3Com 4500G Series Configuration Manual Download

Page: 712 / 1206

1-8

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter PKI domain view

pki domain

domain-name

—

Set the certificate request mode to
manual

certificate request mode manual

Optional

Manual by default

Return to system view

quit

—

Retrieve a CA certificate manually

Refer to

Retrieving a Certificate

Manually

Required

Generate a local RSA key pair

public-key local create

rsa

Required

No local RSA key pair exists by
default.

Submit a local certificate request
manually

pki request-certificate domain
domain-name

[

password

]

[

pkcs10

[

filename

filename

] ]

Required

If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency

between the key pair and the certificate. To generate a new RSA key pair, delete the local

certificate and then issue the

public-key local create

command. For information about the

public-key local create

command, refer to

Public Key Commands

in the

Security Volume

A newly created key pair will overwrite the existing one. If you perform the

public-key local create

command in the presence of a local RSA key pair, the system will ask you whether you want to

overwrite the existing one.

If a PKI domain has already a local certificate, you cannot request another certificate for it. This is to

avoid inconsistency between the certificate and the registration information resulting from

configuration changes. To request a new certificate, use the

pki delete-certificate

command to

delete the existing local certificate and the CA certificate stored locally.

When it is impossible to request a certificate from the CA through SCEP, you can save the request

information by using the

pki request-certificate domain

command with the

pkcs10

and

filename

keywords, and then send the file to the CA by an out-of-band means.

Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the

certificate will be abnormal.

The

pki request-certificate domain

configuration will not be saved in the configuration file.

Retrieving a Certificate Manually

You can download an existing CA certificate, local certificate, or peer entity certificate from the CA

server and save it locally. To do so, you can use two ways: online and offline. In offline mode, you need

to retrieve a certificate by an out-of-band means like FTP, disk, e-mail and then import it into the local

PKI system.

Certificate retrieval serves two purposes:

Locally store the certificates associated with the local security domain for improved query efficiency

and reduced query count,

Summary of Contents for 4500G Series

Page 1: ...tion Guide Switch 4500G 24 Port Switch 4500G 48 Port Switch 4500G PWR 24 Port Switch 4500G PWR 48 Port Product Version V05 02 00 Manual Version 6W101 20100310 www 3com com 3Com Corporation 350 Campus Drive Marlborough MA USA 01752 3064 ...

Page 2: ...mmercial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered...

Page 3: ...outing 03 IP Routing Volume RIPng Route Policy Mulitcast Overview IGMP Snooping Multicast VLAN MLD Snooping 04 Multicast Volume IPv6 Multicast VLAN 05 QoS Volume QoS User Profile AAA 802 1X HABP MAC Authentication Port Security IP Source Guard SSH2 0 PKI 06 Security Volume SSL Public Key ACL ARP Attack Protection Smart Link Monitor Link RRPP DLDP 07 High Availability Volume Ethernet OAM CFD Track ...

Page 4: ...n be selected x y Optional alternative items are grouped in square brackets and separated by vertical bars Many or none can be selected 1 n The argument s before the ampersand sign can be entered 1 to n times A line starting with the sign is comments GUI conventions Convention Description Button names are inside angle brackets For example click OK Window names menu items data table and field names...

Page 5: ...0 Provide detailed descriptions of command line interface CLI commands that you require to manage your switch 3Com Switch 4500G Family Getting Started Guide This guide provides all the information you need to install and use the 3Com Switch 4500G Family Obtaining Documentation You can access the most up to date 3Com product documentation on the World Wide Web at this URL http www 3com com ...

Page 6: ... Software 1 1 2 Product Features 2 1 Introduction to Product 2 1 Feature Lists 2 1 3 Features 3 1 Access Volume 3 1 IP Services Volume 3 3 IP Routing Volume 3 4 Multicast Volume 3 5 QoS Volume 3 5 Security Volume 3 6 High Availability Volume 3 7 System Volume 3 8 ...

Page 7: ...t 01 Access Volume 05 LLDP BPDU tunneling support the transparent transmission of these types of Layer 2 protocol packets in V05 02 00P19 CDP DLDP EOAM GVRP HGMP LACP LLDP PAGP PVST UDLD and VTP 01 Access Volume 09 BPDU Tunneling Configuring ARP Quick Notify 02 IP Services Volume 02 ARP Enabling the DHCP relay agent to periodically refresh dynamic client entries 02 IP Services Volume 03 DHCP Confi...

Page 8: ...2 Software Version Added and Modified Features Compared With The Earlier Version Manual Modified features arp detection mode command 06 Security Volume 12 ARP Attack Protection Deleted features V05 02 00 ...

Page 9: ... Ethernet Port Ethernet Link Aggregation Port Isolation MSTP LLDP VLAN GVRP QinQ 01 Access Volume BPDU Tunneling Mirroring IP Addressing ARP DHCP DNS IP Performance Optimization UDP Helper IPv6 Basics Dual Stack 02 IP Services Volume sFlow IP Routing Overview Static Routing RIP IPv6 Static Routing 03 IP Routing Volume RIPng Route Policy Mulitcast Overview IGMP Snooping Multicast VLAN MLD Snooping ...

Page 10: ...em Configuration Device Management File System Management HTTP SNMP RMON MAC Address Table System Maintaining and Debugging Information Center PoE Hotfix NQA NTP Cluster Management Stack Management 08 System Volume Automatic Configuration ...

Page 11: ...DI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on an Ethernet Interface Ethernet Link Aggregation Link aggregation aggregates multiple physical Ethernet ports into one logical link This document describes z Basic Concepts of Link Aggregation z Configuring an Aggregation Group z Configuring an Aggregate Interface z Configuri...

Page 12: ...ds the VLAN space by allowing Ethernet frames to travel across the service provider network with double VLAN tags This document describes z Introduction to QinQ z Configuring basic QinQ z Configuring Selective QinQ z Configuring the TPID Value in VLAN Tags BPDU Tunneling BPDU tunneling enables transparently transmission of customer network BPDU frames over the service provider network This documen...

Page 13: ... distributed database which provides the translation between domain name and the IP address This document describes z Configuring the DNS Client z Configuring the DNS Proxy IP Performance In some network environments you need to adjust the IP parameters to achieve best network performance This document describes z Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Net...

Page 14: ...ork applications This document describes z Static route configuration z Detecting Reachability of the Static Route s Nexthop RIP Routing Information Protocol RIP is a simple Interior Gateway Protocol IGP mainly used in small sized networks This document describes z RIP basic functions configuration z RIP advanced functions configuration z RIP network optimization configuration IPv6 Static Routing ...

Page 15: ...iscovery Snooping MLD Snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups This document describes z Configuring Basic Functions of MLD Snooping z Configuring MLD Snooping Port Functions z Configuring MLD Snooping Querier z Configuring MLD Snooping Policy IPv6 Multicast VLAN IPv6 Multicast VLAN configuration QoS Volume Table ...

Page 16: ...t Security Port security is a MAC address based security mechanism for network access controlling It is an extension to the existing 802 1X authentication and MAC authentication This document describes z Enabling Port Security z Setting the Maximum Number of Secure MAC Addresses z Setting the Port Security Mode z Configuring Port Security Features z Configuring Secure MAC Addresses z Ignoring Auth...

Page 17: ...Configuring ARP Detection High Availability Volume Table 3 7 Features in the High Availability Volume Features Description Smart Link Smart Link is a solution for active standby link redundancy backup and rapid transition in dual uplink networking This document describes z Smart Link Overview z Configuring a Smart Link Device z Configuring an Associated Device Monitor Link Monitor link is a port c...

Page 18: ... z Basic Configuration Tasks z Configuring CC on MEPs z Configuring LB on MEPs z Configuring LT on MEPs Track The track module is used to implement collaboration between different modules through established collaboration objects The detection modules trigger the application modules to perform certain operations through the track module This document describes z Track Overview z Configuring Collab...

Page 19: ...eting modifying and renaming a file or a directory and opening a file This document describes z File system management z Configuration File Management z FTP configuration z TFTP configuration HTTP Hypertext Transfer Protocol HTTP is used for transferring web page information across the Internet This document describes z HTTP Configuration z HTTPS Configuration SNMP Simple network management protoc...

Page 20: ...g equipment PSE to feed powered devices PDs from Ethernet ports through twisted pair cables This document describes z PoE overview z Configuring the PoE Interface z Configuring PoE power management z Configuring the PoE monitoring function z Online upgrading the PSE processing software z Configuring a PD Disconnection Detection Mode z Enabling the PSE to detect nonstandard PDs Hotfix Hotfix is a f...

Page 21: ...ber Devices z Adding a Candidate Device to a Cluster z Configuring Advanced Cluster Functions Stack Management A stack is a set of network devices Administrators can group multiple network devices into a stack and manage them as a whole Therefore stack management can help reduce customer investments and simplify network management This document describes z Stack Configuration Overview z Configurin...

Page 22: ...G Application Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router ASCII American Standard Code for Information Interchange ASE Application service element ASIC Application Specific Integrated Circuit ASM Any Source Multicast ASN Auxiliary Signal Network AT Advanced...

Page 23: ...e and Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain Routing CIR Committed Information Rate CIST Common and Internal Spanning Tree CLNP Connectionless Network Protocol CPOS Channelized POS CPU Central Processing Unit CQ Custom Queuing CRC Cyclic Redunda...

Page 24: ...point Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavelength Division Multiplexing E Return EACL Enhanced ACL EAD Endpoint Admission Defense EAP Extensible Authentication Protocol EAPOL Extensible Authentication Protocol over LAN EBGP External Border Gat...

Page 25: ...hernet GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC High level Data Link Control HEC Header Error Control HoPE Hiberarchy of PE HoVPN Hiberarchy of VPN HQoS Hierarchical Quality of Service HSB Hot Standby HTTP Hyper Text Transport Protocol H VPLS Hiber...

Page 26: ...n IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IS Intermediate System ISATAP Intra Site Automatic Tunnel Addressing Protocol ISDN Integrated Services Digital Network IS IS Intermediate System to Intermediate System intra domain routing information exchange protocol ISO International Organization for Standardization ISP Internet ser...

Page 27: ...State Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol Data Unit LSPM Label Switch Path Management LSR Link State Request LSR Label Switch Router LSR ID Label Switch Router Identity LSU Link State Update M Return MAC Media Access Control MAN Metropolitan Area Network MaxBC Max Bandwidth Constra...

Page 28: ... Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF Multicast VPN Routing and Forwarding N Return NAPT Network Address Port Translation NAS Network Access Server NAT Net Address Translation NBMA Non Broadcast Multi Access NBT NetBIOS over TCP IP NCP Network Control Protocol ND Neighborho...

Page 29: ...fier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol PCB Printed Circuit Board PCM Pulse Code Modulation PD Powered Device PDU Protocol Data Unit PE Provider Edge PHP Penultimate Hop Popping PHY Physical layer PIM Protocol Independent Multicast PIM DM Protocol Independent Multic...

Page 30: ...do wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority RADIUS Remote Authentication Dial in User Service RAM random access memory RD Routing Domain RD Router Distinguisher RED Random Early Detection RFC Request For comments RIP Routing Information Protocol RIPng RIP next gen...

Page 31: ...ignal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Multicast Distribution Tree SIP Session Initiation Protocol Site of Origin Site of Origin SLA Service Level Agreement SMB Standby Main Board SMTP Simple Mail Transfer Protocol SNAP Sub Network Access Point SNMP Simple Network M...

Page 32: ...TA Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE DataBase TFTP Trivial File Transfer Protocol TLS Transparent LAN Service TLV Type Length Value ToS Type of Service TPID Tag Protocol Identifier TRIP Trigger RIP TS Traffic Shaping TTL Time to Live TTY True Type Terminal U Return...

Page 33: ... Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Tributary VTY Virtual Type Terminal W Return WAN Wide Area Network WFQ Weighted Fair Queuing WINS Windows Internet Naming Service WLAN wireless local area network WRED Weighted Random Early Detection WRR Weighted Round...

Page 34: ...or Collecting Ethernet Interface Statistics z Enabling Forwarding of Jumbo Frames z Enabling Loopback Detection on an Ethernet Interface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on an Ethernet Interface Ethernet Link aggregation Link aggregation aggregates multiple physical Ethernet ports into one l...

Page 35: ...user vlan configuration z Introduction and Configuration of Voice VLAN GVRP GVRP is a GARP application This document describes z GARP overview z GVRP configuration z GARP Timers configuration QinQ As defined in IEEE802 1Q 12 bits are used to identify a VLAN ID so a device can support a maximum of 4094 VLANs The QinQ feature extends the VLAN space by allowing Ethernet frames to travel across the se...

Page 36: ...ork monitoring and troubleshooting Traffic mirroring is implemented by a QoS policy which defines certain match criteria to match the packets to be mirrored and defines the action of mirroring such packets to the specified destination This document describes z Port Mirroring overview z Local port mirroring configuration z Remote port mirroring configuration z Traffic mirroring ...

Page 37: ...e Change on an Ethernet Port 1 4 Configuring Loopback Testing on an Ethernet Port 1 4 Configuring a Port Group 1 5 Configuring Storm Suppression 1 5 Setting the Interval for Collecting Ethernet Port Statistics 1 6 Enabling Forwarding of Jumbo Frames 1 7 Enabling Loopback Detection on an Ethernet Port 1 7 Configuring the MDI Mode for an Ethernet Port 1 8 Testing the Cable on an Ethernet Port 1 9 Co...

Page 38: ...ks Enter system view system view Enter Ethernet port view interface interface type interface number Enable a specified Combo port undo shutdown Optional By default of the two ports in a Combo port the one with a smaller port ID is enabled In case of a Combo port only one port either the optical port or the electrical port is active at a time That is once the optical port is active the electrical p...

Page 39: ...plex auto full half Optional auto by default The optical port of an SFP port and the electrical port of an Ethernet port whose port rate is configured as 1000 Mbps do not support the half keyword Set the transmission rate speed 10 100 1000 auto Optional The optical port of an SFP port does not support the 10 or 100 keyword By default the port speed is in the auto negotiation mode Shut down the Eth...

Page 40: ...e an auto negotiation transmission rate To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the auto negotiation transmission rate range speed auto 10 100 1000 Optional z This function is available for auto negotiation capable Gigabit Layer 2 Ethernet electrical ports only z If you repeatedly use the speed and the...

Page 41: ...ystem view system view Enter Ethernet port view interface interface type interface number Configure the up down suppression time of physical link state changes link delay delay time Required By default the physical link state change suppression time is not configured Configuring Loopback Testing on an Ethernet Port You can enable loopback testing to check whether the Ethernet port functions proper...

Page 42: ... apply to all group member ports Note that even though the settings are made on the port group they are saved on a port basis rather than on a port group basis Thus you can only view the settings in the view of each port with the display current configuration command or the display this command Follow these steps to configure a manual port group To do Use the command Remarks Enter system view syst...

Page 43: ...Optional By default the threshold of broadcast packets that can be forwarded on an Ethernet port is 3000pps Set the multicast storm suppression ratio multicast suppression ratio pps max pps Optional By default all multicast traffic is allowed to pass through a port that is multicast traffic is not suppressed Set the unknown unicast storm suppression ratio unicast suppression ratio pps max pps Opti...

Page 44: ...em view system view port group manual port group name In port group view jumboframe enable interface interface type interface number Enable the forwarding of jumbo frames In Ethernet port view jumboframe enable Use any command By default the device allows jumbo frames with the length of 1 522 bytes to pass through all Layer 2 Ethernet ports Enabling Loopback Detection on an Ethernet Port If a port...

Page 45: ... has been configured in both system view and the port view of the port z Loopback detection on all ports will be disabled after the configuration of the undo loopback detection enable command under system view Configuring the MDI Mode for an Ethernet Port 10 Gigabit Ethernet ports and optical ports of SFP ports do not support this function Two types of Ethernet cables can be used to connect Ethern...

Page 46: ...e Ethernet port mdi across auto normal Optional Defaults to auto That is the Ethernet port determines the physical pin roles transmit or receive through negotiation Testing the Cable on an Ethernet Port z 10 Gigabit Ethernet ports and optical ports of SFP ports do not support this feature z A link in the up state goes down and then up automatically if you perform the operation described in this se...

Page 47: ...ng down the port In this case the port is shut down and stops forwarding all types of traffic Ports shut down by the storm constrain function can only be brought up by using the undo shutdown command or disabling the storm constrain function Follow these steps to configure the storm constrain function on an Ethernet port To do Use the command Remarks Enter system view system view Set the interval ...

Page 48: ...eriods z The storm constrain function is applicable to multicast packets and broadcast packets and you can specify the upper and lower threshold for any of the three types of packets Displaying and Maintaining an Ethernet Port To do Use the command Remarks Display the current state of an port and the related information display interface interface type interface number Available in any view Displa...

Page 49: ...ort group manual all name port group name Available in any view Display the information about the loopback function display loopback detection Available in any view Display the information about storm constrain display storm constrain broadcast multicast interface interface type interface number Available in any view ...

Page 50: ...mic Aggregation Group 1 10 Configuring an Aggregate Interface 1 11 Configuring the Description of an Aggregate Interface 1 11 Enabling Link State Trapping for an Aggregate Interface 1 12 Shutting Down an Aggregate Interface 1 12 Configuring Load Sharing for Link Aggregation Groups 1 12 Configuring Load Sharing Criteria for Link Aggregation Groups 1 12 Displaying and Maintaining Ethernet Link Aggre...

Page 51: ...z The configuration of the group specific load sharing criteria is added in V05 02 00P19 on the 3Com Switch 4500G For the detailed configuration please refer to Configuring group specific load sharing criteria Overview Ethernet link aggregation most often simply called link aggregation aggregates multiple physical Ethernet links into one logical link to increase link bandwidth beyond the limits of...

Page 52: ... selected state and its duplex mode is the same as that of the selected member ports For more information about the states of member ports in an aggregation group refer to Aggregation states of member ports in an aggregation group Aggregation states of member ports in an aggregation group A member port in an aggregation group can be in either of the following two aggregation states z Selected a se...

Page 53: ...fic To make sure that you are aware of the risk the system displays a warning message every time you attempt to change a class two configuration setting on a member port z Class one configurations which are configurations that do not affect the aggregation state of the member port even if they are different from those on the aggregate interface GVRP and MSTP settings are examples of class one conf...

Page 54: ...re are two types of LACP priorities system LACP priority and port LACP priority as described in Table 1 3 Table 1 3 LACP priorities Type Description Remarks System LACP priority Used by two peer devices or systems to determine which one is superior in link aggregation In dynamic link aggregation the system that has higher system LACP priority sets the selected state of member ports on its side fir...

Page 55: ...s Pros Cons Static Disabled Aggregation is stable The aggregation state of the member ports is not affected by their peers The member ports cannot change their aggregation state in consistent with their peers The administrator needs to manually maintain link aggregations Dynamic Enabled The administrator does not need to maintain link aggregations The peer systems maintain the aggregation state of...

Page 56: ...duplex low speed half duplex high speed and half duplex low speed The one at the top is selected as the reference port If two ports have the same duplex mode and speed the one with the lower port number wins out Setting the aggregation state of each member port After selecting the reference port the static aggregation group sets the aggregation state of each member port as shown in Figure 1 2 Figu...

Page 57: ...state of each member port Selecting a reference port The local system the actor negotiates with the remote system the partner to select a reference port as follows 1 Compare the system ID comprising the system LACP priority and the system MAC address of the actor with that of the partner The system with the lower LACP priority value wins out If they are the same compare the system MAC addresses Th...

Page 58: ... aware of the aggregation state changes on the remote system changes the aggregation state of its ports accordingly z Because any port attribute or class two configuration change on a member port may cause the aggregation state of the port and other member ports to change and thus affect services you are recommended to do that with caution z In a dynamic aggregation group when the aggregation stat...

Page 59: ...ation Groups Optional Configuring an Aggregation Group Configuration Guidelines Link aggregation cannot be used along with some features Table 1 5 lists the ports that cannot be assigned to a Layer 2 aggregation group Table 1 5 Ports that cannot be assigned to a Layer 2 aggregation group Port type Reference RRPP enabled ports RRPP Configuration in the High Availability Volume MAC address authentic...

Page 60: ...ace interface type interface number Assign the Ethernet interface to the aggregation group port link aggregation group number Required Repeat these two steps to assign multiple Layer 2 Ethernet interfaces to the aggregation group Configuring a Dynamic Aggregation Group To guarantee a successful dynamic aggregation ensure that the peer ports of the ports aggregated at one end are also aggregated Th...

Page 61: ...rt priority Optional By default the LACP priority of a port is 32768 Changing the LACP priority of a port may affect the aggregation state of the ports in the dynamic aggregation group Configuring an Aggregate Interface You can perform the following configurations on an aggregate interface z Configuring the Description of an Aggregate Interface z Enabling Link State Trapping for an Aggregate Inter...

Page 62: ...gate interface affects the aggregation state and link state of ports in the corresponding aggregation group z When an aggregate interface is shut down all selected ports in the corresponding aggregation group become unselected and their link state becomes down z When an aggregate interface is brought up the aggregation state of ports in the corresponding aggregation group is recalculated and their...

Page 63: ...l link aggregation load sharing criterion or criteria the switch supports the following criteria z Use a source IP address alone z Use a destination IP address alone z Use a source MAC address alone z Use a destination MAC address alone z Combine a source IP address and a destination IP address z Combine a source IP address and a source port number z Combine a destination IP address and a destinat...

Page 64: ...ce list Available in any view Display the summary of all aggregation groups display link aggregation summary Available in any view Display detailed information about a specific or all aggregation groups display link aggregation verbose bridge aggregation interface number Available in any view Clear LACP statistics for a specific or all link aggregation member ports reset lacp statistics interface ...

Page 65: ...r ports based on source and destination MAC addresses Figure 1 4 Network diagram for static aggregation Configuration procedure 1 Configure Device A Create VLAN 10 and assign port GigabitEthernet1 0 4 to VLAN 10 DeviceA system view DeviceA vlan 10 DeviceA vlan10 port gigabitEthernet 1 0 4 DeviceA vlan10 quit Create VLAN 20 and assign port GigabitEthernet1 0 5 to VLAN 20 DeviceA vlan 20 DeviceA vla...

Page 66: ...ernet1 0 3 Done DeviceA Bridge Aggregation1 quit Configure to use the source and destination MAC addresses of packets as the global link aggregation load sharing criteria DeviceA link aggregation load sharing mode source mac destination mac 2 Configure Device B Configure Device B as you configure Device A 3 Verify the configurations Display the summary information about all aggregation groups on D...

Page 67: ...e VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end and VLAN 20 at one end to communicate with VLAN 20 at the other end z Enable traffic to be load shared across aggregation group member ports based on source and destination MAC addresses Figure 1 5 Network diagram for dynamic aggregation Configuration procedure 1 Configure Device A Create VLAN 10 and assign por...

Page 68: ...eA interface bridge aggregation 1 DeviceA Bridge Aggregation1 port link type trunk DeviceA Bridge Aggregation1 port trunk permit vlan 10 20 Please wait Done Configuring GigabitEthernet1 0 1 Done Configuring GigabitEthernet1 0 2 Done Configuring GigabitEthernet1 0 3 Done DeviceA Bridge Aggregation1 quit Configure to use the source and destination MAC addresses of packets as the global link aggregat...

Page 69: ...faces GigabitEthernet 1 0 1 through GigabitEthernet 1 0 4 z Configure two Layer 2 static link aggregation groups 1 and 2 on Device A and Device B respectively enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end and VLAN 20 at one end to communicate with VLAN 20 at the other end z Configure the load sharing criterion for link aggregation group 1 as the sourc...

Page 70: ...ration automatically propagates to all the member ports in link aggregation group 1 DeviceA interface bridge aggregation 1 DeviceA Bridge Aggregation1 port link type trunk DeviceA Bridge Aggregation1 port trunk permit vlan 10 20 Please wait Done Configuring GigabitEthernet1 0 1 Done Configuring GigabitEthernet1 0 2 Done DeviceA Bridge Aggregation1 quit Create Layer 2 aggregate interface 2 configur...

Page 71: ...Aggregation Mode S Static D Dynamic Loadsharing Type Shar Loadsharing NonS Non Loadsharing Actor System ID 0x8000 000f e2ff 0001 AGG AGG Partner ID Select Unselect Share Interface Mode Ports Ports Type BAGG1 S none 2 0 Shar BAGG2 S none 2 0 Shar The output above shows that link aggregation groups 1 and 2 are both load sharing capable Layer 2 static aggregation groups and each contains two selected...

Page 72: ...solation Configuration 1 1 Introduction to Port Isolation 1 1 Configuring the Isolation Group 1 1 Assigning a Port to the Isolation Group 1 1 Displaying and Maintaining Isolation Groups 1 2 Port Isolation Configuration Example 1 2 ...

Page 73: ...tween a port inside an isolation group and a port outside the isolation group but not between ports inside the isolation group Configuring the Isolation Group Assigning a Port to the Isolation Group Follow these steps to add a port to the isolation group To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Layer 2...

Page 74: ...that Host A Host B and Host C cannot communicate with one another at Layer 2 but can access the Internet Figure 1 1 Networking diagram for port isolation configuration Configuration procedure Add ports GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 to the isolation group Device system view Device interface GigabitEthernet 1 0 1 Device GigabitEthernet1 0 1 port isolate enable...

Page 75: ...1 3 Uplink port support NO Group ID 1 Group members GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3 ...

Page 76: ...g the Priority of a Device 1 19 Configuring the Maximum Hops of an MST Region 1 20 Configuring the Network Diameter of a Switched Network 1 20 Configuring Timers of MSTP 1 21 Configuring the Timeout Factor 1 22 Configuring the Maximum Port Rate 1 23 Configuring Ports as Edge Ports 1 23 Configuring Path Costs of Ports 1 24 Configuring Port Priority 1 26 Configuring the Link Type of Ports 1 27 Confi...

Page 77: ... Rapid Spanning Tree Protocol RSTP and the Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Introduction to STP Why STP STP was developed based on the 802 1d standard of IEEE to eliminate loops at the data link layer in a local area network LAN Devices running this protocol detect loops in the network by exchanging...

Page 78: ... the BPDUs Root port On a non root bridge the port nearest to the root bridge is called the root port The root port is responsible for communication with the root bridge Each non root bridge has one and only one root port The root bridge has no root port Designated bridge and designated port The following table describes designated bridges and designated ports Table 1 1 Description of designated b...

Page 79: ...e spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the root bridge denoted by the root identifier from the transmitting bridge z Designated bridge ID consisting of the priority and MAC address of the designated bridge z Designated port ID designated port...

Page 80: ...riority than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port the device replaces the content of the configuration BPDU generated by the port with the content of the rece...

Page 81: ... device z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be defined and acts depending on the comparison result z If the calculated configuration BPDU is superior the device considers this port as the designated port and replaces the configuration BPDU on the po...

Page 82: ... port after comparison Device A z Port AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received configuration BPDU and therefore discards the received configuration BPDU z Port AP2 receives the configuration BPDU of Device C 2 0 2 CP1 Device A finds that the BPDU of the local port 0 0 0 AP2 is super...

Page 83: ...port BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port 2 0 2 CP1 and updates the configuration BPDU of CP1 z Port CP2 receives the configuration BPDU of port BP2 of Device B 1 0 1 BP2 before the configuration BPDU is updated Device C...

Page 84: ...nning tree with Device A as the root bridge is established as shown in Figure 1 3 Figure 1 3 The final calculated spanning tree AP1 AP2 Device A With priority 0 Device B With priority 1 Device C With priority 2 BP1 BP2 CP2 5 4 The spanning tree calculation process in this example is only simplified process The BPDU forwarding mechanism in STP z Upon network initiation every switch regards itself a...

Page 85: ...te transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propagated throughout the network z Hello time is the time interval at which a device sends hello packets to the surrounding devices to ensure that the paths are fault free z Max age is a parameter used to...

Page 86: ...ngs of STP and RSTP In addition to the support for rapid network convergence it allows data flows of different VLANs to be forwarded along separate paths thus providing a better load sharing mechanism for redundant links For description about VLANs refer to VLAN Configuration in the Access Volume MSTP features the following z MSTP supports mapping VLANs to spanning tree instances by means of a VLA...

Page 87: ... tree region MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have the same region name z They have the same VLAN to instance mapping configuration z They have the same MSTP revision level configuration and z They are physically linked with one another For example all the...

Page 88: ... constitute the CIST of the entire network MSTI Multiple spanning trees can be generated in an MST region through MSTP one spanning tree being independent of another Each spanning tree is referred to as a multiple spanning tree instance MSTI In Figure 1 4 for example multiple spanning trees can exist in each MST region each spanning tree corresponding to the specific VLAN s These spanning trees ar...

Page 89: ...nate port The standby port for a root port or master port When the root port or master port is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a designated port When the designated port is blocked the backup port becomes a new designated port and starts forwarding data without delay A loop occurs when two ports of the same MSTP device are interc...

Page 90: ... are calculated each being called an MSTI Among these MSTIs MSTI 0 is the IST while all the others are MSTIs Similar to STP MSTP uses configuration BPDUs to calculate spanning trees The only difference between the two protocols is that an MSTP BPDU carries the MSTP configuration on the device from which this BPDU is sent CIST calculation The calculation of a CIST tree is also the process of config...

Page 91: ... List Before configuring MSTP you need to know the role of each device in each MSTI root bridge or leave node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes Complete these tasks to configure MSTP Task Remarks Configuring an MST Region Required Configuring the Root Bridge or a Secondary Root Bridge Optional Configuring the Work Mode of an MSTP Device Opt...

Page 92: ...ance mapping table For the detailed information of GVRP refer to GVRP Configuration of the Access Volume z MSTP is mutually exclusive with any of the following functions on a port service loopback RRPP Smart Link and BPDU tunnel z Configurations made in system view take effect globally configurations made in Ethernet interface view take effect on the current interface only configurations made in p...

Page 93: ...urations of currently activated MST regions display stp region configuration The display command can be executed in any view z Two or more MSTP enabled devices belong to the same MST region only if they are configured to have the same format selector 0 by default not configurable MST region name the same VLAN to instance mapping entries in the MST region and the same MST region revision level and ...

Page 94: ...er if you specify a new primary root bridge for the instance then the secondary root bridge will not become the root bridge If you have specified multiple secondary root bridges for an instance when the root bridge fails MSTP will select the secondary root bridge with the lowest MAC address as the new root bridge Configuring the current device as the root bridge of a specific spanning tree Follow ...

Page 95: ...he device send out MSTP BPDUs If the device detects that it is connected with a legacy STP device the port connecting with the legacy STP device will automatically migrate to STP compatible mode Make this configuration on the root bridge and on the leaf nodes separately Follow these steps to configure the MSTP work mode To do Use the command Remarks Enter system view system view Configure the work...

Page 96: ...spanning tree calculation and thereby the size of the MST region is confined Make this configuration on the root bridge only All the devices other than the root bridge in the MST region use the maximum hop value set for the root bridge Follow these steps to configure the maximum number of hops of an MST region To do Use the command Remarks Enter system view system view Configure the maximum hops o...

Page 97: ...f the peer occur in a synchronized manner z Hello time is the time interval at which a device sends configuration BPDUs to the surrounding devices to ensure that the paths are fault free If a device fails to receive configuration BPDUs within a certain period of time it starts a new spanning tree calculation process z MSTP can detect link failures and automatically restore blocked redundant links ...

Page 98: ... to timely launch spanning tree calculations thus reducing the auto sensing capability of the network We recommend that you use the default setting The settings of hello time forward delay and max age must meet the following formulae otherwise network instability will frequently occur z 2 forward delay 1 second ú max age z Max age ú 2 hello time 1 second We recommend that you specify the network d...

Page 99: ...imit Required 10 by default The higher the maximum port rate is the more BPDUs will be sent within each hello time and the more system resources will be used By setting an appropriate maximum port rate you can limit the rate at which the port sends BPDUs and prevent MSTP from using excessive network resources when the network becomes instable We recommend that you use the default setting Configuri...

Page 100: ...h costs in different MSTIs Setting appropriate path costs allows VLAN traffic flows to be forwarded along different physical links thus achieving VLAN based load balancing The device can automatically calculate the default path cost alternatively you can also configure the path cost for ports Make the following configurations on the leaf nodes only Specifying a standard that the device uses when c...

Page 101: ...666 500 2 1 1 1 When calculating path cost for an aggregate interface 802 1d 1998 does not take into account the number of member ports in its aggregation group as 802 1t does The calculation formula of 802 1t is Path Cost 200 000 000 link speed in 100 kbps where link speed is the sum of the link speed values of the non blocked ports in the aggregation group Configuring path costs of ports Follow ...

Page 102: ... elected as the root port of a device If all other conditions are the same the port with the highest priority will be elected as the root port On an MSTP enabled device a port can have different priorities in different MSTIs and the same port can play different roles in different MSTIs so that data of different VLANs can be propagated along different physical paths thus implementing per VLAN load ...

Page 103: ...iew system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command Configure the link type of ports stp point to point auto force false force true Optional The default setting is auto namely the port automatically detec...

Page 104: ...acy Required auto by default z MSTP provides the MSTP packet format incompatibility guard function In MSTP mode if a port is configured to recognize send MSTP packets in a mode other than auto and receives a packet in a format different from the specified type the port will become a designated port and remain in the discarding state to prevent the occurrence of a loop z MSTP provides the MSTP pack...

Page 105: ...anual port group name Required Use either command Enable the MSTP feature for the ports stp enable Optional By default MSTP is enabled for all ports z MSTP takes effect when it is enabled both globally and on the port z To control MSTP flexibly you can use the undo stp enable command to disable the MSTP feature for certain ports so that they will not take part in spanning tree calculation and thus...

Page 106: ... RSTP or MSTP mode Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when the MST region related configurations domain name revision level VLAN to instance mappings on them are identical An MSTP enabled device identifies devices in the same MST region by checking the configuration ID in BPDU packets The configuration ID includes the region nam...

Page 107: ...bled by default z With the Digest Snooping feature enabled comparison of configuration digest is not needed for in the same region check so the VLAN to instance mappings must be the same on associated ports z With global Digest Snooping enabled modification of VLAN to instance mappings and removing of the current region configuration using the undo stp region configuration command are not allowed ...

Page 108: ...ooping on Device B DeviceB system view DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 stp config digest snooping DeviceB GigabitEthernet1 0 1 quit DeviceB stp config digest snooping Configuring No Agreement Check In RSTP and MSTP two types of messages are used for rapid state transition on designated ports z Proposal sent by designated ports to request rapid transition z Agre...

Page 109: ...TP and does not work in RSTP mode the root port on the downstream device receives no agreement packet from the upstream device and thus sends no agreement packets to the upstream device As a result the designated port of the upstream device fails to transit rapidly and can only change to the forwarding state after a period twice the Forward Delay In this case you can enable the No Agreement Check ...

Page 110: ...ream device Figure 1 9 No Agreement Check configuration 2 Configuration procedure Enable No Agreement Check on GigabitEthernet 1 0 1 of Device A DeviceA system view DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 stp no agreement check Configuring Protection Functions An MSTP enabled device supports the following protection functions z BPDU guard z Root guard z Loop guard z TC...

Page 111: ...ndary root bridge are generally put in a high bandwidth core region during network design However due to possible configuration errors or malicious attacks in the network the legal root bridge may receive a configuration BPDU with a higher priority In this case the current legal root bridge will be superseded by another device causing an undesired change of the network topology As a result the tra...

Page 112: ...forwarding state resulting in loops in the switched network The loop guard function can suppress the occurrence of such loops If a loop guard enabled port fails to receive BPDUs from the upstream device and if the port takes part in STP calculation all the instances on the port no matter what roles the port plays will be set to and stay in the Discarding state Make this configuration on the root p...

Page 113: ...ushes that the device can perform within a specific time period after it receives the first TC BPDU stp tc protection threshold number Optional 6 by default We recommend that you keep this feature enabled Enabling BPDU Dropping In a STP enabled network some users may send BPDU packets to the switch continuously in order to destroy the network When a switch receives the BPDU packets it will forward...

Page 114: ...w View the MST region configuration information that has taken effect display stp region configuration Available in any view View the root bridge information of all MSTIs display stp root Available in any view Clear the statistics information of MSTP reset stp interface interface list Available in user view MSTP Configuration Example Network requirements z All devices on the network are in the sam...

Page 115: ... MSTI 1 MSTI 3 and MSTI 4 respectively and configure the revision level of the MST region as 0 DeviceA system view DeviceA stp region configuration DeviceA mst region region name example DeviceA mst region instance 1 vlan 10 DeviceA mst region instance 3 vlan 30 DeviceA mst region instance 4 vlan 40 DeviceA mst region revision level 0 Activate MST region configuration DeviceA mst region active reg...

Page 116: ...ew DeviceC stp region configuration DeviceC mst region region name example DeviceC mst region instance 1 vlan 10 DeviceC mst region instance 3 vlan 30 DeviceC mst region instance 4 vlan 40 DeviceC mst region revision level 0 Activate MST region configuration DeviceC mst region active region configuration DeviceC mst region quit Specify the current device as the root bridge of MSTI 4 DeviceC stp in...

Page 117: ...STID Port Role STP State Protection 0 GigabitEthernet1 0 1 DESI FORWARDING NONE 0 GigabitEthernet1 0 2 DESI FORWARDING NONE 0 GigabitEthernet1 0 3 DESI FORWARDING NONE 1 GigabitEthernet1 0 2 DESI FORWARDING NONE 1 GigabitEthernet1 0 3 ROOT FORWARDING NONE 3 GigabitEthernet1 0 1 DESI FORWARDING NONE 3 GigabitEthernet1 0 3 DESI FORWARDING NONE Display brief spanning tree information on Device C Devi...

Page 118: ... 0 2 ALTE DISCARDING NONE 4 GigabitEthernet1 0 3 ROOT FORWARDING NONE Based on the above information you can draw the MSTI corresponding to each VLAN as shown in Figure 1 11 Figure 1 11 MSTIs corresponding to different VLANs ...

Page 119: ... 8 Enabling LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 8 Configuring the Management Address and Its Encoding Format 1 9 Setting Other LLDP Parameters 1 10 Setting an Encapsulation Format for LLDPDUs 1 10 Configuring CDP Compatibility 1 11 Configuration Prerequisites 1 11 Configuring CDP Compatibility 1 12 Configuring LLDP Trapping 1 12 Displaying and Maintaining LLDP 1 13 LLDP Config...

Page 120: ...her and exchange configuration for interoperability and management sake This calls for a standard configuration exchange platform To address the needs the IETF drafted the Link Layer Discovery Protocol LLDP in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its ma...

Page 121: ...he MAC address to which the LLDPDU is advertised It is fixed to 0x0180 C200 000E a multicast MAC address Source MAC address The MAC address of the sending port If the port does not have a MAC address the MAC address of the sending bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to d...

Page 122: ...sis ID TLV port ID TLV TTL TLV and end of LLDPDU TLV end TLV in the figure are mandatory TLVs that must be carried and other TLVs are optional TLVs TLVs are type length and value sequences that carry information elements where the type field identifies the type of information the length field indicates the length of the information field in octets and the value field contains the information itsel...

Page 123: ...t and the interface number and OID object identifier associated with the address Optional 2 IEEE 802 1 organizationally specific TLVs Table 1 4 IEEE 802 1 organizationally specific TLVs Type Description Port VLAN ID PVID of the sending port Port And Protocol VLAN ID Port and protocol VLAN IDs VLAN Name A specific VLAN name on the port Protocol Identity Protocols supported on the port Currently Swi...

Page 124: ...ion according to IEEE 802 3AF Hardware Revision Allows a MED endpoint device to advertise its hardware version Firmware Revision Allows a MED endpoint to advertise its firmware version Software Revision Allows a MED endpoint to advertise its software version Serial Number Allows an LLDP MED endpoint device to advertise its serial number Manufacturer Name Allows a MED endpoint to advertise its vend...

Page 125: ...ved carrying device information new to the local device z The LLDP operating mode of the port changes from Disable Rx to TxRx or Tx This is the fast sending mechanism of LLDP With this mechanism a specific number of LLDP frames are sent successively at the 1 second interval to help LLDP neighbors discover the local device as soon as possible Then the normal LLDP frame transmit interval resumes Rec...

Page 126: ...e command Remarks Enter system view system view Enable LLDP globally lldp enable Required By default LLDP is enabled global Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view port group manual port group name Required Use either command Enable LLDP lldp enable Optional By default LLDP is enabled on a port S...

Page 127: ... system view system view Set the LLDP re initialization delay lldp timer reinit delay delay Optional 2 seconds by default Enabling LLDP Polling With LLDP polling enabled a device checks for local configuration changes periodically Upon detecting a configuration change the device sends LLDP frames to inform the neighboring devices of the change Follow these steps to enable LLDP polling To do Use th...

Page 128: ...mat If a neighbor encoded its management address in character string format you can configure the encoding format of the management address as string on the connecting port to guarantee normal communication with the neighbor Follow these steps to configure a management address to be advertised and its encoding format on one or a group of ports To do Use the command Remarks Enter system view system...

Page 129: ...onal 2 seconds by default Set the number of LLDP frames sent each time fast LLDPDU transmission is triggered lldp fast count count Optional 3 by default Both the LLDPDU transmit interval and delay must be less than the TTL to ensure that the LLDP neighbors can receive LLDP frames to update information about the device you are configuring before it is aged out Setting an Encapsulation Format for LL...

Page 130: ...th Cisco IP phones As your LLDP enabled device cannot recognize CDP packets it does not respond to the requests of Cisco IP phones for the voice VLAN ID configured on the device This can cause a requesting Cisco IP phone to send voice traffic without any tag to your device disabling your device to differentiate the voice traffic from other types of traffic By configuring CDP compatibility you can ...

Page 131: ...command Configure CDP compatible LLDP to operate in TxRx mode lldp compliance admin status cdp txrx Required By default CDP compatible LLDP operates in disable mode As the maximum TTL allowed by CDP is 255 seconds ensure that the product of the TTL multiplier and the LLDPDU transmit interval is less than 255 seconds for CDP compatible LLDP to work properly with Cisco IP phones Configuring LLDP Tra...

Page 132: ... name Available in any view Display LLDP statistics display lldp statistics global interface interface type interface number Available in any view Display LLDP status of a port display lldp status interface interface type interface number Available in any view Display types of advertisable optional LLDP TLVs display lldp tlv config interface interface type interface number Available in any view LL...

Page 133: ...hB system view SwitchB lldp enable Enable LLDP on GigabitEthernet1 0 1 you can skip this step because LLDP is enabled on ports by default and set the LLDP operating mode to Tx SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 lldp enable SwitchB GigabitEthernet1 0 1 lldp admin status tx SwitchB GigabitEthernet1 0 1 quit 3 Verify the configuration Display the global LLDP status a...

Page 134: ...operate in Rx mode that is they only receive LLDP frames Tear down the link between Switch A and Switch B and then display the global LLDP status and port LLDP status on Switch A SwitchA display lldp status Global status of LLDP Enable The current number of LLDP neighbors 1 The current number of CDP neighbors 0 LLDP neighbor information last changed time 0 days 0 hours 5 minutes 20 seconds Transmi...

Page 135: ...hones to automatically configure the voice VLAN thus confining their voice traffic within the voice VLAN to be isolated from other types of traffic Figure 1 5 Network diagram for CDP compatible LLDP configuration Configuration procedure 1 Configure a voice VLAN on Switch A Create VLAN 2 SwitchA system view SwitchA vlan 2 SwitchA vlan2 quit Set the link type of GigabitEthernet 1 0 1 and GigabitEthe...

Page 136: ...thernet1 0 2 lldp enable SwitchA GigabitEthernet1 0 2 lldp admin status txrx SwitchA GigabitEthernet1 0 2 lldp compliance admin status cdp txrx SwitchA GigabitEthernet1 0 2 quit 3 Verify the configuration Display the neighbor information on Switch A SwitchA display lldp neighbor information CDP neighbor information of port 1 GigabitEthernet1 0 1 CDP neighbor index 1 Chassis ID SEP00141CBCDBFE Port...

Page 137: ...nfiguration 1 15 Introduction 1 15 Configuring an IP Subnet Based VLAN 1 15 Displaying and Maintaining VLAN 1 16 VLAN Configuration Example 1 16 2 Isolate User VLAN Configuration 2 1 Overview 2 1 Configuring Isolate User VLAN 2 1 Displaying and Maintaining Isolate User VLAN 2 3 Isolate User VLAN Configuration Example 2 3 3 Voice VLAN Configuration 3 1 Overview 3 1 OUI Addresses 3 1 Voice VLAN Assi...

Page 138: ... and excessive broadcasts cannot be avoided on an Ethernet To address the issue virtual LAN VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN VLANs are isolated from each other at Layer 2 A VLAN is a bridging domain and all broadcast traffic is contained within it as shown in...

Page 139: ...E 802 1Q inserts a four byte VLAN tag after the DA SA field as shown in Figure 1 3 Figure 1 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority canonical format indicator CFI and VLAN ID z The 16 bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged z The 3 bit priority field indicates the 802 1p priority of the frame...

Page 140: ...at the same time When determining to which VLAN a packet passing through the port should be assigned the device looks up the VLANs in the default order of MAC based VLANs IP based VLANs protocol based VLANs and port based VLANs Configuring Basic VLAN Settings Follow these steps to configure basic VLAN settings To do Use the command Remarks Enter system view system view Create VLANs vlan vlan id1 t...

Page 141: ...an create one VLAN interface You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the VLAN Follow these steps to configure basic settings of a VLAN interface To do Use the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface vlan...

Page 142: ...y multiple VLANs to receive and send traffic for them Except traffic of the default VLAN traffic sent through a trunk port will be VLAN tagged Usually ports connecting network devices are configured as trunk ports As shown in Figure 1 4 because Device A and Device B need to transmit packets of VLAN 2 and VLAN 3 you need to configure the ports interconnecting Device A and Device B as trunk ports an...

Page 143: ...for a hybrid or trunk port but not for an access port Therefore after you remove the VLAN that an access port resides in with the undo vlan command the default VLAN of the port changes to VLAN 1 The removal of the VLAN specified as the default VLAN of a trunk or hybrid port however does not affect the default VLAN setting on the port z Do not set the voice VLAN as the default VLAN of a port in aut...

Page 144: ...frame if its VLAN is not carried on the port Send the frame if its VLAN is carried on the port The frame is sent with the VLAN tag removed or intact depending on your configuration with the port hybrid vlan command This is true of the default VLAN Assigning an Access Port to a VLAN You can assign an access port to a VLAN in VLAN view interface view or port group view 1 In VLAN view Follow these st...

Page 145: ...onfigure the link type of the port or ports as access port link type access Optional The link type of a port is access by default Assign the current access port s to a VLAN port access vlan vlan id Optional By default all access ports belong to VLAN 1 z Before assigning an access port to a VLAN create the VLAN first z After you configure a command on a Layer 2 aggregate interface the system starts...

Page 146: ...efault VLAN by default z To change the link type of a port from trunk to hybrid or vice versa you must set the link type to access first z After you use the port link type access hybrid trunk command to change the link type of an interface the loopback detection action configured on the interface with the loopback detection action command will be restored to the default For details about the port ...

Page 147: ...d port port hybrid pvid vlan vlan id Optional VLAN 1 is the default by default z To change the link type of a port from trunk to hybrid or vice versa you must set the link type to access first z Before assigning a hybrid port to a VLAN create the VLAN first z After you use the port link type access hybrid trunk command to change the link type of an interface the loopback detection action configure...

Page 148: ...LANs to make the forwarding decision z When receiving a tagged frame the receiving port forwards the frame if it is assigned to the corresponding VLAN or drops the frame if it is not In this case port based VLAN applied Approaches to Creating MAC Address to VLAN Mappings In addition to creating MAC address to VLAN mappings at the CLI you can use an authentication server to automatically issue MAC ...

Page 149: ...vlan id priority priority Required Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view port group manual port group name Use either command In Ethernet interface view the subsequent configurations apply only to the current port in port group view the subsequent configurations apply to all ports in the port g...

Page 150: ...ackets of a port based VLAN z If the port permits the VLAN ID of the packet to pass through the port forwards the packet z If the port does not permit the VLAN ID of the packet to pass through the port drops the packet This feature is mainly used to assign packets of the specific service type to a specific VLAN Configuring a Protocol Based VLAN Follow these steps to configure a protocol based VLAN...

Page 151: ... of the matching packets will be the same as that of the ipx llc or ipx raw packets respectively z When you use the mode keyword to configure a user defined protocol template do not set etype id in ethernetii etype etype id to 0x0800 0x8137 0x809b or 0x86dd Otherwise the encapsulation format of the matching packets will be the same as that of the IPv4 IPX AppleTalk and IPv6 packets respectively z ...

Page 152: ... be a multicast network segment or a multicast address Return to system view quit Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command z In Ethernet interface view the subs...

Page 153: ...ress mac address mask mac mask static vlan vlan id Available in any view Display all interfaces with MAC based VLAN enabled display mac vlan interface Available in any view Display protocol information and protocol indexes of the specified VLANs display protocol vlan vlan vlan id to vlan id all Available in any view Display protocol based VLAN information on specified interfaces display protocol v...

Page 154: ...ault the packets of VLAN 1 are permitted to pass through on all the ports DeviceA GigabitEthernet1 0 1 undo port trunk permit vlan 1 Configure GigabitEthernet 1 0 1 to permit packets from VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass through DeviceA GigabitEthernet1 0 1 port trunk permit vlan 2 6 to 50 100 Please wait Done DeviceA GigabitEthernet1 0 1 quit DeviceA quit 2 Configure Device B as...

Page 155: ... seconds output 0 packets sec 0 bytes sec Input total 0 packets 0 bytes 0 unicasts 0 broadcasts 0 multicasts Input normal 0 packets bytes 0 unicasts 0 broadcasts 0 multicasts Input 0 input errors 0 runts 0 giants 0 throttles 0 CRC 0 frame overruns 0 aborts ignored parity errors Output total 0 packets 0 bytes 0 unicasts 0 broadcasts 0 multicasts 0 pauses Output normal 0 packets bytes 0 unicasts 0 b...

Page 156: ... of only the isolate user VLAN but not the secondary VLANs network configuration is simplified and VLAN resources are saved z You can isolate the Layer 2 traffic of different users by assigning the ports connected to them to different secondary VLANs To enable communication between secondary VLANs associated with the same isolate user VLAN you can enable local proxy ARP on the upstream device to r...

Page 157: ... least one port takes the isolate user VLAN as its default VLAN Hybrid port Refer to Assigning a Hybrid Port to a VLAN Use either approach Return to system view quit Create secondary VLANs vlan vlan id1 to vlan id2 all Required Quit to system view quit Access port Refer to Assigning an Access Port to a VLAN Assign ports to each secondary VLAN and ensure that at least one port in a secondary VLAN t...

Page 158: ...1 to VLAN 3 z Configure VLAN 6 on Device C as an isolate user VLAN assign the uplink port GigabitEthernet 1 0 5 to VLAN 6 and associate VLAN 6 with secondary VLANs VLAN 3 and VLAN 4 Assign GigabitEthernet 1 0 3 to VLAN 3 and GigabitEthernet 1 0 4 to VLAN 4 z For Device A Device B only has VLAN 5 and Device C only has VLAN 6 Figure 2 2 Network diagram for isolate user VLAN configuration Configurati...

Page 159: ...an4 port gigabitethernet 1 0 4 Associate the isolate user VLAN with the secondary VLANs DeviceC vlan4 quit DeviceC isolate user vlan 6 secondary 3 to 4 Verification Display the isolate user VLAN configuration on Device B DeviceB display isolate user vlan Isolate user VLAN VLAN ID 5 Secondary VLAN ID 2 3 VLAN ID 5 VLAN Type static Isolate user VLAN type isolate user VLAN Route Interface not configu...

Page 160: ... gigabitethernet 1 0 5 VLAN ID 3 VLAN Type static Isolate user VLAN type secondary Route Interface not configured Description VLAN 0003 Name VLAN 0003 Tagged Ports none Untagged Ports gigabitethernet 1 0 1 gigabitethernet 1 0 5 ...

Page 161: ...vice QoS parameters for the voice traffic thus improving transmission priority and ensuring voice quality Common voice devices include IP phones and integrated access devices IADs Only IP phones are used in the voice VLAN configuration examples in this chapter OUI Addresses A device determines whether a received packet is a voice packet by checking its source MAC address A packet whose source MAC ...

Page 162: ...onfigure voice VLAN aging time on the device The system will remove a port from the voice VLAN if no packet is received from the port during the aging time Assigning removing ports to from a voice VLAN are automatically performed by the system The automatic mode is suitable for scenarios where PCs and IP phones connected in series access the network through the device and ports on the device trans...

Page 163: ...Automatic Access Manual No Automatic Configure the default VLAN of the port which cannot be the voice VLAN and assign the port to its default VLAN Trunk Manual Yes Make all the configurations required for the automatic mode in addition assign the port to the voice VLAN Automatic Configure the default VLAN of the port which cannot be the voice VLAN and configure the port to permit packets of its de...

Page 164: ...z If an IP phone sends untagged voice traffic to realize the voice VLAN feature you must configure the default VLAN of the connecting port as the voice VLAN In this case 802 1X authentication function cannot be realized z The default VLANs for all ports are VLAN 1 You can configure the default VLAN of a port and configure a port to permit a certain VLAN to pass through with commands For more infor...

Page 165: ...to pass through Configuring a Voice VLAN Configuration Prerequisites 1 Create a VLAN Before configuring a VLAN as a voice VLAN create the VLAN first 2 Configure the voice VLAN assignment mode For details see Setting a Port to Operate in Automatic Voice VLAN Assignment Mode and Setting a Port to Operate in Manual Voice VLAN Assignment Mode z A port can belong to only one voice VLAN at a time z Voic...

Page 166: ... in automatic mode on a hybrid port can process only tagged voice traffic Therefore do not configure a VLAN as both a protocol based VLAN and a voice VLAN For more information refer to Protocol Based VLAN Configuration z Do not configure the default VLAN of a port in automatic voice VLAN assignment mode as the voice VLAN Setting a Port to Operate in Manual Voice VLAN Assignment Mode Follow these s...

Page 167: ...igured with only one voice VLAN and this voice VLAN must be a static VLAN that already exists on the device z Voice VLAN is mutually exclusive with Link Aggregation Control Protocol LACP on a port z To make voice VLAN take effect on a port which is enabled with voice VLAN and operates in manual voice VLAN assignment mode you need to assign the port to the voice VLAN manually Displaying and Maintai...

Page 168: ...c at the same time to ensure the quality of voice packets and effective bandwidth use configure voice VLANs to work in security mode that is configure the voice VLANs to transmit only voice packets Optional By default voice VLANs work in security mode DeviceA voice vlan security enable Configure the allowed OUI addresses as MAC addresses prefixed by 0011 1100 0000 or 0011 2200 0000 In this way Dev...

Page 169: ...000 Philips NEC phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current states of voice VLANs DeviceA display voice vlan state Maximum of Voice VLANs 8 Current Voice VLANs 2 Voice VLAN security mode Security Voice VLAN aging time 30 minutes Voice VLAN enabled port and its mode PORT VLAN MODE GigabitEthernet1 0 1 2 AUTO GigabitEthernet1 0 2 3 A...

Page 170: ... 1 0 1 as a hybrid port DeviceA GigabitEthernet1 0 1 port link type hybrid Configure the voice VLAN VLAN 2 as the default VLAN of GigabitEthernet 1 0 1 and configure GigabitEthernet 1 0 1 to permit the voice traffic of VLAN 2 to pass through untagged DeviceA GigabitEthernet1 0 1 port hybrid pvid vlan 2 DeviceA GigabitEthernet1 0 1 port hybrid vlan 2 untagged Enable voice VLAN on GigabitEthernet 1 ...

Page 171: ...bb00 0000 ffff ff00 0000 3com phone Display the current voice VLAN state DeviceA display voice vlan state Maximum of Voice VLANs 8 Current Voice VLANs 1 Voice VLAN security mode Security Voice VLAN aging time 1440 minutes Voice VLAN enabled port and its mode PORT VLAN MODE GigabitEthernet1 0 1 2 MANUAL ...

Page 172: ...Protocols and Standards 1 4 GVRP Configuration Task List 1 4 Configuring GVRP Functions 1 4 Configuring GARP Timers 1 5 Displaying and Maintaining GVRP 1 6 GVRP Configuration Examples 1 7 GVRP Configuration Example I 1 7 GVRP Configuration Example II 1 8 GVRP Configuration Example III 1 9 ...

Page 173: ...rt is regarded as a GARP participant GARP messages and timers 1 GARP messages A GARP application entity exchanges information with other GARP application entities by z Sending Join messages to register with other entities its attributes the attributes received from other GARP application entities and the attributes manually configured on it z Sending Leave messages to have its attributes deregiste...

Page 174: ...timer starts again z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z On a GARP enabled network a device may send LeaveAll messages at the interval set by its LeaveAll timer or the LeaveAll timer on another device on the network whichever is smaller This is because each time a device on the network receives a LeaveAll message it resets its LeaveAll timer Operating...

Page 175: ...ute Consists of an Attribute Length an Attribute Event and an Attribute Value Attribute Length Number of octets occupied by an attribute inclusive of the attribute length field 2 to 255 in bytes Attribute Event Event described by the attribute z 0 LeaveAll event z 1 JoinEmpty event z 2 JoinIn event z 3 LeaveEmpty event z 4 LeaveIn event z 5 Empty event Attribute Value Attribute value VLAN ID for G...

Page 176: ...ynamically register and deregister VLANs and to propagate VLAN information except information about VLAN 1 A trunk port with forbidden registration type thus allows only VLAN 1 to pass through even though it is configured to carry all VLANs Protocols and Standards GVRP is described in IEEE 802 1Q GVRP Configuration Task List Complete these tasks to configure GVRP Task Remarks Configuring GVRP Func...

Page 177: ... remote probe VLAN to unexpected ports resulting in undesired duplicates to be received by the monitor port For more information about port mirroring refer to Port Mirroring Configuration in the Access Volume z Enabling GVRP on a Layer 2 aggregate interface enables both the aggregate interface and all selected member ports in the corresponding link aggregation group to participate in dynamic VLAN ...

Page 178: ...or a timer you may change the value range by tuning the value of another related timer z If you want to restore the default settings of the timers restore the Hold timer first and then the Join Leave and LeaveAll timers Table 1 2 Dependencies of GARP timers Timer Lower limit Upper limit Hold 10 centiseconds No greater than half of the Join timer setting Join No less than two times the Hold timer s...

Page 179: ...onfiguration Examples GVRP Configuration Example I Network requirements Configure GVRP for dynamic VLAN information registration and update among devices adopting the normal registration mode on ports Figure 1 2 Network diagram for GVRP configuration Configuration procedure 1 Configure Device A Enable GVRP globally DeviceA system view DeviceA gvrp Configure port GigabitEthernet 1 0 1 as a trunk po...

Page 180: ...ic Now the following dynamic VLAN exist s 2 GVRP Configuration Example II Network requirements Configure GVRP for dynamic VLAN information registration and update among devices Specify fixed GVRP registration on Device A and normal GVRP registration on Device B Figure 1 3 Network diagram for GVRP configuration Configuration procedure 1 Configure Device A Enable GVRP globally DeviceA system view De...

Page 181: ... a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN information on Device A DeviceA display vlan dynamic No dynamic vlans exist Display dynamic VLAN information on Device B DeviceB display vlan dynamic Now the following dynamic VLAN exist s 2 GVRP Configuration Example III Network requirements To prevent dynamic VLAN information registration and update among devices set t...

Page 182: ...RP globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 1 0 1 as a trunk port allowing all VLANs to pass through DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 port trunk permit vlan all Enable GVRP on GigabitEthernet 1 0 1 DeviceB GigabitEthernet1 0 1 gvrp DeviceB GigabitEthernet1 0 1 quit Create VLAN 3 a ...

Page 183: ...the TPID in a VLAN Tag 1 3 Protocols and Standards 1 4 QinQ Configuration Task List 1 5 Configuring Basic QinQ 1 5 Enabling Basic QinQ 1 5 Configuring Selective QinQ 1 5 Configuring an Outer VLAN Tagging Policy 1 5 Configuring the TPID Value in VLAN Tags 1 6 QinQ Configuration Examples 1 6 Basic QinQ Configuration Example 1 6 Comprehensive Selective QinQ Configuration Example 1 9 ...

Page 184: ...rivate networks so that the Ethernet frames will travel across the service provider network public network with double VLAN tags QinQ enables a service provider to use a single SVLAN to serve customers who have multiple CVLANs Background and Benefits In the VLAN tag field defined in IEEE 802 1Q only 12 bits are used for VLAN IDs As a result a device can support a maximum of 4094 VLANs This is far ...

Page 185: ...he SVLAN allocated by the service provider for customer network A is SVLAN 3 and that for customer network B is SVLAN 4 When a tagged Ethernet frame of customer network A enters the service provider network it is tagged with outer VLAN 3 when a tagged Ethernet frame of customer network B enters the service provider network it is tagged with outer VLAN 4 In this way there is no overlap of VLAN IDs ...

Page 186: ...rt the port tags it with the port s default VLAN tag regardless of whether the frame is tagged or untagged If the received frame is already tagged it becomes a double tagged frame if it is untagged it becomes a frame tagged with the port s default VLAN tag 2 Selective QinQ Selective QinQ is a more flexible VLAN based implementation of QinQ In addition to all the functions of basic QinQ selective Q...

Page 187: ...r compatibility with these systems you can modify the TPID value so that the QinQ frames when sent to the public network carry the TPID value identical to the value of a particular vendor to allow interoperability with the devices of that vendor The TPID in an Ethernet frame has the same position with the protocol type field in a frame without a VLAN tag To avoid problems in packet forwarding and ...

Page 188: ...figuring Basic QinQ Enabling Basic QinQ Follow these steps to enable basic QinQ To do Use the command Remarks Enter system view system view Enter Ethernet or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command Enable QinQ on the port s qinq enable Requi...

Page 189: ... must delete the old outer VLAN tag configuration and configure a new outer VLAN tag Configuring the TPID Value in VLAN Tags You can configure the TPID value in VLAN tags in system view where the configuration takes effect on all ports of the device Follow these steps to configure a TPID value globally To do Use the command Remarks Enter system view system view Configure the TPID value in the CVLA...

Page 190: ...figured to allow QinQ packets to pass through 1 Configuration on Provider A z Configure GigabitEthernet 1 0 1 Configure VLAN 10 as the default VLAN of GigabitEthernet 1 0 1 ProviderA system view ProviderA interface gigabitethernet 1 0 1 ProviderA GigabitEthernet1 0 1 port access vlan 10 Enable basic QinQ on GigabitEthernet 1 0 1 ProviderA GigabitEthernet1 0 1 qinq enable ProviderA GigabitEthernet1...

Page 191: ...gure GigabitEthernet 1 0 2 Configure GigabitEthernet 1 0 2 as a hybrid port and configure VLAN 10 as the default VLAN of the port ProviderB interface gigabitethernet 1 0 2 ProviderB GigabitEthernet1 0 2 port link type hybrid ProviderB GigabitEthernet1 0 2 port hybrid pvid vlan 10 ProviderB GigabitEthernet1 0 2 port hybrid vlan 10 untagged Enable basic QinQ on GigabitEthernet 1 0 2 ProviderB Gigabi...

Page 192: ...r across SVLAN 2000 Figure 1 5 Network diagram for comprehensive selective QinQ configuration GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 Customer A VLAN 10 20 Customer C VLAN 20 Provider B Provider A VLAN 1000 2000 TPID 0x8200 Public network Customer B VLAN 10 Configuration procedure Make sure that the devices in the service provider network have been configured to allow QinQ packets to pass through ...

Page 193: ...bitEthernet1 0 2 quit z Configure GigabitEthernet 1 0 3 Configure GigabitEthernet 1 0 3 as a trunk port to permit frames of VLAN 1000 and VLAN 2000 to pass through ProviderA interface gigabitethernet 1 0 3 ProviderA GigabitEthernet1 0 3 port link type trunk Sysname GigabitEthernet1 0 3 port trunk permit vlan 1000 2000 Set the TPID value in the outer tag to 0x8200 ProviderA GigabitEthernet1 0 3 qui...

Page 194: ...rA GigabitEthernet1 0 3 quit ProviderA qinq ethernet type 8200 3 Configuration on third party devices Configure the third party devices between Provider A and Provider B as follows configure the port connecting GigabitEthernet 1 0 3 of Provider A and that connecting GigabitEthernet 1 0 1 of Provider B to allow tagged frames of VLAN 1000 and VLAN 2000 to pass through ...

Page 195: ...eling Implementation 1 2 Configuring BPDU Tunneling 1 4 Configuration Prerequisites 1 4 Enabling BPDU Tunneling 1 4 Configuring Destination Multicast MAC Address for BPDUs 1 5 BPDU Tunneling Configuration Examples 1 5 BPDU Tunneling for STP Configuration Example 1 5 BPDU Tunneling for PVST Configuration Example 1 6 ...

Page 196: ...n Layer 2 networks As a result very often a customer network is broken down into parts located at different sides of the service provider network As shown in Figure 1 1 User A has two devices CE 1 and CE 2 both of which belong to VLAN 100 User A s network is divided into network 1 and network 2 which are connected by the service provider network When Layer 2 protocol packets cannot be transparentl...

Page 197: ...P z Per VLAN Spanning Tree PVST z Spanning tree protocol STP z Uni directional Link Direction UDLD z VLAN Trunking Protocol VTP BPDU Tunneling Implementation The BPDU tunneling implementations for different protocols are all similar This section describes how BPDU tunneling is implemented by taking the Spanning Tree Protocol STP as an example z The term STP in this document is in a broad sense It ...

Page 198: ...he edge devices PE 1 and PE 2 in the service provider network allows BPDUs of the customer network to be transparently transmitted in the service provider network thus ensuring consistent spanning tree calculation of User A network without affecting the spanning tree calculation of the service provider network Assume a BPDU is sent from User A network 1 to User A network 2 z At the ingress of the ...

Page 199: ...col before enabling BPDU tunneling for PVST on a port you must also disable STP and then enable BPDU tunneling for STP on the port first z Before enabling BPDU tunneling for LACP on a member port of a link aggregation group remove the port from the link aggregation group first Enabling BPDU tunneling for a protocol in Ethernet interface view or port group view Follow these steps to enable BPDU tun...

Page 200: ...nel dmac mac address Optional 0x010F E200 0003 by default For BPDUs to be recognized the destination multicast MAC addresses configured for BPDU tunneling must be the same on the edge devices on the service provider network BPDU Tunneling Configuration Examples BPDU Tunneling for STP Configuration Example Network requirements As shown in Figure 1 3 z CE 1 and CE 2 are edges devices on the geograph...

Page 201: ...et1 0 1 bpdu tunnel dot1q stp 2 Configuration on PE 2 Configure the destination multicast MAC address for BPDUs as 0x0100 0CCD CDD0 PE2 system view PE2 bpdu tunnel tunnel dmac 0100 0ccd cdd0 Create VLAN 2 and assign GigabitEthernet1 0 2 to VLAN 2 PE2 vlan 2 PE2 vlan2 quit PE2 interface gigabitethernet 1 0 2 PE2 GigabitEthernet1 0 2 port access vlan 2 Disable STP on GigabitEthernet1 0 2 and then en...

Page 202: ...sign it to all VLANs PE1 interface gigabitethernet 1 0 1 PE1 GigabitEthernet1 0 1 port link type trunk PE1 GigabitEthernet1 0 1 port trunk permit vlan all Disable STP on GigabitEthernet1 0 1 and then enable BPDU tunneling for STP and PVST on it PE1 GigabitEthernet1 0 1 undo stp enable PE1 GigabitEthernet1 0 1 bpdu tunnel dot1q stp PE1 GigabitEthernet1 0 1 bpdu tunnel dot1q pvst 2 Configuration on ...

Page 203: ... on the Destination Device 1 6 Displaying and Maintaining Port Mirroring 1 7 Port Mirroring Configuration Examples 1 7 Local Port Mirroring Configuration Example 1 7 Remote Port Mirroring Configuration Example 1 8 2 Traffic Mirroring Configuration 2 1 Traffic Mirroring Overview 2 1 Configuring Traffic Mirroring 2 1 Mirroring Traffic to an Interface 2 1 Mirroring Traffic to the CPU 2 2 Applying a Q...

Page 204: ...he mirroring port or ports and the monitor port can be located on the same device or different devices Currently remote port mirroring can be implemented only at Layer 2 As a monitor port can monitor multiple ports it may receive multiple duplicates of a packet in some cases Suppose that port P 1 is monitoring bidirectional traffic on ports P 2 and P 3 on the same device If a packet travels from P...

Page 205: ...ource device is the device where the mirroring ports are located On it you must create a remote source mirroring group to hold the mirroring ports The source device copies the packets passing through the mirroring ports broadcasts the packets in the remote probe VLAN for remote mirroring and transmits the packets to the next device which could be an intermediate device if any or the destination de...

Page 206: ...ring local port mirroring is to configure local mirroring groups A local mirroring group comprises one or multiple mirroring ports and one monitor port These ports must not have been assigned to any other mirroring group Follow these steps to configure a local mirroring group To do Use the command Remarks Enter system view system view Create a local mirroring group mirroring group groupid local Re...

Page 207: ...is enabled GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates For information on GVRP refer to GVRP Configuration in the Access Volume Configuration Prerequisites Create a static VLAN for the probe VLAN on the source and destination device To ensure correct packet handling ensure that the VLANs you created on the two devices use the same ID and function o...

Page 208: ...itor egress monitor egress port id interface interface type interface number mirroring group groupid monitor egress Configure the egress port In interface view quit Required Use either approach Configure the probe VLAN mirroring group groupid remote probe vlan rprobe vlan id Required When configuring the mirroring ports note that z The mirroring ports and the egress port must be located on the sam...

Page 209: ...id remote destination Required Configure the remote probe VLAN mirroring group groupid remote probe vlan rprobe vlan id Required In system view mirroring group groupid monitor port monitor port id interface interface type interface number mirroring group groupid monitor port Configure the monitor port In interface view quit Required Use either approach Enter the interface view of the monitor port ...

Page 210: ...guration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Ethernet switches z Research and Development R D department is connected to Switch C through GigabitEthernet 1 0 1 z Marketing department is connected to Switch C through GigabitEthernet 1 0 2 z Data monitoring device is connected to Switch C through GigabitE...

Page 211: ...l the port mirroring groups SwitchC display mirroring group all mirroring group 1 type local status active mirroring port GigabitEthernet1 0 1 both GigabitEthernet1 0 2 both monitor port GigabitEthernet1 0 3 After finishing the configuration you can monitor all the packets received and sent by R D department and Marketing department on the Data monitoring device Remote Port Mirroring Configuration...

Page 212: ...ination mirroring group on Switch C Configure VLAN 2 as the remote port mirroring VLAN and port GigabitEthernet 1 0 2 to which the data monitoring device is connected as the destination port Figure 1 4 Network diagram for remote port mirroring configuration Configuration procedure 1 Configure Switch A the source device Create a remote source port mirroring group SwitchA system view SwitchA mirrori...

Page 213: ... port GigabitEthernet 1 0 1 as a trunk port and configure the port to permit the packets of VLAN 2 SwitchC system view SwitchC interface GigabitEthernet 1 0 1 SwitchC GigabitEthernet1 0 1 port link type trunk SwitchC GigabitEthernet1 0 1 port trunk permit vlan 2 SwitchC GigabitEthernet1 0 1 quit Create a remote destination port mirroring group SwitchC mirroring group 1 remote destination Create VL...

Page 214: ...ing traffic to the CPU copies the matching packets on an interface to a CPU the CPU of the device where the traffic mirroring enabled interface resides Configuring Traffic Mirroring To configure traffic mirroring you must enter the view of an existing traffic behavior In a traffic behavior the action of mirroring traffic to an interface and the action of mirroring traffic to a CPU is mutually excl...

Page 215: ...affic to the CPU Follow these steps to mirror traffic to the CPU To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Required By default no traffic class exists Configure the match criteria if match match criteria Required By default no match criterion is configured in a traffic class Exit class view quit Creat...

Page 216: ...rface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Apply a policy to the interface or all ports in the port group qos apply policy policy name inbound Required For...

Page 217: ...Displaying and Maintaining Traffic Mirroring To do Use the command Remarks Display traffic behavior configuration information display traffic behavior user defined behavior name Available in any view Display QoS policy configuration information display qos policy user defined policy name classifier tcl name Available in any view Traffic Mirroring Configuration Examples Example for Mirroring Traffi...

Page 218: ...cl 2000 Sysname classifier 1 quit Create behavior 1 and configure the action of mirroring traffic to GigabitEthernet1 0 2 in the traffic behavior Sysname traffic behavior 1 Sysname behavior 1 mirror to interface GigabitEthernet 1 0 2 Sysname behavior 1 quit Create QoS policy 1 and associate traffic behavior 1 with class 1 in the QoS policy Sysname qos policy 1 Sysname policy 1 classifier 1 behavio...

Page 219: ... on a client server model in which the client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client This document describes z DHCP relay agent configuration z DHCP Client configuration z DHCP Snooping configuration z BOOTP Client configuration DNS Used in the TCP IP application Domain Name System DNS is a distributed ...

Page 220: ...asic IPv6 functions configuration z IPv6 NDP configuration z PMTU discovery configuration z IPv6 TCP properties configuration z ICMPv6 packet sending configuration z IPv6 DNS Client configuration Dual Stack A network node that supports both IPv4 and IPv6 is called a dual stack node A dual stack node configured with an IPv4 address and an IPv6 address can have both IPv4 and IPv6 packets transmitted...

Page 221: ... Addressing Overview 1 1 IP Address Classes 1 1 Special IP Addresses 1 2 Subnetting and Masking 1 2 Configuring IP Addresses 1 3 Assigning an IP Address to an Interface 1 3 IP Addressing Configuration Example 1 4 Displaying and Maintaining IP Addressing 1 5 ...

Page 222: ...example is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z Net ID The first several bits of the IP address defining a network also known as class bits z Host id Identifies a host o...

Page 223: ...tes the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For example a packet with the destination address of 192 168 1 255 will be broadcasted to all the hosts on the network 192 168 1 0 Subnetting and Masking Subnetting was developed to address the risk of IP addr...

Page 224: ... IP address to the VLAN interface you may configure the VLAN interface to obtain one through BOOTP or DHCP as alternatives If you change the way an interface obtains an IP address from manual assignment to BOOTP for example the IP address obtained from BOOTP will overwrite the old one manually assigned This chapter only covers how to assign an IP address manually For the other two approaches refer...

Page 225: ...sts on the two network segments to communicate with the external network through the switch and the hosts on the LAN can communicate with each other do the following z Assign two IP addresses to VLAN interface 1 on the switch z Set the switch as the gateway on all PCs in the two networks Figure 1 3 Network diagram for IP addressing configuration Configuration procedure Assign a primary IP address ...

Page 226: ...tes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 4 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 5 ttl 255 time 26 ms 172 16 2 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 25 25 26 ...

Page 227: ...1 5 Configuring ARP Quick Notify 1 5 ARP Configuration Example 1 6 Configuring Gratuitous ARP 1 7 Introduction to Gratuitous ARP 1 7 Configuring Gratuitous ARP 1 7 Displaying and Maintaining ARP 1 7 2 Proxy ARP Configuration 2 1 Proxy ARP Overview 2 1 Proxy ARP 2 1 Local Proxy ARP 2 2 Enabling Proxy ARP 2 2 Displaying and Maintaining Proxy ARP 2 3 Proxy ARP Configuration Examples 2 3 Proxy ARP Con...

Page 228: ...e Address Resolution Protocol ARP is used to resolve an IP address into an Ethernet MAC address or physical address In a LAN when a host or other network device is to send data to another host or device the sending host or device must know the network layer address that is the IP address of the destination host or device Because IP datagrams must be encapsulated within Ethernet frames before they ...

Page 229: ... Target protocol address This field specifies the protocol address of the device the message is being sent to ARP Address Resolution Process Suppose that Host A and Host B are on the same subnet and Host A sends a packet to Host B as shown in Figure 1 2 The resolution process is as follows 1 Host A looks into its ARP table to see whether there is an ARP entry for Host B If yes Host A uses the MAC ...

Page 230: ...created and maintained by ARP It can get aged be updated by a new ARP packet or be overwritten by a static ARP entry When the aging timer expires or the interface goes down the corresponding dynamic ARP entry will be removed Static ARP entry A static ARP entry is manually configured and maintained It cannot get aged or be overwritten by a dynamic ARP entry Using static ARP entries enhances communi...

Page 231: ...d if non permanent and resolved will become unresolved Follow these steps to configure a static ARP entry To do Use the command Remarks Enter system view system view Configure a permanent static ARP entry arp static ip address mac address vlan id interface type interface number Required No permanent static ARP entry is configured by default Configure a non permanent static ARP entry arp static ip ...

Page 232: ...l 20 minutes by default Enabling the ARP Entry Check The ARP entry check function disables the device from learning multicast MAC addresses With the ARP entry check enabled the device cannot learn any ARP entry with a multicast MAC address and configuring such a static ARP entry is not allowed otherwise the system displays error messages After the ARP entry check is disabled the device can learn t...

Page 233: ...sabled by default You are recommended to enable ARP quick notify in WLANs only ARP Configuration Example Network requirements z Enable the ARP entry check z Set the aging time for dynamic ARP entries to 10 minutes z Set the maximum number of dynamic ARP entries that VLAN interface 10 can learn to 1 000 z Add a static ARP entry with the IP address being 192 168 1 1 24 the MAC address being 000f e20...

Page 234: ...ies A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet in the cache Configuring Gratuitous ARP Follow these steps to configure gratuitous ARP To do Use the command Remarks Enter system view system view Enable the device to send gratuitous ARP packets when receiving ARP requests...

Page 235: ...rks Clear ARP entries from the ARP table For distributed devices reset arp all dynamic static interface interface type interface number Available in user view Clearing ARP entries from the ARP table may cause communication failures ...

Page 236: ...work Proxy ARP involves common proxy ARP and local proxy ARP which are described in the following sections The term proxy ARP in the following sections of this chapter refers to common proxy ARP unless otherwise specified Proxy ARP A proxy ARP enabled device allows hosts that reside on different subnets to communicate As shown in Figure 2 1 Switch connects to two subnets through VLAN interface 1 a...

Page 237: ...en the two hosts Figure 2 2 Application environment of local proxy ARP VLAN 2 Vlan int2 192 168 10 100 16 Switch B GE1 0 3 GE1 0 1 GE1 0 2 Host A 192 168 10 99 16 Host B 192 168 10 200 16 VLAN 2 port isolate group Switch A In one of the following cases you need to enable local proxy ARP z Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3 z If an i...

Page 238: ...w Proxy ARP Configuration Examples Proxy ARP Configuration Example Network requirements Host A and Host D have the same IP prefix and mask Host A belongs to VLAN 1 Host D belongs to VLAN 2 Configure proxy ARP on the switch to enable the communication between the two hosts Figure 2 3 Network diagram for proxy ARP Configuration procedure Configure Proxy ARP on Switch to enable the communication betw...

Page 239: ...nd Host B Figure 2 4 Network diagram for local proxy ARP between isolated ports Switch A Switch B GE1 0 2 GE1 0 3 GE1 0 1 Host A 192 168 10 99 24 Host B 192 168 10 200 24 GE1 0 2 VLAN 2 Vlan int2 192 168 10 100 24 Configuration procedure 1 Configure Switch B Add GigabitEthernet 1 0 3 GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to VLAN 2 Host A and Host B are isolated and unable to exchange Lay...

Page 240: ...user vlan which includes uplink port GigabitEthernet 1 0 1 and two secondary VLANs VLAN 2 and VLAN 3 GigabitEthernet 1 0 2 belongs to VLAN 2 and GigabitEthernet 1 0 3 belongs to VLAN 3 z Configure local proxy ARP on Switch A to implement Layer 3 communication between VLAN 2 and VLAN 3 Figure 2 5 Network diagram for local proxy ARP configuration in isolate user vlan Switch A Switch B Host A 192 168...

Page 241: ...dd GigabitEthernet 1 0 1 to it SwitchA system view SwitchA vlan 5 SwitchA vlan5 port gigabitethernet 1 0 1 SwitchA vlan5 interface vlan interface 5 SwitchA Vlan interface5 ip address 192 168 10 100 255 255 0 0 The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2 Configure local proxy ARP to implement communication between VLAN 2 and VLAN 3 SwitchA Vlan inte...

Page 242: ...e 2 4 Configuring the DHCP Relay Agent Security Functions 2 5 Configuring the DHCP Relay Agent to Send a DHCP Release Request 2 7 Configuring the DHCP Relay Agent to Support Option 82 2 7 Displaying and Maintaining DHCP Relay Agent Configuration 2 9 DHCP Relay Agent Configuration Examples 2 9 DHCP Relay Agent Configuration Example 2 9 DHCP Relay Agent Option 82 Support Configuration Example 2 10 T...

Page 243: ... 4 7 DHCP Snooping Option 82 Support Configuration Example 4 8 5 BOOTP Client Configuration 5 1 Introduction to BOOTP Client 5 1 BOOTP Application 5 1 Obtaining an IP Address Dynamically 5 2 Protocols and Standards 5 2 Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP 5 2 Displaying and Maintaining BOOTP Client Configuration 5 3 BOOTP Client Configuration Example 5 3 ...

Page 244: ...omplexity of networks result in scarce IP addresses assignable to hosts Meanwhile as many people need to take their laptops across networks the IP addresses need to be changed accordingly Therefore related configurations on hosts become more complex The Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which a client sends a c...

Page 245: ... Dynamic IP address allocation process As shown in Figure 1 2 a DHCP client obtains an IP address from a DHCP server via four steps 1 The client broadcasts a DHCP DISCOVER message to locate a DHCP server 2 A DHCP server offers configuration parameters including an IP address to the client in a DHCP OFFER message The sending mode of the DHCP OFFER message is determined by the flag field in the DHCP...

Page 246: ...cast to extend the lease duration Upon availability of the IP address the DHCP server returns a DHCP ACK unicast confirming that the client s lease duration has been extended or a DHCP NAK unicast denying the request If the client receives no reply it broadcasts another DHCP REQUEST message for lease extension after 7 8 lease duration elapses The DHCP server handles the request as above mentioned ...

Page 247: ...ormat as the Bootstrap Protocol BOOTP message for compatibility but differs from it in the option field which identifies new features for DHCP DHCP uses the option field in DHCP messages to carry control information and network configuration parameters implementing dynamic address allocation and providing more network configuration information for clients Figure 1 4 shows the DHCP option format Fi...

Page 248: ...iguration Server ACS parameters including the ACS URL username and password z Service provider identifier acquired by the customer premises equipment CPE from the DHCP server and sent to the ACS for selecting vender specific configurations and parameters z Preboot Execution Environment PXE server address for further obtaining the bootfile or other control information from the PXE server 1 Format o...

Page 249: ...ate the DHCP client to further implement security control and accounting The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients Option 82 involves at most 255 sub options At least one sub option is defined Currently the DHCP relay agent supports two sub options sub option 1 Circuit ID and sub option ...

Page 250: ... interface that received the client s request Its format is shown in Figure 1 10 Figure 1 10 Sub option 1 in verbose padding format In Figure 1 10 except that the VLAN ID field has a fixed length of 2 bytes all the other padding contents of sub option 1 are length variable z Sub option 2 Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device th...

Page 251: ...or not z Sub option 4 Failover route that specifies the destination IP address and the called number SIP users use such IP addresses and numbers to communicate with each other that a SIP user uses to reach another SIP user when both the primary and backup calling processors are unreachable You must define the sub option 1 to make other sub options effective Protocols and Standards z RFC 2131 Dynam...

Page 252: ...pported only on VLAN interfaces Introduction to DHCP Relay Agent Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same subnet Therefore a DHCP server must be available on each subnet which is not practical DHCP relay agent solves the problem Via a relay agent DHCP clients communicate with a DHCP server on another subn...

Page 253: ...IP address and forwards the message to the designated DHCP server in unicast mode 2 Based on the giaddr field the DHCP server returns an IP address and other configuration parameters to the relay agent which conveys them to the client DHCP Relay Agent Support for Option 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implemen...

Page 254: ...e Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent Task Remarks Enabling DHCP Required Enabling the DHCP Relay Agent on an Interface Required Cor...

Page 255: ... an IP address via the DHCP relay agent the address pool of the subnet to which the IP address of the DHCP relay agent belongs must be configured on the DHCP server Otherwise the DHCP client cannot obtain a correct IP address Correlating a DHCP Server Group with a Relay Agent Interface To improve reliability you can specify several DHCP servers as a group on the DHCP relay agent and correlate a re...

Page 256: ...dance of invalid IP address configuration you can configure the DHCP relay agent to check whether a requesting client s IP and MAC addresses match a binding dynamic or static on the DHCP relay agent With this feature enabled the DHCP relay agent can dynamically record clients IP to MAC bindings after clients get IP addresses It also supports static bindings that is you can manually configure IP to...

Page 257: ...ly send a DHCP REQUEST message to the DHCP server z If the server returns a DHCP ACK message or does not return any message within a specified interval which means the IP address is assignable now the DHCP relay agent will update its bindings by aging out the binding entry of the IP address z If the server returns a DHCP NAK message which means the IP address is still in use the relay agent will n...

Page 258: ... After you configure this task the DHCP relay agent actively sends a DHCP RELEASE request that contains the client s IP address to be released Upon receiving the DHCP RELEASE request the DHCP server then releases the IP address for the client meanwhile the client s IP to MAC binding entry is removed from the DHCP relay agent Follow these steps to configure the DHCP relay agent in system view to se...

Page 259: ...non user defined Option 82 Configure the code type for the remote ID sub option dhcp relay information remote id format type ascii hex Optional By default the code type is hex This code type configuration applies to non user defined Option 82 only Configure the padding content for the circuit ID sub option dhcp relay information circuit id string circuit id Optional By default the padding content ...

Page 260: ...dings display dhcp relay security tracker Display information about the configuration of a specified or all DHCP server groups display dhcp relay server group group id all Display packet statistics on relay agent display dhcp relay statistics server group group id all Available in any view Clear packet statistics from relay agent reset dhcp relay statistics server group group id Available in user ...

Page 261: ... requirements z As shown in Figure 2 3 Enable Option 82 on the DHCP relay agent Switch A z Configure the handling strategy for DHCP requests containing Option 82 as replace z Configure the padding content for the circuit ID sub option as company001 and for the remote ID sub option as device001 z Switch A forwards DHCP requests to the DHCP server after replacing Option 82 in the requests so that th...

Page 262: ...g DHCP Relay Agent Configuration Symptom DHCP clients cannot obtain any configuration parameters via the DHCP relay agent Analysis Some problems may occur with the DHCP relay agent or server configuration Enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information for locating the problem Solution Check that z The addre...

Page 263: ...t recommended to enable both the DHCP client and the DHCP snooping on the same device Otherwise DHCP snooping entries may fail to be generated or the DHCP client may fail to obtain an IP address Introduction to DHCP Client With the DHCP client enabled on an interface the interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP server Enabling the DHCP Client o...

Page 264: ...e UP again by first executing the shutdown command and then the undo shutdown command or the DHCP client is enabled on the interface by executing the undo ip address dhcp alloc and ip address dhcp alloc commands in sequence Displaying and Maintaining the DHCP Client To do Use the command Remarks Display specified configuration information display dhcp client verbose interface interface type interf...

Page 265: ...3 3 SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address dhcp alloc ...

Page 266: ...he following 1 Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers 2 Recording IP to MAC mappings of DHCP clients Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers If there is an unauthorized DHCP server on a network the DHCP clients may obtain invalid IP addresses and network configuration parameters and cannot normally communicate with other network ...

Page 267: ...ing through For details refer to IP Source Guard Configuration in the Security Volume Application Environment of Trusted Ports Configuring a trusted port connected to a DHCP server Figure 4 1 Configure trusted and untrusted ports Trusted DHCP server DHCP snooping Untrusted Untrusted Unauthorized DHCP server DHCP client DHCP reply messages As shown in Figure 4 1 a DHCP snooping device s port that i...

Page 268: ... Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agent option Option 82 If DHCP snooping supports Option 82 it will handle a client s request according to the contents defined in Option 82 if any The handling strategies are described in the table below...

Page 269: ...d the message after adding the Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 The handling strategy and padding format for Option 82 on the DHCP snooping device are the same as those on the relay agent Configuring DHCP Snooping Basic Functions Fol...

Page 270: ...ted Layer 2 Ethernet interface to an aggregation group z Configuring both the DHCP snooping and QinQ function on the switch is not recommended because it may result in malfunctioning of DHCP snooping Configuring DHCP Snooping to Support Option 82 Prerequisites You need to enable the DHCP snooping function before configuring DHCP snooping to support Option 82 Configuring DHCP Snooping to Support Op...

Page 271: ...nooping information vlan vlan id circuit id string circuit id Optional By default the padding content depends on the padding format of Option 82 Configure user defined Option 82 Configure the padding content for the remote ID sub option dhcp snooping information vlan vlan id remote id string remote id sysname Optional By default the padding content depends on the padding format of Option 82 z You ...

Page 272: ...acket statistics Available in user view DHCP Snooping Configuration Examples DHCP Snooping Configuration Example Network requirements z As shown in Figure 4 3 Switch B is connected to a DHCP server through GigabitEthernet 1 0 1 and to two DHCP clients through GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 z GigabitEthernet 1 0 1 forwards DHCP server responses while the other two do not z Switch B...

Page 273: ...hernet 1 0 1 as trusted SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust SwitchB GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0 2 to support Option 82 SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 dhcp snooping information enable SwitchB GigabitEthernet1 0 2 dhcp snooping information strategy replace SwitchB GigabitEthernet1 0...

Page 274: ... Introduction to BOOTP Client This section covers these topics z BOOTP Application z Obtaining an IP Address Dynamically z Protocols and Standards BOOTP Application After you specify an interface of a device as a BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to confi...

Page 275: ... the BOOTP client The BOOTP server then returns a BOOTP response to the BOOTP client 3 The BOOTP client obtains the IP address from the received response Protocols and Standards Some protocols and standards related to BOOTP include z RFC 951 Bootstrap Protocol BOOTP z RFC 2132 DHCP Options and BOOTP Vendor Extensions z RFC 1542 Clarifications and Extensions for the Bootstrap Protocol Configuring a...

Page 276: ...o the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP Figure 5 1 Network diagram for BOOTP WINS server 10 1 1 4 25 Client Switch B Client DNS server 10 1 1 2 25 DHCP server Vlan int1 10 1 1 1 25 Vlan int1 Gateway A 10 1 1 126 25 Configuration procedure The following describes only the configuration on Switch B serving as a client Configure VLAN interface 1 to dynamic...

Page 277: ...Configuring Static Domain Name Resolution 1 4 Configuring Dynamic Domain Name Resolution 1 4 Configuring the DNS Proxy 1 5 Displaying and Maintaining DNS 1 5 DNS Configuration Examples 1 5 Static Domain Name Resolution Configuration Example 1 5 Dynamic Domain Name Resolution Configuration Example 1 6 DNS Proxy Configuration Example 1 9 Troubleshooting DNS Configuration 1 10 ...

Page 278: ... checks the local static name resolution table for an IP address If no IP address is available it contacts the DNS server for dynamic name resolution which takes more time than static name resolution Therefore some frequently queried name to IP address mappings are stored in the local static name resolution table to improve efficiency Static Domain Name Resolution The static domain name resolution...

Page 279: ...is valid and the DNS client gets the aging information from DNS messages DNS suffixes The DNS client normally holds a list of suffixes which can be defined by users It is used when the name to be resolved is incomplete The resolver can supply the missing part For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the IP address of aabbcc com The...

Page 280: ...ation on the DNS proxy instead of on each DNS client Figure 1 2 DNS proxy networking application Operation of a DNS proxy 1 A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy that is the destination address of the request is the IP address of the DNS proxy 2 The DNS proxy searches the local static domain name resolution table and dynamic domain name res...

Page 281: ...ous one if there is any You may create up to 50 static mappings between domain names and IP addresses Configuring Dynamic Domain Name Resolution Follow these steps to configure dynamic domain name resolution To do Use the command Remarks Enter system view system view Enable dynamic domain name resolution dns resolve Required Disabled by default Specify a DNS server dns server ip address Required N...

Page 282: ...lable in any view Clear the information of the dynamic domain name cache reset dns dynamic host Available in user view DNS Configuration Examples Static Domain Name Resolution Configuration Example Network requirements Switch uses the static domain name resolution to access Host with IP address 10 1 1 2 through domain name host com Figure 1 3 Network diagram for static domain name resolution Confi...

Page 283: ...x is com The mapping between domain name Host and IP address 3 1 1 1 16 is stored in the com domain z Switch serves as a DNS client and uses the dynamic domain name resolution and the suffix to access the host with the domain name host com and the IP address 3 1 1 1 16 Figure 1 4 Network diagram for dynamic domain name resolution Configuration procedure z Before performing the following configurat...

Page 284: ...ructions to create a new zone named com Figure 1 5 Create a zone Create a mapping between the host name and IP address Figure 1 6 Add a host In Figure 1 6 right click zone com and then select New Host to bring up a dialog box as shown in Figure 1 7 Enter host name host and IP address 3 1 1 1 ...

Page 285: ...ost is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press CTRL_C to break Reply from 3 1 1 1 bytes 56 Sequence 1 ttl 126 time 3 ms Reply from 3 1 1 1 bytes 56 Sequence 2 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 3 ttl 126 time 1 ms Reply from ...

Page 286: ...er and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 1 8 1 Configure the DNS server This configuration may vary with different DNS servers When a Windows server 2000 acts as the DNS server refer to Dynamic Domain Name Resolution Configuration Example for related configuration information 2 Configure the DNS proxy Specify the DNS serve...

Page 287: ...4 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 5 ttl 126 time 1 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 1 3 ms Troubleshooting DNS Configuration Symptom After enabling the dynamic domain name resolution the user cannot get the correct IP address Solution z Use the display dns dynamic host command to verify that the ...

Page 288: ...a Directly Connected Network 1 1 Enabling Reception of Directed Broadcasts to a Directly Connected Network 1 1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1 2 Configuration Example 1 2 Configuring TCP Optional Parameters 1 3 Configuring ICMP to Send Error Packets 1 4 Displaying and Maintaining IP Performance Optimization 1 6 ...

Page 289: ...specific network In the destination IP address of a directed broadcast the network ID is a network ID identifies the target network and the host ID is all one If a device is allowed to forward directed broadcasts to a directly connected network hackers may mount attacks to the network Therefore the device is disabled from receiving and forwarding directed broadcasts to a directly connected network...

Page 290: ...mand executed last time does not include the acl acl number the ACL configured previously will be removed Configuration Example Network requirements As shown in Figure 1 1 the host s interface and VLAN interface 3 of Switch A are on the same network segment 1 1 1 0 24 VLAN interface 2 of Switch A and VLAN interface 2 of Switch B are on another network segment 2 2 2 0 24 The default gateway of the ...

Page 291: ... configured include z synwait timer When sending a SYN packet TCP starts the synwait timer If no response packet is received within the synwait timer interval the TCP connection cannot be created z finwait timer When a TCP connection is changed into FIN_WAIT_2 state the finwait timer is started If no FIN packets is received within the timer interval the TCP connection will be terminated If a FIN p...

Page 292: ...to find out the best route 2 Sending ICMP timeout packets If the device received an IP packet with a timeout error it drops the packet and sends an ICMP timeout packet to the source The device will send an ICMP timeout packet under the following conditions z If the device finds the destination of a packet is not itself and the TTL field of the packet is 1 it will send a TTL timeout ICMP error mess...

Page 293: ... it to send ICMP error packets its performance will be reduced z As the redirection function increases the routing table size of a host the host s performance will be reduced if its routing table becomes very large z If a host sends malicious ICMP destination unreachable packets end users may be affected To prevent such problems you can disable the device from sending ICMP error packets Follow the...

Page 294: ... Display socket information display ip socket socktype sock type task id socket id Display FIB information display fib begin include exclude regular expression acl acl number ip prefix ip prefix name Display FIB information matching the specified destination IP address display fib ip address mask mask length Available in any view Clear statistics of IP packets reset ip statistics Available in user...

Page 295: ...ontents 1 UDP Helper Configuration 1 1 Introduction to UDP Helper 1 1 Configuring UDP Helper 1 1 Displaying and Maintaining UDP Helper 1 2 UDP Helper Configuration Examples 1 2 UDP Helper Configuration Example 1 2 ...

Page 296: ... relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet z If the destination port number of the packet matches the one pre configured on the device the device modifies the destinati...

Page 297: ...tion of all UDP ports is removed if you disable UDP Helper z You can configure up to 256 UDP port numbers to enable the forwarding of packets with these UDP port numbers z You can configure up to 20 destination servers on an interface Displaying and Maintaining UDP Helper To do Use the command Remarks Displays the information of forwarded UDP packets display udp helper server interface interface t...

Page 298: ... 0 16 is available Enable UDP Helper SwitchA system view SwitchA udp helper enable Enable the forwarding broadcast packets with the UDP destination port 55 SwitchA udp helper port 55 Specify the destination server 10 2 1 1 on VLAN interface 1 SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 110 1 1 16 SwitchA Vlan interface1 udp helper server 10 2 1 1 ...

Page 299: ... to RA Messages 1 12 Configuring the Maximum Number of Attempts to Send an NS Message for DAD 1 15 Configuring PMTU Discovery 1 15 Configuring a Static PMTU for a Specified IPv6 Address 1 15 Configuring the Aging Time for Dynamic PMTUs 1 15 Configuring IPv6 TCP Properties 1 16 Configuring ICMPv6 Packet Sending 1 16 Configuring the Maximum ICMPv6 Error Packets Sent in an Interval 1 16 Enable Sendin...

Page 300: ...ew Internet Protocol Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits This section covers the following z IPv6 Features z Introduction to IPv6 Address z Introduction to IP...

Page 301: ...tateful and stateless address configuration z Stateful address configuration means that a host acquires an IPv6 address and related information from a server for example a DHCP server z Stateless address configuration means that a host automatically generates an IPv6 address and related information on the basis of its own link layer address and the prefix information advertised by a router In addi...

Page 302: ...can be represented in a shorter format as 2001 0 130F 0 0 9C0 876A 130B z If an IPv6 address contains two or more consecutive groups of zeros they can be replaced by a double colon For example the above mentioned address can be represented in the shortest format as 2001 0 130F 9C0 876A 130B A double colon can be used only once in an IPv6 address Otherwise the device is unable to determine how many...

Page 303: ...addresses including aggregatable global unicast address link local address and site local address z The aggregatable global unicast addresses equivalent to public IPv4 addresses are provided for network service providers This type of address allows efficient prefix aggregation to restrict the number of global routing entries z The link local addresses are used for communication between link local ...

Page 304: ...0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 unicast or anycast address Interface identifier in IEEE EUI 64 format An interface identifier is used to identify a unique interface on a link and is 64 bits long An interface identifier in IEEE EUI 64 format is derived from the link layer address MAC of an interface A MAC address is 48 bits long and theref...

Page 305: ...sed to respond to an RS message Router advertisement RA message 134 With the RA message suppression disabled the router regularly sends an RA message containing information such as prefix information options and flag bits Redirect message 137 When a certain condition is satisfied the default gateway sends a redirect message to the source host so that the host can reselect a correct next hop router...

Page 306: ...ion The DAD procedure is as follows 1 Node A sends an NS message whose source address is the unassigned address and destination address is the corresponding solicited node multicast address of the IPv6 address to be detected The NS message contains the IPv6 address 2 If node B uses this IPv6 address node B returns an NA message The NA message contains the IPv6 address of node B 3 Node A learns tha...

Page 307: ...the source host so that the host can select a better next hop to forward packets similar to the ICMP redirection function in IPv4 The gateway sends an IPv6 ICMP redirect message when the following conditions are satisfied z The receiving interface is the forwarding interface z The selected route itself is not created or modified by an IPv6 ICMP redirect message z The selected route is not the defa...

Page 308: ...dresses but also AAAA records IPv6 addresses The DNS server can convert domain names into IPv4 addresses or IPv6 addresses In this way the DNS server implements the functions of both IPv6 DNS and IPv4 DNS Protocols and Standards Protocols and standards related to IPv6 include z RFC 1881 IPv6 Address Allocation Management z RFC 1887 An Architecture for IPv6 Unicast Address Allocation z RFC 1981 Pat...

Page 309: ...IPv6 site local addresses or aggregatable global unicast addresses are configured manually IPv6 link local addresses can be configured in either of the following ways z Automatic generation The device automatically generates a link local address for an interface according to the link local address prefix FE80 10 and the link layer address of the interface z Manual assignment IPv6 link local addres...

Page 310: ...st adopt manual assignment and then automatic generation the automatically generated link local address will not take effect and the link local address of an interface is still the manually assigned one If you delete the manually assigned address the automatically generated link local address is validated z The undo ipv6 address auto link local command can only remove the link local addresses gene...

Page 311: ...cquire the link layer address of a neighbor node through NS and NA messages and add it into the neighbor table Too large a neighbor table may reduce the forwarding performance of the device You can restrict the size of the neighbor table by setting the maximum number of neighbors that an interface can dynamically learn When the number of dynamically learned neighbors reaches the threshold the inte...

Page 312: ... hosts use the stateless autoconfiguration to acquire information other than IPv6 addresses Router lifetime This field is used to set the lifetime of the router that sends RA messages to serve as the default router of hosts According to the router lifetime in the received RA messages hosts determine whether the router sending RA messages can serve as the default router Retrans timer If the device ...

Page 313: ...es is used as the prefix information Set the M flag bit to 1 ipv6 nd autoconfig managed address flag Optional By default the M flag bit is set to 0 that is hosts acquire IPv6 addresses through stateless autoconfiguration Set the O flag bit to 1 ipv6 nd autoconfig other flag Optional By default the O flag bit is set to 0 that is hosts acquire other information through stateless autoconfiguration Co...

Page 314: ...guring a Static PMTU for a Specified IPv6 Address You can configure a static PMTU for a specified destination IPv6 address When a source host sends a packet through an interface it compares the interface MTU with the static PMTU of the specified destination IPv6 address If the packet size is larger than the smaller one between the two values the host fragments the packet according to the smaller v...

Page 315: ...Set the finwait timer tcp ipv6 timer fin timeout wait time Optional 675 seconds by default Set the synwait timer tcp ipv6 timer syn timeout wait time Optional 75 seconds by default Set the size of the IPv6 TCP sending receiving buffer tcp ipv6 window size Optional 8 KB by default Configuring ICMPv6 Packet Sending Configuring the Maximum ICMPv6 Error Packets Sent in an Interval If too many ICMPv6 e...

Page 316: ... system view system view Enable sending of multicast echo replies ipv6 icmpv6 multicast echo reply enable Not enabled by default Enabling Sending of ICMPv6 Time Exceeded Packets A device sends an ICMPv6 time exceeded packet in the following cases z If a received IPv6 packet s destination IP address is not the local address and its hop count is 1 the device sends an ICMPv6 time to live count exceed...

Page 317: ...er for resolution The system can support at most six DNS servers You can configure a DNS suffix so that you only need to enter part of a domain name and the system can automatically add the preset suffix for address resolution The system can support at most 10 DNS suffixes Follow these steps to configure dynamic IPv6 domain name resolution To do Use the command Remarks Enter system view system vie...

Page 318: ...face interface type interface number vlan vlan id count Display the PMTU information of an IPv6 address display ipv6 pathmtu ipv6 address all dynamic static Display socket information display ipv6 socket socktype socket type task id socket id Display the statistics of IPv6 packets and ICMPv6 packets display ipv6 statistics Display the IPv6 TCP connection statistics display tcp ipv6 statistics Disp...

Page 319: ... is 3001 2 64 and a route to Host is available z IPv6 is enabled for Host to automatically get an IPv6 address through IPv6 NDP and a route to Switch B is available Figure 1 6 Network diagram for IPv6 address configuration The VLAN interfaces have been created on the switch Configuration procedure z Configure Switch A Enable IPv6 SwitchA system view SwitchA ipv6 Specify an aggregatable global unic...

Page 320: ...2001 15B E0EA 3524 E791 0015 e9a6 7d14 1 GE1 0 2 STALE D 1248 The above information shows that the IPv6 aggregatable global unicast address that Host obtained is 2001 15B E0EA 3524 E791 Verification Display the IPv6 interface settings on Switch A SwitchA Vlan interface1 display ipv6 interface vlan interface 2 verbose Vlan interface2 current state UP Line protocol current state UP IPv6 is enabled l...

Page 321: ...E80 20F E2FF FE00 1C0 Global unicast address es 2001 1 subnet is 2001 64 Joined group address es FF02 1 FF00 0 FF02 1 FF00 1 FF02 1 FF00 1C0 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds N...

Page 322: ...erface2 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE00 1234 Global unicast address es 3001 2 subnet is 3001 64 Joined group address es FF02 1 FF00 0 FF02 1 FF00 2 FF02 1 FF00 1234 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hos...

Page 323: ...itchB Vlan interface2 ping ipv6 c 1 3001 1 PING 3001 1 56 data bytes press CTRL_C to break Reply from 3001 1 bytes 56 Sequence 1 hop limit 64 time 2 ms 3001 1 ping statistics 1 packet s transmitted 1 packet s received 0 00 packet loss round trip min avg max 2 2 2 ms SwitchB Vlan interface2 ping ipv6 c 1 2001 15B E0EA 3524 E791 PING 2001 15B E0EA 3524 E791 56 data bytes press CTRL_C to break Reply ...

Page 324: ...mmand in any view or the display this command in system view to verify that IPv6 is enabled z Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up z Use the debugging ipv6 packet command in user view to enable the debugging for IPv6 packets to help locate the cause ...

Page 325: ...i Table of Contents 1 Dual Stack Configuration 1 1 Dual Stack Overview 1 1 Configuring Dual Stack 1 1 ...

Page 326: ... be selected at the transport layer while IPv6 stack is preferred at the network layer Figure 1 1 illustrates the IPv4 IPv6 dual stack in relation to the IPv4 stack Figure 1 1 IPv4 IPv6 dual stack in relation to IPv4 stack on Ethernet IPv4 application IPv4 IPv6 application TCP UDP TCP UDP IPv4 IPv4 IPv6 Ethernet Ethernet Protocol ID 0x0800 Protocol ID 0x0800 Protocol ID 0x86DD IPv4 stack Dual stac...

Page 327: ...an interface Automatically create an IPv6 link local address ipv6 address auto link local Configure an IPv6 address on the interface Configure an IPv6 link local address Manually specify an IPv6 link local address ipv6 address ipv6 address link local Optional By default after you configured an IPv6 site local address or global unicast address a link local address is automatically created z For inf...

Page 328: ... Overview 1 1 Introduction to sFlow 1 1 Operation of sFlow 1 1 Configuring sFlow 1 2 Displaying and Maintaining sFlow 1 2 sFlow Configuration Example 1 3 Troubleshooting sFlow Configuration 1 4 The Remote sFlow Collector Cannot Receive sFlow Packets 1 4 ...

Page 329: ...ow packets and displays the results sFlow has the following two sampling mechanisms z Packet based sampling An sFlow enabled port samples one packet out of a configurable number of packets passing through it z Time based sampling The sFlow agent samples the statistics of all sFlow enabled ports at a configurable interval As a traffic monitoring technology sFlow has the following advantages z Suppo...

Page 330: ...w enabled ports sflow interval interval time Optional 20 seconds by default Enter Ethernet port view interface interface type interface number Specify the sFlow version sflow version 4 5 Optional 5 by default Enable sFlow in the inbound or outbound direction sflow enable inbound outbound Required Not enabled by default Specify the sFlow sampling mode sflow sampling mode determine random Optional r...

Page 331: ...results Network diagram Figure 1 1 Network diagram for sFlow configuration Configuration procedure Configure an IP address for the sFlow agent Switch system view Switch sflow agent ip 3 3 3 1 Specify the IP address and port number of the sFlow collector Switch sflow collector ip 3 3 3 2 Set the sFlow interval to 30 seconds Switch sflow interval 30 Enable sFlow in both the inbound and outbound dire...

Page 332: ...f the sFlow collector specified on the sFlow agent is different from that of the remote sFlow collector z No IP address is configured for the Layer 3 interface on the device or the IP address is configured but the UDP packets with the IP address being the source cannot reach the sFlow collector z The physical link between the device and the sFlow collector fails Solution 1 Check whether sFlow is c...

Page 333: ... used in small sized networks This document describes z RIP basic functions configuration z RIP advanced functions configuration z RIP network optimization configuration IPv6 Static Routing Static routes are special routes that are manually configured by network administrators Similar to IPv4 static routes IPv6 static routes work well in simple IPv6 network environments This document describes z I...

Page 334: ...Routing Overview 1 1 Routing 1 1 Routing Table and FIB Table 1 1 Routing Protocol Overview 1 3 Static Routing and Dynamic Routing 1 3 Routing Protocols and Routing Priority 1 3 Displaying and Maintaining a Routing Table 1 4 i ...

Page 335: ...tes and IS IS routes to the OSPF routing table and then z ting Routing in the Internet is achieved through routers Upon receiving a packet a router finds route based on the destination address and forwards the packet to the next r Routing provides the path inform ng Table and FIB Table Routing tables play a key role in route selection and forwarding informatio in p cket forwarding Each router main...

Page 336: ...t can be expressed in dotted decimal format or by the number of the 1s Outbound interface Specifies the interface through which the IP packets are to be forwarded IP address of the next hop Specifies the address of the next router on the path If only the outbound interface is configured its address will be the IP address z Priority for the route Routes to the same destinatio different priorities a...

Page 337: ...twork topology changes it cannot adjust to network changes by itself Dynamic routing is based on dynamic routing protocols which can detect network topology changes and recalculate the routes accordingly Therefore dynamic routing is suitable for large networks Its disadvantages are that it is difficult to configure and that it not only imposes higher requirements on the system but also consumes a ...

Page 338: ... routing table ip address1 mask length mask ip address2 mask length mask verbose Available in any view Display information about routes permitted by an IPv4 basic ACL display ip routing table acl acl number verbose Available in any view Display routing information permitted by an IPv4 prefix list display ip routing table ip prefix ip prefix name verbose Available in any view Display routes of a ro...

Page 339: ...6 routing information of a routing protocol display ipv6 routing table protocol protocol inactive verbose Available in any view Display IPv6 routing statistics display ipv6 routing table statistics Available in any view Display IPv6 routing information for an IPv6 address range display ipv6 routing table ipv6 address1 prefix length1 ipv6 address2 prefix length2 verbose Available in any view Clear ...

Page 340: ...ic Routing 1 2 Configuring a Static Route 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 3 Detecting Reachability of the Static Route s Nexthop 1 3 Detecting Nexthop Reachability Through Track 1 3 Displaying and Maintaining Static Routes 1 4 Static Route Configuration Example 1 5 Basic Static Route Configuration Example 1 5 ...

Page 341: ...opological change occurs in the network the routes will be unreachable and the network breaks In this case the network administrator has to modify the static routes manually Default Route If the destination address of a packet fails to match any entry in the routing table the packet will be discarded After a default route is configured on a router any packet whose destination IP address matches no...

Page 342: ...ic occasion For a NULL0 interface if the output interface has already been configured there is no need to configure the next hop address In fact all the route entries must have a next hop address When forwarding a packet a router first searches the routing table for the route to the destination address of the packet The system can find the corresponding link layer address and forward the packet on...

Page 343: ...an flexibly control static routes by configuring tag values and using the tag values in the routing policy z If the destination IP address and mask are both configured as 0 0 0 0 with the ip route static command the route is the default route Detecting Reachability of the Static Route s Nexthop If a static route fails due to a topology change or a fault the connection will be interrupted To improv...

Page 344: ...r an existing static route simply associate the static route with a track entry For a non existent static route configure it and associate it with a Track entry z If a static route needs route recursion the associated track entry must monitor the nexthop of the recursive route instead of that of the static route otherwise a valid route may be mistakenly considered invalid Displaying and Maintainin...

Page 345: ...ch A SwitchA system view SwitchA ip route static 0 0 0 0 0 0 0 0 1 1 4 2 Configure two static routes on Switch B SwitchB system view SwitchB ip route static 1 1 2 0 255 255 255 0 1 1 4 1 SwitchB ip route static 1 1 3 0 255 255 255 0 1 1 5 6 Configure a default route on Switch C SwitchC system view SwitchC ip route static 0 0 0 0 0 0 0 0 1 1 5 5 3 Configure the hosts The default gateways for the th...

Page 346: ... 1 1 5 5 Vlan600 1 1 5 5 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 1 1 6 0 24 Direct 0 0 1 1 6 1 Vlan100 1 1 6 1 32 Direct 0 0 127 0 0 1 InLoop0 Use the ping command on Host B to check reachability to Host A assuming Windows XP runs on the two hosts C Documents and Settings Administrator ping 1 1 2 2 Pinging 1 1 2 2 with 32 b...

Page 347: ...1 7 1 1 ms 1 ms 1 ms 1 1 6 1 2 1 ms 1 ms 1 ms 1 1 4 1 3 1 ms 1 ms 1 ms 1 1 2 2 Trace complete ...

Page 348: ... Priority for RIP 1 11 Configuring RIP Route Redistribution 1 11 Configuring RIP Network Optimization 1 11 Configuring RIP Timers 1 12 Configuring Split Horizon and Poison Reverse 1 12 Enabling Zero Field Check on Incoming RIPv1 Messages 1 13 Enabling Source IP Address Check on Incoming RIP Updates 1 13 Configuring RIPv2 Message Authentication 1 14 Specifying a RIP Neighbor 1 14 Configuring RIP to...

Page 349: ...of RIP Introduction RIP is a distance vector routing protocol using UDP packets for exchanging information through port 520 RIP uses a hop count to measure the distance to a destination The hop count from a router to a directly connected network is 0 The hop count from a router to a directly connected router is 1 To limit convergence time the range of RIP metric value is from 0 to 15 A metric valu...

Page 350: ...e will be deleted from the routing table Routing loops prevention RIP is a distance vector D V routing protocol Since a RIP router advertises its own routing table to neighbors routing loops may occur RIP uses the following mechanisms to prevent routing loops z Counting to infinity The metric value of 16 is defined as unreachable When a routing loop occurs the metric value of the route will increm...

Page 351: ...s of message transmission broadcast and multicast Multicast is the default type using 224 0 0 9 as the multicast address The interface working in the RIPv2 broadcast mode can also receive RIPv1 messages RIP Message Format A RIPv1 message consists of a header and up to 25 route entries A RIPv2 authentication message uses the first route entry as the authentication entry so it has up to 24 route ent...

Page 352: ...indicates that the originator of the route is the best next hop otherwise it indicates a next hop better than the originator of the route RIPv2 authentication RIPv2 sets the AFI field of the first route entry to 0xFFFF to identify authentication information See Figure 1 3 Figure 1 3 RIPv2 Authentication Message z Authentication Type A value of 2 represents plain text authentication while a value o...

Page 353: ...s z RFC 1722 RIP Version 2 Protocol Applicability Statement z RFC 1724 RIP Version 2 MIB Extension z RFC 2082 RIPv2 MD5 Authentication z RFC2453 RIP Version 2 Configuring RIP Basic Functions Configuration Prerequisites Before configuring RIP basic functions complete the following tasks z Configure the link layer protocol z Configure an IP address on each interface and make sure all adjacent router...

Page 354: ...iew interface interface type interface number Enable the interface to receive RIP messages rip input Optional Enabled by default Enable the interface to send RIP messages rip output Optional Enabled by default Configuring a RIP version You can configure a RIP version in RIP or interface view z If neither global nor interface RIP version is configured the interface sends RIPv1 broadcasts and can re...

Page 355: ...es effect If no global RIP version is specified the interface can send RIPv1 broadcasts and receive RIPv1 broadcasts unicasts RIPv2 broadcasts multicasts and unicasts Configuring RIP Route Control In complex networks you need to configure advanced RIP features This section covers the following topics z Configuring an Additional Routing Metric z Configuring RIPv2 Route Summarization z Disabling Hos...

Page 356: ...y default Configuring RIPv2 Route Summarization Route summarization means that subnets in a natural network are summarized into a natural network that is sent to other networks This feature can reduce the size of routing tables Enabling RIPv2 route automatic summarization You can disable RIPv2 route automatic summarization if you want to advertise all subnet routes Follow these steps to enable RIP...

Page 357: ...ving host routes undo host route Required Enabled by default RIPv2 can be disabled from receiving host routes but RIPv1 cannot Advertising a Default Route You can configure RIP to advertise a default route with a specified metric to RIP neighbors z In RIP view you can configure all the interfaces of the RIP process to advertise a default route in interface view you can configure a RIP interface of...

Page 358: ...erencing an ACL or IP prefix list You can also configure the router to receive only routes from a specified neighbor Follow these steps to configure route filtering To do Use the command Remarks Enter system view system view Enter RIP view rip process id Configure the filtering of incoming routes filter policy acl number gateway ip prefix name ip prefix ip prefix name gateway ip prefix name import...

Page 359: ...Follow these steps to configure RIP route redistribution To do Use the command Remarks Enter system view system view Enter RIP view rip process id Configure a default metric for redistributed routes default cost value Optional The default metric of a redistributed route is 0 by default Redistribute routes from another protocol import route protocol process id all processes cost cost route policy r...

Page 360: ...on Configuring Split Horizon and Poison Reverse If both split horizon and poison reverse are configured only the poison reverse function takes effect Enabling split horizon The split horizon function disables an interface from sending routes received from the interface to prevent routing loops between adjacent routers Follow these steps to enable split horizon To do Use the command Remarks Enter s...

Page 361: ...eck on incoming RIPv1 messages To do Use the command Remarks Enter system view system view Enter RIP view rip process id Enable zero field check on received RIPv1 messages checkzero Optional Enabled by default Enabling Source IP Address Check on Incoming RIP Updates You can enable source IP address check on incoming RIP updates For a message received RIP compares the source IP address of the messa...

Page 362: ...figuration does not take effect Specifying a RIP Neighbor Usually RIP sends messages to broadcast or multicast addresses On non broadcast or multicast links you need to manually specify RIP neighbors If a specified neighbor is not directly connected you must disable source address check on incoming updates Follow these steps to specify a RIP neighbor To do Use the command Remarks Enter system view...

Page 363: ...t sending rate To do Use the command Remarks Enter system view system view Enable a RIP process and enter RIP view rip process id Configure the maximum number of RIP packets that can be sent at the specified interval output delay time count count Optional By default an interface sends up to three RIP packets every 20 milliseconds Displaying and Maintaining RIP To do Use the command Remarks Display...

Page 364: ...tchA interface vlan interface 101 SwitchA Vlan interface101 ip address 172 17 1 1 24 SwitchA Vlan interface101 quit SwitchA interface vlan interface 102 SwitchA Vlan interface102 ip address 172 16 1 1 24 Configure Switch B SwitchB system view SwitchB interface vlan interface 100 SwitchB Vlan interface100 ip address 192 168 1 2 24 SwitchB Vlan interface100 quit SwitchB interface vlan interface 101 ...

Page 365: ...p SwitchB rip 1 version 2 SwitchB rip 1 undo summary Display the RIP routing table on Switch A SwitchA display rip 1 route Route Flags R RIP T TRIP P Permanent A Aging S Suppressed G Garbage collect Peer 192 168 1 2 on Vlan interface100 Destination Mask Nexthop Cost Tag Flags Sec 10 0 0 0 8 192 168 1 2 1 0 RA 50 10 2 1 0 24 192 168 1 2 1 0 RA 16 10 1 1 0 24 192 168 1 2 1 0 RA 16 From the routing t...

Page 366: ...nd specify RIP version 2 on Switch A SwitchA system view SwitchA rip 100 SwitchA rip 100 network 10 0 0 0 SwitchA rip 100 network 11 0 0 0 SwitchA rip 100 version 2 SwitchA rip 100 undo summary SwitchA rip 100 quit Enable RIP 100 and RIP 200 and specify RIP version 2 on Switch B SwitchB system view SwitchB rip 100 SwitchB rip 100 network 11 0 0 0 SwitchB rip 100 version 2 SwitchB rip 100 undo summ...

Page 367: ...1 12 3 1 1 Vlan200 11 1 1 0 24 RIP 100 1 12 3 1 1 Vlan200 12 3 1 0 24 Direct 0 0 12 3 1 2 Vlan200 12 3 1 2 32 Direct 0 0 127 0 0 1 InLoop0 16 4 1 0 24 Direct 0 0 16 4 1 1 Vlan400 16 4 1 1 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 4 Configure an filtering policy to filter redistributed routes Configure ACL 2000 to filter route...

Page 368: ...rom Switch C to Switch D Configure an additional metric for RIP routes received through VLAN interface 200 on Switch A so that Switch A prefers the 1 1 5 0 24 network learned from Switch B Figure 1 6 Network diagram for RIP interface additional metric configuration Configuration procedure 1 Configure IP addresses for the interfaces omitted 2 Configure RIP basic functions Configure Switch A SwitchA...

Page 369: ...splay shows that there are two RIP routes to network 1 1 5 0 24 Their next hops are Switch B 1 1 1 2 and Switch C 1 1 2 2 respectively with the same cost of 2 Switch C is the next hop router to reach network 1 1 4 0 24 with a cost of 1 3 Configure an additional metric for the RIP interface Configure an additional metric of 3 for VLAN interface 200 on Switch A SwitchA interface vlan interface 200 S...

Page 370: ...mmand to check whether some interface is disabled Route Oscillation Occurred Symptom When all links work well route oscillation occurs on the RIP network After displaying the routing table you may find some routes appear and disappear in the routing table intermittently Analysis In the RIP network make sure all the same timers within the whole network are identical and relationships between timers...

Page 371: ...6 Static Routing 1 1 Features of IPv6 Static Routes 1 1 Default IPv6 Route 1 1 Configuring an IPv6 Static Route 1 1 Configuration prerequisites 1 1 Configuring an IPv6 Static Route 1 2 Displaying and Maintaining IPv6 Static Routes 1 2 IPv6 Static Routing Configuration Example 1 2 ...

Page 372: ...in unavailable routes requiring the network administrator to manually configure and modify the static routes Features of IPv6 Static Routes Similar to IPv4 static routes IPv6 static routes work well in simple IPv6 network environments Their major difference lies in the destination and next hop addresses IPv6 static routes use IPv6 addresses whereas IPv4 static routes use IPv4 addresses Default IPv...

Page 373: ...emarks Display IPv6 static route information display ipv6 routing table protocol static inactive verbose Available in any view Remove all IPv6 static routes delete ipv6 static routes all Available in system view z Using the undo ipv6 route static command can delete a single IPv6 static route while using the delete ipv6 static routes all command deletes all IPv6 static routes including the default ...

Page 374: ...hC SwitchC system view SwitchC ipv6 route static 0 5 2 3 Configure the IPv6 addresses of hosts and gateways Configure the IPv6 addresses of all the hosts based upon the network diagram configure the default gateway of Host A as 1 1 that of Host B as 2 1 and that of Host C as 3 1 4 Display configuration information Display the IPv6 routing table of SwitchA SwitchA display ipv6 routing table Routing...

Page 375: ...tchA ping ipv6 3 1 PING 3 1 56 data bytes press CTRL_C to break Reply from 3 1 bytes 56 Sequence 1 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 2 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 4 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 5 hop limit 254 time 63 ms 3 1 ping statistics 5 packet s trans...

Page 376: ...4 Configuring an Additional Routing Metric 1 4 Configuring RIPng Route Summarization 1 5 Advertising a Default Route 1 5 Configuring a RIPng Route Filtering Policy 1 6 Configuring a Priority for RIPng 1 6 Configuring RIPng Route Redistribution 1 6 Tuning and Optimizing the RIPng Network 1 7 Configuring RIPng Timers 1 7 Configuring Split Horizon and Poison Reverse 1 7 Configuring Zero Field Check o...

Page 377: ...Next hop 128 bit IPv6 address z Source address RIPng uses FE80 10 as the link local source address RIPng Working Mechanism RIPng is a routing protocol based on the distance vector D V algorithm RIPng uses UDP packets to exchange routing information through port 521 RIPng uses a hop count to measure the distance to a destination The hop count is referred to as metric or cost The hop count from a ro...

Page 378: ...figuration in the IP Routing Volume RIPng Packet Format Basic format A RIPng packet consists of a header and multiple route table entries RTEs The maximum number of RTEs in a packet depends on the IPv6 MTU of the sending interface Figure 1 1 shows the packet format of RIPng Figure 1 1 RIPng basic packet format z Command Type of message 0x01 indicates Request 0x02 indicates Response z Version Versi...

Page 379: ...uested routing information to the requesting router in the response packet Response packet The response packet containing the local routing table information is generated as z A response to a request z An update periodically z A trigged update caused by route change After receiving a response a router checks the validity of the response before adding the route to its routing table such as whether ...

Page 380: ...g a Default Route z Configuring a RIPng Route Filtering Policy z Configuring a Priority for RIPng z Configuring RIPng Route Redistribution Before the configuration accomplish the following tasks first z Configure an IPv6 address on each interface and make sure all nodes are reachable to one another z Configure RIPng basic functions z Define an IPv6 ACL before using it for route filtering Refer to ...

Page 381: ... Summarization Follow these steps to configure RIPng route summarization To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Advertise a summary IPv6 prefix ripng summary address ipv6 address prefix length Required Advertising a Default Route Follow these steps to advertise a default route To do Use the command Remarks Enter sy...

Page 382: ...uting information Configuring a Priority for RIPng Any routing protocol has its own protocol priority used for optimal route selection You can set a priority for RIPng manually The smaller the value is the higher the priority is Follow these steps to configure a RIPng priority To do Use the command Remarks Enter system view system view Enter RIPng view ripng process id Configure a RIPng priority p...

Page 383: ...nd Remarks Enter system view system view Enter RIPng view ripng process id Configure RIPng timers timers garbage collect garbage collect value suppress suppress value timeout timeout value update update value Optional The RIPng timers have the following defaults z 30 seconds for the update timer z 180 seconds for the timeout timer z 120 seconds for the suppress timer z 120 seconds for the garbage ...

Page 384: ...these steps to configure poison reverse To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable the poison reverse function ripng poison reverse Required Disabled by default Configuring Zero Field Check on RIPng Packets Some fields in the RIPng packet must be zero These fields are called zero fields With zero field check on ...

Page 385: ...irements As shown in Figure 1 4 all switches run RIPng Configure Switch B to filter the route 3 64 learnt from Switch C which means the route will not be added to the routing table of Switch B and Switch B will not forward it to Switch A Figure 1 4 Network diagram for RIPng configuration Configuration procedure 1 Configure the IPv6 address for each interface omitted 2 Configure basic RIPng functio...

Page 386: ... enable SwitchC Vlan interface600 quit Display the routing table of Switch B SwitchB display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 20F E2FF FE23 82F5 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 6 Sec Dest 2 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 6 Sec Peer FE80 20F E2FF FE00 100 on Vlan interface200 Dest 3 64 via FE80 20F E2...

Page 387: ...SwitchB display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 20F E2FF FE23 82F5 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Dest 2 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Peer FE80 20F E2FF FE00 100 on Vlan interface200 Dest 4 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 5 Sec Dest 5 64 via FE80 20F E2FF FE00 100 cost 1 ...

Page 388: ...x List 1 3 Configuring a Route Policy 1 4 Prerequisites 1 4 Creating a Route Policy 1 5 Defining if match Clauses 1 5 Defining apply Clauses 1 6 Displaying and Maintaining the Route Policy 1 7 Route Policy Configuration Example 1 7 Applying a Route Policy to IPv4 Route Redistribution 1 7 Applying a Route Policy to IPv6 Route Redistribution 1 9 Troubleshooting Route Policy Configuration 1 10 IPv4 R...

Page 389: ...icy A route policy is used on a router for route filtering and attributes modification when routes are received advertised or redistributed Route Policy Application A route policy is applied on a router to z Filter routes when they are advertised z Filter routes when they are received thus to reduce the number of route entries and enhance network security z Filter routes when they are redistribute...

Page 390: ...are in logic OR relationship Each route policy node is a match unit and a node with a smaller number is matched first Once a node is matched the route policy is passed and the packet will not go to the next node A route policy node comprises a set of if match and apply clauses z The if match clauses define the match criteria The matching objects are some attributes of routing information The if ma...

Page 391: ...ne an IPv4 prefix list To do Use the command Remarks Enter system view system view Define an IPv4 prefix list ip ip prefix ip prefix name index index number permit deny ip address mask length greater equal min mask length less equal max mask length Required Not defined by default If all the items are set to the deny mode no routes can pass the IPv4 prefix list Therefore you need to define the perm...

Page 392: ...ass For example the following configuration filters routes 2000 1 48 2000 2 48 and 2000 3 48 but allows other routes to pass Sysname system view Sysname ip ipv6 prefix abc index 10 deny 2000 1 48 Sysname ip ipv6 prefix abc index 20 deny 2000 2 48 Sysname ip ipv6 prefix abc index 30 deny 2000 3 16 Sysname ip ipv6 prefix abc index 40 permit 0 less equal 128 Configuring a Route Policy A route policy ...

Page 393: ...if match clauses of the node it cannot pass the node or go to the next node If route information cannot match all the if match clauses of the node it will go to the next node for a match z When a route policy has more than one node at least one node should be configured with the permit keyword If the route policy is used to filter routing information routing information that does not meet any node...

Page 394: ...nformation having the specified tag value if match tag value Optional Not configured by default z The if match clauses of a route policy node are in logic AND relationship namely routing information has to satisfy all its if match clauses before being executed with its apply clauses z You can specify no or multiple if match clauses for a route policy node If no if match clause is specified and the...

Page 395: ...routes respectively Displaying and Maintaining the Route Policy To do Use the command Remarks Display IPv4 prefix list statistics display ip ip prefix ip prefix name Display IPv6 prefix list statistics display ip ipv6 prefix ipv6 prefix name Display route policy information display route policy route policy name Available in any view Clear IPv4 prefix list statistics reset ip ip prefix ip prefix n...

Page 396: ...c 40 0 0 0 255 0 0 0 172 17 1 2 Configure an ACL SwitchA acl number 2000 SwitchA acl basic 2000 rule deny source 30 0 0 0 0 255 255 255 SwitchA acl basic 2000 rule permit source any SwitchA acl basic 2000 quit Redistribute static routes SwitchA rip SwitchA rip 1 import route static Apply ACL 2000 to filter the routing information to be advertised to Switch B SwitchA rip 1 filter policy 2000 export...

Page 397: ...figure three static routes and apply a route policy to static route redistribution to permit routes 20 0 32 and 40 0 32 and deny route 30 0 32 z Display RIPng routing table information on Switch B to verify the configuration Figure 1 2 Network diagram for route policy application to route redistribution Configuration procedure 1 Configure Switch A Configure IPv6 addresses for VLAN interface 100 an...

Page 398: ...v6 address for VLAN interface 100 SwitchB ipv6 SwitchB interface vlan interface 100 SwitchB Vlan interface100 ipv6 address 10 2 32 Enable RIPng on VLAN interface 100 SwitchB Vlan interface100 ripng 1 enable SwitchB Vlan interface100 quit Enable RIPng SwitchB ripng Display RIPng routing table information SwitchB ripng 1 display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer F...

Page 399: ... to display route policy information IPv6 Routing Information Filtering Failure Symptom Filtering routing information failed while the routing protocol runs normally Analysis At least one item of the IPv6 prefix list should be configured as permit mode and at least one node of the Route policy should be configured as permit mode Solution 1 Use the display ip ipv6 prefix command to display IP prefi...

Page 400: ...used for multicast group management and control This document describes z Configuring Basic Functions of IGMP Snooping z Configuring IGMP Snooping Port Functions z Configuring IGMP Snooping Querier z Configuring IGMP Snooping Policy Multicast VLAN Multicast VLAN configuration MLD Snooping Multicast Listener Discovery Snooping MLD Snooping is an IPv6 multicast constraining mechanism that runs on La...

Page 401: ...of Information Transmission Techniques 1 1 Features of Multicast 1 4 Common Notations in Multicast 1 5 Advantages and Applications of Multicast 1 5 Multicast Models 1 5 Multicast Architecture 1 6 Multicast Addresses 1 7 Multicast Protocols 1 11 Multicast Packet Forwarding Mechanism 1 13 ...

Page 402: ...ultipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added services such as live Webcasting Web TV distance learning telemedicine Web radio real time videoconferencing and other bandwidth and time critical information services Comparison of Information Transmission...

Page 403: ...d over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information to each of these users This means a tremendous pressure on the information source and the network bandwidth As we can see from the information transmission process unicast is not suitable for batch tr...

Page 404: ...ificant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multicast can well solve this problem When some hosts on the network need multicast information the information sender or multicast source sends only one copy of the information Multicast distribution tree...

Page 405: ...of Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast address Hosts join a multicast group to become members of the multicast group before they can receive the multicast data addressed to that multicast group Typically a multicast source does not need to join a multicast group z An information sender is referred to as a mult...

Page 406: ...e G represents a specific multicast group z S G Indicates a shortest path tree SPT or a multicast packet that multicast source S sends to multicast group G Here S represents a specific multicast source while G represents a specific multicast group Advantages and Applications of Multicast Advantages of multicast Advantages of the multicast technique include z Enhanced efficiency reduces the CPU loa...

Page 407: ... locations of the multicast sources by some other means In addition the SSM model uses a multicast address range that is different from that of the ASM SFM model and dedicated multicast forwarding paths are established between receivers and the specified multicast sources Multicast Architecture IP multicast addresses the following questions z Where should the multicast source transmit information ...

Page 408: ... TTL value in the IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types of designated group addresses z 232 0 0 0 8 SSM group addresses and z 233 0 0 0 8 Glop group addresses 239 0 0 0 to 239 255 255 255 Administratively scoped multicast addresses These addresses are considered to be locally rather than globally unique and can be reused in domains adm...

Page 409: ...lticast address are as follows z 0xFF The most significant 8 bits are 11111111 indicating that this address is an IPv6 multicast address Figure 1 5 Format of the Flags field z Flags Referring to Figure 1 5 the following table describes the four bits of the Flags field Table 1 4 Description on the bits of the Flags field Bit Description 0 Reserved set to 0 R z When set to 0 it indicates that this a...

Page 410: ...cal scope E Global scope z Group ID 112 bits IPv6 multicast group identifier that uniquely identifies an IPv6 multicast group in the scope defined by the Scope field Ethernet multicast MAC addresses When a unicast IP packet is transmitted over Ethernet the destination MAC address is the MAC address of the receiver When a multicast packet is transmitted over Ethernet however the destination address...

Page 411: ...same MAC address Therefore in Layer 2 multicast forwarding a device may receive some multicast data addressed for other IPv4 multicast groups and such redundant data needs to be filtered by the upper layer 2 IPv6 multicast MAC addresses The high order 16 bits of an IPv6 multicast MAC address are 0x3333 and the low order 32 bits are the low order 32 bits of a multicast IPv6 address Figure 1 7 shows...

Page 412: ...n a network Layer 3 multicast protocols Layer 3 multicast protocols include multicast group management protocols and multicast routing protocols Figure 1 8 describes where these multicast protocols are in a network Figure 1 8 Positions of Layer 3 multicast protocols 1 Multicast management protocols Typically the internet group management protocol IGMP or multicast listener discovery protocol MLD i...

Page 413: ...ticast information transport Layer 2 multicast protocols Layer 2 multicast protocols include IGMP Snooping MLD Snooping and multicast VLAN IPv6 multicast VLAN Figure 1 9 shows where these protocols are in the network Figure 1 9 Position of Layer 2 multicast protocols Source Receiver Receiver IPv4 IPv6 multicast packets IGMP Snooping MLD Snooping Multicast VLAN IPv6 Multicast VLAN 1 IGMP Snooping M...

Page 414: ...multicast model is more complex in the following aspects z To ensure multicast packet transmission in the network unicast routing tables or multicast routing tables for example the MBGP routing table specially provided for multicast must be used as guidance for multicast forwarding z To process the same multicast information from different peers received on different interfaces of the same device ...

Page 415: ...1 11 Enabling IGMP Snooping Querier 1 11 Configuring IGMP Queries and Responses 1 12 Configuring Source IP Address of IGMP Queries 1 13 Configuring an IGMP Snooping Policy 1 13 Configuration Prerequisites 1 13 Configuring a Multicast Group Filter 1 14 Configuring Multicast Source Port Filtering 1 14 Configuring the Function of Dropping Unknown Multicast Data 1 15 Configuring IGMP Report Suppressio...

Page 416: ... and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 1 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 Figure 1 1 Before and af...

Page 417: ...ce DR or IGMP querier In the figure GigabitEthernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its router port list z Member port A member port is a port on an Ethernet switch that leads the switch towards multicast group members In the figure GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 of Switch A and GigabitEthe...

Page 418: ...r age out How IGMP Snooping Works A switch running IGMP Snooping performs different actions when it receives different IGMP messages as follows The description about adding or deleting a port in this section is only for a dynamic port Static ports can be added or deleted only through the corresponding configurations For details see Configuring Static Ports When receiving a general query The IGMP q...

Page 419: ...stening to the reported multicast address will suppress their own reports upon receiving this report and this will prevent the switch from knowing whether the reported multicast group still has active members attached to that port When receiving a leave message When an IGMPv1 host leaves a multicast group the host does not send an IGMP leave message so the switch cannot know immediately that the h...

Page 420: ...ist of the forwarding table entry for that multicast group when the aging timer expires Protocols and Standards IGMP Snooping is documented in z RFC 4541 Considerations for Internet Group Management Protocol IGMP and Multicast Listener Discovery MLD Snooping Switches IGMP Snooping Configuration Task List Complete these tasks to configure IGMP Snooping Task Remarks Enabling IGMP Snooping Required C...

Page 421: ...gate port view or port group view z For IGMP Snooping configurations made on a Layer 2 aggregate port do not interfere with configurations made on its member ports nor do they take part in aggregation calculations configurations made on a member port of the aggregate group will not take effect until it leaves the aggregate group Configuring Basic Functions of IGMP Snooping Configuration Prerequisi...

Page 422: ...he version of IGMP Snooping igmp snooping version version number Optional Version 2 by default If you switch IGMP Snooping from version 3 to version 2 the system will clear all IGMP Snooping forwarding entries from dynamic joins and will z Keep forwarding entries for version 3 static G joins z Clear forwarding entries from version 3 static S G joins which will be restored when IGMP Snooping is swi...

Page 423: ...aging time interval Optional 105 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLAN Follow these steps to configure aging timers for dynamic ports in a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure dynamic router port aging...

Page 424: ...mber ports and static router ports never age out To remove such a port you need to use the corresponding undo command Configuring Simulated Joining Generally a host running IGMP responds to IGMP queries from the IGMP querier If a host fails to respond due to some reasons the multicast router may deem that no member of this multicast group exists on the network segment and therefore will remove the...

Page 425: ...an IGMP leave message on a port the switch immediately removes that port from the outgoing port list of the forwarding table entry for the indicated group Then when receiving IGMP group specific queries for that multicast group the switch will not forward them to that port In VLANs where only one host is attached to each port fast leave processing helps improve bandwidth and resource usage However...

Page 426: ...urce address of IGMP group specific queries Enabling IGMP Snooping Querier In an IP multicast network running IGMP a multicast router or Layer 3 multicast switch is responsible for sending IGMP general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch i...

Page 427: ...d by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously z For IGMP general queries you can configure the maximum response time to fill their Max Response time field z For IGMP group specific queries you can configure the IGMP last member query interval to fill their Max Response time field Namely for IGMP group specific queries the maximum re...

Page 428: ...and cause multicast traffic forwarding failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the aforesaid problem you are commended to configure a non all zero IP address as the source IP address of IGMP queries Follow these steps to configure source IP address of IGMP queries To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Con...

Page 429: ...ure a multicast group filter globally To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Configure a multicast group filter group policy acl number vlan vlan list Required By default no group filter is globally configured that is hosts in VLANs can join any valid multicast group Configuring a multicast group filter on a port or a group of ports Follo...

Page 430: ...Use either approach Enable multicast source port filtering igmp snooping source deny Required Disabled by default 3Com Switch 4500G family when enabled to filter IPv4 multicast data based on the source ports are automatically enabled to filter IPv6 multicast data based on the source ports Configuring the Function of Dropping Unknown Multicast Data Unknown multicast data refers to multicast data fo...

Page 431: ...ed over the network Follow these steps to configure IGMP report suppression To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Enable IGMP report suppression report aggregation Optional Enabled by default Configuring Maximum Multicast Groups that Can Be Joined on a Port By configuring the maximum number of multicast groups that can be joined on a por...

Page 432: ...ddition in some specific applications a multicast group newly joined on the switch needs to replace an existing multicast group automatically A typical example is channel switching namely by joining a new multicast group a user automatically switches from the current multicast group to the new one To address such situations you can enable the multicast group replacement function on the switch or c...

Page 433: ...e the multicast group replacement functionality will not take effect Displaying and Maintaining IGMP Snooping To do Use the command Remarks View IGMP Snooping multicast group information display igmp snooping group vlan vlan id verbose Available in any view View the statistics information of IGMP messages learned by IGMP Snooping display igmp snooping statistics Available in any view Clear IGMP Sn...

Page 434: ...1 can be forwarded through GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 of Switch A even if Host A and Host B accidentally temporarily stop receiving multicast data Network diagram Figure 1 3 Network diagram for group policy simulated joining configuration Configuration procedure 1 Configure IP addresses Configure an IP address and subnet mask for each interface as per Figure 1 3 The detailed c...

Page 435: ...tchA acl basic 2001 quit SwitchA igmp snooping SwitchA igmp snooping group policy 2001 vlan 100 SwitchA igmp snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts for multicast group 224 1 1 1 SwitchA interface gigabitethernet 1 0 3 SwitchA GigabitEthernet1 0 3 igmp snooping host join 224 1 1 1 vlan 100 SwitchA GigabitEthernet1 0 3 quit SwitchA interface gigabi...

Page 436: ...bitEthernet 1 0 5 on Switch C are required to be configured as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the network To avoid data loops the forwarding path from Switch A to Switch C is blocked under normal conditions and multicast traffic flows to the receivers attached to Switch C only along the path of Sw...

Page 437: ...IM DM on each interface and enable IGMP on GigabitEthernet 1 0 1 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim dm RouterA GigabitEthernet1 0 2 quit 3 Configure Switch A ...

Page 438: ...itEthernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable IGMP Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 igmp snooping enable SwitchC vlan100 quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 5 as static member ports for multicast group 224 1 1 1 SwitchC interface GigabitEthernet 1 0 3 SwitchC G...

Page 439: ... 100 on Switch C SwitchC display igmp snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 2 D 00 01 23 IP group s the following ip group s match to one mac group IP gr...

Page 440: ...known multicast data packets z Because a switch does not enlist a port that has heard an IGMP query with a source IP address of 0 0 0 0 default as a dynamic router port configure a non all zero IP address as the source IP address of IGMP queries to ensure normal creation of Layer 2 multicast forwarding entries Network diagram Figure 1 5 Network diagram for IGMP Snooping querier configuration Confi...

Page 441: ...gmp snooping enable SwitchB vlan100 igmp snooping drop unknown SwitchB vlan100 quit Configurations on Switch C and Switch D are similar to the configuration on Switch B 3 Verify the configuration After the IGMP Snooping querier starts to work all the switches but the querier can receive IGMP general queries By using the display igmp snooping statistics command you can view the statistics informati...

Page 442: ...s to join specific multicast groups the hosts can still receive multicast data addressed to other multicast groups Analysis z The ACL rule is incorrectly configured z The multicast group policy is not correctly applied z The function of dropping unknown multicast data is not enabled so unknown multicast data is flooded Solution 1 Use the display acl command to check the configured ACL rule Make su...

Page 443: ... Prerequisites 1 3 Configuring Sub VLAN Based Multicast VLAN 1 3 Configuring Port Based Multicast VLAN 1 4 Configuration Prerequisites 1 4 Configuring User Port Attributes 1 4 Configuring Multicast VLAN Ports 1 5 Displaying and Maintaining Multicast VLAN 1 6 Multicast VLAN Configuration Examples 1 6 Sub VLAN Based Multicast VLAN Configuration 1 6 Port Based Multicast VLAN Configuration 1 10 ...

Page 444: ...Layer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 1 1 Multicast transmission without multicast VLAN The multicast VLAN feature configured on the Layer 2 device is the solution to this issue With the multicast VLAN feature the Layer 3 device needs to replicate the multicast traffic only in the multicast VLAN instead of mak...

Page 445: ...st A Host B and Host C are in three different user VLANs All the user ports ports with attached hosts on Switch A are hybrid ports On Switch A configure VLAN 10 as a multicast VLAN assign all the user ports to this multicast VLAN and enable IGMP Snooping in the multicast VLAN and all the user VLANs Figure 1 3 Port based multicast VLAN After the configuration upon receiving an IGMP message on a use...

Page 446: ...on is given preference Configuring Sub VLAN Based Multicast VLAN Configuration Prerequisites Before configuring sub VLAN based multicast VLAN complete the following tasks z Create VLANs as required z Enable IGMP Snooping in the VLAN to be configured as a multicast VLAN Configuring Sub VLAN Based Multicast VLAN In this approach you need to configure a VLAN as a multicast VLAN and then configure use...

Page 447: ...te port view are effective only for the current port configurations made in port group view are effective for all the ports in the current port group Configuration Prerequisites Before configuring port based multicast VLAN complete the following tasks z Create VLANs as required z Enable IGMP Snooping in the VLAN to be configured as a multicast VLAN z Enable IGMP Snooping in all the user VLANs Conf...

Page 448: ...y packets of VLAN 1 to pass For details about the port link type port hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring Multicast VLAN Ports In this approach you need to configure a VLAN as a multicast VLAN and then assign user ports to this multicast VLAN by either adding the user ports in the multicast VLAN or specifying the multicast VLAN on ...

Page 449: ...z A port can belong to only one multicast VLAN Displaying and Maintaining Multicast VLAN To do Use the command Remarks Display information about a multicast VLAN display multicast vlan vlan id Available in any view Multicast VLAN Configuration Examples Sub VLAN Based Multicast VLAN Configuration Network requirements z Router A connects to a multicast source through GigabitEthernet1 0 1 and to Swit...

Page 450: ...esses Configure an IP address and subnet mask for each interface as per Figure 1 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IP multicast routing enable PIM DM on each interface and enable IGMP on the host side interface GigabitEthernet 1 0 2 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1...

Page 451: ...onfiguration Display information about the multicast VLAN SwitchA display multicast vlan Total 1 multicast vlan s Multicast vlan 10 subvlan list vlan 2 4 port list no port View the IGMP Snooping multicast group information on Switch A SwitchA display igmp snooping group Total 4 IP Group s Total 4 IP Source s Total 4 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Re...

Page 452: ...s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 1 port GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 1 port GE1 0 4 Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host p...

Page 453: ...e port based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the multicast data to the receivers that belong to different user VLANs Network diagram Figure 1 5 Network diagram for port based multicast VLAN configuration Source Receiver Host A VLAN 2 GE1 0 2 GE1 0 3 GE1 0 4 Switch A IGMP querier Router A GE1 0 1 1 1 1 2 ...

Page 454: ...t 1 0 2 to permit packets of VLAN 2 and VLAN 10 to pass and untag the packets when forwarding them SwitchA interface gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 port link type hybrid SwitchA GigabitEthernet1 0 2 port hybrid pvid vlan 2 SwitchA GigabitEthernet1 0 2 port hybrid vlan 2 untagged SwitchA GigabitEthernet1 0 2 port hybrid vlan 10 untagged SwitchA GigabitEthernet1 0 2 quit The conf...

Page 455: ...ort C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 3 port GE1 0 2 GE...

Page 456: ...figuration Prerequisites 1 11 Enabling MLD Snooping Querier 1 11 Configuring MLD Queries and Responses 1 12 Configuring Source IPv6 Addresses of MLD Queries 1 13 Configuring an MLD Snooping Policy 1 14 Configuration Prerequisites 1 14 Configuring an IPv6 Multicast Group Filter 1 14 Configuring IPv6 Multicast Source Port Filtering 1 15 Configuring MLD Report Suppression 1 16 Configuring Maximum Mul...

Page 457: ...ween ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings As shown in Figure 1 1 when MLD Snooping is not running IPv6 multicast packets are broadcast to all devices at Layer 2 When MLD Snooping runs multicast packets for known IPv6 multicast groups are multicast to the receivers at Layer 2 Figure 1 1 Before and after MLD Snooping is enabled on the Layer 2 dev...

Page 458: ...ts Router port Member port Ports involved in MLD Snooping as shown in Figure 1 2 are described as follows z Router port A router port is a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or MLD querier In the figure GigabitEthernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its ro...

Page 459: ...itialized to the dynamic router port aging time MLD general query of which the source address is not 0 0 or IPv6 PIM hello The switch removes this port from its router port list Dynamic member port aging timer When a port dynamically joins an IPv6 multicast group the switch sets a timer for the port which is initialized to the dynamic member port aging time MLD report message The switch removes th...

Page 460: ...ed IPv6 multicast group the switch creates an entry adds the port as a dynamic member port to the outgoing port list and starts a member port aging timer for that port z If a forwarding table entry exists for the reported IPv6 multicast group but the port is not included in the outgoing port list for that group the switch adds the port as a dynamic member port to the outgoing port list and starts ...

Page 461: ...n the port suppose it is a dynamic member port before its aging timer expires this means that some host attached to the port is receiving or expecting to receive IPv6 multicast data for that IPv6 multicast group The switch resets the aging timer for the port z If no MLD report in response to the MLD multicast address specific query is received on the port before its aging timer expires this means ...

Page 462: ...oup view are effective only for all the ports in the current port group For a given port a configuration made in MLD Snooping view is effective only if the same configuration is not made in Ethernet port view Layer 2 aggregate port view or port group view z For MLD Snooping configurations made on a Layer 2 aggregate port do not interfere with configurations made on its member ports nor do they tak...

Page 463: ... MLDv1 and MLDv2 messages Follow these steps to configure the version of MLD Snooping To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the version of MLD Snooping mld snooping version version number Optional Version 1 by default If you switch MLD Snooping from version 2 to version 1 the system will clear all MLD Snooping forwarding entries from dyn...

Page 464: ...gure aging timers for dynamic ports globally To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Configure dynamic router port aging time router aging time interval Optional 260 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLAN Follow ...

Page 465: ...ember ports and static router ports never age out To remove such a port you need to use the corresponding undo command Configuring Simulated Joining Generally a host running MLD responds to MLD queries from the MLD querier If a host fails to respond due to some reasons the multicast router will deem that no member of this IPv6 multicast group exists on the network segment and therefore will remove...

Page 466: ...ber port Configuring Fast Leave Processing The fast leave processing feature allows the switch to process MLD done messages in a fast way With the fast leave processing feature enabled when receiving an MLD done message on a port the switch immediately removes that port from the outgoing port list of the forwarding table entry for the indicated IPv6 multicast group Then when receiving MLD done mul...

Page 467: ...ing querier prepare the following data z MLD general query interval z MLD last member query interval z Maximum response time for MLD general queries z Source IPv6 address of MLD general queries and z Source IPv6 address of MLD multicast address specific queries Enabling MLD Snooping Querier In an IPv6 multicast network running MLD a multicast router or Layer 3 multicast switch is responsible for s...

Page 468: ...wn to 0 the host sends an MLD report to the corresponding IPv6 multicast group An appropriate setting of the maximum response time for MLD queries allows hosts to respond to queries quickly and avoids bursts of MLD traffic on the network caused by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously z For MLD general queries you can configure t...

Page 469: ...se time for MLD general queries otherwise undesired deletion of IPv6 multicast members may occur Configuring Source IPv6 Addresses of MLD Queries This configuration allows you to change the source IPv6 address of MLD queries Follow these steps to configure source IPv6 addresses of MLD queries To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the sou...

Page 470: ... entry for this port in the MLD Snooping forwarding table otherwise the switch drops this report message Any IPv6 multicast data that fails the ACL check will not be sent to this port In this way the service provider can control the VOD programs provided for multicast users Configuring an IPv6 multicast group filter globally Follow these steps to configure an IPv6 multicast group globally To do Us...

Page 471: ...ort filtering globally Follow these steps to configure IPv6 multicast source port filtering To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable IPv6 multicast source port filtering source deny port interface list Required Disabled by default Configuring IPv6 multicast source port filtering on a port or a group of ports Follow these steps to confi...

Page 472: ...port suppression To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable MLD report suppression report aggregation Optional Enabled by default Configuring Maximum Multicast Groups that Can Be Joined on a Port By configuring the maximum number of IPv6 multicast groups that can be joined on a port or a group of ports you can limit the number of multica...

Page 473: ... in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automatically A typical example is channel switching namely by joining the new multicast group a user automatically switches from the current IPv6 multicast group to the new one To address this situation you can enable the IPv6 multicast group replacement function on ...

Page 474: ...ing IPv6 multicast group replacement Otherwise the IPv6 multicast group replacement functionality will not take effect Displaying and Maintaining MLD Snooping To do Use the command Remarks View MLD Snooping multicast group information display mld snooping group vlan vlan id verbose Available in any view View the statistics information of MLD messages learned by MLD Snooping display mld snooping st...

Page 475: ...even if Host A and Host B accidentally temporarily stop receiving IPv6 multicast data Network diagram Figure 1 3 Network diagram for IPv6 group policy simulated joining configuration Source Router A Switch A Receiver Receiver Host B Host A Host C GE1 0 1 GE1 0 4 GE1 0 2 GE1 0 3 MLD querier 1 1 64 GE1 0 1 2001 1 64 GE1 0 2 1 2 64 Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 a...

Page 476: ... group policy 2001 vlan 100 SwitchA mld snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts for IPv6 multicast group FF1E 101 SwitchA interface gigabitethernet 1 0 3 SwitchA GigabitEthernet1 0 3 mld snooping host join ff1e 101 vlan 100 SwitchA GigabitEthernet1 0 3 quit SwitchA interface gigabitethernet 1 0 4 SwitchA GigabitEthernet1 0 4 mld snooping host join...

Page 477: ...ired to be configured as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the network To avoid data loops the forwarding path from Switch A to Switch C is blocked under normal conditions and IPv6 multicast traffic flows to the receivers attached to Switch C only along the path of Switch A Switch B Switch C z It is ...

Page 478: ...PIM DM on each interface and enable MLD on GigabitEthernet 1 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 mld enable RouterA GigabitEthernet1 0 1 pim ipv6 dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim ipv6 dm RouterA GigabitEthernet1 0 2 quit 3 Confi...

Page 479: ...thernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable MLD Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 mld snooping enable SwitchC vlan100 quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 5 as static member ports for IPv6 multicast group FF1E 101 SwitchC interface GigabitEthernet 1 0 3 SwitchC Gi...

Page 480: ...00 on Switch C SwitchC display mld snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 2 D 00 01 23 IP group s the following ip group s match to one mac group IP group...

Page 481: ...he MLD Snooping querier Network diagram Figure 1 5 Network diagram for MLD Snooping querier configuration Configuration procedure 1 Configure Switch A Enable IPv6 forwarding and enable MLD Snooping globally SwitchA system view SwitchA ipv6 SwitchA mld snooping SwitchA mld snooping quit Create VLAN 100 and assign GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to VLAN 100 SwitchA vlan 100 Switc...

Page 482: ...al queries 3 Received MLDv1 specific queries 0 Received MLDv1 reports 12 Received MLD dones 0 Sent MLDv1 specific queries 0 Received MLDv2 reports 0 Received MLDv2 reports with right and wrong records 0 Received MLDv2 specific queries 0 Received MLDv2 specific sg queries 0 Sent MLDv2 specific queries 0 Sent MLDv2 specific sg queries 0 Received error MLD messages 0 Troubleshooting MLD Snooping Swit...

Page 483: ...gured z The IPv6 multicast group policy is not correctly applied Solution 1 Use the display acl ipv6 command to check the configured IPv6 ACL rule Make sure that the IPv6 ACL rule conforms to the IPv6 multicast group policy to be implemented 2 Use the display this command in MLD Snooping view or the corresponding port view to check whether the correct IPv6 multicast group policy has been applied I...

Page 484: ...uisites 1 3 Configuring Sub VLAN Based IPv6 Multicast VLAN 1 3 Configuring Port Based IPv6 Multicast VLAN 1 4 Configuration Prerequisites 1 4 Configuring User Port Attributes 1 4 Configuring IPv6 Multicast VLAN Ports 1 5 Displaying and Maintaining IPv6 Multicast VLAN 1 6 IPv6 Multicast VLAN Configuration Examples 1 6 Sub VLAN Based Multicast VLAN Configuration Example 1 6 Port Based Multicast VLAN...

Page 485: ... to the Layer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 1 1 Multicast transmission without IPv6 multicast VLAN The IPv6 multicast VLAN feature configured on the Layer 2 device is the solution to this issue With the IPv6 multicast VLAN feature the Layer 3 device needs to replicate the multicast traffic only in the IPv6 m...

Page 486: ... in Figure 1 3 Host A Host B and Host C are in three different user VLANs All the user ports are hybrid ports On Switch A configure VLAN 10 as an IPv6 multicast VLAN assign all the user ports to this IPv6 multicast VLAN and enable MLD Snooping in the IPv6 multicast VLAN and all the user VLANs Figure 1 3 Port based IPv6 multicast VLAN After the configuration upon receiving an MLD message on a user ...

Page 487: ...icast VLAN on a device the port based IPv6 multicast VLAN configuration is given preference Configuring IPv6 Sub VLAN Based IPv6 Multicast VLAN Configuration Prerequisites Before configuring sub VLAN based IPv6 multicast VLAN complete the following tasks z Create VLANs as required z Enable MLD Snooping in the VLAN to be configured as an IPv6 multicast VLAN Configuring Sub VLAN Based IPv6 Multicast...

Page 488: ...e effective only for the current port configurations made in Layer 2 aggregate port view are effective only for the current port configurations made in port group view are effective for all the ports in the current port group Configuration Prerequisites Before configuring port based IPv6 multicast VLAN complete the following tasks z Create VLANs as required z Enable MLD Snooping in the VLAN to be ...

Page 489: ...rt hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring IPv6 Multicast VLAN Ports In this approach you need to configure a VLAN as an IPv6 multicast VLAN and then assign user ports to this IPv6 multicast VLAN by either adding the user ports in the IPv6 multicast VLAN or specifying the IPv6 multicast VLAN on the user ports These two methods give the...

Page 490: ...belong to only one IPv6 multicast VLAN Displaying and Maintaining IPv6 Multicast VLAN To do Use the command Remarks Display information about an IPv6 multicast VLAN display multicast vlan ipv6 vlan id Available in any view IPv6 Multicast VLAN Configuration Examples Sub VLAN Based Multicast VLAN Configuration Example Network requirements z As shown in Figure 1 4 Router A connects to an IPv6 multica...

Page 491: ...igure an IPv6 address and address prefix for each interface as per Figure 1 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IPv6 multicast routing enable IPv6 PIM DM on each interface and enable MLD on the host side interface GigabitEthernet 1 0 2 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEtherne...

Page 492: ... display multicast vlan ipv6 Total 1 IPv6 multicast vlan s IPv6 Multicast vlan 10 subvlan list vlan 2 4 port list no port View the MLD Snooping IPv6 multicast group information on Switch A SwitchA display mld snooping group Total 4 IP Group s Total 4 IP Source s Total 4 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 2 Total 1 IP Group ...

Page 493: ...Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 0 port MAC group s MAC group address 3333 0000 0101 Host port s total 0 port As shown above MLD Snooping is maintaining the router port in the IPv6 multicast VLAN VLAN 10 and the member ports in the sub VLANs VL...

Page 494: ... 2 GE1 0 2 GE1 0 3 GE1 0 4 Switch A MLD querier Router A GE1 0 1 1 2 64 GE1 0 2 2001 1 64 1 1 64 Receiver Host B VLAN 3 Receiver Host C VLAN 4 GE1 0 1 Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 addresses Enable IPv6 forwarding on each device and configure the IPv6 address and address prefix for each interface as per Figure 1 5 The detailed configuration steps are omitted h...

Page 495: ...SwitchA GigabitEthernet1 0 2 port hybrid vlan 10 untagged SwitchA GigabitEthernet1 0 2 quit The configuration for GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration steps are omitted Configure VLAN 10 as an IPv6 multicast VLAN SwitchA multicast vlan ipv6 10 Assign GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 to IPv6 multicast VLAN 10 SwitchA ipv6 mvlan 10 port...

Page 496: ...MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC group s MAC group address 3333 0000 0101 Host port s total 3 port GE1 0 2 GE1 0 3 GE1 0 4 As shown above MLD Snooping is maintaining router ports and member ports in VLAN 10 ...

Page 497: ...ng the delay jitter and packet loss rate This document describes z QoS overview z QoS policy configuration z Priority mapping configuration z Traffic policing Configuration z Line rate configuration z Congestion management z Traffic filtering configuration z Priority marking configuration z Traffic redirecting configuration z Class Based accounting configuration User Profile User profile provides ...

Page 498: ...ng Overview 3 1 Introduction to Priority Mapping 3 1 Priority Mapping Tables 3 1 Priority Trust Mode on a Port 3 2 Priority Mapping Procedure 3 2 Priority Mapping Configuration Tasks 3 3 Configuring Priority Mapping 3 4 Configuring a Priority Mapping Table 3 4 Configuring the Priority Trust Mode on a Port 3 4 Configuring the Port Priority of a Port 3 5 Displaying and Maintaining Priority Mapping 3...

Page 499: ...Example 6 2 Traffic Filtering Configuration Example 6 2 7 Priority Marking Configuration 7 1 Priority Marking Overview 7 1 Configuring Priority Marking 7 1 Priority Marking Configuration Example 7 2 Priority Marking Configuration Example 7 2 8 Traffic Redirecting Configuration 8 1 Traffic Redirecting Overview 8 1 Traffic Redirecting 8 1 Configuring Traffic Redirecting 8 1 9 Class Based Accounting ...

Page 500: ...e QoS techniques used most widely Using these techniques reasonably in the specific environments you can improve the QoS effectively Introduction to QoS Service Models This section covers three typical QoS service models z Best effort service z Integrated service IntServ z Differentiated service DiffServ Best Effort Service Model Best effort is a single service model and also the simplest service ...

Page 501: ...Positions of the QoS techniques in a network As shown in Figure 1 1 traffic classification traffic shaping traffic policing congestion management and congestion avoidance mainly implement the following functions z Traffic classification uses certain match criteria to organize packets with different characteristics into different classes Traffic classification is the basis for providing differentia...

Page 502: ...gestion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port As congestion becomes worse it actively reduces the amount of traffic by dropping packets ...

Page 503: ...uring QoS policies A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing Before configuring a QoS policy be familiar with these concepts class traffic behavior and policy Class Classes are used to identify traffic A class is identified by a class name and contains some match criteria for traffic identification The relationsh...

Page 504: ...er tcl name operator and or Required By default the relationship between match criteria is AND Configure match criteria if match match criteria Required match criteria Match criterion Table 2 1 shows the available criteria Table 2 1 The keyword and argument combinations for the match criteria argument Form Description acl access list number name acl name Specifies to match an IPv4 ACL specified by...

Page 505: ... Specifies to match packets by DSCP precedence The dscp list argument is a list of DSCP values in the range of 0 to 63 ip precedence ip precedence list Specifies to match packets by IP precedence The ip precedence list argument is a list of IP precedence values in the range of 0 to 7 protocol protocol name Specifies to match the packets of a specified protocol The protocol name argument can be IP ...

Page 506: ...eria listed above ensure that the operator of the class is OR Defining a Traffic Behavior To define a traffic behavior you must first create it and then configure QoS actions such as priority marking and redirect in traffic behavior view Follow these steps to define a traffic behavior To do Use the command Remarks Enter system view system view Create a traffic behavior and enter traffic behavior v...

Page 507: ...To check whether a QoS policy has been applied successfully use the display qos policy interface command z The switch may save the applications of some QoS policies that have failed to be applied due to insufficient hardware resources in the configuration file After the switch reboots these policies may preempt other user configurations for resources resulting in loss of configurations Suppose tha...

Page 508: ...an be applied To modify a QoS policy already applied in a certain direction remove the QoS policy application first Follow these steps to apply the QoS policy to online users To do Use the command Remarks Enter system view system view Enter user profile view user profile profile name Required The configuration made in user profile view takes effect when the user profile is activated and there are ...

Page 509: ... apply the QoS policy to a VLAN To do Use the command Remarks Enter system view system view Apply the QoS policy to VLANs qos vlan policy policy name vlan vlan id list inbound Required z QoS policies cannot be applied to dynamic VLANs for example VLANs created by GVRP z Do not apply a QoS policy to a VLAN and the ports in the VLAN at the same time Applying the QoS policy globally You can apply a Q...

Page 510: ...raffic behavior user defined behavior name Available in any view Display information about a class display traffic classifier user defined classifier name Available in any view Display information about QoS policies applied to VLANs display qos vlan policy name policy name vlan vlan id inbound Available in any view Display information about QoS policies applied globally display qos policy global i...

Page 511: ...lly scheduled z Drop precedence is used for making packet drop decisions Packets with the highest drop precedence are dropped preferentially When a packet enters the device from a port the device assigns a set of QoS priority parameters to the packet based on a certain priority and sometimes may modify its priority according to certain rules depending on device status This process is called priori...

Page 512: ... carried in packets There are three priority trust modes on Switch 4500G series switches z dot1p Uses the 802 1p priority carried in packets for priority mapping z dscp Uses the DSCP carried in packets for priority mapping z undo qos trust Uses the port priority as the 802 1p priority for priority mapping The port priority is user configurable The priority mapping procedure varies with the priorit...

Page 513: ...e port priority as the 802 1p priority for priority mapping Look up the dot1p dp and dot1p lp mapping tables Mark the packet with local precedence and drop precedence Port priority The priority mapping procedure presented above applies in the absence of priority marking If priority marking is configured the device performs priority marking before priority mapping and then uses the re marked packet...

Page 514: ...ping table display qos map table dot1p dp dot1p lp dscp dot1p dscp dp dscp dscp Optional Available in any view You cannot configure mapping any DSCP value to drop precedence 1 Configuring the Priority Trust Mode on a Port Follow these steps to configure the trusted packet priority type on an interface port group To do Use the command Remarks Enter system view system view Enter interface view inter...

Page 515: ...oup name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Configure the port priority qos priority priority value Required The default port priority is 0 Display the trusted packet priority type and the priorities of an interface display qos trust interface interface type interface number Optio...

Page 516: ...o 4 z The management department connects to GigabitEthernet 1 0 3 of Device which sets the 802 1p priority of traffic from the management department to 5 Configure port priority 802 1p to local priority mapping table and priority marking to implement the plan as described in Table 3 1 Table 3 1 Configuration plan Queuing plan Traffic destination Traffic Priority order Traffic source Output queue Q...

Page 517: ...igabitethernet 1 0 2 Device GigabitEthernet1 0 2 qos priority 4 Device GigabitEthernet1 0 2 quit Set the port priority of GigabitEthernet 1 0 3 to 5 Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 3 qos priority 5 Device GigabitEthernet1 3 quit 2 Configure the priority mapping table Configure the 802 1p to local priority mapping table to map 802 1p priority values 3 4 and 5 to local...

Page 518: ...avior admin quit Device qos policy admin Device qospolicy admin classifier http behavior admin Device qospolicy admin quit Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 0 3 qos apply policy admin inbound Configure a priority marking policy for the marketing department and apply the policy to the incoming traffic of GigabitEthernet 1 0 1 Device traffic behavior market Device behavi...

Page 519: ... is analogous to a container holding a certain number of tokens The system puts tokens into the bucket at a set rate When the token bucket is full the extra tokens overflows Evaluating traffic with the token bucket The evaluation of traffic specifications is based on whether the number of tokens in the bucket can meet the need of packet forwarding Generally one token is associated with a 1 bit for...

Page 520: ...E bucket has enough tokens packets are colored yellow z If neither the C bucket nor the E bucket has sufficient tokens packets are colored red Traffic Policing A typical application of traffic policing is to supervise the specification of certain traffic entering a network and limit it within a reasonable range or to discipline the extra traffic In this way the network resources and the interests ...

Page 521: ...ns are available in the token bucket if tokens are inadequate packets cannot be transmitted until the required number of tokens are generated in the token bucket Thus traffic rate is restricted to the rate for generating tokens thus limiting traffic rate and allowing bursty traffic Line rate can only limit the total traffic rate on a physical port while traffic policing can limit the rate of a flo...

Page 522: ...1 0 1 to limit the rate of received HTTP traffic to 512 kbps and drop the exceeding traffic Enter system view Sysname system view Configure advanced ACL 3000 to match HTTP traffic Sysname acl number 3000 Sysname acl adv 3000 rule permit tcp destination port eq 80 Sysname acl adv 3000 quit Create a class named http and reference ACL 3000 in the class to match HTTP traffic Sysname traffic classifier...

Page 523: ...rmation rate cbs committed burst size Required Configuration Example Limit the outbound line rate of GigabitEthernet 1 0 1 to 512 kbps Enter system view Sysname system view Enter interface view Sysname interface gigabitethernet 1 0 1 Limit the outbound line rate of GigabitEthernet 1 0 1 to 512 kbps Sysname GigabitEthernet1 0 1 qos lr outbound cir 512 Displaying and Maintaining Traffic Policing GTS...

Page 524: ...wo common cases Figure 5 1 Traffic congestion causes 100M 10M 100M 10M 50M 100M 100M 100M 100M 50M 10M 10M 1 2 Congestion may bring these negative results z Increased delay and jitter during packet transmission z Decreased network throughput and resource use efficiency z Network resource memory in particular exhaustion and even system breakdown Congestion is unavoidable in switched networks and mu...

Page 525: ...ueuing As shown in Figure 5 2 SP queuing classifies eight queues on a port into eight classes numbered 7 to 0 in descending priority order SP queuing schedules the eight queues strictly according to the descending order of priority It sends packets in the queue with the highest priority first When the queue with the highest priority is empty it sends packets in the queue with the second highest pr...

Page 526: ...tage of SP queuing that packets in low priority queues may fail to be served for a long time Another advantage of WRR queuing is that while the queues are scheduled in turn the service time for each queue is not fixed that is if a queue is empty the next queue will be scheduled immediately This improves bandwidth resource use efficiency WFQ queuing Figure 5 4 Schematic diagram for WFQ queuing WFQ ...

Page 527: ...e port currently with the precedence being 0 1 2 3 and 4 and the minimum guaranteed bandwidth being 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps respectively z The assignable bandwidth 10 Mbps 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps 9 5 Mbps z The total assignable bandwidth quota is the sum of all the precedence value 1 s that is 1 2 3 4 5 15 z The bandwidth percentage assigned to each fl...

Page 528: ...ce settings in port group view take effect on all ports in the port group Configure SP queuing qos sp Required By default all the ports adopt the WRR queue scheduling algorithm with the weight values assigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 Configuration example 1 Network requirements Configure GigabitEthernet 1 0 1 to use SP queuing 2 Configuration procedure Enter system vi...

Page 529: ... group with their weights being 1 2 4 6 8 10 12 and 14 2 Configuration procedure Enter system view Sysname system view Configure the WRR queues on port GigabitEthernet1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos wrr Sysname GigabitEthernet1 0 1 qos wrr 0 group 1 weight 1 Sysname GigabitEthernet1 0 1 qos wrr 1 group 1 weight 2 Sysname GigabitEthernet1 0 1 qos wrr 2...

Page 530: ...2 4 6 8 10 12 and 14 respectively z Set the minimum guaranteed bandwidth of queue 0 to 128 kbps 2 Configuration procedure Enter system view Sysname system view Configure WFQ queues on GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos wfq Sysname GigabitEthernet1 0 1 qos wfq 0 weight 1 Sysname GigabitEthernet1 0 1 qos wfq 1 weight 2 Sysname GigabitEthern...

Page 531: ...assigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 Configuration Example Network requirements z Configure to adopt SP WRR queue scheduling algorithm on GigabitEthernet1 0 1 z Configure queue 0 queue 1 queue 2 and queue 3 on GigabitEthernet1 0 1 to be in SP queue scheduling group z Configure queue 4 queue 5 queue 6 and queue 7 on GigabitEthernet1 0 1 to be in WRR queue scheduling group...

Page 532: ...nfiguration information display qos wrr interface interface type interface number Display SP queue configuration information display qos sp interface interface type interface number Display WFQ queue configuration information display qos wfq interface interface type interface number Available in any view ...

Page 533: ...ffic filtering Alternatively you can implement traffic filtering on a port by directly applying an ACL on the port For the configuration procedure refer to ACL Configuration in the Security Volume Configuring Traffic Filtering Follow these steps to configure traffic filtering To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name...

Page 534: ...e effect Traffic Filtering Configuration Example Traffic Filtering Configuration Example Network requirements As shown in Figure 6 1 Host is connected to GigabitEthernet 1 0 1 of Device Configure traffic filtering to filter the packets whose source port is 21 received on GigabitEthernet 1 0 1 Figure 6 1 Network diagram for traffic filtering configuration Configuration procedure Create advanced ACL...

Page 535: ...or_1 quit Create a policy named policy and associate class classifier_1 with behavior behavior_1 in the policy DeviceA qos policy policy DeviceA qospolicy policy classifier classifier_1 behavior behavior_1 DeviceA qospolicy policy quit Apply the policy named policy to the incoming traffic of GigabitEthernet 1 0 1 DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 qos apply policy...

Page 536: ...change its transmission priority in the network To configure priority marking you can associate a class with a behavior configured with the priority marking action to set the priority fields or flag bits of the class of packets Configuring Priority Marking Follow these steps to configure priority marking To do Use the command Remarks Enter system view system view Create a class and enter class vie...

Page 537: ...pplying the QoS policy to a VLAN Display the priority marking configuration display traffic behavior user defined behavior name Optional Available in any view Priority Marking Configuration Example Priority Marking Configuration Example Network requirements As shown in Figure 7 1 the enterprise network of a company interconnects hosts with servers through Device The network is described as follows...

Page 538: ... destination IP address 192 168 0 3 Device acl number 3002 Device acl adv 3002 rule permit ip destination 192 168 0 3 0 Device acl adv 3002 quit Create a class named classifier_dbserver and reference ACL 3000 in the class Device traffic classifier classifier_dbserver Device classifier classifier_dbserver if match acl 3000 Device classifier classifier_dbserver quit Create a class named classifier_m...

Page 539: ...r behavior_fserver Device behavior behavior_fserver remark local precedence 2 Device behavior behavior_fserver quit Create a policy named policy_server and associate classes with behaviors in the policy Device qos policy policy_server Device qospolicy policy_server classifier classifier_dbserver behavior behavior_dbserver Device qospolicy policy_server classifier classifier_mserver behavior behavi...

Page 540: ...e to only Layer 2 packets and the target interface should be a Layer 2 interface Configuring Traffic Redirecting Follow these steps to configure traffic redirecting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and...

Page 541: ...ng traffic to the CPU and the action of redirecting traffic to an interface are mutually exclusive with each other in the same traffic behavior z You can use the display traffic behavior command to view the traffic redirecting configuration ...

Page 542: ...ing Follow these steps to configure class based accounting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior view traffic behavior behavior name Required Configure the accounting action accounting Op...

Page 543: ... 1 DeviceA system view DeviceA acl number 2000 DeviceA acl basic 2000 rule permit source 1 1 1 1 0 DeviceA acl basic 2000 quit Create a class named classifier_1 and reference ACL 2000 in the class DeviceA traffic classifier classifier_1 DeviceA classifier classifier_1 if match acl 2000 DeviceA classifier classifier_1 quit Create behavior behavior_1 and configure an accounting action in the behavio...

Page 544: ...configuration DeviceA display qos policy interface gigabitethernet 1 0 1 Interface GigabitEthernet1 0 1 Direction Inbound Policy policy Classifier classifier_1 Operator AND Rule s If match acl 2000 Behavior behavior_1 Accounting Enable 58 Packets ...

Page 545: ...Class Based Weighted Fair Queuing CE Customer Edge CIR Committed Information Rate CQ Custom Queuing DAR Deeper Application Recognition DiffServ Differentiated Service DSCP Differentiated Services Codepoint EACL Enhanced ACL EBS Excess Burst Size EF Expedited Forwarding FEC Forwarding Equivalence Class FIFO First in First out GTS Generic Traffic Shaping IntServ Integrated Service ISP Internet Servi...

Page 546: ...c Shaping VoIP Voice over IP VPN Virtual Private Network WFQ Weighted Fair Queuing WRED Weighted Random Early Detection Appendix B Default Priority Mapping Tables Uncolored Priority Mapping Tables For the default dscp dscp priority mapping table an input value yields a target value that is equal to it Table 10 2 The default dot1p lp dot1p dp dot1p dscp and dot1p rpr priority mapping tables Input p...

Page 547: ...to 39 0 4 40 to 47 0 5 48 to 55 0 6 56 to 63 0 7 Appendix C Introduction to Packet Precedences IP Precedence and DSCP Values Figure 10 1 ToS and DS fields As shown in Figure 10 1 the ToS field of the IP header contains eight bits and the first three bits 0 to 2 represent IP precedence from 0 to 7 According to RFC 2474 the ToS field of the IP header is redefined as the differentiated services DS fi...

Page 548: ...7 111 network Table 10 5 Description on DSCP values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af23 26 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 cs7 0 000000 ...

Page 549: ...f the 802 1Q tag header The Priority field in the 802 1Q tag header is called the 802 1p priority because its use is defined in IEEE 802 1p Table 10 6 presents the values for 802 1p priority Figure 10 3 802 1Q tag header 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 Priority VLAN ID TPID Tag protocol identifier TCI Tag control information Byte 1 Byte 2 0 Byte 3 Byte 4 CFI 7 5 4 3 2 1 0 7 5 4 3 2 1 0 6 6 7 5 4 3 2...

Page 550: ...ion 1 1 User Profile Overview 1 1 User Profile Configuration 1 1 User Profile Configuration Task List 1 1 Creating a User Profile 1 2 Applying a QoS Policy to User Profile 1 2 Enabling a User Profile 1 3 Displaying and Maintaining User Profile 1 3 ...

Page 551: ... access no users pass the authentication or users have logged out user profile does not take effect as it is a predefined configuration With user profile you can z Make use of system resources more granularly For example without user profile you can apply a QoS policy based on interface VLAN globally and so on This QoS policy is applicable to a group of users With user profile however you can appl...

Page 552: ...ts you will directly enter the corresponding user profile view The configuration made in user profile view takes effect when the user profile is enabled and the corresponding users are online Refer to 802 1X Configuration in the Security Volume for detailed information about 802 1X authentication Applying a QoS Policy to User Profile After a user profile is created you need to configure detailed i...

Page 553: ...r being enabled Follow these steps to enable a user profile To do Use the command Remarks Enter system view system view Enable a user profile user profile profile name enable Required A user profile is disabled by default z Only an enabled user profile can be used by a user You cannot modify or remove the configuration items in a user profile until the user profile is disabled z Disabling a user p...

Page 554: ...simplified as 802 1X is a port based network access control protocol that is used as the standard for LAN user access authentication This document describes z 802 1X overview z 802 1X configuration z 802 1X Guest VLAN configuration HABP On an HABP capable switch HABP packets can bypass 802 1X authentication and MAC authentication allowing communication among switches in a cluster This document des...

Page 555: ...ent z Configuring an SFTP Server z Configuring an SFTP Client PKI The Public Key Infrastructure PKI is a hierarchical framework designed for providing information security through public key technologies and digital certificates and verifying the identities of the digital certificate owners This document describes PKI related configuration SSL Secure Sockets Layer SSL is a security protocol provid...

Page 556: ...an ISP Domain 1 15 Configuring AAA Accounting Methods for an ISP Domain 1 17 Configuring Local User Attributes 1 18 Configuring User Group Attributes 1 21 Tearing down User Connections Forcibly 1 21 Displaying and Maintaining AAA 1 21 Configuring RADIUS 1 22 Creating a RADIUS Scheme 1 22 Specifying the RADIUS Authentication Authorization Servers 1 23 Specifying the RADIUS Accounting Servers and Re...

Page 557: ...nfiguring Attributes Related to the Data Sent to HWTACACS Server 1 34 Setting Timers Regarding HWTACACS Servers 1 35 Displaying and Maintaining HWTACACS 1 36 AAA Configuration Examples 1 36 AAA for Telnet Users by a HWTACACS Server 1 36 AAA for Telnet Users by Separate Servers 1 38 AAA for SSH Users by a RADIUS Server 1 39 Troubleshooting AAA 1 42 Troubleshooting RADIUS 1 42 Troubleshooting HWTACA...

Page 558: ...ion Task List z Configuring AAA z Configuring RADIUS z Configuring HWTACACS z AAA Configuration Examples z Troubleshooting AAA Introduction to AAA Authentication Authorization and Accounting AAA provides a uniform framework for configuring these three security functions to implement network security management AAA usually uses a client server model where the client runs on the network access serve...

Page 559: ...ed to configure an accounting server As described above AAA provides a uniform framework to implement network security management It is a security mechanism that enables authenticated and authorized entities to access specific resources and records operations of the entities The AAA framework thus allows for excellent scalability and centralized user information management AAA can be implemented t...

Page 560: ...values Security and Authentication Mechanisms Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key which is never transmitted over the network This enhances the information exchange security In addition to prevent user passwords from being intercepted in non secure networks RADIUS encrypts passwords before transmitting them A RADIUS server supports...

Page 561: ...horization information If the authentication fails it returns an Access Reject message 4 The RADIUS client permits or denies the user according to the returned authentication result If it permits the user it sends a start accounting request Accounting Request to the RADIUS server 5 The RADIUS server returns a start accounting response Accounting Response and starts accounting 6 The user accesses t...

Page 562: ...esponse 4 Accounting Request From the client to the server A packet of this type carries user information for the server to start stop accounting for the user It contains the Acct Status Type attribute which indicates whether the server is requested to start the accounting or to end the accounting 5 Accounting Response From the server to the client The server sends to the client a packet of this t...

Page 563: ...e Type and Length fields Table 1 2 RADIUS attributes No Attribute No Attribute 1 User Name 45 Acct Authentic 2 User Password 46 Acct Session Time 3 CHAP Password 47 Acct Input Packets 4 NAS IP Address 48 Acct Output Packets 5 NAS Port 49 Acct Terminate Cause 6 Service Type 50 Acct Multi Session Id 7 Framed Protocol 51 Acct Link Count 8 Framed IP Address 52 Acct Input Gigawords 9 Framed IP Netmask ...

Page 564: ...el Server Auth id The attribute types listed in Table 1 2 are defined by RFC 2865 RFC 2866 RFC 2867 and RFC 2568 Extended RADIUS Attributes The RADIUS protocol features excellent extensibility Attribute 26 Vender Specific defined by RFC 2865 allows a vender to define extended attributes to implement functions that the standard RADIUS protocol does not provide A vendor can encapsulate multiple type...

Page 565: ...shared keys for user information security and having good flexibility and extensibility Meanwhile they also have differences as listed in Table 1 3 Table 1 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP providing more reliable network transmission Uses UDP providing higher transport efficiency Encrypts the entire packet except for the HWTACACS header Encrypts only the u...

Page 566: ...ng request 19 Stop accounting response 10 Authentication continuance packet with the login password 1 A Telnet user sends an access request to the NAS 2 Upon receiving the request the HWTACACS client sends a start authentication packet to the HWTACACS server 3 The HWTACACS server sends back an authentication response requesting the username 4 Upon receiving the response the HWTACACS client asks th...

Page 567: ...to AAA RADIUS HWTACACS include z RFC 2865 Remote Authentication Dial In User Service RADIUS z RFC 2866 RADIUS Accounting z RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support z RFC 2868 RADIUS Attributes for Tunnel Protocol Support z RFC 2869 RADIUS Extensions z RFC 1492 An Access Control Protocol Sometimes Called TACACS AAA Configuration Task List The basic procedure to configure...

Page 568: ...Attributes Optional Configuring User Group Attributes Optional Tearing down User Connections Forcibly Optional Displaying and Maintaining AAA Optional RADIUS Configuration Task List Task Remarks Creating a RADIUS Scheme Required Specifying the RADIUS Authentication Authorization Servers Required Specifying the RADIUS Accounting Servers and Relevant Parameters Optional Setting the Shared Key for RA...

Page 569: ...orization accounting policies for all the other types of users For a user who has logged in to the device AAA can provide the command authorization service to enhance device security Allows the authorization server to check each command executed by the login user and only authorized commands can be successfully executed Configuration Prerequisites For remote authentication authorization or account...

Page 570: ...s a username without an ISP domain name the device uses the authentication method configured for the default ISP domain to authenticate the user Configuring ISP Domain Attributes Follow these steps to configure ISP domain attributes To do Use the command Remarks Enter system view system view Create an ISP domain and enter ISP domain view domain isp name Required Place the ISP domain to the state o...

Page 571: ...or extended RADIUS protocol in collaboration with systems like iMC to implement user authentication Remote authentication features centralized information management high capacity high reliability and support for centralized authentication for multiple devices You can configure local authentication as the backup method in case the remote server is not available You can configure AAA authentication...

Page 572: ...SP Domain In AAA authorization is a separate process at the same level as authentication and accounting Its responsibility is to send authorization requests to the specified authorization server and to send authorization information to users Authorization method configuration is optional in AAA configuration AAA supports the following authorization methods z No authorization Every user is trusted ...

Page 573: ...AAA authorization methods for an ISP domain To do Use the command Remarks Enter system view system view Create an ISP domain and enter ISP domain view domain isp name Required Specify the default authorization method for all types of users authorization default hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local Optional local by default Specify the command...

Page 574: ...iguring AAA Accounting Methods for an ISP Domain In AAA accounting is a separate process at the same level as authentication and authorization Its responsibility is to send accounting start update end requests to the specified accounting server Accounting is not required and therefore accounting method configuration is optional AAA supports the following accounting methods z No accounting The syst...

Page 575: ...l command configured a user to be disconnected can still use the network resources even when there is no available accounting server or communication with the current accounting server fails z The local accounting is not used for accounting implementation but together with the attribute access limit command for limiting the number of local user connections However with the accounting optional comm...

Page 576: ...all attributes of the group such as authorization attributes For details about local user group refer to Configuring User Group Attributes z Binding attributes Binding attributes including the ISDN calling number IP address access port MAC address and VLAN of a user are checked during authentication If a requesting user s attributes do not match the binding attributes configured for it on the acce...

Page 577: ...ed for a local user Set the expiration time of the user expiration date time Optional Not set by default Specify the user group for the local user group group name Optional By default a local user belongs to default user group system Note that z With the local user password display mode cipher force command configured a local user password is always displayed in cipher text regardless of the confi...

Page 578: ...ded local user belongs to the user group of system and bears all attributes of the group User group system is automatically created by the device Follow these steps to configure the attributes for a user group To do Use the command Remarks Enter system view system view Create a user group and enter user group view user group group name Required Configure the authorization attributes for the user g...

Page 579: ...the scheme The servers include authentication authorization servers and accounting servers or primary servers and secondary servers In other words the attributes of a RADIUS scheme mainly include IP addresses of primary and secondary servers shared key and RADIUS server type Actually the RADIUS protocol configurations only set the parameters necessary for the information interaction between a NAS ...

Page 580: ...ified the secondary one is used when the primary one is unreachable z In practice you may specify two RADIUS servers as the primary and secondary authentication authorization servers respectively At one time a server can be the primary authentication authorization server for a scheme and the secondary authentication authorization servers for another scheme z The IP addresses of the primary and sec...

Page 581: ...t transmission buffer allowing the device to buffer and resend a stop accounting request until it receives a response or the number of transmission retries reaches the configured limit In the latter case the device discards the packet z You can set the maximum number of accounting request transmission attempts on the device allowing the device to disconnect a user when the number of accounting req...

Page 582: ...ADIUS scheme and enter RADIUS scheme view radius scheme radius scheme name Required Not defined by default Set the number of retransmission attempts of RADIUS packets retry retry times Optional 3 by default z The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75 z Refer to the timer response timeout command...

Page 583: ...ver if accounting has already started no matter whether the primary server recovers or not z When the primary server and secondary server are both in block state the device communicates with the primary server If the primary server is available its status changes to active otherwise the status of the primary server remains the same z If one server is in active state while the other is in block sta...

Page 584: ...reate a RADIUS scheme and enter RADIUS scheme view radius scheme radius scheme name Required Not defined by default Specify the format of the username to be sent to a RADIUS server user name format keep original with domain without domain Optional By default the ISP domain name is included in the username Specify the unit for data flows or packets to be sent to a RADIUS server data flow format dat...

Page 585: ...ting request it has to resend the request so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout timer to control the transmission interval z Primary server quiet timer timer quiet If the primary server is not reachable its state changes to blocked and the device will turn to the specified secondary server If the secondary server is reach...

Page 586: ... RADIUS Accounting On With the accounting on feature enabled a device sends whenever it reboots accounting on packets to the RADIUS server so that the server logs out users that have logged in through the device before the reboot This solves the problem that users online before the reboot cannot re log in after the reboot Once configured the accounting on feature functions immediately after the de...

Page 587: ...security policy server use the same IP address you need not configure this task To implement EAD you need to use the security policy server command to specify the IP addresses of the iMC policy server and iMC configuration platform Follow these steps to specify a security policy server To do Use the command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius sche...

Page 588: ...buffered stop accounting requests that get no responses reset stop accounting buffer radius scheme radius server name session id session id time range start time stop time user name user name Available in user view Configuring HWTACACS Different from RADIUS except for deleting HWTACACS schemes and changing the IP addresses of the HWTACACS servers you can make any changes to HWTACACS parameters whe...

Page 589: ...nded to specify only the primary HWTACACS authentication server if backup is not required z If both the primary and secondary authentication servers are specified the secondary one is used when the primary one is not reachable z The IP addresses of the primary and secondary authentication servers cannot be the same Otherwise the configuration fails z You can remove an authentication server only wh...

Page 590: ...sing it Specifying the HWTACACS Accounting Servers Follow these steps to specify the HWTACACS accounting servers and perform related configurations To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specify the primary HWTACACS accounting server primary accounting i...

Page 591: ...packets Only when the same key is used can they properly receive the packets and make responses Follow these steps to set the shared key for HWTACACS packets To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Set the shared keys for HWTACACS authentication authoriza...

Page 592: ...re sending the username to the server z The nas ip command in HWTACACS scheme view is only for the current HWTACACS scheme while the hwtacacs nas ip command in system view is for all HWTACACS schemes However the nas ip command in HWTACACS scheme view overwrites the configuration of the hwtacacs nas ip command Setting Timers Regarding HWTACACS Servers Follow these steps to set timers regarding HWTA...

Page 593: ... stop accounting buffer hwtacacs scheme hwtacacs scheme name Available in any view Clear HWTACACS statistics reset hwtacacs statistics accounting all authentication authorization Available in user view Clear buffered stop accounting requests that get no responses reset stop accounting buffer hwtacacs scheme hwtacacs scheme name Available in user view AAA Configuration Examples AAA for Telnet Users...

Page 594: ...g 10 1 1 1 49 Switch hwtacacs hwtac key authentication expert Switch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac key accounting expert Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the AAA methods for the domain Switch domain bbb Switch isp bbb authentication login hwtacacs scheme hwtac Switch isp bbb authorization login hwtacacs schem...

Page 595: ...for packets exchanged with the RADIUS server to expert Configuration of separate AAA for other types of users is similar to that given in this example The only difference lies in the access type Figure 1 8 Configure AAA by separate servers for Telnet users Configuration procedure Configure the IP addresses of various interfaces omitted Enable the Telnet server on the switch Switch system view Swit...

Page 596: ...accounting default radius scheme imc When telneting into the switch a user enters username telnet bbb for authentication using domain bbb AAA for SSH Users by a RADIUS Server Network requirements As shown in Figure 1 9 configure the switch to use the RADIUS server to provide authentication authorization and accounting services to SSH users z Configure an iMC server to act as the RADIUS server to p...

Page 597: ...ervice as the service type z Select 3Com as the access device type z Select the access device from the device list or manually add the device with the IP address of 10 1 1 2 z Click OK to finish the operation Figure 1 10 Add an access device Add a user for device management Log into the iMC management platform select the User tab and select Access User View Device Mgmt User from the navigation tre...

Page 598: ...0 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs and enable the SSH server Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Configure the switch to use AAA for SSH users Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Configure the user interfaces to support SSH Switch ui vty0 4 protocol inbound...

Page 599: ...e username is not in the format of userid isp name or no default ISP domain is specified for the NAS 3 The user is not configured on the RADIUS server 4 The password of the user is incorrect 5 The RADIUS server and the NAS are configured with different shared key Solution Check that 1 The NAS and the RADIUS server can ping each other 2 The username is in the userid isp name format and a default IS...

Page 600: ...uthorized but accounting for the user is not normal Analysis 1 The accounting port number is not correct 2 Configuration of the authentication authorization server and the accounting server are not correct on the NAS For example one server is configured on the NAS to provide all the services of authentication authorization and accounting but in fact the services are provided by different servers S...

Page 601: ...guring 802 1X for a Port 1 12 Configuring an 802 1X Guest VLAN 1 14 Displaying and Maintaining 802 1X 1 15 802 1X Configuration Example 1 15 Guest VLAN and VLAN Assignment Configuration Example 1 17 ACL Assignment Configuration Example 1 19 2 802 1X based EAD Fast Deployment Configuration 2 1 EAD Fast Deployment Overview 2 1 Overview 2 1 EAD Fast Deployment Implementation 2 1 Configuring EAD Fast ...

Page 602: ...ed on Ethernet as a common port access control mechanism As a port based access control protocol 802 1X authenticates devices connected to the 802 1X enabled LAN ports to control their access to the LAN The port security feature provides rich security modes that combine or extend 802 1X and MAC address authentication In a networking environment that requires flexible use of 802 1X and MAC address ...

Page 603: ...uthentication information between the client device and authentication server z Between the client and the device EAP protocol packets are encapsulated using EAPOL to be transferred on the LAN z Between the device and the RADIUS server EAP protocol packets can be handled in two modes EAP relay and EAP termination In EAP relay mode EAP protocol packets are encapsulated by using the EAP over RADIUS ...

Page 604: ...e access control modes include z authorized force Places the port in the authorized state allowing users of the ports to access the network without authentication z unauthorized force Places the port in the unauthorized state denying any access requests from users of the ports z auto Places the port in the unauthorized state initially to allow only EAPOL frames to pass and turns the ports into the...

Page 605: ...value of 0x02 Frame for logoff request present between a client and a device z Length Length of the data that is length of the Packet body field in bytes If the value of this field is 0 no subsequent data field is present z Packet body Content of the packet The format of this field varies with the value of the Type field EAP Packet Format An EAPOL frame of the type of EAP Packet carries an EAP pac...

Page 606: ...arded Figure 1 6 Encapsulation format of the Message Authenticator attribute 802 1X Authentication Triggering 802 1X authentication can be initiated by either a client or the device Unsolicited triggering of a client A client initiates authentication by sending an EAPOL Start frame to the device The destination address of the frame is 01 80 C2 00 00 03 the multicast address specified by the IEEE 8...

Page 607: ... EAP relay mode EAPOL EAPOR EAPOL Start EAP Request Identity EAP Response Identity EAP Request MD5 challenge EAP Success EAP Response MD5 challenge RADIUS Access Request EAP Response Identity RADIUS Access Challenge EAP Request MD5 challenge RADIUS Access Accept EAP Success RADIUS Access Request EAP Response MD5 challenge Handshake request EAP Request Identity Handshake response EAP Response Ident...

Page 608: ...erated by itself If the two are identical the authentication server considers the user valid and sends to the device a RADIUS Access Accept packet 10 Upon receiving the RADIUS Access Accept packet the device opens the port to grant the access request of the client After the client gets online the device periodically sends handshake requests to the client to check whether the client is still online...

Page 609: ...is section describes the timers used on an 802 1X device to guarantee that the client the device and the RADIUS server can interact with each other in a reasonable manner z Username request timeout timer tx period The device starts this timer when it sends an EAP Request Identity frame to a client If it receives no response before this timer expires the device retransmits the request When cooperat...

Page 610: ...hentication server sends authorization information to the device If the authorization information contains VLAN authorization information the device adds the port connecting the client to the assigned VLAN This neither changes nor affects the configurations of the port The only result is that the assigned VLAN takes precedence over the manually configured one that is the assigned VLAN takes effect...

Page 611: ... device adds a PGV configured port into the guest VLAN according to the port s link type in the similar way as described in VLAN assignment If a user of a port in the guest VLAN initiates authentication and passes authentication successfully the port leaves the guest VLAN and z If the authentication server assigns a VLAN the port joins the assigned VLAN After the user goes offline the port returns...

Page 612: ...different ports even if the user certificates are from the same certificate authority that is the user domain names are the same This allows you to deploy 802 1X access policies flexibly Configuring 802 1X Configuration Prerequisites 802 1X provides a user identity authentication scheme However 802 1X cannot implement the authentication scheme solely by itself RADIUS or local authentication must b...

Page 613: ...face view z You can also enable 802 1X and set port access control parameters that is the port access control mode port access method and the maximum number of users for a port in Ethernet interface view For detailed configuration refer to Configuring 802 1X for a Port The only difference between configuring 802 1X globally and configuring 802 1X for a port lies in the applicable scope If both a g...

Page 614: ...t trigger dot1x multicast trigger Optional Enabled by default Enable periodic re authentication dot1x re authenticate Required Disabled by default Specify the mandatory authentication domain for the port dot1x mandatory domain domain name Optional No mandatory authentication domain is specified by default Note that z Enabling 802 1X on a port is mutually exclusive with adding the port to an aggreg...

Page 615: ...s are configured on the access port you are recommended to configure different VLAN IDs for the voice VLAN default VLAN of the port and 802 1X guest VLAN This is to ensure the normal use of the functions Configuration prerequisites z Create the VLAN to be specified as the guest VLAN z To configure a port based guest VLAN make sure that the port access control method is portbased and the 802 1X mul...

Page 616: ...device The IP addresses of the servers are 10 1 1 1 and 10 1 1 2 respectively Use the former as the primary authentication accounting server and the latter as the secondary authentication accounting server z Set the shared key for the device to exchange packets with the authentication server as name and that for the device to exchange packets with the accounting server as money z Specify the devic...

Page 617: ...hange packets with the authentication server Device radius radius1 key authentication name Specify the shared key for the device to exchange packets with the accounting server Device radius radius1 key accounting money Set the interval for the device to retransmit packets to the RADIUS server and the maximum number of transmission attempts Device radius radius1 timer response timeout 5 Device radi...

Page 618: ...erver which is in VLAN 10 is for client software download and upgrade z Port GigabitEthernet 1 0 3 of the device which is in VLAN 5 is for accessing the Internet As shown in Figure 1 11 z On port GigabitEthernet 1 0 2 enable 802 1X and set VLAN 10 as the guest VLAN of the port If the device sends an EAP Request Identity packet from the port for the maximum number of times but still receives no res...

Page 619: ...procedure uses many AAA RADIUS commands For detailed configuration of these commands refer to AAA Configuration in the Security Volume z Configurations on the 802 1X client and RADIUS server are omitted Configure RADIUS scheme 2000 Device system view Device radius scheme 2000 Device radius 2000 primary authentication 10 11 1 1 1812 Device radius 2000 primary accounting 10 11 1 1 1813 ...

Page 620: ...o use VLAN 10 as its guest VLAN Device dot1x guest vlan 10 interface GigabitEthernet 1 0 2 You can use the display current configuration or display interface GigabitEthernet 1 0 2 command to view your configuration You can also use the display vlan 10 command in the following cases to verify whether the configured guest VLAN functions z When no users log in z When a user goes offline After a user ...

Page 621: ...radius scheme 2000 Device isp 2000 authorization default radius scheme 2000 Device isp 2000 accounting default radius scheme 2000 Device isp 2000 quit Configure ACL 3000 to deny packets destined for 10 0 0 1 Device acl number 3000 Device acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Enable 802 1X globally Device dot1x Enable 802 1X for port GigabitEthernet 1 0 1 Device interface GigabitEthern...

Page 622: ...1 21 C ...

Page 623: ...device which tends to be time consuming and inefficient To address the issue quick EAD deployment was developed In conjunction with 802 1X it can have an access switch to force all attached devices to download and install the EAD client before permitting them to access the network EAD Fast Deployment Implementation To support the fast deployment of EAD schemes 802 1X provides the following two mec...

Page 624: ...s before passing 802 1X authentication Once a free IP is configured the fast deployment of EAD is enabled Follow these steps to configure a freely accessible network segment To do Use the command Remarks Enter system view system view Configure a freely accessible network segment dot1x free ip ip address mask address mask length Required No freely accessible network segment is configured by default...

Page 625: ...started If the user neither downloads client software nor performs authentication before the timer expires the occupied ACL will be released so that other users can use it When there are a large number of users you can shorten the timeout time to improve the ACL usage efficiency Follow these steps to set the EAD rule timeout time To do Use the command Remarks Enter system view system view Set EAD ...

Page 626: ...2 3 Enable 802 1X globally Device dot1x Enable 802 1X on the port Device interface GigabitEthernet 1 0 1 Device GigabitEthernet1 0 1 dot1x 3 Verify your configuration Use the ping command to ping an IP address within the network segment specified by free IP to check that the user can access that segment before passing 802 1X authentication C ping 192 168 2 3 Pinging 192 168 2 3 with 32 bytes of da...

Page 627: ... X The redirection function does redirect this kind of ARP request z The address is within the freely accessible network segment In this case the device regards that the user is trying to access a host in the freely accessible network segment and redirection will not take place even if no host is present with the address z The redirect URL is not in the freely accessible network segment no server ...

Page 628: ...f Contents 1 HABP Configuration 1 1 Introduction to HABP 1 1 Configuring HABP 1 2 Configuring the HABP Server 1 2 Configuring an HABP Client 1 2 Displaying and Maintaining HABP 1 3 HABP Configuration Example 1 3 ...

Page 629: ...ot supported which is typical of network devices the communication between them will fail because they cannot pass 802 1X authentication and their packets will be blocked on Switch A To allow the two switches to communicate you can use HABP Figure 1 1 Network diagram for HABP application Internet Switch B Switch C Authenticator Supplicant Switch A Supplicant Supplicant Switch D Switch E Authentica...

Page 630: ...r is usually configured on the authentication device enabled with 802 1X authentication or MAC address authentication The HABP server sends HABP requests to the attached switches at a specified interval collecting their MAC addresses from the responses HABP packets are transmitted in the VLAN specified on the HABP server You can configure the interval of sending HABP requests on the administrative...

Page 631: ...address table entries display habp table Available in any view Display HABP packet statistics display habp traffic Available in any view HABP Configuration Example Network requirements As shown in Figure 1 2 Switch A is attached with access devices Switch B and Switch C 802 1X authentication is configured on Switch A for central authentication and management of users Host A through Host D In this ...

Page 632: ...ment Configuration in the System Volume SwitchA habp server vlan 1 Set the interval to send HABP request packets to 50 seconds SwitchA habp timer 50 2 Configure Switch B and Switch C Configure Switch B and Switch C to work in HABP client mode This configuration is usually unnecessary because HABP is enabled and works in client mode by default 3 Verify your configuration Display HABP configuration ...

Page 633: ... Authentication 1 2 ACL Assigning 1 3 Configuring MAC Authentication 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 Configuring a Guest VLAN 1 4 Configuration Prerequisites 1 4 Configuration Procedure 1 4 Displaying and Maintaining MAC Authentication 1 5 MAC Authentication Configuration Examples 1 5 Local MAC Authentication Configuration Example 1 5 RADIUS Based MAC Authentication...

Page 634: ... modes Remote Authentication Dial In User Service RADIUS based MAC authentication and local MAC authentication For detailed information about RADIUS authentication and local authentication refer to AAA Configuration of the Security Volume MAC authentication supports two types of usernames z MAC address where the MAC address of a user serves as both the username and password z Fixed username where ...

Page 635: ...response from the RADIUS server in this period it assumes that its connection to the RADIUS server has timed out and forbids the user to access the network Quiet MAC Address When a user fails MAC authentication the MAC address becomes a quiet MAC address which means that any packets from the MAC address will be discarded silently by the device until the quiet timer expires This prevents the device...

Page 636: ...RADIUS server Configuring MAC Authentication Configuration Prerequisites z Create and configure an ISP domain z For local authentication create the local users and configure the passwords z For RADIUS authentication ensure that a route is available between the device and the RADIUS server and add the usernames and passwords on the server When adding usernames and passwords on the device or server ...

Page 637: ...s as the username and password with in the MAC address z You can configure MAC authentication for ports first However the configuration takes effect only after you enable MAC authentication globally z Enabling MAC authentication on a port is mutually exclusive with adding the port to an aggregation group z For details about the default ISP domain refer to AAA Configuration in the Security Volume C...

Page 638: ... in EAD fast deployment on a port For the free IP configuration refer to 802 1X Configuration in the Security Volume Displaying and Maintaining MAC Authentication To do Use the command Remarks Display the global MAC authentication information or the MAC authentication information about specified ports display mac authentication interface interface list Available in any view Clear the MAC authentic...

Page 639: ...hentication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet 180 Specify the MAC authentication username format as MAC address that is using the MAC address with hyphens of a user as the username and password for MAC authentication of the user Device mac authentication user name format mac address with hyphen 2 Verify the configuration Display global ...

Page 640: ...S Configuration procedure It is required that the RADIUS server and the device are reachable to each other and the username and password are configured on the server 1 Configure MAC authentication on the device Configure a RADIUS scheme Device system view Device radius scheme 2000 Device radius 2000 primary authentication 10 1 1 1 1812 Device radius 2000 primary accounting 10 1 1 2 1813 Device rad...

Page 641: ...ser number is 1024 per slot Current user number amounts to 1 Current domain is 2000 Silent Mac User info MAC Addr From Port Port Index GigabitEthernet1 0 1 is link up MAC address authentication is enabled Authenticate success 1 failed 0 Current online user number is 1 MAC Addr Authenticate state Auth Index 00e0 fc12 3456 MAC_AUTHENTICATOR_SUCCESS 29 ACL Assignment Configuration Example Network req...

Page 642: ... abc Sysname radius 2000 key accounting abc Sysname radius 2000 user name format without domain Sysname radius 2000 quit Create an ISP domain and specify the AAA schemes Sysname domain 2000 Sysname isp 2000 authentication default radius scheme 2000 Sysname isp 2000 authorization default radius scheme 2000 Sysname isp 2000 accounting default radius scheme 2000 Sysname isp 2000 quit Configure ACL 30...

Page 643: ...Ethernet1 0 1 mac authentication After completing the above configurations you can use the ping command to verify whether the ACL 3000 assigned by the RADIUS server functions C ping 10 0 0 1 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request timed out Request timed out Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss C ...

Page 644: ...nfiguring Port Security Features 1 8 Configuring NTK 1 8 Configuring Intrusion Protection 1 9 Configuring Trapping 1 9 Configuring Secure MAC Addresses 1 10 Configuration Prerequisites 1 10 Configuration Procedure 1 10 Ignoring Authorization Information from the Server 1 10 Displaying and Maintaining Port Security 1 11 Port Security Configuration Examples 1 11 Configuring the autoLearn Mode 1 11 C...

Page 645: ...whose source MAC addresses cannot be learned by the device in a security mode are considered illegal the events that users do not pass 802 1X authentication or MAC authentication are considered illegal Upon detection of illegal frames or events the device takes the pre defined action automatically While enhancing the system security this reduces your maintenance efforts greatly The security modes ...

Page 646: ...security mode searches the MAC address table for the source MAC address If a match is found the port forwards the packet If no match is found the port learns the MAC address or performs authentication according to the security mode Upon detecting illegal packets or events the port takes the pre defined action configured in NTK intrusion protection or trap sending Table 1 1 describes the port secur...

Page 647: ...nd A secure MAC addresses never ages out by default When the number of secure MAC addresses reaches the upper limit the port turns to secure mode In addition you can configure MAC addresses manually by using the mac address dynamic and mac address static commands for a port in autoLearn mode In autoLearn mode dynamic MAC address learning function on the port in MAC address management is disabled 2...

Page 648: ... port in this mode supports multiple 802 1X and MAC authentication users 3 macAddressElseUserLoginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes with MAC authentication having a higher priority as the Else keyword implies For non 802 1X frames a port in this mode performs only MAC authentication For 802 1X frames it performs MAC authentication and then if...

Page 649: ...N that a user is in after failing authentication For a security mode that supports MAC authentication you can configure a MAC based guest VLAN MAC authentication MGV For details about MAC authentication MGV refer to MAC Authentication Configuration in the Security Volume Port Security Configuration Task List Complete the following tasks to configure port security Task Remarks Enabling Port Securit...

Page 650: ...z For detailed MAC based authentication configuration refer to MAC Authentication Configuration in the Security Volume Setting the Maximum Number of Secure MAC Addresses With port security enabled more than one authenticated user is allowed on a port The number of authenticated users allowed however cannot exceed the specified upper limit By setting the maximum number of secure MAC addresses allow...

Page 651: ...port security mode of a port when any user is present on the port z Before configuring the port to operate in autoLearn mode set the maximum number of secure MAC addresses allowed on a port Configuring Procedure Follow these steps to enable any other port security mode To do Use the command Remarks Enter system view system view Set an OUI value for user authentication port security oui oui value i...

Page 652: ...destination MAC addresses in outbound frames to allow frames to be forwarded to only devices passing authentication The NTK feature supports three modes z ntkonly Forwards only frames destined for authenticated MAC addresses z ntk withbroadcasts Forwards only frames destined for authenticated MAC addresses or the broadcast address z ntk withmulticasts Forwards only frames destined for authenticate...

Page 653: ...s disabled Return to system view quit Set the silence timeout during which a port remains disabled port security timer disableport time value Optional 20 seconds by default On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode intrusion protection is triggered only after both MAC authentication and 802 1X authentication for the same frame...

Page 654: ...m view In system view port security mac address security mac address interface interface type interface number vlan vlan id interface interface type interface number Configure a secure MAC address In interface view port security mac address security mac address vlan vlan id Required Use either approach No secure MAC address is configured by default The configured secure MAC addresses are saved in ...

Page 655: ...erface type interface number vlan vlan id count Available in any view Port Security Configuration Examples Configuring the autoLearn Mode Network requirements Restrict port GigabitEthernet 1 0 1 of the switch as follows z Allow up to 64 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as secure MAC addresses z After the number of s...

Page 656: ...on protection trap is enabled and the intrusion protection action is to disable the port DisablePortTemporarily for 30 seconds You can also use the above command repeatedly to track the number of MAC addresses learned by the port or use the display this command in interface view to display the secure MAC addresses learned as shown below Switch system view Switch interface gigabitethernet 1 0 1 Swi...

Page 657: ...gh port GigabitEthernet 1 0 1 The switch authenticates the client by the RADIUS server If the authentication succeeds the client is authorized to access the Internet z RADIUS server 192 168 1 2 functions as the primary authentication server and the secondary accounting server and RADIUS server 192 168 1 3 functions as the secondary authentication server and the primary accounting server The shared...

Page 658: ...92 168 1 2 Switch radius radsun key authentication name Switch radius radsun key accounting money Switch radius radsun timer response timeout 5 Switch radius radsun retry 5 Switch radius radsun timer realtime accounting 15 Switch radius radsun user name format without domain Switch radius radsun quit Configure an ISP domain named sun Switch domain sun Switch isp sun authentication default radius s...

Page 659: ...Server Encryption Key name Acct Server Encryption Key money Interval for timeout second 5 Retransmission times for timeout 5 Interval for realtime accounting minute 15 Retransmission times of realtime accounting packet 5 Retransmission times of stop accounting packet 500 Quiet interval min 5 Username format without domain Data flow unit Byte Packet unit one Use the following command to view the co...

Page 660: ... timeout 30m The maximum 802 1X user resource number is 1024 per slot Total current used 802 1X resource number is 1 GigabitEthernet1 0 1 is link up 802 1X protocol is enabled Handshake is enabled The port is an authenticator Authentication Mode is Auto Port Control Type is Mac based 802 1X Multicast trigger is enabled Mandatory authentication domain NOT configured Guest VLAN NOT configured Max nu...

Page 661: ... on the host and RADIUS servers are omitted 1 Configure the RADIUS protocol The required RADIUS authentication accounting configurations are the same as those in Configuring the userLoginWithOUI Mode 2 Configure port security Enable port security Switch system view Switch port security enable Configure a MAC authentication user setting the user name and password to aaa and 123456 respectively Swit...

Page 662: ...ame aaa Fixed password 123456 Offline detect period is 300s Quiet period is 60s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 3 Current domain is sun Silent MAC User info MAC Addr From Port Port Index GigabitEthernet1 0 1 is link up MAC address authentication is enabled Authenticate success 3 failed 7 Current online user number is...

Page 663: ...APOL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Packets 6 Error Packets 0 1 Authenticated user MAC address 0002 0000 0011 Controlled User s amount to 1 In addition as NTK is enabled frames with unknown destination MAC addresses multicast addresses and broadcast addresses should be discarded Troubleshooting Port Security Cannot Set the Port Security Mode Symptom Cannot...

Page 664: ...port security mac address security 1 1 2 vlan 1 Cannot Change Port Security Mode When a User Is Online Symptom Port security mode cannot be changed when an 802 1X authenticated or MAC authenticated user is online Switch GigabitEthernet1 0 1 undo port security port mode Error Cannot configure port security for there is 802 1X user s on line on port GigabitEthernet1 0 1 Analysis Changing port securi...

Page 665: ...ring Dynamic Binding Function 1 2 Displaying and Maintaining IP Source Guard 1 3 IP Source Guard Configuration Examples 1 3 Static Binding Entry Configuration Example 1 3 Dynamic Binding Function Configuration Example 1 4 Troubleshooting IP Source Guard 1 6 Failed to Configure Static Binding Entries and Dynamic Binding Function 1 6 ...

Page 666: ...on a port it is effective only on the port IP source guard filters packets based on the following types of binding entries z IP port binding entry z MAC port binding entry z IP MAC port binding entry z IP VLAN port binding entry z MAC VLAN port binding entry z IP MAC VLAN port binding entry An IP source guard binding entry can be static or dynamic depending on how the entry is created z A static b...

Page 667: ... After the dynamic binding function is enabled on a port IP source guard will obtain binding entries through cooperation with DHCP protocols z Cooperating with DHCP snooping IP source guard will automatically obtain the DHCP snooping entries that are generated during dynamic IP address allocation on an Ethernet port z Cooperating with DHCP Relay IP source guard will automatically obtain the DHCP R...

Page 668: ...tion Examples Static Binding Entry Configuration Example Network requirements As shown in Figure 1 1 Host A and Host B are connected to ports GigabitEthernet 1 0 2 and GigabitEthernet 1 0 1 of Switch B respectively Host C is connected to port GigabitEthernet 1 0 2 of Switch A and Switch B is connected to port GigabitEthernet 1 0 1 of Switch A Configure static binding entries on Switch A and Switch...

Page 669: ...2 168 0 1 mac address 0001 0203 0406 SwitchB GigabitEthernet1 0 2 quit Configure port GigabitEthernet 1 0 1 of Switch B to allow only IP packets with the source MAC address of 00 01 02 03 04 07 and the source IP address of 192 168 0 2 to pass SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration O...

Page 670: ...er as a trusted port SwitchA interface gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 dhcp snooping trust SwitchA GigabitEthernet1 0 2 quit 2 Verify the configuration Display dynamic binding function is configured successfully on port GigabitEthernet 1 0 1 SwitchA interface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 display this interface GigabitEthernet1 0 1 ip check source ip address...

Page 671: ...igured with dynamic binding function Troubleshooting IP Source Guard Failed to Configure Static Binding Entries and Dynamic Binding Function Symptom Configuring static binding entries and dynamic binding function fails on a port Analysis IP Source Guard is not supported on the port which has joined an aggregation group Neither static binding entries nor dynamic binding function can be configured o...

Page 672: ... and Maintaining SSH 1 11 SSH Server Configuration Examples 1 11 When Switch Acts as Server for Password Authentication 1 11 When Switch Acts as Server for Publickey Authentication 1 13 SSH Client Configuration Examples 1 18 When Switch Acts as Client for Password Authentication 1 18 When Switch Acts as Client for Publickey Authentication 1 20 2 SFTP Service 2 1 SFTP Overview 2 1 Configuring an SF...

Page 673: ...sers to establish SSH connections with a remote device acting as the SSH server Currently when acting as an SSH server the device supports two SSH versions SSH2 0 and SSH1 When acting as an SSH client the device supports SSH2 0 only Operation of SSH The session establishment and interaction between an SSH client and the SSH server involves the following five stages Table 1 1 Stages in session esta...

Page 674: ...use the version Otherwise the negotiation fails 5 If the negotiation is successful the server and the client proceed with key and algorithm negotiation otherwise the server breaks the TCP connection All the packets involved in the above steps are transferred in plain text Key and algorithm negotiation z The server and the client send key algorithm negotiation packets to each other which include th...

Page 675: ... server sends a message to the client to inform the success or failure of the authentication Currently the device supports two publickey algorithms for digital signature RSA and DSA The following gives the steps of the authentication stage 1 The client sends to the server an authentication request which includes the username authentication method password authentication or publickey authentication...

Page 676: ...e commands by saving the text as a configuration file uploading the configuration file to the server through SFTP and then using the configuration file to restart the server Configuring the Device as an SSH Server SSH Server Configuration Task List Complete the following tasks to configure an SSH server Task Remarks Generating a DSA or RSA Key Pair Required Enabling SSH Server Required Configuring...

Page 677: ...e in the range 512 to 2048 bits Some SSH2 clients require that the length of the key modulus be at least 768 bits on the SSH server side z The public key local create dsa command generates only the host key pair SSH1 does not support the DSA algorithm z The length of the modulus of DSA host keys must be in the range 512 to 2048 bits Some SSH2 clients require that the length of the key modulus be a...

Page 678: ...r SSH users using publickey authentication For each SSH user that uses publickey authentication to login you must configure the client s DSA or RSA host public key on the server and configure the client to use the corresponding private key To configure the public key of an SSH client you can z Configure it manually You can input or copy the public key to the local host The copied public key must h...

Page 679: ...c key file public key peer keyname import sshkey filename Required For information about client side public key configuration and the relevant commands refer to Public Key Configuration in the Security Volume Configuring an SSH User This configuration allows you to create an SSH user and specify the service type and authentication mode Follow these steps to configure an SSH user and specify the se...

Page 680: ...e ssh user command z The configured authentication method takes effect only for users logging in after the configuration For users using publickey authentication z You must configure on the device the corresponding username and public keys z After login the commands available for a user are determined by the user privilege level which is configured with the user privilege level command on the user...

Page 681: ...iguration Task List Complete the following tasks to configure an SSH client Task Remarks Specifying a Source IP address Interface for the SSH client Optional Configuring Whether First time Authentication is Supported Optional Establishing a Connection Between the SSH Client and the Server Required Specifying a Source IP address Interface for the SSH client This configuration task allows you to spe...

Page 682: ...n For successful authentication of an SSH client not supporting first time authentication the server host public key must be configured on the client and the public key name must be specified Follow these steps to disable first time authentication To do Use the command Remarks Enter system view system view Disable first time authentication support undo ssh client first time Optional By default fir...

Page 683: ...ble in any view Display the mappings between SSH servers and their host public keys saved on an SSH client display ssh server info Available in any view Display information about a specified or all SSH users on the SSH server display ssh user information username Available in any view Display the public keys of the local key pairs display public key local dsa rsa public Available in any view Displ...

Page 684: ...ty0 4 protocol inbound ssh Switch ui vty0 4 quit Create local user client001 and set the user command privilege level to 3 Switch local user client001 Switch luser client001 password simple aabbcc Switch luser client001 service type ssh Switch luser client001 authorization attribute level 3 Switch luser client001 quit Specify the service type for user client001 as Stelnet and the authentication mo...

Page 685: ...y Authentication Network requirements z As shown in Figure 1 3 a local SSH connection is established between the host the SSH client and the switch the SSH server for secure data exchange z Publickey authentication is used the algorithm is RSA Figure 1 3 Switch acts as server for publickey authentication Configuration procedure During SSH server configuration the client public key is required Ther...

Page 686: ...A and click Generate Figure 1 4 Generate a key pair on the client 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 5 Otherwise the process bar stops moving and the key pair generating process will be stopped ...

Page 687: ... file name as key pub to save the public key Figure 1 6 Generate a key pair on the client 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the key private in this case ...

Page 688: ...itch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Import the client s public key from file key pub and name it Switch001 Switch public key peer Switch001 import sshkey key pub Specify the authentication type for user client0...

Page 689: ...8 SSH client configuration interface 1 Select Connection SSH Auth from the navigation tree The following window appears Click Browse to bring up the file selection window navigate to the private key file and click OK ...

Page 690: ...ication Network requirements z As shown in Figure 1 10 Switch A the SSH client needs to log into Switch B the SSH server through the SSH protocol z The username of the SSH client is client001 and the password is aabbcc Password authentication is required Figure 1 10 Switch acts as client for password authentication Configuration procedure 1 Configure the SSH server Create RSA and DSA key pairs and...

Page 691: ...server Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165 87 137 255 255 255 0 SwitchA Vlan interface1 quit SwitchA quit z If the client support first time authentication you can directly establish a connection from the client to the server Establish an SSH connection to server 10 165 87 136 SwitchA ssh2 10 ...

Page 692: ...hA pkey key code D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71 01F7C62621216D5A572C379A32AC290 SwitchA pkey key code E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D SwitchA pkey key code 485348 SwitchA pkey key code public key code end SwitchA pkey public key peer public key end Specify the host public key for the SSH server 10 165 87 136 as key1 SwitchA ssh c...

Page 693: ...itchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client will use as the destination for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme E...

Page 694: ... 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N n Later you will find that you have logged into Switch B successfully ...

Page 695: ...FTP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the detailed configuration procedure refer to Configuring the Device as an SSH Server z You have used the ssh user service type command to set the service type of SSH users to sftp or all For configuration pr...

Page 696: ...or the SFTP Client You can configure a client to use only a specified source IP address or interface to access the SFTP server thus enhancing the service manageability Follow these steps to specify a source IP address or interface for the SFTP client To do Use the command Remarks Enter system view system view Specify a source IPv4 address or interface for the SFTP client sftp client source ip ip a...

Page 697: ...g files under a specified directory or the directory information z Changing the name of a specified directory on the server z Creating or deleting a directory Follow these steps to work with the SFTP directories To do Use the command Remarks Enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh ...

Page 698: ...ile Optional dir a l remote path Display the files under a specified directory ls a l remote path Optional The dir command functions as the ls command delete remote file 1 10 Delete a file from the SFTP server remove remote file 1 10 Optional The delete command functions as the remove command Displaying Help Information This configuration task is to display a list of all commands or the help infor...

Page 699: ...in Figure 2 1 an SSH connection is established between Switch A and Switch B Switch A an SFTP client logs in to Switch B for file management and file transfer An SSH user uses publickey authentication with the public key algorithm being RSA Figure 2 1 Network diagram for SFTP client configuration Configuration procedure During SFTP server configuration the client public key is required Therefore y...

Page 700: ...ey For user client001 set the service type as SFTP authentication type as publickey public key as Switch001 and working folder as flash SwitchB ssh user client001 service type sftp authentication type publickey assign publickey Switch001 work directory flash 3 Establish a connection between the SFTP client and the SFTP server Establish a connection to the remote SFTP server and enter SFTP client v...

Page 701: ...ully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 Download the file pubkey2 from the server and change the name to public sft...

Page 702: ...onfigure an IP address for VLAN interface 1 which the client will use as the destination for SSH connection Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 45 255 255 255 0 Switch Vlan interface1 quit Set the authentication mode of the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support...

Page 703: ... supports only password authentication Establish a connection with the remote SFTP server Run the psftp exe to launch the client interface as shown in Figure 2 3 and enter the following command open 192 168 1 45 Enter username client002 and password aabbcc as prompted to log into the SFTP server Figure 2 3 SFTP client interface ...

Page 704: ...de 1 7 Retrieving a Certificate Manually 1 8 Configuring PKI Certificate Verification 1 9 Destroying a Local RSA Key Pair 1 10 Deleting a Certificate 1 11 Configuring an Access Control Policy 1 11 Displaying and Maintaining PKI 1 11 PKI Configuration Examples 1 12 Requesting a Certificate from a CA Running RSA Keon 1 12 Requesting a Certificate from a CA Running Windows 2003 Server 1 15 Configurin...

Page 705: ...heir owners helping distribute public keys in large networks securely With digital certificates the PKI system provides network communication and e commerce with security services such as user authentication data non repudiation data confidentiality and data integrity PKI Terms Digital certificate A digital certificate is a file signed by a certificate authority CA for an entity It includes mainly...

Page 706: ... certification practice statement CPS A CA policy can be acquired through out of band means such as phone disk and e mail As different CAs may use different methods to check the binding of a public key with an entity make sure that you understand the CA policy before selecting a trusted CA for certificate request Architecture of PKI A PKI system consists of entities a CA a registration authority R...

Page 707: ...sions S MIME which is based on PKI and allows for transfer of encrypted mails with signature Web security For Web security two peers can establish a Secure Sockets Layer SSL connection first for transparent and secure communications at the application layer With PKI SSL enables encrypted communications between a browser and a server Both the communication parties can verify the identity of each ot...

Page 708: ...ntity a standard 2 character code For example CN represents China and US represents the United States of America z Fully qualified domain name FQDN of the entity a unique identifier of an entity on the network It consists of a host name and a domain name and can be resolved to an IP address For example www whatever com is an FQDN where www is a host name and whatever com a domain name z IP address...

Page 709: ...d by default z Currently up to two entities can be created on a device z The Windows 2000 CA server has some restrictions on the data length of a certificate request If the entity DN in a certificate request goes beyond a certain limit the server will not respond to the certificate request Configuring a PKI Domain Before requesting a PKI certificate an entity needs to be configured with some enrol...

Page 710: ...KI domain the entity will reject the root certificate Follow these steps to configure a PKI domain To do Use the command Remarks Enter system view system view Create a PKI domain and enter its view pki domain domain name Required No PKI domain exists by default Specify the trusted CA ca identifier name Required No trusted CA is specified by default Specify the entity for certificate request certif...

Page 711: ...ure an entity to submit a certificate request in auto mode To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name Set the certificate request mode to auto certificate request mode auto key length key length password cipher simple password Required Manual by default After the certificate is to expire or has expired the entity does not initiate a re ...

Page 712: ...domain has already a local certificate you cannot request another certificate for it This is to avoid inconsistency between the certificate and the registration information resulting from configuration changes To request a new certificate use the pki delete certificate command to delete the existing local certificate and the CA certificate stored locally z When it is impossible to request a certif...

Page 713: ...f the certificate so that the certificate is valid Configuring PKI Certificate Verification A certificate needs to be verified before being used Verifying a certificate is to check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked Before verifying a certificate you need to retrieve the CA certificate You can specify whether CRL checking is requi...

Page 714: ...omain name Required z The CRL update period refers to the interval at which the entity downloads CRLs from the CRL server The CRL update period configured manually is prior to that specified in the CRLs z The pki retrieval crl domain configuration will not be saved in the configuration file z Currently the URL of the CRL distribution point does not support domain name resolving Destroying a Local ...

Page 715: ... exists by default Configure an attribute rule for the certificate issuer name certificate subject name or alternative subject name attribute id alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject name and alternative subject name by default Return to system view quit Create a certifi...

Page 716: ...entity requests a certificate from an RA z The SCEP plug in is not required when RSA Keon is used In this case when configuring a PKI domain you need to use the certificate request from ca command to specify that the entity requests a certificate from a CA Requesting a Certificate from a CA Running RSA Keon The CA server runs RSA Keon in this configuration example Network requirements z The device...

Page 717: ...ommon name as switch Switch system view Switch pki entity aaa Switch pki entity aaa common name switch Switch pki entity aaa quit z Configure the PKI domain Create PKI domain torsa and enter its view Switch pki domain torsa Configure the name of the trusted CA as myca Switch pki domain torsa ca identifier myca Configure the URL of the registration server in the format of http host port Issuing Jur...

Page 718: ...ificate domain torsa challenge word Certificate is being requested please wait Switch Enrolling the local certificate please wait a while Certificate request Successfully Saving the local certificate to device Done 3 Verify your configuration Use the following command to view information about the local certificate acquired Switch display pki certificate local domain torsa Certificate Data Version...

Page 719: ...lated to display pki certificate ca domain and display pki crl domain commands in PKI Commands of the Security Volume Requesting a Certificate from a CA Running Windows 2003 Server The CA server runs the Windows 2003 server in this configuration example Network requirements Configure PKI entity Switch to request a local certificate from the CA server Figure 1 3 Request a certificate from a CA runn...

Page 720: ...isting services After completing the above configuration check that the system clock of the switch is synchronous to that of the CA server ensuring that the switch can request a certificate normally 2 Configure the switch z Configure the entity DN Configure the entity name as aaa and the common name as switch Switch system view Switch pki entity aaa Switch pki entity aaa common name switch Switch ...

Page 721: ... Successfully Saving the local certificate to device Done 3 Verify your configuration Use the following command to view information about the local certificate acquired Switch display pki certificate local domain torsa Certificate Data Version 3 0x2 Serial Number 48FA0FD9 00000000 000C Signature Algorithm sha1WithRSAEncryption Issuer CN myca Validity Not Before Nov 21 12 32 16 2007 GMT Not After N...

Page 722: ...Algorithm sha1WithRSAEncryption 81029589 7BFA1CBD 20023136 B068840B Omitted You can also use some other display commands to view detailed information about the CA certificate Refer to the display pki certificate ca domain command in PKI Commands of the Security Volume Configuring a Certificate Attribute Based Access Control Policy Network requirements z The client accesses the remote HTTP Security...

Page 723: ...witch pki cert attribute group mygroup1 quit Create certificate attribute group mygroup2 and add two attribute rules The first rule defines that the FQDN of the alternative subject name does not include the string of apple and the second rule defines that the DN of the certificate issuer name includes the string aabbcc Switch pki certificate attribute group mygroup2 Switch pki cert attribute group...

Page 724: ...quest z Synchronize the system clock of the device with that of the CA Failed to Request a Local Certificate Symptom Failed to request a local certificate Analysis Possible reasons include these z The network connection is not proper For example the network cable may be damaged or loose z No CA certificate has been retrieved z The current key pair has been bound to a certificate z No trusted CA is...

Page 725: ... certificate has been retrieved before you try to retrieve CRLs z The IP address of LDAP server is not configured z The CRL distribution URL is not configured z The LDAP server version is wrong Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Specify the IP address of the LDAP server z Specify the CRL distribution URL z Re configure the LDAP versi...

Page 726: ...k List 1 2 Configuring an SSL Server Policy 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 6 Configuration Prerequisites 1 6 Configuration Procedure 1 6 Displaying and Maintaining SSL 1 6 Troubleshooting SSL 1 7 SSL Handshake Failure 1 7 ...

Page 727: ...signatures The SSL server and client obtain certificates from a certificate authority CA through the Public Key Infrastructure PKI z Reliability SSL uses the key based message authentication code MAC to verify message integrity A MAC algorithm transforms a message of any length to a fixed length message Figure 1 1 illustrates how SSL uses a MAC algorithm to verify message integrity With the key th...

Page 728: ...tity authentication of the server and client Through the SSL handshake protocol a session is established between a client and the server A session consists of a set of parameters including the session ID peer certificate cipher suite and master secret z SSL change cipher spec protocol Used for notification between a client and the server that the subsequent packets are to be protected and transmit...

Page 729: ...and enter its view ssl server policy policy name Required Specify a PKI domain for the SSL server policy pki domain domain name Required By default no PKI domain is specified for an SSL server policy Specify the cipher suite s for the SSL server policy to support ciphersuite rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Optional By default an SSL server policy supports all ci...

Page 730: ...ce it is required that users use HTTPS HTTP Security which uses SSL to log in to the Web interface of the device and use SSL for identity authentication to ensure that data will not be eavesdropped or tampered with To achieve the goal perform the following configurations z Configure Device to work as the HTTPS server and request a certificate for Device z Request a certificate for Host so that Dev...

Page 731: ...Create an SSL server policy named myssl Device ssl server policy myssl Specify the PKI domain for the SSL server policy as 1 Device ssl server policy myssl pki domain 1 Enable client authentication Device ssl server policy myssl client verify enable Device ssl server policy myssl quit Configure HTTPS service to use SSL server policy myssl Device ip https ssl server policy myssl Enable HTTPS servic...

Page 732: ...must configure a PKI domain For details about PKI domain configuration refer to PKI Configuration in the Security Volume Configuration Procedure Follow these steps to configure an SSL client policy To do Use the command Remarks Enter system view system view Create an SSL client policy and enter its view ssl client policy policy name Required Specify a PKI domain for the SSL client policy pki domai...

Page 733: ... the debugging ssl command and view the debugging information to locate the problem z If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate request one for it z If the server s certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server or let the server requests a certific...

Page 734: ... Asymmetric Key Pair 1 2 Creating an Asymmetric Key Pair 1 2 Displaying or Exporting the Local RSA or DSA Host Public Key 1 3 Destroying an Asymmetric Key Pair 1 3 Configuring the Public Key of a Peer 1 3 Displaying and Maintaining Public Keys 1 4 Public Key Configuration Examples 1 5 Configuring the Public Key of a Peer Manually 1 5 Importing the Public Key of a Peer from a Public Key File 1 6 ...

Page 735: ...entiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 1 1 Encryption and decryption There are two types of key algorithms based on whether the keys for encryption and decryption are the same z Symmetric key algorithm The same key is used for both encryption and decryption Commonly used symmetric key algorithms include ...

Page 736: ...mir Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption decryption and signature whereas DSA are used for signature only Asymmetric key algorithms are usually used in digital signature applications for peer identity authentication because they involve complex calculations and are time consuming symmetric key algorithms are...

Page 737: ...the local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public key To do Use the command Remarks Enter system view system view Display the local RSA host public key on the screen in a specified format or export it to a specified file public key local export rsa openssh ssh1 ssh2 filename Display the local DSA host public key on the s...

Page 738: ...blic key of a peer manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a public key of the peer Type or copy the key Required Spaces and carriage returns are allowed between characters Return to public key view public key code end When you exit public key code view the system a...

Page 739: ...2 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RSA key pairs DeviceA display public key local rsa public Time of Key pair created 09 50 06 2007 08 07 Key name HOST_KEY Key type RSA Encryption Key Key code 30819F300D06092A864886F70D010101050003818D0...

Page 740: ...D1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 DeviceB pkey key code public key code end DeviceB pkey public key peer public key end Display the host public key of Device A saved on Device B DeviceB display public key peer name devicea Key Name devicea Key Type RSA Key Module 1024 Key Code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE47...

Page 741: ...6F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E 35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8 4B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001 Export the RSA host public key to a file named devicea pub DeviceA public key local export rsa ssh2 devicea pub DeviceA quit 2 Enable the FTP server function on Dev...

Page 742: ...e key file devicea pub to Device B DeviceB public key peer devicea import sshkey devicea pub Display the host public key of Device A saved on Device B DeviceB display public key peer name devicea Key Name devicea Key Type RSA Key Module 1024 Key Code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E3...

Page 743: ...ge 2 1 Configuration Procedure 2 1 Configuration Example 2 2 Configuring a Basic IPv4 ACL 2 2 Configuration Prerequisites 2 2 Configuration Procedure 2 3 Configuration Example 2 3 Configuring an Advanced IPv4 ACL 2 4 Configuration Prerequisites 2 4 Configuration Procedure 2 4 Configuration Example 2 5 Configuring an Ethernet Frame Header ACL 2 6 Configuration Prerequisites 2 6 Configuration Proced...

Page 744: ...net Frame Header ACL 3 4 Copying an IPv6 ACL 3 4 Configuration Prerequisites 3 4 Configuration Procedure 3 4 Displaying and Maintaining IPv6 ACLs 3 5 IPv6 ACL Configuration Example 3 5 Network Requirements 3 5 Network Diagram 3 5 Configuration Procedure 3 6 4 ACL Application for Packet Filtering 4 1 Filtering IPv4 Packets 4 1 Filtering IPv6 Packets 4 2 ACL Application Example 4 3 Applying an ACL t...

Page 745: ...Pv6 ACL Configuration Unless otherwise stated ACLs refer to both IPv4 ACLs and IPv6 ACLs throughout this document Introduction to ACL Introduction As network scale and network traffic are increasingly growing network security and bandwidth allocation become more and more critical to network management Packet filtering can be used to efficiently prevent illegal users from accessing networks and to ...

Page 746: ...to a piece of hardware and referenced by a QoS policy for traffic classification the switch does not take action according to the traffic behavior definition on a packet that does not match the ACL z When an ACL is referenced by a piece of software to control Telnet SNMP and Web login users the switch denies all packets that do not match the ACL z For details of ACL application for packet filterin...

Page 747: ...ets against the rule configured with more zeros in the source IP address wildcard 2 If two rules are present with the same number of zeros in their source IP address wildcards compare packets against the rule configured first Depth first match for an advanced IPv4 ACL The following shows how your device performs depth first match in an advanced IPv4 ACL 1 Look at the protocol carried over IP A rul...

Page 748: ...enumbering mechanism you do not need to assign numbers to rules when defining them The system will assign a newly defined rule a number that is the smallest multiple of the step bigger than the current biggest number For example with a step of five if the biggest number is currently 28 the newly defined rule will get a number of 30 If the ACL has no rule defined already the first defined rule will...

Page 749: ... an IPv6 ACL you can specify a unique name for it Afterwards you can identify the IPv6 ACL by its name An IPv6 ACL can have only one name Whether to specify a name for an ACL is up to you After creating an ACL you cannot specify a name for it nor can you change or remove its name The name of an IPv6 ACL must be unique among IPv6 ACLs However an IPv6 ACL and an IPv4 ACL can share the same name IPv6...

Page 750: ...h the highest precedence 2 In case of a tie look at the source IPv6 address prefixes Then compare packets against the rule configured with a longer prefix for the source IPv6 address 3 If the prefix lengths for the source IPv6 addresses are the same look at the destination IPv6 address prefixes Then compare packets against the rule configured with a longer prefix for the destination IPv6 address 4...

Page 751: ...equired Display the configuration and status of one or all time ranges display time range time range name all Optional Available in any view You may create a maximum of 256 time ranges A time range can be one of the following z Periodic time range created using the time range time range name start time to end time days command A time range thus created recurs periodically on the day or days of the...

Page 752: ...ge ends at the latest time that the system supports namely 24 00 12 31 2100 Configuration Example Create a time range that is active from 8 00 to 18 00 every working day Sysname system view Sysname time range test 8 00 to 18 00 working day Verify the configuration Sysname display time range test Current time is 22 17 42 1 5 2006 Thursday Time range test Inactive 08 00 to 18 00 working day Create a...

Page 753: ...iption text Optional By default a basic IPv4 ACL has no ACL description Configure a rule description rule rule id comment text Optional By default an IPv4 ACL rule has no rule description Note that z You can only modify the existing rules of an ACL that uses the match order of config When modifying a rule of such an ACL you may choose to change just some of the settings in which case the other set...

Page 754: ...he time range command first Configuration Procedure Follow these steps to configure an advanced IPv4 ACL To do Use the command Remarks Enter system view system view Create an advanced IPv4 ACL and enter its view acl number acl number name acl name match order auto config Required The default match order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the acl name ...

Page 755: ...auto a newly created rule will be inserted among the existing rules in the depth first match order Note that the IDs of the rules still remain the same z You can modify the match order of an ACL with the acl number acl number name acl name match order auto config command but only when the ACL does not contain any rules z The rule specified in the rule comment command must already exist Configurati...

Page 756: ... order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the acl name acl name command to enter the view of the ACL later Create or modify a rule rule rule id deny permit cos vlan pri dest mac dest addr dest mask lsap lsap code lsap wildcard source mac sour addr source mask time range time range name type type code type wildcard Required To create or modify multiple...

Page 757: ...exist Configuration Example Configure ACL 4000 to deny frames with the 802 1p priority of 3 Sysname system view Sysname acl number 4000 Sysname acl ethernetframe 4000 rule deny cos 3 Verify the configuration Sysname acl ethernetframe 4000 display acl 4000 Ethernet frame ACL 4000 named none 1 rule ACL s step is 5 rule 0 deny cos excellent effort 5 times matched Copying an IPv4 ACL This feature allo...

Page 758: ...l Available in any view Clear statistics about a specified or all IPv4 ACLs that are referenced by upper layer software reset acl counter acl number all name acl name Available in user view IPv4 ACL Configuration Example Network Requirements As shown in Figure 2 1 a company interconnects its departments through the switch Configure an ACL to deny access of all departments but the President s offic...

Page 759: ...IPv4 ACL 3000 Switch traffic classifier c_rd Switch classifier c_rd if match acl 3000 Switch classifier c_rd quit Configure traffic behavior b_rd to deny matching packets Switch traffic behavior b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure class c_market for packets matching IPv4 ACL 3001 Switch traffic classifier c_market Switch classifier c_market if match acl 3001 S...

Page 760: ...tch GigabitEthernet1 0 2 qos apply policy p_rd inbound Switch GigabitEthernet1 0 2 quit Apply QoS policy p_market to interface GigabitEthernet 1 0 3 Switch interface GigabitEthernet 1 0 3 Switch GigabitEthernet1 0 3 qos apply policy p_market inbound ...

Page 761: ... want to reference a time range in a rule define it with the time range command first Configuration Procedure Follow these steps to configure an IPv6 ACL To do Use the command Remarks Enter system view system view Create a basic IPv6 ACL view and enter its view acl ipv6 number acl6 number name acl6 name match order auto config Required The default match order is config If you specify a name for an...

Page 762: ... be inserted among the existing rules in the depth first match order Note that the IDs of the rules still remain the same z You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6 number name acl6 name match order auto config command but only when the ACL does not contain any rules z The rule specified in the rule comment command must already exist Configuration Example Configu...

Page 763: ...n creating the ACL you can use the acl ipv6 name acl6 name command to enter the view of the ACL later Create or modify a rule rule rule id deny permit protocol established ack ack value fin fin value psh psh value rst rst value syn syn value urg urg value destination dest dest prefix dest dest prefix any destination port operator port1 port2 dscp dscp fragment icmpv6 type icmpv6 type icmpv6 code i...

Page 764: ...tion Example Configure IPv6 ACL 3000 to permit TCP packets with the source address of 2030 5060 9050 64 Sysname system view Sysname acl ipv6 number 3000 Sysname acl6 adv 3000 rule permit tcp source 2030 5060 9050 64 Verify the configuration Sysname acl6 adv 3000 display acl ipv6 3000 Advanced IPv6 ACL 3000 named none 1 rule ACL s step is 5 rule 0 permit tcp source 2030 5060 9050 64 5 times matched...

Page 765: ...ll name acl6 name Available in any view Display information about ACL uses of a switch display acl resource Available in any view Display the configuration and status on time range display time range time range name all Available in any view Clear statistics about a specified or all IPv6 ACLs that are referenced by upper layer software reset acl ipv6 counter acl6 number all name acl6 name Availabl...

Page 766: ...pv6 2000 Switch classifier c_rd quit Configure traffic behavior b_rd to deny matching packets Switch traffic behavior b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Apply QoS policy p_rd to interface GigabitEthe...

Page 767: ...odify rules and the edited rules take effect immediately You can configure an interval for collecting and outputting packet filtering logs The log information includes the number of matching packets and the ACL rules used The system only logs traffic filtered by basic and advanced ACL rules with the logging keyword configured Filtering IPv4 Packets Follow these steps to apply an IPv4 ACL to an int...

Page 768: ... introduction and configuration of the information center refer to Information Center Configuration in the System Volume Filtering IPv6 Packets Follow these steps to apply an IPv6 ACL to an interface to filter IPv6 packets To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter interface view Enter VLAN interface vie...

Page 769: ... everyday from 8 00 to 18 00 the interface allows only packets sourced from Host A to pass through Configure Device A to output IPv4 packet filtering logs to the console at an interval of 10 minutes Figure 4 1 Network diagram for applying an ACL to an Ethernet interface for filtering IP network GE1 0 1 Host A 192 168 1 2 24 Device A Host B 192 168 1 3 24 Configuration procedure Create a time range...

Page 770: ...to Server from 14 00 to 18 00 during working days without affecting communication between Host A and Host B Figure 4 2 Network diagram for applying an ACL to a VLAN interface Vlan int100 192 168 1 1 Host A 192 168 1 2 Host B 192 168 1 3 Server 192 168 5 100 Configuration procedure Create a time range named study setting it to become active from 14 00 to 18 00 on working days DeviceA system view De...

Page 771: ...ction 1 4 Configuration Procedure 1 4 Displaying and Maintaining Source MAC Address Based ARP Attack Detection 1 5 Configuring ARP Packet Source MAC Address Consistency Check 1 5 Introduction 1 5 Configuration Procedure 1 5 Configuring ARP Active Acknowledgement 1 5 Introduction 1 5 Configuring the ARP Active Acknowledgement Function 1 5 Configuring ARP Detection 1 6 Introduction to ARP Detection ...

Page 772: ...ttacks An attacker can send z ARP packets by acting as a trusted user or gateway As a result the receiving device obtains incorrect ARP entries and thus a communication failure occurs z A large number of IP packets with unreachable destinations As a result the receiving device continuously resolves destination IP addresses and thus its CPU is overloaded z A large number of ARP packets to bring a g...

Page 773: ...increases the load of the destination subnets z The device keeps trying to resolve destination IP addresses which increases the load of the CPU To protect the device from IP packet attacks you can enable the ARP source suppression function or ARP black hole routing function If the packets have the same source address you can enable the ARP source suppression function With the function enabled when...

Page 774: ... suppression configuration information display arp source suppression Available in any view Configuring ARP Packet Rate Limit Introduction This feature allows you to limit the rate of ARP packets to be delivered to the CPU For example if an attacker sends a large number of ARP packets to an ARP detection enabled device the CPU of the device may become overloaded because all the ARP packets are red...

Page 775: ...rded you can specify the MAC address of the gateway or server as a protected MAC address A protected MAC address is excluded from ARP attack detection even if it is an attacker Only the ARP packets delivered to the CPU are detected Configuration Procedure Follow these steps to configure source MAC address based ARP attack detection To do Use the command Remarks Enter system view system view Enable...

Page 776: ...tack valid check enable Required Disabled by default Configuring ARP Active Acknowledgement Introduction Typically the ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets With this feature enabled the gateway upon receiving an ARP packet with a different source MAC address from that in the corresponding ARP entry checks whether the ARP entry has been...

Page 777: ...1 After you enable ARP detection based on DHCP snooping entries for a VLAN z Upon receiving an ARP packet from an ARP untrusted port the device compares the ARP packet against the DHCP snooping entries If a match is found that is the parameters such as IP address MAC addresses port index and VLAN ID are consistent the ARP packet passes the check if not the ARP packet cannot pass the check z Upon r...

Page 778: ...n pass ARP detection based on DHCP snooping entries or 802 1X security entries are considered to be valid The last two detection types are used to prevent user spoofing You can select detection types according to the networking environment z If all access clients acquire IP addresses through DHCP it is recommended that you enable DHCP snooping and ARP detection based on DHCP snooping entries on yo...

Page 779: ...atic IP to MAC binding for ARP detection arp detection static bind ip address mac address Optional Not configured by default If the ARP attack detection mode is static bind you need to configure static IP to MAC bindings for ARP detection During the DHCP assignment process when the client receives the DHCP ACK message from the DHCP server it broadcasts a gratuitous ARP packet to detect address con...

Page 780: ...s in the Ethernet header If they are identical the packet is forwarded otherwise the packet is discarded z dst mac Checks the target MAC address of ARP replies If the target MAC address is all zero all one or inconsistent with the destination MAC address in the Ethernet header the packet is considered invalid and discarded z ip Checks both the source and destination IP addresses in an ARP packet T...

Page 781: ...ess of VLAN interface 10 on Switch A the configuration procedure is omitted 2 Configure a DHCP server the configuration procedure is omitted 3 Configure Host A and Host B as DHCP clients the configuration procedure is omitted 4 Configure Switch B Enable DHCP snooping SwitchB system view SwitchB dhcp snooping SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust S...

Page 782: ...050 Enable ARP detection based on both DHCP snooping entries and static IP to MAC bindings SwitchB arp detection mode dhcp snooping SwitchB arp detection mode static bind Enable the checking of the MAC addresses and IP addresses of ARP packets SwitchB arp detection validate dst mac ip src mac ARP Detection Configuration Example II Network requirements z Enable 802 1X on Switch B Enable ARP detecti...

Page 783: ...witchB GigabitEthernet1 0 2 quit Add local access user test SwitchB local user test SwitchB luser test service type lan access SwitchB luser test password simple test SwitchB luser test quit Enable ARP detection for VLAN 10 SwitchB vlan 10 SwitchB vlan10 arp detection enable Configure the upstream port as a trusted port and the downstream ports as untrusted ports a port is an untrusted port by def...

Page 784: ...ce to be aware of the up down state change of the ports on an indirectly connected link This document describes z Monitor Link Overview z Configuring Monitor Link RRPP RRPP is a link layer protocol designed for Ethernet rings RRPP can prevent broadcast storms caused by data loops when an Ethernet ring is healthy and rapidly restore the communication paths between the nodes after a link is disconne...

Page 785: ...net OAM Functions z Configuring Link Monitoring z Enabling OAM Loopback Testing CFD CFD is an end to end per VLAN link layer OAM mechanism for link connectivity detection fault verification and fault location This document describes z Connectivity Fault Detection Overview z Basic Configuration Tasks z Configuring CC on MEPs z Configuring LB on MEPs z Configuring LT on MEPs Track The track module i...

Page 786: ...orts for a Smart Link Group 1 6 Configuring Role Preemption for a Smart Link Group 1 7 Enabling the Sending of Flush Messages 1 7 Smart Link Device Configuration Example 1 8 Configuring an Associated Device 1 9 Enabling the Receiving of Flush Messages 1 9 Associated Device Configuration Example 1 9 Displaying and Maintaining Smart Link 1 10 Smart Link Configuration Examples 1 10 Single Smart Link ...

Page 787: ...vice connects to two different upstream devices as shown in Figure 1 1 Figure 1 1 Diagram for a dual uplink network GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 A dual uplink network demonstrates high reliability but it may contain network loops In most cases Spanning Tree Protocol STP or Rapid Ring Protection Protocol RRPP is used to remove network loops The problem with STP however is that ST...

Page 788: ...ach form a smart link group with GE1 0 1 being active and GE1 0 2 being standby Master slave port Master port and slave port are two port roles in a smart link group When both ports in a smart link group are up the master port preferentially transits to the forwarding state while the slave port stays in the standby state Once the master port fails the slave port takes over to forward traffic As sh...

Page 789: ...ange z To keep traffic forwarding stable the master port that has been blocked due to link failure does not take over immediately upon its recovery Instead link switchover will occur at next link switchover Topology change mechanism As link switchover can outdate the MAC address forwarding entries and ARP ND entries on all devices you need a forwarding entry update mechanism to ensure proper trans...

Page 790: ... Ports for a Smart Link Group Required Configuring Role Preemption for a Smart Link Group Optional Configuring a Smart Link Device Enabling the Sending of Flush Messages Optional Configuring an Associated Device Enabling the Receiving of Flush Messages Required z A smart link device is a device that supports Smart Link and is configured with a smart link group and a transmit control VLAN for flush...

Page 791: ... MSTIs To view VLAN to MSTI mappings use the display stp region configuration command For VLAN to MSTI mapping configuration refer to MSTP Configuration in the Access Volume Configuring Member Ports for a Smart Link Group You can configure member ports for a smart link group either in smart link group view or in interface view The configurations made in these two views have the same effect In smar...

Page 792: ...ink group view smart link group group id Enable role preemption preemption mode role Required Disabled by default Configure the preemption delay preemption delay delay time Optional 1 second by default The preemption delay configuration takes effect only after role preemption is enabled Enabling the Sending of Flush Messages Follow these steps to enable the sending of flush messages To do Use the ...

Page 793: ...tEthernet 1 0 2 as the slave port z Configure VLAN 20 for flush update Configuration procedure Sysname system view Sysname vlan 20 Sysname vlan20 quit Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 undo stp enable Sysname GigabitEthernet1 0 1 port link type trunk Sysname GigabitEthernet1 0 1 port trunk permit vlan 20 Sysname GigabitEthernet1 0 1 quit Sysname interface gigabit...

Page 794: ...ified for processing flush messages the device forwards the received flush messages without processing them z Make sure that the receive control VLAN is the same as the transmit control VLAN configured on the smart link device If they are not the same the associated device will forward the received flush messages directly without any processing z Do not remove the control VLANs Otherwise flush mes...

Page 795: ...I 2 respectively z Traffic of VLANs 1 through 30 on Device C and Device D are dually uplinked to Device A z Configure Smart Link on the devices for dual uplink backup using VLAN 1 the default for flush update Figure 1 2 Single smart link group configuration Device A Device E Device D Device C Device B GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 M...

Page 796: ...2 Configure GigabitEthernet 1 0 1 as the master port and GigabitEthernet 1 0 2 as the slave port for smart link group 1 DeviceC smlk group1 port gigabitethernet 1 0 1 master DeviceC smlk group1 port gigabitethernet 1 0 2 slave Enable flush message sending in smart link group 1 DeviceC smlk group1 flush enable DeviceC smlk group1 quit 2 Configuration on Device D Create VLANs 1 through 30 map VLANs ...

Page 797: ...0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as trunk ports that permit VLANs 1 through 30 and enable flush message receiving on them DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 port trunk permit vlan 1 to 30 DeviceB GigabitEthernet1 0 1 smart link flush enable DeviceB GigabitEthernet1 0 1 quit DeviceB interface giga...

Page 798: ...trunk ports that permit VLANs 1 through 30 and enable flush message receiving on them DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 port link type trunk DeviceA GigabitEthernet1 0 1 port trunk permit vlan 1 to 30 DeviceA GigabitEthernet1 0 1 smart link flush enable DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 port lin...

Page 799: ...traffic of VLANs 101 through 200 over different links to Device A z Implement dual uplink backup on Device C traffic of VLANs 1 through 100 mapped to MSTI 0 is uplinked to Device A by Device B traffic of VLANs 101 through 200 mapped to MSTI 2 is uplinked to Device A by Device D Smart link group 1 references MSTI 0 and smart link group 2 references MSTI 2 z The control VLAN of smart link group 1 is...

Page 800: ...or smart link group 1 DeviceC smlk group1 port gigabitethernet 1 0 1 master DeviceC smlk group1 port gigabitethernet 1 0 2 slave Enable role preemption in smart link group 1 enable flush message sending and configure VLAN 10 as the transmit control VLAN DeviceC smlk group1 preemption mode role DeviceC smlk group 1 flush enable control vlan 10 DeviceC smlk group 1 quit Create smart link group 2 and...

Page 801: ...s the receive control VLANs DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 port link type trunk DeviceD GigabitEthernet1 0 1 port trunk permit vlan 1 to 200 DeviceD GigabitEthernet1 0 1 smart link flush enable control vlan 10 101 DeviceD GigabitEthernet1 0 1 quit DeviceD interface gigabitethernet 1 0 2 DeviceD GigabitEthernet1 0 2 port link type trunk DeviceD GigabitEthernet1...

Page 802: ...21 GigabitEthernet1 0 2 SLAVE STANDBY 1 17 45 20 2009 02 21 Smart link group 2 information Device ID 000f e23d 5af0 Preemption mode ROLE Control VLAN 101 Protected VLAN Reference Instance 2 Member Role State Flush count Last flush time GigabitEthernet1 0 2 MASTER ACTVIE 5 16 37 20 2009 02 21 GigabitEthernet1 0 1 SLAVE STANDBY 1 17 45 20 2009 02 21 You can use the display smart link flush command t...

Page 803: ...Terminology 1 1 How Monitor Link Works 1 2 Configuring Monitor Link 1 2 Configuration Prerequisites 1 2 Creating a Monitor Link Group 1 2 Configuring Monitor Link Group Member Ports 1 3 Displaying and Maintaining Monitor Link 1 3 Monitor Link Configuration Example 1 4 ...

Page 804: ...ate of uplink ports triggering link switchover on the downstream device in time as shown in Figure 1 1 Figure 1 1 Network diagram for monitor link application scenario Device A Device D Device B Core network GE1 0 1 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 GE1 0 3 GE1 0 3 User network Uplink Downlink Monitor link group Device C GE1 0 1 GE1 0 2 GE1 0 2 Terminology Monitor link group A monitor link group is ...

Page 805: ...e link that connects the uplink ports in a monitor link group while the downlink is the link that connects the downlink ports How Monitor Link Works A monitor link group works independently of other monitor link groups When a monitor link group contains no uplink port or all its uplink ports are down the monitor link group goes down and forces all downlink ports down at the same time When any upli...

Page 806: ...ber ports for a monitor link group in interface view To do Use the command Remarks Enter system view system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Configure the current interface as a member of a monitor link group port monitor link group group id uplink downlink Required z You can assign a Layer 2 Ethernet interface or Laye...

Page 807: ...Network diagram for smart link in combination with monitor link configuration Configuration procedure 1 Configuration on Device C Create VLANs 1 through 30 map VLANs 1 through 10 to MSTI 0 VLANs 11 through 20 to MSTI 1 and VLANs 21 through 30 to MSTI 2 and activate MST region configuration DeviceC system view DeviceC vlan 1 to 30 DeviceC stp region configuration DeviceC mst region instance 0 vlan ...

Page 808: ...ges DeviceC smlk group1 flush enable DeviceC smlk group1 quit 2 Configuration on Device A Create VLANs 1 through 30 DeviceA system view DeviceA vlan 1 to 30 Configure GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as trunk ports assign them to VLANs 1 through 30 and enable flush message receiving on them DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 port link type trunk Dev...

Page 809: ...et 1 0 1 DeviceD GigabitEthernet1 0 1 port link type trunk DeviceD GigabitEthernet1 0 1 port trunk permit vlan 1 to 30 DeviceD GigabitEthernet1 0 1 smart link flush enable DeviceD GigabitEthernet1 0 1 quit DeviceD interface gigabitethernet 1 0 2 DeviceD GigabitEthernet1 0 2 port link type trunk DeviceD GigabitEthernet1 0 2 port trunk permit vlan 1 to 30 DeviceD GigabitEthernet1 0 2 smart link flus...

Page 810: ...k information about monitor link group 1 on Device D DeviceD display monitor link group 1 Monitor link group 1 information Group status DOWN Last up time 16 35 27 2009 4 21 Last down time 16 37 19 2009 4 21 Member Role Status GigabitEthernet1 0 1 UPLINK DOWN GigabitEthernet1 0 2 DOWNLINK DOWN ...

Page 811: ...figuring Control VLANs 1 11 Configuring Protected VLANs 1 11 Configuring RRPP Rings 1 12 Configuring RRPP Ports 1 12 Configuring RRPP Nodes 1 13 Activating an RRPP Domain 1 15 Configuring RRPP Timers 1 15 Configuring an RRPP Ring Group 1 16 Displaying and Maintaining RRPP 1 17 RRPP Configuration Examples 1 17 Single Ring Configuration Example 1 17 Intersecting Ring Configuration Example 1 19 Inter...

Page 812: ...ee protocols RRPP features the following z Fast topology convergence z Convergence time independent of Ethernet ring size Background Metropolitan area networks MANs and enterprise networks usually use the ring structure to improve reliability However services will be interrupted if any node in the ring network fails A ring network usually uses Resilient Packet Ring RPR or Ethernet rings RPR is hig...

Page 813: ...one of the following two states z Health state All the physical links on the Ethernet ring are connected z Disconnect state Some physical links on the Ethernet ring are broken As shown in Figure 1 1 Domain 1 contains two RRPP rings Ring 1 and Ring 2 The level of Ring 1 is set to 0 that is Ring 1 is configured as the primary ring the level of Ring 2 is set to 1 that is Ring 2 is configured as a sub...

Page 814: ...o detect the integrity of the primary ring and perform loop guard As shown in Figure 1 1 Ring 1 is the primary ring and Ring 2 is a subring Device A is the master node of Ring 1 Device B Device C and Device D are the transit nodes of Ring 1 Device E is the master node of Ring 2 Device B is the edge node of Ring 2 and Device C is the assistant edge node of Ring 2 Primary port and secondary port Eac...

Page 815: ...ring group configured on an assistant edge node is called an assistant edge node RRPP ring group Up to one subring in an edge node RRPP ring group is allowed to send Edge Hello packets RRPPDUs Table 1 1 shows the types of RRPPDUs and their functions Table 1 1 RRPPDU types and their functions Type Description Hello The master node initiates Hello packets to detect the integrity of a ring in a netwo...

Page 816: ...ved Hello packets ensuring that all nodes in the ring network are consistent in the two timer settings How RRPP Works Polling mechanism The polling mechanism is used by the master node of an RRPP ring to check the Health state of the ring network The master node sends Hello packets out its primary port periodically and these Hello packets travel through each transit node on the ring in turn z If t...

Page 817: ...traffic by transmitting traffic of different VLANs along different paths By configuring an individual RRPP domain for transmitting the traffic of the specified VLANs referred to as protected VLANs in a ring network traffic of different VLANs can be transmitted according to different topologies in the ring network In this way load balancing is achieved As shown in Figure 1 6 Ring 1 is configured as...

Page 818: ...As shown in Figure 1 3 there are two or more rings in the network topology and only one common node between rings In this case you need to define an RRPP domain for each ring Figure 1 3 Schematic diagram for a tangent ring network Intersecting rings As shown in Figure 1 4 there are two or more rings in the network topology and two common nodes between rings In this case you only need to define an ...

Page 819: ...m for a dual homed ring network Single ring load balancing In a single ring network you can achieve load balancing by configuring multiple domains As shown in Figure 1 6 Ring 1 is configured as the primary ring of both Domain 1 and Domain 2 Domain 1 and Domain 2 are configured with different protected VLANs In Domain 1 Device A is configured as the master node of Ring 1 in Domain 2 Device B is con...

Page 820: ... Device E is configured as the master node of Ring 2 in both Domain 1 and Domain 2 However different ports on Device E are blocked in Domain 1 and Domain 2 With the configurations you can enable traffic of different VLANs to travel over different paths in the subring and primary ring thus achieving intersecting ring load balancing Figure 1 7 Schematic diagram for an intersecting ring load balancin...

Page 821: ...er node in the RRPP domain Configuring an RRPP Ring Group Optional Perform this task on the edge node and assistant edge node in the RRPP domain z RRPP does not have an auto election mechanism so you must configure each node in the ring network properly for RRPP to monitor and protect the ring network z Before configuring RRPP you need to construct a ring shaped Ethernet topology physically Creati...

Page 822: ...red with RRPP you must ensure only the two ports connecting the device to the RRPP ring permit the packets of the control VLANs Otherwise the packets from other VLANs may go into the control VLANs in transparent transmission mode and strike the RRPP ring Configuring Protected VLANs Before configuring RRPP rings in an RRPP domain configure the same protected VLANs for all nodes in the RRPP domain f...

Page 823: ...ng RRPP Ports Perform this configuration on each node s ports intended for accessing RRPP rings Follow these steps to configure RRPP ports To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the link type of the interface as trunk port link type trunk Required By default the link type of an interface is access Configu...

Page 824: ... Configuring RRPP Nodes z The maximum number of rings that can be configured on a device in all RRPP domains is 16 z If a device carries multiple RRPP rings in an RRPP domain only one ring can be configured as the primary ring on the device and the role of the device on a subring can only be an edge node or an assistant edge node Specifying a master node Perform this configuration on a device to b...

Page 825: ...e interface number secondary port interface type interface number level level value Required Specify the current device as the edge node of a subring and specify the edge port ring ring id node mode edge edge port interface type interface number Required Specifying an assistant edge node When configuring an assistant edge node you must first configure the primary ring before configuring the subrin...

Page 826: ...s master node before enabling the subrings on their separate master nodes On an edge node or assistant edge node enable disable the primary ring and subrings separately as follows z Enable the primary ring of an RRPP domain before enabling the subrings of the RRPP domain z Disable the primary ring of an RRPP domain after disabling all subrings of the RRPP domain Configuring RRPP Timers Perform thi...

Page 827: ...emarks Enter system view system view Create an RRPP ring group and enter RRPP ring group view rrpp ring group ring group id Required Assign the specified subrings to the RRPP ring group domain domain id ring ring id list Required z You can assign a subring to only one RRPP ring group Make sure that the RRPP ring group configured on the edge node and that configured on the assistant edge node must ...

Page 828: ...te RRPP domain 1 specify the primary control VLAN of RRPP domain 1 as VLAN 4092 and RRPP domain 1 protects all VLANs z Device A Device B Device C and Device D constitute primary ring 1 z Specify Device A as the master node of primary ring 1 GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port z Specify Device B Device C and Device D as the transit nodes of prim...

Page 829: ...y port and enable ring 1 DeviceA rrpp domain1 ring 1 node mode master primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceA rrpp domain1 ring 1 enable DeviceA rrpp domain1 quit Enable RRPP DeviceA rrpp enable 2 Configuration on Device B Disable STP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 configure the two ports as trunk ports and assign them to all VLAN...

Page 830: ...formation on each device Intersecting Ring Configuration Example Networking requirements As shown in Figure 1 9 z Device A Device B Device C and Device D constitute RRPP domain 1 VLAN 4092 is the primary control VLAN of RRPP domain 1 and RRPP domain 1 protects all the VLANs z Device A Device B Device C and Device D constitute primary ring 1 and Device B Device C and Device E constitute subring 2 z...

Page 831: ...et1 0 2 undo stp enable DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2 port trunk permit vlan all DeviceA GigabitEthernet1 0 2 qos trust dot1p DeviceA GigabitEthernet1 0 2 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN of RRPP domain 1 and configure the VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1 DeviceA rrpp...

Page 832: ...B GigabitEthernet1 0 3 qos trust dot1p DeviceB GigabitEthernet1 0 3 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN of RRPP domain 1 and configure the VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1 DeviceB rrpp domain 1 DeviceB rrpp domain1 control vlan 4092 DeviceB rrpp domain1 protected vlan reference instance 0 to 16 Configure Device B as a ...

Page 833: ...omain 1 DeviceC rrpp domain 1 DeviceC rrpp domain1 control vlan 4092 DeviceC rrpp domain1 protected vlan reference instance 0 to 16 Configure Device C as a transit node of primary ring 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceC rrpp domain1 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port giga...

Page 834: ...iguration on Device E Disable STP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 configure the two ports as trunk ports and assign them to all VLANs and configure them to trust the 802 1p precedence of the received packets DeviceE system view DeviceE interface gigabitethernet 1 0 1 DeviceE GigabitEthernet1 0 1 undo stp enable DeviceE GigabitEthernet1 0 1 port link type trunk DeviceE GigabitEth...

Page 835: ...node of the subring Ring 3 Device B is the assistant edge node of the subring Ring 3 z Device A Device B Device C Device D and Device E constitute RRPP domain 2 and VLAN 105 is the primary control VLAN of the RRPP domain Device A is the master node of the primary ring Ring 1 Device D is the transit node of the primary ring Ring 1 Device E is the master node of the subring Ring 2 Device C is the ed...

Page 836: ...t1p DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 undo stp enable DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2 undo port trunk permit vlan 1 DeviceA GigabitEthernet1 0 2 port trunk permit vlan 10 20 DeviceA GigabitEthernet1 0 2 qos trust dot1p DeviceA GigabitEthernet1 0 2 quit Create RRPP domain 1 configure ...

Page 837: ...1 0 1 and GigabitEthernet 1 0 2 configure the two ports as trunk ports remove them from VLAN 1 and assign them to VLAN 10 and VLAN 20 and configure them to trust the 802 1p precedence of the received packets DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 undo stp enable DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 undo port trunk permit vlan ...

Page 838: ...0 2 as the secondary port and enable ring 1 DeviceB rrpp domain1 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceB rrpp domain1 ring 1 enable Configure Device B as the assistant edge node of subring 3 in RRPP domain 1 with GigabitEthernet 1 0 4 as the edge port and enable subring 3 DeviceB rrpp domain1 ring 3 node mode assistant edge e...

Page 839: ...ust dot1p DeviceC GigabitEthernet1 0 1 quit DeviceC interface gigabitethernet 1 0 2 DeviceC GigabitEthernet1 0 2 undo stp enable DeviceC GigabitEthernet1 0 2 port link type trunk DeviceC GigabitEthernet1 0 2 undo port trunk permit vlan 1 DeviceC GigabitEthernet1 0 2 port trunk permit vlan 10 20 DeviceC GigabitEthernet1 0 2 qos trust dot1p DeviceC GigabitEthernet1 0 2 quit Disable STP on GigabitEth...

Page 840: ...ing 3 node mode edge edge port gigabitethernet 1 0 4 DeviceC rrpp domain1 ring 3 enable DeviceC rrpp domain1 quit Create RRPP domain 2 configure VLAN 105 as the primary control VLAN of RRPP domain 2 and configure the VLAN mapped to MSTI 2 as the protected VLAN of RRPP domain 2 DeviceC rrpp domain 2 DeviceC rrpp domain2 control vlan 105 DeviceC rrpp domain2 protected vlan reference instance 2 Confi...

Page 841: ...tEthernet1 0 2 quit Create RRPP domain 1 configure VLAN 100 as the primary control VLAN of RRPP domain 1 and configure the VLAN mapped to MSTI 1 as the protected VLAN of RRPP domain 1 DeviceD rrpp domain 1 DeviceD rrpp domain1 control vlan 100 DeviceD rrpp domain1 protected vlan reference instance 1 Configure Device D as the transit node of primary ring 1 in RRPP domain 1 with GigabitEthernet 1 0 ...

Page 842: ...bitEthernet1 0 1 quit DeviceE interface gigabitethernet 1 0 2 DeviceE GigabitEthernet1 0 2 undo stp enable DeviceE GigabitEthernet1 0 2 port link type trunk DeviceE GigabitEthernet1 0 2 undo port trunk permit vlan 1 DeviceE GigabitEthernet1 0 2 port trunk permit vlan 20 DeviceE GigabitEthernet1 0 2 qos trust dot1p DeviceE GigabitEthernet1 0 2 quit Create RRPP domain 2 configure VLAN 105 as the pri...

Page 843: ...abitEthernet1 0 2 port trunk permit vlan 10 DeviceF GigabitEthernet1 0 2 qos trust dot1p DeviceF GigabitEthernet1 0 2 quit Create RRPP domain 1 configure VLAN 100 as the primary control VLAN and configure the VLAN mapped to MSTI 1 as the protected VLAN DeviceF rrpp domain 1 DeviceF rrpp domain1 control vlan 100 DeviceF rrpp domain1 protected vlan reference instance 1 Configure Device F as the mast...

Page 844: ...D is not the same for the nodes in the same RRPP ring z Some ports are abnormal Solution z Use the display rrpp brief command to check whether RRPP is enabled for all nodes If not use the rrpp enable command and the ring enable command to enable RRPP and RRPP rings for all nodes z Use the display rrpp brief command to check whether the domain ID and primary control VLAN ID are the same for all nod...

Page 845: ... 8 Enabling DLDP 1 9 Setting DLDP Mode 1 9 Setting the Interval for Sending Advertisement Packets 1 10 Setting the DelayDown Timer 1 10 Setting the Port Shutdown Mode 1 11 Configuring DLDP Authentication 1 12 Resetting DLDP State 1 12 Displaying and Maintaining DLDP 1 13 DLDP Configuration Example 1 13 Troubleshooting 1 16 ...

Page 846: ... can receive packets from the other end but the other end cannot For example if two switches Switch A and Switch B are connected via a fiber pair one used for sending packets from A to B and the other for sending packets from B to A the link between the two switches is a bidirectional link two way link If one of these fibers gets broken the link becomes a unidirectional link one way link Unidirect...

Page 847: ...auto negotiation mechanism provided by the physical layer detects physical signals and faults DLDP performs operations such as identifying peer devices detecting unidirectional links and shutting down unreachable ports The cooperation of physical layer protocols and DLDP ensures that physical logical unidirectional links can be detected and shut down and prevents failure of other protocols such as...

Page 848: ...SY tags that can be sent successively is 5 Advertisement timer Determines the interval to send advertisement packets which defaults to 5 seconds Probe timer Determines the interval to send Probe packets which defaults to 0 5 seconds That is a device in the probe state sends two Probe packets every second by default The maximum number of Probe packets that can be sent successively is 10 Echo timer ...

Page 849: ...moves the corresponding neighbor entry and sends an Advertisement packet with the RSY tag z In enhanced DLDP mode when an entry timer expires the Enhanced timer is triggered and the device sends up to eight Probe packets at the frequency of one packet per second to test the neighbor If no Echo packet is received from the neighbor when the Echo timer expires the device transits to the Disable state...

Page 850: ...e Authentication type field of DLDP packets to 0 The receiving side checks the values of the two fields of received DLDP packets and drops the packets with the two fields conflicting with the corresponding local configuration z Plain text authentication In this mode before sending a DLDP packet the sending side sets the Authentication field to the password configured in plain text and sets the Aut...

Page 851: ...ponding neighbor entry does not exist creates the neighbor entry triggers the Entry timer and transits to Probe state Advertisement packet with RSY tag Retrieving the neighbor information If the corresponding neighbor entry already exists resets the Entry timer and transits to Probe state If the corresponding neighbor entry does not exist creates the neighbor entry triggers the Entry timer and tra...

Page 852: ...nformation If not no process is performed LinkDown packet Check to see if the local port operates in Enhanced mode If yes and the local port is not in Disable state the local transits to Disable state 3 If no echo packet is received from the neighbor DLDP performs the following processing Table 1 6 Processing procedure when no echo packet is received from the neighbor No echo packet received from ...

Page 853: ...states described in Table 1 7 Table 1 7 Description on DLDP neighbor states DLDP neighbor state Description Unknown A neighbor is in this state when it is just detected and is being probed No information indicating the state of the neighbor is received A neighbor is in this state only when it is being probed It transits to Two way state or Unidirectional state after the probe operation finishes Tw...

Page 854: ...y default Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name Either of the two is required Configurations made in Ethernet port view apply to the current port only configurations performed in port group view apply to all the ports in the port group Enable DLDP dldp enable Required Di...

Page 855: ... advertisement packets will increase In most cases you are recommended to use the default Follow these steps to set the interval for sending Advertisement packets To do Use the command Remarks Enter system view system view Set the interval for sending Advertisement packets dldp interval time Optional 5 seconds by default z The interval for sending Advertisement packets applies to all DLDP enabled ...

Page 856: ...state only after you manually shut down unidirectional link ports with the shutdown command z Auto mode In this mode when a unidirectional link is detected DLDP transits to Disable state generates log and traps and sets the port state to DLDP Down Follow these steps to set port shutdown mode To do Use the command Remarks Enter system view system view Set port shutdown mode dldp unidirectional shut...

Page 857: ...enable the port to perform DLDP detect again you can reset the DLDP state of the port in one of the following methods z If the port is shut down with the shutdown command manually run the undo shutdown command on the port z If the port is shut down by DLDP automatically run the dldp reset command on the port Alternatively you can leave the work to DLDP which can enable the port automatically upon ...

Page 858: ...te dldp reset Required Displaying and Maintaining DLDP To do Use the command Remarks Display the DLDP configuration of a port display dldp interface type interface number Available in any view Display the statistics on DLDP packets passing through a port display dldp statistics interface type interface number Available in any view Clear the statistics on DLDP packets passing through a port reset d...

Page 859: ... 2 Configuration on Device B Enable DLDP globally and then on GigabitEthernet1 0 50 and GigabitEthernet 1 0 51 respectively DeviceB system view DeviceB dldp enable DeviceB interface gigabitethernet 1 0 50 DeviceB GigabitEthernet1 0 50 dldp enable DeviceB GigabitEthernet1 0 50 quit DeviceB interface gigabitethernet 1 0 51 DeviceB GigabitEthernet1 0 51 dldp enable DeviceB GigabitEthernet1 0 51 quit ...

Page 860: ...re thus shut down Correct the fiber connections on detecting the unidirectional link problem As a result the ports shut down by DLDP automatically recover Display the DLDP configuration information on all the DLDP enabled ports of Device A DeviceA display dldp DLDP global status enable DLDP interval 6s DLDP work mode enhance DLDP authentication mode none DLDP unidirectional shutdown auto DLDP dela...

Page 861: ...ice B are connected through two fiber pairs in which two fibers are cross connected The unidirectional links cannot be detected all the four ports involved are in Advertisement state Analysis The problem can be caused by the following z The intervals for sending Advertisement packets on Device A and Device B are not the same z DLDP authentication modes passwords on Device A and Device B are not th...

Page 862: ...ration Task List 1 6 Configuring Basic Ethernet OAM Functions 1 6 Configuring Link Monitoring 1 7 Configuring Errored Symbol Event Detection 1 7 Configuring Errored Frame Event Detection 1 7 Configuring Errored Frame Period Event Detection 1 7 Configuring Errored Frame Seconds Event Detection 1 8 Enabling OAM Remote Loopback 1 8 Displaying and Maintaining Ethernet OAM Configuration 1 9 Ethernet OA...

Page 863: ...rnet has been absent all along hindering the usage of Ethernet in MANs and WANs Implementing Operation Administration and Maintenance OAM on Ethernet networks has now become an urgent matter As a tool monitoring Layer 2 link status Ethernet OAM is mainly used to address common link related issues on the last mile You can monitor the status of the point to point link between two directly connected ...

Page 864: ... be forwarded Source addr Source MAC address of the Ethernet OAMPDU It is the bridge MAC address of the sending side and is a unicast MAC address Type Type of the encapsulated protocol in the Ethernet OAMPDU The value is 0x8809 Subtype The specific protocol being encapsulated in the Ethernet OAMPDU The value is 0x03 Flags Status information of an Ethernet OAM entity Code Type of the Ethernet OAMPD...

Page 865: ... interconnected OAM entities notify the peer of their OAM configuration information and the OAM capabilities of the local nodes by exchanging Information OAMPDUs and determine whether Ethernet OAM connections can be established An Ethernet OAM connection can be established only when the settings concerning Loopback link detecting and link event of the both sides match After an Ethernet OAM connect...

Page 866: ...nk faults in various environments Ethernet OAM implements link monitoring through the exchange of Event Notification OAMPDUs Upon detecting a link error event listed in Table 1 4 the local OAM entity sends an Event Notification OAMPDU to notify the remote OAM entity With the log information network administrators can keep track of network status in time Table 1 4 describes the link events Table 1 ...

Page 867: ...encies of the corresponding OAMPDUs Table 1 5 Critical link error events Ethernet OAM link events Description Link Fault Peer link signal is lost Dying Gasp An unexpected fault such as power failure occurred Critical event An undetermined critical event happened The support of 3Com Switch 4500G family for information OAMPDUs carrying critical link events is as follows z 3Com Switch 4500G family ar...

Page 868: ...al Configuring Link Monitoring Configuring Errored Frame Seconds Event Detection Optional Enabling OAM Remote Loopback Optional Configuring Basic Ethernet OAM Functions As for Ethernet OAM connection establishment a device can operate in active mode or passive mode After Ethernet OAM is enabled on an Ethernet port according to its Ethernet OAM mode the Ethernet port establishes an Ethernet OAM con...

Page 869: ...ol threshold threshold value Optional 1 by default Configuring Errored Frame Event Detection An errored frame event occurs when the number of detected error frames over a specific interval exceeds the predefined threshold Follow these steps to configure errored frame event detection To do Use the command Remarks Enter system view system view Configure the errored frame event detection interval oam...

Page 870: ...nds period period value Optional 60 second by default Configure the errored frame seconds event triggering threshold oam errored frame seconds threshold threshold value Optional 1 by default Make sure the errored frame seconds triggering threshold is less than the errored frame seconds detection interval Otherwise no errored frame seconds event can be generated Enabling OAM Remote Loopback After e...

Page 871: ...where Ethernet OAM remote loopback is being performed to link aggregation groups For more information about link aggregation groups refer to Ethernet Link Aggregation Configuration in the Access Volume z Enabling internal loopback test on a port in remote loopback test can terminate the remote loopback test For more information about loopback test refer to Ethernet Interface Configuration in the A...

Page 872: ...quit Set the errored frame detection interval to 20 seconds and set the errored frame event triggering threshold to 10 DeviceA oam errored frame period 20 DeviceA oam errored frame threshold 10 2 Configure Device B Configure GigabitEthernet 1 0 1 to operate in active Ethernet OAM mode the default and enable Ethernet OAM for it DeviceB system view DeviceB interface gigabitethernet 1 0 1 DeviceA Gig...

Page 873: ... critical event Port GigabitEthernet1 0 1 Link Status Up Event statistic Link Fault 0 Dying Gasp 0 Critical Event 0 According to the above output information no critical link event occurred on the link between Device A and Device B You can use the display oam link event command to display the statistics of Ethernet OAM link error events For example Display Ethernet OAM link event statistics of the...

Page 874: ...isites 1 7 Configuring Procedure 1 7 Configuring LB on MEPs 1 8 Configuration Prerequisites 1 8 Configuration Procedure 1 8 Configuring LT on MEPs 1 8 Configuration Prerequisites 1 9 Finding the Path Between a Source MEP and a Target MEP 1 9 Enabling Automatic LT Messages Sending 1 9 Displaying and Maintaining CFD 1 9 CFD Configuration Examples 1 10 Configuring Service Instance 1 10 Configuring ME...

Page 875: ...le The MD boundary is defined by some maintenance association end points MEPs configured on the ports An MD is identified by an MD name To accurately locate faults CFD introduces eight levels from 0 to 7 to MDs The bigger the number the higher the level and the larger the area covered Domains can touch or nest if the outer domain has a higher level than the nested one but cannot intersect or overl...

Page 876: ...ssociation end points MEPs and maintenance association intermediate points MIPs z MEP Each MEP is identified by an integer called a MEP ID The MEPs of an MD define the range and boundary of the MD The MA and MD that a MEP belongs to define the VLAN attribute and level of the packets sent by the MEP MEPs fall into inward facing MEPs and outward facing MEPs The level of a MEP determines the levels o...

Page 877: ...gure 1 4 demonstrates a grading example of the CFD module In the figure there are six devices labeled A through F respectively Suppose each device has two ports and MEPs and MIPs are configured on some of these ports Four levels of MDs are designed in this example the bigger the number the higher the level and the larger the area covered In this example Port 1 of device B is configured with the fo...

Page 878: ...s and LBRs are unicast messages Linktrace Linktrace is responsible for identifying the path between the source MEP and the destination MEP This function is implemented in the following way the source MEP multicasts linktrace messages LTMs to the destination MEP After receiving the messages the destination MEP and the MIPs that the LTMs pass send back linktrace reply messages LTRs to the source MEP...

Page 879: ...CM messages even if it is blocked by STP z Only Ethernet ports support CFD Basic Configuration Tasks Basic configuration tasks include z Configuring Service Instance z Configuring MEP z Configuring MIP Generation Rules Based on the network design you should configure MEPs or the rules for generating MIPs on each device However before doing this you must first configure the service instance Configu...

Page 880: ...AN attribute of the service instance become the attribute of the MEP Follow these steps to configure a MEP To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure a MEP cfd mep mep id service instance instance id inbound outbound Required Not configured by default Configure a remote MEP for a MEP in the same service i...

Page 881: ... of the following actions or cases can cause MIPs to be created or deleted after you have configured the cfd mip rule command z Enabling CFD use the cfd enable command z Creating or deleting the MEPs on a port z Changes occur to the VLAN attribute of a port z The rule specified in the cfd mip rule command changes Configuring CC on MEPs After the CC function is configured MEPs can send CCMs mutuall...

Page 882: ...ices the MEPs belonging to the same MD and MA should be configured with the same time interval for CCMs sending Configuring LB on MEPs The LB function can verify the link state between two ends after CC detects a link fault Configuration Prerequisites Before configuring this function you should first complete the MEP and MIP configuration tasks Configuration Procedure Follow these steps to configu...

Page 883: ...arget MEP cfd linktrace service instance instance id mep mep id target mep target mep id target mac mac address ttl ttl value hw only Required Enabling Automatic LT Messages Sending Follow these steps to enable automatic LT messages sending To do Use the command Remarks Enter system view system view Enable automatic LT messages sending cfd linktrace auto detection size size value Required Disabled...

Page 884: ...he light blue square frame and the blue one specify two different MDs z Two MDs MD_A indicated by the light blue square frame with level 5 and MD_B indicated by the blue square frame with level 3 are designed in this network z Define the edge ports of each MD and define the MD of each port z The VLAN IDs of each MA in the two MDs are all 100 According to the network diagram as shown in Figure 1 5 ...

Page 885: ...ervice instance to verify your configuration Configuring MEP and Enabling CC on it Network requirements After finishing service instance configuration you can start to design the MEPs z MEPs are configured at the edge or border of MDs Find the edge port of each MD z Decide the MEP direction inward facing or outward facing on each edge port based on the MD position z Assign a unique ID to each MEP ...

Page 886: ...enable DeviceB GigabitEthernet1 0 3 cfd cc service instance 2 mep 2001 enable 3 On Device D DeviceD system view DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 cfd mep 4001 service instance 2 outbound DeviceD GigabitEthernet1 0 1 cfd remote mep 2001 service instance 2 mep 4001 DeviceD GigabitEthernet1 0 1 cfd mep service instance 2 mep 4001 enable DeviceD GigabitEthernet1 0 1 ...

Page 887: ...ould choose the default rule If MIPs are to be configured only when the low level MDs having MEP you should choose the explicit rule According to the diagram as shown in Figure 1 7 perform the following configurations z In MD_A Device B is designed to have MIPs when its port is configured with low level MEPs In this case port GigabitEthernet 1 0 3 is configured with MEPs of MD_B and the MIPs of MD...

Page 888: ...A system view DeviceA cfd loopback service instance 1 mep 1001 target mep 4002 Configuring LT on MEPs Network requirements Use the LT function to find the path and locate the fault after you obtain the state of the entire network through the CC As shown in Figure 1 6 enable LT on Device A so that Device A can send LTM messages to the MEP on Device D Configuration procedure Configure Device A Devic...

Page 889: ...ration Task List 1 2 Configuring Collaboration Between the Track Module and the Detection Modules 1 2 Configuring Track NQA Collaboration 1 2 Configuring Collaboration Between the Track Module and the Application Modules 1 3 Configuring Track Static Routing Collaboration 1 3 Displaying and Maintaining Track Object s 1 4 Track Configuration Examples 1 4 Static Routing Track NQA Collaboration Config...

Page 890: ...ugh the Track module More specifically the detection modules probe the link status network performance and so on and inform the application modules of the detection result through the Track module After the application modules are aware of the changes of network status they deal with the changes accordingly to avoid communication interruption and network performance degradation The Track module wo...

Page 891: ...ween the Track module and the detection modules and between the Track module and the application modules Complete these tasks to configure Track module Task Remarks Configuring Collaboration Between the Track Module and the Detection Modules Configuring Track NQA Collaboration Required Configuring Collaboration Between the Track Module and the Application Modules Configuring Track Static Routing C...

Page 892: ... of the static route according to the status of the Track object z If the status of the Track object is Positive then the next hop of the static route is reachable and the configured static route is valid z If the status of the Track object is Negative then the next hop of the static route is unreachable and the configured static route is invalid Follow these steps to configure the Track Static Ro...

Page 893: ...tion refer to Static Routing Configuration in the IP Routing Volume Displaying and Maintaining Track Object s To do Use the command Remarks Display information about the specified Track object or all Track objects display track track entry number all Available in any view Track Configuration Examples Static Routing Track NQA Collaboration Configuration Example Network requirements z The next hop o...

Page 894: ...A nqa admin test icmp echo reaction 1 checked element probe fail threshold type consecutive 5 action type trigger only SwitchA nqa admin test icmp echo quit Start NQA probes SwitchA nqa schedule admin test start time now lifetime forever 4 Configure a Track object on Switch A Configure Track object 1 and associate it with Reaction entry 1 of the NQA test group with the administrator admin and the ...

Page 895: ...on Switch A SwitchA display track all Track ID 1 Status Negative Reference object NQA entry admin test Reaction 1 Display the routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 4 Routes 4 Destination Mask Proto Pre Cost NextHop Interface 10 2 1 0 24 Direct 0 0 10 2 1 2 Vlan3 10 2 1 2 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0...

Page 896: ...ackets z Controlling Login Users Basic System Configuration Basic system configuration involves the configuration of device name system clock welcome message user privilege levels and so on This document describes z Configuration display z Basic configurations z CLI features Device Management Through the device management function you can view the current condition of your device and configure run...

Page 897: ...MAC Address Table A switch maintains a MAC address table for fast forwarding packets This document describes z MAC address table overview z Configuring MAC Address Entries z Configuring the Aging Timer for Dynamic MAC Address Entries z Configuring the MAC Learning Limit z Configuring MAC Information System Maintenance and Debugging For the majority of protocols and features supported the system pr...

Page 898: ...ing Optional Parameters Common to an NQA Test Group z Scheduling an NQA Test Group NTP Network Time Protocol NTP is the TCP IP that advertises the accurate time throughout the network This document describes z NTP overview z Configuring the Operation Modes of NTP z Configuring Optional Parameters of NTP z Configuring Access Control Rights z Configuring NTP Authentication Hotfix Hotfix is a fast co...

Page 899: ... Configuration Overview z Configuring the Master Device of a Stack z Configuring Stack Ports of a Slave Device z Logging In to the CLI of a Slave from the Master Automatic Configuration Automatic configuration enables a device to automatically obtain and execute the configuration file when it starts up without loading the configuration file This document describes z Introduction to Automatic Confi...

Page 900: ...7 Configuration Example 2 7 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 10 Configuring Command Authorization 2 11 Configuring Command Accounting 2 12 3 Logging In Through Telnet SSH 3 1 Logging In Through Telnet 3 1 Introduction 3 1 Telnet Connection Establishment 3 1 Common Configuration 3 4 Telnet Login Configurat...

Page 901: ... source IP address Interface Specified for Telnet Packets 7 2 8 Controlling Login Users 8 1 Introduction 8 1 Controlling Telnet Users 8 1 Prerequisites 8 1 Controlling Telnet Users by Source IP Addresses 8 1 Controlling Telnet Users by Source and Destination IP Addresses 8 2 Controlling Telnet Users by Source MAC Addresses 8 3 Configuration Example 8 3 Controlling Network Management Users by Sourc...

Page 902: ...s of user interfaces AUX and VTY z AUX port Used to manage and monitor users logging in via the console port The device provides AUX ports of EIA TIA 232 DTE type The port is usually used for the first access to the switch z VTY virtual type terminal Used to manage and monitor users logging in via VTY VTY port is usually used when you access the device by means of Telnet or SSH Table 1 1 Descripti...

Page 903: ...ws you to uniquely specify a user interface or a group of user interfaces The numbering system starts from number 0 with a step of 1 The numbering approach numbers the two types of user interfaces in the sequence of AUX port and VTY Relative numbering Relative numbering can specify a user interface or a group of user interfaces of a specific type The number is valid only when used under that type ...

Page 904: ... user interface all user interfaces display users all You can execute this command in any view Display the physical attributes and configuration of the current a specified user interface display user interface type number number summary You can execute this command in any view ...

Page 905: ...the prerequisite to configure other login methods By default you can log in to an 3Com Switch 4500G through its Console port only To log in to an Ethernet switch through its Console port the related configuration of the user terminal must be in accordance with that of the Console port Table 2 1 lists the default settings of a Console port Table 2 1 The default settings of a Console port Setting De...

Page 906: ...yperTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are configured as those listed in Table 2 1 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish the connection ...

Page 907: ... the information about the switch by executing commands You can also acquire help by type the character Refer to the following chapters for information about the commands Console Port Login Configuration Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console port login Configuration Description Enter system view system view Ent...

Page 908: ...ging in to the AUX user interface user privilege level level Optional By default commands of level 3 are available to the users logging in to the AUX user interface Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines Set history command buffer size history command max size value Optional By default the history...

Page 909: ...locally or remotely Configure the authentication mode Scheme Create or enter a local user set the authentication password specifies the level and service type for AUX users Refer to Console Port Login Configuration with Authentication Mode Being Scheme for details Changes of the authentication mode of Console port login will not take effect unless you exit and enter again the CLI Console Port Logi...

Page 910: ...ork diagram Figure 2 5 Network diagram for AUX user interface configuration with the authentication mode being none Configuration procedure Enter system view Sysname system view Enter AUX user interface view Sysname user interface aux 0 Specify not to authenticate the user logging in through the Console port Sysname ui aux0 authentication mode none Specify commands of level 2 are available to the ...

Page 911: ...logging in through the Console port are not authenticated while users logging in through the Telnet need to pass the password authentication Set the local password set authentication password cipher simple password Required By default no password is configured Configuration Example Network requirements Assume the switch is configured to allow you to login through Telnet and your user level is set ...

Page 912: ...in to the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user ...

Page 913: ...system view quit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to AAA Configuratio...

Page 914: ... level is set to the administrator level level 3 After you telnet to the switch you need to limit the console user at the following aspects z Configure the name of the local user to be guest z Set the authentication password of the local user to 123456 in plain text z Set the service type of the local user to Terminal z Configure to authenticate the user logging in through the Console port in the ...

Page 915: ...igure 2 4 thus ensuring the consistency between the configurations of the terminal emulation utility and those of the switch Otherwise you will fail to log in to the switch Configuring Command Authorization By default command level for a login user depends on the user level The user is authorized the command with the default level not higher than the user level With the command authorization confi...

Page 916: ...e enabled only the authorized and executed commands will be recorded on the HWTACACS server The command accounting configuration involves three steps 1 Enable command accounting See the following table for details 2 Configure a HWTACACS scheme Specify the IP addresses of the HWTACACS accounting servers and other related parameters For details refer to the section Configuring HWTACACS of AAA Config...

Page 917: ...igured and the route between the switch and the Telnet terminal is available Switch The authentication mode and other settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available Telnet Connection Establishment Telnetting to a Switch from a Terminal You can telnet to a switch and then configure the switc...

Page 918: ...o pass the password authentication to login Step 3 Connect your PC to the Switch as shown in Figure 3 1 Make sure the Ethernet port to which your PC is connected belongs to the management VLAN of the switch and the route between your PC and the switch is available Figure 3 1 Network diagram for Telnet connection establishment Step 4 Launch Telnet on your PC with the IP address of the management VL...

Page 919: ... by executing the telnet command and then to configure the later Figure 3 3 Network diagram for Telnetting to another switch from the current switch Step 1 Configure the user name and password for Telnet on the switch operating as the Telnet server Refer to section Telnet Login Configuration with Authentication Mode Being None section Telnet Login Configuration with Authentication Mode Being Passw...

Page 920: ... Optional By default Telnet and SSH protocol are supported Define a shortcut key for terminating tasks escape key default character Optional By default you can use Ctrl C to terminate a task Configure the type of terminal display under the current user interface terminal type ansi vt100 Optional By default the terminal display type is ANSI Configure the command level available to users logging in ...

Page 921: ...de Being None Configuration Procedure Follow these steps to perform Telnet configuration with authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure not to authenticate users logging in to VTY user interfaces authentication mode none Required By default VTY users are...

Page 922: ...m number of lines the screen can contain to 30 Sysname ui vty0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 Telnet Login Configuration with Authentication Mode Being Password Configuration Procedure Follow these steps to perform Telnet confi...

Page 923: ... Figure 3 5 Network diagram for Telnet configuration with the authentication mode being password 3 Configuration procedure Enter system view and enable the Telnet service Sysname system view Sysname telnet server enable Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 using the local password Sysname ui vty0 authentication mode passwo...

Page 924: ...heme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to AAA Configuration in the Security Volume for details z Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Create a local user and enter local user view local user user name No local...

Page 925: ...screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes 2 Network diagram Figure 3 6 Network diagram for Telnet configuration with the authentication mode being scheme 3 Configuration procedure z Configure the switch Enter system view and enable the Telnet service Sysname system view Sysname telnet server enable Create a l...

Page 926: ...mmand level for a login user is decided by both the user level and AAA authorization If a user executes a command of the corresponding user level the authorization server checks whether the command is authorized If yes the command can be executed The authorization server checks the commands authorized for users through the username and thus the command authorization configuration involves four ste...

Page 927: ...mmand accounting See the following table for details 2 Configure a HWTACACS scheme Specify the IP addresses of the HWTACACS accounting servers and other related parameters For details refer to the section Configuring HWTACACS of AAA Configuration in the Security Volume 3 Configure the ISP domain to use the HWTACACS scheme for command line users For details refer to the section Configuring AAA Acco...

Page 928: ...1 Network diagram for configuring user authentication Configuration procedure Assign an IP address to Device to make Device be reachable from Host A Host B Host C and RADIUS server The configuration is omitted Enable telnet services on Device Device system view Device telnet server enable Set that no authentication is needed when users use the console port to log in to Device Set the privilege lev...

Page 929: ...tication as the backup Device domain system Device isp system authentication login radius scheme rad local Device isp system authorization login radius scheme rad local Device isp system quit Add a local user named monitor set the user password to 123 and specify to display the password in cipher text Authorize user monitor to use the telnet service and specify the level of the user as 1 that is t...

Page 930: ...standard Specify Device to remove the domain name in the username sent to the HWTACACS server for the scheme Device hwtacacs scheme tac Device hwtacacs tac primary authentication 192 168 2 20 49 Device hwtacacs tac primary authorization 192 168 2 20 49 Device hwtacacs tac key authentication expert Device hwtacacs tac key authorization expert Device hwtacacs tac server type standard Device hwtacacs...

Page 931: ...evice user interface aux 0 Device ui aux0 command accounting Device ui aux0 quit Enable command accounting for users logging in through telnet or SSH Device user interface vty 0 4 Device ui vty0 4 command accounting Device ui vty0 4 quit Create a HWTACACS scheme named tac and configure the IP address and TCP port for the primary authorization server for the scheme Ensure that the port number be co...

Page 932: ...t Create ISP domain system and configure the ISP domain system to use HWTACACS scheme tac for accounting of command line users Device domain system Device isp system accounting command hwtacacs scheme tac Device isp system quit ...

Page 933: ...tch is configured The route between the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user name and password for logging in to the Web based network management system are configured IE is available PC operating as the network management terminal The IP address of the management VLAN interface of the swit...

Page 934: ...ess to the management VLAN interface of the switch By default VLAN 1 is the management VLAN z Connect to the console port Refer to section Setting Up the Connection to the Console Port z Execute the following commands in the terminal window to assign an IP address to the management VLAN interface of the switch Configure the IP address of the management VLAN interface to be 10 153 17 82 with the ma...

Page 935: ...s http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 5 2 appears enter the user name and the password configured in step 2 and click Login to bring up the main page of the Web based network management system Figure 5 2 The login page of the Web based network management system ...

Page 936: ...protocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the management VLAN of the switch is configured The route between the NMS and the switch is available Switch The basic SNMP functions are co...

Page 937: ... source IP address interfaces for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source IP address Interface for Telnet Packets The configuration can be performed in user view and system view The configuration performed in user view only applies to the current session Whereas the configuration performed in...

Page 938: ...for Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reachable Displaying the source IP address Interface Specified for Telnet Packets Follow these steps to display the source IP address interface specified for Telnet packets To do Use the command Remarks D...

Page 939: ...ough Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Controlling Network Management Users by Source IP Addresses Controlling Telnet Users Prerequisites The controlling policy against Telnet users is determined including the source and destination IP addresses to be controlled and the controlling actions permitting or denying Controlling ...

Page 940: ...CL refer to ACL Configuration in the Security Volume Follow these steps to control Telnet users by source and destination IP addresses To do Use the command Remarks Enter system view system view Create an advanced ACL or enter advanced ACL view acl ipv6 number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule r...

Page 941: ...ine rules as needed to filter by specific source MAC addresses Quit to system view quit Enter user interface view user interface type first number last number Apply the ACL to control Telnet users by source MAC addresses acl acl number inbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch Layer 2 ACL is invalid for this function if the source IP ...

Page 942: ...rol users accessing the switch through SNMP Prerequisites The controlling policy against network management users is determined including the source IP addresses to be controlled and the controlling actions permitting or denying Controlling Network Management Users by Source IP Addresses Follow these steps to control network management users by source IP addresses To do Use the command Remarks Ent...

Page 943: ...tailed configuration refer to SNMP Configuration in the System Volume Configuration Example Network requirements Only SNMP users sourced from the IP addresses of 10 110 100 52 and 10 110 100 46 are permitted to access the switch Figure 8 2 Network diagram for controlling SNMP users using ACLs Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Configuration procedure Define a basic ACL Sys...

Page 944: ...ing Web users by source IP addresses To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl ipv6 number acl number match order config auto Required The config keyword is specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment logging Required Quit to system view quit ...

Page 945: ... network Host B 10 110 100 52 Configuration procedure Create a basic ACL Sysname system view Sysname acl number 2030 match order config Sysname acl basic 2030 rule 1 permit source 10 110 100 52 0 Reference the ACL to allow only Web users using IP address 10 110 100 52 to access the switch Sysname ip http acl 2030 ...

Page 946: ... 7 Configuring CLI Hotkeys 1 8 Configuring Command Alias 1 9 Configuring User Privilege Levels and Command Levels 1 10 Introduction 1 10 Configuring user privilege level 1 11 Switching user privilege level 1 15 Modifying command level 1 16 Displaying and Maintaining Basic Configurations 1 16 2 CLI Features 2 1 Introduction to CLI 2 1 Online Help with Command Lines 2 1 Synchronous Information Outpu...

Page 947: ...configuration tasks without following the order in this chapter Configuration Display To avoid duplicate configuration you can use the display commands to view the current configuration of the device before configuring the device The configurations of a device fall into the following categories z Factory defaults When devices are shipped they are installed with some basic configurations which are ...

Page 948: ...rations and Telnet operations To perform further configurations of the device enter system view Follow the step below to enter system view To do Use the command Remarks Enter system view from user view system view Required Available in user view Exiting the Current View The system divides the command line interface into multiple command views which adopts a hierarchical structure For example there...

Page 949: ...e the command Remarks Enter system view system view Configure the device name sysname sysname Optional The device name is 4500G by default Configuring the System Clock Configuring the system clock The system clock displayed by system time stamp is decided by the configured relative time time zone and daylight saving time You can view the system clock by using the display clock command Follow these...

Page 950: ...configuration z The default system clock is 2005 1 1 1 00 00 in the example Table 1 1 Relationship between the configuration and display of the system clock Configuration System clock displayed by the display clock command Example 1 date time Configure clock datetime 1 00 2007 1 1 Display 01 00 00 UTC Mon 01 01 2007 2 The original system clock zone offset Configure clock timezone zone time add 1 D...

Page 951: ... saving time range If the value of date time summer offset is not in the summer time range date time summer offset is displayed If the value of date time summer offset is in the summer time range date time is displayed Configure clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock timezone zone time add 1 and...

Page 952: ...he summer time range date time is displayed Configure clock timezone zone time add 1 clock summer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 and clock datetime 3 00 2008 1 1 Display 03 00 00 ss Tue 01 01 2008 Enabling Disabling the Display of Copyright Information z With the display of copyright information enabled the copyright information is displayed when a user logs in through Telnet or SSH...

Page 953: ...gin If entering Y or pressing the Enter key the user enters the authentication or login process if entering N the user quits the authentication or login process Y and N are case insensitive Configuring a banner When you configure a banner the system supports two input modes One is to input all the banner information right after the command keywords The start and end characters of the input text mu...

Page 954: ...view Configure CLI hotkeys hotkey CTRL_G CTRL_L CTRL_O CTRL_T CTRL_U command Optional The Ctrl G Ctrl L and Ctrl O hotkeys are specified with command lines by default Display hotkeys display hotkey Available in any view Refer to Table 1 2 for hotkeys reserved by the system By default the Ctrl G Ctrl L and Ctrl O hotkeys are configured with command line and the Ctrl T and Ctrl U commands are NULL z...

Page 955: ... you press Enter Esc P Moves the cursor up by one line available before you press Enter Esc Specifies the cursor as the beginning of the clipboard Esc Specifies the cursor as the ending of the clipboard These hotkeys are defined by the device When you interact with the device from terminal software these keys may be defined to perform other operations If so the definition of the terminal software ...

Page 956: ...nd is not saved and restored in its alias z If you press Tab after you input the keyword of an alias the original format of the keyword will be displayed z At present the device supports up to 20 command aliases In addition different commands must be configured with different aliases Configuring User Privilege Levels and Command Levels Introduction To restrict the different users access to the dev...

Page 957: ...parameters If the user interface authentication mode is scheme when a user logs in and username and password are needed at login then the user privilege level is specified in the configuration of AAA authentication Follow these steps to configure user privilege level by using AAA authentication parameters To do Use the command Remarks Enter system view system view Enter user interface view user in...

Page 958: ... verify their usernames and passwords locally and specify the user privilege level as 3 Sysname system view Sysname user interface vty 1 Sysname ui vty1 authentication mode scheme Sysname ui vty1 quit Sysname local user test Sysname luser test password cipher 123 Sysname luser test service type telnet After the above configuration when users telnet to the device through VTY 1 they need to input us...

Page 959: ...faces is 0 Follow these steps to configure the user privilege level under a user interface none or password authentication mode To do Use the command Remarks Enter system view system view Enter user interface view user interface type first number last number Configure the authentication mode when a user uses the current user interface to log in to the device authentication mode none password Optio...

Page 960: ...resh Do soft reset reset Reset operation screen length Specify the lines displayed on one screen send Send information to other user terminal interface ssh2 Establish a secure shell client connection super Set the current user priority level telnet Establish one TELNET connection terminal Set the terminal line characteristics tracert Trace route function undo Cancel current setting z Authenticate ...

Page 961: ...vilege level to a high user privilege level only the console login users do not have to enter the password and users that log in from VTY user interfaces need to enter the password for security s sake This password is for level switching only and is different from the login password If the entered password is incorrect or no password is configured the switching fails Therefore before switching a u...

Page 962: ...s Display information on system version display version Display information on the system clock display clock Display defined command aliases and the corresponding commands display command alias Display information on terminal users display users all Display the valid configuration under current view display this by linenum Display clipboard information display clipboard Display and save statistic...

Page 963: ...he System Volume z Support for the display configure user and display current configuration command depends on the device model z The display commands discussed above are for the global configuration Refer to the corresponding section for the display command for specific protocol and interface ...

Page 964: ...agnosis z Saving and executing commands that have been executed z Fuzzy match for convenience of input When you execute a command you can input part of the characters in a keyword However to enable you to confirm your operation the command can be executed only when you input enough characters to make the command unique Take the commands save startup saved configuration and system view which start ...

Page 965: ...s position The command is then repeated in the next command line and executed if you press Enter 4 Enter a character string followed by a All the commands starting with this string are displayed Sysname c cd clock copy 5 Enter a command followed by a character string and a All the keywords starting with this string are listed Sysname display ver version 6 Press Tab after entering the first several...

Page 966: ...10 characters Table 2 1 lists these functions Table 2 1 Edit functions Key Function Common keys If the editing buffer is not full insert the character at the position of the cursor and move the cursor to the right Backspace Deletes the character to the left of the cursor and move the cursor back one character Left arrow key or Ctrl B The cursor moves one character space to the left Right arrow key...

Page 967: ...ar expression and all the subsequent lines z exclude Displays the lines that do not match the regular expression z include Displays only the lines that match the regular expression The regular expression is a string of 1 to 256 characters case sensitive It also supports special characters as shown in Table 2 2 Table 2 2 Special characters in a regular expression Character Meaning Remarks string St...

Page 968: ...ng from 1 from left to right of the character group before if only one character group appears before then index can only be 1 if n character groups appear before index then index can be any integer from 1 to n For example string 1 means to repeat string for once and string 1 must match a string containing stringstring string1 string2 2 means to repeat string2 for once and string1 string2 2 must m...

Page 969: ...screens Generally 24 lines are displayed on one screen and you can also use the screen length command to set the number of lines displayed on the next screen For the details of this command refer to Login Commands in the System Volume You can follow the step below to disable the multiple screen output function of the current user To do Use the command Remarks Disable the multiple screen output fun...

Page 970: ...complete z If you execute a command for multiple times successively the CLI saves the earliest one However if you execute the different forms of a command the CLI saves each form of this command For example if you execute the display cu command for multiple times successively the CLI saves only one history command if you execute the display cu command and then the display current configuration com...

Page 971: ...found Parameter type error Unrecognized command found at position The parameter value is beyond the allowed range Incomplete command found at position Incomplete command Ambiguous command found at position Ambiguous command Too many parameters Too many parameters Wrong parameter found at position Wrong parameter ...

Page 972: ...ommand Lines 1 4 Upgrading the Boot File Through Command Lines 1 5 Disabling Boot ROM Access 1 5 Configuring a Detection Interval 1 6 Clearing the 16 bit Interface Indexes Not Used in the Current System 1 6 Identifying and Diagnosing Pluggable Transceivers 1 7 Introduction to pluggable transceivers 1 7 Identifying pluggable transceivers 1 7 Diagnosing pluggable transceivers 1 8 Displaying and Main...

Page 973: ...he current working state of a device configure running parameters and perform daily device maintenance and management Device Management Configuration Task List Complete these tasks to configure device management Task Remarks Configuring the Exception Handling Method Optional Rebooting a Device Optional Configuring the Scheduled Automatic Execution Function Optional Upgrading the Boot ROM Program T...

Page 974: ... lot Powering off a running device will cause data loss and hardware damages It is not recommended z Trigger the immediate reboot through command lines z Enable the scheduled reboot function through command lines You can set a time at which the device can automatically reboot or set a delay so that the device can automatically reboot within the delay The last two methods are command line operation...

Page 975: ...ied command at a specified time in a specified view This function is used for scheduled system upgrade or configuration Follow these steps to configure the scheduled automatic execution function To do Use the command Remarks Automatically execute the specified command at the specified time schedule job at time date view view command Automatically execute the specified command after the specified d...

Page 976: ... is powered on the Boot ROM program initialize the hardware and display the hardware information Then runs the boot file The boot file provides hardware driver and adaptation for the system and provides the support for the different functions The Boot ROM program and system boot file are required for the startup and running of a device Figure 1 1 illustrates their relationship Figure 1 1 Relations...

Page 977: ...t of the device 3 Reboot the device to make the boot file take effect Follow the step below to upgrade the boot file To do Use the command Remarks Specify a boot file for the next boot boot loader file file url main backup Required Available in user view When multiple Boot ROM files are available on the storage media you can specify a file for the next device boot by executing the following comman...

Page 978: ...timer times out the device will automatically bring up the port Follow these steps to configure a detection interval To do Use the command Remarks Enter system view system view Configure a detection interval shutdown interval time Optional The detection interval is 30 seconds by default Clearing the 16 bit Interface Indexes Not Used in the Current System In practical networks the network managemen...

Page 979: ...n be an optical transceiver Whether can be an electrical transceiver SFP Small Form factor Pluggable Generally used for 100M 1000M Ethernet interfaces or POS 155M 622M 2 5G interfaces Yes Yes GBIC Gigabit Interface Converter Generally used for 1000M Ethernet interfaces Yes Yes XFP 10 Gigabit small Form factor Pluggable Generally used for 10G Ethernet interfaces Yes No XENPAK 10 Gigabit Ethernet Tr...

Page 980: ...he digital diagnosis function which monitors the key parameters of a transceiver such as temperature voltage laser bias current TX power and RX power When these parameters are abnormal you can take corresponding measures to prevent transceiver faults Follow these steps to diagnose pluggable transceivers To do Use the command Remarks Display the current alarm information of the pluggable transceive...

Page 981: ... detailed configurations of the scheduled automatic execution function display schedule job Available in any view Display the exception handling method display system failure Available in any view Device Management Configuration Examples Remote Scheduled Automatic Upgrade Configuration Example Network requirement z As shown in Figure 1 2 the current software version is soft version1 for Device Upg...

Page 982: ...ello FTP Server luser aaa service type ftp FTP Server luser aaa authorization attribute work directory flash aaa z Use text editor on the FTP server to edit batch file auto update txt The following is the content of the batch file return startup saved configuration new config cfg boot loader file soft version2 bin main reboot 2 Configuration on Device Log in to the FTP server note that the prompt ...

Page 983: ...update bat To ensure correctness of the file you can use the more command to view the content of the file Execute the scheduled automatic execution function to enable the device to be automatically upgraded at 3 am Device schedule job at 03 00 view system execute auto update bat Info Command execute auto update bat in system view will be executed at 03 00 12 11 2007 in 12 hours and 0 minutes After...

Page 984: ...or the Next Startup 1 10 Restoring the Startup Configuration File 1 11 Displaying and Maintaining Device Configuration 1 11 2 FTP Configuration 2 1 FTP Overview 2 1 Introduction to FTP 2 1 Operation of FTP 2 1 Configuring the FTP Client 2 3 Establishing an FTP Connection 2 3 Configuring the FTP Client 2 4 FTP Client Configuration Example 2 6 Configuring the FTP Server 2 7 Configuring FTP Server Op...

Page 985: ...ses problems such as data loss or corruption the file system will prompt you to confirm the operation by default Depending on the managed object file system operations fall into Directory Operations File Operations Batch Operations Storage Medium Operations and Setting File System Prompt Modes Filename Formats When you specify a file you must enter the filename in one of the following formats File...

Page 986: ...y or file information and so on Displaying directory information To do Use the command Remarks Display directory or file information dir all file url Required Available in user view Displaying the current working directory To do Use the command Remarks Display the current working directory pwd Required Available in user view Changing the current working directory To do Use the command Remarks Chan...

Page 987: ...ecified directory or file information displaying file contents renaming copying moving removing restoring and deleting files You can create a file by copying downloading or using the save command Displaying file information To do Use the command Remarks Display file or directory information dir all file url Required Available in user view Displaying the contents of a file To do Use the command Rem...

Page 988: ...nally belongs It is recommended to empty the recycle bin timely with the reset recycle bin command to save storage space z The delete unreserved file url command deletes a file permanently and the action cannot be undone Execution of this command equals that you execute the delete file url command and then the reset recycle bin command in the same directory Restoring a file from the recycle bin To...

Page 989: ...ired Execution of a batch file does not guarantee the successful execution of every command in the batch file If a command has error settings or the conditions for executing the command are not satisfied this command will fail to be executed and the system will skip the command to the next one Storage Medium Operations Managing space of the storage medium When some space of a storage medium become...

Page 990: ...rom misoperations the alert mode is preferred To do Use the command Remarks Enter system view system view Set the operation prompt mode of the file system file prompt alert quiet Optional The default is alert File System Operations Example Display the files and the subdirectories under the current directory Sysname dir Directory of flash 0 drw Feb 16 2006 11 45 36 logfile 1 rw 1218 Feb 16 2006 11 ...

Page 991: ...n of a device falls into two types z Startup configuration a configuration file used for initialization when the device boots If this file does not exist the system boots using default configuration file z Current configuration which refers to the currently running configuration of the system The current configuration may include the startup configuration if the startup configuration is not modifi...

Page 992: ... current configuration For detailed configuration refer to Saving the Current Configuration z Specify them when specifying the startup configuration file for the next system startup For detailed configuration refer to Specifying a Startup Configuration File for the Next System Startup Startup with the configuration file The device takes the following steps when it boots 1 If the main startup confi...

Page 993: ...guration file to be used at the next system startup may be lost if the device reboots or the power supply fails In this case the device will boot with the null configuration and after the device reboots you need to re specify a startup configuration file for the next system startup refer to Specifying a Startup Configuration File for the Next System Startup Specifying a Startup Configuration File ...

Page 994: ...p command in user view to see whether you have set the startup configuration file If the file is set as NULL or does not exist the backup operation will fail Deleting the Startup Configuration File for the Next Startup You can delete the startup configuration file to be used at the next system startup using commands You can choose to delete either the main or backup startup configuration file Howe...

Page 995: ...rc filename Required Available in user view z The restore operation restores the main startup configuration file z Before restoring a configuration file you should ensure that the server is reachable the server is enabled with TFTP service and the client has read and write permission z After the command is successfully executed you can use the display startup command in user view to verify that th...

Page 996: ...e the command Remarks Display the current configuration display current configuration configuration configuration interface interface type interface number by linenum begin include exclude text Available in any view ...

Page 997: ...or btm z ASCII mode for text file transmission like files with the suffixes txt bat or cfg Operation of FTP FTP adopts the client server model Your device can function either as the client or as the server as shown in Figure 2 1 z When the device serves as the FTP client the user first connects to the device from a PC through Telnet or an emulation program and then executes the ftp command to esta...

Page 998: ... FTP server configuration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous FTP for security reasons Therefore you must use a valid username and password By default authenticated users can access the root directory of the device Device FTP server Configure the FTP server operat...

Page 999: ...e matched route as the source IP address to communicate with an FTP server z If the source address is specified with the ftp client source or ftp command this source address is used to communicate with an FTP server z If you use the ftp client source command and the ftp command to specify a source address respectively the source address specified with the ftp command is used to communicate with an...

Page 1000: ...le in user view and the open ipv6 command is available in FTP client view Configuring the FTP Client After a device serving as the FTP client has established a connection with the FTP server For how to establish an FTP connection refer to Establishing an FTP Connection you can perform the following operations in the authorized directories of the FTP server To do Use the command Remarks Display hel...

Page 1001: ...Delete specified directory on the FTP server rmdir directory Optional Disconnect from the FTP server without exiting the FTP client view disconnect Optional Equal to the close command Disconnect from the FTP server without exiting the FTP client view close Optional Equal to the disconnect command Disconnect from the FTP server and exit to user view bye Optional Terminate the connection with the re...

Page 1002: ...mory space of the device is not enough use the fixdisk command to clear the memory or use the delete unreserved file url command to delete the files not in use and then perform the following operations Log in to the server through FTP Sysname ftp 10 1 1 1 Trying 10 1 1 1 Connected to 10 1 1 1 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User 10 1 1 1 none abc 331 Give me you...

Page 1003: ...after a file is transferred to the memory This prevents the existing file on the FTP server from being corrupted in the event that anomaly power failure for example occurs during a file transfer z In normal mode the FTP server writes data to the storage medium while receiving data This means that any anomaly power failure for example during file transfer might result in file corruption on the FTP ...

Page 1004: ...tailed configuration refer to AAA Configuration in the Security Volume Follow these steps to configure authentication and authorization for FTP server To do Use the command Remarks Enter system view system view Create a local user and enter its view local user user name Required No local user exists by default and the system does not support FTP anonymous user access Assign a password to the user ...

Page 1005: ...PC z PC keeps the updated startup file of the device Use FTP to upgrade the device and back up the configuration file z Set the username to abc and the password to pwd for the FTP client to log in to the FTP server Figure 2 3 Upgrading using the FTP server Internet Device FTP server PC FTP client 1 2 1 1 16 1 1 1 1 16 Configuration procedure 1 Configure Device FTP Server Create an FTP user account...

Page 1006: ...ile config cfg of the device to the PC for backup ftp get config cfg back config cfg Upload the configuration file newest bin to Device ftp put newest bin ftp bye z You can take the same steps to upgrade configuration file with FTP When upgrading the configuration file with FTP put the new file under the root directory of the storage medium z After you finish upgrading the Boot ROM program through...

Page 1007: ...loader command refer to Device Management Commands in the System Volume Displaying and Maintaining FTP To do Use the command Remarks Display the configuration of the FTP client display ftp client configuration Available in any view Display the configuration of the FTP server display ftp server Available in any view Display detailed information about logged in FTP users display ftp user Available i...

Page 1008: ...is initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In a normal file uploading process the client sends a write request to the TFTP server sends data to the server and receives the acknowledgement from the server TFTP transfers files in two modes z Binar...

Page 1009: ...he secure mode or if you use the normal mode specify a filename not existing in the current directory as the target filename when downloading the startup file or the startup configuration file Source address binding means to configure an IP address on a stable interface such as a loopback interface and then use this IP address as the source IP address of a TFTP connection The source address bindin...

Page 1010: ...tional Available in user view Download or upload a file in an IPv6 network tftp ipv6 tftp ipv6 server i interface type interface number get put source file destination file Optional Available in user view z If no primary IP address is configured on the source interface no TFTP connection can be established z If you use the ftp client source command to first configure the source interface and then ...

Page 1011: ...les not in use and then perform the following operations Enter system view Sysname system view Download application file newest bin from PC Sysname tftp 1 2 1 1 get newest bin Upload a configuration file config cfg to the TFTP server Sysname tftp 1 2 1 1 put config cfg configback cfg Specify newest bin as the main startup file to be used at the next startup Sysname boot loader file newest appbbb b...

Page 1012: ...laying and Maintaining HTTP 1 3 HTTP Configuration Example 1 3 2 HTTPS Configuration 2 1 HTTPS Overview 2 1 HTTPS Configuration Task List 2 1 Associating the HTTPS Service with an SSL Server Policy 2 2 Enabling the HTTPS Service 2 2 Associating the HTTPS Service with a Certificate Attribute Access Control Policy 2 3 Configuring the Port Number of the HTTPS Service 2 3 Associating the HTTPS Service...

Page 1013: ...cally the port number is 80 2 The client sends a request to the server 3 The server processes the request and sends back a response 4 The TCP connection is closed Logging In to the Device Through HTTP You can log onto the device using the HTTP protocol with HTTP service enabled accessing and controlling the device with Web based network management To implement security management on the device you...

Page 1014: ... HTTP service is 80 If you execute the ip http port command for multiple times the last configured port number is used Associating the HTTP Service with an ACL By associating the HTTP service with an ACL only the clients that pass ACL filtering are allowed to access the device Follow these steps to associate the HTTP service with an ACL To do Use the command Remarks Enters system view system view ...

Page 1015: ...st A 10 1 1 2 24 10 2 1 2 24 Device Host B 10 2 1 1 24 Configuration procedure 1 Configure the HTTP server Device Create a basic ACL 2000 allowing packets with the source IP address in 10 1 1 0 24 Device system view Device acl number 2000 Device acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Device acl basic 2000 quit Associate the HTTP service to ACL 2000 Device ip http acl 2000 Enable the ...

Page 1016: ...1 1 ...

Page 1017: ...ess the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security management of the device z Defines certificate attribute based access control policy for the device to control the access right of the client in order to further avoid attacks from illegal clients z The ...

Page 1018: ...only associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS service and the SSL server is automatically removed To enable it again you need to re associate the HTTPS service with an SSL server policy z When the HTTPS service is enabled no modification of its associated SSL server policy takes effect Enabling the HTTPS Service The...

Page 1019: ...associate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate attribute access control policy ip https certificate access control policy policy name Required Not associated by default z If the ip https certificate access control policy command is executed repeatedly the HTTPS...

Page 1020: ...efault z If you execute the ip https acl command for multiple times to associate the HTTPS service with different ACLs the HTTPS service is only associated with the last specified ACL z For the detailed introduction to ACL refer to ACL Configuration in the Security Volume Displaying and Maintaining HTTPS To do Use the command Remarks Display information about HTTPS display ip https Available in an...

Page 1021: ...N as ssl security com Device system view Device pki entity en Device pki entity en common name http server1 Device pki entity en fqdn ssl security com Device pki entity en quit Configure a PKI domain 1 specify the trusted CA as new ca the URL of the server for certificate request as http 10 1 2 2 certsrv mscep mscep dll the authority for certificate request as RA and the entity name as en Device p...

Page 1022: ... server policy myssl Associate the HTTPS service with certificate attribute access control policy myacp ensuring that only HTTPS clients retrieving a certificate from new ca can access the HTTPS server Device ip https certificate access control policy myacp Enable the HTTPS service Device ip https enable Create a local user usera set the password to 123 and service type to telnet Device local user...

Page 1023: ...NMP Logging 1 5 Introduction to SNMP Logging 1 5 Enabling SNMP Logging 1 5 SNMP Trap Configuration 1 6 Enabling the Trap Function 1 6 Configuring Trap Parameters 1 7 Displaying and Maintaining SNMP 1 8 SNMP Configuration Example 1 9 SNMP Logging Configuration Example 1 10 2 MIB Style Configuration 2 1 Setting the MIB Style 2 1 Displaying and Maintaining MIB 2 1 ...

Page 1024: ... the underlying networking technology Thus SNMP achieves effective management of devices from different manufacturers especially in small high speed and low cost network environments SNMP Mechanism An SNMP enabled network comprises a Network Management Station NMS and an agent z An NMS is a station that runs the SNMP client software It offers a user friendly interface making it easier for network ...

Page 1025: ... and agent preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy authentication without privacy or no authentication no privacy Successful interaction between NMS and agent requires consistency of SNMP versions configured on them You can configure multiple SNMP versions for an agent to interact with diff...

Page 1026: ...are as follows 3Com Corporation for contact Marlborough MA 01752 USA for location and SNMP v3 for the version Configure an SNMP agent group snmp agent group v3 group name authentication privacy read view read view write view write view notify view notify view acl acl number Required Convert the user defined plain text password to a cipher text password snmp agent calculate password plain password ...

Page 1027: ... v3 all Required The defaults are as follows 3Com Corporation for contact Marlborough MA 01752 USA for location and SNMP v3 for the version Configur e directly Create an SNMP commun ity snmp agent community read write community name acl acl number mib view view name Configur e an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl...

Page 1028: ...dex of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system prompt information With parameters for the information center set the output rules for SNMP logs are decided that is whether the logs are permitted to output and the output destinations SNMP logs GET request SET request and SET response but does not ...

Page 1029: ... specific modules as needed With the trap function enabled on a module the traps generated by the module will be sent to the information center The information center has seven information output destinations By default traps of all modules are allowed to be output to the console monitor terminal monitor loghost and logfile traps of all modules and with level equal to or higher than warnings are a...

Page 1030: ...cedure After traps are sent to the SNMP module the SNMP module saves the traps in the trap queue You can set the size of the queue and the holding time of the traps in the queue and you can also send the traps to the specified destination host usually the NMS Follow these steps to configure trap parameters To do Use the command Remarks Enter system view system view Configure target host attribute ...

Page 1031: ... Display SNMP agent system information including the contact location and version of the SNMP display snmp agent sys info contact location version Display SNMP agent statistics display snmp agent statistics Display the SNMP agent engine ID display snmp agent local engineid Display SNMP agent group information display snmp agent group group name Display basic information of the trap queue display s...

Page 1032: ...sname snmp agent community write private Configure VLAN interface 2 with the IP address of 1 1 1 1 24 Add the port GigabitEthernet 1 0 1 to VLAN 2 Sysname vlan 2 Sysname vlan2 port GigabitEthernet 1 0 1 Sysname Vlan2 quit Sysname interface vlan interface 2 Sysname Vlan interface2 ip address 1 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configure the contact person and physical location inform...

Page 1033: ...VLAN interface on the agent is 1 1 1 1 24 z Configure community name access right and SNMP version on the agent Figure 1 4 Network diagram for SNMP logging Configuration procedure The configurations for the NMS and agent are omitted Enable logging display on the terminal This function is enabled by default so that you can omit this configuration Sysname terminal monitor Sysname terminal logging En...

Page 1034: ...n 1 02 49 40 566 2006 The time when SNMP log is generated seqNO Sequence number of the SNMP log srcIP IP address of NMS op SNMP operation type GET or SET node Node name of the SNMP operations and OID of the instance erroIndex Error index with 0 meaning no error errorstatus Error status with noError meaning no error value Value set when the SET operation is performed This field is null meaning the ...

Page 1035: ...lexible management of the device the device allows you to configure MIB style that is you can switch between the two styles of MIBs However you need to ensure that the MIB style of the device is the same as that of the NMS Setting the MIB Style Follow these steps to set the MIB style To do Use the command Remarks Enter system view system view Set the MIB style of the device mib style new compatibl...

Page 1036: ...guration 1 1 RMON Overview 1 1 Introduction 1 1 Working Mechanism 1 1 RMON Groups 1 2 Configuring RMON 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 Displaying and Maintaining RMON 1 5 RMON Configuration Example 1 5 ...

Page 1037: ...rk monitor or a network probe It monitors and collects statistics on traffic over the network segments connected to its interfaces such as the total number of packets passed through a network segment over a specified period or the total number of good packets sent to a host Working Mechanism RMON allows multiple monitors A monitor provides two ways of data gathering z Using RMON probes NMSs can ob...

Page 1038: ... an upper event is triggered if the sampled value of the monitored variable is lower than or equal to the lower threshold a lower event is triggered The event is then handled as defined in the event group The following is how the system handles entries in the RMON alarm table 1 Samples the alarm variables at the specified interval 2 Compares the sampled values with the predefined threshold and tri...

Page 1039: ...s undersize oversize packets broadcasts multicasts bytes received packets received bytes sent packets sent and so on After the creation of a statistics entry on an interface the statistics group starts to collect traffic statistics on the current interface The result of the statistics is a cumulative sum Configuring RMON Configuration Prerequisites Before configuring RMON configure the SNMP agent ...

Page 1040: ... that can be created the creation fails z When you create an entry in the history table if the specified buckets number argument exceeds the history table size supported by the device the entry will be created However the validated value of the buckets number argument corresponding to the entry is the history table size supported by the device Table 1 1 Restrictions on the configuration of RMON En...

Page 1041: ...og entry number Available in any view RMON Configuration Example Network requirements Agent is connected to a configuration terminal through its console port and to a remote NMS across the Internet Create an entry in the RMON Ethernet statistics table to gather statistics on GigabitEthernet 1 0 1 and enable logging after received bytes exceed the specified threshold Figure 1 1 Network diagram for ...

Page 1042: ...ysname rmon event 1 log owner 1 rmon Configure an alarm group to sample received bytes on GigabitEthernet 1 0 1 When the received bytes exceed the upper or below the lower limit logging is enabled Sysname rmon alarm 1 1 3 6 1 2 1 16 1 1 1 4 1 10 delta rising threshold 1000 1 falling threshold 100 1 owner 1 rmon Sysname display rmon alarm 1 Alarm table 1 owned by 1 rmon is VALID Samples type delta ...

Page 1043: ...e MAC Learning Limit 1 4 Displaying and Maintaining MAC Address Table 1 5 MAC Address Table Configuration Example 1 5 2 MAC Information Configuration 2 1 Overview 2 1 Introduction to MAC Information 2 1 How MAC Information Works 2 1 Configuring MAC Information 2 1 Enabling MAC Information Globally 2 1 Enabling MAC Information on an Interface 2 2 Configuring MAC Information Mode 2 2 Configuring the...

Page 1044: ...and ID of the VLAN to which the interface belongs When forwarding a frame the device looks up the MAC address table according to the destination MAC address of the frame to rapidly determine the egress port thus reducing broadcasts How a MAC Address Table Entry is Generated A MAC address table entry can be dynamically learned or manually configured Dynamically learn a MAC address table entry Usual...

Page 1045: ...nd specific user devices to the port thus preventing hackers from stealing data using forged MAC addresses Manually configured MAC address table entries have a higher priority than dynamically learned ones Types of MAC Address Table Entries A MAC address table may contain the following types of entries z Static entries which are manually configured and never age out z Dynamic entries which can be ...

Page 1046: ...ese steps to add modify or remove entries in the MAC address table globally To do Use the command Remarks Enter system view system view mac address blackhole mac address vlan vlan id Add modify a MAC address entry mac address dynamic static mac address interface interface type interface number vlan vlan id Required Follow these steps to add modify or remove entries in the MAC address table on an i...

Page 1047: ... address entries learned or administratively configured only Configuring the MAC Learning Limit To prevent a MAC address table from getting so large that it may degrade forwarding performance you may restrict the number of MAC addresses that can be learned on a per port port group basis Follow these steps to configure the MAC learning limit To do Use the command Remarks Enter system view system vi...

Page 1048: ...ics Available in any view MAC Address Table Configuration Example Network requirements Log onto your device from the Console port to configure MAC address table management as follows z Set the aging timer to 500 seconds for dynamic MAC address entries z Add a static entry 000f e235 dc71 for port GigabitEthernet 1 0 1 in VLAN 1 Configuration procedure Add a static MAC address entry Sysname system v...

Page 1049: ...1 6 ...

Page 1050: ...ation Works When a new MAC address is learned or an existing MAC address is deleted on a device the device writes related information about the MAC address to the buffer area used to store user information When the timer set for sending MAC address monitoring Syslog or Trap messages expires or when the buffer is used up the device sends the Syslog or Trap messages to the monitor end immediately Co...

Page 1051: ...ng the Interval for Sending Syslog or Trap Messages To prevent Syslog or Trap messages being sent too frequently and thus affecting system performance you can set the interval for sending Syslog or Trap messages Follow these steps to set the interval for sending Syslog or Trap messages To do Use the command Remarks Enter system view system view Set the interval for sending Syslog or Trap messages ...

Page 1052: ...etwork requirements z Host A is connected to a remote server Server through Device z Enable MAC Information on GigabitEthernet 1 0 1 on Device Device sends MAC address change information using Syslog messages to Host B through GigabitEthernet 1 0 3 Host B analyzes and displays the Syslog messages Figure 2 1 Network diagram for MAC Information configuration Configuration procedure 1 Configure Devic...

Page 1053: ...thernet1 0 1 mac address information enable added Device GigabitEthernet1 0 1 mac address information enable deleted Device GigabitEthernet1 0 1 quit Set the MAC Information queue length to 100 Device mac address information queue length 100 Set the interval for sending Syslog or Trap messages to 20 seconds Device mac address information interval 20 ...

Page 1054: ... Debugging 1 1 System Maintaining and Debugging Overview 1 1 Introduction to System Maintaining 1 1 Introduction to System Debugging 1 2 System Maintaining and Debugging 1 3 System Maintaining 1 3 System Debugging 1 3 System Maintaining Example 1 4 ...

Page 1055: ...tistics Output of the ping command falls into the following z The ping command can be applied to the destination s name or IP address If the destination s name is unknown the prompt information is displayed z Information on the destination s responses towards each ICMP echo request If the source device does not receive an ICMP echo reply within the timeout time it displays the prompt information I...

Page 1056: ...information to help users diagnose errors The following two switches control the display of debugging information z Protocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging information on a certain screen As Figure 1 1 illustrates suppose the device can provide debugging for the three modules 1 2 and 3 O...

Page 1057: ...ute from the source to the destination tracert ipv6 f first ttl m max ttl p port q packet number w timeout remote system Optional Used in IPv6 network Available in any view z For a low speed network you are recommended to set a larger value for the timeout timer indicated by the t parameter in the command when configuring the ping command z Only the directly connected segment address can be pinged...

Page 1058: ...y the detailed debugging information on the terminal For the detailed description on the terminal debugging and terminal monitor commands refer to Information Center Commands in the System Volume System Maintaining Example Network requirements z The IP address of the destination device is 10 1 1 4 z Display the Layer 3 devices involved while packets are forwarded from the source device to the dest...

Page 1059: ...stem Information to a Log Host 1 8 Outputting System Information to the Trap Buffer 1 9 Outputting System Information to the Log Buffer 1 10 Outputting System Information to the SNMP Module 1 11 Configuring Synchronous Information Output 1 11 Disabling a Port from Generating Link Up Down Logging Information 1 12 Displaying and Maintaining Information Center 1 13 Information Center Configuration Ex...

Page 1060: ...odule z Outputs the above information to different information channels according to the user defined output rules z Outputs the information to different destinations based on the information channel to destination associations To sum up information center assigns the log trap and debugging information to the ten information channels according to the eight severity levels and then outputs the info...

Page 1061: ...stem information The system supports six information output destinations including the console monitor terminal monitor log buffer log host trap buffer and SNMP module The specific destinations supported vary with devices The system supports ten channels The six channels 0 through 5 are configured with channel names output rules and are associated with output destinations by default The channel na...

Page 1062: ... information source modules Default output rules of system information The default output rules define the source modules allowed to output information on each output destination the output information type and the output information level as shown in Table 1 3 which indicates that by default and in terms of all modules z Log information with severity level equal to or higher than informational is...

Page 1063: ...ions z If the output destination is not the log host such as console monitor terminal logbuffer trapbuffer SNMP the system information is in the following format timestamp sysname module level digest content For example a monitor terminal connects to the device When a terminal logs in to the device the log information in the following format is displayed on the monitor terminal Jun 26 17 08 35 809...

Page 1064: ...econds sysname Sysname is the system name of the current host You can use the sysname command to modify the system name Refer to Basic System Configuration Commands in the System Volume for details This field is a preamble used to identify a vendor It is displayed only when the output destination is log host nn This field is a version identifier of syslog It is displayed only when the output desti...

Page 1065: ...itor Terminal Optional Outputting System Information to a Log Host Optional Outputting System Information to the Trap Buffer Optional Outputting System Information to the Log Buffer Optional Outputting System Information to the SNMP Module Optional Configuring Synchronous Information Output Optional Outputting System Information to the Console Outputting system information to the console To do Use...

Page 1066: ...he command Remarks Enable the monitoring of system information on the console terminal monitor Optional Enabled on the console and disabled on the monitor terminal by default Enable the display of debugging information on the console terminal debugging Required Disabled by default Enable the display of log information on the console terminal logging Optional Enabled by default Enable the display o...

Page 1067: ... monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Follow these steps to enable the display of system information on a monitor terminal To do Use the command Remarks Enable the monitoring of system information on a monitor terminal terminal monitor Required Enabled on the console and disabled on the monitor termin...

Page 1068: ...primary IP address of this interface is the source IP address of the log information Configure the format of the time stamp for system information output to the log host info center timestamp loghost date no year date none Optional date by default Outputting System Information to the Trap Buffer The trap buffer receives the trap information only and discards the log and debugging information even ...

Page 1069: ...tion center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can be output to the log buffer and specify the buffer size info center logbuffer channel channel number channel name size buffers...

Page 1070: ...module info center snmp channel channel number channel name Optional By default system information is output to the SNMP module through channel 5 known as snmpagent Configure the output rules of the system information info center source module name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Optional Re...

Page 1071: ...on in some cases for example z You only concern the states of some of the ports In this case you can use this function to disable the other ports from generating link up down logging information z The state of a port is not stable and therefore redundant logging information will be generated In this case you can use this function to disable the port from generating link up down logging information...

Page 1072: ...log file display logfile summary Available in any view Display the state of the trap buffer and the trap information recorded display trapbuffer reverse size buffersize Available in any view Reset the log buffer reset logbuffer Available in user view Reset the trap buffer reset trapbuffer Available in user view Information Center Configuration Examples Outputting Log Information to a Unix Log Host...

Page 1073: ...output to the log host Note that the source modules allowed to output information depend on the device model Sysname info center source arp channel loghost log level informational state on Sysname info center source ip channel loghost log level informational state on 2 Configure the log host The following configurations were performed on SunOS 4 0 which has similar configurations to the Unix opera...

Page 1074: ...ct ps ae grep syslogd 147 kill HUP 147 syslogd r After the above configurations the system will be able to record log information into the log file Outputting Log Information to a Linux Log Host Network requirements z Send log information to a Linux log host with an IP address of 1 2 0 1 16 z Log information with severity higher than informational will be output to the log host z All modules can o...

Page 1075: ... Device info log Step 3 Edit file etc syslog conf and add the following contents Device configuration messages local5 info var log Device info log In the above configuration local5 is the name of the logging facility used by the log host to receive logs info is the information level The Linux system will record the log information with severity level equal to or higher than informational to file v...

Page 1076: ...put of log trap and debugging information of all modules on channel console Sysname info center source default channel console debug state off log state off trap state off As the default system configurations for different channels are different you need to disable the output of log trap and debugging information of all modules on the specified channel console in this example first and then config...

Page 1077: ... terminal monitor Current terminal monitor is on Sysname terminal logging Current terminal logging is on After the above configuration takes effect if the specified module generates log information the information center automatically sends the log information to the console which then displays the information ...

Page 1078: ... Interfaces Through a PoE Configuration File 1 3 Configuring PoE Power Management 1 5 Configuring PD Power Management 1 5 Configuring the PoE Monitoring Function 1 6 Configuring PSE Power Monitoring 1 6 Monitoring PD 1 6 Upgrading PSE Processing Software Online 1 6 Configuring a PD Disconnection Detection Mode 1 7 Enabling the PSE to Detect Nonstandard PDs 1 7 Displaying and Maintaining PoE 1 8 Po...

Page 1079: ...net interfaces through twisted pair cables Advantages z Reliable Power is supplied in a centralized way so that it is very convenient to provide a backup power supply z Easy to connect A network terminal requires only one Ethernet cable but no external power supply z Standard In compliance with IEEE 802 3af and a globally uniform power interface is adopted z Promising It can be applied to IP telep...

Page 1080: ...ional z When the PoE power or PSE fails you cannot configure PoE z Turning off of the PoE power during the startup of the device might result in the failure to restore the PoE Profile Configuring the PoE Interface You can configure a PoE interface in either of the following two ways z Adopting the command line z Configuring a PoE configuration file and applying the file to the specified PoE interf...

Page 1081: ...ault Configure a description for the PD connected to the PoE interface poe pd description string Optional By default no description for the PD connected to the PoE interface is available Configuring PoE Interfaces Through a PoE Configuration File A PoE configuration file is used to configure at the same time multiple PoE interfaces with the same attributes to simplify operations This configuration...

Page 1082: ...nfigur ation file to the PoE interface s Apply the PoE configuration file to the current PoE interface in PoE interface view apply poe profile index index name profile name Use either approach z After a PoE configuration file is applied to a PoE interface other PoE configuration files can not take effect on this PoE interface z If a PoE configuration file is already applied to a PoE interface you ...

Page 1083: ...d for a PoE interface the interface with a higher priority can preempt the power of the interface with a lower priority to ensure the normal working of the higher priority interface z If the sudden increase of the power of the PD results in PSE power overload power supply to the PD on the PoE interface with a lower priority will be stopped If the guaranteed remaining PSE power maximum PSE power po...

Page 1084: ...alue exceeds the limited range the system will automatically take some measures to protect itself Configuring PSE Power Monitoring The system sends a Trap message when the percentage of power utilization exceeds the alarm threshold If the percentage of the power utilization always keeps above the alarm threshold the system does not send any Trap message Instead when the percentage of the power uti...

Page 1085: ...on Mode To detect the PD connection with PSE PoE provides two detection modes AC detection and DC detection The AC detection mode is energy saving relative to the DC detection mode Follow these steps to configure a PD disconnection detection mode To do Use the command Remarks Enter system view system view Configure a PD disconnection detection mode poe disconnect ac dc Optional The default PD disc...

Page 1086: ...oe pse pse id interface power Display all information of the configurations and applications of the PoE configuration file display poe profile index index name profile name Display all information of the configurations and applications of the PoE configuration file applied to the specified PoE interface display poe profile interface interface type interface number Available in any view PoE Configu...

Page 1087: ...2 Sysname GigabitEthernet1 0 12 poe enable Sysname GigabitEthernet1 0 12 quit Set the power priority level of GigabitEthernet 1 0 2 to critical Sysname system view Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 poe priority critical Sysname GigabitEthernet1 0 2 quit Set the maximum power of GigabitEthernet 1 0 11 to 9 000 milliwatts Sysname interface GigabitEthernet 1 0 11 Sy...

Page 1088: ...t the configuration requirements of the PoE interface z Another PoE configuration file is already applied to the PoE interface Solution z In the first case you can solve the problem by removing the original configurations of those configurations z In the second case you need to modify some configurations in the PoE configuration file z In the third case you need to remove the application of the un...

Page 1089: ...on 1 6 Step by Step Patch Installation Task List 1 6 Configuring the Patch File Location 1 6 Loading a Patch File 1 6 Activating Patches 1 7 Confirming Running Patches 1 7 One Step Patch Uninstallation 1 7 Step by Step Patch Uninstallation 1 8 Step by Step Patch Uninstallation Task List 1 8 Stop Running Patches 1 8 Deleting Patches 1 8 Displaying and Maintaining Hotfix 1 9 Hotfix Configuration Exa...

Page 1090: ...its they will be numbered as 1 2 and 3 respectively Incremental patch Patches in a patch file are all incremental patches An incremental patch means that the patch is dependent on the previous patch units For example if a patch file has three patch units patch 3 can be running only after patch 1 and 2 take effect You cannot run patch 3 separately Common patch and temporary patch Patches fall into ...

Page 1091: ...s turn to the ACTIVE state Figure 1 1 Relationship between patch state changes and command actions Information about patch states is saved in file patchstate on the flash It is recommended not to operate this file IDLE state Patches in the IDLE state are not loaded You cannot install or run the patches as shown in Figure 1 2 suppose the memory patch area can load up to eight patches The patches th...

Page 1092: ...ate At this time the patch states in the system are as shown in Figure 1 3 The patches that are in the DEACTIVE state will be still in the DEACTIVE state after system reboot Figure 1 3 A patch file is loaded to the memory patch area ACTIVE state Patches in the ACTIVE state are those that have run temporarily in the system and will become DEACTIVE after system reboot For the seven patches in Figure...

Page 1093: ...s of the system are as shown in Figure 1 5 Figure 1 5 Patches are running The patches that are in the RUNNING state will be still in the RUNNING state after system reboot Hotfix Configuration Task List Task Remarks One Step Patch Installation Install patches Step by Step Patch Installation Use either approach The step by step patch installation allows you to control the patch status One Step Patch...

Page 1094: ... patch name 4500G PATCH XXX patch_xxx bin One Step Patch Installation You can use the patch install command to install patches in one step After you execute the command the system displays the message Do you want to continue running patches after reboot Y N z Entering y or Y All the specified patches are installed and turn to the RUNNING state from IDLE This equals execution of the commands patch ...

Page 1095: ...lt The patch install command changes patch file location specified with the patch location command to the directory specified by the patch location argument of the patch install command For example if you execute the patch location xxx command and then the patch install yyy command the patch file location automatically changes from xxx to yyy Loading a Patch File Loading the right patch files is t...

Page 1096: ...view system view Activate the specified patches patch active patch number Required Confirming Running Patches After you confirm the running of a patch the patch state becomes RUNNING and the patch is in the normal running stage After the switch is reset or rebooted the patch is still valid Follow the steps below to confirm the running of the patches To do Use the command Remarks Enter system view ...

Page 1097: ...p by Step Patch Uninstallation Task List Task Remarks Stop Running Patches Required Deleting Patches Required Stop Running Patches After you stop running a patch the patch state becomes DEACTIVE and the system runs in the way before it is installed with the patch Follow the steps below to stop running patches To do Use the command Remarks Enter system view system view Stop running the specified pa...

Page 1098: ...ion procedure 1 Configure TFTP Server Note that the configuration varies depending on server type and the configuration procedure is omitted z Enable the TFTP server function z Save the patch file patch_xxx bin to the directory of the TFTP server 2 Configure Device Make sure the free flash space of the switch is big enough to store the patch file Before upgrading the software use the save command ...

Page 1099: ...1 10 Installing patches Installation completed and patches will continue to run after reboot ...

Page 1100: ...ng a Voice Test 1 15 Configuring a DLSw Test 1 17 Configuring the Collaboration Function 1 18 Configuring Trap Delivery 1 19 Configuring the NQA Statistics Function 1 20 Configuring Optional Parameters Common to an NQA Test Group 1 20 Scheduling an NQA Test Group 1 22 Displaying and Maintaining NQA 1 23 NQA Configuration Examples 1 23 ICMP Echo Test Configuration Example 1 23 DHCP Test Configurati...

Page 1101: ...ansfer rate With the NQA test results you can 1 Know network performance in time and then take corresponding measures 2 Diagnose and locate network faults Features of NQA Supporting multiple test types Ping can use only the Internet Control Message Protocol ICMP to test the reachability of the destination host and the roundtrip time of a packet to the destination As an enhancement to the Ping tool...

Page 1102: ...ed Take static routing as an example You have configured a static route with the next hop 192 168 0 88 If 192 168 0 88 is reachable the static route is valid if 192 168 0 88 is unreachable the static route is invalid With the collaboration between NQA Track module and application modules real time monitoring of reachability of the static route can be implemented 1 Monitor reachability of the desti...

Page 1103: ...test one probe means to carry out a corresponding function z For an ICMP echo or UDP echo test one packet is sent in one probe z For an SNMP test three packets are sent in one probe NQA client and server NQA client is the device initiating an NQA test and the NQA test group is created on the NQA client NQA server processes the test packets sent from the NQA client as shown in Figure 1 2 The NQA se...

Page 1104: ...ke the following configurations on the NQA client 1 Enable the NQA client 2 Create a test group and configure test parameters according to the test type The test parameters may vary with test types 3 Start the NQA test After the test you can view test results using the display or debug commands Complete these tasks to configure NQA client Task Remarks Enabling the NQA Client Required Creating an N...

Page 1105: ...er tcp connect udp echo ip address port number Required The IP address and port number must be consistent with those configured on the NQA client and must be different from those of an existing listening service Enabling the NQA Client Configurations on the NQA client take effect only when the NQA client is enabled Follow these steps to enable the NQA client To do Use the command Remarks Enter sys...

Page 1106: ...echo and enter test type view type icmp echo Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a test operation Configure the size of probe packets sent data size size Optional 100 bytes by default Configure the filler string of a probe packet sent data fill string Optional By default the filler...

Page 1107: ...f a DHCP server on the network as well as the time necessary for the DHCP server to respond to a client request and assign an IP address to the client Configuration prerequisites Before performing a DHCP test you need to configure the DHCP server If the NQA DHCP client and the DHCP server are not in the same network segment you need to configure a DHCP relay For the configuration of DHCP server an...

Page 1108: ... example you need to configure the username and password used to log onto the FTP server For the FTP server configuration see File System Management Configuration in the System Volume Configuring an FTP test Follow these steps to configure an FTP test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as ...

Page 1109: ... the get command the device does not save the files obtained from the FTP server z When you execute the get command the FTP test cannot succeed if a file named file name does not exist on the FTP server z When you execute the get command please use a file with a smaller size as a big file may result in test failure because of timeout or may affect other services because of occupying too much netwo...

Page 1110: ...e for the HTTP is get that is obtaining data from the HTTP server Configure the website that an HTTP test visits url url Required Configure the HTTP version used in the HTTP test http version v1 0 Optional By default HTTP 1 0 is used in an HTTP test Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional The TCP port number for the HTTP server ...

Page 1111: ...er system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as UDP jitter and enter test type view type udp jitter Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a test operation The destination IP address must be consistent with that of the...

Page 1112: ...parameters See Configuring Optional Parameters Common to an NQA Test Group Optional The number of probes made in a UDP jitter test depends on the probe count command while the number of probe packets sent in each probe depends on the configuration of the probe packet number command Configuring an SNMP Test An SNMP query test is used to test the time the NQA client takes to send an SNMP query packe...

Page 1113: ...etween the client and the specified port on the NQA server and the setup time for the connection thus judge the availability and performance of the services provided on the specified port on the server Configuration prerequisites A TCP test requires cooperation between the NQA server and the NQA client The TCP listening function needs to be configured on the NQA server before the TCP test For the ...

Page 1114: ...connectivity and roundtrip time of a UDP echo packet from the client to the specified UDP port on the NQA server Configuration prerequisites A UDP echo test requires cooperation between the NQA server and the NQA client The UDP listening function needs to be configured on the NQA server before the UDP echo test For the configuration of the UDP listening function see Configuring the NQA Server Conf...

Page 1115: ... an interface on the device and the interface must be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Configuring a Voice Test It is recommended not to perform an NQA UDP jitter test on known ports namely ports from 1 to 1023 Otherwise the NQA test will fail or the corresponding services of these ports wi...

Page 1116: ...d when you evaluate the voice quality Configuration prerequisites A voice test requires cooperation between the NQA server and the NQA client Before a voice test make sure that the UDP listening function is configured on the NQA server For the configuration of UDP listening function see Configuring the NQA Server Configuring a voice test Follow these steps to configure a voice test To do Use the c...

Page 1117: ...1 µ law codec type and is 32 bytes for G 729 A law codec type Configure the filler string of a probe packet sent data fill string Optional By default the filler string of a probe packet is the hexadecimal number 00010203040506070809 Configure the number of packets sent in a voice probe probe packet number packet number Optional 1000 by default Configure the interval for sending packets in a voice ...

Page 1118: ... be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Configuring the Collaboration Function Collaboration is implemented by establishing collaboration objects to monitor the detection results of the current test group If the number of consecutive probe failures reaches the threshold the configured action i...

Page 1119: ...the snmp agent target host command create an NQA test group and configure related parameters For the introduction to the snmp agent target host command see SNMP Commands in the System Volume Configuring trap delivery Follow these steps to configure trap delivery To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type ...

Page 1120: ...function To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type view of the test group type dlsw ftp http icmp echo snmp tcp udp echo udp jitter voice Configure the interval for collecting the statistics of the test results statistics interval interval Optional 60 minutes by default Configure the maximum number of st...

Page 1121: ...robes in an NQA test probe count times Optional By default one probe is performed in a test Only one probe can be made in one voice test Therefore this command is not available in a voice test Configure the NQA probe timeout time probe timeout timeout Optional By default the timeout time is 3000 milliseconds This parameter is not available for a UDP jitter test Configure the maximum number of hist...

Page 1122: ... use the display clock command to view the current system time Configuration prerequisites Before scheduling an NQA test group make sure z Required test parameters corresponding to a test type have been configured z For the test which needs the cooperation with the NQA server configuration on the NQA server has been completed Scheduling an NQA test group Follow these steps to schedule an NQA test ...

Page 1123: ...undtrip time of packets Figure 1 3 Network diagram for ICMP echo tests Configuration procedure Create an ICMP echo test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type icmp echo DeviceA nqa admin test icmp echo destination ip 10 2 2 2 Configure optional parameters DeviceA nqa admin test icmp echo probe count 10 DeviceA nqa ad...

Page 1124: ...nse Status Time 370 3 Succeeded 2007 08 23 15 00 01 2 369 3 Succeeded 2007 08 23 15 00 01 2 368 3 Succeeded 2007 08 23 15 00 01 2 367 5 Succeeded 2007 08 23 15 00 01 2 366 3 Succeeded 2007 08 23 15 00 01 2 365 3 Succeeded 2007 08 23 15 00 01 2 364 3 Succeeded 2007 08 23 15 00 01 1 363 2 Succeeded 2007 08 23 15 00 01 1 362 3 Succeeded 2007 08 23 15 00 01 1 361 2 Succeeded 2007 08 23 15 00 01 1 DHCP...

Page 1125: ...ures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other errors 0 Packet s arrived late 0 Display the history of DHCP tests SwitchA display nqa history admin test NQA entry admin admin tag test history record s Index Response Status Time 1 624 Succeeded 2007 11 22 09 56 03 2 FTP Test C...

Page 1126: ... tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 173 173 173 Square Sum of round trip time 29929 Last succeeded probe time 2007 11 22 10 07 28 6 Extended results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures d...

Page 1127: ...eA undo nqa schedule admin test Display results of the last HTTP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 64 64 64 Square Sum of round trip time 4096 Last succeeded probe time 2007 11 22 10 12 47 9 Extended results Packet lost in test 0 Failu...

Page 1128: ... admin test udp jitter destination ip 10 2 2 2 DeviceA nqa admin test udp jitter destination port 9000 DeviceA nqa admin test udp jitter frequency 1000 DeviceA nqa admin test udp jitter quit Enable UDP jitter test DeviceA nqa schedule admin test start time now lifetime forever Disable UDP jitter test after the test begins for a period of time DeviceA undo nqa schedule admin test Display the result...

Page 1129: ...D delay 15 Max DS delay 16 Min SD delay 7 Min DS delay 7 Number of SD delay 10 Number of DS delay 10 Sum of SD delay 78 Sum of DS delay 85 Square sum of SD delay 666 Square sum of DS delay 787 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 Display the statistics of UDP jitter tests DeviceA display nqa statistics admin test NQA entry admin admin tag test test statistics NO...

Page 1130: ...f DS delay 3891 Square sum of SD delay 45987 Square sum of DS delay 49393 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 The display nqa history command cannot show you the results of UDP jitter tests Therefore to know the result of a UDP jitter test you are recommended to use the display nqa result command to view the probe results of the latest NQA test or use the displ...

Page 1131: ...dmin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 50 50 50 Square Sum of round trip time 2500 Last succeeded probe time 2007 11 22 10 24 41 1 Extended results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to ...

Page 1132: ...ceA nqa schedule admin test start time now lifetime forever Disable TCP test after the test begins for a period of time DeviceA undo nqa schedule admin test Display results of the last TCP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 13 13 13 Squ...

Page 1133: ...elated test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type udp echo DeviceA nqa admin test udp echo destination ip 10 2 2 2 DeviceA nqa admin test udp echo destination port 8000 DeviceA nqa admin test udp echo quit Enable UDP echo test DeviceA nqa schedule admin test start time now lifetime forever Disable UDP echo test after the test begins for a period of...

Page 1134: ...s Configuration procedure 1 Configure Device B Enable the NQA server and configure the listening IP address as 10 2 2 2 and port number as 9000 DeviceB system view DeviceB nqa server enable DeviceB nqa server udp echo 10 2 2 2 9000 2 Configure Device A Create a voice test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type voice ...

Page 1135: ...verage 6 Positive SD square sum 54127 Positive DS square sum 1691967 Min negative SD 1 Min negative DS 1 Max negative SD 203 Max negative DS 1297 Negative SD number 255 Negative DS number 259 Negative SD sum 759 Negative DS sum 1796 Negative SD average 2 Negative DS average 6 Negative SD square sum 53655 Negative DS square sum 1691776 One way results Max SD delay 343 Max DS delay 985 Min SD delay ...

Page 1136: ...negative DS 1297 Negative SD number 1028 Negative DS number 1022 Negative SD sum 1028 Negative DS sum 1022 Negative SD average 4 Negative DS average 5 Negative SD square sum 495901 Negative DS square sum 5419 One way results Max SD delay 359 Max DS delay 985 Min SD delay 0 Min DS delay 0 Number of SD delay 4 Number of DS delay 4 Sum of SD delay 1390 Sum of DS delay 1079 Square sum of SD delay 4832...

Page 1137: ...do nqa schedule admin test Display the result of the last DLSw test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 19 19 19 Square Sum of round trip time 361 Last succeeded probe time 2007 11 22 10 40 27 7 Extended results Packet lost in test 0 Failures...

Page 1138: ... NQA test group Create an NQA test group with the administrator name being admin and operation tag being test SwitchA nqa entry admin test Configure the test type of the NQA test group as ICMP echo SwitchA nqa admin test type icmp echo Configure the destination IP address of the ICMP echo test operation as 10 2 1 1 SwitchA nqa admin test icmp echo destination ip 10 2 1 1 Configure the interval bet...

Page 1139: ... 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the static route with the next hop 10 2 1 1 is active and the status of the track entry is positive The static route configuration works Remove the IP address of VLAN interface 3 on Switch B SwitchB system view SwitchB interface vlan interface 3 SwitchB Vlan interface3 undo ip address On Switch A display information about ...

Page 1140: ... 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the next hop 10 2 1 1 of the static route is not reachable and the status of the track entry is negative The static route does not work ...

Page 1141: ...ace for NTP Messages 1 11 Disabling an Interface from Receiving NTP Messages 1 12 Configuring the Maximum Number of Dynamic Sessions Allowed 1 12 Configuring Access Control Rights 1 13 Configuration Prerequisites 1 13 Configuration Procedure 1 13 Configuring NTP Authentication 1 14 Configuration Prerequisites 1 14 Configuration Procedure 1 14 Displaying and Maintaining NTP 1 16 NTP Configuration E...

Page 1142: ...Applications of NTP An administrator can by no means keep time synchronized among all the devices within a network by changing the system clock on each station because this is a huge amount of workload and cannot guarantee the clock precision NTP however allows quick clock synchronization within the entire network while it ensures a high clock precision NTP is used when all devices within the netw...

Page 1143: ...lock ranges from 1 to 15 The clock accuracy decreases as the stratum number increases A stratum 16 clock is in the unsynchronized state and cannot serve as a reference clock z The local clock of an 3Com Switch 4500G cannot operate as a reference clock It can serve as a NTP server only after synchronized ...

Page 1144: ...server namely Device A synchronizes its clock to that of Device B z It takes 1 second for an NTP message to travel from one device to the other Figure 1 1 Basic work flow of NTP IP network IP network IP network IP network Device B Device A Device B Device A Device B Device A Device B Device A 10 00 00 am 11 00 01 am 10 00 00 am NTP message 10 00 00 am 11 00 01 am 11 00 02 am NTP message NTP messag...

Page 1145: ...ot a must for clock synchronization it will not be discussed in this document All NTP messages mentioned in this document refer to NTP clock synchronization messages A clock synchronization message is encapsulated in a UDP message in the format shown in Figure 1 2 Figure 1 2 Clock synchronization message format Main fields are described as follows z LI 2 bit leap indicator When set to 11 it warns ...

Page 1146: ...mit Timestamp the local time at which the reply departed from the service host for the client z Authenticator authentication information Operation Modes of NTP Devices running NTP can implement clock synchronization in one of the following modes z Client server mode z Symmetric peers mode z Broadcast mode z Multicast mode You can select operation modes of NTP as needed In case that the IP address ...

Page 1147: ...After receiving the first broadcast message the client sends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates the network delay between client and the server and enters the broadcast client mode Periodically broadcasts clock synchronization messages Mode 5 Receives broadcast messages and synchronizes its loc...

Page 1148: ...ves the first multicast message the client and the server start to exchange messages with the Mode field set to 3 client mode and 4 server mode to calculate the network delay between client and the server Then the client enters the multicast client mode and continues listening to multicast messages and synchronizes its local clock based on the received multicast messages In symmetric peers mode br...

Page 1149: ...e when you carry out a command to synchronize the time to a server the system will create a static association and the server will just respond passively upon the receipt of a message rather than creating an association static or dynamic In the symmetric mode static associations will be created at the symmetric active peer side and dynamic associations will be created at the symmetric passive peer...

Page 1150: ...symmetric active device To do Use the command Remarks Enter system view system view Specify a symmetric passive peer for the device ntp service unicast peer ip address peer name authentication keyid keyid priority source interface interface type interface number version number Required No symmetric passive peer is specified by default z In the symmetric mode you should use any NTP configuration co...

Page 1151: ...umber Required Enter the interface used to receive NTP broadcast messages Configure the device to work in the NTP broadcast client mode ntp service broadcast client Required Configuring the broadcast server To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter the interface used to send NTP broadcast messages Configure the ...

Page 1152: ... NTP multicast server mode ntp service multicast server ip address authentication keyid keyid ttl ttl number version number Required z A multicast server can synchronize broadcast clients only after its clock has been synchronized z You can configure up to 1024 multicast clients among which 128 can take effect at the same time Configuring Optional Parameters of NTP Specifying the Source Interface ...

Page 1153: ...st or multicast NTP messages is the interface configured with the respective command z If the specified source interface for NTP messages is down the source IP address for an NTP message that is sent out is the primary IP address of the outgoing interface of the NTP message Disabling an Interface from Receiving NTP Messages When NTP is enabled NTP messages can be received from all the interfaces b...

Page 1154: ... full access This level of right permits the peer devices to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to that of a peer device From the highest NTP service access control right to the lowest one are peer server synchronization and query When a device receives an NTP request it will perform an access control right match...

Page 1155: ...the symmetric peer mode Otherwise the NTP authentication feature cannot be normally enabled z For the broadcast server mode or multicast server mode you need to associate the specified authentication key on the broadcast server or multicast server with the corresponding NTP server Otherwise the NTP authentication feature cannot be normally enabled z For the client server mode if the NTP authentica...

Page 1156: ...ver Follow these steps to configure NTP authentication for a server To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disabled by default Configure an NTP authentication key ntp service authentication keyid keyid authentication mode md5 value Required No NTP authentication key by default Configure the key as a trusted k...

Page 1157: ...Configuration Examples Configuring NTP Client Server Mode Network requirements Perform the following configurations to synchronize the time between Device B and Device A z The local clock of Switch A is to be used as a master clock with the stratum level of 2 z Switch B works in the client server mode and Switch A is to be used as the NTP server of Switch B Figure 1 7 Network diagram for NTP clien...

Page 1158: ...k stratum level of Switch B is 3 while that of Switch A is 2 View the NTP session information of Switch B which shows that an association has been set up between Switch B and Switch A SwitchB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 63 64 3 75 5 31 0 16 5 note 1 source master 2 source peer 3 selected 4 candidate 5 configured...

Page 1159: ...Root delay 15 00 ms Root dispersion 775 15 ms Peer dispersion 34 29 ms Reference time 15 22 47 083 UTC Sep 19 2005 C6D95647 153F7CED As shown above Device B has been synchronized to Device A and the clock stratum level of Device B is 3 4 Configuration on Device C after Device B is synchronized to Device A Configure Device B as a symmetric peer after local synchronization DeviceC ntp service unicas...

Page 1160: ... 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Broadcast Mode Network requirements As shown in Figure 1 9 Switch C functions as the NTP server for multiple devices on a network segment and synchronizes the time among multiple devices To realize this requirement perform the following configurations z Switch C s local clock is to be used as a ...

Page 1161: ...h A gets synchronized upon receiving a broadcast message from Switch C View the NTP status of Switch A after clock synchronization SwitchA Vlan interface2 display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 0 0000 ms Root delay 31 00 ms Root dispersion 8 31 ms P...

Page 1162: ...devices To realize this requirement perform the following configurations z The local clock of Switch C is to be used as the master clock with a stratum level of 2 z Switch C works in the multicast server mode and sends out multicast messages from VLAN interface 2 z Switch A and Switch D work in the multicast client mode and receive multicast messages through VLAN interface 3 and VLAN interface 2 r...

Page 1163: ... 2 SwitchD system view SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service multicast client Because Switch D and Switch C are on the same subnet Switch D can receive the multicast messages from Switch C without being enabled with the multicast functions and can be synchronized to Switch C View the NTP status of Switch D after clock synchronization SwitchD Vlan interface2 display...

Page 1164: ...enable SwitchB interface vlan interface 2 SwitchB Vlan interface2 pim dm SwitchB Vlan interface2 quit SwitchB vlan 3 SwitchB vlan3 port gigabitethernet 1 0 1 SwitchB vlan3 quit SwitchB interface vlan interface 3 SwitchB Vlan interface3 igmp enable SwitchB Vlan interface3 quit SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 igmp snooping static group 224 0 1 1 vlan 3 5 Configur...

Page 1165: ...lient Server Mode with Authentication Network requirements As shown in Figure 1 11 perform the following configurations to synchronize the time between Device B and Device A and ensure network security z The local clock of Switch A is to be used as the master clock with a stratum level of 2 z Switch B works in the client mode and Switch A is to be used as the NTP server of Switch B with Switch B a...

Page 1166: ...0000 ms Root delay 31 00 ms Root dispersion 1 05 ms Peer dispersion 7 81 ms Reference time 14 53 27 371 UTC Sep 19 2005 C6D94F67 5EF9DB22 As shown above Switch B has been synchronized to Switch A and the clock stratum level of Switch B is 3 while that of Switch A is 2 View the NTP session information of Switch B which shows that an association has been set up Switch B and Switch A SwitchB display ...

Page 1167: ...Specify Switch C as an NTP broadcast server and specify an authentication key SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server authentication keyid 88 3 Configuration on Switch D Configure NTP authentication SwitchD system view SwitchD ntp service authentication enable SwitchD ntp service authentication keyid 88 authentication mode md5 123456 SwitchD ntp serv...

Page 1168: ...9 2005 C6D95F6F B6872B02 As shown above Switch D has been synchronized to Switch C and the clock stratum level of Switch D is 4 while that of Switch C is 3 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD Vlan interface2 display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 ...

Page 1169: ...tween the Management Device and the Member Devices Within a Cluster 1 11 Configuring Cluster Management Protocol Packets 1 11 Cluster Member Management 1 12 Configuring the Member Devices 1 13 Enabling NDP 1 13 Enabling NTDP 1 13 Manually Collecting Topology Information 1 13 Enabling the Cluster Function 1 13 Deleting a Member Device from a Cluster 1 13 Configuring Access Between the Management De...

Page 1170: ...ing topology discovery and display function which is useful for network monitoring and debugging z Allowing simultaneous software upgrading and parameter configuration on multiple devices free of topology and distance limitations Roles in a Cluster The devices in a cluster play different roles according to their different functions and status You can specify the following three roles for the devic...

Page 1171: ...ment is implemented through HW Group Management Protocol version 2 HGMPv2 which consists of the following three protocols z Neighbor Discovery Protocol NDP z Neighbor Topology Discovery Protocol NTDP z Cluster A cluster configures and manages the devices in it through the above three protocols Cluster management involves topology information collection and the establishment and maintenance of a cl...

Page 1172: ...information of all its neighbors The information collected will be used by the management device or the network management software to implement required functions When a member device detects a change on its neighbors through its NDP table it informs the management device through handshake packets Then the management device triggers its NTDP to collect specific topology information so that its NT...

Page 1173: ...saves the state information of its member device and identifies it as Active And the member device also saves its state information and identifies itself as Active z After a cluster is created its management device and member devices begin to send handshake packets Upon receiving the handshake packets from the other side the management device or a member device simply remains its state as Active w...

Page 1174: ...the management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports including the cascade ports connecting the management device and the member candidate devices prohibit the packets from the management VLAN you can set the packets from the management VLAN to pass the ports on candidate devices with the management VLAN auto negotiation fu...

Page 1175: ...er Optional Configuring Cluster Management Protocol Packets Optional Configuring the Management Device Cluster Member Management Optional Enabling NDP Optional Enabling NTDP Optional Manually Collecting Topology Information Optional Enabling the Cluster Function Optional Configuring the Member Devices Deleting a Member Device from a Cluster Optional Configuring Access Between the Management Device...

Page 1176: ...ded to a cluster that is the entry with the destination address as the management device cannot be added to the routing table the candidate device will be added to and removed from the cluster repeatedly Configuring the Management Device Enabling NDP Globally and for Specific Ports For NDP to work normally you must enable NTDP both globally and on specific ports Follow these steps to enable NDP gl...

Page 1177: ...ackets otherwise the NDP table may become instable Enabling NTDP Globally and for Specific Ports For NTDP to work normally you must enable NTDP both globally and on specific ports Follow these steps to enable NTDP globally and for specific ports To do Use the command Remarks Enter system view system view Enable NTDP globally ntdp enable Optional Enabled by default interface interface type interfac...

Page 1178: ...l 3 by default Configure the interval to collect topology information ntdp timer interval time Optional 1 minute by default Configure the delay to forward topology collection request packets on the first port ntdp timer hop delay time Optional 200 ms by default Configure the port delay to forward topology collection request on other ports ntdp timer port delay time Optional 20 ms by default The tw...

Page 1179: ...a cluster in two ways manually and automatically With the latter you can establish a cluster according to the prompt information The system 1 Prompts you to enter a name for the cluster you want to establish 2 Lists all the candidate devices within your predefined hop count 3 Starts to automatically add them to the cluster You can press Ctrl C anytime during the adding process to exit the cluster ...

Page 1180: ... packets and the holdtime of a device on the management device This configuration applies to all member devices within the cluster For a member device in Connect state z If the management device does not receive handshake packets from a member device within the holdtime it changes the state of the member device to Disconnect When the communication is recovered the member device needs to be re adde...

Page 1181: ...by default Configure the interval to send MAC address negotiation broadcast packets cluster mac syn interval interval time Optional One minute by default When you configure the destination MAC address for cluster management protocol packets z If the interval for sending MAC address negotiation broadcast packets is 0 the system automatically sets it to 1 minute z If the interval for sending MAC add...

Page 1182: ...bling NDP Refer to Enabling NDP Globally and for Specific Ports Enabling NTDP Refer to Enabling NTDP Globally and for Specific Ports Manually Collecting Topology Information Refer to Manually Collecting Topology Information Enabling the Cluster Function Refer to Enabling the Cluster Function Deleting a Member Device from a Cluster To do Use the command Remarks Enter system view system view Enter c...

Page 1183: ...thentication is passed z When a candidate device is added to a cluster and becomes a member device its super password will be automatically synchronized to the management device Therefore after a cluster is established it is not recommended to modify the super password of any member including the management device and member devices of the cluster otherwise the switching may fail because of an aut...

Page 1184: ...included in the blacklist the MAC address and access port of the latter are also included in the blacklist The candidate devices in a blacklist can be added to a cluster only if the administrator manually removes them from the list The whitelist and blacklist are mutually exclusive A whitelist member cannot be a blacklist member and vice versa However a topology node can belong to neither the whit...

Page 1185: ...re an NM host for a cluster the member devices in the cluster send their Trap messages to the shared SNMP NM host through the management device If the port of an access NM device including FTP TFTP server NM host and log host does not allow the packets from the management VLAN to pass the NM device cannot manage the devices in a cluster through the management device In this case on the management ...

Page 1186: ... devices at one time simplifying the configuration process Follow these steps to configure the SNMP configuration synchronization function To do Use the command Remarks Enter system view system view Enter cluster view cluster Configure the SNMP community name shared by a cluster cluster snmp agent community read write community name mib view view name Required Configure the SNMPv3 group shared by ...

Page 1187: ...ronize the configurations to the member devices in the whitelist This operation is equal to performing the configurations on the member devices You need to enter your username and password when you log in to the devices including the management device and member devices in a cluster through Web Follow these steps to configure Web user accounts in batches To do Use the command Remarks Enter system ...

Page 1188: ...ay the current topology information or the topology path between two devices display cluster current topology mac address mac address to mac address mac address member id member number to member id member number Display members in a cluster display cluster members member number verbose Available in any view Clear NDP statistics reset ndp statistics interface interface list Available in user view C...

Page 1189: ...rnet 1 0 1 SwitchA GigabitEthernet1 0 1 ntdp enable SwitchA GigabitEthernet1 0 1 quit Enable the cluster function SwitchA cluster enable 2 Configure the member device Switch C As the configurations of the member devices are the same the configuration procedure of Switch C is omitted here 3 Configure the management device Switch B Enable NDP globally and for ports GigabitEthernet 1 0 2 and GigabitE...

Page 1190: ...witchB ntdp timer port delay 15 Configure the interval to collect topology information as 3 minutes SwitchB ntdp timer 3 Configure the management VLAN of the cluster as VLAN 10 SwitchB vlan 10 SwitchB vlan10 quit SwitchB management vlan 10 Configure ports GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as Trunk ports and allow packets from the management VLAN to pass SwitchB interface gigabitether...

Page 1191: ...55 1 abc_0 SwitchB cluster tftp server 63 172 55 1 abc_0 SwitchB cluster logging host 69 172 55 4 abc_0 SwitchB cluster snmp host 69 172 55 4 Add the device whose MAC address is 00E0 FC01 0013 to the blacklist abc_0 SwitchB cluster black list add mac 00e0 fc01 0013 abc_0 SwitchB cluster quit Add port GigabitEthernet 1 0 1 to VLAN 2 and configure the IP address of VLAN interface 2 abc_0 SwitchB vla...

Page 1192: ...2 Configuring the Master Device of a Stack 1 3 Configuring a Private IP Address Pool for a Stack 1 3 Configuring Stack Ports 1 3 Creating a Stack 1 3 Configuring Stack Ports of a Slave Device 1 4 Logging In to the CLI of a Slave from the Master 1 4 Displaying and Maintaining Stack Configuration 1 5 Stack Configuration Example 1 5 Stack Configuration Example 1 5 ...

Page 1193: ...Configuration z Stack Configuration Example Stack Configuration Overview A stack is a set of network devices Administrators can group multiple network devices into a stack and manage them as a whole Therefore stack management can help reduce customer investments and simplify network management Introduction to Stack A stack is a management domain that comprises several network devices connected to ...

Page 1194: ...llows z Configure a private IP address pool for a stack and create the stack on the network device which is desired to be the master device z Configure ports between the stack devices as stack ports z The master device automatically adds the slave devices into the stack and assigns a number for each stack member z The administrator can log in to any slave device from the master device of the stack...

Page 1195: ...es in the address pool needs to be equal to or greater than the number of devices to be added to the stack Otherwise some devices may not be able to join the stack automatically for lack of private IP addresses Configuring Stack Ports On the master device configure ports that connect to slave devices as stack ports Follow the steps below to configure stack ports To do Use the command Remarks Enter...

Page 1196: ...specified ports as stack ports stack stack port stack port num port interface list Required By default a port is not a stack port After a device joins a stack and becomes a slave device of the stack the prompt changes to stack_n Sysname where n is the stack number assigned by the master device and Sysname is the system name of the device Logging In to the CLI of a Slave from the Master In a stack ...

Page 1197: ... stack where Switch A is the master device Switch B Switch C and Switch D are slave devices An administrator can log in to Switch B Switch C and Switch D through Switch A to perform remote configurations Figure 1 2 Network diagram for stack management XGE1 2 1 XGE1 2 2 SwitchB Slave device XGE1 1 1 XGE1 1 1 SwitchC Slave device SwitchD Slave device Stack XGE1 1 1 XGE1 1 1 SwitchA Master device Con...

Page 1198: ... D configure local port Ten GigabitEthernet 1 1 1 as a stack port SwitchD system view SwitchD stack stack port 1 port Ten GigabitEthernet 1 1 1 3 Verify the configuration Display stack information of the stack members on Switch A stack_0 SwitchA display stack members Number 0 Role Master Sysname stack_0 SwitchA Switch type Switch 4500G 24 Port MAC address 000f e200 1000 Number 1 Role Slave Sysname...

Page 1199: ...al Networking of Automatic Configuration 1 1 How Automatic Configuration Works 1 2 Work Flow of Automatic Configuration 1 2 Obtaining the IP Address of an Interface and Related Information Through DHCP 1 3 Obtaining the Configuration File from the TFTP Server 1 5 Executing the Configuration File 1 7 ...

Page 1200: ...configuration files on a specified server and the device can automatically obtain and execute the configuration files therefore greatly reducing the workload of administrators Typical Networking of Automatic Configuration Figure 1 1 Network diagram for automatic configuration As shown in Figure 1 1 the device implements automatic configuration with the cooperation of a DHCP server TFTP server and ...

Page 1201: ...eters such as an IP address and name of a TFTP server IP address of a DNS server and the configuration file name 2 After getting related parameters the device will send a TFTP request to obtain the configuration file from the specified TFTP server for system initialization If the client cannot get such parameters it performs system initialization without loading any configuration file z To impleme...

Page 1202: ...hen a device starts up without loading the configuration file the system automatically configures the first active interface if an active Layer 2 Ethernet interface exists this first interface is a virtual interface corresponding with the default VLAN of the device as obtaining its IP address through DHCP The device broadcasts a DHCP request through this interface The Option 55 field specifies the...

Page 1203: ... The DHCP server will select an address pool where an IP address is statically bound to the MAC address or ID of the client and assign the statically bound IP address and other configuration parameters to the client You can configure an address allocation mode as needed z Different devices with the same configuration file You can configure dynamic address allocation on the DHCP server to assign IP...

Page 1204: ...d z The configuration file specified by the Option 67 or file field in the DHCP response z The intermediate file with the file name as network cfg used to save the mapping between the IP address and the host name The mapping is defined in the following format ip host hostname ip address For example the intermediate file can include the following ip host host1 101 101 101 101 ip host host2 101 101 ...

Page 1205: ... its host name first and then requests the configuration file corresponding with the host name The device can obtain its host name in two steps obtaining the intermediate file from the TFTP server and then searching in the intermediated file for its host name corresponding with the IP address of the device if fails the device obtains the host name from the DNS server z If the device fails to obtai...

Page 1206: ...if the device performs the automatic configuration and the TFTP server are not in the same segment because broadcasts can only be transmitted in a segment For the detailed description of the UDP Helper function refer to UDP Helper Configuration in the IP Services Volume Executing the Configuration File Upon successfully obtaining the configuration file the device removes the temporary configuratio...

Search results

Summary of Contents for 4500G Series

Reviews:

Related manuals for 4500G Series

Brands by name

Popular brands

3Com 4500G Series, Configuration Manual

Search results

Summary of Contents for 4500G Series

Reviews:

Related manuals for 4500G Series

Brands by name

Popular brands