1215100134-002 ZXR10 5900E Series (V2.8.23.C) Easy-Maintenance MPLS Routing Switch User Manual (Basic Configuration) - 396889

ZXR10 5900E Series
Easy-Maintenance MPLS Routing Switch

User Manual (Basic Configuration)
Version: 2.8.23.C
ZTE CORPORATION
NO. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://ensupport.zte.com.cn
E-mail: support@zte.com.cn
LEGAL INFORMATION
Copyright 2011 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided as is, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Revision History
Revision No. Revision Date Revision Reason
R1.0 2012-01-31 First edition
Serial Number: SJ-20111215100134-002
Publishing Date: 2012-01-31 (R1.0)

Contents
About This Manual ......................................................................................... I
Chapter 1 Safety Instructions.................................................................... 1-1
1.1 Safety Introduction ............................................................................................. 1-1
1.2 Safety Signs ...................................................................................................... 1-1
Chapter 2 Usage and Operation................................................................ 2-1

2.1 Configuration Mode ............................................................................................ 2-1
2.1.1 Console Port-Based Configuration Mode ................................................... 2-1
2.1.2 Telnet-Based Configuration Mode.............................................................. 2-4
2.1.3 SSH-Based Configuration Mode................................................................ 2-6
2.1.4 SNMP-Based Configuration Mode ............................................................. 2-8
2.2 Command Modes............................................................................................... 2-8
2.3 Command Line Function................................................................................... 2-10
2.3.1 Online Help Commands.......................................................................... 2-10
2.3.2 Command Abbreviation .......................................................................... 2-12
2.3.3 Recent Commands................................................................................. 2-12
Chapter 3 System Management ................................................................ 3-1

3.1 File System........................................................................................................ 3-1
3.1.1 Introduction.............................................................................................. 3-1
3.1.2 File System Management ......................................................................... 3-2
3.2 FTP/TFTP Overview........................................................................................... 3-3
3.2.1 Configuring a ZXR10 5900E Series Unit as an FTP Client .......................... 3-4
3.2.2 Configuring a ZXR10 5900E Series Unit as a TFTP Client .......................... 3-5
3.3 Backing Up and Restoring Data .......................................................................... 3-6
3.3.1 Backing Up the Configuration File ............................................................. 3-6
3.3.2 Restoring the Configuration File ................................................................ 3-6
3.3.3 Backing Up the Software File .................................................................... 3-7
3.3.4 Restoring the Software File ....................................................................... 3-7
3.4 Upgrading the Software ...................................................................................... 3-7
3.4.1 Abnormal Software Upgrade ..................................................................... 3-7
3.4.2 Normal Software Upgrade....................................................................... 3-10
3.5 Configuring the System Parameters .................................................................. 3-10
3.5.1 Setting a Hostname ................................................................................ 3-10
3.5.2 Setting the Welcome Message .................................................................3-11
I
3.5.3 Setting a Privileged Mode Key .................................................................3-11
3.5.4 Setting Telnet Username and Password....................................................3-11
3.5.5 Setting the System Clock .........................................................................3-11
3.5.6 Setting System Console User Connection Parameters...............................3-11
3.5.7 Setting System Telnet User Connection Parameters ................................. 3-12
3.5.8 Allowing Multiple Users to Configure the System at the Same Time ........... 3-12
3.6 Viewing System Information .............................................................................. 3-13
3.6.1 Viewing Hardware and Software Versions ................................................ 3-13
3.6.2 Viewing the Operating Configuration........................................................ 3-13
3.6.3 System Abnormal Display and Record..................................................... 3-13
3.6.4 Collecting System Information by One Command ..................................... 3-14
3.6.5 Collecting System Fault and Diagnosis Information .................................. 3-15
3.7 Memory Detection ............................................................................................ 3-15
3.7.1 Function Overview.................................................................................. 3-15
3.7.2 Command Description ............................................................................ 3-15
3.7.3 Configuration Examples.......................................................................... 3-17
3.8 Configuring System by One-Command ............................................................. 3-19
3.9 Device Power-off Alarm .................................................................................... 3-20
3.10 Restart on Schedule ....................................................................................... 3-21
3.10.1 Periodical Restart Overview .................................................................. 3-21
3.10.2 Configuring Scheduled Restart ............................................................. 3-21
3.10.3 Periodical Restart Configuration Example .............................................. 3-22
3.11 System Maintenance ...................................................................................... 3-22
3.11.1 System Maintenance Overview.............................................................. 3-22
3.11.2 Configuring System Maintenance Function............................................. 3-22
3.11.3 System Maintenance Configuration Example.......................................... 3-23
Chapter 4 Interface Configuration ............................................................ 4-1

4.1 Basic Port Configuration ..................................................................................... 4-1
4.1.1 Enabling/Disabling an Ethernet Port .......................................................... 4-2
4.1.2 Configuring Auto-Negotiation on an Ethernet Port ...................................... 4-2
4.1.3 Configuring Automatic Negotiation Notification on an Ethernet Port ............ 4-3
4.1.4 Configuring Duplex Mode on an Ethernet Port............................................ 4-3
4.1.5 Configuring Speed on an EthernetPort....................................................... 4-3
4.1.6 Configuring Flow Control on an Ethernet Port............................................. 4-4
4.1.7 Configuring Jumbo Frame Functionality on an Ethernet Port ....................... 4-4
4.1.8 Configuring a Port Alias on an Ethernet Port .............................................. 4-4
4.1.9 Configuring Broadcast Storm Suppression on an Ethernet Port ................... 4-5
II
4.1.10 Configuring Multicast Packet Suppression on an Ethernet Port.................. 4-5
4.1.11 Configuring Illegal Packet Suppression on an Ethernet Port ...................... 4-5
4.1.12 Configuring the Link State Monitoring Mode of an Ethernet Port ................ 4-6
4.1.13 Configuring a Gigabit Optical Port to Support a 1000Base-T Small
Form-factor Pluggable (SFP) Module ....................................................... 4-6
4.1.14 Viewing the Layer 2Interface Operation Status ....................................... 4-6
4.1.15 Displaying Port Information ..................................................................... 4-7
4.1.16 Viewing Queue Statistics ........................................................................ 4-8
4.1.17 Analyzing and Diagnosing Cable Connections.......................................... 4-9
4.1.18 Monitoring Interface Traffic.................................................................... 4-10
4.2 Port Mirroring Configuration .............................................................................. 4-10
4.2.1 Port Mirroring Overview .......................................................................... 4-10
4.2.2 Configuring Port Mirroring ........................................................................4-11
4.2.3 Port Mirroring Configuration Examples..................................................... 4-12
4.3 ERSPAN Configuration ..................................................................................... 4-14
4.3.1 ERSPAN Overview ................................................................................. 4-14
4.3.2 Configuring ERSPAN.............................................................................. 4-14
4.3.3 ERSPAN Configuration Example ............................................................. 4-15
4.4 Loopback Detection Configuration ..................................................................... 4-16
4.4.1 Introduction to Interface Loopback Detection............................................ 4-16
4.4.2 Configuring Interface Loopback Detection................................................ 4-16
4.5 DOM Configuration........................................................................................... 4-18
4.5.1 DOM Function Overview......................................................................... 4-18
4.5.2 Configuring DOM ................................................................................... 4-18
Chapter 5 Network Protocol Configuration.............................................. 5-1

5.1 IP Address Configuration .................................................................................... 5-1
5.1.1 IP Address Overview ................................................................................ 5-1
5.1.2 Configuring an IP Address ........................................................................ 5-1
5.1.3 IP Address Configuration Example ............................................................ 5-1
5.2 Address Resolution Protocol (ARP) Configuration ................................................ 5-2
5.2.1 ARP Overview ......................................................................................... 5-2
5.2.2 Configuring ARP ...................................................................................... 5-2
5.2.3 ARP Configuration Example...................................................................... 5-3
5.3 MFF Configuration.............................................................................................. 5-4
5.3.1 MFF Function Overview............................................................................ 5-4
5.3.2 Configuring MFF ...................................................................................... 5-4
5.3.3 MFF Configuration Example...................................................................... 5-5
III
5.3.4 MFF Maintenance and Diagnosis .............................................................. 5-8
Chapter 6 Access Control List (ACL) Configuration............................... 6-1

6.1 ACL Overview.................................................................................................... 6-1
6.2 Configuring ACL................................................................................................. 6-1
6.2.1 Configuring a Time Range ........................................................................ 6-1
6.2.2 Configuring ACL Rules ............................................................................. 6-2
6.2.3 Applying an ACL on an Ingress VFP.......................................................... 6-6
6.2.4 Applying an ACL to a VLAN ...................................................................... 6-6
6.2.5 Applying an ACL in the Inbound Direction .................................................. 6-7
6.2.6 Applying an ACL in the Outbound Direction................................................ 6-8
6.2.7 Applying ACL on a Physical Port ............................................................... 6-9
6.2.8 Configuring Description for a Rule ............................................................. 6-9
6.3 ACL Configuration Example .............................................................................. 6-10
6.4 ACL Maintenance and Diagnosis....................................................................... 6-12
Chapter 7 QoS Configuration .................................................................... 7-1

7.1 QoS Overview.................................................................................................... 7-1
7.1.1 Traffic Classification ................................................................................. 7-1
7.1.2 Traffic Policing ......................................................................................... 7-1
7.1.3 Adding, Deleting, and Modifying VLAN ID .................................................. 7-6
7.1.4 Traffic Shaping ......................................................................................... 7-8
7.1.5 Queue Bandwidth Limit............................................................................. 7-8
7.1.6 Queue Scheduling and Default 802.1p Priority ........................................... 7-8
7.1.7 Redirection and Policy Routing.................................................................. 7-9
7.1.8 Priority Tagging ........................................................................................ 7-9
7.1.9 Remarking Outer-Layer VLAN Value ......................................................... 7-9
7.1.10 Flow Mirroring ........................................................................................ 7-9
7.1.11 Traffic Statistics ...................................................................................... 7-9
7.2 Configuring QoS .............................................................................................. 7-10
7.2.1 Configuring Traffic Policing ..................................................................... 7-10
7.2.2 Adding/Deleting/Modifying VLAN-ID ........................................................ 7-12
7.2.3 Configuring Traffic Shaping ..................................................................... 7-13
7.2.4 Configuring Queue Bandwidth Limit......................................................... 7-13
7.2.5 Configuring Queue Scheduling and Default 802.1p of a Port ..................... 7-13
7.2.6 Configuring Redirection and Policy Routing.............................................. 7-14
7.2.7 Configuring Priority Marking .................................................................... 7-14
7.2.8 Configuring an Outer-Layer VLAN Value .................................................. 7-15
7.2.9 Configuring Traffic Mirroring .................................................................... 7-15
IV
7.2.10 Configuring Tail-Drop ............................................................................ 7-16
7.2.11 Configuring Traffic Statistics .................................................................. 7-16
7.3 Configuring 802.1p and MPLS EXP Mapping Function ....................................... 7-17
7.3.1 Configuring the Mapping from Multi Protocol Label Switching (MPLS)
EXP to Class of Service (CoS)/DSCP..................................................... 7-17
7.3.2 Configuring the Mapping from CoS to MPLS EXP .................................... 7-18
7.3.3 Viewing EXP Mapping Configuration ....................................................... 7-19
7.3.4 Viewing CoS Mapping Configuration........................................................ 7-19
7.3.5 Enabling MPLS-EXP Mapping on a Port .................................................. 7-20
7.3.6 Enabling CoS Mapping on a Port............................................................. 7-20
7.4 QoS Configuration Examples ............................................................................ 7-21
7.4.1 Typical QoS Configuration Example......................................................... 7-21
7.4.2 Policy Routing Configuration Example ..................................................... 7-22
7.5 QoS Maintenance and Diagnosis ...................................................................... 7-23
7.6 WRED Function ............................................................................................... 7-23
7.6.1 WRED Overview .................................................................................... 7-23
7.6.2 Configuring WRED ................................................................................. 7-24
Chapter 8 DHCP Configuration ................................................................. 8-1

8.1 DHCP Overview ................................................................................................. 8-1
8.2 Configuring DHCP.............................................................................................. 8-1
8.2.1 Configuring an IP Address Pool................................................................. 8-1
8.2.2 Configuring a DHCP Address Pool ............................................................ 8-3
8.2.3 Configuring a DHCP Policy ....................................................................... 8-5
8.2.4 Configuring a DCHP Server ...................................................................... 8-6
8.2.5 Configuring DHCP Snooping..................................................................... 8-9
8.2.6 Configuring a DHCP Relay ..................................................................... 8-12
8.2.7 Configuring a DHCP Client ..................................................................... 8-16
8.3 DHCP Configuration Examples ......................................................................... 8-17
8.3.1 DHCP Server Configuration Example ...................................................... 8-17
8.3.2 DHCP Relay Configuration Example........................................................ 8-18
8.3.3 DHCP Snooping Configuration Example .................................................. 8-19
8.3.4 DHCP Snooping Preventing Static IP Configuration.................................. 8-20
8.4 DHCP Maintenance and Diagnosis.................................................................... 8-21
Chapter 9 VRRP Configuration ................................................................. 9-1

9.1 VRRP Overview ................................................................................................. 9-1
9.2 Configuring VRRP .............................................................................................. 9-1
9.3 VRRP Configuration Examples............................................................................ 9-2
V
9.3.1 Basic VRRP Configuration Example .......................................................... 9-2
9.3.2 Symmetric VRRP Configuration Example................................................... 9-3
9.4 VRRP Maintenance and Diagnosis...................................................................... 9-4
Chapter 10 DOT1X Configuration ........................................................... 10-1

10.1 DOT1x Overview ............................................................................................ 10-1
10.2 Configuring DOT1X ........................................................................................ 10-1
10.2.1 Configuring AAA................................................................................... 10-1
10.2.2 Configuring the DOT1X Parameters ...................................................... 10-3
10.2.3 Configuring a Local Authentication User................................................. 10-4
10.2.4 Managing DOT1X Authentication Access Users ..................................... 10-5
10.2.5 Managing Multi-Domains ...................................................................... 10-6
10.2.6 Configuring 802.1x VLAN Jumping ........................................................ 10-7
10.3 DOT1X Configuration Examples ...................................................................... 10-8
10.3.1 DOT1X RADIUS Authentication Application ........................................... 10-8
10.3.2 DOT1X Relay Authentication Application ............................................... 10-9
10.3.3 DOT1X Local Authentication Application ...............................................10-10
10.3.4 VLAN Jumping Function in DOT1X Local Authentication........................ 10-11
10.4 DOT1X Maintenance and Diagnosis ............................................................... 10-11
Chapter 11 VBAS Configuration.............................................................. 11-1

11.1 VBAS Overview...............................................................................................11-1
11.2 Configuring VBAS............................................................................................11-1
11.2.1 Enabling VBAS......................................................................................11-1
11.2.2 Enabling VBAS in VLAN Mode ...............................................................11-1
11.2.3 Configuring a VBAS Trust Interface.........................................................11-1
11.2.4 Configuring a VBAS Port Type................................................................11-2
11.3 VBAS Configuration Example ...........................................................................11-2
11.4 VBAS Maintenance and Diagnosis....................................................................11-3
Chapter 12 ZESR/ZESR+ Configuration ................................................. 12-1

12.1 ZESR/ZESR+ Overview.................................................................................. 12-1
12.2 Configuring ZESR/ZESR+............................................................................... 12-1
12.2.1 Configuring a Protection Instance in a ZESR Domain ............................. 12-1
12.2.2 Configuring ZESR on a Node on a Major Ring........................................ 12-2
12.2.3 Configuring ZESR on a Node on an Access Ring ................................... 12-3
12.2.4 Configuring ZESR Restart-Time ............................................................ 12-4
12.2.5 Configuring ZESR Destination MAC Address ......................................... 12-4
12.2.6 Configuring the Function of Sending TCN Packets in the ZESR
Domain ................................................................................................ 12-5
VI
12.2.7 Configuring the Function of Sending TCN Packets.................................. 12-5
12.2.8 Configuring the Interface Detection Mode .............................................. 12-6
12.2.9 Configuring Link-Hello Packet Parameters ............................................. 12-7
12.3 ZESR/ZESR+ Configuration Examples ............................................................ 12-7
12.3.1 ZESR Configuration Example................................................................ 12-7
12.3.2 ZESR and ZESR+ Hybrid Configuration Example .................................. 12-11
Chapter 13 IPTV Configuration ............................................................... 13-1

13.1 IPTV Overview ............................................................................................... 13-1
13.2 Configuring IPTV ............................................................................................ 13-1
13.2.1 Configuring IPTV Global Parameters ..................................................... 13-1
13.2.2 Configuring an IPTV Channel ................................................................ 13-2
13.2.3 Configuring an IPTV Channel Group...................................................... 13-3
13.2.4 Configuring CAC .................................................................................. 13-3
13.2.5 Managing the IPTV Users ..................................................................... 13-5
13.2.6 Enabling or Disabling the IPTV Privilege Function Globally ..................... 13-5
13.2.7 Configuring Default Source VLAN of the IPTV Privilege Function............. 13-5
13.2.8 Creating or Deleting an IPTV Privilege Rule ........................................... 13-5
13.3 IPTV Privilege Function Configuration Example................................................ 13-6
13.4 IPTV Privilege Function Maintenance and Diagnosis ........................................ 13-9
13.5 IPTV Configuration Examples.........................................................................13-10
13.6 IPTV Maintenance and Diagnosis................................................................... 13-11
Chapter 14 Network Management Configuration .................................. 14-1

14.1 NTP Configuration .......................................................................................... 14-1
14.1.1 NTP Overview...................................................................................... 14-1
14.1.2 Configuring NTP................................................................................... 14-1
14.1.3 NTP Configuration Example .................................................................. 14-3
14.2 RADIUS Configuration .................................................................................... 14-3
14.2.1 RADIUS Overview ................................................................................ 14-3
14.2.2 Configuring Radius ............................................................................... 14-4
14.2.3 RADIUS Configuration Example ............................................................ 14-5
14.3 SNMP Configuration ....................................................................................... 14-6
14.3.1 SNMP Overview................................................................................... 14-6
14.3.2 Configuring SNMP................................................................................ 14-6
14.3.3 SNMP Configuration Example ............................................................... 14-9
14.4 RMON Configuration ...................................................................................... 14-9
14.4.1 RMON Overview .................................................................................. 14-9
14.4.2 Configuring RMON ............................................................................... 14-9
VII
14.4.3 RMON Configuration Examples............................................................14-10
14.5 SysLog Configuration ....................................................................................14-12
14.5.1 SysLog Overview ................................................................................14-12
14.5.2 Configuring SysLog .............................................................................14-12
14.5.3 Syslog Configuration Example..............................................................14-14
14.6 TACACS+ Configuration ................................................................................14-15
14.6.1 TACACS+ Overview ............................................................................14-15
14.6.2 Configuring TACACS+ .........................................................................14-15
14.6.3 TACACS+ Configuration Example ........................................................14-17
Chapter 15 Cluster Management Configuration .................................... 15-1

15.1 Cluster Management Overview........................................................................ 15-1
15.2 Configuring Cluster Management .................................................................... 15-3
15.2.1 Configuring ZDP................................................................................... 15-3
15.2.2 Configuring ZTP ................................................................................... 15-3
15.2.3 Establishing a Cluster ........................................................................... 15-4
15.2.4 Maintaining a Cluster ............................................................................ 15-5
15.3 Cluster Management Configuration Example.................................................... 15-6
15.4 Cluster Management Maintenance and Diagnosis ............................................ 15-7
Chapter 16 Security Configuration ......................................................... 16-1

16.1 IP Source Guard ............................................................................................ 16-1
16.1.1 IP Source Guard Overview.................................................................... 16-1
16.1.2 Configuring IP Source Guard ................................................................ 16-1
16.1.3 IP Source Guard Configuration Examples .............................................. 16-1
16.2 Control Plane Security Configuration ............................................................... 16-3
16.2.1 Control Plane Security Overview ........................................................... 16-3
16.2.2 Configuring Control Plane Security ........................................................ 16-3
16.2.3 Control Plane Security Configuration Examples...................................... 16-5
16.2.4 Control Plane Security Maintenance and Diagnosis ................................ 16-5
16.3 DAI Configuration ........................................................................................... 16-6
16.3.1 DAI Overview ....................................................................................... 16-6
16.3.2 Configuring DAI.................................................................................... 16-7
16.3.3 DAI Maintenance and Diagnosis............................................................ 16-7
16.3.4 DAI Configuration Example ................................................................... 16-8
16.4 MFF Configuration.......................................................................................... 16-9
16.4.1 MFF Overview...................................................................................... 16-9
16.4.2 Configuring MFF .................................................................................. 16-9
16.4.3 MFF Configuration Example.................................................................16-10
VIII
16.4.4 MFF Maintenance and Diagnosis .........................................................16-10
Chapter 17 URPF Configuration.............................................................. 17-1

17.1 URPF Overview ............................................................................................. 17-1
17.2 Configuring URPF .......................................................................................... 17-1
17.3 URPF Maintenance and Diagnosis .................................................................. 17-1
Chapter 18 M_Button Function ............................................................... 18-1

18.1 M_button Function Description ........................................................................ 18-1
18.2 M_button Mode Switching ............................................................................... 18-2
Chapter 19 Energy-Efficiency.................................................................. 19-1

19.1 Energy-Efficiency Overview............................................................................. 19-1
19.2 Function Description ....................................................................................... 19-2
19.3 Energy-Efficiency Configuration....................................................................... 19-2
19.3.1 Energy-Efficiency Global Configuration .................................................. 19-2
19.3.2 Configuring an Energy-Efficiency Interface ............................................. 19-2
19.3.3 Energy-Efficiency Maintenance and Diagnosis ....................................... 19-3
Figures............................................................................................................. I
Tables ............................................................................................................ III
Glossary .........................................................................................................V
IX
X
About This Manual
Purpose
This manual is applicable to ZXR10 5900E series (V2.8.23.C) easy-maintenance MPLS
routing switches (abbreviated throughout this guide as ZXR10 5900E).This includes:
l ZXR10 5916E Easy-Maintenance MPLS Routing Switch
l ZXR10 5928E-FI Easy-Maintenance MPLS Routing Switch
What Is in This Manual

This manual contains the following chapters:
Chapter Summary
Chapter 1, Safety Instructions Describes the safety instructions and signs.
Chapter 2, Usage and Operation Describes configuration and command modes and command
line usage.
Chapter 3, System Management Describes in detail system management, the file system, switch
operation and software upgrade procedures.
Chapter 4, Interface Configuration Describes interface configuration for the ZXR10 5900E .
Chapter 5, Network Protocol Describes Internet Protocol (IP) address configuration and ARP
Configuration configuration for the ZXR10 5900E.
Chapter 6, Access Control List Describes the ACL concept, related configuration commands and
(ACL) Configuration configuration examples.
Chapter 7, QoS Configuration Describes the QoS concept, related configuration commands
and configuration examples.
Chapter 8, DHCP Configuration Describes the DHCP concept, related configuration commands
Chapter 9, VRRP Configuration Describes the VRRP concept, related configuration commands
Chapter 10, DOT1X Configuration Describes the DOT1X concept, related configuration commands
Chapter 11, VBAS Configuration Describes the VBAS concept, related configuration commands
I
Chapter Summary
Chapter 12, ZESR/ZESR+ Describes the ZESR/ZESR+ concept, related configuration

Configuration command and configuration examples.
Chapter 13, IPTV Configuration Describes the IPTV concept, related configuration commands
Chapter 14, Network Describes Network Time Protocol (NTP), Remote Authentication
Management Configuration Dial-In User Service (RADIUS), Simple Network Management
Protocol (SNMP), Remote Monitoring (RMON) and System
Log (SysLog) concepts, related configuration commands and
configuration examples.
Chapter 15, Cluster Management Describes cluster management concepts, related configuration
Configuration commands and configuration examples.
Chapter 16, Security Describes security management concepts, related configuration

Configuration commands and configuration examples.
Chapter 17, URPF Configuration Describes the URPF concept, related configuration commands.
Chapter 18, M_Button Function Describes the M_Button functions and mode switch methods.
Chapter 19, Energy-Efficiency Describes the energy-efficiency concepts and configuration

methods.
II
Chapter 1
Safety Instructions
Table of Contents
Safety Introduction .....................................................................................................1-1
Safety Signs ...............................................................................................................1-1
1.1 Safety Introduction

Only duly trained and qualified personnel can install, operate and maintain the ZXR10
5900E series devices.
During device installation, operation and maintenance, follow local safety regulations and
related operation instructions. Failure to follow safety guidelines and operation instructions
can result in damage to equipment, loss of traffic or personal injury. The safety precautions
in this manual are only supplements to local safety regulations.
Debug commands affect device performance, which may have serious consequences. So,
use the debug commands with caution. Especially, the debug all command, which opens
all debug processes. Therefore, do not use this command on in-service devices. ZTE
Corporation recommends that ZXR10 5900E series users NOT use the debug commands
while user networks are in the normal state.
ZTE Corporation assumes no responsibility for consequences of violating general
operational safety guidelines.
1.2 Safety Signs

The information that users should pay attention to when they install, operate and maintain
devices are explained in the following formats:
Caution!
Indicates matters needing attention during configuration.
Note:
Provides enhanced description, hint, tip and so on for ZXR10 5900E series operations.
1-1
SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

ZXR10 5900E Series User Manual (Basic Configuration)
This page intentionally left blank.
1-2

Chapter 2
Usage and Operation
Table of Contents
Configuration Mode ....................................................................................................2-1
Command Modes .......................................................................................................2-8
Command Line Function ..........................................................................................2-10
2.1 Configuration Mode

The ZXR10 5900E offers multiple configuration modes. See Figure 2-1. Select one of the
following configuration modes based on the connected network.
1. Console port-based configuration mode
2. Telecommunication Network Protocol (Telnet)-based configuration mode
3. Secure Shell (SSH)-based configuration mode
4. Simple Network Management Protocol (SNMP)-based configuration mode
Figure 2-1 ZXR10 5900E Configuration Modes Diagram
2.1.1 Console Port-Based Configuration Mode

This is the main ZXR10 5900E configuration mode. Implement ZXR10 5900E debugging
configuration through the console port connection. This configuration mode uses the
VT100 terminal.
2-1

1. Click Start > Programs > Accessories > Communications > HyperTerminal to start
HyperTerminal.
2. The Location Information dialog box is displayed. See Figure 2-2. Enter the location
information, and click OK.
Figure 2-2 Location Information Dialog Box
3. The Connection Description dialog box is displayed. See Figure 2-3. Enter a name
and select an icon for the new connection. Click OK.
Figure 2-3 Connection Description Dialog Box
2-2

Chapter 2 Usage and Operation
4. Select COM1 or COM2 according to the serial port used in the connection. See Figure
2-4.
Figure 2-4 Connect To Dialog Box
5. Select the properties of the connection. See Figure 2-5.
2-3

Figure 2-5 COM1 Properties Dialog Box
Apply power to and boot the ZXR10 5900E series unit to initialize the system and begin
configuration for operation.
2.1.2 Telnet-Based Configuration Mode

Telnet-based configuration mode is a remote mode to configure the ZXR10 5900E series
unit.
Telnet access requires a username and password, which prevents unauthorized users
from accessing the system through Telnet. To set a username and password, use the
following command in the command line interface:
username <username> password <password>
The device can define a list of authorized users to limit Telnet access and provide a higher
level of security. To permit or deny the IP addresses for Telnet access, use the following
command in the command line interface:
line telnet access-class <basic access list>
1. To log in to the ZXR10 5900E series unit through Telnet and connect to the host directly:
2-4

a. Configure a Virtual Local Area Network (VLAN) and its interfaces Internet Protocol
(IP) address through the console port. For VLAN configuration, refer to ZXR10
5900E Series (V2.8.23.C) Easy-Maintenance MPLS Routing Switch User Manual
(Ethernet Switching).
b. Configure a Telnet login username and password through the console port.
c. Connect the host network port to the ZXR10 5900E devices Ethernet port.
d. Set the network mask of the host IP address to match the VLAN interface so that
the host can ping the IP address of the VLAN interface successfully.
e. Log in to the ZXR10 5900E series unit by running the telnet command on the host.
f. Enter the IP address of the VLAN interface in the Open text field of the Run dialog
box. See Figure 2-6.
Figure 2-6 Run Dialog Box
g. Click OK to start the interface. See Figure 2-7.
Figure 2-7 Telnet Login
h. Enter the correct username and password to start device configuration.
2-5

Note:
a. Up to 16 Telnet users can access the ZXR10 5900E series unit simultaneously.
b. Never modify or delete the IP address of the management Ethernet port during
Telnet configuration. If the IP address of the management Ethernet port is modified
or deleted during Telnet configuration through the management port, the Telnet
connection fails.
2. Perform the following steps to log in to the device through Telnet from another device
(such as a switch or router).
a. Configure an IP address and VLAN interface through the console port.
b. Configure a Telnet login username and password through the console port.
c. Connect the router (or switch) to the ZXR10 5900E series unit, and ensure that
the router (or the switch) can ping the units VLAN interface successfully.
d. Run the telnet command on the unit and type the IP address of the VLAN interface
to log in to the device.
2.1.3 SSH-Based Configuration Mode

Telnet and File Transfer Protocol (FTP) connections are not safe because they use plain
text to transmit a password and other data on the network. In this case, data can be easily
intercepted by hackers. A disadvantage of Telnet/FTP security authentication is that it is
easily attacked by a man-in-the-middle (MITM). The MITM imitates a server to receive data
sent by the client and imitates the client to transmit data to the real server.
SSH can prevent this potential risk. SSH sets up a security channel for remote login on a
non-secured network and other networks to encrypt and compress all transmitted data. In
this way, no interception can obtain useful information.
The current SSH protocol has two versions that are incompatible with each other: SSH
v1.x and SSH v2.x. The ZXR10 5900E series system supports SSH v2.0 for safe remote
logins.
SSH consists of a server and a client. ZXR10 5900E serves as an SSH server. A host
runs the SSH client to log in to the ZXR10 5900E series unit.
1. To enable the SSH server in a ZXR10 5900E series environment, run the ssh server
enable command. By default, the SSH server is disabled.
2. Connect the host network interface to an Ethernet interface on the ZXR10 5900E series
unit so that the host can ping the ZXR10 5900E series unit VLAN interface successfully.
3. Run the SSH client software (PuTTY) on the host.
a. Click Session in the Category field. Set an IP and port number of the SSH server.
See Figure 2-8.
2-6

Figure 2-8 PuTTY Configuration Dialog Box
b. Click SSH in the Category field. Set the SSH version. See Figure 2-9.
2-7

Figure 2-9 PuTTY Configuration Dialog Box
4. Click Open to log in to the ZXR10 5900E series uni.

5. Enter the correct username and password.
The configuration interface is displayed. Begin normal configuration.
2.1.4 SNMP-Based Configuration Mode

SNMP is one of the most popular network protocols. A Network Management (NM) server
can manage all devices on the network through this protocol.
SNMP manages the system based on a client-server network configuration. A connected
NM server provides the functionality of an SNMP server and the ZXR10 5900E series
unit serves as an SNMP client. The NM server and ZXR10 5900E series unit share one
Management Information Base (MIB) and the SNMP provides the communications link.
Install Network Management Server (NMS) software supporting the SNMP on the
background NM server to manage and configure the ZXR10 5900E series unit.
2.2 Command Modes

ZXR10 5900E commands of are divided into many different modes. The commands that
can be used depend on the current mode.
2-8

Enter a question mark (?) at the system prompt to obtain a list of the commands available
for each command mode. Refer to Table 2-1 for the main ZXR10 5900E command modes.
Table 2-1 Command Modes
Mode Prompt Command
User mode ZXR10>
Privileged mode ZXR10# enable (used in user mode)
Global configuration ZXR10(config)# configure terminal (used in privileged mode)

mode
Port configuration ZXR10(config-gei_1/x)# interface {<interface-name>|byname

mode <by-name>} (used in global configuration mode)
VLAN database ZXR10(vlan)# vlan database (used in privileged mode)

configuration mode
VLAN configuration ZXR10(config-vlan)# vlan {<vlan-id>|<vlan-name>} (used in global

mode configuration mode)
VLAN interface ZXR10(config-if)# interface {vlan <vlan-id>|<vlan-if>} (used in

configuration mode global configuration mode)
Multiple ZXR10(config-mstp)# spanning-tree mst configuration (used in global

Spanning Tree configuration mode)
Protocol (MSTP)
configuration mode
Standard Access ZXR10(config-std-acl)# acl standard {number <acl-number>| name

Control List (ACL) <acl-name>} (used in global configuration
configuration mode mode)
Extended ACL ZXR10(config-ext-acl)# acl extended {number <acl-number>| name

configuration mode <acl-name>} (used in global configuration
mode)
L2 ACL ZXR10(config-link-acl)# acl link {number <acl-number>| name

mode)
Hybrid ACL ZXR10(config-hybd-acl)# acl hybrid {number <acl-number>| name

mode)
Routing Information ZXR10(config-router)# router rip (used in global configuration mode)

Protocol (RIP)
configuration mode
RIP address ZXR10(config-router- address-family ipv4 vrf <vrf-name> (used in RIP

configuration mode af)# routing configuration mode)
2-9

Mode Prompt Command
Open Shortest ZXR10(config-router)# router ospf < process-id> (used in global

Path First (OSPF) configuration mode)
configuration mode
Intermediate ZXR10(config-router)# router isis (used in global configuration mode)

System-to-
Intermediate System
(IS-IS) configuration
mode
Border Gateway ZXR10(config-router)# router bgp <as-number> (used in global

Protocol (BGP) configuration mode)
configuration mode
BGP address ZXR10(config-router- address-family {{ ipv4 {multicast | vrf <

configuration mode af)# vrf-name>}}| ipv6 } (used in BGP configuration
mode)
BGP configuration ZXR10(config-router)# router pimsm (used in global configuration

mode mode)
Route map ZXR10(config-route- route-map < map-tag>|{[<sequence-number>|

configuration mode map)# permit| deny]|<sequence-number>]} (used in
global configuration mode)
Diagnosis test mode ZXR10(diag)# diagnose (used in privileged mode)
To view the list of the commands available, enter a question mark after the prompt in a
command mode.
To return to the user mode, execute the disable command in privileged mode.
To exit the device, execute the exit command in user mode and privileged mode. To return
to the previous mode from other command modes, execute the exit command.
To return to the privileged mode from a command mode other than user mode and
privileged mode, execute the end command or entering Ctrl+z.
2.3 Command Line Function

2.3.1 Online Help Commands
1. To display a list of commands available for each command mode, enter a question
mark (?) after the system prompt. The following is an example.
ZXR10>?
Exec commands:
disable Turn off privileged commands
enable Turn on privileged commands
2-10

exitExit from the EXEC

login Login as a particular user
logout Exit from the EXEC
pingSend echo messages
ping6 Send IPv6 echo messages
quitQuit from the EXEC
showShow running system information
telnet Open a telnet connection
telnet6 Open a telnet6 connection
trace Trace route to destination
trace6 Trace route to destination using IPv6
who List users who are logining on
2. To obtain a list of commands that begin with a specific character string, enter the
character string followed by a question mark (?). The following is an example.
ZXR10#co?
configure copy
ZXR10#co
3. To complete a partial command name, press Tab after the character string. The
following is an example.
ZXR10#con<Tab>
ZXR10#configure (there is a space between the configure and cursor.)
4. To list the associated keywords for a command, enter the command followed by a
question mark (?). There is a space in front of the question mark. The following is an
example.
ZXR10#configure ?
terminal Enter configuration mode
ZXR10#configure
5. If a command is entered incorrectly, a caret (^) marks the position of the error. The caret
displays below the first character of the incorrect command, keyword or parameter.
The following is an example.
ZXR10#von ter
^
% Invalid input detected at '^' marker.
ZXR10#
6. The following example shows how to set the system clock by the online help function.
ZXR10#cl?
clear clock
ZXR10#clock ?
set Set the time and date
ZXR10#clock set ?
hh:mm:ss Current Time
ZXR10#clock set 13:32:00
% Incomplete command.
2-11

At the end of this example, the system prompts that the command is incomplete and
other keywords or parameters should be typed.
Note:
The command line is not case sensitive.
2.3.2 Command Abbreviation

The ZXR10 5900E series system allows a command or keyword to be abbreviated to
a character or character string that uniquely identifies the command or keyword. For
example, the show command can be abbreviated to sh or sho.
2.3.3 Recent Commands

The user interface can record up to 10 of the most recent commands. This function recalls
long or complicated commands.
Refer to Table 2-2 for the actions necessary to recall commands from the history buffer.
Table 2-2 Recalling Recent Commands
Action Function
Press Ctrl+P or the up arrow key. Recalls a command from the buffer forward
Press Ctrl+N or the down arrow key. Recalls a command from the buffer backward
In privileged mode, execute the show history command to list the most recent commands.
2-12

Chapter 3
System Management
Table of Contents
File System ................................................................................................................3-1
FTP/TFTP Overview...................................................................................................3-3
Backing Up and Restoring Data .................................................................................3-6
Upgrading the Software..............................................................................................3-7
Configuring the System Parameters .........................................................................3-10
Viewing System Information .....................................................................................3-13
Memory Detection ....................................................................................................3-15
Configuring System by One-Command ...................................................................3-19
Device Power-off Alarm............................................................................................3-20
Restart on Schedule.................................................................................................3-21
System Maintenance................................................................................................3-22
3.1 File System

3.1.1 Introduction
In the ZXR10 5900E system, the flash memory is the major device for storing software and
configuration files.
There are three default flash directories.

1. IMG: The IMG directory stores a software version file. The software version file name
for the ZXR10 5900E is zxr10.zar. Version upgrading refers to a process for changing
the software file under this directory.
Note:
By default, the software file name for the ZXR10 5900E series unit must be zxr10.zar.
2. CFG: The CFG directory stores the configuration file named startrun.dat. Information
is saved in memory when the system executes a command that modifies device
configuration. To prevent configuration data loss during device restarts, use the write
command to write information into the flash memory, and save information in the
startrun.dat file. To clear the original configuration in the device and configure new
3-1

data, use the delete command to delete the startrun.dat file, and then restart the
device.
3. DATA: The DATA directory stores the log.dat file which records alarm information.
3.1.2 File System Management

The ZXR10 5900E series unit provides commands for managing file operations. The
command format is similar to Disk Operating System (DOS) commands in the Microsoft
Windows operating system. The operation commands for common files are as follows:
1. To copy files between flash memory and the FTP/Trivial File Transfer Protocol (TFTP)
server, use the following command:
copy <source-device><source-file><destination-device><destination-file>
2. To view the current directory path, use the following command:
pwd
3. To view files and subdirectories of a specific device or under a specific directory, use
the following command:
dir [<directory>]
4. To delete a file under a specific directory of the current device, use the following
command while in that directory:
delete <filename>
5. To go to a specific directory, use the following command:
cd <directory>
6. To create a directory in the flash memory, use the following command:
mkdir<directory>
7. To delete a directory in the flash memory, use the following command:
rmdir<directory>
8. To modify the name of a directory in the flash memory, use the following command:
rename <source-filename><destination-filename>
9. To view the file Cyclic Redundancy Check (CRC) checksum, use the following
command:
checksum32 < File Path Name>
The following examples show how to use these commands.
1. This example shows how to view the current files in the flash memory.
ZXR10#dir
Directory of flash:/
attribute size date time name
1 drwx 512 MAY-17-2004 14:22:10 img
2 drwx 512 MAY-17-2004 14:38:22 cfg
3-2

Chapter 3 System Management
3 drwx 512 MAY-17-2004 14:38:22 data

16117760 bytes total (3485696 bytes free)
ZXR10#cd img /*Enter the directory img*/
ZXR10#dir /*Show the current directory information*/
Directory of flash:/img
1 drwx 512 MAY-17-2004 14:22:10 .
2 drwx 512 MAY-17-2004 14:22:10 ..
3 -rwx 15922273 MAY-17-2004 14:29:18 zxr10.zar
2. This example shows how to create a directory named ABC in the flash memory and
then delete it.
ZXR10#mkdir ABC /*Add a sub-directory of ABC in
current directory*/
ZXR10#dir /*view the information in current directory
and find the sub-directory of ABC*/
1 drwx 512 MAY-17-2004 14:22:10 IMG
2 drwx 512 MAY-17-2004 14:38:22 CFG
3 drwx 512 MAY-17-2004 14:38:22 DATA
4 drwx 512 MAY-17-2004 15:40:24 ABC
ZXR10#rmdir ABC /*remove the sub-directory of ABC*/
ZXR10#dir /*Show the current directory information and
find sub-directory of ABC which has been removed*/
1 drwx 512 MAY-17-2004 14:22:10 IMG
2 drwx 512 MAY-17-2004 14:38:22 CFG
3 drwx 512 MAY-17-2004 14:38:22 DATA
3. This example shows how to view the zxr10.zar CRC checksum.

ZXR10#checksum32 /img/zxr10.zar
The result is: 1254502308
3.2 FTP/TFTP Overview

A ZXR10 5900E series unit can serve as an FTP/TFTP client. ZXR10 5900E users can
back up and restore files and import or export configurations.
3-3

3.2.1 Configuring a ZXR10 5900E Series Unit as an FTP Client

To configure a ZXR10 5900E series unit as an FTP client, perform the following steps:
1. Run FTP server software on the connected PC. The ZXR10 5900E series unit serves
as the communications client.
2. Run wftpd software on the host PC. The WFTPD window displays. See Figure 3-1.
Figure 3-1 No log file open-WFTPD Window
3. Select Security > User/Rights. The User/Rights Security dialog box displays.
See Figure 3-2.
Figure 3-2 User/Rights Security Dialog Box
a. Click New User to create a user, such as target, and set a password for the new
user.
b. Select target from the User Name drop-down list.
c. Enter the directory name of the software or configuration file in the Home
Directory text box, for example, D:\IMG.
3-4

4. Click Done to finish the settings.

When the FTP server is enabled, to back up and recover files or import and export
configurations, execute the copy command.
3.2.2 Configuring a ZXR10 5900E Series Unit as a TFTP Client

To configure a ZXR10 5900E series unit as a TFTP client, perform the following steps:
1. Run TFTP server software on the host PC. The ZXR10 5900E series unit serves as
the communications client.
2. Run tftpd software on the host PC. The TFTP server window displays. See Figure
3-3.
Figure 3-3 TFTPD Window
3. Select Tftpd > Configure. The Tftpd Settings dialog box displays. See Figure 3-4.
3-5

Figure 3-4 Tftpd Settings Dialog Box
4. Click Browse after the Home Directory text box on the dialog box, and select a di-
rectory to store the software of configuration file, for example, D:\IMG.
5. Click OK to finish the settings.
When the system enables the TFTP sever, execute the copy command to back up or
recover files and import or export configurations.
3.3 Backing Up and Restoring Data

FTP/TFTP enables ZXR10 5900E software, configuration and log file backup to and
restoration from the background server.
3.3.1 Backing Up the Configuration File

After saving configuration information to startrun.dat through the write command,
optionally back up the file to the background FTP/TFTP server for data security and
restoration.
Run the copy command to back up the configuration file from flash to the TFTP server, as
follows:
ZXR10#copy flash: /cfg/startrun.dat tftp: //168.1.1.1/startrun.dat
3.3.2 Restoring the Configuration File

Run the copy command to restore the backup of the configuration file from the background
TFTP server, as follows:
ZXR10#copy tftp: //168.1.1.1/startrun.dat flash: /cfg/startrun.dat
3-6

3.3.3 Backing Up the Software File

Back up the current software file on the background server before a software upgrade so
that the original version can be restored if the upgrade procedure fails.
Run the following command to back up the software file from the flash to the root directory
of the TFTP server by the switch interface:
ZXR10#copy flash: /img/zxr10.zar tftp: //168.1.1.1/zxr10.zar
3.3.4 Restoring the Software File

Software restoration is a process used to transfer the backup software file from the
background server to the ZXR10 5900E series units flash memory through FTP/TFTP.
Software restoration is important if the upgrade fails.
The upgraded file takes effect upon the next system boot.
Note:
1. When using the copy command to transfer an FTP file between a background host and
ZXR10 5900E series unit, first configure the host IP address in the VLAN interfaces
network segment. Ensure that the interface that the host connects to belongs to the
VLAN and can ping the VLAN successfully.
2. When editing the startrun.dat file through a text editor, note that the format should
meet the command requirements. In addition, the start and end of the configuration
file should not be modified. If the format does not meet the command requirements,
or the start and end of the configuration file are modified, the configuration file cannot
be loaded successfully.
3.4 Upgrading the Software

Normally, the system only needs a software upgrade when the original version does not
support a particular function. If the software upgrade is performed improperly, an upgrading
failure or system startup failure occurs.
3.4.1 Abnormal Software Upgrade

To upgrade ZXR10 5900E series software in abnormal cases, perform the following steps:
1. For the serial port cable delivered along with the device, connect one RJ45 end to
the configuration port of the ZXR10 5900E (console port on the main control board),
and connect the other DB9 end to the serial port of the server. For the network cable
with RJ45 ports at both ends, connect one end to the network port of the server, and
connect the other end to an port on the first daughter card of the ZXR10 5900E and
record the number of the connected port.
3-7

2. Ensure that the management Ethernet port of the ZXR10 5900E series unit and the
host PC have the same IP network mask.
3. Start the background FTP server.
4. Reboot the ZXR10 5900E series unit, and then press any key in a HyperTerminal
session to enable the Boot state. The information displayed is as follows:
ZXR10 System Boot Version: 1.0
Creation date: Dec 31 2002, 14:01:52
(Omitted)
Press any key to stop for change parameters...
2
[Boot]:
Type c in the Boot state, and press ENTER to enable the parameter modification state.
Change the boot mode to booting from the background FTP. Change the FTP server
address to that of the background host. Change the client and the gateway addresses
to that of the management Ethernet port of ZXR10 5900E. Set the subnet mask, the
FTP username and the password. After the modification, the prompt Boot: displays.
[Boot]:c
'.' = clear field; '-' = go to previous field; '^' = quit
Boot Location [0:Net,1:Flash] : 0
/*0 means booting from the background FTP, 1 means botting from Flash*/
Port Number : 24
Client IP [0:bootp]: 168.4.168.168
/*Management Ethernet port address*/
Netmask: 255.255.0.0
Server IP [0:bootp]: 168.4.168.89
/*Background FTP server address*/
Gateway IP: 168.4.168.168
/*Management Ethernet port address*/
FTP User: target
/*FTP user name target*/
FTP Password:
/*Password of target*/
FTP Password Confirm:
Bootfile: zxr10.zar
Enable Password: /*Default*/
Enable Password Confirm: /*Default*/
[Boot]:
5. Type b and press ENTER. The system automatically boots from the background FTP
server.
[Boot]:b
Loading... get file zxr10.zar[15922273] successfully!
file size 15922273.
3-8

/*Omitted*/
**********************************************************
Welcome to ZXR10 5928E Switch of ZTE Corporation
**********************************************************
ZXR10>
6. If the system starts successfully, enter show version to check whether the new version
is running in the memory. If not, repeat steps 1 to 4.
7. Delete the old version file (zxr10.zar) from the IMG directory in flash by using the delete
command.
8. Copy the new software file from the background FTP server to the IMG directory in
flash. Name the new version file zxr10.zar.
a. Set a temporary VLAN interface connected to the host (for example, IP address
168.4.168.1).
b. Set the host IP address (for example, 168.4.168.89) in the network segment where
the VLAN interface IP address located. Ensure that the interface that the host
connects to belongs to the VLAN and can ping the it successfully.
c. Use the copy command in the privileged mode.
ZXR10#copy ftp: //168.4.168.89/zxr10.zar@target:target
flash: /img/zxr10.zar
Starting copying file
.................................................................
.................................................................
......................................
file copied successfully.
ZXR10#
9. Search for the new software file in flash. If it cannot be located, repeat step 7 to copy
the version file again.
10. Reboot the ZXR10 5900E series unit and follow step 3 to change the boot mode to
booting from flash. The Bootfile is modified to /img/zxr10.zar automatically.
Note:
The booting mode can be changed to booting form flash through the nvram imgfile-lo
cation local command in global configuration mode.
11. Type b at the prompt Boot: and press ENTER to boot the system using the new
software in flash.
12. When the system boots successfully, check the operating version to confirm a
successful upgrade.
3-9

3.4.2 Normal Software Upgrade

If the ZXR10 5900E series system is working properly before upgrading, there are many
ways to upgrade the software, such as copying the software to a ZXR10 5900E series unit
acting as an FTP/TFTP client, and upgrading through FTP. Refer to the following for this
procedure:
1. Connect the console port of the ZXR10 5900E series unit to the serial port of the
background host with a console cable. Connect the management Ethernet port
(10/100 M Ethernet port on the main control board) to the network port of the
background host with a straight-through network cable. Ensure that both connections
are correct.
2. Ensure that the management Ethernet port of the ZXR10 5900E series unit and the
background host have the same network mask so that the background host can ping
the management Ethernet port successfully.
3. Start the background FTP server.
4. Verify the operating version.
5. Use the Delete command to delete the old software file from the IMG directory in flash.
If there is enough space to the old version in flash with a new name.
6. Copy the new software file on the background FTP servers IMG directory in flash.
Name the new software file zxr10.zar.
7. Search for the new software file in the IMG directory in flash. If it cannot be located,
the copy failed. Repeat step 6 to copy the version again.
8. When the system is rebooted successfully, check the operating version to confirm the
success of the upgrading.
Note:
The remote upgrade is implemented on a switch by Telnet. Use the FTP function to copy
the version file from the host to the switch and then restart the switch remotely. After the
switch runs normally, check the version information by Telnet. Note: Exercise caution
when users perform the remote upgrade. Do not forget to save the current configuration
or back up the related files.
3.5 Configuring the System Parameters

3.5.1 Setting a Hostname
The default hostname of the system is ZXR10. Use the hostname <network-name>
command in global configuration mode to modify the hostname.
Log into the ZXR10 5900E series unit again after the hostname modification and the prompt
will include the new hostname.
3-10

3.5.2 Setting the Welcome Message

Execute the banner command to set the welcome message for system boot. The welcome
message begins and ends with a user-defined character. The following is an example.
ZXR10(config)# banner incoming C
Enter TEXT message. End with the character 'C'.
***********************************
Welcome to ZXR10 Switch World
**********************************
C
ZXR10(config)#
3.5.3 Setting a Privileged Mode Key

To prevent an unauthorized user from modifying the configuration, use the following
command:
Command Function
ZXR10(config)#ZXR10(config)#enable secret [level <level Sets a password.

number>]{ 0 < password>| 5 < password>|<password>}
3.5.4 Setting Telnet Username and Password

To set a Telnet username and password, use the following command:
Command Function
ZXR10(config)#username <username> password <password> Sets a Telnet username and

password.
3.5.5 Setting the System Clock

To set the system clock, use the following command:
Command Function
ZXR10#clock set <current-time><month><day><year> Sets the system clock.
3.5.6 Setting System Console User Connection Parameters

To set the system console user connection parameters, use the following commands.
Command Function
ZXR10(config)#line console idle-timeout <idle-timeout> Sets the idle time-out time.
3-11

Command Function
ZXR10(config)#line console absolute-timeout <absolute-timeout> Sets the absolute time-out time.
ZXR10(config)#user-authentication-type {local|radius<numb Sets the Telnet user authentication.

er>{chap|pap}|tacacs+} The available options are local,
radius, tacacs+radius. The
default value is local. For
radius, the authentication
group number (number) and
authentication mode (chap or
pap) are mandatory. The default
mode is chap.
3.5.7 Setting System Telnet User Connection Parameters

To set the system Telnet user connection parameters, use the following commands.
Command Function
ZXR10(config)#line telnet access-class <access-list-number> Configures an access class.
ZXR10(config)#line telnet idle-timeout <idle-timeout> Configures the idle time-out time.
ZXR10(config)#line telnet absolute-timeout <absolute-timeout> Configures the absolute time-out

time.
ZXR10(config)#user-authorization-type {radius|tacacs+} Sets the Telnet user

authorization type to local or
tacasc+authorization.
By default, the absolute time-out is 1440 minutes and the idle time-out is 120 minutes.
3.5.8 Allowing Multiple Users to Configure the System at the Same

Time
To allow multiple users to configure the system at the same time, use the following
command:
Command Function
ZXR10(config)#multi-user configure Allow multiple users to configure

the system at the same time.
3-12

Caution!
Use extreme caution when performing this function. If the configuration is not done
properly, the device configuration does not operate.
3.6 Viewing System Information

3.6.1 Viewing Hardware and Software Versions
To view the hardware and software versions, execute the show version command. The
following is an example.
ZXR10(config)#sho ver
ZXR10 Router Operating System Software, ZTE Corporation
ZXR10 ROS Version V4.08.24
ZXR10_5928E Software, Version ZXR10 5900&5200 V2.8.23.B2.06, RELEASE SOFTWARE
Copyright (c) 2010-2015 by ZTE Corporation
Compiled Jul 23 2010, 17:50:54
System image files are flash:<//flash/img/zxr10.zar>
System uptime is 1 days, 3 hours, 27 minutes
[MPU]
Main processor: ZXR10 MPC8270, 450M - PCI with 256M bytes of memory
8K bytes of non-volatile configuration memory
16M bytes of processor board System flash (Read/Write)
ROM: System Bootstrap, Version: V2.01 , RELEASE SOFTWARE
Hardware Version: V1.1, CPLD Version: V1.4
System serial: 4294967295
System temperature(Celsius):43
3.6.2 Viewing the Operating Configuration

To view the configuration that is operating, use the show running-config command.
3.6.3 System Abnormal Display and Record

To view the system abnormal display and record, use the following commands.
3-13

Command Function
show equipment-information Collects and displays all equipment

resource information. This
command is used in all modes
where the show commands can be
used.
show trace-information Collects and displays all equipment

abnormal information. This
command is used in all modes
where the show commands can be
used.
3.6.4 Collecting System Information by One Command

To collect system information by one command, use the following command.
Command Function
ZXR10#show tech-support [{[bfd],[bgp],[common],[isis],[mpls],[o Collects system information and

spf],[vpls],[vrrp]}] protocol-related information by
one command.
Instruction
1. If no option is configured for this command, all the collected system information will be
written to /flash/data/tech.dat.
2. If a protocol option (such as bgp) is configured in the command, the system collects
and writes general information and protocol-related information to /flash/data/te
ch.dat.
3. If only the common option is configured in the command, the system only collects and
writes the general information to /flash/data/tech.dat.
After completing a diagnosis command, the command line displays a system prompt before
implementing the command. Copy the /flash/data/tech.dat file in flash to the FTP
or TFTP server through the copy command and view the file by text software such as
notepad and wordpad.
Examples
1. This example shows how to collect all system information by one-command.
ZXR10#show tech-support
2. This example shows how to collect general system information, OSPF information and
IS-IS information by one-command.
ZXR10#show tech-support ospf isis
3. This example shows how to collect general system information only.
ZXR10#show tech-support common
3-14

3.6.5 Collecting System Fault and Diagnosis Information

To collect system fault and diagnosis information, use the following command.
Command Function
ZXR10#show diag info [all] Collects system fault and diagnosis

information by one-command.
Instruction
1. If the all option is not configured in this command, invoking the command only
executes part of the diagnosis commands. The diagnosis information that is in text
format is written to /flash/data/diaginfo.dat and read directly.
2. If the all option is configured in this command, invoking the command executes all
diagnosis commands. The file with diagnosis information is written into /flash/dat
a/diaginfo.dat in zar decompression format.
The prompt displays when one-command for diagnosis is completed, copy the /flash/
data/diaginfo.dat file in flash to the FTP/TFTP server through the copy command.
Then check the file according to whether the all option is used in this command.
3.7 Memory Detection

3.7.1 Function Overview
When memory usage is too high, an exception may occur to a function that needs
complex processing. For example, a task failure or a task exception may occur because
the required memory is not available. When the remaining memory is lower than a certain
threshold, the ZXR10 5900E series unit can send an alarm to network management to
record the memory-low event in the log, which ensures that maintenance personnel have
the opportunity to learn from the alarm and the conditions leading up to the alarm.
3.7.2 Command Description

3.7.2.1 Entering Environment Configuration Mode
To enter environment configuration mode, use the following command:
Command Function
ZXR10(config)#environ Enters environment configuration

mode.
Example
Configure the memory detection function after entering environment configuration mode.
This example shows how to enter environment configuration mode.
3-15

ZXR10(config)#environ
ZXR10(config-environ)#
3.7.2.2 Configuring memory-check threshold

To configure the memory-check threshold, use the following commands:
Command Function
ZXR10(config-environ)#memory-check-threshold {[ low-grade Configures the high limit and the

value1 ]|[ high-grade value2]} low limit of the remaining-memory
threshold detection alarm.
l Low-level value: 1-10 (Default
= 10)
l High-level value: 11-100
(Default = 25)
ZXR10(config-environ)#no memory-check-threshold Cancels the remaining memory

threshold detection alarm.
Example
This example shows how to configure the high limit and low limit of the remaining memory
threshold detection alarm to 30 and 8, respectively.
ZXR10(config-environ)#memory-check-threshold high-grade 30 low-grade 8
3.7.2.3 Configuring memory-check interval

To configure the memory-check interval, use the following commands:
Command Function
ZXR10(config-environ)#memory-check-interval < interval value1 Configures the time interval of

> the remaining memory threshold
detection. The range of the
interval value1 is 11800. The unit
is second. The default value is 1.
ZXR10(config-environ)#no memory-check-switch Cancels the time interval of the

remaining memory threshold
detection.
Example
This example shows how to configure the time interval of the remaining memory threshold
detection to 30 seconds.
ZXR10(config-environ)#memory-check-interval 30
3-16

3.7.2.4 Configuring memory-check switch

To configure the memory-check switch, use the following commands:
Command Function
ZXR10(config-environ)#memory-check-switch on Configures the switch of remaining

memory threshold detection to on.
ZXR10(config-environ)#memory-check-switch off Configures the switch of remaining

memory threshold detection to off.
ZXR10(config-environ)#no memory-check-switch Cancels the configuration of

remaining memory threshold
detection switch.
By default, the switch is on.
Example
This example shows how to configure the switch of remaining memory threshold detection
to on.
ZXR10(config-environ)#memory-check-switch on
3.7.3 Configuration Examples

3.7.3.1 Starting Without Configuration
The following information shows the state of the ZXR10 5900E series unit when it is started
without configuration.
ZXR10(config-environ)#memory-check-switch on
Note:
This example means that all the configurations use default values.
3-17

3.7.3.2 Configuring Detection Interval and Threshold

Assume that the current memory usage is 68.364%. The remaining memory is 31.636%.
PhyMem: Physical memory (megabyte)
Panel CPU(5s) CPU(1m) CPU(5m) PhyMem Buffer Memory
MP(M) 1 10% 10% 10% 256 0% 68.364%
After 30 seconds, the following alarm displays:

00:05:25 01/01/2001 UTC alarm 66 occurred %ENVIRONMENT% MP(M) panel
1 current memory rate is: 31.636% under the high threshold 40% sent by MCP
To clear the alarm, configure a new memory high threshold, as shown below:
ZXR10(config-environ)#memory-check-threshold high-grade 30
The alarm clears after 30 seconds.

00:05:55 01/01/2001 UTC alarm 66 cleared %ENVIRONMENT% MP(M) panel 1
current memory rate is: 31.636% exceeds the high threshold 30% sent by MCP
If the remaining memory exceeds the high threshold, the alarm clears and a message
prints.
When the remaining memory rate is less than the threshold (for example, 5%), ZXR10
5900E series unit raises an alarm. But when the remaining memory rate returns to a value
between the high threshold and low threshold, the alarm does not clear. The alarm clears
only when the remaining memory rate exceeds the high threshold.
In this example, the alarm appears after the ZXR10(config-environ)#memory-check-thres
hold high-grade 40 low-grade 5 command is configured. During the next detection, if the
system detects that the remaining memory rate is a value between the high threshold and
the low threshold, the alarm does not display again.
Configuring the detection time interval regulates the frequency of detection. The default is
once per second (s). The value can be configured from 1 s to 1800 s (30 minutes).
3.7.3.3 Configuring Check Switch

ZXR10(config-environ)#memory-check-switch off
The above configuration disables the detection switch of the remaining memory threshold,
but the configuration still can be seen through the show run command.
ZXR10(config-environ)#memory-check-switch off
The above configuration is valid and still exists, but cannot be configured when the
detection switch of the remaining memory threshold is off.
3-18

Use the no memory-check-switch and memory-check-switch on commands to enable this

function again.
To view the changes of the above steps, run the show run command.
3.8 Configuring System by One-Command

To configure system by one-command, use the following commands:
Command Function
ZXR10(config)#exec file <file name>[<hh:mm:ss><mm-dd-yyyy>] Configures the system to execute

the one-command configuration at
a certain time on a certain date.
ZXR10(config)#no exec file Cancels the systems regular

execution of the one-command
configuration.
ZXR10#show exec-cmd-file Views the one-command

configuration.
Instructions
1. If the time parameter is configured in this command, the device executes the
configuration at the specified time. It is unnecessary to add an absolute path or
a relative path to the file name. It is only necessary to list the file name. Before
configuration, copy the file to the /flash/cfg/ in flash.
2. The requirements of the information in the file are:
l The first line in the file must be the configure terminal command (the abbreviation
is con t) to enter configuration mode.
l Subsequent commands can be modified according to required mode. Then add
the configuration commands by one command one line.
l After completing the configuration, add the write command and press ENTER
after a command is typed. If the commands were copied and pasted from the
screen, invisible characters can be present and lead to execution failure.
l After completing file editing, upload it to the /flash/cfg/ directory in flash.
3. If the time parameter is not set in this command, the device executes the configuration
immediately.
4. The no exec file command cancels the regular configuration of the system. If the time
needs to be reset, this command must be implemented for the next configuration to
pass its check.
5. The show exec-cmd-file command can be executed in any mode except the user mode.
Use this command to view the systems current execution timing plans. If a plan exists,
the detailed execution time and configuration file displays. If no plan exists, no current
system execution timing plan displays.
6. One-command for configuration is used to open the file according to specific
parameters. The generated file name (without extension name) has the same name
3-19

as the opened file, but the extension name changes from .dat to .log. For example,
using the exec file zerodis.dat command to open the /flash/cfg/zerodis.dat
file, generates the /flash/data/zerodis.log file.
Examples
1. This command runs the zerodis.dat configuration file.
ZXR10(config)#exec file zerodis.dat
2. This command sets the system to execute the configuration file at 19:00:00 on
20091230.
ZXR10(config)#exec file zerodis.dat 19:00:00 dec 30 2009
3. This command cancels the existing timing configuration.
ZXR10(config)#no exec file
4. This command displays the information in a configuration file (that is, the information
in the zerodispo.dat file)
con t
int vlan 10
ip add 10.1.1.2 255.255.255.0
exit
int vlan 20
ip add 20.1.1.3 255.255.255.0
exi
exi
write
5. This command displays the schedule for regularly executed system commands.
ZXR10#show exec-cmd-file
3.9 Device Power-off Alarm

The device power-off alarm requires the alarm ports of two ZXR10 5900E series units to
be connected to each other. With this configuration, when power is removed from one of
the devices, the other device issues an alarm.
The ZXR10 5900E series system supports the device power off alarm function. To
implement the power-off alarm function, do the following:
Connect the Alarm Out port of SW1 on the first ZXR10 5900E series unit to SW2 of the
second ZXR10 5900E series unit using a straight-through network cable.
When power is not applied to the first unit, the second units Alarm indicator activates,
turning red and flashing. When power is applied to the first unit, the second units alarm
indicator de-activates.
3-20

3.10 Restart on Schedule

3.10.1 Periodical Restart Overview
After this function is enabled, the switch can be restarted periodically in accordance with
the time set by the administrator.
3.10.2 Configuring Scheduled Restart

To configure the scheduled restart function, use the following commands:
Command Function
ZXR10#reload [{ at <hh:mm:ss>[<1-31><month>[<2001-2098>]]| Restarts the system periodically.

in <0-35791>| cancel }]
ZXR10#show reload Displays the status of periodical

restart for the current system.
Parameter descriptions:
Command Description
at Configures the absolute time at which the device restarts.
< hh:mm:ss > Configures the specific time point. The format is
HH:MM:SS.
<1-31> Configures the specific date. The value varies with the
maximum number of days in each month.
< month> Configures the specific month.
< 2001-2098> Configures the specific year.
in Configures the interval of restarting the device. The value of

this parameter ranges from 0 to 35791. The unit is minute.
cancel Cancels the restart operation to be executed.
Instructions:
The periodical restart function is supported only by the terminals of the B2, 2823C, and
later versions. The Reload command followed by no parameter refers to immediate restart.
The Reload command followed by the parameters such as at refers to the restart at the
absolute time. The Reload command followed by the in parameter refers to the restart
at the relative time. The Reload command followed by the cancel parameter refers to
canceling the restart operation to be executed. The time for periodical restart ranges from
0 to 35791. The unit is minute.
3-21

3.10.3 Periodical Restart Configuration Example

1. Configure the device to be restarted at 15:07:15 on April 12, 2011.
ZXR10#reload at 15:07:15 12 apr 2011
Proceed with reload? [yes/no]:y
ZXR10#
2. Configure the device to be restarted after 35 minutes.
ZXR10#reload in 35
Proceed with reload? [yes/no]:y
ZXR10#
3. Cancel a periodical restart.
ZXR10#reload cancel
3.11 System Maintenance

3.11.1 System Maintenance Overview
The trace function can be used to check the path on which IP packets are transmitted from
the source device to the destination device, and locate a network fault quickly.
The trace function implements detection in accordance with the life time of IP packets.
3.11.2 Configuring System Maintenance Function

To configure the system maintenance function, use the following command:
Command Function
ZXR10#trace <destination-address>[{option [max-ttl<1-255>]|[m Displays the path for transmitting

in-ttl<1-255>]|[repeat<1-65535>]|[ source < source-address IPv4 packets from the source
>]|[timeout<1-60>]|[udpporttype<1-65535>]}|{{extcom [loose< device to the destination device.
source-address >]|[none]|[ record < 1-9 >]|[ strict < source-address
>]|[ timestamp < 1-9 >]}]
Command Description
<destination-address> Destination IP address of the traced packet
max-ttl<1-255> Maximum TTL, which is the maximum number of hops

allowed by a packet
The value of this parameter ranges from 1 to 255 and is
larger than the initial TTL. The default value is 30.
3-22

Command Description
min -ttl<1-255> Initial TTL, which is the number of hops allowed by the first
packet
The value of this parameter ranges from 1 to 255 and is
smaller than the maximum TTL. The default value is 1.
repeat<1-65535> Number of probe packets sent each time. The value of this
parameter ranges from 1 to 65535. The default value is 3.
source < source-address > Source IP address of the traced packet. The address must
be a valid IP address configured on the device.
timeout<1-60> Timeout time of the response to the probe packet. The

value of this parameter ranges from 1 to 60. The unit is
second.
udpporttype<1-65535> UDP port of the target device. The value of this parameter
ranges from 1 to 65535. The default value is 33434.
loose< source-address > IP header option, loose path

The switch probes packets in loose mode in accordance
with the specified path. When configuring the IP header
option, configure the IP address of a device on the N hop
of the specified path.
none No IP header option
strict < source-address > IP header option. The switch probes packets in strict mode
in accordance with the specified path. When configuring
the IP header option, configure the IP address of the device
on each hop of the specified path.
record < 1-9 > IP header option. The parameter records the IP address
of the device on each hop of the path.
timestamp < 1-9 > IP header option, time stamp of the probe packet during
packet trace. The value of this parameter ranges from 1
to 9.
Instructions:
1. The output information of the trace command includes the IP addresses of all the L3
devices on the path to the destination device and the extended information.
2. If a device times out, the switch prints "* * *".
3. During command execution, press Ctrl+C to end the operation.
3.11.3 System Maintenance Configuration Example

As shown in Figure 3-5, three switches S1, S2, and S3 are cascaded, and S1 detects the
path from S1 to S3.
3-23

Figure 3-5 Trace Function Configuration Example
1. Detect the path from S1 to S3 when the network is normal.

ZXR10#trace 1.1.1.10
tracing the route to 1.1.1.10
1 2.1.1.8 4 ms 3 ms 3 ms
2 1.1.1.10 3 ms 10 ms 9 ms
[finished]
2. Detect the path from S1 to S3 when the network is abnormal, for example, the link
between S2 and S3 is down.
ZXR10#trace 1.1.1.10
tracing the route to 1.1.1.10
1 2.1.1.8 4 ms 3 ms 3 ms
2 * * *
3 * * *
4 *
[finished]
3-24

Chapter 4
Interface Configuration
Table of Contents
Basic Port Configuration.............................................................................................4-1
Port Mirroring Configuration......................................................................................4-10
ERSPAN Configuration.............................................................................................4-14
Loopback Detection Configuration............................................................................4-16
DOM Configuration...................................................................................................4-18
4.1 Basic Port Configuration

Each ZXR10 5900E series unit provides Gigabit Ethernet (GE) and XGE ports.
l GE electrical ports support full- and half-duplex, 10/100/1000 Mbps adaptation,
and MDI/MDIX adaptation. A GE port works in auto-negotiation mode by default,
negotiating work mode and rate with the peer end.
l The GE optical (XGE) port works at 1000 Mbps full duplex. Duplex mode and rate
cannot be configured but can be set to auto-negotiation mode.
l The 10G optical port supports 10,000 Mbps full duplex. Auto-negotiation, duplex
mode, and rate cannot be configured on a 10G port.
The system applies the automatic addition mode, so that when an interface board is
installed and started, the system port list automatically includes the boards ports.
Note:
The daughter board is not hot swappable.
The ZXR10 5900E series unit names ports in the following formats:
<Port type>_<Slot No.>/<Port No.>
l <Port type> : gei (1000M Ethernet interface) and xgei (10G Ethernet interface).
l <Slot No.>
ZXR10 5928E/5928E-FI only has two slots.
ZXR10 5952E has six slots.
l <Port No.>
The port numbers on the interface board start at 1.
Example:
4-1

Gei_1/8: Port 8 on the GE interface board in slot 1.

Xgei_6/1: Port 1 on the 10G interface board in slot 6.
The ports are named differently because the number of boards and the number of ports
on each board are different.
1. ZXR10 5928E/5928E-FI
l The 24 ports, named gei_1/1 to gei_1/24, correspond to slot 1.
l The 4 uplink 10G/1000M Ethernet ports, named xgei_2/1 / gei_2/1xgei_2/4 /
gei_2/4, correspond to slot 2.
2. ZXR10 5952E
l The 16 gigabit optical ports on the main board, corresponding to
gei_1/1gei_1/16, belong to slot 1.
l The four line cards correspond to slot 2, slot 3, slot 4, and slot 5 at the lower
left, upper left, lower right, and upper right. The ports are named gei_2/1fei_2/8,
gei_3/1fei_3/8, gei_4/1fei_4/8, gei_5/1fei_5/8, respectively.
l The extension card corresponds to slot 6, the port names are xgei_6/1 /
gei_6/1xgei_6/4 / gei_6/4.
4.1.1 Enabling/Disabling an Ethernet Port

To enable/disable an Ethernet port, perform the following steps:
Command Function
ZXR10(config)#interface <port-name> Enters interface configuration

mode.
ZXR10(config-gei_1/x)#shutdown/no shutdown Enables or disables an Ethernet

port.
The shutdown command disables the physical link provided by the port. All ports are
enabled by default.
4.1.2 Configuring Auto-Negotiation on an Ethernet Port

To configure auto-negotiation on an Ethernet port, perform the following steps:
Command Function

mode.
ZXR10(config--gei_1/x)#negotiation auto/ no negotiation auto Enables/disables auto-negotiation

on an Ethernet port.
When the GE port operates at 1000 Mbps, enable the auto-negotiation function.
The 10Gbps Ethernet port operates in full-duplex mode and does not support the
auto-negotiation function.
4-2

Chapter 4 Interface Configuration
4.1.3 Configuring Automatic Negotiation Notification on an

Ethernet Port
To configure automatic negotiation notification on an Ethernet port, use the following
command:
Command Function
ZXR10(config-gei_1/x)#negotiation auto [ speed [10|100]] Configures automatic negotiation

notification on an Ethernet port to
10Mbps or 100Mbps.
When the port physical state operates in electrical interface mode (GE, Fast Ethernet [FE],
10Mpbs), half-duplex, and full-duplex can be set to whether it can be notified.
When the port physical state operates in optical interface mode, only half-duplex and
full-duplex can be set to whether the system can notify the unit. The notification of speed
cannot be set.
The four negotiation modes (negotiation auto speed 100, negotiation auto speed 10, negotiat
ion auto, and no negotiation auto) are mutual exclusive.
After configuring negotiation auto [ speed [10|100]], the speed and duplex mode of a port
cannot be configured but are sensitive to network conditions.
4.1.4 Configuring Duplex Mode on an Ethernet Port

To configure duplex mode on an Ethernet port, perform the following steps:
Command Function

mode.
ZXR10(config-gei_1/x)#duplex {half|full} Sets duplex mode on an Ethernet

port.
4.1.5 Configuring Speed on an EthernetPort

To configure the Ethernet port speed, perform the following steps:
Command Function

mode.
ZXR10(config-gei_1/x)#speed {10|100} Sets the Ethernet port speed.
Only the GE ports support duplex mode and rate configurations. It is necessary to disable
automatic negotiation on the port before configuration.
4-3

4.1.6 Configuring Flow Control on an Ethernet Port

To configure flow control on an Ethernet port, perform the following steps:
Command Function

mode.
ZXR10(config-gei_1/x)#flowcontrol {enable|disable} Sets flow control on an Ethernet

port.
Flow control limits the packets sent to an Ethernet port during a specific period. When the
receiving buffer is full, the port sends a pause packet to tell the remote port not to send
any packets during the period. The Ethernet port can also receive pause packets from
other devices and perform those operations as required.
4.1.7 Configuring Jumbo Frame Functionality on an Ethernet Port

To configure jumbo frame functionality on an Ethernet port, perform the following steps:
Command Function

mode.
ZXR10(config-gei_1/x)#jumbo-frame{enable|disable} Enables/disables the jumbo fame

function on an Ethernet port.
By default, the maximum frame allowed on an Ethernet port is 1560 bytes and jumbo frame
functionality is disabled. The maximum frame allowed on an Ethernet port is 16379 bytes
with jumbo frame functionality enabled. For cross-chips, up to 16344 bytes of frames are
allowed to pass an Ethernet interface.
4.1.8 Configuring a Port Alias on an Ethernet Port

To configure a port alias on an Ethernet port, perform the following steps:
Command Function

mode.
ZXR10(config-gei_1/x)#byname <by-name> Sets a port alias on an Ethernet

port.
A port alias uniquely identifies a port to simplify access to the port.
4-4

4.1.9 Configuring Broadcast Storm Suppression on an Ethernet

Port
To configure broadcast storm suppression on an Ethernet port, perform the following steps:
Command Function

mode.
ZXR10(config-gei_1/x)#broadcast-limit<value> Sets the number of broadcast

packets allowed by the ZXR10
5900E series units Ethernet port.
Broadcast traffic through an Ethernet port can be limited by dropping broadcast packets
when the traffic exceeds a configured limit. This effectively suppresses broadcast storm,
helps to avoid congestion, and ensures normal network service operation.
4.1.10 Configuring Multicast Packet Suppression on an Ethernet

Port
To configure multicast packet suppression on the ZXR10 5900E series units Ethernet port,
perform the following steps:
Command Function

mode.
ZXR10(config-gei_1/x)#multicast-limit <value> Sets the number of multicast

packets allowed by the units
Ethernet port.
4.1.11 Configuring Illegal Packet Suppression on an Ethernet Port

To configure illegal packet suppression on an Ethernet port, perform the following steps:
Command Function

mode.
ZXR10(config-gei_1/x)#unknowcast-limit < value> Sets the number of illegal packets

allowed per second on the ZXR10
5900E series unit Ethernet port.
4-5

4.1.12 Configuring the Link State Monitoring Mode of an Ethernet

Port
To configure the link state monitoring mode of an Ethernet port, use the following command:
Command Function
ZXR10(config)#port-mode{interrupt|poll} Sets the link state monitoring

mode of an Ethernet port.
The port-mode poll command configures a device to monitor port link states by scanning
all the ports at regular intervals. If the link state of a port changes, the system records
the change in the log. The port-mode interrupt command configures a device to monitor
port link states recording changes to each ports link-state as soon as the change takes
place. By default, ZXR10 5900E series units monitor port link states using the port-mode
poll method. The 5928E-FI unit does not support the link-state monitoring function.
4.1.13 Configuring a Gigabit Optical Port to Support a 1000Base-T

Small Form-factor Pluggable (SFP) Module
To configure a gigabit optical port to support a 1000Base-T SFP module, use the following
command:
Command Function
ZXR10(config-gei_1/x)#change-attribute Sets a 1000Base-T SFP inserted in a gigabit

copper optical port to work in 1000 Mbps, 100 Mbps or
10 Mbps auto-negotiation mode.
4.1.14 Viewing the Layer 2Interface Operation Status

To view the Layer 2interface operation status, use the following command:
Command Function
ZXR10#show interface brief Displays the interface operation

status.
Example
The following example shows how to view the interface operation status.
ZXR10#show interface brief
Interface portattribute mode BW(Mbits) Admin Phy Prot Description
gei_2/1 electric Duplex/full 1000 up up up none
4-6


gei_2/7 electric Duplex/full 1000 up down down none
gei_2/8 electric Duplex/full 1000 up down down none
Admin, Phy, and Prot indicate administration, physical, and protocol states of an interface,
respectively. Only when all three states are up is the interface working properly.
The shutdown command, when executed from interface configuration mode, sets the
Admin interface state to DOWN.
Table 4-1 lists some abnormal interface conditions and their solutions.
Table 4-1 Interface State Abnormal Conditions
Interface State Analysis and Solution
Admin: DOWN Indicates that the physical connection is

Phy: UP normal and the corresponding interface may be
Prot: DOWN shutdown. Execute the no shutdown command
in interface mode.
Admin: UP Indicates that there is a fault on the physical link.

Phy: DOWN Check the physical link.
Prot: DOWN
Admin: UP Check the interface configuration. The interface

Phy: UP parameters may be incorrect or are unconfigured.
Prot: DOWN If the problem persists, contact ZTE technical
support engineers.
4.1.15 Displaying Port Information

To display port information, use the following commands:
Command Function
ZXR10#show interface [<port-name>] Shows Ethernet port state

information.
ZXR10#show running-config interface <port-name> Shows Ethernet port configuration

information.
Examples:
1. This example shows how to view the state and statistics information on interface
gei_1/2.
ZXR10#show int gei_1/2
gei_1/2 is down, line protocol is down
Description is none
The port is electric
4-7

Duplex full
Mdi type:auto
MTU 1500 bytes BW 1000000 Kbits
Last clearing of "show interface" counters never
20 seconds input rate : 0 Bps, 0 pps
20 seconds output rate: 0 Bps, 0 pps
Interface peak rate :
input 0 Bps, output 0 Bps
Interface utilization: input 0%, output 0%
/* Forward packets input/output statistics, including error packet statistics */
Input:
Packets : 19 Bytes : 1501
Unicasts : 19 Multicasts: 0
Broadcasts : 0 Undersize : 0
Oversize : 0 CRC-ERROR : 0
Dropped : 0 Fragments : 0
Jabber : 0 MacRxErr : 0
Output:
Packets : 0 Bytes : 0
Unicasts : 0 Multicasts: 0
Broadcasts : 0 Collision : 0
LateCollision: 0
Total:
64B : 0 65-127B : 19
128-255B : 0 256-511B : 0
512-1023B : 0 1024-2047B: 0
2. This example shows how to view the configuration information on interface gei_1/2.
ZXR10(config)#show running-config interface gei_1/2
Building configuration...
!
interface gei_1/2
out_index 9
!
end
4.1.16 Viewing Queue Statistics

To view queue statistics information, perform the following steps:
Command Function
ZXR10#show interface queue <port-name> Shows queue packet-loss statistics

information on the named Ethernet
port.
4-8

Command Function
ZXR10#clear queue-counter <port-name> Clears queue packet-loss statistics

information on the named Ethernet
port.
Example:
This example shows how to view packet loss statistics information of each queue on
gei_1/5
ZXR10#show interface queue gei_1/5
----------------------------------------------------------------------
Ingress drop packets: 100 Ingress drop bytes: 15000

------------------------------- -------------------------------
Egress drop packets: 8000 Egress drop bytes: 1200000

cos 0: 1000 cos 0: 150000
cos 1: 1000 cos 1: 150000
cos 2: 1000 cos 2: 150000
cos 3: 1000 cos 3: 150000
cos 4: 1000 cos 4: 150000
cos 5: 1000 cos 5: 150000
cos 6: 1000 cos 6: 150000
cos 7: 1000 cos 7: 150000
----------------------------------------------------------------------
4.1.17 Analyzing and Diagnosing Cable Connections

The ZXR10 5900E system supports cable connection analysis and diagnosis to assist in
network management and troubleshooting.
A GE electrical port connects to another device through a twisted pair network cable. The
port uses pairs 1-2 and 3-6 when operating at 100Mbps. The port uses all four pairs (1-2,
3-6, 4-5 and 7-8) when operating at 1Gbps. Line detection can test the state of each
twisted pair with the following possible cable states:
1. Open: open line

2. Short: short circuit
3. Good: normal line
4. Broken: open/broken line
5. Unknown: unknown line or no result
6. Crosstalk: line coupling
7. Fail: detection failure
4-9

In case of a line fault, the system locates the failure. To analyze and diagnose a fault, run
the show vct interface command in any configuration mode other than user configuration
mode.
Caution!
In a connection check, the tested port restarts, disconnecting and reconnecting its links.
Example: Detect the cable of port gei_1/2.

ZXR10(config)#show vct int gei_1/2
CableStatus Good
Pair 1-2 3-6 4-5 7-8
Status Good Good Good Good
Length <50m <50m <50m <50m
4.1.18 Monitoring Interface Traffic

The interface traffic alarm provides the following functions:
l Set the uplink and downlink alarm thresholds of the interface traffic by the command
line.
l Generate an alarm when the usage of interface traffic (compared with the Interface
utilization keyword in the show interface command) exceeds the threshold. The alarm
can be restored.
l Send a trap to the NMS or write the threshold-crossing event in a log.
Command Function
ZXR10(config-if)#traffic-threshold {input | output}<1-100> Configures the alarm threshold

of the traffic usage on the input
interface. The default value is
100%.
4.2 Port Mirroring Configuration

4.2.1 Port Mirroring Overview
Port mirroring is a process for copying data from one or more ports (mirrored ports) on
a ZXR10 5900E series unit to a specified destination port (monitoring port). It provides
an effective tool for maintaining and monitoring the device and supports cross-device port
mirroring (RSPAN).
The port mirroring function of ZXR10 5900E series unit meets the following specifications:
4-10

l Supports up to four groups of mirrored ports, each group containing up to fifty-two

ports. The monitoring ports for each group must be different while the mirrored ports
in each group can be the same.
l Supports cross-board port mirroring, that is, the mirrored port and monitoring port can
be on different interface boards.
l Supports the monitoring of data sent or received on a mirrored port.
l Supports cross-device port mirroring, that is, the mirrored ports and the monitoring
ports can be on different devices.
l Supports cross-tunnel port mirroring, that is, data traffic from the source port can be
encapsulated and forwarded to the destination monitoring terminal through a General
Routing Encapsulation (GRE) tunnel.
4.2.2 Configuring Port Mirroring

To configure port mirroring, perform the following steps:
Ste- Command Function

p
1 ZXR10(config-gei_1/x)#monitor session Sets the monitoring port of a mirrored

<session-number> source [direction {both|tx|rx}] port and the direction of the traffic to be
monitored.
l The range of the <session-number>
parameter is 14.
2 ZXR10(config-gei_1/x)#monitor session Sets a monitoring port.

<session-number> desination l The range of the <session-number>
parameter is 14.
3 ZXR10(config-gei_1/x)#monitor session Sets a Remote Switched Port Analyzer

<session-number> desination [rspan-vlanid (RSPAN) monitoring port.
<vlanid>][priority < priorityid >] l The range of the <session-number>
parameter is 14.
l The range of the <vlanid> parameter
is 14094.
l The range of the <priorityid>
parameter is 07.
4 ZXR10(config-gei_1/x)#ZXR10(config)# show Displays the configuration and status of

monitor session {all|<session-number>} port mirroring.
l The range of the <session-number>
parameter is 14.
5 ZXR10(config-tunnelx)#monitor session < Sets Encapsulated RSPAN (ERSPAN)

session-number> desination erspan [ ttl < 1-255>][ monitoring port.
flags{ disable| enable}][ tpid 0x8100][ DSCP < l The range of the <session-number>
0-63>] parameter is 14.
4-11

4.2.3 Port Mirroring Configuration Examples

Example 1
The following example shows a port mirroring configuration.
Port gei_1/3 connects analyzer1. Port gei_1/4 connects analyzer2. Analyzer1 monitors
the traffic on gei_1/1 and gei_1/2. Analyzer2 monitors the traffic on gei_1/1. Figure 4-1
shows the network topology.
Figure 4-1 Port Mirroring Example
The switch configuration is as follows:

ZXR10(config)#interface gei_1/1
ZXR10(config-gei_1/1)#monitor session 1 source direction rx
ZXR10(config-gei_1/1)#exit
ZXR10(config-gei_1/2)#monitor session 1 source
ZXR10(config-gei_1/3)#monitor session 1 destination
ZXR10(config-gei_1/4)#monitor session 2 destination
The following information shows the port mirroring configuration.

ZXR10(config)#show monitor session all
Session 1
------------
Source Ports:
Port: gei_1/1 Monitor Direction: rx
Port: gei_1/2 Monitor Direction: both
Destination Port:
Port: gei_1/3
4-12

Session 2
------------
Source Ports:
Destination Port:
Port: gei_1/4
ZXR10(config)#
Example 2
The following example shows an RSPAN mirroring configuration.
Monitor data received on gei_1/1, and monitor data received and sent on gei_1/2. Port
gei_1/3 is the mirroring egress port connected to other devices. The VLAN of RSPAN is
VLAN 10 and the priority is 1. Figure 4-2 shows the network topology.
Figure 4-2 Port RSPAN Mirroring Example

ZXR10(config-gei_1/2)#monitor session 1 source
ZXR10(config-gei_1/3)#monitor session 1 destination rspan-vlanid 10 priority 1
The following information shows the port mirroring configuration.

ZXR10(config)#show monitor session 1
Session 1
------------
Source Ports:
4-13

Port: gei_1/2 Monitor Direction: both
Destination Port:
Port: gei_1/3
RSPAN :
VLAN ID: 10 Rspan priority: 1
ZXR10(config)#
4.3 ERSPAN Configuration

4.3.1 ERSPAN Overview
An Encapsulated Remote Port Analyzer (ERSPAN) supports the cross-network, remote
port mirroring function. It duplicates data from one or more ports (monitored port) of a
device to a specific device on the network. The data on the mirrored port can be obtained
on the monitoring port through mirroring for network traffic analysis and fault diagnosis.
The ERSPAN function of the ZXR10 5900E system meets the following criteria:
l Supports up to one ERSPAN group, which supports up to fifty-two mirrored ports.
l Port mirroring can cross interface boards, that is, the mirrored ports and the monitoring
ports can be on different interface boards.
l Port mirroring can monitor only packets sent only packets received through the
mirrored ports.
l Supports cross-device port mirroring, that is, the mirrored ports and the monitoring
ports can be on different devices.
4.3.2 Configuring ERSPAN

To configure ERSPAN, perform the following steps:

p
1 ZXR10(config-gei_1/x)#monitor session < session-number> Configures mirrored ports, data

source [ direction { both| tx| rx}] flow direction, and monitoring
ports in interface mode.
4-14


p
2 ZXR10(config-tunnelX)#tunnel mode gre ip Configures ERSPAN in tunnel

mode.
ZXR10(config-tunnelX)#tunnel dest ip < A.B.C.D>
l Time To Live (TTL): the ttl
ZXR10(config-tunnelX)#tunnel source ip < A.B.C.D>
field in the encapsulated
ZXR10(config-tunnelX)#monitor session < session-number> GRE header.
destination erspan [ ttl< 0-255>| flags{ disable| enable}| tpid < l flags: whether to delete
0x8100>| dscp < 0-63>] the tag of load.
l Tag Protocol Identifier
(TPID): only can be
configured as 0x8100.
l Differentiated Services
Code Point (DSCP):
the dscp field in the
encapsulated GRE header.
3 ZXR10(config)#show monitor session { all |< session-number>} Displays the configuration and
state of ERSPAN.
4 ZXR10(config-tunnelX)#no session { all |< session-number>} Deletes the configuration and

state of ERSPAN in tunnel
mode.
4.3.3 ERSPAN Configuration Example

See Figure 4-3, the port Gigabit Ethernet Interface (gei)_1/1 of switch1 is connected to
a computer to monitor the received data on gei_1/1 by the analyzer with an IP address
192.168.2.1.
Figure 4-3 ERSPAN Configuration Example
The configuration of switch1 is as follows:

ZXR10(config)#interface tunnel1
4-15

ZXR10(config-tunnel1)#tunnel mode gre ip

ZXR10(config-tunnel1)#tunnel destination ip 192.168.2.1
ZXR10(config-tunnel1)#tunnel source ip 192.168.1.1
ZXR10(config-tunnel1)#monitor session 1 destination erspan
ZXR10(config-tunnel1)#exit
ZXR10(config)#ip route 192.168.2.0 255.255.255.0 192.168.1.2
The following information shows port mirroring configuration.

ZXR10(config)#show monitor session 1
Session 1
------------
Source Ports:
Destination Port:
Port: tunnel1
ERSPAN:
IP TTL: 128 Tpid: 0x8100 Flags: 0 DSCP: 0
Source IP: 192.168.1.1, Destination IP: 192.168.2.1
ZXR10(config)#
4.4 Loopback Detection Configuration

4.4.1 Introduction to Interface Loopback Detection
ZXR10 5900E series unit supports single-interface loopback detection. This function
detects users connected to ZXR10 5900E and within the ZXR10 5900E itself. It can limit
the influence on some interfaces by avoiding broadcast storms.
Users can configure ZXR10 5900E series units to detect the loopback of some interfaces or
all interfaces. By default, however, the ZXR10 5900E series system disables the detection
function. This function also supports VLAN-based loopback detection. A single interface
supports loop detection in up to 8 VLANs at the same time.
4.4.2 Configuring Interface Loopback Detection

To configure interface loopback detection, perform the following steps:

p
1 ZXR10(config)#loop-detect interface <port-name>[enable Enables or disables loopback

| disable] detection for one or multiple
interfaces.
4-16


p
2 ZXR10(config)#loop-detect interface <port-name> vlan Enables or disables loopback

<vlan-id>[enable | disable] detection in a VLAN on an
interface.
3 ZXR10(config)#loop-detect protect-interface Configures a loopback detection

<port-name><enable | disable> protection interface.
When a switch detects a
loopback on one interface,
the switch deals with
the loopback according
to the protect attribute.
When protect-interface is
enabled, the switch sends
a loopback alarm but does
not activate an operation.
When protect-interface is
disabled, the switch shuts
down the interface. After the
loopback detection is enabled,
protect-interface is disabled
by default.
4 ZXR10(config)#loop-detect reopen-time <interval> Configures the time when the

interface is to be reopened after
being shut down as a result of
loopback detection.
5 ZXR10(config)#show loop-detect interface Displays the interfaces on which

the loopback detection function
is enabled.
6 ZXR10(config)#show loop-detect interface-detail Displays details of interfaces on

<port-name> which the loopback detection
function is enabled.
7 ZXR10(config)#show loop-detect protect-interface Displays the protection

interfaces on which the
loopback detection protection
function is enabled.
8 ZXR10(config)#show loop-detect reopen-time Displays the reopen-time of a

port that has been shut down as
a result of loopback detection.
4-17

4.5 DOM Configuration

4.5.1 DOM Function Overview
Digital Optical Monitoring (DOM) is a part of optical module specification. The optical
module with the DOM function can read temperature, voltage, current, and the sending
and receiving power of an optical module. Each optical module also sets some threshold
values (including alarm threshold and warning threshold) before delivery. With the DOM
function enabled, the ZXR10 5900E series unit can read the running state of the optical
module through an Inter-Integrated Circuit (I2C) bus. When the current value exceeds the
threshold value, the unit sends an alarm through thes system log (syslog) or an SNMP
trap.
4.5.2 Configuring DOM

4.5.2.1 Enabling DOM Function on a Port
To enable the DOM function on a port, use the following command:
Command Function
ZXR10(config-gei_1/x)#optical-inform monitor {enable | The polling detection function

disable} of SFP DOM can be enabled or
disabled by command lines in
interface mode. By default, this
function is disabled. When this
function is enabled, information
related to polling diagnosis of the
optical module on the interface
can display. When this function
is disabled, related information
cannot display. Only physical
ports, including:
l 100M ports
l gigabit ports
l 10G ports)
support this function.
4.5.2.2 Displaying Current Optical Module Information

To view current optical module information, use the following command:
4-18

Command Function
ZXR10#show optical-info brief Displays the current information

about the interface's optical
module, including temperature,
voltage, current and power (both
transmitting and receiving). The
ZXR10 5900E series unit can
display up-to-the-second optical
module information for an interface
or a board. Only physical ports
Example
The following example shows how to display an interface's optical module information.
ZXR10#show optical-inform brief
If device is externally calibrated, only calibrated values are printed.
-Inf: not applicable, Tx: transmit, Rx: receive.
Optical Optical
Interface Temperature Voltage Voltage Current Tx Power Rx Power
Name (Celsius) (3.3Volts) (5 Volts) (mA) (mW) (mW)
gei_1/21 12.00 2.00 5.00 60.00 0.00 1.00
gei_1/22 12.00 2.00 5.00 60.00 0.00 1.00
gei_1/23 12.00 2.00 5.00 60.00 0.00 1.00
gei_1/24 12.00 2.00 5.00 60.00 0.00 1.00
4.5.2.3 Displaying Module Threshold Information

To display module threshold information, use the following command:
Command Function
ZXR10#show optical-inform detail [ temperature | voltage1 Displays detailed threshold

| voltage2 | current | rx-power | tx-power ][ iintterrffaace < information of the interfaces
interface-name>] optical module, including
temperature, voltage, current
and power (both transmitting and
receiving). The system can display
threshold information for interfaces
or for boards. Only physical ports
Parameter Description
interface <interface-name> Optical module interface name
4-19

temperature Optical module temperature
voltage1 3.3 V voltage of the optical module
voltage2 5 V voltage of the optical module
current Optical module current
rx-power Optical module receiving power
tx-power Optical module transmitting power
The threshold is related to the optical module hardware. If optical modules and/or
manufacturers are different, the system displays different information.
Example
The following example shows how to display interface optical module threshold information
and the type of information displayed.
Optical Optical
Name (Celsius) (3.3 Volts) (5 Volts) (mA) (mW) (mW)
------------------------------------------------------------
gei_1/21 12.00 2.00 5.00 60.00 0.00 1.00
gei_1/22 12.00 2.00 5.00 60.00 0.00 1.00
gei_1/23 12.00 2.00 5.00 60.00 0.00 1.00
gei_1/24 12.00 2.00 5.00 60.00 0.00 1.00
4.5.2.4 Displaying Optical Module Threshold Alarm Information

To display optical module threshold alarm information, use the following command:
Command Function
ZXR10#show optical-inform threshold-alarm [interface Displays threshold alarm

<interface-name>] information of an optical module,
including temperature, voltage,
current, transmitting power and
receiving power. The threshold
alarm information can be viewed
on an interface or a board.
Only physical ports support this
function.
4-20

The threshold is related to the optical module hardware. If optical modules and/or
manufacturers are different, the system displays different information.
Example
The following example shows how to display optical module threshold alarm information
and the type of information displayed.
ZXR10#Show optical-inform threshold-alarm
Description:
tem : temperature vol : voltage cur: current
tx : transmit power rx : receive power
h-w : high-warning(+) h-a : high-alarm(++)
l-w : low-warning(-) l-a : low-alarm(--)
Interface Time in slot Threshold Violation Type(s) of Last Known
Name (DDDD:HH:MM:SS) (DDDD:HH:MM:SS) Threshold Violation
-------------------------------------------------------------
gei_2/1/22 14:57:27 04/29/2008 14:57:07 04/29/2008
tem h-w -52.00C>=-52.00C
14:57:07 04/29/2008 vol h-w 5.00V>=5.00V
14:57:07 04/29/2008 cur l-w 60.00mA<=80.00mA
14:57:07 04/29/2008 rx l-a -440.00dBm<=-333.01dBm
14:57:07 04/29/2008 rx l-a -440.00dBm<=-333.01dBm
gei_2/1/23 14:57:27 04/29/2008 14:57:07 04/29/2008
tem h-w -52.00C>=-52.00C
14:57:07 04/29/2008 vol h-w 5.00V>=5.00V
14:57:07 04/29/2008 cur l-w 60.00mA<=80.00mA
14:57:07 04/29/2008 rx l-a -440.00dBm<=-333.01dBm
14:57:07 04/29/2008 rx l-a -440.00dBm<=-333.01dBm
4.5.2.5 Displaying Module Thresholds

Command Function
ZXR10#show optical-inform detail [ temperature | voltage1| Displays the optical module

voltage2 | current | rx-power | tx-power ][ interface < information of an interface,
interface-name>] including temperature, voltage,
current, transmit power, and
receive power.
The threshold details can be
displayed for a single interface or
board.
function.
4-21

interface <interface-name> Interface name
temperature Temperature of the optical module
voltage1 3.3 V voltage of the optical module
Voltage2 5 V voltage of the optical module
current Current of the optical module
rx-power Receive power of the optical module
tx-power Transmit power of the optical module
Example
This example shows how to display the optical module information of an interface.
Optical Optical
Name (Celsius) (3.3 Volts) (5 Volts) (mA) (mW) (mW)
------------------------------------------------------------
gei_1/21 12.00 2.00 5.00 60.00 0.00 1.00
gei_1/22 12.00 2.00 5.00 60.00 0.00 1.00
gei_1/23 12.00 2.00 5.00 60.00 0.00 1.00
gei_1/24 12.00 2.00 5.00 60.00 0.00 1.00
The optical module information varies with different functions supported by the module
hardware. For example, the optical module information is different if the module types or
vendors are different.
4.5.2.6 Displaying Information of the Current Optical Module

Command Function
ZXR10#show optical-inform [interface <interface-name>] Displays the optical module

information of an interface,
including online status, optical
module type, vendor, serial
number, single mode or
multi-mode, and transmission
distance.
The information can be displayed
for a single interface or board.
function.
4-22

Example
This example shows how to display the optical module information of an interface.
ZXR10(config)#show optical-inform
Portname Online EtherProperty Vendor VendorPN VendorSn Type Length
--------------------------------------------------------------------------------------
gei_4/1 SFP FINISAR CORP. FTLX8571D3BCL AKE0PKT
gei_4/3 SFP FIBERXON INC. FTM-C012R-LMG NL201094633432
gei_4/4 SFP 1000BASE-LX NEOPHOTONICS PT7620-61-2W A1107014252 single 150 hm
gei_4/5 SFP WTD RTXM139-400 BE0742010327
ZXR10(config)#
ZXR10(config-gei_4/5)#show optical-inform interface gei_4/4
Portname Online EtherProperty Vendor VendorPN VendorSn Type Length
--------------------------------------------------------------------------------------
gei_4/4 SFP 1000BASE-LX NEOPHOTONICS PT7620-61-2W A1107014252 single 150 hm
The optical module information varies with different functions supported by the module
hardware. For example, the optical module information is different if the module types or
vendors are different. In addition, users need to enable the DOM function before using
this command on the interface.
4-23

4-24

Chapter 5
Network Protocol
Configuration
Table of Contents
IP Address Configuration............................................................................................5-1
Address Resolution Protocol (ARP) Configuration ......................................................5-2
MFF Configuration......................................................................................................5-4
5.1 IP Address Configuration

5.1.1 IP Address Overview
A network layer address in the IP stack refers to an IP address. An IP address consists of
two parts:
l Network bits: Identifying the network which this IP address belongs to.
l Host bits: Identifying a certain host on the network.
5.1.2 Configuring an IP Address

To configure an IP address on a ZXR10 5900E series system, perform the following steps:
Command Function
ZXR10(config)#interface <interface-name> Enters interface configuration

mode.
ZXR10(config-if-vlanX)#ip address <ip-address><net-mask>[<b Sets an IP address.

roadcast-address>][secondary]
One interface allows multiple IP addresses.
5.1.3 IP Address Configuration Example

The following example shows how to create a Layer 3 interface named vlan 1 on ZXR10
5900E series equipment and set the IP address of this interface to 192.168.3.1 and the
mask to 255.255.255.0.
ZXR10(config)#interface vlan 1
ZXR10(config-if-vlan1)#ip address 192.168.3.1 255.255.255.0
5-1

The following example shows how to display the IP address of the interface with the show
ip interface command.
ZXR10(config-if-vlan1)#show ip interface
vlan1 AdminStatus is up, PhyStatus is up, line protocol is up

Internet address is 10.1.1.1/24
Broadcast address is 255.255.255.255
IP MTU is 1500 bytes
ICMP unreachables are always sent
ICMP redirects are never sent
ARP Timeout: 00:10:00
5.2 Address Resolution Protocol (ARP) Configuration

5.2.1 ARP Overview
When a network device sends data to another network device, the first device must know
the IP address and the Medium Access Control (MAC) address of the destination device.
Address Resolution Protocol (ARP) maps an IP address to a MAC address to ensure
smooth communication.
5.2.2 Configuring ARP

To configure ARP, perform the following steps:

p
1 ZXR10(config)#arp protect {interface | mac | whole} Configures ARP protection.

limit-num <number>
2 ZXR10(config)#arp to-static Converts dynamic ARP entities

to static ARP entities.
3 ZXR10(config)#interface vlan <vlan-id> Enters Layer 3 VLAN interface.
4 ZXR10(config-if-vlanX)#arp timeout <timeout> Configures the aging time ofthe

ARP entities in the ARP cache.
5 ZXR10(config-if-vlanX)#set arp {static|permanent}<ip-a Adds an ARP entity.

ddress><hardware-address>
6 ZXR10(config-if-vlanX)#arp gratuitous-learn or Configures the ARP gratuitous

ZXR10(config-supervlanX)#arp gratuitous-learn learning function on a VLAN
interface or SuperVLAN
interface. By default, the
function is disabled.
5-2

Chapter 5 Network Protocol Configuration

p
7 ZXR10(config-if-vlanX)#arp gratuitous-send-timeout Configures the the interval

<interval> or ZXR10(config-supervlanX)#arp of sending gratuitous ARP
gratuitous-send-timeout <interval> packets on a VLAN interface
or SuperVLAN interface, in the
range of 0 to 3600. The unit is
second. The default value is 0,
which indicates that the system
does not send gratuitous ARP
packets periodically.
To delete ARP entries, use the following command:
Command Function
ZXR10#clear arp-cache interface{supervlan<id>|vlan<id>}[<ipad Deletes all ARP entities in the ARP

dress>|dynamic|permanent|static] cache on the specified interface.
5.2.3 ARP Configuration Example

The following is an example of an ARP configuration:
ZXR10(config-if-vlan1)#arp timeout 1200
To view the ARP entities on a specified interface, use the show arp [ interface { vlan | supe
rvlan }<id>] command.
The following example shows how to view the ARP table of the Layer 3 interface VLAN 1:
ZXR10#show arp
Address Age(min) Hardware Addr Interface
10.1.1.1 - 000a.010c.e2c6 vlan1
10.1.100.100 18 00b0.d08f.820a vlan1
10.10.10.2 S 0000.1111.2222 vlan1
10.10.10.3 P 0000.1111.2221 vlan1
ZXR10#
The - under the Age(min) column indicates that this is an ARP entity of the VLAN interface.
VLAN interface address configuration generates the ARP entity. S indicates that it is a
static ARP entity. P indicates that it is a permanent ARP entity added manually.
5-3

5.3 MFF Configuration

5.3.1 MFF Function Overview
The MFF is a sub-module of the ARP module. The MFF uses the ARP reply function to
implement layer-2 isolation and layer-3 interaction in one broadcast domain. The ARP
reply function has two responsibilities: replying users as a gateway and replying the
gateway as a user. In this way, the switch must learn the accurate IP addresses and MAC
addresses of all users and gateways.
Currently, the switch supports two MFF modes: automatic mode and manual mode.
l In automatic mode, the switch learns the IP addresses, MAC addresses, and related
gateway IP addresses of users by intercepting DHCP snooping ACK packets.
l In manual mode, the switch learns the IP addresses, MAC addresses, and related
gateway IP addresses of users by manual configuration, or learns the IP addresses
and MAC addresses of users by ARP packets.
5.3.2 Configuring MFF

To configure the MFF, perform the following steps:

p
1 ZXR10(config)#mff {enable | disable} Enables the MFF function

globally.
2 ZXR10(config)#mff mode {auto | manus} Configures the global mode of

the MFF function.
3 ZXR10(config)#mff gateway detect {enable | disable} Configures the global MFF

gateway detection function.
4 ZXR10(config)#mff gateway-mac <mac-address> Configures the MAC address of

the global MFF gateway.
5 ZXR10(config)#mff user <ip-address><mac-address> vlan Configures the static MFF user

<vlan-id> gateway <ip-address> information.
6 ZXR10(config-if-vlanX)#mff disable[{auto | manu}] Enables the MFF function

based on VLAN.
When the mff enable command
is not followed by any
parameter, the default mode is
auto.
7 ZXR10(config-if-vlanX)#mff enable [{auto | manu}] Disables the MFF function

based on VLAN.
5-4


p
8 ZXR10(config-if-vlanX)#set mff gateway {ip <ip-address>| Configures the gateway IP/MAC

mac <mac-address>} address of the VLAN interface.
When the VLAN interface is
configured to be in manual
mode, the set mff gateway ip
<ip-address> command is used
to specify the IP address of
the user gateway. When the
VLAN interface is configured
to be in auto mode, the set mff
gateway-mac <mac-address>
command is used to specify
the MAC address of the user
gateway.
9 ZXR10(config-gei_X/1)#set mff { userport | network}[ vlan Configures the MFF interface

<vlan-list>] type and enables the VLAN
function.
If the vlan <vlan-list>
parameter is not used, it
indicates that user ports or
network ports are enabled in
their respective VLANs. If the
vlan <vlan-list> parameter is
used, it indicates that the ports
are enabled in the specified
VLAN.
5.3.3 MFF Configuration Example

In the network as shown in Figure 5-1, the MFF function device at P1 can use a 59E/39E
rack and the MFF gateway can use an ordinary switch with the DHCP server function.
All the configuration examples are executed in this network topology. P1 is configured with
the MFF function and P2 is configured with the MFF gateway and DHCP server functions.
5-5

Figure 5-1 MFF Network Topology
1. P2: MFF gateway 2. P1: MFF function device
Configuring VLAN Interface Manually

As shown in Figure 5-1, the rack starts normally and P1 is an MFF function device. All the
three Ethernet interfaces are configured to belong to VLAN 100.
gei_1/1 sw access vlan 100
gei_1/20 sw trunk vlan 100
In this example, the IP address of the MFF gateway is 168.1.70.1, the IP address of PC1
is 168.1.70.80, and the IP address of PC2 is 168.1.70.70.
The configuration of P1:
ZXR10#config ter
ZXR10(config)# mff enable
ZXR10(config)# mff gateway detect enable
ZXR10(config)# interface vlan 100
ZXR10(config-if-vlan100)# mff enable manu
ZXR10(config-if-vlan100)# set mff gateway ip 168.1.70.1
ZXR10(config-if) # exit
ZXR10(config)# interface gei_1/1
ZXR10(config-gei_1/1)# set mff user-port vlan 100
ZXR10(config-gei_1/20)# set mff network-port
ZXR10(config-if) # end
5-6

ZXR10(config)# interface vlan 100

ZXR10(config-if-vlan100)# ip address 168.1.70.1 255.255.255.255
ZXR10(config-if-vlan100)#end
Configuring VLAN Interface Automatically

As shown in Figure 5-1, the rack starts normally and P1 is an MFF function device. All the
three Ethernet interfaces are configured to belong to VLAN 100.
gei_1/20 sw trunk vlan 100

ZXR10(config)#ip dhcp enable
ZXR10(config)#vlan 100
ZXR10(config-vlan100)#ip dhcp snooping
ZXR10(config-if-vlan100)#mff enable auto
ZXR10(config-if-vlan100)#exit
ZXR10(config)#mff gateway detect enable
ZXR10(config- gei_1/10)#exit
ZXR10(config-gei_1/20)#set mff network-port
ZXR10(config-gei_1/20)#ip dhcp snooping trust
ZXR10(config-gei_1/20)#end

ZXR10(config)#mff enable
ZXR10(config)#ip dhcp snooping enable
ZXR10(config)#ip pool dhcp
ZXR10(config-ip-pool)#range 168.1.70.1 168.1.70.254 255.255.255.0
ZXR10(config-ip-pool)#exit
ZXR10(config)#ip dhcp pool dhcp
ZXR10(config-dhcp-pool)#ip-pool dhcp
ZXR10(config-dhcp-pool)#default-router 168.1.70.1
ZXR10(config-dhcp-pool)#exit
ZXR10(config)#ip dhcp policy zte 1
ZXR10(config-dhcp-policy)#dhcp-pool dhcp
ZXR10(config-dhcp-policy)#exit
5-7


ZXR10(config-if-vlan100)#ip dhcp mode server
ZXR10(config-if-vlan100)#ip dhcp policy zte
5.3.4 MFF Maintenance and Diagnosis

To show the MFF status, use the following commands:
Command Function
ZXR10(config)#show mff configure Displays the MFF global

configuration.
ZXR10(config)#show mff vlan <vlan-id> Displays the MFF VLAN

configuration.
ZXR10(config)#show mff interface Displays the MFF interface

information.
Note:
The ARP packet reply information of the MFF can be obtained by using the debug ARP
switch.
5-8

Chapter 6
Access Control List (ACL)
Configuration
Table of Contents
ACL Overview ............................................................................................................6-1
Configuring ACL.........................................................................................................6-1
ACL Configuration Example .....................................................................................6-10
ACL Maintenance and Diagnosis..............................................................................6-12
6.1 ACL Overview

An ACL is a command list of an interface on a ZXR10 5900E series unit. An ACL controls
the packets entering and leaving an interface. ACL is applicable to all routed protocols,
such as IP and Internetwork Packet Exchange protocol (IPX).
6.2 Configuring ACL

6.2.1 Configuring a Time Range
To configure time range, use the following command:
Command Function
ZXR10(config)#time-range < time-range-name> Configures a time range.

ZXR10(config-tr)#{ absolute {start < hh:mm:ss><
mm-dd-yyyy>}|{ end < hh:mm:ss>< mm-dd-yyyy>}}|{ periodic {
daily | friday | monday | off-day | staturday | sunday | thursday |
tuesday | wednesday | working-day }<hh:mm:ss> to {<hh:mm:ss>|
friday | monday | off-day | staturday | sunday | thursday | tuesday |
wednesday | working-day }}
There are several conditions in the time range configuration.

l Configure a time range for each day: Specify the exact start time and end time. If the
start time and the end time are not configured, the time range is a full day.
l Configure a period: Specify the period to be a certain day of a week.
l Configure a date range: Specify the start date and end date. If the start date and the
end date are not configured, the start date is the day when the configuration takes
effect and the end date is the day when the configuration is invalid.
6-1

6.2.2 Configuring ACL Rules

To configure an ACL, enter ACL configuration mode and define ACL rules.
Note the following items when configuring ACL rules:
1. If a packet matches multiple rules at the same time, the first matched rule is applied.
So, the sequence of these rules is important. Usually, a rule with a smaller range
comes before a rule with a larger range.
2. For network security, an implicit rule (deny any any) is automatically attached to the
end of each ACL to deny all packets. So, usually configuration requires a rule that
permits all packets at the end of an ACL.
6.2.2.1 Configuring a Basic ACL

To configure a basic ACL, perform the following steps:

p
1 ZXR10(config)#acl standard {number <acl-number>|name Enters standard ACL

<acl-name>| alias <alias-name>}[match-order {auto | config}] configuration mode.
2 ZXR10(config-std-acl)#rule <1-1000>{permit|deny}{<sour Configures a rule.

ce>[<source-wildcard>]|any}[time-range <timerange-name>]
3 ZXR10(config-std-acl)#move <1-1000>{after | Changes the order of rules.

before}<1-1000>
Example
The following example shows how to define a standard ACL that permits packets from
the network segment 192.168.1.0/24 but rejects packets with the source IP address
192.168.1.100.
ZXR10(config)#acl standard number 10
ZXR10(config-std-acl)#rule 1 deny 192.168.1.100 0.0.0.0
ZXR10(config-std-acl)#rule 2 permit 192.168.1.0 0.0.0.255
6.2.2.2 Configuring an Extended ACL

To configure an extended ACL, perform the following steps:

p
1 ZXR10(config)#acl extend {number <acl-number>|name Enters extended ACL

<acl-name>} configuration.
6-2

Chapter 6 Access Control List (ACL) Configuration

p
2 ZXR10(config-ext-acl)#rule <rule-no>{perm Configures a rule based on

it|deny}{<source><source-wildcard>|any}{<dest Internet Control Message
><dest-wildcard>|any}[<icmp-type>[icmp-code Protocol (ICMP).
<icmp-code>]][{[precedence <pre-value>][tos
<tos-value>]}|dscp <dscp-value>][fragment][time-range
<timerange-name>]
3 ZXR10(config-ext-acl)#rule <rule-no>{permit|den Configures a rule based on IP or

y}{<ip-number>|ip}{<source><source-wildcard>|any}{<de IP protocol number, excluding
st><dest-wildcard>|any}[{[precedence <pre-value>][tos ICMP, Transfer Control Protocol
<tos-value>]}|dscp <dscp-value>][fragment][time-range (TCP), and User Datagram
<timerange-name>] Protocol (UDP).
4 ZXR10(config-ext-acl)#rule <rule-no>{permit|deny}{<s Configures a rule based on

ource><source-wildcard>|any}[<rule><port>]{<dest><dest- TCP.
wildcard>|any}[<rule><port>][established][{[precedence
<pre-value>][tos <tos-value>]}|dscp <dscp-value>][fragmen
t][time-range <timerange-name>]
5 ZXR10(config-ext-acl)#rule <rule-no>{permit|deny}{<so Configures a rule based on

urce><source-wildcard>|any}[<rule><port>]{<dest><dest-wil UDP.
dcard>|any}[<rule><port>][{[precedence <pre-value>][tos
<tos-value>]}|dscp <dscp-value>][fragment][time-range
<timerange-name>]
6 ZXR10(config-ext-acl)#move <rule-no>{after | Changes the order of rules.

before}<rule-no>
Example
The following example shows how to configure an extended ACL to do the following:
1. Permit UDP packets from network segment 210.168.1.0/24 with the destination IP
address 210.168.2.10, the source port 100 and the destination port 200.
2. Deny the Border Gateway Protocol (BGP) packets from the network segment
192.168.2.0/24.
3. Deny all ICMP packets.
4. Deny all packets with the IP protocol number 8.
ZXR10(config)#acl extend number 150
ZXR10(config-ext-acl)#rule 1 permit udp 210.168.1.0 0.0.0.255 eq 100 210.168.2.10
0.0.0.0 eq 200
ZXR10(config-ext-acl)#rule 2 deny tcp 192.168.2.0 0.0.0.255 eq bgp any
ZXR10(config-ext-acl)#rule 3 deny icmp any any
ZXR10(config-ext-acl)#rule 4 deny 8 any any
6-3

6.2.2.3 Configuring a Layer 2 ACL

To configure a Layer 2 ACL, perform the following steps:

p
1 ZXR10(config)#acl link {number <acl-number>|name Enters Layer 2 ACL

<acl-name>| alias <alias-name>} configuration mode.
2 ZXR10(config-link-acl)#rule <rule-no>{pe Configures a rule.

rmit|deny}<protocol>[cos <cos-vlaue>][egress
{<destination-mac><dest-mac-wildcard>|any}][ingress
{<source-mac><src-mac-wildcard>|any}][time-range
<timerange-name>]
3 ZXR10(config-link-acl)#move <1-1000>{after | Changes the order of rules.

before}<1-1000>
Example
The following example shows how to define a Layer 2 ACL to permit IP packets with
the source MAC address 00d0.d0c0.5741 and the 802.1p 5 from VLAN 10 and deny the
received MPLS (Ethernet type is 8847) packets.
ZXR10(config)#acl link number 200
ZXR10(config-link-acl)#rule 1 permit ip cos 5 ingress 00d0.d0c0.5741 0000.0000.0000
ZXR10(config-link-acl)#rule 2 deny 8847
6.2.2.4 Configuring a Hybrid ACL

To configure a hybrid ACL, perform the following steps:
Step Command Function
1 ZXR10(config)#acl hybrid {number <acl-number>|name Enters hybrid ACL

<acl-name>| alias <alias-name>} configuration.
2 ZXR10(config-hybd-acl)#rule < rule-no>{ permit| deny}< Configures a rule.

protocol-numberl>{{< source-ip>< source-ip-wildcard>}|
any}[ eq < port-number>]{{< destination-ip><
dest-ip-wildcard>}| any}[ eq < port-number>][ dsscp <
dscp-value>]{< ethernet-protocol-number>| any | arp | ip}[ cos
| doutervlan | egress | ingress | time-range]
3 ZXR10(config-hybd-acl)#move <1-1000>{after | Changes the order of rules.

before}<1-1000>
Example
The following example shows how to configure a hybrid ACL to do the following:
6-4

1. Permit UDP packets from the network segment 210.168.1.0/24 with the destination IP
address 210.168.2.10, the destination MAC address 00d0.d0c0.5741, the source port
100 and the destination port 200.
2. Deny the BGP packets from the network segment 192.168.3.0/24.
3. Deny all packets with the MAC address 0100.2563.1425.
ZXR10(config)#acl hybrid number 300
ZXR10(config-hybd-acl)#rule 1 permit udp 210.168.1.0 0.0.0.255 Eq 100 210.168.2.10
0.0.0.0 eq 200 any egress 00d0.d0c0.5741 0000.0000.0000
ZXR10(config-hybd-acl)#rule 2 deny tcp 192.168.3.0 0.0.0.255 Eq BGP any any
ZXR10(config-hybd-acl)#rule 3 deny any any any ingress 0100.2563.1425 0000.0000.0000
6.2.2.5 Configuring a Basic IPv6 ACL

To configure a basic IPv6 ACL, perform the following steps:

p
1 ZXR10(config)#ipv6 acl standard {number Enters basic IPv6 ACL

<acl-number>|name <acl-name>| alias <alias-name>} configuration mode.
2 ZXR10(config-std-v6acl)#rule <1-1000>{permit|deny}{<s Configures a rule.

ource>|any}[time-range <timerange-name>]
3 ZXR10(config-std-v6acl)#move <rule-no>{after | Changes the order of rules.

before}<rule-no>
Example
The following example shows how to define an ACL to permit packets from network
segment 3001::/16.
ZXR10(config)# ipv6 acl standard number 2000
ZXR10(config-std-v6acl)# rule 1 permit 3001::/16
6.2.2.6 Configuring an Extended IPv6 ACL

To configure an extended IPv6 ACL, perform the following steps:

p
1 ZXR10(config)#ipv6 acl extended {number Enters extended IPv6 ACL

<acl-number>|name <acl-name>| alias <alias-name>} configuration mode.
2 ZXR10(config-ext-v6acl)#rule <1-1000>{permit|deny} ip Configures a rule.

{<source>|any}{<dest>|any}[time-range <timerange-name>]
3 ZXR10(config-ext-v6acl)#move <rule-no>{after | Changes the order of rules.

before}<rule-no>
6-5

Example
The following example shows how to define an extended IPv6 ACL to permit packets from
the network segment 3000::/16 to the destination network segment 4000::/16.
ZXR10(config)#ipv6 acl extended 2500
ZXR10(config-ext-v6acl)#rule 1 permit ipv6 3000::/16 4000::/16
6.2.3 Applying an ACL on an Ingress VFP
Note:
Only one ACL can be applied on a given physical port when the ACL is applied on an
ingress VFP. The new configuration overwrites the old one.
For example, configuration of the following commands takes place in interface
configuration mode.
ZXR10(config-gei_1/1)#ip access-group 10 vfp
ZXR10(config-gei_1/1)#ip access-group 100 vfp
Only ACL 100 is valid.
To apply an ACL on an ingress VFP, perform the following steps:

p
1 ZXR10(config)#interface< interface-name> Enters interface configuration

mode.
2 ZXR10(config-gei_1/x)#ip access-group <acl-number> vfp Applies an ACL to an ingress

VFP.
3 ZXR10(config-gei_1/x)#no ip access-group <acl-number> Releases an ACL previously

vfp applied to the ingress VFP.
6.2.4 Applying an ACL to a VLAN
Note:
Only one ACL can be applied in each VLAN. The new configuration overwrites the old one.
For example, configuration of the following commands takes place in VLAN configuration
mode.
ZXR10(config-vlan1)#ip access-group 10 in
6-6

ZXR10(config-vlan1)#ip access-group 100 in
To apply an ACL to a VLAN, perform the following steps:

p
1 ZXR10(config)#vlan <vlan-number> Enters VLAN configuration

mode.
2 ZXR10(config-vlanX)#ip access-group <acl-number> in Applies an ACL to a VLAN.
3 ZXR10(config-vlanX)#no ip access-group <acl-number> in Releases an ACL previously

applied to a VLAN.
6.2.5 Applying an ACL in the Inbound Direction
Note:
Only one ACL can be applied on the inbound direction. The new configuration overwrites
the old one.
configuration mode.
ZXR10(config-gei_1/x)#ip access-group 10 in
Only ACL 100 is valid in the inbound direction.

If the configuration is modified as follows:
ZXR10(config-gei_1/x)#ip access-group 100 out
ACL 10 is valid in the inbound direction. ACL 100 is valid in the outbound direction.
To apply an ACL to an inbound interface, perform the following steps:

p

mode.
6-7


p
2 ZXR10(config-gei_1/x)#ip access-group < acl-number> in Applies an ACL in the inbound

direction.
3 ZXR10(config-gei_1/x)#no ip access-group < acl-number> Releases an ACL previously

in applied in the inbound direction.
6.2.6 Applying an ACL in the Outbound Direction
Note:
Only one ACL can be applied in the outbound direction. The new configuration overwrites
the old one.
configuration mode.
Only ACL 100 is valid in the outbound direction.
To apply an ACL to an outbound interface, perform the following steps:

p

mode.
2 ZXR10(config-gei_1/x)#ip access-group < acl-number> out Applies an ACL in the outbound

direction.
3 ZXR10(config-gei_1/x)#no ip access-group < acl-number> Releases an ACL previously

out applied in the outbound
direction.
6-8

6.2.7 Applying ACL on a Physical Port
Note:
Only one ACL can be applied on a physical port in a given direction. The new configuration
overwrites the old one. For example, configuration of the following commands takes place
in interface configuration mode of fei_1/1.
ZXR10(config-if)#ip access-group 10 in
ZXR10(config-if)#ip access-group 100 in
To apply an ACL on a physical port, perform the following steps:

p
1 ZXR10(config)#interface <port-name> Enters interface configuration

mode.
2 ZXR10(config-if)#ip access-group <acl-number> in|out|vfp Applies an ACL on a physical

port.
6.2.8 Configuring Description for a Rule

To configure a name for a rule, perform the following steps:

p
1 ZXR10(config)#acl standard {number <acl-number>|name Enters standard ACL

<acl-name>} configuration mode.
2 ZXR10(config-std-acl)#rule < 1-1000>{ permit| deny}{< Configures a rule.

source>[< source-wildcard>]| any}[ ttiime-rraange <
timerange-name>]
3 ZXR10(config-std-acl)#rule-description <1-1000><rule Configures a name for a rule.

-description>
Example
The following example shows how to define a standard ACL that permits packets from
the network segment 192.168.1.0/24 and denies packets with the source IP address
192.168.1.100. Rule 1 and rule 2 can use different names.
ZXR10(config-std-acl)#rule 1 deny 192.168.1.100 0.0.0.0
6-9

ZXR10(config-std-acl)#rule-description 1 test1
ZXR10(config-std-acl)#rule-description 2 test2
Note:
Currently, only IPv4 standard rules, extended rules, hybrid rules, and L2 ACLs support the
description function.
6.3 ACL Configuration Example

See Figure 6-1, a company has an Ethernet switch. Users of department A, department
B and servers are connected to the switch. The rules are as follows:
1. Users of department A and department B are not allowed to access the FTP server
and the Video On Demand (VOD) server during the work hours (9 a.m. 5 p.m.), but
they can access the Mail server at any time.
2. The users can access the Internet through the proxy 192.168.3.100, but they cannot
access the Internet during the work hours.
3. General Managers of department A and department B (with the IP addresses
192.168.1.100 and 192.168.2.100, respectively) can access the Internet and all
servers at any time.
The IP addresses of the servers are as follows:
Mail server: 192.168.4.50
FTP server: 192.168.4.60
VOD server: 192.168.4.70
6-10

Figure 6-1 ACL Configuration Example
Configure the switch as follows:

/*Configure a time range*/
ZXR10(config)#time-range enable
ZXR10(config)#time-range working-time
ZXR10(config-tr)#periodic daily 09:00:00 to 17:00:00
/*Define an extended ACL to limit users of department A*/

ZXR10(config-ext-acl)#rule 1 permit ip 192.168.1.100 0.0.0.0 any
ZXR10(config-ext-acl)#rule 2 deny ip 192.168.1.0 0.0.0.255 192.168.4.60 0.0.0.0
time-range working-time
ZXR10(config-ext-acl)#rule 3 deny tcp any 192.168.4.70 0.0.0.0 time-range
working-time
ZXR10(config-ext-acl)#rule 4 deny ip any 192.168.3.100 0.0.0.0 time-range
working-time
ZXR10(config-ext-acl)#rule 5 permit ip any any
/*Define an extended ACL to limit users of department B*/

ZXR10(config-ext-acl)#rule 2 deny ip 192.168.2.0 0.0.0.255 192.168.4.60 0.0.0.0
time-range working-time
ZXR10(config-ext-acl)#rule 3 deny tcp any 192.168.4.70 0.0.0.0 time-range
working-time
6-11

/*Apply the ACLs on the corresponding physical ports*/

ZXR10(config-gei_1/1)#ip access-group 100 in
6.4 ACL Maintenance and Diagnosis

The ZXR10 5900E system provides the following commands for ACL maintenance and
diagnosis:
Command Function
ZXR10(config)#show acl [<acl-number>|name <acl-name>] Displays information for a specific

ACL or all ACLs.
ZXR10(config)#show running-config interface <port-name> Displays whether an ACL is

applied on an interface.
ZXR10(config)#show access bound Displays ACLs applied on the

interfaces.
ZXR10(config)#show access vlan-bound Displays ACLs applied in the

VLANs.
ZXR10(config)#show access brief Displays the configured ACLs and

the number of ACL rules.
6-12

Chapter 7
QoS Configuration
Table of Contents
QoS Overview ............................................................................................................7-1
Configuring QoS.......................................................................................................7-10
Configuring 802.1p and MPLS EXP Mapping Function.............................................7-17
QoS Configuration Examples ...................................................................................7-21
QoS Maintenance and Diagnosis .............................................................................7-23
WRED Function .......................................................................................................7-23
7.1 QoS Overview

QoS provides different levels of service according to the requirements of different
applications, such as increased bandwidth, reduced packet loss, shortened delay and
reduced jitter. To achieve all this, QoS provides the following functions:
l Traffic classification
l Traffic policing
l Traffic shaping
l Queue scheduling and default 802.1p priority
l Redirection and policy routing
l Priority marking
l Flow mirroring
l Traffic statistics
l Adding/deleting/modifying VLAN-ID
7.1.1 Traffic Classification

Traffic refers to the packets that pass through the switch. Traffic classification is used to
classify these packets, and define or describe the packets with certain characteristics.
The traffic classification of QoS is based on the ACL and the ACL rule must be permit. The
user can classify packets in accordance with some filter items of the ACL, such as source
IP address, destination IP address, source MAC address, destination MAC address, IP
protocol type, source TCP port, destination TCP port, source UDP port, destination UDP
port, ICMP type, ICMP code, DSCP, ToS, precedence, In/Out VLAN ID, and 802.1p priority.
7.1.2 Traffic Policing

The 5928E/5952E device supports two levels of traffic policing, namely level 1 traffic
policing and level 2 traffic policing. Level 1 traffic policing refers to limiting the bandwidth
7-1

of a single service stream. Level 2 traffic policing refers to limiting the total bandwidth
of multiple service streams in one ACL. Level 2 traffic policing is implemented based on
level 1 traffic policing. In other words, to configure level 2 traffic policing, users must
configure level 1 traffic policing first. In this way, level 2 traffic policing can take effect.
Figure 7-1 shows the level 2 traffic policing in Single-or mode.
Figure 7-1 Level 2 Traffic Policing in Single-or Mode
l Flow 1 carries 50 MB of service data, Flow 2 carries 30 MB of service data, Flow 3 is

idle, and Flow 4 carries 20 MB of service data.
l During the configuration of level 1 traffic policing, the maximum bandwidth for Flow 1,
Flow 2, Flow 3, and Flow 4 are 20 Mbit/s, 30 Mbit/s, 40 Mbit/s, and 10 Mbit/s.
l During the configuration of level 2 traffic policing, the total bandwidth of the four service
streams is limited to 100 Mbit/s.
l The result is as follows: Flow 1 receives 50 MB of service data, Flow 2 receives 30
MB of service data, and Flow 4 receives 20 MB of service data.
7.1.2.1 Level 1 Traffic Policing

The level 1 traffic policing is used to limit the bandwidth of a certain service. It helps prevent
the bandwidth from exceeding the threshold and therefore protect other services. For the
traffic exceeding the bandwidth, users can perform the following operations:
l Discard or forward the traffic.

l Modify the DSCP value of the traffic.
l Modify the discard priority. The packets with high discard priority will be discarded
during queue congestion.
The traffic policing does not cause any delay. For the traffic policing process, refer to
Figure 7-2.
7-2

Chapter 7 QoS Configuration
Figure 7-2 Traffic Policing Process
l The ZXR10 5900E supports the following algorithms: Flow, Single Rate Three Color
Marker (RFC2697), Two Rate Three Color Marker (RFC2698), and Modified Two Rate
Three Color Marker (RFC4115). All the algorithms except Flow support the Color-Blind
and Color-Aware modes.
l The Meter can work in two modes. In color-blind mode, it considers packets colorless.
In color-aware mode, it considers packets marked with colors. The switch marks each
received packet with a color in accordance with certain rules (information contained
in the packet). The Maker colors IP packets in accordance with the result from the
Meter and records the colors in the DS domain.
l The four marking algorithms are described as follows.
1. Single Rate Two Color Marker (Flow)
The algorithm is used in the Diffserv traffic conditioner. It measures traffic and marks
packets in accordance with two traffic parameters Committed Information Rate (CIR)
and Committed Burst Size (CBS). After passing the ingress policing, a packet needs
to obtain a token from the CBS bucket. If the operation is successful, the packet is
marked green. Otherwise, the packet is marked red. By default, the packets marked
red will be discarded.
2. Single Rate Three Color Marker (SrTCM)

The algorithm is used in the Diffserv traffic conditioner. It measures traffic and marks
packets in accordance with three traffic parameters Committed Information Rate (CIR),
Committed Burst Size (CBS), and Excess Burst Size (EBS). These parameters are
called green, yellow, and red markers. After passing the ingress policing, a packet
needs to obtain a token from the CBS bucket. If the operation is successful, the
packet is marked green. If the operation fails, the packet needs to obtain a token
from the EBS bucket. In this case, if the operation is successful, the packet is marked
7-3

yellow. Otherwise, the packet is marked red. By default, the packets marked red will
be discarded.
3. Two Rate Three Color Marker (TrTCM)
The algorithm is used in the Diffserv traffic conditioner. It measures IP traffic and
marks packets in accordance with two rate parameters Peak Information Rate (PIR)
and Committed Information Rate (CIR), and related CBS and PBS parameters. The
packets can be marked green, yellow, or red. If the rate of a packet exceeds the PIR,
it is marked red. If the rate of a packet exceeds the CIR, it is marked yellow. If the rate
of a packet does not exceed the CIR, it is marked green.
4. Modified Two Rate Three Color Marker (Modified TrTCM)

The algorithm is used in the Diffserv traffic conditioner. It measures IP traffic and marks
packets in accordance with two rate parameters PIR and CIR, and related CBS and
PBS parameters. The packets can be marked green, yellow, or red. If the rate of
a packet exceeds the sum of PIR and CIR, it is marked red. If the rate of a packet
exceeds the CIR, it is marked yellow. If the rate of a packet does not exceed the CIR,
it is marked green.
7.1.2.2 Level 2 Traffic Policing

The level 2 traffic policing is used to limit the bandwidth of a group of services. It helps
prevent the bandwidth from exceeding the threshold and therefore protect other services.
When limiting the total bandwidth, the level 2 traffic policing can use the level 1 traffic
policing to limit the bandwidth of a single service in the group. In this case, the service can
share the total bandwidth.
The traffic policing does not cause any delay. For the traffic policing process, refer to
Figure 7-3.
7-4

Figure 7-3 Traffic Policing Process
The level 2 traffic policing of the ZXR10 5900E supports only the Flow mode.
When the level 2 traffic policing is configured, the function is enabled only when the packets
marked red are discarded.
The relationship between the level 1 traffic policing and level 2 traffic policing is described
as follows:
1. Single-or mode
In this mode, the total bandwidth for level 2 traffic policing must be larger than or equal
to the sum of the bandwidth for level 1 traffic policing in the group. In this way, the level
1 traffic policing can guarantee the minimum bandwidth for each type of services. If
the total bandwidth is not fully occupied, all the services in the group can preempt the
remaining bandwidth. In this mode, the level 1 traffic policing must work in Flow mode.
The traffic policing result is as follows:
Level 1 Traffic Level 2 Traffic Level 1 Color Level 2 Color Final Color
Policing Mode Policing Mode
Flow Single_or Green Green Green
Flow Single_or Green Red Green
Flow Single_or Red Green Green
Flow Single_or Red Red Red
2. Single-and mode
In this mode, the total bandwidth for level 2 traffic policing must be smaller than or equal
to the sum of the bandwidth for level 1 traffic policing in the group. In this way, the level
1 traffic policing can both limit the maximum bandwidth for each type of services and
7-5

use the bandwidth properly. In this mode, the level 1 traffic policing must work in Flow
mode.
Flow Single_and Green Green Green
Flow Single_and Green Red Red
Flow Single_and Red Green Red
Flow Single_and Red Red Red
3. Dual mode
In this mode, the total bandwidth is also limited but the working principle is complicated.
The level 1 traffic policing uses the modified trTCM. Therefore, there are three cases
after packets are colored. In this mode, the level 1 traffic policing must be configured
to the modified trTCM (RFC4115).
Mod.Trtcm Dual Green Green Green
Mod.Trtcm Dual Green Red Green
Mod.Trtcm Dual Yellow Green Yellow
Mod.Trtcm Dual Yellow Red Red
Mod.Trtcm Dual Red Green Red
Mod.Trtcm Dual Red Red Red
7.1.3 Adding, Deleting, and Modifying VLAN ID

1. Add an outer-layer VLAN ID.
7-6

2. Modify an outer-layer VLAN ID.
3. Add an inner-layer VLAN ID.
4. Modify an inner-layer VLAN ID.
5. Delete an inner-layer VLAN ID.
7-7

7.1.4 Traffic Shaping

Traffic shaping refers to controlling the rate of packets in the TX direction and helps send
packets at fixed rate. The function is provided to match the packet rate with that of the
downlink device so that the network is not congested and packets are not discarded.
The main difference between traffic shaping and traffic policing is as follows: Traffic
shaping caches the packets whose rate exceeds the threshold and makes the packets
sent at fixed rate. Traffic policing discards the packets whose rate exceeds the threshold.
Therefore, traffic shaping will cause delay but traffic policing will not cause any delay.
7.1.5 Queue Bandwidth Limit

Queue bandwidth limit refers to limiting the queue bandwidth of an interface. After the
minimum bandwidth is configured for a queue, the queue can obtain the guaranteed
bandwidth during network congestion. In addition, the maximum bandwidth limit ensures
that all queues can obtain bandwidth.
7.1.6 Queue Scheduling and Default 802.1p Priority

Each physical port of the ZXR10 5900E supports eight output queues (0 to 7), which are
called CoS queues. The switch performs operations on the required output queue of an
ingress port in accordance with the CoS queue indicated in a 802.1p packet. When network
congestion occurs, multiple packets will preempt the resources at the same time. In this
case, the queue scheduling function is usually used to resolve the problem.
The ZXR10 5900E supports two queue scheduling modes: Strict Priority (SP) and
Weighted Round Robin (WRR). The eight output queues of the port can use different
scheduling modes.
l SP
In SP mode, the packets in the queues are scheduled strictly in accordance with the
queue priority. The packets in the queue with the highest priority are first sent. After
all the packets in the queue are sent, the packets in the queue with the second highest
priority are sent. All the packets in the eight queues are set by this analogy.
In SP mode, key service packets can be processed first, which ensures the QoS of key
services. However, the packets in the queues with low priorities may not be processed
for ever, which results in the problem of "starving to death".
l WRR
In WRR mode, the packets in each queue has a chance to be scheduled and therefore
the problem of "starving to death" does not exist. However, the queues are scheduled
at different time, that is, the weight of each queue is different. The weight here refers
to the probability of each queue in getting network resources. In this case, the packets
in the queue with higher priority are scheduled first.
The 802.1p tag contains the data priority. If a packet passing through the port is not tagged
with a 802.1p priority, the switch will assign the default 802.1p priority for the packet.
7-8

7.1.7 Redirection and Policy Routing

Redirection refers to changing the output direction of the packets with certain
characteristics in accordance with the traffic classification and forwarding the packets to
the target port, CPU, or next-hop IP address.
Redirecting packets to the next-hop IP address helps implement policy routing.
For packet forwarding, policy routing has more powerful control capability than traditional
routing. To be specific, policy routing can select a path for forwarding packets in
accordance with the matched field in the ACL. In addition, policy routing implements
traffic engineering so that the packets with different QoS or services such as voice service
and FTP service can be forwarded over different paths. Users raise higher and higher
requirements on network performance. Therefore, it is necessary to select paths for
forwarding packets in accordance with different services or users.
7.1.8 Priority Tagging

Priority tagging refers to assigning a set of service parameters for the specified traffic
described by the ACL. Users can perform the following operations:
1. Change the CoS queue of packets and the 802.1p value.
2. Change the CoS queue of packets but do not change the 802.1p value.
3. Change the DSCP value of packets.
4. Change the discard priority of packets.
7.1.9 Remarking Outer-Layer VLAN Value

This operation refers to setting an outer-layer VLAN value for the traffic that matches the
ACL rule.
7.1.10 Flow Mirroring

Flow mirroring refers to copying the service traffic matching an ACL rule to the specified
CPU or interface, which facilitates packet analysis and policing. It is usually used during
network fault diagnosis.
7.1.11 Traffic Statistics

Traffic statistics refers to collecting statistics on the packets of the specified service, so as
to learn the actual network status and allocate network resources properly. It is commonly
used to collect statistics on the number of packets received by an interface.
7-9

7.2 Configuring QoS

7.2.1 Configuring Traffic Policing
7.2.1.1 Configuring Level 1 Traffic Policing
To configure level 1 traffic policing, use the following command:
Command Function
ZXR10(config)#traffic-limit-micro <acl-number> rule-id Configures level 1 traffic policing.

<rule-no> cir <cir-value> cbs <cbs-value>[[[[ ebs <ebs-value>]|[pir
<pir-value>{pbs<pbs-value>}[modified-trtcm]]]{mode
<mode>[[drop-yellow][forward-red][remark-red-dp
{high|low|medium}][remark-red-dscp<value>][remark-yellow-dp
{high|low|medium}][remark-yellow-dscp <value>]]}]|[[forward-
red][remark-red-dp {high|low|medium}][remark-red-dscp<va
lue>]]]
In the ZXR10 5900E system, this command configures the traffic policing function using
the coloring parameters cir, cbs, ebs and pir. If the pir parameter indicates the two-rate
marking algorithm. The ebs parameter indicates the Peak Burst Size (PBS) specified in
the protocol.
The modified-trtcm keyword means the modified Two-rate Three Color Marker (TrTCM)
marking algorithm that is differentiated from the TrTCM marking algorithm.
The <mode> parameter indicates the working mode. Blind refers to the color-blind mode,
and aware refers to the color-aware mode.
The drop-yellow keyword means that the yellow packets are to be discarded. By default,
the yellow packets are to be forwarded.
The forward-red keyword means that the red packets are to be forwarded. By default, the
red packets will be discarded.
The remark-red-dp parameter means to remark the drop priority of the red packets as
either high, medium or low.
The remark-red-dscp parameter means to remark the Differentiated Services Code Point
(DSCP) value of the red packets. The range of the <value> parameter is 063.
The remark-yellow-dp parameter means to remark the drop priority of the yellow packets
as either high, medium or low.
The remark-yellow-dscp parameter means to remark the DSCP value of the yellow packets.
The range of the <value> parameter is 063.
7-10

Example
This example shows how to configure traffic policing for the packets with the destination
IP address 168.2.5.5 on gei_1/1 and set the bandwidth to 10 M.
ZXR10(config)#acl extended number 100
ZXR10(config-ext-acl)#rule 1 permit ip any 168.2.5.5 0.0.0.0
ZXR10(config-ext-acl)#exit
ZXR10(config)#traffic-limit-micro 100 rule-id 1 cir 10000 cbs 2000 pir 10001 pbs 2000
mode blind
7.2.1.2 Configuring Level 2 Traffic Policing
Note:
To configure level 2 traffic policing, users must first configure level 1 traffic policing and a
template of level 2 traffic policing.
It is necessary to apply the template of level 2 traffic policing to rules.
To configure level 2 traffic policing, perform the following steps:
Command Function
ZXR10(config)#traffic-limit-macro template <acl-number> Configures a template based on

rule-group <group -no> cir <cir-value> cbs <cbs-value> mode an ACL.
<single-and|single-or|dual>
ZXR10(config)#traffic-limit-macro template-bind <acl-number> Applies the template to a rule.

group-id <group -no> with rule-id <rule-id>
Example
This example shows how to configure traffic policing for the packets with the destination
IP addresses 168.2.5.1, 168.2.5.2, 168.2.5.3, and 168.2.5.4 on gei_1/1 and set the
bandwidths to 10 M, 20 M, 30 M, and 20 M, respectively. The total bandwidth is limited to
100 M. The mode is single-or.
/*Configure an ACL*/
/*Configure level 1 traffic policing*/
7-11

ZXR10(config)#traffic-limit-micro 100 rule-id 1 cir 10000 cbs 100

/*Configure a template of level 2 traffic policing*/
ZXR10(config)#raffic-limit-macro template 100 rule-group 1 cir 1000000 cbs 100
mode single-or
/*Bind the template to rules*/
ZXR10(config)#traffic-limit-macro template-bind 100 group-id 1 with rule-id 1
/*Apply the ACL on an interface*/
7.2.2 Adding/Deleting/Modifying VLAN-ID
Note:
Outbound ACLs do not support this function.
Modifying the outer VLAN-ID is only supported by inbound ACLs.
Only ACLs bound to a VLAN and an ingress VFP support modifying VLAN-IDs.
To add/delete/modify a vlan-id, use the following command:
Command Function
ZXR10(config)#qos set change-vlan acl <acl-number> rule Adds, deletes or modifies a

<rule-id>{ add {inner-vlan | outer-vlan}<vlan-id>| change VLAN-ID.
{inner-vlan | outer-vlan}<vlan-id>| delete inner-vlan }
Example
This example shows how to modify outer-layer VLAN-ID of packets with the destination IP
address 168.2.5.1 on gei_1/1 to 100.
/*Configure an ACL*/
/*Configure QoS*/
ZXR10(config)#qos set change-vlan acl 100 rule 1 change outer-vlan 100
7-12

7.2.3 Configuring Traffic Shaping

To configure traffic shaping, use the following command:
Command Function
ZXR10(config-gei_1/x)#traffic-shape data-rate <rate-value> Configures traffic shaping on an

burst-size <value> interface.
Example
This example shows how to configure traffic shaping on gei_1/1 and set the interface rate
to 20 M.
ZXR10(config-gei_1/1)#traffic-shape data-rate 20000 burst-size 4
7.2.4 Configuring Queue Bandwidth Limit

To configure queue bandwidth limit, use the following command:
Command Function
ZXR10(config-gei_1/x)#traffic-shape queue <queue-no>{m Configures queue bandwidth limit.

ax-datarate-limit <max-daterate-vlaue>|min-gua-datarate
<min-datarate-vlaue>}
Example
This example shows how to configure queue bandwidth limit on gei_1/1. The maximum
bandwidth of queue 1 is limited to 20 M, and the minimum bandwidth of queue 1 is limited
to 2 M. The maximum bandwidth of queue 2 is limited to 20 M. The minimum bandwidth
of queue 3 is limited to 2 M.
ZXR10(config-gei_1/1)#traffic-shape queue 1 max-datarate-limit 20000
min-gua-datarate 2000
ZXR10(config-gei_1/1)#traffic-shape queue 2 max-datarate-limit 20000
ZXR10(config-gei_1/1)#traffic-shape queue 3 min-gua-datarate 2000
7.2.5 Configuring Queue Scheduling and Default 802.1p of a Port

To configure queue scheduling and default 802.1p priority of a port, use the following
command:
Command Function
ZXR10(config-gei_1/x)#queue-mode strict-priority|wrr <Queue Configures queue scheduling and

number><Queue weight> default 802.1p priority of a port.
7-13

Example
This example shows how to configure SP scheduling on gei_1/1. Use Weighted Round
Robin (WRR) scheduling on gei_1/2. Set the weight of queue 0 to queue 7 to 10, 5, 8, 10,
5, 8, 9, and 10, respectively. Set the default 802.1p to 5 on gei_1/2.
ZXR10(config-gei_1/1)#queue-mode strict-priority
ZXR10(config-gei_1/2)#queue-mode wrr 0 10
ZXR10(config-gei_1/2)#priority 5
7.2.6 Configuring Redirection and Policy Routing

To configure redirection and policy routing, use the following command.
Command Function
ZXR10(config)#redirect <acl-number> rule-id <rule-no>{cpu|int Configures redirection.

erface <port-name>|next-hop <ip-address>}
Example
This example shows how to redirect the packets with the source IP address 168.2.5.5 on
gei_1/4 to gei_1/3. Implement policy routing for the packets with the destination IP address
66.100.5.6, and specify the next-hop IP address to 166.88.96.56.
ZXR10(config)#redirect in 100 rule-id 1 interface gei_1/3
ZXR10(config)#redirect in 100 rule-id 2 next-hop 166.88.96.56
7.2.7 Configuring Priority Marking

To configure priority marking, use the following command:
7-14

Command Function
ZXR10(config)#priority-mark <acl-number> rule-id <rule-no>{ Configures priority marking.

dscp <dscp-value>| cos<cos-value> local-precedence
<local-value> drop-precedence <dropl-value>}}
Example
This example shows how to modify the DSCP value of the packets with the source IP
address 168.2.5.5 on gei_1/1 to 34 and set the output queue to 4.
ZXR10(config-std-acl)#rule 1 permit 168.2.5.5
ZXR10(config-std-acl)#exit
ZXR10(config)#priority-mark 10 rule-id 1 dscp 34 local-precedence 4
7.2.8 Configuring an Outer-Layer VLAN Value

To configure an outer-layer VLAN value, use the following command:
Command Function
ZXR10(config)#qos set acl-svlan-map acl {acl-number | acl-name} Configures an outer-layer VLAN

rule <rule-id> to out-vlanid-<vlan-id> value of traffic that matches an
ACL rule.
Example
This example shows how to set the outer-layer VLAN value of traffic that matches the ACL
rule 1 on gei_1/4 to 2000.
ZXR10(config)#qos set change-vlan acl 10 rule 1 change outer-vlan 2000
7.2.9 Configuring Traffic Mirroring

To configure traffic mirroring, use the following command:
Command Function
ZXR10(config)#traffic-mirror<acl-number> rule-id Configures traffic mirroring.

<rule-no>{cpu|interface <interface-num>}
7-15

Example
This example shows how to mirror the packets with the source IP address 168.2.5.6 on
gei_1/8 to gei_1/4.
ZXR10(config)#traffic-mirror in 10 rule-id 2 interface gei_1/4
7.2.10 Configuring Tail-Drop

Tail-drop is a method of first-in-first-out queue management to help avoid congestion on
the IP connection.
To configure tail-drop, perform the following steps:
Command Function
ZXR10(config)#qos tail-drop < session-index> queue-id < Configures the tail-drop

queue-id>< all-threshold>< yellow-threshold>< red-threshold> parameters.
ZXR10(config-gei_1/x)#drop-mode tail-drop <session-id> Enable the tail-drop function on an

interface.
Example
This example shows how to configure the tail-drop parameters and apply the tail-drop
function on gei_1/8. In queue 1, set the threshold to drop the red packets to 120, set the
threshold to drop the yellow packets to 120, and set the threshold to drop all packets to
240.
ZXR10(config)#qos tail-drop 1 queue-id 1 240 120 120
ZXR10(config-gei_1/8)#drop-mode tail-drop 1
7.2.11 Configuring Traffic Statistics

To configure traffic statistics, use the following command:
Command Function
ZXR10(config)#traffic-statistics < acl-number> rule-id < rule-no> Configures traffic statistics.

pkt-type { all| green| red| yellow} statistics-type { byte| packet}
7-16

Example
This example shows how to collect statistics of the packets with the destination IP address
67.100.88.0/24 on gei_1/8.
ZXR10(config)#traffic-statistics 100 rule-id 2 pkt-type all statistics-type byte
7.3 Configuring 802.1p and MPLS EXP Mapping

Function
7.3.1 Configuring the Mapping from Multi Protocol Label Switching
(MPLS) EXP to Class of Service (CoS)/DSCP
To configure the mapping from MPLS EXP to CoS/DSCP, use the following command.
Command Function
ZXR10(config)#qos conform-exp <exp-list>{[cos Configures the mapping from

<cos-value>][dscp <dscp-value>]} MPLS EXP to CoS/DSCP.
Parameters descriptions:
<exp-list> MPLS EXP value, in the range of 07
<cos-value> CoS value, in the range of 07
<dscp-value> DSCP value, in the range of 063
The default mapping from EXP to CoS/DSCP is shown below.
Exp Value CoS Value DSCP Value
0 0 0
1 1 8
2 2 16
3 3 24
4 4 32
5 5 40
6 6 48
7-17

Exp Value CoS Value DSCP Value
7 7 56
If the mapping of an <exp-list> value is configured multiple times, only the last configuration
is reserved.
Example
This example shows how to map the EXP value 1 to CoS value 2 and DSCP value 15.
ZXR10(config)#qos conform-exp 1 cos 2
ZXR10(config)#qos conform-exp 1 dscp 15
7.3.2 Configuring the Mapping from CoS to MPLS EXP

To configure the mapping from CoS to MPLS EXP, use the following command.
Command Function
ZXR10(config)#qos conform-cos <cos-list><exp-value> Configures the mapping from CoS

to MPLS EXP.
ZXR10(config)#no qos conform-cos <cos-list> Restores the default system

configuration.
<cos-list> CoS value, in the range of 07
<exp-value> MPLS EXP value, in the range of 07
The default CoS-EXP mapping table is shown below.
EXP Value CoS Value
0 0
1 1
2 2
3 3
4 4
5 5
6 6
7 7
The command can be used to set the mapping from the CoS field to the EXP field.
7-18

Repeatedly configure the mapping with the same value of <cos-list> and save only the last
configuration.
Run the no command to restore the default system configuration.
If no CoS mapping is configured and the CoS mapping list is bound to an interface or
VLAN, the default mapping relationship will be enabled.
Example
This example shows how to map the CoS value 1 to EXP value 5.
ZXR10(config)#qos conform-cos 1 exp 5
ZXR10(config)#qos conform-cos 1 exp 5
7.3.3 Viewing EXP Mapping Configuration

To view EXP mapping configuration, use the following command:
Command Function
ZXR10(config)#show qos conform-exp Views the EXP mapping

configuration.
For the display format, refer to Table 7-1.
Table 7-1 Display Format
list cos dscp list cos dscp
0 0 0 4 4 32
1 1 8 5 5 40
2 2 16 6 6 48
3 3 24 7 7 56
7.3.4 Viewing CoS Mapping Configuration

To view CoS mapping configuration, use the following command:
Command Function
ZXR10(config)#show qos conform-cos Views the CoS mapping

configuration.
For the display forma, refer to Table 7-2.
Table 7-2 Display Format
list exp list exp
0 0 4 4
7-19

list exp list exp
1 1 5 5
2 2 6 6
3 3 7 7
7.3.5 Enabling MPLS-EXP Mapping on a Port

To enable MPLS-EXP mapping on a port, use the following command:
Command Function
ZXR10(config-gei_1/x)trust-exp-map {enable | disable} Enables or disables MPLS EXP

mapping on a port.
{enable | disable} Enables or disables EXP mapping
By default, MPLS EXP mapping is disabled.
Example
This example shows how to enable EXP mapping on gei_1/1.
ZXR10(config-gei_1/1)#trust-exp-map enable
7.3.6 Enabling CoS Mapping on a Port

To enable or disable CoS mapping on a port, use the following command:
Command Function
ZXR10(config-gei_1/1)#trust-cos-map {enable | disable} Enables or disables CoS mapping

on a port.
By default, CoS mapping is disabled.
Example
This example shows how to enable CoS mapping on gei_1/1.
ZXR10(config-gei_1/1)#trust-cos-map enable
7-20

7.4 QoS Configuration Examples

7.4.1 Typical QoS Configuration Example
In an example office, department A, department B and internal servers connect to
an Ethernet switch. There is a VoD server with intranet IP address 192.168.4.70. To
guarantee the service quality of the VoD server, the video server needs a higher priority.
Internal users can access the Internet through the proxy 192.168.3.100. Bandwidth limits
must be set and traffic statistics configured for department A and department B. See
Figure 7-4.
Figure 7-4 Typical QoS Configuration Example
The configuration of the switch is as follows:

ZXR10(config-ext-acl)#rule 1 permit tcp any 192.168.4.70 0.0.0.0
/*To guarantee the service quality of the VoD, set the egress queue value to 7*/
/*Limit the bandwidths of department A to access the Internet*/
ZXR10(config)#traffic-limit-micro 100 rule-id 2 cir 5000 cbs 2000 ebs 3000
mode blind
/*Configure traffic statistics of department A*/
ZXR10(config-ext-acl)#rule 1 permit tcp 192.168.2.0 0.0.0.255 192.168.4.70 0.0.0.0
7-21


/*To guarantee the service quality of the VoD, set the egress queue value to 7*/
/*Limit the bandwidth of department B to access the Internet*/
ZXR10(config)#traffic-limit-micro 101 rule-id 2 cir 10000 cbs 2000 ebs 3000
mode blind
/*Configure traffic statistics of department B*/
7.4.2 Policy Routing Configuration Example

When there are multiple Internet Service Provider (ISP) egresses on the network, policy
routing and service types can form the basis for choosing which ISP egress to assign to
which user group.
Users on two subnets connect to the switch, with two ISP egresses available. The ZXR10
5900E system requires different egresses according to the IP addresses of the users.
The users on the subnet 10.10.0.0/24 choose the ISP1 egress. The users on the subnet
11.11.0.0/24 choose the ISP2 egress. See Figure 7-5.
Figure 7-5 Policy Routing Configuration Example

/*Define an ACL that describes the users of 10.10.0.0/24 and 11.11.0.0/24*/
7-22

/*Configure QoS policy routing*/

ZXR10(config)#redirect 10 rule-id 1 next-hop 100.1.1.1
ZXR10(config)#redirect 10 rule-id 2 next-hop 200.1.1.1
/*Apply the ACL on related interfaces*/

7.5 QoS Maintenance and Diagnosis

The ZXR10 5900E system provides the following command for QoS maintenance and
diagnosis:
Command Function
ZXR10(config)#show qos [ name < acl-name>| number < Displays QoS configuration
acl-number>] information.
Example
The following example shows how to display QoS configuration information:
ZXR10(config)#show qos
traffic-limit-macro template 100 rule-group 1 cir 100000 cbs 100 mode single-or
traffic-limit-micro 100 rule-id 1 cir 10000 cbs 100
traffic-limit-macro template-bind 100 group-id 1 with rule-id 1
7.6 WRED Function

7.6.1 WRED Overview
Weighted Random Early Detection (WRED) is a method to avoid congestion that
combines an IP priority with a Random Early Detection (RED) policy and provides a
variety of services.
7-23

7.6.2 Configuring WRED

The ZXR10 5900E system can use the WRED method of queue management, on one port
or globally. users can configure WRED on the basis of the number of bytes or packets.
Users can also configure WRED for green TCP packets, yellow TCP packets, red TCP
packets, or non TCP packets, respectively.
To configure WRED, use the following commands:
Command Function
ZXR10(config)#qos wred < session-index > packet-type { (0 Configures a WRED functional

{[green-tcp < pkt-start-threshold >< pkt-end-threshold >< drop-rate template.
>][yellow-tcp < pkt-start-threshold >< pkt-end-threshold ><
drop-rate >][red-tcp < pkt-start-threshold >< pkt-end-threshold ><
drop-rate >][no-tcp < pkt-start-threshold >< pkt-end-threshold ><
drop-rate >]} weight < weight >[capavg] ) | ( 1 {[green-tcp <
cell-start-threshold >< cell-end-threshold >< drop-rate >][yellow-tcp
< cell-start-threshold >< cell-end-threshold >< drop-rate >][red-tcp
< cell-start-threshold >< cell-end-threshold >< drop-rate >][no-tcp <
cell-start-threshold >< cell-end-threshold >< drop-rate >]} weight <
weight >[capavg] ) }
ZXR10(config)#drop-mode wred < session-index > global Applies a template in global mode.
ZXR10(config-gei_1/X)#drop-mode wred < session-index >{ Applies a template to a port or a

port | queue-id < queue-id >} queue.
<session-index> The template number, in the range of 116.
<pkt-start-threshold> The average queue threshold to drop packets on the basis of the
number of packets, in the range of 111264.
<pkt-end-threshold> The average queue threshold to drop all packets on the basis of
the number of packets, in the range of 111264.
<cell-start-threshold> The average queue threshold to drop packets on the basis of the
number of bytes, in the range of 13047424.
<cell-end-threshold> The average queue threshold to drop all packets on the basis of
the number of bytes, in the range of 13047424.
<drop-rate> The maximum drop rate, in the range of 0-100.
<weight> The weight that the current queue is mapped to the average
queue, in the range of 015.
capavg The calculation that replaces the average queue length with the
current queue length as the drop rate.
<queue-id> The queue number, in the range of 07.
7-24

Example
This example shows how to configure a WRED functional template on the basis of the
number of packets. In the template, the start threshold to drop the green TCP packets is
1000, the end threshold to drop all packets is 2000, and the maximum drop rate is 100. The
start threshold to drop the non-TCP packets is 500, the end threshold to drop all packets
is 800, and the maximum drop rate is 80. The weight that the current queue is mapped to
the average queue is 15. Apply this template globally, to gei_1/1 and queue 1.
ZXR10(config)# qos wred 1 packet-type 0 green-tcp 1000 2000 100 no-tcp 500
800 80 weight 15
ZXR10(config)#drop-mode wred 1 global
ZXR10(config-gei_1/1)#drop-mode wred 1 port
ZXR10(config-gei_1/1)#drop-mode wred 1 queue-id 1
7-25

7-26

Chapter 8
DHCP Configuration
Table of Contents
DHCP Overview .........................................................................................................8-1
Configuring DHCP......................................................................................................8-1
DHCP Configuration Examples ................................................................................8-17
DHCP Maintenance and Diagnosis ..........................................................................8-21
8.1 DHCP Overview

DHCP enables a host on the network to obtain an IP address ensuring its communication
and related configuration information from a DHCP server.
8.2 Configuring DHCP

8.2.1 Configuring an IP Address Pool
To configure an IP address pool, perform the following steps:
1. Create an IP address pool.
Command Function
ZXR10(config)#ip pool <word> Creates an IP address pool. The

<word> parameter is the name of
the IP address pool.
Run the no command to delete
an address pool.
2. Configure the conflict time of an IP in an pool.
Command Function
ZXR10(config-ip-pool)#conflict-time <time> Configures the conflict time of an

IP in an pool.
The <time> parameter is the
conflict time, in the range of
118000 minutes. By default, it
is 30 minutes.
Run the no command to clear the
current configuration and restore
the default time.
8-1

3. Configure reserved addresses in an IP pool.
Command Function
ZXR10(config-ip-pool)#exclude <low_ip_addr>[<hig_ip_ Configures reserved addresses

addr>] in an IP pool.
The <low_ip_addr> parameter is
the start address of the reserved
addresses or a specific address.
The <hig_ip_addr> parameter is
the end address of the reserved
addresses.
Run the no command to clear
the current configuration.
4. Add all suitable IP addresses on a subnet to an IP address pool.
Command Function
ZXR10(config-ip-pool)#network <net_number><net_mask> Adds all suitable IP addresses

on a subnet to an IP address
pool.
The <net_number> parameter is
the network number of a subnet.
The <net_mask> parameter is the
subnet mask.
the related IP address range.
5. Configure the address range of an IP address pool.
Command Function
ZXR10(config-ip-pool)#range <begin_ip_addr><last_ip_addr Configures the address range of

><ip_mask> an IP address pool.
The <begin_ip_addr> parameter is
the start address of an IP address
pool.
The <last_ip_addr> parameter is
the end address of an IP address
pool.
The <ip_mask> parameter is the
address mask.
Run the no command to delete the
related IP address range.
8-2

Chapter 8 DHCP Configuration
8.2.2 Configuring a DHCP Address Pool

A DHCP address pool can be bound to an IP address pool. The DHCP server allocates
addresses from the bound address pool.
To configure a DHCP address pool, perform the following steps:
1. Create a DHCP pool.
Command Function
ZXR10(config)#ip dhcp pool <word> Creates a DHCP address pool.

The <word> parameter is the
name of the DHCP address pool.
Run the no command to delete a
DHCP pool.
2. Associate a MAC address with an IP address.
Command Function
ZXR10(config-dhcp-pool)#binding <mac_addr><ip_addr>[v Associates a MAC address with

rf-instance <instance_ namer>] an IP address.
l <mac_addr> indicates the
MAC address.
l <ip_addr> indicates the IP
address.
l <instance_namer> indicates
the instance name.
3. Configure a default route.
Command Function
ZXR10(config-dhcp-pool)#default-router <ip_addr>[<ip_a Configures a default route. The

ddr>][<ip_addr>] ZXR10 5900E system accepts
up to eight default routes.
<ip_addr> indicates the IP
address.
4. Configure the server address of a Domain Name System (DNS).
8-3

Command Function
ZXR10(config-dhcp-pool)#dns-server <ip_addr>[<ip_addr Configure the server address of

>][<ip_addr>] a DNS.
address.
5. Associate a specified IP address pool with the DHCP address pool.
Command Function
ZXR10(config-dhcp-pool)#ip-pool <ip_pool_name> Associates a specified IP

address pool with the DHCP
address pool.
The <ip_pool_name> parameter
is the name of an IP address
pool, with 116 characters.
the binding relationship.
6. Configure the lease-time of IP addresses.
Command Function
ZXR10(config)#lease-time [[infinite]|[<days><hours><minute Configures the lease-time of IP

s>]] addresses.
The range of the <days>
parameter is 0365.
The range of the <hours>
parameter is 023
The range of the <minutes>
parameter is 059
The default lease-time is 60
minutes.
the configured time and restore
the default configuration.
7. Configure other options.
8-4

Command Function
ZXR10(config-dhcp-pool)#option <option_code>[[ascii Configures other options.

<string>]|[hex <hex_num>]|[ip <ip_addr>]] The <option_code> parameter is
an optional code, in the range of
1254.
The <string> parameter is an
NVT ASCII character string.
8. Configure the IP address of the TFTP server.
Command Function
ZXR10(config-dhcp-pool))#tftp-server < ip_addr>[<ip_a Configures the IP address of the

ddr>][< ip_addr>] TFTP server.
address.
9. Configure the next server IP address field of a DHCP packet.
Command Function
ZXR10(config-dhcp-pool))#next-server < ip_addr> Configures the next server IP

address field of a DHCP packet.
address.
8.2.3 Configuring a DHCP Policy

To configure a DHCP policy, perform the following steps:
1. Create a DHCP policy and enter policy configuration mode.
8-5

Command Function
ZXR10(config)#ip dhcp policy <policy_name><priority> Creates a DHCP policy and

enters policy configuration
mode.
The <policy_name> parameter is
the name of a policy, with 116
characters.
Run the no command to
delete the policy configuration
corresponding to the name.
2. Associate a DHCP address pool with a policy.
Command Function
ZXR10(config-dhcp-pool)#dhcp-pool <pool_name> Associates a DHCP address

pool with a policy.
<pool_name> indicates the name
of the DHCP pool.
the binding relationship.
3. Configure the address of a relay agent.
Command Function
ZXR10(config-dhcp-pool)#relay-agent <ip_addr> Configures the address of a relay

agent.
address.
8.2.4 Configuring a DCHP Server

To configure a DHCP server, perform the following steps:
1. Enable the DHCP process.
8-6

Command Function
ZXR10(config)#ip dhcp enable Enables the internal DHCP

process.
The system supports both the
DHCP server and DHCP Relay
functions. This command is used
to enable these two functions.
Run the no command to disable
the DHCP process.
By default, the DHCP process is
not enabled.
2. Configure the DHCP working mode on an interface.
Command Function
ZXR10(config-if-vlanX)#ip dhcp mode [server | relay | Enables the DHCP mode of the
proxy] interface.
l relay refers to enabling the
DHCP Relay function of the
interface.
l server refers to enabling the
DHCP Server function of the
interface.
l proxy refers to enabling the
DHCP Proxy function of the
interface.
After enabling the built-in DHCP relay process, the system processes an IP address
request sent from a DHCP client on the interface. It allocates an IP address to a DHCP
client dynamically through an external DHCP server configured on an interface.
After enabling the built-in DHCP proxy process, the system processes an IP address
request sent from a DHCP client on the interface. It allocates an IP address to a
DHCP client dynamically through an external DHCP server configured in an interface.
It replaces the short lease deployed by the proxy with the long lease deployed by
the server. When the DHCP client sends a request to continue the lease, if the long
lease allocated by the DHCP server does not expire, the DHCP proxy will respond to
the DHCP client directly rather than the DHCP Server. This relieves the load on the
DHCP server.
Only one of the three functions can be enabled on an interface.
3. Associate an interface with a policy.
8-7

Command Function
ZXR10(config-if-vlanX)#ip dhcp policy < policy_name> Associates an interface with a

policy.
<policy_name> indicates the
name of the policy to be bound
to the interface.
4. Configure the DHCP user quota on an interface.
Command Function
ZXR10(config-if-vlanX)#ip dhcp user quota <limit-value> Configures the DHCP user

quota, the maximum number of
DHCP clients allowed, on an
interface.
The range of the <limit-value>
parameter is 12048.
By default, there is no quota.
Run the no command to
cancel DHCP user quota of the
interface.
This command is valid for a DHCP server and, under special conditions, for a DHCP
relay.
For a DHCP server, the DHCP user quota limits the maximum number of DHCP
users on an interface. It limits the number of IP addresses allocated on the interface
indirectly.
For a DHCP relay, standard mode does not support the DHCP user quota
configuration. In secure forwarding mode, however, user quota is valid for a DHCP
relay.
5. Configure the policy according to the interface that chooses an external DHCP server.
Command Function
ZXR10(config-if-vlanX)#ip dhcp helper-address policy Configures the policy according

vclass-id to the interface that chooses an
external DHCP server.
By default, the system selects
the DHCP server configured by
using the ip dhcp relay server
command on the interface.
6. Configure the ramble function of a DHCP server/relay/proxy.
8-8

Command Function
ZXR10(config)#ip dhcp ramble When the ramble function is

enabled, a DHCP user can
switch to the access interface
when the user is online. By
default, the ramble function is
disabled.
the DHCP roaming function.
7. Enable the DHCP log print switch so that the ZXR10 5900E system can record the
DHCP users online logs.
Command Function
ZXR10(config)#ip dhcp logging on Enables the DHCP log print

switch so that the ZXR10 5900E
system can record the DHCP
users online logs.
By default, the DHCP log print
function is disabled.
the DHCP printing function.
8.2.5 Configuring DHCP Snooping

To configure DHCP snooping, perform the following steps:
1. Add a binding entity to the DHCP snooping binding table manually.
Command Function
ZXR10(config)#ip dhcp snooping binding <mac> vlan Adds a binding entity to the
<vlan><ip address><interface-number> expiry <2147483647> DHCP snooping binding table
manually.
The <mac> parameter is the
users MAC address.
The <vlan> parameter is a VLAN
to which the user belongs or a
range of VLANs to which the
users belong, in the range of
14096.
The <interface-number>
parameter is a physical port,
such as fei, gei and smartgroup.
8-9

Command Function
Run the no command to delete a

binding entry from the database
bound to the DHCP snooping.
2. Delete an entity in the DHCP snooping binding table on a Layer 2 interface manually.
Command Function
ZXR10(config)#ip dhcp snooping clear [<interface-number>] Manually deletes an entity in the

DHCP snooping binding table on
a Layer 2 interface.
<interface-number> indicates a
physical port, such as fei, gei,
and smartgroup.
3. Enable the DHCP snooping function.
Command Function
ZXR10(config)#ip dhcp snooping enable Enables the DHCP snooping

function.
the DHCP snooping function.
4. Insert the Option82 into a DHCP packet forwarded by DHCP snooping.
Command Function
ZXR10(config)#ip dhcp snooping information option Inserts the Option82 into a

DHCP packet forwarded by
DHCP snooping. By default, the
Option82 is not inserted.
5. Configure the format to insert the Option82 into a DHCP packet.
Command Function
ZXR10(config)#ip dhcp snooping information format { Configures the format to insert

china-tel | dsl-forum| Telenor| user-configuration} the Option82 into a DHCP
packet.
The china-tel keyword means
the China Telecom format.
The dsl-forum keyword means
the Digital Subscriber Line (DSL)
forum format.
The default setting is the China
Telecom format.
8-10

Command Function
Run the no command to cancel

the configured Option82 format
and restore the default format.
There are four formats: china-tel, dsl-forum, Telenor, and user-configuration.

6. Configure a policy for DHCP Option 82 requests.
Command Function
ZXR10(config)#ip dhcp snooping information policy {keep Configures the policy for DHCP
| replace} Option82 packets.
The keep keyword means to
keep the previous Option82.
The replace keyword means to
replace the previous Option82.
By default, the system keeps the
previous Option82.
the configured Option82 policy
and restore the default policy.
7. Configure the DHCP snooping ramble function.
Command Function
ZXR10(config)#ip dhcp snooping ramble Configures the DHCP snooping

ramble function.
the roaming function of the
DHCP snooping.
8. To configure the interface connected to the DHCP server as a trust interface, use the
following command. The switch does not restrict a trust interface. By default, the other
interfaces are not trust interfaces.
Command Function
ZXR10(config)#ip dhcp snooping trust <interface-number> Configures the interface

connected to the DHCP server
as a trust interface.
<interface-number> indicates a
physical port, such as fei, gei,
and smartgroup.
9. Enable the DHCP snooping function on a specific VLAN or VLAN range.
8-11

Command Function
ZXR10(config)#ip dhcp snooping vlan <vlan> Enables the DHCP snooping

function on a specific VLAN or
VLAN range.
The <vlan> parameter is a VLAN
to which a user belongs or a
range of VLANs to which the
users belong, in the range of
14096.
10. To configure the circuit-id when the format of the Option82 in VLAN mode is
user-configuration, use the following command:

p
1 ZXR10(config-vlan)#ip dhcp snooping information Configures the circuit-id

circuit-id when the format of the
Option82 in VLAN mode is
user-configuration.
11. To configure the remote-id when the format of the Option82 in VLAN mode is
user-configuration, use the following command:

p
1 ZXR10(config-vlan)#ip dhcp snooping information Configures the remote-id

remote-id when the format of the
Option82 in VLAN mode is
user-configuration.
Caution!
The configuration of the Option82 in VLAN mode is higher than that in global mode and
lower than that in port+VLAN mode in terms of priority.
8.2.6 Configuring a DHCP Relay

To configure a DHCP relay, perform the following steps:
1. Configure the IP address of a DHCP agent on an interface.
8-12

Command Function
ZXR10(config-if-vlanX)#ip dhcp relay agent <ip-address> Configures the IP address of a

DHCP agent on an interface.
<ip-address> indicates the IP
address of the DHCP agent on
the interface. The IP address is
in dotted decimal notation.
the IP address of the DHCP
agent on the interface.
Before enabling the DHCP Relay to forward DHCP requests to the DHCP server,
configure the IP address of the DHCP Relay. The IP address is one of the IP addresses
of the interface configured for the DHCP client.
The DHCP server allocates IP addresses in accordance with the IP address of the
DHCP Relay so that the IP addresses belong to different subnets. The DHCP Relay
forwards the DHCP responses from the DHCP server to the DHCP client. Therefore,
the DHCP server must be configured with a route in the subnet where the DHCP Relay
resides.
2. Configure the forwarding mode on an interface.
Command Function
ZXR10(config-if-vlanX)#ip dhcp relay server Configures the forwarding mode

<ip-address>{standard | security} on an interface.
The standard keyword means to
comply with the DHCP standard
protocol forwarding mode.
The security keyword means to
comply with the ZTE security
forwarding mode.
The default forwarding mode is
standard.
the IP address of the DHCP
server on the interface.
The standard forwarding mode complies with the standard DHCP protocol. After users
are assigned with IP addresses, the DHCP process does not perform any action during
future unicast interaction, for example, security check. Meanwhile, the function of
writing data to the ARP table is invalid to the standard mode. In standard mode,
the DHCP process does not perform any action during future unicast interaction and
therefore the performance is enhanced in case of large traffic.
8-13

In security mode, the DHCP protocol and ZTE protocols are used together to control
and process all the actions performed between DHCP users and the DHCP server, for
example, security check. In this way, the DHCP process can perform actions during the
whole process of DHCP interaction. In addition, the DHCP process supports writing
data to the ARP table. The default forwarding mode of the DHCP Relay is standard.
3. Configure the number of retry attempts that a DHCP relay applies for an address from
the external DHCP servers.
Command Function
ZXR10(config)#ip dhcp relay server retry <limit-values> Configures the number of retry
attempts that a DHCP relay
applies for an address from the
external DHCP servers.
The range of the <limit-values>
parameter is 51000. The
default value is 10.
4. Configure a DHCP client with a specific domain name to apply for an IP address from
the external DHCP server.
Command Function
ZXR10(config)#ip dhcp relay server vclass-id <domain Configures a DHCP client with a
name><ip-address>{standard | security} specific domain name to apply
for an IP address from the
external DHCP server.
The <domain name> parameter is
the domain name contained in
the request sent by the DHCP
client.
The <ip-address> parameter is
the IP address of the external
DHCP server.
5. Configure not to strictly check the message for continue a lease of a DHCP user in the
standard forwarding mode on a DHCP relay.
Command Function
ZXR10(config)#ip dhcp relay forward reply unrestricted Enables the function of

transparently transmit ACK
packets.
Run the no command to restrict
the renewal packets of DHCP
users and restore the default
format.
8-14

6. Insert an Option82 request into a DHCP packet forwarded by a DHCP relay.
Command Function
ZXR10(config)#ip dhcp relay information option Enables the function of inserting

the Option82.
the function of inserting the
Option82.
7. Configure the policy for a DHCP packet when there has been an Option82 request.
Command Function
ZXR10(config)#ip dhcp relay information policy {keep | Configures the policy for a DHCP
replace} packet when there has been an
Option82 request.
The keep keyword means to
keep the previous Option82
information.
The replace keyword means to
replace the previous Option82
information.
By default, the system keeps the
previous Option82 information.
the configured Option82 policy
and restore the default policy.
8. Configure the server-id that a DHCP relay replies to a DHCP client.
Command Function
ZXR10(config)#ip dhcp relay security client server-id Configures the server-id that a
<ip-address> DHCP relay replies to a DHCP
client.
<ip-address> indicates the IP
address of the server-id. The
IP address is in dotted decimal
notation.
the IP address of the server-id
from the DHCP Relay to the
DHCP client.
9. Enable the DHCP relay snooping function globally.
8-15

Command Function
ZXR10(config)#ip dhcp relay snooping enable Enables the function of DHCP

Relay Snooping globally.
10. Enable the ZXR10 5900E series system to obtain the DHCP packets of all reply types
on an interface.
Command Function
ZXR10(config-if-vlanX)#ip dhcp relay snooping packet Enables the ZXR10 5900E

reply series system to obtain the
DHCP packets of all reply types
on an interface.
11. Enable the ZXR10 5900E series system to obtain the DHCP packets of all request
types on an interface.
Command Function
ZXR10(config-if-vlanX)#ip dhcp relay snooping packet Enables the ZXR10 5900E

request series system to obtain the
DHCP packets of all request
types on an interface.
12. Set an interface to a trust interface of a DHCP relay.
Command Function
ZXR10(config-if-vlanX)#ip dhcp relay snooping trust Enables the interface to be a

trust interface of the DHCP
Relay.
13. Enable the DHCP relay snooping trust function globally.
Command Function
ZXR10(config)#ip dhcp relay snooping trust enable Enables the function of DHCP
Relay Snooping Trust globally.
8.2.7 Configuring a DHCP Client

To configure a DHCP client, perform the following steps:
1. Enable the class-id function of a DHCP client.
Command Function
ZXR10(config-if-vlanX)#ip dhcp client class-id {WORD | Enables the class-id function of

hex} a DHCP client on an interface.
8-16

2. To configure the client-id of a DHCP client, use the following commands.
Command Function
ZXR10(config-if-vlanX)#ip dhcp client client-id supervlan Configures the client-id of a

DHCP client.
ZXR10(config-if-vlanX)#ip dhcp client client-id vlan
3. Configure the hostname of a DHCP client.
Command Function
ZXR10(config-if-vlanX)#ip dhcp client hostname WORD Configures the hostname of a

DHCP client.
4. Configure the lease of a DHCP client.
Command Function
ZXR10(config-if-vlanX)#ip dhcp client lease { 0-365 | Configures the lease of a DHCP

infinite } client.
5. Configure request information of a DHCP client.
Command Function
ZXR10(config-if-vlanX)#ip dhcp client request { Configures request information

dns-nameserver | domain-name | router | static-route | of a DHCP client.
tftp-server-address }
8.3 DHCP Configuration Examples

8.3.1 DHCP Server Configuration Example
R1 works as a DHCP server and a default gateway. The host obtains an IP address through
DHCP dynamically. See Figure 8-1.
8-17

Figure 8-1 DHCP Server Configuration Example
R1 configuration:
ZXR10(config-if-vlan10)#ip dhcp mode server
ZXR10(config)#ip pool pool1
ZXR10(config-ip-pool)#range 10.10.1.10 10.10.1.100 255.255.255.0
ZXR10(config-ip-pool)#exit
ZXR10(config)#ip dhcp pool dhcp1
ZXR10(config-dhcp-pool)#ip-pool pool1
ZXR10(config-dhcp-pool)#default-route 10.10.1.1
ZXR10(config-dhcp-pool)#exit
ZXR10(config)#ip dhcp policy p1 1
ZXR10(config-dhcp-policy)#dhcp-pool dhcp1
ZXR10(config-dhcp-policy)#exit
ZXR10(config-if-vlan10)#ip dhcp policy p1
8.3.2 DHCP Relay Configuration Example

The following example shows the DHCP relay function enabled on R1. A server at
10.10.2.2 provides the DHCP server function. This mode is usually used when several
hosts require DHCP service. See Figure 8-2.
8-18

Figure 8-2 DHCP Relay Configuration Example
R1 configuration:
ZXR10(config)#interface vlan10
ZXR10(config-if-vlan10)#ip dhcp mode relay
ZXR10(config-if-vlan10)#ip dhcp relay agent 10.10.1.1
ZXR10(config-if-vlan10)#ip dhcp relay server 10.10.2.2 security
8.3.3 DHCP Snooping Configuration Example

The following example shows DHCP server 1 connected to gei_1/1 of R1. The DHCP
server 2 connects to gei_1/2 of R1. DHCP server 2 is an illegal DHCP server configured
by users. Both gei_1/1 and gei_1/2 belong to VLAN 100. Users must enable the DHCP
snooping function on R1 to prevent the illegal DHCP server. see Figure 8-3.
This requires enabling the DHCP snooping function in VLAN 100 and setting gei_1/1 to a
trust interface.
8-19

Figure 8-3 DHCP Snooping Configuration Example
R1 configuration:
ZXR10(config-gei_1/1)#switch access vlan 100
ZXR10(config-gei_1/2)#switch access vlan 100
ZXR10(config)#ip dhcp snooping vlan 100
ZXR10(config)#ip dhcp snooping trust gei_1/1
8.3.4 DHCP Snooping Preventing Static IP Configuration

The following example shows static IP configuration on a DHCP server. The PC belongs
to VLAN 100. The PC obtains an IP address through DHCP. This is necessary to prevent
the PC from configuring a static IP address through the DHCP snooping function and the
dynamic ARP inspection function. See Figure 8-4.
Figure 8-4 DHCP Snooping Preventing Static IP Configuration
R1 configuration:

ZXR10(config-vlan100)#ip arp inspection
8-20

8.4 DHCP Maintenance and Diagnosis

The ZXR10 5900E system provides the following commands for DHCP maintenance and
diagnosis:
Command Function
ZXR10(config)#show ip dhcp relay [forward | information | Displays configuration information

security | server | snooping | user] of DHCP.
ZXR10(config)#show ip local pool [<pool-name>] Displays configuration information

of a local address pool.
ZXR10(config)#show running-config interface[ fei | gei | Displays configuration information

smartgroup | supervlan | vlan ] for DHCP servers/relays on
interfaces.
ZXR10(config)#show ip dhcp snooping configure Displays the global DHCP

snooping configuration.
ZXR10(config)#show ip dhcp snooping vlan [<vlan-id>] Displays the DHCP snooping

configuration in a VLAN.
ZXR10(config)#show ip dhcp snooping trust Displays the trust interface

configuration of DHCP snooping.
ZXR10(config)#show ip dhcp snooping database <port-number> Displays the DHCP snooping

database.
ZXR10(config)#show ip arp inspection vlan [<vlanl-id>] Displays dynamic ARP inspection

information.
ZXR10(config)#show ip dhcp pool [<pool-name>] Displays the DHCP pool

configuration.
ZXR10(config)#show ip dhcp policy [<policy_name>] Displays the DHCP policy

configuration.
ZXR10#debug ip dhcp Traces the packets sent and

received on a DHCP server/relay.
8-21

8-22

Chapter 9
VRRP Configuration
Table of Contents
VRRP Overview .........................................................................................................9-1
Configuring VRRP ......................................................................................................9-1
VRRP Configuration Examples...................................................................................9-2
VRRP Maintenance and Diagnosis.............................................................................9-4
9.1 VRRP Overview

VRRP sets multiple interfaces in a broadcast domain into a group to form a virtual router.
It allocates an IP address to the virtual router as an interface address. In this way, VRRP
prevents single-point faults due to failures on the single default gateway.
9.2 Configuring VRRP

To configure Virtual Router Redundancy Protocol (VRRP), perform the following steps:
1. Run VRRP.
Command Function
ZXR10(config-if-vlanX)#vrrp <group> ip <ip-address>[s Runs VRRP.

econdary]
A VRRP group can consist of multiple virtual addresses. A host can use any address
as the gateway for communications.
2. Configure the VRRP priority.
Command Function
ZXR10(config-if-vlanX)#vrrp < group> preempt [ delay < Configures the VRRP priority.
seconds>]
3. Configure preemption.
Command Function
ZXR10(config-if-vlanX)#vrrp <group> preempt [delay Configures preemption.

<milliseconds>]
4. Configure the VRRP notification interval.
9-1

Command Function
ZXR10(config-if-vlanX)#vrrp <group> advertise Configures the VRRP notification

[msec]<interval> interval.
5. Configure the interval for retrieving VRRP messages from the master.
Command Function
ZXR10(config-if-vlanX)#vrrp <group> learn Configures the interval for

retrieving VRRP messages from
the master.
6. Configure an authentication string.
Command Function
ZXR10(config-if-vlanX)#vrrp <group> authentication Configures an authentication

<string> string.
7. Configure the VRRP uplink track function.
Command Function
ZXR10(config-if-vlanX)#vrrp < group> track < track-num>{ Configures the VRRP uplink
decrement< priority>}|{ bfd { priority-down | switch }} track function.
8. Configure the mode of a virtual router.
Command Function
ZXR10(config-if-vlanX)#vrrp < group> mode {private | Configures the mode of a virtual

standard} router.
9. Configure an out-interface for VRRP protocol messages on a virtual router.
Command Function
ZXR10(config-if-vlanX)#vrrp < group> out-interface Configures an out-interface for

{supervlan | vlan <interfacenumber>} VRRP protocol messages on a
virtual router.
9.3 VRRP Configuration Examples

9.3.1 Basic VRRP Configuration Example
VRRP runs between R1 and R2. The interface address of R1 10.0.0.1 is used as the
VRRP virtual address. R1 works as the master router. See Figure 9-1.
9-2

Chapter 9 VRRP Configuration
Figure 9-1 Basic VRRP Configuration Example
R1 configuration:
ZXR10_R1(config)#interface vlan 1
ZXR10_R1(config-if-vlan1)#ip address 10.0.0.1 255.255.0.0
ZXR10_R1(config-if-vlan1)#vrrp 1 ip 10.0.0.1
R2 configuration:
9.3.2 Symmetric VRRP Configuration Example

There are two VRRP groups. PC1 and PC2 use the virtual router in Group 1 as the default
gateway and the address 10.0.0.1. PC3 and PC4 use the virtual router in Group 2 as the
default gateway and the address 10.0.0.2. R1 and R2 are backups for each other. The four
hosts cannot communicate with the outside network when neither router works properly.
See Figure 9-2.
9-3

Figure 9-2 Symmetric VRRP Configuration Example
R1 configuration:
R2 configuration:
9.4 VRRP Maintenance and Diagnosis

The ZXR10 5900E system provides the following commands for VRRP maintenance and
diagnosis:
Command Function
ZXR10(config)#show vrrp [<group>|brief|interface Displays VRRP group

<interface-name>|all] configuration.
ZXR10#debug vrrp {state|packet|event|error|all} Displays VRRP debugging

information.
9-4

Chapter 10
DOT1X Configuration
Table of Contents
DOT1x Overview ......................................................................................................10-1
Configuring DOT1X ..................................................................................................10-1
DOT1X Configuration Examples...............................................................................10-8
DOT1X Maintenance and Diagnosis....................................................................... 10-11
10.1 DOT1x Overview

DOT1X, that is, Institute of Electrical and Electronics Engineers (IEEE) 802.1x, is a
port-based network access control protocol. It optimizes the authentication mode and
authentication architecture, and solves the problems caused by traditional Point to Point
Protocol over Ethernet (PPPoE) and Web/Portal authentication modes. This makes it
more suitable for broadband Ethernet.
The IEEE 802.1x protocol architecture consists of three parts:
l A supplicant system
l An authenticator system
l An authentication server system
10.2 Configuring DOT1X

10.2.1 Configuring AAA
To configure Authentication, Authorization and Accounting (AAA), perform the following
steps:
1. Create an AAA control entity.
Command Function
ZXR10(config-nas)#create aaa <rule-id>[port Creates an AAA control entity.

<port-name>][vlan <vlan-id>]
2. Delete an AAA control entity.
Command Function
ZXR10(config-nas)#clear aaa <rule-id> Deletes an AAA control entity.
3. Enable/disable DOT1X authentication or DOT1X relay.
10-1

Command Function
ZXR10(config-nas)#aaa <rule-id> control {dot1x|dot1x-rela Enables/disables DOT1X

y}{enable|disable} authentication or DOT1X relay.
4. Configure the authentication type.
Command Function
ZXR10(config-nas)#aaa <rule-id> protocol {pap|chap|eap} Configures the authentication

type.
5. Configure the keep-alive interval.
Command Function
ZXR10(config-nas)#aaa <rule-id> keepalive {enable [period Configures the keep-alive

< period-value >]|disable} interval.
6. Enable/disable accounting.
Command Function
ZXR10(config-nas)#aaa <rule-id> accounting {enable|disable} Enables/disables accounting.
7. Allow multiple users and configure the maximum number of users, or disallow multiple
users.
Command Function
ZXR10(config-nas)#aaa <rule-id> multiple-hosts {enable Allows multiple users and

[max-hosts <host-number>]|disable} configures the maximum number
of users, or disallows multiple
users.
8. Configure the default ISP name.
Command Function
ZXR10(config-nas)#aaa < rule-id> default-isp < isp-name>[ Configures the default ISP name.
default]
9. Configure whether to include the ISP domain name in a username.
Command Function
ZXR10(config-nas)#aaa <rule-id> fullaccount {enable|disable} Configures whether to include

the ISP domain name in a
username.
10. Configure a group name.
10-2

Chapter 10 DOT1X Configuration
Command Function
ZXR10(config-nas)#aaa <rule-id> groupname Configures a group name.

<group-name>
11. Associate a RADIUS authentication server group.
Command Function
ZXR10(config-nas)#aaa <rule-id> radius-server Associates a RADIUS

authentication< group-number > authentication server group.
12. Associate a RADIUS accounting server group.
Command Function
ZXR10(config-nas)#aaa <rule-id> radius-server Associates a RADIUS

accounting < group-number > accounting server group.
13. Set the authentication mode to local or radius.
Command Function
ZXR10(config-nas)#aaa <rule-id> authentication Sets the authentication mode to

{local|radius} local or radius.
14. Configure the authorization mode.
Command Function
ZXR10(config-nas)#aaa <rule-id> authorization Configures the authorization

{auto|unauthorized|authorized} mode.
15. Configure the authentication mode based on a rule.
Command Function
ZXR10(config-nas)#aaa <rule-id> rule-based-auth Configures the authentication

mode based on a rule.
10.2.2 Configuring the DOT1X Parameters

To configure the DOT1X parameters, perform the following steps:
1. Configure the DOT1X re-authentication period.
Command Function
ZXR10(config-nas)#dot1x re-authentication {enable [period Configures the DOT1X

< period >]|disable} re-authentication period.
10-3

2. Configure the quiet period of DOT1X authentication.
Command Function
ZXR10(config-nas)#dot1x quiet-period < period > Configures the quiet period of

DOT1X authentication.
3. Configure the period of DOT1X authentication started by a supplicant system.
Command Function
ZXR10(config-nas)#dot1x tx-period <period> Configures the period of DOT1X

authentication started by a
supplicant system.
4. Configure the time-out period of a supplicant system.
Command Function
ZXR10(config-nas)#dot1x supplicant-timeout <period> Configures the time-out period of

a supplicant system.
5. Configure the time-out period of a DOT1X authentication server.
Command Function
ZXR10(config-nas)#dot1x server-timeout <period> Configures the time-out period of

a DOT1X authentication server.
6. Configure the maximum number of requests by a supplicant system.
Command Function
ZXR10(config-nas)#dot1x max-request < count> Configures the maximum

number of requests by a
supplicant system.
7. Configure the MAC address bypass authentication of the DOT1X.
Command Function
ZXR10(config-nas)#dot1x mac-auth-bypass Configures the MAC address

bypass authentication of the
DOT1X.
10.2.3 Configuring a Local Authentication User

To configure a local authentication user, perform the following steps:
1. Create a local user.
10-4

Command Function
ZXR10(config-nas)#create localuser <user-id>[name Creates a local user.

<user-name>][password <user-password>]
2. Associate the user with a port.
Command Function
ZXR10(config-nas)#localuser <user-id> port <port-name> Associates the user with a port.
3. Bind the user to a VLAN.
Command Function
ZXR10(config-nas)#localuser <user-id> vlan <vlan-id> Binds the user to a VLAN.
4. Bind the user to a MAC address.
Command Function
ZXR10(config-nas)#localuser <user-id> mac <mac-address> Binds the user to a MAC address.
5. Enable or disable accounting for the local user.
Command Function
ZXR10(config-nas)#localuser <user-id> accounting Enables or disables accounting

{enable|disable} for the local user.
10.2.4 Managing DOT1X Authentication Access Users

To manage DOT1X authentication access users, perform the following steps:
1. Display all DOT1X authentication access users.
Command Function
ZXR10(config-nas)#show clients [ index < client-index>| mac Displays all DOT1X

< mac-address>| port < port-name>| vlan < vlan-id>] authentication access users.
2. Clear a specific user.
Command Function
ZXR10(config-nas)#clear client [index <client-index>|port Clears a specific user.

<port-name>| vlan <vlan-id>]
10-5

10.2.5 Managing Multi-Domains

To manage multi-domains, perform the following steps:
1. Enable or disable the multi-domain function.
Command Function
ZXR10(config)#domain-auth enable Enables or disables the

multi-domain function.
ZXR10(config)#no domain-auth Disables the multi-domain

authentication function.
2. Configure a global domain delimiter.
Command Function
ZXR10(config)#domaindelimiter <domaindelimiter> Configures a global domain

delimiter. The delimiter can be
@, /, %, # or other characters.
ZXR10(config)#no domaindelimiter Cancels the global domain

delimiter configuration.
3. Configure domain information.
Command Function
ZXR10(config)#domain <domain-id>[ default ] Configures domain information.
ZXR10(config)#no domain <domain-id>[ default ] Deletes domain information.
4. Enable domain full-account authentication.
Command Function
ZXR10(config-domain)#domain-fullaccount enable Enables domain full-account

authentication.
ZXR10(config-domain)#no domain-fullaccount Deletes domain full-account

authentication information.
5. Configure a domain name.
Command Function
ZXR10(config-domain)#domain-name <domain-name> Configures a domain name.
ZXR10(config-domain)#no domain-name Deletes a domain name.
6. Configure a domain accounting server.
10-6

Command Function
ZXR10(config-domain)#domain-radius-account-server Configures a domain accounting

<server-id> server.
ZXR10(config-domain)#no domain-radius-account-server Deletes a domain accounting

server.
7. Configure a domain authentication server.
Command Function
ZXR10(config-domain)#domain-radius-authen-server Configures a domain

<server-id> authentication server.
ZXR10(config-domain)#no domain-radius-authen-server Deletes a domain authentication

server.
8. Configure the ISP name in a rule.
Command Function
ZXR10(config-nas)#aaa <rule-id> default-isp <isp-name>[ Configures the ISP name in a

default ] rule.
ZXR10(config-nas)#no aaa <rule-id> default-isp [<isp-name>] Deletes the ISP name in a

rule. If the domain name is
not configured, this command
deletes the default domain name
in a rule.
9. Configure the domain name delimiter in a rule.
Command Function
ZXR10(config-nas)#aaa < rule-id> domain-delimite < Configures the domain name

domaindelimiter> delimiter in a rule. The delimiter
can be @, /, %, # or other
characters.
ZXR10(config-nas)#no aaa < rule-id> domain-delimite Cancels the domain delimiter

configuration in a rule.
10.2.6 Configuring 802.1x VLAN Jumping

To configure the VLAN jumping function on an interface, use the following command.
Command Function
ZXR10(config-gei_1/x)#vlanjump {port-base| mac-base}{ Configures the VLAN jumping

enable| disable}[ defaultauthvlan < vlan-id>] function on an interface.
10-7

10.3 DOT1X Configuration Examples

10.3.1 DOT1X RADIUS Authentication Application
The workstation of a user is connected to the Ethernet A port of the Ethernet switch. See
Figure 10-1.
Figure 10-1 DOT1X RADIUS Authentication Application
DOT1X RADIUS authentication application requirements:

l Implement user access authentication on each port to control the access to the
Internet.
l Use the MAC address-based access control mode.
l All the AAA access users must belong to the default domain named zte163.net.
l Use RADIUS authentication mode.
l Disconnect the user if RADIUS accounting fails.
l A username does not include the ISP domain name.
l Connect a server group consisting of two RADIUS servers to the switch. The IP
addresses of the servers are 10.1.1.1 and 10.1.1.2. Use the server with the IP address
10.1.1.1 as the master authentication server and the slave accounting server. Use the
server with the IP address 10.1.1.2 as the slave authentication server and the master
accounting server.
l Set the encryption password to aaazte used for packet interaction between the
switch and the authentication RADIUS servers. If there is no response within five
seconds of the switchs sending a packet to the RADIUS server, set the switch to
retry the packet. Set the maximum number of retry attempts to five. Set the switch to
remove the user domain name from the username and then send it to the RADIUS
server.
Switch configuration:
ZXR10(config)#radius authentication-group 1
10-8

ZXR10(config-authgrp-1)#server 1 10.1.1.1 key aaazte port gei_1/1

ZXR10(config-authgrp-1)#server 2 10.1.1.2 key aaazte port gei_1/2
ZXR10(config-authgrp-1)#exit
ZXR10(config)#radius accounting-group 1
ZXR10(config-acctgrp-1)#server 1 10.1.1.2 key aaazte port gei_1/1
ZXR10(config-acctgrp-1)#exit
ZXR10(config)#nas
ZXR10(config-nas)#dot1x re-authentication enable period 5
ZXR10(config-nas)#dot1x max-request 5
ZXR10(config-nas)#create aaa 1 port gei_1/1
ZXR10(config-nas)#aaa 1 authentication radius
ZXR10(config-nas)#aaa 1 control dot1x enable
ZXR10(config-nas)#aaa 1 authorization auto
ZXR10(config-nas)#aaa 1 accounting enable
ZXR10(config-nas)#aaa 1 multiple-hosts enable
ZXR10(config-nas)#aaa 1 default-isp zte163.net
ZXR10(config-nas)#aaa 1 fullaccount disable
ZXR10(config-nas)#aaa 1 radius-server authentication 1
ZXR10(config-nas)#aaa 1 radius-server accounting 1
ZXR10(config-nas)#aaa 1 authen radius
10.3.2 DOT1X Relay Authentication Application

Figure 10-2 shows an enterprise intranet.
Figure 10-2 DOT1X Relay Authentication Application
Ensure that only hosts that can pass authentication can access the Internet, and other
hosts can only access enterprise intranet resources.
According to system requirements, do the following:

l Divide the the enterprise hosts into a subnet (or several subnets) where they can
access each other.
10-9

l Enable the 802.1X relay function on the Ethernet switch inside the subnet. Enable
802.1X authentication on the Ethernet port of the gateway on the subnet.
l Do not account users on the intranet. Authenticate users on the RADUIS server. The
IP addresses of the master and the slave authentication servers are 10.1.1.1 and
10.1.1.2, respectively.
The 2826E Ethernet switch is used on the intranet. The ZXR10 5900E series unit is used
as a gateway.
The ZXR10 5900E unit configuration is as follows:
ZXR10(config)#radius authentication-group 1
ZXR10(config-authgrp-1)#server 1 10.1.1.1 key aaazte port 1812
ZXR10(config-authgrp-1)#server 2 10.1.1.2 key aaazte port 1812
ZXR10(config-authgrp-1)#exit
ZXR10(config)#nas
ZXR10(config-nas)#aaa 1 authentication radius
ZXR10(config-nas)#aaa 1 accounting disable
ZXR10(config-nas)#aaa 1 radius-server authentication 1
10.3.3 DOT1X Local Authentication Application

When a user logs in to the network by the Dot1X client, only the MAC address of the
network card is checked. If the address is legal, the user can log in. This address is
numbered by the administrator. The user is accounted according to the number. The
ZXR10 5900E system can accomplish the application. Use the ZXR10 5900E system as
an authenticator system. The application configuration is as follows:
ZXR10(config-acctgrp-1)#exit
ZXR10(config)#nas
ZXR10(config-nas)#aaa 1 authentication local
ZXR10(config-nas)#aaa 1 accounting enable
ZXR10(config-nas)# aaa 1 radius-server accounting 1
10-10

ZXR10(config-nas)#create localuser 1 name A0001

ZXR10(config-nas)#localuser 1 mac 00d0.d0d0.1234
ZXR10(config-nas)#localuser 1 accounting enable
In the configuration, the ZXR10 5900E series unit provides the local authentication
function to meet the application requirements. According to the configuration, only users
whose MAC addresses are 00d0.d0d0.1234, 00d0.d0d0.1456 or 00d0.d0d0.1689 can be
accessed. The Internet access duration of the users, numbered as A0001, A0002 and
A0003, is accounted. The duration is recorded on the RADIUS server.
10.3.4 VLAN Jumping Function in DOT1X Local Authentication

The Guest VLAN function is on the basis of an interface. When a user is authenticated
successfully on an interface, the system switches the interface to the authentication VLAN.
Other users who are unauthenticated on this interface cannot access the internal resources
of the Guest VLAN. When all authenticated users on the interface are offline, the interface
can restore the attributes of the Guest VLAN. If one authentication user is on the interface,
it cannot restore the attributes of the Guest VLAN. This application can be implemented
on the ZXR10 5900E system, which works as an authenticator system. The configuration
is as follows.
ZXR10(config)#nas
ZXR10(config-nas)#aaa 1 authentication local
ZXR10(config-gei_1/1)#vlanjump port-base enable defaultauthvlan 20
In the above configuration, the system applies the local authentication function of the
ZXR10 5900E series unit to meet the application requirement.
10.4 DOT1X Maintenance and Diagnosis

ZXR10 5900E provides the following commands for DOT1X maintenance and diagnosis:
Command Function
ZXR10#show dot1x Displays Dot1x authentication

configuration information.
ZXR10#show aaa Displays AAA control entities.
ZXR10#show clients Displays online user information.
10-11

Command Function
ZXR10#show localuser Displays local user information.
ZXR10#debug nas Traces DOT1X packet transmitting

and receiving.
ZXR10#debug radius {all | exception | user <user name><domain Traces interaction with RADIUS.
name>|{authentication | accounting}{ data | error | event | packet
{<group number>| all }}}
10-12

Chapter 11
VBAS Configuration
Table of Contents
VBAS Overview........................................................................................................11-1
Configuring VBAS ....................................................................................................11-1
VBAS Configuration Example...................................................................................11-2
VBAS Maintenance and Diagnosis ...........................................................................11-3
11.1 VBAS Overview

Virtual Broadband Access Server (VBAS) is an extended inquiry protocol between an
IP-Digital Subscriber Line Access Multiplexer (DSLAM) device and a Broadband Remote
Access Server (BRAS) device.
The VBAS protocol operates through VBAS packet transmission between a BRAS device
and a DSLAM device.
11.2 Configuring VBAS

11.2.1 Enabling VBAS
To enable VBAS, use the following command:
Command Function
ZXR10(config)#vbas enable Enables VBAS.
11.2.2 Enabling VBAS in VLAN Mode

To enable VBAS in VLAN mode, perform the following steps:
Command Function
ZXR10(config)#vlan <vlan-id> Enters VLAN configuration mode.
ZXR10(config-vlanX)#vbas enable Enables VBAS in VLAN

configuration mode.
11.2.3 Configuring a VBAS Trust Interface

To configure a VBAS trust interface, perform the following steps:
11-1

Command Function

mode.
ZXR10(config-gei_1/x)#vbas trust Configures a VBAS trust interface.
11.2.4 Configuring a VBAS Port Type

To configure a VBAS port type, perform the following steps:
Command Function

mode.
ZXR10(config-gei_1/x)#vbas port-type {user|net} Sets a VBAS interface to a user

interface or a network interface.
11.3 VBAS Configuration Example

Enable the VBAS function on the switch. To be specific, set the VLAN to VLAN 1, gei_1/1
as a trust interface, and port type to net.
Note:
In this example, there should be at least two interfaces in VLAN1. One is connected to a
user and the other is connected to the BRAS device. Here gei_1/1 is connected the BRAS
device.
The following example shows how to configure VBAS on the ZXR10 5900E system.
Enable the VBAS function, enable VBAS in VLAN 1, set gei_1/1 to a trust interface and
set the port type to user.
ZXR10(config)#vbas enable
ZXR10(config-vlan1)#vbas enable
ZXR10(config-vlan1)#exit
ZXR10(config-gei_1/1)#vbas trust
ZXR10(config-gei_1/1)#vbas port-type net
11-2

Chapter 11 VBAS Configuration
11.4 VBAS Maintenance and Diagnosis

ZXR10 5900E provides the following command for VBAS maintenance and diagnosis:
Command Function
ZXR10#debug vbas Enables the VBAS debugging

function.
11-3

11-4

Chapter 12
ZESR/ZESR+ Configuration
Table of Contents
ZESR/ZESR+ Overview ...........................................................................................12-1
Configuring ZESR/ZESR+ ........................................................................................12-1
ZESR/ZESR+ Configuration Examples.....................................................................12-7
12.1 ZESR/ZESR+ Overview

ZTE Ethernet Switch Ring (ZESR) is an improvement based on the Ethernet Automatic
Protection Switching (EAPS) principle. It detects whether there is a ring and ensures that
there is only one logical path between any two nodes. It sets the state (Block or Forward)
according to the ring change and hands over the logic path quickly.
ZESR is applicable to multi-ring and multi-area networks. On a multi-ring network, each
level is an independent ring. There are two access points connected to a higher level
access ring on a low level access ring. Such a network topology is considered as an
independent ring. A tangent ring is not a part of this ring. Instead, it belongs to another
ring. The highest level ring is the major ring, and others are access rings. On a multi-area
network, there are many protection instances used for different service VLANs. Their logic
paths are different and they are independent.
ZESR+ is applicable to a dual-node, dual-uplink network. It is an improvement to ZESR
that provides redundancy protection for the uplinks and nodes at the same time.
12.2 Configuring ZESR/ZESR+

12.2.1 Configuring a Protection Instance in a ZESR Domain
To configure a protection instance in a ZESR domain, use the following command.
Command Function
ZXR10(config)#zesr ctrl-vlan <1-4094> protect-instance The <1-4094> parameter is the

<<0-16> control VLAN of the domain,
identifying a ZESR domain.
The <0-16> parameter is the
protected instance ID.
To configure a ZESR domain, first configure a protection instance. At most, the system
accepts four configured instances. Each domain is identified by a control VLAN.
12-1

A ZESR protection instance is the same as a Spanning Tree Protocol (STP) instance. The
service VLANs are in the protection instance. So, in general, STP should be enabled to
work with ZESR. The control VLAN should use a VLAN without service. The control VLAN
should not be the same as the service VLANs or network management VLANs. The Port
VLAN ID (PVID) of a port must not be the control VLAN. A port outside the ring must not
be added to the control VLAN.
Example
This example shows how to configure a protection instance in a ZESR domain whose
control VLAN is VLAN 4000.
ZXR10(config)#zesr ctrl-vlan 4000 protect-instance 1
12.2.2 Configuring ZESR on a Node on a Major Ring

To configure ZESR/ZESR+ on a node on a major ring, use the following command.
Command Function
ZXR10(config)#zesr ctrl-vlan < 1-4094> major-level { Configures ZESR on a node on a

preforward < 10-600>[ preup < 0-500>]| role { master | major ring.
transit| zess-master| zess-transit}< primary-interface-name><
secondary-interface-name>}
<1-4094> The control VLAN of the domain, identifying a ZESR domain
<1-600> Preforward value, in seconds. After a disconnected port is

reconnected without ZESR configuration, the port is automatically
enabled in the preforward time. The default is 10 s.
<0-500> Preup value, in seconds. Once the Master detects that the ring is
up, the status changes after preup time. The default value is 0.
master|transit|zess-master|zess-t The role of a node. The master|transit keyword means a ZESR

ransit master or transit node. The zess-master|zess-transit keyword
means a ZESR+ master or transit node.
The master|transit|zess-master|zess-transit keyword means the role of a node. The zess-m

aster|zess-transit keyword means a ZESR+ master or transit node.
Before the preforward and preup parameters are set, the role and port of the node must
be determined. The preup parameter can only be used by the master or zess-master node.
Before the interface is configured, it must be added to the control VLAN. The interface is
a Link Aggregation Control Protocol (LACP) interface. Ensure that STP is disabled on the
member interfaces.
12-2

Chapter 12 ZESR/ZESR+ Configuration
Because the secondary interface of a zess-master node determines the blocking location,
it must be on the uplink that is intended to be blocked. ZTE also recommends setting the
secondary interface of a zess-transit node on an uplink.
Example
1. This example shows how to configure a node whose control VLAN is 4000, whose role
is master, and whose interfaces are gei_2/10 and gei_2/20.
ZXR10(config)# zesr ctrl-vlan 4000 major-level role master gei_2/10 gei_2/20
2. This example shows how to configure a node whose control VLAN is 4000, whose role
is zess-master, and whose interfaces are gei_2/10 and gei_2/20.
ZXR10(config)# zesr ctrl-vlan 4000 major-level role zess-master gei_2/10
gei_2/20
3. This example shows how to configure the preforward and preup of a master whose
control VLAN is 4000 to 20 s and 10 s, respectively.
ZXR10(config)#zesr ctrl-vlan 4000 major-level preforward 20 preup 10
12.2.3 Configuring ZESR on a Node on an Access Ring

To configure ZESR on node on an access ring, use the following command.
Command Function
ZXR10(config-router)#zesr ctrl-vlan < 1-4094> level Configures ZESR on a node of an

< 1-2> seg < 1-10>{ preforward < 10-600>[ preup < access ring
0-500>]| role { master | transit}< primary-interface-name>< Run the no command to cancel
secondary-interface-name>|{ edge-assistant | edge-control}< ZESR on a node of an access ring.
edge-interface-name>}
<1-4094> The control VLAN of the domain (a ZESR domain)
<1-2> The level of an access ring
<1-10> The segment number on an access ring. At most there are four
access rings on a level.
<10-600> Preforward value, in seconds. After a disconnected port is

reconnected without ZESR configuration, the port is automatically
enabled in the preforward time. The default is 10 s.
<0-500> Preup value, in seconds. Once the Master detects that the ring is
up, the status changes after preup time. The default is 0.
<primary-interface-name><second Two interfaces on an access ring

ary-interface-name>
<edge-interface-name>} The interface of an access node
12-3

A ZXR10 5900E series unit can be at the intersection point of a major ring and an
access ring. At that time, it can be in on the major ring or on the access ring. There
are two interfaces on the major ring and there is one interface on the access ring. The
device is named an access node in such situation. The role of the access node can be
edge-assistant or edge-control on the access ring. The edge-control role equals to a
master role of a general node.
Example
1. This example shows how to configure an access ring node whose control VLAN is
4000, level is 1, seg is 1, role is master, and interface is fei_1/10 or fei_1/20.
ZXR10(config)#zesr ctrl-vlan 4000 level 1 seg 1 role master fei_1/10 fei_1/20
4000, whose role is edge-assistant, whose level is 1, whose seg is 1, and whose
interface is fei_1/10.
ZXR10(config)#zesr ctrl-vlan 4000 level 1 seg 1 role edge-assistant fei_1/10
4000, level is 1, seg is 1, preforward is 20s, and preup is 10s.
ZXR10(config)#zesr ctrl-vlan 4000 level 1 seg 1 preforward 20 preup 10
12.2.4 Configuring ZESR Restart-Time

To configure the ZESR restart time, use the following command:
Command Function
ZXR10(config)#zesr restart-time <30-600> Configures the ZESR restart time.

The unit is second. The default is
120 s.
Example
This example shows how to set the ZESR restart time to 60 s.
ZXR10(config)#zesr restart-time 60
12.2.5 Configuring ZESR Destination MAC Address

Command Function
ZXR10(config)#zesr protocol-mac {normal | special} Configures the destination

MAC address of a packet to
0x00e02b000004 in normal mode.
Configures the destination MAC
address of a packet to a ZTE
customized address in special
mode.
12-4

Example
This example shows how to configure the destination MAC address of ZESR in special
mode.
ZXR10(config)#zesr protocol-mac special
12.2.6 Configuring the Function of Sending TCN Packets in the

ZESR Domain
To enable or disable the energy-efficiency function of an interface, use the following
commands:
Command Function
ZXR10(config)#zesr ctrl-vlan <1-4094> tcn cancel-sending Control VLAN of the <1-4094>

domain, ID of the ZESR domain
ZXR10(config)#no zesr ctrl-vlan <1-4094> tcn cancel-sending Control VLAN of the <1-4094>
domain, ID of the ZESR domain
To configure the function of sending TCN packets in a ZESR domain, create the ZESR
domain first. The commands can be used to enable or disable the function of sending
TCN packets in a ZESR domain. By default, the function is enabled.
When the user runs the zesr ctrl-vlan <1-4094> tcn cancel-sending command, TCN packets
will not be sent in the ZESR domain. The configuration can be saved or restored.
Example
1. This example shows how to disable the function of sending TCN packets in the ZESR
domain with the VLAN ID of 100.
ZXR10(config)#zesr ctrl-vlan 100 tcn cancel-sending
2. This example shows how to enable the function of sending TCN packets in the ZESR
domain with the VLAN ID of 100.
ZXR10(config)#no zesr ctrl-vlan 100 tcn cancel-sending
12.2.7 Configuring the Function of Sending TCN Packets

To configure the function of sending TCN packets on the current interface, use the following
command:
Command Function
ZXR10(config-gei_3/1)#zesr tcn-sending {enable | disable} Configures the function of sending

TCN packets on the current
interface.
12-5

{enable | disable} enable refers to enabling the function of sending TCN

packets on the current interface. disable refers to disabling
the function of sending TCN packets on the current interface.
The default value is disable.
This command is not supported by smartgroup interfaces.

This command can be used to enable or disable the function of sending TCN packets
on the specified interface. The default value is disable. When the ZESR ring status is
changed and TCN packets are allowed to be sent in the instance to which the interface
belongs, the related TCN packets will be sent. The configuration can be saved or restored.
Example
1. This example shows how to disable the function of sending TCN packets on interface
gei_3/1.
ZXR10(config-gei_3/1)#zesr tcn-sending disable
2. This example shows how to enable the function of sending TCN packets on interface
gei_3/1.
ZXR10(config-fei_1/1)#zesr tcn-sending enable
12.2.8 Configuring the Interface Detection Mode

To enable or disable an interface to send Link-Hello packets, use the following command:
Command Function
ZXR10(config)#zesr link-hello <interface name>{normal | special} Enables or disables an interface to

send Link-Hello packets.
<interface name> Interface name
{ normal | special } normal refers to not sending Link-Hello packets. special

refers to sending Link-Hello packets. The default value is
normal.
Example
1. This example shows how to enable gei_1/1 to send Link-Hello packets.
ZXR10(config)#zesr link-hello gei_1/1 special
2. This example shows how to disable gei_1/1 to send Link-Hello packets.
ZXR10(config)#zesr link-hello gei_1/1 normal
12-6

12.2.9 Configuring Link-Hello Packet Parameters

To configure the interval of sending Link-Hello packets and the timeout time of receiving
Link-Hello packets, use the following command:
Command Function
ZXR10(config)#zesr link-hello hello-interval <100-10000> Configures the interval of sending

fail-times <3-10> Link-Hello packets and the timeout
time of receiving Link-Hello
packets.
Parameter description:
hello-interval Interval of sending Link-Hello packets, in the range of

100-10000. The unit is ms. The default value is 1000 ms.
fail-times Number of Link-Hello packets not received, in the range of

3-10. When the threshold is exceeded, it indicates that the
link is down. The default value is 5.
To validate the parameter, the Link-Hello detection mode of an interface must be set to
special. If hello-interval is configured to 500 ms and fail-times is configured to 5, the
timeout time is 2500 ms (500 ms x 5).
Example
This example shows how to configure the interval of sending Link-Hello packets to 500 ms
and the timeout times to 5.
ZXR10(config)#zesr link-hello hello-interval 500 fail-times 5
12.3 ZESR/ZESR+ Configuration Examples

12.3.1 ZESR Configuration Example
S1, S2, S3, and S4 form a ring network to transmit VLANs 100200 transparently. S1 is
the core Sitch and the exit of the network. S2, S3, and S4 are aggregation switches. It is
required that service cannot be affected when any link is down. See Figure 12-1.
12-7

Figure 12-1 ZESR Configuration Example
On S1, sg1 (fei_1/1, fei_1/2) is connected to S2, and sg2 (fei_1/3, fei_1/4) is connected to
S3.
On S2, fei_1/1 is connected to S3, fei_1/2 is connected to S4, and sg2 (fei_1/3, fei_1/4) is
connected to S1
On S3, fei_1/1 is connected to S2, fei_1/2 is connected to S4, and sg2 (fei_1/3, fei_1/4) is
connected to S1.
On S4, fei_1/1 is connected to S2, and fei_1/2 is connected to S3.
The network formed by S1, S2, and S3 is at the major level. S2 is the master node. The
port on S2 that is connected to S1 is the major port (sg1). The network formed by S2, S3,
and S4 is the secondary ring level 1 seg 1. S4 is the master node. The port on S4 that is
connected to S3 is a secondary interface (fei_1/2 of S4). The control VLAN is VLAN 4000.
S1 configuration:
ZXR10_S1(config)#spanning-tree enable
ZXR10_S1(config)#spanning-tree mst configuration
ZXR10_S1(config-mstp)#instance 1 vlan 100-200
ZXR10_S1(config-mstp)#exit
ZXR10_S1(config)#interface smartgroup1 /*Connect to S2*/

ZXR10_S1(config-smartgroup1)#Sitchport mode trunk
ZXR10_S1(config-smartgroup1)#smartgroup mode 802.3ad
ZXR10_S1(config-smartgroup1)#switchport trunk vlan 100-200
12-8

ZXR10_S1(config-smartgroup1)#switchport trunk vlan 4000

ZXR10_S1(config-smartgroup1)#exit
ZXR10_S1(config)#interface smartgroup2 /*Connect to S3*/

ZXR10_S1(config-smartgroup2)#switchport mode trunk
ZXR10_S1(config)#interface fei_1/1 /*Connect to S2*/

ZXR10_S1(config-fei_1/1)#switchport mode trunk
ZXR10_S1(config-fei_1/1)#switchport trunk vlan 100-200
ZXR10_S1(config-fei_1/1)#switchport trunk vlan 4000
ZXR10_S1(config-fei_1/1)#smartgroup 1 mode active /*Configure dynamic LACP*/
ZXR10_S1(config-fei_1/1)#exit



ZXR10_S1(config)#zesr ctrl-vlan 4000 protect-instance 1

ZXR10_S1(config)#zesr ctrl-vlan 4000 major-level role transit
smartgroup1 smartgroup2
S2 Configuration:
12-9

ZXR10_S2(config-mstp)#nstance 1 vlan 100-200

ZXR10_S2(config-mstp)#exit
ZXR10_S2(config)#interface smartgroup1
ZXR10_S2(config-smartgroup1)#switchport mode trunk



ZXR10_S2(config-fei_1/3)#negotiation auto
ZXR10_S2(config-fei_1/3)#smartgroup 1 mode active

ZXR10_S2(config-fei_1/4)#smartgroup 1 mode active

ZXR10_S2(config)#zesr ctrl-vlan 4000 major-level role transit smartgroup1 fei_1/1
ZXR10_S2(config)#zesr ctrl-vlan 4000 level 1 seg 1 role edge-assistant fei_1/2
S3 Configuration:
The configurations (such as the interface instance configuration) are the same as those
on SW2.
12-10


ZXR10_S3(config)#zesr ctrl-vlan 4000 major-level role transit smartgroup2 fei_1/1
ZXR10_S3(config)#zesr ctrl-vlan 4000 level 1 seg 1 role edge-assistant fei_1/2
S4 configuration:
on S2
ZXR10_S4(config)#zesr ctrl-vlan 4000 level 1 seg 1 role master fei_1/1 fei_1/2
12.3.2 ZESR and ZESR+ Hybrid Configuration Example

Figure 12-2 shows a typical ZESR+ and ZESR hybrid network. Nodes ZXR10-2 , ZXR10-3,
and ZXR10-1 form dual-node dual-uplink, that is, ZESR+. It also can be considered that
the three nodes form a major ring virtually. Nodes ZXR10-2, ZXR10-3, and ZXR10-4 form
a level 1 seg 1 secondary ring, that is, ZESR.
Figure 12-2 ZESR and ZESR+ Hybrid Configuration Example
ZXR101 configuration:
Node 1 is an ordinary switch, which is used for transparently transmitting packets. For
the switch, configure a VLAN and disable the function of broadcast/unknown unicast
suppression of the interface.
12-11

ZXR10_S1(config)#interface fei_1/1
//Connect to ZXR10-2
//Set the interface working mode to auto negotiation
//Set ZXR102 to a ZESR+ master node

ZXR10(config-mstp)#instance 1 vlan 100-200
ZXR10(config-mstp)#exit
ZXR10_S2(config-fei_2/1)switchport mode trunk
ZXR10_S2(config-fei_2/1)switchport trunk vlan 100-200
ZXR10_S2(config-fei_2/1)switchport trunk vlan 4000
ZXR10_S2(config-fei_2/1)exit
ZXR10_S2(config-fei_2/2)negotiation auto
ZXR10_S2(config-fei_2/3)negotiation auto
12-12


ZXR10_S2(config)#zesr ctrl-vlan 4000 major level role
zess-master fei_2/2 fei_2/1
//Set to a zess-master node
/*Note: The secondary interface determines the blocked location. So,
it cannot be configured on the interface of the link between ZXR10-2 and ZXR10-3.
If the secondary interface is configured on the interface of the link between
ZXR10-2 and ZXR10-3, a fault will occur.*/
ZXR10_S2(config)#zesr ctrl-vlan 4000 level 1 seg 1 role edge- assistant fei_2/3
//Configure a ZESR edge node
on ZXR102.
//Configure a ZESR+ tansit node

ZXR10 s3(config)#zesr ctrl-vlan 4000 major-level role zess-transit fei_3/2 fei_3/1
//Configure a zess-transit node
/*When the zess-transit role is configured, the primary interface determines the
direction of the Hello packets sent by the node. So, the primary interface
must be configured on the interface of the link between ZXR10-2 and ZXR10-3.
If the primary interface is not configured on the interface of the link between
ZXR10-2 and ZXR10-3, a configuration error will occur.*/
ZXR10 s3(config)#zesr ctrl-vlan 4000 level 1 seg 1 role edge-assistant fei_3/3
//Configure a ZESR edge node
on ZXR102.
//Configure a ZESR low-level master node

ZXR10_S4(config)#zesr ctrl-vlan 4000 level 1 seg 1 role master fei_4/2 fei_4/1
//Configure a ZESR master
12-13

12-14

Chapter 13
IPTV Configuration
Table of Contents
IPTV Overview .........................................................................................................13-1
Configuring IPTV ......................................................................................................13-1
IPTV Privilege Function Configuration Example........................................................13-6
IPTV Privilege Function Maintenance and Diagnosis................................................13-9
IPTV Configuration Examples.................................................................................13-10
IPTV Maintenance and Diagnosis........................................................................... 13-11
13.1 IPTV Overview

Internet Protocol Television (IPTV) is also called interactive network TV. It is a service
provided ISPs over broadband. Combining Internet, multimedia and communication
technologies, IPTV uses the IP broadband network to provide multiple interactive services
such as live TV, on-demand video, and Internet surfing. A user can use the IPTV service
through a PC or an IP Set Top Box (STB)-enabled TV set.
13.2 Configuring IPTV

13.2.1 Configuring IPTV Global Parameters
To configure IPTV global parameters, perform the following steps:
1. Set the minimum view time.
Command Function
ZXR10(config-nas)#iptv control login-time <1-65534> Sets the minimum view time.
2. Set the global maximum number of previews.
Command Function
ZXR10(config-nas)#iptv control prvcount count <0-65535> Sets the global maximum

number of previews.
3. Set the global minimum interval the time between previews.
13-1

Command Function
ZXR10(config-nas)#iptv control prvinterval <2-65535> Sets the global minimum interval

the time between previews.
4. Set the global maximum duration of previews.
Command Function
ZXR10(config-nas)#iptv control prvtime <2-65535> Sets the global maximum

duration of previews.
5. Set the global preview reset-period.
Command Function
ZXR10(config-nas)#iptv control prvcount reset-period Sets the global preview

<1-4294967295> reset-period.
6. Enable/disable the IPTV function.
Command Function
ZXR10(config-nas)#iptv control { enable | disable } Enables/disables the IPTV

function.
13.2.2 Configuring an IPTV Channel

To configure an IPTV channel, perform the following steps:
1. Create an IPTV channel.
Command Function
ZXR10(config)#create iptv channel [general <256>| special Creates an IPTV channel.

<0-255>]
The range of channel numbers is 0256. The numbers 0255 are for special channels,
and it is necessary to specify a multicast address for each channel. The number 256
is the general channel, and does not require a multicast address.
2. Set the name of a channel.
Command Function
ZXR10(config)#iptv channel <0-256> name <WORD> Sets the name of a channel.
3. Set the multicast VLAN to which a channel belongs.
13-2

Chapter 13 IPTV Configuration
Command Function
ZXR10(config)#iptv channel < 0-256> mvlan <1-4094> Sets the multicast VLAN to which
a channel belongs.
4. Delete a channel.
Command Function
ZXR10(config)#clear iptv channel<0-256> Deletes a channel.
13.2.3 Configuring an IPTV Channel Group

1. Create an IPTV channel group.
Command Function
ZXR10(config-nas)#create iptv channel-group <0127> Creates an IPTV channel group.
2. Set a channel name.
Command Function
ZXR10(config-nas)#iptv channel-group <0-127> name Sets the name of a channel

<WORD> group.
3. Set the multicast VLAN to which a channel group belongs.
Command Function
group < 0-127> mvlan

ZXR10(config-nas)#iptv channel Sets the multicast VLAN to which
<1-4094> a channel group belongs.
4. Delete a channel group.
Command Function
ZXR10(config-nas)#clear iptv channel-group <0-127> Deletes a channel group.
13.2.4 Configuring CAC

To configure Channel Access Control (CAC), perform the following steps:
1. Create a CAC rule.
Command Function
ZXR10(config)#create iptv cac-rule<1-256> Creates a CAC rule.
2. Set the name of a CAC rule.
13-3

Command Function
ZXR10(config)#iptv cac-rule < 1-256> name <WORD> Sets the name of a CAC rule.
3. Set the maximum number of previews of a rule.
Command Function
ZXR10(config)#iptv cac-rule < 1-256> prvcount <0-65535> Sets the maximum number of
previews of a rule. By default,
the value is the global maximum
number of previews.
4. Set the maximum duration of previews of a rule.
Command Function
ZXR10(config)#iptv cac-rule < 1-256> prvtime <2-65535> Set the maximum duration of
the value is the global maximum
duration.
5. Set the minimum intervals of previews of a rule.
Command Function
ZXR10(config)#iptv cac-rule < 1-256> prvinterval <2-65535> Sets the minimum intervals of
the value is the global minimum
intervals of previews.
6. Applies a rule to a channel.
Command Function
ZXR10(config)#iptv cac-rule < 1-256> right {order| Applies a rule to a channel.

preview|query}<0-256>
7. Configure the right of a rule to a channel group.
Command Function
ZXR10(config-nas)#iptv cac-rule <1-256> right Configures the right of a rule to a

{order|preview|query} channel-group <0-127> channel group.
8. Delete a rule.
Command Function
ZXR10(config)#clear iptv cac-rule <1-256> Deletes a rule.
13-4

13.2.5 Managing the IPTV Users

To manage the IPTV users, use the following commands:
Command Function
ZXR10(config)#clear iptv client Closes the connections of online

IPTV users.
13.2.6 Enabling or Disabling the IPTV Privilege Function Globally

To enable or disable the IPTV privilege function globally, use the following command:
Command Function
ZXR10(config-nas)#iptv privilege {enable | disable} Enables or disables the IPTV

privilege function globally.
Instructions:
Enable the IPTV function before enabling the privilege function. Otherwise, the system
prompts an error.
13.2.7 Configuring Default Source VLAN of the IPTV Privilege

Function
To configure the source VLAN, use the following command:
Command Function
ZXR10(config-nas)#iptv privilege mvlan <1-4094> Configures the default source

VLAN of the IPTV privilege
function.
Instructions:
Enable the IPTV privilege function before running the command. Otherwise, the system
prompts an error.
13.2.8 Creating or Deleting an IPTV Privilege Rule

To create or delete an IPTV privilege rule, use the following commands:
13-5

Command Function
ZXR10(config-nas)#create iptv privilege-rule <rule-id>{[port Creates an IPTV privilege rule.

<port-name>]|[vlan <vlan-id>]|[port <port name> vlan <vlan-id>]} For the parameters following the
command, users can use a single
parameter or a combination of
them, for example, port, VLAN,
or port+VLAN. However, the rule
cannot be null.
ZXR10(config-nas)#clear iptv privilege-rule <rule-list> Deletes an IPTV privilege rule

from the rule-list.
Instructions:
It is unnecessary to enable the IPTV privilege function before a privilege rule is created or
deleted. However, the rule will not be validated before the privilege function is enabled.
13.3 IPTV Privilege Function Configuration Example

Figure 13-1 shows that two switches form a simple ZESR ring network. The control VLAN
is 4000, the protection VLAN is 10, the primary node is R1, and the transport node is R2.
Each switch is configured with the IPTV function and IPTV privilege function, and the ports
on the ring are configured with the privilege rights. Therefore, the VOD function can be
implemented without channel configuration or CAC rule configuration. If the broadcast
source belongs to VLAN 1 and the user belongs to VLAN 2, implement the VOD function
by using the devices on the ring.
13-6

Figure 13-1 IPTV Privilege Function Configuration Example
R1 configuration:
ZXR10(config)#vlan 10 //Protection VLAN
ZXR10(config)#vlan 4000 //Control VLAN
ZXR10(config-gei_1/1)#switchport mode trunk
ZXR10(config-gei_1/1)#switchport trunk vlan 10
13-7


ZXR10(config)#spanning-tree enable
ZXR10(config)#spanning-tree mst configuration
ZXR10(config-mstp)#instance 1 vlans 10
ZXR10(config)#zesr ctrl-vlan 4000 major-level role master gei_1/1 gei_1/2
ZXR10(config)#interface gei_1/3 //Interface connected to the multicast source
ZXR10(config-gei_1/3)#switchport access vlan 1
ZXR10(config)#nas
ZXR10(config-nas)#iptv control enable
ZXR10(config-nas)#iptv privilege enable
ZXR10(config-nas)#iptv privilege mvlan 1
ZXR10(config-nas)#create iptv privilege-rule 1 port gei_1/1
ZXR10(config-nas)#exit
ZXR10(config)#ip igmp snooping querier //Querier configuration
ZXR10(config-vlan2)#igmp snooping querier
R2 configuration:
ZXR10(config)#vlan 10 //Protection VLAN
ZXR10(config)#vlan 4000 //Control VLAN
ZXR10(config)#spanning-tree enable
ZXR10(config)#spanning-tree mst configuration
ZXR10(config-mstp)#instance 1 vlans 10
ZXR10(config)#zesr ctrl-vlan 4000 major-level role transit gei_1/1 gei_1/2
ZXR10(config)#interface gei_1/3 //Interface connected to the VOD user
ZXR10(config-gei_1/3)#switchport access vlan 2
13-8

ZXR10(config)#nas
ZXR10(config-nas)#exit
ZXR10(config-nas)#iptv privilege enable
ZXR10(config-nas)#iptv privilege mvlan 10
//Privilege right assigned for the interface on the ring
//Privilege right assigned for the interface on the ring
//The following command is used to assign privilege rights for the user interface.
CAC rules or channels can also be configured for the user port.
ZXR10(config)#ip igmp snooping querier //Querier configuration
ZXR10(config-vlan2)#igmp snooping querier
After the configuration is complete, the user can play any channel on gei_1/3 of R2.
13.4 IPTV Privilege Function Maintenance and

Diagnosis
1. Show the global configuration of the IPTV privilege function.
Command descriptions:
Command Function
ZXR10#show iptv privilege control Shows the global configuration

of the IPTV privilege function.
Instructions:
The configuration includes the enable status of the privilege function and the VLAN ID
of the privilege source. If the source VLAN is not configured, the related field shows
"Unspecified".
2. Show the IPTV privilege rule table.
Command Function
ZXR10#show iptv privilege rule Shows the statistics and rules in

the IPTV privilege rule table.
Instructions:
The configuration includes the maximum number of rules, number of current rules,
number of historical rules, and details of current rules.
13-9

3. Show the information of online IPTV privilege users.

Command Function
ZXR10#show iptv privilege user Show the information of online

IPTV privilege users and the
related statistics.
Instructions:
The configuration includes the maximum number of users supported by the privilege
module, number of current online users, number of historical online users, and details
of current online users.
To check whether IGMP packets can pass the privilege module on the switch
configured with the IPTV privilege function, use the debug ip igmp-snooping command.
13.5 IPTV Configuration Examples

l The user connected to gei_1/1 is a subscriber of the multicast group 224.1.1.1. The
VLAN ID of this multicast group is 100. The configuration is shown below:
ZXR10(config-nas)#create iptv channel special 1 address 224.1.1.1
ZXR10(config-nas)#iptv channel 1 mvlan 100
ZXR10(config-nas)#iptv channel 1 name cctv1
ZXR10(config-nas)#create iptv cac-rule 1 port gei_1/1
ZXR10(config-nas)#iptv cac-rule 1 right order 1
l The user connected to gei_1/1 in VLAN 1 is a preview user of the multicast group
224.1.1.1. The maximum preview duration is 2 minutes. The minimum preview
interval is 20 seconds. The maximum number of previews is 10. The multicast group
is in VLAN 100. The configuration is shown below:
ZXR10(config-nas)#iptv channel 1 name cctv1
ZXR10(config-nas)#create iptv cac-rule 1 port gei_1/1 vlan 1
ZXR10(config-nas)#iptv cac-rule 1 prvcount 10
ZXR10(config-nas)#iptv cac-rule 1 prvtime 120
ZXR10(config-nas)#iptv cac-rule 1 prvinterval 20
ZXR10(config-nas)#iptv cac-rule 1 right preview 1
l The user connected to gei_1/1 can view all multicast groups in VLAN 100. The
configuration is shown below:
ZXR10(config-nas)#create iptv channel general 256
13-10

ZXR10(config-nas)#iptv cac-rule 1 right order 256

l Port gei_1/1 only permits receiving the querying packets from the multicast group
224.1.1.1. The multicast group is in VLAN 100. The configuration is shown below:
ZXR10(config-nas)#iptv cac-rule 1 right query 1
13.6 IPTV Maintenance and Diagnosis

The ZXR10 5900E system provides the following commands for IPTV maintenance and
diagnosis:
Command Function
ZXR10(config)#show iptv control Displays global IPTV configuration

information
ZXR10(config)#show iptv channel [{ id <channelno>| Displays IPTV channel information

name<channel-name>}]
ZXR10(config)#show iptv channel-group [{ id <channel-group-no>| Shows IPTV channel group

name<channel-group-name>}] information.
ZXR10(config)#show iptv cac-rule [{ id <channelno>| Displays a CAC rule

name<channel-name>}]
ZXR10(config)#show iptv client [{port<portno>| vlan <vlanid>| Displays the online IPTV users
device <devno>}]
13-11

13-12

Chapter 14
Network Management
Configuration
Table of Contents
NTP Configuration....................................................................................................14-1
RADIUS Configuration .............................................................................................14-3
SNMP Configuration.................................................................................................14-6
RMON Configuration ................................................................................................14-9
SysLog Configuration .............................................................................................14-12
TACACS+ Configuration.........................................................................................14-15
14.1 NTP Configuration

14.1.1 NTP Overview
Network Time Protocol (NTP) is a protocol used to synchronize the clocks of different
network members. NTP transmission is on the basis of UDP. The devices adjust their
system clocks by interacting with NTP messages, thus ensuring clock consistency. The
ZXR10 5900E series unit can work as an NTP client. It supports a maximum of five NTP
servers.
14.1.2 Configuring NTP

To configure NTP, perform the following steps:
1. Define an NTP server.
Command Function
ZXR10(config)#ntp server <ip-address> priority <1-5> { [ Defines an NTP server. The

version <number>] [ key <number>] | [lock | unlock ] } priority must be configured.
The priorities of the servers
are different. The range of the
priority is 15. The range of
the version parameter is 13.
The default version is 3. The
key parameter is valid when
authentication is enabled. The
14-1

Command Function
lock and unlock keywords mean

whether to lock the server.
ZXR10(config)#ntp server {< ip-address>| mng< ip-address>| Configures an NTP server. To

vrf< ip-address>} priority < 1-5>{[ version < number>]|[ key be specific, configure the server
< number>]|[ lock | unlock ]} address by an ordinary service
port. This operation is optional.
(Optional) Select a management
network port to implement the
NTP service.
(Optional) Configure the NTP
service by the VRF.
priority must be configured.
The priorities of the servers are
different and in the range of 1-5.
version refers to the version
number, which is optional and
in the range of 1-3. The default
value is 3.
key is optional and is valid when
the authentication is enabled.
lock and unlock are optional and
determine whether the server is
locked.
2. Enable the NTP function.
Command Function
ZXR10(config)#ntp enable Enables the NTP function.
3. Set the source address used by NTP to send a time synchronization request.
Command Function
ZXR10(config)#ntp source <ip-address> Sets the source address

used by NTP to send a time
synchronization request.
4. Set a time zone.
Command Function
ZXR10(config)#clock timezone <timezone-name><hours Sets a time zone.

offset>[<minutes offset>]
5. Display the NTP operation state.
14-2

Chapter 14 Network Management Configuration
Command Function
ZXR10(config)#show ntp status Displays the NTP operation

state.
14.1.3 NTP Configuration Example

ZXR10 works as an NTP client. The NTP protocol version is 2. See Figure 14-1.
Figure 14-1 NTP Configuration Example
ZXR10(config)#interface vlan24
ZXR10(config)#ntp enable
ZXR10(config)#ntp server 192.168.2.1 version 2
14.2 RADIUS Configuration

14.2.1 RADIUS Overview
RADIUS is a standard AAA protocol. For the ZXR10 5900E series unit, AAA is used to
prevent unauthorized access to the system by authenticating users accessing the device.
This improves device security.
ZXR10 5900E series units support the RADIUS authentication function. The function
provides authentication and authentication functions for Telnet users accessing the
device.
ZXR10 5900E series units support several RADIUS server groups. In each RADIUS group,
there are at most three authentication servers.
14-3

14.2.2 Configuring Radius

To configure Radius, perform the following steps:
1. Create a Radius accounting group.
Command Function
ZXR10(config)#radius accounting-group <group-number> Creates a Radius accounting

group
2. Create a Radius authentication group.
Command Function
ZXR10(config)#radius authentication-group <group-number> Creates a Radius authentication

group.
3. Configure the Radius parameters.
Command Function
ZXR10(config)#radius nas-id <string> Configures the NAS-ID character

string. The length is in the range
of 1-32. The default value is
ZXR10.
ZXR10(config-authgrp-1)#timeout <timeout> Configures the time-out period.
ZXR10(config-authgrp-1)#algorithm {first|round-robin} Configures the algorithm to

choose a Radius server.
ZXR10(config-authgrp-1)#alias <name-str> Configures an alias for a Radius

server group.
ZXR10(config-authgrp-1)#deadtime <time> Configures the dead time of an

authentication server.
ZXR10(config-authgrp-1)#max-retries <times> Configures the maximum

number of retries after a time-out
period for a Radius server.
ZXR10(config-authgrp-1)#nas-ip-address < NAS IP address> Configures the nas-ip of a

Radius server. This address
corresponds to the nas-ip field
and the source IP address of a
protocol packet.
ZXR10(config-authgrp-1)#server <server num>< Configures a Radius server and

ipaddress>[master] key < keystr>[port < port num>] its parameters.
14-4

Command Function
ZXR10(config-authgrp-1)#user-name-format Configures the format of a

{include-domain|strip-domain} username that a Broadband
Remote Access Server (BRAS)
sends to a Radius server.
ZXR10(config-authgrp-1)#vendor {enable|disable} Enables/disables the vendor

attribute in Radius protocol
messages.
4. Maintain and diagnose Radius parameters.
Command Function
ZXR10#debug radius {all | exception | user <user name><domain Shows the Radius debug
name>|{authentication | accounting}{ data | error | event | information.
packet {<group number>| all }}}
ZXR10#show counter radius { accounting-group Shows the statistic information.

<group-number>| authentication-group <group-number>| all}
ZXR10#show accounting local-buffer { group <group-number>{[ Shows the accounting packets

head <count>]|[ index <index number><count>]|[tail cached locally.
<count>]}| name <radius-name>| session <session-id>| user
<user-name>| sum| all}
ZXR10#clear accounting local-buffer {< group number>| all} Clears the accounting packets
cached locally.
ZXR10#show configuration radius {all | auto-change | nas-id} Shows the Radius configuration.
all: shows the configuration of
Radius authentication group and
accounting group.
auto-change: shows the Radius
auto-change configuration.
nas-id: shows the Radius
NAS-ID configuration.
14.2.3 RADIUS Configuration Example

The way to configure an accounting server group is the same as that to configure an
authentication server group. The following example shows how to configure an accounting
server group.
ZXR10(config-acct-group-1)#algorithm round-robin
ZXR10(config-acct-group-1)#calling-station-format 2
ZXR10(config-acct-group-1)#deadtime 5
14-5

ZXR10(config-acct-group-1)#local-buffer enable
ZXR10(config-acct-group-1)#max-retries 5
ZXR10(config-acct-group-1)#nas-ip-address 10.1.1.4
ZXR10(config-acct-group-1)#server 1 10.2.1.3 key uas
ZXR10(config-acct-group-1)#server 2 12.1.2.3 key uas
ZXR10(config-acct-group-1)#timeout 10
14.3 SNMP Configuration

14.3.1 SNMP Overview
At present, SNMP is the most widely used NM protocol. An NM server can manage all the
devices on a network through SNMP.
SNMP applies the management based on a server and a client. A background NM server
serves as an SNMP server and foreground network device serves as an SNMP client.
The SNMP server and client share one MIB and communicate through SNMP. When the
ZXR10 5900E series unit works as an SNMP agent, the user must specify an SNMP server,
define the right to collect information, and range of information allowed to be collected.
14.3.2 Configuring SNMP

To configure SNMP, perform the following steps:
1. Set an SNMP packet community.
Command Function
ZXR10(config)#snmp-server community <community-name Sets an SNMP packet

>[view <view-name>][ro|rw] community.
SNMPv1/v2c uses the community authentication mode. An SNMP community is

named by a string. Different communities have read-only or read-write access
privileges. A community with read-only privilege can only query device information. A
community with read-write privilege can configure the device.
Both read-only and read-write privileges are limited by view. The system only allows
operations in the permitted view range. If the view parameter is not configured, the
system uses the default view. If the right (ro/rw) is not configured, the default right (ro)
will be used.
2. Define an SNMPv2 view.
Command Function
ZXR10(config)#snmp-server view <view-name><subtree-id>{i Defines an SNMPv2 view.

ncluded|excluded}
3. Set the contract (sysContact) of an MIB object.
14-6

Command Function
ZXR10(config)#snmp-server contact <mib-syscontact-text> Sets the contract (sysContact) of

an MIB object.
SysContact is a management variable of the system group in MIB II. It records the ID
and contact mode of the related personnel who manage the device.
4. Set the location (SysLocation) of an MIB object.
Command Function
ZXR10(config)#snmp-server location <mib-syslocation-text> Sets the location (SysLocation)

of an MIB object.
SysLocation is a management variable of the system group in MIB II. It is used to

indicate the location of the managed device.
5. Set the types of TRAP that can be sent.
Command Function
ZXR10(config)#snmp-server enable trap [<notification-type>] Sets the types of TRAP that can
be sent.
TRAP is a type of information sent by the managed device to the NM server without
requests. It is used to report emergent events.
6. Set a TRAP destination host.
Command Function
ZXR10(config)#snmp-server host [ mng|vrf <vpn name>]< Sets a TRAP destination host.

ip-address>{ trap| inform} version {{{ 1| 2c}<community-name>}|
3 { auth| noauth| priv}<user name>}[ udp-port < udp-port>][
< trap-type>]
ZXR10 5900E supports five types of traps: SNMP, BGP, Open Shortest Path First
(OSPF), RMON, and stalarm.
7. Use an ACL to control the host that can access the system through SNMP.
Command Function
ZXR10(config)#snmp-server access-list <acl-number> Uses an ACL to control the host

that can access the system
through SNMP
8. Define the name of an SNMP context.
14-7

Command Function
ZXR10(config)#snmp-server context < context name > Defines the name of an SNMP
context.
9. Set a local engine ID of SNMPv3.
Command Function
ZXR10(config)#snmp-server engine-id <engine-id> Sets a local engine ID of

SNMPv3.
10. Configure a user security mode group.
Command Function
ZXR10(config)#snmp-server group <groupname> Configure a user security mode

v3 {auth|noauth|priv}[context <context-name> group.
match-prefix|match-exact ][read <readview>][write
<writeview>][notify <notifyview>]
11. Set the maximum size of SNMP packets.
Command Function
ZXR10(config)#snmp-server packetsize <484-8192> Sets the maximum size of SNMP

packets.
12. Configure a TRAP source.
Command Function
ZXR10(config)#snmp-server trap-source <IP address> Configures a TRAP source.
13. Configure a user who is allowed to access the SNMP engine.
Command Function
ZXR10(config)#snmp-server user <username><groupname> Configures a user who is allowed

v3 [encrypted][auth {md5|sha}<auth-password>[priv des56 to access the SNMP engine.
<priv-password>]]
14. Display SNMP-related information.
Command Function
ZXR10(config)#show snmp Displays SNMP-related

information.
15. Display SNMP configuration information.
14-8

Command Function
ZXR10(config)#show snmp config Displays SNMP configuration

information.
16. Display the SNMPv3 users.
Command Function
ZXR10(config)#show snmp user Displays the SNMPv3 users.
17. Display the information of SNMPv3 group, use the following command.
Command Function
ZXR10(config)#show snmp group Displays the information of

SNMPv3 group.
18. Display an SNMP engine ID.
Command Function
ZXR10(config)#show snmp engine-id Displays an SNMP engine ID.
14.3.3 SNMP Configuration Example

The following example shows how to configure SNMP:
ZXR10(config)#snmp-server view myViewName 1.3.6.1.2.1 included
ZXR10(config)#snmp-server community myCommunity view myViewName rw
ZXR10(config)#snmp-server host 168.1.1.1 trap version 1 myCommunity ospf
ZXR10(config)#snmp-server location this is ZXR10 in china
ZXR10(config)#snmp-server contact this is ZXR10, tel: (025)2872006
14.4 RMON Configuration

14.4.1 RMON Overview
Remote Monitoring (RMON) is used to monitor remote services on a network. A remote
detector (ZXR10 5900E) completes data collection and processing through RMON. The
ZXR10 5900E system provides RMON agent software that communicates with the NM
system through SNMP. When necessary, information is sent from ZXR10 5900E to the
NM system.
14.4.2 Configuring RMON

To configure RMON, perform the following steps:
14-9

1. Enable the statistics function on an interface (only for Ethernet).
Command Function
ZXR10(config-gei_1/x)#rmon collection statistics Enables the statistics function on

<index>[owner <string>] an interface (only for Ethernet).
2. Set an alarm and an MIB object.
Command Function
ZXR10(config)#rmon alarm <index><variable><interval Sets an alarm and an MIB object.

>{delta|absolute} rising-thershold <value>[<event-index>]
falling-threshold <value>[<event-index>][owner <string>]
3. Enable the historical information collection function on an interface.
Command Function
ZXR10(config-gei_1/x)#rmon collection history Enables the historical information

<index>[owner <string>][buckets <bucket-number>][interval collection function on an
<seconds>] interface.
4. Configure an event.
Command Function
ZXR10(config)#rmon event <index>[log][trap Configures an event.

<community>][description <string>][owner <string>]
5. Display the RMON configuration and related information.
Command Function
ZXR10(config)#show rmon [alarms][events][history][statistics] Displays the RMON configuration

and related information.
14.4.3 RMON Configuration Examples

l This example shows how to configure and enable the RMON statistics control entities.
ZXR10(config-gei_1/1)#rmon collection statistics 1 owner rmontest
ZXR10(config-gei_1/1)#
Assume that there are several computers connected to gei_1/1. When these
computers communicate on the subnet, traffic statistics data can be viewed through
the NM system. RMON statistics information also can be viewed with the show rmon
statistics command, as shown below.
ZXR10#show rmon statistics
14-10

EtherStatsEntry 1 is active, and owned by rmontest

Monitors ifEntry.1.1 which has
Received 60739740 octets, 201157 packets,
1721 broadcast and 9185 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 32 collisions.
# of dropped packet events (due to lack of resources): 511
# of packets received of length (in octets):
64: 92955, 65-127: 14204, 128-255: 1116,
256-511: 4479, 512-1023: 85856, 1024-1518:2547
ZXR10#
l This example shows how to configure and enable the RMON historical control entities.
ZXR10(config-gei_1/1)#rmon collection history 1 bucket 10 interval 10 owner
rmontest
ZXR10(config-gei_1/1)#
RMON historical information can be viewed with the show rmon history command, as
shown below.
ZXR10#show rmon history
Entry 1 is active, and owned by rmontest
Monitors ifEntry.1.1 every 10 seconds
Requested # of time intervals, ie buckets, is 10
Granted # of time intervals, ie buckets, is 10
Sample # 1 began measuring at 00:11:00
Received 38346 octets, 216 packets,
0 broadcast and 80 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions.
# of dropped packet events is 0
Network utilization is estimated at 1
l This example shows how to configure and enable the RMON alarm control entities.
ZXR10(config)#rmon alarm 1 system.3.0 10 absolute rising-threshold 1000 1
Falling-threshold 10 1 owner rmontest
ZXR10(config)#
RMON alarm information can be viewed with the show rmon alarm command, as
shown below.
ZXR10#show rmon alarm
Alarm 1 is active, owned by rmontest
Monitors system.3.0 every 10 seconds
Taking absolute samples, last value was 54000
Rising threshold is 1000, assigned to event 1
14-11

Falling threshold is 10, assigned to event 1

On startup enable rising or falling alarm
ZXR10#
l This example shows how to configure and enable the event function.
ZXR10(config)#rmon event 1 log trap rmontrap
description test owner rmontest
ZXR10(config)#
Configure an alarm control entity. After 10 seconds, RMON events can be viewed
with the show rmon event command, as shown below.
ZXR10#show rmon event
Event 1 is active, owned by rmontest
Description is test
Event firing causes log and trap to community/user rmontrap, last fired 0w0d, 05:40:20
last fired 05:40:20
Current log entries:
index time description
1 05:40:14 test
ZXR10#
14.5 SysLog Configuration

14.5.1 SysLog Overview
The ZXR10 5900E system provides users with the log information setting and query
functions. Log information facilitates routine maintenance. Alarm information and port
state changes can be viewed through log information. Log information can be displayed
on a configuration terminal in real time, or be saved to a file on the ZXR10 5900E series
unit or a background log server. The Syslog protocol can be enabled on the ZXR10
5900E series unit so that the device can communicate with the background Syslog server
to transmit log information.
14.5.2 Configuring SysLog

To configure Syslog, perform the following steps:
1. Enable the log function.
Command Function
ZXR10(config)#logging on Enables the log function.
2. Set the log buffer size.
Command Function
ZXR10(config)#logging buffer <buffer-size> Sets the log buffer size.
14-12

3. Set the log clearing mode.
Command Function
ZXR10(config)#logging mode <mode>[<interval>] Sets the log clearing mode.
4. Set the level of the logs displayed on the console interface or a TELNET interface.
Command Function
ZXR10(config)#logging console <level>[filter map-name] Sets the level of the logs

displayed on the console
interface or a TELNET interface.
5. Set the level of the logs saved in the log buffer.
Command Function
ZXR10(config)#logging level <level> Sets the level of the logs saved

in the log buffer.
6. Set the parameters of a background FTP log server.
Command Function
ZXR10(config)#logging ftp <level>[mng]<ftp-server><userna Sets the parameters of a

me><password>[<filename>] background FTP log server.
7. Set the parameters used for sending alarm information to a trap server.
Command Function
ZXR10(config)#logging trap-enable <level>[ filter Sets the parameters used for

<map-name>] sending alarm information to a
trap server.
8. Set the parameters that are used for packaging information in the alarm buffer to a file
and sending it to an FTP server.
Command Function
ZXR10(config)#syslog-server host < ip-address>[ fport < Sets the parameters that are
fport>][ lport < lport>][ alarmlog level <level>][ cmdlog][ used for packaging information
debugmsg] in the alarm buffer to a file and
sending it to an FTP server.
9. Set the parameters of a background Syslog server.
Command Function
ZXR10(config)#syslog-server host <ip-address>[fport Sets the parameters of a

<fport>][lport <lport>][ alarmlog| alarmlog| alarmlog] background Syslog server.
14-13

10. Display log information.
Command Function
ZXR10(config)#show logging alarm {[typeid Displays log information.

<type>][start-date <date>][end-date <date>][level
<level>]}
At present, the following types of alarm information are supported:

l ENVIROMENT
l BOARD
l PORT
l ROS
l DATABASE
l SECURITY
l OAM
l OSPF
l RIP
l BGP
l DRP
l TCP-UDP
l IP
l IGMP
l TELNET
l ARP
l IS-IS
l ICMP
l SNMP
l RMON
11. Save alarm log information to flash:/data/log.dat.
Command Function
ZXR10#write logging Saves alarm log information to

flash:/data/log.dat.
14.5.3 Syslog Configuration Example

The following example shows how to configure the Syslog function. The user must first
enable the log function with the logging on command.
ZXR10(config)#logging on
ZXR10(config)#logging buffer 100
ZXR10(config)#logging mode FULLCLEAR
ZXR10(config)#logging console warnings
ZXR10(config)#logging level errors
14-14

ZXR10(config)#logging ftp notificational 168.1.70.100 target target zxralarm.log

ZXR10(config)# syslog-server host 192.168.0.100
14.6 TACACS+ Configuration

14.6.1 TACACS+ Overview
Terminal Access Controller Access-Control System Plus (TACACS+) is the most popular
AAA protocol. TACACS+ supports independent authentication, authorization, and
accounting. It allows different TACACS+ security servers to work as the authentication,
authorization and accounting servers, respectively.
On the ZXROS platform, it is necessary to implement AAA functions for Point to Point
Protocol (PPP) users and TELNET users that use the system service. The TACACS+
protocol can solve this problem. TACACS+ provides centralized security authentication,
authorization, and accounting functions for the users.
The TACACS+ software module on the ZXROS platform is client software of TACACS+
authentication. It accomplishes protocol interaction between a Network Access Server
(NAS) and a TACACS+ security server to provide the TACACS+ AAA function.
At present, ZXR10 5900E supports the TACACS+ authentication function to provide
authentication for the TELNET users accessing the device.
ZXR10 5900E supports multiple TACACS+ server groups. In each TACACS+ group, there
are at most four authentication servers.
14.6.2 Configuring TACACS+

To configure TACACS+, perform the following steps:
1. Enable the TACACS+ function.
Command Function
ZXR10(config)#tacacs enable Enables the TACACS+ function.
2. Disable the TACACS+ function.
Command Function
ZXR10(config)#tacacs disable [clear] Disables the TACACS+ function.
3. Configure a member in a TACACS+ server group.
Command Function
ZXR10(config-sg)#server <ip-addr>[port <102565535>] Configures a member in a

TACACS+ server group.
14-15

<ip-addr> The configured IP address of a TACACS+ server
<102565535> The port number of a TCP connection.
4. Configure the IP address of a TACACS+ client.
Command Function
ZXR10(config)#tacacs-client <ip-addr>[port <102565535>] Configures the IP address of a

TACACS+ client.
<ip-addr> The IP address of a client
<102565535> The Layer 4 port of a client
5. Configure the parameters of a TACACS+ server.
Command Function
ZXR10(config)#tacacs-server host <ip-addr>[port Configures the parameters of a

<integer>][timeout <integer>][key <string>] TACACS+ server.
<ip-addr> The IP address of a TACACS+ server
port The port number of a TCP connection. The default value is 49.
timeout Connection time-out period, in the range of 11000. The unit is

seconds. This configuration will make the global configuration
invalid.
key The key between an NAS and a TACACS+ server. This

configuration makes the global configuration invalid.
6. Configure a global TACACS+ key.
Command Function
ZXR10(config)#tacacs-server key <key> Configures a global TACACS+

key. This key is valid for all
servers without a specified key.
14-16

<key> The key used for interacting with messages between an NAS
and a server, with 163 characters (no spaces). The key
defined on the server must be the same as this one.
7. Configure the maximum length of TACACS+ packets.
Command Function
ZXR10(config)#tacacs-server packet <1024-4096> Configures the maximum length

of TACACS+ packets. The
default length is 1024 bytes.
8. Configure the connection time-out period of a TACACS+ server.
Command Function
ZXR10(config)#tacacs-server timeout <1-1000> Configures the connection

time-out period of a TACACS+
server. The range of the period
is 1-1000, in the unit of second.
The default value is 5 s.
9. Configure a TACACS+ server group.
Command Function
ZXR10(config)#aaa group server tacacs+ <group-name> Configures a TACACS+ server

group and enters AAA server
group configuration mode.
<group-name> The name of a TACACS+ server group, with 131 characters
14.6.3 TACACS+ Configuration Example

The following example shows how to configure TACACS+.
ZXR10(config)#tacacs enable
ZXR10(config)#tacacs-server host 1.1.1.1
ZXR10(config)#tacacs-client 1.1.1.2
ZXR10(config)#aaa authentication default group zte
ZXR10(config)#aaa authentication enable default local group zte
14-17

ZXR10(config)#aaa authorization login default group zte

ZXR10(config)#user-authentication-type tacacs+
ZXR10(config)#user-authorization-type tacacs+
ZXR10(config)#aaa group-server tacacs+ zte
ZXR10(config-sg)#server 1.1.1.1
14-18

Chapter 15
Cluster Management
Configuration
Table of Contents
Cluster Management Overview ................................................................................15-1
Configuring Cluster Management .............................................................................15-3
Cluster Management Configuration Example............................................................15-6
Cluster Management Maintenance and Diagnosis ....................................................15-7
15.1 Cluster Management Overview

A cluster is a group of switches in a specific broadcast domain. These switches form
a unified management domain. The cluster provides a public network IP address and
a management interface and provides the functions of managing and accessing the
members in the cluster.
The management switch that configures the public network IP address is the command
switch. Other managed switches are the member switches. Generally, a public network
IP address is not configured for the member switches. The command switch allocates a
private address to a member switch through the function similar to DHCP. The command
switch and the member switches form a cluster (a private network).
ZTE recommends isolating the broadcast domain of the public network and that of
the private network on the command switch. This shields direct access to the private
addresses. The command switch provides a management and maintenance channel to
manage the cluster in a centralized and unified manner.
A broadcast domain where a cluster locates usually consists of four types of switches: a
command switch, a member switch, a candidate switch, and an independent switch.
There is only one command switch in a cluster. The command switch can collect the
device topology automatically and establish a cluster. After the cluster is established,
the command switch provides a management channel through which the cluster can
manage the member switches. The member switches are candidate switches before
being added into the cluster. The switches that do not support cluster management are
called independent switches.
For the network of a cluster, see Figure 15-1.
15-1

Figure 15-1 Network of a Cluster
For the rules for the four types of switches to change their roles in a cluster, see Figure
15-2.
15-2

Chapter 15 Cluster Management Configuration
Figure 15-2 Rules to Change Roles
15.2 Configuring Cluster Management

15.2.1 Configuring ZDP
To configure ZTE Discovery Protocol (ZDP), perform the following steps:
1. Enable the ZDP function globally.
Command Function
ZXR10(config)#zdp enable Enables the ZDP function

globally.
2. Configure the intervals of sending ZDP messages.
Command Function
ZXR10(config)#zdp timer <time> Configures the intervals of

sending ZDP messages.
3. Configure the hold-time of ZDP information.
Command Function
ZXR10(config)#zdp holdtime <time> Configures the hold-time of ZDP

information.
15.2.2 Configuring ZTP

To configure ZTE Topology Protocol (ZTP), perform the following steps:
15-3

1. Enable the ZTP function globally.
Command Function
ZXR10(config)#ztp enable Enables the ZTP function

globally.
2. Collect the ZTP topology on a VLAN.
Command Function
ZXR10(config)#ztp vlan <vlanId> Collects the ZTP topology on a

VLAN.
3. Set the number of ZTP topology collection hops.
Command Function
ZXR10(config)#ztp hop <number> Sets the number of ZTP topology

collection hops
4. Set the delay of sending ZTP protocol packets on each hop.
Command Function
ZXR10(config)#ztp hop-delay <time> Sets the delay of sending ZTP

protocol packets on each hop.
5. Set the delay of sending ZTP protocol packets on a port.
Command Function
ZXR10(config)#ztp port-delay <time> Sets the delay of sending ZTP

protocol packets on a port.
6. Start to collect the topology.
Command Function
ZXR10(config)#ztp start [ completely] Starts to collect the topology.
7. Set a timer for ZTP topology collection.
Command Function
ZXR10(config)#ztp timer Sets a timer for ZTP topology

collection.
15.2.3 Establishing a Cluster

To establish a cluster, perform the following steps:
15-4

1. Set the role of a switch and allocate an IP address to the cluster.
Command Function
ZXR10(config)#group switch-type { candidate | independent |{ Sets the role of a switch and

commander [ ip-pool < ip_addr>{ mask < ip_addr>| length < allocates an IP address to the
mask_len>}]}} cluster.
2. Change the cluster name.
Command Function
ZXR10(config)#group name <name > Changes the cluster name.
3. Set the handshake time of a cluster.
Command Function
ZXR10(config)#group handtime <time> Sets the handshake time of a

cluster.
4. Set the hold-time between member switches and the command switch on the
command switch.
Command Function
ZXR10(config)#group holdtime <time> Sets the hold-time between

member switches and the
command switch on the
command switch.
5. Add a specific device or a MAC address as a member on the command switch.
Command Function
ZXR10(config)#group member {{mac <mac_addr> member Add a specific device or a MAC

<mem_id>}|{device <device_id>}} address as a member on the
command switch.
15.2.4 Maintaining a Cluster

To maintain a cluster, perform the following steps:
1. Restart a member switch or all member switches on the command switch.
Command Function
ZXR10(config)#group reset-member { all |<member_id>} Restarts a member switch or

all member switches on the
command switch.
15-5

2. Save a member switch or all member switches on the command switch.
Command Function
ZXR10(config)#group save-member { all |<member_id>} Saves a member switch or

all member switches on the
command switch.
3. Delete the member configuration file on the command switch.
Command Function
ZXR10(config)#group erase-member { all |<member_id>} Deletes the member

configuration file on the
command switch.
4. Configure a TFTP server of the cluster.
Command Function
ZXR10(config)#group tftp-server <ip_addr> Configures a TFTP server of the

cluster.
5. Configure an alarm receiver of the cluster.
Command Function
ZXR10(config)#group trap-host <ip_addr> Configures an alarm receiver of

the cluster.
15.3 Cluster Management Configuration Example

Two devices are connected to accomplish cluster management. See Figure 15-3.
Figure 15-3 Cluster Management Configuration Example
The configuration steps are as follows:
1. Set the two ports to be in a VLAN (such as VLAN 1, and ensure that no Layer 3 address
is configured on VLAN 1).
2. Execute the show zdp neighbor command on DUT A to ensure that the ZDP neighbor
relationship has been established.
3. Execute the ztp start command on DUT A to start topology collection. Then execute
the show ztp device-list command to ensure that DUT A and DUT B are listed.
15-6

4. Set DUT A to the command switch with the group switch-type commander command.
Ensure that DUT A is the command switch with the show group command.
5. Set DUT B to the member switch with the group member device 1 command. Display
the member switches with the show group member command, and the state is up.
6. In privileged mode, the Member 1 can be logged into with the rlogin member 1 com-
mand on the command switch. The command switch can be logged in to with the
rlogin commander command on the member switch.
15.4 Cluster Management Maintenance and Diagnosis

The ZXR10 5900E system provides the following commands for cluster management
maintenance and diagnosis:
Command Function
ZXR10#show zdp Displays ZDP configuration

information.
ZXR10#show ztp Displays ZTP configuration

information.
ZXR10#show group Displays cluster configuration

information.
ZXR10#show zdp neighbour [ interface <interface>| mac Displays the ZDP neighbors
<mac-address>] (directly connected ZDP nodes).
ZXR10#show ztp {device-list | device {mac <mac-address>|<id>}} Displays collected device

information.
ZXR10#show group {{members [ member-num <number>]}|{ Displays cluster member

candidates [ mac <mac-address>]}} information.
ZXR10#debug group-management Traces ZDP and ZTP packet

transmitting and receiving.
15-7

15-8

Chapter 16
Security Configuration
Table of Contents
IP Source Guard ......................................................................................................16-1
Control Plane Security Configuration ........................................................................16-3
DAI Configuration .....................................................................................................16-6
MFF Configuration....................................................................................................16-9
16.1 IP Source Guard

16.1.1 IP Source Guard Overview
IP source guard is an application on the basis of DHCP snooping. It records dynamic user
information (IP and MAC ) by constructing a DHCP snooping association database. After
this function is enabled, users can only use the addresses that are allocated by a DHCP
server dynamically to access the external network. This prevents IP snooping.
16.1.2 Configuring IP Source Guard

To configure IP source guard, use the following command:
Command Function
ZXR10(config-gei_1/x)#ip dhcp snooping ip-source-guard { Configures IP source guard on an

ip-base| mac-base| mac-ip-base }[ vlan { default |<vlan-id>}] interface.
16.1.3 IP Source Guard Configuration Examples

16.1.3.1 IP Source Guard Configuration Based on an IP Address
A DHCP server connects to gei_1/1 on R1. An administrator sets the management DHCP.
The interface gei_1/1 belongs to VLAN 100. The DHCP snooping function is enabled on
VLAN 100. The interface gei_1/1 is a trusted interface. A PC connects to gei_1/2 of R1.
The interface gei_1/2 also belongs to VLAN 100. See Figure 16-1.
16-1

Figure 16-1 IP Source Guard Configuration Based on an IP Address
IP source guard based on an IP address is configured on gei_1/2. After getting an IP

address dynamically, the PC can only pass the packets whose source IP address is
allocated by the DHCP server.
Configuration of R1:
XR10(config)#interface gei_1/2
ZXR10(config-gei_1/2)#ip dhcp snnoping ip-source-guard ip-base
16.1.3.2 IP Source Guard Configuration based on a MAC Address

VLAN 100. The interface gei_1/1 a trusted interface. A PC connects to gei_1/2 of R1. The
interface gei_1/2 also belongs to VLAN 100. See Figure 16-2.
Figure 16-2 IP Source Guard Configuration based on a MAC Address
IP source guard based on a MAC address is configured on gei_1/2 . After getting an IP

address dynamically, the PC can only pass the packets whose source MAC address is the
MAC address of the network card on the local host.

ZXR10(config-if)#ip dhcp snnoping ip-source-guard mac-base
16-2

Chapter 16 Security Configuration
16.1.3.3 IP Source Guard Configuration based on an IP Address and a MAC Address

VLAN 100. The interface gei_1/1 is a trusted interface. A PC connects to gei_1/2 of R1.
The interface gei_1/2 also belongs to VLAN 100. See Figure 16-3.
Figure 16-3 IP Source Guard Configuration based on an IP Address and a MAC Address
IP source guard based on a MAC address is configured on gei_1/2. After getting an IP

address dynamically, the PC can only pass the packets whose source MAC address is
the MAC address of the network card on the local host and whose source IP address is
allocated by the DHCP server.
ZXR10(config-if)#ip dhcp snnoping ip-source-guard mac-ip-base
16.2 Control Plane Security Configuration

16.2.1 Control Plane Security Overview
Control plane security monitors the packet sending rate and generates alarms when
packets are sent at an abnormal rate. In this way, the network management system can
know possible packet attacks to CPU and then decides whether to discard these packets
on the interface and limit the rate.
16.2.2 Configuring Control Plane Security

To configure control plane security, perform the following steps:
1. Enable/disable the control plane security function.
Command Function
ZXR10(config)#control-plane-security {enable | disable} Enables/disables the control

plane security function. By
default, this function is enabled.
16-3

2. Transmit or discard a protocol packet type.
Command Function
ZXR10(config-gei_1/x)#protocol-protect mode Transmits or discards a protocol

<protocolname>{enable | disable} packet type.
This command is configured in interface mode. If this command is configured on a

physical port, the configuration determines whether the packets of a certain protocol
are discarded. For a port whose port mode is Network Node Interface (NNI), all
protocol packets are transmitted by default. For a port whose port mode is User
Network Interface (UNI), the default action depends on the protocols. Display the
default action with the show command.
3. Configure an alarm threshold for a protocol packet type.
Command Function
ZXR10(config-gei_1/x)#protocol-protect alarm mode Configures an alarm threshold

<protocol name>< alarm-limit > for a protocol packet type.
The range of the < alarm-limit >
parameter is 1000-18000.
Configure this command in interface mode. It is used to modify the alarm threshold for
a protocol packet type on a physical port. When the number of the specific protocol
packets exceeds this threshold in 30 s, an alarm message is sent. The default alarm
threshold is 3000.
4. Configure the peak rate or the average rate of a protocol packet type.
Command Function
ZXR10(config-gei_1/x)#protocol-protect {peak-rate | Configures the peak rate or the

average-rate} mode <protocol name>< rate-limit > average rate of a protocol packet
type.
The unit is packets-per-second (pps). The range of the peak rate is 1001000, and
the default peak rate is 300. The range of the average rates is 10600, and the default
average rate is 100.
5. Configure the port type of an interface type.
Command Function
ZXR10(config-gei_1/x)#protocol-protect type {nni | uni} Configures the port type of an

interface type.
The default type is nni.

The protocols supported by this command include PIM, IGMP, ICMP, ARPREPLY,
ARPREQUEST, UDLD, GROUP MNG, VBASE, LLDP, DHCP, LACP, BPDU, SNMP,
NA, NS, RA and RS.
16-4

When the protocol packets are set to be discarded, even if the packets are sent to the
MUX module, they are still discarded by this module. They cannot hit the platform.
When the control plane security module finds that a protocol packet type is sent to the
platform at too fast a rate, it sends alarms to remind users that there may be a protocol
packet type attacking the CPU. When this alarm appears, users can set the system to
discard the packets or limit the packet rate to prevent the attack on the CPU.
Note:
If the protocol packets of some types are discarded, the related services may fail.
16.2.3 Control Plane Security Configuration Examples

l This example shows how to configure control plane security to transmit ARP packets
on an interface set the alarm threshold to 2500.
ZXR10#config terminal
ZXR10(config-gei_1/1)#protocol-protect mode arp enable
ZXR10(config-gei_1/1)#protocol-protect alarm mode arp 2500
l This example shows how to configure the peak rate and the average rate of ICMP
protocol packets on an interface.
ZXR10#config terminal
ZXR10(config-gei_1/1)#protocol-protect peak-rate mode icmp 500
ZXR10(config-gei_1/1)#protocol-protect average-mode mode icmp 250
16.2.4 Control Plane Security Maintenance and Diagnosis

The ZXR10 5900E system provides the following commands for maintenance and
diagnosis.
Command Function
ZXR10(config)#show protocol-protect packet-config Displays an interfaces port type,

<interfacename> protocol packet configuration, and
receiving statistics.
ZXR10(config)#show protocol-protect token-buckets Displays an interfaces protocol

<interfacename> packet receiving rate and statistics.
ZXR10#clear protocol-protect {packets-count | buckets-count}<i Clears an interfaces protocol

nterfacename> packet statistics.
16-5

16.3 DAI Configuration

16.3.1 DAI Overview
Attacks based on ARP often occur on a network. The DHCP snooping module on the
ZXR10 5900E series unit provides Dynamic ARP Inspection (DAI).
At present, the DAI function only checks the DHCP association table in the learned ARP
packets.
If the users connected to a switch are in the same broadcast domain, the users can
communicate with each other through Layer 2 forwarding instead of Layer 3 forwarding
by the switch. So, the switch does not need to learn the ARP packets of these users,
and there are no related security checks. This is a security bug, which can lead to
man-in-the-middle, or attacks, see Figure 16-4.
Figure 16-4 Man-in-the-Middle Attack
A, B and C are in the same broadcast domain, that is, the same network segment. When
A and B communicate with each other, ARP packets are sent and C can intercept these
ARP packets. If C acts as a man in the middle to do malicious scanning, it sends free ARP
to A to inform that the IP corresponding to the MAC address of B has been updated to
that of C, causing traffic from A to B to be directly forwarded to C. As the same time, traffic
from B to A also can be forwarded to C. After doing malicious scanning on the packets, C
modifies the destination address to the real MAC address of B or A and returns the packets
to the switch. Traffic between A and B can be forwarded properly and not be perceived so
that C completes a man-in-the-middle attack.
To avoid that, check all ARP packets. Packets that pass the check are forwarded. ARP
packets that fail the check are discarded.
Based on this requirement, the ZXR10 5900E system to help prevent ARP attack.
l For untrusted interfaces, DAI intercepts all ARP packets and sends them to the upper
layer for confirmation.
l Users can configure the rate at which ARP packets sent to the CPU can be configured.
l When the DHCP snooping function is enabled, the relation between an IP address, a
MAC address and a port is checked. Illegal packets are discarded.
16-6

DAI checks the ARP packets according to the association between IP addresses and MAC
addresses in the trusted database. When enabled, the DHCP snooping function of a VLAN
creates a database. If the ARP packets are received from a trusted port, the device does
not check the packets and forwards the packets directly. If the ARP packets are received
from an untrusted port, the switch only forwards valid packets.
16.3.2 Configuring DAI

To configure DAI, perform the following steps:

p
1 ZXR10(config-gei_1/x)#ip arp inspection trust Configures the trusted attribute

of an interface.
2 ZXR10(config-smartgroupX)#ip arp inspection trust Configures the trusted attribute

of a Smartgroup interface.
3 ZXR10(config)#ip arp inspection validate {[des-mac][ip][src Configures the global ARP

-mac]} validation inspection function.
4 ZXR10(config-gei_1/x)#ip arp inspection limit <1-100> Configures the rate limit of an

interface.
For an untrusted interface, the
default rate limit is 15 pps.
For a trusted interface, the ARP
packet rate is not limited.
5 ZXR10(config-vlanX)#ip arp inspection Enables the DAI function on a

VLAN.
16.3.3 DAI Maintenance and Diagnosis

The ZXR10 5900E system provides the following commands for DAI maintenance and
diagnosis:
Command Function
ZXR10#show ip arp inspection interface {interface_name} Displays the trusted attribute of an

interface.
ZXR10#show ip arp inspection configure Displays ARP packet validation

inspection information.
ZXR10#show ip arp inspection vlan [{<1-4094>| disable | enable | Displays DAI configuration
name vlan_name}] information of a VLAN.
16-7

16.3.4 DAI Configuration Example

The user must configure VLAN 2 on the switch and run DAI. See Figure 16-5.
Figure 16-5 DAI Configuration Example
The prerequisite is that the DHCP snooping function of VLAN 2 has been enabled.
ZXR10(config)#ip dhcp snooping trust fei_X/X
Configure VLAN 2 on theswitch and run DAI.

ZXR10(config-vlan2)#ip arp inspection
Bind the interfaces gei_1/1 and gei_1/2 to VLAN 2.

The interface gei_1/1 is set to an untrusted interface (the default attribute is untrusted).
The legal ARP packets that host A sends to the switch are broadcast in the VLAN. Host B
receives the ARP packets. The illegal packets are discarded and not forwarded. Host B
cannot receive the illegal ARP packets.
If the interface gei_1/1 is set to a trusted interface, no matter whether the ARP packets
sent to the switch by host A are legal or illegal, the switch forwards them to all interfaces
in VLAN 1. Host B receives the ARP packets. When the interface rate limit is set to X, the
switch receives up to X ARP packets per second, the remaining packets are discarded.
16-8

16.4 MFF Configuration

16.4.1 MFF Overview
MAC-Forced Forwarding (MFF) accomplishes Layer 2 isolation and Layer 3
intercommunication between different hosts in the same broadcast domain. MFF
improves network security.
16.4.2 Configuring MFF

To configure MFF, perform the following steps:
1. Set the MFF mode.
Command Function
ZXR10(config)#mff mode {auto | manus} Sets the MFF mode.
2. Enable the MFF function on a VLAN interface.
Command Function
ZXR10(config-if-vlanX)#mff enable Enables the MFF function on a

VLAN interface.
3. Configure MFF interface type.
Command Function
ZXR10(config-gei_1/x)#set mff {user-port | network-port} Configures MFF interface type.
4. Configure the IP address of the MFF gateway.
Command Function
ZXR10(config-if-vlanX)#set mff gateway ip <A.B.C.D> Configures the IP address of the

MFF gateway.
5. Configure a static MFF user.
Command Function
ZXR10(config)#mff user <A.B.C.D><H.H.H> vlan <1-4094> Configures a static MFF user.

gateway < A.B.C.D >
6. Enable the MFF gateway MAC address detection function.
Command Function
ZXR10(config)#mff gateway detect enable Enables the MFF gateway MAC

address detection function.
16-9

16.4.3 MFF Configuration Example

R1 is an MFF gateway. PC1 obtains an IP address through DHCP. Users configure DHCP
snooping and MFF on the switch. See Figure 16-6.
Figure 16-6 MFF Configuration Example
The MFF configuration of the switch:

ZXR10(config)#mff mode auto
ZXR10(config)#mff gateway detect enable
ZXR10(config-if-vlan1)#mff enable
ZXR10(config-gei_1/2)#set mff network-port
ZXR10(config-gei_1/4)#set mff user-port
16.4.4 MFF Maintenance and Diagnosis

The ZXR10 5900E system provides the following commands for MFF maintenance and
diagnosis:
16-10

Command Function
ZXR10#show mff configure Displays MFF global configuration

information.
ZXR10#show mff vlan <vlan-id> Displays MFF configuration

information on a VLAN.
ZXR10#show mff interface [<interface-name>] Displays MFF configuration

information on a physical interface.
ZXR10#show mff-table [vlan <vlan-id>[A.B.C.D]] Displays the MFF table.
16-11

16-12

Chapter 17
URPF Configuration
Table of Contents
URPF Overview .......................................................................................................17-1
Configuring URPF ....................................................................................................17-1
URPF Maintenance and Diagnosis...........................................................................17-1
17.1 URPF Overview

Unicast Reverse Path Forwarding (URPF) prevents network attacks based on source
address deceit.
There are three types of URPF:
l Strict URPF (sRPF)
l Loose URPF (lRPF)
l Default route-ignored URPF (lnRPF)
17.2 Configuring URPF

To configure URPF, perform the following steps:
1. Enable the URPF function on an interface.
Command Function
ZXR10(config-gei_1/x)#ip verify { strict | loose | Enables the URPF function on

loose-ignoring-default-route } an interface.
2. Enable/disable the URPF log function.
Command Function
ZXR10(config)#urpf log { on | off} Enables/disables the URPF log

function.
17.3 URPF Maintenance and Diagnosis

The ZXR10 5900E system provides the following commands for URPF maintenance and
diagnosis:
17-1

Command Function
ZXR10#show interface <interfac_name> Displays the interfaces URPF

statistics information.
ZXR10#show ip traffic Displays URPF statistics

information of the system.
ZXR10#show logging alarm typeid urpf Displays URPF log information.
17-2

Chapter 18
M_Button Function
Table of Contents
M_button Function Description .................................................................................18-1
M_button Mode Switching ........................................................................................18-2
18.1 M_button Function Description

The M_button function is implemented by using the indicators on the panel to provide users
with functions of displaying some key statistics and indicating key events. This facilitates
users to maintain ZTE devices easily and intuitively.
The M_button function supports the following modes:
1. LINK mode: In this mode, the indicator shows the LINK/ACT status of the port. If the
port is in the LINK state, the indicator is lit green. If there is traffic on the port, the
indicator blinks green. If the port is in the non-LINK state, the indicator is not lit.
2. SPEED mode (SPD): In this mode, the indicator shows the current rate of the port. If
the current rate is the same as the default port rate, the indicator is lit green. Otherwise,
the indicator is lit yellow.
3. DUPLEX mode (DUP): In this mode, the indicator shows the duplex mode of the port.
If the port is in full-duplex mode, the indicator is lit green. If the port is in half-duplex
mode, the indicator is lit yellow.
4. STA mode (STAT): In this mode, the indicator shows the STP status of the port. If
the STP status is Forward, the indicator is lit green. If the STP status is Disable, the
indicator is off. If the STP status is not Forward or Disable, the indicator is lit yellow.
The STA status is the same as the status of the port in instance 0 (default port).
5. CPU usage mode (CPU%): In this mode, the indicator shows the current CPU usage
of the device. The 5928E and 5928E-FI use the indicators of ports 1-20 to represent
the CPU usage, with 5% for each port. The 5952E uses the indicators of ports 1-16
on the main control board to represent the CPU usage, with 6.25% for each port.
6. Memory usage mode (MEM%): In this mode, the indicator shows the current memory
usage of the device. The 5928E and 5928E-FI use the indicators of ports 1-20 to
represent the memory usage, with 5% for each port. The 5952E uses the indicators
of ports 1-16 on the main control board to represent the memory usage, with 6.25%
for each port.
7. Uplink egress bandwidth usage mode (BW%): In this mode, the indicator shows the
current egress bandwidth usage of the uplink port based on the current uplink port rate.
The 5928E and 5928E-FI use the indicators of ports 1-20 to represent the bandwidth
usage, with 5% for each port. The 5952E uses the indicators of ports 1-16 on the main
control board to represent the bandwidth usage, with 6.25% for each port.
18-1

8. Uplink ingress bandwidth usage mode (BW%): In this mode, the indicator shows
the current ingress bandwidth usage of the uplink port based on the current uplink
port rate. The 5928E and 5928E-FI use the indicators of ports 1-20 to represent the
bandwidth usage, with 5% for each port. The 5952E uses the indicators of ports 1-16
on the main control board to represent the bandwidth usage, with 6.25% for each port.
9. Ping NMS center mode (PING): In this mode, the first five indicators are used to show
the status. The device sends five ICMP packets to the NMS center. If a correct
response is received for each ICMP packet, the corresponding indicator is lit green.
Otherwise, the corresponding indicator is lit yellow. After the five indicators are lit for
20s, they are off to go to the next Ping process. If the NMS address is not configured,
the five indicators are lit yellow at the same time and then off to go to the next Ping
process.
10. CRC port display mode (CRC): In this mode, the indicator prompts a CRC error. If a
CRC error exists on the port, the indicator is lit yellow. Otherwise, the indicator is off.
11. STORM port display mode (STORM): In this mode, the indicator indicates a storm port.
If the port is a storm port, the indicator is lit yellow. Otherwise, the indicator is off.
12. NoMAC port display mode (NoMAC): In this mode, the indicator indicates whether the
port learns the MAC address. If the port does not learn the MAC address, the indicator
is lit yellow. Otherwise, the indicator is off. This mode supports the trunk function. If
the trunk port learns the MAC address, the indicators of active ports in the trunk are
off.
18.2 M_button Mode Switching

1. On the panel, there is a mode button. After a user presses it, the indicator
corresponding to the next mode blinks for 2s and 6 to 7 times. The modes are
switched in accordance with the sequence described in the previous section. If the
user does not press the button again within the 2s, the indicator is off and the switch
enters the mode. If the user presses the button again within the 2s, the switch enters
the next mode. In this case, the indicator corresponding to the next mode blinks for
2s. The operation is performed repeatedly by this analogy.
2. If the user does not press the button within three minutes after the switch enters
a mode, the switch automatically exits the mode and returns to the LINK mode.
Otherwise, the switch enters the next mode and the corresponding indicator blinks as
described above.
3. In LINK, SPD, DUP or STAT mode, the status is updated in real time. In PING mode,
the Ping command is run every 20s. In other modes, the status is updated every 3s.
18-2

Chapter 19
Energy-Efficiency
Table of Contents
Energy-Efficiency Overview......................................................................................19-1
Function Description.................................................................................................19-2
Energy-Efficiency Configuration................................................................................19-2
19.1 Energy-Efficiency Overview

IEEE puts forward a new energy-efficient Ethernet standard called IEEE P802.3az, which
aims to reduce the usage of network resources.
The standard was approved in September 30, 2010. It was the first standard in the
history that requires network equipment to reduce the usage of network resources during
operation. It is also a protocol specially designed for network management companies
and network service consumption companies to reduce the usage of network resources
such as routers, switches, PCs, and printers.
In some networks, all link resources are used but there is still room to reduce the usage
of network resources. In most cases, network resources are partially used and most of
network resources are idle. Therefore, it is necessary to use network resources efficiently.
In addition, it is a great waste in electricity consumption. The actual power consumption
of network equipment (power consumed during network operation) ranges only from 5%
to 10%. When the network is idle, the network equipment are still powered on, which
causes a waste of about 50% electricity. The IEEE802.3az is a protocol working based
on the IEEE802.3 Ethernet standard to save the energy consumed by network equipment.
When the usage of network resources is low, the network equipment automatically work
in low-power state.
The protocol recommends a new technology called Low Power Idle, which helps save
energy when network connections are not used. Regarding the burst characteristic of most
Ethernet traffic, the technology brings the considerable energy-saving effect, especially for
the application of some high-performance technologies such as 10 GbE (1 GbE and 100
MbE).
Caution!
Only when the electrical ports at both ends of two interconnected devices enable the
energy-efficiency function, the function can take effect.
19-1

19.2 Function Description

The devices supporting the function are 5928E-SEGTT, 5928E-SEGTF, and 5952E whose
fixed interface is an electrical interface. The function can be used to read and display the
current power usage of a device by the power chip on main control board.
If the show power-usage command is used in the configuration mode, it displays the current
power usage of a device. An example is as follows:
ZXR10(config)#show power-usage
Power Usage: 30.700
For the unsupported devices, the system prompts an error.
ZXR10(config)#show power-usage
The Device is not support get Power-Usage.
19.3 Energy-Efficiency Configuration

19.3.1 Energy-Efficiency Global Configuration
To enable or disable the energy-efficiency global configuration and configure the start time
for collecting user statistics, use the following commands:
Command Function
ZXR10(config)#eee {enable|disable} Enables or disables the global

EEE function.
ZXR10(config)#eee statistic from-now-on Configures the start time for

collecting user statistics.
If the eee enable and eee disable commands are used in the configuration mode, they help
enable and disable the global EEE function. When the global EEE function is disabled,
the actual PHY chip does not work in the EEE state no matter whether the EEE function
is enabled on the interface. By default, the EEE function is enabled on the supported
devices.
If the eee statistic from-now-on command is used in the configuration mode, it provides
users with the time points recorded when power statistics are collected. When the user
runs the command, the data in the specified statistic field will be cleared and accumulated
every hour.
19.3.2 Configuring an Energy-Efficiency Interface

To enable or disable the energy-efficiency function of an interface, use the following
commands:
19-2

Chapter 19 Energy-Efficiency
Command Function
ZXR10(config-gei_1/x)#eee {enable|disable} Enables or disables the EEE

function of an interface.
If the eee enable and eee disable commands are used in the interface mode, they enable
and disable the EEE function of an interface. When the global EEE function and the EEE
function of the interface are enabled at the same time, the PHY chip will work in the EEE
state. By default, the EEE function is enabled on the supported devices.
19.3.3 Energy-Efficiency Maintenance and Diagnosis

To show and clear the EEE energy-efficiency statistics of a port, use the following
commands:
Command Function
ZXR10(config)#show eee statistic Shows the EEE energy-efficiency

statistics of a port.
ZXR10#clear eee statistic Clears the EEE energy-efficiency

statistics of a port.
If the eee statistic from-now-on command is used in the configuration mode, it provides
users with the time points recorded when power statistics are collected. When the user
runs the command, the data in the specified statistic field will be cleared and accumulated
every hour. The 12Hours column shows the saved power in last 12 hours before the data
is shown. The 24Hours column shows the saved power in last 24 hours before the data is
shown. The User column shows the saved power after the user customizes the time and
before the data is shown. The Total column shows the saved power after the system is
started and before the data is shown. The unit is joule.
If the clear eee statistic command is used in the privilege mode, it clears all the EEE
statistics.
19-3

19-4

Figures
Figure 2-1 ZXR10 5900E Configuration Modes Diagram........................................... 2-1
Figure 2-2 Location Information Dialog Box ............................................................. 2-2
Figure 2-3 Connection Description Dialog Box .......................................................... 2-2
Figure 2-4 Connect To Dialog Box ............................................................................ 2-3
Figure 2-5 COM1 Properties Dialog Box ................................................................... 2-4
Figure 2-6 Run Dialog Box....................................................................................... 2-5
Figure 2-7 Telnet Login ............................................................................................. 2-5
Figure 2-8 PuTTY Configuration Dialog Box ............................................................. 2-7
Figure 2-9 PuTTY Configuration Dialog Box ............................................................. 2-8
Figure 3-1 No log file open-WFTPD Window............................................................. 3-4
Figure 3-2 User/Rights Security Dialog Box .............................................................. 3-4
Figure 3-3 TFTPD Window ....................................................................................... 3-5
Figure 3-4 Tftpd Settings Dialog Box......................................................................... 3-6
Figure 3-5 Trace Function Configuration Example .................................................. 3-24
Figure 4-1 Port Mirroring Example .......................................................................... 4-12
Figure 4-2 Port RSPAN Mirroring Example ............................................................. 4-13
Figure 4-3 ERSPAN Configuration Example............................................................ 4-15
Figure 5-1 MFF Network Topology ............................................................................ 5-6
Figure 6-1 ACL Configuration Example ................................................................... 6-11
Figure 7-1 Level 2 Traffic Policing in Single-or Mode................................................. 7-2
Figure 7-2 Traffic Policing Process............................................................................ 7-3
Figure 7-3 Traffic Policing Process............................................................................ 7-5
Figure 7-4 Typical QoS Configuration Example....................................................... 7-21
Figure 7-5 Policy Routing Configuration Example .................................................. 7-22
Figure 8-1 DHCP Server Configuration Example .................................................... 8-18
Figure 8-2 DHCP Relay Configuration Example...................................................... 8-19
Figure 8-3 DHCP Snooping Configuration Example ................................................ 8-20
Figure 8-4 DHCP Snooping Preventing Static IP Configuration ............................... 8-20
Figure 9-1 Basic VRRP Configuration Example ........................................................ 9-3
Figure 9-2 Symmetric VRRP Configuration Example ................................................ 9-4
Figure 10-1 DOT1X RADIUS Authentication Application ......................................... 10-8
Figure 10-2 DOT1X Relay Authentication Application ............................................ 10-9
I
Figure 12-1 ZESR Configuration Example .............................................................. 12-8

Figure 12-2 ZESR and ZESR+ Hybrid Configuration Example .............................. 12-11
Figure 13-1 IPTV Privilege Function Configuration Example ................................... 13-7
Figure 14-1 NTP Configuration Example................................................................. 14-3
Figure 15-1 Network of a Cluster ............................................................................ 15-2
Figure 15-2 Rules to Change Roles ........................................................................ 15-3
Figure 15-3 Cluster Management Configuration Example ....................................... 15-6
Figure 16-1 IP Source Guard Configuration Based on an IP Address...................... 16-2
Figure 16-2 IP Source Guard Configuration based on a MAC Address ................... 16-2
Figure 16-3 IP Source Guard Configuration based on an IP Address and a MAC
Address ................................................................................................ 16-3
Figure 16-4 Man-in-the-Middle Attack ..................................................................... 16-6
Figure 16-5 DAI Configuration Example .................................................................. 16-8
Figure 16-6 MFF Configuration Example............................................................... 16-10
II
Tables
Table 2-1 Command Modes ...................................................................................... 2-9
Table 2-2 Recalling Recent Commands .................................................................. 2-12
Table 4-1 Interface State Abnormal Conditions ......................................................... 4-7
Table 7-1 Display Format ........................................................................................ 7-19
Table 7-2 Display Format ........................................................................................ 7-19
III
Tables

Glossary
AAA
- Authentication, Authorization and Accounting
ACL
- Access Control List
ARP
- Address Resolution Protocol
BGP
- Border Gateway Protocol
BRAS
- Broadband Remote Access Server
CAC
- Channel Access Control
CRC
- Cyclic Redundancy Check
DNS
- Domain Name System
DOS
- Disk Operating System
DSCP
- Differentiated Services Code Point
DSL
- Digital Subscriber Line
DSLAM
- Digital Subscriber Line Access Multiplexer
EAPS
- Ethernet Automatic Protection Switching
FE
- Fast Ethernet
FTP
- File Transfer Protocol
GRE
- General Routing Encapsulation
I2C
- Inter-Integrated Circuit
V
ICMP
- Internet Control Message Protocol
IEEE
- Institute of Electrical and Electronics Engineers
IP
- Internet Protocol
IPTV
- Internet Protocol Television
IPX
- Internetwork Packet Exchange protocol
IS-IS
- Intermediate System-to-Intermediate System
ISP
- Internet Service Provider
LACP
- Link Aggregation Control Protocol
MAC
- Medium Access Control
MFF
- MAC-Forced Forwarding
MIB
- Management Information Base
MSTP
- Multiple Spanning Tree Protocol
NAS
- Network Access Server
NM
- Network Management
NMS
- Network Management Server
NNI
- Network Node Interface
NTP
- Network Time Protocol
OSPF
- Open Shortest Path First
PBS
- Peak Burst Size
VI
Glossary
PPP
- Point to Point Protocol
PPPoE
- Point to Point Protocol over Ethernet
PVID
- Port VLAN ID
RED
- Random Early Detection
RIP
- Routing Information Protocol
RMON
- Remote Monitoring
SNMP
- Simple Network Management Protocol
SSH
- Secure Shell
STB
- Set-top Box
STP
- Spanning Tree Protocol
TACACS+
- Terminal Access Controller Access-Control System Plus
TCP
- Transfer Control Protocol
TFTP
- Trivial File Transfer Protocol
TPID
- Tag Protocol Identifier
TTL
- Time To Live
TrTCM
- Two-rate Three Color Marker
UDP
- User Datagram Protocol
UNI
- User Network Interface
URPF
- Unicast Reverse Path Forwarding
VII
VBAS
- Virtual Broadband Access Server
VLAN
- Virtual Local Area Network
VOD
- Video On Demand
VRRP
- Virtual Router Redundancy Protocol
WRED
- Weighted Random Early Detection
WRR
- Weighted Round Robin
ZDP
- ZTE Discovery Protocol
ZESR
- ZTE Ethernet Switch Ring
ZTP
- ZTE Topology Protocol
VIII

1215100134-002 ZXR10 5900E Series (V2.8.23.C) Easy-Maintenance MPLS Routing Switch User Manual (Basic Configuration) - 396889

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

1215100134-002 ZXR10 5900E Series (V2.8.23.C) Easy-Maintenance MPLS Routing Switch User Manual (Basic Configuration) - 396889

Încărcat de

Drepturi de autor:

Formate disponibile

ZXR10 5900E Series

Easy-Maintenance MPLS Routing Switch

Revision No. Revision Date Revision Reason

R1.0 2012-01-31 First edition

Serial Number: SJ-20111215100134-002

Publishing Date: 2012-01-31 (R1.0)

Chapter 2 Usage and Operation................................................................ 2-1

Chapter 3 System Management ................................................................ 3-1

Chapter 4 Interface Configuration ............................................................ 4-1

Chapter 5 Network Protocol Configuration.............................................. 5-1

Chapter 6 Access Control List (ACL) Configuration............................... 6-1

Chapter 7 QoS Configuration .................................................................... 7-1

Chapter 8 DHCP Configuration ................................................................. 8-1

Chapter 9 VRRP Configuration ................................................................. 9-1

Chapter 10 DOT1X Configuration ........................................................... 10-1

Chapter 11 VBAS Configuration.............................................................. 11-1

Chapter 12 ZESR/ZESR+ Configuration ................................................. 12-1

Chapter 13 IPTV Configuration ............................................................... 13-1

Chapter 14 Network Management Configuration .................................. 14-1

Chapter 15 Cluster Management Configuration .................................... 15-1

Chapter 16 Security Configuration ......................................................... 16-1

Chapter 17 URPF Configuration.............................................................. 17-1

Chapter 18 M_Button Function ............................................................... 18-1

Chapter 19 Energy-Efficiency.................................................................. 19-1

What Is in This Manual

Chapter 1, Safety Instructions Describes the safety instructions and signs.

Chapter 12, ZESR/ZESR+ Describes the ZESR/ZESR+ concept, related configuration

Chapter 16, Security Describes security management concepts, related configuration

Chapter 19, Energy-Efficiency Describes the energy-efficiency concepts and configuration

1.1 Safety Introduction

1.2 Safety Signs

SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

This page intentionally left blank.

SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

2.1 Configuration Mode

Figure 2-1 ZXR10 5900E Configuration Modes Diagram

2.1.1 Console Port-Based Configuration Mode

SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

Figure 2-2 Location Information Dialog Box

Figure 2-3 Connection Description Dialog Box

SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

Figure 2-4 Connect To Dialog Box

5. Select the properties of the connection. See Figure 2-5.

SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

Figure 2-5 COM1 Properties Dialog Box

2.1.2 Telnet-Based Configuration Mode

SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

Figure 2-6 Run Dialog Box

g. Click OK to start the interface. See Figure 2-7.

Figure 2-7 Telnet Login

h. Enter the correct username and password to start device configuration.

SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

2.1.3 SSH-Based Configuration Mode

SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

Figure 2-8 PuTTY Configuration Dialog Box

SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

Figure 2-9 PuTTY Configuration Dialog Box

4. Click Open to log in to the ZXR10 5900E series uni.

2.1.4 SNMP-Based Configuration Mode

2.2 Command Modes

SJ-20111215100134-002|2012-01-31 (R1.0) ZTE Proprietary and Confidential

Table 2-1 Command Modes

Mode Prompt Command