
Configuration Management

Uploaded by

Lucio Costa

ZXA10 C610

Optical Access Convergence Equipment


Configuration Management

Version: V2.x

ZTE CORPORATION
No. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
URL: http://support.zte.com.cn
E-mail: [email protected]
LEGAL INFORMATION
Copyright 2021 ZTE CORPORATION.

The contents of this document are protected by copyright laws and international treaties. Any
reproduction or distribution of this document or any portion of this document, in any form by any
means, without the prior written consent of ZTE CORPORATION is prohibited. Additionally, the
contents of this document are protected by contractual confidentiality obligations.

All company, brand and product names are trade or service marks, or registered trade or service
marks, of ZTE CORPORATION or of their respective owners.

This document is provided as is, and all express, implied, or statutory warranties,
representations or conditions are disclaimed, including without limitation any implied warranty of
merchantability, fitness for a particular purpose, title or non-infringement. ZTE CORPORATION and
its licensors shall not be liable for damages resulting from the use of or reliance on the
information contained herein.

ZTE CORPORATION or its licensors may have current or pending intellectual property rights or
applications covering the subject matter of this document. Except as expressly provided in any
written license between ZTE CORPORATION and its licensee, the user of this document shall not
acquire any license to the subject matter herein.

ZTE CORPORATION reserves the right to upgrade or make technical change to this product without
further notice.

Users may visit the ZTE technical support website http://support.zte.com.cn to inquire for related
information.

The ultimate right to interpret this product resides in ZTE CORPORATION.

Statement on the Use of Third-Party Embedded Software:

If third-party embedded software such as Oracle, Sybase/SAP, Veritas, Microsoft, Vmware, and Redhat
is delivered together with this product of ZTE, the embedded software must be used as only a
component of this product. If this product is discarded, the licenses for the embedded software
must also be void and must not be transferred. ZTE will provide technical support for the embedded
software of this product.

Revision History

Revision No.    Revision Date    Revision Reason

R1.0            2021-08-18       First edition

Serial Number: SJ-20210730093619-005

Publishing Date: 2021-08-18 (R1.0)


Contents
1 VLAN Configuration
  1.1 Configuring the Basic VLAN
  1.2 Configuring a VLAN Cross Connection
2 Multicast Configuration
  2.1 Configuring IGMP Multicast
  2.2 Configuring MLD Multicast
3 QoS Configuration
  3.1 Global QoS Configuration
    3.1.1 Configuring a CoS Priority Remarking Template
    3.1.2 Configuring a DSCP-CoS Remarking Template
    3.1.3 Configuring a DSCP Priority Remarking Template
    3.1.4 Configuring a Queue Configuration Template
    3.1.5 Configuring a Traffic Template
    3.1.6 Configuring Queue Scheduling
    3.1.7 Configuring Traffic Limit and Coloring for VLANs
    3.1.8 Configuring CoS-DEI Remarking
  3.2 QoS Configurations for the Ethernet Interface
    3.2.1 Configuring the Priority Type to Trust
    3.2.2 Configuring the Default CoS Priority
    3.2.3 Configuring CoS Priority Remarking
    3.2.4 Configuring DSCP-CoS Priority Remarking
    3.2.5 Configuring DSCP Priority Remarking
    3.2.6 Configuring CoS Remarking in the Egress Direction
    3.2.7 Configuring DSCP-CoS Remarking in the Egress Direction
    3.2.8 Configuring the Queue Depth
    3.2.9 Configuring Traffic Shaping
  3.3 QoS Configuration for the Vport Interface
    3.3.1 Configuring the Priority Type to Trust
    3.3.2 Configuring the Default CoS Priority
    3.3.3 Configuring CoS Priority Remarking
    3.3.4 Configuring DSCP-CoS Priority Remarking
    3.3.5 Configuring DSCP Priority Remarking
    3.3.6 Configuring CoS Remarking in the Egress Direction
    3.3.7 Configuring DSCP-CoS Remarking in the Egress Direction
    3.3.8 Configuring the Queue Depth
    3.3.9 Configuring Traffic Shaping
    3.3.10 Configuring a Traffic Policy
4 Configuring an ACL
5 Configuring STP
6 DHCP Configuration
  6.1 Configuring DHCP Snooping
  6.2 Configuring the DHCP Relay
  6.3 Configuring the DHCP Server
  6.4 Configuring the DHCP Client
7 Uplink Protection Configuration
  7.1 Configuring Link Aggregation
  7.2 Configuring the UAPS Function
8 Access Security Configuration
  8.1 User Port Identification Configuration
    8.1.1 Configuring a Format Template
    8.1.2 Configuring a Carrier Template
    8.1.3 Configuring the Port Identification Function
  8.2 Configuring the IP Source Guard Function
  8.3 Configuring the MAC Address Anti-Flapping Function
  8.4 Configuring the MFF Function
9 System Security Configuration
  9.1 Configuring the SSH Service
  9.2 Configuring TACACS+
  9.3 Configuring RADIUS
  9.4 Configuring a Management ACL
  9.5 Configuring Control-Plane Security
  9.6 Configuring DoS Attack Prevention
Figures
Tables
Glossary

Chapter 1
VLAN Configuration
Table of Contents
Configuring the Basic VLAN
Configuring a VLAN Cross Connection

A VLAN is a technology that implements virtual workgroups by dividing the physical equipment in a
LAN into several logical network segments. The IEEE issued the IEEE 802.1Q standard in 1999 to
standardize the VLAN solution.
The ZXA10 C610 supports 4094 VLANs.
For VLAN applications, refer to Table 1-1.

Table 1-1 VLAN Applications


VLAN Application         Description

Basic VLAN               Used to isolate ports.

TLS VLAN                 Adds an SVLAN to packets to implement the TLS service, regardless of the
                         user access mode, whether the users' upstream packets carry a VLAN tag,
                         or what that VLAN tag is.

VLAN conversion          Implements conversion from a user VLAN to a network VLAN and adds
                         different SVLANs based on different VLANs on the user side.

VLAN cross connection    Used to set dedicated channels for service ports and uplink ports. The
                         packets are forwarded in 1:1 mode in accordance with the VLAN ID.

1.1 Configuring the Basic VLAN


By configuring a basic VLAN, you can logically divide ports into different network segments
to control the communication between the ports.

Context

By configuring a service port VLAN for the Vport interface, you can implement VLAN
conversion at the ONU level. The service port configuration of the ZXA10 C610 supports
the following:
• Adding CVLAN + SVLAN to untagged packets.
• Adding SVLANs to user VLANs in accordance with the user VLAN range.
• Converting user VLANs to VLAN + SVLAN.
• Converting user VLANs to VLAN + SVLAN based on the combination type (user
  VLAN, Ethernet protocol type, or 802.1p priority).
• Modifying the priority of SVLAN 802.1p.
• TLS VLANs

Steps

1. In ZXAN(config)# mode, run the interface xgei-1/x/x command to enter uplink port
configuration mode.
2. In ZXAN(config-if-xgei-1/x/x)# mode, run the switchport vlan command to configure
an uplink port VLAN.

Note

When you configure an uplink port VLAN, the system automatically creates the
corresponding VLAN.

3. In ZXAN(config)# mode, run the interface vport-1/x/x.x:x command to enter Vport
interface configuration mode.
4. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the service-port command to configure
a service port VLAN.

Example

1. Configure a port VLAN in uplink port configuration mode.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#switchport vlan 100,300,500 tag

2. Configure a service port VLAN in Vport interface configuration mode.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#service-port 1 user-vlan 100 vlan 100

ZXAN(config-if-vport-1/3/1.1:1)#service-port 2 other-all tls-vlan 300

ZXAN(config-if-vport-1/3/1.1:1)#service-port 3 user-begin-vlan 101 user-end-vlan 110 user-priority 2 svlan 500

3. (Optional) Display the configured service port VLAN.

ZXAN(config-if-vport-1/3/1.1:1)#show service-port interface vport-1/3/1.1:1

Interface vport-1/3/1.1:1

Sport Vport BeginVid EndVid OuterVid InnerVid UserPrio Etype Vlan Cos SVlan SCos Tls TlsSVid Ingress Egress Status Enable
------------------------------------------------------------------------------------------------------------------------------
1     1     100      100    --       --       --       --    100  --  --    --   --  --      --      --     --     YES
2     1     --       --     --       --       --       --    --   --  --    --   300 --      --      --     --     YES
3     1     101      110    --       --       2        --    --   --  500   --   --  --      --      --     --     YES

Sport total number:
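
A consistency check for the example above, added here and not taken from the ZTE manual: the Python below rebuilds the show service-port rows (whether or not the terminal wraps them) and compares the network-side VLAN of each service port with the VLANs tagged on the uplink. The function names, the comma-list-only uplink syntax and the rule that the uplink tag is SVlan, else Tls, else Vlan are assumptions inferred from this page's examples.

```python
import re

# Constructed sample: the uplink command and the display from the example above,
# with each row wrapped onto two lines the way a narrow terminal shows it.
UPLINK_CMD = "switchport vlan 100,300,500 tag"
SHOW_OUTPUT = """\
Interface vport-1/3/1.1:1
Sport Vport BeginVid EndVid OuterVid InnerVid UserPrio Etype Vlan Cos
SVlan SCos Tls TlsSVid Ingress Egress Status Enable
-----------------------------------------------------------------------
-------------------------------------------------------
1 1 100 100 -- -- -- -- 100 --
-- -- -- -- -- -- -- YES
2 1 -- -- -- -- -- -- -- --
-- -- 300 -- -- -- -- YES
3 1 101 110 -- -- 2 -- -- --
500 -- -- -- -- -- -- YES
Sport total number:
"""


def parse_service_ports(text):
    """Rebuild the table: header tokens come before the dashed rule, row tokens
    after it, and every len(header) tokens form one record."""
    header, cells, in_rows = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Interface "):
            continue
        if set(line) == {"-"}:          # dashed rule separating header and rows
            in_rows = True
            continue
        if line.startswith("Sport total number"):
            break
        (cells if in_rows else header).extend(line.split())
    if not header or len(cells) % len(header):
        raise ValueError("row cells do not fill the header columns")
    n = len(header)
    return [dict(zip(header, cells[i:i + n])) for i in range(0, len(cells), n)]


def network_vlan(row):
    """Assumption: the tag seen on the uplink is SVlan if set, else Tls, else Vlan."""
    for column in ("SVlan", "Tls", "Vlan"):
        if row[column] != "--":
            return int(row[column])
    return None


def uplink_vlans(command):
    """VLAN IDs from a 'switchport vlan <id,id,...> tag' line (comma lists only)."""
    match = re.fullmatch(r"switchport vlan (\d+(?:,\d+)*) tag", command.strip())
    if not match:
        raise ValueError("unsupported switchport vlan syntax")
    return {int(v) for v in match.group(1).split(",")}


def audit(show_text, uplink_command):
    """Compare the VLANs this Vport's service ports send upstream with the uplink."""
    rows = parse_service_ports(show_text)
    carried = uplink_vlans(uplink_command)
    used = {network_vlan(r) for r in rows if r["Enable"] == "YES"} - {None}
    return {
        # service-port VLANs the uplink does not carry
        "not_on_uplink": sorted(used - carried),
        # uplink VLANs that no service port of this Vport uses
        "unused_on_uplink": sorted(carried - used),
        # TLS service ports accept any user tag, so list them for review
        "tls_ports": [r["Sport"] for r in rows if r["Tls"] != "--"],
    }


if __name__ == "__main__":
    print(audit(SHOW_OUTPUT, UPLINK_CMD))
```

An uplink VLAN reported as unused may still serve other Vport interfaces, so run the check across all of them before removing anything.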

1.2 Configuring a VLAN Cross Connection


This procedure describes how to configure a VLAN cross connection to implement 1:1
VLAN forwarding.

Context

A VLAN cross connection is a dedicated channel between a user port and an uplink port,
between two uplink ports, or between two user ports. After a VLAN cross connection is
configured, packets are forwarded in 1:1 mode in accordance with the VLAN ID rather than
in MAC + VLAN mode.
With the VLAN cross connection, data is exchanged based on the following:
• SVLAN
• Dual-layer (CVLAN + SVLAN) tags

Steps

1. In ZXAN(config)# mode, run the interface xgei-1/x/x command to enter uplink port
configuration mode.
2. In ZXAN(config-if-xgei-1/x/x)# mode, run the switchport vlan command to configure
an uplink port VLAN.
3. In ZXAN(config)# mode, run the interface vport-1/x/x.x:x command to enter Vport
interface configuration mode.
4. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the service-port command to configure
a service port VLAN.
5. In ZXAN(config)# mode, run the vlan-connect svlan command to set the 1:1 VLAN
mode for the VLAN.

Example

1. Configure a port VLAN in uplink port configuration mode.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#switchport vlan 5 tag

ZXAN(config-if-xgei-1/1/1)#exit

2. Configure a service port VLAN in ONU interface configuration mode.

ZXAN(config)#interface vport-1/3/1.2:1

ZXAN(config-if-vport-1/3/1.2:1)#service-port 1 user-vlan 3 vlan 3 svlan 5

ZXAN(config-if-vport-1/3/1.2:1)#exit

3. Configure a VLAN cross connection in global configuration mode.

ZXAN(config)#vlan-connect svlan 5 interface vport-1/3/1.2:1 interface xgei-1/1/1

4. (Optional) Display the VLAN cross connection configuration.

ZXAN(config)#show vlan-connect detail

Interface        Interface   Svlan  Cvlan  Status1  Status2
----------------------------------------------------------------------
vport-1/3/1.2:1  xgei-1/1/1  5      --     OK       OK


Chapter 2
Multicast Configuration
Table of Contents
Configuring IGMP Multicast
Configuring MLD Multicast

The ZXA10 C610 has a carrier-class multicast operation capability, supports multicast
protocols and controllable multicast, supports all user and network protocols, and provides
a base for value-added broadband multicast services and multicast service management.
The ZXA10 C610 provides controllable multicast services, and supports IGMPv1/v2/v3 and
three modes: IGMP Snooping, IGMP Proxy, and IGMP Router.
• Supports IGMPv1/v2/v3.
• Supports MLDv1/v2.
• Supports IGMP Snooping/Proxy/Router.
• Supports MLD Snooping/Proxy.
• Supports 8K multicast items.
• Supports 4094 multicast VLANs.
Layer-2 multicast services are copied on the OLT and ONU (2-layer). Related configurations
are as follows:
• Basic service parameter configurations on the OLT
  Basic parameters involved in layer-2 multicast control include multicast VLANs,
  source ports, receive ports, and multicast program addresses. A multicast VLAN
  bears multicast data. The source ports are uplink ports connecting the multicast
  source, the receive ports are ONU interfaces connecting multicast users, and a
  multicast program address is composed of a group IP address and a source address.
• Configuration of the OLT multicast protocol mode
  The ZXA10 C610 supports IPv4 multicast dual-stack protocols. It can be flexibly
  configured to accept or drop multicast packets of various protocol versions. Three
  working modes can be configured based on a multicast VLAN: Snooping, Router, and
  Proxy.

2.1 Configuring IGMP Multicast


An IGMP MVLAN carries IGMP multicast data and is composed of service VLANs, source
ports, receiving ports, and multicast groups.

Steps

1. In ZXAN(config-if-xgei-1/x/x)# mode, run the switchport vlan command to configure
an uplink port VLAN.
2. In ZXAN(config-if-xgei-1/x/x)# mode, run the no shutdown command to enable the
uplink port.
3. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the service-port command to configure
a service port VLAN.
4. In ZXAN(config)# mode, run the igmp enable command to globally enable IGMP.
5. In ZXAN(config)# mode, run the igmp mvlan command to configure an MVLAN.
6. In ZXAN(config-igmp-mvlan-xx)# mode, run the work-mode command to configure
the MVLAN working mode.
7. In ZXAN(config-igmp-mvlan-xx)# mode, run the host-version command to configure
the MVLAN host version.
8. In ZXAN(config-igmp-mvlan-xx)# mode, run the group-filter enable command to
enable the group filter function.
9. In ZXAN(config-igmp-mvlan-xx)# mode, run the group command to configure the
multicast group.
10. In ZXAN(config-igmp-mvlan-xx)# mode, run the source-port command to configure
the source port of the MVLAN.
11. In ZXAN(config-igmp-mvlan-xx)# mode, run the receive-port command to configure
the receiving port of the MVLAN.

Verification

• You can use the show igmp command to display global IGMP configurations.
• You can use the show igmp mvlan command to display the configurations of the
  IGMP MVLAN.

Example

For the configurations of the IGMP MVLAN, refer to Table 2-1.

Table 2-1 IGMP MVLAN Configurations


Configuration Item                          Data

IGMP                                        Enable
MVLAN ID                                    200
MVLAN working mode                          Proxy
MVLAN host version                          IGMPv3
MVLAN multicast group filtering function    Enable
Multicast group IP address                  224.1.1.1 through 224.1.1.3
Multicast source IP address                 10.1.1.1
Multicast source port                       xgei-1/1/1
Multicast receiving port                    vport-1/3/1.1:1

1. Configure an uplink port VLAN.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#switchport vlan 200 tag

ZXAN(config-if-xgei-1/1/1)#no shutdown

ZXAN(config-if-xgei-1/1/1)#exit

2. Configure a service interface VLAN.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#service-port 1 user-vlan 200 vlan 200

ZXAN(config-if-vport-1/3/1.1:1)#exit

3. Enable the global IGMP function.

ZXAN(config)#igmp enable

4. Configure an MVLAN.

ZXAN(config)#igmp mvlan 200

ZXAN(config-igmp-mvlan-200)#work-mode proxy

ZXAN(config-igmp-mvlan-200)#host-version v3

ZXAN(config-igmp-mvlan-200)#group-filter enable

ZXAN(config-igmp-mvlan-200)#group 224.1.1.1 to 224.1.1.3

ZXAN(config-igmp-mvlan-200)#source-port xgei-1/1/1

ZXAN(config-igmp-mvlan-200)#receive-port vport-1/3/1.1:1

ZXAN(config-igmp-mvlan-200)#end

5. Display global IGMP configurations.

ZXAN#show igmp

IGMP global parameters:

----------------------------------------------------

IGMP is globally enable.


Span vlan is enable.

Host tracking is disable.

Bandwidth control is disable.

IGMP log is enable.

IGMP log record-packet is disble.

IGMP syslog is disable.

General query gemport mode is unicast.

Router alert is disable.

Query-version user-compatible is enable.

Prejoin interval is 120(second).

6. Display the configurations of the IGMP MVLAN.

ZXAN#show igmp mvlan 200

Protocol packet's priority is 0 (in proxy/spr/router mode).

Protocol packet's dscp is 48 (in proxy/spr/router mode).

Act Port is 0.

Cvlan is 0.

MaxGroupNum is 8192.

Host ip is 192.168.2.14.

Router ip is 192.168.2.14.

Igmp v1 mode is accept.

Igmp v2 mode is accept.

Igmp v3 mode is accept.

Robustness variable is 2.

General query interval is 125(second).

Query max response time is 100(0.1second).

Last member query interval is 10(0.1second).

Last member query count is 2.

Unsolicited report interval is 1(second).

Startup query interval is 30(second).

Startup query count is 2.

Snooping aging time is 300(second).

Query active user only control is enable.

-------------------------------------------------------------------------------

Source Port HostCompatibleMode HostConfigMode V1TimeOut V2TimeOut

-------------------------------------------------------------------------------

xgei-1/1/1 v3 v3 0 0

Receive Port


----------------------------

vport-1/3/1.1:1

SSM Group Range

----------------------------

232.0.0.0 mask 255.0.0.0

2.2 Configuring MLD Multicast


An MLD MVLAN carries MLD multicast data and is composed of service VLANs, source
ports, receiving ports, and multicast groups.

Steps

1. In ZXAN(config-if-xgei-1/x/x)# mode, run the switchport vlan command to configure
an uplink port VLAN.
2. In ZXAN(config-if-xgei-1/x/x)# mode, run the no shutdown command to enable the
uplink port.
3. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the service-port command to configure
a service port VLAN.
4. In ZXAN(config)# mode, run the mld enable command to globally enable the MLD
protocol.
5. In ZXAN(config)# mode, run the mld mvlan command to create an MVLAN.
6. In ZXAN(config-mld-mvlan-xx)# mode, run the work-mode command to configure
the MVLAN working mode.
7. In ZXAN(config-mld-mvlan-xx)# mode, run the host-version command to configure
the MVLAN host version.
8. In ZXAN(config-mld-mvlan-xx)# mode, run the group-filter enable command to
enable the multicast group filtering function of the MVLAN.
9. In ZXAN(config-mld-mvlan-xx)# mode, run the group command to configure the
multicast group.
10. In ZXAN(config-mld-mvlan-xx)# mode, run the source-port command to configure
the source port for the MVLAN.
11. In ZXAN(config-mld-mvlan-xx)# mode, run the receive-port command to configure
the receiving port for the MVLAN.

Verification

• You can use the show mld command to display global MLD configurations.
• You can use the show mld mvlan command to display the configurations of the
  MLD MVLAN.

Example

For the configurations of an MLD MVLAN, refer to Table 2-2.

Table 2-2 MLD MVLAN Configurations


Configuration Item             Data

MLD                            Enable
MVLAN ID                       200
MVLAN working mode             Proxy
MVLAN host version             MLDv1
Multicast source IP address    ff1e::0101 through ff1e::0103
Multicast source port          xgei-1/1/1
Multicast receiving port       vport-1/3/1.1:1

1. Configure an uplink port VLAN.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#switchport vlan 200 tag

ZXAN(config-if-xgei-1/1/1)#no shutdown

ZXAN(config-if-xgei-1/1/1)#exit

2. Configure a service interface VLAN.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#service-port 1 user-vlan 200 vlan 200

ZXAN(config-if-vport-1/3/1.1:1)#exit

3. Enable the global MLD function.

ZXAN(config)#mld enable

4. Configure an MVLAN.

ZXAN(config)#mld mvlan 200

ZXAN(config-mld-mvlan-200)#work-mode proxy

ZXAN(config-mld-mvlan-200)#host-version v1

ZXAN(config-mld-mvlan-200)#group ff1e::0101 to ff1e::0103

ZXAN(config-mld-mvlan-200)#source-port xgei-1/1/1

ZXAN(config-mld-mvlan-200)#receive-port vport-1/3/1.1:1

ZXAN(config-mld-mvlan-200)#exit

5. Display global MLD configurations.

ZXAN(config)#show mld

MLD global parameters:


----------------------------------------------------

MLD is globally enable.

Span vlan is enable.

Host tracking is disable.

Bandwidth control is disable.

MLD log is disable.

MLD log record-packet is disable.

MLD syslog is disable.

General query gemport mode is unicast.

Router alert is enable.

Query-version user-compatible is disable.

Prejoin interval is 120(second).

6. Display the configurations of the MLD MVLAN.

ZXAN(config)#show mld mvlan 200

Protocol packet's priority is 0 (in proxy/spr/router mode).

Protocol packet's traffic class is 192 (in proxy/spr/router mode).

Act Port is 0.

Cvlan is 0.

MaxGroupNum is 8192.

Host ip is fe80::c0a8:20e.

Router ip is fe80::c0a8:20e.

Mld v1 mode is accept.

Mld v2 mode is accept.

Robustness variable is 2.

General query interval is 125(second).

Query max response time is 100(0.1second).

Last member query interval is 10(0.1second).

Last member query count is 2.

Unsolicited report interval is 1(second).

Startup query interval is 30(second).

Startup query count is 2.

Snooping aging time is 300(second).

Query active user only control is enable.

----------------------------------------------------------------------------

Source Port HostCompatibleMode HostConfigMode V1TimeOut

----------------------------------------------------------------------------

xgei-1/1/1 v1 v1 0


Receive Port

----------------------------

vport-1/3/1.1:1

SSM Group Range

----------------------------

ff30:: mask fff0:ffff:ffff:ffff:ffff:ffff::



Chapter 3
QoS Configuration
Table of Contents
Global QoS Configuration
QoS Configurations for the Ethernet Interface
QoS Configuration for the Vport Interface

The QoS function provides different QoS services based on different requirements of
applications, such as providing dedicated bandwidth, reducing the packet loss ratio, and
reducing the packet transmission delay and jitter. By flexibly configuring and applying
the QoS feature, the carrier can provide effective differentiated services, and implement
and assure the promised service quality.
The ZXA10 C610 supports the following QoS operations:
• Priority remarking
• Queue scheduling
• Queue mapping
• Traffic shaping

3.1 Global QoS Configuration


3.1.1 Configuring a CoS Priority Remarking Template
This procedure describes how to configure a CoS priority remarking template. The template
can be applied to interfaces to modify the CoS priority of packets.

Steps

1. In ZXAN(config)# mode, run the qos cos-to-cos-profile command to configure a
CoS priority remarking template.

Verification

You can use the show qos cos-to-cos-profile name command to display the configurations
of the CoS priority remarking template.

Example

1. Configure a CoS priority remarking template.


ZXAN(config)#qos cos-to-cos-profile test cos0 3

2. Display the configurations of a CoS priority remarking template.

ZXAN(config)#show qos cos-to-cos-profile name test

-----------------------------------------------------------------

profile name : test

profile detail :

-----------------------------------------------------------------

old-cos : 0 1 2 3 4 5 6 7

new-cos : 3 1 2 3 4 5 6 7

used-count : 0

profile used by :

-----------------------------------------------------------------

3.1.2 Configuring a DSCP-CoS Remarking Template


After a DSCP-CoS priority remarking template is configured, it can be applied to interfaces
to modify the CoS priority of packets based on the DSCP priority of the packets.

Steps

1. In ZXAN(config)# mode, run the qos dscp-to-cos-profile command to configure a
DSCP-CoS priority remarking template.

Verification

You can use the show qos dscp-to-cos-profile name command to display the configurations
of the DSCP-CoS priority remarking template.

Example

1. Configure a DSCP-CoS priority remarking template.

ZXAN(config)#qos dscp-to-cos-profile test 12 to 3

2. Display the configurations of a DSCP-CoS priority remarking template.

ZXAN(config)#show qos dscp-to-cos-profile name test

-----------------------------------------------------------------

profile name : test

profile detail :

-----------------------------------------------------------------

dscp-list : 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

cos-value : 0 0 0 0 0 0 0 0 1 1 1 1 3 1 1 1

-----------------------------------------------------------------


dscp-list : 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

cos-value : 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3

-----------------------------------------------------------------

dscp-list : 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47

cos-value : 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5

-----------------------------------------------------------------

dscp-list : 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63

cos-value : 6 6 6 6 6 6 6 6 7 7 7 7 7 7 7 7

used-count : 0

profile used by :

-----------------------------------------------------------------

3.1.3 Configuring a DSCP Priority Remarking Template


This procedure describes how to configure a DSCP priority remarking template. The template
can be applied to interfaces to modify the DSCP priority of packets.

Steps

1. In ZXAN(config)# mode, run the qos dscp-to-dscp-profile command to configure a
DSCP priority remarking template.

Verification

You can use the show qos dscp-to-dscp-profile name command to display the configurations
of the DSCP priority remarking template.

Example

1. Configure a DSCP priority remarking template.

ZXAN(config)#qos dscp-to-dscp-profile test 10 to 5

2. Display the configurations of a DSCP priority remarking template.

ZXAN(config)#show qos dscp-to-dscp-profile name test

-----------------------------------------------------------------

profile name : test

profile detail :

-----------------------------------------------------------------

old-dscp : 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

new-dscp : 0 1 2 3 4 5 6 7 8 9 5 11 12 13 14 15

-----------------------------------------------------------------

old-dscp : 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31


new-dscp : 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

-----------------------------------------------------------------

old-dscp : 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47

new-dscp : 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47

-----------------------------------------------------------------

old-dscp : 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63

new-dscp : 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63

used-count : 0

profile used by :

-----------------------------------------------------------------
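The verification step can be automated by parsing the show output into a 64-entry map and comparing it with the remarks that were intended. The following is an added example, not part of the ZTE manual; the function names and the idea of an "intended" map are assumptions, and the sample text is the output shown above.

```python
import re

# Output of "show qos dscp-to-dscp-profile name test", as shown in the example above.
SHOW_OUTPUT = """\
profile name : test
profile detail :
old-dscp : 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
new-dscp : 0 1 2 3 4 5 6 7 8 9 5 11 12 13 14 15
old-dscp : 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
new-dscp : 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
old-dscp : 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
new-dscp : 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
old-dscp : 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
new-dscp : 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
used-count : 0
profile used by :
"""

ROW = re.compile(r"^\s*(old-dscp|new-dscp)\s*:\s*(\d[\d\s]*)$")


def parse_dscp_profile(text):
    """Return {old_dscp: new_dscp} built from paired old-dscp/new-dscp rows."""
    mapping, pending_old = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # separators, profile name, counters
        values = [int(v) for v in m.group(2).split()]
        if m.group(1) == "old-dscp":
            pending_old = values
            continue
        if pending_old is None or len(pending_old) != len(values):
            raise ValueError("new-dscp row does not pair with an old-dscp row")
        mapping.update(zip(pending_old, values))
        pending_old = None
    # A truncated capture must not pass as a clean profile.
    if sorted(mapping) != list(range(64)):
        raise ValueError("profile does not cover DSCP 0-63")
    if any(not 0 <= new <= 63 for new in mapping.values()):
        raise ValueError("new-dscp value outside 0-63")
    return mapping


def remarked_entries(mapping):
    """Only the code points the profile actually rewrites."""
    return {old: new for old, new in sorted(mapping.items()) if old != new}


def audit_profile(mapping, intended):
    """Compare the device profile with the intended remarks {old: new}."""
    actual = remarked_entries(mapping)
    findings = []
    for old in sorted(set(actual) | set(intended)):
        want, have = intended.get(old, old), actual.get(old, old)
        if want != have:
            findings.append(f"DSCP {old}: expected {want}, device has {have}")
    return findings


if __name__ == "__main__":
    profile = parse_dscp_profile(SHOW_OUTPUT)
    print(remarked_entries(profile))
    print(audit_profile(profile, {10: 5}))
```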

3.1.4 Configuring a Queue Configuration Template


A queue configuration template is used to configure the depth of a queue.

Steps

1. In ZXAN(config)# mode, run the qos queue-conf-profile command to configure a queue configuration template.

Verification

You can use the show qos queue-conf-profile name command to display the configurations of the QoS queue configuration template.

Example

1. Configure a queue configuration template.

ZXAN(config)#qos queue-conf-profile test queue0 100

2. Display the configurations of a QoS queue configuration template.

ZXAN(config)#show qos queue-conf-profile name test

-----------------------------------------------------------------

profile name : test

profile detail :

-----------------------------------------------------------------

queue id : 0 1 2 3 4 5 6 7

queue depth : 100 50 50 50 50 50 50 50

used-count : 0

profile used by :

-----------------------------------------------------------------

3.1.5 Configuring a Traffic Template


A traffic template is used to define the traffic CIR, PIR, CBS, and PBS so that the message
rate matches downstream devices. Thus congestion can be avoided and messages will
not be discarded.

Steps

1. In ZXAN(config)# mode, run the traffic-profile command to configure a traffic template.

Verification

You can use the show qos traffic-profile name command to display the configurations
of the QoS traffic template.

Example

1. In global configuration mode, configure a traffic template.

ZXAN(config)#traffic-profile test cir 10240 cbs 1000 pir 20480 pbs 1000

2. Display the configurations of a QoS traffic template.

ZXAN(config)#show qos traffic-profile name test

-----------------------------------------------------------------

profile name :test

profile detail :

-----------------------------------------------------------------

basic traffic type : ip

committed information rate : 10240 kbps

committed burst size : 1000 kbytes

peak information rate : 20480 kbps

peak burst size : 1000 kbytes

discard mode : no distinction

color mode : aware

policer type : mef

coupling flag : enable

Counting information:

-----------------------------------------------------------------

policy use number :0

queue shaping use number : 0

shaping use number :0

flow group use number :0

flow profile use number :0

service port use number :0

profile used by

-----------------------------------------------------------------
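To show how CIR, CBS, PIR and PBS interact, the following added example (not part of the ZTE manual) runs the values from the traffic template above through a color-blind two-rate three-color marker in the style of RFC 2698. The manual does not describe the device's own policing algorithm (the output reports policer type mef and color mode aware), so this marker is a stand-in; 1 kbps = 1000 bit/s and 1 kbyte = 1000 bytes are also assumptions.

```python
US_PER_S = 1_000_000  # token counts are kept in millionths of a byte so refills stay exact


class TwoRateMarker:
    """Color-blind two-rate three-color marker (RFC 2698 style, assumed model)."""

    def __init__(self, cir_kbps, cbs_kbytes, pir_kbps, pbs_kbytes):
        if pir_kbps < cir_kbps:
            raise ValueError("PIR must be at least CIR")
        self.c_rate = cir_kbps * 1000 // 8          # committed rate, bytes per second
        self.p_rate = pir_kbps * 1000 // 8          # peak rate, bytes per second
        self.c_cap = cbs_kbytes * 1000 * US_PER_S   # committed bucket size
        self.p_cap = pbs_kbytes * 1000 * US_PER_S   # peak bucket size
        self.tc, self.tp = self.c_cap, self.p_cap   # both buckets start full
        self.last_us = 0

    def mark(self, now_us, size_bytes):
        """Refill both buckets up to now_us, then color one packet."""
        if now_us < self.last_us:
            raise ValueError("arrival times must not go backwards")
        elapsed = now_us - self.last_us
        self.last_us = now_us
        self.tc = min(self.c_cap, self.tc + self.c_rate * elapsed)
        self.tp = min(self.p_cap, self.tp + self.p_rate * elapsed)
        need = size_bytes * US_PER_S
        if self.tp < need:
            return "red"        # exceeds PIR/PBS
        self.tp -= need
        if self.tc < need:
            return "yellow"     # within PIR/PBS but exceeds CIR/CBS
        self.tc -= need
        return "green"          # within CIR/CBS


def count_colors(marker, arrivals):
    """arrivals: iterable of (time_in_microseconds, packet_size_in_bytes)."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for now_us, size in arrivals:
        counts[marker.mark(now_us, size)] += 1
    return counts


def page_profile():
    # traffic-profile test cir 10240 cbs 1000 pir 20480 pbs 1000
    return TwoRateMarker(cir_kbps=10240, cbs_kbytes=1000, pir_kbps=20480, pbs_kbytes=1000)


def demo():
    """Constructed traffic: a 700-packet burst at t=0, then 20 packets 10 ms later."""
    marker = page_profile()
    burst = count_colors(marker, [(0, 1500)] * 700)
    later = count_colors(marker, [(10_000, 1500)] * 20)
    return burst, later


if __name__ == "__main__":
    print(demo())
```

Because CBS equals PBS in this template, a burst drains both buckets together and no packet is marked yellow until the peak bucket, refilling at twice the committed rate, pulls ahead.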

3.1.6 Configuring Queue Scheduling


ZXA10 C610 supports SP + WRR queue scheduling and supports the configuration of the WRED packet discard ratio.

Steps

1. In ZXAN(config)# mode, run the qos queue-scheduler command to configure queue scheduling mode.

Note

SP mode: all queue weights are 0.
WRR mode: all queue weights are not 0.
SP + WRR mode: high priority queue weights are 0, low priority queue weights are not 0.

2. In ZXAN(config)# mode, run the qos queue-wred-config command to configure packet discard ratio.

Example

1. Configure the SP + WRR queue scheduling.

ZXAN(config)#qos queue-scheduler queue0 10 queue1 20 queue2 30 queue3 40 queue4 53 queue5 0 queue6 0 queue7 0

2. Configure the packet discard ratio for green packets in queue 2.

ZXAN(config)#qos queue-wred-config 2 green-low-ratio 50 green-high-ratio 70 green-discard-ratio 30

3.1.7 Configuring Traffic Limit and Coloring for VLANs


A flow template is applied to Ethernet ports to implement traffic limit and coloring for
VLANs.

Steps

1. In ZXAN(config)# mode, run the flow-profile command to configure a flow template.

2. In ZXAN(config-flowPrf-xxx)# mode, run the flow traffic-profile command to configure the traffic template for each flow.
3. In ZXAN(config-if-xgei-1/x/x)# mode, run the flow-group flow-profile command to configure traffic limit and coloring for VLANs.

Example

1. Configure a CoS type flow template F1.

ZXAN(config)#flow-profile F1 mode cos

ZXAN(config-flowPrf-F1)#flow 1 cos 0,1,2 traffic-profile 3M

ZXAN(config-flowPrf-F1)#flow 2 cos 5 traffic-profile 20M

ZXAN(config-flowPrf-F1)#exit

2. Configure the flow group on xgei-1/1/2 in the egress direction: the traffic limit for cos0, cos1, and cos2 in VLAN 100 + VLAN 200 + VLAN 300 is 3M, and the traffic limit for cos5 in VLAN 100 + VLAN 200 + VLAN 300 is 20M.

ZXAN(config)#interface xgei-1/1/2

ZXAN(config-if-xgei-1/1/2)#flow-group 1 flow-profile F1 full-match Svlan1 100 Svlan2 200 Svlan3 300 direction egress

3. Configure an any type flow template F5.

ZXAN(config)#flow-profile F5 mode any

ZXAN(config-flowPrf-F5)#flow 1 traffic-profile 1M

ZXAN(config-flowPrf-F5)#flow 2 traffic-profile 2M

ZXAN(config-flowPrf-F5)#flow 3 traffic-profile 3M

ZXAN(config-flowPrf-F5)#flow 4 traffic-profile 5M

4. Configure the flow group on xgei-1/1/4 in the ingress direction: the traffic limit is 1M for VLAN 200, 2M for VLAN 300, 3M for VLAN 400, and 5M for VLAN 500.

ZXAN(config)#interface xgei-1/1/4

ZXAN(config-if-xgei-1/1/4)#flow-group 1 flow-profile F5 one-to-one Svlan1 200 Svlan2 300 Svlan3 400 Svlan4 500 direction ingress

3.1.8 Configuring CoS-DEI Remarking


The CoS-DEI (Drop Eligible Indicator) profile is used to color packets according to their
CoS priority on a VLAN.

Steps

1. In ZXAN(config)# mode, run the qos cos-to-dei command to configure a CoS-DEI remark profile.
2. In ZXAN(config-sub-vid)# mode, run the cos-to-dei-profile command to apply a CoS-DEI profile to the VLAN.
3. In ZXAN(config-sub-vid)# mode, run the egress-dei-mark command to enable the egress DEI mark function on the VLAN.

Example

1. Configure a CoS-DEI profile that modifies the SVLAN DEI according to the SVLAN CoS: cos0/cos1/cos3/cos5/cos6 are remarked to yellow (1), and cos2/cos4/cos7 are remarked to green (0).

ZXAN(config)#qos cos-to-dei test type Scos_to_Sdei cos0 1 cos1 1 cos2 0 cos3 1 cos4 0 cos5 1 cos6 1 cos7 0

2. Apply the CoS-DEI profile to VLAN 100 and enable the egress DEI mark function.

ZXAN(config)#vlan 100

ZXAN(config-sub-100)#cos-to-dei-profile test

ZXAN(config-sub-100)#egress-dei-mark

3.2 QoS Configurations for the Ethernet Interface


3.2.1 Configuring the Priority Type to Trust

This procedure describes how to configure an Ethernet interface to trust the CoS priority or DSCP priority.

Context

- If an Ethernet interface trusts a CoS priority, the CoS priority of a packet is marked in the override > cos-remark > trust priority sequence based on the CoS priority in the ingress direction.
- If an Ethernet interface trusts a DSCP priority, the CoS priority of a packet is marked based on the preset DSCP-to-CoS mapping relationship.

Steps

1. In ZXAN(config-if-xgei-1/x/x.x)# mode, run the qos trust command to configure a priority that an Ethernet interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Ethernet interface.

Example

1. Configure the priority type that an Ethernet interface trusts.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#qos trust cos

2. Display the QoS configurations of an interface.

ZXAN(config-if-xgei-1/1/1)#show qos interface xgei-1/1/1

qos trust cos

qos cos default-cos 0

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.2.2 Configuring the Default CoS Priority


After the default priority is configured, the default CoS priority can be added for untagged packets on an Ethernet interface.

Context

If the Ethernet interface trusts a CoS priority, subsequent messages can be processed as follows.
- If the override function is configured, all CoS priorities of the services on a virtual port are forcibly modified as the default CoS priority, including those of untagged packets.
- If the override function is not configured, the default CoS priority is valid for only untagged packets.

Steps

1. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos cos default-cos command to configure the default CoS priority.

Verification

You can use the show qos interface command to display the QoS configurations of the
Ethernet interface.

Example

1. Configure the default CoS priority.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#qos cos default-cos 5 override

2. Display the QoS configurations of an Ethernet interface.

ZXAN(config-if-xgei-1/1/1)#show qos interface xgei-1/1/1

qos trust cos

qos cos default-cos 5 override

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.2.3 Configuring CoS Priority Remarking


After a CoS priority remarking template is used, the CoS priority of the packets on an
Ethernet interface can be modified based on the original CoS priority of the packets.

Context

If the Ethernet interface trusts a CoS priority and the default priority is not configured with the override function, after a CoS priority remarking template is configured, the service CoS priority is modified according to the mapping relationship in the template.

Steps

1. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos cos cos-remark command to apply a CoS priority remarking template.
2. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos trust cos command to configure a CoS priority that an Ethernet interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Ethernet interface.

Example

1. Apply a CoS priority remarking template.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#qos cos cos-remark test

2. Configure a CoS priority that an Ethernet interface trusts.

ZXAN(config-if-xgei-1/1/1)#qos trust cos

3. Display the QoS configurations of an Ethernet interface.

ZXAN(config-if-xgei-1/1/1)#show qos interface xgei-1/1/1

qos trust cos

qos cos default-cos 0

qos cos cos-remark test

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE
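The Context notes of sections 3.2.1 to 3.2.3 define a precedence (override, then cos-remark, then the trusted value) that decides whether a CoS value set by the sender survives ingress. The following added example, not part of the ZTE manual, parses the show qos interface outputs from this page and resolves the resulting CoS per packet. The contents of the default profiles (identity for CoS, DSCP top three bits for DSCP-to-CoS, consistent with the dscp-list/cos-value rows shown earlier), the contents of the profile named test, and the function names are assumptions.

```python
from dataclasses import dataclass

PROFILES = {
    # Assumed contents of the default profiles (not stated in the manual).
    "_DEFAULT_COS_TO_COS_PROFILE": {c: c for c in range(8)},
    "_DEFAULT_DSCP_TO_COS_PROFILE": {d: d >> 3 for d in range(64)},
    # Constructed contents for the profile named "test": CoS 6 and 7 are reset to 0.
    "test": {0: 0, 1: 1, 2: 2, 3: 3, 4: 4, 5: 5, 6: 0, 7: 0},
}

# Ingress lines of the "show qos interface" outputs in 3.2.1, 3.2.2, 3.2.3 and 3.2.5.
TRUST_COS = """qos trust cos
qos cos default-cos 0
qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE
qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE"""
OVERRIDE = """qos trust cos
qos cos default-cos 5 override
qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE
qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE"""
REMARK = """qos trust cos
qos cos default-cos 0
qos cos cos-remark test
qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE"""
TRUST_DSCP = """qos trust dscp
qos cos default-cos 0
qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE
qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE"""


@dataclass
class IngressQos:
    trust: str = "cos"
    default_cos: int = 0
    override: bool = False
    cos_remark: str = "_DEFAULT_COS_TO_COS_PROFILE"
    dscp_remark: str = "_DEFAULT_DSCP_TO_COS_PROFILE"


def parse_show_qos_interface(text):
    """Pick the ingress-related settings out of 'show qos interface' output."""
    cfg = IngressQos()
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["qos", "trust"] and len(words) == 3:
            cfg.trust = words[2]
        elif words[:3] == ["qos", "cos", "default-cos"] and len(words) >= 4:
            cfg.default_cos = int(words[3])
            cfg.override = "override" in words[4:]
        elif words[:3] == ["qos", "cos", "cos-remark"] and len(words) == 4:
            cfg.cos_remark = words[3]
        elif words[:3] == ["qos", "cos", "dscp-remark"] and len(words) == 4:
            cfg.dscp_remark = words[3]
    return cfg


def ingress_cos(cfg, profiles, tag_cos=None, dscp=None):
    """CoS assigned at ingress. tag_cos=None means the packet is untagged."""
    if cfg.trust == "dscp":
        if dscp is None:
            # The manual does not say how packets without a DSCP field are treated.
            raise ValueError("no DSCP value to map")
        return profiles[cfg.dscp_remark][dscp]
    if cfg.trust != "cos":
        raise ValueError(f"unknown trust type {cfg.trust!r}")
    if cfg.override:               # 1. override: every packet gets the default CoS
        return cfg.default_cos
    if tag_cos is None:            # default CoS applies to untagged packets only
        return cfg.default_cos
    return profiles[cfg.cos_remark][tag_cos]   # 2. cos-remark, 3. trusted value


if __name__ == "__main__":
    for name, text in [("trust", TRUST_COS), ("override", OVERRIDE), ("remark", REMARK)]:
        cfg = parse_show_qos_interface(text)
        print(name, [ingress_cos(cfg, PROFILES, tag_cos=c) for c in range(8)])
```

With the default profile and no override, a sender-supplied CoS 7 is accepted unchanged; override or a remarking template is what resets it.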

3.2.4 Configuring DSCP-CoS Priority Remarking


After a DSCP-CoS priority remarking template is used, the CoS priority of the packets
on an Ethernet interface can be modified based on the DSCP priority of the packets.

Context

If the Ethernet interface trusts a DSCP priority, after a DSCP priority remarking template
is used, the service CoS priority can be modified according to the mapping relationship
in the template.

Steps

1. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos cos dscp-remark command to apply a DSCP priority remarking template.
2. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos trust dscp command to configure a DSCP priority that an Ethernet interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Ethernet interface.

Example

1. Apply a DSCP priority remarking template.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#qos cos dscp-remark test

2. Configure a DSCP priority that an Ethernet interface trusts.

ZXAN(config-if-xgei-1/1/1)#qos trust dscp

3. Display the QoS configurations of an Ethernet interface.

ZXAN(config-if-xgei-1/1/1)#show qos interface xgei-1/1/1

qos trust dscp

qos cos default-cos 0

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark test

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.2.5 Configuring DSCP Priority Remarking


After a DSCP priority remarking template is used, the DSCP priority of the packets on an
Ethernet interface can be modified based on the original DSCP priority of the packets.

Context

If the Ethernet interface trusts a DSCP priority, after a DSCP priority remarking template
is used, the service DSCP priority can be modified according to the mapping relationship
in the template.

Steps

1. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos dscp dscp-remark command to apply a DSCP priority remarking template.
2. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos trust dscp command to configure a DSCP priority that an Ethernet interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Ethernet interface.

Example

1. Apply a DSCP priority remarking template.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#qos dscp dscp-remark test

2. Configure a DSCP priority that an Ethernet interface trusts.

ZXAN(config-if-xgei-1/1/1)#qos trust dscp

3. Display the QoS configurations of an Ethernet interface.

ZXAN(config-if-xgei-1/1/1)#show qos interface xgei-1/1/1

qos trust dscp

qos cos default-cos 0

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark test

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.2.6 Configuring CoS Remarking in the Egress Direction


After a CoS priority remarking template is configured, the CoS priority of the packets on
an Ethernet interface can be modified in the egress direction based on the original CoS
priority of the packets.

Context

If the Ethernet interface trusts a CoS priority and the default priority is not configured
with the override function, after a CoS priority remarking template in the egress direction
is used, the service CoS priority is modified according to the mapping relationship in the
template.

Steps

1. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos egress-cos cos-remark command to apply a CoS priority remarking template.
2. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos trust cos command to configure a CoS priority that an Ethernet interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Ethernet interface.

Example

1. Apply a CoS priority remarking template.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos egress-cos cos-remark test

2. Configure a CoS priority that an Ethernet interface trusts.

ZXAN(config-if-vport-1/3/1.1:1)#qos trust cos

3. Display the QoS configurations of an Ethernet interface.

ZXAN(config-if-vport-1/3/1.1:1)#show qos interface vport-1/3/1.1:1

qos trust cos

qos cos default-cos 0

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark test

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.2.7 Configuring DSCP-CoS Remarking in the Egress Direction


After a DSCP-CoS priority remarking template is used, the CoS priority of the packets on an Ethernet interface can be modified in the egress direction based on the DSCP priority of the packets.

Context

If an Ethernet interface trusts a DSCP priority, after a DSCP priority remarking template in the egress direction is used, the service CoS priority can be modified according to the mapping relationship in the template.

Steps

1. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos egress-cos dscp-remark command to apply a DSCP priority remarking template.
2. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos trust dscp command to configure a DSCP priority that an Ethernet interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Ethernet interface.

Example

1. Apply a DSCP priority remarking template.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#qos egress-cos dscp-remark test

2. Configure a DSCP priority that an Ethernet interface trusts.

ZXAN(config-if-xgei-1/1/1)#qos trust dscp

3. Display the QoS configurations of an Ethernet interface.

ZXAN(config-if-xgei-1/1/1)#show qos interface xgei-1/1/1

qos trust dscp

qos cos default-cos 0

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark test

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.2.8 Configuring the Queue Depth


This procedure describes how to modify the queue depth of an Ethernet interface after a
queue configuration template is used.

Steps

1. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos queue-conf-profile command to apply a queue configuration template.

Example

Apply a queue configuration template on an Ethernet interface.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#qos queue-conf-profile test

3.2.9 Configuring Traffic Shaping


After a traffic template is used, traffic shaping is implemented on an Ethernet interface.
Traffic can be delayed through the buffering mechanism after the traffic threshold is
reached.

Steps

1. In ZXAN(config-if-xgei-1/x/x)# mode, run the qos traffic-shaping command to apply a traffic template.

Example

Apply a traffic template on an Ethernet interface.


ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#qos traffic-shaping test

3.3 QoS Configuration for the Vport Interface


3.3.1 Configuring the Priority Type to Trust

This procedure describes how to configure a Vport interface of the ONU to trust either CoS priority or DSCP priority.

Context

- If a Vport interface trusts a CoS priority, the CoS priority of a packet is marked according to the override > cos-remark > trust priority sequence based on the CoS priority in the ingress direction.
- If a Vport interface trusts a DSCP priority, the CoS priority of a packet is marked based on the DSCP-to-CoS mapping relationship.

Steps

1. In ZXAN(config-if-vport-1/x/x.x)# mode, run the qos trust command to configure a priority that a Vport interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Vport interface.

Example

1. Configure the priority type that a Vport interface trusts.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos trust cos

2. Display the QoS configurations of a Vport interface.

ZXAN(config-if-vport-1/3/1.1:1)#show qos interface vport-1/3/1.1:1

qos trust cos

qos cos default-cos 0

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.3.2 Configuring the Default CoS Priority


After the default priority is configured, the default CoS priority can be added for untagged packets on a Vport interface of the ONU.

Context

If a Vport interface trusts a CoS priority, subsequent packets can be processed as follows.
- If the override function is configured, all CoS priorities of the services on a virtual port are forcibly modified as the default CoS priority, including those of untagged packets.
- If the override function is not configured, the default CoS priority is valid for only untagged packets.

Steps

1. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos cos default-cos command to configure the default CoS priority.

Verification

You can use the show qos interface command to display the QoS configurations of the
Vport interface.

Example

1. Configure the default CoS priority.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos cos default-cos 5 override

2. Display the QoS configurations of a Vport interface.

ZXAN(config-if-vport-1/3/1.1:1)#show qos interface vport-1/3/1.1:1

qos trust cos

qos cos default-cos 5 override

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.3.3 Configuring CoS Priority Remarking


After a CoS priority remarking template is used, the CoS priority of the packets on a
Vport interface of the ONU can be modified based on the original CoS priority of the
packets.

Context

If a Vport interface trusts a CoS priority and the default priority is not configured with the
override function, after a CoS priority remarking template is configured, the service CoS
priority is modified according to the mapping relationship in the template.

Steps

1. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos cos cos-remark command to apply a CoS priority remarking template.
2. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos trust cos command to configure a CoS priority that a Vport interface trusts.

Verification

You can use the show qos interface command to display the QoS configuration of the
Vport interface.

Example

1. Apply a CoS priority remarking template on a Vport interface.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos cos cos-remark test

2. Configure a CoS priority that a Vport interface trusts.

ZXAN(config-if-vport-1/3/1.1:1)#qos trust cos

3. Display the QoS configurations of a Vport interface.

ZXAN(config-if-vport-1/3/1.1:1)#show qos interface vport-1/3/1.1:1

qos trust cos

qos cos default-cos 0

qos cos cos-remark test

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.3.4 Configuring DSCP-CoS Priority Remarking


After a DSCP-CoS priority remarking template is used, the CoS priority of the packets
on a Vport interface can be modified based on the DSCP priority of the packets.

Context

If a Vport interface trusts a DSCP priority, after a DSCP priority remarking template is
used, the service CoS priority can be modified according to the mapping relationship in
the template.

Steps

1. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos cos dscp-remark command to apply a DSCP priority remarking template.
2. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos trust dscp command to configure a DSCP priority that a Vport interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Vport interface.

Example

1. Apply a DSCP priority remarking template.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos cos dscp-remark test

2. Configure a DSCP priority that a Vport interface trusts.

ZXAN(config-if-vport-1/3/1.1:1)#qos trust dscp

3. Display the QoS configurations of a Vport interface.

ZXAN(config-if-vport-1/3/1.1:1)#show qos interface vport-1/3/1.1:1

qos trust dscp

qos cos default-cos 0

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark test

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.3.5 Configuring DSCP Priority Remarking


After a DSCP priority remarking template is configured, the DSCP priority of the packets
on a Vport interface of the ONU can be modified based on the original DSCP priority of
the packets.

Context

If a Vport interface trusts a DSCP priority, after a DSCP priority remarking template is configured, the service DSCP priority can be modified according to the mapping relationship in the template.

Steps

1. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos dscp dscp-remark command to apply a DSCP priority remarking template.
2. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos trust dscp command to configure a DSCP priority that a Vport interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Vport interface.

Example

1. Apply a DSCP priority remarking template on a Vport interface.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos dscp dscp-remark test

2. Configure a DSCP priority that a Vport interface trusts.

ZXAN(config-if-vport-1/3/1.1:1)#qos trust dscp

3. Display the QoS configurations of a Vport interface.

ZXAN(config-if-vport-1/3/1.1:1)#show qos interface vport-1/3/1.1:1

qos trust dscp

qos cos default-cos 0

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark test

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.3.6 Configuring CoS Remarking in the Egress Direction


After a CoS priority remarking template is configured, the CoS priority of the packets on a Vport interface of the ONU can be modified in the egress direction based on the original CoS priority of the packets.

Context

If a Vport interface trusts a CoS priority and the default priority is not configured with the override function, after a CoS priority remarking template is used, the service CoS priority is modified according to the mapping relationship in the template.

Steps

1. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos egress-cos cos-remark command to apply a CoS priority remarking template.
2. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos trust cos command to configure a CoS priority that a Vport interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Vport interface.

Example

1. Apply a CoS priority remarking template on a Vport interface.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos egress-cos cos-remark test

2. Configure a CoS priority that a Vport interface trusts.

ZXAN(config-if-vport-1/3/1.1:1)#qos trust cos

3. Display the QoS configurations of a Vport interface.

ZXAN(config-if-vport-1/3/1.1:1)#show qos interface vport-1/3/1.1:1

qos trust cos

qos cos default-cos 0

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark test

qos egress-cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.3.7 Configuring DSCP-CoS Remarking in the Egress Direction


After a DSCP-CoS priority remarking template is used, the CoS priority of the packets
on a Vport interface of the ONU can be modified in the egress direction based on the
DSCP priority of the packets.

Context

If a Vport interface trusts a DSCP priority, after a DSCP priority remarking template in
the egress direction is used, the service CoS priority can be modified according to the
mapping relationship in the template.

Steps

1. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos egress-cos dscp-remark command to apply a DSCP priority remarking template.
2. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos trust dscp command to configure a DSCP priority that a Vport interface trusts.

Verification

You can use the show qos interface command to display the QoS configurations of the
Vport interface.

Example

1. Apply a DSCP priority remarking template on a Vport interface.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos egress-cos dscp-remark test

2. Configure a DSCP priority that a Vport interface trusts.

ZXAN(config-if-vport-1/3/1.1:1)#qos trust dscp

3. Display the QoS configurations of a Vport interface.

ZXAN(config-if-vport-1/3/1.1:1)#show qos interface vport-1/3/1.1:1

qos trust dscp

qos cos default-cos 0

qos cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos cos dscp-remark _DEFAULT_DSCP_TO_COS_PROFILE

qos dscp dscp-remark _DEFAULT_DSCP_TO_DSCP_PROFILE

qos egress-cos cos-remark _DEFAULT_COS_TO_COS_PROFILE

qos egress-cos dscp-remark test

qos queue-conf-profile _DEFAULT_QUEUE_CONF_PROFILE

3.3.8 Configuring the Queue Depth


This procedure describes how to modify the queue depth of a Vport interface of the
ONU after a queue configuration template is used.

Steps

1. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos queue-conf-profile command to apply a queue configuration template.

Example

Apply a queue configuration template on a Vport interface.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos queue-conf-profile test

3.3.9 Configuring Traffic Shaping


After a traffic template is used, traffic shaping is implemented on a Vport interface of the
ONU. After the traffic threshold is reached, follow-up traffic can be delayed through the
buffering mechanism.

Steps

1. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos traffic-shaping command to apply a traffic template.

Example

Apply a traffic template on a Vport interface.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos traffic-shaping test

3.3.10 Configuring a Traffic Policy


This procedure describes how to configure a traffic policy so that the traffic rate can be restricted on a Vport interface of the ONU and excessive traffic can be discarded in receiving or sending direction.

Steps

1. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the qos traffic-policy command to configure a traffic policy.

Example

Configure a traffic policy on a Vport interface to restrict the traffic rate in receiving direction.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#qos traffic-policy test direction ingress



Chapter 4 Configuring an ACL

This procedure describes how to configure an ACL and apply it to interfaces.

Context

Network devices filter data packets and control policy-based routing and special traffic
through an ACL. A number of rules are configured for an ACL to identify the packets to
be filtered, and corresponding packets are accepted or rejected based on a preset policy.
An ACL is composed of one or more statements. Each statement accepts or rejects traffic
based on a specified parameter. The ACL compares the traffic with each statement in
the list until it finds a matching statement or all statements are compared. The last
statement of an ACL is an implicit reject statement.

Steps

1. In ZXAN(config)# mode, run the acl number command to create an ACL.


2. In ZXAN(config-acl-xx)# mode, run the rule command to create rules for the ACL.
3. In ZXAN(config-if-xgei-1/x/x)# or ZXAN(config-if-vport-1/x/x.x:x)# mode, run the
ip access-group command to apply the ACL.

Verification

• You can use the show acl command to display the ACL configuration.
• You can use the show access-list bound command to display the interface bound
to the ACL.

Example

1. Create an ACL.

ZXAN(config)#acl number 101

ZXAN(config-acl-101)#

2. Configure rules for the ACL.

ZXAN(config-acl-101)#rule 1 deny any any any arp

ZXAN(config-acl-101)#rule 2 deny any any 192.168.1.0 0.0.0.255 ipv4 src-mac 0000.0001.0000 0000.0000.ffff

ZXAN(config-acl-101)#rule 3 permit any any any any

ZXAN(config-acl-101)#exit

3. Apply the ACL in Vport interface mode.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#ip access-group 101 in

4. Display the ACL configurations.

ZXAN(config-if-vport-1/3/1.1:1)#show acl

acl number 101

rule 1 deny any any any arp

rule 2 deny any any 192.168.1.0 0.0.0.255 ipv4 src-mac 0000.0001.0000 0000.0000.ffff

rule 3 permit any any any any

5. Display the interface bound to the ACL.

ZXAN(config-if-vport-1/3/1.1:1)#show access-list bound

Interface Direction Acl number

vport-1/3/1.1:1 in 101
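
The first-match and implicit-reject behaviour described under Context, modelled on ACL 101 from this example. This is an added Python illustration, not ZTE code. It assumes that the address/wildcard pair in rule 2 matches the source IP, that set bits in the IP and MAC wildcards mean "ignore this bit", and that rules are evaluated in ascending rule number; the page states none of these.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Convert dotted MAC notation (0000.0001.0000) to an integer."""
    return int(mac.replace(".", ""), 16)


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Compare only the bits that the wildcard leaves unmasked (0 bits)."""
    return (value & ~wildcard) == (pattern & ~wildcard)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                                # "permit" or "deny"
    ethertype: Optional[str] = None            # None stands for "any"
    src_ip: Optional[Tuple[str, str]] = None   # (address, wildcard); assumed source IP
    src_mac: Optional[Tuple[str, str]] = None  # (address, wildcard)

    def matches(self, pkt: dict) -> bool:
        """A rule matches only if every field it specifies matches."""
        if self.ethertype is not None and pkt["ethertype"] != self.ethertype:
            return False
        if self.src_ip is not None:
            if "src_ip" not in pkt:
                return False
            addr, wc = map(ip_to_int, self.src_ip)
            if not wildcard_match(ip_to_int(pkt["src_ip"]), addr, wc):
                return False
        if self.src_mac is not None:
            addr, wc = map(mac_to_int, self.src_mac)
            if not wildcard_match(mac_to_int(pkt["src_mac"]), addr, wc):
                return False
        return True


def evaluate(rules, pkt):
    """Return (action, rule_id) of the first matching rule.

    rule_id is None when no rule matched and the implicit reject applied.
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return "deny", None


# ACL 101 as configured in the example (field meanings are assumptions).
ACL_101 = [
    Rule(1, "deny", ethertype="arp"),
    Rule(2, "deny", ethertype="ipv4",
         src_ip=("192.168.1.0", "0.0.0.255"),
         src_mac=("0000.0001.0000", "0000.0000.ffff")),
    Rule(3, "permit"),
]

# Constructed sample packets (not captured traffic).
ARP_PKT = {"ethertype": "arp", "src_mac": "0000.0002.0001"}
BLOCKED_HOST = {"ethertype": "ipv4", "src_ip": "192.168.1.77", "src_mac": "0000.0001.abcd"}
OTHER_MAC = {"ethertype": "ipv4", "src_ip": "192.168.1.77", "src_mac": "0000.0002.abcd"}
OTHER_NET = {"ethertype": "ipv4", "src_ip": "10.0.0.1", "src_mac": "0000.0001.0001"}

if __name__ == "__main__":
    for name, pkt in [("arp", ARP_PKT), ("blocked host", BLOCKED_HOST),
                      ("other MAC", OTHER_MAC), ("other net", OTHER_NET)]:
        print(name, evaluate(ACL_101, pkt))
    # Without the explicit permit in rule 3, unmatched traffic hits the implicit reject.
    print("without rule 3:", evaluate(ACL_101[:2], OTHER_NET))
```

Dropping rule 3 from the list shows why an ACL that only contains deny rules blocks everything once it is bound to an interface.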



Chapter 5 Configuring STP

The ZXA10 C610 supports MSTP and is compatible with SSTP and RSTP. The default
protocol type of the ZXA10 C610 is MSTP. Each STP mode is fully compatible and
interoperable with the other two modes. This procedure uses MSTP as an example.

Context

The ZXA10 C610 supports three STP modes.

• SSTP
SSTP complies with IEEE 802.1d and is compatible with STP, RSTP, and MSTP. The
bridges in SSTP mode are fully interactive with the bridges in RSTP or MSTP mode.
• RSTP
RSTP complies with IEEE 802.1w and converges faster than SSTP. When the network
topology changes, the state of a redundant port in a point-to-point connection can
change rapidly (Discard → Forward).
• MSTP
MSTP complies with IEEE 802.1s and adds instances and VLAN mapping. Both SSTP
and RSTP can be regarded as a special MSTP mode, in which only one instance (0)
exists. In addition, MSTP supports fast convergence and load balancing in VLANs.
In SSTP or RSTP mode, no VLAN is used. Each port has one status only, meaning
that a port has the same forwarding status in different VLANs.
In MSTP mode, multiple spanning-tree instances may exist, and the forwarding status
of a port in different VLANs may be different. Within an MST area, multiple
independent subtree instances can be generated to implement load balancing.
MSTP is applicable to a redundant network. Traffic can be rapidly converged. In
addition, the traffic in different VLANs can be delivered along different paths. Thus a
desirable load sharing mechanism is provided for redundant links.


Steps

1. In ZXAN(config)# mode, run the spantree command to enter STP configuration
mode.
2. In ZXAN(config-stp-0)# mode, run the enable command to enable the STP.
3. In ZXAN(config-stp-0)# mode, run the mode command to configure the STP type.
4. (Optional) In ZXAN(config-stp-0)# mode, run the mst hmd5-key command to
configure an MST key.

Note

The MSTP packet format of the devices from Cisco and Huawei does not meet all
the requirements of IEEE. When interconnecting the ZXA10 C610 with a device from
these vendors, you must configure the values of KEY and DIGEST to interconnect
the devices in an area.

5. (Optional) In ZXAN(config-stp-0)# mode, run the mst hmd5-digest command to
configure Digest.
6. In ZXAN(config-stp-0)# mode, run the mst name command to configure the MST
name.
7. In ZXAN(config-stp-0)# mode, run the mst revision command to configure the MST
version.
8. In ZXAN(config-stp-0)# mode, run the mst vlan instance command to configure an
MST instance.
In SSTP and RSTP modes, the ZXA10 C610 has only one instance: 0, which indicates
Common and Internal Spanning Tree (CIST). In MSTP mode, the default instance 0
cannot be deleted.
If interconnected devices meet all of the following conditions, they are considered to
be in the same MST area:
• They have the same MST name.
• They have the same MST version.
• They have the same INS-VLAN mapping table.
• They are physically interconnected.
9. In ZXAN(config-stp-0)# mode, run the mst priority command to configure the
priority of the local bridge.
10. In ZXAN(config-xgei-1/x/x)# mode, run the switchport vlan command to configure
an interface VLAN.
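
How the same-area conditions in step 8 are compared between bridges: under IEEE 802.1Q each bridge advertises its MST name, revision and a Configuration Digest, which is HMAC-MD5 over the VLAN-to-instance table keyed with a fixed value, the same value the example on this page passes to mst hmd5-key. The following Python code is an added example, not ZTE code; the function names are illustrative, and how the C610 applies its vendor-specific hmd5-key and hmd5-digest settings is not described on this page.

```python
import hashlib
import hmac
import struct

# Configuration Digest Signature Key fixed by IEEE 802.1Q.
IEEE_MST_KEY = bytes.fromhex("13ac06a62e47fd51f95d2ba243cd0346")


def parse_vlan_list(spec: str) -> set:
    """Expand a VLAN list such as '10-20,30' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def build_table(instance_vlans: dict) -> bytes:
    """Build the 4096-entry VID-to-MSTID table, two big-endian octets per entry.

    instance_vlans maps an MST instance ID to a VLAN list string. VLANs that
    are not listed stay in instance 0 (CIST); entries 0 and 4095 are always 0.
    """
    table = [0] * 4096
    for mstid, spec in instance_vlans.items():
        if not 1 <= mstid <= 4094:
            raise ValueError(f"invalid instance ID: {mstid}")
        for vid in parse_vlan_list(spec):
            if table[vid] not in (0, mstid):
                raise ValueError(f"VLAN {vid} is mapped to two instances")
            table[vid] = mstid
    return struct.pack(">4096H", *table)


def config_digest(instance_vlans: dict, key: bytes = IEEE_MST_KEY) -> str:
    """HMAC-MD5 of the mapping table, as carried in MST BPDUs."""
    return hmac.new(key, build_table(instance_vlans), hashlib.md5).hexdigest()


def region_id(name: str, revision: int, instance_vlans: dict) -> tuple:
    """The (name, revision, digest) triple that identifies an MST area."""
    return (name, revision, config_digest(instance_vlans))


def same_region(a: tuple, b: tuple) -> bool:
    """Two bridges share an MST area only if all three fields are equal."""
    return a == b


if __name__ == "__main__":
    # Values from the example on this page: name zte, revision 10, VLANs 10-20 in instance 1.
    local = region_id("zte", 10, {1: "10-20"})
    peer_drifted = region_id("zte", 10, {1: "10-21"})  # constructed: one extra VLAN
    print("local digest   :", local[2])
    print("drifted digest :", peer_drifted[2])
    print("same area      :", same_region(local, peer_drifted))
    print("all-CIST digest:", config_digest({}))
```

A single VLAN of drift in the mapping changes the digest, so the peer is treated as a different area even though the name and revision still match.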


Verification

• You can use the show spantree mst-config command to display the MSTP
configurations.
• You can use the show spantree instance command to display the instance
configurations.

Example

1. Enable the STP.

ZXAN(config)#spantree

ZXAN(config-stp-0)#enable

2. Configure the STP type.

ZXAN(config-stp-0)#mode mstp

3. (Optional) Configure the values of MST Key and Digest.

ZXAN(config-stp-0)#mst hmd5-key cisco 0x13ac06a62e47fd51f95d2ba243cd0346

ZXAN(config-stp-0)#mst hmd5-digest cisco 0x13ac06a62e47fd51f95d2ba243cd0346

4. Set the MST name and version.

ZXAN(config-stp-0)#mst name zte

ZXAN(config-stp-0)#mst revision 10

5. Configure an MST instance.

ZXAN(config-stp-0)#mst vlans 10-20 instance 1

ZXAN(config-stp-0)#mst priority 4096 instance 1

6. Configure a port VLAN.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#switchport vlan 10 tag

7. Display MSTP configurations.

ZXAN(config-stp-0)#show spantree mst-config

spantree mode: [MSTP]

CISCO HMD5-key : 0x13ac06a62e47fd51f95d2ba243cd0346

CISCO HMD5-digest : 0x13ac06a62e47fd51f95d2ba243cd0346

HUAWEI HMD5-key : 0x13ac06a62e47fd51f95d2ba243cd0346

HUAWEI HMD5-digest : 0x00000000000000000000000000000000

Name : [zte]

Revision : 10

Instance Vlans mapped

-------- --------------------------------------------------------


0 1-9,21-4094

1 10-20

8. Display instance configurations.

ZXAN(config-stp-0)#show spantree instance 1

MST01

Spantree enabled protocol MSTP

RegRootID: Priority 4097; Address 00a2.b3c4.d511

Hello-Time 2 sec; Max-Age 20 sec

Forward-Delay 15 sec;

BridgeID: Priority 4097; Address 00a2.b3c4.d511

Hello-Time 2 sec; Max-Age 20 sec

Forward-Delay 15 sec; Max-Hops 20

Message-Age 0 sec; RemainHops 20

Interface Prio.Nbr

Name Port ID Cost State Role Type Bound

-------------------------------------------------------------------------



Chapter 6 DHCP Configuration

Table of Contents
Configuring DHCP Snooping
Configuring the DHCP Relay
Configuring the DHCP Server
Configuring the DHCP Client

ZXA10 C610 supports the following DHCP applications:

• DHCP snooping
• DHCP relay
• DHCP server
• DHCP client (including IPv6 DHCP client)
ZXA10 C610 can serve as both DHCP Server and DHCP Relay to forward DHCP
information. The two functions cannot be used on the same VLAN interface at the same time.

6.1 Configuring DHCP Snooping


After DHCP Snooping is configured on the ZXA10 C610, it listens to the DHCP
exchanges on the ports of specified users, extracts the IP addresses and MAC
addresses, and establishes a DHCP Snooping binding table. This table is the basis for the
IP source guard function.

Steps

1. In ZXAN(config)# mode, run the ip dhcp snooping enable command to enable the
global DHCP Snooping function.
2. In ZXAN(config-xgei-1/x/x)# mode, run the switchport vlan command to configure
an interface VLAN.
3. In ZXAN(config)# mode, run the ip dhcp snooping vlan command to enable the
DHCP Snooping function of a VLAN.
4. In ZXAN(config-if-vport-1/x/x.x)# mode, run the service-port command to
configure an interface VLAN.


Verification

You can use the show ip dhcp snooping dynamic database command to display DHCP
Snooping information.

Example

1. Enable the global DHCP Snooping function.

ZXAN(config)#ip dhcp snooping enable

2. Configure an uplink port VLAN.

ZXAN(config)#interface xgei-1/1/1

ZXAN(config-if-xgei-1/1/1)#switchport vlan 100 tag

ZXAN(config-if-xgei-1/1/1)#exit

3. Enable the DHCP Snooping function of the VLAN.

ZXAN(config)#ip dhcp snooping vlan 100

4. Configure a Vport interface VLAN.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#service-port 1 user-vlan 100 vlan 100

ZXAN(config-if-vport-1/3/1.1:1)#exit

5. Display the configurations of the DHCP Snooping VLAN.

ZXAN(config)#show ip dhcp snooping vlan

DHCP snooping state on vlans

Vlan State

-------------------------------

100 enable

6. Display the dynamic information of the DHCP Snooping function.

ZXAN(config)#show ip dhcp snooping dynamic database

Current bind users are 2.

Index MAC addr       IP addr    VLAN State   Interface       Expiration        Remaining
1     0000.1100.0721 101.0.0.10 100  dynamic vport-1/3/1.1:1 16:02:34 4/9/2018 0:44:48
2     0000.1100.0722 101.0.0.10 100  dynamic vport-1/3/1.1:1 16:03:34 4/9/2018 0:45:48
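
A binding table like the one shown in step 6 can be audited offline. The following Python code is an added example, not ZTE code: it parses rows in that column layout (constructed sample, with wrapped cells joined onto one line), reports IP addresses bound to more than one MAC, as both entries in the output above are, counts bindings per interface, and models a source-guard lookup on the assumption that the guard matches interface, VLAN, MAC and IP together.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample in the column layout of the show output above.
SAMPLE = """\
Index MAC addr       IP addr    VLAN State   Interface       Expiration        Remaining
1     0000.1100.0721 101.0.0.10 100  dynamic vport-1/3/1.1:1 16:02:34 4/9/2018 0:44:48
2     0000.1100.0722 101.0.0.10 100  dynamic vport-1/3/1.1:1 16:03:34 4/9/2018 0:45:48
3     0000.1100.0801 101.0.0.11 100  dynamic vport-1/3/1.2:1 16:05:10 4/9/2018 0:47:24
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    state: str
    interface: str


def parse_bindings(text: str) -> list:
    """Parse data rows; header and summary lines are skipped."""
    bindings = []
    for line in text.splitlines():
        fields = line.split()
        # A data row starts with a numeric index and has nine columns.
        if len(fields) != 9 or not fields[0].isdigit():
            continue
        _, mac, ip, vlan, state, interface, _time, _date, _remaining = fields
        bindings.append(Binding(mac.lower(), ip, int(vlan), state, interface))
    return bindings


def duplicate_ips(bindings: list) -> dict:
    """Return {(vlan, ip): [macs]} for addresses bound to more than one MAC."""
    owners = defaultdict(set)
    for b in bindings:
        owners[(b.vlan, b.ip)].add(b.mac)
    return {key: sorted(macs) for key, macs in owners.items() if len(macs) > 1}


def bindings_per_interface(bindings: list) -> dict:
    """Count leases per interface; one port holding many leases deserves a look."""
    return dict(Counter(b.interface for b in bindings))


def source_guard_permits(bindings, interface, vlan, mac, ip) -> bool:
    """Model of a source-guard lookup (assumed to match all four fields)."""
    return any(
        b.interface == interface and b.vlan == vlan
        and b.mac == mac.lower() and b.ip == ip
        for b in bindings
    )


if __name__ == "__main__":
    table = parse_bindings(SAMPLE)
    print("duplicate IPs:", duplicate_ips(table))
    print("per interface:", bindings_per_interface(table))
    print("legit frame  :", source_guard_permits(
        table, "vport-1/3/1.2:1", 100, "0000.1100.0801", "101.0.0.11"))
    print("spoofed IP   :", source_guard_permits(
        table, "vport-1/3/1.2:1", 100, "0000.1100.0801", "101.0.0.99"))
```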


6.2 Configuring the DHCP Relay


When the DHCP client and DHCP server do not work in the same network segment, the
DHCP relay is required. A ZXA10 C610 can work as the DHCP relay to forward users'
DHCP requests to the specified DHCP server.

Context

The ZXA10 C610 supports the DHCP relay and DHCP proxy functions. The DHCP
proxy mode is the extension of the DHCP relay mode, which can quickly detect whether
a user is offline.

Steps

1. In ZXAN(config)# mode, run the dhcp command to enter DHCP configuration
mode.
2. In ZXAN(config-dhcp)# mode, run the enable command to enable the global DHCP
function.
3. In ZXAN(config-if-vlanid)# mode, run the ip address command to configure the
layer 3 interface IP address.
4. In ZXAN(config-dhcp-if-vlanid)# mode, run the mode relay command to configure
the DHCP relay function on the VLAN interface.
5. In ZXAN(config-dhcp-if-vlanid)# mode, run the relay agent command to configure
the DHCP relay IP address.

Note

The IP address of the relay agent should be consistent with the IP address of the
VLAN interface.

6. In ZXAN(config)# mode, run the ip dhcp relay server group command to create a
DHCP server group.
7. In ZXAN(config-dhcp-server-group)# mode, run the algorithm command to
configure the server polling algorithm.
8. In ZXAN(config-dhcp-server-group)# mode, run the server command to configure
the DHCP server IP address.
9. In ZXAN(config-dhcp-if-vlanid)# mode, run the relay server group command to
configure the DHCP relay server on the layer-3 interface.
10. In ZXAN(config-dhcp-if-vlanid)# mode, run the relay forward mode command to
configure the forwarding mode of the DHCP relay server on the layer-3 interface.


Verification

You can use the show ip dhcp relay user command to query the DHCP relay users.

Example

Table 6-1 lists the configuration data of the DHCP relay.

Table 6-1 Configuration Data of DHCP Relay

Item                             Data
Global DHCP                      Enable
Network side layer 3 interface   • VLAN ID: 100
                                 • IP address: 10.1.1.1/24
User side layer 3 interface      • VLAN ID: 200
                                 • IP address: 20.1.1.1/24
DHCP server group                • Group ID: 1
                                 • Algorithm: forward-all
                                 • IP address: 10.1.1.2
                                 • DHCP forwarding mode: security

1. Enable the global DHCP function.

ZXAN(config)#dhcp

ZXAN(config-dhcp)#enable

2. Configure the layer 3 interface IP address on the network side.

ZXAN(config)#interface vlan100

ZXAN(config-if-vlan100)#ip address 10.1.1.1 255.255.255.0

ZXAN(config-if-vlan100)#exit

3. Configure the layer 3 interface IP address on the user side.

ZXAN(config)#interface vlan200

ZXAN(config-if-vlan200)#ip address 20.1.1.1 255.255.255.0

ZXAN(config-if-vlan200)#exit

4. On the user side VLAN interface, configure DHCP relay mode.

ZXAN(config)#dhcp

ZXAN(config-dhcp)#interface vlan200

ZXAN(config-dhcp-if-vlan200)#mode relay

ZXAN(config-dhcp-if-vlan200)#relay agent 20.1.1.1

ZXAN(config-dhcp-if-vlan200)#exit

ZXAN(config-dhcp)#exit

5. Configure the DHCP relay server.


ZXAN(config)#ip dhcp relay server group 1

ZXAN(config-dhcpr-server-group)#algorithm forward-all

ZXAN(config-dhcpr-server-group)#server 1 10.1.1.2

ZXAN(config-dhcpr-server-group)#exit

ZXAN(config-dhcp)#exit

6. On the VLAN interface, configure the DHCP relay server and forwarding mode.

ZXAN(config)#dhcp

ZXAN(config-dhcp)#interface vlan200

ZXAN(config-dhcp-if-vlan200)#relay server group 1

ZXAN(config-dhcp-if-vlan200)#relay forward mode security

6.3 Configuring the DHCP Server


After you configure the DHCP server function, the ZXA10 C610 can work as a DHCP
server to allocate IP addresses to subscribers.

Steps

1. In ZXAN(config)# mode, run the dhcp command to enter DHCP configuration
mode.
2. In ZXAN(config-dhcp)# mode, run the enable command to enable the global DHCP
function.
3. In ZXAN(config-if-vlanid)# mode, run the ip address command to configure the
layer 3 interface IP address.
4. In ZXAN(config-dhcp-if-vlanid)# mode, run the mode server command to
configure the DHCP server function on the VLAN interface.
5. In ZXAN(config-dhcp-if-vlanid)# mode, run the policy command to configure the
DHCP policy on the VLAN interface.
6. In ZXAN(config)# mode, run the ip dhcp policy command to create a DHCP policy.
7. In ZXAN(config-dhcp-policy)# mode, run the dhcp pool command to apply a
DHCP pool to the policy.
8. In ZXAN(config)# mode, run the ip dhcp pool command to create a DHCP IP
address pool.
9. In ZXAN(config-dhcp-pool)# mode, run the ip-pool command to apply an IP
address pool to the DHCP IP address pool.
10. In ZXAN(config-dhcp-pool)# mode, run the default-router command to configure
the default router.
11. In ZXAN(config)# mode, run the ip pool command to create an IP address pool.


12. In ZXAN(config-ip-pool)# mode, run the range command to configure the IP
address pool for DHCP clients.

Verification

You can use the show ip dhcp server user interface command to query the DHCP server
clients.

Example

Table 6-2 lists the configuration data of the DHCP server.

Table 6-2 Configuration Data of DHCP Server

Item                    Data
Global DHCP status      enable
DHCP server interface   • VLAN ID: 100
                        • Policy: zte
DHCP policy             • Name: zte
                        • DHCP IP address pool: zte
DHCP IP address pool    • Name: zte
                        • Level: 1
                        • IP pool: zte
                        • Default router: 200.1.1.5
IP address pool         • Name: zte
                        • Range: 200.1.1.2 – 200.1.1.200

1. Enable the global DHCP function.

ZXAN(config)#dhcp

ZXAN(config-dhcp)#enable

2. Configure DHCP mode and policy on the DHCP server interface.

ZXAN(config)#dhcp

ZXAN(config-dhcp)#interface vlan100

ZXAN(config-dhcp-if-vlan100)#mode server

ZXAN(config-dhcp-if-vlan100)#policy zte

ZXAN(config-dhcp-if-vlan100)#exit

ZXAN(config-dhcp)#exit

3. Configure the DHCP policy.

ZXAN(config)#ip dhcp policy zte 1

ZXAN(config-dhcp-policy)#dhcp-pool zte

ZXAN(config-dhcp-policy)#exit


4. Apply an IP address pool to the DHCP IP address pool.

ZXAN(config)#ip dhcp pool zte

ZXAN(config-dhcp-pool)#ip-pool zte

ZXAN(config-dhcp-pool)#default-router 200.1.1.5

5. Configure the IP address pool for DHCP clients.

ZXAN(config)#ip pool zte

ZXAN(config-ip-pool)#range 200.1.1.2 200.1.1.200 255.255.255.0

ZXAN(config-ip-pool)#exit

6.4 Configuring the DHCP Client


A ZXA10 C610 can work as a client to acquire an IP address from a DHCP server.

Steps

1. In ZXAN(config)# mode, run the dhcp command to enter DHCP configuration
mode.
2. In ZXAN(config-dhcp)# mode, run the enable command to enable the global DHCP
function.
3. In ZXAN(config-dhcp-if-vlanid)# mode, run the mode client command to configure
the DHCP client function on the VLAN interface.
4. In ZXAN(config-dhcp-if-vlanid)# mode, run the client start command to configure
the VLAN interface to acquire an IP address.
5. (Optional) In ZXAN(config-dhcp-if-vlanid)# mode, run the client stop command to
release the IP address.

Verification

Run the show ip dhcp client runr interface command to query the interface IP address.

Example

1. Enable the global DHCP function.

ZXAN(config)#dhcp

ZXAN(config-dhcp)#enable

2. Configure DHCP client mode on the VLAN interface.

ZXAN(config-dhcp)#interface vlan300

ZXAN(config-dhcp-if-vlan300)#mode client

3. Acquire an IP address.

ZXAN(config-dhcp-if-vlan300)#client start



Chapter 7 Uplink Protection Configuration

Table of Contents
Configuring Link Aggregation
Configuring the UAPS Function

The ZXA10 C610 uses dual uplink protection mechanisms to ensure proper and stable
services. When the ZXA10 C610 is physically disconnected from upper-layer devices
and services are interrupted, the ZXA10 C610 automatically switches to the standby line
so that services can be recovered rapidly.

7.1 Configuring Link Aggregation


This procedure describes how to configure link aggregation to implement load sharing and
protection on uplink ports.

Prerequisite

The peer device is configured with link aggregation and has the same working rate and
VLAN attributes as those of the local end.

Context

The ZXA10 C610 supports two link aggregation modes.

• Static aggregation mode
Multiple physical interfaces are directly added to a trunk group to form a logical port.
This mode is unfavorable for observing the status of a link aggregation port.
• LACP
Multiple physical interfaces are dynamically aggregated into a trunk group to form a
logical port. Thus egress and ingress traffic load sharing is implemented on member
interfaces. LACP aggregates ports to obtain the maximum bandwidth.
The link aggregation function of the ZXA10 C610 abides by the following rules:
• Up to 8 trunk groups are allowed, and up to 8 member interfaces are allowed for
each trunk group.
• Aggregation across interface boards is allowed and member interfaces can be
distributed on any interface board.
• Member interfaces must operate in full duplex mode and have the same work rate
and VLAN attributes.
The logical interface formed on the ZXA10 C610 after link aggregation is named
smartgroup and has the same attributes as the default VLAN of common Ethernet interfaces.

Steps

1. In ZXAN(config)# mode, run the interface xgei-1/x/x command to enter uplink
interface configuration mode.
2. In ZXAN(config-if-xgei-1/x/x)# mode, run the switchport mode command to
configure interface mode.
3. In ZXAN(config-if-xgei-1/x/x)# mode, run the switchport vlan command to
configure interface VLAN.
4. In ZXAN(config-if-xgei-1/x/x)# mode, run the no shutdown command to enable
the interface.
5. In ZXAN(config)# mode, run the interface smartgroupid command to create a
smartgroup.
6. In ZXAN(config-if-smartgroupid)# mode, run the switchport mode command to
configure smartgroup mode.
7. In ZXAN(config-if-smartgroupid)# mode, run the switchport vlan command to
configure smartgroup VLAN.

Note

Before an interface is added to a smartgroup, its VLAN configurations and switchport
mode must be the same as those of the smartgroup.

8. In ZXAN(config)# mode, run the lacp command to enter LACP configuration mode.
9. In ZXAN(config-lacp)# mode, run the interface smartgroup command to create an
aggregation group.
10. In ZXAN(config-lacp-sg-if-smartgroupx)# mode, run the lacp load-balance
command to configure the load sharing mode for the aggregation group.

Note

The ZXA10 C610 supports load sharing based on the source IP address, destination
IP address, both the source and destination IP addresses, source MAC address,
destination MAC address, or both the source and destination MAC addresses. The
default value is based on both the source and destination MAC addresses.

11. In ZXAN(config-lacp-sg-if-smartgroupx)# mode, run the lacp mode command to
configure the aggregation group operation mode.
12. In ZXAN(config-lacp-member-if-xgei-1/x/x)# mode, run the smartgroup command
to add an interface into an aggregation group and configure the interface aggregation
mode.

Note

The ZXA10 C610 supports three interface aggregation modes.

• On: Static aggregation trunk mode. The interfaces involved in aggregation must
be set to this mode.
• Active: active LACP negotiation mode
• Passive: passive LACP negotiation mode
It is recommended to set the interface aggregation mode to active on one end and
passive on the other end, or active on both ends.

Verification

You can use the show lacp counter command to display the aggregation group traffic.
You can use the show lacp internal command to display the aggregation group status.

Example

1. Configure the uplink interfaces.

ZXAN(config)#interface xgei-1/1/2

ZXAN(config-if-xgei-1/1/2)#switchport mode hybrid

ZXAN(config-if-xgei-1/1/2)#switchport vlan 100 tag

ZXAN(config-if-xgei-1/1/2)#no shutdown

ZXAN(config-if-xgei-1/1/2)#exit

ZXAN(config)#interface xgei-1/1/3

ZXAN(config-if-xgei-1/1/3)#switchport mode hybrid

ZXAN(config-if-xgei-1/1/3)#switchport vlan 100 tag

ZXAN(config-if-xgei-1/1/3)#no shutdown

ZXAN(config-if-xgei-1/1/3)#exit

2. Configure a smartgroup.

ZXAN(config)#interface smartgroup1


ZXAN(config-if-smartgroup1)#switchport mode hybrid

ZXAN(config-if-smartgroup1)#switchport vlan 100 tag

ZXAN(config-if-smartgroup1)#exit

3. Create an aggregation group.

ZXAN(config)#lacp

ZXAN(config-lacp)#interface smartgroup1

ZXAN(config-lacp-sg-if-smartgroup1)#

4. Configure the load sharing mode and operation mode for the aggregation group.

ZXAN(config-lacp-sg-if-smartgroup1)#lacp load-balance src-dst-mac

ZXAN(config-lacp-sg-if-smartgroup1)#lacp mode 802.3ad

ZXAN(config-lacp-sg-if-smartgroup1)#exit

5. Add an interface to the aggregation group and configure the interface aggregation
mode.

ZXAN(config)#lacp

ZXAN(config-lacp)#interface xgei-1/1/2

ZXAN(config-lacp-member-if-xgei-1/1/2)#smartgroup 1 mode active

ZXAN(config-lacp-member-if-xgei-1/1/2)#exit

ZXAN(config-lacp)#interface xgei-1/1/3

ZXAN(config-lacp-member-if-xgei-1/1/3)#smartgroup 1 mode active

ZXAN(config-lacp-member-if-xgei-1/1/3)#exit

6. Display the traffic of an aggregation group.

ZXAN#show lacp 1 counters

Smartgroup:1

Actor        LACPDUs        Marker       LACPDUs  Marker
Port         Tx     Rx      Tx    Rx     Err      Err
-------------------------------------------------------------------
xgei-1/1/2   2605   2548    0     0      0        0
xgei-1/1/3   2605   2556    0     0      0        0

7. Display the status of an aggregation group.

ZXAN#show lacp 1 internal

Smartgroup:1

Flags: * - Port is Active member Port

S - Port is requested in Slow LACPDUs

F - Port is requested in Fast LACPDUs

A - Port is in Active mode

P - Port is in Passive mode


Actor             Agg     LACPDUs   Port    Oper    Port    RX        Mux
Port[Flags]       State   Interval  Pri     Key     State   Machine   Machine
--------------------------------------------------------------------------------
xgei-1/1/2[SA*]   ACTIVE  30        32768   0x121   0x3d    CURRENT   COLL&DIST
xgei-1/1/3[SA*]   ACTIVE  30        32768   0x121   0x3d    CURRENT   COLL&DIST

ZXAN#show lacp 1 neighbors

Smartgroup 1 neighbors

Actor        Actor      Partner                 Partner    Port       Oper     Port
Port         Port No.   System ID               Port No.   Priority   Key      State
-------------------------------------------------------------------------------
xgei-1/1/2   4609       0x8000,cc1a.faea.0ee0   8276       32768      0x1f21   0x3d
xgei-1/1/3   4865       0x8000,cc1a.faea.0ee0   8290       32768      0x1f21   0x3d
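
The Port State column in the show lacp internal and neighbors output is the LACP state octet defined in IEEE 802.3ad. The following Python code is an added example, not ZTE code: it decodes that octet and lists the members that are not carrying traffic. The first two sample rows are taken from the output above; the third is constructed, and its column values are assumptions about how the device would print such a port.

```python
import re

# Bits of the LACP actor/partner state octet (IEEE 802.3ad / 802.1AX).
STATE_BITS = [
    (0x01, "Activity"),         # 1 = active LACP, 0 = passive
    (0x02, "Timeout"),          # 1 = short (fast) timeout, 0 = long (slow)
    (0x04, "Aggregation"),      # link may be aggregated
    (0x08, "Synchronization"),  # link is in sync with the partner
    (0x10, "Collecting"),       # receiving frames is enabled
    (0x20, "Distributing"),     # sending frames is enabled
    (0x40, "Defaulted"),        # partner info is default, no LACPDU received
    (0x80, "Expired"),          # partner info has timed out
]

SAMPLE = """\
xgei-1/1/2[SA*]   ACTIVE    30  32768  0x121  0x3d  CURRENT    COLL&DIST
xgei-1/1/3[SA*]   ACTIVE    30  32768  0x121  0x3d  CURRENT    COLL&DIST
xgei-1/1/4[SA]    INACTIVE  30  32768  0x121  0x45  DEFAULTED  ATTACHED
"""

ROW = re.compile(
    r"^(?P<port>\S+?)\[(?P<flags>[^\]]*)\]\s+(?P<agg>\S+)\s+(?P<interval>\d+)\s+"
    r"(?P<pri>\d+)\s+(?P<key>0x[0-9a-fA-F]+)\s+(?P<state>0x[0-9a-fA-F]+)\s+"
    r"(?P<rx>\S+)\s+(?P<mux>\S+)\s*$"
)


def decode_state(value: int) -> list:
    """Return the names of the bits set in a state octet."""
    return [name for bit, name in STATE_BITS if value & bit]


def parse_members(text: str) -> list:
    """Parse member rows; header, legend and separator lines do not match."""
    members = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            members.append({
                "port": m["port"],
                "flags": m["flags"],
                "key": int(m["key"], 16),
                "state": int(m["state"], 16),
            })
    return members


def member_problems(state: int) -> list:
    """Reasons why a member with this state octet is not forwarding normally."""
    problems = []
    if not state & 0x08:
        problems.append("not synchronized with partner")
    if not state & 0x10:
        problems.append("not collecting")
    if not state & 0x20:
        problems.append("not distributing")
    if state & 0x40:
        problems.append("defaulted: no LACPDU received from partner")
    if state & 0x80:
        problems.append("expired: partner information timed out")
    return problems


def unhealthy_members(text: str) -> dict:
    """Map port name to its problems, for ports that have any."""
    report = {}
    for member in parse_members(text):
        problems = member_problems(member["state"])
        if problems:
            report[member["port"]] = problems
    return report


def oper_keys(text: str) -> set:
    """Members of one aggregation group are expected to share one key."""
    return {member["key"] for member in parse_members(text)}


if __name__ == "__main__":
    for member in parse_members(SAMPLE):
        print(member["port"], hex(member["state"]), decode_state(member["state"]))
    print(unhealthy_members(SAMPLE))
```

State 0x3d decodes to active LACP with the long timeout, in sync, collecting and distributing, which agrees with the SA flags and the 30-second interval shown for both members.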

7.2 Configuring the UAPS Function


This procedure describes how to configure the UAPS function to implement automatic
protection switchover of uplink ports.

Context

The ZXA10 C610 supports the UAPS function of an Ethernet port. The system periodically
detects the working mode of an uplink port. If it detects that the working port is
disconnected or the link quality is degraded to be unavailable, it automatically switches
services over to the slave port so that services will not be interrupted.

Steps

1. In ZXAN(config)# mode, run the uaps-group command to create a UAPS group.


2. In ZXAN(config-uaps-id)# mode, run the master-port command to configure the
master port for the UAPS group.

Note

The master and slave ports of the UAPS group must be consistent.

3. In ZXAN(config-uaps-id)# mode, run the slave-port command to configure the
slave port for the UAPS group.
4. In ZXAN(config-uaps-id)# mode, run the revertive enable command to enable the
automatic recovery function of the master and slave ports of the UAPS group.
5. In ZXAN(config-uaps-id)# mode, run the protect-time command to configure the
UAPS group protection period.


Note

If a switchover occurs in a UAPS group, no more switchover will occur within the
protection period.

6. In ZXAN(config-uaps-id)# mode, run the switch-type common-port command to
configure the attributes of the ports in the UAPS group.

Note

The ZXA10 C610 supports the following port attributes:

• Common-port
• Max-ports-switch: The group with the maximum number of ports in Up status is
the working group.
• Trunking-port: link aggregation port.

Verification

You can use the show uaps groupid command to display the configurations of the
UAPS group.

Example

1. Create a UAPS group.

ZXAN(config)#uaps-group 1

ZXAN(cfg-uaps-1)#

2. Configure the master and slave ports for the UAPS group.

ZXAN(cfg-uaps-1)#master-port port xgei-1/1/1

ZXAN(cfg-uaps-1)#slave-port port xgei-1/1/2

3. Enable the automatic recovery function of the master and slave ports of the UAPS
group.

ZXAN(cfg-uaps-1)#revertive enable

4. Configure the UAPS group protection period.

ZXAN(cfg-uaps-1)#protect-time 300

5. Configure the attributes of the ports in the UAPS group.

ZXAN(cfg-uaps-1)#switch-type common-port

6. Display the UAPS group configurations.

ZXAN(cfg-uaps-1)#show uaps groupid 1


Revertive control : enable

PortLight control : disable

Protect-time : 300s

Is-in-protect-time : no

Next-hop : 0.0.0.0

Link-detect-retry : 5

Link-detect-interval : 3s

Link status : unknown

Switch-type : common port

Failure-time : 43s

Swap-reason : no swap

Master ports status : forwarding

xgei-1/1/1 : down

Slave ports status : blocking

xgei-1/1/2 : down



Chapter 8 Access Security Configuration

Table of Contents
User Port Identification Configuration
Configuring the IP Source Guard Function
Configuring the MAC Address Anti-Flapping Function
Configuring the MFF Function

Access security configuration protects user accounts, prevents access by unauthorized
users, and protects the device against attacks that use illegitimate user packets.

8.1 User Port Identification Configuration


The ZXA10 C610 provides a desirable user port identification mechanism to ensure
network security and prevent user accounts from being stolen.
User port identification means using the option field of a protocol to transport user
location information (physical line information of users) in the protocol message exchanging
procedure. The user location information will be used for AAA.

8.1.1 Configuring a Format Template


This procedure describes how to configure a format template to specify the parameters
involved in the line format to identify users.

Steps

1. In ZXAN(config)# mode, run the port-identification format-profile command to
create a format template.
2. In ZXAN(config-portloc-format-profile-xx)# mode, run the add variable command
to add template variables.
3. In ZXAN(config-portloc-format-profile-xx)# mode, run the add delimiter command
to add delimiter to the template.
4. In ZXAN(config-portloc-format-profile-xx)# mode, run the add string command to
add customized strings to the template.


Verification

• You can use the show port-identification format-profile command to display all
format templates.
• You can use the show port-identification format-profile info command to display the
details of a format template.

Example

1. Create a format template.

ZXAN(config)#port-identification format-profile abc

ZXAN(config-portloc-format-profile-abc)#

2. Configure the format template.

ZXAN(config-portloc-format-profile-abc)#add variable standard access-node-id index 1

ZXAN(config-portloc-format-profile-abc)#add delimiter space index 2

ZXAN(config-portloc-format-profile-abc)#add variable extended access-node-type width 5 index 3

ZXAN(config-portloc-format-profile-abc)#add delimiter space index 4

ZXAN(config-portloc-format-profile-abc)#add variable standard rack index 5

ZXAN(config-portloc-format-profile-abc)#add string / index 6

ZXAN(config-portloc-format-profile-abc)#add variable standard frame index 7

ZXAN(config-portloc-format-profile-abc)#add string / index 8

ZXAN(config-portloc-format-profile-abc)#add variable standard port index 9

ZXAN(config-portloc-format-profile-abc)#add string : index 10

ZXAN(config-portloc-format-profile-abc)#add variable extended onu-id width 3 index 11

3. Display all port identification format templates.

ZXAN#show port-identification format-profile

Profile id Profile name

1 CHINA-NETCOM-DSL

2 CHINA-NETCOM-PON

3 CHINA-TELECOM-DSL

4 CHINA-TELECOM-PON

5 DEFAULT-ONU-PROFILE

6 DSL-FORUM-ATM

7 DSL-FORUM-ETH

8 DSL-FORUM-PON


9 FT

10 GT

11 UNI-BASE

12 abc

4. Display the details of the port identification format templates.

ZXAN#show port-identification format-profile info abc

Index  VariableType  VariableName      OnuProfile  Width
1      Variable      Access-Node-ID                0
2      Delimiter     Space                         1
3      Variable      Access-Node-Type              5
4      Delimiter     Space                         1
5      Variable      Rack                          0
6      String        /                             1
7      Variable      Frame                         0
8      String        /                             1
9      Variable      Port                          0
10     String        :                             1
11     Variable      Onu-ID                        3

Cid-Syntax Format:
Access-Node-ID Access-Node-Type Rack/Frame/Port:Onu-ID

8.1.2 Configuring a Carrier Template


A carrier template specifies the line format template used for port identification and configures the DHCPv4 L2RA (Layer 2 Relay Agent) and PPPoE IA (Intermediate Agent) functions. A carrier template can be applied globally or only to a specified VLAN or Vport.

Context

The default carrier template for port identification is the template for China Telecom.

Steps

1. In ZXAN(config)# mode, run the port-identification operator-profile command to create a carrier template.
2. (Optional) In ZXAN(config-portloc-operator-profile-xx)# mode, run the port-identification format pon command to configure a port identification CID format template for PON.
3. (Optional) In ZXAN(config-portloc-operator-profile-xx)# mode, run the port-identification format lan command to configure a port identification CID format template for Ethernet.
4. In ZXAN(config-portloc-operator-profile-xx)# mode, run the dhcpv4-l2-relay-agent enable command to enable DHCPv4 L2RA.
5. (Optional) In ZXAN(config-portloc-operator-profile-xx)# mode, run the dhcpv4-l2-relay-agent trust command to configure the DHCPv4 L2RA processing mode.
6. In ZXAN(config-portloc-operator-profile-xx)# mode, run the add-access-loop-tag dhcpv4 command to add the DHCPv4 sub tag.
7. In ZXAN(config-portloc-operator-profile-xx)# mode, run the pppoe-intermediate-agent enable command to enable PPPoE IA.
8. (Optional) In ZXAN(config-portloc-operator-profile-xx)# mode, run the pppoe-intermediate-agent trust command to configure the PPPoE IA processing mode.
9. In ZXAN(config-portloc-operator-profile-xx)# mode, run the add-access-loop-tag pppoe command to add the PPPoE sub tag.

Verification

Run the show port-identification operator-profile info command to display the details
of a carrier template.

Example

1. Create a carrier template.

ZXAN(config)#port-identification operator-profile abc

ZXAN(config-portloc-operator-profile-abc)#

2. Configure a port identification format template.

ZXAN(config-portloc-operator-profile-abc)#port-identification format pon DSL-FORUM-PON

ZXAN(config-portloc-operator-profile-abc)#port-identification format lan DSL-FORUM-ETH

3. Enable the DHCPv4 L2RA and PPPoE IA functions.

ZXAN(config-portloc-operator-profile-abc)#dhcpv4-l2-relay-agent enable

ZXAN(config-portloc-operator-profile-abc)#pppoe-intermediate-agent enable

4. Add the DHCPv4 and PPPoE sub tags.

ZXAN(config-portloc-operator-profile-abc)#add-access-loop-tag dhcpv4 subopt81

ZXAN(config-portloc-operator-profile-abc)#add-access-loop-tag pppoe subopt90

5. Display the configurations of the carrier template.

ZXAN#show port-identification operator-profile info abc

Port-identification format:


pon: DSL-FORUM-PON

lan: DSL-FORUM-ETH

Pppoe-intermediate-agent configuration:

Status: enable Trust: false Policy: add

Rid status: disable Rid format:

Access Loop Characteristics TAG configuration:

subopt90

Dhcpv4-l2-relay-agent configuration:

Status: enable Trust: true Policy: replace

Rid status: disable Rid format:

Access Loop Characteristics TAG configuration:

subopt81

8.1.3 Configuring the Port Identification Function


If the ZXA10 C610 identifies user ports through PPPoE IA (Intermediate Agent) or DHCPv4 L2RA (Layer 2 Relay Agent), a circuit ID and a remote end ID must be configured.

Steps

1. In ZXAN(config)# mode, run the port-identification access-node-id-type command to configure an access node ID.
2. In ZXAN(config)# mode, run the port-identification access-node-name command to configure the host name of an access node.
3. In ZXAN(config)# mode, run the port-identification operator-profile global command to globally apply a carrier template.

Verification

- You can use the show port-identification global command to display the global port identification configuration.
- You can use the show port-identification port command to display the port identification configuration.

Example

1. Configure the type of an access node.

ZXAN(config)#port-identification access-node-id-type access-node-name

2. Configure the name of an access node.

ZXAN(config)#port-identification access-node-name ZXA10-C610

3. Globally apply a carrier template.


ZXAN(config)#port-identification operator-profile global abc

4. Display the global port identification configuration.

ZXAN#show port-identification global

access-node-name : ZXA10-C610

access-node-id-type : access-node-name

rackno :1

frameno : 1

8.2 Configuring the IP Source Guard Function


This procedure describes how to configure the service-port-based IP source guard function, which prevents access from illegal user IP addresses.

Context

The ZXA10 C610 supports the IP source guard function for both IPv4 addresses.
Legal IPv4 users are obtained from the DHCP Snooping table. Alternatively, IPv4 addresses can be configured manually to allow access by users with static IPv4 addresses.

Steps

1. In ZXAN(config)# mode, run the ip-source-guard enable command to enable the global IP source guard function.
2. In ZXAN(config)# mode, run the ip-source-guard bind-type command to configure the address binding type for the IP source guard function.
3. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the service-port command to configure a service port VLAN.
4. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the ip-source-guard enable sport command to enable the IP source guard function of the service port.
5. In ZXAN(config-if-vport-1/x/x.x:x)# mode, run the ip dhcp snooping binding command to configure the IP address of a user using a static IPv4 address.

Verification

- You can use the show ip-source-guard command to display the global configurations of the IP source guard function.
- You can use the show ip-source-guard user vport-1/x/x.x:x command to display the configurations of users using static IPv4 addresses.

Example

1. Enable the global IP source guard function.


ZXAN(config)#ip-source-guard enable

2. Configure the IP address binding type.

ZXAN(config)#ip-source-guard bind-type IP

3. Configure a service port VLAN in ONU interface configuration mode.

ZXAN(config)#interface vport-1/3/1.1:1

ZXAN(config-if-vport-1/3/1.1:1)#service-port 1 user-vlan 100 vlan 100

4. Enable the IP source guard function of the service port.

ZXAN(config-if-vport-1/3/1.1:1)#ip-source-guard enable sport 1

5. Configure the IP addresses for a user using static IPv4 and IPv6 addresses.

ZXAN(config-if-vport-1/3/1.1:1)#ip dhcp snooping binding 1.1.1.2 sport 1

128 sport 1

6. Display the global configurations of the IP source guard function.

ZXAN(config-if-vport-1/3/1.1:1)#show ip-source-guard

ip source guard global status: enable

ip source guard bind type: ip bind

7. Display the configurations for users using static IPv4 and IPv6 addresses.

ZXAN(config)#show ip-source-guard user vport-1/3/1.1:1

Port             Sport  IP-addr  Mask  MAC-addr  Source
vport-1/3/1.1:1  1      1.1.1.2  32              fixed-user

8.3 Configuring the MAC Address Anti-Flapping Function


This procedure describes how to configure the MAC address anti-flapping function to prevent malicious MAC address fraud.

Context

The MAC address anti-flapping function of the ZXA10 C610 has the following characteristics:
- Restricts MAC address learning on user ports. A MAC entry that has been learned on a user port cannot be learned on other ports. This prevents the same address from flapping between different ports.
- When a user port is detected attempting address flapping, a notification message carrying the port and MAC address is reported.
- Supports uplink port protection. A MAC address learned on a user port can flap to an uplink port, but a MAC address learned on an uplink port cannot flap to a user port. MAC addresses can flap between uplink ports. This protects the gateway MAC address on an uplink port.


Steps

1. In ZXAN(config)# mode, run the security mac-anti-spoofing enable command to enable the MAC address anti-flapping function.
2. In ZXAN(config)# mode, run the security mac-move-report enable command to enable the function of reporting MAC address fraud.
3. In ZXAN(config)# mode, run the security mac-move-permit vlan command to configure a VLAN that allows MAC address flapping.

Verification

- You can use the show security mac-anti-spoofing configuration command to display the MAC address anti-flapping configuration.
- You can use the show security mac-move-log command to display the MAC address fraud log.

Example

1. Enable the MAC address anti-flapping function.

ZXAN(config)#security mac-anti-spoofing enable

2. Enable the function of reporting MAC address fraud.

ZXAN(config)#security mac-move-report enable

3. Configure a VLAN that allows MAC address flapping.

ZXAN(config)#security mac-move-permit vlan 100

4. Display the MAC address anti-flapping configuration.

ZXAN(config)#show security mac-anti-spoofing configuration

mac-move-report :enable

mac-move-report interval :30[minutes]

mac-anti-spoofing :enable

mac-move-permit vlan :100

5. Display the MAC address fraud log.

ZXAN(config)#show security mac-move-log

Flag *--macMove is forbidden by system.

the total mac-move-log num:103

the total mac-move-log num:103

-------------------------------------------------------------------------

mac-address vlan cfgMacProtect moveToPort moveToIfId itemStatus

index trapFlag detector queryPort moveFromPort moveFromIfId trapCount

-------------------------------------------------------------------------


288c.b80a.0cca 46 UNNEED vport-1/3/1.8:2 vport-1/3/1.8:2 STALE

1 SENDED NP UNNEED vport-1/3/1.9:1 vport-1/3/1.9:1 1

-------------------------------------------------------------------------

083f.bcfd.bd3c 100 UNNEED vport-1/3/1.8:1 vport-1/3/1.8:1 STALE

2 SENDED NP UNNEED vport-1/3/1.8:2 vport-1/3/1.8:2 1

-------------------------------------------------------------------------

288c.b80a.0cca 46 UNNEED vport-1/3/1.8:1 vport-1/3/1.8:1 STALE

3 SENDED NP UNNEED vport-1/3/1.8:2 vport-1/3/1.8:2 1

-------------------------------------------------------------------------

0000.0d00.0018 1024 UNNEED smartgroup1 smartgroup1 STALE

4 SENDED NP UNNEED smartgroup128 smartgroup128 2

-------------------------------------------------------------------------
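The log above uses two lines per record, which makes it awkward to review by eye once it holds the 103 entries reported in the banner. The following added example (not part of the ZTE manual) parses that two-line layout and summarizes which MAC addresses and ports recur; the field names are taken from the header rows of the output, and the helper names and the permit-VLAN filter are assumptions made for this illustration.

```python
import re
from collections import Counter

# The four records from the manual's example output, blank lines removed.
SAMPLE_LOG = """\
Flag *--macMove is forbidden by system.
the total mac-move-log num:103
-------------------------------------------------------------------------
mac-address vlan cfgMacProtect moveToPort moveToIfId itemStatus
index trapFlag detector queryPort moveFromPort moveFromIfId trapCount
-------------------------------------------------------------------------
288c.b80a.0cca 46 UNNEED vport-1/3/1.8:2 vport-1/3/1.8:2 STALE
1 SENDED NP UNNEED vport-1/3/1.9:1 vport-1/3/1.9:1 1
-------------------------------------------------------------------------
083f.bcfd.bd3c 100 UNNEED vport-1/3/1.8:1 vport-1/3/1.8:1 STALE
2 SENDED NP UNNEED vport-1/3/1.8:2 vport-1/3/1.8:2 1
-------------------------------------------------------------------------
288c.b80a.0cca 46 UNNEED vport-1/3/1.8:1 vport-1/3/1.8:1 STALE
3 SENDED NP UNNEED vport-1/3/1.8:2 vport-1/3/1.8:2 1
-------------------------------------------------------------------------
0000.0d00.0018 1024 UNNEED smartgroup1 smartgroup1 STALE
4 SENDED NP UNNEED smartgroup128 smartgroup128 2
-------------------------------------------------------------------------
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)

# Column names follow the two header rows printed by the device.
LINE1 = ("mac", "vlan", "cfg_mac_protect", "move_to_port",
         "move_to_ifid", "item_status")
LINE2 = ("index", "trap_flag", "detector", "query_port",
         "move_from_port", "move_from_ifid", "trap_count")


def parse_mac_move_log(text):
    """Return one dict per complete two-line record; skip everything else."""
    records, pending = [], None
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or set(raw.strip()) == {"-"}:
            continue  # blank line or separator
        if MAC_RE.match(fields[0]) and len(fields) == len(LINE1):
            pending = dict(zip(LINE1, fields))
            pending["mac"] = pending["mac"].lower()
            pending["vlan"] = int(pending["vlan"])
        elif (pending is not None and len(fields) == len(LINE2)
              and fields[0].isdigit()):
            pending.update(zip(LINE2, fields))
            pending["index"] = int(pending["index"])
            pending["trap_count"] = int(pending["trap_count"])
            records.append(pending)
            pending = None
        else:
            pending = None  # banner, header row or truncated record
    return records


def moves_per_mac(records):
    return Counter(r["mac"] for r in records)


def moves_per_target_port(records):
    return Counter(r["move_to_port"] for r in records)


def repeated_macs(records, min_events=2):
    """MAC addresses that appear in at least min_events move records."""
    return {m: n for m, n in moves_per_mac(records).items() if n >= min_events}


def events_outside_permit_vlans(records, permit_vlans):
    """Records whose VLAN is not in the mac-move-permit VLAN set."""
    return [r for r in records if r["vlan"] not in permit_vlans]


if __name__ == "__main__":
    recs = parse_mac_move_log(SAMPLE_LOG)
    for r in events_outside_permit_vlans(recs, {100}):
        print(r["index"], r["mac"], r["vlan"],
              r["move_from_port"], "->", r["move_to_port"])
    print("repeated:", repeated_macs(recs))
```

In the sample, 288c.b80a.0cca is logged twice on VLAN 46, while the 083f.bcfd.bd3c record is on VLAN 100, the VLAN that the example configuration permits to flap.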

8.4 Configuring the MFF Function


This procedure describes how to configure the MFF function to implement Layer 3 intercommunication between users and prevent malicious attacks.

Context

The MFF function prevents two users in the same subnet from communicating with each other directly and forces users' uplink traffic to the gateway, which then forwards it. Intercommunication between users is therefore implemented at Layer 3, and the gateway can monitor the traffic between users to prevent malicious attacks.

Steps

1. In ZXAN(config)# mode, run the ip-service mac-forced-forwarding enable command to enable the MFF function.
2. In ZXAN(config)# mode, run the ip-service mac-forced-forwarding vlan command to configure the gateway address of the VLAN with the MFF function enabled.

Verification

- You can use the show ip-service mac-forced-forwarding command to display the global MFF configuration.
- You can use the show ip-service gateway command to display the gateway information of the VLAN with the MFF function.

Example

1. Enable the MFF function.


ZXAN(config)#ip-service mac-forced-forwarding enable

2. Set the gateway address of the VLAN with the MFF function.

ZXAN(config)#ip-service mac-forced-forwarding vlan 100 gateway 10.1.1.1

3. Display the global MFF configuration.

ZXAN(config)#show ip-service mac-forced-forwarding

Mac-Forced Forwarding status : enable

4. Display the gateway information of the VLAN with the MFF function.

ZXAN(config)#show ip-service gateway

Vlan GatewayIp GatewayMask GatewayMac Type

--------------------------------------------------------------------

100 10.1.1.1 0.0.0.0 00d0.d0c7.0561 invalid

Chapter 9
System Security Configuration
Table of Contents
Configuring the SSH Service
Configuring TACACS+
Configuring RADIUS
Configuring a Management ACL
Configuring Control-Plane Security
Configuring DoS Attack Prevention

System security configuration prevents attacks on devices from illegal packets on the network side and ensures stable device operation on the network.

9.1 Configuring the SSH Service


This procedure describes how to configure the SSH service to replace the Telnet service
and implement secure remote login.

Prerequisite

The SSH client software is installed.

Context

The SSH service encrypts transmitted data and prevents man-in-the-middle attacks. In addition, data transmitted through SSH is compressed, so the transmission is accelerated. When an SSH client communicates with an SSH server, both the user name and the password are encrypted to avoid password wiretapping.
The ZXA10 C610 supports the functions of the SSH server.

Note
Because Telnet has potential risk in remote access, it is recommended to use SSH for
remote access and use the line telnet server disable command to disable the Telnet
service.

To ensure remote CLI access, SSH and Telnet cannot be disabled simultaneously. When the SSH service is disabled, the Telnet service is enabled automatically.
You can use a management ACL to disable all remote CLI access. For details, refer to 9.4 Configuring a Management ACL.

Steps

1. In ZXAN(config)# mode, run the ssh server enable command to enable the functions of the SSH server.
2. In ZXAN(config)# mode, run the ssh server version command to configure the protocol version of the SSH server.
3. In ZXAN(config)# mode, run the ssh server username command to configure the SSH server authentication type.

Verification

- You can use the show ssh command to display the SSH configuration.
- You can use the show ssh server authentication-info command to display the SSH authentication information.

Example

1. In global configuration mode, enable the functions of an SSH server.

ZXAN(config)#ssh server enable

2. Configure the SSH server protocol version.

ZXAN(config)#ssh server version 2

3. Configure the SSH server authentication type.

ZXAN(config)#ssh server username zte authentication-type password

4. Display the SSH configuration.

ZXAN(config)#show ssh

=================================================================

SSH configuration

=================================================================

SSH enable-flag configuration : enable

SSH version : 2

SSH listen port : 22

SSH DSCP value :

SSH IPv4 ACL name :

SSH IPv6 ACL name :


SSH rekey interval : 1(hours)

-----------------------------------------------------------------

ZXAN(config)#show ssh server authentication-info

SSH users:

--------------------------------------------------------------------------------

Username Authentication-Type Key-Name

--------------------------------------------------------------------------------

zte password

Related Task

1. In a Windows OS, run the SSH client software (PuTTY, for example).
2. In the PuTTY Configuration dialog box, select Connection > SSH from the left navigation tree, and select 2 for SSH protocol version in the right pane, see Figure 9-1.

Figure 9-1 PuTTY Configuration

3. Select from the left navigation tree, type Hostname and Port (default: 22), select SSH for Connection type, see Figure 9-2, and then click Open.

Figure 9-2 Configuring SSH Session

Note

The hostname is the in-band/out-of-band NM IP address of the ZXA10 C610.

4. In the pop-up PuTTY Security Alert dialog box, click Yes to save the RSA key, or click No to skip.
5. In the pop-up window, type the username and password to log in.

9.2 Configuring TACACS+


This procedure describes how to configure TACACS+ to implement security authentication
and authorization on users who remotely access the ZXA10 C610 and ensure data security
on the ZXA10 C610.

Context

TACACS+ supports two login modes.

- Telnet mode
- SSH mode

Steps

1. Configuring a TACACS+ Server
   a. In ZXAN(config)# mode, run the tacacs enable command to enable the TACACS+ function.
   b. In ZXAN(config)# mode, run the tacacs-server host vrf mng command to configure the IP address and password of the TACACS+ server.
   c. In ZXAN(config)# mode, run the tacacs-client command to configure the IP address of a TACACS+ client.
   d. In ZXAN(config)# mode, run the tacplus group-server command to create a TACACS+ server group.
   e. In ZXAN(config)# mode, run the server vrf mng command to specify a TACACS+ server.
2. Binding the User Templates
   a. In ZXAN(config-system-user)# mode, run the user-name command to create a user.
   b. In ZXAN(config-system-user-username)# mode, run the bind authentication-template command to bind the authentication template.
   c. In ZXAN(config-system-user-username)# mode, run the bind authorization-template command to bind the authorization template.
3. Configuring an AAA Authorization Template
   a. In ZXAN(config)# mode, run the aaa-authorization-template command to configure the AAA authorization template.
   b. In ZXAN(config-aaa-author-template)# mode, run the aaa-authorization-type command to configure the AAA authorization mode.
   c. In ZXAN(config-aaa-author-template)# mode, run the authorization-radius-group command to configure an AAA authorization server group.
4. Configuring an AAA Authentication Template
   a. In ZXAN(config)# mode, run the aaa-authentication-template command to configure the AAA authentication template.
   b. In ZXAN(config-aaa-authen-template)# mode, run the aaa-authentication-type command to configure the AAA authentication mode.
   c. In ZXAN(config-aaa-authen-template)# mode, run the authentication-radius-group command to configure an AAA authentication server group.

Verification

- You can use the show tacacs global-config command to display the TACACS+ configuration.
- You can use the show tacacs-server command to display the TACACS+ server configuration.
- You can use the show tacplus group-server command to display the TACACS+ server group configuration.

Example

1. Enable the TACACS+ function.

ZXAN(config)#tacacs enable

2. Configure a TACACS+ server and a TACACS+ client.

ZXAN(config)#tacacs-server host vrf mng 172.10.3.133 key 12345678

ZXAN(config)#tacacs-client 172.10.4.200

3. Configure a TACACS+ server group.

ZXAN(config)#tacplus group-server zte1

ZXAN(config-sg)#server vrf mng 172.10.3.133

ZXAN(config-sg)#exit

4. Bind the authentication and authorization templates of a user.

ZXAN(config-system-user)#user-name zte1

ZXAN(config-system-user-username)#bind authentication-template 128

ZXAN(config-system-user-username)#bind authorization-template 128

ZXAN(config-system-user-username)#exit

5. Configure an AAA authentication template.

ZXAN(config)#aaa-authentication-template 2128

ZXAN(config-aaa-authen-template)#aaa-authentication-type tacacs

ZXAN(config-aaa-authen-template)#authentication-radius-group zte1

ZXAN(config-aaa-authen-template)#exit

6. Configure an AAA authorization template.

ZXAN(config)#aaa-authorization-template 2128

ZXAN(config-aaa-author-template)#aaa-authorization-type tacacs

ZXAN(config-aaa-author-template)#authorization-radius-group zte1

ZXAN(config-aaa-author-template)#exit

7. Display the TACACS+ configuration.

ZXAN(config-sg)#show tacacs global-config

tacacs:enable

packet:1024

timeout:5


deadtime:5

hashType:md5

tacacs-client 172.10.4.200

8. Display the TACACS+ server group configuration.

ZXAN(config-sg)#show tacplus group-server

tacplus group-server zte1

state:active

server vrf:mng addr:172.10.3.133 port:49 slave current server

9.3 Configuring RADIUS


This procedure describes how to configure RADIUS to implement security authentication
and authorization on users who remotely access the ZXA10 C610 and ensure data security
on the ZXA10 C610.

Context

RADIUS supports two login modes.

- Telnet mode
- SSH mode

Steps

1. Configuring a RADIUS Authentication Server
   a. In ZXAN(config)# mode, run the radius authentication-group command to configure a RADIUS authentication server group.
   b. In ZXAN(config-authgrp-xxx)# mode, run the server command to configure the server IP address and password.
   c. In ZXAN(config-authgrp-xxx)# mode, run the nas-ip-address command to configure an NAS-IP address (source address of RADIUS messages).

      Note

      When the ZXA10 C610 is connected to a RADIUS server in out-of-band management mode, the NAS-IP address is the out-of-band management IP address of the NE.

   d. In ZXAN(config-authgrp-xxx)# mode, run the ip vrf mng command to configure the default route.

      Note

      If the ZXA10 C610 is connected to the RADIUS server in in-band network management mode, skip this step.

2. Binding the User Templates
   a. In ZXAN(config-system-user)# mode, run the user-name command to create a user.
   b. In ZXAN(config-system-user-username)# mode, run the bind authentication-template command to bind the authentication template.
   c. In ZXAN(config-system-user-username)# mode, run the bind authorization-template command to bind the authorization template.
3. Configuring the Authentication and Authorization Templates for a User
   a. In ZXAN(config)# mode, run the system-user command to enter user configuration mode.
   b. In ZXAN(config-system-user)# mode, run the authentication-template command to configure the authentication template.
   c. In ZXAN(config-system-user-authen-temp)# mode, run the bind aaa-authentication-template command to bind the AAA authentication template.
   d. In ZXAN(config-system-user)# mode, run the authorization-template command to configure the authorization template.
   e. In ZXAN(config-system-user-author-temp)# mode, run the bind aaa-authorization-template command to bind the AAA authorization template.
4. Configuring an AAA Authorization Template
   a. In ZXAN(config)# mode, run the aaa-authorization-template command to configure the AAA authorization template.
   b. In ZXAN(config-aaa-author-template)# mode, run the aaa-authorization-type command to configure the AAA authorization mode.
   c. In ZXAN(config-aaa-author-template)# mode, run the authorization-radius-group command to configure an AAA authorization server group.
5. Configuring an AAA Authentication Template
   a. In ZXAN(config)# mode, run the aaa-authentication-template command to configure the AAA authentication template.
   b. In ZXAN(config-aaa-authen-template)# mode, run the aaa-authentication-type command to configure the AAA authentication mode.
   c. In ZXAN(config-aaa-authen-template)# mode, run the authentication-radius-group command to configure an AAA authentication server group.

Verification

- You can use the show radius-server all command to display the RADIUS server configuration.
- You can use the show aaa-authentication-template command to display the AAA authentication template configuration.
- You can use the show aaa-authorization-template command to display the AAA authorization template configuration.

Example

1. Configure a RADIUS server.

ZXAN(config)#radius authentication-group zte1

ZXAN(config-authgrp-zte1)#server 1 172.10.3.133 key 123456

ZXAN(config-authgrp-zte1)#nas-ip-address 172.10.4.200

ZXAN(config-authgrp-zte1)#ip vrf mng

ZXAN(config-authgrp-zte1)#exit

2. Configure an AAA authentication template.

ZXAN(config)#aaa-authentication-template 2128

ZXAN(config-aaa-authen-template)#aaa-authentication-type radius

ZXAN(config-aaa-authen-template)#authentication-radius-group zte1

ZXAN(config-aaa-authen-template)#exit

3. Configure an AAA authorization template.

ZXAN(config)#aaa-authorization-template 2128

ZXAN(config-aaa-author-template)#aaa-authorization-type radius

ZXAN(config-aaa-author-template)#authorization-radius-group zte1

ZXAN(config-aaa-author-template)#exit

4. Configure the authentication and authorization templates for a user.

ZXAN(config)#system-user

ZXAN(config-system-user)#authentication-template 128

ZXAN(config-system-user-authen-temp)#bind aaa-authentication-template 2128

ZXAN(config-system-user-authen-temp)#exit

ZXAN(config-system-user)#authorization-template 128

ZXAN(config-system-user-author-temp)#bind aaa-authorization-template 2128

ZXAN(config-system-user-author-temp)#exit

5. Bind the authentication and authorization templates of a user.

ZXAN(config-system-user)#user-name zte1


ZXAN(config-system-user-username)#bind authentication-template 128

ZXAN(config-system-user-username)#bind authorization-template 128

ZXAN(config-system-user-username)#exit

6. Display the RADIUS authentication group configuration.

ZXAN(config)#show radius-server all

Authentication-group zte1 Server count: 1 Master: N/A

------------------------------------------------------------------------

Slot Id Address Port State Deadtime Deadclock

------------------------------------------------------------------------

5 1 172.10.3.133 1812 active 0'00"

------------------------------------------------------------------------

7. Display the AAA configuration.

ZXAN(config)#show aaa-authentication-template

authen-template:2001

authen-type:local

authen-template:2128

authen-type:radius

authen-radius-group:zte1

ZXAN(config)#show aaa-authorization-template

author-template:2001

author-type:local

author-template:2128

author-type:radius

author-radius-group:zte1

9.4 Configuring a Management ACL


This procedure describes how to configure a management ACL to restrict access to the
ZXA10 C610 through Telnet, SSH, and SNMP.

Steps

1. In ZXAN(config)# mode, run the ipv4-access-list command to create an ACL.
2. In ZXAN(config-ipv4-acl)# mode, run the rule command to configure ACL rules.
3. In ZXAN(config)# mode, run the line telnet access-class command to apply the ACL rule to Telnet.
4. In ZXAN(config)# mode, run the ssh server access-class command to apply the ACL rule to SSH.
5. In ZXAN(config)# mode, run the snmp-server access-class command to apply the ACL rule to SNMP.

Example

1. Create an ACL.

ZXAN(config)#ipv4-access-list zte

ZXAN(config-ipv4-acl)#

2. Configure ACL rules.

ZXAN(config-ipv4-acl)#rule 1 deny tcp any any

ZXAN(config-ipv4-acl)#rule 2 permit tcp 10.2.1.1 0.0.0.255 11.1.1.0 0.0.0.255

ZXAN(config-ipv4-acl)#exit

3. Apply the ACL.

ZXAN(config)#line telnet access-class ipv4 zte

ZXAN(config)#ssh server access-class ipv4 zte

ZXAN(config)#snmp-server access-list ipv4 zte
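Rule order matters when a broad rule and a narrow rule overlap, as rule 1 and rule 2 do above. The following added example (not part of the ZTE manual) models wildcard-mask matching and reports rules that can never match because an earlier rule covers them. It assumes that rules are evaluated in ascending rule-ID order and that the first match wins, which this page does not state; the reordered rule set and all function names are constructed for illustration.

```python
import ipaddress

FULL = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


class AddrMatch:
    """Address plus wildcard mask; a 1 bit in the wildcard means 'don't care'."""

    def __init__(self, addr, wildcard):
        self.wildcard = wildcard
        self.addr = addr & ~wildcard & FULL  # keep only the bits that are compared

    def matches(self, ip):
        return (ip & ~self.wildcard & FULL) == self.addr

    def covers(self, other):
        """True if every address matched by 'other' is also matched by self."""
        care = ~self.wildcard & FULL
        return (other.wildcard & care) == 0 and (other.addr & care) == self.addr


def _take_addr(tokens):
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return AddrMatch(0, FULL), tokens[1:]
    if len(tokens) < 2:
        raise ValueError("address needs a wildcard mask")
    return AddrMatch(_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_rule(line):
    """Parse 'rule <id> <permit|deny> <proto> <src> <dst>' as used on this page."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "rule":
        raise ValueError("not a rule line: %r" % line)
    rule_id, action, proto = int(tokens[1]), tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: %r" % action)
    src, rest = _take_addr(tokens[4:])
    dst, rest = _take_addr(rest)
    if rest:
        raise ValueError("unsupported trailing tokens: %r" % rest)
    return {"id": rule_id, "action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(rules, proto, src, dst):
    """Action of the first matching rule (assumed order: ascending rule ID)."""
    s, d = _ip(src), _ip(dst)
    for r in sorted(rules, key=lambda r: r["id"]):
        if r["proto"] == proto and r["src"].matches(s) and r["dst"].matches(d):
            return r["action"]
    return None  # no rule matched; the page does not state the default action


def find_shadowed(rules):
    """Return (shadowed_id, shadowing_id) pairs; protocols compared by equality."""
    ordered = sorted(rules, key=lambda r: r["id"])
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier["proto"] == later["proto"]
                    and earlier["src"].covers(later["src"])
                    and earlier["dst"].covers(later["dst"])):
                findings.append((later["id"], earlier["id"]))
                break
    return findings


# Rules exactly as configured in the example above.
PAGE_RULES = [parse_rule(l) for l in (
    "rule 1 deny tcp any any",
    "rule 2 permit tcp 10.2.1.1 0.0.0.255 11.1.1.0 0.0.0.255",
)]

# Constructed alternative: the specific permit placed before the broad deny.
REORDERED_RULES = [parse_rule(l) for l in (
    "rule 1 permit tcp 10.2.1.1 0.0.0.255 11.1.1.0 0.0.0.255",
    "rule 2 deny tcp any any",
)]

if __name__ == "__main__":
    print("shadowed in page rules:", find_shadowed(PAGE_RULES))
    print("10.2.1.77 -> 11.1.1.5:", evaluate(PAGE_RULES, "tcp", "10.2.1.77", "11.1.1.5"))
    print("after reordering:", evaluate(REORDERED_RULES, "tcp", "10.2.1.77", "11.1.1.5"))
```

Under the stated assumption, rule 2 in the page's example is never reached, so TCP from 10.2.1.0/24 to 11.1.1.0/24 is denied together with all other TCP traffic; verify the evaluation order on the device before relying on either ordering.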

9.5 Configuring Control-Plane Security


This procedure describes how to configure control-plane security to restrict the rate of the
protocol messages on the ZXA10 C610.

Steps

1. In ZXAN(config)# mode, run the control-panel command to enter control panel configuration mode.
2. In ZXAN(config-control-panel)# mode, run the packet-limit command to configure protocol message restriction.

Example

1. Enter control panel mode.

ZXAN(config)#control-panel

2. Configure protocol message rate restriction.

ZXAN(control-panel)#packet-limit dhcp 20

ZXAN(control-panel)#packet-limit arp_user_side 50

9.6 Configuring DoS Attack Prevention


This procedure describes how to configure DoS attack prevention to avoid attacks from
the ARP, DHCP, IGMP, and PPPoE protocol packets on the user side.


Context

After the DoS attack prevention function is enabled, the ZXA10 C610 monitors the protocol packets that users send to the system CPU. If the number of times that the system continuously detects attacks exceeds the alarm value, the user interface is added to the blacklist and an alarm is reported. In this case, the data packets sent through user interfaces are processed according to a preset processing policy. If the device detects no DoS attacks in a period, it deletes the user interface from the blacklist.

Steps

1. In ZXAN(config)# mode, run the security anti-dos enable command to enable the DoS attack prevention function.
2. In ZXAN(config)# mode, run the security anti-dos packet-limit command to configure the rate threshold of protocol packets for DoS attack prevention.

Verification

- You can use the show security anti-dos config command to display the DoS attack prevention configuration.
- You can use the show security anti-dos black-list command to display the blacklist for DoS attack prevention.

Example

1. Enable DoS attack prevention.

ZXAN(config)#security anti-dos enable

2. Configure the rate threshold of the protocol packets for DoS attack prevention.

ZXAN(config)#security anti-dos packet-limit all alarm-threshold default control-threshold default interval default interface-type pon

3. Display the DoS attack prevention configuration.

ZXAN#show security anti-dos config

global-status: enable

Security anti-dos interface type rule:

PortType PktType Alarm-Threshold(pps) Control-Threshold(pps) Interval(s)

-------------------------------------------------------------------------------

PON ALL 256 64 30

Security anti-dos interface rule:

Interface PktType AlmThresh(pps) CtrlThresh(pps) Interval(s)

--------------------------------------------------------------------------------


4. Display the blacklist for DoS attack prevention.

ZXAN(config)#show security anti-dos black-list



Glossary

AAA

- Authentication, Authorization and Accounting

ACL

- Access Control List

ARP

- Address Resolution Protocol

AS

- Autonomous System

BFD

- Bidirectional Forwarding Detection

BGP

- Border Gateway Protocol

CBS

- Committed Burst Size

CCM

- Continuity Check Message

CFM

- Connectivity Fault Management

CIR

- Committed Information Rate

CLI

- Command Line Interface

CoS

- Class of Service



DHCP

- Dynamic Host Configuration Protocol

DoS

- Denial of Service

DSCP

- Differentiated Services Code Point

IGMP

- Internet Group Management Protocol

IGP

- Interior Gateway Protocol

IP

- Internet Protocol

LACP

- Link Aggregation Control Protocol

LB

- Loopback

LBM

- Loopback Message

LSP

- Label Switched Path

LT

- Link Trace

LTM

- Link Trace Message

MA

- Maintenance Association



MD

- Maintenance Domain

MEP

- Maintenance association End Point

MFF

- MAC-Forced Forwarding

MLD

- Multicast Listener Discovery

MPLS

- Multiprotocol Label Switching

MSTP

- Multiple Spanning Tree Protocol

MVLAN

- Multicast Virtual Local Area Network

ONU

- Optical Network Unit

OSPF

- Open Shortest Path First

PBS

- Peak Burst Size

PIR

- Peak Information Rate

PPPoE

- Point to Point Protocol over Ethernet

QoS

- Quality of Service



RADIUS

- Remote Authentication Dial In User Service

RSTP

- Rapid Spanning Tree Protocol

SNMP

- Simple Network Management Protocol

SP

- Strict Priority

SSH

- Secure Shell

SSTP

- Single Spanning Tree Protocol

SVLAN

- Service Virtual Local Area Network

TACACS+

- Terminal Access Controller Access-Control System Plus

TLS

- Transparent LAN Service

UAPS

- Uplink Auto Protection Switching

VLAN

- Virtual Local Area Network

WRED

- Weighted Random Early Detection

WRR

- Weighted Round Robin
