxy on a network. Configuring DHCP
relay is applicable to the scenario where users dynamically obtain IP addresses from the DHCP
server through DHCP. In DHCP proxy, the MA5600T proxy can implement certain functions
of the DHCP server.

Background Information
The MA5600T can work in the L2 DHCP relay mode or L3 DHCP relay mode to forward the
DHCP packets exchanged between the user and the DHCP server. By default, the MA5600T
works in the L2 DHCP relay mode. In this mode, the MA5600T transparently transmits the
DHCP packets initiated by the user and configurations are not required. If the MA5600T works
in the L3 mode, the DHCP server must support DHCP relay and you must perform corresponding
configurations on the DHCP server. The L3 DHCP relay mode can be classified into three
working modes:
• DHCP standard mode
  In this mode, the MA5600T identifies the VLAN to which the user belongs and binds
  different VLANs to the corresponding DHCP server groups.
  Configure the DHCP standard mode as follows: Configure the working mode of the DHCP
  relay. Configure the DHCP server group. Bind VLANs to DHCP server groups.
• DHCP option 60 mode
  The MA5600T differentiates the DHCP packets transmitted from the user terminal
  according to the DHCP option 60 field in the packets, and binds different DHCP option 60
  domains to the corresponding DHCP server groups.
  Configure the DHCP option 60 mode as follows: Configure the working mode of the DHCP
  relay. Configure the DHCP server group. Create DHCP option 60 field. Bind DHCP option
  60 domains to DHCP server groups.
• MAC address segment mode
  The MA5600T differentiates users according to the MAC address segment of the user
  terminals, and binds different MAC address segments to the corresponding DHCP server
  group.
  Configure the MAC address segment mode as follows: Configure the working mode of the
  DHCP relay. Configure the DHCP server group. Define the MAC address segment. Bind
  MAC address segments to DHCP server groups.

If the MA5600T works in the L3 DHCP relay mode, the MA5600T supports the DHCP proxy
function in addition to the DHCP relay function. That is, the MA5600T functions as a proxy to
implement certain functions of the DHCP server. A DHCP proxy can implement the functions
of server ID proxy and lease-time proxy.
• The server ID proxy is a function for modifying option 54 field in DHCP packets so that
the IP address of the DHCP server is unavailable to the client. This prevents the attacks
initiated by the DHCP client to the DHCP server.
• With the lease-time proxy, the information related to the lease-time in the DHCP packets
is modified by MA5600T so that the client can obtain a lease time. This lease time is shorter
than the lease time directly allocated by the DHCP server. This facilitates the lease-time
management.
NOTE

The MA5600T supports the DHCP option 82 to ensure the security of the DHCP function. For the
configuration related to the DHCP option 82 feature, see 2.8.2 Configuring Anti-Theft and Roaming of
User Accounts Through DHCP.
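
The option 60 server-group selection and the server ID and lease-time proxy functions described above, modelled in Python as an added example (not Huawei code and not taken from this guide). The prefix match on the option 60 string, the per-MAC table of real server IDs, the T1/T2 scaling, and the sample packets and lease values are assumptions made for illustration.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie (RFC 2131)
PAD, LEASE, SERVER_ID, T1, T2, VENDOR_CLASS, END = 0, 51, 54, 58, 59, 60, 255


def parse_options(packet):
    """Return the options of a DHCP packet as an ordered list of (code, value)."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = [], 240
    while i < len(packet):
        code = packet[i]
        if code == END:
            return opts
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option %d" % code)
        length = packet[i + 1]
        opts.append((code, packet[i + 2:i + 2 + length]))
        i += 2 + length
    raise ValueError("missing END option")


def build_packet(header, opts):
    """Re-serialise the 236-byte BOOTP header followed by the given options."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return header[:236] + MAGIC + body + bytes([END])


def select_server_group(packet, domain_groups):
    """Option 60 mode: return the server group bound to the packet's domain.

    Assumption: a configured domain name matches when the option 60 string
    starts with it, compared case-insensitively (e.g. "MSFT 5.0" -> msft).
    """
    for code, val in parse_options(packet):
        if code == VENDOR_CLASS:
            text = val.decode("ascii", "replace").lower()
            for domain, group in domain_groups.items():
                if text.startswith(domain.lower()):
                    return group
    return None


class DhcpProxy:
    """Server ID proxy and lease-time proxy applied to relayed packets."""

    def __init__(self, gateway_ip, proxy_lease):
        self.gateway = ipaddress.IPv4Address(gateway_ip).packed
        self.proxy_lease = proxy_lease
        self.real_server = {}      # client MAC -> server ID hidden from it

    def on_server_reply(self, packet):
        """Server to client: hide option 54 and shorten the lease timers."""
        limits = {LEASE: self.proxy_lease,
                  T1: self.proxy_lease // 2,       # RFC 2131 default, 0.5 x lease
                  T2: self.proxy_lease * 7 // 8}   # RFC 2131 default, 0.875 x lease
        out = []
        for code, val in parse_options(packet):
            if code == SERVER_ID:
                self.real_server[packet[28:34]] = val   # chaddr holds the MAC
                val = self.gateway
            elif code in limits and len(val) == 4:
                seconds = struct.unpack("!I", val)[0]
                val = struct.pack("!I", min(seconds, limits[code]))
            out.append((code, val))
        return build_packet(packet, out)

    def on_client_request(self, packet):
        """Client to server: restore the real server ID before relaying."""
        real = self.real_server.get(packet[28:34])
        out = [(c, real if c == SERVER_ID and v == self.gateway and real else v)
               for c, v in parse_options(packet)]
        return build_packet(packet, out)


def sample(op, mac, opts):
    """Constructed packet: minimal BOOTP header (Ethernet, 6-byte MAC) + options."""
    header = bytes([op, 1, 6, 0]) + bytes(24) + mac + bytes(236 - 34)
    return build_packet(header, opts)


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")            # constructed client MAC
    discover = sample(1, mac, [(53, b"\x01"), (VENDOR_CLASS, b"MSFT 5.0")])
    print("server group:", select_server_group(discover, {"msft": 2}))
    proxy = DhcpProxy("10.1.2.1", 3600)            # constructed proxy lease
    offer = sample(2, mac, [(53, b"\x02"),
                            (SERVER_ID, ipaddress.IPv4Address("10.10.10.10").packed),
                            (LEASE, struct.pack("!I", 86400))])
    for code, val in parse_options(proxy.on_server_reply(offer)):
        print("option", code, "=", val.hex())
```

The client only ever sees the gateway address in option 54, so the proxy has to keep the real server ID per client and put it back on the client's requests; without that state the server would not recognise the request as addressed to it.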


3.2.1 Configuring the Standard DHCP Mode


This topic is applicable to the scenario for specifying the corresponding DHCP server groups
for different users of the VLAN (the VLAN that is used when the service ports are created).

Prerequisites
A VLAN must be created. For details, see 2.6 Configuring a VLAN.

Procedure
Step 1 Configure the DHCP forwarding mode.
Choose one from the following two methods for configuring the DHCP forwarding mode:
• In the global config mode, run the dhcp mode layer-3 standard command to configure the
  DHCP relay mode to standard L3 DHCP relay mode (layer-3, standard). If keyword vlan is
  selected and vlanid is entered, this configuration takes effect only for this VLAN.
• Perform the following configuration in the VLAN service profile:
  1. Run the vlan service-profile command to create a VLAN service profile and enter the
     VLAN service profile mode.
  2. Run the dhcp mode layer-3 standard command to configure the DHCP mode.
  3. Run the commit command to make the configuration parameters of the profile take
     effect. The configuration of the VLAN service profile takes effect only after you run
     this command.
  4. Run the quit command to quit the VLAN service profile mode.
  5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service
     profile created in 1.1.

Step 2 Configure the DHCP server group.


1. In the global config mode, run the dhcp-server command to create a DHCP server group.
   • igroup-number: Indicates the number of the DHCP server group. It identifies a server
     group. You can run the display dhcp-server all-group command to query the DHCP
     server groups that are already configured and select a DHCP server group number that
     is not used by the system.
   • ip-addr: Indicates the IP address of the DHCP server in the DHCP server group. Up to
     four IP addresses can be entered.

   CAUTION
   The IP address of the DHCP server configured here must be the same as the IP address
   of the DHCP server on the network side.
2. (Optional) Run the dhcp server mode command to configure the working mode of the
   DHCP server.
   The DHCP servers in the DHCP server group can work in the load balancing mode or
   active/standby mode. By default, they work in the load balancing mode.

Step 3 Bind the VLAN to the DHCP server.



1. In the global config mode, run the interface vlanif command to create a VLAN L3
   interface.
   The VLAN ID must be the same as the ID of the VLAN described in the prerequisite.
2. In the VLANIF mode, run the ip address command to configure the IP address of the
   VLAN L3 interface.
   After the configuration is completed, this IP address is used as the source IP address for
   forwarding the IP packets in the VLAN at L3.

   CAUTION
   • If only an L2 device exists between the MA5600T and the DHCP server, the IP address
     of the VLAN L3 interface should be in the same subnet as the IP address of the DHCP
     server.
   • If the upper-layer device of the MA5600T is an L3 device, the IP address of the VLAN
     L3 interface and the IP address of the DHCP server can be in different subnets; however,
     a route must exist between the VLAN L3 interface and the DHCP server. For details,
     see 3.3 Configuring the Route.
3. In the VLANIF mode, run the dhcp-server command to bind the DHCP server to the
   VLAN.
   This command requires parameter group-number, the value of which is the number of the
   created DHCP server group.

Step 4 (Optional) Configure the DHCP proxy.
To hide the IP address of the DHCP server (preventing attacks to the DHCP server from the
client), or to configure the MA5600T to allocate a shorter lease time to the client (compared
with the lease time directly allocated by the DHCP server), configure the DHCP proxy.
1. Enable the DHCP proxy function. When DHCP proxy is enabled, the DHCP server ID
   proxy and the lease-time proxy are enabled.
   Choose one from the following two methods for enabling DHCP proxy:
   • In the global config mode, run the dhcp proxy enable command to enable DHCP proxy.
   • Perform the configuration in the VLAN service profile.
     a. Run the vlan service-profile command to enter the VLAN service profile mode.
     b. Run the dhcp proxy enable command to enable DHCP proxy.
     c. Run the commit command to make the configuration parameters of the profile
        take effect. The configuration of the VLAN service profile takes effect only after
        you run this command.
     d. Run the quit command to quit the VLAN service profile mode.
     e. Run the vlan bind service-profile command to bind the VLAN to the VLAN
        service profile created in 4.1.a.
2. In the global config mode, run the dhcp proxy lease-time command to configure the global
   proxy lease time.
   The proxy lease time configured here should be shorter than the lease time allocated by the
   DHCP server.

----End

Example
Assume that server group 1 contains two DHCP servers working in active/standby mode, with
the maximum response time of 20s, the maximum count of response timeout of 10, the IP address
of the primary server 10.1.1.9 and the IP address of the secondary server 10.1.1.10. To bind
server group 1 to users in VLAN 2 (with the IP address of the L3 interface 10.1.1.101/24), do
as follows:
huawei(config)#dhcp mode layer-3 standard
huawei(config)#dhcp server mode backup 20 10
huawei(config)#dhcp-server 1 ip 10.1.1.9 10.1.1.10
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.1.1.101 24
huawei(config-if-vlanif2)#dhcp-server 1

3.2.2 Configuring the DHCP Option60 Mode


This topic is applicable to the scenario for specifying the corresponding DHCP servers for
different option60 domain users.

Prerequisites
• A VLAN must be created. For details, see 2.6 Configuring a VLAN.
• Before the configuration, confirm the option60 domain name of the user terminal.

Background Information
When multiple services such as video multicast and IP telephone services are provisioned on
the MA5600T, the services are provided by different service providers. The service providers
may use different relay IP addresses of the same DHCP server or different DHCP servers to
allocate IP addresses to users. Therefore, configure the users to apply for IP addresses from the
DHCP server in the DHCP option60 mode.
In the DHCP option60 mode, the DHCP server group is selected according to the character string
(namely domain name) in the option60 of DHCP packets. The option60 domain name and the
DHCP server group to which the domain name is bound need to be configured beforehand. In
this mode, users are actually differentiated according to the domain information in the packet,
and different service types in the same VLAN can also be differentiated.

Procedure
Step 1 Configure the DHCP forwarding mode.
Choose one from the following two methods for configuring the DHCP forwarding mode:
• In the global config mode, run the dhcp mode layer-3 option60 command to configure the
  DHCP relay mode to L3 option60 mode (layer-3, option60). If keyword vlan is selected and
  vlanid is entered, this configuration takes effect only for this VLAN.
• Perform the configuration in the VLAN service profile:
  1. Run the vlan service-profile command to create a VLAN service profile and enter the
     VLAN service profile mode.
  2. Run the dhcp mode layer-3 option60 command to configure the DHCP mode.
  3. Run the commit command to make the profile configuration take effect. The
     configuration of the VLAN service profile takes effect only after execution of this
     command.
  4. Run the quit command to quit the VLAN service profile mode.
  5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service
     profile created in 1.1.

Step 2 Configure the DHCP server group.


1. In the global config mode, run the dhcp-server command to create a DHCP server group.
   • igroup-number: Indicates the number of the DHCP server group. It identifies a server
     group. You can run the display dhcp-server all-group command to query the DHCP
     server groups that are already configured and select a DHCP server group number that
     is not used by the system.
   • ip-addr: Indicates the IP address of the DHCP server in the DHCP server group. Up to
     four IP addresses can be entered.

   CAUTION
   The IP address of the DHCP server configured here must be the same as the IP address
   of the DHCP server on the network side.
2. (Optional) Run the dhcp server mode command to configure the working mode of the
   DHCP server.
   The DHCP servers in the DHCP server group can work in the load balancing mode or
   active/standby mode. By default, they work in the load balancing mode.

Step 3 Create a DHCP option60 domain.


In the global config mode, run the dhcp domain command to create a DHCP domain, and then
enter the DHCP domain mode. The option60 domain name should be configured according to
the type of the terminal connected to the device. For the DHCP client installed with the Windows
98/2000/XP/NT series of OSs, the domain name must be msft.
Step 4 Bind the DHCP option60 domain to the DHCP server group.
In the option60 domain mode, run the dhcp-server command to bind the DHCP domain to the
DHCP server group. After the configuration is completed, the DHCP clients belonging to the
DHCP domain correspond to the DHCP server group.
Step 5 Configure the IP address of the gateway corresponding to the DHCP domain.
1. In the global config mode, run the interface vlanif command to create a VLAN L3
   interface.
   The VLAN ID must be the same as the ID of the VLAN described in the prerequisite.
2. In the VLANIF mode, run the ip address command to configure the IP address of the
   VLAN L3 interface.
   After the configuration is completed, this IP address is used as the source IP address for
   forwarding the IP packets in the VLAN at L3.

   CAUTION
   • If only an L2 device exists between the MA5600T and the DHCP server, the IP address
     of the VLAN L3 interface should be in the same subnet as the IP address of the DHCP
     server.
   • If the upper-layer device of the MA5600T is an L3 device, the IP address of the VLAN
     L3 interface and the IP address of the DHCP server can be in different subnets; however,
     a route must exist between the VLAN L3 interface and the DHCP server. For details,
     see 3.3 Configuring the Route.
3. In the VLANIF mode, run the dhcp domain gateway command to configure the IP address
   of the gateway corresponding to the DHCP domain.
   The IP address of the gateway must be a configured IP address of the VLAN interface.
   Under the same VLAN interface, different option60 domains can be configured with
   different gateways. Therefore, different DHCP servers can be selected according to the
   domain information in the packet.

Step 6 (Optional) Configure the DHCP proxy.


To hide the IP address of the DHCP server (preventing attacks to the DHCP server from the
client), or to configure the MA5600T to allocate a shorter lease time to the client (compared
with the lease time directly allocated by the DHCP server), configure the DHCP proxy.
1. Enable the DHCP proxy function. When DHCP proxy is enabled, the DHCP server ID
   proxy and the lease-time proxy are enabled.
   Choose one from the following two methods for enabling DHCP proxy:
   • In the global config mode, run the dhcp proxy enable command to enable DHCP proxy.
   • In VLAN service profile configuration mode, to configure the VLAN forwarding policy,
     do as follows:
     a. Run the vlan service-profile command to create a VLAN service profile and enter
        the VLAN service profile mode.
     b. Run the dhcp proxy enable command to enable DHCP proxy.
     c. Run the commit command to make the profile configuration take effect. The
        configuration of the VLAN service profile takes effect only after execution of this
        command.
     d. Run the quit command to quit the VLAN service profile mode.
     e. Run the vlan bind service-profile command to bind the VLAN to the VLAN
        service profile created in 6.1.a.
2. In the global config mode, run the dhcp proxy lease-time command to configure the global
   proxy lease time.
   The proxy lease time configured here should be shorter than the lease time allocated by the
   DHCP server.

----End

Example
Assume that server group 2 contains two DHCP servers working in the load balancing mode,
with the IP address of the primary server 10.10.10.10 and the IP address of the secondary server
10.10.10.11. To bind server group 2 to users whose option60 domain name is msft in VLAN 2
(with the IP address of the L3 interface 10.1.2.1/24), do as follows:
huawei(config)#dhcp mode layer-3 Option60
huawei(config)#dhcp-server 2 ip 10.10.10.10 10.10.10.11
huawei(config)#dhcp domain msft
huawei(config-dhcp-domain-msft)#dhcp-server 2
huawei(config-dhcp-domain-msft)#quit
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.1.2.1 24
huawei(config-if-vlanif2)#dhcp domain msft gateway 10.1.2.1

3.2.3 Configuring the DHCP MAC Address Segment Mode


This topic is applicable to the scenario for specifying the corresponding DHCP servers for users
in different MAC address segments.

Prerequisites
A VLAN must be created. For details, see 2.6 Configuring a VLAN.

Background Information
A network may contain devices of various manufacturers. The devices of
each manufacturer have a fixed MAC address segment. In this case, the IP address can be
obtained from the DHCP server through DHCP relay in the MAC address segment mode.
The MA5600T can select the DHCP server based on the MAC address segment. After the
configuration is completed, clients in this MAC address segment obtain IP addresses from the
corresponding DHCP server.

Procedure
Step 1 Configure the DHCP forwarding mode.
Choose one of the following two methods to configure the DHCP forwarding mode:
- In the global config mode, run the dhcp mode layer-3 mac-range command to set the DHCP relay mode to the L3 MAC address segment mode (layer-3, mac-range). If the keyword vlan is selected and vlanid is entered, this configuration takes effect only for this VLAN.
- Perform the following configuration in the VLAN service profile:
1. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
2. Run the dhcp mode layer-3 mac-range command to configure the DHCP mode.
3. Run the commit command to make the profile configuration take effect. The configuration of the VLAN service profile takes effect only after execution of this command.
4. Run the quit command to quit the VLAN service profile mode.
5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 1.1.

Step 2 Configure the DHCP server group.
1. In the global config mode, run the dhcp-server command to create a DHCP server group.
- igroup-number: Indicates the number of the DHCP server group. It identifies a server group. You can run the display dhcp-server all-group command to query the DHCP server groups that are already configured and select a DHCP server group number that is not used by the system.
- ip-addr: Indicates the IP address of the DHCP server in the DHCP server group. Up to four IP addresses can be entered.

CAUTION
The IP address of the DHCP server configured here must be the same as the IP address
of the DHCP server in the network side.

2. (Optional) Run the dhcp server mode command to configure the working mode of the DHCP server.
The DHCP servers in the DHCP server group can work in the load balancing mode or
active/standby mode. By default, they work in the load balancing mode.

Step 3 Define the MAC address segment.
1. In the global config mode, run the dhcp mac-range command to create a MAC address segment, and then enter the MAC address segment mode.
range-name indicates the name of the MAC address segment. It functions as a comment
and has no other special meaning.
2. In the MAC address segment mode, run the mac-range mac-address-start to mac-address-end command to configure the MAC address range.

Step 4 Bind the DHCP server group to the MAC address segment.
In the MAC address segment mode, run the dhcp-server command to bind a DHCP server group
to the MAC address segment.
Step 5 Configure the IP address of the gateway corresponding to the MAC address segment.
1. In the global config mode, run the interface vlanif command to create a VLAN L3 interface.
The VLAN ID must be the same as the ID of the VLAN described in the prerequisite.
2. In the VLANIF mode, run the ip address command to configure the IP address of the VLAN L3 interface.
After the configuration is completed, this IP address is used as the source IP address for
forwarding the IP packets in the VLAN at L3.

CAUTION
- If only an L2 device exists between the MA5600T and the DHCP server, the IP address of the VLAN L3 interface should be in the same subnet as the IP address of the DHCP server.
- If the upper-layer device of the MA5600T is an L3 device, the IP address of the VLAN L3 interface and the IP address of the DHCP server can be in different subnets; however, a route must exist between the VLAN L3 interface and the DHCP server. For details, see 3.3 Configuring the Route.

3. In the VLANIF mode, run the dhcp mac-range gateway command to configure the IP address of the gateway corresponding to the MAC address segment.
The IP address of the gateway must be a configured IP address of the VLAN interface.
Under the same VLAN interface, different MAC address segments can be configured with
different gateways. Therefore, different DHCP servers can be selected according to the
MAC address segment information in the packet.
Step 6 (Optional) Configure the DHCP proxy.
To hide the IP address of the DHCP server (preventing attacks to the DHCP server from the
client), or to configure the MA5600T to allocate a shorter lease time to the client (compared
with the lease time directly allocated by the DHCP server), configure the DHCP proxy.
1. Enable the DHCP proxy function. When DHCP proxy is enabled, the DHCP server ID proxy and the lease-time proxy are enabled.
Choose one of the following two methods to enable DHCP proxy:
- In the global config mode, run the dhcp proxy enable command to enable DHCP proxy.
- Perform the configuration in the VLAN service profile:
a. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
b. Run the dhcp proxy enable command to enable DHCP proxy.
c. Run the commit command to make the profile configuration take effect. The configuration of the VLAN service profile takes effect only after execution of this command.
d. Run the quit command to quit the VLAN service profile mode.
e. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 6.1.a.
2. In the global config mode, run the dhcp proxy lease-time command to configure the global proxy lease time.
The proxy lease time configured here should be shorter than the lease time allocated by the
DHCP server.

----End

Example
Assume that server group 2 contains two DHCP servers working in the load balancing mode,
with the IP address of the primary server 10.10.10.10 and the IP address of the secondary server
10.10.10.11. To bind server group 2 to certain users (whose MAC address is in the range from
0000-0000-0001 to 0000-0000-0100) in VLAN 2, do as follows:
huawei(config)#dhcp mode layer-3 mac-range
huawei(config)#dhcp-server 2 ip 10.10.10.10 10.10.10.11
huawei(config)#dhcp mac-range huawei
huawei(config-mac-range-huawei)#mac-range 0000-0000-0001 to 0000-0000-0100
huawei(config-mac-range-huawei)#dhcp-server 2
huawei(config-mac-range-huawei)#quit
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.1.2.1 24
huawei(config-if-vlanif2)#dhcp mac-range huawei gateway 10.1.2.1
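
The following Python sketch is an added example, not part of the original guide and not Huawei code. It parses the command lines of the example above, reports which DHCP server group a client MAC address falls into, and checks the segment definitions for overlaps and dangling bindings before they are committed. The function names, the inclusive treatment of both range ends and the "no match returns None" behaviour are assumptions.

```python
import re

# Constructed input: the command lines of the example above, prompts removed.
CONFIG = """\
dhcp mode layer-3 mac-range
dhcp-server 2 ip 10.10.10.10 10.10.10.11
dhcp mac-range huawei
mac-range 0000-0000-0001 to 0000-0000-0100
dhcp-server 2
quit
interface vlanif 2
ip address 10.1.2.1 24
dhcp mac-range huawei gateway 10.1.2.1
"""


def mac_to_int(mac):
    """Turn xxxx-xxxx-xxxx or xx:xx:xx:xx:xx:xx into a 48-bit integer."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def new_segment():
    return {"start": None, "end": None, "group": None, "gateway": None}


def parse_config(text):
    """Return (server groups, MAC address segments) found in the command lines."""
    groups = {}     # group number -> list of DHCP server IP addresses
    segments = {}   # segment name -> start, end, bound group, gateway
    current = None  # segment whose mode the commands are currently in
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "dhcp-server" and len(w) >= 4 and w[2] == "ip":
            groups[int(w[1])] = w[3:]
        elif w[:2] == ["dhcp", "mac-range"] and len(w) == 3:
            current = w[2]
            segments.setdefault(current, new_segment())
        elif w[:2] == ["dhcp", "mac-range"] and len(w) == 5 and w[3] == "gateway":
            segments.setdefault(w[2], new_segment())["gateway"] = w[4]
        elif current and w[0] == "mac-range" and len(w) == 4 and w[2] == "to":
            segments[current]["start"] = mac_to_int(w[1])
            segments[current]["end"] = mac_to_int(w[3])
        elif current and w[0] == "dhcp-server" and len(w) == 2:
            segments[current]["group"] = int(w[1])
        elif w[0] == "quit":
            current = None
    return groups, segments


def select_server(mac, groups, segments):
    """Return the segment, servers and gateway for a client MAC, or None."""
    value = mac_to_int(mac)
    for name, seg in segments.items():
        # Assumption: both ends of the configured range are inclusive.
        if seg["start"] is not None and seg["start"] <= value <= seg["end"]:
            return {"segment": name, "group": seg["group"],
                    "servers": groups.get(seg["group"], []),
                    "gateway": seg["gateway"]}
    return None  # the page does not say what the device does with other MACs


def lint(groups, segments):
    """List configuration problems that would make server selection ambiguous."""
    problems = []
    items = list(segments.items())
    for name, seg in items:
        if seg["start"] is None:
            problems.append(f"{name}: no mac-range configured")
            continue
        if seg["start"] > seg["end"]:
            problems.append(f"{name}: range start is above range end")
        if seg["group"] not in groups:
            problems.append(f"{name}: server group {seg['group']} is not bound or not defined")
        if seg["gateway"] is None:
            problems.append(f"{name}: no gateway configured on a VLAN interface")
    for i, (a, sa) in enumerate(items):
        for b, sb in items[i + 1:]:
            if None in (sa["start"], sb["start"]):
                continue
            if sa["start"] <= sb["end"] and sb["start"] <= sa["end"]:
                problems.append(f"{a} and {b}: MAC ranges overlap")
    return problems


if __name__ == "__main__":
    groups, segments = parse_config(CONFIG)
    for mac in ("0000-0000-0001", "00:00:00:00:01:00", "0000-0000-0101"):
        print(mac, "->", select_server(mac, groups, segments))
    print("problems:", lint(groups, segments))
```

Because the relay selects the server from the client hardware address carried in the DHCP packet, the overlap check matters: two segments that share addresses leave the choice of server to evaluation order.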

3.3 Configuring the Route


This topic describes the routing policy supported by the MA5600T and how to configure the
routing protocol.

3.3.1 Configuration Example of the Routing Policy


This topic provides an example for configuring a routing policy for imported routes.

Service Requirements
- Consider two MA5600Ts with the routing function enabled, namely MA5600T_A and MA5600T_B. Both run the OSPF routing protocol and are within area 0.
- MA5600T_A imports static routes, and MA5600T_B is configured with the route filtering policy.

Figure 3-3 Example network for configuring the routing policy
[Figure labels: Static: 10.0.10.1, 10.0.20.1, 10.0.30.1; Vlanif2 10.0.0.1/16; MA5600T_A 1.1.1.1; Vlanif2 10.0.0.2/16; Area 0; MA5600T_B 2.2.2.2]

Procedure
Step 1 Configure MA5600T_A.
1. Configure the IP address of the L3 interface on MA5600T_A.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.0.0.1 24
huawei(config-if-vlanif2)#quit

2. Enable OSPF on MA5600T_A and specify the area ID to which the interface belongs.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 10.0.0.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit

3. Configure the OSPF router ID on MA5600T_A.
huawei(config)#router id 1.1.1.1

4. Configure three static routes.
huawei(config)#ip route-static 20.0.0.1 32 vlanif 2 10.0.0.1
huawei(config)#ip route-static 30.0.0.1 32 vlanif 2 10.0.0.1
huawei(config)#ip route-static 40.0.0.1 32 vlanif 2 10.0.0.1

5. Import static routes into the OSPF routing table to improve its capability of obtaining routes.
huawei(config)#ospf
huawei(config-ospf-1)#import-route static
huawei(config-ospf-1)#quit

6. Save the data.
huawei(config)#save

Step 2 Configure MA5600T_B.
1. Configure the IP address of the L3 interface on MA5600T_B.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.0.0.2 24
huawei(config-if-vlanif2)#quit

2. Configure the ACL.
huawei(config)#acl 2000
huawei(config-acl-basic-2000)#rule deny source 30.0.0.0 255.255.255.0
huawei(config-acl-basic-2000)#rule permit source any
huawei(config-acl-basic-2000)#quit

3. Enable OSPF on MA5600T_B and specify the area ID to which the interface belongs.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 10.0.0.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit

4. Configure the OSPF router ID of MA5600T_B.
huawei(config)#router id 2.2.2.2

5. Filter imported routes.
huawei(config)#ospf
huawei(config-ospf-1)#filter-policy 2000 import
huawei(config-ospf-1)#quit

6. Save the data.
huawei(config)#save

----End

Result
1. MA5600T_A and MA5600T_B run OSPF successfully and can communicate with each other.
2. After the filter is configured on MA5600T_B, some of the three imported static routes are available on MA5600T_B while the rest are screened. That is, routes from segments 20.0.0.0 and 40.0.0.0 are available, while the route from segment 30.0.0.0 is screened.

Configuration File
Configuration on MA5600T_A.
vlan 2 smart
port vlan 2 0/17 0
interface vlanif 2
ip address 10.0.0.1 24
quit
ospf
area 0
network 10.0.0.0 0.0.0.255
quit
quit
router id 1.1.1.1
ip route-static 20.0.0.1 32 vlanif 2 10.0.0.1
ip route-static 30.0.0.1 32 vlanif 2 10.0.0.1
ip route-static 40.0.0.1 32 vlanif 2 10.0.0.1
ospf
import-route static
quit
save

Configuration on MA5600T_B.
vlan 2 smart
port vlan 2 0/17 0
interface vlanif 2
ip address 10.0.0.2 24
quit
acl 2000
rule deny source 30.0.0.0 255.255.255.0
rule permit source any
quit
ospf
area 0
network 10.0.0.0 0.0.0.255
quit
quit
router id 2.2.2.2
ospf
filter-policy 2000 import
quit
save

3.3.2 Configuration Example of the Static Route


This topic describes how to manually add static routes to interconnect MA5600T devices.

Service Requirements
In this example network, MA5600T_A, MA5600T_B, and MA5600T_C have the routing
function. It is expected that after the configuration, any two PCs can communicate with each
other.
Figure 3-4 Example network for configuring the static route
[Figure labels: PC_C 1.1.5.1/24; 1.1.5.2/24; 1.1.2.2/24; 1.1.2.1/24; MA5600T_C; 1.1.3.1/24; 1.1.3.2/24; 1.1.4.2/24; 1.1.1.2/24; MA5600T_A; MA5600T_B; PC_A 1.1.1.1/24; PC_B 1.1.4.1/24]

Procedure
Step 1 Configure the IP address of the L3 interface.
The configurations for the three MA5600T devices are similar. The configuration of
MA5600T_A is used as an example.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 1.1.1.2 24
huawei(config-if-vlanif2)#ip address 1.1.2.1 24 sub
huawei(config-if-vlanif2)#quit

Step 2 Configure static routes.
1. Configure static routes for MA5600T_A.
huawei(config)#ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
huawei(config)#ip route-static 1.1.4.0 255.255.255.0 1.1.2.2

2. Configure static routes for MA5600T_B.
huawei(config)#ip route-static 1.1.5.0 255.255.255.0 1.1.3.1
huawei(config)#ip route-static 1.1.1.0 255.255.255.0 1.1.3.1

3. Configure static routes for MA5600T_C.
huawei(config)#ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
huawei(config)#ip route-static 1.1.4.0 255.255.255.0 1.1.3.2

Step 3 Configure the host gateways.
1. Configure the default gateway of Host A to 1.1.1.2.
2. Configure the default gateway of Host B to 1.1.4.2.
3. Configure the default gateway of Host C to 1.1.5.2.

Step 4 Save the data.
huawei#save

----End

Result
After the configuration, an interconnection can be set up between all the hosts and between all
the MA5600T devices.

Configuration File
Configuration example of MA5600T_A.
vlan 2 smart
port vlan 2 0/17 0
interface vlanif 2
ip address 1.1.1.2 24
ip address 1.1.2.1 24 sub
quit
ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
ip route-static 1.1.4.0 255.255.255.0 1.1.2.2

3.3.3 Configuration Example of RIP


This topic provides an example for configuring RIP on the MA5600T.

Service Requirements
- MA5600T_A is subtended with MA5600T_B through port 0/17/1, and uses port 0/17/0 to transmit services in the upstream. Besides, it connects to the management center network through the WAN.
- RIP is enabled on MA5600T_A and MA5600T_B so that the administrator can access MA5600T_A and MA5600T_B through the RIP route. Then, you can operate and maintain MA5600T_A and MA5600T_B.

Figure 3-5 Example network for configuring RIP
[Figure labels: Management Center; Router; 10.13.24.5/22; GE 10.15.24.1/26; MA5600T_B, Loopback ip 10.13.2.2/32; MA5600T_A, Loopback ip 10.13.2.1/32; Operation and maintenance; 10.15.24.2/26]

Data Plan
Table 3-2 provides the data plan for configuring RIP.
Table 3-2 Data plan for configuring RIP

Item: MA5600T_A
Data:
- Upstream port: 0/17/0
- Administration VLAN: smart VLAN 100
- IP address of the L3 interface in the administration VLAN: 10.13.24.5/22
- Loopback interface address: 10.13.2.1/32
- RIP version: V2
- RIP route filtering policy: filtering routes based on the IP address prefix list "abc". Only the routes with the IP addresses 10.13.2.1 and 10.13.2.2 can be advertised through the L3 interface of VLAN 100.
- Subtending port: 0/17/1
- Subtending administration VLAN: smart VLAN 10
- IP address of the L3 interface in the subtending administration VLAN: 10.15.24.1/26

Item: MA5600T_B
Data:
- Subtending port: 0/17/0
- Administration VLAN: smart VLAN 10
- IP address of the L3 interface in the administration VLAN: 10.15.24.2/26
- Loopback interface address: 10.13.2.2/32
- RIP version: V2
- RIP route filtering policy: filtering routes based on the IP address prefix list "abc". Only the route with the IP address 10.13.2.2 can be advertised through the L3 interface of VLAN 10.

Procedure
- Configure MA5600T_A.
1. Configure the RIP-supported L3 interface.
huawei(config)#vlan 100 smart
huawei(config)#port vlan 100 0/17 0
huawei(config)#interface vlanif 100
huawei(config-if-vlanif100)#ip address 10.13.24.5 22
huawei(config-if-vlanif100)#quit
huawei(config)#interface loopBack 0
huawei(config-if-loopback0)#ip address 10.13.2.1 32
huawei(config-if-loopback0)#quit

2. Enable RIP.
huawei(config)#rip 1
huawei(config-rip-1)#network 10.13.24.0
huawei(config-rip-1)#network 10.13.2.0
huawei(config-rip-1)#version 2
huawei(config-rip-1)#quit

3. Configure the route filtering policy.
huawei(config)#ip ip-prefix abc permit 10.13.2.1 32
huawei(config)#ip ip-prefix abc permit 10.13.2.2 32
huawei(config)#rip 1
huawei(config-rip-1)#filter-policy ip-prefix abc export vlanif 100
huawei(config-rip-1)#quit

4. Configure the subtending port.
huawei(config)#vlan 10 smart
huawei(config)#port vlan 10 0/17 1
huawei(config)#interface giu 0/17
huawei(config-if-giu-0/17)#network-role 1 cascade
huawei(config-if-giu-0/17)#quit
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#ip address 10.15.24.1 26
huawei(config-if-vlanif10)#quit

5. Enable RIP on the subtending port.
huawei(config)#rip 1
huawei(config-rip-1)#network 10.15.24.0
huawei(config-rip-1)#quit

6. Save the data.
huawei(config)#save

- Configure MA5600T_B.
1. Configure the RIP-supported L3 interface.
huawei(config)#vlan 10 smart
huawei(config)#port vlan 10 0/17 0
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#ip address 10.15.24.2 26
huawei(config-if-vlanif10)#quit
huawei(config)#interface loopBack 0
huawei(config-if-loopback0)#ip address 10.13.2.2 32
huawei(config-if-loopback0)#quit

2. Enable RIP.
huawei(config)#rip 1
huawei(config-rip-1)#network 10.15.24.0
huawei(config-rip-1)#network 10.13.2.0
huawei(config-rip-1)#version 2
huawei(config-rip-1)#quit

3. Configure the route filtering policy.
huawei(config)#ip ip-prefix abc permit 10.13.2.2 32
huawei(config)#rip 1
huawei(config-rip-1)#filter-policy ip-prefix abc export vlanif 10
huawei(config-rip-1)#quit

4. Save the data.
huawei(config)#save

----End

Result
The maintenance terminal of the administration center can access MA5600T_A and
MA5600T_B, and operate and maintain the two devices.

Configuration File
Configuration on MA5600T_A
vlan 100 smart
port vlan 100 0/17 0
interface vlanif 100
ip address 10.13.24.5 22
quit
interface loopBack 0
ip address 10.13.2.1 32
quit
rip 1
network 10.13.24.0
network 10.13.2.0
version 2
quit
ip ip-prefix abc permit 10.13.2.1 32
ip ip-prefix abc permit 10.13.2.2 32
rip 1
filter-policy ip-prefix abc export vlanif 100
quit
vlan 10 smart
port vlan 10 0/17 1
interface giu 0/17
network-role 1 cascade
quit
interface vlanif 10
ip address 10.15.24.1 26
quit
rip 1
network 10.15.24.0
quit
save

Configuration on MA5600T_B
vlan 10 smart
port vlan 10 0/17 0
interface vlanif 10
ip address 10.15.24.2 26
quit
interface loopBack 0
ip address 10.13.2.2 32
quit
rip 1
network 10.15.24.0
network 10.13.2.0
version 2
quit
ip ip-prefix abc permit 10.13.2.2 32
rip 1
filter-policy ip-prefix abc export vlanif 10
quit
save
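
The following Python sketch is an added example, not part of the original guide. It evaluates the export filters of the two configuration files above against the routes each device would hold, so the data plan statement ("only the routes with the IP addresses 10.13.2.1 and 10.13.2.2 can be advertised through the L3 interface of VLAN 100") can be checked offline. The route lists are constructed from the data plan; exact-match semantics for entries without a length range and the implicit deny for unmatched routes are assumptions about how the prefix list is evaluated.

```python
import ipaddress

# Constructed input: the filter-related lines of the two configuration files above.
CONFIG_A = """\
ip ip-prefix abc permit 10.13.2.1 32
ip ip-prefix abc permit 10.13.2.2 32
rip 1
filter-policy ip-prefix abc export vlanif 100
quit
"""
CONFIG_B = """\
ip ip-prefix abc permit 10.13.2.2 32
rip 1
filter-policy ip-prefix abc export vlanif 10
quit
"""
# Constructed from the data plan: routes each device could advertise.
ROUTES_A = ["10.13.24.0/22", "10.13.2.1/32", "10.13.2.2/32", "10.15.24.0/26"]
ROUTES_B = ["10.15.24.0/26", "10.13.2.2/32", "10.13.2.1/32", "10.13.24.0/22"]


def parse(text):
    """Return (prefix lists, export filters per interface) from config lines."""
    prefix_lists = {}    # list name -> [(action, IPv4Network), ...] in order
    export_filters = {}  # interface name -> prefix-list name
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["ip", "ip-prefix"] and len(w) == 6:
            name, action, addr, length = w[2:]
            net = ipaddress.ip_network(f"{addr}/{length}", strict=False)
            prefix_lists.setdefault(name, []).append((action, net))
        elif (w[:2] == ["filter-policy", "ip-prefix"] and len(w) == 6
              and w[3] == "export" and w[4] == "vlanif"):
            export_filters[f"vlanif{w[5]}"] = w[2]
    return prefix_lists, export_filters


def advertised(config, interface, routes):
    """Return the routes that pass the export filter bound to the interface."""
    prefix_lists, export_filters = parse(config)
    name = export_filters.get(interface)
    if name is None:
        # No export filter on this interface: nothing is suppressed.
        return list(routes)
    if name not in prefix_lists:
        raise ValueError(f"filter-policy references undefined prefix list {name!r}")
    passed = []
    for route in routes:
        net = ipaddress.ip_network(route)
        for action, entry in prefix_lists[name]:
            # Assumption: an entry without a length range matches only the
            # identical prefix and mask length; the first match decides.
            if net == entry:
                if action == "permit":
                    passed.append(route)
                break
        # Assumption: a route that matches no entry is denied.
    return passed


if __name__ == "__main__":
    print("A via vlanif100:", advertised(CONFIG_A, "vlanif100", ROUTES_A))
    print("A via vlanif10: ", advertised(CONFIG_A, "vlanif10", ROUTES_A))
    print("B via vlanif10: ", advertised(CONFIG_B, "vlanif10", ROUTES_B))
```

The second call shows the gap worth reviewing: MA5600T_A has no export filter on the subtending interface, so the filter on VLAN 100 is the only thing limiting what reaches the management network.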

3.3.4 Configuration Example of OSPF


This topic provides an example for configuring OSPF on the MA5600T.

Service Requirements
- OSPF is enabled on the four MA5600Ts.
- MA5600T_A is configured with the highest designated router (DR) priority, MA5600T_C is configured with the second highest DR priority, and MA5600T_A, acting as the DR, broadcasts the network link status.

Figure 3-6 Example network for configuring OSPF
[Figure labels: MA5600T_A 1.1.1.1; MA5600T_D 4.4.4.4; DR 192.1.1.1/24; 192.1.1.4/24; 192.1.1.2/24; 192.1.1.3/24 BDR; MA5600T_B 2.2.2.2; MA5600T_C 3.3.3.3]

Data Plan
Table 3-3 provides the data plan for configuring OSPF.
Table 3-3 Data plan for configuring OSPF

Item: MA5600T_A
Data:
- IP address of the L3 interface: 192.1.1.1/24
- Priority: 100
- VLAN ID: 2
- Router ID: 1.1.1.1

Item: MA5600T_B
Data:
- IP address of the L3 interface: 192.1.1.2/24
- Priority: 80
- VLAN ID: 2
- Router ID: 2.2.2.2

Item: MA5600T_C
Data:
- IP address of the L3 interface: 192.1.1.3/24
- Priority: 90
- VLAN ID: 2
- Router ID: 3.3.3.3

Item: MA5600T_D
Data:
- IP address of the L3 interface: 192.1.1.4/24
- Priority: not configured (Remarks: Default: 1)
- VLAN ID: 2
- Router ID: 4.4.4.4

Background Information
- The native VLAN of each interface of the MA5600T must be configured to ensure normal communication.
- The OSPF area IDs of the MA5600T devices must be consistent.

Procedure
Step 1 Configure MA5600T_A.
1. Configure the IP address of the L3 interface.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 192.1.1.1 24
huawei(config-if-vlanif2)#quit

2. Configure the OSPF Router ID.
huawei(config)#router id 1.1.1.1

3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.1.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 1.1.1.1 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit

4. Configure the OSPF priority.
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ospf dr-priority 100
huawei(config-if-vlanif2)#quit

5. Save the data.
huawei(config)#save

Step 2 Configure MA5600T_B.
1. Configure the IP address of the L3 interface.
huawei(config)#vlan 2 mux
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 192.1.1.2 24
huawei(config-if-vlanif2)#quit

2. Configure the OSPF Router ID.
huawei(config)#router id 2.2.2.2

3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.1.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 2.2.2.2 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit

4. Configure the OSPF priority.
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ospf dr-priority 80
huawei(config-if-vlanif2)#quit

5. Save the data.
huawei(config)#save

Step 3 Configure MA5600T_C.
1. Configure the IP address of the L3 interface.
huawei(config)#vlan 2 mux
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 192.1.1.3 24
huawei(config-if-vlanif2)#quit

2. Configure the OSPF Router ID.
huawei(config)#router id 3.3.3.3

3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.1.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 3.3.3.3 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit

4. Configure the OSPF priority.
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ospf dr-priority 90
huawei(config-if-vlanif2)#quit

5. Save the data.
huawei(config)#save

Step 4 Configure MA5600T_D.
1. Configure the IP address of the L3 interface.
huawei(config)#vlan 2 mux
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 192.1.1.4 24
huawei(config-if-vlanif2)#quit

2. Configure the OSPF Router ID.
huawei(config)#router id 4.4.4.4

3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.1.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 4.4.4.4 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit

4. Save the data.
huawei(config)#save

----End

Result
Run the display ip routing-table command to view the learned routes. Hosts can
communicate with each other.

Configuration File
Configuration on each MA5600T is similar. Take MA5600T_A for example.
vlan 2 smart
port vlan 2 0/17 0
interface vlanif 2
ip address 192.1.1.1 24
quit
router id 1.1.1.1
ospf
area 0
network 192.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
quit
quit
interface vlanif 2
ospf dr-priority 100
quit
save
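
The following Python sketch is an added example, not part of the original guide. It applies the two-step DR/BDR election of RFC 2328 section 9.4 to the priorities and router IDs of Table 3-3 on a single broadcast segment, and then shows that the election is not preemptive: after MA5600T_A leaves and rejoins, its priority of 100 does not win the DR role back. The Router class and function names are assumptions, and all routers are assumed to see each other's Hello packets.

```python
from dataclasses import dataclass
import ipaddress

NONE = "0.0.0.0"  # value a router declares when it knows no DR or BDR


@dataclass
class Router:
    name: str
    router_id: str
    priority: int = 1   # default priority, as noted in Table 3-3
    dr: str = NONE      # DR this router currently declares
    bdr: str = NONE     # BDR this router currently declares


def rank(r):
    """Higher priority wins; the higher router ID breaks ties."""
    return (r.priority, int(ipaddress.IPv4Address(r.router_id)))


def elect_once(routers):
    """One pass of the election: BDR first, then DR."""
    eligible = [r for r in routers if r.priority > 0]  # priority 0 never wins
    # BDR: only routers not declaring themselves DR; self-declared BDRs first.
    not_dr = [r for r in eligible if r.dr != r.router_id]
    claim_bdr = [r for r in not_dr if r.bdr == r.router_id]
    bdr = max(claim_bdr or not_dr, key=rank, default=None)
    # DR: only routers declaring themselves DR; otherwise the BDR is promoted.
    claim_dr = [r for r in eligible if r.dr == r.router_id]
    dr = max(claim_dr, key=rank, default=None) or bdr
    return dr, bdr


def elect(routers):
    """Repeat the pass until roles stop changing; return (DR name, BDR name)."""
    previous = None
    for _ in range(10):
        dr, bdr = elect_once(routers)
        result = (dr.name if dr else None, bdr.name if bdr else None)
        for r in routers:  # every router now announces the elected pair
            r.dr = dr.router_id if dr else NONE
            r.bdr = bdr.router_id if bdr else NONE
        if result == previous:
            return result
        previous = result
    return previous


def table_3_3():
    """Routers of Table 3-3, all starting without a known DR or BDR."""
    return [Router("MA5600T_A", "1.1.1.1", 100),
            Router("MA5600T_B", "2.2.2.2", 80),
            Router("MA5600T_C", "3.3.3.3", 90),
            Router("MA5600T_D", "4.4.4.4")]


if __name__ == "__main__":
    segment = table_3_3()
    print("cold start:       ", elect(segment))
    segment = [r for r in segment if r.name != "MA5600T_A"]
    print("MA5600T_A down:   ", elect(segment))
    segment.append(Router("MA5600T_A", "1.1.1.1", 100))
    print("MA5600T_A rejoins:", elect(segment))
```

The cold-start result matches the DR and BDR labels in Figure 3-6; the other two results are why the DR role after a restart should be verified on the devices rather than assumed from the configured priorities.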

4 Configuring the GPON Internet Access Service

About This Chapter


The GPON broadband Internet access service is applicable to the scenario that provides users
with the Internet access service through optical fibers. The networking mode for the service can
be FTTH, FTTB, or FTTC. This topic describes how to configure the Internet access service
provided by the MA5600T through GPON.

Application Context
GPON is mainly used in the FTTx solution. FTTx brings the optical network into the
access network. Its coverage is from the CO device of the regional
telecommunications room to the subscriber terminal. The optical line terminal (OLT) functions
as the CO device. The optical network unit (ONU) or the optical network terminal (ONT)
functions as the subscriber terminal.
- FTTH refers to fiber to the home. In this networking scenario, the MA5600T functions as an OLT and is connected to the ONT at lower layer through the ODN. The ONT is connected to subscribers to provide the voice, Internet access, and IPTV services.
- FTTB refers to fiber to the building. In this networking scenario, the MA5600T functions as an OLT and is connected to the MDU or ONUs of other types at lower layer through the ODN. The ONU or MDU is connected to subscribers. FTTB can be further classified into FTTB+DSL and FTTB+LAN. These two modes respectively use the home gateway with an RJ-11 upstream port and the home gateway with a LAN upstream port to provide the voice, Internet access, and IPTV services.
- FTTC refers to fiber to the curb. FTTC is mainly used to provide services for residential subscribers. The ONU is placed in the cabinet at the curb. It uses coaxial cables to transmit CATV signals or uses twisted pairs to transmit the voice and Internet access services. In this networking scenario, the MA5600T functions as an OLT and is connected to the MDU or outdoor cabinets for ONUs of other types at lower layer through the ODN. The ONU or MDU is connected to subscribers. FTTC and FTTB are the same in configuration and differ from each other only in the networking mode.

Prerequisite
- Configure the AAA function.
To enable the AAA function on the device, see 2.12 Configuring AAA.
If the AAA function is implemented by the BRAS, a connection to the BRAS must be
established. The BRAS should be capable of identifying the VLAN tag of the
MA5600T in the upstream direction. For the identification purpose, the user name and
password for dial-up Internet access must be configured on the BRAS.
- The GPON profile for the Internet access service is already created.
For an ONT, 4.1.2 Configuring a GPON ONT Line Profile, 4.1.3 Configuring a
GPON ONT Service Profile, and 4.1.4 Configuring a GPON ONT Alarm Profile
are already completed.
For an MDU or ONU, 4.1.2 Configuring a GPON ONT Line Profile and 4.1.4
Configuring a GPON ONT Alarm Profile are already completed.
- The GPON mode is already switched to the profile mode.

Data Plan
Before configuring the GPON Internet access service, plan the data items as listed in Table
4-1.
Table 4-1 Data plan for the GPON Internet access service

Parameter: MA5600T
- Data: Access rate. Remarks: Configure the data according to the user requirements.
- Data: Access port. Remarks: Configure the data according to the network planning.
- Data: VLAN planning. Remarks: The cooperation with the upper-layer device should be considered in the VLAN planning. The upstream VLAN must be the same as that of the upper-layer device.
- Data: QoS policy. Remarks: Configure the data according to the QoS policy of the entire network. Generally, the priority of the Internet access service is lower than the priorities of the voice and video services.
- Data: T-CONT ID. Remarks: It is recommended that you do not use T-CONT 0 to transmit services.
- Data: GEM port index.
- Data: ONT line profile, ONT service profile. Remarks: The ONT service profile must be the same as the actual capacity.

Parameter: ONT
- Data: ONT index. Remarks: GPON supports a split ratio of up to 1:128. You need to plan the ONTs connected to the MA5600T to facilitate management.
- Data: Authentication mode. Remarks: You can use the password authentication and the serial number authentication.

Parameter: Upper-layer LAN switch
- Remarks: The LAN switch transparently transmits the service packets of the MA5600T on L2.
- Remarks: The VLAN ID must be the same as the upstream VLAN ID of the MA5600T.

Parameter: BRAS
- Remarks: The BRAS performs the related configurations according to the authentication and accounting requirements for dialup users, for example, configures the access user domain (including the authentication scheme, accounting scheme, and authorization scheme bound to the domain) and specifies the RADIUS server.
- Remarks: If the BRAS is used to authenticate users, you need to configure the user name and the password for each user on the BRAS. If the BRAS is used to allocate IP addresses, you need to configure the corresponding IP address pool on the BRAS.

Procedure
1. 4.1 Configuring xPON Profiles
Configuring an xPON profile is a prerequisite for configuring an xPON access service. This
topic describes how to configure a DBA profile and an xPON ONT profile.

2. 4.2 Configuring a VLAN
Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring
a service, make sure that the VLAN configuration based on planning is complete.

3. 4.3 Configuring an Upstream Port
This topic describes how to add an upstream port for an Internet access service to a VLAN.

4. 4.4 Configuring a GPON ONT
The MA5600T provides end users with services through the ONT. The MA5600T can
manage the ONT and the ONT can work in the normal state only after the channel between
the MA5600T and the ONT is available.

5. 4.5 Configuring a GPON Port
To work normally and carry the service, a GPON port must be enabled first. This topic
describes how to enable a GPON port and configure related attributes of the port.

6. 4.6 Creating a GPON Service Port
A service port is a service channel connecting the user side to the network side. To provision
services, a service port must be created.

4.1 Configuring xPON Profiles


Configuring an xPON profile is a prerequisite for configuring an xPON access service. This
topic describes how to configure a DBA profile and an xPON ONT profile.

Context
NOTE

For the MA5600T, xPON indicates GPON and EPON collectively.

4.1.1 Configuring a DBA Profile


A DBA profile defines the traffic parameters of xPON and can be bound to dynamically allocate
the bandwidth and improve the usage of the upstream bandwidth.

Default Configuration
Table 4-2 lists the default settings of the DBA profiles.
Table 4-2 Default settings of the DBA profiles

| Parameter | Default Setting | Remarks |
|---|---|---|
| Default DBA profile ID in the system | 1-9 | You can run the display dba-profile all command to query the parameter values of each default DBA profile. |

Procedure
Step 1 Add a DBA profile.
Run the dba-profile add command to add a DBA profile. The system provides nine default
DBA profiles numbered 1-9, which define the typical values of traffic parameters. These DBA
profiles cannot be added or deleted.
NOTE

- By default, T-CONT is not bound to any DBA profile. Hence, a DBA profile must be configured for T-CONT. By default, LLID is bound to DBA profile 9.
- When you add a DBA profile, the bandwidth value must be a multiple of 64. If you enter a bandwidth value
  that is not a multiple of 64, the system adopts the closest multiple of 64 that is smaller than the value you enter.

Step 2 Query a DBA profile.
Run the display dba-profile command to query a DBA profile.
----End


Example
Assume that the name and type of a DBA profile are "DBA_bandwidth" and "type3"
respectively, and that the bandwidth required by a user is 10 Mbit/s. To add such a DBA profile,
do as follows:
huawei(config)#dba-profile add profile-name DBA_10M type3 assure 10240 max 10240
huawei(config)#display dba-profile profile-name DBA_10M
  -----------------------------------------------------------------
  Profile-name :           DBA_10M
  Profile-ID:              10
  type:                    3
  Bandwidth compensation:  No
  Fix(kbps):               0
  Assure(kbps):            10240
  Max(kbps):               10240
  bind-times:              0
  -----------------------------------------------------------------

4.1.2 Configuring a GPON ONT Line Profile


Configure a GPON ONT line profile and use it when adding an ONT. An ONT must be bound
to a GPON ONT line profile when its management mode is OMCI or SNMP.

Default Configuration
Table 4-3 lists the default settings of a GPON ONT line profile.
Table 4-3 Default settings of a GPON ONT line profile

| Parameter | Default Setting |
|---|---|
| QoS mode | Priority-queue (PQ) scheduling mode |
| Mapping mode supported by the ONT | VLAN mapping mode |
| Upstream FEC switch | Disabled |

Procedure
Step 1 Run the ont-lineprofile gpon command to add a GPON ONT line profile, and then enter the
GPON ONT line profile mode.
Regardless of whether the ONT is in the OMCI or SNMP management mode, the line profile
must be configured for the ONT. After adding a GPON ONT line profile, directly enter the
GPON ONT line profile mode to configure the related attributes of the ONT line.
Step 2 Bind the T-CONT with a DBA profile.
Use the following two methods to bind a DBA profile.
- In line profile mode:
  This method is applicable to the scenario where the DBA profile is stable and the terminals
  are of a single type.
  Run the tcont command to bind the T-CONT with a DBA profile. Ensure that 4.1.1
  Configuring a DBA Profile is completed before the configuration.

- In GPON mode:
  This method is applicable to the scenario where the DBA profile changes frequently and the
  terminals are of different types.
  1. Run the tcont command to create a T-CONT, which is not bound with the DBA.
  2. After the configuration of a GPON ONT line profile is complete, enter the GPON mode.
     Run the tcont bind-profile command to bind the T-CONT with a DBA profile. Ensure
     that 4.1.1 Configuring a DBA Profile is completed before the configuration.

By default, T-CONT 0 of an ONT is used by OMCI and is bound with DBA profile 1. The
configuration suggestions for the OMCI T-CONT are as follows:
- Do not modify the DBA profile bound to the T-CONT. If you need to modify the profile,
  ensure that the fixed bandwidth of the modified profile is not lower than 5 Mbit/s.
- Do not bind the GEM port with the T-CONT. That is, ensure that the T-CONT does not carry
  any service.
- If the sum of the fixed bandwidth and assured bandwidth of the bound DBA profile is larger
  than the remaining bandwidth of the GPON port, the binding fails and the system displays a
  message "Failure: The bandwidth is not enough". In this case, you can run the display port
  info command to query the remaining bandwidth (Left guaranteed bandwidth (kbit/s)) of the
  GPON port beforehand, and then decrease the fixed bandwidth and assured bandwidth of the
  bound DBA profile accordingly.
Step 3 (Optional) Configure the QoS mode of the GPON ONT line profile.
Run the qos-mode command to configure the QoS mode of the GPON ONT line profile so that
the QoS mode is the same as the QoS mode of the GEM port. By default, the QoS mode of the
ONT line profile is the PQ scheduling mode. The three QoS modes are as follows:
- flow-car: When this mode is selected, flow-car should be selected in the gem mapping
  command, and the maximum traffic depends on the traffic profile bound to the service port.
  Run the traffic table ip command to create a required traffic profile before the configuration.
  NOTE
  The service port here refers to the service channel from the ONT to the OLT, and is different from the service
  port created by running the service-port command.
- gem-car: When this mode is selected, gem-car should be selected in the gem add command,
  and the maximum traffic depends on the traffic profile bound to the GEM port.
- priority-queue: When this mode is selected, priority-queue should be selected in the gem
  add command. The system has eight default queues (0-7). Queue 7 has the highest priority
  and the traffic of this queue must be ensured first. The maximum traffic depends on the DBA
  profile bound to the corresponding T-CONT.
Step 4 Configure the binding relation between the GEM index and the T-CONT.
Run the gem add command to configure the binding relation between the GEM index and the
T-CONT in the GPON ONT line profile.
The ONT can carry services only after the mapping between the GEM port and the T-CONT,
and the mapping between the GEM port and the service port are configured for the ONT. A
correct attribute should be selected for service-type based on the service type. Select eth when
the Ethernet service is carried. Select tdm when the TDM service is carried.
Step 5 Configure the mapping between the GEM port and the ONT-side service.
Run the gem mapping command to set up the mapping between the GEM port and the ONT-side service.

Before the configuration, run the mapping-mode command to configure the mapping mode
supported by the ONT so that the mapping mode supported by the ONT is the same as the
configured mapping mode between the GEM port and the ONT-side service. By default, the
ONT supports the VLAN mapping mode.
- The mapping modes of the ETH port and the MOCA port are as follows:
  - If the port is specified and then the VLAN is further specified, the mapping mode should
    be configured to port-vlan in the mapping-mode command. That is, the port+VLAN
    mapping mode is used.
  - If the port is specified and then the priority is further specified, the mapping mode should
    be configured to port-priority in the mapping-mode command. That is, the port+priority
    mapping mode is used.
  - If the port and the VLAN are specified and then the priority is further specified, the
    mapping mode should be configured to port-vlan-priority in the mapping-mode
    command. That is, the port+VLAN+priority mapping mode is used.
- As a special port, the IPHOST or E1 port is not restricted by the ONT mapping mode.
Step 6 Configure the upstream FEC switch.
Run the fec-upstream command to configure the upstream FEC switch of the GPON ONT line
profile. By default, this switch is disabled.
In the FEC check, the system inserts redundant data into normal packets. This gives the line
a degree of error tolerance, but consumes some bandwidth resources. Enabling the FEC
function enhances the error tolerance of the line but occupies a certain amount of bandwidth.
Therefore, determine whether to enable the FEC function based on the actual line planning.
Step 7 Run the commit command to make the parameters of the profile take effect. The configuration
of a line profile takes effect only after you perform this operation.
NOTE

If this profile is not bound, all the parameters that are configured take effect when the profile is bound. If this
profile is already bound, the configuration takes effect on all ONTs bound with this profile immediately.

Step 8 Run the quit command to return to the global configuration mode.
----End

Example
Assume that the GEM index is 1 and that the GEM port is bound with T-CONT 1 and mapped to
ETH 1 of the ONT. To add GPON ONT line profile 5, create a channel for carrying the Ethernet
service on T-CONT 1 bound with DBA profile 12, use the QoS policy of controlling the
traffic based on GEM ports, and bind the GEM port with default traffic profile 6, do as follows:
huawei(config)#ont-lineprofile gpon profile-id 5
huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 12
huawei(config-gpon-lineprofile-5)#qos-mode gem-car
huawei(config-gpon-lineprofile-5)#gem add 1 eth tcont 1 gem-car 6
huawei(config-gpon-lineprofile-5)#mapping-mode port
huawei(config-gpon-lineprofile-5)#gem mapping 1 0 eth 1
huawei(config-gpon-lineprofile-5)#commit
huawei(config-gpon-lineprofile-5)#quit
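
The consistency rules stated in the procedure above (the QoS mode must match the mode selected in gem add or gem mapping, T-CONT 0 is reserved for OMCI, and nothing takes effect without commit) can be checked before a script is pasted into the OLT. The following is an added example, not part of the original guide or any Huawei tool; the function names, finding codes and the second, deliberately broken script (profile-id 7) are assumptions made for illustration.

```python
"""Lint a GPON ONT line-profile command script against the guide's rules."""

# The first script is the example from the guide, prompts included.
GUIDE_EXAMPLE = """\
huawei(config)#ont-lineprofile gpon profile-id 5
huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 12
huawei(config-gpon-lineprofile-5)#qos-mode gem-car
huawei(config-gpon-lineprofile-5)#gem add 1 eth tcont 1 gem-car 6
huawei(config-gpon-lineprofile-5)#mapping-mode port
huawei(config-gpon-lineprofile-5)#gem mapping 1 0 eth 1
huawei(config-gpon-lineprofile-5)#commit
huawei(config-gpon-lineprofile-5)#quit
"""

# Constructed input that violates the rules (hypothetical profile 7).
BAD_PROFILE = """\
ont-lineprofile gpon profile-id 7
tcont 1 dba-profile-id 12
qos-mode priority-queue
gem add 1 eth tcont 1 gem-car 6
gem add 2 eth tcont 0 priority-queue 3
gem add 3 eth tcont 4 priority-queue 3
gem mapping 1 0 eth 1
quit
"""

QOS_MODES = ("flow-car", "gem-car", "priority-queue")


def commands(script):
    """Yield each command as a token list, dropping any 'prompt#' prefix."""
    for raw in script.splitlines():
        tokens = raw.split("#", 1)[-1].split()
        if tokens:
            yield tokens


def lint_line_profile(script):
    """Return a list of (code, message) findings for one line-profile block."""
    qos_mode = "priority-queue"   # default QoS mode of a line profile
    tconts = {0}                  # T-CONT 0 exists by default and carries OMCI
    gems, mappings, findings = [], [], []
    committed = False

    # First pass: collect what the script declares, in any order.
    for t in commands(script):
        if t[0] == "tcont" and len(t) > 1 and t[1].isdigit():
            tconts.add(int(t[1]))
            if t[1] == "0" and "dba-profile-id" in t:
                findings.append(("OMCI_TCONT_DBA",
                                 "DBA profile of OMCI T-CONT 0 is changed; its "
                                 "fixed bandwidth must stay at 5 Mbit/s or more"))
        elif t[0] == "qos-mode" and len(t) > 1 and t[1] in QOS_MODES:
            qos_mode = t[1]
        elif t[:2] == ["gem", "add"] and "tcont" in t[:-1]:
            tcont_id = t[t.index("tcont") + 1]
            if tcont_id.isdigit():
                gems.append((t[2], int(tcont_id), t))
        elif t[:2] == ["gem", "mapping"]:
            mappings.append(t)
        elif t[0] == "commit":
            committed = True

    # Second pass: check every GEM index against the collected state.
    for gem, tcont_id, t in gems:
        if tcont_id == 0:
            findings.append(("GEM_ON_OMCI_TCONT",
                             f"GEM {gem} is bound to T-CONT 0, which must not "
                             "carry any service"))
        elif tcont_id not in tconts:
            findings.append(("TCONT_UNDEFINED",
                             f"GEM {gem} refers to T-CONT {tcont_id}, which the "
                             "profile never creates"))
        selected = [m for m in QOS_MODES if m in t]
        if qos_mode != "flow-car" and selected != [qos_mode]:
            findings.append(("QOS_MISMATCH",
                             f"GEM {gem}: gem add selects {selected or 'nothing'} "
                             f"but qos-mode is {qos_mode}"))

    # In flow-car mode the keyword belongs in gem mapping, not gem add.
    if qos_mode == "flow-car":
        for t in mappings:
            if "flow-car" not in t:
                findings.append(("QOS_MISMATCH",
                                 "qos-mode is flow-car but 'gem mapping' does "
                                 "not select flow-car: " + " ".join(t)))

    if not committed:
        findings.append(("NOT_COMMITTED",
                         "no commit: the profile parameters do not take effect"))
    return findings


if __name__ == "__main__":
    for name, script in (("guide example", GUIDE_EXAMPLE), ("bad", BAD_PROFILE)):
        print(name, lint_line_profile(script) or "clean")
```

The linter does not check mapping-mode against gem mapping, because the guide does not show the gem mapping syntax for the port-vlan, port-priority and port-vlan-priority modes.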


4.1.3 Configuring a GPON ONT Service Profile


The GPON ONT service profile provides a channel for configuring the service of the ONT
managed in the OMCI mode. To configure the service of the ONT (such as the MDU) managed
in the SNMP mode, you need to log in to the ONT.

Default Configuration
Table 4-4 lists the default settings of the GPON ONT service profile.
Table 4-4 Default settings of the GPON ONT service profile

| Parameter | Default Setting |
|---|---|
| Multicast mode of the ONT | Unconcern (the OLT does not perform any processing) |
| Mode for the ONT to process the VLAN tag of the multicast data packets | Unconcern |
| Source of the priority copied for the upstream packets on the ONT port | Unconcern |
| QinQ attribute for the Ethernet port of the ONT | Unconcern |
| Transparent transmission function of the ONT | Disabled |
| MAC address learning function of the ONT | Enabled |

Procedure
Step 1 Run the ont-srvprofile gpon command to add a GPON ONT service profile, and then enter the
GPON ONT service profile mode.
If the ONT management mode is the SNMP mode, you need not configure the service profile.
After adding a GPON ONT service profile, directly enter the GPON ONT service profile mode
to configure the related items. Select the configuration items according to the service
requirements.
Step 2 Configure the Internet access service.
1. Run the ont-port eth command to configure the port capability set of the ONT. The
   capability set plans various types of ports supported by the ONT. The port capability set in
   the ONT service profile must be the same as the actual ONT capability set.
2. Run the port vlan command to configure the port VLAN of the ONT.

Step 3 Configure the voice service.
NOTE

The voice service of the ONT is configured by issuing an XML file to the NMS and the OLT performs only
transparent transmission. You only need to run the service-port command to create a service port carrying the
voice service.

1. Run the ont-port pots command to configure the port capability set of the ONT. The port
   capability set in the ONT service profile must be the same as the actual ONT capability set.
2. Run the port vlan command to configure the port VLAN of the ONT.

Step 4 Configure the multicast service.
1. Run the ont-port eth command to configure the port capability set of the ONT. The port
   capability set in the ONT service profile must be the same as the actual ONT capability set.
2. Run the port vlan command to configure the port VLAN of the ONT.
3. Run the multicast mode command to configure the multicast mode of the ONT. By default,
   the multicast mode of the ONT is unconcern.
   - Unconcern: indicates the unconcern mode. After this mode is selected, the OLT does
     not limit the multicast mode, and the multicast mode on the OLT automatically matches
     the multicast mode on the ONT.
   - Igmp-snooping: IGMP snooping obtains the related information and maintains the
     multicast forwarding entries by listening to the IGMP packets in the communication
     between the user and the multicast router.
   - Olt-control: indicates the dynamic controllable multicast mode. A multicast forwarding
     entry can be created for the multicast join packet of the user only after the packet passes
     the authentication. This mode is supported by the MDU, but is not supported by the
     ONT.
4. Run the multicast-forward command to configure the processing mode on the VLAN tag
   of the multicast data packets for the ONT. By default, the multicast forwarding mode of
   the ONT is unconcern.
   - Unconcern: indicates the unconcern forwarding mode. After this mode is selected, the
     OLT does not process the VLAN tag of the multicast data packets.
   - Tag: Set the multicast forwarding mode to contain the VLAN tag. To transparently
     transmit the VLAN tag of the multicast packets, select transparent. To switch the
     VLAN tag of the multicast packets, select translation, and then configure the VLAN
     ID that is switched to.
   - Untag: Set the multicast forwarding mode not to contain the VLAN tag.

Step 5 Configure the transparent LAN service (TLS).
1. Run the ont-port eth command to configure the port capability set of the ONT. The port
   capability set in the ONT service profile must be the same as the actual ONT capability set.
2. Run the port vlan command to configure the port VLAN of the ONT.
3. Run the port q-in-q eth ont-portid enable command to enable the QinQ function of the
   Ethernet port on the ONT. By default, the QinQ function of the Ethernet port on the ONT
   is unconcerned.
4. Run the port priority-policy command to configure the source of the priority copied for
   the upstream packets on the ONT port. By default, the source of the priority copied for the
   upstream packets on the ONT Ethernet port is unconcerned.
   - Unconcern: The source of the priority copied for the upstream packets on the Ethernet
     port of the ONT is not concerned.
   - assigned: Specifies the priority. Run the ont port native-vlan command to specify the
     priority of the port.
   - Copy-cos: Copy the priority. Copy the priority from C-TAG.
5. Run the transparent enable command to enable the transparent transmission function of
   the ONT. By default, the transparent transmission function of the ONT is disabled. After
   the transparent transmission function of the ONT is enabled, all packets (including service
   packets and protocol packets) are transparently transmitted by the ONT.
NOTE

The service port for the TLS service must also be of the TLS type. Run the service-port command to create a
service port of the TLS type. Select other-all for the multi-service type.

Step 6 Configure the 1:1 (that is, packets reported by the ONT must contain two VLAN tags) service.
1. Run the ont-port eth command to configure the port capability set of the ONT. The port
   capability set in the ONT service profile must be the same as the actual ONT capability set.
2. Run the port vlan command to configure the port VLAN of the ONT.
3. Run the port q-in-q eth ont-portid enable command to enable the QinQ function of the
   Ethernet port on the ONT. By default, the QinQ function of the Ethernet port on the ONT
   is unconcerned.
4. Run the port priority-policy command to configure the source of the priority copied for
   the upstream packets on the ONT port. By default, the source of the priority copied for the
   upstream packets on the ONT Ethernet port is unconcerned.
   - Unconcern: The source of the priority copied for the upstream packets on the Ethernet
     port of the ONT is not concerned.
   - assigned: Specifies the priority. Run the ont port native-vlan command to specify the
     priority of the port.
   - Copy-cos: Copy the priority. Copy the priority from C-TAG.
5. Run the transparent disable command to disable the transparent transmission function of
   the ONT.

Step 7 Run the mac-learning command to configure the MAC address learning function of the ONT.
This function is enabled by default.
Step 8 Run the commit command to make the parameters of the profile take effect. The configuration
of the service profile takes effect only after you perform this operation.
NOTE

If this profile is not bound, all the parameters that are configured take effect when the profile is bound. If this
profile is already bound, the configuration takes effect on all ONTs bound with this profile immediately.

Step 9 Run the quit command to return to the global config mode.
----End

Example
Assume that the profile is used for the Internet access service, the ONT supports four ETH ports,
and the VLAN ID of the ETH ports is 10. To add GPON ONT service profile 5, do as follows:
huawei(config)#ont-srvprofile gpon profile-id 5
huawei(config-gpon-srvprofile-5)#ont-port eth 4
huawei(config-gpon-srvprofile-5)#port vlan eth 1-4 10
huawei(config-gpon-srvprofile-5)#commit
huawei(config-gpon-srvprofile-5)#quit

Assume that the profile is used for the multicast service, the ONT supports four ETH ports, the
VLAN ID of the ETH ports is 100, and the multicast mode of the ONT is the controllable
multicast mode (you need to switch the multicast VLAN tag to 841 because the STB only
supports carrying the VLAN tag of 841). To add GPON ONT service profile 6, do as follows:
huawei(config)#ont-srvprofile gpon profile-id 6
huawei(config-gpon-srvprofile-6)#ont-port eth 4
huawei(config-gpon-srvprofile-6)#port vlan eth 1-4 100
huawei(config-gpon-srvprofile-6)#multicast mode olt-control
huawei(config-gpon-srvprofile-6)#multicast-forward tag translation 841
huawei(config-gpon-srvprofile-6)#commit
huawei(config-gpon-srvprofile-6)#quit

4.1.4 Configuring a GPON ONT Alarm Profile


This topic describes how to add an alarm profile, and configure most of the performance
parameters for various ONT lines as a profile. After the alarm profile is configured and bound
successfully, the ONT can directly use the profile when it is activated.

Background Information
An ONT alarm profile defines a series of alarm thresholds that are used to monitor the
performance of an activated ONT line. When the statistics result of a parameter reaches the alarm
threshold, the NE is notified and an alarm is sent to the log server and the NMS.
- The MA5600T supports up to 50 alarm profiles.
- The system contains a default alarm profile with the ID 1. This profile cannot be deleted
  but can be modified.

Procedure
Step 1 Run the gpon alarm-profile add command to add a GPON ONT alarm profile.
All parameters in the default profile are set to 0, which indicates that no alarm is reported. When
an alarm profile is created, the default values of all alarm thresholds are 0, which indicates that
no alarm is reported.
Step 2 Run the display gpon alarm-profile command to query the alarm profile.
----End

Example
To add GPON ONT alarm profile 5, set the alarm threshold for the packet loss of the GEM port
to 10, set the alarm threshold for the number of mis-transmitted packets to 30, and use the default
value 0 for all other thresholds, do as follows:
huawei(config)#gpon alarm-profile add profile-id 5
{ <cr>|profile-name<K> }:

  Command:
          gpon alarm-profile add profile-id 5
  Press 'Q' or 'q' to quit input
> GEM port loss of packets threshold (0~100)[0]:10
> GEM port misinserted packets threshold (0~100)[0]:30
> GEM port impaired blocks threshold (0~100)[0]:
> Ethernet FCS errors threshold (0~100)[0]:
> Ethernet excessive collision count threshold (0~100)[0]:
> Ethernet late collision count threshold (0~100)[0]:
> Too long Ethernet frames threshold (0~100)[0]:
> Ethernet buffer (Rx) overflows threshold (0~100)[0]:
> Ethernet buffer (Tx) overflows threshold (0~100)[0]:
> Ethernet single collision frame count threshold (0~100)[0]:
> Ethernet multiple collisions frame count threshold (0~100)[0]:
> Ethernet SQE count threshold (0~100)[0]:
> Ethernet deferred transmission count threshold (0~100)[0]:
> Ethernet internal MAC Tx errors threshold (0~100)[0]:
> Ethernet carrier sense errors threshold (0~100)[0]:
> Ethernet alignment errors threshold (0~100)[0]:
> Ethernet internal MAC Rx errors threshold (0~100)[0]:
> PPPOE filtered frames threshold (0~100)[0]:
> MAC bridge port discarded frames due to delay threshold (0~100)[0]:
> MAC bridge port MTU exceeded discard frames threshold (0~100)[0]:
> MAC bridge port received incorrect frames threshold (0~100)[0]:
> CES general error time threshold(0~100)[0]:
> CES severely time threshold(0~100)[0]:
> CES bursty time threshold(0~100)[0]:
> CES controlled slip threshold(0~100)[0]:
> CES unavailable time threshold(0~100)[0]:
> Drop events threshold(0~100)[0]:
> Undersize packets threshold(0~100)[0]:
> Fragments threshold(0~100)[0]:
> Jabbers threshold(0~100)[0]:
> Failed signal of ONT threshold(Format:1e-x, x: 3~8)[3]:
> Degraded signal of ONT threshold(Format:1e-x, x: 4~9)[4]:
  Adding an Alarm profile succeeded
  Profile ID  : 5
  Profile name: alarm-profile_5
huawei(config)#display gpon alarm-profile profile-id 5
  --------------------------------------------------------------
  Profile ID  : 5
  Profile name: alarm-profile_5
  --------------------------------------------------------------
  GEM port loss of packets threshold:                        10
  GEM port misinserted packets threshold:                    30
  GEM port impaired blocks threshold:                        0
  Ethernet FCS errors threshold:                             0
  Ethernet excessive collision count threshold:              0
  Ethernet late collision count threshold:                   0
  Too long Ethernet frames threshold:                        0
  Ethernet buffer (Rx) overflows threshold:                  0
  Ethernet buffer (Tx) overflows threshold:                  0
  Ethernet single collision frame count threshold:           0
  Ethernet multiple collisions frame count threshold:        0
  Ethernet SQE count threshold:                              0
  Ethernet deferred transmission count threshold:            0
  Ethernet internal MAC Tx errors threshold:                 0
  Ethernet carrier sense errors threshold:                   0
  Ethernet alignment errors threshold:                       0
  Ethernet internal MAC Rx errors threshold:                 0
  PPPOE filtered frames threshold:                           0
  MAC bridge port discarded frames due to delay threshold:   0
  MAC bridge port MTU exceeded discard frames threshold:     0
  MAC bridge port received incorrect frames threshold:       0
  CES general error time threshold:                          0
  CES severely time threshold:                               0
  CES bursty time threshold:                                 0
  CES controlled slip time threshold:                        0
  CES unavailable time threshold:                            0
  Drop events threshold:                                     0
  Undersize packets threshold:                               0
  Fragments threshold:                                       0
  Jabbers threshold:                                         0
  Failed signal of ONU threshold (Format:1e-x):              3
  Degraded signal of ONU threshold (Format:1e-x):            4
  --------------------------------------------------------------
  Binding Times:                                             0
  --------------------------------------------------------------
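
Because a threshold of 0 means that no alarm is reported, a saved copy of the display gpon alarm-profile output can be audited for counters that are not monitored at all. The following is an added example, not part of the original guide; the function names are assumptions, and the sample text is constructed from the output above, abridged and laid out one "name: value" pair per line.

```python
"""Audit 'display gpon alarm-profile' output for counters that never alarm."""

# Constructed sample: abridged from the profile 5 output shown in the guide.
SAMPLE_OUTPUT = """\
  --------------------------------------------------------------
  Profile ID  : 5
  Profile name: alarm-profile_5
  --------------------------------------------------------------
  GEM port loss of packets threshold:                        10
  GEM port misinserted packets threshold:                    30
  GEM port impaired blocks threshold:                        0
  Ethernet FCS errors threshold:                             0
  PPPOE filtered frames threshold:                           0
  Failed signal of ONU threshold (Format:1e-x):              3
  Degraded signal of ONU threshold (Format:1e-x):            4
  --------------------------------------------------------------
  Binding Times:                                             0
  --------------------------------------------------------------
"""


def parse_alarm_profile(text):
    """Return {field name: value string} for every 'name: value' line."""
    fields = {}
    for line in text.splitlines():
        # Split on the LAST colon: some names contain one, e.g. '(Format:1e-x)'.
        name, sep, value = line.rpartition(":")
        name, value = name.strip(), value.strip()
        if sep and name and value:
            fields[name] = value
    return fields


def audit_alarm_profile(text):
    """Separate counters that can raise an alarm from those set to 0."""
    fields = parse_alarm_profile(text)
    armed, silent = {}, []
    for name, value in fields.items():
        # The signal fail/degrade thresholds are exponents (1e-x), not
        # 0-100 counters, so the "0 means no alarm" rule is not applied.
        if "threshold" not in name or "1e-x" in name or not value.isdigit():
            continue
        if int(value) == 0:
            silent.append(name)
        else:
            armed[name] = int(value)
    return {
        "profile_id": fields.get("Profile ID"),
        # A profile bound 0 times monitors nothing, whatever its thresholds.
        "bound": fields.get("Binding Times", "0") != "0",
        "armed": armed,
        "silent": silent,
    }


if __name__ == "__main__":
    report = audit_alarm_profile(SAMPLE_OUTPUT)
    print("profile", report["profile_id"], "bound:", report["bound"])
    for name, limit in report["armed"].items():
        print("  alarm at", limit, "-", name)
    for name in report["silent"]:
        print("  no alarm  -", name)
```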

4.2 Configuring a VLAN


Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring a
service, make sure that the VLAN configuration based on planning is complete.


Prerequisites
The VLAN to be added should not exist in the system.

Application Context
VLAN application is specific to user types. For details on the VLAN application, see Table
4-5.
Table 4-5 VLAN application and planning

| User Type | Application Scenario | VLAN Planning |
|---|---|---|
| Household user; Commercial user of the Internet access service | N:1 scenario, that is, the scenario of upstream transmission through a single VLAN, where the services of multiple subscribers are converged to the same VLAN. | VLAN type: smart. VLAN attribute: common. VLAN forwarding mode: by VLAN+MAC |
| Household user; Commercial user of the Internet access service | 1:1 scenario, that is, the scenario of upstream transmission through double VLANs, where the outer VLAN tag identifies a service and the inner VLAN tag identifies a user. The service of each user is indicated by a unique S+C. | VLAN type: smart. Attribute: stacking. VLAN forwarding mode: by S+C |
| Commercial user of the transparent transmission service | Applicable only to the transparent transmission service of a commercial user. | VLAN type: smart. VLAN attribute: QinQ. VLAN forwarding mode: by VLAN+MAC or S+C. |

Default Configuration
Table 4-6 lists the default parameter settings of VLAN.
Table 4-6 Default parameter settings of VLAN

| Parameter | Default Setting | Remarks |
|---|---|---|
| Default VLAN of the system | VLAN ID: 1. Type: smart VLAN | You can run the defaultvlan modify command to modify the VLAN type but cannot delete the VLAN. |
| Reserved VLAN of the system | VLAN ID range: 4079-4093 | You can run the vlan reserve command to modify the VLAN reserved by the system. |
| Default attribute of a new VLAN | Common | |
| VLAN forwarding mode | VLAN+MAC | |

Procedure
Step 1 Create a VLAN.
Run the vlan command to create a VLAN. VLANs of different types are applicable to different scenarios.
Table 4-7 VLAN types and application scenarios

| VLAN Type | Configuration Command | VLAN Description | Application Scenario |
|---|---|---|---|
| Standard VLAN | To add a standard VLAN, run the vlan vlanid standard command. | Standard VLAN. Ethernet ports in a standard VLAN are interconnected with each other but Ethernet ports in different standard VLANs are isolated from each other. | Only available to Ethernet ports and specifically to network management and subtending. |
| Smart VLAN | To add a smart VLAN, run the vlan vlanid smart command. | One VLAN may contain multiple xDSL service ports or GPON service ports. The traffic streams of these ports, however, are isolated from each other. In addition, the traffic streams of different VLANs are also isolated. One smart VLAN provides access for multiple subscribers and thus saves VLAN resources. | Smart VLANs can be applied in residential communities to provide xDSL or GPON service access. |
| MUX VLAN | To add a MUX VLAN, run the vlan vlanid mux command. | One MUX VLAN contains only one xDSL service port or GPON service port. The traffic streams in different VLANs are isolated from each other. One-to-one mapping can be set up between a MUX VLAN and an access user. Hence, a MUX VLAN can identify an access user. | MUX VLANs are applicable to xDSL or GPON service access. For example, MUX VLANs can be used to distinguish users. |
| Super VLAN | To add a super VLAN, run the vlan vlanid super command. | The super VLAN is based on layer 3. One super VLAN contains multiple sub-VLANs. Through an ARP proxy, the sub-VLANs in a super VLAN can be interconnected at layer 3. | Super VLANs save IP addresses and improve the utilization of IP addresses. For a super VLAN, sub-VLANs must be configured. You can run the supervlan command to add a sub-VLAN to a specified super VLAN. A sub-VLAN must be a smart VLAN or MUX VLAN. |

NOTE

- To add VLANs with consecutive IDs in batches, run the vlan vlanid to end-vlanid command.
- To add VLANs with inconsecutive IDs in batches, run the vlan vlan-list command.

Step 2 (Optional) Configure the VLAN attribute.


The default attribute for a new VLAN is "common". You can run the vlan attrib command to
configure the attribute of the VLAN.
Configure the attribute according to VLAN planning.


Table 4-8 VLAN attributes and application scenarios

| VLAN Attribute | Configuration Command | VLAN Type | VLAN Description | Application Scenario |
|---|---|---|---|---|
| Common | The default attribute for a new VLAN is "common". | The VLAN with this attribute can be a standard VLAN, smart VLAN, MUX VLAN, or super VLAN. | A VLAN with the common attribute can function as a common layer 2 VLAN or function for creating a layer 3 interface. | Applicable to the N:1 access scenario. |
| QinQ VLAN | To configure QinQ as the attribute of a VLAN, run the vlan attrib vlanid q-in-q command. | The VLAN with this attribute can be a standard VLAN, smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with a Layer 3 interface, and the default VLAN of the system cannot be set to QinQ VLAN. | The packets from a QinQ VLAN contain two VLAN tags, that is, inner VLAN tag from the private network and outer VLAN tag from the MA5600T. Through the outer VLAN, an L2 VPN tunnel can be set up to transparently transmit the services between private networks. | Applicable to the enterprise private line scenario. |
| VLAN Stacking | To configure stacking as the attribute of a VLAN, run the vlan attrib vlanid stacking command. | The VLAN with this attribute can only be a smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with an L3 interface, and the default VLAN of the system cannot be set to VLAN Stacking. | The packets from a stacking VLAN contain two VLAN tags, that is, inner VLAN tag and outer VLAN tag from the MA5600T. The upper-layer BRAS authenticates the access users according to the two VLAN tags. In this manner, the number of access users is increased. On the upper-layer network in the L2 working mode, a packet can be forwarded directly by the outer VLAN tag and MAC address mode to provide the wholesale service for ISPs. | Applicable to the 1:1 access scenario for the wholesale service or extension of VLAN IDs. In the case of a stacking VLAN, to configure the inner tag of the service port, run the stacking label command. |

NOTE

- To configure attributes for the VLANs with consecutive IDs in batches, run the vlan attrib vlanid to endvlanid command.
- To configure attributes for the VLANs with inconsecutive IDs in batches, run the vlan attrib vlan-list command.

Step 3 (Optional) Configure VLAN description.


To configure VLAN description, run the vlan desc command. You can configure VLAN
description to facilitate maintenance. The general VLAN description includes the usage and
service information of the VLAN.
Step 4 (Optional) Configure the VLAN forwarding policy.
vlan-connect corresponds to the S+C forwarding policy, which ensures higher security by
solving the problems of insufficiency in the MAC address space, MAC address aging, and MAC
address spoofing and attacks.
You can configure the VLAN forwarding policy in either the global config mode or VLAN
service profile configuration mode.
- In the global config mode, to configure the VLAN forwarding policy, run the vlan forwarding command. The default VLAN forwarding mode is VLAN+MAC in the system.
- In the VLAN service profile configuration mode, to configure the VLAN forwarding policy, do as follows:
  1. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
  2. Run the forwarding command to configure the VLAN forwarding policy. The default VLAN forwarding policy is VLAN+MAC in the system.
  3. Run the commit command to validate the profile configuration. The configuration of the VLAN service profile takes effect only after execution of this command.
  4. Run the quit command to quit the VLAN service profile mode.
  5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 4.1.

----End

Example
Assume that a stacking VLAN with ID of 50 is to be configured for extension of the VLAN. A
service port is added to VLAN 50. The outer VLAN tag 50 of the stacking VLAN identifies the
access device and the inner VLAN tag 10 identifies the user with access to the device. For the
VLAN, description needs to be configured for easy maintenance. To configure such a VLAN,
do as follows:
huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
huawei(config)#service-port vlan 50 gpon 0/4/0 ont 1 gemport 126 rx-cttr 6 tx-cttr 6
huawei(config)#stacking label vlan 50 baselabel 10
huawei(config)#vlan desc 50 description stackingvlan/label10

Assume that a QinQ VLAN with ID of 100 is to be configured for an enterprise user to ensure
higher security and the VLAN forwarding policy is S+C. For the VLAN, description needs to
be configured for easy maintenance. To configure such a VLAN, do as follows:
huawei(config)#vlan 100 smart
huawei(config)#vlan attrib 100 q-in-q
huawei(config)#vlan desc 100 description qinqvlan/forhuawei
huawei(config)#vlan forwarding 100 vlan-connect
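
How an upstream device such as the BRAS sees the two tags of the stacking example above (outer VLAN 50, inner label 10) can be shown by parsing the frame header. The following Python code is an added example, not code from this guide: the MAC addresses and frames are constructed, and the tag protocol identifier of the outer tag is an assumption (the parser accepts both 0x8100 and 0x88A8), since the guide does not state which one the MA5600T sends.

```python
import struct

TPIDS = {0x8100, 0x88A8}      # IEEE 802.1Q and 802.1ad tag protocol identifiers
PPPOE_DISCOVERY = 0x8863      # EtherType carried in the constructed sample frames


def build_frame(tags, ethertype, payload=b""):
    """Build a frame; tags is a list of (tpid, priority, vlan_id), outermost first."""
    dst = bytes.fromhex("020000000001")   # constructed, locally administered MACs
    src = bytes.fromhex("020000000002")
    header = dst + src
    for tpid, priority, vlan_id in tags:
        if not (0 <= vlan_id <= 4095 and 0 <= priority <= 7):
            raise ValueError("VLAN ID or priority out of range")
        header += struct.pack("!HH", tpid, (priority << 13) | vlan_id)
    return header + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame):
    """Return ([vlan_id, ...] outermost first, ethertype of the payload)."""
    offset = 12                            # skip destination and source MAC
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return vlan_ids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VLAN ID
        offset += 4


def subscriber_key(frame):
    """(outer, inner) VLAN IDs as used to tell users apart; None where a tag is absent."""
    vlan_ids, _ = parse_vlan_tags(frame)
    if len(vlan_ids) > 2:
        raise ValueError("more than two VLAN tags")
    vlan_ids += [None] * (2 - len(vlan_ids))
    return vlan_ids[0], vlan_ids[1]


# Constructed frames: stacking VLAN 50 with label 10, a single-tagged frame, an untagged frame.
STACKED = build_frame([(0x8100, 0, 50), (0x8100, 0, 10)], PPPOE_DISCOVERY)
SINGLE = build_frame([(0x8100, 0, 50)], PPPOE_DISCOVERY)
UNTAGGED = build_frame([], PPPOE_DISCOVERY)

if __name__ == "__main__":
    for name, frame in (("stacked", STACKED), ("single", SINGLE), ("untagged", UNTAGGED)):
        print(name, subscriber_key(frame))
```
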

4.3 Configuring an Upstream Port


This topic describes how to add an upstream port for an Internet access service to a VLAN.

Procedure
Step 1 Configure an upstream port for the VLAN.
Run the port vlan command to add the upstream port to the VLAN.
Step 2 Configure the attribute of the upstream port.
If the default attribute of the upstream port does not meet the requirement for interconnection
of the upstream port with the upper-layer device, you need to configure the attribute. For
configuration details, see 2.5 Configuring the Attributes of an Upstream Ethernet Port.
Step 3 Configure redundancy backup for the uplink.
To ensure reliability of the uplink, two upstream ports must be available. That is, redundancy
backup of the upstream ports needs to be configured. For details, see 8.2 Configuring the Uplink
Redundancy Backup.
----End

Example
Assume that the 0/17/0 and 0/17/1 upstream ports are to be added to VLAN 50. The 0/17/0 and
0/17/1 need to be configured into an aggregation group for double upstream accesses. For the
two upstream ports, the working mode is full-duplex (full) and the port rate is 100 Mbit/s. To
configure such upstream ports, do as follows:
huawei(config)#port vlan 50 0/17 0
huawei(config)#port vlan 50 0/17 1
huawei(config)#interface giu 0/17
huawei(config-if-giu-0/17)#duplex 0 full
huawei(config-if-giu-0/17)#duplex 1 full
huawei(config-if-giu-0/17)#speed 0 100
huawei(config-if-giu-0/17)#speed 1 100
huawei(config-if-giu-0/17)#quit
huawei(config)#link-aggregation 0/17 0 0/17 1 egress-ingress workmode lacp-static

4.4 Configuring a GPON ONT


The MA5600T provides end users with services through the ONT. The MA5600T can manage
the ONT and the ONT can work in the normal state only after the channel between the
MA5600T and the ONT is available.

Prerequisites
The GPON ONT profile is already created.
- For an ONT, 4.1.2 Configuring a GPON ONT Line Profile, 4.1.3 Configuring a GPON ONT Service Profile, and 4.1.4 Configuring a GPON ONT Alarm Profile are already completed.
- For an MDU or ONU, 4.1.2 Configuring a GPON ONT Line Profile and 4.1.4 Configuring a GPON ONT Alarm Profile are already completed.

Background Information
The MA5600T uses the ONT Management and Control Interface (OMCI) protocol to manage
and configure the GPON ONT, and supports the offline configuration of the ONT. The ONT
does not need to save the configuration information locally. This helps to provision services.
In the profile mode, the related configuration of the GPON ONT is already integrated in the
service profile and the line profile. When adding an ONT, you only need to bind the ONT with
the corresponding service profile and line profile.
Table 4-9 lists the default settings of the GPON ONT.

Table 4-9 Default settings of the GPON ONT

| Parameter | Default Setting |
| --- | --- |
| ONT auto-find function of a GPON port | Disabled |
| ONT status after an ONT is added | Activated |
| Default VLAN of the ONT port | 1 |

Procedure
Step 1 Run the interface gpon command to enter the GPON mode.
Step 2 Add a GPON ONT.
1. Run the port portid ont-auto-find command to enable the auto discovery function of the ONT. After the function is enabled, the system reports the SN and password of the auto discovery ONT and you can add an ONT according to the information reported by the system. By default, the ONT auto discovery function of a GPON port is disabled.
   NOTE
   An auto discovery ONT is in the auto discovery state. The auto discovery ONT can work in the normal state only after it is confirmed or added.

2. Run the ont add command to add an ONT offline, or run the ont confirm command to confirm the auto discovery ONT.
   When ONTs are added or confirmed, the system provides three authentication modes: SN, password, and SN+password.
   - SN authentication: The OLT detects the serial number (SN) reported by an ONT. If the SN is consistent with the OLT configuration, authentication is passed and the ONT goes online. This mode requires recording all ONT SNs. Hence, it is used to confirm auto discovery ONTs and is not applicable to adding ONTs in batches.
   - Password authentication: The OLT detects the password reported by an ONT. If the password is consistent with the OLT configuration, the ONT goes online normally. This mode requires planning ONT passwords and does not require manually recording ONT SNs. Hence, it is applicable to adding ONTs in batches. The password authentication provides two discovery modes: always-on and once-on.
     - always-on: After the first password authentication is passed, no SN is allocated and password authentication is always used in subsequent authentications. This discovery mode is easy for future maintenance. In the always-on discovery mode, the configuration does not need to be modified when an ONT is replaced and only the password is required. The always-on discovery mode has lower security. If other users know the password, they will illegally have service permissions.
     - once-on: After the first password authentication is passed, an SN is automatically allocated and password+SN authentication is used in subsequent authentications. An ONT can go online only after the correct password and SN are entered. The once-on authentication mode has high security. After an ONT is replaced or the password is mistakenly changed, the ONT needs to be configured again, which requires more maintenance effort.
   - SN+password: The OLT detects the password and SN reported by an ONT. If the password and SN are consistent with the OLT configuration, the ONT goes online normally. This authentication mode has the highest security but it requires manually recording ONT SNs.

   Adding ONTs in offline mode is applicable to the batch deployment scenario. All ONTs are added to the OLT to complete service provisioning beforehand. When a user subscribes to the service, an installation engineer takes an ONT to the user's house and completes configurations. After the ONT goes online and passes authentication (generally the password authentication mode is used), the service is provisioned.
   Adding ONTs in auto discovery mode is applicable to the scenario where a small number of ONTs are added. When users subscribe to the service, installation engineers take ONTs to the users' houses. After the ONTs go online, the OLT confirms the ONTs one by one. Generally, the MAC address authentication mode is used to confirm the ONTs.
   NOTE
   - If the ONU is an independent NE and is directly managed by the NMS through the SNMP management mode, select the SNMP management mode. For this mode, you only need to configure the parameters for the GPON line and the parameters for the management channel on the OLT. You only need to bind the ONU with a line profile.
   - If the ONU is not an independent NE and all its configuration data is issued by the OLT through OMCI, select the OMCI management mode. For this mode, you need to configure all parameters (including line parameters, UNI port parameters, and service parameters) that are required for the ONU on the OLT. Configuring management channel parameters is not supported. You need to bind the ONT with a line profile and a service profile.
   - Generally, the ONT management mode is set to the OMCI mode. You need to bind the ONT with a line profile and a service profile.

3. (Optional) When the ONT management mode is the SNMP mode, you need to configure the SNMP management parameters for the ONT. The procedure is as follows:
   a. Run the ont ipconfig command to configure the management IP address of the ONT. The IP address should not be in the same subnet as the IP address of the VLAN port.
   b. Run the ont snmp-profile command to bind the ONT with an SNMP profile. Run the snmp-profile add command to add an SNMP profile before the configuration.
   c. Run the ont snmp-route command to configure a static route for the NMS server, that is, configure the IP address of the next hop.

Step 3 Configure the default VLAN (native VLAN) for the ONT port.
Run the ont port native-vlan command to configure the default VLAN for the ONT port. By
default, the default VLAN ID of the ONT port is 1.
- If the packets reported from a user (such as a PC) to the ONT are untagged, the packets are tagged with the default VLAN of the port on the ONT and then reported to the OLT.
- If the packets reported from a user to the ONT are tagged, you need to configure the port VLAN of the ONT to be the same as the VLAN in the user tag. The packets are not tagged with the default VLAN of the port on the ONT but are reported to the OLT with the user tag.
Step 4 Bind an alarm profile.
Run the ont alarm-profile command to bind an alarm profile. Ensure that 4.1.4 Configuring a GPON ONT Alarm Profile is completed before the configuration.
Step 5 Activate the ONT.
Run the ont activate command to activate the ONT. The ONT can transmit services only when
it is in the activated state.
After being added, the ONT is in the activated state by default. The step is required only when
the ONT is in the deactivated state.
----End

Example
To add five ONTs in offline mode with password authentication mode (ONT passwords are
0100000001-0100000005), set the discovery mode of password authentication to always-on,
and bind line profile 10 and service profile 10, do as follows:
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#ont add 0 password-auth 0100000001 always-on omci ont-lineprofile-id 10 ont-srvprofile-id 10
huawei(config-if-gpon-0/4)#ont add 1 password-auth 0100000002 always-on omci ont-lineprofile-id 10 ont-srvprofile-id 10
huawei(config-if-gpon-0/4)#ont add 2 password-auth 0100000003 always-on omci ont-lineprofile-id 10 ont-srvprofile-id 10
huawei(config-if-gpon-0/4)#ont add 3 password-auth 0100000004 always-on omci ont-lineprofile-id 10 ont-srvprofile-id 10
huawei(config-if-gpon-0/4)#ont add 4 password-auth 0100000005 always-on omci ont-lineprofile-id 10 ont-srvprofile-id 10

To add an ONT that is managed by the OLT through the OMCI protocol, confirm this ONT
according to the SN 3230313185885B41 automatically reported by the system, and bind the
ONT with line profile 3 and service profile 3 that match the ONT, do as follows:
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#port 0 ont-auto-find enable
huawei(config-if-gpon-0/4)#ont confirm 0 sn-auth 3230313185885B41 omci ont-lineprofile-id 3 ont-srvprofile-id 3

To add an ONU that is managed as an independent NE and whose SN is known as 3230313185885641, bind the ONU with line profile 4 that matches the ONU, configure the NMS parameters for the ONU, and set the management VLAN to 100, do as follows:
huawei(config)#snmp-profile add profile-id 1 v2c public private 10.10.5.53 161 huawei
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#ont add 0 2 sn-auth 3230313185885641 snmp ont-lineprofile-id 4
huawei(config-if-gpon-0/4)#ont ipconfig 0 2 static ip-address 10.20.20.20 mask 255.255.255.0 gateway 10.10.20.1 vlan 100
huawei(config-if-gpon-0/4)#ont snmp-profile 0 2 profile-id 1
huawei(config-if-gpon-0/4)#ont snmp-route 0 2 ip-address 10.10.20.190 mask 255.255.255.0 next-hop 10.10.20.100

4.5 Configuring a GPON Port


To work normally and carry the service, a GPON port must be enabled first. This topic describes
how to enable a GPON port and configure related attributes of the port.

Default Configuration
Table 4-10 lists the default settings of the GPON port.

Table 4-10 Default settings of the GPON port

| Parameter | Default Setting |
| --- | --- |
| GPON port | Enabled |
| Downstream FEC function of the GPON port | Disabled |
| Compensation distance range of the GPON port ranging | Minimum logical distance: 0 km; maximum logical distance: 20 km |

Procedure
Step 1 Run the interface gpon command to enter the GPON mode.
Step 2 Configure the laser of the GPON port.
- Run the undo shutdown command to enable the laser of the GPON port. By default, the laser of the GPON port is enabled and the GPON port is available. In this case, skip this step.
- If the GPON port is not to be used, run the shutdown command to disable the laser of the GPON port.

CAUTION
Disabling a PON port that carries services will cause the interruption of such services.
Step 3 Configure the downstream FEC function of the GPON port.
Run the port portid fec command to configure the FEC function of the GPON port. By default, the FEC function is disabled.
NOTE

- FEC inserts redundant data into normal packets so that the line has a certain error tolerance. Enabling FEC enhances the error correction capability of the line but at the same time occupies some bandwidth. Determine whether to enable FEC according to the actual line planning.
- If a large number of ONTs are already online, enabling FEC on the GPON port may cause certain ONTs to go offline. Therefore, it is suggested that FEC should not be enabled on a GPON port that connects to online ONTs.

Step 4 Configure the renewal time of the ONT key.


Run the port portid ont-password-renew command to configure the interval for renewing the
ONT key. To ensure the system security, the ONT key renewal must be configured.
Step 5 Configure the compensation distance in the ranging.
Run the port range command to configure the compensation distance range of the GPON port
ranging. By default, the minimum logical distance is 0 km, and the maximum logical distance
is 20 km. The difference between the minimum logical distance and the maximum logical
distance must not exceed 20 km.
Step 6 (Optional) Configure the DBA calculation period on a GPON port basis.
When different GPON ports provide different access services, the bandwidth delays on these
ports are different. In this case, the DBA calculation period needs to be configured on a GPON
port basis.
1. In GPON board mode, run the port dba bandwidth-assignment-mode command to configure the DBA mode on a GPON port.
2. In diagnose mode, run the gpon port dba calculate-period command to configure the DBA calculation period on the GPON port.
NOTE

- The DBA calculation period on a GPON port can be configured only when the DBA mode is set to manual on this GPON port.
- By default, the DBA mode on a GPON port is default, which means the global DBA mode is used as the bandwidth assignment mode for the GPON port. In this case, if the global DBA mode is modified by running the gpon dba bandwidth-assignment-mode command, the bandwidth assignment mode on the GPON port is also modified. If the DBA mode on a GPON port is not default, the bandwidth assignment mode on the GPON port is not affected by the global DBA mode.
- If ONTs are configured on a GPON port, modifying the DBA mode is not allowed on this GPON port.
- For the TDM service, the DBA mode must be set to min-loop-delay.

----End

Example
Assume that the key renew interval of the ONT under the port is 10 hours, the minimum
compensation distance of ranging is 10 km, and the maximum compensation distance of ranging
is 15 km. To enable the FEC function of GPON port 0/4/0, do as follows:
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#port 0 fec enable
huawei(config-if-gpon-0/4)#port 0 ont-password-renew 10
huawei(config-if-gpon-0/4)#port 0 range min-distance 10 max-distance 15
This command will result in the ONT's re-register in the port.
Are you sure to execute this command? (y/n)[n]: y

To set the global DBA mode to min-loop-delay, DBA mode on GPON port 0/4/0 to manual,
and DBA calculation period to 4, do as follows:
huawei(config)#gpon dba bandwidth-assignment-mode min-loop-delay
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#port dba bandwidth-assignment-mode 0 manual
huawei(config-if-gpon-0/4)#quit
huawei(config)#diagnose
huawei(diagnose)%%gpon port dba calculate-period 0/4/0 4
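
The security-relevant settings from 4.4 and 4.5 (the always-on password discovery mode, SNMP management of an ONU, and ONT key renewal) can be checked offline against a saved configuration. The following Python script is an added example, not Huawei code: the sample configuration is constructed from the command shapes in this guide's examples, and the check names are made up for the illustration. Flagging the community strings public and private (common defaults, sent in clear text by SNMP v1/v2c) is an addition that this guide does not state.

```python
import re

# Constructed sample, using the command shapes from the examples in 4.4 and 4.5.
SAMPLE_CONFIG = """\
snmp-profile add profile-id 1 v2c public private 10.10.5.53 161 huawei
interface gpon 0/4
port 0 ont-password-renew 10
ont add 0 password-auth 0100000001 always-on omci ont-lineprofile-id 10 ont-srvprofile-id 10
ont add 0 2 sn-auth 3230313185885641 snmp ont-lineprofile-id 4
ont add 1 password-auth 0100000009 once-on omci ont-lineprofile-id 10 ont-srvprofile-id 10
quit
interface gpon 0/5
ont add 0 password-auth 0100000002 always-on omci ont-lineprofile-id 10 ont-srvprofile-id 10
quit
"""

PROMPT = re.compile(r"^\S+\)(?:#|%%)\s*")   # e.g. "huawei(config-if-gpon-0/4)#"
IFACE = re.compile(r"^interface gpon (\d+/\d+)$")
ONT = re.compile(r"^ont (?:add|confirm) (\d+)(?: \d+)? (sn-auth|password-auth) \S+"
                 r"(?: (always-on|once-on))?")
RENEW = re.compile(r"^port (\d+) ont-password-renew \d+$")
SNMP = re.compile(r"^snmp-profile add profile-id (\d+) (v1|v2c) (\S+) (\S+) ")
DEFAULT_COMMUNITIES = {"public", "private"}  # assumption added here, not from the guide


def audit(config_text):
    """Return (check, location, line_number) findings; line 0 means the whole config."""
    findings = []
    board = None                 # frame/slot of the GPON board being configured
    ports_with_onts = set()
    ports_with_renewal = set()
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT.sub("", raw.strip())   # accept pasted CLI sessions as well
        m = IFACE.match(line)
        if m:
            board = m.group(1)
            continue
        if line == "quit":
            board = None
            continue
        m = SNMP.match(line)
        if m:
            if {m.group(3).lower(), m.group(4).lower()} & DEFAULT_COMMUNITIES:
                findings.append(("snmp-default-community", "snmp-profile " + m.group(1), lineno))
            continue
        if board is None:
            continue
        m = RENEW.match(line)
        if m:
            ports_with_renewal.add(f"{board}/{m.group(1)}")
            continue
        m = ONT.match(line)
        if m:
            port = f"{board}/{m.group(1)}"
            ports_with_onts.add(port)
            # The guide rates always-on as the lower-security discovery mode.
            if m.group(2) == "password-auth" and m.group(3) == "always-on":
                findings.append(("password-auth-always-on", port, lineno))
    # The guide requires ONT key renewal to be configured on ports that serve ONTs.
    for port in sorted(ports_with_onts - ports_with_renewal):
        findings.append(("no-ont-key-renewal", port, 0))
    return findings


if __name__ == "__main__":
    for check, location, lineno in audit(SAMPLE_CONFIG):
        print(f"{check:26} {location:16} line {lineno}")
```

The findings carry only the check name, the port or profile, and the line number, so ONT passwords and community strings are not copied into the report.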

4.6 Creating a GPON Service Port


A service port is a service channel connecting the user side to the network side. To provision
services, a service port must be created.

Background Information
A service port can carry a single service or multiple services. When a service port carries multiple
services, the MA5600T supports the following modes of classifying traffic:
- By user-side VLAN
- By user-side service encapsulation mode
- By VLAN+user-side packet priority
- By VLAN+user-side service encapsulation mode

Table 4-11 lists the default settings of a service port.


Table 4-11 Default settings of a service port

| Parameter | Default Setting |
| --- | --- |
| Traffic profile ID | 0-6 |
| Administrative status of the service port | Activated |
| Maximum number of MAC addresses that are learned | 1023 |

Procedure
Step 1 Create a traffic profile.
Run the traffic table ip command to create a traffic profile. There are seven default traffic
profiles in the system with the IDs of 0-6.
Before creating a service port, run the display traffic table command to check whether the
traffic profiles in the system meet the requirement. If no traffic profile in the system meets the
requirement, add a traffic profile that meets the requirement. For details about the traffic profile,
see Configuring Traffic Management Based on Service Port.
Step 2 Create a service port.
You can choose to create a single service port or multiple service ports in batches according to
requirements.
- Run the service-port command to create a single service port. Service ports are classified into single-service service ports and multi-service service ports. Multi-service service ports are generally used for the triple play service.
  - Single-service service port:
    By default, a service port is a single-service service port if you do not enter multi-service.
  - Multi-service service port based on the user-side VLAN:
    Select multi-service user-vlan { untagged | user-vlanid | priority-tagged | other-all }.
    - untagged: When untagged is selected, user-side packets do not carry a tag.
    - user-vlanid: When user-vlanid is selected, user-side packets carry a tag and the value of user-vlanid must be the same as the tag carried in user-side packets, that is, CVLAN.
    - priority-tagged: When priority-tagged is selected, the VLAN tag is 0 and the priorities of user-side packets are 0-7.
    - other-all: When other-all is selected, service ports for the transparent LAN service (TLS) are created, which are mainly used in the QinQ transparent transmission service for enterprises. All the traffic except known traffic in the system is carried over this channel.
  - Multi-service service port based on the user-side service encapsulation mode:
    Select multi-service user-encap user-encap.
  - Multi-service service port based on VLAN+user-side packet priority (802.1p):
    Select multi-service user-8021p user-8021p [ user-vlan user-vlanid ].
  - Multi-service service port based on VLAN + user-side service encapsulation mode (user-encap):
    Select multi-service user-vlan { untagged | user-vlanid | priority-tagged } user-encap user-encap.
  NOTE
  - The system supports creating service ports by index. One index maps one service port and the input of a large number of traffic parameters is not required. Therefore, the configuration of service ports is simplified. During the creation of a service port, index indicates the index of the service port and it is optional. If it is not input, the system automatically adopts the smallest value.
  - vlan indicates the S-VLAN. An S-VLAN can only be a MUX VLAN or smart VLAN.
  - rx-cttr is the same as outbound in terms of meanings and functions. Either of them indicates the index of the traffic from the network side to the user side. tx-cttr is the same as inbound in terms of meanings and functions. Either of them indicates the index of the traffic from the user side to the network side. The traffic profile bound to the service port is created in Step 1.
- Run the multi-service-port command to create service ports in batches.

Step 3 Configure the attributes of the service port. Configure the attributes of the service port according
to requirements.
- Run the service-port desc command to configure the description of the service port. Configure the description for a service port to facilitate maintenance. In general, configure the purpose and related service information as the description of a service port.
- Run the service-port index adminstatus command to configure the administrative status of the service port. By default, a service port is in the activated state.
  A service port can be activated at two levels: port level and service port level. To provision services for a user, the access port and the corresponding service port of the user must be activated.
- Run the mac-address max-mac-count service-port command to configure the maximum number of MAC addresses learned by the service port to restrict the maximum number of PCs that can access the Internet by using a same account. By default, the maximum number of MAC addresses learned by the service port is 1023.

----End

Example
Connect ONT 1 to GPON port 0/4/0 of the MA5600T. Plan an Internet access user. The ONT
provides the Internet-access-only service with a rate of 4096 kbit/s for this user, the index of the
GEM port that carries the service is 126, the service VLAN ID is 1000, and only three users are
allowed to use a same account for Internet access at the same time. The query shows that there
is no proper traffic profile in the system. Then, create traffic profile 10. This user is not registered
yet. Therefore, the service is not provided for the user for the moment. To configure such a user,
do as follows:
huawei(config)#traffic table ip index 10 cir 4096 priority 3 priority-policy local-Setting
  Create traffic descriptor record successfully
  -----------------------------------------------
  TD Index              : 10
  TD Name               : ip-traffic-table_10
  Priority              : 3
  Mapping Priority      :
  Mapping Index         :
  CTAG Mapping Priority :
  CTAG Mapping Index    :
  CTAG Default Priority : 0
  Priority Policy       : local-pri
  CIR                   : 4096 kbps
  CBS                   : 133072 bytes
  PIR                   : 8192 kbps
  PBS                   : 264144 bytes
  Referenced Status     : not used
  -----------------------------------------------
huawei(config)#service-port 5 vlan 1000 gpon 0/4/0 ont 1 gemport 126 inbound traffic-table index 10 outbound traffic-table index 10
huawei(config)#mac-address max-mac-count service-port 5 3
huawei(config)#service-port 5 adminstatus disable

Connect ONT 2 to GPON port 0/4/0 of the MA5600T. A commercial user requires the Internet
access service with a rate of 8192 kbit/s to be provided. For subsequent service expansion, the
ONT provides the Internet access service for this user in the multi-service mode. The user is
differentiated based on the user-end VLAN, S-VLAN ID is 1023, C-VLAN ID is 100, and the
index of the GEM port that carries the service is 126. The query shows that there is no proper
traffic profile in the system. Then, create traffic profile 8. The Internet access service is required
to be provided immediately. The description of the service port is added to facilitate maintenance.
To configure such a user, do as follows:
huawei(config)#display traffic table ip from-index 0
{ <cr>|to-index<K> }:
  Command:
          display traffic table ip from-index 0
  ---------------------------------------------------------------------------
  TID CIR(kbps) CBS(bytes) PIR(kbps) PBS(bytes) Pri Copy-policy Pri-Policy
  ---------------------------------------------------------------------------
    0      1024      34768      2048      69536   6             tag-pri
    1      2496      81872      4992     163744   6             tag-pri
    2       512      18384      1024      36768   0             tag-pri
    3       576      20432      1152      40864   2             tag-pri
    4        64       4048       128       8096   4             tag-pri
    5      2048      67536      4096     135072   0             tag-pri
    6       off        off       off        off   0             tag-pri
  ---------------------------------------------------------------------------
  Total Num : 7
huawei(config)#traffic table ip index 8 cir 8192 priority 4 priority-policy local-Setting
  Create traffic descriptor record successfully
  -----------------------------------------------
  TD Index              : 8
  TD Name               : ip-traffic-table_8
  Priority              : 4
  Mapping Priority      :
  Mapping Index         :
  CTAG Mapping Priority :
  CTAG Mapping Index    :
  CTAG Default Priority : 0
  Priority Policy       : local-pri
  CIR                   : 8192 kbps
  CBS                   : 264144 bytes
  PIR                   : 16384 kbps
  PBS                   : 526288 bytes
  Referenced Status     : not used
  -----------------------------------------------
huawei(config)#service-port 10 vlan 1023 gpon 0/4/0 ont 2 gemport 126 multi-service user-vlan 100 inbound traffic-table index 8 outbound traffic-table index 8
huawei(config)#service-port desc 10 description gpon/Vlanid:1023/uservlan:100

5 Configuring the EPON Internet Access Service

About This Chapter


The EPON broadband Internet access service is applicable to the scenario that provides
subscribers with the Internet service through optical fibers. The networking mode for the service
can be FTTH, FTTB, FTTC, or FTTO. This topic describes how to configure the Internet access
service provided by the MA5600T through EPON.

Application Context
EPON is mainly used in the FTTx solution. The FTTx technology is mainly used for adopting
optical network in the access network. Its coverage is from the CO device of the regional
telecommunications room to the subscriber terminal. The optical line terminal (OLT) functions
as the CO device. The optical network unit (ONU) or the optical network terminal (ONT)
functions as the subscriber terminal.
- FTTH refers to fiber to the home. In this networking scenario, the MA5600T functions as an OLT and is connected to the ONT at lower layer through the ODN. The ONT is connected to subscribers to provide the voice, Internet access, and IPTV services.
- FTTB refers to fiber to the building. In this networking scenario, the MA5600T functions as an OLT and is connected to the MDU or ONUs of other types at lower layer through the ODN. The ONU or MDU is connected to subscribers. FTTB can be further classified into FTTB+DSL and FTTB+LAN. These two modes respectively use the home gateway with an RJ-11 upstream port and the home gateway with a LAN upstream port to provide the voice, Internet access, and IPTV services.
- FTTC refers to fiber to the curb. FTTC is mainly used to provide services for residential subscribers. The ONU is placed in the cabinet at the curb. It uses coaxial cables to transmit CATV signals or uses twisted pairs to transmit the voice and Internet access services. In this networking scenario, the MA5600T functions as an OLT and is connected to the outdoor cabinet of the MDU or ONU at lower layer through the ODN. The ONU or MDU is connected to subscribers. FTTC and FTTB are the same in configuration and differ from each other only in the networking mode.
- FTTO refers to fiber to the office. The Ethernet port of the ONU is connected to the LAN of subscribers so that subscribers can be directly connected to the Internet, or connected to the headquarters or branch offices through VPN. In this networking scenario, the MA5600T functions as an OLT and is connected to the ONU at lower layer through the ODN. The ONU is connected to subscribers to provide the voice, Internet access, IPTV, and private line services.

Prerequisite
- Configure the AAA function.
  - To enable the AAA function on the device, see 2.12 Configuring AAA.
  - If the AAA function is implemented by the BRAS, a connection to the BRAS must be
    established. The BRAS should be capable of identifying the VLAN tag of the
    MA5600T in the upstream direction. For the identification purpose, the user name and
    password for dial-up Internet access must be configured on the BRAS.
- The EPON profile that is used for the Internet access service is already created.
  - For an ONT, Configuring the EPON ONT Line Profile and Configuring the EPON
    ONT Service Profile are already completed.
  - For an MDU or ONU, Configuring the EPON ONT Line Profile is already completed.

Data Plan
Before configuring the EPON Internet access service, plan the data items as listed in Table 5-1.

Table 5-1 Data plan for the EPON Internet access service

| Item | Data | Remarks |
| --- | --- | --- |
| MA5600T | Access rate | Configure the data according to the user requirements. |
| MA5600T | Access port | Configure the data according to the network planning. |
| MA5600T | VLAN planning | The cooperation with the upper-layer device should be considered in the VLAN planning. The upstream VLAN must be the same as that of the upper-layer device. |
| MA5600T | QoS policy | Configure the data according to the QoS policy of the entire network. Generally, the priority of the Internet access service is lower than the priorities of the voice and video services. |
| ONT | LLID | |
| ONT | ONT index | EPON supports a split ratio of up to 1:128. You need to plan the ONTs connected to the MA5600T to facilitate management. |
| ONT | Authentication mode | You can use the password authentication and the MAC address authentication. |
| Upper-layer LAN switch | | The LAN switch transparently transmits the service packets of the MA5600T on L2. The VLAN ID must be the same as the upstream VLAN ID of the MA5600T. |
| BRAS | | The BRAS performs the related configurations according to the authentication and accounting requirements for dialup users, for example, configures the access user domain (including the authentication scheme, accounting scheme, and authorization scheme bound to the domain) and specifies the RADIUS server. If the BRAS is used to authenticate users, you need to configure the user name and the password for each user on the BRAS. If the BRAS is used to allocate IP addresses, you need to configure the corresponding IP address pool on the BRAS. |

Procedure
1. 5.1 Configuring an EPON ONT Profile
   EPON ONT profiles are classified into DBA profiles, line profiles and service profiles.
   This topic describes how to configure these profiles.

2. 5.2 Configuring a VLAN
   Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring
   a service, make sure that the VLAN configuration based on planning is complete.

3. 5.3 Configuring an Upstream Port
   This topic describes how to add an upstream port for an Internet access service to a VLAN.

4. 5.4 Configure the EPON ONT
   The MA5600T provides end users with services through the ONT. The MA5600T can
   manage the ONT and the ONT can work in the normal state only after the channel between
   the MA5600T and the ONT is available.

5. 5.5 Configuring an EPON User Port
   An EPON port can work in the normal state and transmit services only after it is enabled.
   This topic describes how to enable an EPON port and configure the attributes for the port.

6. 5.6 Creating an EPON Service Port
   A service port is a service channel between the user side and the network side. To provide
   services, you must configure the service port.


5.1 Configuring an EPON ONT Profile


EPON ONT profiles are classified into DBA profiles, line profiles and service profiles. This
topic describes how to configure these profiles.

Background Information
In the profile mode, EPON ONT profiles are classified into line profiles and service profiles
according to the EPON ONT parameters. The line profile is mainly used to configure the
information related to DBA. The service profile is mainly used to configure the actual ONT
capability and the parameters related to services.
The line profile is mandatory. The service profile is optional and depends on service
requirements. Set related attributes in line profile mode and service profile mode, and directly
bind the ONT to the line profile and service profile.

5.1.1 Configuring a DBA Profile


A DBA profile defines the traffic parameters of xPON and can be bound to dynamically allocate
the bandwidth and improve the usage of the upstream bandwidth.

Default Configuration
Table 5-2 lists the default settings of the DBA profiles.
Table 5-2 Default settings of the DBA profiles

| Parameter | Default Setting | Remarks |
| --- | --- | --- |
| Default DBA profile ID in the system | 1-9 | You can run the display dba-profile all command to query the parameter values of each default DBA profile. |

Procedure
Step 1 Add a DBA profile.
Run the dba-profile add command to add a DBA profile. The system provides nine default
DBA profiles numbered 1-9, which define the typical values of traffic parameters. These DBA
profiles cannot be added or deleted.
NOTE

- By default, T-CONT is not bound to any DBA profile. Hence, a DBA profile must be configured for
  T-CONT. By default, LLID is bound to the No. 9 DBA profile.
- When you add a DBA profile, the bandwidth value must be a multiple of 64. If you enter a bandwidth
  value that is not a multiple of 64, the system adopts the closest multiple of 64 that is smaller than
  the value you enter.

Step 2 Query a DBA profile.
Run the display dba-profile command to query a DBA profile.


----End

Example
Assume that the name and type of a DBA profile are "DBA_bandwidth" and "type3"
respectively, and that the bandwidth required by a user is 10 Mbit/s. To add such a DBA profile,
do as follows:
huawei(config)#dba-profile add profile-name DBA_10M type3 assure 10240 max 10240
huawei(config)#display dba-profile profile-name DBA_10M
-----------------------------------------------------------------
Profile-name : DBA_10M
Profile-ID: 10
type: 3
Bandwidth compensation: No
Fix(kbps): 0
Assure(kbps): 10240
Max(kbps): 10240
bind-times: 0
-----------------------------------------------------------------

5.1.2 Configuring an EPON ONT Line Profile


Configure the EPON ONT line profile so that you can reference the profile when adding an
ONT. Regardless of whether the ONT is in the OAM or SNMP management mode, the ONT
needs to be bound with an EPON ONT line profile.

Default Configuration
Table 5-3 lists the default settings of the EPON ONT line profile.
Table 5-3 Default settings of the EPON ONT line profile

| Parameter | Default Setting |
| --- | --- |
| DBA profile bound to LLID | Profile ID: 9 |
| Upstream FEC switch | Disabled |

Procedure
Step 1 Run the ont-lineprofile epon command to add an EPON ONT line profile, and then enter the
EPON ONT line profile mode.
Regardless of whether the ONT is in the OAM or SNMP management mode, the line profile
must be configured for the ONT. After adding an EPON ONT line profile, directly enter the
EPON ONT line profile mode to configure the related attributes of the ONT line.
Step 2 Bind LLID with a DBA profile.
Run the llid command to bind LLID with a DBA profile. Ensure that 4.1.1 Configuring a DBA
Profile is completed before the configuration.
Step 3 Bind LLID with a DBA profile.
Use the following two methods to bind a DBA profile.
- In line profile mode:
  This method is applicable to the scenario where the DBA profile is stable and the terminals
  are of a single type.
  Run the llid command to bind LLID with a DBA profile. Ensure that Adding a DBA
  Profile is completed before the configuration.
- In EPON mode:
  This method is applicable to the scenario where the DBA profile changes frequently and the
  terminals are of different types.
  1. Run the undo llid command to unbind the default DBA profile.
  2. After the configuration of an EPON ONT line profile is complete, enter the EPON mode.
     Run the ont llid command to bind LLID with a DBA profile. Ensure that Adding a
     DBA Profile is completed before the configuration.

Step 4 Configure the queue threshold of the DBA queue set.


Run the dba-threshold command to configure the queue threshold of the DBA queue set. The
terminal has its own default value for the queue threshold in the OAM management mode. You
can use the default value and need not configure the threshold.
Step 5 Configure the upstream FEC switch.
Run the fec enable command to enable the upstream FEC function of the EPON ONT. By
default, the ONT FEC function is disabled.
In the FEC check, the system inserts redundancy data into normal packets. This gives the line
a degree of error tolerance but occupies some bandwidth. Therefore, determine whether to
enable the FEC function based on the actual line planning.
Step 6 Run the commit command to make the parameters of the profile take effect. The configuration
of a line profile takes effect only after you perform this operation.
NOTE

If this profile is not bound, all the parameters that are configured take effect when the profile is bound. If this
profile is already bound, the configuration takes effect on all ONTs bound with this profile immediately.

Step 7 Run the quit command to return to the global config mode.
----End

Example
To add EPON line profile 5 and bind LLID with DBA profile 1, do as follows:
huawei(config)#ont-lineprofile epon profile-id 5
huawei(config-epon-lineprofile-5)#llid dba-profile-id 1
huawei(config-epon-lineprofile-5)#commit
huawei(config-epon-lineprofile-5)#quit

5.1.3 Configuring an EPON ONT Service Profile


The EPON ONT service profile provides a channel for configuring the service of the ONT
managed in the OAM mode. To configure the service of the ONT (such as the MDU) managed
in the SNMP mode, you need to log in to the ONT.

Default Configuration
Table 5-4 lists the default settings of the EPON ONT service profile.
Table 5-4 Default settings of the EPON ONT service profile

| Parameter | Default Setting |
| --- | --- |
| Multicast mode of the ONT port | CTC |
| Quick leave mode of the ONT port | Unconcern (the OLT does not perform any processing) |

Procedure
Step 1 Run the ont-srvprofile epon command to add an EPON ONT service profile, and then enter the
EPON ONT service profile mode.
If the ONT management mode is the SNMP mode, you need not configure the service profile.
After adding an EPON service profile, directly enter the EPON ONT service profile mode to
configure the related services. Select the configuration items according to the service
requirements.
Step 2 Configure the Internet access service.
1. Run the ont-port eth command to configure the port capability set of the ONT. The
   capability set plans the number of various ports supported by the ONT. The port capability
   set must be the same as the actual ONT capability set.
2. Run the port vlan command to configure the port VLAN of the ONT. Alternatively, run
   the ont port vlan command to configure the port VLAN of the ONT in the EPON mode.

Step 3 Configure the voice service.
NOTE

The voice service of the ONT is issued to the NMS for configuration through XML, and the OLT transparently
transmits the service. Therefore, you only need to run the service-port command to create a service port channel
for carrying the voice service.

1. Run the ont-port pots command to configure the port capability set of the ONT. The
   capability set plans the number of various ports supported by the ONT. The port capability
   set must be the same as the actual ONT capability set.
2. Run the port vlan command to configure the port VLAN of the ONT. Alternatively, run
   the ont port vlan command to configure the port VLAN of the ONT in the EPON mode.

Step 4 Configure the multicast service.
1. Run the ont-port eth command to configure the port capability set of the ONT. The
   capability set plans the number of various ports supported by the ONT. The port capability
   set must be the same as the actual ONT capability set.
2. Run the port vlan command to configure the port VLAN of the ONT. Alternatively, run
   the ont port vlan command to configure the port VLAN of the ONT in the EPON mode.
3. Run the multicast mode command to configure the multicast mode and the quick leave
   mode of the ONT port. By default, the multicast mode is CTC and the quick leave mode
   is unconcern.


   If the ONT does not support the CTC mode, you need to configure the ONT multicast mode
   to a mode that is actually supported by the ONT.
   - Ctc: a standard of China Telecom Corporation (CTC). Demanding multicast programs
     on the ONT is based on the index of the multicast user. For example, if the index of a
     multicast user connected to the ONT is 0, when this multicast user demands a multicast
     program, the multicast packets of this multicast user carry the VLAN 1 (index of the
     multicast user + 1) tag when transmitted from the ONT.

     CAUTION
     If the multicast mode is the CTC mode, the VLAN ID of the service port to be created
     is the ID of the port where the ONT is located.
   - Igmp-snooping: IGMP snooping obtains the related information and maintains the
     multicast forwarding entries by listening to the IGMP packets in the communication
     between the user and the multicast router.
   - Transparent: Transparently transmit the multicast traffic streams without processing
     them.
4. Run the port eth ont-portid multicast-tagstripe { untag | tag } command to configure the
   mode for processing the VLAN tag of the multicast data packets.
   - Untag: Strip the VLAN tag of the downstream multicast data packets.
   - Tag: Transparently transmit the downstream multicast data packets.
5. Run the port multicast-vlan command to configure the multicast VLAN of the ONT port.
   The multicast VLAN must be consistent with the multicast VLAN on the OLT side.

   CAUTION
   If the multicast VLAN of the ONT port is not configured, the downstream data streams of
   the multicast VLAN are discarded by the ONT.
Step 5 Run the commit command to make the parameters of the profile take effect. The configuration
of the service profile takes effect only after you perform this operation.
NOTE

If this profile is not bound, all the parameters that are configured take effect when the profile is bound. If this
profile is already bound, the configuration takes effect on all ONTs bound with this profile immediately.

Step 6 Run the quit command to return to the global config mode.
----End

Example
Assume that the profile is used for the Internet access service, the ONT supports four ETH ports,
and the VLAN ID of ONT port 1 is 10. To add EPON service profile 200, do as follows:
huawei(config)#ont-srvprofile epon profile-id 200
huawei(config-epon-srvprofile-200)#ont-port eth 4
huawei(config-epon-srvprofile-200)#port vlan eth 1 10
huawei(config-epon-srvprofile-200)#commit
huawei(config-epon-srvprofile-200)#quit

Assume that the profile is used for the multicast service, the ONT supports four ETH ports, the
VLAN ID of ONT port 1 is 100, the ONT supports the IGMP snooping mode, the VLAN tag of
the multicast packets is transparently transmitted, and the multicast VLAN ID is 10. To add
EPON service profile 20, do as follows:
huawei(config)#ont-srvprofile epon profile-id 20
huawei(config-epon-srvprofile-20)#ont-port eth 4
huawei(config-epon-srvprofile-20)#port vlan eth 1 100
huawei(config-epon-srvprofile-20)#multicast mode igmp-snooping
huawei(config-epon-srvprofile-20)#port eth 1 multicast-tagstripe tag
huawei(config-epon-srvprofile-20)#port multicast-vlan eth 1 10
huawei(config-epon-srvprofile-20)#commit
huawei(config-epon-srvprofile-20)#quit

5.2 Configuring a VLAN


Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring a
service, make sure that the VLAN configuration based on planning is complete.

Prerequisites
The VLAN to be added should not exist in the system.

Application Context
VLAN application is specific to user types. For details on the VLAN application, see Table
5-5.
Table 5-5 VLAN application and planning

| User Type | Application Scenario | VLAN Planning |
| --- | --- | --- |
| Household user; commercial user of the Internet access service | N:1 scenario, that is, the scenario of upstream transmission through a single VLAN, where the services of multiple subscribers are converged to the same VLAN. | VLAN type: smart. VLAN attribute: common. VLAN forwarding mode: by VLAN+MAC |
| Household user; commercial user of the Internet access service | 1:1 scenario, that is, the scenario of upstream transmission through double VLANs, where the outer VLAN tag identifies a service and the inner VLAN tag identifies a user. The service of each user is indicated by a unique S+C. | VLAN type: smart. Attribute: stacking. VLAN forwarding mode: by S+C |
| Commercial user of the transparent transmission service | Applicable only to the transparent transmission service of a commercial user. | VLAN type: smart. VLAN attribute: QinQ. VLAN forwarding mode: by VLAN+MAC or S+C. |

Default Configuration
Table 5-6 lists the default parameter settings of VLAN.
Table 5-6 Default parameter settings of VLAN

| Parameter | Default Setting | Remarks |
| --- | --- | --- |
| Default VLAN of the system | VLAN ID: 1. Type: smart VLAN | You can run the defaultvlan modify command to modify the VLAN type but cannot delete the VLAN. |
| Reserved VLAN of the system | VLAN ID range: 4079-4093 | You can run the vlan reserve command to modify the VLAN reserved by the system. |
| Default attribute of a new VLAN | Common | |
| VLAN forwarding mode | VLAN+MAC | |

Procedure
Step 1 Create a VLAN.
Run the vlan command to create a VLAN. VLANs of different types are applicable to different scenarios.

Table 5-7 VLAN types and application scenarios

| VLAN Type | Configuration Command | VLAN Description | Application Scenario |
| --- | --- | --- | --- |
| Standard VLAN | To add a standard VLAN, run the vlan vlanid standard command. | Standard VLAN. Ethernet ports in a standard VLAN are interconnected with each other but Ethernet ports in different standard VLANs are isolated from each other. | Only available to Ethernet ports and specifically to network management and subtending. |
| Smart VLAN | To add a smart VLAN, run the vlan vlanid smart command. | One VLAN may contain multiple xDSL service ports or GPON service ports. The traffic streams of these ports, however, are isolated from each other. In addition, the traffic streams of different VLANs are also isolated. One smart VLAN provides access for multiple subscribers and thus saves VLAN resources. | Smart VLANs can be applied in residential communities to provide xDSL or GPON service access. |
| MUX VLAN | To add a MUX VLAN, run the vlan vlanid mux command. | One MUX VLAN contains only one xDSL service port or GPON service port. The traffic streams in different VLANs are isolated from each other. One-to-one mapping can be set up between a MUX VLAN and an access user. Hence, a MUX VLAN can identify an access user. | MUX VLANs are applicable to xDSL or GPON service access. For example, MUX VLANs can be used to distinguish users. |
| Super VLAN | To add a super VLAN, run the vlan vlanid super command. | The super VLAN is based on layer 3. One super VLAN contains multiple sub-VLANs. Through an ARP proxy, the sub-VLANs in a super VLAN can be interconnected at layer 3. | Super VLANs save IP addresses and improve the utilization of IP addresses. For a super VLAN, sub-VLANs must be configured. You can run the supervlan command to add a sub-VLAN to a specified super VLAN. A sub-VLAN must be a smart VLAN or MUX VLAN. |

NOTE

- To add VLANs with consecutive IDs in batches, run the vlan vlanid to end-vlanid command.
- To add VLANs with inconsecutive IDs in batches, run the vlan vlan-list command.

Step 2 (Optional) Configure the VLAN attribute.


The default attribute for a new VLAN is "common". You can run the vlan attrib command to
configure the attribute of the VLAN.
Configure the attribute according to VLAN planning.
Table 5-8 VLAN attributes and application scenarios

| VLAN Attribute | Configuration Command | VLAN Type | VLAN Description | Application Scenario |
| --- | --- | --- | --- | --- |
| Common | The default attribute for a new VLAN is "common". | The VLAN with this attribute can be a standard VLAN, smart VLAN, MUX VLAN, or super VLAN. | A VLAN with the common attribute can function as a common layer 2 VLAN or function for creating a layer 3 interface. | Applicable to the N:1 access scenario. |
| QinQ VLAN | To configure QinQ as the attribute of a VLAN, run the vlan attrib vlanid q-in-q command. | The VLAN with this attribute can be a standard VLAN, smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with a Layer 3 interface, and the default VLAN of the system cannot be set to QinQ VLAN. | The packets from a QinQ VLAN contain two VLAN tags, that is, inner VLAN tag from the private network and outer VLAN tag from the MA5600T. Through the outer VLAN, an L2 VPN tunnel can be set up to transparently transmit the services between private networks. | Applicable to the enterprise private line scenario. |
| VLAN Stacking | To configure stacking as the attribute of a VLAN, run the vlan attrib vlanid stacking command. | The VLAN with this attribute can only be a smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with an L3 interface, and the default VLAN of the system cannot be set to VLAN Stacking. | The packets from a stacking VLAN contain two VLAN tags, that is, inner VLAN tag and outer VLAN tag from the MA5600T. The upper-layer BRAS authenticates the access users according to the two VLAN tags. In this manner, the number of access users is increased. On the upper-layer network in the L2 working mode, a packet can be forwarded directly by the outer VLAN tag and MAC address mode to provide the wholesale service for ISPs. | Applicable to the 1:1 access scenario for the wholesale service or extension of VLAN IDs. In the case of a stacking VLAN, to configure the inner tag of the service port, run the stacking label command. |

NOTE

- To configure attributes for the VLANs with consecutive IDs in batches, run the vlan attrib vlanid to
  end-vlanid command.
- To configure attributes for the VLANs with inconsecutive IDs in batches, run the vlan attrib vlan-list
  command.

Step 3 (Optional) Configure VLAN description.


To configure VLAN description, run the vlan desc command. You can configure VLAN
description to facilitate maintenance. The general VLAN description includes the usage and
service information of the VLAN.
Step 4 (Optional) Configure the VLAN forwarding policy.
vlan-connect corresponds to the S+C forwarding policy, which ensures higher security by
solving the problems of insufficiency in the MAC address space, MAC address aging, and MAC
address spoofing and attacks.

You can configure the VLAN forwarding policy in either the global config mode or VLAN
service profile configuration mode.
- In the global config mode, to configure the VLAN forwarding policy, run the vlan
  forwarding command. The default VLAN forwarding mode is VLAN+MAC in the system.
- In the VLAN service profile configuration mode, to configure the VLAN forwarding policy,
  do as follows:
  1. Run the vlan service-profile command to create a VLAN service profile and enter the
     VLAN service profile mode.
  2. Run the forwarding command to configure the VLAN forwarding policy. The default
     VLAN forwarding policy is VLAN+MAC in the system.
  3. Run the commit command to validate the profile configuration. The configuration of
     the VLAN service profile takes effect only after execution of this command.
  4. Run the quit command to quit the VLAN service profile mode.
  5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service
     profile created in 4.1.

----End

Example
Assume that a stacking VLAN with ID of 50 is to be configured for extension of the VLAN. A
service port is added to VLAN 50. The outer VLAN tag 50 of the stacking VLAN identifies the
access device and the inner VLAN tag 10 identifies the user with access to the device. For the
VLAN, description needs to be configured for easy maintenance. To configure such a VLAN,
do as follows:
huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
huawei(config)#service-port vlan 50 gpon 0/4/0 ont 1 gemport 126 rx-cttr 6 tx-cttr 6
huawei(config)#stacking label vlan 50 baselabel 10
huawei(config)#vlan desc 50 description stackingvlan/label10

Assume that a QinQ VLAN with ID of 100 is to be configured for an enterprise user to ensure
higher security and the VLAN forwarding policy is S+C. For the VLAN, description needs to
be configured for easy maintenance. To configure such a VLAN, do as follows:
huawei(config)#vlan 100 smart
huawei(config)#vlan attrib 100 q-in-q
huawei(config)#vlan desc 100 description qinqvlan/forhuawei
huawei(config)#vlan forwarding 100 vlan-connect
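
The following Python pre-check is an added example, not part of the Huawei guide. It reviews a planned list of VLAN commands against the constraints in Tables 5-5, 5-6 and 5-8 and the S+C note in Step 4. It recognizes only the command forms shown in this section; the finding names and the sample command list (the two examples above plus constructed VLANs 60, 70 and 4080) are assumptions made for illustration.

```python
import re

# Constraints taken from this section's tables:
#   Table 5-6: VLAN 1 is the system default VLAN (smart); 4079-4093 is the
#              default reserved range; a new VLAN is "common" with VLAN+MAC.
#   Table 5-8: q-in-q is allowed on standard/smart/MUX VLANs, stacking only on
#              smart/MUX VLANs; neither may be set on the default VLAN.
#   Table 5-5: a stacking VLAN (1:1 scenario) is planned with S+C forwarding,
#              which Step 4 configures with the vlan-connect keyword.
ALLOWED_TYPES = {"q-in-q": {"standard", "smart", "mux"},
                 "stacking": {"smart", "mux"}}
DEFAULT_VLAN = 1
RESERVED = range(4079, 4094)

PROMPT = re.compile(r"^\S*\(config\)#\s*")   # strips a "huawei(config)#" prompt
CREATE = re.compile(r"^vlan (\d+) (standard|smart|mux|super)$")
ATTRIB = re.compile(r"^vlan attrib (\d+) (\S+)$")
FORWARD = re.compile(r"^vlan forwarding (\d+) (\S+)$")


def parse_vlans(lines):
    """Build {vlan_id: state} from typed commands; also return commands that
    set an attribute or forwarding policy on a VLAN that was never created."""
    vlans = {DEFAULT_VLAN: {"type": "smart", "attrib": "common",
                            "forwarding": "vlan+mac"}}
    orphans = []
    for raw in lines:
        cmd = PROMPT.sub("", raw.strip())
        m = CREATE.match(cmd)
        if m:
            vlans[int(m[1])] = {"type": m[2], "attrib": "common",
                                "forwarding": "vlan+mac"}
            continue
        for pattern, key in ((ATTRIB, "attrib"), (FORWARD, "forwarding")):
            m = pattern.match(cmd)
            if not m:
                continue
            vid = int(m[1])
            if vid in vlans:
                vlans[vid][key] = m[2]
            else:
                orphans.append((vid, cmd))
    return vlans, orphans


def audit(lines):
    """Return a list of (vlan_id, finding_code, detail) tuples."""
    vlans, orphans = parse_vlans(lines)
    findings = [(vid, "not-created", cmd) for vid, cmd in orphans]
    for vid, v in sorted(vlans.items()):
        attrib, vtype = v["attrib"], v["type"]
        if attrib in ALLOWED_TYPES:
            if vid == DEFAULT_VLAN:
                findings.append((vid, "attrib-on-default-vlan", attrib))
            elif vtype not in ALLOWED_TYPES[attrib]:
                findings.append((vid, "attrib-type-mismatch",
                                 f"{attrib} on a {vtype} VLAN"))
        if attrib == "stacking" and v["forwarding"] != "vlan-connect":
            # Forwarding still uses VLAN+MAC rather than the planned S+C.
            findings.append((vid, "stacking-without-s+c",
                             f"forwarding is {v['forwarding']}"))
        if vid in RESERVED:
            findings.append((vid, "reserved-range", "4079-4093"))
    return findings


# Constructed sample: VLAN 50 and VLAN 100 follow the two examples above;
# VLAN 60, 70 and 4080 are made-up entries that break one rule each.
SAMPLE = """\
huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
huawei(config)#vlan desc 50 description stackingvlan/label10
huawei(config)#vlan 100 smart
huawei(config)#vlan attrib 100 q-in-q
huawei(config)#vlan forwarding 100 vlan-connect
huawei(config)#vlan 60 standard
huawei(config)#vlan attrib 60 stacking
huawei(config)#vlan forwarding 70 vlan-connect
huawei(config)#vlan 4080 smart
""".splitlines()

if __name__ == "__main__":
    for vid, code, detail in audit(SAMPLE):
        print(f"VLAN {vid}: {code} ({detail})")
```

The stacking example for VLAN 50 is reported because it never sets the forwarding policy, so the VLAN stays on the VLAN+MAC default instead of the S+C mode that Table 5-5 plans for the 1:1 scenario.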

5.3 Configuring an Upstream Port


This topic describes how to add an upstream port for an Internet access service to a VLAN.

Procedure
Step 1 Configure an upstream port for the VLAN.
Run the port vlan command to add the upstream port to the VLAN.
Step 2 Configure the attribute of the upstream port.

If the default attribute of the upstream port does not meet the requirement for interconnection
of the upstream port with the upper-layer device, you need to configure the attribute. For
configuration details, see 2.5 Configuring the Attributes of an Upstream Ethernet Port.
Step 3 Configure redundancy backup for the uplink.
To ensure reliability of the uplink, two upstream ports must be available. That is, redundancy
backup of the upstream ports needs to be configured. For details, see 8.2 Configuring the Uplink
Redundancy Backup.
----End

Example
Assume that the 0/17/0 and 0/17/1 upstream ports are to be added to VLAN 50. The 0/17/0 and
0/17/1 need to be configured into an aggregation group for double upstream accesses. For the
two upstream ports, the working mode is full-duplex (full) and the port rate is 100 Mbit/s. To
configure such upstream ports, do as follows:
huawei(config)#port vlan 50 0/17 0
huawei(config)#port vlan 50 0/17 1
huawei(config)#interface giu 0/17
huawei(config-if-giu-0/17)#duplex 0 full
huawei(config-if-giu-0/17)#duplex 1 full
huawei(config-if-giu-0/17)#speed 0 100
huawei(config-if-giu-0/17)#speed 1 100
huawei(config-if-giu-0/17)#quit
huawei(config)#link-aggregation 0/17 0 0/17 1 egress-ingress workmode lacp-static

5.4 Configure the EPON ONT


The MA5600T provides end users with services through the ONT. The MA5600T can manage
the ONT and the ONT can work in the normal state only after the channel between the
MA5600T and the ONT is available.

Prerequisites
The EPON ONT profile is already created.
- For an ONT, Configuring the EPON ONT Line Profile and Configuring the EPON
  ONT Service Profile are already completed.
- For an MDU or ONU, Configuring the EPON ONT Line Profile is already completed.

Background Information
The MA5600T uses the OAM protocol to manage and configure the EPON ONT, and supports
the offline configuration of the ONT and the configuration recovery of the online ONT. Based
on this mechanism, the ONT need not save the configuration information locally. This helps to
provision services and maintain terminals.
In the profile mode, the related configuration of the EPON ONT is already integrated in the
service profile and the line profile. When adding an ONT, you only need to bind the ONT with
the corresponding service profile and line profile.
Table 5-9 lists the default settings of the EPON ONT.
Table 5-9 Default settings of the EPON ONT

Parameter | Default Setting
ONT auto-find function of an EPON port | Disabled
ONT status after an ONT is added | Activated
Default VLAN of the ONT port | 1

Procedure
Step 1 Run the interface epon command to enter the EPON mode.
Step 2 Add an EPON ONT.
1. Run the port portid ont-auto-find command to enable the auto-find function of the ONT.
After the function is enabled, the system reports the MAC address and password of the
auto-find ONT and you can add an ONT according to the information reported by the
system. By default, the ONT auto-find function of an EPON port is disabled.
NOTE

An auto-find ONT is in the auto-find state. The auto-find ONT can work in the normal state only after it
is confirmed or added.

2. Run the ont add command to add an ONT offline, or run the ont confirm command to
confirm the auto-find ONT.
NOTE

- If the ONU is an independent NE and is directly managed by the NMS through the SNMP management
  mode, select the SNMP management mode. For this mode, you only need to configure the parameters
  for the EPON line and the parameters for the management channel on the OLT. You only need to bind
  the ONU with a line profile.
- If the ONU is not an independent NE and all its configuration is managed by the OLT through the
  OAM protocol, select the OAM management mode. For this mode, you need to configure all
  parameters that are required for the ONU on the OLT. You need to bind the ONU with the line profile
  and the service profile.
- Generally, the ONT management mode is set to the OAM mode. You need to bind the ONT with a
  line profile and a service profile.

3. Run the ont ipconfig command to configure the IP address of the ONT. The IP address
should not be in the same subnet as the IP address of the VLAN port.
For the ONU that is managed as an independent NE, you need to configure both the IP
address and the management VLAN for the ONT. For the ONU that supports the voice
service, you need to configure the IP address of the ONT for the voice service. In this case,
you need not configure the management VLAN.

4. When the ONT management mode is the SNMP mode, you need to configure the SNMP
management parameters for the ONT. The procedure is as follows:
a. Run the ont snmp-profile command to bind the ONT with an SNMP profile.
   Run the snmp-profile add command to add an SNMP profile before the configuration.
b. Run the ont snmp-route command to configure a static route for the NMS server,
   that is, configure the IP address of the next hop.

Step 3 Configure the default VLAN (native VLAN) for the ONT port.
Run the ont port native-vlan command to configure the default VLAN for the ONT port. By
default, the default VLAN ID of the ONT port is 1.
- If the packets reported from a user (such as a PC) to the ONT are untagged, the packets are
  tagged with the default VLAN of the port on the ONT and then reported to the OLT.
- If the packets reported from a user to the ONT are tagged, you need to configure the port
  VLAN of the ONT to be the same as the VLAN in the user tag. The packets are not tagged
  with the default VLAN of the port on the ONT but are reported to the OLT with the user tag.
Step 4 Activate the ONT.
Run the ont activate command to activate the ONT. The ONT can transmit services only when
it is in the activated state.
After being added, the ONT is in the activated state by default. The step is required only when
the ONT is in the deactivated state.
----End

Example
To add an ONT that is managed by the OLT through the OAM protocol, confirm this ONT
according to the MAC address 0018-8256-3E47 automatically reported by the system, and bind
the ONT with line profile 1 and service profile 1 that match the ONT, do as follows:
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#port 0 ont-auto-find enable
huawei(config-if-epon-0/4)#ont confirm 0 mac-auth 0018-8256-3E47 oam ont-lineprofile-id 1 ont-srvprofile-id 1 desc HG850e

To add an ONU that is managed as an independent NE and whose MAC address is known as
0073-075B-C9FE, bind the ONU with line profile 2 that matches the ONU, configure the NMS
parameters for the ONU, and set the management VLAN to 31, do as follows:
huawei(config)#snmp-profile add profile-id 1 v2c public private 10.10.5.53 161
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#ont add 0 2 mac-auth 0073-075B-C9FE snmp ont-lineprofile-id 2
huawei(config-if-epon-0/4)#ont ipconfig 0 2 ip-address 10.20.20.20 mask 255.255.255.0 gateway 10.10.20.1 manage-vlan 31
huawei(config-if-epon-0/4)#ont snmp-profile 0 2 profile-id 1
huawei(config-if-epon-0/4)#ont snmp-route 0 2 ip-address 10.10.20.190 mask 255.255.255.0 next-hop 10.10.20.100 desc MA5620E

5.5 Configuring an EPON User Port


An EPON port can work in the normal state and transmit services only after it is enabled. This
topic describes how to enable an EPON port and configure the attributes for the port.

Default Configuration
Table 5-10 lists the default settings of an EPON user port.

Table 5-10 Default settings of an EPON user port

Parameter | Default Setting
EPON port | Enabled
Maximum registrable ONT distance | 20 km

Procedure
Step 1 Run the interface epon command to enter the EPON mode.
Step 2 Enable or disable an optical port.
- Run the port portid laser-switch on command to enable the laser of an optical port. By
  default, the laser of an optical port is enabled and the optical port is available. In this case,
  this step is not required.
- For an unneeded optical port, run the port portid laser-switch off command to disable the
  laser of the port.

CAUTION
Ensure that the PON port does not carry any service before performing this operation.
Step 3 Configure the maximum registrable ONT distance.
Run the port portid range command to configure the maximum registrable ONT distance of
the EPON port. The default value is 20 km. If the actual distance of the ONT is greater than the
preset maximum registrable distance, the ONT cannot be registered.
----End

Example
To set the maximum registrable ONT distance under EPON 0/4 to 15 km, do as follows:
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#port 0 range max-distance 15

5.6 Creating an EPON Service Port


A service port is a service channel between the user side and the network side. To provide
services, you must configure the service port.

Background Information
A service port can carry a single service or multiple services. When a service port carries multiple
services, the MA5600T supports the following modes of classifying traffic:
- By user-side VLAN
- By user-side service encapsulation mode
- By VLAN+user-side packet priority
- By VLAN+user-side service encapsulation mode

Table 5-11 lists the default settings of a service port.


Table 5-11 Default settings of a service port

Parameter | Default Setting
Traffic profile ID | 0-6
Administrative status of the service port | Activated
Maximum number of MAC addresses that are learned | 1023

Procedure
Step 1 Create a traffic profile.
Run the traffic table ip command to create a traffic profile. There are seven default traffic
profiles in the system with the IDs of 0-6.
Before creating a service port, run the display traffic table command to check whether the
traffic profiles in the system meet the requirement. If no traffic profile in the system meets the
requirement, add a traffic profile that meets the requirement. For details about the traffic profile,
see Configuring Traffic Management Based on Service Port.
Step 2 Create a service port.
You can choose to create a single service port or multiple service ports in batches according to
requirements.
- Run the service-port command to create a single service port. Service ports are classified
  into single-service service ports and multi-service service ports. Multi-service service ports
  are generally used for the triple play service.
  - Single-service service port:
    By default, a service port is a single-service service port if you do not enter multi-service.
  - Multi-service service port based on the user-side VLAN:
    Select multi-service user-vlan { untagged | user-vlanid | priority-tagged | other-all }.
    - untagged: When untagged is selected, user-side packets do not carry a tag.
    - user-vlanid: When user-vlanid is selected, user-side packets carry a tag and the value
      of user-vlanid must be the same as the tag carried in user-side packets, that is, CVLAN.
    - priority-tagged: When priority-tagged is selected, the VLAN tag is 0 and the
      priorities of user-side packets are 0-7.
    - other-all: When other-all is selected, service ports for the transparent LAN service
      (TLS) are created, which are mainly used in the QinQ transparent transmission
      service for enterprises. All the traffic except known traffic in the system is carried
      over this channel.
  - Multi-service service port based on the user-side service encapsulation mode:
    Select multi-service user-encap user-encap.
  - Multi-service service port based on VLAN+user-side packet priority (802.1p):
    Select multi-service user-8021p user-8021p [ user-vlan user-vlanid ].
  - Multi-service service port based on VLAN + user-side service encapsulation mode
    (user-encap):
    Select multi-service user-vlan { untagged | user-vlanid | priority-tagged } user-encap user-encap.
NOTE

- The system supports creating service ports by index. One index maps one service port and the input
  of a large number of traffic parameters is not required. Therefore, the configuration of service ports
  is simplified. During the creation of a service port, index indicates the index of the service port and it
  is optional. If it is not input, the system automatically adopts the smallest value.
- vlan indicates the S-VLAN. An S-VLAN can only be a MUX VLAN or smart VLAN.
- rx-cttr is the same as outbound in terms of meanings and functions. Either of them indicates the index
  of the traffic from the network side to the user side. tx-cttr is the same as inbound in terms of meanings
  and functions. Either of them indicates the index of the traffic from the user side to the network side.
  The traffic profile bound to the service port is created in Step 1.

- Run the multi-service-port command to create service ports in batches.

Step 3 Configure the attributes of the service port. Configure the attributes of the service port according
to requirements.
- Run the service-port desc command to configure the description of the service port.
  Configure the description for a service port to facilitate maintenance. In general, configure
  the purpose and related service information as the description of a service port.
- Run the service-port index adminstatus command to configure the administrative status
  of the service port. By default, a service port is in the activated state.
  A service port can be activated at two levels: port level and service port level. To provision
  services for a user, the access port and the corresponding service port of the user must be
  activated.
- Run the mac-address max-mac-count service-port command to configure the maximum
  number of MAC addresses learned by the service port to restrict the maximum number of
  PCs that can access the Internet by using the same account. By default, the maximum number
  of MAC addresses learned by the service port is 1023.

----End

Example
Connect ONT 1 to EPON port 0/4/1 of the MA5600T. Plan an Internet access user. The ONT
provides the Internet-access-only service with a rate of 2048 kbit/s for this user, the service
VLAN ID is 100, and only three users are allowed to use the same account for Internet access at
the same time. The query shows that there is a proper traffic profile, so reference this traffic
profile directly. This user is not registered yet, so the service is not provided for the user for
the moment. To configure such a user, do as follows:
huawei(config)#display traffic table ip from-index 0
{ <cr>|to-index<K> }:
  Command:
          display traffic table ip from-index 0
  ----------------------------------------------------------------------------
  TID CIR(kbps) CBS(bytes) PIR(kbps) PBS(bytes) Pri Copy-policy Pri-Policy
  ----------------------------------------------------------------------------
    0      1024      34768      2048      69536   6             tag-pri
    1      2496      81872      4992     163744   6             tag-pri
    2       512      18384      1024      36768   0             tag-pri
    3       576      20432      1152      40864   2             tag-pri
    4        64       4048       128       8096   4             tag-pri
    5      2048      67536      4096     135072   0             tag-pri
    6       off        off       off        off   0             tag-pri
  ----------------------------------------------------------------------------
  Total Num : 7
huawei(config)#service-port 4 vlan 100 epon 0/4/1 ont 1 inbound traffic-table index 5 outbound traffic-table index 5
huawei(config)#mac-address max-mac-count service-port 4 3
huawei(config)#service-port 4 adminstatus disable

Connect ONT 1 to EPON port 0/4/1 of the MA5600T. A commercial user requires the Internet
access service with a rate of 4096 kbit/s to be provided. For subsequent service expansion, the
ONT provides the Internet access service for this user in the multi-service mode. The user is
differentiated based on the user-end VLAN, S-VLAN ID is 50, and C-VLAN ID is 10. The query
shows that there is no proper traffic profile in the system. Then, create traffic profile 9. The
Internet access service is required to be provided immediately. The description of the service
port is added to facilitate maintenance. To configure such a user, do as follows:
huawei(config)#display traffic table ip from-index 0
{ <cr>|to-index<K> }:
  Command:
          display traffic table ip from-index 0
  ----------------------------------------------------------------------------
  TID CIR(kbps) CBS(bytes) PIR(kbps) PBS(bytes) Pri Copy-policy Pri-Policy
  ----------------------------------------------------------------------------
    0      1024      34768      2048      69536   6             tag-pri
    1      2496      81872      4992     163744   6             tag-pri
    2       512      18384      1024      36768   0             tag-pri
    3       576      20432      1152      40864   2             tag-pri
    4        64       4048       128       8096   4             tag-pri
    5      2048      67536      4096     135072   0             tag-pri
    6       off        off       off        off   0             tag-pri
  ----------------------------------------------------------------------------
  Total Num : 7
huawei(config)#traffic table ip index 9 cir 4096 priority 4 priority-policy local-Setting
  Create traffic descriptor record successfully
  ------------------------------------------------
  TD Index              : 9
  TD Name               : ip-traffic-table_9
  Priority              : 4
  Mapping Priority      :
  Mapping Index         :
  CTAG Mapping Priority :
  CTAG Mapping Index    :
  CTAG Default Priority : 0
  Priority Policy       : local-pri
  CIR                   : 4096 kbps
  CBS                   : 133072 bytes
  PIR                   : 8192 kbps
  PBS                   : 264144 bytes
  Referenced Status     : not used
  ------------------------------------------------
huawei(config)#service-port 5 vlan 50 epon 0/4/1 ont 2 multi-service user-vlan 10 inbound traffic-table index 9 outbound traffic-table index 9
huawei(config)#service-port desc 5 description epon/Vlanid:50/uservlan/10
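
The following script is an added example, not part of the Huawei guide or of any Huawei tool. It audits a command script built from the commands in the 5.4 and 5.6 examples for three settings worth reviewing before handover: an SNMP profile that uses the community strings public and private, an EPON port with ONT auto-find left enabled, and a service port that keeps the default limit of 1023 learned MAC addresses. The rule names, the audit function, and the sample script (one command per line) are assumptions made for this example.

```python
"""Audit an MA5600T command script for settings the 5.4/5.6 examples leave weak.

Added example: rule names and the sample script are assumptions, not Huawei tooling.
"""
import re
from dataclasses import dataclass

PROMPT = re.compile(r"^[\w-]+\([^)]*\)#\s*")   # e.g. "huawei(config-if-epon-0/4)#"
DEFAULT_COMMUNITIES = {"public", "private"}     # strings used in the 5.4 example
DEFAULT_MAX_MAC = 1023                          # default listed in Table 5-11

# Constructed sample: commands taken from the 5.4 and 5.6 examples, one per line.
SAMPLE_CONFIG = """\
huawei(config)#snmp-profile add profile-id 1 v2c public private 10.10.5.53 161
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#port 0 ont-auto-find enable
huawei(config-if-epon-0/4)#quit
huawei(config)#service-port 4 vlan 100 epon 0/4/1 ont 1 inbound traffic-table index 5 outbound traffic-table index 5
huawei(config)#mac-address max-mac-count service-port 4 3
huawei(config)#service-port 4 adminstatus disable
huawei(config)#service-port 5 vlan 50 epon 0/4/1 ont 2 multi-service user-vlan 10 inbound traffic-table index 9 outbound traffic-table index 9
huawei(config)#service-port desc 5 description epon/Vlanid:50/uservlan/10
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


def commands(text):
    """Yield each command as a token list with the CLI prompt stripped."""
    for line in text.splitlines():
        tokens = PROMPT.sub("", line.strip()).split()
        if tokens:
            yield tokens


def audit(text):
    """Return the findings for one command script, in a stable order."""
    findings = []
    frame_slot = None     # set by "interface epon F/S", cleared on leaving it
    auto_find = {}        # "F/S/P" -> last ont-auto-find state seen
    service_ports = []    # service-port indexes in creation order
    mac_limits = {}       # service-port index -> configured max-mac-count

    for t in commands(text):
        if t[0] == "interface":
            frame_slot = t[2] if t[1:2] == ["epon"] and len(t) >= 3 else None
        elif t[0] == "quit":
            frame_slot = None
        elif t[:3] == ["snmp-profile", "add", "profile-id"] and len(t) >= 7:
            # Assumption: the two tokens after the version are community strings.
            weak = sorted(set(t[5:7]) & DEFAULT_COMMUNITIES)
            if weak:
                findings.append(Finding(
                    "snmp-default-community", f"snmp-profile {t[3]}",
                    f"{t[4]} profile uses well-known community string(s): {', '.join(weak)}"))
        elif frame_slot and t[0] == "port" and len(t) == 4 and t[2] == "ont-auto-find":
            auto_find[f"{frame_slot}/{t[1]}"] = t[3]
        elif t[0] == "service-port" and len(t) > 2 and t[1].isdigit() and t[2] == "vlan":
            service_ports.append(t[1])
        elif t[:3] == ["mac-address", "max-mac-count", "service-port"] and len(t) == 5:
            mac_limits[t[3]] = int(t[4])

    for port, state in auto_find.items():
        if state == "enable":
            findings.append(Finding(
                "ont-auto-find-enabled", port,
                "ONT auto-find is left enabled; the default is disabled"))
    for index in service_ports:
        if index not in mac_limits:
            findings.append(Finding(
                "mac-limit-default", f"service-port {index}",
                f"no max-mac-count set, so up to {DEFAULT_MAX_MAC} MAC addresses are learned"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Service port 4 produces no finding because the script limits it to 3 MAC addresses; service port 5 is reported because no limit follows its creation.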

6 Configuring the Multicast Service (PON)


About This Chapter


This topic describes how to configure the GPON/EPON multicast service on the MA5600T in
a single-NE network.

Application Context
The multicast feature of the MA5600T is mainly applicable to the live TV and near-video on
demand (NVOD) multicast video services.
Currently, the multicast application of the MA5600T is oriented to L2, which forwards data
based on VLAN ID + multicast MAC address. A multicast program in the network is identified
by VLAN ID + multicast IP address uniquely. The MA5600T differentiates multicast sources
through VLANs. It allocates a unique VLAN to each multicast source, controls the multicast
domain and the user authority based on VLANs, and provides a platform for different ISPs to
implement different multicast video services.
In terms of multicast processing mode, the MA5600T supports IGMP proxy and IGMP snooping.
Both of them provide the function of forwarding multicast video data, but their processing
mechanisms are different:
- IGMP snooping obtains related information and maintains the multicast forwarding entries
  by listening to the IGMP packets in the communication between the user and the multicast
  router.
- IGMP proxy intercepts the IGMP packets between the user and the multicast router,
  processes the IGMP packets, and then forwards the IGMP packets to the upper-layer
  multicast router. For the multicast user, the MA5600T is a multicast router that implements
  the router functions in the IGMP protocol; for the multicast router, the MA5600T is a
  multicast user.

In terms of multicast program configuration, the MA5600T supports statically configuring a
multicast program library and dynamically generating a multicast program library.
- Statically configuring a multicast program library: Configure the program list before the
  users watch the video programs. In this mode, the authority profile can be used to control
  the multicast. The program list and the authority profile, however, need to be maintained
  according to the video service change. The program host, program prejoin, and multicast
  bandwidth management functions are supported.
- Dynamically generating a multicast program library: Dynamically generate the program
  list according to the programs demanded by the users. In this mode, the program list need
  not be configured or maintained; however, the functions such as program management,
  user multicast bandwidth management, program preview, and program prejoin are not
  supported.

If the traffic with a high priority is suddenly overloaded and the service with a low priority is
affected, IGMP packets are not discarded. The MA5600T processes and sends the IGMP packets first.

Data Plan
Before configuring the multicast video service, plan the data items as listed in Table 6-1.
Table 6-1 Data items planned for the multicast service

Device | Data Item | Remarks
MA5600T | L2 multicast protocol; IGMP version; Multicast program configuration mode; Parameter values of the multicast protocol; Program list; User authentication policy; Program bandwidth, upstream port bandwidth, and user bandwidth; Multicast ONT; Multicast log policy |
Upper-layer multicast router | IGMP version | The IGMP version of the upper-layer multicast router cannot be earlier than the IGMP version used by the MA5600T.

Configuration Flowchart
Figure 6-1 shows the scheme of configuring the multicast service under GPON.

Figure 6-1 Scheme of configuring the multicast service under GPON

Figure 6-2 shows the scheme of configuring the multicast service under EPON.

Figure 6-2 Scheme of configuring the multicast service under EPON

Default Configuration
Table 6-2 lists the default configuration of the multicast service provided by the MA5600T.
Table 6-2 Default configuration of the multicast service

Feature | Default Configuration
Multicast protocol | Disable
IGMP version | V3
Multicast program configuration mode | Static configuration mode
Multicast bandwidth management | Enable
Multicast preview | Enable
Multicast log switch | Enable
Multicast mode of the GPON ONT | Unconcern
Multicast forwarding mode of the GPON ONT | Unconcern

1. 6.1 Configuring Multicast Global Parameters
   The general parameters of L2 multicast protocols (including IGMP proxy and IGMP
   snooping) configured for a device are applicable to all the multicast VLANs on the device.
2. 6.2 Configuring the Multicast VLAN and the Multicast Program
   In the application of multicast service, multicast VLANs (MVLANs) are used to distinguish
   multicast ISPs. Generally, a multicast VLAN is allocated to each multicast ISP for the
   VLAN-based management of multicast programs, multicast protocols, IGMP versions, and
   the VLAN-based control of multicast domain and user right.
3. 6.3 Configuring the Multicast EPON ONT
   When the device is connected downstream to an ONT or an MDU, you need to configure
   the multicast interconnection data for forwarding the multicast traffic streams.
4. 6.4 Configuring the Multicast GPON ONT
   When the MA5600T is connected with an ONT or an MDU, you need to configure the
   multicast interconnection data to forward the multicast traffic streams.
5. 6.5 Configuring a Multicast User
   This topic describes how to configure a multicast user and the related authority to provision
   the multicast service.
6. 6.6 (Optional) Configuring the Multicast Bandwidth
   To limit the multicast bandwidth of a user, you can enable multicast bandwidth
   management, that is, connection admission control (CAC), and then control the bandwidth
   of a multicast user by setting the program bandwidth and the user bandwidth.
7. 6.7 (Optional) Configuring Multicast Preview
   Multicast preview is an advertising method provided by carriers for ISPs. The purpose is
   to allow users to have an overview of a program in a controlled way. In other words, the
   duration, interval, and count of the user previews are controlled.
8. 6.8 (Optional) Configuring Program Prejoin
   In program prejoin, the MA5600T receives in advance the multicast stream of a program
   from the upper-layer multicast router to the upstream port before a user sends a request to
   join a program, thus shortening the waiting time of the user for requesting the program.
9. 6.9 (Optional) Configuring the Multicast Logging Function
   Multicast log serves as a criterion for carriers to evaluate the viewership of multicast
   programs.

6.1 Configuring Multicast Global Parameters


The general parameters of L2 multicast protocols (including IGMP proxy and IGMP snooping)
configured for a device are applicable to all the multicast VLANs on the device.

Context
The multicast global parameters include general query, group-specific query, and the policy of
processing multicast packets.
The description of a general query is as follows:
- Purpose: A general query packet is periodically sent by the MA5600T to check whether
  there is any multicast user who leaves the multicast group without sending the leave packet.
  Based on the query result, the MA5600T periodically updates the multicast forwarding
  table and releases the bandwidth of the multicast user that has left the multicast group.
- Principle: The MA5600T periodically sends the general query packet to all online IGMP
  users. If the MA5600T does not receive the response packet from a multicast user within
  a specified time (Robustness variable x General query interval + Maximum response time
  of a general query), it regards the user as having left the multicast group and deletes the
  user from the multicast group.

The description of a group-specific query is as follows:
- Purpose: A group-specific query packet is sent by the MA5600T after a multicast user that
  is not configured with the quick leave attribute sends the leave packet. The group-specific
  query packet is used to check whether the multicast user has left the multicast group.
- Principle: When a multicast user leaves a multicast group, for example, switches to another
  channel, the user unsolicitedly sends a leave packet to the MA5600T. If the multicast user
  is not configured with the quick leave attribute, the MA5600T sends a group-specific query
  packet to the multicast group. If the MA5600T does not receive the response packet from
  the multicast user within a specified duration (Robustness variable x Group-specific query
  interval + Maximum response time of a group-specific query), it deletes the multicast user
  from the multicast group.

Table 6-3 lists the default settings of the multicast global parameters. In the actual application,
you can modify the values according to the data plan.
Table 6-3 Default settings of the multicast global parameters

Parameter | Default Value
General query parameter | Query interval: 125s; Maximum response time: 10s; Robustness variable (query times): 2
Group-specific query parameter | Query interval: 1s; Maximum response time: 0.8s; Robustness variable (query times): 2
Policy of processing multicast packets | IGMP packet: normal (IGMP packets are processed as controllable multicast); Unknown multicast packet: discard

Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
Step 2 Configure the general query parameters.
1. Run the igmp proxy router gen-query-interval command to set the general query interval.
   By default, the general query interval is 125s.
2. Run the igmp proxy router gen-response-time command to set the maximum response
   time of the general query. By default, the maximum response time of the general query is
   10s.
3. Run the igmp proxy router robustness command to set the robustness variable (query
   times) of the general query. By default, the robustness variable (query times) is 2.

Step 3 Set the group-specific query parameters.
1. Run the igmp proxy router sp-response-time command to set the group-specific query
   interval. By default, the group-specific query interval is 1s.
2. Run the igmp proxy router sp-query-interval command to set the maximum response
   time of the group-specific query. By default, the maximum response time of the
   group-specific query is 0.8s.
3. Run the igmp proxy router sp-query-number command to set the robustness variable
   (query times) of the group-specific query. By default, the robustness variable (query times)
   is 2.

Step 4 Configure the policy of processing multicast packets.
By default, the normal mode for processing IGMP packets is adopted. In this mode, IGMP
packets are processed as controllable multicast. The discard mode is adopted for unknown
multicast packets. In this mode, unknown multicast packets are discarded.
The default values are adopted for multicast service and need not be modified. To control the
forwarding of multicast packets when configuring other services, run the following commands
to configure the policy.
1. Run the igmp policy command to set the policy of processing IGMP packets.
2. Run the multicast-unknown policy command to set the policy of processing unknown
   multicast packets.

Step 5 Run the display igmp config global command to check whether the values of the multicast
parameters are correct.
----End

Example
To configure the multicast general query parameters by setting the query interval to 150s,
maximum response time to 20s, and number of queries to 3, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp proxy router gen-query-interval 150
huawei(config-btv)#igmp proxy router gen-response-time v3 20
huawei(config-btv)#igmp proxy router robustness 3

To configure the multicast group-specific query parameters by setting the query interval to 200s,
maximum response time to 100s, and number of queries to 3, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp proxy router sp-query-interval 200
huawei(config-btv)#igmp proxy router sp-response-time v3 100
huawei(config-btv)#igmp proxy router sp-query-number 3

6.2 Configuring the Multicast VLAN and the Multicast Program

In the application of multicast service, multicast VLANs (MVLANs) are used to distinguish
multicast ISPs. Generally, a multicast VLAN is allocated to each multicast ISP for the VLAN-based
management of multicast programs, multicast protocols, IGMP versions, and the VLAN-based
control of multicast domain and user right.

Context
To create a multicast VLAN, a common VLAN must be created first. The multicast VLAN can
be the same as the unicast VLAN. In this case, the two VLANs can share the same service stream
channel. The multicast VLAN can be different from the unicast VLAN. In this case, the two
VLANs use different service stream channels.
One user port can be added to multiple multicast VLANs under the following restrictions:
- Among all the multicast VLANs of a user port, only one multicast VLAN is allowed to
  have dynamically generated programs.
- One user port is not allowed to belong to multiple multicast VLANs that are in the IGMP
  v3 snooping mode.

The source IP address in the multicast packets that are sent to the upper device by the OLT may
be as follows:
- If the IP address of the program VLAN interface is configured, the source IP address is the
  IP address of VLAN interface.
- If the IP address of the program VLAN interface is not configured, the source IP address
  is the host IP address of the program.
- If the host IP address is not configured, the default address 0.0.0.0 is used.

Table 6-4 lists the default settings of the multicast VLAN attributes, including the L2 multicast
protocol, IGMP version, multicast program, and multicast upstream port.
Table 6-4 Default settings of the multicast VLAN attributes

Parameter | Default Value
Program matching mode | enable (static configuration mode)
Multicast upstream port mode | default
L2 multicast protocol | off (multicast function disabled)
IGMP version | v3
Priority of forwarding IGMP packets by the upstream port |

Procedure
Step 1 Create a multicast VLAN.
1. Run the vlan command to create a VLAN, and set the VLAN type according to the actual
   application. For details on the VLAN configuration, see Configuring VLAN.
2. Run the multicast-vlan command to set the created VLAN to a multicast VLAN. The
   VLAN with S+C forwarding mode cannot be set as a multicast VLAN.

Step 2 Configure multicast programs.


The multicast VLAN can be configured statically or generated dynamically.
- Static configuration mode: Configure a program list for the multicast VLAN beforehand,
  and bind the program to a right profile to implement program right management.
  1. Run the igmp match mode enable command to set the static configuration mode. By
     default, the system adopts the static configuration mode.
  2. Run the igmp program add [ name name ] ip ip-addr [ sourceip ip-addr ] [ hostip ip-addr ]
     command to add a multicast program.
     NOTE
     If the IGMP version of a multicast VLAN is v3, the program must be configured with a source IP
     address. If the IGMP version of a multicast VLAN is v2, the program must not be configured with
     a source IP address.
  3. Add a right profile.
     In the BTV mode, run the igmp profile add command to add a right profile.
  4. Bind the program to the right profile.
     In the BTV mode, run the igmp profile command to bind the program to the right profile,
     and set the right to watch.
     NOTE
     When a user is bound to multiple right profiles, and the right profiles have different rights to a
     program, the right with the highest priority prevails. You can run the igmp right-priority command
     to adjust the priorities of the four rights: watch, preview, forbidden, and idle. By default, the priorities
     of the four rights are forbidden > preview > watch > idle.
- Dynamic generation mode: A program list is dynamically generated according to the
  programs requested by users. In this mode, the program list need not be configured or
  maintained; however, the functions such as program management, user multicast
  bandwidth management, program preview, and program prejoin are not supported.
  1. Run the igmp match mode disable command to set the dynamic generation mode.

     CAUTION
     The igmp match mode command can be executed only when the IGMP mode is disabled.
  2. Run the igmp match group command to configure the IP address range of the program
     group that can be dynamically generated. Users can request only the programs whose IP
     addresses are within the specified range.

Step 3 Configure the multicast upstream port.


1. Run the igmp uplink-port command to configure the multicast upstream port. The packets
   of the multicast VLAN corresponding to the upstream port are forwarded and received by
   this upstream port.
2. In the BTV mode, run the igmp uplink-port-mode command to change the mode of the
   multicast upstream port. By default, the port is in the default mode. In the MSTP network,
   the port adopts the MSTP mode.
   - Default mode: If the multicast VLAN contains only one upstream port, the multicast
     packets that go upstream can be sent only by this port. If the multicast VLAN contains
     multiple upstream ports, the multicast packets that go upstream are sent by all the
     upstream ports.
   - MSTP mode: This mode is adopted in the MSTP network.

Step 4 Select the multicast mode.


Run the igmp mode { proxy | snooping } command to select the L2 multicast mode. By default,
the multicast mode is disabled.
In the IGMP snooping mode, proxy can be enabled for the report packet and the leave packet.
When a multicast user joins or leaves a multicast program, the MA5600T can implement IGMP
proxy. IGMP snooping and IGMP proxy are controlled separately.
- Run the igmp report-proxy enable command to enable the proxy of the snooping report
  packet. When the first user requests to join a program, after authenticating the user, the
  MA5600T sends the user report packet to the network side and receives a corresponding
  multicast stream from the multicast router. The report packets of the users that follow the
  first user are not sent by the MA5600T to the network side.
- Run the igmp leave-proxy enable command to enable the proxy of the snooping leave
  packet. When the last user requests to leave the program, the MA5600T sends the user leave
  packet to the network side to request the upper-layer device to stop sending multicast streams.
  The leave packets of the users that precede the last user are not sent by the MA5600T to the
  network side.
Step 5 Set the IGMP version.
Run the igmp version { v2 | v3 } command to set the IGMP version. By default, IGMP v3 is
enabled in the system. If the upper-layer and lower-layer devices in the network are IGMP v2
devices and cannot recognize the IGMP v3 packets, run this command to change the IGMP
version.
IGMP v3 is compatible with IGMP v2 in packet processing. If IGMP v3 is enabled on the
MA5600T and the upper-layer multicast router switches to IGMP v2, the MA5600T
automatically switches to IGMP v2 when receiving the IGMP v2 packets. If the MA5600T does
not receive any more IGMP v2 packets within the preset IGMP v2 timeout time, it automatically
switches back to IGMP v3. In the BTV mode, run the igmp proxy router timeout command
to set the IGMP v2 timeout time. By default, the timeout time is 400s.
Step 6 Change the priority for forwarding IGMP packets.
Run the igmp priority command to change the priority for forwarding the IGMP packets by the
upstream port. By default, the priority is 6 and need not be changed.
- In the IGMP proxy mode, the IGMP packets sent from the upstream port to the network side
  adopt the priority set through the preceding command in the multicast VLAN.
- In the IGMP snooping mode, the IGMP packets forwarded to the network side adopt the
  priority of the user service stream. The priority of the service stream is set through the traffic
  profile.
Step 7 Check whether the configuration is correct.
- Run the display igmp config vlan command to query the attributes of the multicast VLAN.
- Run the display igmp program vlan command to query the information about the program
  of the multicast VLAN.
----End

Example
Assume the following configurations: VLAN 101 is created, multicast programs are configured
statically, the IP address of the program is 224.1.1.1, the source IP address is 10.10.10.10, the
host IP address is 10.0.0.254, the program bandwidth is 5000 kbit/s, the upstream port of the
multicast VLAN is 0/17/0, the IGMP proxy is used, and the IGMP version is IGMP V3. To
perform these configurations, do as follows:
huawei(config)#vlan 101 smart
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp match mode enable
huawei(config-mvlan101)#igmp program add name movie ip 224.1.1.1 sourceip 10.10.10.10 hostip 10.0.0.254 bandwidth 5000
huawei(config-mvlan101)#igmp uplink-port 0/17/0
huawei(config-mvlan101)#igmp mode proxy
Are you sure to change IGMP mode?(y/n)[n]:y
huawei(config-mvlan101)#igmp version v3

Assume the following configurations: VLAN 101 is created, multicast programs are configured
dynamically, the upstream port of the multicast VLAN is 0/17/0, the IGMP proxy is used, and
the IGMP version is IGMP V3. To perform these configurations, do as follows:
huawei(config)#vlan 101 smart
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp match mode disable
This operation will delete all the programs in current multicast vlan
Are you sure to change current match mode? (y/n)[n]: y
Command is being executed, please wait...
Command has been executed successfully
huawei(config-mvlan101)#igmp uplink-port 0/17/0
huawei(config-mvlan101)#igmp mode proxy
Are you sure to change IGMP mode?(y/n)[n]:y
huawei(config-mvlan101)#igmp version v3
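
The NOTE on program source IP addresses and the CAUTION on igmp match mode can be checked mechanically against a saved CLI transcript. The following Python check is an added example, not Huawei code: it flags programs whose source IP setting conflicts with the final IGMP version of their multicast VLAN, and igmp match mode commands issued while the IGMP mode is enabled. The function name, finding codes, and sample transcript are assumptions constructed for illustration.

```python
import re

# Prompt lines look like "huawei(config-mvlan101)#igmp version v3".
PROMPT = re.compile(r"^\S+?\((?P<mode>[^)]+)\)#\s*(?P<cmd>.*)$")
MVLAN = re.compile(r"^config-mvlan(\d+)$")

# Constructed sample transcript (not taken from the guide).
SAMPLE = """\
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp match mode enable
huawei(config-mvlan101)#igmp program add name movie ip 224.1.1.1 sourceip 10.10.10.10
huawei(config-mvlan101)#igmp program add name news ip 224.1.1.2
huawei(config-mvlan101)#igmp mode proxy
Are you sure to change IGMP mode?(y/n)[n]:y
huawei(config-mvlan101)#quit
huawei(config)#multicast-vlan 102
huawei(config-mvlan102)#igmp version v2
huawei(config-mvlan102)#igmp program add name sport ip 224.2.2.2 sourceip 10.10.10.20
huawei(config-mvlan102)#igmp mode snooping
Are you sure to change IGMP mode?(y/n)[n]:y
huawei(config-mvlan102)#igmp match mode disable
"""


def lint_mvlan(transcript):
    """Return a sorted list of (vlan_id, code, detail) findings."""
    vlans, findings = {}, []
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # confirmation questions and device output are ignored
        ctx = MVLAN.match(m.group("mode"))
        cmd = m.group("cmd")
        words = cmd.split()
        if not ctx or words[:1] != ["igmp"]:
            continue  # only igmp commands inside a multicast VLAN mode matter here
        vid = int(ctx.group(1))
        # Defaults per Table 6-4: IGMP version v3, L2 multicast protocol off.
        v = vlans.setdefault(vid, {"version": "v3", "mode": None, "programs": []})
        if words[1:2] == ["version"] and len(words) > 2:
            v["version"] = words[2]
        elif words[1:2] == ["mode"] and len(words) > 2:
            # Any value other than proxy/snooping is treated as "disabled".
            v["mode"] = words[2] if words[2] in ("proxy", "snooping") else None
        elif words[1:3] == ["match", "mode"]:
            if v["mode"]:
                # CAUTION: only allowed while the IGMP mode is disabled.
                findings.append((vid, "MATCH_MODE_WHILE_ENABLED",
                                 "'%s' issued while IGMP mode is %s" % (cmd, v["mode"])))
            elif words[3:4] == ["disable"]:
                v["programs"].clear()  # switching to dynamic mode deletes programs
        elif words[1:3] == ["program", "add"]:
            # Remaining words are keyword/value pairs: name, ip, sourceip, hostip, ...
            v["programs"].append(dict(zip(words[3::2], words[4::2])))
    # The source-IP rule depends on the final IGMP version, so check at the end.
    for vid, v in vlans.items():
        for prog in v["programs"]:
            group = prog.get("ip", "?")
            if v["version"] == "v3" and "sourceip" not in prog:
                findings.append((vid, "V3_PROGRAM_NO_SOURCE",
                                 "program %s needs a source IP under IGMP v3" % group))
            if v["version"] == "v2" and "sourceip" in prog:
                findings.append((vid, "V2_PROGRAM_HAS_SOURCE",
                                 "program %s must not have a source IP under IGMP v2" % group))
    return sorted(findings)


if __name__ == "__main__":
    for vid, code, detail in lint_mvlan(SAMPLE):
        print("VLAN %d: %s: %s" % (vid, code, detail))
```
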


6.3 Configuring the Multicast EPON ONT


When the device is connected downstream to an ONT or an MDU, you need to configure the
multicast interconnection data for forwarding the multicast traffic streams.

Prerequisites
Before configuring the multicast EPON ONT, you must add the ONT correctly. For the
configuration method, see Configuring the EPON ONT.

Context
- When connected downstream to an ONT such as the HG8240, the MA5600T manages the
  ONT in the OAM mode. In this case, you need to configure the ONT line profile and the
  ONT service profile, configure the multicast data in the ONT service profile, and bind the
  profiles to the ONT to issue the multicast service.
- When connected downstream to an MDU such as the MA5612 or MA5662, the
  MA5600T manages the MDU in the SNMP mode. In this case, you do not need to configure
  the ONT service profile. You only need to configure the multicast data on the MDU for
  interconnection with the MA5600T to forward the multicast traffic streams.

Procedure
- Add an ONT line profile.
  For the configuration method, see Configuring the EPON ONT Line Profile.
- Add an ONT service profile.
  If the ONT is managed in the SNMP mode, you do not need to configure a service profile.
  After adding an EPON ONT service profile, directly enter the EPON ONT service profile
  mode to configure the related multicast data.
  1. Run the ont-port command to configure the port capability set of the ONT. The
     capability set plans the number of ETH, POTS, and TDM ports supported by the ONT.
     The port capability set in the ONT service profile must be the same as the actual ONT
     capability set.
  2. Run the port vlan command to configure the port VLAN of the ONT.
  3. Configure the multicast VLAN of the ONT port.
     Run the port multicast-vlan command to configure the multicast VLAN of the ONT
     port.
     WARNING
     If the multicast VLAN of the ONT port is not configured, the downstream data streams
     of the multicast VLAN are discarded by the ONT.
  4. (Optional) Configure the VLAN tag processing mode of the multicast data packets.
     Run the port eth ont-portid multicast-tagstripe { untag | tag | translation } command
     to configure the VLAN tag processing mode of the multicast data packets.

     - untag: Removes the VLAN tag of the downstream packets.
     - tag: Transparently transmits the downstream multicast data packets.
     - translation: Translates the VLAN tag of the downstream packets to another
       VLAN tag.
  5. After the configuration is complete, run the commit command to make the configured
     service profile take effect.
     NOTE
     - For an ONT that is added by running the ont add command or an auto-discovered ONT that is
       confirmed by running the ont confirm command, if you run the commit command after
       modifying the ONT line profile parameters and the ONT service profile parameters, the modified
       profile parameters take effect immediately.
     - The EPBA board does not support the commit command. You need to first configure the ONT
       line profile and the ONT service profile, and then bind the profiles to the ONT. After the binding,
       the profile parameters cannot be modified.

- Configure the multicast mode of the ONT.
  In the EPON mode, run the ont multicast-mode { igmp-snooping | ctc | transparent }
  command to select the multicast mode.
  - igmp-snooping: The ONU generates a multicast forwarding table based on the upstream
    IGMP report and leave packets and maintains it to control multicast users' rights to order
    multicast programs.
  - ctc: It is a standard of China Telecom Corporation (CTC). The MA5600T maintains a
    rights control table of multicast services to manage the users' multicast service access
    rights in a unified manner. The MA5600T uses extended OAM packets for multicast
    control to issue the users' access rights of the multicast channel to the ONU, and the
    ONU forwards or disconnects the traffic stream. Specifically, the multicast forwarding
    table maintained by the ONU is not generated based on the upstream IGMP report and
    leave packets; it is dynamically updated according to the multicast control OAM packets
    issued by the MA5600T. The multicast service access rights are managed by the
    MA5600T-side NMS in a unified manner. The MA5600T is the managing party for
    multicast rights and the ONU is the executor.
  - transparent: Directly forwards the multicast traffic streams without processing them.
NOTE

- If the multicast mode is the CTC mode, the VLAN ID of the service port to be created is the ID of the
  port to which the ONT is connected.
- The controllable multicast mode is different from multicast modes (IGMP proxy and IGMP snooping).
  The IGMP proxy and IGMP snooping are processing modes for the multicast streams.
- The advantage of the CTC mode is that the multicast rights management of the dynamic controllable
  multicast is transferred to the MA5600T. Hence, the ONU configuration is simplified and the
  management and maintenance efficiency is improved. In the CTC mode, if a multicast program is
  added or updated, update the MA5600T only and you do not need to update the ONUs.

----End

Example
To configure the multicast mode of ONT 1 connected to port 0/4/1 to IGMP snooping, the ONT
service profile ID to 10, the VLAN ID of ETH ports to 10, and the VLAN ID of multicast ports
to 100, and configure 4 ETH ports and 2 POTS ports, do as follows:
huawei(config-if-epon-0/4)#ont multicast-mode 1 1 igmp-snooping
huawei(config-if-epon-0/4)#quit

huawei(config)#ont-srvprofile epon profile-id 10


huawei(config-epon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-epon-srvprofile-10)#port vlan eth 1 10
huawei(config-epon-srvprofile-10)#multicast mode igmp-snooping
huawei(config-epon-srvprofile-10)#port multicast-vlan eth 1 100
huawei(config-epon-srvprofile-10)#commit
huawei(config-epon-srvprofile-10)#quit

6.4 Configuring the Multicast GPON ONT


When the MA5600T is connected with an ONT or an MDU, you need to configure the multicast
interconnection data to forward the multicast traffic streams.

Prerequisites
Before configuring the multicast GPON ONT, you must add the ONT correctly. For the
configuration method, see 4.4 Configuring a GPON ONT.

Context
- When the OLT is connected with an ONT such as the HG8240, the MA5600T manages
  the ONT in the OMCI mode. In this case, you need to configure the ONT line profile and
  the ONT service profile, configure the multicast data in the ONT service profile, and bind
  the profiles to the ONT to issue the multicast service.
- When the OLT is connected with an MDU such as the MA5612 or MA5662, the
  MA5600T manages the MDU in the SNMP mode. In this case, you need not configure the
  ONT service profile. You only need to configure the multicast data on the MDU
  interconnected with the MA5600T to forward the multicast traffic streams.

Procedure
Step 1 Add an ONT line profile.
For the configuration method, see 4.1.2 Configuring a GPON ONT Line Profile.
Step 2 Add an ONT service profile.
Run the ont-srvprofile gpon command to add a GPON ONT service profile, and then enter the
GPON ONT service profile mode.
If the ONT management mode is the SNMP mode, you need not configure the service profile.
After adding a GPON ONT service profile, directly enter the GPON ONT service profile mode
to configure the related multicast data.
1. Run the ont-port command to configure the port capability set of the ONT. The port
   capability set in the ONT service profile must be the same as the actual ONT capability set.
2. Run the port vlan command to configure the port VLAN of the ONT.
3. Configure the multicast mode of the ONT.
   Run the multicast mode { igmp-snooping | olt-control | unconcern } command to select
   the multicast mode.
   - igmp-snooping: IGMP snooping obtains related information and maintains the
     multicast forwarding entries by listening to the IGMP packets in the communication
     between the user and the multicast router.

   - olt-control: It is the dynamic controllable multicast mode. A multicast forwarding entry
     can be created for the multicast join packet of the user only after the packet passes the
     authentication.
   - unconcern: It is the unconcern mode. After this mode is selected, the OLT does not
     limit the multicast mode, and the multicast mode on the OLT automatically matches
     the multicast mode on the ONT.
4. Configure the multicast forwarding mode.
   Run the multicast-forward { tag | unconcern | untag } command to configure the
   processing mode on the VLAN tag of the multicast data packets.
   - tag: Set the multicast forwarding mode to contain the VLAN tag.
   - untag: Set the multicast forwarding mode not to contain the VLAN tag.
   - unconcern: The forwarding mode is not concerned.
5. After the configuration is complete, run the commit command to make the configured
   service profile take effect.
NOTE
For an ONT that is added through the ont add command or an automatically found ONT that is confirmed
through the ont confirm command, if you run the commit command after modifying the ONT line profile
parameters and the ONT service profile parameters, the modified profile parameters take effect
immediately.

----End

Example
To configure ONT service profile 10 with 4 ETH ports and 2 POTS ports, set the VLAN of the ETH
port to 10, the multicast mode to IGMP snooping, and the multicast forwarding mode to unconcern,
do as follows:
huawei(config)#ont-srvprofile gpon profile-id 10
huawei(config-gpon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-gpon-srvprofile-10)#port vlan eth 1 10
huawei(config-gpon-srvprofile-10)#multicast mode igmp-snooping
huawei(config-gpon-srvprofile-10)#multicast-forward unconcern
huawei(config-gpon-srvprofile-10)#commit
huawei(config-gpon-srvprofile-10)#quit

6.5 Configuring a Multicast User


This topic describes how to configure a multicast user and the related authority to provision the
multicast service.

Prerequisites
Before configuring a multicast user, you need to create the service channel. The procedure is as
follows:
- Configure a GPON multicast user
  1. Configure the VLAN
  2. Configure the upstream port
  3. Configure the multicast GPON ONT
  4. Configure the GPON user port
  5. Configure the GPON traffic stream

Context
Add a multicast user and bind the multicast user to the multicast VLAN to create a multicast
member. Bind the multicast user to an authority profile to implement multicast user
authentication.
Table 6-5 lists the default settings of the multicast user attributes.
Table 6-5 Default settings of the multicast user attributes

| Parameter | Default Setting |
|---|---|
| Limitation on the number of programs that can be watched by the multicast user | Number of programs that can be watched concurrently: 8; Maximum number of programs at various levels that can be watched: no limit |
| Quick leave mode of the multicast user | mac-based |
| Global switch of multicast user authentication | enable |

Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
Step 2 Configure a multicast user and the multicast user attributes.
1. Add a multicast user.
   Run the igmp user add service-port command to add a multicast user.
2. Configure the maximum number of programs that can be watched by the multicast user.
   - Run the igmp user add service-port index max-program { max-program-num | no-limit }
     command to set the maximum number of programs that can be watched by the
     multicast user concurrently. Up to 32 programs can be watched by the multicast user
     concurrently. By default, it is no limit.
   - Run the igmp user watch-limit service-port { hdtv | sdtv | streaming-video }
     command to set the maximum number of programs at various levels that can be watched
     by the multicast user.
3. Set the quick leave mode of the multicast user.
   Run the igmp user add service-port index quickleave { immediate | disable | mac-based }
   command to set the quick leave mode of the multicast user. By default, the quick
   leave mode is the mac-based mode.
   - immediate: After receiving the leave request packet of the multicast user, the system
     immediately deletes the multicast user from the multicast group. This setting is
     applicable to the scenario where only one terminal is connected to the same port or the
     terminal works in the IGMP proxy mode.

   - disable: After receiving the leave request packet of the multicast user, the system sends
     ACK packets to confirm that the multicast user leaves, and then deletes the multicast
     user from the multicast group.
   - mac-based: It is the quick leave mode based on the MAC address. The system detects
     the MAC address in the leave packet of the user. If it is the same as the MAC address
     in the report packet of the user, the system immediately deletes the multicast user from
     the multicast group. Otherwise, the system does not delete the multicast user. In this
     mode, the application scenario with multiple terminals is supported.
Step 3 Configure multicast user authentication.
To control the authority of a multicast user, you can enable the multicast user authentication
function.
1. Configure the multicast user authentication switch.
   Run the igmp user add service-port index { auth | no-auth } command to configure
   whether to authenticate a multicast user. The default configuration is no-auth.
   NOTE
   After configuring multicast user authentication, you need to enable the global authentication switch
   to make the configuration take effect. By default, the global switch of multicast user authentication
   is enabled. You can run the igmp proxy authorization command to change the configuration.
2. Bind the multicast user to a global profile. The multicast user is bound to an authority profile
   to implement user authentication.
   Run the igmp user bind-profile command to bind the user to an authority profile. After
   the binding, the multicast user uses the authority of the programs configured in the bound
   profile.

Step 4 Bind the multicast user to a multicast VLAN.


In the multicast VLAN mode, run the igmp multicast-vlan member command to bind the user
to the multicast VLAN. Then, the user becomes a multicast member of the multicast VLAN and
can demand programs configured for the multicast VLAN.
Step 5 Run the display igmp user command to check whether the related information about the
multicast user is correct.
----End

Example
To add multicast user (port) 0/4/1 to multicast VLAN 101, enable user authentication, enable
log report, set the maximum bandwidth to 10 Mbit/s, and bind the user to right profile music,
do as follows:
huawei(config)#service-port 100 vlan 101 gpon 0/4/1 ont 0 gemport 1 rx-cttr 2 tx-cttr 2
huawei(config)#btv
huawei(config-btv)#igmp user add service-port 100 auth log enable max-bandwidth 10240
huawei(config-btv)#igmp user bind-profile service-port 100 profile-name music
huawei(config-btv)#quit
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp multicast-vlan member service-port 100

6.6 (Optional) Configuring the Multicast Bandwidth


To limit the multicast bandwidth of a user, you can enable multicast bandwidth management,
that is, connection admission control (CAC), and then control the bandwidth of a multicast user
by setting the program bandwidth and the user bandwidth.

Prerequisites
The program matching mode of the multicast VLAN must be the static configuration mode.

Context
If the CAC function (not the dynamic ANCP CAC function) is enabled and a user demands a
multicast program, the system compares the remaining bandwidth of the user (bandwidth
configured for the user - total bandwidth of the online programs of the user) with the bandwidth
of the multicast program. If the remaining bandwidth of the user is sufficient, the system adds
the user to the multicast group. If the bandwidth is insufficient, the system does not respond to
the request of the user.
If the CAC function is disabled, the system does not guarantee the bandwidth of the multicast
program. When the bandwidth is not guaranteed, problems such as mosaic and delay occur in
the multicast program.
Table 6-6 lists the default settings of the CAC parameters.
Table 6-6 Default settings of the CAC parameters

| Parameter | Default Setting |
|---|---|
| Global CAC switch | enable |
| Bandwidth of the multicast program | 5000 kbit/s |
| Bandwidth of the multicast user | no-limit |
| Bandwidth of the GPON port | 716800 kbit/s |

Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
Step 2 Enable the global CAC switch.
By default, the global CAC switch is already enabled. You can run the igmp bandwidthCAC
{ enable | disable } command to change the setting.
Step 3 Configure the bandwidth of the multicast program.
- Run the igmp program add ip ip-addr bandwidth command to configure the bandwidth of
  a single multicast program.
- Run the igmp bandwidth port frameid/slotid/portid max-bandwidth { bandwidth | no-limit }
  command to configure the program bandwidth of a physical port on a board. This
command is available for only the GPON port. The default bandwidth of a port is 716800
kbit/s.
Step 4 Configure the bandwidth of the multicast user.
Run the igmp user add service-port index max-bandwidth command to allocate the bandwidth
that is available to the multicast user.
Step 5 Check whether the multicast bandwidth configuration is correct.
- Run the display igmp config global command to check the status of the global CAC switch.
- Run the display igmp program command to query the bandwidth allocated to the multicast
  program.
- Run the display igmp user command to query the maximum bandwidth and the occupied
  bandwidth of the multicast user.
----End

Example
To enable bandwidth management for multicast users, set the user bandwidth to 10 Mbit/s when
adding multicast user 0/4/1, and configure the program bandwidth to 1 Mbit/s when adding
multicast program 224.1.1.1.
huawei(config)#btv
huawei(config-btv)#igmp bandwidthCAC enable
huawei(config-btv)#igmp user add port 0/4/1 max-bandwidth 10240
huawei(config-btv)#quit
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp program add ip 224.1.1.1 bandwidth 1024
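
The join decision described in 6.2 (right priority), 6.5 (auth or no-auth, max-program) and this section (CAC) can be modelled together to see which control denies a request. The following Python model is an added example, not Huawei code. It assumes that no-auth users skip the rights check, that a program absent from every bound profile counts as idle, that idle and forbidden both deny, and that the checks run in the order rights, program count, bandwidth; all class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Highest priority first, as stated in the NOTE on igmp right-priority.
DEFAULT_PRIORITY = ("forbidden", "preview", "watch", "idle")


@dataclass
class MulticastUser:
    auth: bool = False                    # the guide's default is no-auth
    max_bandwidth: Optional[int] = None   # kbit/s; None models no-limit
    max_programs: Optional[int] = None    # None models no-limit
    # Each bound right profile maps a program group IP to a right.
    profiles: List[Dict[str, str]] = field(default_factory=list)
    # Programs currently online for this user: group IP -> bandwidth in kbit/s.
    online: Dict[str, int] = field(default_factory=dict)


def effective_right(user, group, priority=DEFAULT_PRIORITY):
    """Right that prevails when several bound profiles cover the same program."""
    rights = [profile[group] for profile in user.profiles if group in profile]
    if not rights:
        return "idle"  # assumption: program not listed in any bound profile
    return min(rights, key=priority.index)


def request_join(user, group, program_bw, cac_enabled=True, priority=DEFAULT_PRIORITY):
    """Return (verdict, reason); verdict is 'join', 'preview' or 'deny'."""
    verdict, reason = "join", "no-auth, rights not checked"
    if user.auth:
        right = effective_right(user, group, priority)
        if right in ("forbidden", "idle"):
            return ("deny", "right=" + right)
        verdict = "preview" if right == "preview" else "join"
        reason = "right=" + right
    if user.max_programs is not None and len(user.online) >= user.max_programs:
        return ("deny", "max-program reached")
    if cac_enabled and user.max_bandwidth is not None:
        # Remaining bandwidth = configured bandwidth - bandwidth of online programs.
        remaining = user.max_bandwidth - sum(user.online.values())
        if program_bw > remaining:
            return ("deny", "CAC: need %d, remaining %d" % (program_bw, remaining))
    user.online[group] = program_bw
    return (verdict, reason)


def demo():
    """Constructed scenario: 10240 kbit/s user, 5000 kbit/s programs (the default)."""
    music = {g: "watch" for g in ("224.1.1.1", "224.1.1.2", "224.1.1.3", "224.1.1.4")}
    kids = {"224.1.1.1": "forbidden"}  # conflicts with 'music' for 224.1.1.1
    user = MulticastUser(auth=True, max_bandwidth=10240, profiles=[music, kids])
    groups = ("224.1.1.1", "224.1.1.2", "224.1.1.3", "224.1.1.4")
    return [request_join(user, g, 5000) for g in groups]


if __name__ == "__main__":
    for result in demo():
        print(result)
```
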

6.7 (Optional) Configuring Multicast Preview


Multicast preview is an advertising method provided by carriers for ISPs. The purpose is to
allow users to have an overview of a program in a controlled way. In other words, the duration,
interval, and count of the user previews are controlled.

Prerequisites
The program matching mode of the multicast VLAN must be the static configuration mode.

Context
The difference between program preview and normal program watching is that, after the user
goes online, the duration of the preview is restricted. When the duration expires, the user goes
offline. The user can request the program again only after the preview interval expires. The count
by which the user can request the program within a day (the start time can be configured) is
restricted by the preview count of the user.
Multicast preview parameters are managed through the preview profile. One program can be
bound to only one preview profile, but one preview profile can be referenced by multiple
programs.
Table 6-7 lists the default settings of the multicast preview parameters.
Table 6-7 Default settings of the multicast preview parameters

| Parameter | Default Value |
|---|---|
| Global multicast preview function | enable |
| Preview profile | Preview profile with index 0 |
| Preview profile parameters | Maximum preview duration: 120s; Maximum preview count: 8; Minimum interval between two previews: 120s |
| Time for resetting the preview record | 4:00:00 am |
| Valid duration of multicast preview | 30s |

Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
Step 2 Enable the global multicast preview function.
By default, the global multicast preview function is enabled. You can run the igmp preview
{ enable | disable } command to change the setting.
Step 3 Configure the preview profile.
Run the igmp preview-profile add command to configure the preview profile, and set the
parameters: maximum preview duration, maximum preview count, and minimum interval
between two previews. The system has a default preview profile with index 0.
Step 4 Bind the program to the preview profile.
In the multicast VLAN mode, run the igmp program add ip ip-addr preview-profile index
command to bind the program to be previewed to the preview profile so that the program has
the preview attributes as defined in the preview profile. By default, the program is bound to the
preview profile with index 0.
Step 5 Change the time for resetting the preview record.
Run the igmp preview auto-reset-time command to change the time for resetting the preview
record. The preview record of the user remains valid within one day. On the second day, the
preview record is reset. By default, the system resets the preview record at 4:00:00 a.m.
Step 6 Modify the valid duration of multicast preview.
Run the igmp proxy recognition-time command to modify the valid duration of multicast
preview. If the actual preview duration of the user is shorter than the valid duration, the preview
is not regarded as a valid one and is not added to the preview count. By default, the valid duration
of multicast preview is 30s.

Step 7 Run the display igmp config global command to check whether the values of the multicast
preview parameters are correct.
----End

Example
To enable preview of multicast programs by using the system default preview profile, do as
follows:
huawei(config)#btv
huawei(config-btv)#igmp preview enable

To enable preview of multicast programs, create preview profile 1, set the maximum preview
time to 150s, the maximum preview count to 10, and apply this preview profile when adding
program 224.1.1.1, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp preview enable
huawei(config-btv)#igmp preview-profile add index 1 duration 150 times 10
huawei(config-btv)#quit
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp program add ip 224.1.1.1 preview-profile 1

6.8 (Optional) Configuring Program Prejoin


In program prejoin, the MA5600T receives in advance the multicast stream of a program from
the upper-layer multicast router to the upstream port before a user sends a request to join a
program, thus shortening the waiting time of the user for requesting the program.

Prerequisites
The program matching mode of the multicast VLAN must be the static configuration mode.

Context
Multicast program prejoin works in the same way as a program request. The MA5600T plays the
role of a user and sends the report packet so that it receives in advance the multicast stream
from the upper-layer multicast router to the upstream port.
After the prejoin function is enabled, if the upper-layer multicast router does not support static
multicast entry forwarding, the unsolicited report function needs to be enabled so that the user
can request the program quickly. Generally, the upper-layer multicast router processes the user
request by responding to the group-specific query and the general query.
Table 6-8 lists the default settings of the prejoin parameters.
Table 6-8 Default settings of the prejoin parameters
Parameter                             Default Value
Prejoin function                      disable
Unsolicited report of IGMP packets    disable

Procedure
Step 1 Enable the prejoin function.
Run the igmp program add ip ip-addr prejoin enable command to enable the prejoin function
of a program. By default, the prejoin function is disabled.
Step 2 After the prejoin function is enabled, if the upper-layer multicast router does not support static
multicast entry forwarding, the unsolicited report function needs to be enabled for IGMP packets.
• Run the igmp program add ip ip-addr unsolicited enable command to enable the
unsolicited report function for IGMP packets. By default, the unsolicited report function is
disabled.
• Run the igmp unsolicited-report interval command to modify the interval at which
unsolicited IGMP reports are sent. By default, the interval is 10s.
Step 3 Check whether the prejoin function is configured correctly.
• Run the display igmp program command to query the status of the prejoin function and the
unsolicited report function.
• Run the display igmp config vlan command to query the interval at which unsolicited
IGMP reports are sent.
----End

Example
To enable the prejoin function when adding program 224.1.1.1, do as follows:
huawei(config-mvlan101)#igmp program add ip 224.1.1.1 prejoin enable

6.9 (Optional) Configuring the Multicast Logging Function


Multicast logs serve as a criterion for carriers to evaluate the viewership of multicast programs.

Prerequisites
If the syslog is used for reporting multicast logs, the syslog server must be properly configured.

Context
Multicast logs have three control levels: multicast VLAN level, multicast user level, and
multicast program level. The system generates logs only when the logging functions at the three
levels are enabled.
When the user stays online for longer than the valid time for generating logs, the system generates
logs in any of the following conditions:
• The user goes offline naturally, by force, or abnormally.
• The user is blocked or deleted.
• The program is deleted.
• The program priority is changed.
• The upstream port to which the program is bound changes.
• The VLAN of the upstream port to which the program is bound changes.
• The right mode is switched.
• The user preview times out.
• The IGMP mode is switched.
• The bandwidth CAC is not passed.

The system supports up to 10K logs. When the user goes online, the system records only the
online date and time. The system generates a complete log only when the user goes offline.
The MA5600T can report the multicast log to the log server in the syslog mode and the call
detailed record (CDR) mode. By default, the MA5600T reports the log in the syslog mode.
• Syslog mode: Logs are reported to the syslog server in the form of a single log.
• CDR mode: Logs are reported to the log server in the form of a log file (.cvs). One log file
contains multiple logs.

Table 6-9 lists the default settings of the multicast logging parameters.
Table 6-9 Default settings of the multicast logging parameters
Parameter                                             Default Value
Report mode of the multicast log                      Syslog mode
Logging function at the multicast VLAN level          enable
Logging function at the multicast user level          enable
Logging function at the multicast program level       enable
Interval for automatically logging                    2 hours
Minimum online duration for generating a valid log    30s
Parameters of the log report in the CDR mode          Report interval: 600s
                                                      Maximum number of logs that can be reported each time: 200

Procedure
• Configure the parameters of the logging function of the multicast host.
   1. Enable the multicast logging functions.
      Multicast logs have three control levels: multicast VLAN level, multicast user level,
      and multicast program level. The system generates logs only when the logging
      functions at the three levels are enabled. By default, the three functions are enabled.
      - In the BTV mode, run the igmp log { enable | disable } command to configure the
        logging function at the multicast VLAN level.
      - In the BTV mode, run the igmp user add service-port index log { enable |
        disable } command to configure the logging function at the multicast user level.
      - In the Multicast VLAN mode, run the igmp program add ip ip-addr log
        { enable | disable } command to configure the logging function at the multicast
        program level.
   2. Modify the interval for automatically logging.
      In the BTV mode, run the igmp proxy log-interval command to modify the interval
      for automatically logging. When the user stays online for a long time, the system
      generates logs at the preset interval. This is to prevent the problem that a log is not
      generated when the user leaves the multicast group without sending a leave packet,
      which can affect the accounting. By default, the interval is two hours.
   3. Modify the minimum online duration for generating a valid log.
      In the BTV mode, run the igmp proxy recognition-time command to modify the
      minimum online duration for generating a valid log. If the user is in a multicast group
      (such as to preview a program) for shorter than the preset duration, the user operation
      is not regarded as a valid one and a log is not generated. A log is generated only when
      a user stays online for longer than the specified duration. By default, the minimum
      online duration is 30s.
• Configure the function of CDR-mode log report.
   1. Configure the multicast log server and the data transmission mode for the CDR-mode
      log report.
      Run the file-server auto-backup cdr command to configure the active and standby
      multicast log servers.
   2. Enable the function of CDR-mode log report.
      In the BTV mode, run the igmp cdr { enable | disable } command to configure the
      function of CDR-mode log report. After the function is enabled, the MA5600T reports
      the local multicast logs to the multicast log server in the form of a file. After the
      function is disabled, the MA5600T reports each single log to the syslog server in the
      default syslog mode.
   3. Configure the parameters of the log report in the CDR mode.
      - In the BTV mode, run the igmp cdr-interval command to set the report interval.
        By default, the interval is 600s.
      - In the BTV mode, run the igmp cdr-number command to set the maximum number
        of logs that can be reported each time. When the number of the multicast logs in
        the CDR file reaches the preset value, the MA5600T reports the logs. By default,
        the maximum number is 200.
   4. Check whether the configuration is correct.
      - Run the display file-server command to query the configuration of the CDR
        multicast log server.
      - Run the display igmp config global command to query the status and other
        parameters of the function of CDR-mode log report.

----End

Example
To configure the multicast log to be reported to log server 10.10.10.1 in the CDR mode, and use
the TFTP transmission mode, do as follows:
huawei(config)#file-server auto-backup cdr primary 10.10.10.1 tftp


huawei(config)#btv
huawei(config-btv)#igmp cdr enable

7 Configuring MPLS and PWE3


About This Chapter


The Multi-protocol Label Switching (MPLS) network adopts the standard packet switching
mode to forward L3 packets and the label switching mode to exchange L2 packets. Pseudo Wire
Emulation Edge to Edge (PWE3) uses MPLS to carry L2 services so that packets can smoothly
traverse the MPLS area and users or services can be differentiated.

Context
MPLS resides between the data link layer and the network layer in the TCP/IP protocol stack.
The label in a short fixed length is used to encapsulate IP packets. On the data plane, fast label
forwarding is implemented. On the control plane, MPLS can meet the requirements on the
network from various new applications with the help of the powerful and flexible routing
functions of the IP network.
The MPLS feature includes the following sub-features:
• Basic MPLS functions.
• MPLS RSVP-TE.
• MPLS OAM.

PWE3 is a technology used to emulate ATM, frame relay, Ethernet and SONET/SDH services
in packet switched network (PSN). After processing various services from the access layer, the
provider edge (PE) creates the PWE3 service, which can be carried on the IP or MPLS network
in a unified manner.
According to the emulation service type, MA5600T supports the following types of PWE3:
• TDM PWE3
  TDM PWE3 is a mechanism that emulates the basic behaviors and characteristics of the
  TDM circuit service in the PSN to enable the PSN to carry the TDM service.
• ETH PWE3
  ETH PWE3 uses user Ethernet frames as payload, encapsulates the frames through PWE3,
  and sends them to the PSN. In the downstream direction, ETH PWE3 terminates the PW
  encapsulation of Ethernet frames and forwards them to the user device.
• ATM PWE3
  ATM PWE3 uses user ATM cells as payload, encapsulates the frames through PWE3, and
  sends them to the PSN. In the downstream direction, ETH PWE3 terminates the PW
  encapsulation of ATM cells and forwards them to the user device.

7.1 Configuring the MPLS Service


This topic describes the MPLS technology and how to configure the MPLS service on the
MA5600T.
7.2 Configuring the PWE3 Private Line Service
Pseudo wire emulation edge-to-edge (PWE3) uses LDP or RSVP-TE as the signaling protocol
and carries various L2 services of the customer edge (CE) over the MPLS LSP or TE tunnel,
transparently transmitting the L2 data of the CE.
7.3 Configuring TDM PWE3 Private Line Service (T1 Upstream Transmission)
The MA5612 receives the time division multiplexing (TDM) service through T1 ports, performs
circuit emulation service over packet (CESoP) emulation on the TDM service and transmits the
service to the MA5600T. The MA5600T terminates the emulation data, restores TDM signals,
and transmits the signals to the synchronous digital hierarchy (SDH) network through T1 ports.
Such a mechanism allows the traditional circuit-switched service to be carried over the Ethernet
passive optical network (EPON).

7.1 Configuring the MPLS Service


This topic describes the MPLS technology and how to configure the MPLS service on the
MA5600T.

Basic concept
• The path that an FEC traverses in an MPLS network is called an LSP. The LSP, whose
function is the same as the virtual circuit in ATM and frame relay, is a unidirectional path
from the ingress to the egress. Each node on the LSP is an LSR.
• The static LSP is the label forwarding path manually set up for label distribution to each
FEC.
• The dynamic LSP is the label forwarding path dynamically established through the label
distribution protocol (LDP or RSVP-TE).

Configuration logic
In the MPLS configuration, the core task is to configure the LSP and the second is to configure
fault detection and protection for the LSP. According to the protocol for creating LSPs, LSPs
are categorized as static LSP, LDP LSP, and RSVP-TE LSP.
Therefore, configure MPLS as follows:
1. Configure LSPs.
   • Configure a static LSP.
   • Configure an LDP LSP.
   • Configure an RSVP-TE LSP.
2. Configure LSP protection. Configure the MPLS OAM.

7.1.1 Configuring the Static LSP


Static LSP is configured manually. A static LSP can work in the normal state only when all the
LSRs along the static LSP are configured.

Prerequisites
1. The IP address of the loopback interface must be configured.
2. The LSR ID must be configured.
3. The global MPLS, VLAN MPLS, and VLAN interface MPLS must be enabled.
4. A static or dynamic route must be successfully configured on each device in the network
   (so that LSRs can reach each other through the IP route).

Context
The administrator needs to manually distribute labels to each LSR when configuring the static
LSP. Principle: The out label value of a node must be equal to the in label value of its next node.
LSRs on a static LSP cannot perceive the entire LSP. Therefore, static LSP is a local concept.
The MA5600T can function as a label switching edge router (LER) or a label switching router
(LSR). According to the position of the LER or LSR in a network, the configuration of the static
LSP involves the ingress configuration, transit node configuration, and egress configuration.
An LSP corresponds to a unidirectional forwarding path. To ensure bidirectional communication
of the MPLS service, two static LSPs are required. The two LSPs have opposite directions, and
their ingress and egress are reversed. Their transit nodes can be the same or different according
to the networking requirements, or there may be no transit nodes to configure at all.

Procedure
• When the MA5600T functions as an LER, configure the static LSP as follows:
   1. Run the static-lsp ingress command to configure the ingress parameters of a static
      LSP.
      An LER is generally located at the edge of an MPLS network. The PE or PTN device
      can be considered an LER.
      Format:
      static-lsp ingress { lsp-name | tunnel-interface tunnel tunnel-id } destination
      ip-addr nexthop ip-addr out-label out-label
      - You can create a static LSP by using the LSP name or the tunnel. To create a static
        LSP by using the tunnel, you must run the interface tunnel command to create a
        tunnel interface and then configure its attributes.
      - destination ip-addr: Indicates the destination IP address of the LSP, that is, the
        loopback interface IP address of the PE or PTN device.
      - nexthop ip-addr: Indicates the next hop IP address, that is, the VLAN interface
        IP address of the adjacent LSR.
      - out-label out-label: Indicates the out label value, which must be the same as the
        in label value of the downstream LSR.
   2. Run the static-lsp egress command to configure the egress parameters of a static LSP.
      Format:
      static-lsp egress lsp-name incoming-interface vlanif vlanid in-label in-label
      [ lsrid ingress-lsr-id tunnel-id tunnel-id ]
      - In the egress configuration of a static LSP, only a VLAN interface can be used as
        the ingress interface.
      - in-label in-label: Indicates the in label value of the egress, which must be the same
        as the out label value of the upstream LSR.
   3. Run the display mpls static-lsp command to query the configuration of a static LSP.
• When the MA5600T functions as an LSR, configure the static LSP as follows:
   1. Run the static-lsp transit command to configure the transit node parameters of a static
      LSP.
      An LSR is generally located in the middle of an MPLS network. The P device can be
      considered an LSR that forwards MPLS labels.
      Format:
      static-lsp transit lsp-name incoming-interface interface-type interface-number
      in-label in-label nexthop next-hop-address out-label out-label
      - The ingress interface of the transit node on a static LSP can only be the VLAN
        interface, that is, the VLAN interface of the upstream egress.
      - in-label in-label: Indicates the in label value of the transit node, which must be
        the same as the out label value of the upstream ingress.
      - nexthop next-hop-address: Indicates the next hop IP address, that is, the VLAN
        interface IP address of the adjacent LSR.
      - out-label out-label: Indicates the out label value of the transit node, which must
        be the same as the in label value of the downstream LSR.
      CAUTION
      Because the LSP is unidirectional, you must configure the transit node parameters
      twice with opposite directions to ensure bidirectional communication of the MPLS
      service.
   2. Run the display mpls static-lsp command to query the configuration of a static LSP.

----End

Example
When the MA5600T functions as an LER, to configure the ingress and egress of a static LSP,
set the parameters as follows:
• Ingress node name of the static LSP: lsp1; egress name of the static LSP: lsp2
• IP address of local VLAN interface 100: 100.1.1.2/24
• Destination IP address of the LSP: 3.3.3.3/32
• Out label: 8200; in label: 8300
• Next hop IP address: 100.1.1.3

huawei(config)#static-lsp ingress lsp1 destination 3.3.3.3 32 nexthop 100.1.1.3 out-label 8200
huawei(config)#static-lsp egress lsp2 incoming-interface vlanif 100 in-label 8300
huawei(config)#display mpls static-lsp
{ <cr>|exclude<K>|include<K>|string<S><Length 1-19>|verbose<K> }:
  Command:
          display mpls static-lsp
TOTAL          :       2       STATIC LSP(S)
UP             :       0       STATIC LSP(S)
DOWN           :       2       STATIC LSP(S)
Name                FEC                I/O Label    I/O If                   Stat
lsp1                3.3.3.3/32         NULL/8200    -/vlanif100              Down
lsp2                -/-                8300/NULL    vlanif100/-              Down

When the MA5600T functions as an LSR, to configure the transit node parameters of a static
LSP, set the parameters as follows:
• LSP name of the transit node in the positive direction: lsp1; LSP name of the transit node
in the negative direction: lsp2
• IP address of local VLAN interface 100: 100.1.1.2/24
• IP address of local VLAN interface 200: 200.1.1.2/24
• Out label in the positive direction: 8200; in label in the positive direction: 8300
• Out label in the negative direction: 8200; in label in the negative direction: 8300
• Next hop IP address in the positive direction: 200.1.1.3
• Next hop IP address in the negative direction: 100.1.1.3

huawei(config)#static-lsp transit lsp1 incoming-interface vlanif 100 in-label 8200 nexthop 200.1.1.3 out-label 8300
huawei(config)#static-lsp transit lsp2 incoming-interface vlanif 200 in-label 8300 nexthop 100.1.1.3 out-label 8200
huawei(config)#display mpls static-lsp
{ <cr>|exclude<K>|include<K>|string<S><Length 1-19>|verbose<K> }:
  Command:
          display mpls static-lsp
TOTAL          :       2       STATIC LSP(S)
UP             :       0       STATIC LSP(S)
DOWN           :       2       STATIC LSP(S)
Name                FEC                I/O Label    I/O If                   Stat
lsp1                -/-                8200/8300    vlanif100/vlanif200      Down
lsp2                -/-                8300/8200    vlanif200/vlanif100      Down
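
The label rule in this section (the out label of a node must equal the in label of its next node, on the VLAN interface that the next hop address belongs to) can be checked offline before commissioning. The following Python script is an added example, not Huawei code: it parses static-lsp commands in the forms shown above from a constructed three-node topology and walks one unidirectional LSP hop by hop. The node names, LSP names, addresses, and labels in it are assumptions made for the example.

```python
import re

# Name-based command forms as shown in this section; "destination ip mask-length" follows the example.
INGRESS = re.compile(r"static-lsp ingress (?P<name>\S+) destination \S+ \d+ "
                     r"nexthop (?P<nh>\S+) out-label (?P<out>\d+)")
TRANSIT = re.compile(r"static-lsp transit \S+ incoming-interface vlanif (?P<vif>\d+) "
                     r"in-label (?P<in_>\d+) nexthop (?P<nh>\S+) out-label (?P<out>\d+)")
EGRESS = re.compile(r"static-lsp egress \S+ incoming-interface vlanif (?P<vif>\d+) "
                    r"in-label (?P<in_>\d+)")

# Constructed topology PE1 - P - PE2; the reverse LSP has a wrong in label on PE1 (8501, not 8500).
TOPOLOGY = {
    "PE1": {"vlanif": {100: "100.1.1.2"}, "config": [
        "huawei(config)#static-lsp ingress to_pe2 destination 3.3.3.3 32 nexthop 100.1.1.3 out-label 8200",
        "huawei(config)#static-lsp egress from_pe2 incoming-interface vlanif 100 in-label 8501",
    ]},
    "P": {"vlanif": {100: "100.1.1.3", 200: "200.1.1.2"}, "config": [
        "huawei(config)#static-lsp transit fwd incoming-interface vlanif 100 in-label 8200 nexthop 200.1.1.3 out-label 8300",
        "huawei(config)#static-lsp transit rev incoming-interface vlanif 200 in-label 8400 nexthop 100.1.1.2 out-label 8500",
    ]},
    "PE2": {"vlanif": {200: "200.1.1.3"}, "config": [
        "huawei(config)#static-lsp egress from_pe1 incoming-interface vlanif 200 in-label 8300",
        "huawei(config)#static-lsp ingress to_pe1 destination 1.1.1.1 32 nexthop 200.1.1.2 out-label 8400",
    ]},
}


def parse_node(lines):
    """Return (ingress entries keyed by LSP name, list of transit/egress entries)."""
    ingress, incoming = {}, []
    for line in lines:
        cmd = line.split("#", 1)[-1].strip()  # drop the CLI prompt if present
        if m := INGRESS.fullmatch(cmd):
            ingress[m["name"]] = {"nh": m["nh"], "out": int(m["out"])}
        elif m := TRANSIT.fullmatch(cmd):
            incoming.append({"role": "transit", "vif": int(m["vif"]), "in": int(m["in_"]),
                             "nh": m["nh"], "out": int(m["out"])})
        elif m := EGRESS.fullmatch(cmd):
            incoming.append({"role": "egress", "vif": int(m["vif"]), "in": int(m["in_"])})
    return ingress, incoming


def owner_of(nodes, ip):
    """Find (node name, vlanif id) of the VLAN interface that carries this IP address."""
    for name, node in nodes.items():
        for vif, addr in node["vlanif"].items():
            if addr == ip:
                return name, vif
    return None, None


def trace_lsp(nodes, start, lsp_name):
    """Walk one unidirectional static LSP from its ingress; return (path, problems)."""
    parsed = {n: parse_node(node["config"]) for n, node in nodes.items()}
    entry = parsed[start][0].get(lsp_name)
    if entry is None:
        return [start], [f"{start}: no ingress entry named {lsp_name}"]
    path, problems, here = [start], [], start
    label, nexthop = entry["out"], entry["nh"]
    while True:
        nxt, vif = owner_of(nodes, nexthop)
        if nxt is None:
            problems.append(f"{here}: nexthop {nexthop} is not a known VLAN interface address")
            break
        if nxt == here:
            problems.append(f"{here}: nexthop {nexthop} is the node's own vlanif{vif}")
            break
        if nxt in path:
            problems.append(f"{here}: nexthop {nexthop} loops back to {nxt}")
            break
        path.append(nxt)
        # LSP names are local to each node, so match on incoming interface and label only.
        on_if = [e for e in parsed[nxt][1] if e["vif"] == vif]
        match = next((e for e in on_if if e["in"] == label), None)
        if match is None:
            seen = sorted(e["in"] for e in on_if) or "none"
            problems.append(f"{here} -> {nxt}: out-label {label} has no matching in-label "
                            f"on vlanif{vif} (configured in-labels: {seen})")
            break
        if match["role"] == "egress":
            break
        here, label, nexthop = nxt, match["out"], match["nh"]
    return path, problems


if __name__ == "__main__":
    for start, name in (("PE1", "to_pe2"), ("PE2", "to_pe1")):
        path, problems = trace_lsp(TOPOLOGY, start, name)
        print(name, " -> ".join(path), "OK" if not problems else problems)
```

Because a static LSP stays configurable even when the labels do not line up end to end, running such a check on both directions catches a one-way service before traffic is switched onto it.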

7.1.2 Configuring the LDP LSP


Set up an MPLS LDP session between LSRs along the LSP. After the MPLS LDP session is set
up, the LDP LSP is automatically created.

Prerequisites
1. The IP address of the loopback interface must be configured.
2. The LSR ID must be configured.
3. The VLAN for MPLS label forwarding must be created.
4. Global MPLS must be enabled.
5. A static or dynamic route must be successfully configured on each device in the network
   (so that LSRs can reach each other through the IP route).

Context
The MA5600T supports LDP and RSVP-TE, both of which generate dynamic LSPs.
LDP is a standard MPLS label distribution protocol defined by IETF. LDP, which is mainly
used to distribute labels for the negotiation between LSRs to set up label switching paths
(LSPs), regulates various types of information for the label distribution process, and the
related processing. The LSRs form an LSP that crosses the entire MPLS domain according
to the local forwarding table, which correlates the in label, network hop node, and out label
of each specific FEC.

Procedure
Step 1 Configure the MPLS LDP session.
The MPLS-LDP session is used for information exchange such as label mapping and release
between LSRs. The MPLS-LDP session is classified into two types:
• Local LDP session: Two LSRs between which a session is set up are connected directly.
• Remote LDP session: Two LSRs between which a session is set up are not connected directly.
Remote LDP sessions are mainly set up between nonadjacent LSRs. They can also be set up
between adjacent LSRs.
NOTE
If local adjacency with the specified remote peer exists, remote adjacency cannot be set up; if remote adjacency
exists and local adjacency is set up for the remote peer, the remote peer will be deleted. In other words, only
one session can exist between two LSRs and a local LDP session takes priority over a remote LDP session.
• Configure the local LDP session.
   1. In the global config mode, run the mpls ldp command to enable global MPLS LDP.
   2. In the global config mode, run the mpls vlan command to enable the MPLS function
      of the VLAN.
   3. Run the interface vlanif command to enter the VLAN interface mode.
   4. In the VLAN interface mode, run the mpls command to enable the MPLS function of
      the VLAN interface and run the mpls ldp command to enable the MPLS LDP function
      of the VLAN interface.
   5. Run the quit command to quit the VLAN interface mode.
• Configure the remote LDP session.
   1. In the global config mode, run the mpls ldp command to enable global MPLS LDP.
   2. Run the mpls ldp remote-peer command to create an LDP remote peer and then enter
      the remote peer mode.
   3. Run the remote-ip command to configure the IP address of the LDP remote peer.
      NOTE
      The IP address of the remote LDP peer should be the LSR ID of the remote LSR. When the LSR ID
      is used as the transmission address of a remote peer, two remote peers set up a TCP connection between
      them using the LSR ID as the transmission address.

Step 2 (Optional) Configure the LDP MTU signaling function.


Run the mtu-signalling command to enable the sending of the MTU type, length, and value
(TLV). This enables the LDP to automatically calculate and negotiate the minimum MTU value
for all ports on each LSP. In this way, the MPLS determines the size of the MPLS forwarding
packet at the ingress according to the minimum MTU, thereby avoiding the forwarding failure
on transit nodes caused by oversize packets at the ingress.
By default, the LDP MTU signaling is enabled.
Step 3 (Optional) Configure the route trigger policy for setting up an LSP.
Run the lsp-trigger host command to configure the route trigger policy for setting up an LSP.
The default route trigger policy is used to set up an LSP by triggering the LDP through the host
address. To modify the default route trigger policy, run this command.
NOTE

It is recommended that you configure the route trigger policy for setting up an LSP to host (default), that
is, the host route triggers the LDP to set up an LSP. In this way, the setup of useless LSPs can be prevented.

Step 4 (Optional) Configure the trigger policy for setting up the transit LSP.
Run the propagate mapping command to filter certain routes received by the LDP by using the
IP prefix table. Only the route that matches the specified IP prefix table is used by the local LDP
for creating the transit LSP. By default, the LDP does not filter the received routes when creating
the transit LSP.
Step 5 Query the relevant information about the LDP LSP configuration.
• Run the display mpls ldp lsp command to query the relevant information about the created
LDP LSP.
• Run the display mpls ldp session command to check whether the created remote MPLS LDP
session is in the normal (operational) state.
• Run the display mpls interface command to check whether the MPLS interface is in the
normal (up) state.
----End

Example
To configure an LDP LSP between two adjacent LSRs by using VLAN interface 200 as the
MPLS forwarding interface and using default values for other parameters, do as follows:
huawei(config)#mpls ldp
huawei(config-mpls-ldp)#quit
huawei(config)#mpls vlan 200
huawei(config)#interface vlanif 200
huawei(config-if-vlanif200)#mpls ldp
huawei(config-if-vlanif200)#quit
huawei(config)#display mpls interface vlanif 200
{ <cr>|verbose<K> }:
  Command:
          display mpls interface vlanif 200
Interface    Status  TE Attr  LSP Count  CRLSP Count  Effective MTU
vlanif200    Down    Dis      0          0            1500

To configure an LDP LSP between two nonadjacent LSRs by configuring the local lsr-id to
3.3.3.3, configuring the remote lsr-id to 5.5.5.5, and using default values for other parameters,
do as follows:
huawei(config)#mpls ldp
huawei(config-mpls-ldp)#quit
huawei(config)#mpls ldp remote-peer session1
huawei(config-mpls-ldp-remote-session1)#remote-ip 5.5.5.5
huawei(config-mpls-ldp-remote-session1)#quit
huawei(config)#display mpls ldp remote-peer
{ <cr>|string<S><Length 1-32>||<K> }:
  Command:
          display mpls ldp remote-peer
 LDP Remote Entity Information
 ------------------------------------------------------------------------------
 Remote Peer Name: session1
 Remote Peer IP: 5.5.5.5
 LDP ID: 3.3.3.3:0
 Transport Address: 3.3.3.3
 Entity Status: Active
 Configured Keepalive Timer: 45 Sec
 Configured Hello Timer: 45 Sec
 Negotiated Hello Timer: 45 Sec
 Hello Packet sent/received: 0/0
 ------------------------------------------------------------------------------
 TOTAL: 1 Peer(s) Found.

7.1.3 Configure an RSVP-TE LSP


MPLS TE is a technology that integrates TE with MPLS. Through the MPLS TE technology,
you can create an LSP tunnel to a specified path, to reserve resources and implement reoptimization.

Prerequisites
1. The IP address of the loopback interface must be configured.
2. The LSR ID must be configured.
3. The VLAN for MPLS label forwarding must be created.
4. Global MPLS and VLAN MPLS must be enabled.
5. The OSPF protocol must be successfully configured on each device in the network (the
   host route of each port must be successfully advertised).

Context
• To create constraint-based LSPs in MPLS TE, RSVP is extended. The extended RSVP
signaling protocol is called the RSVP-TE signaling protocol.
• MPLS TE creates the LSP tunnel along a specified path through RSVP-TE and reserves
resources. Thus, carriers can accurately control the path that traffic traverses to avoid the
node where congestion occurs. This solves the problem that certain paths are overloaded
and other paths are idle, utilizing the current bandwidth resources sufficiently. In addition,
MPLS TE can reserve resources during the creation of LSP tunnels to ensure the QoS.

Procedure
Step 1 Enable MPLS TE and RSVP-TE.
1. In the global config mode, run the mpls command to enter the MPLS mode.
2. In the MPLS mode, run the mpls te command to enable global MPLS TE, run the mpls
   rsvp-te command to enable global RSVP-TE, and run the mpls te cspf command to enable
   Constraint Shortest Path First (CSPF).
3. Run the quit command to quit the MPLS mode and run the interface vlanif command to
   enter the VLAN interface mode.
4. In the VLAN interface mode, run the mpls command to enable the VLAN interface MPLS,
   run the mpls te command to enable the VLAN interface MPLS TE, and run the mpls
   rsvp-te command to enable the VLAN interface RSVP-TE.
NOTE
• CSPF provides a way to select the path in an MPLS area. Enable CSPF before configuring other CSPF
functions.
• It is recommended that you configure CSPF on all transit nodes; otherwise, the ingress may be unable to
calculate the entire path.

Step 2 (Optional) Configure the line bandwidth.
To guarantee the bandwidth of the service transmitted on the MPLS TE tunnel, perform this
operation.
1. In the VLAN interface mode, run the mpls te bandwidth max-reservable-bandwidth
   command to configure the maximum reservable bandwidth for the MPLS TE tunnel on the
   VLAN interface.
2. In the VLAN interface mode, run the mpls te bandwidth { bc0 bandwidth | bc1
   bandwidth } command to configure the bandwidth that can be obtained from BC0 and BC1
   of the VLAN interface when an MPLS TE tunnel is created.
NOTE
• BC0: Indicates the global pool bandwidth of an MPLS TE tunnel.
• BC1: Indicates the sub-pool bandwidth type of an MPLS TE tunnel. It is used to transmit services with
higher priority and higher performance requirements.
• The bandwidth values must meet the following requirement: maximum reservable bandwidth ≥ BC0
bandwidth ≥ BC1 bandwidth.

Step 3 Enable MPLS TE for the OSPF area.


The MA5600T extends the OSPF protocol so that MPLS TE can learn the dynamic TE attributes
of each link. The extended OSPF adds TE attributes, such as link bandwidth and the affinity
attribute, to the link state entries. Each router in the network collects all the TE information
in the OSPF area and generates a traffic engineering database (TEDB).

1. In the global config mode, run the ospf command to start the OSPF process and enter the
OSPF mode.

2. Run the opaque-capability enable command to enable the OSPF opaque capability.
After the opaque capability of the MA5600T is enabled, it can export TEDB information
to neighbor devices.

3. Run the area ospf command to enter the OSPF area mode and run the mpls-te enable
command to enable the OSPF area TE.

Step 4 (Optional) Configure an MPLS TE explicit path.


An explicit path consists of a series of nodes, which constitute a vector path according to the
configured sequence. The IP address in an explicit path is the IP address of the interface on the
node. Generally, the loopback interface IP address on the egress is used as the destination IP
address of the explicit path.
To specify a known path for a special traffic stream in the MPLS network, you can run the
explicit-path command in the global config mode to configure an explicit path, and then run
the mpls te path explicit-path command in the tunnel mode to specify the explicit path for the
tunnel.
After an explicit path is created, you can run the next hop, modify hop, and delete hop commands
to add a next hop node, modify a node, and delete a node respectively for the explicit path.
Step 5 Configure an MPLS TE tunnel interface.
1. In global config mode, run the interface tunnel command to create a tunnel interface and
enter the tunnel interface mode.

2. Run the tunnel-protocol mpls te command to configure the tunnel protocol to MPLS TE.

3. Run the destination ip-address command to configure the destination IP address of the
tunnel. Generally, the egress LSR ID is used.

4. Run the mpls te tunnel-id command to configure the tunnel ID.

5. Run the mpls te signal-protocol rsvp-te command to configure the signaling protocol of
the tunnel to RSVP-TE.

6. (Optional) Run the mpls te bandwidth command to configure the bandwidth for the tunnel.
After the configuration is completed, only the VLAN interface that meets this bandwidth
value can be selected as the node traversed by the MPLS TE tunnel path when the MPLS
TE tunnel is created.
If the MPLS TE tunnel is only used to change the data transmission path, you need not
configure the tunnel bandwidth.

7. (Optional) Run the mpls te path explicit-path command to configure the explicit path used
by the MPLS TE tunnel.
If only the bandwidth used by the MPLS TE tunnel is limited but the transmission path is
not limited, you need not configure the explicit path used by the MPLS TE tunnel.

8. Run the mpls te commit command to commit the current configuration of the tunnel.

Step 6 Check the configuration.


1. Run the display mpls te cspf tedb command to query the CSPF TEDB information.

2. Run the display mpls te link-administration admission-control command to check the
CR LSP information allowed on the link, including the bandwidth and priority.

3. Run the display mpls te tunnel command to query details about a specified tunnel.

4. Run the display mpls te tunnel path command to query the path information about a tunnel
on a local node.

5. Run the display mpls te tunnel-interface command to query the tunnel interface
information about a local node.

----End

Example
To configure the RSVP-TE LSP from the MA5600T to the PTN, set the parameters as follows.
- Set the parameters on the MA5600T.
  - LSR-ID: 3.3.3.3
  - L3 interface IP address of VLAN 20 for MPLS forwarding: 10.1.1.3/24
  - Maximum reservable bandwidth of the VLAN interface: 20480 kbit/s; BC0 bandwidth: 10240 kbit/s
  - OSPF process ID: 100; OSPF area ID: 1
  - MPLS TE tunnel ID: 10; tunnel interface ID: 10
  - Required BC0 bandwidth when an MPLS TE tunnel is created: 5120 kbit/s
  - Other parameters: default settings
- Set the LSR ID of the PTN to 5.5.5.5.

huawei(config)#interface loopback 0
huawei(config-if-loopback0)#ip address 3.3.3.3 32
huawei(config-if-loopback0)#quit
huawei(config)#mpls lsr-id 3.3.3.3
huawei(config)#mpls
huawei(config-mpls)#mpls te
huawei(config-mpls)#mpls rsvp-te
//Configure the MPLS TE to use CSPF to calculate the shortest path to a node.
huawei(config-mpls)#mpls te cspf
huawei(config-mpls)#quit
huawei(config)#mpls vlan 20
huawei(config)#interface vlanif 20
//Configure the IP address of the VLAN L3 interface.
huawei(config-if-vlanif20)#ip address 10.1.1.3 24
//Enable MPLS for the VLAN interface.
huawei(config-if-vlanif20)#mpls
//Enable MPLS TE for the VLAN interface.
huawei(config-if-vlanif20)#mpls te
//Enable MPLS RSVP-TE for the VLAN interface.
huawei(config-if-vlanif20)#mpls rsvp-te
huawei(config-if-vlanif20)#quit
huawei(config)#ospf 100
//Enable the opaque capability to send the engineering data base information to peripheral devices.
huawei(config-ospf-100)#opaque-capability enable
huawei(config-ospf-100)#area 1
//Enable MPLS TE for the OSPF area.
huawei(config-ospf-100-area-0.0.0.1)#mpls-te enable standard-complying
huawei(config-ospf-100-area-0.0.0.1)#quit
huawei(config-ospf-100)#quit
huawei(config)#interface vlanif 20
//Configure the maximum reservable bandwidth of the L3 interface.
huawei(config-if-vlanif20)#mpls te bandwidth max-reservable-bandwidth 20480
//Configure the obtainable maximum bandwidth of the L3 interface from BC0 when the MPLS TE tunnel is created.
huawei(config-if-vlanif20)#mpls te bandwidth bc0 10240
huawei(config-if-vlanif20)#quit
huawei(config)#interface tunnel 10
//Configure the link layer encapsulation protocol to MPLS TE for the tunnel interface, that is, configure the tunnel interface to work in the CR-LSP tunnel mode.
huawei(config-if-tunnel10)#tunnel-protocol mpls te
//Configure the destination IP address of the MPLS TE tunnel (the LSR ID of the PTN, which is the egress).
huawei(config-if-tunnel10)#destination 5.5.5.5
//Configure the MPLS TE tunnel ID, which, along with the LSR-ID, uniquely indicates an MPLS TE tunnel.
huawei(config-if-tunnel10)#mpls te tunnel-id 10
//Configure the protocol of the MPLS TE tunnel to RSVP-TE.
huawei(config-if-tunnel10)#mpls te signal-protocol rsvp-te
//Configure the global pool bandwidth required by the MPLS TE tunnel.
huawei(config-if-tunnel10)#mpls te bandwidth bc0 5120
//Allow the MPLS TE tunnel to be bound to a VPN instance, that is, the MPLS TE tunnel can function as the outer tunnel of the PWE3 service.
huawei(config-if-tunnel10)#mpls te reserved-for-binding
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit
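
A saved command list for this procedure can be checked before it is applied. The following Python code is an added example, not part of the Huawei guide: it groups the commands by CLI view and flags a tunnel whose destination is the device's own LSR ID, a tunnel that requests more BC0 bandwidth than any local TE interface offers, tunnel changes not followed by mpls te commit, RSVP-TE used without the global mpls rsvp-te, and interface values that break maximum reservable bandwidth ≥ BC0 ≥ BC1. The function names, finding names and sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of this guide's example, with two deliberate
# mistakes: the tunnel points at the local LSR ID and requests 15360 kbit/s
# although the only TE interface offers 10240 kbit/s from BC0.
SAMPLE_CONFIG = """\
huawei(config)#mpls lsr-id 3.3.3.3
huawei(config)#mpls
huawei(config-mpls)#mpls te
huawei(config-mpls)#mpls rsvp-te
huawei(config-mpls)#mpls te cspf
huawei(config-mpls)#quit
huawei(config)#interface vlanif 20
huawei(config-if-vlanif20)#mpls
huawei(config-if-vlanif20)#mpls te
huawei(config-if-vlanif20)#mpls rsvp-te
huawei(config-if-vlanif20)#mpls te bandwidth max-reservable-bandwidth 20480
huawei(config-if-vlanif20)#mpls te bandwidth bc0 10240
huawei(config-if-vlanif20)#quit
huawei(config)#interface tunnel 10
huawei(config-if-tunnel10)#tunnel-protocol mpls te
huawei(config-if-tunnel10)#destination 3.3.3.3
huawei(config-if-tunnel10)#mpls te tunnel-id 10
huawei(config-if-tunnel10)#mpls te signal-protocol rsvp-te
huawei(config-if-tunnel10)#mpls te bandwidth bc0 15360
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit
"""

PROMPT = re.compile(r"^[\w.-]+\([^)]*\)#\s*")  # e.g. "huawei(config-if-vlanif20)#"


def parse(text):
    """Group command lines by the CLI view they were typed in."""
    views = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("//"):
            continue                      # skip blanks and // comments
        if line == "quit":
            current = "global"            # nested views are flattened on purpose
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]   # "vlanif 20", "tunnel 10", ...
            views.setdefault(current, [])
        elif current == "global" and line == "mpls":
            current = "mpls"              # bare "mpls" at global level enters the MPLS mode
            views.setdefault(current, [])
        else:
            views[current].append(line)
    return views


def bandwidth(lines, key):
    """Last value configured for key (bc0, bc1, max-reservable-bandwidth), or None."""
    for line in reversed(lines):
        m = re.match(r"mpls te bandwidth\b.*?\b%s (\d+)" % re.escape(key), line)
        if m:
            return int(m.group(1))
    return None


def audit(text):
    """Return a list of (view, finding) tuples for the checks described above."""
    views = parse(text)
    findings = []
    lsr_id = next((l.split()[-1] for l in views["global"]
                   if l.startswith("mpls lsr-id ")), None)
    mpls_view = views.get("mpls", [])
    te_ifs = {}
    for name, lines in views.items():
        if not name.startswith("vlanif"):
            continue
        chain = [v for v in (bandwidth(lines, "max-reservable-bandwidth"),
                             bandwidth(lines, "bc0"),
                             bandwidth(lines, "bc1")) if v is not None]
        if any(a < b for a, b in zip(chain, chain[1:])):
            findings.append((name, "bandwidth-order"))
        if "mpls rsvp-te" in lines and "mpls rsvp-te" not in mpls_view:
            findings.append((name, "rsvp-te-not-global"))
        if "mpls te" in lines:
            te_ifs[name] = lines
    for name, lines in views.items():
        if not name.startswith("tunnel"):
            continue
        if lsr_id and "destination " + lsr_id in lines:
            findings.append((name, "destination-is-local-lsr-id"))
        if lines and lines[-1] != "mpls te commit":
            findings.append((name, "uncommitted"))
        need = bandwidth(lines, "bc0")
        offers = [bandwidth(l, "bc0") for l in te_ifs.values()]
        # Only judged when every local TE interface states its BC0 explicitly.
        if need and offers and None not in offers and need > max(offers):
            findings.append((name, "bandwidth-unavailable"))
        if "mpls te signal-protocol rsvp-te" in lines and "mpls rsvp-te" not in mpls_view:
            findings.append((name, "rsvp-te-not-global"))
    return findings


if __name__ == "__main__":
    for view, finding in audit(SAMPLE_CONFIG):
        print(view, finding)
```

The bandwidth-unavailable check only sees the local interfaces; CSPF still has to find enough bandwidth on every transit link.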

7.1.4 Configuring the MPLS OAM


The MPLS OAM function uses an effective OAM mechanism to detect whether an LSP is normal
and report an alarm in time when an LSP fault occurs. In addition, the MPLS OAM function
features a complete protection switching mechanism, which triggers a switchover when a defect
at the MPLS layer is detected to minimize the user data loss.

Context
Through the MPLS OAM mechanism, the MA5600T can effectively detect, confirm, and locate
internal defects at the MPLS layer of a network. Then, the system reports and handles the defects.
In addition, the system provides a mechanism for triggering 1:1 protection switching when a
fault occurs.
The basic process of the MPLS OAM connectivity check and protection switching is as follows:
1. The source transmits the CV/FFD packets to the destination through the detected LSP.

2. The destination checks the correctness of the type and frequency carried in the received
detection packets and measures the number of correct and errored packets that are received
within the detection period to monitor the connectivity of the LSP in real time.

3. After detecting a defect, the destination transmits the BDI packets that carry the defect
information to the source through the backward path.

4. The source learns about the status of the defect, and triggers the corresponding protection
switching when the protect group is correctly configured.

Configure the MPLS OAM as follows:

1. Configure the active LSP at the source end (ingress).

2. Configure the standby LSP at the source end.

3. Create a tunnel protect group.

4. Enable the MPLS OAM function at the source end.

5. Configure the backward LSP at the destination end (egress).

6. Enable the MPLS OAM function at the destination end.

NOTE

If only the MPLS OAM connectivity check needs to be enabled and 1:1 protection is not required for the LSP,
you need not configure the standby LSP or the tunnel protect group at the source end.


Configuration Example for Detection of MPLS OAM for Static LSP Connectivity
This topic describes how to configure the function of MPLS OAM to detect the static LSP
connectivity.

Prerequisites
Before the configuration, make sure that:
- The IP addresses and the masks of the ports are set based on the example network, so that
LSRs can ping the peer LSRs.
- A static or dynamic route is successfully configured on each device in the network
(so that LSRs can reach each other through the IP route).

Networking
Figure 7-1 shows an example network of configuring MPLS OAM to detect the static LSP
connectivity.
1. Source end MA5600T_A sends CV/FFD detection packets to the destination end through
the detected LSP (MA5600T_A->Router A->MA5600T_B).

2. After detecting a defect, the destination transmits the BDI packets that carry the defect
information to the source through the backward LSP (MA5600T_B->Router B->MA5600T_A).
This enables the source end to obtain the defect status in time.

NOTE

To facilitate description of the MPLS OAM application, the MA5600T is used at both the source end and
destination end as an example. In the actual application, the MA5600T at one end may be replaced by a device
that supports MPLS OAM such as a PTN device, but their implementation principles are the same.

Figure 7-1 Example network of detection of MPLS OAM for static LSP connectivity

Data Plan
Table 7-1 provides the data plan for detection of MPLS OAM for static LSP connectivity.

Table 7-1 Data plan for detection of MPLS OAM for static LSP connectivity

Item         Data
-----------  ------------------------------------------------------------------
MA5600T_A    LSR ID: 1.1.1.1
             Port: 0/17/0
             IP address of VLAN interface 10 connected to Router A: 10.1.2.10/24
             Tunnel ID: 10; tunnel interface ID: 10
             Out label value of the LSP ingress: 8192
             In label value of the LSP egress: 8193
             Port: 0/17/1
             IP address of VLAN interface 21 connected to Router B: 10.1.1.10/24
             Static LSP: Router A to MA5600T_B

MA5600T_B    LSR ID: 3.3.3.3
             Port: 0/17/0
             IP address of VLAN interface 11 connected to Router A: 10.1.3.20/24
             Port: 0/17/1
             IP address of VLAN interface 20 connected to Router B: 10.1.4.20/24
             Tunnel ID: 20; tunnel interface ID: 20
             Out label value of the LSP ingress: 8200
             In label value of the LSP egress: 8201
             Static LSP: Router B to MA5600T_A

Router A     LSR ID: 2.2.2.2
             IP address of the interface connected to the MA5600T_A: 10.1.2.20/24
             IP address of the interface connected to the MA5600T_B: 10.1.3.10/24

Router B     LSR ID: 4.4.4.4
             IP address of the interface connected to the MA5600T_A: 10.1.1.20/24
             IP address of the interface connected to the MA5600T_B: 10.1.4.10/24

Procedure
- Configure source end MA5600T_A.

1. Configure the loopback interface.

huawei(config)#interface loopback 0
huawei(config-if-loopback0)#ip address 1.1.1.1 32
huawei(config-if-loopback0)#quit

2. Enable the basic MPLS and MPLS TE.

a. Enable the basic MPLS and MPLS TE globally.


huawei(config)#mpls lsr-id 1.1.1.1
huawei(config)#mpls
huawei(config-mpls)#mpls te
huawei(config-mpls)#quit

b. Enable the basic MPLS and MPLS TE on the interface.


huawei(config)#vlan 10 standard
huawei(config)#mpls vlan 10
huawei(config)#port vlan 10 0/17 0
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#ip address 10.1.2.10 24
huawei(config-if-vlanif10)#mpls
huawei(config-if-vlanif10)#mpls te
huawei(config-if-vlanif10)#quit
huawei(config)#vlan 21 standard
huawei(config)#mpls vlan 21
huawei(config)#port vlan 21 0/17 1
huawei(config)#interface vlanif 21
huawei(config-if-vlanif21)#ip address 10.1.1.10 24
huawei(config-if-vlanif21)#mpls
huawei(config-if-vlanif21)#mpls te
huawei(config-if-vlanif21)#quit

3. Configure the MPLS TE tunnel from the source end to the destination end.
Configure the MPLS TE tunnel bound to the detected LSP.
huawei(config)#interface tunnel 10
huawei(config-if-tunnel10)#tunnel-protocol mpls te
huawei(config-if-tunnel10)#destination 3.3.3.3
huawei(config-if-tunnel10)#mpls te tunnel-id 10
huawei(config-if-tunnel10)#mpls te signal-protocol static
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit

4. Configure the static LSP bound to the MPLS TE tunnel.

Destination end MA5600T functions as the ingress of the detected static LSP.
huawei(config)#static-lsp ingress tunnel-interface tunnel 10 destination 3.3.3.3 nexthop 10.1.2.20 out-label 8192

Destination end MA5600T functions as the egress of the detected static LSP.
huawei(config)#static-lsp egress LSP1 incoming-interface vlanif 10 in-label 8193

Destination end MA5600T functions as the egress of the backward static LSP.
huawei(config)#static-lsp egress LSP2 incoming-interface vlanif 21 in-label 8201

5. Enable MPLS OAM at source end MA5600T_A.

huawei(config)#mpls
huawei(config-mpls)#mpls oam
huawei(config-mpls)#quit
huawei(config)#mpls oam ingress tunnel 10 type ffd frequency 100 backward-lsp lsr-id 3.3.3.3 tunnel-id 20
//Configure the MPLS OAM source end. Configure the tunnel ID of the detected LSP to 10, detection packet type to FFD, Tx frequency to 100 ms,
//LSR-ID of the backward LSP to 3.3.3.3, and backward LSP tunnel ID to 20.
huawei(config)#mpls oam ingress enable all

6. Save the data.

huawei(config)#save

- Configure Router A or Router B.

When functioning as the transit node, Router A or Router B mainly forwards MPLS labels.
The ingress interface, in label, next hop IP address, and out label must be configured bidirectionally. For detailed configuration, see the configuration guide of the specific router.
- Configure destination end MA5600T_B.

1. Configure the loopback interface.

huawei(config)#interface loopback 0
huawei(config-if-loopback0)#ip address 3.3.3.3 32
huawei(config-if-loopback0)#quit

2. Enable the basic MPLS and MPLS TE.

a. Enable the basic MPLS and MPLS TE globally.


huawei(config)#mpls lsr-id 3.3.3.3
huawei(config)#mpls
huawei(config-mpls)#mpls te
huawei(config-mpls)#quit

b. Enable the basic MPLS and MPLS TE on the interface.


huawei(config)#vlan 11 standard
huawei(config)#mpls vlan 11
huawei(config)#port vlan 11 0/17 0
huawei(config)#interface vlanif 11
huawei(config-if-vlanif11)#ip address 10.1.3.20 24
huawei(config-if-vlanif11)#mpls
huawei(config-if-vlanif11)#mpls te
huawei(config-if-vlanif11)#quit
huawei(config)#vlan 20 standard
huawei(config)#mpls vlan 20
huawei(config)#port vlan 20 0/17 1
huawei(config)#interface vlanif 20
huawei(config-if-vlanif20)#ip address 10.1.4.20 24
huawei(config-if-vlanif20)#mpls
huawei(config-if-vlanif20)#mpls te
huawei(config-if-vlanif20)#quit

3. Configure the MPLS TE tunnel from the destination end to the source end.
Configure the MPLS TE tunnel bound to the detected LSP.
huawei(config)#interface tunnel 10
huawei(config-if-tunnel10)#tunnel-protocol mpls te
huawei(config-if-tunnel10)#destination 1.1.1.1
huawei(config-if-tunnel10)#mpls te tunnel-id 10
huawei(config-if-tunnel10)#mpls te signal-protocol static
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit

Configure the MPLS TE tunnel bound to the backward LSP.


huawei(config)#interface tunnel 20
huawei(config-if-tunnel20)#tunnel-protocol mpls te
huawei(config-if-tunnel20)#destination 1.1.1.1
huawei(config-if-tunnel20)#mpls te tunnel-id 20
huawei(config-if-tunnel20)#mpls te signal-protocol static
huawei(config-if-tunnel20)#mpls te commit
huawei(config-if-tunnel20)#quit

4. Configure the static LSP bound to the tunnel.

Source end MA5600T functions as the egress of the detected static LSP.
huawei(config)#static-lsp egress LSP2 incoming-interface vlanif 11 in-label 8192

Source end MA5600T functions as the ingress of the detected static LSP.
huawei(config)#static-lsp ingress tunnel-interface tunnel 10 destination 1.1.1.1 nexthop 10.1.3.10 out-label 8193

Source end MA5600T functions as the ingress of the backward static LSP.
huawei(config)#static-lsp ingress tunnel-interface tunnel 20 destination 1.1.1.1 nexthop 10.1.4.10 out-label 8200

5. Enable MPLS OAM at destination end MA5600T.

huawei(config)#mpls
huawei(config-mpls)#mpls oam
huawei(config-mpls)#quit
huawei(config)#mpls oam egress lsr-id 1.1.1.1 tunnel-id 10 type ffd frequency 100 backward-lsp tunnel 20 private
//Configure the MPLS OAM destination end. Configure the ingress LSR-ID of the detected LSP to 1.1.1.1, tunnel ID to 10, detection packet type to FFD, Tx frequency to 100 ms,
//backward LSP tunnel ID to 20, and tunnel to exclusive mode.
huawei(config)#mpls oam egress enable all

6. Save the data.

huawei(config)#save

----End

Result
After the configuration, shut down the interface of VLAN 10 by running the shutdown command
on MA5600T_A to simulate the link fault:
- On MA5600T_B, run the display mpls oam egress command and you can see the following
defect state: dLocv detected (dLocv).
- On MA5600T_A, run the display mpls oam ingress command and you can see the
following defect state: in defect (In-defect).

Perform similar operations on MA5600T_B and you can obtain similar results.
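
Because the destination checks the type and frequency of the received detection packets and identifies the detected LSP by ingress LSR-ID and tunnel ID, the OAM parameters on the two ends must agree. The following Python code is an added example, not part of the Huawei guide: it cross-checks the mpls oam ingress line of one end against the mpls oam egress line of the other. It assumes that "tunnel N" names a tunnel interface and "tunnel-id N" the configured tunnel ID; the function names, result names, both command lists and the 50 ms frequency are constructed for illustration.

```python
import re

# Constructed command lists for the two ends (prompts and unrelated lines omitted).
# Two deliberate mismatches: the source tunnel carries tunnel-id 20 while the egress
# expects tunnel-id 10, and the two ends use different FFD frequencies.
SOURCE_END = """\
mpls lsr-id 1.1.1.1
interface tunnel 10
destination 3.3.3.3
mpls te tunnel-id 20
mpls te commit
quit
mpls oam ingress tunnel 10 type ffd frequency 100 backward-lsp lsr-id 3.3.3.3 tunnel-id 20
"""
DESTINATION_END = """\
mpls lsr-id 3.3.3.3
interface tunnel 20
destination 1.1.1.1
mpls te tunnel-id 20
mpls te commit
quit
mpls oam egress lsr-id 1.1.1.1 tunnel-id 10 type ffd frequency 50 backward-lsp tunnel 20 private
"""

INGRESS = re.compile(
    r"^mpls oam ingress tunnel (?P<tunnel_if>\d+) type (?P<type>\w+) "
    r"frequency (?P<freq>\d+) backward-lsp lsr-id (?P<b_lsr>\S+) "
    r"tunnel-id (?P<b_id>\d+)", re.M)
EGRESS = re.compile(
    r"^mpls oam egress lsr-id (?P<lsr>\S+) tunnel-id (?P<id>\d+) "
    r"type (?P<type>\w+) frequency (?P<freq>\d+) "
    r"backward-lsp tunnel (?P<b_if>\d+)", re.M)


def lsr_id(text):
    """LSR ID configured with 'mpls lsr-id', or None."""
    m = re.search(r"^mpls lsr-id (\S+)$", text, re.M)
    return m.group(1) if m else None


def tunnel_ids(text):
    """Map tunnel interface number -> value of 'mpls te tunnel-id' in that view."""
    ids = {}
    for block in re.finditer(r"^interface tunnel (\d+)\n(.*?)^quit$", text, re.M | re.S):
        m = re.search(r"^mpls te tunnel-id (\d+)$", block.group(2), re.M)
        if m:
            ids[block.group(1)] = m.group(1)
    return ids


def check_oam_pair(source, destination):
    """Return the names of the OAM parameters that disagree between the two ends."""
    ing, egr = INGRESS.search(source), EGRESS.search(destination)
    if not ing or not egr:
        return ["oam-not-configured-on-both-ends"]
    problems = []
    # The egress identifies the detected LSP by the ingress LSR ID and tunnel ID.
    detected = (lsr_id(source), tunnel_ids(source).get(ing["tunnel_if"]))
    if detected != (egr["lsr"], egr["id"]):
        problems.append("detected-lsp")
    # The destination checks type and frequency of the received packets.
    if ing["type"] != egr["type"]:
        problems.append("type")
    if ing["freq"] != egr["freq"]:
        problems.append("frequency")
    # The ingress names the backward LSP by the egress LSR ID and tunnel ID.
    backward = (lsr_id(destination), tunnel_ids(destination).get(egr["b_if"]))
    if (ing["b_lsr"], ing["b_id"]) != backward:
        problems.append("backward-lsp")
    return problems


if __name__ == "__main__":
    print(check_oam_pair(SOURCE_END, DESTINATION_END))
```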

Configuration Example of the MPLS OAM Protection Switching Function


This topic describes how to configure MPLS OAM to implement the protection switching
function.

Service Requirements
- The OAM mechanism is used to detect in real time whether the MPLS link is normal and
to generate an alarm in time when a link fault is detected.
- The end-to-end tunnel protection technology is provided to recover the interrupted service.
- RSVP-TE is used to create an LSP tunnel for the specified path and reserve resources so
that the existing bandwidth resources can be fully used and QoS can be improved for
specific services.

Prerequisite
- The OSPF protocol must be successfully configured on each LSR in the network (the host
route of each port must be successfully advertised).
- The interface IP address and mask, loopback interface, and LSR-ID must be configured on
each LSR.
- The global and physical interface MPLS and MPLS TE functions must be enabled on each
node of the LSR.

Networking
Figure 7-2 shows an example network for configuring the MPLS OAM protection switching
function.
Configure two LSP tunnels on source end MA5600T_A and destination end MA5600T_B
to function as the primary and secondary LSPs. Enable the MPLS OAM protection switching function
for the LSPs. When the primary LSP is faulty, the traffic is switched to the secondary LSP.
Configure the backward LSP for reporting a fault to source end MA5600T_A.

NOTE

To prevent a fault on a single transit node (for example, Router A) from affecting both LSPs, it is
recommended that you specify different transit nodes when creating a secondary LSP.

Figure 7-2 Configuring the MPLS OAM protection switching function

Data Plan
Table 7-2 provides the data plan for the MPLS OAM protection switching.
Table 7-2 Data plan for the MPLS OAM protection switching

Item         Data
-----------  ------------------------------------------------------------------
MA5600T_A    LSR ID: 1.1.1.1
             Port: 0/17/0
             IP address of VLAN interface 10 connected to Router A: 10.1.2.10/24
             Port: 0/17/1
             IP address of VLAN interface 30 connected to Router A: 10.1.5.10/24
             IP address of VLAN interface 21 connected to Router B: 10.1.1.10/24

MA5600T_B    LSR ID: 3.3.3.3
             Port: 0/17/0
             IP address of VLAN interface 11 connected to Router A: 10.1.3.20/24
             Port: 0/17/1
             IP address of VLAN interface 20 connected to Router B: 10.1.4.20/24
             IP address of VLAN interface 31 connected to Router A: 10.1.6.20/24
             Backward tunnel: Router B to MA5600T_A

Router A     LSR ID: 2.2.2.2

Router B     LSR ID: 4.4.4.4

Procedure
- Configure source end MA5600T_A.

1. Configure the loopback interface.

huawei(config)#interface loopback 0
huawei(config-if-loopback0)#ip address 1.1.1.1 32
huawei(config-if-loopback0)#quit

2. Enable the basic MPLS, MPLS TE, and RSVP-TE functions.

a. Enable the global basic MPLS, MPLS TE, and RSVP-TE functions.
huawei(config)#mpls lsr-id 1.1.1.1
huawei(config)#mpls
huawei(config-mpls)#mpls te
huawei(config-mpls)#mpls rsvp-te
huawei(config-mpls)#mpls te cspf
huawei(config-mpls)#quit

b. Enable the interface basic MPLS, MPLS TE, and RSVP-TE functions.
//Configure the attributes of VLAN interface 10 and configure the IP address of VLAN interface 10 to 10.1.2.10/24.
huawei(config)#vlan 10 standard
huawei(config)#mpls vlan 10
huawei(config)#port vlan 10 0/17 0
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#ip address 10.1.2.10 24
huawei(config-if-vlanif10)#mpls
huawei(config-if-vlanif10)#mpls te
huawei(config-if-vlanif10)#mpls rsvp-te
huawei(config-if-vlanif10)#mpls te bandwidth max-reservable-bandwidth 10240
//(Optional) Configure VLAN interface 10 to provide a reservable bandwidth of 10240 kbit/s for all tunnels.
huawei(config-if-vlanif10)#quit
//Configure the attributes of VLAN interface 30 and configure the IP address of VLAN interface 30 to 10.1.5.10/24.
huawei(config)#vlan 30 standard
huawei(config)#mpls vlan 30
huawei(config)#port vlan 30 0/17 1
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.1.5.10 24
huawei(config-if-vlanif30)#mpls
huawei(config-if-vlanif30)#mpls te
huawei(config-if-vlanif30)#mpls rsvp-te
huawei(config-if-vlanif30)#mpls te bandwidth max-reservable-bandwidth 10240
//(Optional) Configure VLAN interface 30 to provide a reservable bandwidth of 10240 kbit/s for all tunnels.
huawei(config-if-vlanif30)#quit
//Configure the attributes of VLAN interface 21 and configure the IP address of VLAN interface 21 to 10.1.1.10/24.
huawei(config)#vlan 21 standard
huawei(config)#mpls vlan 21
huawei(config)#port vlan 21 0/17 1
huawei(config)#interface vlanif 21
huawei(config-if-vlanif21)#ip address 10.1.1.10 24
huawei(config-if-vlanif21)#mpls
huawei(config-if-vlanif21)#mpls te
huawei(config-if-vlanif21)#mpls rsvp-te
huawei(config-if-vlanif21)#mpls te bandwidth max-reservable-bandwidth 10240
//(Optional) Configure VLAN interface 21 to provide a reservable bandwidth of 10240 kbit/s for all tunnels.
huawei(config-if-vlanif21)#quit

3. Enable MPLS TE for the OSPF area.


huawei(config)#ospf 100
huawei(config-ospf-100)#opaque-capability enable
huawei(config-ospf-100)#area 0
huawei(config-ospf-100-area-0.0.0.0)#mpls-te enable standard-complying
huawei(config-ospf-100-area-0.0.0.0)#quit
huawei(config-ospf-100)#quit

4. Configure the MPLS TE tunnel from the source end to the destination end.
Configure the attributes of the working MPLS TE tunnel from the source end to the
destination end.
huawei(config)#interface tunnel 10
huawei(config-if-tunnel10)#tunnel-protocol mpls te
huawei(config-if-tunnel10)#destination 3.3.3.3
huawei(config-if-tunnel10)#mpls te tunnel-id 10
huawei(config-if-tunnel10)#mpls te signal-protocol rsvp-te
huawei(config-if-tunnel10)#mpls te bandwidth bc0 5120
//(Optional) Configure the global bandwidth of tunnel 10 to 5120 kbit/s.
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit

Configure the attributes of the protection MPLS TE tunnel from the source end to the
destination end.
huawei(config)#interface tunnel 30
huawei(config-if-tunnel30)#tunnel-protocol mpls te
huawei(config-if-tunnel30)#destination 3.3.3.3
huawei(config-if-tunnel30)#mpls te tunnel-id 30
huawei(config-if-tunnel30)#mpls te signal-protocol rsvp-te
huawei(config-if-tunnel30)#mpls te bandwidth bc0 5120
//(Optional) Configure the global bandwidth of tunnel 30 to 5120 kbit/s.
huawei(config-if-tunnel30)#mpls te commit
huawei(config-if-tunnel30)#quit

5. Configure a tunnel protect group.

Configure tunnel 30 as the protect tunnel for tunnel 10, switching mode to revertive,
and automatic WTR time to 900s.
huawei(config)#interface tunnel 10
huawei(config-if-tunnel10)#mpls te protection tunnel 30 mode revertive wtr 30
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit

6. Enable MPLS OAM at source end MA5600T_A.

huawei(config)#mpls
huawei(config-mpls)#mpls oam
huawei(config-mpls)#quit
huawei(config)#mpls oam ingress tunnel 10 type ffd frequency 100 backward-lsp lsr-id 3.3.3.3 tunnel-id 20
//Configure the MPLS OAM source end. Configure the tunnel ID of the detected LSP to 10, detection packet type to FFD, Tx frequency to 100 ms,
//LSR-ID of the backward LSP to 3.3.3.3, and backward LSP tunnel ID to 20.
huawei(config)#mpls oam ingress enable all

7. Save the data.

huawei(config)#save

- Configure Router A or Router B.


When functioning as the transit node, Router A or Router B mainly forwards MPLS labels.
The ingress interface, in label, next hop IP address, and out label must be configured bidirectionally. For detailed configuration, see the configuration guide of the specific router.

- Configure destination end MA5600T_B.

1. Configure the loopback interface.

huawei(config)#interface loopback 0
huawei(config-if-loopback0)#ip address 3.3.3.3 32
huawei(config-if-loopback0)#quit

2. Enable the basic MPLS, MPLS TE, and RSVP-TE functions.

a. Enable the global basic MPLS, MPLS TE, and RSVP-TE functions.
huawei(config)#mpls lsr-id 3.3.3.3
huawei(config)#mpls
huawei(config-mpls)#mpls te
huawei(config-mpls)#mpls rsvp-te
huawei(config-mpls)#mpls te cspf
huawei(config-mpls)#quit

b. Enable the interface basic MPLS, MPLS TE, and RSVP-TE functions.
//Configure the attributes of VLAN interface 11 and configure the IP address of VLAN interface 11 to 10.1.3.20/24.
huawei(config)#vlan 11 standard
huawei(config)#mpls vlan 11
huawei(config)#port vlan 11 0/17 0
huawei(config)#interface vlanif 11
huawei(config-if-vlanif11)#ip address 10.1.3.20 24
huawei(config-if-vlanif11)#mpls
huawei(config-if-vlanif11)#mpls te
huawei(config-if-vlanif11)#mpls rsvp-te
huawei(config-if-vlanif11)#quit
//Configure the attributes of VLAN interface 20 and configure the IP address of VLAN interface 20 to 10.1.4.20/24.
huawei(config)#vlan 20 standard
huawei(config)#mpls vlan 20
huawei(config)#port vlan 20 0/17 1
huawei(config)#interface vlanif 20
huawei(config-if-vlanif20)#ip address 10.1.4.20 24
huawei(config-if-vlanif20)#mpls
huawei(config-if-vlanif20)#mpls te
huawei(config-if-vlanif20)#mpls rsvp-te
huawei(config-if-vlanif20)#quit
//Configure the attributes of VLAN interface 31 and configure the IP address of VLAN interface 31 to 10.1.6.20/24.
huawei(config)#vlan 31 standard
huawei(config)#mpls vlan 31
huawei(config)#port vlan 31 0/17 1
huawei(config)#interface vlanif 31
huawei(config-if-vlanif31)#ip address 10.1.6.20 24
huawei(config-if-vlanif31)#mpls
huawei(config-if-vlanif31)#mpls te
huawei(config-if-vlanif31)#mpls rsvp-te
huawei(config-if-vlanif31)#quit

3. Configure the MPLS TE tunnel bound to the backward LSP.

Configure the tunnel ID to 20, destination IP address to 1.1.1.1, and global bandwidth
for the tunnel to 5120 kbit/s.
huawei(config)#interface tunnel 20
huawei(config-if-tunnel20)#tunnel-protocol mpls te
huawei(config-if-tunnel20)#destination 1.1.1.1
huawei(config-if-tunnel20)#mpls te tunnel-id 20
huawei(config-if-tunnel20)#mpls te signal-protocol rsvp-te
huawei(config-if-tunnel20)#mpls te bandwidth bc0 5120
huawei(config-if-tunnel20)#mpls te reserved-for-binding
huawei(config-if-tunnel20)#mpls te commit
huawei(config-if-tunnel20)#quit

4. Enable MPLS OAM at destination end MA5600T_B.

huawei(config)#mpls
huawei(config-mpls)#mpls oam
huawei(config-mpls)#quit
huawei(config)#mpls oam egress lsr-id 1.1.1.1 tunnel-id 10 type ffd frequency 100 backward-lsp tunnel 20 private
//Configure the MPLS OAM destination end. Configure the ingress LSR-ID of the detected LSP to 1.1.1.1, tunnel ID to 10, detection packet type to FFD, Tx frequency to 100 ms,
//backward LSP tunnel ID to 20, and tunnel to exclusive mode.
huawei(config)#mpls oam egress enable all

5. Save the data.

huawei(config)#save

----End

Result
After the configuration, you can shut down the interface of VLAN 10 by running the
shutdown command on MA5600T_A to simulate the link fault. Then, you can query the
information about the primary tunnel (with ID 10) that is configured on MA5600T_A by running
the display mpls te protection tunnel command on MA5600T_A. The information is as
follows:
- Status of the working tunnel (work-tunnel defect state): in defect.
- Status of the protection tunnel (protect-tunnel defect state): non-defect.
- Switch result: The traffic is switched to protection tunnel 30.

7.2 Configuring the PWE3 Private Line Service


Pseudo wire emulation edge-to-edge (PWE3) uses LDP or RSVP-TE as the signaling protocol
and carries various L2 services of the customer edge (CE) over the MPLS LSP or TE tunnel,
transparently transmitting the L2 data of the CE.

PWE3 Service Model


According to the PWE3 service model, PWE3 is indicated by the outer packet switch network
(PSN) tunnel label and the inner label (PW demultiplexer).
The PSN layer can select the MPLS or IP technology and the PW demultiplexer can select the
MPLS, UDP, or layer-2 tunneling protocol (L2TP) technology. The PWE3 outer label and inner
label support the following combinations: MPLS over MPLS, MPLS over IP, UDP over IP, and
L2TP over IP. The MA5600T supports the first three.

Network Application
The mainstream applications of the MPLS PWE3 supported by the MA5600T are as follows:

• TDM PWE3: A mobile 2G base station is connected to the ONU through the TDM E1 port.
  The ONU implements the TDM PWE3, transmitting traffic streams to the peer TDM PWE3
  device through the PSN. The OLT functions as an L2 transparent transmission device, PE
  device, or P device.
• ATM PWE3: The IMA service data of a 3G base station is connected to the ONU through
  the E1 port. The ONU restores the IMA service to the ATM service and encapsulates the
  ATM service on the ATM PWE3 private line for connecting to the peer ATM PWE3 device
  (PTN device in the figure). The MA5600T functions as an L2 transparent transmission device
  or P device.
• ETH PWE3: A 3G base station is connected to the ONU through the FE/GE port. The ONU
  performs the ETH PWE3 encapsulation for interconnecting with the peer ETH PWE3
  device. The MA5600T functions as an L2 transparent transmission device or P device.

Procedure
According to the PWE3 service model, PWE3 configurations include the outer tunnel
configuration, inner PW configuration, and tunnel protection. Therefore, the configuration
procedure is as follows.

7.2.1 Configuring the PWE3 Outer Tunnel


To provide services across the IP network or MPLS network, the MA5600T supports PW over
the IP tunnel or MPLS tunnel to transparently transmit services in the IP network.

Prerequisites
1. The loopback interface IP address must be configured.
2. The LSR ID must be configured.
3. The global MPLS and MPLS TE functions must be enabled.
4. The OSPF protocol must be successfully configured on each device in the network (the
   host route of each port must be successfully advertised).

Context
According to the upper-layer PSN type, namely MPLS network or IP network, the PWE3 outer
tunnel is categorized as MPLS tunnel and IP tunnel.
Different PWE3s support different tunnel encapsulation formats. Pay attention to the following
points during the configuration:
• TDM PWE3 supports the following PWE3 tunnel encapsulation formats: MPLS over
  MPLS, MPLS over IP, and UDP over IP. The EDTB board does not support UDP over IP
  currently.
• ATM PWE3 supports the following PWE3 tunnel encapsulation formats: MPLS over
  MPLS and MPLS over IP.
• ETH PWE3 supports only the MPLS over MPLS encapsulation format.

Procedure
• Configure the MPLS TE tunnel.

1. In the global config mode, run the interface tunnel command to create a tunnel
   interface and enter the tunnel interface mode.

2. Run the tunnel-protocol mpls te command to configure the tunnel protocol to MPLS
   TE, that is, configure the tunnel interface to work in the TE tunnel mode.

3. Run the destination ip-address command to configure the destination IP address of
   the tunnel. Generally, the LSR ID of the ingress is used.

4. Run the mpls te tunnel-id command to configure the tunnel ID.

5. Run the mpls te signal-protocol { rsvp-te | static } command to configure the
   signaling protocol for the MPLS TE tunnel.
   According to whether the MPLS TE tunnel uses the dynamic signaling protocol, the
   tunnel is categorized as a static MPLS TE tunnel or an MPLS RSVP-TE tunnel.
   Static MPLS TE tunnel: The forwarding information and resource information are
   configured manually, and the signaling protocol and path calculation are not
   involved. Because the MPLS-related control packets are not exchanged, fewer
   resources are used. The static tunnel, however, cannot be dynamically adjusted
   according to network changes. Therefore, the actual application is limited.
   MPLS RSVP-TE tunnel: MPLS TE creates the LSP tunnel along a specified path
   through RSVP-TE and reserves resources. Thus, carriers can accurately control
   the path that traffic traverses to avoid the node where congestion occurs. This
   solves the problem that certain paths are overloaded and other paths are idle,
   utilizing the current bandwidth resources sufficiently.

6. (Optional) Run the mpls te bandwidth command to configure the bandwidth of the
   tunnel. After the configuration is completed, only the VLAN interface meeting this
   bandwidth requirement is selected as the node traversed by an MPLS TE tunnel when
   the MPLS TE tunnel is created.
   If the MPLS TE tunnel is only used to change the data transmission path, you do
   not need to configure the bandwidth of the tunnel.

7. (Optional) Run the mpls te path explicit-path command to configure the explicit path
   used by the MPLS TE tunnel.
   To limit only the bandwidth of the MPLS TE tunnel but not the transmission path,
   you do not need to configure the explicit path of the tunnel.

8. Run the mpls te commit command to commit the current tunnel configuration.
   NOTE
   Each time the MPLS TE parameters on the tunnel interface are changed, you need to run the mpls
   te commit command to commit the configuration.

9. Run the display interface tunnel command to query the configuration of the tunnel.

• Configure the MPLS IP tunnel.


1. In the global config mode, run the interface tunnel command to create a tunnel
   interface and enter the tunnel interface mode.

2. Run the tunnel-protocol mpls ip command to configure the tunnel protocol to MPLS
   IP, that is, configure the tunnel interface to work in the IP tunnel mode.

3. Run the source ip_addr command to configure the source IP address of the tunnel.
   Generally, the LSR ID of the ingress is used.

4. Run the destination ip-address command to configure the destination IP address of
   the tunnel. Generally, the LSR ID of the egress is used.

5. Run the mpls te commit command to commit the current tunnel configuration.
   NOTE
   Each time the MPLS IP parameters on the tunnel interface are changed, you need to run the mpls
   te commit command to commit the configuration.

6. Run the display interface tunnel command to query the configuration of the tunnel.

----End

7.2.2 Configuring the Tunnel Policy


Configure the tunnel selection sequence for load balancing or the tunnel binding policy in the
tunnel. After the configuration is successful, packets in the tunnel are processed according to
the tunnel policy.

Prerequisites
The PWE3 outer tunnel must be created.

Context
The tunnel selection sequence and the tunnel binding policy are mutually exclusive. This means
that you can configure only one of them.
• The IP tunnel supports the configuration of only the tunnel selection sequence.
• The MPLS TE tunnel supports the configuration of only the tunnel binding policy.

Procedure
Step 1 Run the tunnel-policy command to create a tunnel policy name and enter the tunnel policy mode.
Step 2 For an IP tunnel, run the tunnel select-seq command to configure the selection sequence of tunnels
for load balancing.
Run this command to configure different tunnel types for load balancing according to priorities.
The closer a tunnel type is to the keyword select-seq, the higher its priority for load balancing.
The MA5600T does not support load balancing between different tunnels. In other words,
tunnels for load balancing must be of the same type. The tunnels are selected according to the
tunnel configuration.
Step 3 For an MPLS TE tunnel, run the tunnel binding command to configure the tunnel binding policy.
Run this command to bind to a specified tunnel ID and configure the system to switch to another
tunnel according to the configured sequence when a tunnel is not available. After the tunnel
binding policy is configured, run the mpls te reserved-for-binding command in the tunnel mode
to allow the MPLS TE tunnel to be bound to the VPN instance.
destination ip-addr indicates the destination IP address of the tunnel, which must be the same
as the destination IP address configured in the MPLS TE tunnel.
Step 4 In the global config mode, run the display tunnel-policy command to query the information
about the tunnel policy.
----End

Example
To configure a tunnel policy named te_policy and bind to tunnels with the destination IP address
5.5.5.5 and IDs 10 and 20, do as follows:
huawei(config)#tunnel-policy te_policy
Info: New tunnel-policy is configured.
huawei(config-tunnel-policy-te_policy)#tunnel binding destination 5.5.5.5 te tunnel 10 tunnel 20
huawei(config)#display tunnel-policy
{ <cr>|string<S><Length 1-19> }:
  Command:
          display tunnel-policy
  Total   tunnel policy num: 1
  Sel-Seq tunnel policy num: 0
  Binding tunnel policy num: 1
  Invalid tunnel policy num: 0

  Tunnel Policy Name   Destination   Tunnel Intf   Down switch
  ----------------------------------------------------------------------------
  te_policy            5.5.5.5       tunnel10      Disable
                                     tunnel20

7.2.3 Configuring the PWE3 Inner PW


Configure the attribute of PW and use the PW parameters for PW binding.

Prerequisites
• MPLS L2VPN must be enabled.
• The tunnel policy must be configured.

Context
PW parameters include the following parameters: control word, jitter buffer (only for TDM
PWs), maximum transmission unit (MTU), loopback IP address of the peer device, PW type,
RTP control header, virtual circuit connectivity verification (VCCV), used tunnel policy, flow
label classification, and TDM load time (only for TDM PWs).
Different services have different configurations when the services are bound to a PW.

Procedure
Step 1 Run the pw-para command to create a PW parameter.
PW parameters and the PW have a one-to-one mapping. One PW parameter can be used by only
one PW.
Step 2 Run the peer-address command to configure the IP address of the peer device.
peer-address indicates the peer IP address in the PW for creating communication. In the actual
transmission, data packets are automatically transmitted to the peer device according to this IP
address.
Step 3 Run the pw-type command to configure the PW type.
The MA5600T supports TDM, ATM and ETH PWs.
The ATM PW is categorized as ATM NTo1 VCC and ATM SDU types.
• ATM NTo1 VCC: One or more ATM VCCs are transmitted on a PW.
• ATM SDU: Only the AAL5 CPCS-SDU payload is transmitted.
ETH PWs are categorized as raw and tagged modes.
• Raw mode: The PW VLAN tag is not carried in the upstream direction, but the PW payload
  can carry the SVLAN.
• Tagged mode: The payload of an upstream packet carries the PW VLAN tag, and the PW
  VLAN tag is removed in the downstream direction.
For the same PW, the PW types at both ends must be the same. In this way, the PW can be
available.

CAUTION
Among PW parameters, the IP address and PW type of the peer device cannot be changed after
they are configured. To change these two parameters, run the undo pw-para command to delete
them first, and then configure them again. Make sure that the two parameters are correctly
configured the first time, so as to prevent repeated operations.
Step 4 Run the control-word command to enable the control word mode.
When VCCV ping works in the control word mode, you need to enable the control word. It is
recommended that you enable the control word mode.
Step 5 (Optional) Run the jitter-buffer command to configure the jitter buffer.
The jitter buffer can effectively prevent jitter and delay. By default, the jitter buffer size is 2000
μs.
NOTE

• Only a TDM PW supports setting of the jitter buffer size.
• The jitter buffer size must be an integer multiple of 125.

Step 6 (Optional) Run the mtu command to configure the MTU.


Due to the limit in the system, the configurable MTU ranges for different PW types are different:
• MTU values set on the two devices at the ends of an ETH PW must be the same. If MTU
  values are different, an ETH PW can never be available.
• By default, the MTU is 1500 bytes. Do not modify this value unless there is a special
  requirement.
Step 7 Run the rtp-header command to configure the RTP control header.
NOTE

This command is applicable to only TDM PWs.

The length of the RTP header is 12 bytes, including the version number, padding flag, and
timestamp fields. The timestamp field, whose length is 32 bits, is used for clock synchronization.
For the format of the RTP header, see RFC 3550.
After RTP is enabled, PW packets of the TDM type carry the RTP control header. Otherwise,
the RTP control header is not carried.
The RTP configuration must be the same as that on the peer PW device. By default, the
MA5600T disables the RTP control header.
Step 8 Run the vccv command to enable VCCV, so as to notify the peer device of the VCCV types
supported by the local device. After a successful negotiation by both devices, a virtual circuit
connectivity verification is performed by using LSP ping according to the priority of the VCCV
type.
VCCV is an end-to-end PW fault detection and diagnosis mechanism. Simply, VCCV is a control
channel for the PW to send verification messages between the ingress and egress.
Enable the LSP ping function for alert, CW, and TTL channels or any of the three channels
according to the VCCV types supported by the system. By default, VCCV is disabled.
Step 9 (Optional) Run the tdm-load-time command to configure the TDM load time.
NOTE

Only a TDM PW supports the setting of the load time.

Because each TDM frame is 125 μs, the load time must be an integer multiple of 125. If the
entered number is not an integer multiple of 125, the system rounds it down to the nearest integer
multiple of 125 μs. The jitter buffer must be greater than the load time.
The default jitter buffer is 1000 μs. Do not modify this value unless there is a special requirement.
Step 10 (Optional) Run the tnl-policy command to configure the tunnel policy used by the PW.
NOTE

The tunnel policy and the PW flow label classification are mutually exclusive. Configure either of them.

After the tunnel policy used by the PW is configured, the PW can perform load balancing or
path selection according to the tunnel policy.
Step 11 (Optional) Run the flow-label command to enable flow classification.
NOTE

• The tunnel policy and the PW flow label classification are mutually exclusive. Configure either of them.
• Only the ETH PW supports flow label.
• Before configuring the flow label capability, make sure that the status of the flow label function on the local
  end is the same as that on the peer end, and it is recommended that you adopt the same classification rules. If
  the flow label function is enabled on the local end but is disabled on the peer end, the packets carrying a
  flow label sent by the local end will be dropped after they arrive at the peer end, and the packets carrying no
  flow label will also be dropped after they arrive at the local end. As a result, services will be interrupted.
• After flow classification is enabled, you need to run the mpls ecmp command in the global config mode to
  enable the MPLS ECMP function. Then, the flow classification function takes effect.

To implement PWE3 load balancing, at the start point of the PW (ingress PE), the PW data is
classified into different flows and each flow is allocated with a flow label. The downstream P
node of the PW performs load balancing according to the flow labels.
The flow label supports flow classification by the source IP address, destination
IP address, source MAC address, destination MAC address, and any combination of these
four addresses.
Step 12 (Optional) Run the max-atm-cells command to configure the maximum number of ATM cells
that can be subtended.
Only the PW bound to a PW of the NTo1 VCC type requires the configuration of the maximum
number of ATM cells that can be subtended. After the configuration, the number of ATM cells
in the packet sent from the peer end cannot exceed this value. The default value is 1.
Step 13 (Optional) Run the max-encapcell-delay command to configure the packet delay of the ATM
cell maximum group.
Only the PW of the NTo1 VCC type requires the configuration of the packet delay of the ATM
cell maximum group. After the configuration, the maximum waiting time of subtended ATM
cells encapsulated in a packet is the packet delay of the ATM cell maximum group. The default
value is 0 ms.

CAUTION
If a PW is already set up and its adminstatus queried by running the display pw command is
displayed as up, the attributes of the PW cannot be changed. Before changing the attributes, run
the manual-set pw-ac-fault command to set the adminstatus of the PW to down. After the
attributes are changed, run the undo manual-set pw-ac-fault command to set the adminstatus
of the PW back to up. Then, the new configurations of the PW take effect.
Step 14 In the privilege mode or global config mode, run the display pw-para command to query the
configuration of the PW.
----End

Example
To configure PW 10 with the following attributes, do as follows:
• PW type: TDM SAToP E1
• IP address of the peer PW device: 10.10.10.20
• Name of the tunnel policy used by the PW: tdm-policy
• Enable the RTP control header and the control word mode
• Enable the connectivity verification function of the alert, CW and TTL channels
• Other parameters: default settings

huawei(config)#pw-para 10
huawei(config-pw-para-10)#peer-address 10.10.10.20
huawei(config-pw-para-10)#pw-type tdm satop e1
huawei(config-pw-para-10)#tnl-policy tdm-policy
huawei(config-pw-para-10)#rtp-header
huawei(config-pw-para-10)#control-word
huawei(config-pw-para-10)#vccv cc cw alert ttl cv lsp-ping
huawei(config-pw-para-10)#quit
huawei(config)#display pw-para 10
PW ID              : 10
PeerIP             : 10.10.10.20
Tnl Policy Name    : tdm-policy
PW Type            : tdm satop e1
CtrlWord           : enable
VCCV Capability    : cw alert ttl lsp-ping
MTU                : 1500
MaxAtmCells        : --
MaxEncapDelay      : --
RTP                : enable
JitterBuffer       : 2000
LoadTime(us)       : 1000
TimeSlotNum        : 32
PayLoadSize(bytes) : 256
FlowLabel          : --

To configure PW 20 with the following attributes, do as follows:


• PW type: ETH Tagged
• IP address of the peer PW device: 10.20.30.40
• Name of the tunnel policy used by the PW: eth-policy
• Other parameters: default settings

huawei(config)#pw-para 20
huawei(config-pw-para-20)#pw-type ethernet tagged
huawei(config-pw-para-20)#peer-address 10.20.30.40
huawei(config-pw-para-20)#tnl-policy eth-policy
huawei(config-pw-para-20)#quit
huawei(config)#display pw-para 20
PW ID              : 20
PeerIP             : 10.20.30.40
Tnl Policy Name    : eth-policy
PW Type            : ethernet tagged
CtrlWord           : disable
VCCV Capability    : disable
MTU                : 1500
MaxAtmCells        : --
MaxEncapDelay      : --
RTP                : --
JitterBuffer       : --
LoadTime(us)       : --
TimeSlotNum        : --
PayLoadSize(bytes) : --
FlowLabel          : --
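
The both-ends rules in the procedure above (same PW type, same RTP setting, same flow label state, same MTU on an ETH PW, control word enabled when VCCV uses the CW channel, jitter buffer a multiple of 125 and greater than the load time) can be checked before a PW is put into service. The following Python check is an added example, not part of the guide or of Huawei software; it assumes the peer prints display pw-para output in the same layout, and the peer output and the peer's PeerIP value 10.10.10.10 are constructed samples.

```python
import re

FRAME_US = 125  # the guide: each TDM frame is 125 us

# Constructed sample: local end, laid out like the PW 10 output in the guide.
LOCAL_PW10 = """\
PW ID              : 10
PeerIP             : 10.10.10.20
Tnl Policy Name    : tdm-policy
PW Type            : tdm satop e1
CtrlWord           : enable
VCCV Capability    : cw alert ttl lsp-ping
MTU                : 1500
RTP                : enable
JitterBuffer       : 2000
LoadTime(us)       : 1000
FlowLabel          : --
"""

# Constructed sample: hypothetical peer end with two planted mistakes
# (RTP disabled, control word disabled while VCCV advertises the CW channel).
PEER_PW10 = """\
PW ID              : 10
PeerIP             : 10.10.10.10
Tnl Policy Name    : tdm-policy
PW Type            : tdm satop e1
CtrlWord           : disable
VCCV Capability    : cw alert ttl lsp-ping
MTU                : 1500
RTP                : disable
JitterBuffer       : 2000
LoadTime(us)       : 1000
FlowLabel          : --
"""


def parse_pw_para(text):
    """Parse 'Key : value' lines into a dict; '--' (not applicable) becomes None."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:#]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            key, value = m.groups()
            params[key] = None if value in ("--", "") else value
    return params


def lint_one_end(name, p):
    """Checks that concern a single end of the PW."""
    out = []
    vccv = (p.get("VCCV Capability") or "").split()
    if "cw" in vccv and p.get("CtrlWord") != "enable":
        out.append(f"{name}: VCCV uses the CW channel but the control word is not enabled")
    is_tdm = (p.get("PW Type") or "").startswith("tdm")
    if is_tdm and p.get("JitterBuffer") and p.get("LoadTime(us)"):
        jitter, load = int(p["JitterBuffer"]), int(p["LoadTime(us)"])
        if jitter % FRAME_US:
            out.append(f"{name}: jitter buffer {jitter} is not an integer multiple of {FRAME_US}")
        if jitter <= load:
            out.append(f"{name}: jitter buffer {jitter} must be greater than load time {load}")
    return out


def lint_pw_pair(local, peer):
    """Return a list of findings for the two ends of one PW."""
    findings = []

    def differ(key, why):
        if local.get(key) != peer.get(key):
            findings.append(
                f"{key}: local={local.get(key)!r} peer={peer.get(key)!r} ({why})")

    differ("PW Type", "PW types at both ends must be the same")
    differ("RTP", "RTP configuration must be the same as on the peer")
    differ("FlowLabel", "flow label state must be the same at both ends")
    if (local.get("PW Type") or "").startswith("ethernet"):
        differ("MTU", "an ETH PW is never available if the MTU values differ")
    findings += lint_one_end("local", local)
    findings += lint_one_end("peer", peer)
    return findings


if __name__ == "__main__":
    for finding in lint_pw_pair(parse_pw_para(LOCAL_PW10), parse_pw_para(PEER_PW10)):
        print(finding)
```
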

7.2.4 Binding the Service to the PW


Bind various PWE3 services to a PW. After the binding, user packets are encapsulated and
forwarded according to the modes defined in the PW parameters.

Prerequisites
• The PW must be configured.
• For TDM PWE3, the TDM connection must be created.
• For ATM PWE3, the ATM-based service port must be created.
• For ETH PWE3, the ETH-based service port must be created.

Context
Different PWE3 services have different configurations when the services are bound to a PW.
• TDM PWE3 supports dynamic PW, static PW, and UDP PW.
• ATM PWE3 supports dynamic PW, static PW, and UDP PW.
• ETH PWE3 supports dynamic PW and static PW.

The parameters of a static PW are not negotiated using the signaling protocol, the relevant
information is configured manually through the command line interface (CLI), and the data is
transmitted through tunnels between PEs.

Procedure
• Bind the TDM service to a PW.

  Run the pw-ac-binding tdm command to use a PW to create the TDM PW service.
  Pay attention to the following points during the configuration:
  To specify a PW as a static PW, you need to configure the in label and out label of the
  PW. The out label value must be an unallocated and idle value at the peer end and the
  in label value must be an unallocated value at the local end.
  To specify a PW as a UDP PW, you need to configure the destination port ID and
  source port ID of the PW. The destination port ID must be the same as the source port
  ID at the peer PW device and the source port ID must be the same as the destination
  port ID at the peer PW device.

• Bind the ATM service to a PW.

  Run the pw-ac-binding pvc command to use a PW to create the ATM PW service.
  The PVC and the PW can be bound in two modes: NTo1 mode and SDU mode. Pay attention
  to the following points during the configuration:
  In the SDU mode, a PW is bound to only one PVC. Therefore, you need not change the
  VPI or VCI.
  In the NTo1 mode, a PW can be bound to multiple PVCs. To differentiate between
  PVCs, you must change the out VPI and VCI of the PW, that is, you must specify
  outvpi and outvci. The operation procedure is as follows:

  1. Run the pw-ac-binding pvc command to bind a PW to a PVC.
  2. Run the pw-ac-append pvc command to bind the PW to another PVC.

• Bind the ETH service to a PW.

  Run the pw-ac-binding vlan command to use a PW to create the ETH PW service.
  Note: To specify a PW as a static PW, you need to configure the in label and out label of
  the PW. The out label value must be an unallocated and idle value at the peer end and the
  in label value must be an unallocated value at the local end.

----End

Example
To bind the TDM service to a PW with the following settings, do as follows. Settings: TDM
connection ID 10, PW ID 12, PW label using the UDP port, UDP destination port ID 50050,
and UDP source port ID 50050.
huawei(config)#pw-ac-binding tdm 10 pw 12 udp ingress-dst-port 50050 egress-dst-port 50060

To bind the ATM service to a PW of the ATM SDU type with the following settings, do as
follows. Settings: ATM access port 0/3/0, VPI/VCI 0/35, and PW ID 20.
huawei(config)#pw-ac-binding pvc 0/3/0 vpi 0 vci 35 pw 20

To bind the ETH service to a PW with the following settings, do as follows. Settings: VLAN
ID 100, PW ID 30, PW out label 8500, and PW in label 8600.
huawei(config)#pw-ac-binding vlan 100 pw 30 static transmit-label 8500 receive-label 8600

7.2.5 Configuring MPLS Tunnel Protection


Create a protection tunnel for the MPLS TE tunnel. When the working tunnel is faulty, the system
quickly switches to the protection tunnel to ensure the service reliability.

Prerequisites
• The forward LSP must be created.
• The backward LSP must be created.
• MPLS OAM must be enabled.

Context
MPLS tunnel protection is a part of the MPLS OAM connectivity detection mechanism.
The basic process of the MPLS OAM connectivity check and protection switching is as follows:
1. The source transmits the CV/FFD packets to the destination through the detected LSP.
2. The destination checks the correctness of the type and frequency carried in the received
   detection packets and measures the number of correct and errored packets that are received
   within the detection period to monitor the connectivity of the LSP in real time.
3. After detecting a defect, the destination transmits the BDI packets that carry the defect
   information to the source through the backward path.
4. The source learns about the status of the defect, and triggers the corresponding protection
   switching when the protect group is correctly configured.

Procedure
Step 1 Configure the working MPLS TE tunnel.
1. In global config mode, run the interface tunnel command to create a tunnel interface and
   enter the tunnel interface mode.
2. Run the tunnel-protocol mpls te command to configure the tunnel protocol to MPLS TE.
3. Run the destination ip-address command to configure the destination IP address of the
   tunnel. Generally, the egress LSR ID is used.
4. Run the mpls te tunnel-id command to configure the tunnel ID.
5. Run the mpls te signal-protocol rsvp-te command to configure the signaling protocol of
   the tunnel to RSVP-TE.
6. (Optional) Run the mpls te bandwidth command to configure the bandwidth for the tunnel.
   After the configuration is completed, only the VLAN interface that meets this bandwidth
   value can be selected as the node traversed by the MPLS TE tunnel path when the MPLS
   TE tunnel is created.
   If the MPLS TE tunnel is only used to change the data transmission path, you do not
   need to configure the tunnel bandwidth.
7. (Optional) Run the mpls te path explicit-path command to configure the explicit path used
   by the MPLS TE tunnel.
   If only the bandwidth used by the MPLS TE tunnel is limited but the transmission path is
   not limited, you do not need to configure the explicit path used by the MPLS TE tunnel.
8. Run the mpls te commit command to commit the current configuration of the tunnel.

Step 2 Configure the protection MPLS TE tunnel.
The working mode of MPLS OAM protection switching is 1:1 protection. Normally, each
working tunnel has a protection tunnel.
The configuration of the protection tunnel is the same as that of the working tunnel.
Step 3 Configure a tunnel protect group.
Configure the working tunnel and the protection tunnel as a tunnel protect group. When the
source end finds the active LSP is defective through the MPLS OAM detection mechanism, and
the protection switching is required, the system can switch the data to the protection tunnel for
continuous transmission.
1. In the global config mode, run the interface tunnel command to enter the working tunnel
   interface mode.
2. Run the mpls te protection tunnel command to create a tunnel protect group and set the
   switchback mode of the protect group.
   The switchback policy of a PW protect group can be immediate automatic switchback,
   automatic switchback after a period of time, and no automatic switchback.

Step 4 (Optional) Run the mpls te protect-switch command to forcibly switch over the tunnel protect
group.
To manually switch data streams between working and protection tunnels, run this command.
There are four forcible switching modes:
• clear: clears all external switching commands that are already executed in the system.
• lock: lock switching, which locks data streams on the working tunnel.
• force: forcible switching, which forcibly switches data streams to the protection tunnel.
• manual work-lsp: manually switches data streams on the working tunnel to the protection
  tunnel.
• manual protect-lsp: manually switches data streams on the protection tunnel to the working
  tunnel.
Keywords clear, lock, force, and manual correspond to switching priorities in descending
order. If a command with a higher priority is executed, a command with a lower priority cannot
be executed.
Step 5 In the global config mode, run the display mpls te protection tunnel command to query the
configuration of the tunnel protect group.
----End

Example
To configure RSVP-TE tunnel IDs to 10 and 30, destination IP address of the tunnels to 3.3.3.3,
tunnel 30 as the protection tunnel of tunnel 10, switchback mode to revertive, and WTR time to
900s, do as follows:
huawei(config)#interface tunnel 10
huawei(config-if-tunnel10)#tunnel-protocol mpls te
huawei(config-if-tunnel10)#destination 3.3.3.3
huawei(config-if-tunnel10)#mpls te tunnel-id 10
huawei(config-if-tunnel10)#mpls te signal-protocol rsvp-te
huawei(config-if-tunnel10)#mpls te bandwidth bc0 5120
//(Optional) Configure the global bandwidth of tunnel 10 to 5210 kbit/s.
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit
huawei(config)#interface tunnel 30
huawei(config-if-tunnel30)#tunnel-protocol mpls te
huawei(config-if-tunnel30)#destination 3.3.3.3
huawei(config-if-tunnel30)#mpls te tunnel-id 30
huawei(config-if-tunnel30)#mpls te signal-protocol rsvp-te
huawei(config-if-tunnel30)#mpls te bandwidth bc0 5120
//(Optional) Configure the global bandwidth of tunnel 30 to 5210 kbit/s.
huawei(config-if-tunnel30)#mpls te commit
huawei(config-if-tunnel30)#quit
huawei(config)#interface tunnel 10
huawei(config-if-tunnel10)#mpls te protection tunnel 30 mode revertive wtr 30
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit

7.3 Configuring TDM PWE3 Private Line Service (T1 Upstream Transmission)

The MA5612 receives the time division multiplexing (TDM) service through T1 ports, performs
circuit emulation service over packet (CESoP) emulation on the TDM service and transmits the
service to the MA5600T. The MA5600T terminates the emulation data, restores TDM signals,
and transmits the signals to the synchronous digital hierarchy (SDH) network through T1 ports.
Such a mechanism allows the traditional circuit-switched service to be carried over the Ethernet
passive optical network (EPON).

Service Requirements
• The MA5612 receives TDM access service from enterprise users and home users through
  T1 ports.
• Existing SDH resources are utilized efficiently. The optical line terminals (OLTs) and cell
  backhaul units (CBUs) from different manufacturers are required to interoperate properly.

Figure 7-3 shows an example network of the TDM pseudo wire emulation edge-to-edge (PWE3)
private line service.
The MA5612 receives the TDM service through T1 ports, performs CESoP emulation on the
TDM service data, and transmits the data upstream to the OLT's EPON service boards. The OLT
terminates the emulation data, restores TDM signals, and transmits the TDM signals to TDM
networks through T1 ports on EDTB boards. This process implements the TDM private line
access service between the MA5612 and the MA5600T by means of CESoP emulation.
Figure 7-3 TDM PWE3 private line access service

Data Plan
Table 7-3 provides the data plan of the OLT, and Table 7-4 provides the data plan of the
MA5612.


Table 7-3 Data plan for configuring the TDM PWE3 private line access service on OLT

| Item | Data |
| --- | --- |
| VLAN | Inband management VLAN: smart VLAN 8 |
| | Service VLAN (S-VLAN): smart VLAN 500 |
| IP address | Inband management IP address: 192.168.50.1/24 |
| | IP address of the Layer 3 interface of VLAN 500: 10.0.0.10/24 |
| EPON service board | Port: 0/6/1 |
| | ONU ID: 1 |
| | ONU authentication mode: medium access control (MAC) address |
| SPUB board | Board slot: 0/3 |
| MPLS | MPLS label switching router (LSR) ID: 3.3.3.3 |
| | Multi-protocol label switch (MPLS) Label Distribution Protocol (LDP): enabled |
| PW parameters | PW ID: 3 |
| | IP address of the peer end: 5.5.5.5 |
| | PW type: TDM CESoP |
| | PW load time: 125 μs |
| | TDM timeslot: 24 |
| | Jitter buffer size: 2500 μs |
| | Control word: supported |
| | Real-time Transfer Protocol (RTP): enabled |
| | Virtual circuit connectivity verification (VCCV): enabled |
| H802EDTB service board | T1 port: 0/9/0 |
| | Port impedance: 100 ohms |
| | Port line coding: B8ZS |
| DBA profile | Profile ID: 20 |
| | Type: type1 |
| | Fixed bandwidth: 30 Mbit/s |
| | Bandwidth compensation: enabled |
| ONU line profile | Profile ID: 20. Line profile 20 is bound to dynamic bandwidth allocation (DBA) profile 20. |
| ONU management mode | SNMP |
| Tx clock of a T1 port | Line clock. Clock signals are obtained from the T1 line. |

Table 7-4 Data plan for configuring the TDM PWE3 private line access service on MA5612

| Item | Data |
| --- | --- |
| VLAN | Inband management VLAN: smart VLAN 8. EPON upstream port 0/0/0 is added to this VLAN. |
| | SVLAN: smart VLAN 500. EPON upstream port 0/0/0 is added to this VLAN. |
| IP address | Inband management IP address: 192.168.50.2/24 |
| | IP address of loopback interface 0: 5.5.5.5/32 |
| | IP address of the Layer 3 interface of VLAN 500: 10.0.1.10/24 |
| MAC address | MAC address of the EPON port of the MA5612: 0018-82D6-D178 |
| MPLS | MPLS LSR ID: 5.5.5.5 |
| | Global MPLS: enabled |
| | MPLS LDP: enabled |
| PW parameters | PW ID: 5 |
| | PW type: TDM CESoP |
| | IP address of the peer end: 3.3.3.3 |
| | PW load time: 125 μs |
| | TDM timeslot: 24 |
| | Jitter buffer size: 2500 μs |
| | Control word: supported |
| | RTP: enabled |
| | VCCV: enabled |
| | Port ID: 0/1/0 |
| T1 port | Port working mode: structured data transfer (SDT) |
| | TDM signals output by the T1 port support the extended super frame (ESF) check. |
| | ID of the TDM virtual channel link (VCL) timeslot bitmap created by the T1 port: 0xfffffffe |
| | TDM VCL ID: 10 |
| | TDM VCL service type: CESoP |
| | Tx Clock: adaptive clock, restoring from PW 5 |

Procedure
• Configure the OLT.
  1. Configure EPON ONU profiles.
     NOTE
     Unless otherwise specified, ONUs in this topic refer to the MA5612s.

     EPON ONU profiles include DBA profiles and line profiles.

     - DBA profile: A DBA profile describes EPON traffic parameters. A logic link ID
       (LLID) is bound to a DBA profile for dynamically allocating bandwidth and
       improving upstream bandwidth usage efficiency.
     - Line profile: A line profile describes the relationships between an LLID and a DBA
       profile.
     a. Configure a DBA profile.
        Run the display dba-profile command to query existing DBA profiles in the
        system. If the existing DBA profiles in the system cannot meet the requirements,
        run the dba-profile add command to add a DBA profile.
        Set the DBA profile ID to 20, type to type1, and fixed bandwidth to 30 Mbit/s.
        huawei(config)#dba-profile add profile-id 20 type1 fix 30720 bandwidth_compensate yes

     b. Configure an ONU line profile.
        Set the line profile ID to 20 and the DBA profile ID bound to LLID to 20. Disable
        forward error correction (FEC) and traffic limitation. Both functions are disabled
        by default.
        NOTE
        a. (Optional) Run the fec enable command to enable FEC. FEC improves transmission
           reliability between the OLT and ONU.
        b. (Optional) Run the llid ont-car command to limit ONU's upstream traffic.
        huawei(config)#ont-lineprofile epon profile-id 20
        huawei(config-epon-lineprofile-20)#llid dba-profile-id 20

        After the configurations are complete, run the commit command to make the
        configured parameters take effect.
        huawei(config-epon-lineprofile-20)#commit
        huawei(config-epon-lineprofile-20)#quit

  2. Add an MA5612 on the OLT.
     Connect an MA5612 to the EPON port of the OLT by using optical fibers. Services
     can be configured only after an MA5612 is successfully added on the OLT.
     Connect the MA5612 to EPON port 0/6/1 through an optical splitter. Set ONT ID to
     1, use the MAC address authentication mode, set the MAC address to 0018-82D6-D178,
     set the management mode to SNMP, and bind line profile 20 to the ONU.
     An ONU can be added in two modes. Select either mode as required.
     - Offline mode: If an ONU's password or MAC address is obtained, run the ont
       add command to add an ONU offline.
     - Auto discovery mode: If an ONU's password or MAC address is unknown, run the
       port ont-auto-find command in the EPON mode to enable the ONU auto
       discovery function of the EPON port. Then, run the ont confirm command to
       confirm the ONU after it is auto discovered.
     Run the following commands to add an MA5612 in offline mode:
     huawei(config)#interface epon 0/6
     huawei(config-if-epon-0/6)#ont add 1 1 mac-auth 0018-82D6-D178 snmp ont-lineprofile-id 20 desc MA5612_0/6/1/1_lineprofile20

     Run the following commands to add an MA5612 in auto discovery mode:
     huawei(config)#interface epon 0/6
     huawei(config-if-epon-0/6)#port 1 ont-auto-find enable


     huawei(config-if-epon-0/6)#display ont autofind 1
     //After this command is executed, the information about all ONUs
     connected to the EPON port through optical splitters is displayed.
     ------------------------------------------------------------------------
     Number              : 1
     F/S/P               : 0/6/1
     Ont Mac             : 0018-82D6-D178
     Password            : 00000000000000000000000000000000
     VenderID            : HWTC
     Ontmodel            : MA5612
     Ont SoftwareVersion : V800R308C00
     OntHardwareVersion  : MA5612
     Ont autofind time   : 2010-03-20 10:20:45
     ------------------------------------------------------------------------
     huawei(config-if-epon-0/6)#ont confirm 1 ontid 1 mac-auth 0018-82D6-D178 snmp ont-lineprofile-id 20 desc MA5612_0/6/1/1_lineprofile20
     NOTE
     If multiple MA5612s bound to the same line profile are connected to the same port, you can bulk
     add MA5612s by bulk confirming auto discovered MA5612s to make configuration easier and more
     efficient. For example, the preceding command can be modified as follows:
     huawei(config-if-epon-0/6)#ont confirm 1 all mac-auth snmp ont-lineprofile-id 20 desc MA5612_0/6/1_lineprofile20

  3. Confirm that the MA5612 goes online normally.
     After adding an MA5612, run the display ont info command to query the current
     status of the MA5612. Ensure that Control flag of the MA5612 is active, Run
     State is online, Config state is normal, and Match state is match.
     huawei(config-if-epon-0/6)#display ont info 1 1
     ---------------------------------------------------------------------
     F/S/P        : 0/6/1
     ONT-ID       : 1
     Control flag : active   //Indicates that the ONU is activated.
     Run state    : online   //Indicates that the ONU goes online successfully.
     Config state : normal   //Indicates that the ONU configuration recovery is in the normal state.
     Match state  : match    //Indicates that the capability profile bound to the ONU is consistent with the actual capabilities of the ONU.
     ...//The rest of the response information is not provided here.

     When Config state is failed, Run state is offline, or Match state is mismatch, refer
     to the following suggestions to rectify the fault.
     - If Control flag is deactive, run the ont active command in the GPON port mode
       to activate the ONU.


     - If Run state is offline, a physical line break may occur or the optical module may
       be damaged. Check the line and the optical module hardware.
     - If Config state is failed, run the display ont failed-configuration command in
       the diagnosis mode to check the failed configuration item and the failure cause.
       Rectify the fault accordingly.
     - If Match state is mismatch, run the display ont capability command to query
       the actual capabilities of the ONU, and select either of the following methods to
       modify the ONU configuration:
       - Create a proper ONU profile based on the actual capabilities of the ONU, and
         run the ont modify command to modify the configuration data of the ONU.
       - Modify the ONU profile based on the actual capabilities of the ONU and save
         the modification. The ONU will automatically recover the configuration.
  4. Configure the management channel from the OLT to the MA5612.
     a. Configure the inband management VLAN and IP address of the OLT.
        To telnet to the MA5612 from the OLT and configure the MA5612, you need to
        configure the inband management VLANs and IP addresses of the OLT and the
        MA5612 on the OLT.
        Configure the inband management VLAN and IP address of the OLT. Create
        management VLAN 8, add the upstream port to VLAN 8, and set the inband
        management IP address to 192.168.50.1/24.
        huawei(config-if-epon-0/6)#quit
        huawei(config)#vlan 8 smart
        huawei(config)#port vlan 8 0/17 0
        huawei(config)#interface vlanif 8
        huawei(config-if-vlanif8)#ip address 192.168.50.1 24
        huawei(config-if-vlanif8)#quit

     b. Configure the inband management VLAN and IP address of the MA5612.
        Set 192.168.50.2/24 as the static IP address of the MA5612 and VLAN 8 (the
        same as that of the OLT) as the management VLAN of the MA5612.
        huawei(config)#interface epon 0/6
        huawei(config-if-epon-0/6)#ont ipconfig 1 1 ip-address 192.168.50.2 mask 255.255.255.0 manage-vlan 8

     c. Configure an inband management service port.
        Configure the management service port index to 0, management VLAN ID to
        8, GEM port ID to 0, and customer VLAN (C-VLAN) ID to 8. The OLT does
        not limit the rate of the inband management service port. Therefore, use default
        traffic profile 6. To limit the rate of a service port, run the traffic table ip
        command to create a traffic profile and then bind the traffic profile to the service
        port.
        huawei(config-if-epon-0/6)#quit
        huawei(config)#service-port vlan 8 epon 0/6/1 ont 1 multi-service user-vlan 8 inbound traffic-table index 6 outbound traffic-table index 6

  5. Confirm that the management channel between the OLT and the MA5612 is available.
     - On the OLT, run the ping 192.168.50.2 command to check the connectivity with
       the MA5612. The ICMP ECHO-REPLY message should be received from the
       MA5612.
     - Run the telnet 192.168.50.2 command to telnet to the MA5612. The MA5612 can
       be configured from the OLT.

  6. Configure a loopback interface.
     Set the ID of the loopback interface to 0 and its IP address to 3.3.3.3/32.
     huawei(config)#interface loopback 0
     huawei(config-if-loopback0)#ip address 3.3.3.3 32
     huawei(config-if-loopback0)#quit

  7. Enable basic MPLS functions.
     Set the MPLS LSR ID. Set the IP address of loopback interface 0 as the LSR ID.
     huawei(config)#mpls lsr-id 3.3.3.3

     Enable MPLS and Layer 2 virtual private network (VPN) globally.
     huawei(config)#mpls
     huawei(config-mpls)#lsp-trigger host   //Triggers LDP by the IP address of the host to set up an LSP.
     huawei(config-mpls)#quit
     huawei(config)#mpls l2vpn

     Enable LDP globally.
     huawei(config)#mpls ldp
     huawei(config-mpls-ldp)#quit
     NOTE
     • Only one session is allowed between two LSRs. Local LDP sessions have higher priority over
       remote LDP sessions. To simplify configuration, assume that the MA5600T is directly connected
       to the packet transport network (PTN). In this case, only LDP needs to be enabled. When LDP
       is enabled, a local LDP session is automatically set up.
     • If the MA5600T is not directly connected to the PTN, after enabling LDP, run the mpls ldp
       remote-peer command to create a remote LDP peer and enter the remote peer mode. Then, run
       the remote-ip ip-addr command to set the remote LSR ID.

  8. Configure a VLAN and enable MPLS for the VLAN and VLAN interface.
     Add VLAN 500 for MPLS forwarding.
     huawei(config)#vlan 500 smart

     Enable MPLS for VLAN 500.
     huawei(config)#mpls vlan 500

     Set the IP address of VLAN interface 500 to 10.0.0.10/24 and enable MPLS LDP for
     the VLAN interface.
     huawei(config)#interface vlanif 500
     huawei(config-if-vlanif500)#ip address 10.0.0.10 24
     huawei(config-if-vlanif500)#mpls
     huawei(config-if-vlanif500)#mpls ldp
     huawei(config-if-vlanif500)#quit

  9. Configure a route.
     PWE3 has no special requirement for routing policies. PWE3 supports static routes,
     RIP routes, and OSPF routes. Because OSPF supports MPLS RSVP-TE extension, an
     OSPF dynamic route is recommended.
     Set the OSPF process ID to 100 and OSPF area ID to 1. Configure the interface
     (loopback interface) that runs OSPF and configure the area of the interface.
     huawei(config)#ospf 1
     huawei(config-ospf-1)#area 100
     huawei(config-ospf-1-area-0.0.0.100)#network 3.3.3.3 0.0.0.0
     huawei(config-ospf-1-area-0.0.0.100)#network 10.0.0.0 0.0.0.255
     huawei(config-ospf-1-area-0.0.0.100)#return


  10. Create an EPON service port.
      Set the service port ID to 1, S-VLAN ID to 500, ONU ID to 1, and C-VLAN ID to
      500. The MA5612 limits upstream and downstream traffic but the OLT does not.
      Therefore, use default traffic profile 6. To limit the rate of a service port, run the traffic
      table ip command to create a traffic profile and then bind the traffic profile to this
      service port.
      The C-VLAN must be the same as the upstream VLAN of the MA5612.
      huawei(config)#service-port 1 vlan 500 epon 0/6/1 ont 1 multi-service user-vlan 500 inbound traffic-table index 6 outbound traffic-table index 6

  11. Configure the attributes of the T1 port on the EDTB board.
      The attributes of the T1 port must be the same as those of the peer T1 port.
      Set the board working mode to SAToP and port working mode to T1.
      huawei(config)#interface edt 0/9
      huawei(config-edt-0/9)#board workmode satop
      Success: Set the board workmode success
      huawei(config-edt-0/9)#tdm access-mode t1

      (Optional) Configure port impedance. A T1 port supports only 100 ohm impedance
      by default.
      huawei(config-edt-0/9)#impendance 100

      (Optional) Configure the port line code. The default line code of a T1 port
      is B8ZS.
      huawei(config-edt-0/9)#line-code 0 B8ZS
      huawei(config-edt-0/9)#quit

  12. Configure PW parameters.
      a. Create PW 3 and enter the PW parameter mode.
         huawei(config)#pw-para 3

      b. Configure the loopback interface IP address of the remote PTN device.
         Set the loopback interface IP address to 5.5.5.5.
         huawei(config-pw-para-3)#peer-address 5.5.5.5

      c. Set the PW type to TDM CESoP.
         huawei(config-pw-para-3)#pw-type tdm cesopsn

      d. Set the PW load time.
         Set the load time to 125 μs and the number of timeslots to 24.
         huawei(config-pw-para-3)#tdm-load-time cesopsn loadtime 125 timeslotnum 24

      e. (Optional) Enable RTP. When RTP is enabled, the TDM PW packets will carry
         an RTP control header. By default, RTP is disabled.
         NOTE
         The RTP configuration must be the same as that on the PTN.
         huawei(config-pw-para-3)#rtp enable

      f. (Optional) Set a jitter buffer size. The jitter buffer can effectively prevent jitter
         and latency. Only PWs of the TDM type support jitter buffer settings. The default
         jitter buffer size is 2000 μs.
         NOTE
         The jitter buffer size ranges from 500 μs to 32000 μs and must be an integer multiple of 125.
         Set this value based on specific requirements. In this example, the jitter buffer size is set to
         2500 μs.
         huawei(config-pw-para-3)#jitter-buffer buffer-size 2500


      g. Configure the PW to support the control word.
         huawei(config-pw-para-3)#control-word

      h. Enable VCCV.
         huawei(config-pw-para-3)#vccv cc cw alert ttl cv lsp-ping
         huawei(config-pw-para-3)#quit

  13. Configure a TDM connection.
      Configure a TDM connection on T1 port 0/9 of the EDTB board.
      huawei(config)#tdm-connect connectid 2 tdm pwe3-uplink 0/9 t1 0/9/0

  14. Bind the TDM connection to the PW to create the PW service of the TDM type.
      Bind TDM connection 2 to PW 3.
      huawei(config)#pw-ac-binding tdm 2 pw 3

  15. Confirm that the PW is in the normal state.
      On the OLT, run the display pw or display pw-ac-binding command to query the
      PW status. Ensure that PW STATE is up.
      huawei(config)#display pw-ac-binding tdm 3
      Total : 1 (Up/Down : 1/0  Static/LDP : 0/1)
      ---------------------------------------------------------------------------
      TDM  PW  PW     PROTO  RECEIVE  TRNS   PW
      ID   ID  STATE  TYPE   LABEL    LABEL  INDEX
      ---------------------------------------------------------------------------
      2    3   up     LDP    ----            3
      ---------------------------------------------------------------------------
      Note : F--Frame, S--Slot, P-Port
      *: Secondary

  16. Configure clock synchronization on the T1 port.
      Set the line clock as the Tx clock of the EDTB T1 port. This means to obtain clock
      signals from T1 line.
      huawei(config)#interface edt 0/9
      huawei(config-edt-0/9)#clock-work 0 line
      huawei(config-edt-0/9)#quit

  17. Save the data.
      huawei(config)#save

• Configure the MA5612.
  NOTE
  Because the management VLAN and the management IP address have been configured, run the telnet
  192.168.50.2 command on the OLT to log in to the MA5612 and perform configuration. You can also log
  in to the MA5612 through a serial port and perform configuration.

  1. Configure the IP address of the loopback interface.
     Set the IP address of loopback interface 0 to 5.5.5.5/32.
     huawei(config)#interface loopback 0
     huawei(config-if-loopback0)#ip address 5.5.5.5 32
     huawei(config-if-loopback0)#quit


  2. Configure the MPLS LSR ID, and enable MPLS LDP and Layer 2 VPN globally.
     huawei(config)#mpls lsr-id 5.5.5.5
     huawei(config)#mpls
     huawei(config-mpls)#quit
     huawei(config)#mpls l2vpn
     huawei(config)#mpls ldp
     huawei(config-mpls-ldp)#quit

  3. Configure a VLAN and enable MPLS for the VLAN and VLAN interface.
     Add VLAN 500 for forwarding MPLS packets and add an upstream port to it.
     huawei(config)#vlan 500 smart
     huawei(config)#port vlan 500 0/0/0

     Enable MPLS for VLAN 500.
     huawei(config)#mpls vlan 500

     Set the Layer 3 IP address of VLAN 500 to 10.0.1.10/24 and enable MPLS LDP for
     the interface.
     huawei(config)#interface vlanif 500
     huawei(config-if-vlanif500)#ip address 10.0.1.10 24
     huawei(config-if-vlanif500)#mpls
     huawei(config-if-vlanif500)#mpls ldp
     huawei(config-if-vlanif500)#quit

  4. Configure a route.
     PWE3 has no special requirement for routing policies. PWE3 supports static routes,
     RIP routes, and OSPF routes. Because OSPF supports MPLS RSVP-TE extension, an
     OSPF dynamic route is recommended.
     Set the OSPF process ID to 200 and OSPF area ID to 2. Configure the interface
     (loopback interface) that runs OSPF and configure the area of the interface.
     huawei(config)#ospf 2
     huawei(config-ospf-2)#area 200
     huawei(config-ospf-2-area-0.0.0.200)#network 10.0.1.0 0.0.0.255
     huawei(config-ospf-2-area-0.0.0.200)#network 5.5.5.5 0.0.0.0
     huawei(config-ospf-2-area-0.0.0.200)#return

  5. Configure PW parameters.
     a. Create PW 5 and enter the PW parameter mode.
        huawei(config)#pw-para 5

     b. Configure the loopback interface IP address of the remote PTN device.
        Set the loopback interface IP address to 3.3.3.3.
        huawei(config-pw-para-5)#peer-address 3.3.3.3

     c. Set the PW type to TDM CESoP.
        huawei(config-pw-para-5)#pw-type tdm cesopsn

     d. Set the PW load time.
        Set the load time to 125 μs and the number of timeslots to 24.
        huawei(config-pw-para-5)#tdm-load-time cesopsn loadtime 125 timeslotnum 24

     e. (Optional) Enable RTP. When RTP is enabled, the TDM PW packets will carry
        an RTP control header. By default, RTP is disabled.
        NOTE
        The RTP configuration must be the same as that on the PTN.
        huawei(config-pw-para-5)#rtp enable


     f. (Optional) Set a jitter buffer size. The jitter buffer can effectively prevent jitter
        and latency. Only PWs of the TDM type support jitter buffer settings. The default
        jitter buffer size is 2000 μs.
        NOTE
        The jitter buffer size ranges from 500 μs to 32000 μs and must be an integer multiple of 125.
        Set this value based on specific requirements. In this example, the jitter buffer size is set to
        2500 μs.
        huawei(config-pw-para-5)#jitter-buffer buffer-size 2500

     g. Configure the PW to support the control word.
        huawei(config-pw-para-5)#control-word

     h. Enable VCCV.
        huawei(config-pw-para-5)#vccv cc cw alert ttl cv lsp-ping
        huawei(config-pw-para-5)#quit

  6. Configure clock synchronization.
     Configure the MA5612 T1 port to restore clock from TDM PWE3 service packets and
     use it as the Tx clock of the T1 port.
     huawei(config)#interface tdm 0/1
     huawei(config-if-tdm-0/1)#adapt-clock-source 0 5   //Configure adaptive clock source 0, recovered from PW 5.
     huawei(config-if-tdm-0/1)#port 0 sdt acm 0 esf enable   //Configure TDM port 0 to work in the SDT mode, use the adaptive clock as the Tx clock of the port, and enable ESF.

  7. Configure the TDM service port and create TDM VCL 10.
     huawei(config-if-tdm-0/1)#tdm access-mode t1   //Configure the board access mode to T1.
     huawei(config-if-tdm-0/1)#quit
     huawei(config)#tdm-vcl tdm-vcl-id 10 cesop 0/1/0 timeslot 0xfffffffe
     //On port 0/1/0, set TDM VCL ID to 10, TDM VCL service
     type to CESoP, and timeslot to 0xfffffffe.

  8. Dynamically bind the TDM to the PW.
     Use MPLS over MPLS dynamic encapsulation mode and set TDM VPN ID to 10 and
     PW ID to 3.
     huawei(config)#pw-ac-binding tdm 10 pw 5

  9. Confirm that the PW is in the normal state.
     On the CBU (MA5612), run the display pw or display pw-ac-binding command to
     query the PW status. Ensure that PW STATE is up.
     huawei(config)#display pw-ac-binding tdm 10
     { <cr>|secondary<K> }:
       Command:
               display pw-ac-binding tdm 10
     Total : 1 (Up/Down : 1/0  Static/LDP : 0/1)
     ---------------------------------------------------------------------------
     TDM  PW  PW     PROTO  RECEIVE  TRNS   TEMPLATE
     ID   ID  STATE  TYPE   LABEL    LABEL  NAME
     ---------------------------------------------------------------------------
     10   5   up     LDP    -----           5
     ---------------------------------------------------------------------------
     Note : F--Frame, S--Slot, P-Port
     *: Secondary

  10. Save the data.
      huawei(config)#save

----End

Result
After a network is restructured, bit error ratio and latency over a long period meet application
requirements, the T1 private line service or ISDN PRI PBX service runs normally, and the
operation method for end users is not changed.

Configuration File
• Configure the OLT.
vlan 8 smart
port vlan 8 0/17 0
interface vlanif 8
 ip address 192.168.50.1 24
 quit
dba-profile add profile-id 20 type1 fix 30720
ont-lineprofile epon profile-id 20
 llid dba-profile-id 20
 commit
 quit
interface epon 0/6
 port 1 ont-auto-find enable
 ont confirm 1 ontid 1 mac-auth 0018-82D6-D178 snmp ont-lineprofile-id 20 desc MA5612_0/6/1/1_lineprofile20
 ont ipconfig 1 1 ip-address 192.168.50.2 mask 255.255.255.0 manage-vlan 8
 quit
service-port 0 vlan 8 epon 0/6/1 ont 1 multi-service user-vlan 8
interface loopback 0
 ip address 3.3.3.3 32
 quit
mpls lsr-id 3.3.3.3
mpls
 lsp-trigger host
 quit
mpls l2vpn
mpls ldp
 quit
vlan 500 smart
mpls vlan 500
interface vlanif 500
 ip address 10.0.0.10 24
 mpls
 mpls ldp
 quit
ospf 1
 area 100
  network 3.3.3.3 0.0.0.0
  network 10.0.0.0 0.0.0.255
  return
service-port 1 vlan 500 epon 0/6/1 ont 1 multi-service user-vlan 500 inbound traffic-table index 6 outbound traffic-table index 6
interface edt 0/9
 board workmode satop
 tdm access-mode t1
 impendance 100
 line-code 0 B8ZS
 quit
pw-para 3
 peer-address 5.5.5.5
 pw-type tdm cesopsn
 tdm-load-time cesopsn loadtime 125 timeslotnum 24
 rtp enable
 jitter-buffer buffer-size 2500
 control-word
 vccv cc cw alert ttl cv lsp-ping
 quit
tdm-connect connectid 2 tdm pwe3-uplink 0/9 t1 0/9/0
pw-ac-binding tdm 2 pw 3
interface edt 0/9
 clock-work 0 line
 quit
save

• Configure the MA5612.
interface loopback 0
 ip address 5.5.5.5 32
 quit
vlan 500 smart
port vlan 500 0/0/0
mpls vlan 500
interface vlanif 500
 ip address 10.0.1.10 24
 mpls
 quit
mpls l2vpn
mpls ldp
 quit
ospf 2
 area 200
  network 10.0.1.0 0.0.0.255
  network 5.5.5.5 0.0.0.0
  return
pw-para 5
 peer-address 3.3.3.3
 pw-type tdm cesopsn
 tdm-load-time cesopsn loadtime 125 timeslotnum 24
 rtp enable
 jitter-buffer buffer-size 2500
 control-word
 vccv cc cw alert ttl cv lsp-ping
 quit
interface tdm 0/1
 adapt-clock-source 0 5
 port 0 sdt acm 0 esf enable
 tdm access-mode t1
 quit
tdm-vcl tdm-vcl-id 10 cesop 0/1/0 timeslot 0xfffffffe
pw-ac-binding tdm 10 pw 5
save
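
The two ends of the PW are configured separately, so a mismatch between them is easy to introduce during a later change. The following pre-deployment check is an added example, not part of the Huawei guide: it pairs the PWs by LSR ID and peer address (the PW IDs differ between the ends in this topic), compares the parameters that must agree, applies the jitter buffer rule from the NOTE above, and flags references to a PW that is not configured. The function names are hypothetical, the sample configurations are constructed from the commands in this topic, and treating an absent control-word line as "off" is an assumption.

```python
import ipaddress
import re

# Constructed samples, condensed from the commands in the procedure above.
OLT_CONFIG = """\
mpls lsr-id 3.3.3.3
pw-para 3
 peer-address 5.5.5.5
 pw-type tdm cesopsn
 tdm-load-time cesopsn loadtime 125 timeslotnum 24
 rtp enable
 jitter-buffer buffer-size 2500
 control-word
 quit
pw-ac-binding tdm 2 pw 3
"""
CBU_CONFIG = """\
mpls lsr-id 5.5.5.5
pw-para 5
 peer-address 3.3.3.3
 pw-type tdm cesopsn
 tdm-load-time cesopsn loadtime 125 timeslotnum 24
 rtp enable
 jitter-buffer buffer-size 2500
 control-word
 quit
interface tdm 0/1
 adapt-clock-source 0 5
 quit
pw-ac-binding tdm 10 pw 5
"""

# Defaults stated in this topic: RTP disabled, jitter buffer 2000 us.
# Treating an absent control-word line as "off" is an assumption.
PW_DEFAULTS = {"peer": None, "type": None, "loadtime": None,
               "timeslots": None, "rtp": False, "jitter": 2000, "cw": False}

# (pattern, update) pairs for lines inside a pw-para block.
PW_LINES = [
    (r"peer-address (\S+)", lambda m: {"peer": str(ipaddress.IPv4Address(m[1]))}),
    (r"pw-type (.+)", lambda m: {"type": m[1]}),
    (r"tdm-load-time \S+ loadtime (\d+) timeslotnum (\d+)",
     lambda m: {"loadtime": int(m[1]), "timeslots": int(m[2])}),
    (r"rtp enable", lambda m: {"rtp": True}),
    (r"jitter-buffer buffer-size (\d+)", lambda m: {"jitter": int(m[1])}),
    (r"control-word", lambda m: {"cw": True}),
]
# Parameters that have to be identical on both ends of one PW.
MUST_MATCH = ("type", "loadtime", "timeslots", "rtp", "cw")


def parse_device(text):
    """Extract the LSR ID, pw-para blocks and PW references from one config."""
    dev = {"lsr_id": None, "pws": {}, "refs": []}
    current = None  # pw-para block being read, if any
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"mpls lsr-id (\S+)", line):
            dev["lsr_id"] = str(ipaddress.IPv4Address(m[1]))
        elif m := re.fullmatch(r"pw-para (\d+)", line):
            current = dev["pws"].setdefault(int(m[1]), dict(PW_DEFAULTS))
        elif line == "quit":
            current = None
        elif m := re.fullmatch(r"pw-ac-binding tdm \d+ pw (\d+)", line):
            dev["refs"].append(("pw-ac-binding", int(m[1])))
        elif m := re.fullmatch(r"adapt-clock-source \d+ (\d+)", line):
            dev["refs"].append(("adapt-clock-source", int(m[1])))
        elif current is not None:
            for pattern, update in PW_LINES:
                if m := re.fullmatch(pattern, line):
                    current.update(update(m))
                    break
    return dev


def audit(olt_text, cbu_text):
    """Return a list of findings; an empty list means both ends agree."""
    olt, cbu = parse_device(olt_text), parse_device(cbu_text)
    findings = []
    for name, dev in (("OLT", olt), ("MA5612", cbu)):
        for pw_id, pw in sorted(dev["pws"].items()):
            if not 500 <= pw["jitter"] <= 32000 or pw["jitter"] % 125:
                findings.append(f"{name}: PW {pw_id} jitter buffer {pw['jitter']} us invalid")
        for source, pw_id in dev["refs"]:
            if pw_id not in dev["pws"]:
                findings.append(f"{name}: {source} references PW {pw_id}, not configured")
    for a_id, a in sorted(olt["pws"].items()):
        peers = [(b_id, b) for b_id, b in sorted(cbu["pws"].items())
                 if a["peer"] == cbu["lsr_id"] and b["peer"] == olt["lsr_id"]]
        if not peers:
            findings.append(f"OLT PW {a_id}: no MA5612 PW points back at this LSR")
        for b_id, b in peers:
            findings += [f"PW {a_id}/{b_id}: {key} differs ({a[key]!r} vs {b[key]!r})"
                         for key in MUST_MATCH if a[key] != b[key]]
    return findings
```

Call audit() with the saved configuration text of the OLT and of the MA5612; an empty list means no mismatch was found among the parameters it checks.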


8 Configuring Network Protection

About This Chapter


The MA5600T provides a powerful redundancy backup mechanism. Redundancy (backup) gives the
system high reliability and a self-healing capability, so that when an exception occurs, the
services and customer networks provided by the carrier remain as stable as possible and loss
is reduced to the minimum.

Background Information
In carrier-class operation, redundancy (backup) devices or parts are generally added to
increase the reliability of the entire system, so that the system keeps working normally in
case of an accident or disaster.
8.1 Configuring the NE Subtending Through the FE or GE Port
The MA5600Ts (NEs) can be directly connected to each other through the FE or GE port.
Subtending saves the upstream optical fibers and simplifies networking and service
configuration.
8.2 Configuring the Uplink Redundancy Backup
This topic describes how to configure the link aggregation group or uplink protection group to
improve the reliability of service transmission.
8.3 Configuring the Smart Link Redundancy Backup
The smart link is a solution that is applied in the network with dual uplinks and provides reliable
and efficient backup and quick switching for the dual uplinks. The solution provides high
reliability for carriers' network.
8.4 Configuring the MPLS Service Board Redundancy Backup
This topic describes how to configure 1+1 redundancy backup for the MPLS service board. In
this way, when the MPLS service board is faulty, the service is not affected.
8.5 Configuring GPON Type B Protection
Type B protection is to configure 1+1 redundancy backup of different GPON ports on
MA5600T. In this way, when a GPON port is faulty, automatic switching is performed and the
services are not affected.
8.6 Configuring EPON Type B Protection


This topic describes how to configure 1+1 redundancy backup for the EPON service board. After
1+1 redundancy backup is configured, services will not be affected when the EPON service
board is faulty.
8.7 Configuring the Switchover of the Protect Group
This topic describes how to configure the ARP detection between the MA5600T and the BRAS.
When the active uplink in the dual uplinks of the MA5600T is faulty, the service data can be
automatically switched to the protection uplink. This implements the switchover of the
protect group of upstream ports on the MA5600T and ensures that the service runs normally.
8.8 Configuring the MSTP
The MA5600T supports the application of the Multiple Spanning Tree Protocol (MSTP),
Spanning Tree Protocol (STP), and Rapid Spanning Tree Protocol (RSTP). The MA5600T
supports the MSTP ring network, which can meet various networking requirements.
8.9 Configuring RRPP
Rapid Ring Protection Protocol (RRPP) is a data link layer protocol specially applied to the
Ethernet ring. When the Ethernet ring is complete, RRPP can prevent broadcast storms caused
by a data loop. When a link on the Ethernet ring is disconnected, RRPP can quickly recover the
communication channels between nodes on the Ethernet ring, thus increasing the network
reliability.
8.10 Configuring the BFD
This topic describes how to configure the BFD on the MA5600T.
8.11 Configuring ETH OAM
In a broad sense, operation, administration, and maintenance (OAM) means a set of methods
for monitoring and diagnosing network faults. The Ethernet OAM feature includes two
sub-features: Ethernet CFM OAM and Ethernet EFM OAM.


8.1 Configuring the NE Subtending Through the FE or GE Port
The MA5600Ts (NEs) can be directly connected to each other through the FE or GE port.
Subtending saves the upstream optical fibers and simplifies networking and service
configuration.

Background Information
• The two ports to be subtended must have the same port type, port rate, and port duplex
  mode.
• The ETHB board supports setting the network role only for the whole board, so if
  the ETHB board is used for subtending, the network role of all ports on the ETHB board
  must be set to "cascade".
• The GIU board supports setting the network role of each port, so if the GIU board is used for
  subtending, the network role of the specified port on the GIU board must be set to "cascade".

Procedure
Step 1 Configure the VLAN of the master NE.
The VLAN type is smart, and the VLAN attribute is common. For details about the configuration,
see 2.6 Configuring a VLAN.
Step 2 Add an upstream port to the VLAN of the master NE.
Run the port vlan command to add an upstream port to the VLAN.
Step 3 Add a subtending port to the VLAN of the master NE.
Run the port vlan command to add a subtending port to the VLAN.
Step 4 Set the network role of the subtending port of the master NE.
  1. Run the interface eth command or interface giu command to enter the ETH mode or GIU
     mode.
  2. Run the network-role command to set the network role of the port to subtending.
     By default, the port of ETHB board functions as a cascade port, while the port of GIU board
     functions as an upstream port.
Step 5 Configure the VLAN of the slave NE. The VLAN of the slave NE is the same as the VLAN of
the master NE.
The VLAN type is smart, and the VLAN attribute is common. For details about the configuration,
see 2.6 Configuring a VLAN.
Step 6 Add an upstream port to the VLAN of the slave NE.
Run the port vlan command to add an upstream port to the VLAN.
----End

Example
Assume that master NE huawei_A and slave NE huawei_B are subtended through the GIU board.
To add upstream port 0/17/0 and subtending port 0/17/1 of huawei_A to VLAN 100, and add
upstream port 0/17/0 of huawei_B to VLAN 100, do as follows:
huawei_A(config)#vlan 100 smart
huawei_A(config)#port vlan 100 0/17 0
huawei_A(config)#port vlan 100 0/17 1
huawei_A(config)#interface giu 0/17
huawei_A(config-if-giu-0/17)#network-role 1 cascade
huawei_B(config)#vlan 100 smart
huawei_B(config)#port vlan 100 0/17 0

Assume that master NE huawei_A and slave NE huawei_B are subtended through the ETHB
board. To add upstream port 0/17/0 and subtending port 0/4/0 of huawei_A to VLAN 100, and
add upstream port 0/17/0 of huawei_B to VLAN 100, do as follows:
huawei_A(config)#vlan 100 smart
huawei_A(config)#port vlan 100 0/17 0
huawei_A(config)#port vlan 100 0/4 0
huawei_A(config)#interface eth 0/4
huawei_A(config-if-eth-0/4)#network-role cascade
huawei_A(config-if-eth-0/4)#quit
huawei_B(config)#vlan 100 smart
huawei_B(config)#port vlan 100 0/17 0

8.2 Configuring the Uplink Redundancy Backup


This topic describes how to configure the link aggregation group or uplink protection group to
improve the reliability of service transmission.

Background Information
Uplink redundancy backup includes two aspects:
l Link aggregation group: Multiple Ethernet ports are aggregated as an aggregation group to
increase the bandwidth and share the incoming/outgoing load of each member port. At the
same time, the ports in an aggregation group back up each other, which increases the link
security.
NOTE

l An aggregation group can implement inter-board aggregation between two GIU slots.
l An aggregation group can implement inter-board aggregation between two SPUA boards.
l When only one control board is configured, inter-board aggregation is supported between the SCUN
board and the GIU slot.

l Upstream port protection group: An upstream port protection group contains a working
port and a protection port. In the normal state, the working port carries services. When
the link of the working port fails, the system automatically switches the service on the
working port to the protection port to ensure normal service transmission and to protect the
uplink.

NOTE

A protection group works in either of the following modes:


1. Port status detection mode.
l Two ports of the protection group or the transmit ports on two boards are enabled. You can
determine whether to perform a switchover according to the port status.
l When the number of ports that are in the up state on the standby board is larger than the number
of ports that are in the up state on the active board, a switchover is triggered.
2. Time delay detection mode.
l Only one transmit port of the protection group is enabled, and the other is disabled.
l When the enabled transmit port is in the down state, disable the transmit port and enable the other
transmit port.
l If the second port is in the up state, a switchover is performed. Otherwise, the detection continues.

Procedure
l Configure redundancy backup for the uplink by configuring an aggregation group.
1. Create an Ethernet port aggregation group.
Run the link-aggregation command to add multiple upstream Ethernet ports to the
same aggregation group to implement protection and load balancing between ports.
When configuring port aggregation, note that the SCU board does not support inter-board
aggregation. When you run the link-aggregation command, if frameid/slotid
is entered twice, inter-board aggregation is configured; if frameid/slotid is entered
only once, intra-board aggregation is configured.
2. (Optional) Add members to the aggregation group.
Run the link-aggregation add-member command to add an Ethernet port to an
existing aggregation port to increase the bandwidth of the aggregation port and
improve the link reliability.
NOTE

This step is optional and is recommended if you need to further increase the bandwidth of an
aggregation group or improve the link reliability.

3. Query the information about the aggregation group.
Run the display link-aggregation command to query the types, number, and working
modes of aggregated Ethernet ports.

l Configure redundancy backup for the uplink by configuring an upstream port protection
group.
1. Create an upstream port protection group.
In the protect mode, run the protect-group command to create an upstream port
protection group. After the protection group is configured successfully, the system
switches the service over to the standby port to protect the uplink if the connection
between the active port and the upper-layer device is broken.
When running the protect-group command to create a protection group, if
frameid/slotid/portid is entered, a port-level protection group is created; if
frameid/slotid is entered, a board-level protection group is created.

NOTE

1. When working in the load balancing mode, the SCUN board supports the board-level protection
of the control board.
2. When supporting the board-level protection of the control board, the SCUB or SCUN board can
work in only the port status detection mode.

2. Query the information about the protection group.
Run the display protect-group command to query the information about the
protection group and all the members in the protection group.

----End

Example
Assume the following configurations: The MA5600T transmits services upstream through the
GIU board, upstream ports 0/17/0 and 0/17/1 on the same GIU board are configured as an
upstream port aggregation group, packets are distributed to the member ports of the aggregation
group according to the source MAC address, and the working mode is the LACP static
aggregation mode. To perform these configurations, do as follows:
huawei(config)#link-aggregation 0/17 0-1 ingress workmode lacp-static

Assume the following configurations: The MA5600T transmits services upstream through the
GIU board, upstream ports 0/17/0 and 0/18/0 on different GIU boards are configured as an
inter-board aggregation group, packets are distributed to the member ports of the aggregation
group according to the source MAC address and destination MAC address, and the working mode is
the LACP static aggregation mode. To perform these configurations, do as follows:
huawei(config)#link-aggregation 0/17 0 0/18 0 egress-ingress workmode lacp-static

Assume the following configurations: The MA5600T transmits services upstream through the
GIU board, upstream ports 0/17/0 and 0/17/1 on the same GIU board are configured as an
upstream port protection group, port 0/17/0 functions as the active port, port 0/17/1 functions as
the protection port, the working mode is the delay detection mode, and the protection
group function is enabled. To perform these configurations, do as follows:
huawei(config-protect)#protect-group first 0/17/0 second 0/17/1 eth workmode timedelay enable

When the MA5600T is configured with only one SCUN board, to configure the SCUN board
and the GIU slot as an inter-board aggregation group, distribute packets to each member port
according to the source MAC address, and configure the working mode to LACP static
aggregation, do as follows:
huawei(config)#link-aggregation 0/9 0-3 0/20 0-1 ingress workmode lacp-static

8.3 Configuring the Smart Link Redundancy Backup


The smart link is a solution that is applied in the network with dual uplinks and provides reliable
and efficient backup and quick switching for the dual uplinks. The solution provides high
reliability for carriers' network.

Background Information
Thus, the smart link solution is applied to the access network. With this solution, redundancy
backup for active and standby links and quick switching are implemented for a dual homing
network. This ensures high reliability and quick convergence. Meanwhile, as a supplementary
to the smart link solution, the monitor link solution is introduced to monitor uplinks. This
improves the backup function of the smart link solution.
The smart link and monitor link feature, which is applied to the scenario of a network with dual
uplinks (the network is connected to the upstream IP network through dual uplinks), is related
to the OLT and the upstream network device. The upstream network device such as the router
must support the smart link and monitor link feature.
NOTE

The smart link and monitor link feature is put forth by Huawei. Currently, only Huawei devices support this
technology.

Smart link-related concepts:


l Smart link protection group
A smart link group contains up to two ports, namely one master port and one slave port. In
normal conditions, only one port is in the active state, and the other port is blocked and in
the standby state. When the port in the active state fails, the smart link group automatically
blocks the port, and switches the previously standby port to the active state.

l Master port
The master port, which is also called the work port, is a port role in a smart link group.
When both ports are in the standby state, the master port takes priority to switch to the
active state.

l Slave port
The slave port, which is also called the protection port, is a port role in the smart link group.
When both ports are in the standby state, the master port takes priority to switch to the active
state, and the slave port remains in the standby state.

l Flush packet
After link switching occurs on the smart link group, the original forwarding entry is not
applicable to the network with new topology, and the upstream convergence device needs
to update the MAC and ARP entries. In this case, the smart link group notifies the other
devices in the network to update their address tables by sending a notification packet.
This notification packet is the flush packet.

Monitor link-related concepts:


l Monitor link group
A monitor link group is composed of one uplink and several downlinks.

l Uplink
When the uplink in a monitor link group fails, it indicates that the monitor link group fails.
In this case, the downlinks in the monitor link group will be blocked by force.

l Downlink
When a downlink in a monitor link group fails, it does not affect the uplink or the other
downlinks.

A smart link can work in either the active/standby mode or the load balancing mode. The
differences are as follows:
l In the active/standby mode, both ports are enabled. Only the master port is in the active
state and can forward data. The slave port is blocked and is in the standby state.
l In the load balancing mode, both ports are enabled. If both ports work in the normal state,
the data is forwarded through both ports, implementing load balancing.

Procedure
Step 1 Configure a smart link protection group.
1. Run the protect-group command to create a smart link protection group. The protection
group works in either the active/standby mode or the load balancing mode.
NOTE

l When configuring a smart link protection group, set the protected object to eth-nni-port. Working
modes of other types do not support the smart link feature.
l Keyword smart-link: Indicates the smart-link active and standby mode. In this mode, both members
in the PG are enabled, but only the active member forwards data.
l Keyword smart-link load-balance: Indicates the smart-link load balancing mode. In this mode, both
links are enabled to share load to improve the usage ratio of the line.

2. Run the protect-group member command to add members to a smart link protection
group.
When adding members to the protection group, add a working member, and then add a
protection member.

3. Run the protect-group enable command to enable the smart link protection group.
After a protection group is created, the protection group is in the disabled state by default.
You should enable the protection group to make the configuration take effect.

4. Query the information about the protection group.
Run the display protect-group command to query the information about the protection
group and all the members in the protection group.

Step 2 Configure the flush packet sending mode.


After service switching occurs on a protection group, the original forwarding entry is not
applicable to the new network, and the entire network needs to update the MAC and ARP entries.
In this case, the protection group sends flush packets to other devices to notify them of updating
the MAC and ARP entries.
1. Run the flush send command to configure the flush packet sending parameters of the
protection group, including the control VLAN and the password.
a. If the flush packet sending parameters are not configured, no flush packet is sent when
switching occurs on the protection group.
b. If the protection group is not in the control VLAN, no flush packet is sent.
c. The peer device must support receiving flush packets, and the flush packet receiving
function of the corresponding port must be enabled.

2. Run the display flush receive command to query the port that receives flush packets and
the flush packet receiving parameters.

Step 3 (Optional) Run the load-balance instance command to configure the load balancing parameters
of a protection group.
Load balancing parameters determine that the working member and protection member carry
different STP instances. Because VLANs are mapped to STP instances, the load balancing
parameters in practice determine through which port (working member or protection member)
the packets with different VLAN tags are transmitted.
NOTE

Configure the load balancing parameters only when the specified smart link protection group works in the load
balancing mode.

l This command is used to configure STP instances that are carried by the protection member.
The instances that are unconfigured are carried by the working member.
l The load balancing parameters of a protection group are based on STP instances preconfigured. You can run the instance vlan command to map VLANs to STP instances.
Step 4 (Optional) Configure a monitor link group.
The monitor link group and the smart link protect group are generally used together for
monitoring the uplink and completing the smart link redundancy.
NOTE

1. Generally, the monitor link group is configured on the upper-layer device (such as a router) that is
interconnected with the OLT, subtended to the smart link protection group.
2. You need to configure the monitor link on the MA5600T for monitoring the uplink of the subtended OLT
only when the MA5600T functions as an upper-layer device interconnecting with the OLT. Otherwise, the
configuration is meaningless.

1. Run the monitor-link group command to create a monitor link group, and enter the monitor
link group mode.
A monitor link group consists of one upstream port and multiple downstream ports. When
the upstream port is faulty, the downstream ports are disabled. Thus, the downstream
devices can detect the link fault and switch the services to a normal link.

2. Run the member port command to add members to a monitor link group.
l The uplink of a monitor link group can be a common Ethernet port, the master port of
a protection group, or the master port of an aggregation group.
l The downlink of a monitor link group can be only a common Ethernet port.

3. Run the display monitor-link group command to query the information about the monitor
link group.

----End

Example
Assume the following configurations: The MA5600T implements dual uplinks through the
GIU board, upstream ports 0/17/0 and 0/17/1 on the GIU board are added as members of smart
link protection group 2, port 0/17/0 functions as the working port, port 0/17/1 functions as the
protection port, the working mode is the load balancing mode, where,
l The STP instance 1 (mapping to VLAN 100-110) is carried by the working member.
l The STP instance 2 (mapping to VLAN 120-130) is carried by the protection member.
l The control VLAN of flush packets is VLAN 10, and the password is abc.

To perform these configurations and enable the protection group function, do as follows:
huawei(config)#stp region-configuration
huawei(stp-region-configuration)#instance 1 vlan 100 to 110
huawei(stp-region-configuration)#instance 2 vlan 120 to 130
huawei(stp-region-configuration)#active region-configuration
STP actives region configuration,it may take several minutes,are you sure to
active region configuration? [Y/N][N]y
huawei(stp-region-configuration)#quit
huawei(config)#protect-group 2 protect-target eth-nni-port workmode smart-link load-balance
huawei(config-protect-group-2)#protect-group member port 0/17/0 role work
huawei(config-protect-group-2)#protect-group member port 0/17/1 role protect
huawei(config-protect-group-2)#load-balance instance 2
huawei(config-protect-group-2)#flush send control-vlan 10 password simple abc
huawei(config-protect-group-2)#protect-group enable
huawei(config-protect-group-2)#quit

8.4 Configuring the MPLS Service Board Redundancy Backup

This topic describes how to configure 1+1 redundancy backup for the MPLS service board. In
this way, when the MPLS service board is faulty, the service is not affected.

Context
Only MPLS boards of the same type support redundancy backup.

Procedure
Step 1 Create a protection group.
Run the protect-group command to create a protection group that protects the service
processing board.
l Configure protect-target to service-process-board.
l The working mode of the MPLS service board protection group can be only boardstate.
Step 2 Add members to the protection group.
Run the protect-group member command to add members to a protection group.
l When adding members to the protection group, add a working member, and then add a
protection member.
l Adding a protection group member based on the port is not supported for the MPLS service
board, and only adding a protection group member based on the board is supported.
Step 3 Enable the protection group.
Run the protect-group enable command to enable the protection group. After a protection group
is created, the protection group is in the disabled state by default. You should enable the
protection group to make the configuration take effect.
Step 4 Query the information about the protection group.
Run the display protect-group command to query the information about the protection group
and all the members in the protection group.
----End

Example
To configure redundancy backup for MPLS boards in slots 0/4 and 0/5 of the MA5600T so that
when the service board in slot 0/4 fails, the system can automatically switch the services to the
service board in slot 0/5, do as follows:
huawei(config)#protect-group 1 protect-target service-process-board workmode boardstate
huawei(protect-group-1)#protect-group member board 0/4 role work
huawei(protect-group-1)#protect-group member board 0/5 role protect
huawei(protect-group-1)#protect-group enable

8.5 Configuring GPON Type B Protection


Type B protection configures 1+1 redundancy backup for different GPON ports on the
MA5600T. In this way, when a GPON port is faulty, automatic switching is performed and the
services are not affected.

Background Information
The GPON port supports redundancy backup on the same board and the redundancy on different
boards. The differences are as follows:
l Port redundancy backup on the same board does not require an extra GPON service board,
which saves hardware resources. If the GPON service board fails, however, the
services on the entire board are interrupted.
l Port redundancy backup on different boards requires an independent standby GPON
service board, which increases the hardware cost. If the active GPON service
board fails, however, the services can be automatically switched over to the GPON ports
on the standby board, and the service access is not affected.
NOTE

Only GPON boards of the same type support inter-board redundancy backup.

After Type B protection is configured, service configuration on the ONU is the same as that
before Type B protection is configured. That is, service configuration is applied to the active
GPON port only.
Figure 8-1 shows the Type B protection network topology.
Figure 8-1 Type B protection network topology

Procedure
Step 1 Create a GPON port protection group.
Run the protect-group command to add a protection group that protects the ports on the GPON
access side.
NOTE

1. Configure protect-target to gpon-uni-port.


2. The working mode of the GPON port protection group can be only timedelay.

Step 2 Add members to the protection group.


Run the protect-group member command to add members to a protection group.


NOTE

l When adding members to the protection group, add a working member, and then add a protection member.
l Adding a protection group member based on the board is not supported for the GPON port, and only adding
a protection group member based on the port is supported.
l The member ports can be ports on different GPON boards, but the GPON board types must be the same.

Step 3 Enable the protection group.


Run the protect-group enable command to enable the GPON protection group. After a
protection group is created, the protection group is in the disabled state by default. You should
enable the protection group to make the configuration take effect.
Step 4 Query the information about the protection group.
Run the display protect-group command to query the information about the protection group
and all the members in the protection group.
NOTE

The GPON protection group supports the binding to a PPPoE single-MAC address pool. When the
PPPoE single-MAC address function is enabled, run the bind mac-pool single-mac command to bind
a GPON protection group to a PPPoE single-MAC address. If the GPON protection group is not bound
to the PPPoE source MAC address, when the GPON protection group is switched over, the PPPoE
service carried on this port is interrupted. In this case, you must re-dial and determine the
service interruption time according to the BRAS configuration. This may fail to meet the
switchover performance requirement that the service interruption time must not exceed 50 ms.

----End

Example
To configure redundancy backup for ports 0/4/0 and 0/4/1 on the same GPON board of the
MA5600T so that when port 0/4/0 is faulty, the system can automatically switch the service to
port 0/4/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target gpon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/4/0 role work
huawei(protect-group-0)#protect-group member port 0/4/1 role protect
huawei(protect-group-0)#protect-group enable

To configure inter-board redundancy backup for ports 0/5/1 and 0/6/1 on different GPON boards
of the MA5600T so that when port 0/5/1 is faulty, the system can automatically switch the service
to port 0/6/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target gpon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/5/1 role work
huawei(protect-group-0)#protect-group member port 0/6/1 role protect
huawei(protect-group-0)#protect-group enable

8.6 Configuring EPON Type B Protection


This topic describes how to configure 1+1 redundancy backup for the EPON service board. After
1+1 redundancy backup is configured, services will not be affected when the EPON service
board is faulty.

Background Information
The EPON port supports redundancy backup on the same board and redundancy on different
boards. The differences are as follows:
l Port redundancy backup on the same board does not require an extra EPON service board,
which saves hardware resources. If the EPON service board fails, however, services carried
on the entire board will be interrupted.
l Port redundancy backup on different boards requires an independent standby EPON service
board, which increases the hardware cost. If the active EPON service board
fails, however, the services can be automatically switched over to the EPON ports on the
standby board, and the service access will not be affected.
NOTE

Only the same type of EPON boards support inter-board redundancy backup.

Procedure
Step 1 Create an EPON port protect group.
Run the protect-group command to create a protect group that protects the ports on the EPON
access side.
NOTE

1. Configure protect-target to epon-uni-port.


2. The working mode of the EPON port protect group can be only timedelay.

Step 2 Add members to the protect group.


Run the protect-group member command to add members to a protect group.
NOTE

l When adding members to the protect group, add a working member, and then add a protection member.
l Adding a protect group member based on the board is not supported for the EPON port, and only adding a
protect group member based on the port is supported.
l The member ports can be ports on different EPON boards, but the EPON board types must be the same.

Step 3 Enable the protect group.


Run the protect-group enable command to enable the EPON protect group. After a protect
group is created, the protect group is in the disabled state by default. You need to enable the
protect group to make the protect group take effect.
Step 4 Query the information about the protect group.
Run the display protect-group command to query the information about the protect group and
all the members in the protect group.
NOTE

The EPON protect group supports the binding to a PPPoE single-MAC address pool. When the PPPoE
single-MAC address function is enabled, run the bind mac-pool single-mac command to bind an
EPON protect group to a PPPoE single-MAC address. If the EPON protect group is not bound to the
PPPoE source MAC address, when the EPON protect group is switched over, the PPPoE service
carried on this port is interrupted. In this case, you must re-dial and determine the service
interruption time according to the BRAS configuration. This may fail to meet the switchover
performance requirement that the service interruption time must not exceed 50 ms.

----End

Example
To configure redundancy backup for ports 0/4/0 and 0/4/1 on the same EPON board of the
MA5600T so that when port 0/4/0 is faulty, the system can automatically switch the service to
port 0/4/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target epon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/4/0 role work
huawei(protect-group-0)#protect-group member port 0/4/1 role protect
huawei(protect-group-0)#protect-group enable

To configure inter-board redundancy backup for ports 0/5/1 and 0/6/1 on different EPON boards
of the MA5600T so that when port 0/5/1 is faulty, the system can automatically switch the service
to port 0/6/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target epon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/5/1 role work
huawei(protect-group-0)#protect-group member port 0/6/1 role protect
huawei(protect-group-0)#protect-group enable
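
The rules given in sections 8.3 to 8.6 (allowed protect-target and workmode pairs, member kind and order, the disabled-by-default state, flush sending, and the scope of load-balance instance) can be checked against a saved CLI transcript. The following Python script is an added example, not part of the Huawei guide; the finding names and the sample transcript are constructed, and reading the keyword simple as a plain-text password is an assumption.

```python
import re

# Rules from sections 8.4 to 8.6: protect-target -> (only workmode, only member kind)
TARGET_RULES = {
    "service-process-board": ("boardstate", "board"),
    "gpon-uni-port": ("timedelay", "port"),
    "epon-uni-port": ("timedelay", "port"),
}
SMART_MODES = ("smart-link", "smart-link load-balance")
PROMPT = re.compile(r"^[\w.-]+\([^)]*\)#+\s*(.*)$")
CREATE = re.compile(r"^protect-group (\d+) protect-target (\S+) workmode (.+)$")
MEMBER = re.compile(r"^protect-group member (port|board) (\S+) role (work|protect)$")

# Constructed transcript: group 2 repeats the section 8.3 example (wrapped
# line included); groups 3 and 4 are deliberately misconfigured.
SAMPLE = """\
huawei(config)#protect-group 2 protect-target eth-nni-port workmode smart-link
load-balance
huawei(config-protect-group-2)#protect-group member port 0/17/0 role work
huawei(config-protect-group-2)#protect-group member port 0/17/1 role protect
huawei(config-protect-group-2)#load-balance instance 2
huawei(config-protect-group-2)#flush send control-vlan 10 password simple abc
huawei(config-protect-group-2)#protect-group enable
huawei(config)#protect-group 3 protect-target gpon-uni-port workmode boardstate
huawei(protect-group-3)#protect-group member board 0/4 role protect
huawei(protect-group-3)#protect-group member port 0/4/0 role work
huawei(config)#protect-group 4 protect-target eth-nni-port workmode smart-link
huawei(config-protect-group-4)#protect-group member port 0/18/0 role work
huawei(config-protect-group-4)#protect-group member port 0/18/1 role protect
huawei(config-protect-group-4)#load-balance instance 2
huawei(config-protect-group-4)#protect-group enable
"""

def commands(transcript):
    """Return the commands of a CLI transcript, re-joining wrapped lines."""
    out = []
    for raw in transcript.splitlines():
        line = raw.strip()
        m = PROMPT.match(line)
        if m:
            out.append(m.group(1).strip())
        elif line and out:
            out[-1] += " " + line  # a line without a prompt continues the command
    return out

def parse_groups(transcript):
    """Collect the state of every protect group created in the transcript."""
    groups, cur = {}, None
    for cmd in commands(transcript):
        m = CREATE.match(cmd)
        if m:
            cur = {"target": m.group(2).lower(), "mode": " ".join(m.group(3).split()),
                   "members": [], "enabled": False, "flush": None, "lb": False}
            groups[int(m.group(1))] = cur
            continue
        if cur is None:
            continue
        m = MEMBER.match(cmd)
        if m:
            cur["members"].append(m.groups())  # (kind, location, role)
        elif cmd.startswith("protect-group enable"):
            cur["enabled"] = True
        elif cmd.startswith("flush send"):
            cur["flush"] = cmd
        elif cmd.startswith("load-balance instance"):
            cur["lb"] = True
        elif cmd == "quit":
            cur = None
    return groups

def audit(transcript):
    """Return sorted (group id, finding) pairs; an empty list means no findings."""
    findings = []
    for gid, g in parse_groups(transcript).items():
        smart = g["mode"] in SMART_MODES
        if smart and g["target"] != "eth-nni-port":
            findings.append((gid, "smart-link-wrong-target"))
        if g["target"] in TARGET_RULES:
            mode, kind = TARGET_RULES[g["target"]]
            if g["mode"] != mode:
                findings.append((gid, "workmode-not-allowed"))
            if any(k != kind for k, _, _ in g["members"]):
                findings.append((gid, "member-kind-not-allowed"))
        if [role for _, _, role in g["members"]] != ["work", "protect"]:
            findings.append((gid, "members-not-work-then-protect"))
        if not g["enabled"]:
            findings.append((gid, "group-left-disabled"))
        if smart and g["flush"] is None:
            findings.append((gid, "no-flush-on-switchover"))
        if g["flush"] and "password simple " in g["flush"]:
            # Assumption: "simple" means the flush password is kept in plain text,
            # so it is readable in transcripts and configuration listings.
            findings.append((gid, "flush-password-simple"))
        if g["lb"] and g["mode"] != "smart-link load-balance":
            findings.append((gid, "load-balance-outside-lb-mode"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Transcripts or configuration listings that contain the flush send line carry the shared flush password, so they should be stored with the same access restrictions as the device configuration.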

8.7 Configuring the Switchover of the Protect Group


This topic describes how to configure the ARP detection between the MA5600T and the BRAS.
When the active uplink in the dual uplinks of the MA5600T is faulty, the service data can be
automatically switched to the protection uplink, thus implementing the switchover between
protect group of upstream ports on the MA5600T to ensure the normal running of the service.

Background Information
Figure 8-2 shows an example network of the dual uplink protect group between the
MA5600T and the BRAS.
Figure 8-2 Example network of the dual uplink protect group between the MA5600T and the
BRAS

The MA5600T accesses BRAS1 and BRAS2 through the protect group of upstream ports. The
current uplinks are Link1 and Link2, and Link3 functions as the protection link. The protection
switchover module of the MA5600T processes the link status and port status detected through
ARP, both of which jointly determine whether to trigger the SF signal of the port. If Link1 is
broken and Link2 is normal, although the upstream port of the MA5600T is in the UP state, the
MA5600T can actively trigger a switchover of the upstream port according to the ARP detection
result to ensure the normal running of the service.

NOTE

l The protect group created in the GIU slot or on the ETH board supports ARP detection. Currently,
other types of protect groups do not support ARP detection.
l According to the ARP detection feature, no network device that can terminate ARP detection packets
should exist between the source end and destination end of ARP detection, that is, the LAN switch in
the network cannot terminate the ARP detection packet sent from the MA5600T or the BRAS.

Procedure
Step 1 Create an ARP detection task.
1. Run the arp-detect command to create an ARP detection task in the VLAN from the
upstream port to the peer IP address.
NOTE

The upstream port of the ARP detection task must be added to the VLAN.

2. Configure the interval for transmitting ARP detection packets.
Run the min-tx-interval command to configure the interval for transmitting ARP detection
packets.
After ARP detection is enabled, the CPU usage increases because the CPUs of the
MA5600T and the BRAS need to process ARP packets, and the CPU usage increases as
the frequency for transmitting ARP packets increases. Therefore, you need to configure the
interval for transmitting ARP detection packets according to actual conditions. By default,
the interval for transmitting ARP detection packets is 1000 ms.

3. Configure the ARP detection timeout multiplier.
Run the detect-multiplier command to configure the ARP detection timeout multiplier.
ARP detection timeout time = Transmit interval x Detection multiplier. The minimum value
is 3s, which is the time for the ARP detection to trigger a switchover. The detailed value
varies according to the CPU load of the MA5600T and the CPU load of the peer device. It
should be configured properly according to the application environment. By default, the
ARP detection timeout multiplier is 3.

4. Enable ARP detection.
Run the detect command to enable ARP detection.

Step 2 Configure an upstream port protect group.


1.

Create a protect group and configure its members.


a.

Run the protect-group command to create a protect group of Ethernet upstream ports,
and configure its working mode.

b.

Run the protect-group member command to add the working port and protection
port to the protect group.

Step 3 Enable the protect group.


Run the protect-group enable command to enable the protect group. After a protect group is
created, the protect group is in the disabled state by default. You should enable the protect group
to make the configuration take effect.
----End

Example
Assume the following configurations: The MA5600T accesses BRAS1 and BRAS2 through
dual uplinks, upstream ports 0/17/0 and 0/17/1 on the GIU board are configured as a protect
group that allows ARP detection, port 0/17/0 functions as the working port, port 0/17/1 functions
as the protect port, the IP address of BRAS1 for ARP detection is 10.10.10.10, the VLAN for
ARP detection is VLAN 10, the expected interval for transmitting ARP detection packets is 60
ms, and the ARP detection timeout multiplier is 5. To perform these configurations so that the
system automatically switches to BRAS2 when the ARP detection times out to ensure the normal
running of the service, do as follows:
huawei(config)#arp-detect dett bind peer-ip 10.10.10.10 vlan 10 port 0/17/0
huawei(config-arp-detect-dett)#min-tx-interval 60
huawei(config-arp-detect-dett)#detect-multiplier 5
huawei(config-arp-detect-dett)#detect enable
huawei(config-arp-detect-dett)#quit
huawei(config)#protect-group 2 protect-target eth-nni-port workmode timedelay
huawei(protect-group-2)#protect-group member port 0/17/0 role work
huawei(protect-group-2)#protect-group member port 0/17/1 role protect
huawei(protect-group-2)#protect-group enable

8.8 Configuring the MSTP


The MA5600T supports the application of the Multiple Spanning Tree Protocol (MSTP),
Spanning Tree Protocol (STP), and Rapid Spanning Tree Protocol (RSTP). The MA5600T
supports the MSTP ring network, which can meet various networking requirements.

Background Information
- MSTP applies to a redundant network. It makes up for the drawback of STP and RSTP.
  MSTP makes the network converge fast and distributes the traffic of different VLANs
  along their respective paths, which provides a better load-sharing mechanism.
- MSTP trims a loop network into a loop-free tree network. It prevents the proliferation and
  infinite cycling of the packets in the loop network. In addition, MSTP supports load sharing
  by VLAN during data transmission.

Procedure
Step 1 Enabling the MSTP function.
- By default, the MSTP function is disabled.
- After the MSTP function is enabled, the device determines whether it works in STP
  compatible mode or MSTP mode based on the configured protocol.
- After the MSTP function is enabled, MSTP dynamically maintains the spanning tree of the
  VLAN based on the received BPDU packets. After the MSTP function is disabled, the
  MA5600T becomes a transparent bridge and does not maintain the spanning tree.

1. Run the stp enable command to enable the MSTP function of the bridge.
2. Run the stp port enable command to enable the MSTP function of the port.
3. Run the display stp command or the display stp port command to query the MSTP state
   of the bridge or the port.

Step 2 Configuring the MST region name.


1. Run the stp region-configuration command to enter MST region mode.
2. Run the region-name command to configure the name of the MST region.
   By default, the MST region name is the bridge MAC address of the device.

Step 3 Configuring the MSTP instance.


MSTP uses a VLAN mapping table (the mapping between VLANs and spanning trees) to map
each VLAN to a spanning tree.

1. Run the stp region-configuration command to switch over to MST region mode.
2. Run the instance vlan command to map the specified VLAN to the specified MSTP
   instance.
   - By default, all VLANs are mapped to CIST, that is, instance 0.
   - One VLAN can be mapped to only one instance. If you re-map a VLAN to another
     instance, the original mapping is disabled.
   - A maximum of 10 VLAN sections can be configured for an MSTP instance.
   NOTE
   A VLAN section refers to the consecutive VLAN IDs from the start VLAN ID to the end VLAN ID.
3. Run the check region-configuration command to query the parameters of the current MST
   region.

Step 4 Activating the configuration of the MST region.


1. Run the stp region-configuration command to switch over to MST region mode.
2. Run the active region-configuration command to activate the configuration of the MST
   region.
3. Run the display stp region-configuration command to query the effective configuration
   of the MST region.

Step 5 Setting the priority of the device in the specified spanning tree instance.
1. Run the stp priority command to set the priority of the device in the specified spanning
   tree instance.
2. Run the display stp command to query the MSTP configuration of the device.

Step 6 Other optional configurations.


- Setting the MST region parameters.
  - Run the stp md5-key command to set the MD5-Key for the MD5 encryption algorithm
    configured on the MST region.
  - In the MSTP region mode, run the vlan-mapping module command to map all VLANs
    to the MSTP instances by modular arithmetic.
  - In the MSTP region mode, run the revision-level command to set the MSTP revision
    level of the device.
  - Run the reset stp region-configuration command to restore the default settings to all
    parameters of the MST region.
- Specifying the device as a root bridge or a backup root bridge.
  - Run the stp root command to specify the device as a root bridge or a backup root bridge.
- Setting the time parameters of the specified network bridge.
  - Run the stp timer forward-delay command to set the Forward Delay of the specified
    network bridge.
  - Run the stp timer hello command to set the Hello Time of the specified network bridge.
  - Run the stp timer max-age command to set the Max Age of the specified network bridge.
  - Run the stp time-factor command to set the timeout time factor of the specified network
    bridge.
- Setting the parameters of the specified port.
  - Run the stp port transmit-limit command to set the number of packets transmitted by
    the port within the Hello Time.
  - Run the stp port edged-port enable command to set the port as an edge port.
  - Run the stp port cost command to set the path cost of a specified port.
  - Run the stp port port-priority command to set the priority of the specified port.
  - Run the stp port point-to-point command to set whether the link that is connected to the
    port is a point-to-point link.
- Configuring the device protection function.
  - Run the stp bpdu-protection enable command to enable the BPDU protection function
    of the device.
  - Run the stp port loop-protection enable command to enable the loop protection function
    of the port.
  - Run the stp port root-protection enable command to enable the root protection function
    of the port.
- Setting the maximum number of hops of the MST region.
  - Run the stp max-hops command to set the maximum number of hops of the MST region.
- Setting the diameter of the switching fabric.
  - Run the stp bridge-diameter command to set the diameter of the switching fabric.
- Setting the calculation standard for the path cost.
  - Run the stp pathcost-standard command to set the calculation standard for the path cost.
- Clearing the MSTP protocol statistics.
  - Run the reset stp statistics command to clear the MSTP protocol statistics.
----End

Example
Configure the MSTP parameters as follows:
- Enable the MSTP function.
- Enable the MSTP function on port 0/17/0.
- Set the MSTP running mode to MSTP compatible mode.
- Configure MST region parameters:
  - Configure the MD5-Key for the MD5 encryption algorithm to 0x11ed224466.
  - Configure the MST region name to huawei-mstp-bridge.
  - Map VLAN2-VLAN10 and VLAN12-VLAN16 to MSTP instance 3.
  - Map all the VLANs to the specified MSTP instances.
  - Configure the MSTP revision level of the device to 100.
- Configure the maximum hops for the MST region to 10.
- Activate the configuration of the MST region manually.
- Configure the priority of the device in spanning tree instance 2 to 4096.
- Configure the current device as the root bridge of MSTP instance 2.
- Configure the diameter of the switching network to 6.
- Configure the calculation standard for the path cost to IEEE 802.1t.
- Configure the time parameters of a specified bridge:
  - Configure the forward delay to 2000 centiseconds.
  - Configure the hello time to 1000 centiseconds.
  - Configure the max age to 3000 centiseconds.
  - Configure the timeout time factor to 6.
- Configure the parameters of a specified port:
  - Configure the maximum number of packets transmitted in a hello time period to 16.
  - Configure port 0/17/0 to be an edge port.
  - Configure the path cost of the port in a specified spanning tree instance to 1024.
  - Configure the priority of the port to 64.
  - The link connected to port 0/17/0 is a point-to-point link.
- Enable the BPDU protection function on the device.


huawei(config)#stp enable
Change global stp state may active region configuration,it may take several
minutes,are you sure to change global stp state? [Y/N][N]y
huawei(config)#stp port 0/17/0 enable
huawei(config)#stp mode mstp
huawei(config)#stp md5-key 11ed224466
huawei(config)#stp region-configuration
huawei(stp-region-configuration)#region-name huawei-mstp-bridge
huawei(stp-region-configuration)#instance 3 vlan 2 to 10 12 to 16
huawei(stp-region-configuration)#vlan-mapping module 16
huawei(stp-region-configuration)#revision-level 100
huawei(stp-region-configuration)#active region-configuration
huawei(stp-region-configuration)#quit
huawei(config)#stp instance 2 priority 4096
huawei(config)#stp instance 2 root primary
huawei(config)#stp max-hops 10
huawei(config)#stp bridge-diameter 6
huawei(config)#stp pathcost-standard dot1t
huawei(config)#stp timer forward-delay 2000
huawei(config)#stp timer hello 1000
huawei(config)#stp timer max-age 3000
huawei(config)#stp time-factor 6
huawei(config)#stp port 0/17/0 transmit-limit 16
huawei(config)#stp port 0/17/0 edged-port enable
huawei(config)#stp port 0/17/0 instance 0 cost 1024
huawei(config)#stp port 0/17/0 instance 0 port-priority 64
huawei(config)#stp port 0/17/0 point-to-point force-true
huawei(config)#stp bpdu-protection enable
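
The VLAN mapping rules in Step 3 (one instance per VLAN, a re-map replaces the earlier mapping, at most 10 VLAN sections per instance) can be checked offline before a region configuration is activated. The script below is an added example, not part of the guide or of Huawei's software; it handles only instance vlan lines, its second input line is constructed, and counting sections after a re-map has split a range is an assumption about how the device counts them.

```python
import re

MAX_SECTIONS = 10  # guide: at most 10 VLAN sections per MSTP instance

# Constructed input: the guide's "instance 3" line, then a later re-map of VLANs 8-9.
SAMPLE = [
    "huawei(stp-region-configuration)#instance 3 vlan 2 to 10 12 to 16",
    "huawei(stp-region-configuration)#instance 5 vlan 8 to 9",
]


def parse_sections(text):
    """Parse '2 to 10 12 to 16' into [(2, 10), (12, 16)]; a bare ID is a one-VLAN section."""
    tokens, sections, i = text.split(), [], 0
    while i < len(tokens):
        start = end = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            i += 3
        else:
            i += 1
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"bad VLAN section {start}-{end}")
        sections.append((start, end))
    return sections


def apply_commands(lines):
    """Apply 'instance N vlan ...' lines in order.

    Returns (mapping, remapped). mapping holds {vlan: instance} for every VLAN
    moved out of instance 0 (CIST, the default). remapped lists
    (vlan, old_instance, new_instance) for each mapping that was replaced.
    """
    mapping, remapped = {}, []
    for line in lines:
        cmd = line.split("#", 1)[-1].strip()  # drop the CLI prompt if present
        m = re.fullmatch(r"instance (\d+) vlan ([\d to]+)", cmd)
        if not m:
            continue
        inst = int(m.group(1))
        for start, end in parse_sections(m.group(2)):
            for vlan in range(start, end + 1):
                old = mapping.get(vlan, 0)
                if old not in (0, inst):
                    remapped.append((vlan, old, inst))
                if inst == 0:
                    mapping.pop(vlan, None)  # back to the default instance
                else:
                    mapping[vlan] = inst
    return mapping, remapped


def sections_of(mapping, inst):
    """Collapse the VLANs of one instance into consecutive (start, end) sections."""
    out = []
    for vlan in sorted(v for v, i in mapping.items() if i == inst):
        if out and vlan == out[-1][1] + 1:
            out[-1] = (out[-1][0], vlan)
        else:
            out.append((vlan, vlan))
    return out


def over_limit(mapping):
    """Instances whose VLANs need more than MAX_SECTIONS sections."""
    return sorted(i for i in set(mapping.values())
                  if len(sections_of(mapping, i)) > MAX_SECTIONS)


if __name__ == "__main__":
    mapping, remapped = apply_commands(SAMPLE)
    for inst in sorted(set(mapping.values())):
        print(f"instance {inst}: {sections_of(mapping, inst)}")
    print("replaced mappings:", remapped)
    print("instances over the section limit:", over_limit(mapping))
```

Re-mapping VLANs 8 and 9 splits the first section of instance 3 in two, so a re-map can raise the section count of an instance that was never edited directly.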

8.9 Configuring RRPP


Rapid Ring Protection Protocol (RRPP) is a data link layer protocol specially applied to the
Ethernet ring. When the Ethernet ring is complete, RRPP can prevent broadcast storms caused
by a data loop. When a link on the Ethernet ring is disconnected, RRPP can quickly recover the
communication channels between nodes on the Ethernet ring, thus increasing the network
reliability.

Context
Most MANs and enterprise networks adopt the ring network structure to increase the reliability.
Any faulty node on the ring does not affect the service. RRPP is a dedicated data link layer
protocol applied to the Ethernet ring. Compared with other Ethernet ring technologies, RRPP
has the following advantages:
- The topology convergence is quick.
- The convergence time is independent of the number of nodes in the ring network. RRPP is
  applicable to the network that has a relatively large network diameter.
- A complete Ethernet ring can prevent broadcast storms caused by a data loop.
- When a link in the Ethernet ring network is disconnected, RRPP can quickly recover the
  communication between nodes in the ring network by using the backup link.

Currently, the MA5600T supports only the single-ring network application of RRPP. The
MA5600T can function as a primary node or a transmission node.

Procedure
- Configure the primary node.

  1. Run the rrpp mode command to configure the RRPP protocol mode.
     - You can select the RRPP standard mode or EAPS compatible mode. The RRPP
       standard mode is used by default.
     - When the RRPP function is enabled or an RRPP domain exists on the device, the
       RRPP protocol mode cannot be changed.
  2. Run the rrpp domain command to configure the RRPP domain.
     Currently, the MA5600T supports only one RRPP domain.
  3. Run the control-vlan command to configure the control VLAN of the RRPP domain.
     - The specified VLAN must be created through the vlan command and must be a
       standard VLAN.
     - During the configuration, you need to specify only the major control VLAN ID.
       The sub-control VLAN ID is specified by the system. Sub-control VLAN ID =
       Major control VLAN ID + 1.
     - The major control VLAN or sub-control VLAN cannot be a system reserved
       VLAN or a VLAN that is in use.
  4. Run the ring command to configure the RRPP ring.
     - Currently, the MA5600T supports only one RRPP ring and the ring must be the
       primary ring.
     - The network role of a port joining the RRPP ring must be an upstream port. It
       cannot be a subtending port.
     NOTE
     On the same port, the RRPP function and the STP function cannot be enabled at the same time.
     Because the system enables the STP port-level switch by default, before creating an RRPP port, you
     must disable the STP function of the primary and secondary ports.
  5. (Optional) Run the timer hello-timer command to configure the hello timer and fail
     timer of the RRPP domain.
     - By default, the hello timer is 1s and the fail timer is 3s.
     - The value of the fail timer must be equal to or larger than three times the value of
       the hello timer.
  6. Run the ring enable command to enable the RRPP ring.
  7. Run the rrpp enable command to enable the RRPP protocol.
  8. Run the display rrpp brief domain command to query the brief information about
     the RRPP domain.
  9. Run the display rrpp verbose domain command to query details of the RRPP ring.

- Configure the transmission node.

  1. Run the rrpp mode command to configure the RRPP protocol mode. The
     configuration must be the same as that on the primary node.
     - You can select the RRPP standard mode or EAPS compatible mode. The RRPP
       standard mode is used by default.
     - When the RRPP function is enabled or an RRPP domain exists on the device, the
       RRPP protocol mode cannot be changed.
  2. Run the rrpp domain command to configure the RRPP domain. The domain ID must
     be the same as that on the primary node.
     Currently, the MA5600T supports only one RRPP domain.
  3. Run the control-vlan command to configure the control VLAN of the RRPP domain.
     The configuration must be the same as that on the primary node.
     - The specified VLAN must be created through the vlan command and must be a
       standard VLAN.
     - During the configuration, you need to specify only the major control VLAN ID.
       The sub-control VLAN ID is specified by the system. Sub-control VLAN ID =
       Major control VLAN ID + 1.
     - The major control VLAN or sub-control VLAN cannot be a system reserved
       VLAN or a VLAN that is in use.
  4. Run the ring command to configure the RRPP ring. The ring ID must be the same as
     that on the primary node.
     - Currently, the MA5600T supports only one RRPP ring and the ring must be the
       primary ring.
     - The network role of a port joining the RRPP ring must be an upstream port. It
       cannot be a subtending port.
     NOTE
     On the same port, the RRPP function and the STP function cannot be enabled at the same time.
     Because the system enables the STP port-level switch by default, before creating an RRPP port, you
     must disable the STP function of the primary and secondary ports.
  5. (Optional) Run the timer hello-timer command to configure the hello timer and fail
     timer of the RRPP domain.
     - By default, the hello timer is 1s and the fail timer is 3s.
     - The transmission node uses the fail timer as the timeout timer.
  6. Run the ring enable command to enable the RRPP ring.
  7. Run the rrpp enable command to enable the RRPP protocol.

----End
----End

Example
To configure the MA5600T as the primary node of an RRPP ring with the following settings,
do as follows:
- RRPP mode: standard
- Major control VLAN ID: 14; sub-control VLAN ID: 15
- RRPP primary port: 0/17/0; RRPP secondary port: 0/17/1
- RRPP domain ID: 1
- RRPP ring ID: 64
- Other parameters adopt the default settings.

huawei(config)#vlan 14 standard
huawei(config)#vlan 15 standard
huawei(config)#port vlan 14-15 0/17 0-1
huawei(config)#stp port 0/17/0 disable
huawei(config)#stp port 0/17/1 disable
huawei(config)#rrpp mode rrpp
huawei(config)#rrpp domain 1
huawei(rrpp-domain-region-1)#control-vlan 14
huawei(rrpp-domain-region-1)#ring 64 node-mode master primary-port 0/17/0 secondary-port 0/17/1 level 0
huawei(rrpp-domain-region-1)#ring 64 enable
huawei(rrpp-domain-region-1)#quit
huawei(config)#rrpp enable
huawei(config)#display rrpp brief domain 1
---------------------------------------------------------------------------
Rrpp Protocol Status : Enable
Rrpp protocol mode   : RRPP
Number of RRPP Domains: 1
---------------------------------------------------------------------------
Domain Index         : 1
Major Control VLAN   : 14
Hello Timer          : 1 sec (default is 1 sec)
Fail Timer           : 3 sec (default is 3 sec)
Number of RRPP Rings : 1
---------------------------------------------------------------------------
Ring  Ring   Node  Primary/Common  Secondary/Edge  Is
ID    Level  Mode  Port            Port            Enabled
---------------------------------------------------------------------------
64    0      M     GE 0/17/0       GE 0/17/1       Yes
---------------------------------------------------------------------------
Note: M - Master, T - Transit , E - Edge , A - Assistant-Edge
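
The constraints listed in the RRPP procedure (standard control VLAN, STP disabled on both ring ports before the ring is created, fail timer at least three times the hello timer, one domain and one primary ring) can be checked against a planned command list before it is pasted into the device. The checker below is an added example, not part of the guide or of Huawei's software; both inputs are constructed, and the full timer syntax (timer hello-timer H fail-timer F) and the reading of level 0 as the primary ring are assumptions.

```python
import re

# Constructed input: the primary-node commands from the guide's example, prompts removed.
GOOD = """\
vlan 14 standard
vlan 15 standard
port vlan 14-15 0/17 0-1
stp port 0/17/0 disable
stp port 0/17/1 disable
rrpp mode rrpp
rrpp domain 1
control-vlan 14
ring 64 node-mode master primary-port 0/17/0 secondary-port 0/17/1 level 0
ring 64 enable
quit
rrpp enable
"""

# Constructed faulty variant: wrong VLAN type, STP left on for 0/17/1,
# and a fail timer shorter than three times the hello timer.
BAD = (GOOD.replace("vlan 14 standard", "vlan 14 smart")
           .replace("stp port 0/17/1 disable\n", "")
           .replace("control-vlan 14\n",
                    "control-vlan 14\ntimer hello-timer 2 fail-timer 4\n"))

RING = re.compile(r"ring (\d+) node-mode (\w+) primary-port (\S+) "
                  r"secondary-port (\S+) level (\d+)")
# Assumed full syntax of the timer command; the guide names only "timer hello-timer".
TIMER = re.compile(r"timer hello-timer (\d+) fail-timer (\d+)")


def check_rrpp(config):
    """Return a list of findings for one node's RRPP command list (empty = clean)."""
    findings = []
    vlan_type, stp_off = {}, set()
    domains, rings, enabled_rings = set(), {}, set()
    control, hello, fail = None, 1, 3  # guide defaults: hello 1 s, fail 3 s
    rrpp_on = False
    for raw in config.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop the CLI prompt if present
        if m := re.fullmatch(r"vlan (\d+) (\w+)", line):
            vlan_type[int(m[1])] = m[2]
        elif m := re.fullmatch(r"stp port (\S+) (enable|disable)", line):
            (stp_off.add if m[2] == "disable" else stp_off.discard)(m[1])
        elif m := re.fullmatch(r"rrpp domain (\d+)", line):
            domains.add(int(m[1]))
        elif m := re.fullmatch(r"control-vlan (\d+)", line):
            control = int(m[1])
        elif m := TIMER.fullmatch(line):
            hello, fail = int(m[1]), int(m[2])
        elif m := RING.fullmatch(line):
            rings[int(m[1])] = int(m[5])
            # STP must already be off on both ports when the ring is created.
            for port in (m[3], m[4]):
                if port not in stp_off:
                    findings.append(f"stp-on:{port}")
        elif m := re.fullmatch(r"ring (\d+) enable", line):
            enabled_rings.add(int(m[1]))
        elif line == "rrpp enable":
            rrpp_on = True

    if len(domains) > 1:
        findings.append("more-than-one-domain")
    if len(rings) > 1:
        findings.append("more-than-one-ring")
    findings += [f"ring-not-primary:{r}" for r, lvl in sorted(rings.items()) if lvl != 0]
    if control is None:
        findings.append("no-control-vlan")
    elif vlan_type.get(control) != "standard":
        findings.append(f"control-vlan-not-standard:{control}")
    if fail < 3 * hello:
        findings.append(f"fail-timer-short:{fail}<3x{hello}")
    findings += [f"ring-not-enabled:{r}" for r in sorted(rings) if r not in enabled_rings]
    if not rrpp_on:
        findings.append("rrpp-not-enabled")
    return findings


if __name__ == "__main__":
    print("guide example:", check_rrpp(GOOD) or "clean")
    print("faulty variant:", check_rrpp(BAD))
```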

8.10 Configuring the BFD


This topic describes how to configure the BFD on the MA5600T.

Context
Bidirectional Forwarding Detection (BFD) protocol is a draft standardized by the Internet
Engineering Task Force (IETF). BFD detects the traffic forwarding capability of the link or
system by quickly sending BFD control packets (the UDP packets in a specified format) at
intervals between two nodes.

8.10.1 Configuration Example of the BFD Link Detection (Static Route)

The MA5600T supports detecting the fault of a static route by using the BFD. This topic
describes how to configure the BFD link detection based on an example network.

Prerequisites
The BFD function must be enabled globally on the MA5600T.

Networking
Figure 8-3 shows an example network of the BFD link detection.
Different static routes exist between the MA5600T and Router_3 through Router_1 and
Router_2, and the BFD session is bound to the static route. When one link is faulty, the BFD
session notifies the bound route for route switching.
Figure 8-3 Example network of the BFD link detection

[Figure: the MA5600T (10.10.10.1 and 20.20.20.1) connects to Router_1 (10.10.10.2) and Router_2 (20.20.20.2), which both connect to Router_3 (30.30.30.1).]

Data Plan
Table 8-1 provides the data plan for configuring the BFD link detection.
Table 8-1 Data plan for configuring the BFD link detection
Item | Data | Remarks
MA5600T | Upstream ports: 0/17/0 and 0/17/1 | -
VLANs | VLAN ID: 30; VLAN type: Smart VLAN; IP address of the L3 interface: 10.10.10.1/24 | -
VLANs | VLAN ID: 40; VLAN type: Smart VLAN; IP address of the L3 interface: 20.20.20.1/24 | -
BFD session | Session name: ToRouter_1; Minimum transmit interval: 10 ms; Minimum receive interval: 10 ms; Detection multiplier: 3; Identifier: auto-negotiation | -
BFD session | Session name: ToRouter_2; Minimum transmit interval: 10 ms; Minimum receive interval: 10 ms; Detection multiplier: 3; Identifier: auto-negotiation | -
Requirements for the upper-layer device | Router_1: IP address of the L3 interface: see the example network; VLAN ID: 30; BFD session parameters: consistent with the parameters of the MA5600T | For details about the configuration of the routers, see the corresponding configuration guide.
Requirements for the upper-layer device | Router_2: IP address of the L3 interface: see the example network; VLAN ID: 40; BFD session parameters: consistent with the parameters of the MA5600T | For details about the configuration of the routers, see the corresponding configuration guide.

Procedure
Step 1 Create VLANs and add upstream ports to the VLANs.
huawei(config)#vlan 30 smart
huawei(config)#port vlan 30 0/17 0
huawei(config)#vlan 40 smart
huawei(config)#port vlan 40 0/17 1

Step 2 Configure the IP address of the L3 interface of the VLAN.


huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.10.10.1 24
huawei(config-if-vlanif30)#quit
huawei(config)#interface vlanif 40
huawei(config-if-vlanif40)#ip address 20.20.20.1 24
huawei(config-if-vlanif40)#quit

Step 3 Configure the BFD sessions.


You can configure BFD sessions only after the BFD function is enabled.
huawei(config)#bfd
huawei(config-bfd)#quit
huawei(config)#bfd ToRouter_1 bind peer-ip 10.10.10.2 source-ip 10.10.10.1 auto
huawei(config-bfd-session-torouter_1)#min-rx-interval 10
huawei(config-bfd-session-torouter_1)#min-tx-interval 10
huawei(config-bfd-session-torouter_1)#detect-multiplier 3
huawei(config-bfd-session-torouter_1)#commit
huawei(config-bfd-session-torouter_1)#quit
huawei(config)#bfd ToRouter_2 bind peer-ip 20.20.20.2 source-ip 20.20.20.1 auto
huawei(config-bfd-session-torouter_2)#min-rx-interval 10
huawei(config-bfd-session-torouter_2)#min-tx-interval 10
huawei(config-bfd-session-torouter_2)#detect-multiplier 3
huawei(config-bfd-session-torouter_2)#commit
huawei(config-bfd-session-torouter_2)#quit

Step 4 Bind the BFD sessions to the static routes.


huawei(config)#ip route-static 30.30.30.1 24 10.10.10.2 preference 2 track bfd-session ToRouter_1
huawei(config)#ip route-static 30.30.30.1 24 20.20.20.2 preference 6 track bfd-session ToRouter_2

Step 5 Save the data.


huawei(config)#save

----End

Result
BFD sessions ToRouter_1 and ToRouter_2 are in the up state. The route to which
ToRouter_1 is bound takes effect and carries services because it has a higher priority. When a
faulty link is detected, BFD session ToRouter_1 turns to the down state, which triggers the
deactivation of the bound route. In this case, the route to which ToRouter_2 is bound takes effect
and carries services.
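
The failover described in the Result can be modelled offline to confirm which next hop carries traffic for each combination of session states and how long a link fault goes unnoticed. The model below is an added example, not part of the guide or of Huawei's software; the detection-time formula is the asynchronous-mode rule from RFC 5880 rather than a statement from this guide, and the mismatched peer value in the printout is constructed.

```python
import re

# Constructed input: the two tracked static routes from the guide's Step 4.
ROUTES = """\
ip route-static 30.30.30.1 24 10.10.10.2 preference 2 track bfd-session ToRouter_1
ip route-static 30.30.30.1 24 20.20.20.2 preference 6 track bfd-session ToRouter_2
"""

ROUTE = re.compile(r"ip route-static (\S+) (\d+) (\S+) preference (\d+) "
                   r"track bfd-?session (\S+)")


def parse_routes(text):
    """Extract destination, next hop, preference and tracked session per route."""
    routes = []
    for raw in text.splitlines():
        m = ROUTE.fullmatch(raw.split("#", 1)[-1].strip())  # drop the CLI prompt
        if m:
            routes.append({"dest": f"{m[1]}/{m[2]}", "next_hop": m[3],
                           "preference": int(m[4]), "session": m[5]})
    return routes


def active_next_hop(routes, session_up):
    """Next hop that carries traffic for the given session states.

    A route whose tracked session is down (or unknown) is deactivated; among the
    remaining routes the smallest preference value wins, as in the guide, where
    the preference 2 route is preferred over the preference 6 route.
    """
    usable = [r for r in routes if session_up.get(r["session"], False)]
    if not usable:
        return None
    return min(usable, key=lambda r: r["preference"])["next_hop"]


def detection_time_ms(local_min_rx, remote_min_tx, remote_multiplier):
    """RFC 5880 asynchronous mode: how long the local end waits without packets
    before it declares the session down."""
    return remote_multiplier * max(local_min_rx, remote_min_tx)


if __name__ == "__main__":
    routes = parse_routes(ROUTES)
    for states in ({"ToRouter_1": True, "ToRouter_2": True},
                   {"ToRouter_1": False, "ToRouter_2": True},
                   {"ToRouter_1": False, "ToRouter_2": False}):
        print(states, "->", active_next_hop(routes, states))
    # Data plan values on both ends: 10 ms intervals, multiplier 3.
    print("detection time, matching peers:", detection_time_ms(10, 10, 3), "ms")
    # Constructed mismatch: the peer transmits only every 100 ms.
    print("detection time, slow peer:", detection_time_ms(10, 100, 3), "ms")
```

With a peer that transmits more slowly than the data plan assumes, the fault is detected ten times later, which is why the table requires the routers' BFD parameters to match those of the MA5600T.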

8.10.2 Configuration Example of the BFD Link Detection (Dynamic Route)

The MA5600T supports detecting the fault of a dynamic route by using the BFD. This topic
describes how to configure the BFD link detection based on the dynamic routing protocol OSPF.

Prerequisites
The BFD function must be enabled globally on the MA5600T.

Networking
Figure 8-4 shows an example network of the BFD link detection.
Dynamic routes between the MA5600T and Router_1, Router_2 are generated through OSPF.
The BFD session is bound to the OSPF route. When one link is faulty, the BFD session reports
that the bound OSPF neighbor is down, thus switching the route.
Figure 8-4 Example network of the BFD link detection

[Figure: the MA5600T (10.10.10.1 and 20.20.20.1) connects to Router_1 and Router_2, which both connect to Router_3.]

Data Plan
Table 8-2 provides the data plan for configuring the BFD link detection.
Table 8-2 Data plan for configuring the BFD link detection
Item | Data | Remarks
MA5600T | Upstream ports: 0/17/0 and 0/17/1 | -
VLANs | VLAN ID: 30; VLAN type: Smart VLAN; IP address of the L3 interface: 10.10.10.1/24 | -
VLANs | VLAN ID: 40; VLAN type: Smart VLAN; IP address of the L3 interface: 20.20.20.1/24 | -
BFD session | Minimum transmit interval: 10 ms; Minimum receive interval: 10 ms; Detection multiplier: 3 | -
Requirements for the upper-layer device | Router_1: IP address of the L3 interface: see the example network; VLAN ID: 30; OSPF: enabled; BFD session parameters: consistent with the parameters of the MA5600T | For details about the configuration of the router, see the corresponding configuration guide.
Requirements for the upper-layer device | Router_2: IP address of the L3 interface: see the example network; VLAN ID: 40; OSPF: enabled; BFD session parameters: consistent with the parameters of the MA5600T | For details about the configuration of the router, see the corresponding configuration guide.

Procedure
Step 1 Create VLANs and add upstream ports to the VLANs.
huawei(config)#vlan 30 smart
huawei(config)#port vlan 30 0/17 0
huawei(config)#vlan 40 smart
huawei(config)#port vlan 40 0/17 1

Step 2 Configure the IP address of the L3 interface of the VLAN.


huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.10.10.1 24
huawei(config-if-vlanif30)#quit
huawei(config)#interface vlanif 40
huawei(config-if-vlanif40)#ip address 20.20.20.1 24
huawei(config-if-vlanif40)#quit

Step 3 Configure OSPF.


huawei(config)#ospf 1
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 10.10.10.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 20.20.20.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit

Step 4 Enable BFD in the L3 interface mode.


huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ospf bfd enable
huawei(config-if-vlanif30)#ospf bfd min-rx-interval 10 min-tx-interval 10 detect-multiplier 3
huawei(config-if-vlanif30)#ospf cost 30
huawei(config-if-vlanif30)#quit
huawei(config)#interface vlanif 40
huawei(config-if-vlanif40)#ospf bfd enable
huawei(config-if-vlanif40)#ospf bfd min-rx-interval 10 min-tx-interval 10 detect-multiplier 3
huawei(config-if-vlanif40)#ospf cost 40
huawei(config-if-vlanif40)#quit

Step 5 Save the data.


huawei(config)#save

----End

Result
After establishing the neighbor relation with each router through OSPF, the MA5600T
automatically creates two BFD sessions. When the active link is faulty, its bound BFD session
is down, which triggers the OSPF neighbor relation to be down. Thus, the route is switched to
the standby link.

8.11 Configuring ETH OAM


In a broad sense, operation, administration, and maintenance (OAM) means a set of methods
for monitoring and diagnosing network faults. The Ethernet OAM feature includes two
sub-features: Ethernet CFM OAM and Ethernet EFM OAM.

8.11.1 Configuring Ethernet CFM OAM


The MA5600T can detect the fault by using the Ethernet CFM OAM. This topic describes how
to configure Ethernet CFM OAM based on the example network.

Service Requirements
The two remote devices send detection packets periodically to check the link connectivity.

Networking
Figure 8-5 shows the example network for configuring the Ethernet CFM OAM.
In this example network, the Ethernet CFM OAM mechanism is run to detect faults on the link
between MA5600T_A and MA5600T_B. The two devices are configured under the same MA
in the same MD. When a connection fault occurs, the system reports the alarm and locates the
fault.
Figure 8-5 Example Network for configuring Ethernet CFM OAM

Data Plan
Table 8-3 provides the data plan for configuring Ethernet CFM OAM.
Table 8-3 Data plan for configuring Ethernet CFM OAM
Item | Data
MA5600T_A | Port: 0/17/0; Smart VLAN: 100; MEP: 2/6/1; CC-interval: 10 minutes
MA5600T_B | Port: 0/17/1; Smart VLAN: 100; MEP: 2/6/2; CC-interval: 10 minutes

Procedure
Step 1 Create a VLAN and add the upstream port to the VLAN.
Set the VLAN ID to 100 and the VLAN type to smart.
huawei(config)#vlan 100 smart

Add port 0/17/0 to VLAN 100.
huawei(config)#port vlan 100 0/17 0

Step 2 (Optional) Configure the native VLAN for the upstream port.
This step determines whether the packets of the upstream Ethernet port carry the VLAN
tag. Whether the native VLAN needs to be set for the upstream port depends on whether the
upper-layer device connected to the upstream port supports packets carrying a VLAN tag. The
setting on the MA5600T must be consistent with that on the upper-layer device.
huawei(config)#interface scu 0/17
huawei(config-if-scu-0/17)#native-vlan 0 100
huawei(config-if-scu-0/17)#quit

Step 3 Configuring MD
Configure MD 2 with a name of the character string type, name md-huawei, and MD level 3.
- MDs with the same index or level cannot be created.
- The name type and the name of an MD must be unique.
- The total length of the names of an MD and its MAs cannot be longer than 44 characters.
- The MD name type, the MD name and the MD level must be consistent at both ends.
huawei(config)#cfm md 2 name-format string md-huawei level 3

Step 4 Configuring MA
- The system supports up to 4096 MAs. That is, if an MD is configured with 4096 MAs, the
  other MDs in the system cannot be configured with any MA.
- An MD must be available for creating an MA.
- An existing MA cannot be created again.
- The total length of the names of an MD and its MAs cannot be longer than 44 characters.
- The MA name type, the MA name and the sending period of CC packets must be consistent
  at both ends.

1. Create an MA with the index 2/6. The name type is the character string type, and the name
   is ma-huawei. The sending period of CC packets is 10 minutes (the sending period of CC
   packets is 1 minute by default).
huawei(config)#cfm ma 2/6 name-format string ma-huawei cc-interval 10m

2. Set the VLAN associated to the MA to 100.
huawei(config)#cfm ma 2/6 vlan 100

3. Set the ID of MEP contained by the MA to 1. Currently, an MA supports a local MEP and
   a remote MEP, and their IDs must be unique. MEP ID 2 needs to be configured on the
   MA5600T_B device of the peer end.
huawei(config)#cfm ma 2/6 meplist 1
huawei(config)#cfm ma 2/6 meplist 2

Step 5 Configuring MEP


• MEP refers to a maintenance association end point. Ethernet CFM OAM tests the link connectivity by using the MEPs at the two ends of a maintenance channel.
• By default, the MEP management function is enabled, the priority of sending CFM packets is 7, and the function of sending CC packets is enabled.
• There are two kinds of MEPs: UP MEP and DOWN MEP. An UP MEP indicates that the MEP transmits packets to the bridge trunk direction. A DOWN MEP indicates that the MEP transmits packets to the physical medium direction. When you define the port on a device, you must define the port as an UP MEP or a DOWN MEP. That is, after the port is defined as an MEP, it can send packets in only one direction. For example, after the GIU upstream port on the MA5600T is defined as an MEP, it is a DOWN MEP if it can transmit packets to only the upstream direction (convergence layer) according to the definition; it is an UP MEP if it can transmit packets to only the downstream direction (to hardware and logic) according to the definition.
• vlantag1 or vlantag2 must be configured when an MEP is added for a port with service streams. vlantag1 is the outer VLAN of the port carrying the service link for the MEP. vlantag2 is the inner VLAN of the port carrying the service link for the MEP.
• The MEP priority must be consistent at both ends.
huawei(config)#cfm mep 2/6/1 direction down port 0/17/0 priority 7

Step 6 Enable the RMEP detection function.


The system can check the remote MEPs of an MA and report alarms for loss of CCM and RDI
only when the following functions are enabled: the global CFM function, the global function of
checking remote MEPs, and the function of checking the remote MEPs of the MA.
By default, the RMEP detection function of MA is enabled, while the global RMEP detection
function is disabled.
1. Enable the RMEP detection function of the MA.
huawei(config)#cfm ma 2/6 remote-mep-detect enable

2. Enable the global RMEP detection function.
huawei(config)#cfm remote-mep-detect enable

Step 7 Enable the global CFM function.


huawei(config)#cfm enable

Step 8 Save the data.


huawei(config)#save
NOTE

Configuration on MA5600T_B is the same as that on MA5600T_A. Except that the index of MEP is 2/6/2, other
parameters are the same.

----End

Result
After the configuration, run the display cfm mep command on MA5600T_A or MA5600T_B to query the MEP configuration. The parameter Remote MEP ID/MAC must not be empty.

Configuration File
vlan 100 smart
port vlan 100 0/17 0
interface scu 0/17
native-vlan 0 100
quit
cfm md 2 name-format string md-huawei level 3
cfm ma 2/6 name-format string ma-huawei cc-interval 10m
cfm ma 2/6 vlan 100
cfm ma 2/6 meplist 1
cfm ma 2/6 meplist 2
cfm mep 2/6/1 direction down port 0/17/0 priority 7
cfm ma 2/6 remote-mep-detect enable
cfm remote-mep-detect enable
cfm enable
save
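
The rules in Steps 3 to 7 that must hold at both ends (MD name type, name and level; MA name type, name and CC interval; MEP priority; unique MEP IDs; the 44-character name limit; the global enable flags) can be checked offline before commissioning. The following Python check is an added example, not Huawei tooling or code from this guide; it parses only the cfm lines shown in the configuration file above, and the MA5600T_B text is constructed from the NOTE and the data plan.

```python
import re

# Constructed sample input: MA5600T_A's cfm lines as in the configuration file;
# MA5600T_B is derived as the NOTE describes (MEP index 2/6/2), with port 0/17/1
# taken from the data plan.
CONFIG_A = """\
cfm md 2 name-format string md-huawei level 3
cfm ma 2/6 name-format string ma-huawei cc-interval 10m
cfm ma 2/6 vlan 100
cfm ma 2/6 meplist 1
cfm ma 2/6 meplist 2
cfm mep 2/6/1 direction down port 0/17/0 priority 7
cfm ma 2/6 remote-mep-detect enable
cfm remote-mep-detect enable
cfm enable
"""
CONFIG_B = CONFIG_A.replace("mep 2/6/1 direction down port 0/17/0",
                            "mep 2/6/2 direction down port 0/17/1")

GLOBAL_FLAGS = ("cfm enable", "cfm remote-mep-detect enable")
PATTERNS = {
    "md": re.compile(r"cfm md (?P<md>\d+) name-format (?P<fmt>\S+) (?P<name>\S+) level (?P<level>\d+)"),
    "ma": re.compile(r"cfm ma (?P<ma>\d+/\d+) name-format (?P<fmt>\S+) (?P<name>\S+) cc-interval (?P<cc>\S+)"),
    "meplist": re.compile(r"cfm ma (?P<ma>\d+/\d+) meplist (?P<id>\d+)"),
    "mep": re.compile(r"cfm mep (?P<ma>\d+/\d+)/(?P<id>\d+) direction \S+ port \S+ priority (?P<prio>\d+)"),
}


def parse_cfm(text):
    """Collect the CFM parameters that the guide requires to match at both ends."""
    cfg = {"md": {}, "ma": {}, "meplist": {}, "mep": {}, "flags": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line in GLOBAL_FLAGS:
            cfg["flags"].add(line)
            continue
        for kind, rx in PATTERNS.items():
            m = rx.fullmatch(line)
            if not m:
                continue
            d = m.groupdict()
            if kind == "md":
                cfg["md"][d["md"]] = (d["fmt"], d["name"], d["level"])
            elif kind == "ma":
                cfg["ma"][d["ma"]] = (d["fmt"], d["name"], d["cc"])
            elif kind == "meplist":
                cfg["meplist"].setdefault(d["ma"], set()).add(d["id"])
            else:
                cfg["mep"][d["ma"]] = (d["id"], d["prio"])
            break
    return cfg


def check_pair(text_a, text_b):
    """Return a list of findings; an empty list means the two ends agree."""
    a, b = parse_cfm(text_a), parse_cfm(text_b)
    findings = []
    for end, cfg in (("A", a), ("B", b)):
        for flag in GLOBAL_FLAGS:
            if flag not in cfg["flags"]:
                findings.append(f"{end}: '{flag}' missing, CCM-loss and RDI alarms are not reported")
        for ma, (_, ma_name, _) in cfg["ma"].items():
            md = cfg["md"].get(ma.split("/")[0])
            if md is None:
                findings.append(f"{end}: MA {ma} refers to an MD that is not configured")
            elif len(md[1]) + len(ma_name) > 44:
                findings.append(f"{end}: MD name + MA name for {ma} exceeds 44 characters")
    for md in sorted(set(a["md"]) | set(b["md"])):
        if a["md"].get(md) != b["md"].get(md):
            findings.append(f"MD {md}: name type, name or level differs between the ends")
    for ma in sorted(set(a["ma"]) | set(b["ma"])):
        if a["ma"].get(ma) != b["ma"].get(ma):
            findings.append(f"MA {ma}: name type, name or cc-interval differs between the ends")
        mep_a, mep_b = a["mep"].get(ma), b["mep"].get(ma)
        if not mep_a or not mep_b:
            findings.append(f"MA {ma}: no MEP configured on one end")
            continue
        if mep_a[0] == mep_b[0]:
            findings.append(f"MA {ma}: both ends use MEP ID {mep_a[0]}, IDs must be unique")
        if mep_a[1] != mep_b[1]:
            findings.append(f"MA {ma}: MEP priority differs ({mep_a[1]} vs {mep_b[1]})")
        for end, cfg in (("A", a), ("B", b)):
            missing = {mep_a[0], mep_b[0]} - cfg["meplist"].get(ma, set())
            if missing:
                findings.append(f"{end}: MA {ma} meplist lacks MEP ID(s) {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(CONFIG_A, CONFIG_B) or ["both ends consistent"]:
        print(finding)
```

A mismatch in any of these parameters leaves Remote MEP ID/MAC empty in the display cfm mep output, so running the check on the saved configurations of both devices narrows down which parameter to correct.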


8.11.2 Configuring Ethernet EFM OAM


This topic describes how to configure the Ethernet EFM OAM on the MA5600T.

Prerequisites
The Ethernet EFM OAM license must be obtained and installed.

Service Requirements
• Ethernet EFM OAM is enabled on both local MA5600T_A and remote MA5600T_B.
• When the remote end is faulty, the local end generates an alarm.
• The local end can be used to locate a fault through the EFM remote end loopback.

Figure 8-6 Example network of Ethernet EFM OAM

Data Plan
Table 8-4 provides the data plan for configuring Ethernet EFM OAM.
Table 8-4 Data plan for configuring Ethernet EFM OAM
| Item | Data |
| --- | --- |
| MA5600T_A | Port: 0/17/0; Ethernet OAM mode: active |
| MA5600T_B | Port: 0/17/1; Ethernet OAM mode: passive; Loopback control parameter: process |

Procedure
• Configure local MA5600T_A.

1. (Optional) Configure the Ethernet EFM OAM mode of the port.
Configure Ethernet OAM port 0/17/0 to actively initiate the discovery process and the loopback control packet. The default mode is the active mode.
huawei(config)#efm oam mode 0/17/0 active

2. (Optional) Configure the loopback control parameter of the Ethernet EFM OAM port.
By default, EFM remote loopback is disabled, and the configuration of the local end is process.


huawei(config)#efm loopback 0/17/0 process

3. Enable Ethernet EFM OAM of the port.
After Ethernet EFM OAM is enabled, the loopback control parameter and Ethernet EFM OAM mode of the port cannot be modified.
huawei(config)#efm oam 0/17/0 enable

4. Save the data.
huawei(config)#save

5. (Optional) Enable EFM remote loopback.
When the remote end is faulty, use the EFM remote loopback function to locate the fault.
huawei(config)#efm loopback 0/17/0 start
Starting loopback will interrupt all the services on this port. Are you sure
to start loopback? (y/n)[n]:y

• Configure remote MA5600T_B.

1. Configure the Ethernet EFM OAM mode of the port.
Configure Ethernet EFM OAM port 0/17/1 to work in the passive mode. The default mode is the active mode.
huawei(config)#efm oam mode 0/17/1 passive

2. Configure the loopback control parameter of the Ethernet EFM OAM port.
The Ethernet EFM OAM loopback control parameter of the remote end must be process. In this way, the EFM remote loopback function can be used normally.
huawei(config)#efm loopback 0/17/1 process

3. Enable Ethernet EFM OAM of the port.
After Ethernet EFM OAM is enabled, the loopback control parameter and Ethernet EFM OAM mode of the port cannot be modified.
huawei(config)#efm oam 0/17/1 enable

4. Save the data.
huawei(config)#save

----End

Result
After the configuration is completed, you can run the display efm oam status command on
MA5600T_A or MA5600T_B to query the relevant information about the local end or remote
end.

Configuration File
On local MA5600T_A:
efm oam mode 0/17/0 active
efm loopback 0/17/0 process
efm oam 0/17/0 enable
save
efm loopback 0/17/0 start
y

On remote MA5600T_B:
efm oam mode 0/17/1 passive
efm loopback 0/17/1 process


efm oam 0/17/1 enable


save


Configuration Example of the FTTH Service

About This Chapter


This topic describes how to configure the Internet access, VoIP, and IPTV services in the FTTH
GPON access mode.
9.1 FTTH Network
FTTH indicates fiber to the home. The ONT is connected to the OLT in the PON mode to
implement FTTH. The voice, data, and video services are provided through a single optical fiber.
9.2 FTTH Data Plan (GPON Access)
This topic provides the unified data plan for the FTTH GPON access. The subsequent examples
are configured based on the following data plan.
9.3 Configuring the FTTH Internet Access Service
The OLT is connected to the remote ONT through the GPON port to provide users with the high-speed Internet access service.
9.4 Configuring the FTTH VoIP Service (SIP-based)
The OLT is connected to the remote ONT through a GPON port to provide users with the IP-based high-quality and low-cost VoIP service.
9.5 Configuring the FTTH IPTV Service
The OLT is connected to the remote ONT through a GPON port to provide users with the IPTV
service.


9.1 FTTH Network


FTTH indicates fiber to the home. The ONT is connected to the OLT in the PON mode to
implement FTTH. The voice, data, and video services are provided through a single optical fiber.

Network
Figure 9-1 shows an example network of full access services in the FTTH scenario.
Figure 9-1 Example network of the FTTH service

9.2 FTTH Data Plan (GPON Access)


This topic provides the unified data plan for the FTTH GPON access. The subsequent examples
are configured based on the following data plan.

Data Plan
Table 9-1 provides the unified data plan for configuring the HSI, IPTV, and VoIP services in an FTTH network.
Table 9-1 Data plan for the FTTH GPON access

| Service Classification | Item | Data | Remarks |
| --- | --- | --- | --- |
| Network data | FTTH | OLT PON port: 0/5/1; ONT ID: 1 | |
| Device management | Inband NMS IP address of the OLT | 192.168.50.1/24 | In the GPON access, the network management protocol of the ONT adopts OMCI. |
| | Management VLAN of the OLT | 4000 | |
| Service VLAN | HSI service | ONT VLAN: 10; OLT VLANs: CVLAN (using the VLAN of the ONT): 10, SVLAN: 100 | For the Internet access service, you can use two precisely-bound VLAN tags to extend VLANs and identify users. On the ONT, each user is allocated with a CVLAN. On the OLT, each OLT, each slot of the OLT, or each PON port can be allocated with an SVLAN. The ONT VLANs of the same OLT must be planned in a unified manner and each ONT VLAN ID must be unique. |
| | IPTV service | Multicast VLAN: 1000 | Generally, multicast VLANs are divided according to multicast sources. |
| | VoIP service | ONT VLAN: 20; OLT VLAN: 200 | Generally, the VoIP service can be identified by a single VLAN tag. Each OLT, each slot of the OLT, or each PON port can be allocated with a VLAN to reduce VLAN broadcast domains. |
| QoS (priority) | HSI service | Priority: 1; queue scheduling: WRR | Generally, the QoS priorities are NMS service and IP voice service > IPTV service > Internet access service in a descending order. |
| | IPTV service | Priority: 4; queue scheduling: WRR | |
| | VoIP service | Priority: 6; queue scheduling: PQ | |
| QoS (DBA) | HSI service | Profile type: Type4; Maximum bandwidth: 100 Mbit/s; T-CONT ID: 4 | DBA is used to control the upstream bandwidth of the ONT. DBA profiles are bound to TCONTs. Different TCONTs are planned for different bandwidth assurance types. Generally, the service with a high priority adopts a fixed bandwidth or an assured bandwidth, and the service with a low priority adopts the maximum bandwidth or best effort. |
| | IPTV service | Profile type: Type4; Maximum bandwidth: 60 Mbit/s; T-CONT ID: 3 | |
| | VoIP service | Profile type: Type3; Assured bandwidth: 15 Mbit/s; Maximum bandwidth: 30 Mbit/s; T-CONT ID: 2 | |
| QoS (CAR) | VoIP service | No rate limitation in the upstream and downstream directions | Traffic control can be implemented on the BRAS, or on the OLT or ONT by using port rate limitation or using a traffic profile to limit the upstream and downstream traffic. Generally, in the case of FTTH, limit the rate on the OLT. |
| | IPTV service | No rate limitation in the upstream and downstream directions | |
| | HSI service | Upstream and downstream bandwidth: 4 Mbit/s | |
| IPTV service data | Multicast protocol | OLT: IGMP proxy | |
| | Multicast version | IGMP V3 | IGMP v3 and IGMP v2 are supported, and IGMP v3 is compatible with IGMP v2. |
| | Multicast program configuration mode | Static configuration mode | The OLT can also generate a multicast program library, that is, dynamically generate a program list according to the programs requested by users. In this mode, the program list need not be configured or maintained; however, the functions such as program management, user multicast bandwidth management, program preview, and program prejoin are not supported. |
| | IP address of the multicast server | 10.10.10.10 | |
| | Multicast program | 224.1.1.10 | |
| VoIP service data | Signaling and media IP addresses | 17.10.10.10/24 | SIP supports separate media and signaling. The media and signaling IP address can be the same or different. |
| | Gateway IP address | 17.10.10.0/24 | |
| | SIP interface (SIP). NOTE: The parameters of the SIP interface must be the same as the parameters on the softswitch. SIP has many negotiation parameters, and the parameters here are mandatory. | SIP interface ID: 0 | It is the SIP interface ID used for the VoIP service to be configured, which determines the virtual access gateway (VAG) specified for the user. |
| | | Signaling port ID of the SIP interface: 5056 | |
| | | IP address of the primary softswitch to which the SIP interface belongs: 200.200.200.200/24 | When dual homing is configured, the IP address and the port ID of the secondary softswitch must also be configured. |
| | | Port ID of the primary softswitch to which the SIP interface belongs: 5060/24 | |
| | | Coding mode of the SIP interface: text | |
| | | Transmission mode of the SIP interface: UDP | The transmission mode is selected according to the requirements on the softswitch. Generally, UDP is adopted. |
| | | Home domain of the SIP interface: huawei | |
| | | Index of the profile used by the SIP interface: 1 | Different profile indexes are used for interconnection with non-Huawei softswitches. You can run the if-h248 attribute profileindex command to query the profile index. For interconnection with a ZTE softswitch, use profile 5; for interconnection with a Bell softswitch, no constant profile is used. Profile 0 can be used and the data is negotiated with the Bell softswitch. |

9.3 Configuring the FTTH Internet Access Service


The OLT is connected to the remote ONT through the GPON port to provide users with the high-speed Internet access service.

Service Requirements
• The user PC is connected to the ONT through the LAN port in the PPPoE dialing mode. The ONT is connected to the OLT and then to the upper-layer network in the GPON mode to provide the high-speed Internet access service.
• The high-speed Internet access service adopts a single VLAN tag. Each ONT is allocated with a CVLAN, which is translated into the same SVLAN on the OLT.
• The high-speed Internet access service adopts a bandwidth-ensured mode with the maximum bandwidth 100 Mbit/s as the DBA profile and performs the 4 Mbit/s rate limitation on both the upstream and downstream directions.
• To ensure reliability, dual GE ports are adopted for upstream transmission, and link aggregation is configured for the two upstream ports.

Table 9-2 Data plan


| Item | Data |
| --- | --- |
| OLT | SVLAN ID: 100; S-VLAN type: smart VLAN; SVLAN attribute: common; Upstream ports: 0/17/0 and 0/18/0 |
| ONT | ONT ID: 1; ID of the port on the ONT that is connected to the PC: 1; Type of the port on the ONT that is connected to the PC: ETH; VLAN ID of the port on the ONT that is connected to the PC: 10 |

Prerequisite
• The OLT is connected to the BRAS.
• Relevant configurations are performed on the BRAS according to the authentication and accounting requirements for dialup users. For details about the configuration, see the corresponding configuration guide.
• The VLAN of the LAN switch port connected to the OLT is the same as the upstream VLAN of the OLT.

Procedure
• Configure the OLT.
1. Create an SVLAN and add upstream ports to it.
Set the VLAN ID to 100, VLAN type to smart, and VLAN attribute to common (default). Add upstream ports 0/17/0 and 0/18/0 to VLAN 100.
huawei(config)#vlan 100 smart
huawei(config)#port vlan 100 0/17 0
huawei(config)#port vlan 100 0/18 0

2. Configure the upstream port aggregation.
To aggregate the two upstream ports as one aggregation group, set the packet forwarding mode of the aggregation group to egress-ingress, and set the aggregation group to work in the LACP static mode.
huawei(config)#link-aggregation 0/17 0 0/18 0 egress-ingress workmode lacp-static


NOTE

To configure port aggregation, the following requirements must be met: The ports must work in the
full duplex mode. The port rates must be the same. The default VLANs (PVIDs) and VLAN attributes
of both ports must be the same. One port belongs to only one aggregation group. No mirror
destination port is included.

3. Configure a traffic profile.
You can run the display traffic table ip command to query the traffic profiles existing in the system. If the traffic profiles existing in the system do not meet the requirements, you need to run the traffic table ip command to add a traffic profile.
Set the profile ID to 8, CIR to 4 Mbit/s, and priority to 1, and schedule packets according to their priorities.
huawei(config)#traffic table ip index 8 cir 4096 priority 1 priority-policy tag-In-Packag

4. Configure a DBA profile.
You can run the display dba-profile command to query the DBA profiles existing in the system. If the DBA profiles existing in the system do not meet the requirements, you need to run the dba-profile add command to add a DBA profile.
Set the DBA profile ID to 10, type to type4, and maximum bandwidth to 100 Mbit/s.
huawei(config)#dba-profile add profile-id 10 type4 max 102400

5. (Optional) Configure an alarm profile.
• The ID of the default GPON alarm profile is 1. The thresholds of all the alarm parameters in the default alarm profile are 0, which indicates that no alarm is generated.
• In this example, the default alarm profile is used, and therefore the configuration of the alarm profile is not required.
• Run the gpon alarm-profile add command to configure an alarm profile, which is used for monitoring the performance of an activated ONT line.

6. Configure an ONT line profile.
Add GPON ONT line profile 10 and bind T-CONT 4 to the DBA profile 10. In this way, the T-CONT can provide flexible DBA solutions based on different configurations in the DBA profile.
huawei(config)#ont-lineprofile gpon profile-id 10
huawei(config-gpon-lineprofile-10)#tcont 4 dba-profile-id 10

Add GEM port 1 for transmitting ETH traffic streams and bind GEM port 1 to T-CONT 4. The QoS mode is priority-queue (default).
NOTE

1. To change the QoS mode, run the qos-mode command to configure the QoS mode to gem-car or flow-car, and run the gem add command to configure the ID of the traffic profile bound to the GEM port.
2. When the QoS mode is PQ, the default queue priority is 0; when the QoS mode is flow-car, traffic profile 6 is bound to the port by default (no rate limitation); when the QoS mode is gem-car, traffic profile 6 is bound to the port by default (no rate limitation).
huawei(config-gpon-lineprofile-10)#gem add 1 eth tcont 4

Configure the service mapping mode from the GEM port to the ONT to VLAN (default), and map CVLAN 10 to GEM port 1.
huawei(config-gpon-lineprofile-10)#mapping-mode vlan
huawei(config-gpon-lineprofile-10)#gem mapping 1 0 vlan 10


huawei(config-gpon-lineprofile-10)#commit
huawei(config-gpon-lineprofile-10)#quit
NOTE

After a profile is configured, run the commit command to make the configuration take effect before
the system quits the profile mode.

7. Configure an ONT service profile.
The service profile type must be the same as the actual ONT type. Considering the HG8240 as an example, configure four ETH ports and two POTS ports. The ID of the VLAN to which ETH port 1 belongs is 10.
huawei(config)#ont-srvprofile gpon profile-id 10
huawei(config-gpon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-gpon-srvprofile-10)#port vlan eth 1 10
huawei(config-gpon-srvprofile-10)#commit
huawei(config-gpon-srvprofile-10)#quit
NOTE

After a profile is configured, run the commit command to make the configuration take effect before
the system quits the profile mode.

8. Add an ONT.
Connect the ONT to GPON port 0/5/1. The ONT ID is 1, the SN is 32303131D659FD40, the management mode is OMCI, the bound ONT line profile ID is 10, and the bound ONT service profile ID is 10.
NOTE

• You can run the ont add command to add an ONT offline or run the ont confirm command to confirm an automatically discovered ONT.
• Before confirming an automatically discovered ONT, you must run the port portid ont-auto-find command in the GPON mode to enable the ONT automatic discovery function of the port.
• In this example, the method of confirming the automatically discovered ONT is used.
huawei(config)#interface gpon 0/5
huawei(config-if-gpon-0/5)#port 1 ont-auto-find enable
huawei(config-if-gpon-0/5)#display ont autofind 1
-----------------------------------------------------------------------
Number              : 1
F/S/P               : 0/5/1
Ont SN              : 32303131D659FD40
Password            :
VenderID            : HWTC
Ont Version         : HG850aGTH.B
Ont SoftwareVersion : V1R1C01SPC033
Ont EquipmentID     : EchoLife:HG850a
Ont autofind time   : 2009-10-24 14:59:10
-----------------------------------------------------------------------
huawei(config-if-gpon-0/5)#ont confirm 1 ontid 1 sn-auth 32303131D659FD40 omci ont-lineprofile-id 10 ont-srvprofile-id 10 desc HG850a
NOTE

• After the ONT is added, it is recommended that you run the display ont info command to query the ONT status. In this step, ensure that Config State of the ONT is normal and Match State is match.
• If the ONT state in the actual query result is different from the preceding description, run the display ont capability command to query the actual ONT capabilities and then based on the queried ONT capabilities, add a proper ONT profile and a proper ONT.

9. (Optional) Bind the alarm profile to the ONT.
The default alarm profile (profile 1) is adopted.


huawei(config-if-gpon-0/5)#ont alarm-profile 1 1 profile-id 1

10. Specify the VLAN for the ONT port.


ETH port 1 on the ONT is connected to the PC and the native VLAN of the port is
VLAN 10.
huawei(config-if-gpon-0/5)#ont port native-vlan 1 1 eth 1 vlan 10

11. Add a service port to the VLAN.


Set the management service port ID to 1, SVLAN ID to 100, GEM port ID to 1, and
CVLAN ID to 10. Use traffic profile 8.
huawei(config-if-gpon-0/5)#quit
huawei(config)#service-port 1 vlan 100 gpon 0/5/1 ont 1 gemport 1 multi-service user-vlan 10 rx-cttr 8 tx-cttr 8

12. Configure queue scheduling.


Use the 3PQ+5WRR queue scheduling. Queues 0-4 adopt the WRR mode, with the
weights of 10, 10, 20, 20, and 40 respectively; queues 5-7 adopt the PQ mode. Set the
priority of the HSI service to 1 and adopt the WRR mode.
NOTE

Queue scheduling is a global configuration. You need to configure queue scheduling only once on
the OLT, and then the configuration takes effect globally. In the subsequent phases, you need not
configure queue scheduling repeatedly when configuring other services.
huawei(config)#queue-scheduler wrr 10 10 20 20 40 0 0 0

Configure the mapping between queues and 802.1p priorities. Priorities 0-7 map
queues 0-7 respectively.
huawei(config)#cos-queue-map cos0 0 cos1 1 cos2 2 cos3 3 cos4 4 cos5 5 cos6 6 cos7 7
NOTE

For the service board that supports only four queues, the mapping between 802.1p priorities and
queue IDs is as follows: priorities 0 and 1 map queue 1; priorities 2 and 3 map queue 2; priorities 4
and 5 map queue 3; priorities 6 and 7 map queue 4.

13. Save the data.


huawei(config)#save

The ONT need not be configured.

----End

Result
Connect the ONT to the PC, and perform dialing on the PC by using the PPPoE dialing software.
After the dialup is successful, the user can access the Internet.

Configuration File
vlan 100 smart
port vlan 100 0/17 0
port vlan 100 0/18 0
link-aggregation 0/17 0 0/18 0 egress-ingress workmode lacp-static
traffic table ip index 8 cir 4096 priority 1 priority-policy tag-In-Packag
dba-profile add profile-id 10 type4 max 102400
ont-lineprofile gpon profile-id 10
tcont 4 dba-profile-id 10
gem add 1 eth tcont 4
mapping-mode vlan
gem mapping 1 0 vlan 10
commit
quit
ont-srvprofile gpon profile-id 10
ont-port eth 4 pots 2
port vlan eth 1 10
commit
quit
interface gpon 0/5
port 1 ont-auto-find enable
display ont autofind 1
ont confirm 1 ontid 1 sn-auth 32303131D659FD40 omci ont-lineprofile-id 10 ont-srvprofile-id 10 desc HG850a
ont alarm-profile 1 1 profile-id 1
ont port native-vlan 1 1 eth 1 vlan 10
quit
service-port 1 vlan 100 gpon 0/5/1 ont 1 gemport 1 multi-service user-vlan 10 rx-cttr 8 tx-cttr 8
queue-scheduler wrr 10 10 20 20 40 0 0 0
cos-queue-map cos0 0 cos1 1 cos2 2 cos3 3 cos4 4 cos5 5 cos6 6 cos7 7
save
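
The procedure above chains several references: the T-CONT points to a DBA profile, the GEM port to a T-CONT, the GEM mapping to a CVLAN, and the service port to an SVLAN, a GEM port, a user VLAN and traffic profiles. The following Python audit is an added example, not Huawei tooling or code from this guide; it walks those references in a saved configuration and reports any that do not resolve. The sample text is a constructed subset of the configuration file above with wrapped commands on one line.

```python
# Constructed sample input: a subset of the OLT configuration file for the HSI
# service (profile type Type4, maximum bandwidth 100 Mbit/s per the data plan).
OLT_CONFIG = """\
vlan 100 smart
port vlan 100 0/17 0
port vlan 100 0/18 0
traffic table ip index 8 cir 4096 priority 1 priority-policy tag-In-Packag
dba-profile add profile-id 10 type4 max 102400
ont-lineprofile gpon profile-id 10
tcont 4 dba-profile-id 10
gem add 1 eth tcont 4
mapping-mode vlan
gem mapping 1 0 vlan 10
commit
quit
interface gpon 0/5
ont confirm 1 ontid 1 sn-auth 32303131D659FD40 omci ont-lineprofile-id 10 ont-srvprofile-id 10 desc HG850a
quit
service-port 1 vlan 100 gpon 0/5/1 ont 1 gemport 1 multi-service user-vlan 10 rx-cttr 8 tx-cttr 8
"""


def after(tokens, keyword):
    """Return the token that follows keyword on a command line."""
    return tokens[tokens.index(keyword) + 1]


def parse_olt(text):
    cfg = {"vlans": set(), "traffic": set(), "dba": {}, "line": {}, "onts": {}, "sports": []}
    profile = gpon = None  # current line-profile / GPON interface context
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "vlan":
            cfg["vlans"].add(t[1])
        elif t[:3] == ["traffic", "table", "ip"]:
            cfg["traffic"].add(after(t, "index"))
        elif t[:2] == ["dba-profile", "add"]:
            cfg["dba"][after(t, "profile-id")] = t[4]          # e.g. type4
        elif t[0] == "ont-lineprofile":
            profile = cfg["line"].setdefault(after(t, "profile-id"),
                                             {"tcont": {}, "gem": {}, "map": set()})
        elif t[:2] == ["interface", "gpon"]:
            gpon = t[2]
        elif t[0] == "quit":
            profile = gpon = None
        elif profile is not None and t[0] == "tcont":
            profile["tcont"][t[1]] = after(t, "dba-profile-id")
        elif profile is not None and t[:2] == ["gem", "add"]:
            profile["gem"][t[2]] = after(t, "tcont")
        elif profile is not None and t[:2] == ["gem", "mapping"]:
            profile["map"].add((t[2], after(t, "vlan")))       # (GEM port, CVLAN)
        elif gpon and t[:2] == ["ont", "confirm"]:
            cfg["onts"][f"{gpon}/{t[2]}:{after(t, 'ontid')}"] = after(t, "ont-lineprofile-id")
        elif t[0] == "service-port":
            keys = ("vlan", "gpon", "ont", "gemport", "user-vlan", "rx-cttr", "tx-cttr")
            cfg["sports"].append({k: after(t, k) for k in keys})
    return cfg


def audit(text):
    """Return unresolved references; an empty list means the chain is complete."""
    cfg, out = parse_olt(text), []
    for pid, lp in cfg["line"].items():
        for tcont, dba in lp["tcont"].items():
            if dba not in cfg["dba"]:
                out.append(f"line profile {pid}: T-CONT {tcont} binds undefined DBA profile {dba}")
        for gem, tcont in lp["gem"].items():
            if tcont not in lp["tcont"]:
                out.append(f"line profile {pid}: GEM port {gem} uses unbound T-CONT {tcont}")
        for gem, vlan in sorted(lp["map"]):
            if gem not in lp["gem"]:
                out.append(f"line profile {pid}: mapping for VLAN {vlan} uses undefined GEM port {gem}")
    for sp in cfg["sports"]:
        ont = f"{sp['gpon']}:{sp['ont']}"
        lp = cfg["line"].get(cfg["onts"].get(ont))
        if sp["vlan"] not in cfg["vlans"]:
            out.append(f"service-port on {ont}: SVLAN {sp['vlan']} is not created")
        if lp is None:
            out.append(f"service-port on {ont}: ONT not confirmed with a known line profile")
        elif (sp["gemport"], sp["user-vlan"]) not in lp["map"]:
            out.append(f"service-port on {ont}: GEM port {sp['gemport']} has no mapping for user VLAN {sp['user-vlan']}")
        for direction in ("rx-cttr", "tx-cttr"):
            if sp[direction] not in cfg["traffic"]:
                out.append(f"service-port on {ont}: {direction} {sp[direction]} not defined in this file, "
                           "check display traffic table ip")
    return out


if __name__ == "__main__":
    for finding in audit(OLT_CONFIG) or ["all references resolve"]:
        print(finding)
```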

9.4 Configuring the FTTH VoIP Service (SIP-based)


The OLT is connected to the remote ONT through a GPON port to provide users with the IP-based high-quality and low-cost VoIP service.

Service Requirements
• The ONT is connected to the SIP server through SIP.
• The ONT obtains the IP address through DHCP.
• Two phone sets are connected to two TEL ports of the ONT respectively, and calls can be made between two phone sets.
• The DBA mode of the VoIP service is assured bandwidth + maximum bandwidth, and no rate limitation is performed on the upstream and downstream traffic.
• To ensure reliability, dual GE ports are adopted for upstream transmission, and link aggregation is configured for the two upstream ports.

Table 9-3 Data plan


| Item | Data |
| --- | --- |
| OLT | S-VLAN ID: 200; S-VLAN type: smart VLAN; Upstream ports: 0/17/0 and 0/18/0; C-VLAN ID: 20 |
| ONT | ONT ID: 1; IP address of the SIP server: 200.200.200.200/24; Port ID of the SIP server: 5060 |


Prerequisite
• The SIP interface data and the PSTN user data corresponding to the MG interface must be configured on the SIP server.
• The OLT must be connected to the SIP server.

Procedure
• Configure the OLT.
1. Create an SVLAN and add an upstream port to it.
Create smart VLAN 200. Add upstream ports 0/17/0 and 0/18/0 to VLAN 200.
huawei(config)#vlan 200 smart
huawei(config)#port vlan 200 0/17 0
huawei(config)#port vlan 200 0/18 0

2. Configure the upstream port aggregation.
To aggregate the two upstream ports as one aggregation group, set the packet forwarding mode of the aggregation group to egress-ingress, and set the aggregation group to work in the LACP static mode.
huawei(config)#link-aggregation 0/17 0 0/18 0 egress-ingress workmode lacp-static
NOTE

To configure port aggregation, the following requirements must be met: The ports must work in the
full duplex mode. The port rates must be the same. The default VLANs (PVIDs) and VLAN attributes
of both ports must be the same. One port belongs to only one aggregation group. No mirror
destination port is included.

3. Configure a traffic profile.
You can run the display traffic table ip command to query the traffic profiles existing in the system. If the traffic profiles existing in the system do not meet the requirements, you need to run the traffic table ip command to add a traffic profile.
Set the profile ID to 9 with no rate limitation in the upstream and downstream directions, set the priority to 6, and schedule packets according to the priority they carry.
huawei(config)#traffic table ip index 9 cir off priority 6 priority-policy tag-In-Packag

4. Add a DBA profile.
Configure the profile ID to 20, type to type3, assured bandwidth to 15 Mbit/s, and maximum bandwidth to 30 Mbit/s.
huawei(config)#dba-profile add profile-id 20 type3 assure 15360 max 30720

5. (Optional) Add an alarm profile.
• The ID of the default GPON alarm profile is 1. The thresholds of all the alarm parameters in the default alarm profile are 0, which indicates that no alarm is reported.
• In this example, the default alarm profile is used, and therefore the configuration of the alarm profile is not required.
• Run the gpon alarm-profile add command to configure an alarm profile, which is used for monitoring the performance of an activated ONT line.

6. Configure an ONT line profile.
Add GPON ONT line profile 10 and bind T-CONT 2 to the DBA profile 20. In this way, the T-CONT can provide flexible DBA solutions based on different configurations in the DBA profile.
huawei(config)#ont-lineprofile gpon profile-id 10
huawei(config-gpon-lineprofile-10)#tcont 2 dba-profile-id 20

Add GEM port 2 for transmitting ETH traffic streams and bind GEM port 2 to T-CONT 2. The QoS mode is priority-queue (default).
NOTE

1. To change the QoS mode, run the qos-mode command to configure the QoS mode to gem-car
or flow-car, and run the gem add command to configure the ID of the traffic profile bound to
the GEM port.
2. When the QoS mode is PQ, the default queue priority is 0; when the QoS mode is flow-car,
traffic profile 6 is bound to the port by default (no rate limitation); when the QoS mode is
gem-car, traffic profile 6 is bound to the port by default (no rate limitation).
huawei(config-gpon-lineprofile-10)#gem add 2 eth tcont 2

Set the service mapping mode from the GEM port to the ONU to VLAN (the default
mode), and map CVLAN 20 to GEM port 2.
huawei(config-gpon-lineprofile-10)#mapping-mode vlan
huawei(config-gpon-lineprofile-10)#gem mapping 2 1 vlan 20
huawei(config-gpon-lineprofile-10)#commit
huawei(config-gpon-lineprofile-10)#quit
NOTE

After a profile is configured, run the commit command to make the configuration take effect before
the system quits the profile mode.

7. Add an ONT service profile.

The service profile type should be consistent with the actual ONT type. Taking
the HG850a as an example, configure four ETH ports and two POTS ports.
huawei(config)#ont-srvprofile gpon profile-id 10
huawei(config-gpon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-gpon-srvprofile-10)#commit
huawei(config-gpon-srvprofile-10)#quit
NOTE

After a profile is configured, run the commit command to make the configuration take effect before
the system quits the profile mode.

8. Add an ONT.

The ONT is connected to GPON port 0/5/1. Configure the ONT ID to 1, SN to
32303131D659FD40, management mode to OMCI, bound line profile ID to 10, and
bound service profile ID to 10.
NOTE

- You can run the ont add command to add an ONT offline or run the ont confirm command to
  confirm an automatically discovered ONT.
- Before confirming an automatically discovered ONT, you must run the port portid
  ont-auto-find command in the GPON mode to enable the ONT automatic discovery function
  of the port.
- In this example, the method of confirming an automatically discovered ONT is used.
huawei(config)#interface gpon 0/5
huawei(config-if-gpon-0/5)#port 1 ont-auto-find enable
huawei(config-if-gpon-0/5)#display ont autofind 1
-----------------------------------------------------------------------
Number              : 1
F/S/P               : 0/5/1
Ont SN              : 32303131D659FD40
Password            :
VenderID            : HWTC
Ont Version         : HG850aGTH.B
Ont SoftwareVersion : V1R1C01SPC033
Ont EquipmentID     : EchoLife:HG850a
Ont autofind time   : 2009-10-24 14:59:10
-----------------------------------------------------------------------
huawei(config-if-gpon-0/5)#ont confirm 1 ontid 1 sn-auth 32303131D659FD40 omci ont-lineprofile-id 10 ont-srvprofile-id 10 desc HG850a
NOTE

- After an ONT is added, it is recommended that you run the display ont info command to
  query the ONT status. In this step, ensure that Config State and Match State of the ONT
  are normal and match respectively.
- If the ONT state in the actual query result is different from the preceding description, run
  the display ont capability command to query the actual ONT capabilities, and then add a
  proper ONT profile based on the queried ONT capabilities. Then, add an ONT again.

9. (Optional) Bind the alarm profile to the ONU.

The default alarm profile (profile 1) is adopted.
huawei(config-if-gpon-0/5)#ont alarm-profile 1 1 profile-id 1

10. Add a service port to the VLAN.


Configure the service port ID to 2, SVLAN ID to 200, GEM port ID to 2, and CVLAN
ID to 20. Bind traffic profile 9 to the service port.
huawei(config-if-gpon-0/5)#quit
huawei(config)#service-port 2 vlan 200 gpon 0/5/1 ont 1 gemport 2 multi-service user-vlan 20 rx-cttr 9 tx-cttr 9

11. Configure queue scheduling.


Use the 3PQ+5WRR queue scheduling. Queues 0-4 adopt the WRR mode, with the
weights of 10, 10, 20, 20, and 40 respectively; queues 5-7 adopt the PQ mode. The
priority of the VOIP service is 6, adopting the PQ scheduling.
NOTE

Queue scheduling is a global configuration. You need to configure queue scheduling only once on
the OLT, and then the configuration takes effect globally. In the subsequent phases, you need not
configure queue scheduling repeatedly when configuring other services.
huawei(config)#queue-scheduler wrr 10 10 20 20 40 0 0 0

Configure the mapping between queues and 802.1p priorities. Priorities 0-7 map
queues 0-7 respectively.
huawei(config)#cos-queue-map cos0 0 cos1 1 cos2 2 cos3 3 cos4 4 cos5 5 cos6 6 cos7 7
NOTE

For the service board that supports only four queues, the mapping between 802.1p priorities and
queue IDs is as follows: priorities 0 and 1 map queue 1; priorities 2 and 3 map queue 2; priorities 4
and 5 map queue 3; priorities 6 and 7 map queue 4.

12. Save the data.


huawei(config)#save

Configure the ONT. Consider the HG850a as an example. The configurations on other
types of ONTs are similar.
NOTE

In the case of the HG850a, to provide voice services of different versions, you must select different ONT
software versions. Before the configuration, ensure that the current software version of the HG850a
supports SIP. Currently, SIP is supported on versions V100R001C01, V100R001C03, V100R001C05,
and V100R001C07.

1. Open the Web browser, and enter the IP address of the local maintenance Ethernet
port of the HG850a (default: 192.168.100.1).

2. On the login interface, enter the user name (default: telecomadmin) and password
(default: admintelecom) of the administrator. After the password authentication is
passed, the Web configuration interface is displayed.

3. In the navigation pane, choose Basic > WAN. On the interface that is displayed, click
New in the upper-right corner.

4. Configure parameters of the voice WAN port, as shown in Figure 9-2.

Service list: VoIP
VLAN ID: 20 (the same as the C-VLAN ID on the OLT)
IPGetMode: DHCP
NAT: Enable
NAT Type: NAPT
For other parameters, use the default values.
Figure 9-2 WAN port parameters

5. Click Apply.

6. In the navigation pane, choose Basic > VoIP.

7. Configure the basic VoIP parameters. Configure the phone number to 88860001, as
shown in Figure 9-3.
SIP Local Port: 5060
Register Server Address: 200.200.200.200
Register Server Port: 5060
Figure 9-3 VoIP parameters

8. Click Apply. Add another phone number 88860000 in the same way.

9. In the navigation pane, click Advanced > VoIP, and click the Port tab in the right
pane, as shown in Figure 9-4.
Figure 9-4 Port bind

10. Bind ports 0 and 1 to the two phone numbers added in the preceding steps respectively.
Click the required port, and then select the numbers mapping the port.
11. In the navigation pane, choose Status > VoIP to view the port status, as shown in
Figure 9-5.
Figure 9-5 Port status

----End

Result
Connect two phone sets to two TEL ports on the ONT, and calls can be made between two phone
sets.

Configuration File
vlan 200 smart
port vlan 200 0/17 0
port vlan 200 0/18 0
link-aggregation 0/17 0 0/18 0 egress-ingress workmode lacp-static
traffic table ip index 9 cir off priority 6 priority-policy tag-In-Packag
dba-profile add profile-id 20 type3 assure 16384 max 26624
ont-lineprofile gpon profile-id 10
tcont 2 dba-profile-id 20
gem add 2 eth tcont 2
mapping-mode vlan
gem mapping 2 1 vlan 20
commit
quit
ont-srvprofile gpon profile-id 10
ont-port eth 4 pots 2
commit
quit
interface gpon 0/5
port 1 ont-auto-find enable
display ont autofind 1
ont confirm 1 ontid 1 sn-auth 32303131D659FD40 omci ont-lineprofile-id 10 ont-srvprofile-id 10
ont alarm-profile 1 1 profile-id 1
quit
service-port 2 vlan 200 gpon 0/5/1 ont 1 gemport 2 multi-service user-vlan 20 rx-cttr 9 tx-cttr 9
queue-scheduler wrr 10 10 20 20 40 0 0 0
cos-queue-map cos0 0 cos1 1 cos2 2 cos3 3 cos4 4 cos5 5 cos6 6 cos7 7
save

9.5 Configuring the FTTH IPTV Service


The OLT is connected to the remote ONT through a GPON port to provide users with the IPTV
service.


Service Requirements
- The OLT adopts the L2 multicast protocol IGMP proxy.
- Multicast programs are configured statically and multicast users are authenticated.
- The IGMP version of the multicast VLAN is IGMP V3.
- The DBA mode of the IPTV service is assured bandwidth, and no rate limitation is
  performed on the upstream and downstream traffic.
- To ensure reliability, dual GE ports are adopted for upstream transmission, and link
  aggregation is configured for the two upstream ports.

Table 9-4 Data plan

Item  Data
OLT   SVLAN ID: 1000
      SVLAN type: smart VLAN
      Upstream ports: 0/17/0 and 0/18/0
ONT   ONT ID: 1
      ID of the port on the ONT that is connected to the STB: 3
      Type of the port on the ONT that is connected to the STB: ETH
      Native VLAN ID of the port on the ONT that is connected to the STB: 30

Prerequisite
- The license for the multicast program or the multicast user must be applied for and installed.
- The OLT is connected to the BRAS and the multicast source.
- The VLAN of the LAN switch port connected to the OLT is the same as the upstream
  VLAN of the OLT.

Procedure
Configure the OLT.

1. Create an SVLAN and add an upstream port to it.


Create smart VLAN 1000. Add upstream ports 0/17/0 and 0/18/0 to VLAN 1000.
huawei(config)#vlan 1000 smart
huawei(config)#port vlan 1000 0/17 0
huawei(config)#port vlan 1000 0/18 0

2. Configure the upstream port aggregation.

To aggregate the two upstream ports as one aggregation group, set the packet
forwarding mode of the aggregation group to egress-ingress, and set the aggregation
group to work in the LACP static mode.
huawei(config)#link-aggregation 0/17 0 0/18 0 egress-ingress workmode lacp-static

NOTE

To configure port aggregation, the following requirements must be met: The ports must work in the
full duplex mode. The port rates must be the same. The default VLANs (PVIDs) and VLAN attributes
of both ports must be the same. One port belongs to only one aggregation group. No mirror
destination port is included.

3. Configure a traffic profile.

You can run the display traffic table ip command to query the traffic profiles existing
in the system. If the traffic profiles existing in the system do not meet the requirements,
you need to run the traffic table ip command to add a traffic profile.
Set the profile ID to 10, perform no rate limitation on both upstream and downstream
directions, set the priority to 4, and schedule packets according to their priorities.
huawei(config)#traffic table ip index 10 cir off priority 4 priority-policy tag-In-Packag

4. Configure a DBA profile.

You can run the display dba-profile command to query the DBA profiles existing in
the system. If the DBA profiles existing in the system do not meet the requirements, you
need to run the dba-profile add command to add a DBA profile.
Set the DBA profile ID to 30, type to type4, and maximum bandwidth to 60 Mbit/s.
huawei(config)#dba-profile add profile-id 30 type4 max 61440

5. (Optional) Configure an alarm profile.

The ID of the default GPON alarm profile is 1. The thresholds of all the alarm
parameters in the default alarm profile are 0, which indicates that no alarm is
generated.
In this example, the default alarm profile is used, and therefore the configuration
of the alarm profile is not required.
Run the gpon alarm-profile add command to configure an alarm profile, which
is used for monitoring the performance of an activated ONT line.

6. Configure an ONT line profile.

Add GPON ONT line profile 10 and bind T-CONT 3 to the DBA profile 30. In this
way, the T-CONT can provide flexible DBA solutions based on different
configurations in the DBA profile.
huawei(config)#ont-lineprofile gpon profile-id 10
huawei(config-gpon-lineprofile-10)#tcont 3 dba-profile-id 30

Add GEM port 3 for transmitting ETH traffic streams and bind GEM port 3 to
T-CONT 3. The QoS mode is priority-queue (default).
NOTE

1. To change the QoS mode, run the qos-mode command to configure the QoS mode to gem-car
or flow-car, and run the gem add command to configure the ID of the traffic profile bound to
the GEM port.
2. When the QoS mode is PQ, the default queue priority is 0; when the QoS mode is flow-car,
traffic profile 6 is bound to the port by default (no rate limitation); when the QoS mode is
gem-car, traffic profile 6 is bound to the port by default (no rate limitation).
huawei(config-gpon-lineprofile-10)#gem add 3 eth tcont 3

Set the service mapping mode from the GEM port to the ONT to VLAN (the default
mode), and map CVLAN 30 to GEM port 3.
huawei(config-gpon-lineprofile-10)#mapping-mode vlan
huawei(config-gpon-lineprofile-10)#gem mapping 3 2 vlan 30
huawei(config-gpon-lineprofile-10)#commit
huawei(config-gpon-lineprofile-10)#quit
NOTE

After a profile is configured, run the commit command to make the configuration take effect before
the system quits the profile mode.

7. Configure an ONT service profile.

The service profile type must be the same as the actual ONT type. Taking the
HG850a as an example, configure four ETH ports and two POTS ports. The ID of the
VLAN to which ETH port 3 belongs is 30.
huawei(config)#ont-srvprofile gpon profile-id 10
huawei(config-gpon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-gpon-srvprofile-10)#port vlan eth 3 30
huawei(config-gpon-srvprofile-10)#commit
huawei(config-gpon-srvprofile-10)#quit
NOTE

After a profile is configured, run the commit command to make the configuration take effect before
the system quits the profile mode.

8. Add an ONT.

Connect the ONT to GPON port 0/5/1. The ONT ID is 1, the SN is
32303131D659FD40, the management mode is OMCI, the bound ONT line profile
ID is 10, and the bound ONT service profile ID is 10.
NOTE

- You can run the ont add command to add an ONT offline or run the ont confirm command to
  confirm an automatically discovered ONT.
- Before confirming an automatically discovered ONT, you must run the port portid
  ont-auto-find command in the GPON mode to enable the ONT automatic discovery function
  of the port.
- In this example, the method of confirming the automatically discovered ONT is used.
huawei(config)#interface gpon 0/5
huawei(config-if-gpon-0/5)#port 1 ont-auto-find enable
huawei(config-if-gpon-0/5)#display ont autofind 1
-----------------------------------------------------------------------
Number              : 1
F/S/P               : 0/5/1
Ont SN              : 32303131D659FD40
Password            :
VenderID            : HWTC
Ont Version         : HG850aGTH.B
Ont SoftwareVersion : V1R1C01SPC033
Ont EquipmentID     : EchoLife:HG850a
Ont autofind time   : 2009-10-24 14:59:10
-----------------------------------------------------------------------
huawei(config-if-gpon-0/5)#ont confirm 1 ontid 1 sn-auth 32303131D659FD40 omci ont-lineprofile-id 10 ont-srvprofile-id 10 desc HG850a
NOTE

- After the ONT is added, it is recommended that you run the display ont info command to
  query the ONT status. In this step, ensure that Config State of the ONT is normal and
  Match State is match.
- If the ONT state in the actual query result is different from the preceding description, run
  the display ont capability command to query the actual ONT capabilities, and then add a
  proper ONT profile and a proper ONT based on the queried ONT capabilities.

9. (Optional) Bind the alarm profile to the ONT.

The default alarm profile (profile 1) is adopted.
huawei(config-if-gpon-0/5)#ont alarm-profile 1 1 profile-id 1

10. Specify the VLAN for the ONT port.


ETH port 3 on the ONT is connected to the STB and the native VLAN of the port is
VLAN 30.
huawei(config-if-gpon-0/5)#ont port native-vlan 1 1 eth 3 vlan 30

11. Add a service port to the VLAN.


Configure the service port ID to 3, SVLAN ID to 1000, GEM port ID to 3, and CVLAN
ID to 30. Bind traffic profile 10 to the service port.
huawei(config-if-gpon-0/5)#quit
huawei(config)#service-port 3 vlan 1000 gpon 0/5/1 ont 1 gemport 3 multi-service user-vlan 30 rx-cttr 10 tx-cttr 10

12. Configure queue scheduling.


Use the 3PQ+5WRR queue scheduling. Queues 0-4 adopt the WRR mode, with the
weights of 10, 10, 20, 20, and 40 respectively; queues 5-7 adopt the PQ mode. Set the
priority of the IPTV service to 4 and adopt the WRR mode.
NOTE

Queue scheduling is a global configuration. You need to configure queue scheduling only once on
the OLT, and then the configuration takes effect globally. In the subsequent phases, you need not
configure queue scheduling repeatedly when configuring other services.
huawei(config)#queue-scheduler wrr 10 10 20 20 40 0 0 0

Configure the mapping between queues and 802.1p priorities. Priorities 0-7 map
queues 0-7 respectively.
huawei(config)#cos-queue-map cos0 0 cos1 1 cos2 2 cos3 3 cos4 4 cos5 5 cos6 6 cos7 7
NOTE

For the service board that supports only four queues, the mapping between 802.1p priorities and
queue IDs is as follows: priorities 0 and 1 map queue 1; priorities 2 and 3 map queue 2; priorities 4
and 5 map queue 3; priorities 6 and 7 map queue 4.

13. Create a multicast VLAN and select the IGMP mode.


Select the IGMP proxy mode.
huawei(config)#multicast-vlan 1000
huawei(config-mvlan1000)#igmp mode proxy
Are you sure to change IGMP mode?(y/n)[n]:y

14. Set the IGMP version.


Set the IGMP version of the multicast VLAN to IGMP v3.
huawei(config-mvlan1000)#igmp version v3

15. Configure an IGMP upstream port.


The IGMP upstream port is master aggregation port 0/17/0 and works in the default
mode, and protocol packets are transmitted to all the IGMP upstream ports in the
multicast VLAN.
huawei(config-mvlan1000)#igmp uplink-port 0/17/0
huawei(config-mvlan1000)#btv
huawei(config-btv)#igmp uplink-port-mode default
Are you sure to change the uplink port mode?(y/n)[n]:y

16. (Optional) Set the multicast global parameters.


In this example, the default settings are used for all the multicast global parameters.
17. Configure the program library.

Configure the IP address of the multicast program to 224.1.1.10, program name to
program1, and IP address of the program source to 10.10.10.10.
huawei(config-btv)#multicast-vlan 1000
huawei(config-mvlan1000)#igmp program add name program1 ip 224.1.1.10 sourceip 10.10.10.10

18. Configure the right profile.


Configure the profile name to profile0, with the right of watching program 1.
huawei(config-mvlan1000)#btv
huawei(config-btv)#igmp profile add profile-name profile0
huawei(config-btv)#igmp profile profile-name profile0 program-name program1 watch

19. Configure the multicast user.


Configure the user of service port 3 as a multicast user and bind the right profile named
profile0 to the service port.
huawei(config-btv)#igmp policy service-port 3 normal
huawei(config-btv)#igmp user add service-port 3 auth
huawei(config-btv)#igmp user bind-profile service-port 3 profile-name profile0
huawei(config-btv)#multicast-vlan 1000
huawei(config-mvlan1000)#igmp multicast-vlan member service-port 3
huawei(config-mvlan1000)#quit

20. Save the data.


huawei(config)#save

The ONT need not be configured.

----End

Result
The user can watch program 1 on the TV.

Configuration File
vlan 1000 smart
port vlan 1000 0/17 0
port vlan 1000 0/18 0
link-aggregation 0/17 0 0/18 0 egress-ingress workmode lacp-static
traffic table ip index 10 cir off priority 4 priority-policy tag-In-Packag
dba-profile add profile-id 30 type4 max 61440
ont-lineprofile gpon profile-id 10
tcont 3 dba-profile-id 30
gem add 3 eth tcont 3
mapping-mode vlan
gem mapping 3 2 vlan 30
commit
quit
ont-srvprofile gpon profile-id 10
ont-port eth 4 pots 2
port vlan eth 3 30
commit
quit
interface gpon 0/5
port 1 ont-auto-find enable
display ont autofind 1
ont confirm 1 ontid 1 sn-auth 32303131D659FD40 omci ont-lineprofile-id 10 ont-srvprofile-id 10
ont alarm-profile 1 1 profile-id 1
ont port native-vlan 1 1 eth 3 vlan 30
quit
service-port 3 vlan 1000 gpon 0/5/1 ont 1 gemport 3 multi-service user-vlan 30 rx-cttr 10 tx-cttr 10
queue-scheduler wrr 10 10 20 20 40 0 0 0
cos-queue-map cos0 0 cos1 1 cos2 2 cos3 3 cos4 4 cos5 5 cos6 6 cos7 7
multicast-vlan 1000
igmp mode proxy
igmp version v3
igmp uplink-port 0/17/0
btv
igmp uplink-port-mode default
multicast-vlan 1000
igmp program add name program1 ip 224.1.1.10 sourceip 10.10.10.10
btv
igmp profile add profile-name profile0
igmp profile profile-name profile0 program-name program1 watch
igmp policy service-port 3 normal
igmp user add service-port 3 auth
igmp user bind-profile service-port 3 profile-name profile0
multicast-vlan 1000
igmp multicast-vlan member service-port 3
quit
save
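
The service requirement that multicast users are authenticated depends on several statements in the configuration file agreeing with each other (program, rights profile, user, binding, multicast VLAN membership). The following check is an added example, not part of the Huawei guide; the function names are this example's own, the second sample configuration is constructed, and the no-auth keyword is assumed to be the unauthenticated counterpart of auth.

```python
import ipaddress
import re

# Multicast access-control lines of the guide's IPTV configuration file (section 9.5).
PAGE_CONFIG = """\
igmp program add name program1 ip 224.1.1.10 sourceip 10.10.10.10
igmp profile add profile-name profile0
igmp profile profile-name profile0 program-name program1 watch
igmp user add service-port 3 auth
igmp user bind-profile service-port 3 profile-name profile0
igmp multicast-vlan member service-port 3
"""

# Constructed variant with deliberate mistakes (not from the guide).
DRIFTED_CONFIG = """\
igmp program add name program1 ip 224.1.1.10 sourceip 10.10.10.10
igmp program add name program2 ip 10.1.1.20 sourceip 10.10.10.10
igmp profile add profile-name profile0
igmp profile profile-name profile0 program-name program9 watch
igmp user add service-port 3 auth
igmp user add service-port 4 no-auth
igmp user bind-profile service-port 3 profile-name profile7
igmp multicast-vlan member service-port 3
igmp multicast-vlan member service-port 4
igmp multicast-vlan member service-port 5
"""

PATTERNS = {
    "program": re.compile(r"igmp program add name (\S+) ip (\S+) sourceip (\S+)$"),
    "profile": re.compile(r"igmp profile add profile-name (\S+)$"),
    "grant": re.compile(r"igmp profile profile-name (\S+) program-name (\S+) (\S+)$"),
    "user": re.compile(r"igmp user add service-port (\d+) (auth|no-auth)$"),
    "bind": re.compile(r"igmp user bind-profile service-port (\d+) profile-name (\S+)$"),
    "member": re.compile(r"igmp multicast-vlan member service-port (\d+)$"),
}


def parse(config):
    """Collect the IGMP statements of interest; all other lines are ignored."""
    found = {kind: [] for kind in PATTERNS}
    for raw in config.splitlines():
        line = " ".join(raw.split())      # collapse extra whitespace
        line = line.split("#", 1)[-1]     # drop a CLI prompt such as huawei(config-btv)#
        for kind, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                found[kind].append(match.groups())
                break
    return found


def is_multicast(address):
    try:
        return ipaddress.ip_address(address).is_multicast
    except ValueError:
        return False


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse(config)
    programs = {name for name, _ip, _src in cfg["program"]}
    profiles = {name for (name,) in cfg["profile"]}
    users = dict(cfg["user"])    # service port -> auth | no-auth
    binds = dict(cfg["bind"])    # service port -> rights profile name
    findings = []

    for name, group_ip, _src in cfg["program"]:
        if not is_multicast(group_ip):
            findings.append(f"program {name}: {group_ip} is not a multicast group address")
    for profile, program, _right in cfg["grant"]:
        if profile not in profiles:
            findings.append(f"profile {profile}: rights set but profile never added")
        if program not in programs:
            findings.append(f"profile {profile}: refers to undefined program {program}")
    for port, mode in users.items():
        if mode == "no-auth":
            findings.append(f"service-port {port}: multicast user added with no-auth")
        elif port not in binds:
            findings.append(f"service-port {port}: auth user has no rights profile bound")
        elif binds[port] not in profiles:
            findings.append(f"service-port {port}: bound to undefined profile {binds[port]}")
    for (port,) in cfg["member"]:
        if port not in users:
            findings.append(f"service-port {port}: multicast VLAN member without igmp user add")
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(label, audit(text) or "OK")
```
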

10 FAQ

About This Chapter


FAQs analyze and answer the frequently asked questions of configuring the MA5600T device.
10.1 How to Query the MAC Addresses of the Online Users and the Ports That Provide the
Access for the Users in the MA5600T
10.2 How to Resolve the Issue of Unsuccessful Traffic Stream Configuration
10.3 How to Calculate the Remaining Bandwidth of a PON Port on the MA5600T
10.4 How to Change the Management IP Address and VLAN Remotely
10.5 How to Change the Rate of the User Port in a PON System
10.6 How to Realize the Communication Between Users on the Same Board
10.7 How to Select the Matched Hardware for Expanding the Bandwidth of the Upstream Port
10.8 How to Confirm an Upgraded Board

10.1 How to Query the MAC Addresses of the Online Users and the Ports That Provide the Access for the Users in the MA5600T
Question
How to query the MAC addresses of the online users and the ports that provide the access for
the users in the MA5600T?

Answer
Step 1 Run the display mac-address all command to query the MAC addresses of all the online users.
Step 2 Run the display location command to query the ports of the online users according to the
specified MAC addresses.
----End

10.2 How to Resolve the Issue of Unsuccessful Traffic Stream Configuration
Question
During traffic stream (service port) configuration, the system displays the following prompt
messages:
1. The resource of service is full on the port. The resource of service is full on the board.

2. The VLAN-TAG mode of the epon port does not support this operation.

3. Failure: The board does not support adding VLAN-RANGE service virtual port when the
VLAN-RANGE switch is disabled.

Answer
A service port, or a traffic stream, is a group of data with the same characteristics. The possible
causes for unsuccessful traffic stream configuration are as follows:
- The number of traffic streams reaches the maximum specification of an EPON board or a
  port.
- The restrictions on a certain type of traffic stream are not met.

The traffic stream classification will be described here for you to better understand the traffic
stream. Based on service features, EPON traffic streams can be classified into:
- Port-based traffic stream
- CVLAN-based traffic stream
- CoS-based traffic stream
- Ethernet type-based traffic stream
- VLAN-range traffic stream (or sub traffic stream)
- Other-all traffic stream

Issue 1 shows that the number of traffic streams reaches the maximum specification of the board
or port. This issue can be resolved by creating a VLAN-range traffic stream (also called raw
stream). The procedure is as follows:
1. Run the undo service-port command to delete one or multiple traffic streams.

2. For an EPBA board, run the port portid tag-based-vlan command to add a VLAN-based
tag to a port. For an EPBC/EPBD board, run the vlan-range enable command to enable
VLAN range.

3. Run the service-port [index] vlan vlanid epon FrameId/SlotId/PortId ont all multi-service
user-vlan user-vlanid to end-user-vlanid command to configure VLAN-range
traffic streams.
NOTE

During VLAN-range traffic stream configuration, the ONT is set to all and CVLAN IDs are set to a range.
A VLAN-range traffic stream occupies the specification of a traffic stream on a board or port but not the
specification of a traffic stream on an ONT. Services of all CVLANs in the range can match the VLAN-range
traffic stream. Therefore, traffic stream resources of a board or port can be maximally saved. Creating
VLAN-range traffic streams is a solution to insufficient traffic stream specification.

The VLAN-range stream feature has the following restrictions:
- VLAN-range traffic streams can add tags but cannot modify tags.
- The SVLAN of a VLAN-range traffic stream must be QinQ or stacking VLAN.
- The SVLAN forwarding mode of a VLAN-range traffic stream must be VLAN+MAC but
  not SVLAN+CVLAN.
- On the same PON port, the CVLAN tags of VLAN-range traffic streams and common
  traffic streams cannot be the same.
- The maximum number of learnable MAC addresses cannot be configured for a
  VLAN-range traffic stream.
- Static MAC addresses cannot be configured for a VLAN-range traffic stream.
- Multicast users cannot be added for a VLAN-range traffic stream.
- VLAN-range traffic streams do not support QoS.

The suggestions are as follows:
1. Use the VLAN range feature only when necessary.
2. It is recommended to use the feature of creating traffic streams in batches in a new
deployment or capacity expansion scenario.

Issue 2 occurs when a VLAN-range traffic stream is created on an EPBA board. The prerequisite
for creating a VLAN-range traffic stream on an EPBA board is to run the port tag-based-vlan
command to configure VLAN-based tagging.
Issue 3 occurs when a VLAN-range traffic stream is created. The prerequisite for creating a
VLAN-range traffic stream is to run the vlan-range command to enable the board to support
the creation of VLAN-range traffic streams. The issue is resolved after the board is enabled to
support the creation of VLAN-range traffic streams.

10.3 How to Calculate the Remaining Bandwidth of a PON Port on the MA5600T
Question
How to calculate the remaining bandwidth of a PON port on the MA5600T?

Answer
The remaining bandwidth of a PON port on the MA5600T cannot be calculated. When the
downstream packets exceed 2.5 G, excessive packets will be discarded. To limit the downstream
bandwidth of a specified service, refer to Configuring GPON Rate Limitation or Configuring
EPON Rate Limitation.
You can run a command to query the remaining upstream bandwidth of a PON port on the
MA5600T or manually calculate the remaining upstream bandwidth of a PON port on the
MA5600T.
- Run a command to query the remaining upstream bandwidth of a PON port:

Run the display port info (gpon) or display port info (epon) command to query the remaining
committed bandwidth of a port. The remaining bandwidth is 1164032 kbps.
When you run the display port state (gpon) or display port state (epon) command to query
the port status, the Available bandwidth parameter in the output result indicates the
available bandwidth of the port, that is, the actually available bandwidth. This value is a
dynamic value. In an actual network, although multiple ONTs may be configured for an
xPON port, some ONTs may not fully occupy their fixed bandwidth. The bandwidth
that is not occupied is the remaining bandwidth.

- Manually calculate the remaining upstream bandwidth of a PON port:

Run the display ont info (gpon) or display ont info (epon) command to query the related
information about the ONT of a port.
This port has four ONTs. ONT 1 has three service T-CONTs that are respectively bound
to DBA profiles 10, 10, and 20; ONT 2 has two service T-CONTs that are both bound
to DBA profile 10; ONT 3 has two service T-CONTs that are both bound to DBA profile
10; ONT 4 has one service T-CONT that is bound to DBA profile 10.
Run the display DBA-profile command to query the DBA profile.
The fixed bandwidth is 5 M for DBA profile 1, 6 M for DBA profile 10, and 5 M for
DBA profile 20.
Maximum upstream bandwidth of the PON port: 1244160 kbit/s = 19440 bytes.
Bandwidth reserved for emergency PLOAM messages of the OLT: (52 x 64) kbit/s =
52 bytes; PLOu bandwidth reserved for each ONT: 32 bytes. The bandwidth occupied
by each ONT is as follows:
NOTE

Each ONT has a default T-CONT 0 that is bound to DBA profile 1 by default for transmitting ONT
management messages. This T-CONT can be modified but cannot be deleted.

Service bandwidth of ONT 1:
<T-CONT 0> DBA Profile-ID:1 80 bytes
<T-CONT 1> DBA Profile-ID:10 96 bytes
<T-CONT 4> DBA Profile-ID:10 96 bytes
<T-CONT 5> DBA Profile-ID:20 80 bytes
Service bandwidth of ONT 2:
<T-CONT 0> DBA Profile-ID:1 80 bytes
<T-CONT 1> DBA Profile-ID:10 96 bytes
<T-CONT 4> DBA Profile-ID:10 96 bytes
Service bandwidth of ONT 3:
<T-CONT 0> DBA Profile-ID:1 80 bytes
<T-CONT 1> DBA Profile-ID:10 96 bytes
<T-CONT 4> DBA Profile-ID:10 96 bytes
Service bandwidth of ONT 4:
<T-CONT 0> DBA Profile-ID:1 80 bytes
<T-CONT 1> DBA Profile-ID:10 96 bytes
The remaining upstream bandwidth of the PON port is the difference between the total
upstream bandwidth and the occupied bandwidth. That is, Remaining upstream
bandwidth of the PON port = 19440 - 52 - 32 * 4 - 80 * 5 - 96 * 7 = 18188 bytes. 18188
bytes * 64 kbit/s = 1164032 kbps. This value is the same as the query result in the
command.
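
The manual calculation above, generalized to any set of ONTs and DBA profiles on one PON port. This is an added example, not part of the Huawei guide; the function and variable names are this example's own, and it assumes that the guide's "5 M" and "6 M" mean 5120 and 6144 kbit/s, which matches the 80-byte and 96-byte figures listed.

```python
# Constants taken from FAQ 10.3 of the guide.
KBPS_PER_BYTE = 64               # bandwidth is counted in units of 64 kbit/s ("bytes")
PORT_UPSTREAM_KBPS = 1244160     # maximum upstream bandwidth of the PON port
PLOAM_RESERVED_BYTES = 52        # reserved for emergency PLOAM messages of the OLT
PLOU_BYTES_PER_ONT = 32          # PLOu bandwidth reserved for each ONT
MGMT_TCONT, MGMT_PROFILE = 0, 1  # default T-CONT 0 is bound to DBA profile 1

# Fixed bandwidth per DBA profile in kbit/s (assumption: 1 M = 1024 kbit/s).
DBA_FIXED_KBPS = {1: 5120, 10: 6144, 20: 5120}

# ONT ID -> {T-CONT ID: DBA profile ID}; service T-CONTs as listed in the guide.
ONT_TCONTS = {
    1: {1: 10, 4: 10, 5: 20},
    2: {1: 10, 4: 10},
    3: {1: 10, 4: 10},
    4: {1: 10},
}


def kbps_to_bytes(kbps):
    """Convert kbit/s to the guide's byte units, rejecting non-multiples of 64."""
    if kbps % KBPS_PER_BYTE:
        raise ValueError(f"{kbps} kbit/s is not a multiple of {KBPS_PER_BYTE} kbit/s")
    return kbps // KBPS_PER_BYTE


def remaining_upstream(ont_tconts, dba_fixed_kbps, port_kbps=PORT_UPSTREAM_KBPS):
    """Return (remaining_bytes, remaining_kbps, per_ont_bytes) for one PON port."""
    per_ont = {}
    for ont_id, tconts in ont_tconts.items():
        # T-CONT 0 always exists; an explicit entry for it overrides the default
        # binding, because the guide says it can be modified but not deleted.
        bound = {MGMT_TCONT: MGMT_PROFILE, **tconts}
        total = 0
        for tcont_id, profile_id in bound.items():
            if profile_id not in dba_fixed_kbps:
                raise KeyError(
                    f"ONT {ont_id} T-CONT {tcont_id}: unknown DBA profile {profile_id}")
            total += kbps_to_bytes(dba_fixed_kbps[profile_id])
        per_ont[ont_id] = total

    used = (PLOAM_RESERVED_BYTES
            + PLOU_BYTES_PER_ONT * len(ont_tconts)
            + sum(per_ont.values()))
    remaining = kbps_to_bytes(port_kbps) - used
    if remaining < 0:
        raise ValueError(f"fixed bandwidth oversubscribed by {-remaining} bytes")
    return remaining, remaining * KBPS_PER_BYTE, per_ont


if __name__ == "__main__":
    rem_bytes, rem_kbps, per_ont = remaining_upstream(ONT_TCONTS, DBA_FIXED_KBPS)
    print(f"per-ONT fixed bandwidth (bytes): {per_ont}")
    print(f"remaining: {rem_bytes} bytes = {rem_kbps} kbit/s")
```
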

10.4 How to Change the Management IP Address and VLAN Remotely
Question
When the device is managed and maintained in the inband management mode, how to modify
the related configuration remotely if the IP address and the VLAN of the NMS are changed?

Answer
Step 1 Log in to the gateway where the MA5600T is located, and then run the telnet command to log
in to the MA5600T through the gateway.
Step 2 Run the display packet-filter or display firewall packet-filter statistics command to query
the ACL configuration. Make sure that the new IP address can access the device.
Step 3 Run the vlan command to create a management VLAN, run the port vlan command to add an
upstream port to the VLAN, and then run the interface vlanif command to enable the L3
interface of the VLAN. Then, run the ip address command to configure the management IP
address, and run the ip route-static command to add a route.
Step 4 Log out of the MA5600T. Run the ip address command to change the IP address of the gateway
interface to be in the same subnet as the new management IP address. Then, use the new
management IP address to log in to the device. Run the undo interface vlanif command to delete
the L3 interface of the original management VLAN, run the undo port vlan command to delete
the upstream port of the original management VLAN, and then run the undo vlan command to
delete the original management VLAN. Run the undo ip route-static command to delete the
original route.
Step 5 Run the save command to save the data, and then exit.
----End

10.5 How to Change the Rate of the User Port in a PON System
Question
How to change the rate of the user port in a PON system?

Answer
In a PON system, when the rate of the user port fails to meet the requirement, the possible causes
are as follows:
• The rate of the ONT port does not meet the requirement.
• The user bandwidth configured in the DBA profile is improper.

When the rate of the ONT port does not meet the requirement, run the ont port attribute
command to change the rate of the ONT port.

When the user bandwidth configured in the DBA profile is improper, do as follows:
1. Run the undo tcont command to unbind the T-CONT from the DBA profile.
2. Run the dba-profile modify command to change the user bandwidth configured in
the DBA profile.
3. Run the tcont command to bind the T-CONT to the DBA profile.
----End

10.6 How to Realize the Communication Between Users on the Same Board
Question
How to realize the communication between users on the same board, including users in the same
VLAN and in different VLANs?

Answer
When users are in different VLANs, user ports are isolated at L2. Therefore, even if users are
on the same board, they cannot directly communicate with each other at L2. To realize the
communication between users on the same board, users must belong to the same super VLAN,
and thus different sub VLANs can communicate with each other through the ARP proxy. That
is, through the L3 interface of the super VLAN, the services of different sub VLANs can be
forwarded at L3, and then users in the same super VLAN can communicate with each other.
Step 1 Create VLAN 20 and VLAN 30.
huawei(config)#vlan 20 smart
huawei(config)#vlan 30 smart

Step 2 Create super VLAN 40.


huawei(config)#vlan 40 super

Step 3 Add a sub VLAN 20 to super VLAN 40.


huawei(config)#supervlan 40 subvlan 20

Step 4 Add a sub VLAN 30 to super VLAN 40.


huawei(config)#supervlan 40 subvlan 30

Step 5 Enable the ARP proxy globally.


huawei(config)#arp proxy enable

Step 6 Enable the ARP proxy on VLAN L3 interface 40.


huawei(config)#interface vlanif 40
huawei(config-if-Vlanif40)#arp proxy enable

Step 7 Configure the IP address of VLAN L3 interface 40.


huawei(config-if-Vlanif40)#ip address 10.1.1.254 24

When only users in different VLANs need to communicate with each other, step 8 is not
required.
Step 8 Enable the ARP proxy on VLAN 20 and VLAN 30.
huawei(config-if-vlanif40)#arp proxy enable subvlan 20
huawei(config-if-vlanif40)#arp proxy enable subvlan 30

----End
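
Because every ARP proxy command in this procedure relaxes the default L2 isolation between user ports, it helps to audit which paths a given session actually opens. The following added example, which is not part of the original guide, parses the commands shown in steps 1 to 8 and reports the result per super VLAN. It assumes, following the procedure, that same-VLAN communication needs steps 5, 6 and 8 together; the function name and report keys are illustrative.

```python
import re

# Constructed session: the commands from steps 1-8 above, with step 8 applied
# to sub VLAN 20 only so that the two sub VLANs differ in the report.
SAMPLE = """\
huawei(config)#vlan 20 smart
huawei(config)#vlan 30 smart
huawei(config)#vlan 40 super
huawei(config)#supervlan 40 subvlan 20
huawei(config)#supervlan 40 subvlan 30
huawei(config)#arp proxy enable
huawei(config)#interface vlanif 40
huawei(config-if-Vlanif40)#arp proxy enable
huawei(config-if-Vlanif40)#ip address 10.1.1.254 24
huawei(config-if-vlanif40)#arp proxy enable subvlan 20
"""

def audit_supervlans(session):
    """Report, per super VLAN, which user-to-user paths the commands open."""
    kinds, subs, global_proxy = {}, {}, False
    if_proxy, sub_proxy = set(), set()
    for line in session.splitlines():
        prompt, _, cmd = line.partition("#")
        m = re.search(r"config-if-vlanif(\d+)", prompt, re.I)
        ctx = int(m.group(1)) if m else None      # vlanif the prompt is in
        w = cmd.split()
        if len(w) == 3 and w[0] == "vlan":
            kinds[int(w[1])] = w[2]
        elif len(w) == 4 and w[0] == "supervlan" and w[2] == "subvlan":
            subs.setdefault(int(w[1]), set()).add(int(w[3]))
        elif w[:3] == ["arp", "proxy", "enable"]:
            if ctx is None:
                global_proxy = True               # step 5
            elif len(w) == 3:
                if_proxy.add(ctx)                 # step 6
            elif len(w) == 5 and w[3] == "subvlan":
                sub_proxy.add((ctx, int(w[4])))   # step 8
    report = {}
    for vid, kind in kinds.items():
        if kind != "super":
            continue
        members = sorted(subs.get(vid, ()))
        l3 = global_proxy and vid in if_proxy     # steps 5 and 6 both present
        report[vid] = {
            "sub_vlans": members,
            "inter_vlan_open": l3 and len(members) > 1,
            "intra_vlan_open": [v for v in members if l3 and (vid, v) in sub_proxy],
        }
    return report
```

For the constructed session, the report shows that users in VLAN 20 and VLAN 30 can reach each other through Vlanif40, while same-VLAN communication is open only in VLAN 20.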

10.7 How to Select the Matched Hardware for Expanding the Bandwidth of the Upstream Port
Question
When the upstream bandwidth of the device is insufficient, how to expand the bandwidth by
changing the port type? Assume that the 2GE GICF upstream board is used in the
telecommunications room, and the upstream bandwidth is to be expanded to 4GE or higher.

Answer
Step 1 Confirm the supported boards: According to the board matching relation description in the
Release Notes, it can be confirmed that the GICD board supports upstream transmission through
the 4GE optical port, and the X1CA/X2CA board supports upstream transmission through the
10GE optical port.
NOTE

Assume that the GICD board is selected.

Step 2 Confirm the installation position of the board: According to the Hardware Description, you can
confirm the installation position of the GICD board.
Step 3 Confirm the cable required: According to the external ports of each board as described in
board in the Hardware Description, optical fibers are required for connecting the board to the
ODF.
Step 4 Install the selected board and optical fibers to expand the upstream bandwidth.
----End

10.8 How to Confirm an Upgraded Board


Question
After a board (newly added) is upgraded on a device, the board is not displayed in the software.
Or, the board status is displayed as Auto_find. In such cases, data cannot be configured on the
newly added board. So, how to add the board successfully?

Answer
A board can be added in two ways:
• Added offline. After you run the board add command to add a board to a vacant slot, the
system generates a board fault alarm. After that, insert the board into the corresponding
slot. If the type of the inserted board is the same as the type of the board added offline, the
system generates a board recovery alarm (alarm ID 0x02310000). If the board types do not
match, the system generates a non-match alarm (alarm ID 0x02300082).
• Auto-found. Insert the board into a vacant slot. When the system prompts that the board is
automatically found, you need to run the board confirm command to confirm the board.
NOTE

• To add a board successfully, make sure that the shelf ID and slot ID of the board added through the command
line interface (CLI) are the same as the actual shelf ID and slot ID of the board inserted manually.
• To add a board successfully, make sure that the type of the board added through the CLI is the same as the
actual board type.
