sx300 series switches maintenance guide

Sx300 Series Switches Maintenance Guide Issue 02 Date 2015-01-20 HUAWEI TECHNOLOGIES CO., LTD.


Post on 06-Nov-2015


  • Sx300 Series Switches

    Maintenance Guide

    Issue 02
    Date 2015-01-20

    HUAWEI TECHNOLOGIES CO., LTD.

  • Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.

    No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

    Trademarks and Permissions

    and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

    Notice

    The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

    The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

    Huawei Technologies Co., Ltd.
    Address: Huawei Industrial Base
             Bantian, Longgang
             Shenzhen 518129
             People's Republic of China
    Website: http://enterprise.huawei.com

    Issue 02 (2015-01-20) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

  • About This Document

    Intended Audience

    This document provides guidance for maintaining the S series switches, covering FAQ, common maintenance commands and preventive inspection guide, troubleshooting guide, typical troubleshooting cases, configuration notes, and prewarning.

    Maintenance personnel must have the following qualifications:
    - Be familiar with the current network topology and NE version information.
    - Have equipment maintenance experience and be familiar with equipment maintenance methods.

    Applicable Versions

    This document is applicable to V200R003 and earlier versions of the S series switches.

    Symbol Conventions

    The symbols that may be found in this document are defined as follows.

    Symbol Description
    - Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
    - Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
    - Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
    - Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
    - Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

    Change History

    Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.

    Issue  Release Date  Description
    02     2015-01-20    The second commercial release.
    01     2014-10-30    Initial official release.

  • 1 FAQ

    1.1 Hardware

    1.1.1 How Do I View the Transmit and Receive Optical Power of an Optical Module?
    1.1.2 How Do I Identify Combo Interfaces of a Switch?
    1.1.3 Why Are Only Two Optical Interfaces Displayed After a 4-Port Front subcard Is Installed in an S5300?
    1.1.4 When and How Should a Surge Protector Be Used on a Fixed Switch?
    1.1.5 What Are Similarities and Differences Between Console and Mini USB Interfaces?
    1.1.6 Are Subcards of Fixed Switches Hot Swappable?
    1.1.7 Can AC and DC Power Supplies Be Installed on the same Switch?
    1.1.8 Can a 10GE Optical Interface Use a GE Optical Module?
    1.1.9 Can a GE Optical Interface Use a 100M Optical Module?
    1.1.10 Can a GE Optical Interface Use a 10GE Optical Module?
    1.1.11 Which Product Models Support Copper Transceiver Modules?
    1.1.12 Can a GE Optical Interface Be Manually Configured as a 100M Interface to Work with Another 100M Optical Interface?
    1.1.13 Can Two GE Interfaces Be Connected Using a 100M Network Cable?

    1.1.1 How Do I View the Transmit and Receive Optical Power of an Optical Module?

    Run the display transceiver verbose command.

    1.1.1.1 In V100R006C03 or V100R006C05 of fixed or modular switches
    1.1.1.2 In V200R001 of fixed switches
    1.1.1.3 Modular Switch V200R001
    1.1.1.4 Fixed Switch V200R002&V200R003
    1.1.1.5 Modular Switch V200R002&V200R003

    1.1.1.1 In V100R006C03 or V100R006C05 of fixed or modular switches

    The RX Power(dBM) field in the command output indicates the receive power of the optical module, and the TX Power(dBM) field indicates the transmit power.

    display transceiver interface gigabitethernet 0/0/1 verbose
    GigabitEthernet0/0/1 transceiver information:
    -------------------------------------------------------------
    Common information:
      Transceiver Type               :1000_BASE_SX_SFP
      Connector Type                 :LC
      Wavelength(nm)                 :850
      Transfer Distance(m)           :300(50um),150(62.5um)
      Digital Diagnostic Monitoring  :YES
      Vendor Name                    :SumitomoElectric
      Vendor Part Number             :HFBR-5710L
      Ordering Name                  :
    -------------------------------------------------------------
    Manufacture information:
      Manu. Serial Number            :88K056C10353
      Manufacturing Date             :2008-08-08
      Vendor Name                    :SumitomoElectric
    -------------------------------------------------------------
    Diagnostic information:    //The diagnostic information is displayed only in V100R006C03.
      Temperature(C)                 :26.00
      Temp High Threshold(C)         :85.00
      Temp Low Threshold(C)          :-40.00
      Voltage(V)                     :3.29
      Volt High Threshold(V)         :3.64
      Volt Low Threshold(V)          :2.95
      Bias Current(mA)               :4.57
      Bias High Threshold(mA)        :9.00
      Bias Low Threshold(mA)         :2.00
      RX Power(dBM)                  :-40.00
      RX Power High Threshold(dBM)   :0.00
      RX Power Low Threshold(dBM)    :-16.99
      TX Power(dBM)                  :-5.03
      TX Power High Threshold(dBM)   :-2.22
      TX Power Low Threshold(dBM)    :-6.99
    -------------------------------------------------------------
    User information:
      THIS_IS_A_TEST
    -------------------------------------------------------------
    Diagnostic information:
      Temperature(C)                        :40.21
      Temp High Warning Threshold(C)        :93.00
      Temp Low Warning Threshold(C)         :-30.00
      Temp High Alarm Threshold(C)          :110.00
      Temp Low Alarm Threshold(C)           :-40.00

      Voltage(V)                            :3.26
      Volt High Warning Threshold(V)        :3.70
      Volt Low Warning Threshold(V)         :2.90
      Volt High Alarm Threshold(V)          :3.90
      Volt Low Alarm Threshold(V)           :2.70

      Bias Current(mA)                      :23.78
      Bias High Warning Threshold(mA)       :70.00
      Bias Low Warning Threshold(mA)        :4.00
      Bias High Alarm Threshold(mA)         :80.00
      Bias Low Alarm Threshold(mA)          :2.00

      RX Power(dBM)                         :-31.10
      RX Power High Warning Threshold(dBM)  :-1.00
      RX Power Low Warning Threshold(dBM)   :-20.00
      RX Power High Alarm Threshold(dBM)    :0.75
      RX Power Low Alarm Threshold(dBM)     :-23.97

      TX Power(dBM)                         :-5.78
      TX Power High Warning Threshold(dBM)  :-1.00
      TX Power Low Warning Threshold(dBM)   :-11.50
      TX Power High Alarm Threshold(dBM)    :0.99
      TX Power Low Alarm Threshold(dBM)     :-13.50
    -------------------------------------------------------------

    1.1.1.2 In V200R001 of fixed switches

    The RX Power(dBM) field in the command output indicates the receive power of the optical module, and the TX Power(dBM) field indicates the transmit power.

    display transceiver interface gigabitethernet 0/0/1 verbose
    Gigabitethernet0/0/1 transceiver information:
    -------------------------------------------------------------
    Common information:
      Transceiver Type               :OC3_INTER_REACH_SFP
      Connector Type                 :LC
      Wavelength(nm)                 :1310
      Transfer Distance(m)           :15000(9um)
      Digital Diagnostic Monitoring  :YES
      Vendor Name                    :HUAWEI
      Vendor Part Number             :34060358
      Ordering Name                  :
    -------------------------------------------------------------
    Manufacture information:
      Manu. Serial Number            :EH1048220807
      Manufacturing Date             :2010-12-06
      Vendor Name                    :HUAWEI
    -------------------------------------------------------------
    Alarm information:
      RX loss of signal
      RX power low
    -------------------------------------------------------------
    Diagnostic information:
      Temperature(C)                 :26.00
      Temp High Threshold(C)         :85.00
      Temp Low Threshold(C)          :-40.00
      Voltage(V)                     :3.29
      Volt High Threshold(V)         :3.64
      Volt Low Threshold(V)          :2.95
      Bias Current(mA)               :4.57
      Bias High Threshold(mA)        :9.00
      Bias Low Threshold(mA)         :2.00
      RX Power(dBM)                  :-40.00
      RX Power High Threshold(dBM)   :0.00
      RX Power Low Threshold(dBM)    :-16.99
      TX Power(dBM)                  :-5.03
      TX Power High Threshold(dBM)   :-2.22
      TX Power Low Threshold(dBM)    :-6.99
    -------------------------------------------------------------

    1.1.1.3 Modular Switch V200R001

    The Current Rx Power(dBM) field in the command output indicates the current receive power of the optical module, and the Current Tx Power(dBM) field indicates the current transmit power.

    display transceiver interface gigabitethernet 3/1/4 verbose
    GigabitEthernet3/1/4 transceiver information:
    -------------------------------------------------------------
    Common information:
      Transceiver Type               :OC3_INTER_REACH_SFP
      Connector Type                 :LC
      Wavelength(nm)                 :1310
      Transfer Distance(m)           :15000(9um)
      Digital Diagnostic Monitoring  :YES
      Vendor Name                    :HUAWEI
      Vendor Part Number             :34060358
      Ordering Name                  :
    -------------------------------------------------------------
    Manufacture information:
      Manu. Serial Number            :EH1048220807
      Manufacturing Date             :2010-12-06
      Vendor Name                    :HUAWEI
    -------------------------------------------------------------
    Alarm information:
      RX loss of signal
      RX power low
    -------------------------------------------------------------
    Diagnostic information:
      Temperature(C)                         :18
      Voltage(V)                             :3.32
      Bias Current(mA)                       :8.12
      Bias High Threshold(mA)                :27.34
      Bias Low Threshold(mA)                 :2.17
      Current Rx Power(dBM)                  :-30.00
      Default Rx Power High Threshold(dBM)   :0.00
      Default Rx Power Low Threshold(dBM)    :-16.99
      Current Tx Power(dBM)                  :-4.42
      Default Tx Power High Threshold(dBM)   :0.00
      Default Tx Power Low Threshold(dBM)    :-9.50
      User Set Rx Power High Threshold(dBM)  :0.00
      User Set Rx Power Low Threshold(dBM)   :-16.99
      User Set Tx Power High Threshold(dBM)  :0.00
      User Set Tx Power Low Threshold(dBM)   :-9.50
    -------------------------------------------------------------

    1.1.1.4 Fixed Switch V200R002&V200R003

    The RX Power(dBM) field in the command output indicates the receive power of the optical module, and the TX Power(dBM) field indicates the transmit power.

    display transceiver interface gigabitethernet 0/0/1 verbose
    Gigabitethernet0/0/1 transceiver information:
    -------------------------------------------------------------
    Common information:
      Transceiver Type               :1000_BASE_SX_SFP
      Connector Type                 :LC
      Wavelength(nm)                 :850
      Transfer Distance(m)           :300(50um),150(62.5um)
      Digital Diagnostic Monitoring  :YES
      Vendor Name                    :SumitomoElectric
      Vendor Part Number             :HFBR-5710L
      Ordering Name                  :
    -------------------------------------------------------------
    Manufacture information:
      Manu. Serial Number            :88K056C10353
      Manufacturing Date             :2008-08-08
      Vendor Name                    :SumitomoElectric
    -------------------------------------------------------------
    Diagnostic information:
      Temperature(C)                 :26.00
      Temp High Threshold(C)         :85.00
      Temp Low Threshold(C)          :-40.00
      Voltage(V)                     :3.29
      Volt High Threshold(V)         :3.64
      Volt Low Threshold(V)          :2.95
      Bias Current(mA)               :4.57
      Bias High Threshold(mA)        :9.00
      Bias Low Threshold(mA)         :2.00
      RX Power(dBM)                  :-40.00
      RX Power High Threshold(dBM)   :0.00
      RX Power Low Threshold(dBM)    :-16.99
      TX Power(dBM)                  :-5.03
      TX Power High Threshold(dBM)   :-2.22
      TX Power Low Threshold(dBM)    :-6.99
    -------------------------------------------------------------

    1.1.1.5 Modular Switch V200R002&V200R003

    The Current Rx Power(dBM) field in the command output indicates the current receive power of the optical module, and the Current Tx Power(dBM) field indicates the current transmit power.

    display transceiver interface gigabitethernet 3/0/0 verbose
    GigabitEthernet3/0/0 transceiver information:
    -------------------------------------------------------------
    Common information:
      Transceiver Type               :1000_BASE_SX_SFP
      Connector Type                 :LC
      Wavelength(nm)                 :850
      Transfer Distance(m)           :500(50um),300(62.5um)
      Digital Diagnostic Monitoring  :YES
      Vendor Name                    :FINISAR CORP.
      Vendor Part Number             :FTLF8519P2BNL-HW
      Ordering Name                  :
    -------------------------------------------------------------
    Manufacture information:
      Manu. Serial Number            :PEP3L5D
      Manufacturing Date             :2008-12-05
      Vendor Name                    :FINISAR CORP.
    -------------------------------------------------------------
    Alarm information:
      TX power low
    -------------------------------------------------------------
    Diagnostic information:
      Temperature(C)                         :39
      Voltage(V)                             :3.31
      Bias Current(mA)                       :6.59
      Bias High Threshold(mA)                :10.50
      Bias Low Threshold(mA)                 :2.50
      Current Rx Power(dBM)                  :-2.23
      Default Rx Power High Threshold(dBM)   :3.01
      Default Rx Power Low Threshold(dBM)    :-15.02
      Current Tx Power(dBM)                  :-2.45
      Default Tx Power High Threshold(dBM)   :3.01
      Default Tx Power Low Threshold(dBM)    :-9.00
      User Set Rx Power High Threshold(dBM)  :3.01
      User Set Rx Power Low Threshold(dBM)   :-15.02
      User Set Tx Power High Threshold(dBM)  :3.01
      User Set Tx Power Low Threshold(dBM)   :-9.00
    -------------------------------------------------------------
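    The following Python parser is an added example, not part of the Huawei guide: it reads saved display transceiver verbose output in the three field layouts shown in 1.1.1.1 to 1.1.1.5 and reports RX/TX power readings that fall outside the displayed thresholds. The function names are hypothetical, the sample text is trimmed from the outputs on this page, and two rules are assumptions: a threshold with no Warning/Alarm qualifier is treated as alarm level, and a User Set threshold overrides the Default one.

```python
import re

# Matches "Name :value" lines whose value is a plain number; dates, distance
# lists and text values do not match and are skipped.
_NUMERIC_FIELD = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>-?\d+(?:\.\d+)?)\s*$")

# Diagnostic fields trimmed from the sample outputs on this page.
FIXED_V200 = """\
Diagnostic information:
  RX Power(dBM)                     :-40.00
  RX Power High Threshold(dBM)      :0.00
  RX Power Low Threshold(dBM)       :-16.99
  TX Power(dBM)                     :-5.03
  TX Power High Threshold(dBM)      :-2.22
  TX Power Low Threshold(dBM)       :-6.99
"""
WARN_ALARM = """\
  RX Power(dBM)                         :-31.10
  RX Power High Warning Threshold(dBM)  :-1.00
  RX Power Low Warning Threshold(dBM)   :-20.00
  RX Power High Alarm Threshold(dBM)    :0.75
  RX Power Low Alarm Threshold(dBM)     :-23.97
  TX Power(dBM)                         :-5.78
  TX Power High Warning Threshold(dBM)  :-1.00
  TX Power Low Warning Threshold(dBM)   :-11.50
  TX Power High Alarm Threshold(dBM)    :0.99
  TX Power Low Alarm Threshold(dBM)     :-13.50
"""
MODULAR_V200 = """\
  Current Rx Power(dBM)                  :-2.23
  Default Rx Power High Threshold(dBM)   :3.01
  Default Rx Power Low Threshold(dBM)    :-15.02
  Current Tx Power(dBM)                  :-2.45
  Default Tx Power High Threshold(dBM)   :3.01
  Default Tx Power Low Threshold(dBM)    :-9.00
  User Set Rx Power High Threshold(dBM)  :3.01
  User Set Rx Power Low Threshold(dBM)   :-15.02
  User Set Tx Power High Threshold(dBM)  :3.01
  User Set Tx Power Low Threshold(dBM)   :-9.00
"""


def parse_fields(output):
    """Map lower-cased field names to floats for every numeric field.

    If one capture holds several diagnostic blocks, the last value wins,
    so pass one block at a time."""
    fields = {}
    for line in output.splitlines():
        m = _NUMERIC_FIELD.match(line)
        if m:
            name = " ".join(m.group("name").lower().split())
            fields[name] = float(m.group("value"))
    return fields


def thresholds(fields, direction):
    """Return {(level, bound): dBm} for direction 'rx' or 'tx'."""
    pattern = re.compile(
        rf"(?:(default|user set) )?{direction} power (high|low)"
        rf"(?: (warning|alarm))? threshold\(dbm\)"
    )
    limits = {}
    # Assumption: "user set" entries are applied last so they override defaults.
    for name in sorted(fields, key=lambda n: n.startswith("user set")):
        m = pattern.fullmatch(name)
        if m:
            # Assumption: an unqualified threshold counts as alarm level.
            limits[(m.group(3) or "alarm", m.group(2))] = fields[name]
    return limits


def check_power(output):
    """Return (direction, level, bound, reading, limit) for each violation."""
    fields = parse_fields(output)
    findings = []
    for direction in ("rx", "tx"):
        current = next((v for k, v in fields.items()
                        if re.fullmatch(rf"(?:current )?{direction} power\(dbm\)", k)), None)
        if current is None:
            continue  # no reading for this direction in the output
        limits = thresholds(fields, direction)
        for level in ("alarm", "warning"):  # report the most severe level only
            low, high = limits.get((level, "low")), limits.get((level, "high"))
            if low is not None and current < low:
                findings.append((direction.upper(), level, "low", current, low))
                break
            if high is not None and current > high:
                findings.append((direction.upper(), level, "high", current, high))
                break
    return findings


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_V200), ("warn/alarm", WARN_ALARM),
                          ("modular", MODULAR_V200)):
        print(label, check_power(sample))
```

    In the modular-switch sample in 1.1.1.5, the Alarm information block reports TX power low while the Current Tx Power reading lies inside the displayed thresholds, so the alarm block is worth collecting alongside these fields.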

    1.1.2 How Do I Identify Combo Interfaces of a Switch?

    A combo interface is a dual-purpose interface consisting of an Ethernet optical interface and an Ethernet electrical interface on the panel. The electrical and optical interfaces of a combo interface are multiplexed, and only one of them can work at a time.

    NOTE

    In V100R003 and earlier versions, a combo interface works as an optical interface by default.

    In V100R005 and later versions, a combo interface works in auto mode by default and automatically determines the interface type depending on whether the optical interface has an optical module installed:
    - If the optical interface has no optical module installed and the electrical interface has no network cable connected, the interface type depends on which interface is connected first. If the electrical interface is connected by a network cable first, the electrical interface is used for data switching. If the optical interface has an optical module installed first, the optical interface is used for data switching.
    - If the electrical interface has a network cable connected and is in Up state, the electrical interface is still used for data switching when the optical interface has an optical module installed.
    - If the optical interface has an optical module installed, it is still used for data switching when the electrical interface has a network cable connected, regardless of whether the optical interface is in Up state.
    - If the optical interface has an optical module installed (with optical fibers connected) and the electrical interface has a network cable connected, the optical interface is used for data switching after the switch restarts.

    You can use the combo-port command to configure a combo interface to work as an electrical or optical interface.

    You can use the following methods to identify a combo interface on a switch:
    - Identify a combo interface based on the interface identifier on the switch panel. If two interfaces have the same ID but connect to different transmission media, the two interfaces are multiplexed as a combo interface. As shown in Figure 1-1, interfaces 1 and 2 are combo interfaces.

      Figure 1-1 Combo interfaces on a switch

    - Run the display interface command to check whether an interface is a combo interface.

      display interface gigabitethernet 1/0/1
      ...
      IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9e80-2494
      Port Mode: COMBO AUTO
      Speed : 100, Loopback: NONE

    1.1.3 Why Are Only Two Optical Interfaces Displayed After a 4-Port Front subcard Is Installed in an S5300?

    This is because no extended channel rear card is installed in the switch.

    An S5300SI or S5300EI switch can provide only two optical interfaces for front subcard. If a 4-port front subcard is installed, the switch must use an ES5D00ETPB00 extended channel rear subcard to provide the other two interfaces. Without an extended channel rear subcard, only two optical interfaces are displayed.
    - If a 4-port GE front subcard (LS5D00E4GF01/LS5D0E4GFA00) and an ES5D00ETPC00 rear stack card (working normally) are used together in a switch, only the first and second interfaces on the front card can work normally, and the other two interfaces cannot be used.
    - If a 4-port 10GE front subcard (LS5D00E4XY01) and an ES5D00ETPC00 rear stack card (working normally) are used together in a switch, only the first and third interfaces on the front subcard can work normally, and the other two interfaces cannot be used.

    NOTE

    The available interfaces on the LS5D00E4XY01 front subcard are displayed as XGigabitEthernet */1/1 and XGigabitEthernet */1/2 on the CLI, corresponding to physical interfaces 1 and 3 on the front subcard. * indicates a slot ID on the switch.

    1.1.4 When and How Should a Surge Protector Be Used on a Fixed Switch?

    Common Causes of Lightning Strikes

    - Outdoor network cables or power cables are routed overhead.
    - A switch is deployed outdoors but is not properly grounded.

    Damages of Lightning Strikes

    - If power cables of a switch are routed overhead in an outdoor environment, lightning strikes may burn the power supplies.
    - If network cables of a switch are routed overhead in an outdoor environment, lightning strikes may burn interfaces of the switch.

    When a switch undergoes lightning strikes, overvoltage is induced by lightning on network cables and transmitted to the interior of the chassis. Surge protection measures such as a lightning rod and chassis grounding cannot prevent the damage. Therefore, surge protectors or surge protection circuits are recommended.

    Surge Protector Use Precautions

    Take the following precautions to protect a switch from lightning:
    - Ensure that the ground cable is connected to a ground bar or a ground point on the cabinet.
    - Avoid routing cables overhead in an outdoor environment. Bury cables underground or route them in steel tubes.
    - To protect network interfaces against lightning, use 8-line surge protectors (or Huawei certified 4-line surge protectors).
    - When installing a network interface surge protector, connect the IN end to terminals and the OUT end to network interfaces of the switch.

    If a fixed switch is installed in a network box, as shown in Figure 1-2, follow these instructions:
    - Connect the ground cables of the switch and surge protectors to the ground bar in the network box.
    - The maximum length of a ground cable cannot exceed 40 cm, and a length of smaller than 15 cm is recommended.
    - If the network box is located outdoors and power cables are routed aerially over a long distance (more than 300 m) to the network box, it is recommended that you install a power supply surge protector in the network box. The decoupled power cable must be at least 3 m long.

    Figure 1-2 Cable connection in a network box

    1.1.5 What Are Similarities and Differences Between Console and Mini USB Interfaces?

    The console interface can be connected to an operation terminal for onsite configuration. It must be used with a console cable. After a switch is powered on for the first time, you need to log in to the switch through the console interface to configure the switch.

    The Mini USB interface is also used to connect an operation terminal to the switch. The Mini USB and console interfaces are logically the same interface. Only one of the Mini USB and console interfaces can be used at a time. The Mini USB interface is preferred.

    1.1.6 Are Subcards of Fixed Switches Hot Swappable?

    Subcards of the S5300-SI and S5300-EI are not hot swappable. Subcards of the S3300-HI, S5300-HI, and S5310-EI are hot swappable.

  • 1.1.7 Can AC and DC Power Supplies Be Installed on the same Switch?

    Fixed Switches

    Product Type       Model               Can AC and DC Power Supplies Be Installed on the same Switch?
    S3300/S5300/S6300  S3326C-HI           Yes
                       S5310-28C-EI        Yes
                       S5310-52C-EI        Yes
                       S5328C-HI           Yes
                       S5328C-HI-24S       Yes
                       S3300-52P-EI        Yes
                       S5300-EI (non-PoE)  No
                       S5300-SI (non-PoE)  No
                       S6300               No

    Modular Switches

    AC and DC power supplies cannot be installed in the slots of the same type on the same switch, and the power supplies of different power cannot be installed on the same switch.

    1.1.8 Can a 10GE Optical Interface Use a GE Optical Module?

    Fixed Switches

    10GE XFP interfaces cannot use GE optical modules. Only 10GE SFP+ interfaces on certain switch models and versions can use GE optical modules. For details, see Table 1-1.

    Table 1-1 10GE interface support for GE optical modules

    Series    Support for 10GE Interface              Support for GE Optical Module on 10GE Optical Interface

    S2300     Not supported                           NA
    S2350
    S3300

    S5300-LI  Supported (fixed interfaces of the      Supported
              models with an X in product names,
              for example, S5300-28X-LI-AC)

    S5300-SI  Supported by all models except the TP   Supported
              models (10GE interface cards)

    S5300-EI  Supported (10GE interface cards)        Not supported

    S5300-HI  Supported (10GE interface cards)        Supported

    S5310-EI  Supported (fixed interfaces or          Supported
              interfaces on 10GE interface cards)

    S6300     Supported (fixed interfaces)            Supported
                                                      On the S6300 of V100R006C00SPC800, when a GE optical
                                                      module is installed on a 10GE optical interface, the
                                                      interface speed automatically changes to 1000 Mbit/s
                                                      and the interface works in non-auto-negotiation mode.
                                                      If the 10GE interface connects to a GE interface, the
                                                      GE interface must also work in non-auto-negotiation
                                                      mode. Otherwise, the two interfaces cannot go Up.
                                                      After patch V100R006SPH005 is loaded, the 10GE optical
                                                      interface with a GE optical module installed can be
                                                      switched to the auto-negotiation mode using the
                                                      negotiation auto command. The interface can then
                                                      communicate with an optical interface that works at
                                                      1000 Mbit/s in auto-negotiation mode.
                                                      In versions later than V100R006C00SPC800, a 10GE
                                                      interface automatically works at 1000 Mbit/s in
                                                      auto-negotiation mode after a GE optical module is
                                                      installed.

    Modular Switches

    10GE interfaces on the following cards support GE optical modules:
    - S9300: LE0DX16SFC00, LE0DX40SFC00
    - S9300E: LE0DX16SFC00, LE0DX40SFC00, LE2D2X48SEC0

    NOTE

    You are not advised to install a low-speed optical module on a high-speed optical interface.

    1.1.9 Can a GE Optical Interface Use a 100M Optical Module?

    Fixed Switches

    Whether a GE interface can use a 100M optical module depends on device models and software version, as shown in Table 1-2.

    Table 1-2 GE interface support for 100M optical modules

    Series    Support for GE Optical Interface    Support for 100M Optical Module on GE Optical Interface

    S2300     Supported (fixed interfaces)        Supported only on combo optical interfaces
                                                  and 100/1000BASE-X optical interfaces

    S2350     Supported (fixed interfaces)        Supported only on combo optical interfaces

    S3300     Supported (fixed interfaces)        Supported only on combo optical interfaces
                                                  and 100/1000BASE-X optical interfaces

    S5300-LI  Supported (fixed interfaces)        Supported only on combo optical interfaces
                                                  and 100/1000BASE-X optical interfaces

    S5300-SI  Supported (fixed interfaces or      Supported only on combo optical interfaces
    S5300-EI  interfaces on GE interface cards)   and 100/1000BASE-X optical interfaces, not
                                                  on interface cards

    S5300-HI  Supported (fixed interfaces or      Supported only on 100/1000BASE-X optical
              interfaces on GE interface cards)   interfaces, not on interface cards

    S5310-EI  Supported (fixed interfaces or      Supported only on combo optical interfaces,
              interfaces on GE interface cards)   not on interface cards

    S6300     10GE interfaces can be configured   Not supported
              as GE interfaces

    Modular Switches

    All GE optical interfaces on modular switches support 100M optical modules.

    NOTE

    You are not advised to install a low-speed optical module on a high-speed optical interface.

  • 1.1.10 Can a GE Optical Interface Use a 10GE Optical Module?

    GE optical ports of the switch cannot use 10GE optical modules. Similarly, 100M optical ports cannot use GE optical modules.

    1.1.11 Which Product Models Support Copper Transceiver Modules?

    Fixed Switches

    Huawei fixed switches support only one type of copper transceiver module: SFP-1000BaseT, a GE copper transceiver module that has been certified by Huawei.

    Table 1-3 describes the fixed switches' support for copper transceiver modules.

    Table 1-3 Fixed switches' support for copper transceiver modules

    Series    Support for GE Copper Transceiver Module

    S2300     Not supported

    S2350     Supported on all optical interfaces except the combo optical interfaces

    S3300     Not supported

    S5300-LI  Supported on all optical interfaces except the combo optical interfaces, in V200R002C00 and later versions

    S5300-SI  Supported on all optical interfaces except the combo optical interfaces
              NOTE
              10GE interface cards are supported in V200R002C00 and later versions.
              When interfaces on a GE interface card use GE copper transceiver modules, the interfaces can go Up, but the commands used for configuring the interface speed, duplex mode, auto-negotiation, MDI, flow control, and virtual cable test cannot be used on the interfaces.

    S5300-EI  Supported on all optical interfaces except the combo optical interfaces and interfaces on 10GE interface cards
              NOTE
              When interfaces on a GE interface card use GE copper transceiver modules, the interfaces can go Up, but the commands used for configuring the interface speed, duplex mode, auto-negotiation, MDI, flow control, and virtual cable test cannot be used on the interfaces.

    S5300-HI  Supported on all optical interfaces
              NOTE
              10GE interface cards are supported in V200R002C00 and later versions.
              When interfaces on a GE interface card use GE copper transceiver modules, the interfaces can go Up, but the commands used for configuring the interface speed, duplex mode, auto-negotiation, MDI, flow control, and virtual cable test cannot be used on the interfaces.

    S5310-EI  Supported on all optical interfaces except the combo optical interfaces, in V200R002C00 and later versions

    S6300     Supported on all optical interfaces, in V200R001C01 and later versions

    Modular Switches

    GE copper transceiver modules can be used on all GE optical interface cards and the 10GE optical interface cards that support GE optical modules.

    GE optical interface cards of modular switches support only Huawei-certified copper transceiver modules. When non-Huawei-certified copper transceiver modules are installed on interfaces of Huawei switches, the interfaces still work as optical interfaces.

    1.1.12 Can a GE Optical Interface Be Manually Configured as a 100M Interface to Work with Another 100M Optical Interface?

    It depends on the installed optical module. However, this method is not recommended even if it is feasible.

    1.1.13 Can Two GE Interfaces Be Connected Using a 100M Network Cable?

    In V100R006SPC800 and later versions, switch interfaces cannot work at a lower speed through auto-negotiation by default. If two GE interfaces are connected using a 100M network cable (Category-4 or lower category cable), the interface speed cannot be negotiated as 100 Mbit/s and the two interfaces are in Down state. You can manually set the speed of the two interfaces to 100 Mbit/s or replace the 100M network cable with a 1000M cable.

    1.2 DHCP

    1.2.1 What are functions of DHCP?
    1.2.2 How Do I Configure a DHCP Server?
    1.2.3 How Do I Configure the DHCP Relay Agent?
    1.2.4 How Do I Configure DHCP Snooping?
    1.2.5 How Do I Maintain DHCP?
    1.2.6 How Can I Use the Extended DHCP Functions?
    1.2.7 How Does a Switch Support DHCP?

    1.2.1 What are functions of DHCP?

    Dynamic Host Configuration Protocol (DHCP) dynamically manages and configures user IP addresses based on the client/server model. DHCP clients request network configuration parameters from a DHCP server, and the DHCP server returns the parameters (including IP addresses, subnet masks, and default gateway addresses) according to configured policies. DHCP supports Option fields. For details about Option fields, see RFC2132.

    The DHCP protocol structure involves the following roles:

    - DHCP Server
      A DHCP server processes requests for address allocation, address renewal, and address release from DHCP clients or DHCP relay agents, and allocates IP addresses and other network configuration parameters to DHCP clients.

    - DHCP Relay
      A DHCP relay agent forwards DHCP packets between clients and server to help them complete address configuration. The request packets sent by DHCP clients are broadcast on the network. If the server and client are located on different links, the DHCP relay agent is required to forward packets between the server and client. It is unnecessary to deploy a DHCP server on each network segment. Therefore, network deployment costs are reduced and centralized device management is implemented.
      The DHCP relay agent is optional in a DHCP protocol structure. It is required only when DHCP clients and server are on different network segments.

    - DHCP Client
      DHCP clients obtain IP addresses and other network configuration parameters by exchanging DHCP packets with the DHCP server. After the DHCP client function is configured on an interface, the interface can function as a DHCP client to dynamically obtain configuration parameters such as an IP address from a DHCP server. This facilitates device configurations and centralized management.

    1.2.2 How Do I Configure a DHCP Server?
    A switch functioning as a DHCP server can allocate IP addresses to clients in either of the following methods:
    - Allocating IP addresses using a global address pool
      An IP address pool is created in the system view on a DHCP server. In the interface view, the server is configured to allocate IP addresses, gateway addresses, and DNS server addresses to clients based on the global address pool.
    - Allocating IP addresses using an interface address pool
      An IP address pool is created in the interface view on a DHCP server. In the interface view, the server is configured to allocate IP addresses, gateway addresses, and DNS server addresses to clients based on the interface address pool.

    NOTE

    In the preceding configurations, the interface can be a VLANIF interface or a physical interface working in Layer 3 mode. Since V200R005C00, the physical interfaces working in Layer 3 mode have supported the preceding configurations.

    Depending on creation methods, address pools are classified into interface address pools and global address pools.
    - Interface address pool
      An IP address is allocated to the interface of the server connecting to clients. The address pool is on the same network segment as the interface address, and the IP addresses in the address pool can only be allocated to the clients connected to this interface. This method is applicable only when the DHCP clients and server are on the same network segment. For example, when a switch functions as a DHCP server, the switch can allocate IP addresses to only the clients connected to one interface or allocate IP addresses of different network segments to clients on different interfaces.
    - Global address pool
      An address pool of the specified network segment is created in the system view. The IP addresses in the address pool can be allocated to the clients connected to all interfaces on the server. This method is applicable when:
      - The DHCP server and clients are on different network segments, and a DHCP relay agent is deployed.
      - The DHCP server and clients are on the same network segment, and the server needs to allocate IP addresses to only the clients connected to one interface or allocate IP addresses of different network segments to clients on different interfaces.

    As shown in Figure 1-3, the switch functions as a DHCP server to allocate IP addresses and a DNS address to the PC. Both the global and interface address pools can be used in this scenario.

    Figure 1-3 A switch functions as a DHCP server

    - Configure the DHCP server to use a global address pool:
      1. Create an IP address pool.
         <HUAWEI> system-view
         [HUAWEI] ip pool 1 //Create an IP address pool.
         [HUAWEI-ip-pool-1] network 10.10.10.0 mask 255.255.255.0 //Configure a network segment.
         [HUAWEI-ip-pool-1] gateway-list 10.10.10.1 //Configure the gateway address.
         [HUAWEI-ip-pool-1] excluded-ip-address 10.10.10.10 10.10.10.50 //Configure reserved IP addresses.
         [HUAWEI-ip-pool-1] dns-list 10.8.8.8 //Configure a DNS server address.
         [HUAWEI-ip-pool-1] lease day 0 hour 8 minute 0 //Configure the lease period.
         [HUAWEI-ip-pool-1] quit
      2. Enable the DHCP function.
         [HUAWEI] dhcp enable //Enable DHCP globally.
      3. Enable DHCP server on VLANIF10 and configure the server to use the global address pool.
         [HUAWEI] interface vlanif10 //Enter the VLANIF interface view.
         [HUAWEI-Vlanif10] ip address 10.10.10.1 255.255.255.0 //Configure the interface IP address.
         [HUAWEI-Vlanif10] dhcp select global //Configure the DHCP server to use the global address pool.

    - Configure the DHCP server to use an interface address pool:
      1. Enable the DHCP function.
         <HUAWEI> system-view
         [HUAWEI] dhcp enable
      2. Enable DHCP server on VLANIF10 and configure the server to use the interface address pool.

         NOTICE
         Before running the dhcp select interface command, allocate an IP address to the VLANIF interface.

         [HUAWEI] interface vlanif 10
         [HUAWEI-Vlanif10] ip address 10.10.10.1 255.255.255.0 //Configure a network segment.
         [HUAWEI-Vlanif10] dhcp select interface //Configure the DHCP server to use the interface address pool.
         [HUAWEI-Vlanif10] dhcp server dns-list 10.8.8.8 //Configure a DNS server address.
         [HUAWEI-Vlanif10] dhcp server excluded-ip-address 10.10.10.10 10.10.10.50 //Configure reserved IP addresses.
         [HUAWEI-Vlanif10] dhcp server lease day 0 hour 8 minute 0 //Configure the lease period.
         [HUAWEI-Vlanif10] quit

    1.2.3 How Do I Configure the DHCP Relay Agent?
    When DHCP clients and server are on different network segments, a switch (which cannot be a DHCP server) needs to be configured as the DHCP relay agent to forward request packets from clients to the DHCP server.

    NOTE

    Before configuring a DHCP relay agent, ensure that reachable routes exist between clients and the DHCP server.

    The procedure for configuring DHCP relay agent is as follows:
    1. Configure a destination DHCP server group.
       <HUAWEI> system-view
       [HUAWEI] dhcp server group group1
       [HUAWEI-dhcp-server-group-group1] dhcp-server 10.10.10.1
       [HUAWEI-dhcp-server-group-group1] quit
    2. Enable the DHCP function.
       [HUAWEI] dhcp enable
    3. Configure DHCP relay on VLANIF100 and bind VLANIF100 to group1.
       [HUAWEI] interface vlanif 100
       [HUAWEI-Vlanif100] ip address 10.20.20.1 24
       [HUAWEI-Vlanif100] dhcp select relay
       [HUAWEI-Vlanif100] dhcp relay server-select group1
       [HUAWEI-Vlanif100] quit

    1.2.4 How Do I Configure DHCP Snooping?
    DHCP snooping is a DHCP security feature that intercepts and analyzes DHCP packets transmitted between DHCP clients and a DHCP server. DHCP snooping creates and maintains a DHCP snooping binding table, and filters untrusted DHCP packets according to the table. The binding table contains the MAC address, IP address, lease, binding type, VLAN ID, and interface information.
    The DHCP snooping binding entries are dynamically generated based on the DHCP ACK packets received by trusted interfaces. The entries record the mappings between clients' IP addresses and MAC addresses. DHCP snooping is equivalent to a firewall between DHCP clients and the DHCP server to prevent DHCP Denial of Service (DoS) attacks, bogus DHCP server attacks, and bogus DHCP request packet attacks, and ensure that only authorized users can access the network.

    Figure 1-4 Prevention against bogus DHCP server attack

    In the scenario shown in Figure 1-4, the procedure for configuring prevention against bogus DHCP server attacks is as follows:
    1. Enable DHCP snooping globally.
       <Quidway> system-view
       [Quidway] dhcp enable
       [Quidway] dhcp snooping enable
    2. Enable DHCP snooping on user-side interfaces GE0/0/2 and GE0/0/3.
       [Quidway] interface gigabitethernet 0/0/2
       [Quidway-GigabitEthernet0/0/2] dhcp snooping enable
       [Quidway-GigabitEthernet0/0/2] quit
       [Quidway] interface gigabitethernet 0/0/3
       [Quidway-GigabitEthernet0/0/3] dhcp snooping enable
       [Quidway-GigabitEthernet0/0/3] quit
    3. Configure the DHCP server-side interface GE0/0/1 as a trusted interface.
       [Quidway] interface gigabitethernet 0/0/1
       [Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
       [Quidway-GigabitEthernet0/0/1] quit
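
    A saved configuration can be checked against this procedure. The Python script below is an added example, not part of the Huawei guide: it assumes the saved configuration shows the same command text that the procedure types at the CLI, uses a constructed sample configuration, and takes the port roles as input. The function names are hypothetical.

```python
import re

# Constructed sample of a saved configuration (not taken from the guide).
# GE0/0/3 is a user-side port that was missed, GE0/0/4 is wrongly trusted.
SAMPLE_CONFIG = """\
#
sysname Quidway
#
dhcp enable
#
dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
 dhcp snooping enable
 dhcp snooping trusted
#
return
"""


def parse_config(text):
    """Split a '#'-separated configuration into global lines and per-interface lines.

    The same text ('dhcp snooping enable') is valid in both scopes, so the
    scope has to be tracked instead of searching the whole file for a string.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            current = None                      # a '#' line closes the current section
            continue
        match = re.match(r"interface\s+(\S+)$", line, re.IGNORECASE)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and raw[:1].isspace():
            interfaces[current].append(line)    # indented line inside an interface view
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_dhcp_snooping(text, server_ports, user_ports):
    """Return sorted findings; an empty list means the config matches the procedure."""
    global_lines, interfaces = parse_config(text)
    findings = []
    # Step 1: DHCP and DHCP snooping enabled globally.
    for command in ("dhcp enable", "dhcp snooping enable"):
        if command not in global_lines:
            findings.append(f"global: '{command}' missing")
    # Step 2: snooping enabled on every user-side port.
    for port in user_ports:
        if "dhcp snooping enable" not in interfaces.get(port, []):
            findings.append(f"{port}: user-side port without 'dhcp snooping enable'")
    # Step 3: server-side ports trusted, and nothing else trusted.
    for port in server_ports:
        if "dhcp snooping trusted" not in interfaces.get(port, []):
            findings.append(f"{port}: server-side port is not trusted")
    for port, lines in interfaces.items():
        if "dhcp snooping trusted" in lines and port not in server_ports:
            findings.append(f"{port}: trusted but not a known server-side port")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_dhcp_snooping(
        SAMPLE_CONFIG,
        server_ports=["GigabitEthernet0/0/1"],
        user_ports=["GigabitEthernet0/0/2", "GigabitEthernet0/0/3", "GigabitEthernet0/0/4"],
    ):
        print(finding)
```

    A trusted flag on a user-side port is the finding to act on first, because that port is then allowed to deliver DHCP server replies.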

    1.2.5 How Do I Maintain DHCP?
    1. Check whether the IP addresses have run out.
       Run the ping ip-address command to test whether an IP address is allocated to a client. If the ping operation is successful, the IP address has been allocated. If the ping operation fails, the IP address is idle.
    2. Check IP addresses that are dynamically allocated.
       Run the display ip pool name ip-pool-name used command on the DHCP server to check allocated IP addresses.
    3. Reclaim IP addresses.
       Run the reset ip pool { interface pool-name | name ip-pool-name } { start-ip-address [ end-ip-address ] | all | conflict | expired | used } command in the user view to manually reclaim IP addresses in the address pool.
       If an IP address has been manually bound to a MAC address, the binding is still valid after this command is executed and the IP address cannot be allocated to other clients. To unbind the IP address from the MAC address, run the following commands as required:
       - For a global address pool
         undo static-bind [ ip-address ip-address | mac-address mac-address ]
       - For an interface address pool
         undo dhcp server static-bind [ ip-address ip-address | mac-address mac-address ]

    1.2.6 How Can I Use the Extended DHCP Functions?
    - How to bind a fixed IP address to a specified MAC address
      There are two methods:
      - Based on a global address pool
        <HUAWEI> system-view
        [HUAWEI] ip pool 1
        [HUAWEI-ip-pool-1] static-bind ip-address X.X.X.X mac-address H-H-H
      - Based on an interface address pool
        <HUAWEI> system-view
        [HUAWEI] interface vlanif 10
        [HUAWEI-Vlanif10] dhcp server static-bind ip-address X.X.X.X mac-address H-H-H

    NOTE

    The IP address to be bound to a specified MAC address cannot be occupied. If the IP address is being occupied, run the reset ip pool { interface pool-name | name ip-pool-name } { start-ip-address [ end-ip-address ] | all | conflict | expired | used } command in the user view to reclaim the IP address in the address pool.

    - How to enable authorized users with static IP addresses to go online
      After the DHCP snooping and IPSG functions are enabled (using the ip source check user-bind enable command), the switch discards packets from the authorized users with static IP addresses because the switch does not have the dynamic DHCP snooping entries matching the packets. As a result, the users cannot go online. To address this problem, you can configure static binding entries for these users.
      Run the following command in the system view:
      user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } & | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]
      At least two attributes among IP address, MAC address, interface, and VLAN need to be specified in a static binding entry. The effect varies depending on the bound attributes. At most four attributes can be bound.
      After the static binding entries are configured, authorized users with static IP addresses can go online. If a static user changes the IP address, the user cannot go online because the device has neither the dynamic nor static DHCP snooping binding entry of the user.
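
    The behaviour described in 1.2.4 and in the static-user item above can be followed in a small model. The Python code below is an added example, not Huawei code: it is a simplified model in which a packet is permitted when it matches every attribute bound in some entry (an assumption about the matching rule), and all ports, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """One binding entry. None means the attribute is not bound (static entries only)."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None
    kind: str = "static"

    def bound(self):
        fields = (("ip", self.ip), ("mac", self.mac),
                  ("interface", self.interface), ("vlan", self.vlan))
        return {name: value for name, value in fields if value is not None}


class SnoopingSwitch:
    """Simplified model of DHCP snooping plus the IPSG check (hypothetical class)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.table = []

    def dhcp_server_reply(self, in_port, msg_type, client_mac, client_ip, client_port, vlan):
        """Handle a server-originated DHCP message arriving on in_port."""
        if in_port not in self.trusted:
            return "drop"                      # reply from a bogus server on an untrusted port
        if msg_type == "ACK":                  # dynamic entries come from ACKs on trusted ports
            self.table.append(Binding(client_ip, client_mac, client_port, vlan, "dynamic"))
        return "forward"

    def add_static(self, ip=None, mac=None, interface=None, vlan=None):
        """Model of a static binding entry; at least two attributes must be given."""
        entry = Binding(ip, mac, interface, vlan, "static")
        if len(entry.bound()) < 2:
            raise ValueError("a static binding entry needs at least two attributes")
        self.table.append(entry)

    def ipsg_check(self, ip, mac, interface, vlan):
        """Permit a data packet only if it matches all bound attributes of some entry."""
        packet = {"ip": ip, "mac": mac, "interface": interface, "vlan": vlan}
        for entry in self.table:
            if all(packet[name] == value for name, value in entry.bound().items()):
                return "permit"
        return "discard"


def run_scenario():
    """Walk through the cases from the text and return the switch's decisions in order."""
    sw = SnoopingSwitch(trusted_ports=["GE0/0/1"])
    dhcp_client = ("00e0-fc12-3456", "GE0/0/2", 10)          # constructed client
    static_user = ("10.10.10.20", "00e0-fc65-4321", "GE0/0/3", 10)
    results = []
    # 1. Bogus server behind user-side GE0/0/3 sends an ACK: dropped, no entry created.
    results.append(sw.dhcp_server_reply("GE0/0/3", "ACK", dhcp_client[0], "192.168.99.5", "GE0/0/2", 10))
    # 2. Real server behind trusted GE0/0/1 sends an ACK: forwarded, dynamic entry created.
    results.append(sw.dhcp_server_reply("GE0/0/1", "ACK", dhcp_client[0], "10.10.10.51", "GE0/0/2", 10))
    # 3. Traffic from the leased address matches the dynamic entry.
    results.append(sw.ipsg_check("10.10.10.51", *dhcp_client))
    # 4. Traffic from the address the bogus server offered has no entry.
    results.append(sw.ipsg_check("192.168.99.5", *dhcp_client))
    # 5. Authorized static-IP user has no dynamic entry, so packets are discarded.
    results.append(sw.ipsg_check(*static_user))
    # 6. After a static entry (IP + MAC) is configured, the same user is permitted.
    sw.add_static(ip="10.10.10.20", mac="00e0-fc65-4321")
    results.append(sw.ipsg_check(*static_user))
    # 7. The user changes the IP address: neither entry matches any more.
    results.append(sw.ipsg_check("10.10.10.21", *static_user[1:]))
    return results


if __name__ == "__main__":
    print(run_scenario())
```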

    1.2.7 How Does a Switch Support DHCP?
    - Modular switch
      All models and versions support DHCP server, DHCP relay, and DHCP snooping. The DHCP client has been supported since V200R005C00.
    - Fixed switch
      - In the versions earlier than V200R005C00, S2300SI, S2300EI, S5306LI, and S5300LI support only DHCP client, but do not support DHCP server or DHCP relay.
      - In the versions later than V200R005C00, all models except S5306LI support DHCP server, DHCP relay, and DHCP client. The S5306LI supports only DHCP client.
      - All models except S2300SI support DHCP snooping.

    1.3 PoE
    1.3.1 How Much Power Does a PoE Power Module Provide?
    1.3.2 Which Switch Models Support the PoE Function?
    1.3.3 Why Can't a PoE Card Be Registered?

    1.3.1 How Much Power Does a PoE Power Module Provide?
    Power over Ethernet (PoE) refers to power supply over a 10Base-T, 100Base-TX, or 1000Base-T Ethernet cable.
    PoE provides power for terminals such as IP phones, access points (APs), portable device chargers, point-of-sale (POS) machines, cameras, and data collectors. These terminals are powered when they connect to the network, so the indoor power supply systems are not required.
    IEEE 802.3af and IEEE 802.3at are PoE standards defined to provide remote power supply for the devices from different vendors. IEEE 802.3af supports a maximum of 15.4 W power and IEEE 802.3at supports a maximum of 30 W power.

    Fixed switch
    Fixed switches support 250 W (sales part number 02130878) and 500 W (sales part number 02130879) PoE power modules. The actual available power of a 250 W PoE power module is around 120 W (measured 123.2 W). The actual available power of a 500 W PoE power module is around 370 W (measured 369.6 W).
    A 250 W PoE power module can provide 802.3af full power on 8 interfaces or 802.3at full power on 4 interfaces.
    A 500 W PoE power module can provide 802.3af full power on 24 interfaces or 802.3at full power on 12 interfaces.
    PoE supports remote power supply over a distance of up to 100 m.

    Modular switch
    Table 1-4 lists the PoE power modules supported by the S9300 series switches and the available power they can provide.

    NOTICE
    Different types of power modules cannot be used in the same switch.

    Table 1-4 PoE power modules supported by the S9300 series switches and their available power

    | PoE Power Module                                    | Supported Maximum Available Power |
    | 800 W AC power module (sales part number 0213085)   | 800 W                             |
    | 2200 W AC power module (sales part number 02130909) | 2200 W                            |
    | 2200 W DC power module (sales part number 02270099) |                                   |

    Table 1-5 lists the PoE power that the S9300 series switches can provide and the number of PoE interfaces they support.

    Table 1-5 PoE power provided by the S9300 series switches and the number of PoE interfaces supported

    | Chassis | Number of PoE Power Modules Supported | Maximum Power | Number of PoE Interfaces Supported |
    | S9303   | 1                                     | 2200 W        | 144                                |
    | S9306   | 4                                     | 8800 W        | 288                                |
    | S9312   |                                       |               | 576                                |

    1.3.2 Which Switch Models Support the PoE Function?
    Fixed switches
    You can use the display device command to check a switch's product name and determine whether the switch supports the PoE function according to its product name.
    - If the product name contains PWR, this switch model supports the PoE function.
    - If the product name does not contain PWR, this switch model does not support the PoE function.

    Modular switches
    Among modular switches, only the S9300 series switches support the PoE function. The PoE card of an S9300 is LE0DG48VEA00.

    1.3.3 Why Can't a PoE Card Be Registered?
    The PoE card of an S9300 is LE0DG48VEA00. The possible causes are as follows:
    1. The PoE power module is not installed in the PoE power slot.
    2. The PoE power module is not powered on.
    3. The DIMM is faulty.
    For the handling methods, see "Cards Cannot Be Registered" in the Hardware Troubleshooting.

    1.4 NAT
    1.4.1 Do Huawei Switches Support NAT?
    1.4.2 How Do I Configure Outbound NAT to Enable Private Network Users to Access the Internet?
    1.4.3 How Do I Configure NAT Server to Enable Internet Users to Access Private Servers?

    1.4.1 Do Huawei Switches Support NAT?
    Fixed switches in all versions do not support NAT.
    Modular switches in V100R003 and later versions support NAT after an SPU is installed.

    1.4.2 How Do I Configure Outbound NAT to Enable Private Network Users to Access the Internet?
    Applicable Products and Versions
    This configuration applies to modular switches in V100R006C00 and later versions.

    Networking Requirements
    The SPU is installed in slot 5 of the Switch in Figure 1-5. Hosts on the internal networks of company A and company B use private IP addresses. Company A has 100 hosts and 101 idle public IP addresses (202.169.10.100 to 202.169.10.200). Hosts in company B are on a VPN and company B does not have idle public IP addresses.
    Company A and company B require that internal hosts access the Internet.


  • Figure 1-5 Configuring outbound NAT to allow private network users to access the Internet

    Configuration Roadmap
    The configuration roadmap is as follows:
    1. Direct flows from the Switch to the SPU.
    2. On the Switch, configure outbound NAT with an address pool for hosts in company A. The Switch maps each private IP address to a public IP address so that hosts in company A can successfully access the Internet.
    3. On the Switch, configure Easy IP without an address pool for hosts in company B. The Switch maps each private IP address to the public IP address of the outbound interface so that hosts in company B can successfully access the Internet.

    Procedure
    1. Configure Layer 2 flow import to direct flows from the Switch to the SPU. GE2/0/1 and GE2/0/3 are inbound interfaces, and GE2/0/2 is the outbound interface.
       # Configure the Switch.
       <HUAWEI> system-view
       [HUAWEI] sysname Switch
       [Switch] vlan batch 101 to 103
       [Switch] interface eth-trunk 1
       [Switch-Eth-Trunk1] port link-type trunk
       [Switch-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
       [Switch-Eth-Trunk1] quit
       [Switch] interface gigabitethernet 2/0/1
       [Switch-GigabitEthernet2/0/1] port link-type trunk
       [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
       [Switch-GigabitEthernet2/0/1] quit
       [Switch] interface gigabitethernet 2/0/2
       [Switch-GigabitEthernet2/0/2] port link-type trunk
       [Switch-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
       [Switch-GigabitEthernet2/0/2] quit
       [Switch] interface gigabitethernet 2/0/3
       [Switch-GigabitEthernet2/0/3] port link-type trunk
       [Switch-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
       [Switch-GigabitEthernet2/0/3] quit
       [Switch] interface xgigabitethernet 5/0/0
       [Switch-XGigabitEthernet5/0/0] eth-trunk 1
       [Switch-XGigabitEthernet5/0/0] quit
       [Switch] interface xgigabitethernet 5/0/1
       [Switch-XGigabitEthernet5/0/1] eth-trunk 1
       [Switch-XGigabitEthernet5/0/1] quit

       # On the SPU, configure IP addresses for interfaces and add interfaces to VLANs.
       <HUAWEI> system-view
       [HUAWEI] sysname SPU
       [SPU] interface eth-trunk 1
       [SPU-Eth-Trunk1] quit
       [SPU] interface eth-trunk 1.1
       [SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
       [SPU-Eth-Trunk1.1] dot1q termination vid 101
       [SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
       [SPU-Eth-Trunk1.1] arp broadcast enable
       [SPU-Eth-Trunk1.1] quit
       [SPU] interface eth-trunk 1.2
       [SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
       [SPU-Eth-Trunk1.2] dot1q termination vid 102
       [SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
       [SPU-Eth-Trunk1.2] arp broadcast enable
       [SPU-Eth-Trunk1.2] quit
       [SPU] ip vpn-instance vpn_b
       [SPU-vpn-instance-vpn_b] route-distinguisher 0:1
       [SPU-vpn-instance-vpn_b] quit
       [SPU] interface eth-trunk 1.3
       [SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
       [SPU-Eth-Trunk1.3] dot1q termination vid 103
       [SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
       [SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
       [SPU-Eth-Trunk1.3] arp broadcast enable
       [SPU-Eth-Trunk1.3] quit
       [SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 eth-trunk 1.2 202.169.10.2
       [SPU] interface xgigabitethernet 0/0/1
       [SPU-XGigabitEthernet0/0/1] eth-trunk 1
       [SPU-XGigabitEthernet0/0/1] quit
       [SPU] interface xgigabitethernet 0/0/2
       [SPU-XGigabitEthernet0/0/2] eth-trunk 1
       [SPU-XGigabitEthernet0/0/2] quit

    2. Configure outbound NAT on the SPU.
       [SPU] nat address-group 1 202.169.10.100 202.169.10.200
       [SPU] acl 2000
       [SPU-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
       [SPU-acl-basic-2000] quit
       [SPU] acl 2001
       [SPU-acl-basic-2001] rule 5 permit vpn-instance vpn_b source 10.0.0.0 0.0.0.255
       [SPU-acl-basic-2001] quit
       [SPU] interface eth-trunk 1.2
       [SPU-Eth-Trunk1.2] nat outbound 2000 address-group 1 no-pat
       [SPU-Eth-Trunk1.2] nat outbound 2001
       [SPU-Eth-Trunk1.2] quit

    3. Verify the configuration.
       Run the display nat outbound interface eth-trunk 1.2 command on the SPU to view the outbound NAT configuration.
       [SPU] display nat outbound interface eth-trunk 1.2
        NAT Outbound Information:
        --------------------------------------------------------------------------
        Interface                     Acl     Address-group/IP/Interface      Type
        --------------------------------------------------------------------------
        Eth-Trunk1.2                 2000                              1    no-pat
        Eth-Trunk1.2                 2001                   202.169.10.1    easyip
        --------------------------------------------------------------------------
         Total : 2

    After the configuration is complete, hosts in company A and company B can access the Internet.
    Take company A as an example. On the host with the private IP address 192.168.20.2, ping the public IP address 202.169.10.2 on the Internet. The ping succeeds.
    Run the display nat session destination 202.169.10.2 command on the SPU to view the source IP address before and after the NAT operation.
    [SPU] display nat session destination 202.169.10.2
      The operation may take a few minutes, please wait...
      NAT Session Table Information:
         Protocol          : ICMP(1)
         SrcAddr   Vpn     : 192.168.20.2
         DestAddr  Vpn     : 202.169.10.2
         Type Code IcmpId  : 8 0 44006
         NAT-Info
           New SrcAddr     : 202.169.10.100
           New DestAddr    : ----
           New IcmpId      : ----
      Total : 1

    Take company B as an example. On the host with the private IP address 10.0.0.2, ping the public IP address 202.169.10.2 on the Internet. The ping succeeds.
    Run the display nat session destination 202.169.10.2 command on the SPU to view the source IP address before and after the NAT operation.
    [SPU] display nat session destination 202.169.10.2
      The operation may take a few minutes, please wait...
      NAT Session Table Information:
         Protocol          : ICMP(1)
         SrcAddr   Vpn     : 10.0.0.2 vpn_b
         DestAddr  Vpn     : 202.169.10.2
         Type Code IcmpId  : 8 0 44028
         NAT-Info
           New SrcAddr     : 202.169.10.1
           New DestAddr    : ----
           New IcmpId      : 10240
      Total : 1
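
    The two session dumps can be checked against the outbound NAT rules from step 2 instead of being compared by eye. The Python script below is an added example, not part of the Huawei guide: the rule table restates ACL 2000 and ACL 2001 from this procedure, the session text is the output shown above laid out one field per line, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Outbound NAT rules from step 2. ip_network() accepts the ACL wildcard
# (host mask) notation, so 0.0.0.255 is read as a /24.
RULES = [
    {"acl": 2000, "vpn": None, "src": ip_network("192.168.20.0/0.0.0.255"),
     "type": "no-pat",          # address group 1, address translated only
     "pool": (ip_address("202.169.10.100"), ip_address("202.169.10.200"))},
    {"acl": 2001, "vpn": "vpn_b", "src": ip_network("10.0.0.0/0.0.0.255"),
     "type": "easyip",          # address of Eth-Trunk1.2, ICMP id translated as well
     "pool": (ip_address("202.169.10.1"), ip_address("202.169.10.1"))},
]

# Session output from the two pings above (company A, then company B).
SESSION_OUTPUT = """\
NAT Session Table Information:
   Protocol          : ICMP(1)
   SrcAddr   Vpn     : 192.168.20.2
   DestAddr  Vpn     : 202.169.10.2
   Type Code IcmpId  : 8 0 44006
   NAT-Info
     New SrcAddr     : 202.169.10.100
     New DestAddr    : ----
     New IcmpId      : ----
Total : 1
NAT Session Table Information:
   Protocol          : ICMP(1)
   SrcAddr   Vpn     : 10.0.0.2 vpn_b
   DestAddr  Vpn     : 202.169.10.2
   Type Code IcmpId  : 8 0 44028
   NAT-Info
     New SrcAddr     : 202.169.10.1
     New DestAddr    : ----
     New IcmpId      : 10240
Total : 1
"""

WANTED = {"Protocol", "SrcAddr Vpn", "New SrcAddr", "New IcmpId"}


def parse_sessions(text):
    """Return one dict per session; a 'Protocol' line starts a new session."""
    sessions, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = " ".join(key.split())             # collapse the column padding
        if key == "Protocol":
            current = {}
            sessions.append(current)
        if current is not None and key in WANTED:
            current[key] = value
    return sessions


def verify(session):
    """Return (source, matching ACL, verdict) for one parsed session."""
    parts = session["SrcAddr Vpn"].split()
    src = ip_address(parts[0])
    vpn = parts[1] if len(parts) > 1 else None
    rule = next((r for r in RULES if r["vpn"] == vpn and src in r["src"]), None)
    if rule is None:
        return (str(src), None, "no outbound NAT rule matches this source")
    new_src = session.get("New SrcAddr", "----")
    if new_src == "----":
        return (str(src), rule["acl"], "source address was not translated")
    low, high = rule["pool"]
    in_pool = low <= ip_address(new_src) <= high
    id_translated = session.get("New IcmpId", "----") != "----"
    # no-pat must leave the ICMP id alone; Easy IP is expected to rewrite it.
    ok = in_pool and id_translated == (rule["type"] == "easyip")
    return (str(src), rule["acl"], "ok" if ok else "mismatch")


def check_sessions(text):
    return [verify(session) for session in parse_sessions(text)]


if __name__ == "__main__":
    for result in check_sessions(SESSION_OUTPUT):
        print(result)
```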

    Configuration Files
    - Configuration file of the SPU
      #
      sysname SPU
      #
      ip vpn-instance vpn_b
       route-distinguisher 0:1
      #
      acl number 2000
       rule 5 permit source 192.168.20.0 0.0.0.255
      #
      acl number 2001
       rule 5 permit vpn-instance vpn_b source 10.0.0.0 0.0.0.255
      #
      nat address-group 1 202.169.10.100 202.169.10.200
      #
      interface Eth-Trunk1
      #
      interface Eth-Trunk1.1
       control-vid 101 dot1q-termination
       dot1q termination vid 101
       ip address 192.168.20.1 255.255.255.0
       arp broadcast enable
      #
      interface Eth-Trunk1.2
       control-vid 102 dot1q-termination
       dot1q termination vid 102
       ip address 202.169.10.1 255.255.255.0
       arp broadcast enable
       nat outbound 2000 address-group 1 no-pat
       nat outbound 2001
      #
      interface Eth-Trunk1.3
       control-vid 103 dot1q-termination
       dot1q termination vid 103
       ip binding vpn-instance vpn_b
       ip address 10.0.0.1 255.255.255.0
       arp broadcast enable
      #
      interface XGigabitEthernet0/0/1
       eth-trunk 1
      #
      interface XGigabitEthernet0/0/2
       eth-trunk 1
      #
      ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk1.2 202.169.10.2
      #
      return

    - Configuration file of the Switch
      #
      sysname Switch
      #
      vlan batch 101 to 103
      #
      interface Eth-Trunk1
       port link-type trunk
       port trunk allow-pass vlan 101 to 103
      #
      interface GigabitEthernet2/0/1
       port link-type trunk
       port trunk allow-pass vlan 101
      #
      interface GigabitEthernet2/0/2
       port link-type trunk
       port trunk allow-pass vlan 102
      #
      interface GigabitEthernet2/0/3
       port link-type trunk
       port trunk allow-pass vlan 103
      #
      interface XGigabitEthernet5/0/0
       eth-trunk 1
      #
      interface XGigabitEthernet5/0/1
       eth-trunk 1
      #
      return

    1.4.3 How Do I Configure NAT Server to Enable Internet Users to Access Private Servers?
    Applicable Products and Versions
    This configuration applies to modular switches in V100R006C00 and later versions.

    Networking Requirements
    The SPU is installed in slot 5 of the Switch in Figure 1-6. Company A provides a web server for Internet users to access. The private IP address of the web server is 192.168.20.2:8080 and its public IP address is 202.169.10.5. Company B provides an FTP server on the VPN for Internet users to access. The private IP address of the FTP server is 10.0.0.3 and its public IP address is 202.169.10.33.
    Internet users need to access company A's web server and company B's FTP server using public IP addresses.


  • Figure 1-6 Networking diagram for NAT server configuration

    Configuration Roadmap
    The configuration roadmap is as follows:
    1. Direct flows from the Switch to the SPU.
    2. Configure the NAT server function so that Internet users can access company A's web server and company B's FTP server using public IP addresses.
    3. Enable the NAT ALG function to implement address translation for FTP packets.

    Procedure
    1. Configure Layer 2 flow import to direct flows from the Switch to the SPU. GE2/0/2 is the inbound interface, and GE2/0/1 and GE2/0/3 are outbound interfaces.
       # Configure the Switch.
       <HUAWEI> system-view
       [HUAWEI] vlan batch 101 to 103
       [HUAWEI] interface eth-trunk 1
       [HUAWEI-Eth-Trunk1] port link-type trunk
       [HUAWEI-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
       [HUAWEI-Eth-Trunk1] quit
       [HUAWEI] interface gigabitethernet 2/0/1
       [HUAWEI-GigabitEthernet2/0/1] port link-type trunk
       [HUAWEI-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
       [HUAWEI-GigabitEthernet2/0/1] quit
       [HUAWEI] interface gigabitethernet 2/0/2
       [HUAWEI-GigabitEthernet2/0/2] port link-type trunk
       [HUAWEI-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
       [HUAWEI-GigabitEthernet2/0/2] quit
       [HUAWEI] interface gigabitethernet 2/0/3
       [HUAWEI-GigabitEthernet2/0/3] port link-type trunk
       [HUAWEI-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
       [HUAWEI-GigabitEthernet2/0/3] quit
       [HUAWEI] interface xgigabitethernet 5/0/0
       [HUAWEI-XGigabitEthernet5/0/0] eth-trunk 1
       [HUAWEI-XGigabitEthernet5/0/0] quit
       [HUAWEI] interface xgigabitethernet 5/0/1
       [HUAWEI-XGigabitEthernet5/0/1] eth-trunk 1
       [HUAWEI-XGigabitEthernet5/0/1] quit

       # On the SPU, configure IP addresses for interfaces and add interfaces to VLANs.
       <SPU> system-view
       [SPU] interface eth-trunk 1
       [SPU-Eth-Trunk1] quit
       [SPU] interface eth-trunk 1.1
       [SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
       [SPU-Eth-Trunk1.1] dot1q termination vid 101
       [SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
       [SPU-Eth-Trunk1.1] arp broadcast enable
       [SPU-Eth-Trunk1.1] quit
       [SPU] interface eth-trunk 1.2
       [SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
       [SPU-Eth-Trunk1.2] dot1q termination vid 102
       [SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
       [SPU-Eth-Trunk1.2] arp broadcast enable
       [SPU-Eth-Trunk1.2] quit
       [SPU] ip vpn-instance vpn_b
       [SPU-vpn-instance-vpn_b] route-distinguisher 0:1
       [SPU-vpn-instance-vpn_b] quit
       [SPU] interface eth-trunk 1.3
       [SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
       [SPU-Eth-Trunk1.3] dot1q termination vid 103
       [SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
       [SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
       [SPU-Eth-Trunk1.3] arp broadcast enable
       [SPU-Eth-Trunk1.3] quit
       [SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 eth-trunk 1.2 202.169.10.2
       [SPU] interface xgigabitethernet 0/0/1
       [SPU-XGigabitEthernet0/0/1] eth-trunk 1
       [SPU-XGigabitEthernet0/0/1] quit
       [SPU] interface xgigabitethernet 0/0/2
       [SPU-XGigabitEthernet0/0/2] eth-trunk 1
       [SPU-XGigabitEthernet0/0/2] quit

    2. Configure the internal servers on the SPU.
       [SPU] interface eth-trunk 1.2
       [SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
       [SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpn-instance vpn_b

    3. On the SPU, enable the NAT ALG function for FTP.
       [SPU] nat alg ftp enable

    4. Verify the configuration.
       Run the display nat server interface eth-trunk 1.2 command on the SPU to view the NAT server configuration.
       [SPU] display nat server interface eth-trunk 1.2
         Nat Server Information:
         Interface  : Eth-Trunk1.2
           Global IP/Port     : 202.169.10.5/80(www)
           Inside IP/Port     : 192.168.20.2/8080
           Protocol           : 6(tcp)
           VPN instance-name  : ----
           Description        : ----

           Global IP/Port     : 202.169.10.33/21(ftp)
           Inside IP/Port     : 10.0.0.3/21(ftp)
           Protocol           : 6(tcp)
           VPN instance-name  : vpn_b

         Total : 2

    After the configuration is complete, Internet users can access company A's web server and company B's FTP server using public IP addresses.


    Configuration Files
    - Configuration file of the SPU
      #
      sysname SPU
      #
      ip vpn-instance vpn_b
       route-distinguisher 0:1
      #
      nat alg ftp enable
      #
      interface Eth-Trunk1
      #
      interface Eth-Trunk1.1
       control-vid 101 dot1q-termination
       dot1q termination vid 101
       ip address 192.168.20.1 255.255.255.0
       arp broadcast enable
      #
      interface Eth-Trunk1.2
       control-vid 102 dot1q-termination
       dot1q termination vid 102
       ip address 202.169.10.1 255.255.255.0
       arp broadcast enable
       nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
       nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpn-instance vpn_b
      #
      interface Eth-Trunk1.3
       control-vid 103 dot1q-termination
       dot1q termination vid 103
       ip binding vpn-instance vpn_b
       ip address 10.0.0.1 255.255.255.0
       arp broadcast enable
      #
      interface XGigabitEthernet0/0/1
       eth-trunk 1
      #
      interface XGigabitEthernet0/0/2
       eth-trunk 1
      #
      ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk1.2 202.169.10.2
      #
      return

    - Configuration file of the Switch
      #
      vlan batch 101 to 103
      #
      interface Eth-Trunk1
       port link-type trunk
       port trunk allow-pass vlan 101 to 103
      #
      interface GigabitEthernet2/0/1
       port link-type trunk
       port trunk allow-pass vlan 101
      #
      interface GigabitEthernet2/0/2
       port link-type trunk
       port trunk allow-pass vlan 102
      #
      interface GigabitEthernet2/0/3
       port link-type trunk
       port trunk allow-pass vlan 103
      #
      interface XGigabitEthernet5/0/0
       eth-trunk 1
      #
      interface XGigabitEthernet5/0/1
       eth-trunk 1
      #
      return

    1.5 Web System
    1.5.1 How Do I Obtain a Web File and Configure the Web System?
    1.5.2 What Rights Do Web Management Accounts Have?

    1.5.1 How Do I Obtain a Web File and Configure the Web System?
    Obtaining a Web File
    The web file is released with the system software package and varies depending on software versions. The following uses S9300V200R003 as an example to describe how to obtain a web file.

    Step 1 Open the Internet Explorer and enter http://enterprise.huawei.com/en/ in the address box.

    NOTE
    You must have a permission to obtain the web file. To obtain the permission, choose My Huawei > Permissions.

    Step 2 Choose Support > Product Support.
    Step 3 Choose Software > Enterprise Networking > Switch > Campus Switch.
    Step 4 In the navigation tree on the left, choose S9300.
    Step 5 Select Quidway S9300 V200R003C00SPC500 and click the version number to view details.
    Step 6 Under Version and Patch Software, find the web file with the file name extension .web.7z and download the web file.
    ----End

    Loading the Web File and Configuring an HTTP User
    The following uses S9300 V200R003 as an example.

    Step 1 Run the system-view command to enter the system view.
    Step 2 Run the http server load file-name command to load the web file.

    NOTE
    Before loading a web file, upload the web file to the switch through FTP, SFTP, or TFTP. The web file must be loaded to the root directory of the switch's storage medium; otherwise, the web file cannot be loaded.

    Step 3 Run the http secure-server enable command to enable the HTTPS server function.
    Step 4 Run the http server enable command to enable the HTTP server function.


    Step 5 Run the aaa command to enter the AAA view.
    Step 6 Run the local-user user-name password { cipher | irreversible-cipher } password command to configure an AAA local user name and password.
    Step 7 Run the local-user user-name privilege level level command to set the local user level.

    NOTE
    HTTP users of level 3 or higher can manage the switch on the web system, whereas HTTP users of level 2 or lower can only view the switch configuration.

    Step 8 Run the local-user user-name service-type http command to set the service type to HTTP.
    ----End

    Logging In to the Web System

    Step 1 Open Internet Explorer on the PC, enter http://IP address (for example, https://10.164.19.131) in the address box, and press Enter. The login dialog box is displayed.

    NOTE
    The IP address is the management address of a device, and can be an IPv4 or IPv6 address depending on the HTTPS type (HTTPS IPv4 or IPv6) you have selected.
    To ensure compatibility, the system converts the http://IP address you entered into https://IP address.

    Step 2 Enter the HTTP user name, password, and verification code, and select a language for the web system.
    Step 3 Click Login or press Enter. The web system home page is displayed.
    ----End
    You can manage and maintain the switch after logging in to the web system.

    1.5.2 What Rights Do Web Management Accounts Have?

    Web management accounts are local AAA users whose service type is HTTP.
    HTTP users of level 3 or higher can manage the switch on the web system, whereas HTTP users of level 2 or lower can only view the switch configuration.

    1.6 NAC
    1.6.1 What Is the Difference Between 802.1x and DOT1x?
    1.6.2 Must a Shared Key Be Configured for Portal Authentication?
    1.6.3 Why Does a User Go Offline 10 Seconds After Passing 802.1x Authentication?
    1.6.4 Why 802.1x or MAC Address Authentication Does Not Take Effect After Being Enabled and the Configuration Is Displayed in the Configuration File?
    1.6.5 Which VLAN Do DHCP Users Connected to a Switch Interface Obtain IP Addresses From If MAC Address Authentication Is Enabled and a Guest VLAN Is Configured on the Interface?


    1.6.1 What Is the Difference Between 802.1x and DOT1x?

    They are different names for the same function.

    1.6.2 Must a Shared Key Be Configured for Portal Authentication?

    On a switch in V100R006 or a later version, a shared key must be configured for information exchange with the Portal server during External Portal authentication. The shared key configured on the switch must be the same as that on the Portal server.

    1.6.3 Why Does a User Go Offline 10 Seconds After Passing 802.1x Authentication?

    If handshake with online 802.1x users is enabled on a switch, the switch periodically sends handshake packets to a user client after the client is authenticated. If the client sends no handshake packet to the switch, the switch forces the user offline.
    The user goes offline 10 seconds after being authenticated. This may be caused by a handshake failure.
    To solve this problem, run the undo dot1x handshake command to disable the handshake function.

    1.6.4 Why 802.1x or MAC Address Authentication Does Not Take Effect After Being Enabled and the Configuration Is Displayed in the Configuration File?

    If ACL resources are used up, the dot1x enable or mac-authen command run globally or on an interface does not take effect.

    1.6.5 Which VLAN Do DHCP Users Connected to a Switch Interface Obtain IP Addresses From If MAC Address Authentication Is Enabled and a Guest VLAN Is Configured on the Interface?

    When a user without a VLAN tag passes MAC address authentication, the user obtains an IP address from the VLAN matching the interface PVID. When a user with a VLAN tag passes MAC address authentication, the user obtains an IP address from the VLAN matching the VLAN tag.
    If a user fails MAC address authentication, the user obtains an IP address from the guest VLAN on the interface where the user accesses.

    1.7 Loop Detection
    1.7.1 Which Switch Models Support Loop Detection?
    1.7.2 How Do I Configure Single-Interface Loop Detection?
    1.7.3 How Do I Configure Multi-Interface Loop Detection?


    1.7.4 What Is the Default Interval for Sending LBDT Packets on an Interface?
    1.7.5 How Do I Differentiate LBDT Packets Sent by Different Interfaces?

    1.7.1 Which Switch Models Support Loop Detection?

    Among the S series switches, the S2300SI does not support loop detection, and the S2300EI does not support loop detection in a link aggregation group (does not support the loopback-detect packet vlan command). Other models support loop detection.

    1.7.2 How Do I Configure Single-Interface Loop Detection?

    Switches can detect only external loops that occur on a single interface. After external loop detection is enabled, the switch sends packets periodically to check whether an external loop occurs on an interface. When a loop is found on an interface, the switch performs the specified action on the interface. In versions earlier than V200R002, the switch sets the interface state to blocking by default. In V200R002 and later versions, the switch sets the interface state to shutdown by default.

    Usage Scenario

    Generally, single-interface loop detection is used on downlink interfaces of newly deployed switches to help field engineers discover incorrect cable connections.
    It is recommended that you set the action for interfaces with loops to block.

    Configuration Procedure

    After you enable loop detection globally, this function is enabled on all interfaces.

    [Quidway] loopback-detect enable

    Modular switches of V200R001 and later versions support loop detection in eight VLANs on an interface.
    Fixed switches of V100R005 and later versions support loop detection in eight VLANs on an interface. In addition to trap, shutdown, and block, the action for interfaces with loops can be set to nolearn (stop learning MAC addresses).
    The following configuration is performed on fixed switches:

    [Quidway-Ethernet0/0/1] loopback-detect packet vlan 20 21 22 23 24 25 26 27
    [Quidway-Ethernet0/0/1] loopback-detect action nolearn

    Modular switches of V200R001 and later versions and fixed switches of V100R005 and later versions can generate loop traps, and the traps contain VLANs where loops have occurred.
    The following is an example of a loop trap:

    #Jan 1 2008 06:43:54-08:00 Quidway LDT/4/Porttrap:OID 1.3.6.1.4.1.2011.5.25.174.3.3 Loopback does exist on interface(5) Ethernet0/0/1 ( VLAN 20 ) , loopback detect status: 4.(1:normal; 2:block; 3:shutdown; 4:trap; 5:nolearn)

    Precautions

    Loop detection is an auxiliary tool and consumes system resources. When loop detection is complete, run the undo loopback-detect enable command to disable this function.


    1.7.3 How Do I Configure Multi-Interface Loop Detection?

    S series switches support MAC address flapping detection. MAC address flapping detection can detect loops formed among multiple interfaces. It is recommended that you configure multi-interface loop detection on downlink interfaces and set the action for interfaces with loops to alarm-only. When a loop is detected, the system sends a trap to the network management system to help locate the fault.
    You can enable MAC address flapping detection in a VLAN to detect loops in the VLAN. All software versions support MAC address flapping detection in up to 32 VLANs.

    [Quidway] vlan 3
    [Quidway-vlan-3] loop-detect eth-loop block-time 30 retry-times 3

    The alarm information includes the interface number, VLAN ID, and time. The system can display consecutive alarms and specific MAC addresses where flapping occurs.

    #Jan 1 2008 06:53:12-08:00 Quidway L2IFPPI/4/MFLPIFRESUME:OID 1.3.6.1.4.1.2011.5.25.160.3.2 Loop does not exist in vlan 3, Interface Ethernet0/0/1 resumed, block-time is 30 for mac-flapping disappeared.
    #Jan 1 2008 06:52:22-08:00 Quidway L2IFPPI/4/MFLPIFBLOCK:OID 1.3.6.1.4.1.2011.5.25.160.3.1 Loop exist in vlan 3, Interface Ethernet0/0/1 blocked, block-time is 30 for mac-flapping, Mac Address is 00e0-fc22-765a.

    In V200R003 and later versions, a switch considers that a loop has occurred on the network connected to an interface if detection packets sent from the interface are sent back to another interface. This mechanism can also be used for multi-interface loop detection.
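The LDT and MAC-flapping traps quoted in 1.7.2 and 1.7.3 can be parsed and replayed in time order to see which loops are still open. The Python below is an added example, not part of the Huawei guide: the regular expressions are derived only from the sample traps on this page, the function names are hypothetical, and the last sample line (Ethernet0/0/2) is constructed.

```python
import re
from datetime import datetime

# Status codes as printed at the end of the LDT trap text on this page.
LDT_STATUS = {1: "normal", 2: "block", 3: "shutdown", 4: "trap", 5: "nolearn"}

# Common prefix: timestamp, sysname, MODULE/severity/NAME, OID, then free text.
HEADER = re.compile(
    r"^#?(?P<ts>\w{3}\s+\d+\s+\d{4}\s+[\d:]+[+-]\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<trap>\w+/\d/\w+):\s*OID\s*(?P<oid>[\d.]*\d)\s*(?P<body>.*)$")

BODIES = [
    ("ldt_loop", re.compile(
        r"Loopback does exist on interface\(\d+\)\s*(?P<ifname>\S+)\s*\(\s*VLAN\s+"
        r"(?P<vlan>\d+)\s*\)\s*,\s*loopback detect status:\s*(?P<status>\d)")),
    ("mac_flap_block", re.compile(
        r"Loop exist in vlan (?P<vlan>\d+), Interface\s*(?P<ifname>\S+) blocked, "
        r"block-time is \d+ for mac-flapping, Mac Address is (?P<mac>[0-9a-fA-F-]{14})")),
    ("mac_flap_resume", re.compile(
        r"Loop does not exist in vlan (?P<vlan>\d+), Interface\s*(?P<ifname>\S+) resumed")),
]

def parse_trap(line):
    """Return a dict describing one loop trap, or None if the line is not one."""
    head = HEADER.match(line.strip())
    if not head:
        return None
    for kind, rx in BODIES:
        body = rx.search(head["body"])
        if body:
            ev = {"kind": kind, "host": head["host"], "trap": head["trap"],
                  "time": datetime.strptime(" ".join(head["ts"].split()),
                                            "%b %d %Y %H:%M:%S%z"),
                  "interface": body["ifname"], "vlan": int(body["vlan"])}
            if kind == "ldt_loop":
                ev["action"] = LDT_STATUS.get(int(body["status"]), "unknown")
            elif kind == "mac_flap_block":
                ev["mac"] = body["mac"].lower()
            return ev
    return None

def active_loops(lines):
    """Replay traps in time order; return {(interface, vlan): event} still open."""
    events = sorted(filter(None, map(parse_trap, lines)), key=lambda e: e["time"])
    still_open = {}
    for ev in events:
        key = (ev["interface"], ev["vlan"])
        if ev["kind"] == "mac_flap_resume":
            still_open.pop(key, None)   # the block on this interface/VLAN was lifted
        else:
            still_open[key] = ev
    return still_open

# First three lines are the page's traps (in the page's order); the last is constructed.
SAMPLE = [
    "#Jan 1 2008 06:53:12-08:00 Quidway L2IFPPI/4/MFLPIFRESUME:OID 1.3.6.1.4.1.2011.5.25.160.3.2 Loop does not exist in vlan 3, Interface Ethernet0/0/1 resumed, block-time is 30 for mac-flapping disappeared.",
    "#Jan 1 2008 06:52:22-08:00 Quidway L2IFPPI/4/MFLPIFBLOCK:OID 1.3.6.1.4.1.2011.5.25.160.3.1 Loop exist in vlan 3, Interface Ethernet0/0/1 blocked, block-time is 30 for mac-flapping, Mac Address is 00e0-fc22-765a.",
    "#Jan 1 2008 06:43:54-08:00 Quidway LDT/4/Porttrap:OID 1.3.6.1.4.1.2011.5.25.174.3.3 Loopback does exist on interface(5) Ethernet0/0/1 ( VLAN 20 ) , loopback detect status: 4.(1:normal; 2:block; 3:shutdown; 4:trap; 5:nolearn)",
    "#Jan 1 2008 06:54:02-08:00 Quidway L2IFPPI/4/MFLPIFBLOCK:OID 1.3.6.1.4.1.2011.5.25.160.3.1 Loop exist in vlan 3, Interface Ethernet0/0/2 blocked, block-time is 30 for mac-flapping, Mac Address is 00e0-fc00-0001.",
]

if __name__ == "__main__":
    for (ifname, vlan), ev in sorted(active_loops(SAMPLE).items()):
        print(ifname, "VLAN", vlan, ev["kind"], ev.get("action") or ev.get("mac"))
```

Because the LDT trap has no matching "resumed" message on this page, an LDT loop stays in the open set until an operator clears it.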

    1.7.4 What Is the Default Interval for Sending LBDT Packets on an Interface?

    Run the loopback-detect packet-interval packet-interval-time command in the system view to set the interval for sending LBDT packets.
    - V100R005: The default interval for sending LBDT packets is 30s.
    - V100R006 and later versions: The default interval for sending LBDT packets is 5s.

    NOTE
    A shorter interval indicates that the system sends more LBDT packets in a given period and detects loops more accurately. However, more system resources are consumed.

    1.7.5 How Do I Differentiate LBDT Packets Sent by Different Interfaces?

    The LBDT-enabled interface sends an LBDT packet at intervals to detect loops. If the LBDT packet is received by the same interface, a loopback occurs on the interface or loops occur on the network connected to the interface. Then the interface switches to the loopback detection state. The interface automatically restores after three detection intervals.

    NOTE
    LBDT packets are sent frequently; therefore, the CPU usage will increase if the LBDT function is enabled on all interfaces.

    - V100R005


      LBDT packets sent by different interfaces are distinguished by the protocol ID. By default, the system assigns a protocol ID to each interface in ascending order.
      You can run the loopback-detect protocol protocol-id command to configure a protocol ID in LBDT packets.

      NOTE
      - The protocol ID in LBDT packets can be configured only when LBDT is disabled.
      - The protocol ID in LBDT packets must be unique on an interface.

    - V100R006 and later versions
      LBDT packets sent by different interfaces are distinguished by the interface index.

    1.8 How Do I Configure a Static Binding Entry (user-bind static) for IPSG?

    IPSG stands for IP Source Guard, a feature used to defend against source IP address spoofing attacks.
    IPSG checks the validity of IP packets against DHCP dynamic or static binding entries. The IPSG function works only when binding entries are available. Before a switch forwards an IP packet, it compares the source IP address, source MAC address, inbound interface, and VLAN ID of the IP packet with DHCP binding entries. If the IP packet matches a binding entry, the switch considers the IP packet valid and forwards it. Otherwise, the switch considers the IP packet an attack packet and discards it.
    You can configure static binding entries on a switch when the switch connects to a LAN with only a few hosts using static IP addresses. All the S series switches support configuration of static DHCP binding entries.
    The configuration procedure is as follows:

    # Create static binding entries by specifying the bound IP addresses and MAC addresses in the system view.
    [Quidway] user-bind static ip-address 10.1.1.1 mac-address 00E0-1011-0001
    [Quidway] user-bind static ip-address 10.1.1.2 mac-address 00E0-1011-0002

    # Enable IPSG on specified interfaces.
    [Quidway] interface Ethernet0/0/1
    [Quidway-Ethernet0/0/1] ip source check user-bind enable
    [Quidway-Ethernet0/0/1] quit
    [Quidway] interface Ethernet0/0/2
    [Quidway-Ethernet0/0/2] ip source check user-bind enable
    [Quidway-Ethernet0/0/2] quit
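The matching rule described in 1.8, modelled in Python against the two static entries and the two IPSG-enabled interfaces configured above. This is an added example, not Huawei code: the class and function names are hypothetical, the test packets are constructed, and it assumes that a field a static entry does not specify (here interface and VLAN) is not compared.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

def norm_mac(mac):
    """Reduce 00E0-1011-0001 or 00:e0:10:11:00:01 to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

@dataclass(frozen=True)
class Binding:
    ip: Optional[str] = None          # None = field not specified in the entry
    mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, ip, mac, interface, vlan):
        # Assumption: a field the entry does not specify is not compared.
        return all(want is None or want == got for want, got in
                   ((self.ip, ip), (self.mac, mac),
                    (self.interface, interface), (self.vlan, vlan)))

def parse_user_bind(line):
    """Parse the 'user-bind static ip-address A mac-address B' form used on this page."""
    m = re.search(r"user-bind static ip-address (\S+) mac-address (\S+)", line)
    if not m:
        raise ValueError(f"unsupported binding syntax: {line!r}")
    return Binding(ip=str(ipaddress.ip_address(m.group(1))), mac=norm_mac(m.group(2)))

class IpsgModel:
    def __init__(self, bindings, enabled_interfaces):
        if not bindings:
            # The page says IPSG works only when binding entries are available;
            # the empty-table case is deliberately not modelled here.
            raise ValueError("at least one binding entry is required")
        self.bindings = list(bindings)
        self.enabled = set(enabled_interfaces)

    def verdict(self, interface, vlan, src_ip, src_mac):
        """Return 'unchecked', 'forward' or 'discard' for one IP packet."""
        if interface not in self.enabled:
            return "unchecked"   # no 'ip source check user-bind enable' on this port
        ip, mac = str(ipaddress.ip_address(src_ip)), norm_mac(src_mac)
        hit = any(b.matches(ip, mac, interface, vlan) for b in self.bindings)
        return "forward" if hit else "discard"

# Binding commands and IPSG-enabled interfaces copied from the page.
CONFIG = """\
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 00E0-1011-0001
[Quidway] user-bind static ip-address 10.1.1.2 mac-address 00E0-1011-0002
"""
MODEL = IpsgModel([parse_user_bind(line) for line in CONFIG.splitlines()],
                  enabled_interfaces={"Ethernet0/0/1", "Ethernet0/0/2"})

if __name__ == "__main__":
    # Constructed packets: (interface, VLAN, source IP, source MAC).
    for pkt in [("Ethernet0/0/1", 1, "10.1.1.1", "00:e0:10:11:00:01"),
                ("Ethernet0/0/1", 1, "10.1.1.1", "00e0-1011-0002"),
                ("Ethernet0/0/3", 1, "10.1.1.9", "00e0-1011-0009")]:
        print(pkt, "->", MODEL.verdict(*pkt))
```

Under the stated assumption, entries that carry only an IP and a MAC address also match on any other IPSG-enabled interface, and interfaces without ip source check user-bind enable are not checked at all.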

    1.9 VLAN
    1.9.1 How Do I Change the Link Type of an Interface?
    1.9.2 Which VLAN Assignment Methods Do S Series Switches Support?
    1.9.3 The Link Type of an Interface Cannot Be Changed from Hybrid to Access. How Is This Problem Solved?


    1.9.1 How Do I Change the Link Type of an Interface?

    Four link types are defined: access, trunk, hybrid, and dot1q-tunnel. The following provides the methods to set different link types.

    1. Access

       [Quidway-GigabitEthernet1/0/1] port link-type access
       [Quidway-GigabitEthernet1/0/1] port default vlan 10

       The preceding configuration changes the link type of the interface to access.
       An access interface processes packets as follows:
       - When receiving an untagged packet, the interface accepts the packet and tags it with the default VLAN ID.
       - When receiving a tagged packet:
         - If the VLAN ID of the packet is the same as the default VLAN ID of the interface, the interface accepts the packet.
         - If the VLAN ID of the packet is different from the default VLAN ID of the interface, the interface drops the packet.
       - Before sending a packet, the interface removes the VLAN tag from the packet.

    2. Trunk

       [Quidway-GigabitEthernet1/0/1] port link-type trunk
       [Quidway-GigabitEthernet1/0/1] port trunk pvid vlan 20
       [Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 10 20

       The preceding configuration changes the link type of the interface to trunk.
       A trunk interface processes packets as follows:
       - When receiving an untagged packet:
         - The interface tags the packet with the default VLAN ID. If the default VLAN ID is in the list of allowed VLAN IDs, the interface accepts the packet.
         - The interface tags the packet with the default VLAN ID. If the default VLAN ID is not in the list of allowed VLAN IDs, the interface drops the packet.
       - When receiving a tagged packet:
         - If the VLAN ID of the packet is in the list of allowed VLAN IDs, the interface accepts the packet.
         - If the VLAN ID of the packet is not in the list of allowed VLAN IDs, the interface drops the packet.
       - When sending a packet:
         - If the VLAN ID of the packet is the same as the default VLAN and is in the list of allowed VLAN IDs, the interface removes the tag from the packet and sends the packet.
         - If the VLAN ID of the packet is different from the default VLAN and is in the list of allowed VLAN IDs, the interface retains the tag and sends the packet.

    3. Hybrid

       [Quidway-GigabitEthernet1/0/1] port link-type hybrid
       [Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
       [Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 2 10
       [Quidway-GigabitEthernet1/0/1] port hybrid tagged vlan 20

       The preceding configuration changes the link type of the interface to hybrid.
       A hybrid interface processes packets as follows:


       - When receiving an untagged packet:
         - The interface tags the packet with the default VLAN ID. If the default VLAN ID is in the list of allowed VLAN IDs, the interface accepts the packet.
         - The interface tags the packet with the default VLAN ID. If the default VLAN ID is not in the list of allowed VLAN IDs, the interface drops the packet.
       - When receiving a tagged packet:
         - If the VLAN ID of the packet is in the list of allowed VLAN IDs, the interface accepts the packet.
         - If the VLAN ID of the packet is not in the list of allowed VLAN IDs, the interface drops the packet.
       - When sending a packet:
         - If the VLAN ID of the packet is in the list of allowed VLAN IDs, the interface sends the packet. You can run the port hybrid untagged vlan command to configure the interface to remove tags of packets or run the port hybrid tagged vlan command to configure the interface to send tagged packets.

    4. Dot1q-tunnel

       [Quidway-GigabitEthernet1/0/1] port link-type dot1q-tunnel
       [Quidway-GigabitEthernet1/0/1] port default vlan 20

       The preceding configuration changes the link type of the interface to dot1q-tunnel. A dot1q-tunnel interface adds a VLAN tag to packets before forwarding them, regardless of the original VLAN IDs of the packets. Before sending a packet, a dot1q-tunnel interface removes the tag with the default VLAN ID from the packet.
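The receive and send rules in 1.9.1 for access, trunk, and hybrid interfaces, written as a small Python model and run against the three example configurations above. This is an added example, not Huawei code: the names are hypothetical, dot1q-tunnel is left out, and it assumes a VLAN outside an interface's list is not sent (the page only describes allowed VLANs on the sending side).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    link_type: str                      # "access", "trunk" or "hybrid"
    pvid: int                           # default VLAN ID
    allowed: frozenset = frozenset()    # trunk: port trunk allow-pass vlan
    untagged: frozenset = frozenset()   # hybrid: port hybrid untagged vlan
    tagged: frozenset = frozenset()     # hybrid: port hybrid tagged vlan

    def permitted(self):
        """VLAN IDs the interface accepts and sends."""
        if self.link_type == "access":
            return frozenset({self.pvid})
        if self.link_type == "trunk":
            return self.allowed
        return self.untagged | self.tagged

def ingress(port, tag):
    """VLAN a received frame is placed in, or None if dropped (tag=None: untagged)."""
    vid = port.pvid if tag is None else tag   # untagged frames get the default VLAN ID
    return vid if vid in port.permitted() else None

def egress(port, vlan):
    """How a frame in `vlan` leaves the interface: 'untagged', 'tagged' or None."""
    if vlan not in port.permitted():
        return None                           # assumption: not sent at all
    if port.link_type == "access":
        return "untagged"
    if port.link_type == "trunk":
        return "untagged" if vlan == port.pvid else "tagged"
    return "untagged" if vlan in port.untagged else "tagged"

def walk(port, tags=(None, 2, 10, 20, 30)):
    """Rows of (received tag, VLAN after ingress, form on egress from the same port)."""
    rows = []
    for tag in tags:
        vlan = ingress(port, tag)
        rows.append((tag, vlan, egress(port, vlan) if vlan is not None else None))
    return rows

# The three example configurations from 1.9.1.
ACCESS = Port("access", pvid=10)
TRUNK = Port("trunk", pvid=20, allowed=frozenset({2, 10, 20}))
HYBRID = Port("hybrid", pvid=10, untagged=frozenset({2, 10}), tagged=frozenset({20}))

if __name__ == "__main__":
    for name, port in (("access", ACCESS), ("trunk", TRUNK), ("hybrid", HYBRID)):
        for tag, vlan, form in walk(port):
            print(f"{name:7} rx tag={tag!s:5} -> vlan={vlan!s:5} tx={form}")
```

The trunk rows show that untagged frames land in the PVID (VLAN 20 here) only while that VLAN is in the allow-pass list, which is worth checking when auditing trunk configurations.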

    1.9.2 Which VLAN Assignment Methods Do S Series Switches Support?

    Table 1-6 lists the VLAN assignment methods supported by different switch models of different versions.

    Table 1-6 VLAN assignment methods

    | VLAN Assignment Method            | V100R006C03                            | V100R006C05                  | V200R001/V200R002/V200R003 |
    |-----------------------------------|----------------------------------------|------------------------------|----------------------------|
    | Port-based VLAN assignment        | Supported by all models                | Supported by all models      | Supported by all models    |
    | MAC address-based VLAN assignment | Not supported by the S2300SI           | Not supported by the S2300SI | Supported by all models    |
    | IP subnet-based VLAN assignment   | Not supported by the S2352EI and S2300 | Not supported by the S2300   | Supported by all models    |
    | Protocol-based VLAN assignment    | Not supported by the S2352EI and S2300 | Not supported by the S2300   | Supported by all models    |
    | Policy-based VLAN assignment      | Not supported by the S2352EI and S2300 | Not supported                | Supported by all models    |


    1.9.3 The Link Type of an Interface Cannot Be Changed from Hybrid to Access. How Is This Problem Solved?

    Before using the port link-type command to change the link type of an interface, restore the default configuration of the interface.
    You can run the display this command in the interface view to view the interface configuration. Assume that the following configuration is used:

    #
    interface GigabitEthernet0/0/1
     undo port hybrid vlan 1
     port hybrid tagged vlan 10
    #

    Run the port hybrid untagged vlan 1 and undo port hybrid tagged vlan 10 commands to restore the default configuration of the interface. Then change the link type of the interface.

    1.10 Password
    1.10.1 Which Are the Default Passwords Used on S Series Switches?
    1.10.2 How Can I Delete a Console Login Password?

    1.10.1 Which Are the Default Passwords Used on S Series Switches?

    On the S series switches of all versions:
    - When you log in to a switch through a console port, no default user name or password is provided. The system asks you to set the user name and password when you log in to the switch for the first time.
    - Before you log in to a switch through Telnet, create a Telnet account.
      You can set the Telnet login authentication method in the VTY. If the password authentication mode is configured, set a password in the VTY. If the AAA local authentication mode is configured, set the user name and password in the AAA view. If the remote AAA authentication mode is configured, set the user name and password on the AAA server.
    - When you log in to a switch through web, your default user level is 0: visit level.
    For other default passwords, see Table 1-7.

    NOTE

    By