华为S9300核心交换机VLAN聚合

华为交换机VLAN聚合（超级vlan）配置示例1、组网需求图1 VLAN聚合组网图如图1所示，某公司拥有多个部门且位于同一网段，为了提升业务安全性，将不同部门的用户划分到不同VLAN中。

现由于业务需要，不同部门间的用户需要互通。

VLAN2和VLAN3为不同部门，现需要实现不同VLAN间的用户可以互相访问。

可以在Switch上部署VLAN聚合，实现VLAN2和VLAN3二层隔离、三层互通，同时VLAN2和VLAN3采用同一个子网网段，节省了IP地址。

2、配置思路2.1、把Switch接口加入到相应的sub-VLAN中，实现不同sub-VLAN间的二层隔离。

2.2、把sub-VLAN聚合为super-VLAN。

2.3、配置VLANIF接口的IP地址。

2.4、配置super-VLAN的Proxy ARP，实现sub-VLAN间的三层互通。

3、操作步骤3.1、配置接口类型# 配置接口GE1/0/1为Access类型。

接口GE1/0/2、GE1/0/3、GE1/0/4的配置与GE1/0/1相同，不再赘述。

<HUAWEI> system-view[HUAWEI] sysname Switch[Switch] interface gigabitethernet 1/0/1[Switch-GigabitEthernet1/0/1] port link-type access[Switch-GigabitEthernet1/0/1] quit#创建VLAN2并向VLAN2中加入GE1/0/1和GE1/0/2。

[Switch] vlan 2[Switch-vlan2] port gigabitethernet 1/0/1 1/0/2[Switch-vlan2] quit#创建VLAN3并向VLAN3中加入GE1/0/3和GE1/0/4。

[Switch] vlan 3[Switch-vlan3] port gigabitethernet 1/0/3 1/0/4[Switch-vlan3] quit3.2、配置VLAN4# 配置super-VLAN。

核心交换机各项配置 Vlan划分、互访、ACL管控、链路聚合教程交换机的主要功能包括物理编址、网络拓扑结构、错误校验、帧序列以及流控。

交换机还具备了一些新的功能，如对VLAN(虚拟局域网)的支持、对链路汇聚的支持，甚至有的还具有防火墙的功能。

这篇文章主要为大家介绍了核心交换机配置的方法，比如给核心交换机配置Vlan划分、互访、ACL管控、链路聚合等，需要的朋友可以参考下。

概念介绍访问控制列表(Access Control List，ACL) 是路由器和交换机接口的指令列表，用来控制端口进出的数据包。

ACL适用于所有的被路由协议，如IP、IPX、AppleTalk等。

链路聚合是将两个或更多数据信道结合成一个单个的信道，该信道以一个单个的更高带宽的逻辑链路出现。

链路聚合一般用来连接一个或多个带宽需求大的设备，例如连接骨干网络的服务器或服务器群。

具体配置#!Software Version V200R001C00SPC300sysname IT_ServerRoom #交换机名称##vlan batch 10 20 30 40 50 60 70 80 90 99 to 100 #设置Vlan# vlan batch 110#lacp priority 100 #链路聚合优先级设定##undo http server enable#undo nap slave enable#dhcp enable #打开DHCP功能##acl number 3001 #配置ACL访控#rule 4 permit tcp source 0.0.0.0 192.168.21.11 destination-port eq 3389 #允许指定IP使用远程协助#rule 5 permit tcp source 0.0.0.0 192.168.21.13 destination-port eq 3389rule 6 permit tcp source 0.0.0.1 192.168.11.254 destination-port eq 3389rule 7 permit tcp source 0.0.0.0 192.168.51.13 destination 0.0.0.0 192.168.11.10 destination-port eq 3389rule 8 permit tcp source 0.0.0.0 192.168.81.31 destination 0.0.0.0 192.168.11.10 destination-port eq 3389rule 9 permit tcp source 0.0.0.0 192.168.21.14 destination 0.0.0.0 192.168.11.12 destination-port eq 3389rule 10 permit tcp source 0.0.0.3 192.168.21.12 destination-port eq telnetrule 11 permit tcp source 0.0.0.1 192.168.11.254 destination-port eq telnetrule 12 permit tcp source 0.0.0.0 192.168.21.250 destination 0.0.0.0 192.168.11.12 destination-port eq 3389rule 100 deny tcp destination-port eq 3389 #关闭远程协助端口#rule 105 deny tcp destination-port eq telnet #关闭Telnet端口##ip pool 1 #设置IP地址池#gateway-list 192.168.11.254 #设置网关#network 192.168.11.0 mask 255.255.255.0 #子网掩码及IP区段#excluded-ip-address 192.168.11.1 192.168.11.60 #DHCP分配时豁免的IP地址#lease day 10 hour 0 minute 0 #IP地址有效时间# dns-list 192.168.11.2 192.168.11.5 #DNS配置##ip pool 2gateway-list 192.168.21.254network 192.168.21.0 mask 255.255.255.0excluded-ip-address 192.168.21.1 192.168.21.60 lease day 10 hour 0 minute 0dns-list 192.168.11.2 192.168.11.5#ip pool 3gateway-list 192.168.31.254network 192.168.31.0 mask 255.255.255.0excluded-ip-address 192.168.31.1 192.168.31.60 lease day 10 hour 0 minute 0dns-list 192.168.11.2 192.168.11.5#ip pool 4gateway-list 192.168.41.254network 192.168.41.0 mask 255.255.255.0excluded-ip-address 192.168.41.1 192.168.41.60 lease day 10 hour 0 minute 0dns-list 192.168.11.2 192.168.11.5#ip pool 5gateway-list 192.168.51.254network 192.168.51.0 mask 255.255.255.0excluded-ip-address 192.168.51.1 192.168.51.60 lease day 10 hour 0 minute 0dns-list 192.168.11.2 192.168.11.5#ip pool 6gateway-list 192.168.61.254network 192.168.61.0 mask 255.255.255.0 excluded-ip-address 192.168.61.1 192.168.61.60 lease day 10 hour 0 minute 0dns-list 192.168.11.2 192.168.11.5#ip pool 7gateway-list 192.168.71.254network 192.168.71.0 mask 255.255.255.0 excluded-ip-address 192.168.71.1 192.168.71.60 lease day 10 hour 0 minute 0dns-list 192.168.11.2 192.168.11.5#ip pool 8gateway-list 192.168.81.254network 192.168.81.0 mask 255.255.255.0 excluded-ip-address 192.168.81.1 192.168.81.60 lease day 10 hour 0 minute 0dns-list 192.168.11.2 192.168.11.5#ip pool 9gateway-list 192.168.91.254network 192.168.91.0 mask 255.255.255.0 excluded-ip-address 192.168.91.1 192.168.91.60 lease day 10 hour 0 minute 0dns-list 192.168.11.2 192.168.11.5#ip pool 10gateway-list 192.168.101.254network 192.168.101.0 mask 255.255.255.0excluded-ip-address 192.168.101.1 192.168.101.60lease day 10 hour 0 minute 0dns-list 192.168.11.2 192.168.11.5#ip pool 11gateway-list 192.168.111.254network 192.168.111.0 mask 255.255.255.0excluded-ip-address 192.168.111.1 192.168.111.60lease day 10 hour 0 minute 0dns-list 192.168.11.2 192.168.11.5#aaaauthentication-scheme defaultauthorization-scheme defaultaccounting-scheme defaultdomain defaultdomain default_adminlocal-user admin password cipher %$%$O9hP7mbdf4Q#E\vU4j#wX3ypg%$%$@!@$ local-user admin service-type http#interface Vlanif1ip address 192.168.66.254 255.255.255.0#interface Vlanif10 #实现Vlan间互访#ip address 192.168.11.254 255.255.255.0dhcp select global#interface Vlanif20ip address 192.168.21.254 255.255.255.0 dhcp select global#interface Vlanif30ip address 192.168.31.254 255.255.255.0 dhcp select global#interface Vlanif40ip address 192.168.41.254 255.255.255.0 dhcp select global#interface Vlanif50ip address 192.168.51.254 255.255.255.0 dhcp select global#interface Vlanif60ip address 192.168.61.254 255.255.255.0 dhcp select global#interface Vlanif70ip address 192.168.71.254 255.255.255.0 dhcp select global#interface Vlanif80ip address 192.168.81.254 255.255.255.0 dhcp select global#interface Vlanif90ip address 192.168.91.254 255.255.255.0dhcp select global#interface Vlanif99ip address 10.0.0.2 255.255.255.0#interface Vlanif100ip address 192.168.101.254 255.255.255.0dhcp select global#interface Vlanif110ip address 192.168.111.254 255.255.255.0dhcp select global#interface MEth0/0/1ip address 192.168.88.1 255.255.255.0#interface Eth-Trunk1 #链路聚合设置#port link-type trunk #链路聚合后的模式#port trunk allow-pass vlan 2 to 4094 #允许通过的Vlan标签# mode lacp-static #链路聚合模式#max active-linknumber 2 #最大在线端口##interface GigabitEthernet0/0/1 #各端口配置#port link-type accessport default vlan 10loopback-detect enable #环路检测##interface GigabitEthernet0/0/2port link-type accessport default vlan 10 loopback-detect enable#interface GigabitEthernet0/0/3 port link-type accessport default vlan 10 loopback-detect enable#interface GigabitEthernet0/0/4 port link-type accessport default vlan 10 loopback-detect enable#interface GigabitEthernet0/0/5 port link-type accessport default vlan 110#interface GigabitEthernet0/0/6 port link-type accessport default vlan 110 loopback-detect enable#interface GigabitEthernet0/0/7 port link-type accessport default vlan 100 loopback-detect enable#interface GigabitEthernet0/0/8 port link-type accessport default vlan 100loopback-detect enable#interface GigabitEthernet0/0/9 port link-type accessport default vlan 90 loopback-detect enable#interface GigabitEthernet0/0/10 port link-type accessport default vlan 90 loopback-detect enable#interface GigabitEthernet0/0/11 port link-type accessport default vlan 60 loopback-detect enable#interface GigabitEthernet0/0/12 port link-type accessport default vlan 60 loopback-detect enable#interface GigabitEthernet0/0/13 port link-type accessport default vlan 70 loopback-detect enable#interface GigabitEthernet0/0/14 loopback-detect enable#interface GigabitEthernet0/0/15loopback-detect enable#interface GigabitEthernet0/0/16loopback-detect enable#interface GigabitEthernet0/0/17 #链路聚合端口配置1# eth-trunk 1lacp priority 100 #高优先级##interface GigabitEthernet0/0/18 #链路聚合端口配置2# eth-trunk 1lacp priority 100#interface GigabitEthernet0/0/19 #链路聚合端口配置3# eth-trunk 1 #备用链路，2用1备##interface GigabitEthernet0/0/20loopback-detect enable#interface GigabitEthernet0/0/21port link-type trunkport trunk allow-pass vlan 10 20 30 40 50 60 70 80 90 100 port trunk allow-pass vlan 110loopback-detect enable#interface GigabitEthernet0/0/22port link-type trunkport trunk allow-pass vlan 10 20 30 40 50 60 70 80 90 100 port trunk allow-pass vlan 110loopback-detect enable#interface GigabitEthernet0/0/23 #连接防火墙配置#port link-type accessport default vlan 99loopback-detect enable#interface GigabitEthernet0/0/24port link-type accessport default vlan 99loopback-detect enable#interface NULL0#arp static 192.168.81.13 7427-ea35-eedf#ip route-static 0.0.0.0 0.0.0.0 10.0.0.1 #静态路由#ip route-static 192.168.10.0 255.255.255.0 192.168.71.1ip route-static 192.168.12.0 255.255.255.0 192.168.71.2ip route-static 192.168.118.0 255.255.255.0 192.168.111.1#traffic-filter inbound acl 3001 #全局启用ACL管控##snmp-agent #利用Cacti监控192.168.11.151，配置SNMP# snmp-agent local-engineid 800007DB037054F5DFC580snmp-agent community read cipher %$%$@(=VHL9T2A-VkMN9{/I'MJ\SJ%$%$snmp-agent sys-info version allsnmp-agent group v3 publicsnmp-agent target-host trap address udp-domain192.168.11.151 params securityname public#user-interface con 0 #console口密码#authentication-mode passwordset authentication password cipher %$%$Q]]8BRT8^WMuCf9~]%QX~@7.\~)c#$!;K>.194{Fa qXM&$F=8%$%$@#user-interface vty 0 4 #Telnet密码#authentication-mode passworduser privilege level 3set authentication password cipher %$%$%'cJU]0{$8$:m91'RKYxGYsja6iDE%48L>!hl'$Av[8vK 6ypk%$%$@#$#user-interface vty 16 20#相关阅读：交换机硬件故障常见问题电源故障：由于外部供电不稳定，或者电源线路老化或者雷击等原因导致电源损坏或者风扇停止，从而不能正常工作。

华为交换机动态链路聚合命令动态链路聚合（Dynamic Link Aggregation）是一种实现高可靠性、高带宽和负载均衡的技术，其实现方式是通过将多个物理端口组装成一个逻辑端口来满足用户需求。

华为交换机支持动态链路聚合技术，可以有效地提高网络的带宽和可靠性，下面详细介绍华为交换机动态链路聚合命令的相关参考内容。

1. 配置动态链路聚合组在华为交换机上配置动态链路聚合组需要使用命令“interface bridge-aggregation < ID >”，其中“< ID >”为一个数字，表示动态链路聚合组的编号。

例如，配置一个编号为“1”的动态链路聚合组需要使用以下命令：interface bridge-aggregation 12. 添加物理端口到动态链路聚合组将物理端口添加到动态链路聚合组需要使用命令“interface < interface-type > < interface-number >”，其中“< interface-type >”表示物理端口的类型，例如“gigabitethernet”表示千兆以太网端口，“10ge”表示10G以太网端口，“< interface-number >”则表示物理端口的编号。

例如，将端口GigabitEthernet0/0/1和GigabitEthernet0/0/2添加到动态链路聚合组1中需要使用以下命令：interface gigabitethernet 0/0/1eth-trunk 1interface gigabitethernet 0/0/2eth-trunk 13. 配置动态链路聚合组的参数动态链路聚合组支持多种参数配置，包括链路聚合控制协议（LACP）模式、链路可用性检测、负载均衡算法等。

以下是华为交换机动态链路聚合组的参数配置命令示例：3.1 配置链路聚合控制协议模式华为交换机支持静态链路聚合模式和LACP模式两种链路聚合控制协议模式，其中LACP模式可以更好地实现链路的可靠性和负载均衡。

Realize Your Potential华为技术有限公司Huawei S9300系列交换机详版彩页01 Huawei S9300系列交换机Huawei S9300系列是华为公司面向融合多业务的网络架构而推出的新一代高端智能T比特核心路由交换机。

该产品基于华为公司智能多层交换的技术理念，在提供稳定、可靠、安全的高性能L2/L3层交换服务S9303 S9306 S9312S9310产品特点S9300敏捷交换机，让网络更敏捷地为业务服务• S9300 敏捷单板内置高速灵活的以太网络处理器ENP，针对以太网专属设计。

借其灵活的报文处理及流量控制能力，深入贴近业务，满足现在及未来的各种挑战，助力客户构建弹性扩展的网络。

ENP芯片采用全可编程架构，可以完全自定义流量的转发模式、转发行为和查找算法。

通过微码编程实现新业务，客户无需更换新的硬件，快速灵活，6个月即可上线，而传统AS I C 芯片采用固定的转发架构和转发流程，新业务无法快速部署，需要等待1～3年的硬件支持。

• 凭借敏捷单板，S9300支持统一用户管理功能，屏蔽了接入层设备能力和接入方式的差异，支持802.1X/ MAC/Portal等多种认证方式，支持对用户进行分组/分域/分时的管理，用户、业务可视可控，实现了从“以设备管理为中心”到“以用户管理为中心”的飞跃。

• 凭借敏捷单板，S9300支持iPCA网络包守恒算法，改变了传统利用模拟流量做故障定位的检测模型，可对任意业务流随时随地逐点检测网络质量，无需额外开销；可在短时间内立刻检测业务闪断性故障，检测直接精准到故障端口，实现从“粗放式运维”到“精准化运维”的大转变。

• 凭借敏捷单板，S9300支持1588v2和同步以太，满足网络设备间的高精度时间同步，相比GPS的时间不同方案，提升安全的同时降低成本。

创新的CSS集群技术• S9300可通过集群卡连接和业务口连接两种方式实现虚拟化。

CSS集群创新性采用交换网集群技术，提供业界主机间最大的320G集群带宽；业务口集群支持成员机通过LPU上的普通业务口连接，将LPU上的业务口配置为堆叠物理成员端口后加入逻辑堆叠端口，通过SFP+光模块和光纤或SFP+堆叠线缆将堆叠物理成员端口连接。

1 产品定位Quidway® S9300系列以太汇聚交换机（以下简称S9300）是基于新一代的硬件和华为公司统一的VRP®（Versatile Routing Platform）平台而推出的下一代以太网汇聚交换机，提供超大容量、高密度、模块化体系架构，提供二、三层线速转发能力，具有强大组播功能，VLAN交换功能，EPON接口，完善的QoS保障、有效的安全管理机制和传输级高可靠设计，满足城域网、企业园区网对Multi-Play业务承载和全光接入的组网需求，为运营商和企业网提供强大的网络交换和业务运营能力，支持IP专线、VPN、IPTV、IPv6等多种服务。

为了降低运营成本，满足节能减排需求，S9300作为新一代以太汇聚平台采用了多种绿色节能的创新技术，大幅降低设备能耗、减小噪声污染。

图1 Quidway S9300 系列以太汇聚交换机全家福S9300系列包括S9303、S9306、S9312三个产品形态，整个系列秉承模块与备件通用化、归一化的设计理念，最小化备板、备件成本，在保证设备扩展性的同时最大限度地保护用户投资。

同时，S9300整个系列均采用紧凑化设计，满足从城域边缘接入到核心汇聚、从企业高密汇聚到企业核心多种产品密度要求。

2 系统概述2.1 体系架构S9300在传统交换机的数据转发、管理控制双平面基础上进行了创新，在双平面的基础上增加了独立的环境监控平面，率先实现整机三平面设计。

业界首创的环境监控板，核心芯片采用华为自主知识产权的中控芯片，实现硬件级的按流量动态调整功率、风扇分区控制、风扇智能调速、端口休眠技术等多项节能控制技术，独立环境监控与网管联动，实现整机运营维护的全面可视化管理。

图2 创新的三平面设计2.2 产品特点S9300满足城域网以及企业园区网未来发展需求，能够实现交换容量、承载业务的全方位扩展，硬件级运维检测与设备安全防护，平滑升级保护用户投资。

●超大容量交换平台，弹性可扩展硬件架构作为新一代的以太汇聚平台，S9300单槽位支持12×10GE线速线卡，最大可以支持4.8T的背板容量和2T的交换能力，更好地满足IPTV等大带宽业务和IDC机房的接入需求。

一、删除接口下配置9300交换机如果要更改端口模式（如access模式改为trunk模式，或trunk模式改为hybrid 模式），需要清楚接口下所有配置后，才能变更。

命令如下：说明：为方便记忆，本例中部分命令单词采用缩写，命令末尾说明中追加完整命令单词。

1、删除trunk接口所有配置信息：undo port trunk allow vlan all //allow的完整为allow-passport trunk allow vlan 1undo port link trunk //link的完整为link-type2、删除hybrid接口所有配置信息：undo port hyb vlan all //hyb的完整为hybridport hyb untag vlan 1 //untag的完整为untagged3、删除access接口所有配置信息：undo port def vlan xxxx //def的完整为default二、透传vlanport hybrid tagged vlan 100 to 200//tag模式透传vlan，效果相当于trunk模式透传vlanport hybrid untagged vlan 150 to 200//untag模式透传vlan，通常只有需要把QINQ vlan的外层剥掉的情况下这么配置。

port trunk allow-pass vlan 100 to 200//trunk模式透传vlan，通常上下行接设备的时候这么配置。

port default vlan 100//access模式透传vlan，转发出去的报文不带vlan标签，通常接PC时候需要这么配置。

说明：vlan之间是连续的，可以使用to将首尾vlan连起来输入，如上。

如果vlan是不连续的，可以使用空格分隔开。

三、典型配置步骤9300交换机一般配置流程：vlan batch 100 to 200 //批量创建VLAN 100到200interface vlan 100 //配置三层vlanif接口，这里以管理vlan为100举例ip address 1.1.1.2 30 //配置IP地址#interface gig1/0/0 //进入接口（上行或下行，都可以）disp this一定要看一下接口有没有配置，如果现有配置的端口模式跟考试内容有冲突，需要删除。

交换机端口汇聚操作方法
交换机端口汇聚操作方法如下：
1. 首先，将需要汇聚的端口设置为Trunk（汇聚）模式。

在交换机的管理界面或命令行界面中，找到对应的端口配置选项，将其设置为Trunk 模式。

Trunk 模式允许传递多个VLAN 的数据。

2. 接下来，选择一个VLAN 作为Trunk 的本地VLAN。

这是你想要在交换机上配置的VLAN，并且可以在Trunk 模式下传递给其他设备。

在交换机的管理界面或命令行界面中，找到VLAN 配置选项，将其设置为本地VLAN。

3. 配置Trunk 端口的允许VLAN。

在交换机的管理界面或命令行界面中，找到Trunk 端口的配置选项，配置允许通过Trunk 端口的VLAN。

可以选择允许所有VLAN 通过，或者限制只允许特定的VLAN 通过。

4. 如果需要，配置VLAN 标记选项。

有些交换机支持VLAN 标记功能，即将传递的数据进行标记以区分不同的VLAN。

在交换机的管理界面或命令行界面中，找到VLAN 标记配置选项，并根据需要进行配置。

5. 最后，保存并应用配置。

在交换机的管理界面或命令行界面中，找到保存配置的选项，并将配置应用到交换机上。

确认配置成功应用后，Trunk 端口即可开始汇聚工作，传递多个VLAN 的数据。

请注意，不同品牌和型号的交换机可能具有不同的配置方法和选项，以上是一般的操作步骤，具体操作需参考交换机的用户手册或官方文档。

华为交换机链路聚合配置命令1 华为交换机的链路聚合配置华为交换机的链路聚合是指在短暂的网络出现故障时候，可以将几条物理线路聚合，形成逻辑上的一条虚拟通路，提供更高的可靠性和负荷均衡。

1.1 配置步骤下面介绍华为交换机支持的链路聚合配置的步骤：（1）登录华为交换机，进入命令模式。

（2）首先需要配置聚合数量和备用系数:QinQ aggregation interface number xQinQ aggregation spare-ratio y其中，x代表聚合组接口数；y代表源开关检测时间，比如 "0"代表立即把连接移除，"6"表示等待6s后把连接移除，"12"表示等待12s 再把连接移除。

（3）然后配置聚合类型:QinQ aggregation mode x其中，x代表聚合模式："fixed"表示固定负载均衡模式（将流量依然平均分配给eBGP的每个聚合接口），"adaptive"表示自适应负载均衡模式（根据网络状况自动选择最优的聚合接口，保证性能的最优利用）。

（4）在配置完上面的信息后，接着连接并启用链路聚合:Link aggregation group x（5）最后，通过设置port channel口绑定序号，来实现聚合多条物理线路:Link-aggregation group x mode x其中，x表示聚合口编号，x表示聚合模式（static为静态聚合和dynamic为动态聚合），可以使用display link-aggregation x命令，来检查聚合接口名称，以及它们绑定的端口。

1.2 注意事项在华为交换机的链路聚合配置中，需要注意以下几点：（1）确保所有参与聚合的接口当前状态都是up，否则聚合操作将会失败。

（2）保证所有参与聚合的接口都处于同一VLAN环境下，或者是处于统一tag中。

华为交换机vlan划分方法
华为交换机VLAN划分方法
一、VLAN的概念
VLAN（虚拟局域网），是指通过交换机技术，在一个物理网络上模拟出一组逻辑网络。

VLAN可以按照业务类型、部门、物理位置等不同属性，将整个网络拆分成多个不同的网络，减少网络内部的广播流量，提高网络效率，并保证网络安全。

二、VLAN的划分方法
1.物理网络布局
华为交换机的VLAN划分方法，首先要考虑的是物理网络布局，考虑网络交换设备的端口数、网络链路连接、网络拓扑结构等，然后根据实际需求将网络分区为VLAN，使各个VLAN之间的网络访问/交换受到限制，以满足网络安全的基本要求。

2.按业务类型划分
根据公司内部的业务属性划分VLAN，将不同的业务部门或业务类型放在不同的VLAN中，以降低业务之间的耦合度，并降低网络内部的广播流量，提高网络效率。

3.按部门划分
将同一部门的设备放在同一个VLAN中，以便更好地管理和控制网络，使部门内的网络资源能够更好地利用，以提高网络的效率和安全性。

四、VLAN的注意事项
1、VLAN划分时需充分考虑公司内部的业务属性和部门的要求，以便实现有效的业务隔离和范围限制，保证网络的安全性。

2、用户的VLAN访问权限要在满足授权规则的基础上作出有效的限制，以合理限定访问权限，以防止权限滥用。

3、在网络设备的端口设置中，要考虑各VLAN之间的通信情况，有效避免网络当中的环路，确保网络顺利访问。

4、VLAN的划分要灵活，用户之间的网络范围、访问权限、安全性等都要受到充分的保护，以确保网络的正常运行。

华为交换机动态链路聚合命令华为交换机动态链路聚合命令一、动态链路聚合简介动态链路聚合（Dynamic Link Aggregation，DLA）是一种将多个物理链路绑定成一个逻辑链路的技术。

通过将多个物理链路绑定成一个逻辑链路，可以提高网络带宽、提高网络可靠性和实现负载均衡等功能。

在华为交换机中，动态链路聚合可以通过LACP协议实现。

LACP协议是一种标准化的协议，可以实现交换机之间的动态链路聚合。

二、配置动态链路聚合命令1. 创建Link Aggregation Group（LAG）在华为交换机中创建Link Aggregation Group需要使用以下命令：[Switch] interface gigabitethernet 0/0/1[Switch-GigabitEthernet0/0/1] port link-aggregation group 1[Switch-GigabitEthernet0/0/1] quit其中，gigabitethernet 0/0/1表示需要绑定的物理接口，group 1表示创建的LAG编号。

2. 配置LAG属性创建好LAG后，还需要对LAG进行属性配置。

以下是常用的LAG属性配置命令：[Switch] interface Eth-Trunk 1[Switch-Eth-Trunk1] mode lacp-static[Switch-Eth-Trunk1] lacp priority 32768[Switch-Eth-Trunk1] quit其中，mode lacp-static表示LAG使用静态LACP模式，lacp priority 32768表示LAG的优先级为32768。

3. 配置物理接口将物理接口绑定到LAG上需要使用以下命令：[Switch] interface gigabitethernet 0/0/2[Switch-GigabitEthernet0/0/2] quit4. 查看LAG状态查看创建好的LAG状态需要使用以下命令：[Switch] display link-aggregation summary其中，可以查看到LAG的编号、状态、绑定的物理接口等信息。

1、开始建立本地配置环境，将主机的串口通过配置电缆与以太网交换机的Console口连接。

在主机上运行终端仿真程序（如Windows的超级终端等），设置终端通信参数为：波特率为9600bit/s、8位数据位、1位停止位、无校验和无流控，并选择终端类型为VT100。

以太网交换机上电，终端上显示以太网交换机自检信息，自检结束后提示用户键入回车，之后将出现命令行提示符（如<Quidway>）。

键入命令，配置以太网交换机或查看以太网交换机运行状态。

需要帮助可以随时键入"?" 2、命令视图0000(1)用户视图(查看交换机的简单运行状态和统计信息)<Quidway>:与交换机建立连接即进入(2)系统视图(配置系统参数)[Quidway]:在用户视图下键入system-view(3)以太网端口视图(配置以太网端口参数)[Quidway-Ethernet0/1]:在系统视图下键入int erface ethernet 0/1(4)VLAN视图(配置VLAN参数)[Quidway-Vlan1]:在系统视图下键入vlan 1(5)VLAN接口视图(配置VLAN和VLAN汇聚对应的IP接口参数)[Quidway-Vlan-interface1]:在系统视图下键入interface vlan-interface 1(6)本地用户视图(配置本地用户参数)[Quidway-luser-user1]:在系统视图下键入local-u ser user1(7)用户界面视图(配置用户界面参数)[Quidway-ui0]:在系统视图下键入user-interface00003、其他命令0000设置系统时间和时区<Quidway>clock time Beijing add 8<Quidway>clock datetime 12:00:00 2005/01/23设置交换机的名称[Quidway]sysname TRAIN-3026-1[TRAIN-3026-1]配置用户登录[Quidway]user-interface vty 0 4[Quidway-ui-vty0]authentication-mode scheme创建本地用户[Quidway]local-user huawei[Quidway-luser-huawei]password simple huawei[Quidway-luser-huawei] service-type telnet level 300004、VLAN配置方法000『配置环境参数』SwitchA端口E0/1属于VLAN2，E0/2属于VLAN3『组网需求』把交换机端口E0/1加入到VLAN2 ，E0/2加入到VLAN3数据配置步骤『VLAN配置流程』(1)缺省情况下所有端口都属于VLAN 1，并且端口是access端口，一个access端口只能属于一个vlan；(2)如果端口是access端口，则把端口加入到另外一个vlan的同时，系统自动把该端口从原来的vlan中删除掉；(3)除了VLAN1，如果VLAN XX不存在，在系统视图下键入VLAN XX，则创建VLAN XX并进入VLAN视图；如果VLAN XX已经存在，则进入VLAN视图。

Huawei S9300 SwitchProduct BrochuresRealize Your Potential01 Huawei S9300 Switch Product S9303 S9306S9312 Product OverviewProduct FeaturesAgile Switch, Enabling Networks to Be More Agile for Services• The high-speed ENP is tailored for Ethernet networks. The ENP's flexible packet processing and traffic control capabilities can meet current and future service requirements and help build a highly scalable network. The ENP has a fully programmable architecture, in which customers can define their own forwarding models, forwarding behaviors, and lookup algorithms. Microcode programmability enables new services to be provisioned within six months, without the need of replacing the hardware. In contrast, with traditional ASIC chips, new services cannot be provisioned until new hardware is developed to support the services, which may take 1 to 3 years, because ASIC chips use a fixed forwarding architecture and follow a fixed forwarding process.• By using an ENP board, the S9300 supports the unified user management function to authenticate both wired and wireless users, ensuring a consistent user experience regardless of whether they use wired or wireless access devices to connect to the network. The unified user management function supports various authentication methods, including 802.1x, MA C, and Portal authentications, and is capable of managing users based on user groups, domains, and time ranges. This function visualizes user and service management and enables the transformation from device-centric management to user-centric management.• The ENP board supports the Packet Conservation Algorithm for Internet (iPCA) function, which changes the traditional method of using simulated traffic for fault location. iPCA technology can monitor network quality for any service flow at any network node, at any time, and without extra costs. It can detect temporary service interruptions in a very short time and precisely identify faulty ports. This cutting-edge fault detection technology turns "extensive management" to "fine granular management."• Huawei's IEEE 1588v2 and Synchronous Ethernet (SyncE) solutions enable high-precision time synchronization between network devices. Compared with the Global Positioning System (GPS) time synchronization solution, Huawei's solutions enhance security while reducing costs. Innovative CSS Technology• S9300 switches can set up a clustering switch system (CSS) through cluster cards or service ports. The CSS providesindustry-leading 320 Gbps inter-chassis bandwidth dueto Huawei's novel approach of using the switching fabric clustering technology in CSS. Member switches can be connected through the service ports on LPUs. Theseservice ports can be configured as stack member portsand added to a logical stack port to enable connectionthrough SFP+ optical modules and fibers, or direct connection through SFP+ stack cables. Virtualization technology improves link use efficiency and preventssingle-point failures through inter-chassis link aggregation.• The S9300 uses route hot backup technology to backup and uninterruptedly forward all data of the controland data planes at Layer 3. This technology significantly improves reliability and performance of the S9300. Theinter-chassis links in a CSS can be bundled to improve linkuse efficiency and eliminate single-point failures.• The S9300 can use common service ports as cluster ports,and member switches can be connected through opticalfibers. This increases the permitted distance between switches in the CSS.• All member switches in a CSS are managed through asingle IP address, which simplifies network device and topology management, improves network operationefficiency, and reduces maintenance costs.Carrier-Class Reliability• The S9300's key components, such as MPUs, power supplies, and fans trays, use a redundant design, and all modules are hot swappable to ensure stable network running.• The S9300 supports 3.3 ms hardware-based BFD for staticroutes and routing protocols such as RIP, OSPF, BGP, IS-IS, VRRP, PIM, and MPLS. Hardware-based BFD significantly improves network reliability.• The S9300 supports High-speed Self Recovery (HSR) technology. Using Huawei's ENP cards, the S9300 is the industry's only switch that implements end-to-end IPMPLS bearer network protection switchover within 50 ms, improving network reliability.• The S9300 supports hardware-based Ethernet OA Min compliance with IEEE 802.3ah, 802.1ag, and ITU-Y.1731. Hardware-based Ethernet OAM can collect precise network parameters, such as transmission latency andjitter, to help customers monitor network operating statusin real time and to realize fast fault detection, location,and failover.• The S9300 supports Graceful Restart (GR) technology to implement nonstop forwarding (NSF) and ensure reliableand high-speed operation of the entire network.02Powerful Service Processing Capabilities• The S9300 provides high-density 10GE ports and provide 4 x 100GE line card, Each S9312 chassis can provide a maximum of 576 x 10GE ports and 48 x 100GE ports, meeting the requirements of bandwidth-consuming applications, such as multimedia conferencing and data access.• Based on a multi-service routing and switching platform, the S9300 provides wireless access, voice, video, and data services for network access, aggregation, and core layers, helping customers build a highly reliable, low-latency, and multi-service network.• The S9300 supports distributed MPLS L2/L3VPN functions including MPLS, virtual private LA N service (VPLS), hierarchical VPLS (HVPLS), and virtual leased line (VLL), to provide secure access for VPN users.• The S9300 supports comprehensive Layer 2 and Layer 3 multicast protocols, including Protocol Independent Multicast Sparse Mode (PIM SM), PIM Dense Mode (DM), PIM Source-Specific Multicast (SSM), Multicast Listener Discovery (MLD), and Internet Group Management Protocol (IGMP) snooping, to ensure high-quality HD video surveillance and video conferencing services.• The Service Chain feature virtualizes the value-added service processing capabilities, such as firewall, so that campus networks can utilize these capabilities in an undifferentiated manner. That is, these capabilities can be used without location constraint.• The software platform where the S9300 runs supports various routing protocols (including IPv6) to meet carriers' network requirements and allows carriers to smoothly upgrade their networks to IPv6.Various Network Traffic Analysis Functions• The S9300 supports NetStream, including V5/V8/V9 versions. The NetStream features involve aggregation traffic template, real-time traffic sampling, dynamic report generation, traffic attribute analysis, and traffic exception alarms. The S9300 sends traffic statistics logs to master and backup servers simultaneously to avoid data loss. NetStream helps monitor the operating status and traffic model on the entire network. It also provides fault pre-detection, effective fault rectification, fast problem handling, and security monitoring capabilities to help customers optimize network structure and adjust service deployment.Comprehensive Security Measures• The S9300 supports MAC security (MACSec) that enables hop-by-hop secure data transmission. The S9300 can beapplied to scenarios that pose high requirements on data confidentiality, such as government and finance sectors.• NGFW is a next-generation firewall card installed on an S9300. In addition to the traditional defense functions, such as identity authentication and Anti-DDoS, the NGFW supports IPS, anti-spam, web security, and application control functions.• The S9300 provides comprehensive network admission control (NAC) solutions, involving MAC, 802.1x, and Portal authentications as well as authentication triggered by DHCP snooping. These authentication methods ensure the security of various access users, such as dumb terminals, mobile users, and users allocated dynamic IP addresses. Comprehensive IPv6 Solution• The S9300 software and hardware platforms support IPv6. The Ministry of Industry and Information Technology (MIIT) has certified the S9300 as IPv6 network-access compliant and has awarded IPv6 Ready Logo Phase 2 certification.• The S9300 supports IPv6 routing protocols such as RIPng, OSPFv3, IS-ISv6, as well as IPv6 static routes, and supports BGP4+, MLD v1/v2, MLD snooping, PIM-SM/DMv6, and PIM-SSMv6.• The S9300 supports various IPv4-to-IPv6 technologies to ensure seamless network migration. The technologies include IPv6 manual tunnel, 6to4 tunnel, Intra-site Automatic Tunnel Addressing Protocol (ISATAP) tunnel, Generic Routing Encapsulation (GRE) tunnel, and IPv4-compatible automatic tunnel.Innovative Energy Saving Design• The S9300 uses a rotating ventilation channel to improve heat dissipation efficiency and a variable-current chip to dynamically adjust power according to traffic volume. These technologies reduce power consumption of the entire chassis by 11%. The S9300 supports port sleeping. Idle ports enter the sleeping state to reduce power consumption.• The S9300 supports intelligent fan-speed adjustment, in which fans are grouped into multiple zones and fan speed in each zone is adjusted individually based on service loads. This technology lowers power consumption, reduces noise, and extends the service life of fans.• The S9300 supports Energy Efficient Ethernet (EEE) in compliance with IEEE 802.3az. Transceivers on line cards can quickly transition to the lower power idle state to reduce power consumption when no traffic is being transmitted.03VXLAN• VXLAN is used to construct a Unified Virtual Fabric (UVF). As such, multiple service networks or tenant networks can be deployed on the same physical network, and service and tenant networks are isolated from each other. This capability truly achieves 'one network for multiple purposes'. The resulting benefits include enabling data transmission of different servicesor customers, reducing the network construction costs, and improving network resource utilization. The S9300 series switches are VXLAN-capable and allow centralized and distributed VXLAN gateway deployment modes. These switches alsosupport the BGP EVPN protocol for dynamically establishing VXLAN tunnels and can be configured using NETCONF/YANG.OPS• Open Programmability System (OPS) is an open programmable system based on the Python language. IT administratorscan program the O&M functions of a switch through Python scripts to quickly innovate functions and implement intelligentO&M.Big Data Security Collaboration• Agile switches use NetStream to collect campus network data and then report such data to the Huawei Cybersecurity Intelligence System (CIS). The purposes of doing so are to detect network security threats, display the security posture acrossthe entire network, and enable automated or manual response to security threats. The CIS delivers the security policies to theAgile Controller. The Agile Controller then delivers such policies to agile switches that will handle security events accordingly.All these ensure campus network security.Intelligent Diagnosis• Open Intelligent Diagnosis System (OIDS) integrates the device health monitoring and fault diagnosis functions – that are typically deployed on a Network Management System (NMS) – into the switch software to implement intelligent diagnosison a single switch. After OIDS is deployed on a switch, the switch periodically collects and records the running informationand automatically determines whether a fault occurs. If a fault occurs, the switch automatically locates the fault or helpslocate the fault. All these merits increase fault locating efficiency of O&M staff while improving device maintainability.04Product Specifications0506Product List07080910111213 Applications Applications in Carriers' MANs Applications in Large-Scale Data Centers The S9300 provides carrier-class reliability, security, and manageability. By converging DSLAM, LAN, and enterprise access services, the S9300 provides large-capacity switching and high-density 10G interfaces. At the convergence layer, the interface rate can be smoothly upgraded from 10GE to 40GE/100GE, meeting the increasing bandwidth requirements of ISP networks. The S9300 supports features such as RRPP , Ethernet OAM, VRRP , and MPLS L2/L3VPN, and satisfies the requirements for IPTV, high speed Internet (HSI), and enterprise leased lines.The S9300 switches function as high-density 10G core and aggregation nodes in large-scale data centers, helping enterprises build highly reliable, non-blocking, and virtualized data center networks. The S9300 switches use various technologies, including IP FRR, hardware-level BFD, NSF, VRRP , and E-Trunk, to ensure uninterrupted services. In addition, the S9300 switches support the CSS function to improve network IT efficiency and reduce network maintenance costs.For more information, visit / or contact your local Huawei sales office.Web & Email Application Application Database S2300Copyright © Huawei Technologies Co., Ltd. 2018. All rights reserved.Trademark NoticeGeneral Disclaimer, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd.Other trademarks, product, service and company names mentioned are the property of their respective owners.The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei maychange the information at any time without notice. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.HUAWEI TECHNOLOGIES CO.,LTD.Huawei Industrial Base Bantian Longgang Shenzhen 518129,P.R.China Tel: +86 755 。

S9300系列T比特核心路由交换机S9303S9306S9300系列是华为公司面向融合多业务的网络架构而推出的新一代高端智能T 比特核心路由交换机。

该产品基于华为公司智能多层交换的技术理念，在提供稳定、可靠、安全的高性能L2/L3层交换服务基础上，实现高清视频流承载、大容量无线网络、弹性云计算、硬件IPv6、一体化安全等业务应用，同时具备强大扩展性和可靠性。

S9300系列交换机广泛适用于广域网、城域网、园区网络和数据中心，帮助企业构建面向应用的网络平台，提供交换路由一体化的端到端融合网络。

S9300系列提供S9303、S9306、S9312三种产品形态，支持不断扩展的交换能力和端口密度。

整个系列秉承模块通用化、部件归一化的设计理念，最小化备件成本，在保证设备扩展性的同时最大限度地保护用户投资。

此外，S9300作为新一代智能交换机采用了多种绿色节能创新技术，在不断提升性能及稳定性的同时，大幅降低设备能源消耗，减小噪声污染，为网络绿色可持续发展提供领先的解决方案。

S9300系列T 比特核心路由交换机产品概述先进交换架构提升网络扩展性• 背板具备良好的扩展性，可平滑扩展至更高带宽，支持单端口速率40G ，同时完美兼容现网板卡，保护初始投资。

• 超高万兆端口密度，单台设备支持480个万兆端口，助力企业园区和数据中心迎来全万兆核心时代。

运营级高可靠性设计，保障企业应用永续运行• S9300所有关键器件,如主控、电源、风扇等均采用冗余设计，所有模块均支持热插拔。

• CSS 集群创新性采用交换网集群技术，克服了业界普遍采用的线卡集群跨框多次交换，交换效率低下的架构难题，提供业界主机间最大的256G 集群带宽，同时可以通过跨框链路聚合提高链路的利用率，并消除单点故障。

产品特点S93121•支持完善的运维检测与性能管理802.3ah、802.1ag和ITU-Y.1731，能够对网络传输中的时延、抖动等参数进行精确统计，实时监测网络运行情况，并在设备故障发生时快速定位。

华为交换机链路聚合命令一、华为交换机链路聚合概述链路聚合（Link Aggregation，LAG）是指将多个物理端口绑定成一个逻辑端口，从而提高带宽和可靠性。

华为交换机支持静态链路聚合和动态链路聚合两种方式。

静态链路聚合需要手动配置，适用于网络拓扑结构比较简单的场景；动态链路聚合则由协议自动完成，适用于网络拓扑结构比较复杂的场景。

二、华为交换机静态链路聚合命令1. 创建静态链路聚合组创建静态链路聚合组需要指定组号和模式（标准模式或LACP模式），示例命令如下：[huawei] interface Eth-Trunk 1[huawei-Eth-Trunk1] mode lacp2. 添加物理接口到静态链路聚合组添加物理接口到静态链路聚合组需要指定组号和物理接口编号，示例命令如下：[huawei] interface GigabitEthernet 0/0/1[huawei-GigabitEthernet0/0/1] eth-trunk 13. 配置静态链路聚合组的基本属性配置静态链路聚合组的基本属性包括：最大帧长、端口优先级、链路聚合组的描述等，示例命令如下：[huawei] interface Eth-Trunk 1[huawei-Eth-Trunk1] description trunk-group-1[huawei-Eth-Trunk1] port link-type trunk[huawei-Eth-Trunk1] port max-frame-length 9216[huawei-Eth-Trunk1] port priority 644. 配置静态链路聚合组的负载均衡方式配置静态链路聚合组的负载均衡方式包括：源MAC地址、目的MAC 地址、源IP地址、目的IP地址等，示例命令如下：[huawei] interface Eth-Trunk 1[huawei-Eth-Trunk1] load-balance dst-ip5. 查看静态链路聚合组信息查看静态链路聚合组信息可以使用display interface eth-trunk命令，示例如下：[huawei] display interface eth-trunk 1Eth-Trunk1 current state : UPLine protocol current state : UPDescription: trunk-group-1Route Port,The Maximum Transmit Unit is 9216, Hold timer is10(sec)Internet Address is not setLink layer protocol is IEEE 802.3adLoad sharing method: destination IP address-based(Hash) Member port:GigabitEthernet0/0/1 GigabitEthernet0/0/2 GigabitEthernet0/0/3三、华为交换机动态链路聚合命令动态链路聚合需要使用LACP协议，在华为交换机上的配置命令如下：1. 开启LACP协议开启LACP协议需要在接口上配置，示例命令如下：[huawei] interface GigabitEthernet 0/0/1[huawei-GigabitEthernet0/0/1] lacp enable2. 配置LACP协议的基本属性配置LACP协议的基本属性包括：端口优先级、系统优先级等，示例命令如下：[huawei] interface GigabitEthernet 0/0/1[huawei-GigabitEthernet0/0/1] lacp priority 1003. 查看动态链路聚合信息查看动态链路聚合信息可以使用display lacp命令，示例如下：[huawei] display lacpGlobal LACPDUs: Sent 22, Received 19Local System ID: 32768-00e0-fc00-0001System Priority: 32768Aggregation Mode: Link Aggregation Control Protocol (LACP) Actor Information:Actor System ID:32768-00e0-fc00-0001Actor Key:32769Actor Port Priority:32Actor Port Number:5Partner Information:Partner System ID:32768-0018-ba00-0002Partner Key:32769Partner Port Priority:255Partner Port Number:3四、华为交换机链路聚合常见问题及解决方法1. 静态链路聚合组无法建立可能原因：组号或模式设置错误；物理接口未添加到组中。