< Home

SVF Service Deployment Limitations

SVF supports two service configuration modes: centralized mode and independent mode.

The following describes the configurable functions in different service configuration modes.

Centralized Mode (Batch Configuration: Functions Globally Delivered)

Function

Description

Configure the SVF forwarding mode.

An SVF system supports two forwarding modes: centralized forwarding and distributed forwarding.

  • In centralized forwarding mode, traffic forwarded by the local AS and forwarded between ASs is sent to the parent for forwarding.

  • In distributed forwarding mode, an AS directly forwards local traffic and the parent forwards traffic between ASs.

NOTE:
  • In centralized forwarding mode, ports of the ASs connected to the same fabric port of the parent are isolated and so cannot communicate at Layer 2, and need to have proxy ARP in the corresponding VLAN configured using the arp-proxy inner-sub-vlan-proxy enable command to communicate at Layer 3.
  • In centralized forwarding mode, after an AS goes offline, traffic of its attached network cannot be forwarded by the parent and will be interrupted.
  • In distributed forwarding mode, after an AS goes offline, in versions earlier than V200R012C00, downlink ports of the AS are automatically shut down. As a result, traffic of the AS attached network will be interrupted. In V200R012C00 and later versions, downlink ports of the AS will not be shut down, and traffic of the AS attached network will be forwarded as usual.

By default, the forwarding mode of an SVF system is distributed forwarding.

Configure the URL encoding function for an AS (This function is supported in V200R009 and later versions).

To improve web application security, data from untrustworthy sources must be encoded before being sent to clients. URL encoding is most commonly used in web applications. After URL encoding is enabled for ASs, special characters in redirect URLs are converted to secure formats, preventing clients from mistaking them for syntax signs or instructions and unexpectedly modifying the original syntax. In this way, cross-site scripting attacks and injection attacks are prevented. By default, URL encoding is enabled in ASs. This function can be disabled using the portal url-encode disable command.

Configure authentication-free rules.

In addition to the configurations in service profiles, the parent delivers the configured Portal authentication-free rules to ASs. Authentication-free rules 0 to 127 can be delivered to ASs of the S5720-EI model; authentication-free rules 0 to 31 can be delivered to ASs of other models; authentication-free rules outside the two ranges will not be delivered to ASs.

Enable IGMP snooping for a service VLAN on an AS (This function is supported in V200R010 and later versions).

By default, IGMP snooping is disabled for service VLANs on an AS.

Enable the function of retaining the authentication configuration after an AS goes offline. (This function is supported in V200R019 and later versions.)

By default, the authentication configuration is cleared after an AS goes offline.

Centralized Mode (Batch Configuration: Functions Delivered Using Profiles)

Function

Sub-function

Service

Device management

Administrator

User name and password of the local administrator

Traffic policing

Rate limit for outgoing ARP and DHCP packets on an uplink fabric port

BPDU protection

BPDU protection on ASs (supported only in V200R013C00 and later versions)

Basic network service

VLAN management

Addition and removal of ports to or from a VLAN

Configuration of the port that connects an AS to an AP

Voice VLAN based on LLDP or CDP negotiation

Enhanced network service

Basic QoS

Trust 802.1p (This function is not supported in V200R011C10 and later versions)

NOTE:

In V200R011C10 and later versions, the priority-trust enable command cannot be executed in the network enhanced profile view to configure the priority trust function.

Port security

Broadcast, multicast, and unknown unicast traffic suppression on a port

Port rate limiting

STP edge port

Access security

DHCP snooping, IPSG, and DAI

MAC management

(supported only in V200R013C00 and later versions)

Action taken on an interface in case of MAC address flapping

Alarm function for MAC address learning and aging

Access service

Access authentication
  • 802.1X authentication, MAC address authentication, and Portal authentication
  • Access control over IPv6 users and single-stack authentication (supported in V200R019 and later versions)

Access control

MAC address limiting

Maximum number of access users on an AS port (This function is supported in V200R010 and later versions)

Traffic policing

Rate limit for incoming ARP and DHCP packets on an AS port

QoS service

(supported only in V200R013C00 and later versions)

Priority mapping

To configure priority mapping based on DSCP priorities, run the trust dscp command.

Queue scheduling mode

To configure a queue scheduling mode, run the qos { pq | wrr | drr } command.

Queue scheduling weight

To configure a queue scheduling weight, run the qos queue command.

Traffic policy services

(supported only in V200R019C00 and later versions)

Packet re-marking

To configure the packet re-marking rule and information, run the policy command.

Centralized Mode (Single Configuration: Functions Delivered Using the direct-command Command)

The interface view cannot be the Eth-Trunk interface view.

In versions earlier than V200R019C00, a maximum of 4096 commands can be configured. In V200R019C00 and later versions, a maximum of 8192 commands can be configured.

Service Category

Format

View

Function

Configuration Dependency and Restriction

Energy-saving management

port-auto-sleep enable

Interface view

Enables the port sleeping function on an electrical interface.

This command cannot be configured on combo interfaces.

PoE

poe force-power

Interface view

Enables forcible PoE power supply on an interface.

-

poe legacy enable

Interface view

Enables an interface to check compatibility of PDs.

-

poe priority { critical | high | low }

Interface view

Sets the power supply priority of a PoE interface.

-

poe af-inrush enable slot slot-id

System view

Configures the IEEE 802.3at-compliant device to provide power in accordance with IEEE 802.3af.

-

poe high-inrush enable slot slot-id

System view

Configures a device to allow high inrush current during power-on.

-

undo poe enable (supported in V200R011C10 and later versions)

Interface view

Disables the PoE function on an interface.

-

Ethernet interfaces

undo negotiation auto

Interface view

Configures an interface to work in non-auto negotiation mode.

After you run the undo direct-command command, the interface works in auto negotiation mode.
  • This command cannot be configured on combo interfaces.

  • Do not cancel the undo negotiation auto command when speed or duplex is specified.

speed { 10 | 100 | 1000 | 2500 | 5000 | 10000 }

Interface view

Sets the rate in non-auto negotiation mode.

  • This command cannot be configured on combo interfaces.

  • Ensure that the interface works in non-auto negotiation mode before configuring this command.

speed auto-negotiation

Interface view

Enables auto-negotiation on a GE optical interface.

  • Support for this command varies depending on switch models. For details, see the speed auto-negotiation command in the Command Reference - Interface Management Commands - Ethernet Interface Configuration Commands.

  • Ensure that the interface works in auto-negotiation mode before configuring this command.

duplex { full | half }

Interface view

Sets the duplex mode for an electrical interface in non-auto negotiation mode.

  • This command cannot be configured on combo interfaces.

  • Ensure that the interface works in non-auto negotiation mode before configuring this command.

  • When the working rate of a GE electrical interface is 1000 Mbit/s, the interface supports only the full duplex mode.

loopback internal

Interface view

Configures a loopback detection mode on an interface.

-

description description (supported in V200R011C10 and later versions)

Interface view

Configures the description for an interface.

The description contains a maximum of 52 characters in V200R011C10, and the description contains a maximum of 116 characters in V200R012C00 and later versions.

Eth-Trunk interface

description description (supported in V200R019C00 and later versions)

Eth-Trunk interface view

Configures the description for an Eth-Trunk interface.

The description contains a maximum of 116 characters.

The description can be configured for a service Eth-Trunk interface or an Eth-Trunk interface used in an SVF system to connect upstream and downstream devices. The description cannot be configured for Eth-Trunk0.

Port bridge

port bridge enable

Interface view

Enables the bridging function on an interface.

-

Port Security

(supported in V200R019 and later versions)

port-security mac-address sticky mac-address vlan vlan-id

Interface view

Configures a sticky MAC address entry.

-

save sticky-mac configuration

System view

Saves the sticky MAC addresses on an AS to a file named unimng-xxxx.ztbl. xxxx in the file name represents the management MAC address of the AS.

-

port-security max-mac-num max-number

Interface view

Sets the maximum number of secure MAC addresses that can be learned on an interface.

The port-security max-mac-num max-number command in direct configuration mode is mutually exclusive with the mac-limit maximum max-num command configured in a user access profile and cannot be both configured.

Voice VLAN

voice-vlan mac-address mac-address mask mask (supported in V200R011C10 and later versions)

System view

Configures the OUI address of the voice VLAN.

-

LBDT

loopback-detect enable

Interface view

Enables loopback detection on an interface.

-

loopback-detect packet vlan vlan-id

Interface view

Enables loopback detection for a specified VLAN.

If you configure this command multiple times, loopback detection is enabled for multiple VLANs.

ARP rate limiting

arp speed-limit source-mac maximum maximum

System view

Configures ARP rate limiting based on source MAC addresses.

  • Only the S5720-EI, S6720S-EI, and S6720-EI support this command.

  • This function takes effect only for the ARP packets sent to the CPU.

arp speed-limit source-ip maximum maximum

System view

Configures ARP rate limiting based on source IP addresses.

This function takes effect only for the ARP packets sent to the CPU.

Stack

port interface { interface-type interface-number1 [ to interface-type interface-number2 ] } enable (supported in V200R010 and later versions)

Stack interface view:

stack-port member-id/port-id

Configures a service interface as a stack member port and adds it to a stack port.

Before restoring the stack member ports that are added to a stack port in direct configuration mode as common service interfaces, you do not need to run the shutdown interface command in the stack interface view.

stack slot slot-id priority priority (supported in V200R010 and later versions)

System view

Sets a stack priority for a member switch in a stack.

-

stack slot slot-id renumber new-slot-id (supported in V200R011C10 and later versions)

System view

Changes the stack ID of a specified member switch in a stack.

NOTICE:

If there are services running, delivering this command may cause service interruptions and configuration loss. Therefore, you are advised to deliver this command when an AS is unconfigured.
A stack ID cannot be changed in the following situations:
  • The switch is a standalone switch that does not join any stack.
  • The newly configured stack ID is an existing stack ID of a specified member switch in a stack.
  • Ports with the specified slot-id have been configured as member ports of an uplink fabric port.
  • Ports with the specified slot-id have been configured as member ports of a downlink fabric port.

User Access and Authentication (supported in V200R012C00 and later versions)

access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

System view

Sets the source IP address and source MAC address of offline detection packets in a VLAN.
  • In other V200R012C00 versions except V200R012C00SPC710, this command can be configured only one. If you want to modify the configuration, delete the existing configuration and then perform the configuration again.
  • In V200R012C00SPC710 and V200R013C00, when vlan, ip-address, and mac-address are all different, multiple configurations of this command can be generated. If any one of vlan, ip-address, and mac-address has been configured, delete the existing configuration before reconfiguring them.
  • In V200R019 and later versions, multiple configurations of this command can be generated regardless of whether the VLAN, IP address, and MAC address are the same. You do not need to delete the existing configuration. If the newly configured VLAN is the same as the existing one, the IP address and MAC address in the original configuration are replaced with the newly configured IP address and MAC address. If the newly configured VLAN is different from the existing one, a new configuration is generated.

access-user arp-detect default ip-address ip-address

System view

Sets the default source IP address of offline detection packets.

-

undo user-detect

System view

Disables the online user detection function.

-

authentication speed-limit max-num max-num-value interval interval-value (supported in V200R013C00 and later versions)

System view

Configures the rate limit for an access device to send user association and disassociation request messages.

-

access-user arp-detect fallback ip-address mask-length (supported in V200R013C00 and later versions)

System view

Configures an IP address required for calculating the source address of offline detection packets.

If you run this command multiple times, only the latest configuration takes effect.

access-user arp-detect delay delay (supported in V200R013C00 and later versions)

System view

Configures the delay for sending offline detection packets.

-

static-user start-ip-address [ end-ip-address ] [ mac-address mac-address | vlan vlan-id ] (supported in V200R019C00 and later versions)

System view

Configures a static user.

If the IP address of a static user is set to an IP address range, any IP address in this address range cannot be modified or deleted.

Centralized Mode (Configurable Commands After Logins to ASs Using the attach-as Command or Console Port)

Commands that can be configured after you log in to an AS in centralized configuration mode are mainly used for fault diagnosis.

  • In the user view and diagnostic view, all commands are supported except the commands listed in Table 1. Additionally, in V200R009 and earlier versions, the diagnostic view can be displayed only after the diagnose-command command is executed in the user view.

    Table 1 Commands not supported in the user view and diagnostic view of ASs

    Command

    View

    configuration copy file file-name to running

    User view

    configuration copy startup to file file-name

    User view

    configuration exclusive

    User view

    format drive

    User view

    lldp clear neighbor [ interface interface-type interface-number ]

    User view

    local-user change-password

    User view

    lock

    User view

    startup patch patch-name [ slave-board | slot slot-id ]

    User view

    startup saved-configuration configuration-file [ slot slot-id ]

    User view

    startup system-software system-file [ all | slave-board | slot slot-id ]

    User view

    save [ all ] [ configuration-file ]

    User view

    save logfile [ all ]

    User view

    reboot [ fast | save diagnostic-information ]

    User view

    schedule reboot { at time | delay interval [ force ] }

    User view

    rollback

    User view

    cli enable-config

    Diagnostic view

    configuration datasync start script-file script-file { result-file result-file }

    Diagnostic view

    test-device port loopback slot { slot-id | interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-10> }

    Diagnostic view

    stack enable

    undo stack enable

    Diagnostic view

    undo startup system-software

    Diagnostic view

  • Commands that are supported in other views are used for service diagnosis and fault location. In V200R009 and earlier versions, the uni-mng diag-mode enable command must be executed first to enable the diagnostic mode.

    Table 2 Commands supported in other views

    Command

    Function

    Configuration Guidelines

    port-mirroring

    undo port-mirroring

    Binds a mirrored port to an observing port.

    You are not advised to perform service configurations on Eth-Trunk member ports of an AS that are bound to a fabric port, as doing so may cause a failure of SVF system setup.

    traffic-mirror

    undo traffic-mirror

    Configures the traffic mirroring function.

    You are not advised to perform service configurations on Eth-Trunk member ports of an AS that are bound to a fabric port, as doing so may cause a failure of SVF system setup.

    observe-port

    undo observe-port

    Configures an observing port.

    Generally, an observing port is dedicated to monitoring forwarding of mirrored traffic. Therefore, configuring an AS port with service configurations as an observing port is not recommended. If a port has been configured as an observing port, do not deliver service configurations to this port through service profiles or the direct-command command.

    You are not advised to perform service configurations on Eth-Trunk member ports of an AS that are bound to a fabric port, as doing so may cause a failure of SVF system setup.

    traffic-statistic

    undo traffic-statistic

    Enables the traffic statistics collection function.

    If you delete the traffic-statistic command that is delivered by the parent to an AS, you will fail to obtain traffic statistics about the AS on the parent.

    You are not advised to perform service configurations on Eth-Trunk member ports of an AS that are bound to a fabric port, as doing so may cause a failure of SVF system setup.

    capture-packet

    Configures the packet header obtaining function.

    In an SVF system, an Eth-Trunk bound to a fabric port cannot capture service packets.

    acl 2000-2999

    undo acl 2000-2999

    Creates or deletes an ACL rule.

    If the number of traffic policies on an AS reaches the upper limit, the parent fails to deliver the IPSG or DAI configurations. Run the display uni-mng commit-result profile command on the parent to check the configuration delivery result. If the command output shows that the configuration delivery fails, run the display uni-mng execute-failed-record profile as name as-name command to check execution failure records after the configuration is delivered to an AS. The command output provides detailed information about the delivery failure. You can log in to the AS to check whether the ACL resources are used up.
    • Versions earlier than V200R019:

      acl 3000-3998

      undo acl 3000-3998

    • V200R019 and later versions:

      acl 3901-3998

      undo acl 3901-3998

    acl 4000-4997

    undo acl 4000-4997

    rule

    undo rule

    Creates an ACL rule.

    -

    interface Eth-Trunk

    undo interface Eth-Trunk

    Creates or deletes an Eth-Trunk interface or displays the Eth-Trunk interface view.

    In V200R011C10 and later versions, you can only enter the Eth-Trunk interface view and cannot create or delete Eth-Trunk interfaces.

    Do not delete Eth-Trunk0 or Eth-Trunk interfaces that are bound to the downlink fabric port from an AS.

    interface interface-type interface-number

    Displays the physical service interface view.

    -

    display

    Displays the device status or configurations.

    -

    quit

    Returns to the upper-level view.

    -

    return

    Returns to the user view.

    -

    interface stack-port

    Displays the stack port view.

    -

    shutdown interface

    undo shutdown interface

    Shuts down/restores a stack member port.

    This command is configured in the stack port view.

    mad restore

    Restores all the blocked interfaces of a standby switch that enters the Recovery state after its stack splits.

    -

    reset trace instance (supported in V200R010 and later versions)

    Clears all the diagnosis instances on a device.

    -

    save trace information (supported in V200R010 and later versions)

    Saves diagnosis information in the buffer area as a file.

    -

    Commands starting with the trace keyword (supported in V200R010 and later versions)

    Commands starting with the undo trace keyword (supported in V200R010 and later versions)

    Used for service diagnosis and executed in the system view.

    -

    Commands starting with info-center source (supported in V200R019 and later versions)

    Configures the rules for outputting information to information channels in the information center.

    -

Independent Mode (Configurable Commands After Logins to ASs Using the attach-as Command or Console Port)

The independent mode has been supported since V200R010. In independent mode, the commands listed in the following table can be configured on ASs. When configuring these commands, pay attention to the following points:

  • These commands vary depending on the AS device type. For details, see the command reference of these devices.
  • In independent mode, configuring some commands may cause an AS's failure to go online. To prevent this problem, some commands listed in the following table are not supported. If an unsupported command is executed on an AS, an error message is displayed.

Function

Command

Basic Configuration

CLI overview commands

File management commands

System startup commands

Device Management

Hardware configuration commands

Energy-saving configuration commands

PoE configuration commands

Stack configuration commands (except the smooth upgrade commands)

Commands for configuring rules for outputting information to information channels in the information center (supported in V200R019 and later versions)

Interface Management

Basic interface configuration commands

Ethernet interface configuration commands

Logical interface configuration commands

Ethernet Switching

MAC address table configuration commands

Link aggregation commands

VLAN configuration commands

VLAN aggregation configuration commands

MUX VLAN configuration commands

Voice VLAN configuration commands

QinQ configuration commands

VLAN mapping configuration commands

Loopback detection configuration commands

BPDU protection configuration commands (supported in V200R012C00 and later versions)

Layer 2 protocol tunneling commands

IP Service

IPv4 configuration commands

ARP configuration commands

DHCP policy VLAN configuration commands

Reliability

DLDP configuration commands

MAC swap loopback configuration commands

User Access and Authentication

AAA configuration commands

NAC configuration commands (unified mode)

Policy association configuration commands

Security

ACL configuration commands

Local attack defense configuration commands

Attack defense configuration commands

MFF configuration commands

Traffic suppression and storm control configuration commands

ARP security configuration commands

Port security configuration commands

DHCP snooping configuration commands

ND snooping configuration commands

PPPoE+ configuration commands

IP source guard configuration commands

SAVI configuration commands

MPAC configuration commands

QoS

MQC configuration commands

Priority mapping commands

Traffic policing, traffic shaping, and interface-based rate limiting commands

Congestion avoidance and congestion management commands

Filtering configuration commands

Redirection configuration commands

Statistics configuration commands

ACL-based simplified traffic policy commands

Network Management and Monitoring

display and snmp-agent trap enable feature-name commands in SNMP configuration commands

LLDP configuration commands

Service diagnosis configuration commands

Mirroring configuration commands

Packet obtaining configuration command

Ping and tracert configuration commands
Parent Topic: Information to Know Before SVF Deployment
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic