manualshive.com logo in svg

3Com 4510G, Configuration Manual

The 3Com 4510G Configuration Manual is available as a free download from manualshive.com. Unlock the full potential of your 3Com 4510G with this comprehensive manual, providing step-by-step instructions and valuable insights to ensure seamless setup and configuration. Get your manual today for efficient and hassle-free operations.

Share
Download
background image

 

11-3 

Configuring an SSL Server Policy 

An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server 

policy takes effect only after it is associated with an application layer protocol, HTTP protocol, for 

example. 

Configuration Prerequisites 

When configuring an SSL server policy, you need to specify the PKI domain to be used for obtaining 

the server side certificate. Therefore, before configuring an SSL server policy, you must configure a 

PKI domain. For details about PKI domain configuration, refer to 

PKI Configuration

 in the 

Security 

Volume

Configuration Procedure 

Follow these steps to configure an SSL server policy: 

To do... 

Use the command... 

Remarks 

Enter system view 

system-view

 — 

Create an SSL server policy 
and enter its view 

ssl server-policy policy-name

Required 

Specify a PKI domain for the 
SSL server policy 

pki-domain domain-name

 

Required 

By default, no PKI domain is 
specified for an SSL server 
policy. 

Specify the cipher suite(s) for 
the SSL server policy to 
support 

ciphersuite

 

rsa_aes_128_cbc_sha

 | 

rsa_des_cbc_sha

 | 

rsa_rc4_128_md5

 | 

rsa_rc4_128_sha

 ] 

*

 

Optional 

By default, an SSL server 
policy supports all cipher 
suites. 

Set the handshake timeout 
time for the SSL server 

handshake timeout time

 

Optional 

3,600 seconds by default 

Configure the SSL connection 
close mode 

close-mode wait 

Optional 

Not wait by default 

Set the maximum number of 
cached sessions and the 
caching timeout time 

session 

{

 cachesize size 

timeout time

 } *

 

Optional 

The defaults are as follows: 

500 for the maximum number 
of cached sessions, 

3600 seconds for the caching 
timeout time. 

Enable certificate-based SSL 
client authentication 

client-verify enable 

Optional 

Not enabled by default 

 

Summary of Contents for 4510G

Page 1: ...h 4510G Family Configuration Guide Switch 4510G 24 Port Switch 4510G 48 Port Product Version Release 2202 Manual Version 6W100 20100112 www 3com com 3Com Corporation 350 Campus Drive Marlborough MA USA 01752 3064 ...

Page 2: ...rcial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered tr...

Page 3: ... Routing RIP IPv6 Static Routing 03 IP Routing Volume RIPng Policy Routing Mulitcast Overview IGMP Snooping Multicast VLAN MLD Snooping 04 Multicast Volume IPv6 Multicast VLAN QoS Overview QoS Configuration Approaches Priority Mapping Traffic Policing Traffic Shaping and Line Rate Congestion Management Traffic Filtering Priority Marking Traffic Redirecting 05 QoS Volume Traffic Mirroring Class Bas...

Page 4: ...e manual uses the following conventions Command conventions Convention Description Boldface The keywords of a command line are in Boldface italic Command arguments are in italic Items keywords or arguments in square brackets are optional x y Alternative items are grouped in braces and separated by vertical bars One is selected x y Optional alternative items are grouped in square brackets and separ...

Page 5: ...n may cause data loss or damage to equipment Means a complementary description Related Documentation In addition to this manual each 3com Switch 4510G documentation set includes the following Manual Description 3Com Switch 4510G Family Command Reference Guide Provide detailed descriptions of command line interface CLI commands that you require to manage your switch 3Com Switch 4510G Family Getting...

Page 6: ...ty Feature Lists The Switch 4510G supports abundant features and the related documents are divided into the volumes as listed in Table 1 1 Table 1 1 Feature list Volume Features 00 Product Overview Product Overview Acronyms Ethernet Port Link Aggregation Port Isolation MSTP LLDP VLAN Isolate User VL AN Voice VLAN 01 Access Volume GVRP QinQ BPDU Tunneling Port Mirroring IP Addressing ARP Proxy ARP ...

Page 7: ...mart Link Monitor Link RRPP DLDP 07 High Availability Volume Ethernet OAM Connectivity Fault Detection Track Logging In to an Ethernet Switch Logging In Through the Console Port Logging In Through Telnet SSH User Interface Configuration Examples Logging in Through Web based Network Management System Logging In Through NMS Specifying Source for Telnet Packets Controlling Login Users Basic System Co...

Page 8: ... z Enabling Loopback Detection on an Ethernet Interface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on an Ethernet Interface Link aggregation Link aggregation aggregates multiple physical Ethernet ports into one logical link This document describes z Basic Concepts of Link Aggregation z Configuring a S...

Page 9: ...ure quality of service QoS parameters for the voice traffic thus improving transmission priority and ensuring voice quality This document describes z Overview z Configuring a Voice VLAN z Displaying and Maintaining Voice VLAN GVRP GVRP is a GARP application This document describes z GARP GVRP overview z GVRP configuration z GARP Timers configuration QinQ As defined in IEEE802 1Q 12 bits are used t...

Page 10: ...escribes z Configuring ARP Source Suppression z Configuring ARP Defense Against IP Packet Attacks z Configuring ARP Active Acknowledgement z Configuring Source MAC Address Based ARP Attack Detection z Configuring ARP Packet Source MAC Address Consistency Check z Configuring ARP Packet Rate Limit z Configuring ARP Detection DHCP Overview DHCP is built on a client server model in which the client se...

Page 11: ...rding of Directed Broadcasts to a Directly Connected Network z Configuring TCP Attributes z Configuring ICMP to Send Error Packets UDP Helper UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified server This document describes z UDP Helper overview z UDP Helper configuration IPv6 Basics Internet protocol version 6 IPv6 also ...

Page 12: ... static routes IPv6 static routes work well in simple IPv6 network environments This document describes z IPv6 static route configuration RIPng RIP next generation RIPng is an extension of RIP 2 for IPv4 RIPng for IPv6 is IPv6 RIPng This document describes z Configuring RIPng Basic Functions z Configuring RIPng Route Control z Tuning and Optimizing the RIPng Network Policy Routing Policy routing i...

Page 13: ... QoS Overview For network traffic the Quality of Service QoS involves bandwidth delay and packet loss rate during traffic forwarding process This document describes z Introduction to QoS z Introduction to QoS Service Models z QoS Techniques Overview QoS Configuration Approaches Two approaches are available for you to configure QoS policy based and non policy based This document describes z QoS Con...

Page 14: ...monitoring This document describes how to configure traffic mirroring Class Based Accounting Class based accounting collects statistics on a per traffic class basis This document describes how to configure class based accounting User Profile User profile provides a configuration template to save predefined configurations This document describes z Creating a User Profile z Configuring a User Profil...

Page 15: ...es z Configuring Secure MAC Addresses z Ignoring Authorization Information from the Server IP Source Guard By filtering packets on a per port basis IP source guard prevents illegal packets from traveling through thus improving the network security This document describes z Configuring a Static Binding Entry z Configuring Dynamic Binding Function SSH2 0 SSH ensures secure login to a remote device i...

Page 16: ...irection of an ethernet interface or VLAN interface to filter received or sent packets such as Ethernet frames IPv4 packets and IPv6 packets This document describes z Filtering Ethernet Frames z Filtering IPv4 Packets z Filtering IPv6 Packets z Configuring Packet Filtering Statistics Function High Availability Volume Table 2 7 Features in the High Availability volume Features Description Smart Lin...

Page 17: ...DP Authentication z Resetting DLDP State Ethernet OAM Ethernet OAM is a tool monitoring Layer 2 link status It helps network administrators manage their networks effectively This document describes z Ethernet OAM overview z Configuring Basic Ethernet OAM Functions z Configuring Link Monitoring z Enabling OAM Loopback Testing Connectivity Fault Detection Connectivity fault detection is an end to en...

Page 18: ...uring Command Accounting User Interface Configuration Examples This document describes z User Authentication Configuration Example z Command Authorization Configuration Example z Command Accounting Configuration Example Logging in Through Web based Network Management System An switch 4510G has a built in Web server You can log in to an switch 4510G through a Web browser and manage and maintain the...

Page 19: ... current system z Identifying and diagnosing pluggable transceivers File System Management A major function of the file system is to manage storage devices mainly including creating the file system creating deleting modifying and renaming a file or a directory and opening a file This document describes z File system management z Configuration File Management FTP Configuration The File Transfer Pro...

Page 20: ...ation Configuration To monitor a network you need to monitor users joining and leaving the network This document describes z Overview z Configuring MAC Information System Maintenance and Debugging For the majority of protocols and features supported the system provides corresponding debugging information to help users diagnose errors This document describes z Maintenance and debugging overview z M...

Page 21: ...large numbers of distributed network devices This document describes z Cluster Management Overview z Configuring the Management Device z Configuring the Member Devices z Configuring Access Between the Management Device and Its Member Devices z Adding a Candidate Device to a Cluster z Configuring Advanced Cluster Functions IRF Intelligent Resilient Framework IRF allows you to build an IRF namely a ...

Page 22: ...G Application Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router ASCII American Standard Code for Information Interchange ASE Application service element ASIC Application Specific Integrated Circuit ASM Any Source Multicast ASN Auxiliary Signal Network AT Advanced...

Page 23: ...e and Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain Routing CIR Committed Information Rate CIST Common and Internal Spanning Tree CLNP Connectionless Network Protocol CPOS Channelized POS CPU Central Processing Unit CQ Custom Queuing CRC Cyclic Redunda...

Page 24: ...point Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavelength Division Multiplexing E Return EACL Enhanced ACL EAD Endpoint Admission Defense EAP Extensible Authentication Protocol EAPOL Extensible Authentication Protocol over LAN EBGP External Border Gat...

Page 25: ...hernet GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC High level Data Link Control HEC Header Error Control HoPE Hiberarchy of PE HoVPN Hiberarchy of VPN HQoS Hierarchical Quality of Service HSB Hot Standby HTTP Hyper Text Transport Protocol H VPLS Hiber...

Page 26: ...ion IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IRF Intelligent Resilient Framework IS Intermediate System ISATAP Intra Site Automatic Tunnel Addressing Protocol ISDN Integrated Services Digital Network IS IS Intermediate System to Intermediate System intra domain routing information exchange protocol ISO International Organizatio...

Page 27: ...Rate LRTT Loop Round Trip Time LSA Link State Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol Data Unit LSPM Label Switch Path Management LSR Link State Request LSR Label Switch Router LSR ID Label Switch Router Identity LSU Link State Update M Return MAC Media Access Control MAN Metropolitan ...

Page 28: ...ion Overhead MSTI Multi Spanning Tree Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF Multicast VPN Routing and Forwarding N Return NAPT Network Address Port Translation NAS Network Access Server NAT Net Address Translation NBMA Non Broadcast Multi Access NBT NetBIOS over TCP IP NCP N...

Page 29: ... OC 3 OC 3 OID Object Identifier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol PCB Printed Circuit Board PCM Pulse Code Modulation PD Powered Device PDU Protocol Data Unit PE Provider Edge PHP Penultimate Hop Popping PHY Physical layer PIM Protocol Independent Multicast PIM DM...

Page 30: ...t Virtual Channel PW Pseudo wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority RADIUS Remote Authentication Dial in User Service RAM random access memory RD Routing Domain RD Router Distinguisher RED Random Early Detection RFC Request For comments RIP Routing Information Pr...

Page 31: ...Choke Fairness Frame SD Signal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Multicast Distribution Tree SIP Session Initiation Protocol Site of Origin Site of Origin SLA Service Level Agreement SMB Standby Main Board SMTP Simple Mail Transfer Protocol SNAP Sub Network Access Po...

Page 32: ... Distribution Tree T Return TA Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE DataBase TFTP Trivial File Transfer Protocol TLS Transparent LAN Service TLV Type Length Value ToS Type of Service TPID Tag Protocol Identifier TRIP Trigger RIP TS Traffic Shaping TTL Time to Live TTY...

Page 33: ...ork VPI Virtual Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Tributary VTY Virtual Type Terminal W Return WAN Wide Area Network WFQ Weighted Fair Queuing WINS Windows Internet Naming Service WLAN wireless local area network WRED Weighted Random Early Detection WRR...

Page 34: ...guration 2 1 Overview 2 1 Basic Concepts of Link Aggregation 2 1 Link Aggregation Modes 2 4 Load Sharing Mode of an Aggregation Group 2 5 Link Aggregation Configuration Task List 2 5 Configuring an Aggregation Group 2 6 Configuring a Static Aggregation Group 2 6 Configuring a Dynamic Aggregation Group 2 7 Configuring an Aggregate Interface 2 8 Configuring the Description of an Aggregate Interface ...

Page 35: ...work 4 20 Configuring Timers of MSTP 4 21 Configuring the Timeout Factor 4 22 Configuring the Maximum Port Rate 4 23 Configuring Ports as Edge Ports 4 23 Configuring Path Costs of Ports 4 24 Configuring Port Priority 4 26 Configuring the Link Type of Ports 4 27 Configuring the Mode a Port Uses to Recognize Send MSTP Packets 4 27 Enabling the Output of Port State Transition Information 4 28 Enablin...

Page 36: ...3 Configuring Basic VLAN Settings 6 3 Configuring Basic Settings of a VLAN Interface 6 4 Port Based VLAN Configuration 6 5 Introduction to Port Based VLAN 6 5 Assigning an Access Port to a VLAN 6 6 Assigning a Trunk Port to a VLAN 6 8 Assigning a Hybrid Port to a VLAN 6 9 MAC Based VLAN Configuration 6 10 Introduction to MAC Based VLAN 6 10 Configuring a MAC Address Based VLAN 6 11 Protocol Based ...

Page 37: ...ion Example I 9 7 GVRP Configuration Example II 9 8 GVRP Configuration Example III 9 9 10 QinQ Configuration 10 1 Introduction to QinQ 10 1 Background 10 1 QinQ Mechanism and Benefits 10 1 QinQ Frame Structure 10 2 Implementations of QinQ 10 3 Modifying the TPID in a VLAN Tag 10 3 QinQ Configuration Task List 10 5 Configuring Basic QinQ 10 5 Enabling Basic QinQ 10 5 Configuring Selective QinQ 10 5...

Page 38: ...ssification of Port Mirroring 12 1 Implementing Port Mirroring 12 1 Configuring Local Port Mirroring 12 3 Configuring Remote Port Mirroring 12 4 Configuration Prerequisites 12 4 Configuring a Remote Source Mirroring Group on the Source Device 12 4 Configuring a Remote Destination Mirroring Group on the Destination Device 12 6 Displaying and Maintaining Port Mirroring 12 7 Port Mirroring Configurat...

Page 39: ...Combo Port Configuration Introduction to Combo port A Combo port can operate as either an optical port or an electrical port Inside the device there is only one forwarding interface For a Combo port the electrical port and the corresponding optical port are TX SFP multiplexed You can specify a Combo port to operate as an electrical port or an optical port That is a Combo port cannot operate as bot...

Page 40: ...mission rate is determined through auto negotiation too For a Gigabit Ethernet interface you can specify the transmission rate by its auto negotiation capacity For details refer to Configuring an Auto negotiation Transmission Rate Follow these steps to configure an Ethernet interface To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type ...

Page 41: ...the ingress and egress interfaces Follow these steps to enable flow control on an Ethernet interface To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enable flow control flow control Required Disabled by default Configuring the Suppression Time of Physical Link State Change on an Ethernet Interface An Ethernet inter...

Page 42: ...t interface view interface interface type interface number Enable loopback testing loopback external internal Optional Disabled by default z As for the internal loopback test and external loopback test if an interface is down only the former is available on it if the interface is shut down both are unavailable z The speed duplex mdi and shutdown commands are not applicable during loopback testing ...

Page 43: ... the network card transmission rate of the server group Server 1 Server 2 and Server 3 is 1000 Mbps and the transmission rate of GigabitEthernet 1 0 4 which provides access to the external network for the server group is 1000 Mbps too If you do not specify an auto negotiation range the transmission rate on GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 through negotiation wi...

Page 44: ...id if you enable the storm constrain for the interface For information about the storm constrain function see Configuring the Storm Constrain Function on an Ethernet Interface Follow these steps to set storm suppression ratios for one or multiple Ethernet interfaces To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number E...

Page 45: ...umbo Frames Due to tremendous amount of traffic occurring on an Ethernet interface it is likely that some frames greater than the standard Ethernet frame size are received Such frames called jumbo frames will be dropped With forwarding of jumbo frames enabled the system does not drop all the jumbo frames Instead it continues to process jumbo frames with a size greater than the standard Ethernet fr...

Page 46: ...nk port or a hybrid port trap messages are sent to the terminal If the loopback detection control function is also enabled on the port the port will be blocked trap messages will be sent to the terminal and the corresponding MAC address forwarding entries will be removed Follow these steps to configure loopback detection To do Use the command Remarks Enter system view system view Enable global loo...

Page 47: ...d for transmitting signals pin 3 and pin 6 are used for receiving signals You can change the pin roles through setting the MDI mode For an Ethernet interface in normal mode the pin roles are not changed For an Ethernet interface in across mode pin 1 and pin 2 are used for receiving signals pin 3 and pin 6 are used for transmitting signals To enable normal communication you should connect the local...

Page 48: ...Storm Constrain Function on an Ethernet Interface The storm constrain function suppresses packet storms in an Ethernet With this function enabled on an interface the system detects the multicast traffic or broadcast traffic passing through the interface periodically and takes corresponding actions that is blocking or shutting down the interface and sending trap messages and logs when the traffic d...

Page 49: ...e number Enable the storm constrain function and set the lower threshold and the upper threshold storm constrain broadcast multicast pps kbps ratio max pps values min pps values Required Disabled by default Set the action to be taken when the traffic exceeds the upper threshold storm constrain control block shutdown Optional Disabled by default Specify to send trap messages when the traffic detect...

Page 50: ...mmary of an interface display brief interface interface type interface number begin exclude include regular expression Available in any view Display information about discarded packets on an interface display packet drop interface interface type interface number Available in any view Display summary information about discarded packets on all interfaces display packet drop summary Available in any ...

Page 51: ...these member ports can dynamically back up each other Basic Concepts of Link Aggregation Aggregate interface An aggregate interface is a logical Layer 2 or Layer 3 aggregate interface Aggregation group An aggregation group is a collection of Ethernet interfaces When you create an aggregate interface an aggregation group numbered the same is created automatically depending on the type of the aggreg...

Page 52: ...eceived information with the information received on other ports This allows the two systems to reach an agreement on which link aggregation member ports should be placed in the selected state 2 Extended LACP functions By using expansion fields in LACPDUs you can expand the functions of LACP For example by defining a new Type Length Value TLV data field among the expansion fields of the LACPDUs yo...

Page 53: ...rations Port isolation Whether a port has joined an isolation group QinQ QinQ enable state enable disable outer VLAN tags to be added inner to outer VLAN priority mappings inner to outer VLAN tag mappings inner VLAN ID substitution mappings VLAN Permitted VLAN IDs default VLAN link type trunk hybrid or access IP subnet based VLAN configuration protocol based VLAN configuration tag mode MAC address...

Page 54: ...te selected ports become selected ports When the limit is exceeded set the candidate selected ports with smaller port numbers in the selected state and those with greater port numbers in the unselected state z If all the member ports are down set their states to unselected z Set the ports that cannot aggregate with the reference port to the unselected state A port that joins the aggregation group ...

Page 55: ...cted state When the limit is exceeded the system selects the candidate selected ports with smaller port IDs as the selected ports and set other candidate selected ports to unselected state At the same time the peer device being aware of the changes changes the state of its ports accordingly 2 Set the ports that cannot aggregate with the reference port to the unselected state For static and dynamic...

Page 56: ...t reflector ports refer to Port Mirroring Configuration in the Access Volume Configuring a Static Aggregation Group Follow these steps to configure a Layer 2 static aggregation group To do Use the command Remarks Enter system view system view Create a Layer 2 aggregate interface and enter the Layer 2 aggregate interface view interface bridge aggregation interface number Required When you create a ...

Page 57: ...te a Layer 2 aggregate interface and enter the Layer 2 aggregate interface view interface bridge aggregation interface number Required When you create a Layer 2 aggregate interface a Layer 2 static aggregation group numbered the same is created automatically Configure the aggregation group to work in dynamic aggregation mode link aggregation mode dynamic Required By default an aggregation group wo...

Page 58: ...To do Use the command Remarks Enter system view system view Enter Layer 2 aggregate interface view interface bridge aggregation interface number Configure the description of the aggregate interface description text Optional By default the description of an interface is interface name Interface such as Bridge Aggregation1 Interface Enabling LinkUp LinkDown Trap Generation for an Aggregate Interface...

Page 59: ... shutdown command and then the undo shutdown command on the member interfaces of the corresponding link aggregation group Otherwise the member interfaces may be brought up Configuring a Load Sharing Mode for Load Sharing Link Aggregation Groups The hash algorithm is adopted to calculate load sharing for load sharing link aggregation groups Hash keys used for calculation could be service port numbe...

Page 60: ...ace number Configure the load sharing mode for the aggregation group link aggregation load sharing mode destination ip destination mac source ip source mac Required By default the load sharing mode of an aggregation group is the global load sharing mode After you configure this command the load sharing modes in current link aggregation group change accordingly Displaying and Maintaining Link Aggre...

Page 61: ...Ethernet1 0 1 to GigabitEthernet1 0 3 Aggregate the ports on each device to form a static link aggregation group thus balancing outgoing traffic across the member ports In addition perform load sharing based on source and destination MAC addresses Figure 2 1 Network diagram for Layer 2 static aggregation Configuration procedure 1 Configure Device A Configure the device to perform load sharing base...

Page 62: ...n addition perform load sharing based on source and destination MAC addresses Figure 2 2 Network diagram for Layer 2 dynamic aggregation Configuration procedure 1 Configure Device A Configure the device to perform load sharing based on source and destination MAC addresses for link aggregation groups DeviceA system view DeviceA link aggregation load sharing mode source mac destination mac Create a ...

Page 63: ...or Layer 2 aggregation load sharing mode configuration GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 4 GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 4 Configuration procedure 1 Configure Device A Configure the global link aggregation load sharing mode as the source MAC based load sharing mode DeviceA system view DeviceA link aggregation load sharing mode source mac Create Layer 2 aggregate interface Bridge aggregation 1 DeviceA ...

Page 64: ...et 1 0 3 and GigabitEthernet 1 0 4 to aggregation group 2 DeviceA interface gigabitethernet 1 0 3 DeviceA GigabitEthernet1 0 3 port link aggregation group 2 DeviceA GigabitEthernet1 0 3 quit DeviceA interface gigabitethernet 1 0 4 DeviceA GigabitEthernet1 0 4 port link aggregation group 2 2 Configure Device B The configuration on Device B is similar to the configuration on Device A ...

Page 65: ...een a port inside an isolation group and a port outside the isolation group but not between ports inside the isolation group Configuring the Isolation Group Assigning a Port to the Isolation Group Follow these steps to add a port to the isolation group To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Layer 2 a...

Page 66: ...that Host A Host B and Host C cannot communicate with one another at Layer 2 but can access the Internet Figure 3 1 Networking diagram for port isolation configuration Configuration procedure Add ports GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 to the isolation group Device system view Device interface GigabitEthernet 1 0 1 Device GigabitEthernet1 0 1 port isolate enable...

Page 67: ...3 3 Uplink port support NO Group ID 1 Group members GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3 ...

Page 68: ...oops at the data link layer in a local area network LAN Devices running this protocol detect loops in the network by exchanging information with one another and eliminate loops by selectively blocking certain ports to prune the loop structure into a loop free tree structure This avoids proliferation and infinite cycling of packets that would occur in a loop network and prevents decreased performan...

Page 69: ... port The root bridge has no root port Designated bridge and designated port The following table describes designated bridges and designated ports Table 4 1 Description of designated bridges and designated ports Classification Designated bridge Designated port For a device A device directly connected with the local device and responsible for forwarding BPDUs to the local device The port through wh...

Page 70: ...e spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the root bridge denoted by the root identifier from the transmitting bridge z Designated bridge ID consisting of the priority and MAC address of the designated bridge z Designated port ID designated port...

Page 71: ...riority than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port the device replaces the content of the configuration BPDU generated by the port with the content of the rece...

Page 72: ... device z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be defined and acts depending on the comparison result z If the calculated configuration BPDU is superior the device considers this port as the designated port and replaces the configuration BPDU on the po...

Page 73: ... port after comparison Device A z Port AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received configuration BPDU and therefore discards the received configuration BPDU z Port AP2 receives the configuration BPDU of Device C 2 0 2 CP1 Device A finds that the BPDU of the local port 0 0 0 AP2 is super...

Page 74: ...port BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port 2 0 2 CP1 and updates the configuration BPDU of CP1 z Port CP2 receives the configuration BPDU of port BP2 of Device B 1 0 1 BP2 before the configuration BPDU is updated Device C...

Page 75: ...nning tree with Device A as the root bridge is established as shown in Figure 4 3 Figure 4 3 The final calculated spanning tree AP1 AP2 Device A With priority 0 Device B With priority 1 Device C With priority 2 BP1 BP2 CP2 5 4 The spanning tree calculation process in this example is only simplified process The BPDU forwarding mechanism in STP z Upon network initiation every switch regards itself a...

Page 76: ...te transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propagated throughout the network z Hello time is the time interval at which a device sends hello packets to the surrounding devices to ensure that the paths are fault free z Max age is a parameter used to...

Page 77: ...ngs of STP and RSTP In addition to the support for rapid network convergence it allows data flows of different VLANs to be forwarded along separate paths thus providing a better load sharing mechanism for redundant links For description about VLANs refer to VLAN Configuration in the Access Volume MSTP features the following z MSTP supports mapping VLANs to spanning tree instances by means of a VLA...

Page 78: ... tree region MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have the same region name z They have the same VLAN to instance mapping configuration z They have the same MSTP revision level configuration and z They are physically linked with one another For example all the...

Page 79: ... constitute the CIST of the entire network MSTI Multiple spanning trees can be generated in an MST region through MSTP one spanning tree being independent of another Each spanning tree is referred to as a multiple spanning tree instance MSTI In Figure 4 4 for example multiple spanning trees can exist in each MST region each spanning tree corresponding to the specific VLAN s These spanning trees ar...

Page 80: ...nate port The standby port for a root port or master port When the root port or master port is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a designated port When the designated port is blocked the backup port becomes a new designated port and starts forwarding data without delay A loop occurs when two ports of the same MSTP device are interc...

Page 81: ... are calculated each being called an MSTI Among these MSTIs MSTI 0 is the IST while all the others are MSTIs Similar to STP MSTP uses configuration BPDUs to calculate spanning trees The only difference between the two protocols is that an MSTP BPDU carries the MSTP configuration on the device from which this BPDU is sent CIST calculation The calculation of a CIST tree is also the process of config...

Page 82: ... List Before configuring MSTP you need to know the role of each device in each MSTI root bridge or leave node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes Complete these tasks to configure MSTP Task Remarks Configuring an MST Region Required Configuring the Root Bridge or a Secondary Root Bridge Optional Configuring the Work Mode of an MSTP Device Opt...

Page 83: ...ance mapping table For the detailed information of GVRP refer to GVRP Configuration of the Access Volume z MSTP is mutually exclusive with any of the following functions on a port service loopback RRPP Smart Link and BPDU tunnel z Configurations made in system view take effect globally configurations made in Ethernet interface view take effect on the current interface only configurations made in p...

Page 84: ...urations of currently activated MST regions display stp region configuration The display command can be executed in any view z Two or more MSTP enabled devices belong to the same MST region only if they are configured to have the same format selector 0 by default not configurable MST region name the same VLAN to instance mapping entries in the MST region and the same MST region revision level and ...

Page 85: ...er if you specify a new primary root bridge for the instance then the secondary root bridge will not become the root bridge If you have specified multiple secondary root bridges for an instance when the root bridge fails MSTP will select the secondary root bridge with the lowest MAC address as the new root bridge Configuring the current device as the root bridge of a specific spanning tree Follow ...

Page 86: ...he device send out MSTP BPDUs If the device detects that it is connected with a legacy STP device the port connecting with the legacy STP device will automatically migrate to STP compatible mode Make this configuration on the root bridge and on the leaf nodes separately Follow these steps to configure the MSTP work mode To do Use the command Remarks Enter system view system view Configure the work...

Page 87: ...spanning tree calculation and thereby the size of the MST region is confined Make this configuration on the root bridge only All the devices other than the root bridge in the MST region use the maximum hop value set for the root bridge Follow these steps to configure the maximum number of hops of an MST region To do Use the command Remarks Enter system view system view Configure the maximum hops o...

Page 88: ...f the peer occur in a synchronized manner z Hello time is the time interval at which a device sends configuration BPDUs to the surrounding devices to ensure that the paths are fault free If a device fails to receive configuration BPDUs within a certain period of time it starts a new spanning tree calculation process z MSTP can detect link failures and automatically restore blocked redundant links ...

Page 89: ... to timely launch spanning tree calculations thus reducing the auto sensing capability of the network We recommend that you use the default setting The settings of hello time forward delay and max age must meet the following formulae otherwise network instability will frequently occur z 2 forward delay 1 second ú max age z Max age ú 2 hello time 1 second We recommend that you specify the network d...

Page 90: ...imit Required 10 by default The higher the maximum port rate is the more BPDUs will be sent within each hello time and the more system resources will be used By setting an appropriate maximum port rate you can limit the rate at which the port sends BPDUs and prevent MSTP from using excessive network resources when the network becomes instable We recommend that you use the default setting Configuri...

Page 91: ...c flows to be forwarded along different physical links thus achieving VLAN based load balancing The device can automatically calculate the default path cost alternatively you can also configure the path cost for ports Make the following configurations on the leaf nodes only Specifying a standard that the device uses when calculating the default path cost You can specify a standard for the device t...

Page 92: ...666 500 2 1 1 1 When calculating path cost for an aggregate interface 802 1d 1998 does not take into account the number of member ports in its aggregation group as 802 1t does The calculation formula of 802 1t is Path Cost 200 000 000 link speed in 100 kbps where link speed is the sum of the link speed values of the non blocked ports in the aggregation group Configuring path costs of ports Follow ...

Page 93: ... elected as the root port of a device If all other conditions are the same the port with the highest priority will be elected as the root port On an MSTP enabled device a port can have different priorities in different MSTIs and the same port can play different roles in different MSTIs so that data of different VLANs can be propagated along different physical paths thus implementing per VLAN load ...

Page 94: ...iew system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command Configure the link type of ports stp point to point auto force false force true Optional The default setting is auto namely the port automatically detec...

Page 95: ...acy Required auto by default z MSTP provides the MSTP packet format incompatibility guard function In MSTP mode if a port is configured to recognize send MSTP packets in a mode other than auto and receives a packet in a format different from the specified type the port will become a designated port and remain in the discarding state to prevent the occurrence of a loop z MSTP provides the MSTP pack...

Page 96: ...anual port group name Required Use either command Enable the MSTP feature for the ports stp enable Optional By default MSTP is enabled on all ports z MSTP takes effect when it is enabled both globally and on the port z To control MSTP flexibly you can use the undo stp enable command to disable the MSTP feature for certain ports so that they will not take part in spanning tree calculation and thus ...

Page 97: ... RSTP or MSTP mode Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when the MST region related configurations domain name revision level VLAN to instance mappings on them are identical An MSTP enabled device identifies devices in the same MST region by checking the configuration ID in BPDU packets The configuration ID includes the region nam...

Page 98: ...bled by default z With the Digest Snooping feature enabled comparison of configuration digest is not needed for in the same region check so the VLAN to instance mappings must be the same on associated ports z With global Digest Snooping enabled modification of VLAN to instance mappings and removing of the current region configuration using the undo stp region configuration command are not allowed ...

Page 99: ...ooping on Device B DeviceB system view DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 stp config digest snooping DeviceB GigabitEthernet1 0 1 quit DeviceB stp config digest snooping Configuring No Agreement Check In RSTP and MSTP two types of messages are used for rapid state transition on designated ports z Proposal sent by designated ports to request rapid transition z Agre...

Page 100: ...TP and does not work in RSTP mode the root port on the downstream device receives no agreement packet from the upstream device and thus sends no agreement packets to the upstream device As a result the designated port of the upstream device fails to transit rapidly and can only change to the forwarding state after a period twice the Forward Delay In this case you can enable the No Agreement Check ...

Page 101: ...vice that has different MSTP implementation Both devices are in the same region z Device B is the regional root bridge and Device A is the downstream device Figure 4 9 No Agreement Check configuration 2 Configuration procedure Enable No Agreement Check on GigabitEthernet 1 0 1 of Device A DeviceA system view DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 stp no agreement chec...

Page 102: ... default BPDU guard does not take effect on loopback test enabled ports For information about loopback test refer to Ethernet Interface Configuration in the Access Volume Enabling Root guard The root bridge and secondary root bridge of a spanning tree should be located in the same MST region Especially for the CIST the root bridge and secondary root bridge are generally put in a high bandwidth cor...

Page 103: ...twork The loop guard function can suppress the occurrence of such loops If a loop guard enabled port fails to receive BPDUs from the upstream device and if the port takes part in STP calculation all the instances on the port no matter what roles the port plays will be set to and stay in the Discarding state Make this configuration on the root port or an alternate port of a device Follow these step...

Page 104: ...continuously in order to destroy the network When a switch receives the BPDU packets it will forward them to other switches As a result STP calculation is performed repeatedly which may occupy too much CPU of the switches or cause errors in the protocol state of the BPDU packets In order to avoid this problem you can enable BPDU dropping on Ethernet ports Once the function is enabled on a port the...

Page 105: ...ration information that has taken effect display stp region configuration Available in any view View the root bridge information of all MSTIs display stp root Available in any view Clear the statistics information of MSTP reset stp interface interface list Available in user view MSTP Configuration Example Network requirements z All devices on the network are in the same MST region Device A and Dev...

Page 106: ... MSTI 1 MSTI 3 and MSTI 4 respectively and configure the revision level of the MST region as 0 DeviceA system view DeviceA stp region configuration DeviceA mst region region name example DeviceA mst region instance 1 vlan 10 DeviceA mst region instance 3 vlan 30 DeviceA mst region instance 4 vlan 40 DeviceA mst region revision level 0 Activate MST region configuration DeviceA mst region active reg...

Page 107: ...ew DeviceC stp region configuration DeviceC mst region region name example DeviceC mst region instance 1 vlan 10 DeviceC mst region instance 3 vlan 30 DeviceC mst region instance 4 vlan 40 DeviceC mst region revision level 0 Activate MST region configuration DeviceC mst region active region configuration DeviceC mst region quit Specify the current device as the root bridge of MSTI 4 DeviceC stp in...

Page 108: ...STID Port Role STP State Protection 0 GigabitEthernet1 0 1 DESI FORWARDING NONE 0 GigabitEthernet1 0 2 DESI FORWARDING NONE 0 GigabitEthernet1 0 3 DESI FORWARDING NONE 1 GigabitEthernet1 0 2 DESI FORWARDING NONE 1 GigabitEthernet1 0 3 ROOT FORWARDING NONE 3 GigabitEthernet1 0 1 DESI FORWARDING NONE 3 GigabitEthernet1 0 3 DESI FORWARDING NONE Display brief spanning tree information on Device C Devi...

Page 109: ... 0 2 ALTE DISCARDING NONE 4 GigabitEthernet1 0 3 ROOT FORWARDING NONE Based on the above information you can draw the MSTI corresponding to each VLAN as shown in Figure 4 11 Figure 4 11 MSTIs corresponding to different VLANs ...

Page 110: ... in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major functions management IP address device ID and port ID as TLV type length and value triplets in LLDPDUs to the directly connected devices and at the same time stores the device information received in LL...

Page 111: ...ing bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the received Ethernet frame 2 SNAP encapsulated LLDP frame format Figure 5 2 SNAP encapsulated LLDP frame format Data LLDPU n bytes 0 Destination MAC address Source MAC address Type 15 31 FCS The fields...

Page 112: ...information field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs and LLDP MED media endpoint discovery TLVs Basic management TLVs are essential to device management Organizationally specific TLVs and LLDP MED TLVs are used for enhanced device management they are defi...

Page 113: ...ly 3Com switches 4510G support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 5 5 IEEE 802 3 organizationally specific TLVs Type Description MAC PHY Configuration Status Contains the rate and duplex capabilities of the sending port support for auto negotiation enabling status of auto negotiation and the current rate and duplex mode Power Via MDI ...

Page 114: ...sset ID The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking Location Identification Allows a network device to advertise the appropriate location identifier information for an endpoint to use in the context of location based applications Management address The management address of a device is used by the network managemen...

Page 115: ... resumes Receiving LLDP frames An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDP frame it receives for validity violation If valid the information is saved and an aging timer is set for it based on the time to live TTL TLV carried in the LLDPDU If the TTL TLV is zero the information is aged out immediately Protocols and Standards The protocols and standar...

Page 116: ... port group manual port group name Required Use either command Enable LLDP lldp enable Optional By default LLDP is enabled on a port Setting LLDP Operating Mode LLDP can operate in one of the following modes z TxRx mode A port in this mode sends and receives LLDP frames z Tx mode A port in this mode only sends LLDP frames z Rx mode A port in this mode only receives LLDP frames z Disable mode A por...

Page 117: ...sends LLDP frames to inform the neighboring devices of the change Follow these steps to enable LLDP polling To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view port group manual port group name Required Use either command Enable LLDP polling and set...

Page 118: ...ing format of the management address as string on the connecting port to guarantee normal communication with the neighbor Follow these steps to configure a management address to be advertised and its encoding format on one or a group of ports To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Ethernet interface ...

Page 119: ...onal 2 seconds by default Set the number of LLDP frames sent each time fast LLDPDU transmission is triggered lldp fast count count Optional 3 by default Both the LLDPDU transmit interval and delay must be less than the TTL to ensure that the LLDP neighbors can receive LLDP frames to update information about the device you are configuring before it is aged out Setting an Encapsulation Format for LL...

Page 120: ...th Cisco IP phones As your LLDP enabled device cannot recognize CDP packets it does not respond to the requests of Cisco IP phones for the voice VLAN ID configured on the device This can cause a requesting Cisco IP phone to send voice traffic without any tag to your device disabling your device to differentiate the voice traffic from other types of traffic By configuring CDP compatibility you can ...

Page 121: ...command Configure CDP compatible LLDP to operate in TxRx mode lldp compliance admin status cdp txrx Required By default CDP compatible LLDP operates in disable mode As the maximum TTL allowed by CDP is 255 seconds ensure that the product of the TTL multiplier and the LLDPDU transmit interval is less than 255 seconds for CDP compatible LLDP to work properly with Cisco IP phones Configuring LLDP Tra...

Page 122: ... name Available in any view Display LLDP statistics display lldp statistics global interface interface type interface number Available in any view Display LLDP status of a port display lldp status interface interface type interface number Available in any view Display types of advertisable optional LLDP TLVs display lldp tlv config interface interface type interface number Available in any view LL...

Page 123: ...y SwitchB system view SwitchB lldp enable Enable LLDP on GigabitEthernet1 0 1 you can skip this step because LLDP is enabled on ports by default and set the LLDP operating mode to Tx SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 lldp enable SwitchB GigabitEthernet1 0 1 lldp admin status tx SwitchB GigabitEthernet1 0 1 quit 3 Verify the configuration Display the global LLDP s...

Page 124: ...ports operate in Rx mode that is they only receive LLDP frames Tear down the link between Switch A and Switch B and then display the global LLDP status and port LLDP status on Switch A SwitchA display lldp status Global status of LLDP Enable The current number of LLDP neighbors 1 The current number of CDP neighbors 0 LLDP neighbor information last changed time 0 days 0 hours 5 minutes 20 seconds T...

Page 125: ...o allow the Cisco IP phones to automatically configure the voice VLAN thus confining their voice traffic within the voice VLAN to be isolated from other types of traffic Figure 5 5 Network diagram for CDP compatible LLDP configuration Configuration procedure 1 Configure a voice VLAN on Switch A Create VLAN 2 SwitchA system view SwitchA vlan 2 SwitchA vlan2 quit Set the link type of GigabitEthernet...

Page 126: ...1 0 2 SwitchA GigabitEthernet1 0 2 lldp enable SwitchA GigabitEthernet1 0 2 lldp admin status txrx SwitchA GigabitEthernet1 0 2 lldp compliance admin status cdp txrx SwitchA GigabitEthernet1 0 2 quit 3 Verify the configuration Display the neighbor information on Switch A SwitchA display lldp neighbor information CDP neighbor information of port 1 GigabitEthernet1 0 1 CDP neighbor index 1 Chassis I...

Page 127: ... and excessive broadcasts cannot be avoided on an Ethernet To address the issue virtual LAN VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN VLANs are isolated from each other at Layer 2 A VLAN is a bridging domain and all broadcast traffic is contained within it as shown in...

Page 128: ...E 802 1Q inserts a four byte VLAN tag after the DA SA field as shown in Figure 6 3 Figure 6 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority canonical format indicator CFI and VLAN ID z The 16 bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged z The 3 bit priority field indicates the 802 1p priority of the frame...

Page 129: ...at the same time When determining to which VLAN a packet passing through the port should be assigned the device looks up the VLANs in the default order of MAC based VLANs IP based VLANs protocol based VLANs and port based VLANs Configuring Basic VLAN Settings Follow these steps to configure basic VLAN settings To do Use the command Remarks Enter system view system view Create VLANs vlan vlan id1 t...

Page 130: ...an create one VLAN interface You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the VLAN Follow these steps to configure basic settings of a VLAN interface To do Use the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface vlan...

Page 131: ...a hybrid port can carry multiple VLANs to receive and send traffic for them Unlike a trunk port a hybrid port allows traffic of all VLANs to pass through VLAN untagged You can configure a port connected to a network device or user terminal as a hybrid port for access link connectivity or trunk connectivity Default VLAN By default VLAN 1 is the default VLAN for all ports You can configure the defau...

Page 132: ...emove the tag and send the frame if the frame carries the default VLAN tag and the port belongs to the default VLAN z Send the frame without removing the tag if its VLAN is carried on the port but is different from the default one Hybrid Check whether the default VLAN is permitted on the port z If yes tag the frame with the default VLAN tag z If not drop the frame z Receive the frame if its VLAN i...

Page 133: ...ace type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command z In Ethernet interface view the subsequent configurations apply to the current port z In port group view the subsequent configurations apply to all ports in the por...

Page 134: ...Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command z In Ethernet interface view the subsequent configurations apply to the current port z In port group view the subsequen...

Page 135: ...e VLANs You can assign it to a VLAN in interface view or port group view Follow these steps to assign a hybrid port to one or multiple VLANs To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view En...

Page 136: ... z When receiving an untagged frame the device looks up the list of MAC to VLAN mappings based on the source MAC address of the frame for a match Two matching modes are available exact matching and fuzzy matching In exact matching mode the device searches the MAC to VLAN mappings whose masks are all Fs If the MAC address in a MAC to VLAN mapping matches the source MAC address of the untagged frame...

Page 137: ...w these steps to configure a MAC based VLAN To do Use the command Remarks Enter system view system view Associate MAC addresses with a VLAN mac vlan mac address mac address vlan vlan id priority priority Required Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view port group manual port group name Use either...

Page 138: ...plate the packet will be tagged with the default VLAN ID of the port The port processes a tagged packet as it processes tagged packets of a port based VLAN z If the port permits the VLAN ID of the packet to pass through the port forwards the packet z If the port does not permit the VLAN ID of the packet to pass through the port drops the packet This feature is mainly used to assign packets of the ...

Page 139: ...nfiguring the user defined template for llc encapsulation Otherwise the encapsulation format of the matching packets will be the same as that of the ipx llc or ipx raw packets respectively z When you use the mode keyword to configure a user defined protocol template do not set etype id in ethernetii etype etype id to 0x0800 0x8137 0x809b or 0x86dd Otherwise the encapsulation format of the matching...

Page 140: ...k segment or IP address to be associated with a VLAN cannot be a multicast network segment or a multicast address Return to system view quit Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view Enter port group view port group manual port group name Requir...

Page 141: ...an interface vlan interface id Available in any view Display hybrid ports or trunk ports on the device display port hybrid trunk Available in any view Display MAC address to VLAN entries display mac vlan all dynamic mac address mac address static vlan vlan id Available in any view Display all interfaces with MAC based VLAN enabled display mac vlan interface Available in any view Display protocol i...

Page 142: ... 100 to pass through Figure 6 4 Network diagram for port based VLAN configuration Configuration procedure 1 Configure Device A Create VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 DeviceA system view DeviceA vlan 2 DeviceA vlan2 quit DeviceA vlan 100 DeviceA vlan100 vlan 6 to 50 Please wait Done Enter GigabitEthernet 1 0 1 interface view DeviceA interface GigabitEthernet 1 0 1 Configure GigabitEthern...

Page 143: ...isted pair Port hardware type is 1000_BASE_T Unknown speed mode unknown duplex mode Link speed type is autonegotiation link duplex type is autonegotiation Flow control is not enabled The Maximum Frame Length is 9216 Broadcast MAX ratio 100 Unicast MAX ratio 100 Multicast MAX ratio 100 Allow jumbo frame to pass PVID 100 Mdi type auto Link delay is 0 sec Port link type trunk VLAN passing 2 6 50 100 ...

Page 144: ...nderruns buffer failures 0 aborts 0 deferred 0 collisions 0 late collisions 0 lost carrier no carrier The output above shows that z The port GigabitEthernet 1 0 1 is a trunk port z The default VLAN of the port is VLAN 100 z The port permits packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass through Therefore the configuration is successful ...

Page 145: ... of only the isolate user VLAN but not the secondary VLANs network configuration is simplified and VLAN resources are saved z You can isolate the Layer 2 traffic of different users by assigning the ports connected to them to different secondary VLANs To enable communication between secondary VLANs associated with the same isolate user VLAN you can enable local proxy ARP on the upstream device to r...

Page 146: ... least one port takes the isolate user VLAN as its default VLAN Hybrid port Refer to Assigning a Hybrid Port to a VLAN Use either approach Return to system view quit Create secondary VLANs vlan vlan id1 to vlan id2 all Required Quit to system view quit Access port Refer to Assigning an Access Port to a VLAN Assign ports to each secondary VLAN and ensure that at least one port in a secondary VLAN t...

Page 147: ...1 to VLAN 3 z Configure VLAN 6 on Device C as an isolate user VLAN assign the uplink port GigabitEthernet 1 0 5 to VLAN 6 and associate VLAN 6 with secondary VLANs VLAN 3 and VLAN 4 Assign GigabitEthernet 1 0 3 to VLAN 3 and GigabitEthernet 1 0 4 to VLAN 4 z For Device A Device B only has VLAN 5 and Device C only has VLAN 6 Figure 7 2 Network diagram for isolate user VLAN configuration Configurati...

Page 148: ...an4 port gigabitethernet 1 0 4 Associate the isolate user VLAN with the secondary VLANs DeviceC vlan4 quit DeviceC isolate user vlan 6 secondary 3 to 4 Verification Display the isolate user VLAN configuration on Device B DeviceB display isolate user vlan Isolate user VLAN VLAN ID 5 Secondary VLAN ID 2 3 VLAN ID 5 VLAN Type static Isolate user VLAN type isolate user VLAN Route Interface not configu...

Page 149: ... gigabitethernet 1 0 5 VLAN ID 3 VLAN Type static Isolate user VLAN type secondary Route Interface not configured Description VLAN 0003 Name VLAN 0003 Tagged Ports none Untagged Ports gigabitethernet 1 0 1 gigabitethernet 1 0 5 ...

Page 150: ... OUI Addresses A device determines whether a received packet is a voice packet by checking its source MAC address A packet whose source MAC address complies with the voice device Organizationally Unique Identifier OUI address is regarded as voice traffic You can configure the OUI addresses in advance or use the default OUI addresses Table 8 1 lists the default OUI address for each vendor s devices...

Page 151: ...t from the voice VLAN if no packet is received from the port after the aging time expires Assigning removing ports to from a voice VLAN are automatically performed by the system z In manual mode you should assign an IP phone connecting port to a voice VLAN manually Then the system matches the source MAC addresses in the packets against the OUI addresses If a match is found the system issues ACL ru...

Page 152: ...ort untagged If an IP phone sends tagged voice traffic and its connecting port is configured with 802 1X authentication and Guest VLAN you should assign different VLAN IDs for the voice VLAN the default VLAN of the connecting port and the 802 1X Guest VLAN z The default VLANs for all ports are VLAN 1 You can configure the default VLAN of a port and configure a port to permit a certain VLAN to pass...

Page 153: ...h Configuring a Voice VLAN Configuration Prerequisites Before configuring a VLAN as a voice VLAN create the VLAN first Note that you cannot configure VLAN 1 the system default VLAN as a voice VLAN Setting a Port to Operate in Automatic Voice VLAN Assignment Mode Follow these steps to set a port to operate in automatic voice VLAN assignment mode To do Use the command Remarks Enter system view syste...

Page 154: ...rate in Manual Voice VLAN Assignment Mode Follow these steps to set a port to operate in manual voice VLAN assignment mode To do Use the command Remarks Enter system view system view Enable the voice VLAN security mode voice vlan security enable Optional Enabled by default Add a recognizable OUI address voice vlan mac address oui mask oui mask description text Optional By default each voice VLAN h...

Page 155: ...splaying and Maintaining Voice VLAN To do Use the command Remarks Display the voice VLAN state display voice vlan state Available in any view Display the OUI addresses currently supported by system display voice vlan oui Available in any view Voice VLAN Configuration Examples Automatic Voice VLAN Mode Configuration Example Network requirements As shown in Figure 8 1 z The MAC address of IP phone A...

Page 156: ...rity enable Configure the allowed OUI addresses as MAC addresses prefixed by 0011 1100 0000 or 0011 2200 0000 In this way Device A identifies packets whose MAC addresses match any of the configured OUI addresses as voice packets DeviceA voice vlan mac address 0011 1100 0001 mask ffff ff00 0000 description IP phone A DeviceA voice vlan mac address 0011 2200 0001 mask ffff ff00 0000 description IP p...

Page 157: ...fff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current states of voice VLANs DeviceA display voice vlan state Maximum of Voice VLANs 16 Current Voice VLANs 2 Voice VLAN security mode Security Voice VLAN aging time 1440 minutes Voice VLAN enabled port and its mode PORT VLAN MODE GigabitEthernet1 0 1 2 AUTO GigabitEthernet1 0 2 3 AUTO Manual Voice VLAN Assignment Mo...

Page 158: ... 1 undo voice vlan mode auto Configure GigabitEthernet 1 0 1 as a hybrid port DeviceA GigabitEthernet1 0 1 port link type access Please wait Done DeviceA GigabitEthernet1 0 1 port link type hybrid Configure the voice VLAN VLAN 2 as the default VLAN of GigabitEthernet 1 0 1 and configure GigabitEthernet 1 0 1 to permit the voice traffic of VLAN 2 to pass through untagged DeviceA GigabitEthernet1 0 ...

Page 159: ... 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current voice VLAN state DeviceA display voice vlan state Maximum of Voice VLANs 16 Current Voice VLANs 2 Voice VLAN security mode Security Voice VLAN aging time 100 minutes Voice VLAN enabled port and its mode PORT VLAN MODE GigabitEthernet1 0 1 2 MANUAL ...

Page 160: ...rt is regarded as a GARP participant GARP messages and timers 1 GARP messages A GARP application entity exchanges information with other GARP application entities by z Sending Join messages to register with other entities its attributes the attributes received from other GARP application entities and the attributes manually configured on it z Sending Leave messages to have its attributes deregiste...

Page 161: ...timer starts again z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z On a GARP enabled network a device may send LeaveAll messages at the interval set by its LeaveAll timer or the LeaveAll timer on another device on the network whichever is smaller This is because each time a device on the network receives a LeaveAll message it resets its LeaveAll timer Operating...

Page 162: ...1 for GVRP indicating the VLAN ID attribute Attribute List Contains one or multiple attributes Attribute Consists of an Attribute Length an Attribute Event and an Attribute Value Attribute Length Number of octets occupied by an attribute inclusive of the attribute length field 2 to 255 in bytes Attribute Event Event described by the attribute z 0 LeaveAll event z 1 JoinEmpty event z 2 JoinIn event...

Page 163: ...xed registration type thus allows only manually configured VLANs to pass through even though it is configured to carry all VLANs z Forbidden Disables the port to dynamically register and deregister VLANs and to propagate VLAN information except information about VLAN 1 A trunk port with forbidden registration type thus allows only VLAN 1 to pass through even though it is configured to carry all VL...

Page 164: ...e port mirroring are used GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates to be received by the monitor port For more information about port mirroring refer to Port Mirroring Configuration in the Access Volume z Enabling GVRP on a Layer 2 aggregate interface enables both the aggregate interface and all selected member ports in the corresponding link ag...

Page 165: ...or a timer you may change the value range by tuning the value of another related timer z If you want to restore the default settings of the timers restore the Hold timer first and then the Join Leave and LeaveAll timers Table 9 2 Dependencies of GARP timers Timer Lower limit Upper limit Hold 10 centiseconds No greater than half of the Join timer setting Join No less than two times the Hold timer s...

Page 166: ...onfiguration Examples GVRP Configuration Example I Network requirements Configure GVRP for dynamic VLAN information registration and update among devices adopting the normal registration mode on ports Figure 9 2 Network diagram for GVRP configuration Configuration procedure 1 Configure Device A Enable GVRP globally DeviceA system view DeviceA gvrp Configure port GigabitEthernet 1 0 1 as a trunk po...

Page 167: ...ic Now the following dynamic VLAN exist s 2 GVRP Configuration Example II Network requirements Configure GVRP for dynamic VLAN information registration and update among devices Specify fixed GVRP registration on Device A and normal GVRP registration on Device B Figure 9 3 Network diagram for GVRP configuration Configuration procedure 1 Configure Device A Enable GVRP globally DeviceA system view De...

Page 168: ... a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN information on Device A DeviceA display vlan dynamic No dynamic vlans exist Display dynamic VLAN information on Device B DeviceB display vlan dynamic Now the following dynamic VLAN exist s 2 GVRP Configuration Example III Network requirements To prevent dynamic VLAN information registration and update among devices set t...

Page 169: ...RP globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 1 0 1 as a trunk port allowing all VLANs to pass through DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 port trunk permit vlan all Enable GVRP on GigabitEthernet 1 0 1 DeviceB GigabitEthernet1 0 1 gvrp DeviceB GigabitEthernet1 0 1 quit Create VLAN 3 a ...

Page 170: ... can support a maximum of 4094 VLANs In actual applications however a large number of VLANs are required to isolate users especially in metropolitan area networks MANs and 4094 VLANs are far from satisfying such requirements QinQ Mechanism and Benefits The QinQ feature is a flexible easy to implement Layer 2 VPN technique It enables the edge device on the service provider network to encapsulate an...

Page 171: ...ovider network it is tagged with outer VLAN 4 In this way there is no overlap of VLAN IDs among customers and traffic from different customers does not become mixed By tagging tagged frames QinQ expands the available VLAN space from 4094 to 4094 4094 and thus satisfies the requirement for VLAN space in MAN It mainly addresses the following issues z Releases the stress on the SVLAN resource z Enabl...

Page 172: ...port the port tags it with the port s default VLAN tag regardless of whether the frame is tagged or untagged If the received frame is already tagged it becomes a double tagged frame if it is untagged it becomes a frame tagged with the port s default VLAN tag 2 Selective QinQ Selective QinQ is a more flexible VLAN based implementation of QinQ In addition to all the functions of basic QinQ selective...

Page 173: ...TPID of the outer VLAN tag of QinQ frames to different values For compatibility with these systems you can modify the TPID value so that the QinQ frames when sent to the public network carry the TPID value identical to the value of a particular vendor to allow interoperability with the devices of that vendor The TPID in an Ethernet frame has the same position with the protocol type field in a fram...

Page 174: ...n all member ports in the current port group z Basic and selective QinQ should both be configured on the ports connecting customer networks z Do not configure QinQ on a reflector port For information about reflector ports refer to Port Mirroring Configuration in the Access Volume Configuring Basic QinQ Enabling Basic QinQ Follow these steps to enable basic QinQ To do Use the command Remarks Enter ...

Page 175: ... port group name Required Use either command Enter QinQ view and configure the SVLAN tag for the port to add qinq vid vlan id Required By default the SVLAN tag to be added is the default VLAN tag of the receiving port Tag frames of the specified CVLANs with the current SVLAN raw vlan id inbound all vlan list Required z An inner VLAN tag corresponds to only one outer VLAN tag z If you want to chang...

Page 176: ... aggregate interface view interface interface type interface number Enter the Ethernet port view of the customer network side port Enter port group view port group manual port group name Enter the Ethernet port view of the customer network side port Enable basic QinQ qing enable Required Apply the QoS policy in the inbound direction qos apply policy policy name inbound Required z For detailed info...

Page 177: ...rough trunk ports They belong to SVLAN 10 and 50 z Customer A1 Customer A2 Customer B1 and Customer B2 are edge devices on the customer network z Third party devices with a TPID value of 0x8200 are deployed between Provider A and Provider B Make configuration to achieve the following z Frames of VLAN 200 through VLAN 299 can be exchanged between Customer A1 and Customer A2 through VLAN 10 of the s...

Page 178: ...viderA GigabitEthernet1 0 2 port hybrid vlan 50 untagged Enable basic QinQ on GigabitEthernet 1 0 2 ProviderA GigabitEthernet1 0 2 qinq enable ProviderA GigabitEthernet1 0 2 quit z Configure GigabitEthernet 1 0 3 Configure GigabitEthernet 1 0 3 as a trunk port to permit frames of VLAN 10 and 50 to pass through ProviderA interface gigabitethernet 1 0 3 ProviderA GigabitEthernet1 0 3 port link type ...

Page 179: ...iderB qinq ethernet type 8200 3 Configuration on third party devices Configure the third party devices between Provider A and Provider B as follows configure the port connecting GigabitEthernet 1 0 3 of Provider A and that connecting GigabitEthernet 1 0 3 of Provider B to allow tagged frames of VLAN 10 and 50 to pass through Selective QinQ Configuration Example Port Based Configuration Network req...

Page 180: ... ProviderA GigabitEthernet1 0 1 port link type hybrid ProviderA GigabitEthernet1 0 1 port hybrid vlan 1000 2000 untagged Tag CVLAN 10 frames with SVLAN 1000 ProviderA GigabitEthernet1 0 1 qinq vid 1000 ProviderA GigabitEthernet1 0 1 vid 1000 raw vlan id inbound 10 ProviderA GigabitEthernet1 0 1 vid 1000 quit Tag CVLAN 20 frames with SVLAN 2000 ProviderA GigabitEthernet1 0 1 qinq vid 2000 ProviderA...

Page 181: ... and VLAN 2000 to pass through ProviderB system view ProviderB interface gigabitethernet 1 0 1 ProviderB GigabitEthernet1 0 1 port link type trunk ProviderB GigabitEthernet1 0 1 port trunk permit vlan 1000 2000 z Configure GigabitEthernet 1 0 2 Configure GigabitEthernet 1 0 2 as a hybrid port to permit frames of VLAN 2000 to pass through and configure GigabitEthernet 1 0 2 to send packets of VLAN ...

Page 182: ...and Provider B with a TPID value of 0x8200 The expected result of the configuration is as follows z VLAN 10 of Customer A and Customer B can intercommunicate across VLAN 1000 on the public network z VLAN 20 of Customer A and Customer C can intercommunicate across VLAN 2000 on the public network z Frames of the VLANs other than VLAN 10 and VLAN 20 of Customer A can be forwarded to Customer D across...

Page 183: ...or the traffic behavior ProviderA traffic behavior P1000 ProviderA behavior P1000 nest top most vlan id 1000 ProviderA behavior P1000 quit Create a class A20 to match frames of VLAN 20 of Customer A ProviderA traffic classifier A20 ProviderA classifier A20 if match customer vlan id 20 ProviderA classifier A20 quit Create a traffic behavior P2000 and configure the action of tagging frames with the ...

Page 184: ... pass through ProviderB system view ProviderB interface gigabitethernet 1 0 1 ProviderB GigabitEthernet1 0 1 port link type trunk ProviderB GigabitEthernet1 0 1 port trunk permit vlan 1000 2000 3000 To enable interoperability with the third party devices in the public network set the TPID of the service provider network VLAN tags to 0x8200 Therefore the port tags the received frames with the outer...

Page 185: ...nfiguration that should be made on the devices Configure that device connecting with GigabitEthernet 1 0 3 of Provider A and the device connecting with GigabitEthernet 1 0 1 of Provider B so that their corresponding ports send tagged frames of VLAN 1000 VLAN 2000 and VLAN 3000 The configuration steps are omitted here ...

Page 186: ... 2 protocol packets cannot be transparently transmitted in the service provider network User A s network cannot implement independent Layer 2 protocol calculation for example STP spanning tree calculation In this case the Layer 2 protocol calculation in User A s network is mixed with that in the service provider network Figure 11 1 BPDU tunneling application scenario ISP network User A network 1 V...

Page 187: ...s the topology of a network by transmitting BPDUs among devices in the network For details refer to MSTP Configuration in the Access Volume To avoid loops in your network you can enable STP on your devices When the topology changes at one side of the customer network the devices at this side of the customer network send BPDUs to devices on the other side of the customer network to ensure consisten...

Page 188: ...cting the spanning tree calculation of the service provider network Assume a BPDU is sent from User A network 1 to User A network 2 z At the ingress of the service provider network PE 1 changes the destination MAC address of the BPDU from 0x0180 C200 0000 to a special multicast MAC address 0x010F E200 0003 the default multicast MAC address for example In the service provider network the modified B...

Page 189: ...unneling for LACP on a dynamic aggregation group member port remove the port from the dynamic aggregation group first Enabling BPDU tunneling for a protocol in Ethernet interface view or port group view Follow these steps to enable BPDU tunneling for a protocol in Ethernet interface view or port group view To do Use the command Remarks Enter system view system view Enter Ethernet interface view in...

Page 190: ...ac address Optional 0x010F E200 0003 by default For BPDUs to be recognized the destination multicast MAC addresses configured for BPDU tunneling must be the same on the edge devices on the service provider network BPDU Tunneling Configuration Examples BPDU Tunneling for STP Configuration Example Network requirements As shown in Figure 11 3 z CE 1 and CE 2 are edges devices on the geographically di...

Page 191: ...et1 0 1 bpdu tunnel dot1q stp 2 Configuration on PE 2 Configure the destination multicast MAC address for BPDUs as 0x0100 0CCD CDD0 PE2 system view PE2 bpdu tunnel tunnel dmac 0100 0ccd cdd0 Create VLAN 2 and assign GigabitEthernet 1 0 2 to VLAN 2 PE2 vlan 2 PE2 vlan2 quit PE2 interface gigabitethernet 1 0 2 PE2 GigabitEthernet1 0 2 port access vlan 2 Disable STP on GigabitEthernet 1 0 2 and then ...

Page 192: ...erface gigabitethernet 1 0 1 PE1 GigabitEthernet1 0 1 port link type trunk PE1 GigabitEthernet1 0 1 port trunk permit vlan all Disable STP on GigabitEthernet 1 0 1 and then enable BPDU tunneling for STP and PVST on it PE1 GigabitEthernet1 0 1 undo stp enable PE1 GigabitEthernet1 0 1 bpdu tunnel dot1q stp PE1 GigabitEthernet1 0 1 bpdu tunnel dot1q pvst 2 Configuration on PE 2 Configure the destinat...

Page 193: ... port are located on the same device z In remote port mirroring the mirroring port or ports and the monitor port can be located on the same device or different devices Currently remote port mirroring can be implemented only at Layer 2 As a monitor port can monitor multiple ports it may receive multiple duplicates of a packet in some cases Suppose that port P 1 is monitoring bidirectional traffic o...

Page 194: ...2 Figure 12 2 Remote port mirroring implementation Remote mirroring involves the following device roles z Source device The source device is the device where the mirroring ports are located On it you must create a remote source mirroring group to hold the mirroring ports The source device copies the packets passing through the mirroring ports broadcasts the packets in the remote probe VLAN for rem...

Page 195: ...agement Commands in the System Volume Configuring Local Port Mirroring Configuring local port mirroring is to configure local mirroring groups A local mirroring group comprises one or multiple mirroring ports and one monitor port These ports must not have been assigned to any other mirroring group Follow these steps to configure a local mirroring group To do Use the command Remarks Enter system vi...

Page 196: ...the source device and the cooperating remote destination mirroring group on the destination device If GVRP is enabled GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates For information on GVRP refer to GVRP Configuration in the Access Volume Configuration Prerequisites Create a static VLAN for the probe VLAN on the source and destination device To ensure ...

Page 197: ...repeat the step In system view mirroring group groupid monitor egress monitor egress port id interface interface type interface number mirroring group groupid monitor egress Configure the egress port In interface view quit Required Use either approach Configure the probe VLAN mirroring group groupid remote probe vlan rprobe vlan id Required When configuring the mirroring ports note that z The mirr...

Page 198: ...id remote destination Required Configure the remote probe VLAN mirroring group groupid remote probe vlan rprobe vlan id Required In system view mirroring group groupid monitor port monitor port id interface interface type interface number mirroring group groupid monitor port Configure the monitor port In interface view quit Required Use either approach Enter the interface view of the monitor port ...

Page 199: ...e Available in any view Port Mirroring Configuration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Ethernet switches z Research and Development R D department is connected to Switch C through GigabitEthernet 1 0 1 z Marketing department is connected to Switch C through GigabitEthernet 1 0 2 z Data monitoring devi...

Page 200: ...ll the port mirroring groups SwitchC display mirroring group all mirroring group 1 type local status active mirroring port GigabitEthernet1 0 1 both GigabitEthernet1 0 2 both monitor port GigabitEthernet1 0 3 After finishing the configuration you can monitor all the packets received and sent by R D department and Marketing department on the Data monitoring device Remote Port Mirroring Configuratio...

Page 201: ...ports and configure them to permit packets of VLAN 2 z Create a remote destination mirroring group on Switch C Configure VLAN 2 as the remote port mirroring VLAN and port GigabitEthernet 1 0 2 to which the data monitoring device is connected as the destination port Figure 12 4 Network diagram for remote port mirroring configuration Configuration procedure 1 Configure Switch A the source device Cre...

Page 202: ... trunk permit vlan 2 3 Configure Switch C the destination device Configure port GigabitEthernet 1 0 1 as a trunk port and configure the port to permit the packets of VLAN 2 SwitchC system view SwitchC interface GigabitEthernet 1 0 1 SwitchC GigabitEthernet1 0 1 port link type trunk SwitchC GigabitEthernet1 0 1 port trunk permit vlan 2 SwitchC GigabitEthernet1 0 1 quit Create a remote destination p...

Page 203: ...2 5 ARP Configuration Example 2 5 Configuring Gratuitous ARP 2 5 Introduction to Gratuitous ARP 2 5 Configuring Gratuitous ARP 2 6 Displaying and Maintaining ARP 2 6 3 Proxy ARP Configuration 3 1 Proxy ARP Overview 3 1 Proxy ARP 3 1 Local Proxy ARP 3 2 Enabling Proxy ARP 3 2 Displaying and Maintaining Proxy ARP 3 3 Proxy ARP Configuration Examples 3 3 Proxy ARP Configuration Example 3 3 Local Prox...

Page 204: ...bjects 4 8 Displaying and Maintaining ARP Detection 4 9 ARP Detection Configuration Example I 4 9 ARP Detection Configuration Example II 4 10 5 DHCP Overview 5 1 Introduction to DHCP 5 1 DHCP Address Allocation 5 2 Allocation Mechanisms 5 2 Dynamic IP Address Allocation Process 5 2 IP Address Lease Extension 5 3 DHCP Message Format 5 3 DHCP Options 5 4 DHCP Options Overview 5 4 Introduction to DHC...

Page 205: ...CP Snooping 8 7 DHCP Snooping Configuration Examples 8 7 DHCP Snooping Configuration Example 8 7 DHCP Snooping Option 82 Support Configuration Example 8 8 9 BOOTP Client Configuration 9 1 Introduction to BOOTP Client 9 1 BOOTP Application 9 1 Obtaining an IP Address Dynamically 9 2 Protocols and Standards 9 2 Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP 9 2 Displaying...

Page 206: ...DNS 13 9 Protocols and Standards 13 9 IPv6 Basics Configuration Task List 13 10 Configuring Basic IPv6 Functions 13 10 Enabling IPv6 13 10 Configuring an IPv6 Unicast Address 13 10 Configuring IPv6 NDP 13 12 Configuring a Static Neighbor Entry 13 12 Configuring the Maximum Number of Neighbors Dynamically Learned 13 12 Configuring Parameters Related to RA Messages 13 13 Configuring the Maximum Numb...

Page 207: ... sFlow Configuration 15 1 sFlow Overview 15 1 Introduction to sFlow 15 1 Operation of sFlow 15 1 Configuring sFlow 15 2 Displaying and Maintaining sFlow 15 2 sFlow Configuration Example 15 3 Troubleshooting sFlow Configuration 15 4 The Remote sFlow Collector Cannot Receive sFlow Packets 15 4 ...

Page 208: ...example is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z Net ID The first several bits of the IP address defining a network also known as class bits z Host id Identifies a host o...

Page 209: ...tes the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For example a packet with the destination address of 192 168 1 255 will be broadcasted to all the hosts on the network 192 168 1 0 Subnetting and Masking Subnetting was developed to address the risk of IP addr...

Page 210: ...ace needs an IP address to communicate with other devices You can assign an IP address to a VLAN interface or a loopback interface on a switch Besides directly assigning an IP address to the VLAN interface you may configure the VLAN interface to obtain one through BOOTP or DHCP as alternatives If you change the way an interface obtains an IP address from manual assignment to BOOTP for example the ...

Page 211: ...sts on the two network segments to communicate with the external network through the switch and the hosts on the LAN can communicate with each other do the following z Assign two IP addresses to VLAN interface 1 on the switch z Set the switch as the gateway on all PCs in the two networks Figure 1 3 Network diagram for IP addressing configuration Configuration procedure Assign a primary IP address ...

Page 212: ...tes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 4 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 5 ttl 255 time 26 ms 172 16 2 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 25 25 26 ...

Page 213: ... device Because IP datagrams must be encapsulated within Ethernet frames before they can be transmitted over physical networks the sending host or device also needs to know the physical address of the destination host or device Therefore a mapping between the IP address and the physical address is needed ARP is the protocol to implement the mapping function ARP Message Format Figure 2 1 ARP messag...

Page 214: ... B Host A buffers the packet and broadcasts an ARP request in which the sender IP address and the sender MAC address are the IP address and the MAC address of Host A respectively and the target IP address and the target MAC address are the IP address of Host B and an all zero MAC address respectively Because the ARP request is a broadcast all hosts on this subnet can receive the request but only t...

Page 215: ...in the static ARP entry Thus communications between the protected device and the specified device are ensured Static ARP entries can be classified into permanent or non permanent z A permanent static ARP entry can be directly used to forward packets When configuring a permanent static ARP entry you must configure a VLAN and an outbound interface for the entry besides the IP address and the MAC add...

Page 216: ... the command Remarks Enter system view system view Enter interface view interface interface type interface number Set the maximum number of dynamic ARP entries that a interface can learn arp max learning num number Optional 256 by default Setting the Aging Time for Dynamic ARP Entries To keep pace with the network changes the ARP table is refreshed Each dynamic ARP entry in the ARP table has a lim...

Page 217: ... of dynamic ARP entries that VLAN interface 10 can learn to 1 000 z Add a static ARP entry with the IP address being 192 168 1 1 24 the MAC address being 000f e201 0000 and the outbound interface being GigabitEthernet 1 0 1 of VLAN 10 Configuration procedure Sysname system view Sysname arp check enable Sysname arp timer aging 10 Sysname vlan 10 Sysname vlan10 quit Sysname interface gigabitethernet...

Page 218: ...packets when receiving ARP requests from another network segment Enable the gratuitous ARP packet learning function gratuitous arp learning enable Optional Enabled by default Displaying and Maintaining ARP To do Use the command Remarks Display ARP entries in the ARP table display arp all dynamic static slot slot number vlan vlan id interface interface type interface number begin exclude include re...

Page 219: ...work Proxy ARP involves common proxy ARP and local proxy ARP which are described in the following sections The term proxy ARP in the following sections of this chapter refers to common proxy ARP unless otherwise specified Proxy ARP A proxy ARP enabled device allows hosts that reside on different subnets to communicate As shown in Figure 3 1 Switch connects to two subnets through VLAN interface 1 a...

Page 220: ...he two hosts Figure 3 2 Application environment of local proxy ARP Switch Vlan int2 192 168 10 100 24 Switch GE1 0 3 GE1 0 1 GE1 0 2 Host A 192 168 10 99 24 Host B 192 168 10 200 24 VLAN 2 port isolate group In one of the following cases you need to enable local proxy ARP z Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3 z If an isolate user vla...

Page 221: ...w Proxy ARP Configuration Examples Proxy ARP Configuration Example Network requirements Host A and Host D have the same IP prefix and mask Host A belongs to VLAN 1 Host D belongs to VLAN 2 Configure proxy ARP on the switch to enable the communication between the two hosts Figure 3 3 Network diagram for proxy ARP Configuration procedure Configure Proxy ARP on Switch to enable the communication betw...

Page 222: ...nd Host B Figure 3 4 Network diagram for local proxy ARP between isolated ports Switch A Switch B GE1 0 2 GE1 0 3 GE1 0 1 Host A 192 168 10 99 24 Host B 192 168 10 200 24 GE1 0 2 VLAN 2 Vlan int2 192 168 10 100 24 Configuration procedure 1 Configure Switch B Add GigabitEthernet 1 0 3 GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to VLAN 2 Host A and Host B are isolated and unable to exchange Lay...

Page 223: ...user vlan which includes uplink port GigabitEthernet 1 0 1 and two secondary VLANs VLAN 2 and VLAN 3 GigabitEthernet 1 0 2 belongs to VLAN 2 and GigabitEthernet 1 0 3 belongs to VLAN 3 z Configure local proxy ARP on Switch A to implement Layer 3 communication between VLAN 2 and VLAN 3 Figure 3 5 Network diagram for local proxy ARP configuration in isolate user vlan Switch A Switch B Host A 192 168...

Page 224: ...dd GigabitEthernet 1 0 1 to it SwitchA system view SwitchA vlan 5 SwitchA vlan5 port gigabitethernet 1 0 1 SwitchA vlan5 interface vlan interface 5 SwitchA Vlan interface5 ip address 192 168 10 100 255 255 0 0 The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2 Configure local proxy ARP to implement communication between VLAN 2 and VLAN 3 SwitchA Vlan inte...

Page 225: ...to unreachable destinations z The device sends large numbers of ARP requests to the destination subnets which increases the load of the destination subnets z The device continuously resolves destination IP addresses which increases the load of the CPU To protect the device from such attacks you can enable the ARP source suppression function With the function enabled whenever the number of packets ...

Page 226: ...g chip simply drops all packets matching the next hop during the age time of the black hole route Enabling ARP Defense Against IP Packet Attacks The ARP defense against IP packet attack function applies to packets to be forwarded and those originated by the device Follow these steps to configure ARP defense against IP packet attacks To do Use the command Remarks Enter system view system view Enabl...

Page 227: ...ed to the CPU are detected Configuration Procedure Enabling source MAC address based ARP attack detection After this feature is enabled for a device if the number of ARP packets it receives from a MAC address within five seconds exceeds the specified value it generates an alarm and filters out ARP packets sourced from that MAC address in filter mode or only generates an alarm in monitor mode Follo...

Page 228: ...threshold To do Use the command Remarks Enter system view system view Configure the threshold arp anti attack source mac threshold threshold value Optional 50 by default Displaying and Maintaining Source MAC Address Based ARP Attack Detection To do Use the command Remarks Display attacking entries detected display arp anti attack source mac slot slot number interface interface type interface numbe...

Page 229: ...it the rate of ARP packets to be delivered to the CPU Configuring the ARP Packet Rate Limit Function Follow these steps to configure ARP packet rate limit To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure ARP packet rate limit arp rate limit disable rate pps drop Required By default the ARP packet rate limit is ...

Page 230: ...ries Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function For details refer to DHCP Configuration in the IP Service Volume Static IP Source Guard binding entries are created by using the user bind command For details refer to IP Source Guard Configuration in the Security Volume 2 After you enable ARP detection based on 802 1X security entries the device upon...

Page 231: ...nd ip address mac address Optional Not configured by default If the ARP attack detection mode is static bind you need to configure static IP to MAC bindings for ARP detection z If all the detection types are specified the system uses IP to MAC bindings first then DHCP snooping entries and then 802 1X security entries If an ARP packet fails to pass ARP detection based on static IP to MAC bindings i...

Page 232: ...er the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header If they are identical the packet is forwarded otherwise the packet is discarded z dst mac Checks the target MAC address of ARP replies If the target MAC address is all zero all one or inconsistent with the destination MAC address in the Ethernet header the packet is considered invalid and disca...

Page 233: ...ng and Maintaining ARP Detection To do Use the command Remarks Display the VLANs enabled with ARP detection display arp detection Available in any view Display the ARP detection statistics display arp detection statistics interface interface type interface number Available in any view Clear the ARP detection statistics reset arp detection statistics interface interface type interface number Availa...

Page 234: ...a static IP Source Guard binding entry on GigabitEthernet 1 0 2 SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 user bind ip address 10 1 1 5 mac address 0001 0203 0405 vlan 10 SwitchB GigabitEthernet1 0 2 quit Configure a static IP Source Guard binding entry on GigabitEthernet 1 0 3 SwitchB interface gigabitethernet 1 0 3 SwitchB GigabitEthernet1 0 3 user bind ip address 10 1...

Page 235: ...1 SwitchB GigabitEthernet1 0 1 dot1x SwitchB GigabitEthernet1 0 1 quit SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 dot1x SwitchB GigabitEthernet1 0 2 quit Add local access user test SwitchB local user test SwitchB luser test service type lan access SwitchB luser test password simple test SwitchB luser test quit Enable ARP detection for VLAN 10 Configure the upstream port a...

Page 236: ... on hosts become more complex The Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which a client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client A typical DHCP application as shown in Figure 5 1 includes a DHCP server and multiple clients ...

Page 237: ...P server via four steps 2 The client broadcasts a DHCP DISCOVER message to locate a DHCP server 3 A DHCP server offers configuration parameters including an IP address to the client in a DHCP OFFER message The sending mode of the DHCP OFFER message is determined by the flag field in the DHCP DISCOVER message Refer to DHCP Message Format for related information 4 If several DHCP servers send offers...

Page 238: ...cast to extend the lease duration Upon availability of the IP address the DHCP server returns a DHCP ACK unicast confirming that the client s lease duration has been extended or a DHCP NAK unicast denying the request If the client receives no reply it broadcasts another DHCP REQUEST message for lease extension after 7 8 lease duration elapses The DHCP server handles the request as above mentioned ...

Page 239: ...ormat as the Bootstrap Protocol BOOTP message for compatibility but differs from it in the option field which identifies new features for DHCP DHCP uses the option field in DHCP messages to carry control information and network configuration parameters implementing dynamic address allocation and providing more network configuration information for clients Figure 5 4 shows the DHCP option format Fi...

Page 240: ...iguration Server ACS parameters including the ACS URL username and password z Service provider identifier acquired by the customer premises equipment CPE from the DHCP server and sent to the ACS for selecting vender specific configurations and parameters z Preboot Execution Environment PXE server address for further obtaining the bootfile or other control information from the PXE server 1 Format o...

Page 241: ...ate the DHCP client to further implement security control and accounting The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients Option 82 involves at most 255 sub options At least one sub option is defined Currently the DHCP relay agent supports two sub options sub option 1 Circuit ID and sub option ...

Page 242: ... interface that received the client s request Its format is shown in Figure 5 10 Figure 5 10 Sub option 1 in verbose padding format In Figure 5 10 except that the VLAN ID field has a fixed length of 2 bytes all the other padding contents of sub option 1 are length variable z Sub option 2 Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device th...

Page 243: ...or not z Sub option 4 Failover route that specifies the destination IP address and the called number SIP users use such IP addresses and numbers to communicate with each other that a SIP user uses to reach another SIP user when both the primary and backup calling processors are unreachable You must define the sub option 1 to make other sub options effective Protocols and Standards z RFC 2131 Dynam...

Page 244: ...pported only on VLAN interfaces Introduction to DHCP Relay Agent Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same subnet Therefore a DHCP server must be available on each subnet which is not practical DHCP relay agent solves the problem Via a relay agent DHCP clients communicate with a DHCP server on another subn...

Page 245: ...IP address and forwards the message to the designated DHCP server in unicast mode 3 Based on the giaddr field the DHCP server returns an IP address and other configuration parameters to the relay agent which conveys them to the client DHCP Relay Agent Support for Option 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implemen...

Page 246: ...e Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent Task Remarks Enabling DHCP Required Enabling the DHCP Relay Agent on an Interface Required Cor...

Page 247: ... an IP address via the DHCP relay agent the address pool of the subnet to which the IP address of the DHCP relay agent belongs must be configured on the DHCP server Otherwise the DHCP client cannot obtain a correct IP address Correlating a DHCP Server Group with a Relay Agent Interface To improve reliability you can specify several DHCP servers as a group on the DHCP relay agent and correlate a re...

Page 248: ...mmand Configuring the DHCP Relay Agent Security Functions Creating static bindings and enable IP address check The DHCP relay agent can dynamically record clients IP to MAC bindings after clients get IP addresses It also supports static bindings which means you can manually configure IP to MAC bindings on the DHCP relay agent so that users can access external network using fixed IP addresses For a...

Page 249: ... a specified interval The DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to periodically send a DHCP REQUEST message to the DHCP server z If the server returns a DHCP ACK message or does not return any message within a specified interval which means the IP address is assignable now the DHCP relay agent will update its bindings by aging out the bind...

Page 250: ... After you configure this task the DHCP relay agent actively sends a DHCP RELEASE request that contains the client s IP address to be released Upon receiving the DHCP RELEASE request the DHCP server then releases the IP address for the client meanwhile the client s IP to MAC binding entry is removed from the DHCP relay agent Follow these steps to configure the DHCP relay agent in system view to se...

Page 251: ... to non user defined Option 82 only Configure non user defined Option 82 Configure the code type for the remote ID sub option dhcp relay information remote id format type ascii hex Optional By default the code type is hex This code type configuration applies to non user defined Option 82 only Configure the padding content for the circuit ID sub option dhcp relay information circuit id string circu...

Page 252: ...ion about the refreshing interval for entries of dynamic IP to MAC bindings display dhcp relay security tracker Display information about the configuration of a specified or all DHCP server groups display dhcp relay server group group id all Display packet statistics on relay agent display dhcp relay statistics server group group id all Available in any view Clear packet statistics from relay agen...

Page 253: ...server select 1 Because the DHCP relay agent and server are on different subnets you need to configure a static route or dynamic routing protocol to make them reachable to each other DHCP Relay Agent Option 82 Support Configuration Example Network requirements z As shown in Figure 6 3 Enable Option 82 on the DHCP relay agent Switch A z Configure the handling strategy for DHCP requests containing O...

Page 254: ... company001 SwitchA Vlan interface1 dhcp relay information remote id string device001 You need to perform corresponding configurations on the DHCP server to make the Option 82 configurations function normally Troubleshooting DHCP Relay Agent Configuration Symptom DHCP clients cannot obtain any configuration parameters via the DHCP relay agent Analysis Some problems may occur with the DHCP relay ag...

Page 255: ...t recommended to enable both the DHCP client and the DHCP snooping on the same device Otherwise DHCP snooping entries may fail to be generated or the DHCP client may fail to obtain an IP address Introduction to DHCP Client With the DHCP client enabled on an interface the interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP server Enabling the DHCP Client o...

Page 256: ...Remarks Display specified configuration information display dhcp client verbose interface interface type interface number Available in any view DHCP Client Configuration Example Network requirements As shown in Figure 7 1 on a LAN Switch A contacts the DHCP server via VLAN interface 2 to obtain an IP address DNS server address and static route information The IP address resides on network 10 1 1 0...

Page 257: ... 11 06 35 DHCP server 10 1 1 1 Transaction ID 0x410090f0 Classless static route Destination 20 1 1 0 Mask 255 255 255 0 NextHop 10 1 1 2 DNS server 20 1 1 1 Client ID 3030 3066 2e65 3230 302e 3030 3032 2d45 7468 6572 6e65 7430 2f30 T1 will timeout in 4 days 23 hours 59 minutes 50 seconds Use the display ip routing table command to view the route information on Switch A A static route to network 20...

Page 258: ...ing can implement the following 1 Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers 2 Recording IP to MAC mappings of DHCP clients Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers If there is an unauthorized DHCP server on a network the DHCP clients may obtain invalid IP addresses and network configuration parameters and cannot normally communicate ...

Page 259: ...ing through For details refer to IP Source Guard Configuration in the Security Volume Application Environment of Trusted Ports Configuring a trusted port connected to a DHCP server Figure 8 1 Configure trusted and untrusted ports Trusted DHCP server DHCP snooping Untrusted Untrusted Unauthorized DHCP server DHCP client DHCP reply messages As shown in Figure 8 1 a DHCP snooping device s port that i...

Page 260: ... Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agent option Option 82 If DHCP snooping supports Option 82 it will handle a client s request according to the contents defined in Option 82 if any The handling strategies are described in the table below...

Page 261: ...d the message after adding the Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 The handling strategy and padding format for Option 82 on the DHCP snooping device are the same as those on the relay agent Configuring DHCP Snooping Basic Functions Fol...

Page 262: ...ayer 2 Ethernet interface to an aggregation group z Configuring both the DHCP snooping and selective QinQ function on the switch is not recommended because it may result in malfunctioning of DHCP snooping Configuring DHCP Snooping to Support Option 82 Prerequisites You need to enable the DHCP snooping function before configuring DHCP snooping to support Option 82 Configuring DHCP Snooping to Suppo...

Page 263: ...nooping information vlan vlan id circuit id string circuit id Optional By default the padding content depends on the padding format of Option 82 Configure user defined Option 82 Configure the padding content for the remote ID sub option dhcp snooping information vlan vlan id remote id string remote id sysname Optional By default the padding content depends on the padding format of Option 82 z You ...

Page 264: ...HCP snooping device reset dhcp snooping packet statistics slot slot number Available in user view DHCP Snooping Configuration Examples DHCP Snooping Configuration Example Network requirements z As shown in Figure 8 3 Switch B is connected to a DHCP server through GigabitEthernet 1 0 1 and to two DHCP clients through GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 z GigabitEthernet 1 0 1 forwards D...

Page 265: ...hernet 1 0 1 as trusted SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust SwitchB GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0 2 to support Option 82 SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 dhcp snooping information enable SwitchB GigabitEthernet1 0 2 dhcp snooping information strategy replace SwitchB GigabitEthernet1 0...

Page 266: ... Introduction to BOOTP Client This section covers these topics z BOOTP Application z Obtaining an IP Address Dynamically z Protocols and Standards BOOTP Application After you specify an interface of a device as a BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to confi...

Page 267: ... the BOOTP client The BOOTP server then returns a BOOTP response to the BOOTP client 3 The BOOTP client obtains the IP address from the received response Protocols and Standards Some protocols and standards related to BOOTP include z RFC 951 Bootstrap Protocol BOOTP z RFC 2132 DHCP Options and BOOTP Vendor Extensions z RFC 1542 Clarifications and Extensions for the Bootstrap Protocol Configuring a...

Page 268: ...o the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP Figure 9 1 Network diagram for BOOTP WINS server 10 1 1 4 25 Client Switch B Client DNS server 10 1 1 2 25 DHCP server Vlan int1 10 1 1 1 25 Vlan int1 Gateway A 10 1 1 126 25 Configuration procedure The following describes only the configuration on Switch B serving as a client Configure VLAN interface 1 to dynamic...

Page 269: ...e checks the local static name resolution table for an IP address If no IP address is available it contacts the DNS server for dynamic name resolution which takes more time than static name resolution Therefore some frequently queried name to IP address mappings are stored in the local static name resolution table to improve efficiency Static Domain Name Resolution The static domain name resolutio...

Page 270: ...g is valid and the DNS client gets the aging information from DNS messages DNS suffixes The DNS client normally holds a list of suffixes which can be defined by users It is used when the name to be resolved is incomplete The resolver can supply the missing part For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the IP address of aabbcc com T...

Page 271: ...n the DNS proxy instead of on each DNS client Figure 10 2 DNS proxy networking application Operation of a DNS proxy 1 A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy that is the destination address of the request is the IP address of the DNS proxy 2 The DNS proxy searches the local static domain name resolution table after receiving the request If th...

Page 272: ...ous one if there is any You may create up to 50 static mappings between domain names and IP addresses Configuring Dynamic Domain Name Resolution Follow these steps to configure dynamic domain name resolution To do Use the command Remarks Enter system view system view Enable dynamic domain name resolution dns resolve Required Disabled by default Specify a DNS server dns server ip address Required N...

Page 273: ...lable in any view Clear the information of the dynamic domain name cache reset dns dynamic host Available in user view DNS Configuration Examples Static Domain Name Resolution Configuration Example Network requirements Switch uses the static domain name resolution to access Host with IP address 10 1 1 2 through domain name host com Figure 10 3 Network diagram for static domain name resolution Conf...

Page 274: ... is com The mapping between domain name Host and IP address 3 1 1 1 16 is stored in the com domain z Switch serves as a DNS client and uses the dynamic domain name resolution and the suffix to access the host with the domain name host com and the IP address 3 1 1 1 16 Figure 10 4 Network diagram for dynamic domain name resolution Configuration procedure z Before performing the following configurat...

Page 275: ...uctions to create a new zone named com Figure 10 5 Create a zone Create a mapping between the host name and IP address Figure 10 6 Add a host In Figure 10 6 right click zone com and then select New Host to bring up a dialog box as shown in Figure 10 7 Enter host name host and IP address 3 1 1 1 ...

Page 276: ...host is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press CTRL_C to break Reply from 3 1 1 1 bytes 56 Sequence 1 ttl 126 time 3 ms Reply from 3 1 1 1 bytes 56 Sequence 2 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 3 ttl 126 time 1 ms Reply from...

Page 277: ...ver and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 10 8 1 Configure the DNS server This configuration may vary with different DNS servers When a Windows server 2000 acts as the DNS server refer to Dynamic Domain Name Resolution Configuration Example for related configuration information 2 Configure the DNS proxy Specify the DNS ser...

Page 278: ... 4 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 5 ttl 126 time 1 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 1 3 ms Troubleshooting DNS Configuration Symptom After enabling the dynamic domain name resolution the user cannot get the correct IP address Solution z Use the display dns dynamic host command to verify that the...

Page 279: ... specific network In the destination IP address of a directed broadcast the network ID is a network ID identifies the target network and the host ID is all one If a device is allowed to forward directed broadcasts to a directly connected network hackers may mount attacks to the network Therefore the device is disabled from receiving and forwarding directed broadcasts to a directly connected networ...

Page 280: ... effect only If the command executed last time does not include the acl acl number the ACL configured previously will be removed Configuration Example Network requirements As shown in Figure 11 1 the host s interface and VLAN interface 3 of Switch A are on the same network segment 1 1 1 0 24 VLAN interface 2 of Switch A and VLAN interface 2 of Switch B are on another network segment 2 2 2 0 24 The...

Page 281: ...ing TCP Optional Parameters TCP optional parameters that can be configured include z synwait timer When sending a SYN packet TCP starts the synwait timer If no response packet is received within the synwait timer interval the TCP connection cannot be created z finwait timer When a TCP connection is changed into FIN_WAIT_2 state the finwait timer is started If no FIN packets is received within the ...

Page 282: ...ICMP redirect packet z The selected route is not the default route of the device z There is no source route option in the packet ICMP redirect packets function simplifies host administration and enables a host to gradually establish a sound routing table to find out the best route 2 Sending ICMP timeout packets If the device received an IP packet with a timeout error it drops the packet and sends ...

Page 283: ...r packets facilitates network control and management it still has the following disadvantages z Sending a lot of ICMP packets will increase network traffic z If a device receives a lot of malicious packets that cause it to send ICMP error packets its performance will be reduced z As the redirection function increases the routing table size of a host the host s performance will be reduced if its ro...

Page 284: ... Display socket information display ip socket socktype sock type task id socket id slot slot number Display FIB information display fib begin include exclude regular expression acl acl number ip prefix ip prefix name Display FIB information matching the specified destination IP address display fib ip address mask mask length Available in any view Clear statistics of IP packets reset ip statistics ...

Page 285: ...a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet z If the destination port number of the packet matches the one pre configured on the device the device modifies the destinat...

Page 286: ...ation of all UDP ports is removed if you disable UDP Helper z You can configure up to 256 UDP port numbers to enable the forwarding of packets with these UDP port numbers z You can configure up to 20 destination servers on an interface Displaying and Maintaining UDP Helper To do Use the command Remarks Displays the information of forwarded UDP packets display udp helper server interface interface ...

Page 287: ...0 0 16 is available Enable UDP Helper SwitchA system view SwitchA udp helper enable Enable the forwarding broadcast packets with the UDP destination port 55 SwitchA udp helper port 55 Specify the destination server 10 2 1 1 on VLAN interface 1 SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 110 1 1 16 SwitchA Vlan interface1 udp helper server 10 2 1 1 ...

Page 288: ...erview Internet Protocol Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits This section covers the following z IPv6 Features z Introduction to IPv6 Address z Introduction t...

Page 289: ...ts stateful and stateless address configuration z Stateful address configuration means that a host acquires an IPv6 address and related information from a server for example a DHCP server z Stateless address configuration means that a host automatically generates an IPv6 address and related information on the basis of its own link layer address and the prefix information advertised by a router In ...

Page 290: ...ses can be handled as follows z Leading zeros in each group can be removed For example the above mentioned address can be represented in a shorter format as 2001 0 130F 0 0 9C0 876A 130B z If an IPv6 address contains two or more consecutive groups of zeros they can be replaced by a double colon For example the above mentioned address can be represented in the shortest format as 2001 0 130F 9C0 876...

Page 291: ...l unicast address other forms Multicast address 11111111 FF00 8 Anycast address Anycast addresses are taken from unicast address space and are not syntactically distinguishable from unicast addresses Unicast address There are several types of unicast addresses including aggregatable global unicast address link local address and site local address z The aggregatable global unicast addresses equival...

Page 292: ... same link and is also used for duplicate address detection DAD Each IPv6 unicast or anycast address has a corresponding solicited node address The format of a solicited node multicast address is as follows FF02 0 0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 unicast or anycast address Interface identifier in IEEE EUI 64 ...

Page 293: ...node initiates an NA message to notify neighbor nodes of the node information change Router solicitation RS message 133 After started a node sends an RS message to request the router for an address prefix and other configuration information for the purpose of autoconfiguration Used to respond to an RS message Router advertisement RA message 134 With the RA message suppression disabled the router r...

Page 294: ... layer address of its neighbor node B node A can verify whether node B is reachable according to NS and NA messages 1 Node A sends an NS message whose destination address is the IPv6 address of node B 2 If node A receives an NA message from node B node A considers that node B is reachable Otherwise node B is unreachable Duplicate address detection After node A acquires an IPv6 address it will perf...

Page 295: ...d other configuration parameters in the RA message z In addition to an address prefix the prefix information option also contains the preferred lifetime and valid lifetime of the address prefix After receiving a periodic RA message the node updates the preferred lifetime and valid lifetime of the address prefix accordingly z An automatically generated address is applicable within the valid lifetim...

Page 296: ... Name System DNS is responsible for translating domain names into IPv6 addresses instead of IPv4 addresses Like IPv4 DNS IPv6 DNS also involves static domain name resolution and dynamic domain name resolution The function and implementation of these two types of domain name resolution are the same as those of IPv4 DNS For details refer to DNS Configuration in the IP Services Volume Usually the DNS...

Page 297: ...ing IPv6 related configurations you need to Enable IPv6 Otherwise an interface cannot forward IPv6 packets even if it has an IPv6 address configured Follow these steps to Enable IPv6 To do Use the command Remarks Enter system view system view Enable IPv6 ipv6 Required Disabled by default Configuring an IPv6 Unicast Address IPv6 site local addresses and aggregatable global unicast addresses can be ...

Page 298: ...automatically The automatically generated link local address is the same as the one generated by using the ipv6 address auto link local command If a link local address is manually assigned to an interface this manual link local address takes effect If the manually assigned link local address is removed the automatically generated link local address takes effect z Manual assignment takes precedence...

Page 299: ...tion of the VLAN interface z If you adopt the second method you should ensure that the corresponding VLAN interface exists and that the Layer 2 port specified by port type port number belongs to the VLAN specified by vlan id After a static neighbor entry is configured the device relates the VLAN interface to the IPv6 address to uniquely identify a static neighbor entry Configuring the Maximum Numb...

Page 300: ...sts use the stateful autoconfiguration to acquire information other than IPv6 addresses If the O flag is set to 1 hosts use the stateful autoconfiguration to acquire information other than IPv6 addresses for example through a DHCP server Otherwise hosts use the stateless autoconfiguration to acquire information other than IPv6 addresses Router lifetime This field is used to set the lifetime of the...

Page 301: ...onal By default no prefix information is configured for RA messages and the IPv6 address of the interface sending RA messages is used as the prefix information Set the M flag bit to 1 ipv6 nd autoconfig managed address flag Optional By default the M flag bit is set to 0 that is hosts acquire IPv6 addresses through stateless autoconfiguration Set the O flag bit to 1 ipv6 nd autoconfig other flag Op...

Page 302: ...message for DAD ipv6 nd dad attempts value Optional 1 by default When the value argument is set to 0 DAD is disabled Configuring PMTU Discovery Configuring a Static PMTU for a Specified IPv6 Address You can configure a static PMTU for a specified destination IPv6 address When a source host sends a packet through an interface it compares the interface MTU with the static PMTU of the specified desti...

Page 303: ... connection is terminated after the finwait timer expires z Size of the IPv6 TCP sending receiving buffer Follow these steps to configure IPv6 TCP properties To do Use the command Remarks Enter system view system view Set the finwait timer tcp ipv6 timer fin timeout wait time Optional 675 seconds by default Set the synwait timer tcp ipv6 timer syn timeout wait time Optional 75 seconds by default S...

Page 304: ...t echo requests by default Follow these steps to enable sending of multicast echo replies To do Use the command Remarks Enter system view system view Enable sending of multicast echo replies ipv6 icmpv6 multicast echo reply enable Not enabled by default Enabling Sending of ICMPv6 Time Exceeded Packets A device sends an ICMPv6 time exceeded packet in the following cases z If a received IPv6 packet ...

Page 305: ...er for resolution The system can support at most six DNS servers You can configure a DNS suffix so that you only need to enter part of a domain name and the system can automatically add the preset suffix for address resolution The system can support at most 10 DNS suffixes Follow these steps to configure dynamic IPv6 domain name resolution To do Use the command Remarks Enter system view system vie...

Page 306: ...ic slot slot number interface interface type interface number vlan vlan id count Display the PMTU information of an IPv6 address display ipv6 pathmtu ipv6 address all dynamic static Display socket information display ipv6 socket socktype socket type task id socket id slot slot number Display the statistics of IPv6 packets and ICMPv6 packets display ipv6 statistics slot slot number Display the IPv6...

Page 307: ...lobal unicast addresses of VLAN interface 2 and VLAN interface 1 on Switch A are 3001 1 64 and 2001 1 64 respectively z The aggregatable global unicast address of VLAN interface 2 on Switch B is 3001 2 64 and a route to Host is available z IPv6 is enabled for Host to automatically get an IPv6 address through IPv6 NDP and a route to Switch B is available Figure 13 6 Network diagram for IPv6 address...

Page 308: ...v6 neighbors interface gigabitethernet 1 0 2 Type S Static D Dynamic IPv6 Address Link layer VID Interface State T Age FE80 215 E9FF FEA6 7D14 0015 e9a6 7d14 1 GE1 0 2 STALE D 1238 2001 15B E0EA 3524 E791 0015 e9a6 7d14 1 GE1 0 2 STALE D 1248 The above information shows that the IPv6 aggregatable global unicast address that Host obtained is 2001 15B E0EA 3524 E791 Verification Display the IPv6 int...

Page 309: ...1 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE00 1C0 Global unicast address es 2001 1 subnet is 2001 64 Joined group address es FF02 1 FF00 0 FF02 1 FF00 1 FF02 1 FF00 1C0 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds ND advertis...

Page 310: ...n Switch B SwitchB Vlan interface2 display ipv6 interface vlan interface 2 verbose Vlan interface2 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE00 1234 Global unicast address es 3001 2 subnet is 3001 64 Joined group address es FF02 1 FF00 0 FF02 1 FF00 2 FF02 1 FF00 1234 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempt...

Page 311: ...them When you ping a link local address you should use the i parameter to specify an interface for the link local address SwitchB Vlan interface2 ping ipv6 c 1 3001 1 PING 3001 1 56 data bytes press CTRL_C to break Reply from 3001 1 bytes 56 Sequence 1 hop limit 64 time 2 ms 3001 1 ping statistics 1 packet s transmitted 1 packet s received 0 00 packet loss round trip min avg max 2 2 2 ms SwitchB V...

Page 312: ... IPv6 address cannot be pinged Solution z Use the display current configuration command in any view or the display this command in system view to verify that IPv6 is enabled z Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up z Use the debugging ipv6 packet command in user view to enable the debugging for IPv6 pac...

Page 313: ... and IPv6 either TCP or UDP can be selected at the transport layer while IPv6 stack is preferred at the network layer Figure 14 1 illustrates the IPv4 IPv6 dual stack in relation to the IPv4 stack Figure 14 1 IPv4 IPv6 dual stack in relation to IPv4 stack on Ethernet IPv4 application IPv4 IPv6 application TCP UDP TCP UDP IPv4 IPv4 IPv6 Ethernet Ethernet Protocol ID 0x0800 Protocol ID 0x0800 Protoc...

Page 314: ...nicast address is configured on an interface Automatically create an IPv6 link local address ipv6 address auto link local Configure an IPv6 address on the interface Configure an IPv6 link local address Manually specify an IPv6 link local address ipv6 address ipv6 address link local Optional By default after you configured an IPv6 site local address or global unicast address a link local address is...

Page 315: ... the sFlow packets and displays the results sFlow has the following two sampling mechanisms z Packet based sampling An sFlow enabled port samples one packet out of a configurable number of packets passing through it z Time based sampling The sFlow agent samples the statistics of all sFlow enabled ports at a configurable interval As a traffic monitoring technology sFlow has the following advantages...

Page 316: ...t collects the statistics of sFlow enabled ports sflow interval interval time Optional 20 seconds by default Enter Ethernet port view interface interface type interface number Enable sFlow in the inbound or outbound direction sflow enable inbound outbound Required Not enabled by default Specify the sFlow sampling mode sflow sampling mode determine random Optional random by default Currently the de...

Page 317: ...he results Network diagram Figure 15 1 Network diagram for sFlow configuration Configuration procedure Configure an IP address for the sFlow agent Switch system view Switch sflow agent ip 3 3 3 1 Specify the IP address and port number of the sFlow collector Switch sflow collector ip 3 3 3 2 Set the sFlow interval to 30 seconds Switch sflow interval 30 Enable sFlow in both the inbound and outbound ...

Page 318: ...of the sFlow collector specified on the sFlow agent is different from that of the remote sFlow collector z No IP address is configured for the Layer 3 interface on the device or the IP address is configured but the UDP packets with the IP address being the source cannot reach the sFlow collector z The physical link between the device and the sFlow collector fails Solution 1 Check whether sFlow is ...

Page 319: ...taining Static Routes 2 4 Static Route Configuration Example 2 4 Basic Static Route Configuration Example 2 4 3 RIP Configuration 3 1 RIP Overview 3 1 Operation of RIP 3 1 Operation of RIP 3 2 RIP Version 3 2 RIP Message Format 3 3 Supported RIP Features 3 5 Protocols and Standards 3 5 Configuring RIP Basic Functions 3 5 Configuration Prerequisites 3 5 Configuration Procedure 3 5 Configuring RIP R...

Page 320: ...es 4 1 Configuring an IPv6 Static Route 4 2 Displaying and Maintaining IPv6 Static Routes 4 2 IPv6 Static Routing Configuration Example 4 2 5 RIPng Configuration 5 1 Introduction to RIPng 5 1 RIPng Working Mechanism 5 1 RIPng Packet Format 5 2 RIPng Packet Processing Procedure 5 3 Protocols and Standards 5 3 Configuring RIPng Basic Functions 5 3 Configuration Prerequisites 5 3 Configuration Proced...

Page 321: ... Policy 6 4 Prerequisites 6 4 Creating a Route Policy 6 4 Defining if match Clauses 6 5 Defining apply Clauses 6 6 Displaying and Maintaining the Route Policy 6 7 Route Policy Configuration Example 6 7 Applying a Route Policy to IPv4 Route Redistribution 6 7 Applying a Route Policy to IPv6 Route Redistribution 6 8 Troubleshooting Route Policy Configuration 6 10 IPv4 Routing Information Filtering F...

Page 322: ...ext router or the directly connected destination Routes in a routing table can be divided into three categories by origin z Direct routes Routes discovered by data link protocols also known as interface routes z Static routes Routes that are manually configured z Dynamic routes Routes that are discovered dynamically by routing protocols Contents of a routing table A routing table includes the foll...

Page 323: ...n is not directly connected to the router To prevent the routing table from getting too large you can configure a default route All packets without matching any entry in the routing table will be forwarded through the default route In Figure 1 1 the IP address on each cloud represents the address of the network Router G is connected to three networks and therefore has three IP addresses for its th...

Page 324: ...uniquely determine the current optimal route to the destination For the purpose of route selection each routing protocol including static routes is assigned a priority The route found by the routing protocol with the highest priority is preferred The following table lists some routing protocols and the default priorities for routes found by them Routing approach Priority DIRECT 0 STATIC 60 RIP 100...

Page 325: ...routing table Available in any view Display verbose IPv6 routing table information display ipv6 routing table verbose Available in any view Display routing information for a specified destination IPv6 address display ipv6 routing table ipv6 address prefix length longer match verbose Available in any view Display routing information permitted by an IPv6 ACL display ipv6 routing table acl acl6 numbe...

Page 326: ...opological change occurs in the network the routes will be unreachable and the network breaks In this case the network administrator has to modify the static routes manually Default Route If the destination address of a packet fails to match any entry in the routing table the packet will be discarded After a default route is configured on a router any packet whose destination IP address matches no...

Page 327: ...asion For a NULL0 or loopback interface if the output interface has already been configured there is no need to configure the next hop address In fact all the route entries must have a next hop address When forwarding a packet a router first searches the routing table for the route to the destination address of the packet The system can find the corresponding link layer address and forward the pac...

Page 328: ...You can flexibly control static routes by configuring tag values and using the tag values in the routing policy z If the destination IP address and mask are both configured as 0 0 0 0 with the ip route static command the route is the default route Detecting Reachability of the Static Route s Nexthop If a static route fails due to a topology change or a fault the connection will be interrupted To i...

Page 329: ...ociate it with a Track entry z If a static route needs route recursion the associated track entry must monitor the nexthop of the recursive route instead of that of the static route otherwise a valid route may be mistakenly considered invalid Displaying and Maintaining Static Routes To do Use the command Remarks Display the current configuration information display current configuration Display th...

Page 330: ...tem view SwitchC ip route static 0 0 0 0 0 0 0 0 1 1 5 5 3 Configure the hosts The default gateways for the three hosts A B and C are 1 1 2 3 1 1 6 1 and 1 1 3 1 respectively The configuration procedure is omitted 4 Display the configuration Display the IP routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHo...

Page 331: ...0 1 InLoop0 Use the ping command on Host B to check reachability to Host A assuming Windows XP runs on the two hosts C Documents and Settings Administrator ping 1 1 2 2 Pinging 1 1 2 2 with 32 bytes of data Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Ping statisti...

Page 332: ...of RIP Introduction RIP is a distance vector routing protocol using UDP packets for exchanging information through port 520 RIP uses a hop count to measure the distance to a destination The hop count from a router to a directly connected network is 0 The hop count from a router to a directly connected router is 1 To limit convergence time the range of RIP metric value is from 0 to 15 A metric valu...

Page 333: ...e will be deleted from the routing table Routing loops prevention RIP is a distance vector D V routing protocol Since a RIP router advertises its own routing table to neighbors routing loops may occur RIP uses the following mechanisms to prevent routing loops z Counting to infinity The metric value of 16 is defined as unreachable When a routing loop occurs the metric value of the route will increm...

Page 334: ...broadcast and multicast Multicast is the default type using 224 0 0 9 as the multicast address The interface working in the RIPv2 broadcast mode can also receive RIPv1 messages RIP Message Format A RIPv1 message consists of a header and up to 25 route entries A RIPv2 authentication message uses the first route entry as the authentication entry so it has up to 24 route entries RIPv1 message format ...

Page 335: ...indicates that the originator of the route is the best next hop otherwise it indicates a next hop better than the originator of the route RIPv2 authentication RIPv2 sets the AFI field of the first route entry to 0xFFFF to identify authentication information See Figure 3 3 Figure 3 3 RIPv2 Authentication Message z Authentication Type A value of 2 represents plain text authentication while a value o...

Page 336: ...s z RFC 1722 RIP Version 2 Protocol Applicability Statement z RFC 1724 RIP Version 2 MIB Extension z RFC 2082 RIPv2 MD5 Authentication z RFC2453 RIP Version 2 Configuring RIP Basic Functions Configuration Prerequisites Before configuring RIP basic functions complete the following tasks z Configure the link layer protocol z Configure an IP address on each interface and make sure all adjacent router...

Page 337: ...iew interface interface type interface number Enable the interface to receive RIP messages rip input Optional Enabled by default Enable the interface to send RIP messages rip output Optional Enabled by default Configuring a RIP version You can configure a RIP version in RIP or interface view z If neither global nor interface RIP version is configured the interface sends RIPv1 broadcasts and can re...

Page 338: ...nfiguring RIPv2 Route Summarization z Disabling Host Route Reception z Advertising a Default Route z Configuring Inbound Outbound Route Filtering z Configuring a Priority for RIP z Configuring RIP Route Redistribution Before configuring RIP routing feature complete the following tasks z Configure an IP address for each interface and make sure all neighboring routers are reachable to each other z C...

Page 339: ...on You can disable RIPv2 route automatic summarization if you want to advertise all subnet routes Follow these steps to enable RIPv2 route automatic summarization To do Use the command Remarks Enter system view system view Enter RIP view rip process id Enable RIPv2 automatic route summarization summary Optional Enabled by default Advertising a summary route You can configure RIPv2 to advertise a s...

Page 340: ...u can configure RIP to advertise a default route with a specified metric to RIP neighbors z In RIP view you can configure all the interfaces of the RIP process to advertise a default route in interface view you can configure a RIP interface of the RIP process to advertise a default route The latter takes precedence over the former on the interface z If a RIP process is enabled to advertise a defau...

Page 341: ... id Configure the filtering of incoming routes filter policy acl number gateway ip prefix name ip prefix ip prefix name gateway ip prefix name import interface type interface number Required Not configured by default Configure the filtering of outgoing routes filter policy acl number ip prefix ip prefix name export protocol process id interface type interface number Required Not configured by defa...

Page 342: ...e default metric of a redistributed route is 0 by default Redistribute routes from another protocol import route protocol process id all processes cost cost route policy route policy name tag tag Required No redistribution is configured by default Only active routes can be redistributed You can use the display ip routing table protocol command to display route state information Configuring RIP Net...

Page 343: ...rse function takes effect Enabling split horizon The split horizon function disables an interface from sending routes received from the interface to prevent routing loops between adjacent routers Follow these steps to enable split horizon To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable split horizon rip split horizon...

Page 344: ... RIP view rip process id Enable zero field check on received RIPv1 messages checkzero Optional Enabled by default Enabling Source IP Address Check on Incoming RIP Updates You can enable source IP address check on incoming RIP updates For a message received RIP compares the source IP address of the message with the IP address of the interface If they are not in the same network segment RIP discards...

Page 345: ...icast addresses On non broadcast or multicast links you need to manually specify RIP neighbors If a specified neighbor is not directly connected you must disable source address check on incoming updates Follow these steps to specify a RIP neighbor To do Use the command Remarks Enter system view system view Enter RIP view rip process id Specify a RIP neighbor peer ip address Required Disable source...

Page 346: ...Configure the maximum number of RIP packets that can be sent at the specified interval output delay time count count Optional By default an interface sends up to three RIP packets every 20 milliseconds Displaying and Maintaining RIP To do Use the command Remarks Display RIP current status and configuration information display rip process id Display all active routes in RIP database display rip pro...

Page 347: ...nterface102 ip address 172 16 1 1 24 Configure Switch B SwitchB system view SwitchB interface vlan interface 100 SwitchB Vlan interface100 ip address 192 168 1 2 24 SwitchB Vlan interface100 quit SwitchB interface vlan interface 101 SwitchB Vlan interface101 ip address 10 2 1 1 24 SwitchB Vlan interface101 quit 2 Configure basic RIP functions Configure Switch A SwitchA rip SwitchA rip 1 network 19...

Page 348: ...8 192 168 1 2 1 0 RA 50 10 2 1 0 24 192 168 1 2 1 0 RA 16 10 1 1 0 24 192 168 1 2 1 0 RA 16 From the routing table you can see RIPv2 uses classless subnet mask Since the routing information advertised by RIPv1 has a long aging time it will still exist until it ages out after RIPv2 is configured Configuring RIP Route Redistribution Network requirements As shown in the following figure z Two RIP pro...

Page 349: ...itchB system view SwitchB rip 100 SwitchB rip 100 network 11 0 0 0 SwitchB rip 100 version 2 SwitchB rip 100 undo summary SwitchB rip 100 quit SwitchB rip 200 SwitchB rip 200 network 12 0 0 0 SwitchB rip 200 version 2 SwitchB rip 200 undo summary SwitchB rip 200 quit Enable RIP 200 and specify RIP version 2 on Switch C SwitchC system view SwitchC rip 200 SwitchC rip 200 network 12 0 0 0 SwitchC ri...

Page 350: ...1 1 Vlan400 16 4 1 1 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 4 Configure an filtering policy to filter redistributed routes Configure ACL 2000 to filter routes redistributed from RIP 100 on Switch B making the route 10 2 1 0 24 not advertised to Switch C SwitchB acl number 2000 SwitchB acl basic 2000 rule deny source 10 2 1...

Page 351: ...s the 1 1 5 0 24 network learned from Switch B Figure 3 6 Network diagram for RIP interface additional metric configuration Configuration procedure 1 Configure IP addresses for the interfaces omitted 2 Configure RIP basic functions Configure Switch A SwitchA system view SwitchA rip 1 SwitchA rip 1 network 1 0 0 0 SwitchA rip 1 version 2 SwitchA rip 1 undo summary SwitchA rip 1 quit Configure Switc...

Page 352: ...C is the next hop router to reach network 1 1 4 0 24 with a cost of 1 3 Configure an additional metric for the RIP interface Configure an additional metric of 3 for VLAN interface 200 on Switch A SwitchA interface vlan interface 200 SwitchA Vlan interface200 rip metricin 3 SwitchA Vlan interface200 display rip 1 database 1 0 0 0 8 cost 0 ClassfulSumm 1 1 1 0 24 cost 0 nexthop 1 1 1 1 Rip interface...

Page 353: ...ll route oscillation occurs on the RIP network After displaying the routing table you may find some routes appear and disappear in the routing table intermittently Analysis In the RIP network make sure all the same timers within the whole network are identical and relationships between timers are reasonable For example the timeout timer value should be greater than the update timer value Solution ...

Page 354: ...in unavailable routes requiring the network administrator to manually configure and modify the static routes Features of IPv6 Static Routes Similar to IPv4 static routes IPv6 static routes work well in simple IPv6 network environments Their major difference lies in the destination and next hop addresses IPv6 static routes use IPv6 addresses whereas IPv4 static routes use IPv4 addresses Default IPv...

Page 355: ...tic routes is 60 Displaying and Maintaining IPv6 Static Routes To do Use the command Remarks Display IPv6 static route information display ipv6 routing table protocol static inactive verbose Available in any view Remove all IPv6 static routes delete ipv6 static routes all Available in system view Using the undo ipv6 route static command can delete a single IPv6 static route while using the delete ...

Page 356: ...hC SwitchC system view SwitchC ipv6 route static 0 5 2 3 Configure the IPv6 addresses of hosts and gateways Configure the IPv6 addresses of all the hosts based upon the network diagram configure the default gateway of Host A as 1 1 that of Host B as 2 1 and that of Host C as 3 1 4 Display configuration information Display the IPv6 routing table of SwitchA SwitchA display ipv6 routing table Routing...

Page 357: ...tchA ping ipv6 3 1 PING 3 1 56 data bytes press CTRL_C to break Reply from 3 1 bytes 56 Sequence 1 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 2 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 4 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 5 hop limit 254 time 63 ms 3 1 ping statistics 5 packet s trans...

Page 358: ...Next hop 128 bit IPv6 address z Source address RIPng uses FE80 10 as the link local source address RIPng Working Mechanism RIPng is a routing protocol based on the distance vector D V algorithm RIPng uses UDP packets to exchange routing information through port 521 RIPng uses a hop count to measure the distance to a destination The hop count is referred to as metric or cost The hop count from a ro...

Page 359: ...figuration in the IP Routing Volume RIPng Packet Format Basic format A RIPng packet consists of a header and multiple route table entries RTEs The maximum number of RTEs in a packet depends on the IPv6 MTU of the sending interface Figure 5 1 shows the packet format of RIPng Figure 5 1 RIPng basic packet format z Command Type of message 0x01 indicates Request 0x02 indicates Response z Version Versi...

Page 360: ...uested routing information to the requesting router in the response packet Response packet The response packet containing the local routing table information is generated as z A response to a request z An update periodically z A trigged update caused by route change After receiving a response a router checks the validity of the response before adding the route to its routing table such as whether ...

Page 361: ...g a Default Route z Configuring a RIPng Route Filtering Policy z Configuring a Priority for RIPng z Configuring RIPng Route Redistribution Before the configuration accomplish the following tasks first z Configure an IPv6 address on each interface and make sure all nodes are reachable to one another z Configure RIPng basic functions z Define an IPv6 ACL before using it for route filtering Refer to ...

Page 362: ... Summarization Follow these steps to configure RIPng route summarization To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Advertise a summary IPv6 prefix ripng summary address ipv6 address prefix length Required Advertising a Default Route Follow these steps to advertise a default route To do Use the command Remarks Enter sy...

Page 363: ...uting information Configuring a Priority for RIPng Any routing protocol has its own protocol priority used for optimal route selection You can set a priority for RIPng manually The smaller the value is the higher the priority is Follow these steps to configure a RIPng priority To do Use the command Remarks Enter system view system view Enter RIPng view ripng process id Configure a RIPng priority p...

Page 364: ...nd Remarks Enter system view system view Enter RIPng view ripng process id Configure RIPng timers timers garbage collect garbage collect value suppress suppress value timeout timeout value update update value Optional The RIPng timers have the following defaults z 30 seconds for the update timer z 180 seconds for the timeout timer z 120 seconds for the suppress timer z 120 seconds for the garbage ...

Page 365: ...these steps to configure poison reverse To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable the poison reverse function ripng poison reverse Required Disabled by default Configuring Zero Field Check on RIPng Packets Some fields in the RIPng packet must be zero These fields are called zero fields With zero field check on ...

Page 366: ...irements As shown in Figure 5 4 all switches run RIPng Configure Switch B to filter the route 3 64 learnt from Switch C which means the route will not be added to the routing table of Switch B and Switch B will not forward it to Switch A Figure 5 4 Network diagram for RIPng configuration Configuration procedure 1 Configure the IPv6 address for each interface omitted 2 Configure basic RIPng functio...

Page 367: ... enable SwitchC Vlan interface600 quit Display the routing table of Switch B SwitchB display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 20F E2FF FE23 82F5 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 6 Sec Dest 2 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 6 Sec Peer FE80 20F E2FF FE00 100 on Vlan interface200 Dest 3 64 via FE80 20F E2...

Page 368: ...SwitchB display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 20F E2FF FE23 82F5 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Dest 2 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Peer FE80 20F E2FF FE00 100 on Vlan interface200 Dest 4 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 5 Sec Dest 5 64 via FE80 20F E2FF FE00 100 cost 1 ...

Page 369: ...v6 route policy Introduction to Route Policy Route Policy A route policy is used on a router for route filtering and attributes modification when routes are received advertised or redistributed To configure a route policy you need to define some filters based on the attributes of routing information such as destination address advertising router s address and so on The filters can be set beforehan...

Page 370: ... matched first Once a node is matched the route policy is passed and the packet will not go to the next node A route policy node comprises a set of if match and apply clauses The if match clauses define the match criteria The matching objects are some attributes of routing information The if match clauses of a route policy node is in logical AND relationship That is a packet must match all the if ...

Page 371: ...w other IPv4 routing information to pass For example the following configuration filters routes 10 1 0 0 16 10 2 0 0 16 and 10 3 0 0 16 but allows other routes to pass Sysname system view Sysname ip ip prefix abc index 10 deny 10 1 0 0 16 Sysname ip ip prefix abc index 20 deny 10 2 0 0 16 Sysname ip ip prefix abc index 30 deny 10 3 0 0 16 Sysname ip ip prefix abc index 40 permit 0 0 0 0 0 less equ...

Page 372: ...of a route policy can be configured by referencing filters above mentioned A route policy can comprise multiple nodes and each route policy node contains z if match clauses Define the match criteria that routing information must satisfy The matching objects are some attributes of routing information z apply clauses Specify the actions to be taken on routing information that has satisfied the match...

Page 373: ...efine if match clauses for a route policy node To do Use the command Remarks Enter system view system view Enter route policy node view route policy route policy name permit deny node node number Required Match IPv4 routing information specified in the ACL if match acl acl number Match IPv4 routing information specified in the IP prefix list if match ip prefix ip prefix name Optional Not configure...

Page 374: ...s Enter system view system view Enter route policy node view route policy route policy name permit deny node node number Required Not created by default for IPv4 routes apply ip address next hop ip address Optional Not set by default The setting does not apply to redistributed routing information Set the next hop for IPv6 routes apply ipv6 next hop ipv6 address Optional Not set by default The sett...

Page 375: ...cate with each other at the network layer through RIPv2 Switch A has static routes to networks 20 0 0 0 8 30 0 0 0 8 and 40 0 0 0 8 Switch B needs to access these networks through Switch A while Switch A allows Switch B to access networks 20 0 0 0 8 and 40 0 0 0 8 but not 30 0 0 0 8 Figure 6 1 Network diagram for route policy application to route redistribution Configuration procedure 1 Configure ...

Page 376: ...routing table of Switch B and verify the configuration SwitchB display rip 1 route Route Flags R RIP T TRIP P Permanent A Aging S Suppressed G Garbage collect Peer 192 168 1 3 on Vlan interface100 Destination Mask Nexthop Cost Tag Flags Sec 20 0 0 0 8 192 168 1 3 1 0 RA 14 40 0 0 0 8 192 168 1 3 1 0 RA 14 The display shows that Switch B has only the routing information permitted by ACL 2000 Theref...

Page 377: ...an interface100 quit Configure three static routes SwitchA ipv6 route static 20 32 11 2 SwitchA ipv6 route static 30 32 11 2 SwitchA ipv6 route static 40 32 11 2 Configure a route policy SwitchA ip ipv6 prefix a index 10 permit 30 32 SwitchA route policy static2ripng deny node 0 SwitchA route policy if match ipv6 address prefix list a SwitchA route policy quit SwitchA route policy static2ripng per...

Page 378: ...ocol runs normally Analysis At least one item of the IP prefix list should be configured as permit mode and at least one node in the Route policy should be configured as permit mode Solution 1 Use the display ip ip prefix command to display IP prefix list information 2 Use the display route policy command to display route policy information IPv6 Routing Information Filtering Failure Symptom Filter...

Page 379: ...sion of IGMP Snooping 2 7 Configuring IGMP Snooping Port Functions 2 7 Configuration Prerequisites 2 7 Configuring Aging Timers for Dynamic Ports 2 8 Configuring Static Ports 2 8 Configuring Simulated Joining 2 9 Configuring Fast Leave Processing 2 10 Configuring IGMP Snooping Querier 2 11 Configuration Prerequisites 2 11 Enabling IGMP Snooping Querier 2 11 Configuring IGMP Queries and Responses 2...

Page 380: ...Configuration 3 10 4 MLD Snooping Configuration 4 1 MLD Snooping Overview 4 1 Introduction to MLD Snooping 4 1 Basic Concepts in MLD Snooping 4 2 How MLD Snooping Works 4 3 Protocols and Standards 4 5 MLD Snooping Configuration Task List 4 5 Configuring Basic Functions of MLD Snooping 4 6 Configuration Prerequisites 4 6 Enabling MLD Snooping 4 6 Configuring the Version of MLD Snooping 4 7 Configur...

Page 381: ...icy Fails to Take Effect 4 27 5 IPv6 Multicast VLAN Configuration 5 1 Introduction to IPv6 Multicast VLAN 5 1 IPv6 Multicast VLAN Configuration Task List 5 3 Configuring IPv6 Sub VLAN Based IPv6 Multicast VLAN 5 3 Configuration Prerequisites 5 3 Configuring Sub VLAN Based IPv6 Multicast VLAN 5 3 Configuring Port Based IPv6 Multicast VLAN 5 4 Configuration Prerequisites 5 4 Configuring User Port At...

Page 382: ...ultipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added services such as live Webcasting Web TV distance learning telemedicine Web radio real time videoconferencing and other bandwidth and time critical information services Comparison of Information Transmission...

Page 383: ...d over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information to each of these users This means a tremendous pressure on the information source and the network bandwidth As we can see from the information transmission process unicast is not suitable for batch tr...

Page 384: ...ificant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multicast can well solve this problem When some hosts on the network need multicast information the information sender or multicast source sends only one copy of the information Multicast distribution tree...

Page 385: ...of Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast address Hosts join a multicast group to become members of the multicast group before they can receive the multicast data addressed to that multicast group Typically a multicast source does not need to join a multicast group z An information sender is referred to as a mult...

Page 386: ...e G represents a specific multicast group z S G Indicates a shortest path tree SPT or a multicast packet that multicast source S sends to multicast group G Here S represents a specific multicast source while G represents a specific multicast group Advantages and Applications of Multicast Advantages of multicast Advantages of the multicast technique include z Enhanced efficiency reduces the CPU loa...

Page 387: ... locations of the multicast sources by some other means In addition the SSM model uses a multicast address range that is different from that of the ASM SFM model and dedicated multicast forwarding paths are established between receivers and the specified multicast sources Multicast Architecture IP multicast addresses the following questions z Where should the multicast source transmit information ...

Page 388: ... TTL value in the IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types of designated group addresses z 232 0 0 0 8 SSM group addresses and z 233 0 0 0 8 Glop group addresses 239 0 0 0 to 239 255 255 255 Administratively scoped multicast addresses These addresses are considered to be locally rather than globally unique and can be reused in domains adm...

Page 389: ...lticast address are as follows z 0xFF The most significant 8 bits are 11111111 indicating that this address is an IPv6 multicast address Figure 1 5 Format of the Flags field z Flags Referring to Figure 1 5 the following table describes the four bits of the Flags field Table 1 4 Description on the bits of the Flags field Bit Description 0 Reserved set to 0 R z When set to 0 it indicates that this a...

Page 390: ... the scope defined by the Scope field Ethernet multicast MAC addresses When a unicast IP packet is transmitted over Ethernet the destination MAC address is the MAC address of the receiver When a multicast packet is transmitted over Ethernet however the destination address is a multicast MAC address because the packet is directed to a group formed by a number of receivers rather than to one specifi...

Page 391: ...mple of IPv6 to MAC address mapping Multicast Protocols z Generally we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols which include IGMP MLD PIM IPv6 PIM MSDP and MBGP IPv6 MBGP we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as La...

Page 392: ...liver multicast data to receivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on the forwarding mechanism PIM comes in two modes dense mode often referred to as PIM DM and sparse mode often referred to as PIM SM z An inter domain multicast routing protocol is used for delivery of multicast information between two ASs ...

Page 393: ... on the Layer 2 device This avoids waste of network bandwidth and extra burden on the Layer 3 device Multicast Packet Forwarding Mechanism In a multicast model a multicast source sends information to the host group identified by the multicast group address in the destination address field of IP multicast packets Therefore to deliver multicast packets to receivers located in different parts of the ...

Page 394: ... and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 2 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 Figure 2 1 Before and af...

Page 395: ...ce DR or IGMP querier In the figure GigabitEthernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its router port list z Member port A member port is a port on an Ethernet switch that leads the switch towards multicast group members In the figure GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 of Switch A and GigabitEthe...

Page 396: ...r age out How IGMP Snooping Works A switch running IGMP Snooping performs different actions when it receives different IGMP messages as follows The description about adding or deleting a port in this section is only for a dynamic port Static ports can be added or deleted only through the corresponding configurations For details see Configuring Static Ports When receiving a general query The IGMP q...

Page 397: ...stening to the reported multicast address will suppress their own reports upon receiving this report and this will prevent the switch from knowing whether the reported multicast group still has active members attached to that port When receiving a leave message When an IGMPv1 host leaves a multicast group the host does not send an IGMP leave message so the switch cannot know immediately that the h...

Page 398: ...ist of the forwarding table entry for that multicast group when the aging timer expires Protocols and Standards IGMP Snooping is documented in z RFC 4541 Considerations for Internet Group Management Protocol IGMP and Multicast Listener Discovery MLD Snooping Switches IGMP Snooping Configuration Task List Complete these tasks to configure IGMP Snooping Task Remarks Enabling IGMP Snooping Required C...

Page 399: ...gate port view or port group view z For IGMP Snooping configurations made on a Layer 2 aggregate port do not interfere with configurations made on its member ports nor do they take part in aggregation calculations configurations made on a member port of the aggregate group will not take effect until it leaves the aggregate group Configuring Basic Functions of IGMP Snooping Configuration Prerequisi...

Page 400: ...he version of IGMP Snooping igmp snooping version version number Optional Version 2 by default If you switch IGMP Snooping from version 3 to version 2 the system will clear all IGMP Snooping forwarding entries from dynamic joins and will z Keep forwarding entries for version 3 static G joins z Clear forwarding entries from version 3 static S G joins which will be restored when IGMP Snooping is swi...

Page 401: ...aging time interval Optional 105 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLAN Follow these steps to configure aging timers for dynamic ports in a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure dynamic router port aging...

Page 402: ...mber ports and static router ports never age out To remove such a port you need to use the corresponding undo command Configuring Simulated Joining Generally a host running IGMP responds to IGMP queries from the IGMP querier If a host fails to respond due to some reasons the multicast router may deem that no member of this multicast group exists on the network segment and therefore will remove the...

Page 403: ...an IGMP leave message on a port the switch immediately removes that port from the outgoing port list of the forwarding table entry for the indicated group Then when receiving IGMP group specific queries for that multicast group the switch will not forward them to that port In VLANs where only one host is attached to each port fast leave processing helps improve bandwidth and resource usage However...

Page 404: ...urce address of IGMP group specific queries Enabling IGMP Snooping Querier In an IP multicast network running IGMP a multicast router or Layer 3 multicast switch is responsible for sending IGMP general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch i...

Page 405: ...d by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously z For IGMP general queries you can configure the maximum response time to fill their Max Response time field z For IGMP group specific queries you can configure the IGMP last member query interval to fill their Max Response time field Namely for IGMP group specific queries the maximum re...

Page 406: ...and cause multicast traffic forwarding failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the aforesaid problem you are commended to configure a non all zero IP address as the source IP address of IGMP queries Follow these steps to configure source IP address of IGMP queries To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Con...

Page 407: ...ure a multicast group filter globally To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Configure a multicast group filter group policy acl number vlan vlan list Required By default no group filter is globally configured that is hosts in VLANs can join any valid multicast group Configuring a multicast group filter on a port or a group of ports Follo...

Page 408: ...se either approach Enable multicast source port filtering igmp snooping source deny Required Disabled by default For the Switch 4510G Family when enabled to filter IPv4 multicast data based on the source ports are automatically enabled to filter IPv6 multicast data based on the source ports Configuring the Function of Dropping Unknown Multicast Data Unknown multicast data refers to multicast data ...

Page 409: ...ed over the network Follow these steps to configure IGMP report suppression To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Enable IGMP report suppression report aggregation Optional Enabled by default Configuring Maximum Multicast Groups that Can Be Joined on a Port By configuring the maximum number of multicast groups that can be joined on a por...

Page 410: ...ddition in some specific applications a multicast group newly joined on the switch needs to replace an existing multicast group automatically A typical example is channel switching namely by joining a new multicast group a user automatically switches from the current multicast group to the new one To address such situations you can enable the multicast group replacement function on the switch or c...

Page 411: ...ticast group replacement functionality will not take effect Displaying and Maintaining IGMP Snooping To do Use the command Remarks View IGMP Snooping multicast group information display igmp snooping group vlan vlan id slot slot number verbose Available in any view View the statistics information of IGMP messages learned by IGMP Snooping display igmp snooping statistics Available in any view Clear...

Page 412: ...1 can be forwarded through GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 of Switch A even if Host A and Host B accidentally temporarily stop receiving multicast data Network diagram Figure 2 3 Network diagram for group policy simulated joining configuration Configuration procedure 1 Configure IP addresses Configure an IP address and subnet mask for each interface as per Figure 2 3 The detailed c...

Page 413: ...tchA acl basic 2001 quit SwitchA igmp snooping SwitchA igmp snooping group policy 2001 vlan 100 SwitchA igmp snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts for multicast group 224 1 1 1 SwitchA interface gigabitethernet 1 0 3 SwitchA GigabitEthernet1 0 3 igmp snooping host join 224 1 1 1 vlan 100 SwitchA GigabitEthernet1 0 3 quit SwitchA interface gigabi...

Page 414: ...bitEthernet 1 0 5 on Switch C are required to be configured as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the network To avoid data loops the forwarding path from Switch A to Switch C is blocked under normal conditions and multicast traffic flows to the receivers attached to Switch C only along the path of Sw...

Page 415: ...IM DM on each interface and enable IGMP on GigabitEthernet 1 0 1 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim dm RouterA GigabitEthernet1 0 2 quit 3 Configure Switch A ...

Page 416: ...itEthernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable IGMP Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 igmp snooping enable SwitchC vlan100 quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 5 as static member ports for multicast group 224 1 1 1 SwitchC interface GigabitEthernet 1 0 3 SwitchC G...

Page 417: ... 100 on Switch C SwitchC display igmp snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 2 D 00 01 23 IP group s the following ip group s match to one mac group IP gr...

Page 418: ...known multicast data packets z Because a switch does not enlist a port that has heard an IGMP query with a source IP address of 0 0 0 0 default as a dynamic router port configure a non all zero IP address as the source IP address of IGMP queries to ensure normal creation of Layer 2 multicast forwarding entries Network diagram Figure 2 5 Network diagram for IGMP Snooping querier configuration Confi...

Page 419: ...gmp snooping enable SwitchB vlan100 igmp snooping drop unknown SwitchB vlan100 quit Configurations on Switch C and Switch D are similar to the configuration on Switch B 3 Verify the configuration After the IGMP Snooping querier starts to work all the switches but the querier can receive IGMP general queries By using the display igmp snooping statistics command you can view the statistics informati...

Page 420: ...s to join specific multicast groups the hosts can still receive multicast data addressed to other multicast groups Analysis z The ACL rule is incorrectly configured z The multicast group policy is not correctly applied z The function of dropping unknown multicast data is not enabled so unknown multicast data is flooded Solution 1 Use the display acl command to check the configured ACL rule Make su...

Page 421: ...Layer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 3 1 Multicast transmission without multicast VLAN The multicast VLAN feature configured on the Layer 2 device is the solution to this issue With the multicast VLAN feature the Layer 3 device needs to replicate the multicast traffic only in the multicast VLAN instead of mak...

Page 422: ...st A Host B and Host C are in three different user VLANs All the user ports ports with attached hosts on Switch A are hybrid ports On Switch A configure VLAN 10 as a multicast VLAN assign all the user ports to this multicast VLAN and enable IGMP Snooping in the multicast VLAN and all the user VLANs Figure 3 3 Port based multicast VLAN After the configuration upon receiving an IGMP message on a use...

Page 423: ...on is given preference Configuring Sub VLAN Based Multicast VLAN Configuration Prerequisites Before configuring sub VLAN based multicast VLAN complete the following tasks z Create VLANs as required z Enable IGMP Snooping in the VLAN to be configured as a multicast VLAN Configuring Sub VLAN Based Multicast VLAN In this approach you need to configure a VLAN as a multicast VLAN and then configure use...

Page 424: ...te port view are effective only for the current port configurations made in port group view are effective for all the ports in the current port group Configuration Prerequisites Before configuring port based multicast VLAN complete the following tasks z Create VLANs as required z Enable IGMP Snooping in the VLAN to be configured as a multicast VLAN z Enable IGMP Snooping in all the user VLANs Conf...

Page 425: ...y packets of VLAN 1 to pass For details about the port link type port hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring Multicast VLAN Ports In this approach you need to configure a VLAN as a multicast VLAN and then assign user ports to this multicast VLAN by either adding the user ports in the multicast VLAN or specifying the multicast VLAN on ...

Page 426: ...z A port can belong to only one multicast VLAN Displaying and Maintaining Multicast VLAN To do Use the command Remarks Display information about a multicast VLAN display multicast vlan vlan id Available in any view Multicast VLAN Configuration Examples Sub VLAN Based Multicast VLAN Configuration Network requirements z Router A connects to a multicast source through GigabitEthernet1 0 1 and to Swit...

Page 427: ...esses Configure an IP address and subnet mask for each interface as per Figure 3 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IP multicast routing enable PIM DM on each interface and enable IGMP on the host side interface GigabitEthernet 1 0 2 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1...

Page 428: ...the configuration Display information about the multicast VLAN SwitchA display multicast vlan Total 1 multicast vlan s Multicast vlan 10 subvlan list vlan 2 4 port list no port View the IGMP Snooping multicast group information on Switch A SwitchA display igmp snooping group Total 4 IP Group s Total 4 IP Source s Total 4 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags...

Page 429: ...roup s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 1 port GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 1 port GE1 0 4 Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 H...

Page 430: ...e port based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the multicast data to the receivers that belong to different user VLANs Network diagram Figure 3 5 Network diagram for port based multicast VLAN configuration Source Receiver Host A VLAN 2 GE1 0 2 GE1 0 3 GE1 0 4 Switch A IGMP querier Router A GE1 0 1 1 1 1 2 ...

Page 431: ...t 1 0 2 to permit packets of VLAN 2 and VLAN 10 to pass and untag the packets when forwarding them SwitchA interface gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 port link type hybrid SwitchA GigabitEthernet1 0 2 port hybrid pvid vlan 2 SwitchA GigabitEthernet1 0 2 port hybrid vlan 2 untagged SwitchA GigabitEthernet1 0 2 port hybrid vlan 10 untagged SwitchA GigabitEthernet1 0 2 quit The conf...

Page 432: ...ort C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 3 port GE1 0 2 GE...

Page 433: ...ween ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings As shown in Figure 4 1 when MLD Snooping is not running IPv6 multicast packets are broadcast to all devices at Layer 2 When MLD Snooping runs multicast packets for known IPv6 multicast groups are multicast to the receivers at Layer 2 Figure 4 1 Before and after MLD Snooping is enabled on the Layer 2 dev...

Page 434: ...ts Router port Member port Ports involved in MLD Snooping as shown in Figure 4 2 are described as follows z Router port A router port is a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or MLD querier In the figure GigabitEthernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its ro...

Page 435: ...itialized to the dynamic router port aging time MLD general query of which the source address is not 0 0 or IPv6 PIM hello The switch removes this port from its router port list Dynamic member port aging timer When a port dynamically joins an IPv6 multicast group the switch sets a timer for the port which is initialized to the dynamic member port aging time MLD report message The switch removes th...

Page 436: ...ed IPv6 multicast group the switch creates an entry adds the port as a dynamic member port to the outgoing port list and starts a member port aging timer for that port z If a forwarding table entry exists for the reported IPv6 multicast group but the port is not included in the outgoing port list for that group the switch adds the port as a dynamic member port to the outgoing port list and starts ...

Page 437: ...n the port suppose it is a dynamic member port before its aging timer expires this means that some host attached to the port is receiving or expecting to receive IPv6 multicast data for that IPv6 multicast group The switch resets the aging timer for the port z If no MLD report in response to the MLD multicast address specific query is received on the port before its aging timer expires this means ...

Page 438: ...oup view are effective only for all the ports in the current port group For a given port a configuration made in MLD Snooping view is effective only if the same configuration is not made in Ethernet port view Layer 2 aggregate port view or port group view z For MLD Snooping configurations made on a Layer 2 aggregate port do not interfere with configurations made on its member ports nor do they tak...

Page 439: ... MLDv1 and MLDv2 messages Follow these steps to configure the version of MLD Snooping To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the version of MLD Snooping mld snooping version version number Optional Version 1 by default If you switch MLD Snooping from version 2 to version 1 the system will clear all MLD Snooping forwarding entries from dyn...

Page 440: ...gure aging timers for dynamic ports globally To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Configure dynamic router port aging time router aging time interval Optional 260 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLAN Follow ...

Page 441: ...ember ports and static router ports never age out To remove such a port you need to use the corresponding undo command Configuring Simulated Joining Generally a host running MLD responds to MLD queries from the MLD querier If a host fails to respond due to some reasons the multicast router will deem that no member of this IPv6 multicast group exists on the network segment and therefore will remove...

Page 442: ...ber port Configuring Fast Leave Processing The fast leave processing feature allows the switch to process MLD done messages in a fast way With the fast leave processing feature enabled when receiving an MLD done message on a port the switch immediately removes that port from the outgoing port list of the forwarding table entry for the indicated IPv6 multicast group Then when receiving MLD done mul...

Page 443: ...ing querier prepare the following data z MLD general query interval z MLD last member query interval z Maximum response time for MLD general queries z Source IPv6 address of MLD general queries and z Source IPv6 address of MLD multicast address specific queries Enabling MLD Snooping Querier In an IPv6 multicast network running MLD a multicast router or Layer 3 multicast switch is responsible for s...

Page 444: ...wn to 0 the host sends an MLD report to the corresponding IPv6 multicast group An appropriate setting of the maximum response time for MLD queries allows hosts to respond to queries quickly and avoids bursts of MLD traffic on the network caused by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously z For MLD general queries you can configure t...

Page 445: ...se time for MLD general queries otherwise undesired deletion of IPv6 multicast members may occur Configuring Source IPv6 Addresses of MLD Queries This configuration allows you to change the source IPv6 address of MLD queries Follow these steps to configure source IPv6 addresses of MLD queries To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the sou...

Page 446: ... entry for this port in the MLD Snooping forwarding table otherwise the switch drops this report message Any IPv6 multicast data that fails the ACL check will not be sent to this port In this way the service provider can control the VOD programs provided for multicast users Configuring an IPv6 multicast group filter globally Follow these steps to configure an IPv6 multicast group globally To do Us...

Page 447: ...ort filtering globally Follow these steps to configure IPv6 multicast source port filtering To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable IPv6 multicast source port filtering source deny port interface list Required Disabled by default Configuring IPv6 multicast source port filtering on a port or a group of ports Follow these steps to confi...

Page 448: ...port suppression To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable MLD report suppression report aggregation Optional Enabled by default Configuring Maximum Multicast Groups that Can Be Joined on a Port By configuring the maximum number of IPv6 multicast groups that can be joined on a port or a group of ports you can limit the number of multica...

Page 449: ... in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automatically A typical example is channel switching namely by joining the new multicast group a user automatically switches from the current IPv6 multicast group to the new one To address this situation you can enable the IPv6 multicast group replacement function on ...

Page 450: ...multicast group replacement Otherwise the IPv6 multicast group replacement functionality will not take effect Displaying and Maintaining MLD Snooping To do Use the command Remarks View MLD Snooping multicast group information display mld snooping group vlan vlan id slot slot number verbose Available in any view View the statistics information of MLD messages learned by MLD Snooping display mld sno...

Page 451: ...even if Host A and Host B accidentally temporarily stop receiving IPv6 multicast data Network diagram Figure 4 3 Network diagram for IPv6 group policy simulated joining configuration Source Router A Switch A Receiver Receiver Host B Host A Host C GE1 0 1 GE1 0 4 GE1 0 2 GE1 0 3 MLD querier 1 1 64 GE1 0 1 2001 1 64 GE1 0 2 1 2 64 Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 a...

Page 452: ... group policy 2001 vlan 100 SwitchA mld snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts for IPv6 multicast group FF1E 101 SwitchA interface gigabitethernet 1 0 3 SwitchA GigabitEthernet1 0 3 mld snooping host join ff1e 101 vlan 100 SwitchA GigabitEthernet1 0 3 quit SwitchA interface gigabitethernet 1 0 4 SwitchA GigabitEthernet1 0 4 mld snooping host join...

Page 453: ...ired to be configured as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the network To avoid data loops the forwarding path from Switch A to Switch C is blocked under normal conditions and IPv6 multicast traffic flows to the receivers attached to Switch C only along the path of Switch A Switch B Switch C z It is ...

Page 454: ...PIM DM on each interface and enable MLD on GigabitEthernet 1 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 mld enable RouterA GigabitEthernet1 0 1 pim ipv6 dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim ipv6 dm RouterA GigabitEthernet1 0 2 quit 3 Confi...

Page 455: ...thernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable MLD Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 mld snooping enable SwitchC vlan100 quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 5 as static member ports for IPv6 multicast group FF1E 101 SwitchC interface GigabitEthernet 1 0 3 SwitchC Gi...

Page 456: ...00 on Switch C SwitchC display mld snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 2 D 00 01 23 IP group s the following ip group s match to one mac group IP group...

Page 457: ...he MLD Snooping querier Network diagram Figure 4 5 Network diagram for MLD Snooping querier configuration Configuration procedure 1 Configure Switch A Enable IPv6 forwarding and enable MLD Snooping globally SwitchA system view SwitchA ipv6 SwitchA mld snooping SwitchA mld snooping quit Create VLAN 100 and assign GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to VLAN 100 SwitchA vlan 100 Switc...

Page 458: ...al queries 3 Received MLDv1 specific queries 0 Received MLDv1 reports 12 Received MLD dones 0 Sent MLDv1 specific queries 0 Received MLDv2 reports 0 Received MLDv2 reports with right and wrong records 0 Received MLDv2 specific queries 0 Received MLDv2 specific sg queries 0 Sent MLDv2 specific queries 0 Sent MLDv2 specific sg queries 0 Received error MLD messages 0 Troubleshooting MLD Snooping Swit...

Page 459: ...gured z The IPv6 multicast group policy is not correctly applied Solution 1 Use the display acl ipv6 command to check the configured IPv6 ACL rule Make sure that the IPv6 ACL rule conforms to the IPv6 multicast group policy to be implemented 2 Use the display this command in MLD Snooping view or the corresponding port view to check whether the correct IPv6 multicast group policy has been applied I...

Page 460: ... the Layer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 5 1 Multicast transmission without IPv6 multicast VLAN The IPv6 multicast VLAN feature configured on the Layer 2 device is the solution to this issue With the IPv6 multicast VLAN feature the Layer 3 device needs to replicate the multicast traffic only in the IPv6 mult...

Page 461: ... in Figure 5 3 Host A Host B and Host C are in three different user VLANs All the user ports are hybrid ports On Switch A configure VLAN 10 as an IPv6 multicast VLAN assign all the user ports to this IPv6 multicast VLAN and enable MLD Snooping in the IPv6 multicast VLAN and all the user VLANs Figure 5 3 Port based IPv6 multicast VLAN After the configuration upon receiving an MLD message on a user ...

Page 462: ...ast VLAN on a device the port based IPv6 multicast VLAN configuration is given preference Configuring IPv6 Sub VLAN Based IPv6 Multicast VLAN Configuration Prerequisites Before configuring sub VLAN based IPv6 multicast VLAN complete the following tasks z Create VLANs as required z Enable MLD Snooping in the VLAN to be configured as an IPv6 multicast VLAN Configuring Sub VLAN Based IPv6 Multicast V...

Page 463: ...e effective only for the current port configurations made in Layer 2 aggregate port view are effective only for the current port configurations made in port group view are effective for all the ports in the current port group Configuration Prerequisites Before configuring port based IPv6 multicast VLAN complete the following tasks z Create VLANs as required z Enable MLD Snooping in the VLAN to be ...

Page 464: ...rt hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring IPv6 Multicast VLAN Ports In this approach you need to configure a VLAN as an IPv6 multicast VLAN and then assign user ports to this IPv6 multicast VLAN by either adding the user ports in the IPv6 multicast VLAN or specifying the IPv6 multicast VLAN on the user ports These two methods give the...

Page 465: ...belong to only one IPv6 multicast VLAN Displaying and Maintaining IPv6 Multicast VLAN To do Use the command Remarks Display information about an IPv6 multicast VLAN display multicast vlan ipv6 vlan id Available in any view IPv6 Multicast VLAN Configuration Examples Sub VLAN Based Multicast VLAN Configuration Example Network requirements z As shown in Figure 3 4 Router A connects to an IPv6 multica...

Page 466: ...igure an IPv6 address and address prefix for each interface as per Figure 3 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IPv6 multicast routing enable IPv6 PIM DM on each interface and enable MLD on the host side interface GigabitEthernet 1 0 2 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEtherne...

Page 467: ... display multicast vlan ipv6 Total 1 IPv6 multicast vlan s IPv6 Multicast vlan 10 subvlan list vlan 2 4 port list no port View the MLD Snooping IPv6 multicast group information on Switch A SwitchA display mld snooping group Total 4 IP Group s Total 4 IP Source s Total 4 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 2 Total 1 IP Group ...

Page 468: ...Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 0 port MAC group s MAC group address 3333 0000 0101 Host port s total 0 port As shown above MLD Snooping is maintaining the router port in the IPv6 multicast VLAN VLAN 10 and the member ports in the sub VLANs VL...

Page 469: ... 2 GE1 0 2 GE1 0 3 GE1 0 4 Switch A MLD querier Router A GE1 0 1 1 2 64 GE1 0 2 2001 1 64 1 1 64 Receiver Host B VLAN 3 Receiver Host C VLAN 4 GE1 0 1 Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 addresses Enable IPv6 forwarding on each device and configure the IPv6 address and address prefix for each interface as per Figure 5 5 The detailed configuration steps are omitted h...

Page 470: ...SwitchA GigabitEthernet1 0 2 port hybrid vlan 10 untagged SwitchA GigabitEthernet1 0 2 quit The configuration for GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration steps are omitted Configure VLAN 10 as an IPv6 multicast VLAN SwitchA multicast vlan ipv6 10 Assign GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 to IPv6 multicast VLAN 10 SwitchA ipv6 mvlan 10 port...

Page 471: ...MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC group s MAC group address 3333 0000 0101 Host port s total 3 port GE1 0 2 GE1 0 3 GE1 0 4 As shown above MLD Snooping is maintaining router ports and member ports in VLAN 10 ...

Page 472: ...view 3 1 Introduction to Priority Mapping 3 1 Priority Mapping Tables 3 1 Priority Trust Mode on a Port 3 2 Priority Mapping Procedure 3 2 Priority Mapping Configuration Tasks 3 3 Configuring Priority Mapping 3 4 Configuring a Priority Mapping Table 3 4 Configuring the Priority Trust Mode on a Port 3 4 Configuring the Port Priority of a Port 3 5 Displaying and Maintaining Priority Mapping 3 5 Prio...

Page 473: ...ltering Configuration Example 6 2 Traffic Filtering Configuration Example 6 2 7 Priority Marking Configuration 7 1 Priority Marking Overview 7 1 Configuring Priority Marking 7 1 Priority Marking Configuration Example 7 2 Priority Marking Configuration Example 7 2 8 Traffic Redirecting Configuration 8 1 Traffic Redirecting Overview 8 1 Traffic Redirecting 8 1 Configuring Traffic Redirecting 8 1 9 T...

Page 474: ... 11 1 Creating a User Profile 11 2 Applying a QoS Policy to User Profile 11 2 Enabling a User Profile 11 3 Displaying and Maintaining User Profile 11 3 12 Appendix 12 1 Appendix A Acronym 12 1 Appendix B Default Priority Mapping Tables 12 2 Uncolored Priority Mapping Tables 12 2 Appendix C Introduction to Packet Precedences 12 3 IP Precedence and DSCP Values 12 3 802 1p Priority 12 5 ...

Page 475: ...k resources effectively The following part introduces the QoS service models and some mature QoS techniques used most widely Using these techniques reasonably in the specific environments you can improve the QoS effectively Introduction to QoS Service Models This section covers three typical QoS service models z Best effort service z Integrated service IntServ z Differentiated service DiffServ Bes...

Page 476: ...affic shaping line rate congestion management and congestion avoidance The following part briefly introduces these QoS techniques Positions of the QoS Techniques in a Network Figure 1 1 Positions of the QoS techniques in a network As shown in Figure 1 1 traffic classification traffic shaping traffic policing congestion management and congestion avoidance mainly implement the following functions z ...

Page 477: ...when congestion occurs Congestion management is usually applied to the outgoing traffic of a port z Congestion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port As congestion becomes worse it actively reduces the amount of traffic by dropping packets ...

Page 478: ...ing QoS policies A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing Before configuring a QoS policy be familiar with these concepts class traffic behavior and policy Class Classes are used to identify traffic A class is identified by a class name and contains some match criteria for traffic identification The relationship...

Page 479: ... Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Required By default the relationship between match criteria is AND Configure match criteria if match match criteria Required match criteria Match criterion Table 2 1 shows the available criteria Table 2 1 The keyword and argument combinations for the match criteria argument Form D...

Page 480: ...rgument at a time VLAN ID is in the range 1 to 4094 In a class configured with the operator and the logical relationship between the customer VLAN IDs specified for the customer vlan id keyword is or destination mac mac address Specifies to match the packets with a specified destination MAC address dscp dscp list Specifies to match packets by DSCP precedence The dscp list argument is a list of DSC...

Page 481: ...ckets with a specified source MAC address Suppose the logical relationship between classification rules is and Note the following when using the if match command to define matching rules z If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class the actual logical relationship between these rules is or when the policy is applied z If multiple matching rules with...

Page 482: ... the class regardless of whether the match mode of the if match clause is deny or permit z In a QoS policy with multiple class to traffic behavior associations if the action of creating an outer VLAN tag the action of setting customer network VLAN ID or the action of setting service provider network VLAN ID is configured in a traffic behavior we recommend you not to configure any other action in t...

Page 483: ...d configuration may be lost due to insufficient resources Applying the QoS policy to an interface A policy can be applied to multiple ports Only one policy can be applied in inbound direction of a port port group Follow these steps to apply the QoS policy to an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter...

Page 484: ...ive by default z If a user profile is active the QoS policy except ACLs referenced in the QoS policy applied to it cannot be configured or removed If the user profile is being used by online users the referenced ACLs cannot be modified either z The QoS policies applied in user profile view support only the remark car and filter actions z Do not apply an empty policy in user profile view because a ...

Page 485: ...pplied globally Displaying and Maintaining QoS Policies To do Use the command Remarks Display information about a class and the corresponding actions associated by a policy display qos policy user defined policy name classifier classifier name Available in any view Display information about the policies applied on a port display qos policy interface interface type interface number inbound Availabl...

Page 486: ...emarks Clear the statistics of a global QoS policy reset qos policy global inbound Available in user view Clear the statistics of QoS policies applied to VLANs reset qos vlan policy vlan vlan id inbound Available in user view ...

Page 487: ...lly scheduled z Drop precedence is used for making packet drop decisions Packets with the highest drop precedence are dropped preferentially When a packet enters the device from a port the device assigns a set of QoS priority parameters to the packet based on a certain priority and sometimes may modify its priority according to certain rules depending on device status This process is called priori...

Page 488: ...elds carried in packets There are three priority trust modes on Switch 4510G series z dot1p Uses the 802 1p priority carried in packets for priority mapping z dscp Uses the DSCP carried in packets for priority mapping z undo qos trust Uses the port priority as the 802 1p priority for priority mapping The port priority is user configurable The priority mapping procedure varies with the priority mod...

Page 489: ...e port priority as the 802 1p priority for priority mapping Look up the dot1p dp and dot1p lp mapping tables Mark the packet with local precedence and drop precedence Port priority The priority mapping procedure presented above applies in the absence of priority marking If priority marking is configured the device performs priority marking before priority mapping and then uses the re marked packet...

Page 490: ...ping table display qos map table dot1p dp dot1p lp dscp dot1p dscp dp dscp dscp Optional Available in any view You cannot configure mapping any DSCP value to drop precedence 1 Configuring the Priority Trust Mode on a Port Follow these steps to configure the trusted packet priority type on an interface port group To do Use the command Remarks Enter system view system view Enter interface view inter...

Page 491: ...er port group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Configure the port priority qos priority priority value Required The default port priority is 0 Displaying and Maintaining Priority Mapping To do Use the command Remarks Display priority mappin...

Page 492: ... to GigabitEthernet 1 0 3 of Device which sets the 802 1p priority of traffic from the management department to 5 Configure port priority 802 1p to local priority mapping table and priority marking to implement the plan as described in Table 3 1 Table 3 1 Configuration plan Queuing plan Traffic destination Traffic Priority order Traffic source Output queue Queue priority R D department 6 High Mana...

Page 493: ...et1 0 1 quit Set the port priority of GigabitEthernet 1 0 2 to 4 Device interface gigabitethernet 1 0 2 Device GigabitEthernet1 0 2 qos priority 4 Device GigabitEthernet1 0 2 quit Set the port priority of GigabitEthernet 1 0 3 to 5 Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 3 qos priority 5 Device GigabitEthernet1 3 quit 2 Configure the priority mapping table Configure the 802 ...

Page 494: ...avior admin quit Device qos policy admin Device qospolicy admin classifier http behavior admin Device qospolicy admin quit Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 0 3 qos apply policy admin inbound Configure a priority marking policy for the marketing department and apply the policy to the incoming traffic of GigabitEthernet 1 0 1 Device traffic behavior market Device behavi...

Page 495: ...t is shaped or policed to ensure that it is under the specifications Generally token buckets are used to evaluate traffic specifications Traffic Evaluation and Token Buckets Token bucket features A token bucket is analogous to a container holding a certain number of tokens The system puts tokens into the bucket at a set rate When the token bucket is full the extra tokens overflows Evaluating traff...

Page 496: ...Excess burst size EBS Size of the E bucket that is transient burst of traffic that the E bucket can forward CBS and EBS are carried by two different token buckets In each evaluation packets are measured against the buckets z If the C bucket has enough tokens packets are colored green z If the C bucket does not have enough tokens but the E bucket has enough tokens packets are colored yellow z If ne...

Page 497: ...g traffic Traffic shaping provides measures to adjust the rate of outbound traffic actively A typical traffic shaping application is to limit the local traffic output rate according to the downstream traffic policing parameters The difference between traffic policing and GTS is that packets to be dropped in traffic policing are cached in a buffer or queue in GTS as shown in Figure 4 2 When there a...

Page 498: ...ecifies the maximum rate for forwarding packets including critical packets Line rate also uses token buckets for traffic control With line rate configured on an interface all packets to be sent through the interface are firstly handled by the token bucket at line rate If there are enough tokens in the token bucket packets can be forwarded otherwise packets are put into QoS queues for congestion ma...

Page 499: ...havior view traffic behavior behavior name Configure a traffic policing action car cir committed information rate cbs committed burst size ebs excess burst size pir peak information rate green action red action yellow action Required Exit behavior view quit Create a policy and enter policy view qos policy policy name Associate the class with the traffic behavior in the QoS policy classifier tcl na...

Page 500: ...he Switch 4510G series traffic shaping is implemented as queue based GTS that is configuring GTS parameters for packets of a certain queue Follow these steps to configure queue based GTS To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group...

Page 501: ...size Required Configuration Example Limit the outbound line rate of GigabitEthernet 1 0 1 to 512 kbps Enter system view Sysname system view Enter interface view Sysname interface gigabitethernet 1 0 1 Limit the outbound line rate of GigabitEthernet 1 0 1 to 512 kbps Sysname GigabitEthernet1 0 1 qos lr outbound cir 512 Displaying and Maintaining Traffic Policing GTS and Line Rate On the Switch 4510...

Page 502: ...4 8 ...

Page 503: ... two common cases Figure 5 1 Traffic congestion causes 100M 10M 100M 10M 50M 100M 100M 100M 100M 50M 10M 10M 1 2 Congestion may bring these negative results z Increased delay and jitter during packet transmission z Decreased network throughput and resource use efficiency z Network resource memory in particular exhaustion and even system breakdown Congestion is unavoidable in switched networks and ...

Page 504: ...P queuing As shown in Figure 5 2 SP queuing classifies eight queues on a port into eight classes numbered 7 to 0 in descending priority order SP queuing schedules the eight queues strictly according to the descending order of priority It sends packets in the queue with the highest priority first When the queue with the highest priority is empty it sends packets in the queue with the second highest...

Page 505: ... advantage of WRR queuing is that while the queues are scheduled in turn the service time for each queue is not fixed that is if a queue is empty the next queue will be scheduled immediately This improves bandwidth resource use efficiency WFQ queuing Figure 5 4 Schematic diagram for WFQ queuing Queue 1 Band width 1 Queue2 Band width 2 Queue N 1 Band width N 1 Queue N Band width N Packets to be sen...

Page 506: ...ive flows on the port currently with the precedence being 0 1 2 3 and 4 and the minimum guaranteed bandwidth being 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps respectively z The assignable bandwidth 10 Mbps 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps 9 5 Mbps z The total assignable bandwidth quota is the sum of all the precedence value 1 s that is 1 2 3 4 5 15 z The bandwidth percentage assi...

Page 507: ... current interface settings in port group view take effect on all ports in the port group Configure SP queuing qos sp Required By default all the ports adopt the WRR queue scheduling algorithm with the weight values assigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 Configuration example 1 Network requirements Configure GigabitEthernet 1 0 1 to use SP queuing 2 Configuration procedure...

Page 508: ... group with their weights being 1 2 4 6 8 10 12 and 14 2 Configuration procedure Enter system view Sysname system view Configure the WRR queues on port GigabitEthernet1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos wrr Sysname GigabitEthernet1 0 1 qos wrr 0 group 1 weight 1 Sysname GigabitEthernet1 0 1 qos wrr 1 group 1 weight 2 Sysname GigabitEthernet1 0 1 qos wrr 2...

Page 509: ...2 4 6 8 10 12 and 14 respectively z Set the minimum guaranteed bandwidth of queue 0 to 128 kbps 2 Configuration procedure Enter system view Sysname system view Configure WFQ queues on GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos wfq Sysname GigabitEthernet1 0 1 qos wfq 0 weight 1 Sysname GigabitEthernet1 0 1 qos wfq 1 weight 2 Sysname GigabitEthern...

Page 510: ...assigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 Configuration Example Network requirements z Configure to adopt SP WRR queue scheduling algorithm on GigabitEthernet1 0 1 z Configure queue 0 queue 1 queue 2 and queue 3 on GigabitEthernet1 0 1 to be in SP queue scheduling group z Configure queue 4 queue 5 queue 6 and queue 7 on GigabitEthernet1 0 1 to be in WRR queue scheduling group...

Page 511: ...nfiguration information display qos wrr interface interface type interface number Display SP queue configuration information display qos sp interface interface type interface number Display WFQ queue configuration information display qos wfq interface interface type interface number Available in any view ...

Page 512: ...s to configure traffic filtering To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior view traffic behavior behavior name Configure the traffic filtering action filter deny permit Required z deny Drops ...

Page 513: ... filtering configuration Configuration procedure Create advanced ACL 3000 and configure a rule to match packets whose source port number is 21 DeviceA system view DeviceA acl number 3000 DeviceA acl basic 3000 rule 0 permit tcp source port eq 21 DeviceA acl basic 3000 quit Create a class named classifier_1 and reference ACL 3000 in the class DeviceA traffic classifier classifier_1 DeviceA classifi...

Page 514: ...viceA qospolicy policy quit Apply the policy named policy to the incoming traffic of GigabitEthernet 1 0 1 DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 qos apply policy policy inbound ...

Page 515: ...change its transmission priority in the network To configure priority marking you can associate a class with a behavior configured with the priority marking action to set the priority fields or flag bits of the class of packets Configuring Priority Marking Follow these steps to configure priority marking To do Use the command Remarks Enter system view system view Create a class and enter class vie...

Page 516: ... QoS policy Globally Applying the QoS policy globally Display the priority marking configuration display traffic behavior user defined behavior name Optional Available in any view Priority Marking Configuration Example Priority Marking Configuration Example Network requirements As shown in Figure 7 1 the enterprise network of a company interconnects hosts with servers through Device The network is...

Page 517: ... destination IP address 192 168 0 3 Device acl number 3002 Device acl adv 3002 rule permit ip destination 192 168 0 3 0 Device acl adv 3002 quit Create a class named classifier_dbserver and reference ACL 3000 in the class Device traffic classifier classifier_dbserver Device classifier classifier_dbserver if match acl 3000 Device classifier classifier_dbserver quit Create a class named classifier_m...

Page 518: ...r behavior_fserver Device behavior behavior_fserver remark local precedence 2 Device behavior behavior_fserver quit Create a policy named policy_server and associate classes with behaviors in the policy Device qos policy policy_server Device qospolicy policy_server classifier classifier_dbserver behavior behavior_dbserver Device qospolicy policy_server classifier classifier_mserver behavior behavi...

Page 519: ...e to only Layer 2 packets and the target interface should be a Layer 2 interface Configuring Traffic Redirecting Follow these steps to configure traffic redirecting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and...

Page 520: ...he CPU and the action of redirecting traffic to an interface are mutually exclusive with each other in the same traffic behavior z You can use the display traffic behavior command to view the traffic redirecting configuration z A QoS policy that contains a traffic redirecting action can be applied only to the incoming traffic ...

Page 521: ...nterface z Mirroring traffic to the CPU copies the matching packets on an interface to a CPU the CPU of the device where the traffic mirroring enabled interface resides Configuring Traffic Mirroring To configure traffic mirroring you must enter the view of an existing traffic behavior In a traffic behavior the action of mirroring traffic to an interface and the action of mirroring traffic to a CPU...

Page 522: ...w these steps to mirror traffic to the CPU To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior view traffic behavior behavior name Required Mirror traffic to the CPU mirror to cpu Required Exit behavio...

Page 523: ...h a data monitoring device is connected to GigabitEthernet1 0 2 of the switch Monitor and analyze packets sent by Host A on the data monitoring device Figure 9 1 Network diagram for configuring traffic mirroring to a port Configuration Procedure Configure Switch Enter system view Sysname system view Configure basic IPv4 ACL 2000 to match packets with the source IP address 192 168 0 1 Sysname acl n...

Page 524: ...class 1 in the QoS policy Sysname qos policy 1 Sysname policy 1 classifier 1 behavior 1 Sysname policy 1 quit Apply the QoS policy to the incoming traffic of GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos apply policy 1 inbound After the configurations you can monitor all packets sent from Host A on the data monitoring device ...

Page 525: ... steps to configure class based accounting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior view traffic behavior behavior name Required Configure the accounting action accounting Optional The class...

Page 526: ...ts with source IP address 1 1 1 1 DeviceA system view DeviceA acl number 2000 DeviceA acl basic 2000 rule permit source 1 1 1 1 0 DeviceA acl basic 2000 quit Create a class named classifier_1 and reference ACL 2000 in the class DeviceA traffic classifier classifier_1 DeviceA classifier classifier_1 if match acl 2000 DeviceA classifier classifier_1 quit Create behavior behavior_1 and configure an a...

Page 527: ...s to verify the configuration DeviceA display qos policy interface gigabitethernet 1 0 1 Interface GigabitEthernet1 0 1 Direction Inbound Policy policy Classifier classifier_1 Operator AND Rule s If match acl 2000 Behavior behavior_1 Accounting Enable 28529 Packets ...

Page 528: ...r access no users pass the authentication or users have logged out user profile does not take effect as it is a predefined configuration With user profile you can z Make use of system resources more granularly For example without user profile you can apply a QoS policy based on interface VLAN globally and so on This QoS policy is applicable to a group of users With user profile however you can app...

Page 529: ...he corresponding user profile view The configuration made in user profile view takes effect when the user profile is enabled and the corresponding users are online Refer to 802 1x Configuration in the Security Volume for detailed information about 802 1x authentication Applying a QoS Policy to User Profile After a user profile is created you need to configure detailed items in user profile view to...

Page 530: ...r being enabled Follow these steps to enable a user profile To do Use the command Remarks Enter system view system view Enable a user profile user profile profile name enable Required A user profile is disabled by default z Only an enabled user profile can be used by a user You cannot modify or remove the configuration items in a user profile until the user profile is disabled z Disabling a user p...

Page 531: ...Class Based Weighted Fair Queuing CE Customer Edge CIR Committed Information Rate CQ Custom Queuing DAR Deeper Application Recognition DiffServ Differentiated Service DSCP Differentiated Services Codepoint EACL Enhanced ACL EBS Excess Burst Size EF Expedited Forwarding FEC Forwarding Equivalence Class FIFO First in First out GTS Generic Traffic Shaping IntServ Integrated Service ISP Internet Servi...

Page 532: ...c Shaping VoIP Voice over IP VPN Virtual Private Network WFQ Weighted Fair Queuing WRED Weighted Random Early Detection Appendix B Default Priority Mapping Tables Uncolored Priority Mapping Tables For the default dscp dscp priority mapping table an input value yields a target value that is equal to it Table 12 2 The default dot1p lp dot1p dp dot1p dscp and dot1p rpr priority mapping tables Input p...

Page 533: ...to 39 0 4 40 to 47 0 5 48 to 55 0 6 56 to 63 0 7 Appendix C Introduction to Packet Precedences IP Precedence and DSCP Values Figure 12 1 ToS and DS fields As shown in Figure 12 1 the ToS field of the IP header contains eight bits and the first three bits 0 to 2 represent IP precedence from 0 to 7 According to RFC 2474 the ToS field of the IP header is redefined as the differentiated services DS fi...

Page 534: ...7 111 network Table 12 5 Description on DSCP values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af23 26 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 cs7 0 000000 ...

Page 535: ...f the 802 1Q tag header The Priority field in the 802 1Q tag header is called the 802 1p priority because its use is defined in IEEE 802 1p Table 12 6 presents the values for 802 1p priority Figure 12 3 802 1Q tag header 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 Priority VLAN ID TPID Tag protocol identifier TCI Tag control information Byte 1 Byte 2 0 Byte 3 Byte 4 CFI 7 5 4 3 2 1 0 7 5 4 3 2 1 0 6 6 7 5 4 3 2...

Page 536: ...Domain 1 15 Configuring AAA Accounting Methods for an ISP Domain 1 17 Configuring Local User Attributes 1 19 Configuring User Group Attributes 1 20 Tearing down User Connections Forcibly 1 21 Displaying and Maintaining AAA 1 21 Configuring RADIUS 1 22 Creating a RADIUS Scheme 1 22 Specifying the RADIUS Authentication Authorization Servers 1 23 Specifying the RADIUS Accounting Servers and Relevant ...

Page 537: ...thentication Triggering 2 5 Authentication Process of 802 1X 2 6 802 1X Timers 2 9 Extensions to 802 1X 2 10 Features Working Together with 802 1X 2 10 Configuring 802 1X 2 12 Configuration Prerequisites 2 12 Configuring 802 1X Globally 2 12 Configuring 802 1X for a Port 2 14 Configuring an 802 1X Port based Guest VLAN 2 15 Displaying and Maintaining 802 1X 2 16 802 1X Configuration Example 2 16 G...

Page 538: ...CL Assignment Configuration Example 5 7 6 Port Security Configuration 6 1 Introduction to Port Security 6 1 Port Security Overview 6 1 Port Security Features 6 2 Port Security Modes 6 2 Port Security Configuration Task List 6 4 Enabling Port Security 6 5 Configuration Prerequisites 6 5 Configuration Procedure 6 5 Setting the Maximum Number of Secure MAC Addresses 6 5 Setting the Port Security Mode...

Page 539: ...ing SSH Server 8 5 Configuring the User Interfaces for SSH Clients 8 5 Configuring a Client Public Key 8 6 Configuring an SSH User 8 7 Setting the SSH Management Parameters 8 8 Configuring the Device as an SSH Client 8 9 SSH Client Configuration Task List 8 9 Specifying a Source IP address Interface for the SSH client 8 9 Configuring Whether First time Authentication is Supported 8 10 Establishing...

Page 540: ...erification 10 10 Destroying a Local RSA Key Pair 10 11 Deleting a Certificate 10 11 Configuring an Access Control Policy 10 12 Displaying and Maintaining PKI 10 12 PKI Configuration Examples 10 13 Requesting a Certificate from a CA Running RSA Keon 10 13 Requesting a Certificate from a CA Running Windows 2003 Server 10 16 Configuring a Certificate Attribute Based Access Control Policy 10 20 Troub...

Page 541: ...uction to ACL 13 1 Introduction 13 1 Application of ACLs on the Switch 13 1 Introduction to IPv4 ACL 13 2 IPv4 ACL Classification 13 2 IPv4 ACL Naming 13 2 IPv4 ACL Match Order 13 3 IPv4 ACL Step 13 4 Effective Period of an IPv4 ACL 13 4 IP Fragments Filtering with IPv4 ACL 13 4 Introduction to IPv6 ACL 13 5 IPv6 ACL Classification 13 5 IPv6 ACL Naming 13 5 IPv6 ACL Match Order 13 5 IPv6 ACL Step ...

Page 542: ...iguration Example 15 2 Configuring an Advanced IPv6 ACL 15 2 Configuration Prerequisites 15 3 Configuration Procedure 15 3 Configuration Example 15 4 Copying an IPv6 ACL 15 4 Configuration Prerequisites 15 4 Configuration Procedure 15 4 Displaying and Maintaining IPv6 ACLs 15 5 IPv6 ACL Configuration Example 15 5 Network Requirements 15 5 Configuration Procedure 15 5 16 ACL Application for Packet ...

Page 543: ...he network access server NAS and the server maintains user information centrally In an AAA network a NAS is a server for users but a client for the AAA servers as shown in Figure 1 1 Figure 1 1 AAA networking diagram When a user tries to establish a connection to the NAS and to obtain the rights to access other networks or some network resources the NAS authenticates the user or the corresponding ...

Page 544: ...ls Currently the device supports using RADIUS HWTACACS for AAA and RADIUS is often used in practice Introduction to RADIUS Remote Authentication Dial In User Service RADIUS is a distributed information interaction protocol in a client server model RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are re...

Page 545: ... secure networks RADIUS encrypts passwords before transmitting them A RADIUS server supports multiple user authentication methods for example the Password Authentication Protocol PAP and Challenge Handshake Authentication Protocol CHAP Moreover a RADIUS server can act as the client of another AAA server to provide authentication proxy services Basic Message Exchange Process of RADIUS Figure 1 3 il...

Page 546: ...RADIUS client to tear down the connection and the RADIUS client sends a stop accounting request Accounting Request to the RADIUS server 9 The RADIUS server returns a stop accounting response Accounting Response and stops accounting for the user 10 The user stops access to network resources RADIUS Packet Format RADIUS uses UDP to transmit messages It ensures the smooth message exchange between the ...

Page 547: ...or and Attribute fields The value of the field is in the range 20 to 4096 Bytes beyond the length are considered the padding and are neglected upon reception If the length of a received packet is less than that indicated by the Length field the packet is dropped 5 The Authenticator field 16 byte long is used to authenticate replies from the RADIUS server and is also used in the password hiding alg...

Page 548: ...70 ARAP Password 24 State 71 ARAP Features 25 Class 72 ARAP Zone Access 26 Vendor Specific 73 ARAP Security 27 Session Timeout 74 ARAP Security Data 28 Idle Timeout 75 Password Retry 29 Termination Action 76 Prompt 30 Called Station Id 77 Connect Info 31 Calling Station Id 78 Configuration Token 32 NAS Identifier 79 EAP Message 33 Proxy State 80 Message Authenticator 34 Login LAT Service 81 Tunnel...

Page 549: ... a code complying with RFC 1700 z Vendor Type Indicates the type of the sub attribute z Vendor Length Indicates the length of the sub attribute z Vendor Data Indicates the contents of the sub attribute Figure 1 5 Segment of a RADIUS packet containing an extended attribute Introduction to HWTACACS HW Terminal Access Controller Access Control System HWTACACS is an enhanced security protocol based on...

Page 550: ...ts only the user password field in an authentication packet Protocol packets are complicated and authorization is independent of authentication Authentication and authorization can be deployed on different HWTACACS servers Protocol packets are simple and authorization is combined with authentication Supports authorized use of configuration commands For example an authenticated login user can be au...

Page 551: ...continuance packet with the login password 2 A Telnet user sends an access request to the NAS 3 Upon receiving the request the HWTACACS client sends a start authentication packet to the HWTACACS server 4 The HWTACACS server sends back an authentication response requesting the username 5 Upon receiving the response the HWTACACS client asks the user for the username 6 The user inputs the username 7 ...

Page 552: ...odifications for Tunnel Protocol Support z RFC 2868 RADIUS Attributes for Tunnel Protocol Support z RFC 2869 RADIUS Extensions z RFC 1492 An Access Control Protocol Sometimes Called TACACS AAA Configuration Task List The basic procedure to configure AAA is as follows 1 Configure the required AAA schemes z Local authentication Configure local users and related attributes including usernames and pas...

Page 553: ...n User Connections Forcibly Optional Displaying and Maintaining AAA Optional RADIUS Configuration Task List Task Remarks Creating a RADIUS Scheme Required Specifying the RADIUS Authentication Authorization Servers Required Specifying the RADIUS Accounting Servers and Relevant Parameters Optional Setting the Shared Key for RADIUS Packets Required Setting the Upper Limit of RADIUS Request Retransmis...

Page 554: ...orization accounting policies for all the other types of users For a user who has logged in to the device AAA can provide the command authorization service to enhance device security Allows the authorization server to check each command executed by the login user and only authorized commands can be successfully executed Configuration Prerequisites For remote authentication authorization or account...

Page 555: ... an ISP domain name the device uses the authentication method configured for the default ISP domain to authenticate the user Configuring ISP Domain Attributes Follow these steps to configure ISP domain attributes To do Use the command Remarks Enter system view system view Create an ISP domain and enter ISP domain view domain isp name Required Place the ISP domain to the state of active or blocked ...

Page 556: ...or HWTACACS server to authenticate users As for RADIUS the device can use the standard RADIUS protocol or extended RADIUS protocol in collaboration with systems like iMC to implement user authentication Remote authentication features centralized information management high capacity high reliability and support for centralized authentication for multiple devices You can configure local authenticati...

Page 557: ...keyword and argument combination configured local authentication is the backup method and is used only when the remote server is not available z If the primary authentication method is local or none the system performs local authentication or does not perform any authentication and will not use any RADIUS or HWTACACS authentication scheme Configuring AAA Authorization Methods for an ISP Domain In ...

Page 558: ...u can configure an authorization scheme specifically for each access mode and service type limiting the authorization protocols that can be used for access 3 Determine whether to configure an authorization method for all access modes or service types Follow these steps to configure AAA authorization methods for an ISP domain To do Use the command Remarks Enter system view system view Create an ISP...

Page 559: ... ISP Domain In AAA accounting is a separate process at the same level as authentication and authorization Its responsibility is to send accounting start update end requests to the specified accounting server Accounting is not required and therefore accounting method configuration is optional AAA supports the following accounting methods z No accounting The system does not perform accounting for th...

Page 560: ...ed by default z With the accounting optional command configured a user to be disconnected can still use the network resources even when there is no available accounting server or communication with the current accounting server fails z The local accounting is not used for accounting implementation but together with the attribute access limit command for limiting the number of local user connection...

Page 561: ...An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view Follow these steps to configure the attributes for a local user To do Use the command Remarks Enter system view system view Set the password display mode for all local users local user password display mode auto cipher force Optional auto by default indicating to display ...

Page 562: ... accounting is used z Local authentication checks the service types of a local user If the service types are not available the user cannot pass authentication z In the authentication method that requires the username and password including local authentication RADIUS authentication and HWTACACS authentication the commands that a login user can use after logging in depend on the level of the user I...

Page 563: ...n attribute is configured for a user group Tearing down User Connections Forcibly Follow these steps to tear down user connections forcibly To do Use the command Remarks Enter system view system view Tear down AAA user connections forcibly cut connection access type dot1x mac authentication all domain isp name interface interface type interface number ip ip address mac mac address ucibindex ucib i...

Page 564: ...US scheme mainly include IP addresses of primary and secondary servers shared key and RADIUS server type Actually the RADIUS protocol configurations only set the parameters necessary for the information interaction between a NAS and a RADIUS server For these settings to take effect you must reference the RADIUS scheme containing those settings in ISP domain view For information about the commands ...

Page 565: ...US servers as the primary and secondary authentication authorization servers respectively At one time a server can be the primary authentication authorization server for a scheme and the secondary authentication authorization servers for another scheme z The IP addresses of the primary and secondary authentication authorization servers for a scheme cannot be the same Otherwise the configuration fa...

Page 566: ...top accounting request until it receives a response or the number of transmission retries reaches the configured limit In the latter case the device discards the packet z You can set the maximum number of accounting request transmission attempts on the device allowing the device to disconnect a user when the number of accounting request transmission attempts for the user reaches the limit but it s...

Page 567: ...ADIUS scheme and enter RADIUS scheme view radius scheme radius scheme name Required Not defined by default Set the number of retransmission attempts of RADIUS packets retry retry times Optional 3 by default z The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75 z Refer to the timer response timeout command...

Page 568: ... server remains the same z If the secondary server fails the device restores the status of the primary server to active immediately If the primary server has resumed the device turns to use the primary server and stops communicating with the secondary server After accounting starts the communication between the client and the secondary server remains unchanged Follow these steps to set the status ...

Page 569: ...e the command Remarks Enter system view system view Enable the RADIUS trap function radius trap accounting server down authentication server down Optional Disabled by default Create a RADIUS scheme and enter RADIUS scheme view radius scheme radius scheme name Required Not defined by default Specify the format of the username to be sent to a RADIUS server user name format keep original with domain ...

Page 570: ...ting request it has to resend the request so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout timer to control the transmission interval z Primary server quiet timer timer quiet If the primary server is not reachable its state changes to blocked and the device will turn to the specified secondary server If the secondary server is reach...

Page 571: ...ission attempts of RADIUS packets refer to the command retry in the command manual Specifying a Security Policy Server The core of the EAD solution is integration and cooperation and the security policy server system is the management and control center As a collection of software the security policy server system can run on Windows and Linux to provide functions such as user management security p...

Page 572: ...ics slot slot number Available in any view Display information about buffered stop accounting requests that get no responses display stop accounting buffer radius scheme radius server name session id session id time range start time stop time user name user name slot slot number Available in any view Clear RADIUS statistics reset radius statistics slot slot number Available in user view Clear buff...

Page 573: ...HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specify the primary HWTACACS authentication server primary authentication ip address port number Specify the secondary HWTACACS authentication server secondary authentication ip address port number Required Configure at least one of the commands No authentication server by default z ...

Page 574: ... secondary authorization servers cannot be the same Otherwise the configuration fails z You can remove an authorization server only when no active TCP connection for sending authorization packets is using it Specifying the HWTACACS Accounting Servers Follow these steps to specify the HWTACACS accounting servers and perform related configurations To do Use the command Remarks Enter system view syst...

Page 575: ...packets Only when the same key is used can they properly receive the packets and make responses Follow these steps to set the shared key for HWTACACS packets To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Set the shared keys for HWTACACS authentication authoriza...

Page 576: ...re sending the username to the server z The nas ip command in HWTACACS scheme view is only for the current HWTACACS scheme while the hwtacacs nas ip command in system view is for all HWTACACS schemes However the nas ip command in HWTACACS scheme view overwrites the configuration of the hwtacacs nas ip command Setting Timers Regarding HWTACACS Servers Follow these steps to set timers regarding HWTA...

Page 577: ...buffer hwtacacs scheme hwtacacs scheme name slot slot number Available in any view Clear HWTACACS statistics reset hwtacacs statistics accounting all authentication authorization slot slot number Available in user view Clear buffered stop accounting requests that get no responses reset stop accounting buffer hwtacacs scheme hwtacacs scheme name slot slot number Available in user view AAA Configura...

Page 578: ...g 10 1 1 1 49 Switch hwtacacs hwtac key authentication expert Switch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac key accounting expert Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the AAA methods for the domain Switch domain bbb Switch isp bbb authentication login hwtacacs scheme hwtac Switch isp bbb authorization login hwtacacs schem...

Page 579: ...nting Its IP address is 10 1 1 1 On the switch set the shared keys for packets exchanged with the RADIUS server to expert Configuration of separate AAA for other types of users is similar to that given in this example The only difference lies in the access type Figure 1 8 Configure AAA by separate servers for Telnet users Configuration procedure Configure the IP addresses of various interfaces omi...

Page 580: ...ods for all types of users Switch domain bbb Switch isp bbb authentication default local Switch isp bbb authorization default hwtacacs scheme hwtac Switch isp bbb accounting default radius scheme imc When telneting into the switch a user enters username telnet bbb for authentication using domain bbb AAA for SSH Users by a RADIUS Server Network requirements As shown in Figure 1 9 configure the swit...

Page 581: ...t Access Service Access Device from the navigation tree to enter the Access Device page Then click Add to enter the Add Access Device window and perform the following configurations z Set both the shared keys for authentication and accounting packets to expert z Specify the ports for authentication and accounting as 1812 and 1813 respectively z Select Device Management Service as the service type ...

Page 582: ... the navigation tree to enter the Device Management User page Then click Add to enter the Add Device Management User window and perform the following configurations z Add a user named hello bbb and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed as 192 168 1 0 to 192 168 1 255 and click Add to finish the operation ...

Page 583: ... of VLAN interface 3 through which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs and enable the SSH server Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Configure the switch to use AAA for SSH users Switch user interfa...

Page 584: ...gured account to access the user interface of the switch The commands that the user can access depend on the settings for EXEC users on the iMC server Troubleshooting AAA Troubleshooting RADIUS Symptom 1 User authentication authorization always fails Analysis 1 A communication failure exists between the NAS and the RADIUS server 2 The username is not in the format of userid isp name or no default ...

Page 585: ...n the NAS are the same as those configured on the RADIUS server 18 The port numbers of the RADIUS server for authentication authorization and accounting are available Symptom 3 A user is authenticated and authorized but accounting for the user is not normal Analysis 19 The accounting port number is not correct 20 Configuration of the authentication authorization server and the accounting server ar...

Page 586: ...ort security feature provides rich security modes that combine or extend 802 1X and MAC address authentication In a networking environment that requires flexible use of 802 1X and MAC address authentication you are recommended to configure the port security feature In a network environment that requires only 802 1X authentication you are recommended to configure the 802 1X directly rather than con...

Page 587: ...n relayed to the RADIUS server In EAP termination mode EAP protocol packets are terminated at the device repackaged in the Password Authentication Protocol PAP or Challenge Handshake Authentication Protocol CHAP attributes of RADIUS packets and then transferred to the RADIUS server Basic Concepts of 802 1X These basic concepts are involved in 802 1X controlled port uncontrolled port authorized sta...

Page 588: ...ts z auto Places the port in the unauthorized state initially to allow only EAPOL frames to pass and turns the ports into the authorized state to allow access to the network after the users pass authentication This is the most common choice Control direction In the unauthorized state the controlled port can be set to deny traffic to and from the client or just the traffic from the client Currently...

Page 589: ...ogoff a value of 0x02 Frame for logoff request present between a client and a device z Length Length of the data that is length of the Packet body field in bytes If the value of this field is 0 no subsequent data field is present z Packet body Content of the packet The format of this field varies with the value of the Type field EAP Packet Format An EAPOL frame of the type of EAP Packet carries an...

Page 590: ...lume EAP Message The EAP Message attribute is used to encapsulate EAP packets Figure 2 6 shows its encapsulation format The value of the Type field is 79 The String field can be up to 253 bytes If the EAP packet is longer than 253 bytes it can be fragmented and encapsulated into multiple EAP Message attributes Figure 2 6 Encapsulation format of the EAP Message attribute Message Authenticator Figur...

Page 591: ...0 seconds by default This method can be used to authenticate clients which cannot send EAPOL Start frames and therefore cannot trigger authentication for example the 802 1X client provided by Windows XP Authentication Process of 802 1X An 802 1X device communicates with a remotely located RADIUS server in two modes EAP relay and EAP termination The following description takes the EAP relay as an e...

Page 592: ... packet it encapsulates the username in an EAP Response Identity packet and sends the packet to the device 5 Upon receiving the EAP Response Identity packet the device relays the packet in a RADIUS Access Request packet to the authentication server 6 When receiving the RADIUS Access Request packet the RADIUS server compares the identify information against its user information table to obtain the ...

Page 593: ...has gone offline and performs the necessary operations guaranteeing that the device always knows when a client goes offline 12 The client can also send an EAPOL Logoff frame to the device to go offline unsolicitedly In this case the device changes the status of the port from authorized to unauthorized and sends an EAP Failure frame to the client In EAP relay mode a client must use the same authent...

Page 594: ...is section describes the timers used on an 802 1X device to guarantee that the client the device and the RADIUS server can interact with each other in a reasonable manner z Username request timeout timer tx period The device starts this timer when it sends an EAP Request Identity frame to a client If it receives no response before this timer expires the device retransmits the request When cooperat...

Page 595: ...thentication server sends authorization information to the device If the authorization information contains VLAN authorization information the device adds the port connecting the client to the assigned VLAN This neither changes nor affects the configurations of the port The only result is that the assigned VLAN takes precedence over the manually configured one that is the assigned VLAN takes effec...

Page 596: ... s link type in the similar way as described in VLAN assignment When a user of a port in the guest VLAN initiates an authentication if the authentication is not successful the port stays in the guest VLAN if the authentication is successful the port leaves the guest VLAN and z If the authentication server assigns a VLAN the port joins the assigned VLAN After the user goes offline the port returns ...

Page 597: ...tion that uses certificates the certificate of a user determines the authentication domain of the user However you can specify different mandatory authentication domains for different ports even if the user certificates are from the same certificate authority that is the user domain names are the same This allows you to deploy 802 1X access policies flexibly Configuring 802 1X Configuration Prereq...

Page 598: ... timer 100 seconds for the server timeout timer 30 seconds for the client timeout timer and 30 seconds for the username request timeout timer Enable the quiet timer dot1x quiet period Optional Disabled by default Note that z For 802 1X to take effect on a port you must enable it both globally in system view and for the port in system view or Ethernet interface view z You can also enable 802 1X and...

Page 599: ...d portbased Optional macbased by default Set the maximum number of users for the port dot1x max user user number Optional 256 by default Enable online user handshake dot1x handshake Optional Enabled by default Enable the online handshake security function dot1x handshake secure Optional Disabled by default Enable multicast trigger dot1x multicast trigger Optional Enabled by default Enable periodic...

Page 600: ... voice VLAN function and 802 1X are mutually exclusive and cannot be configured together on the same port For details about voice VLAN refer to VLAN Configuration in the Access Volume Configuring an 802 1X Port based Guest VLAN Configuration prerequisites z Enable 802 1X z Create the VLAN to be specified as the guest VLAN z Set the port access control method to portbased z Ensure that the 802 1X m...

Page 601: ... RADIUS server is received If the RADIUS accounting fails the device gets users offline z A server group with two RADIUS servers is connected to the device The IP addresses of the servers are 10 1 1 1 and 10 1 1 2 respectively Use the former as the primary authentication secondary accounting server and the latter as the secondary authentication primary accounting server z Set the shared key for th...

Page 602: ...ssword simple localpass Device luser localuser attribute idle cut 20 Device luser localuser quit Create RADIUS scheme radius1 and enter its view Device radius scheme radius1 Configure the IP addresses of the primary authentication and accounting RADIUS servers Device radius radius1 primary authentication 10 1 1 1 Device radius radius1 primary accounting 10 1 1 2 Configure the IP addresses of the s...

Page 603: ...al Set the maximum number of users for the domain as 30 Device isp aabbcc net access limit enable 30 Enable the idle cut function and set the idle cut interval Device isp aabbcc net idle cut enable 20 Device isp aabbcc net quit Configure aabbcc net as the default domain Device domain default enable aabbcc net Enable 802 1X globally Device dot1x Enable 802 1X for port GigabitEthernet 1 0 1 Device i...

Page 604: ...h in VLAN 10 so that the host can access the update server and download the 802 1X client As shown in Figure 2 13 z After the host passes the authentication and logs in the host is added to VLAN 5 In this case the host and GigabitEthernet 1 0 3 are both in VLAN 5 so that the host can access the Internet Figure 2 11 Network diagram for guest VLAN configuration Internet Update server Authenticator s...

Page 605: ...entication 10 11 1 1 1812 Device radius 2000 primary accounting 10 11 1 1 1813 Device radius 2000 key authentication abc Device radius 2000 key accounting abc Device radius 2000 user name format without domain Device radius 2000 quit Configure authentication domain system and specify to use RADIUS scheme 2000 for users of the domain Device domain system Device isp system authentication default rad...

Page 606: ...the configured guest VLAN functions z When no users log in z When a user goes offline After a user passes the authentication successfully you can use the display interface GigabitEthernet 1 0 2 command to verity that port GigabitEthernet 1 0 2 has been added to the assigned VLAN 5 ACL Assignment Configuration Example Network requirements As shown in Figure 2 14 a host is connected to port GigabitE...

Page 607: ...e isp 2000 authorization default radius scheme 2000 Device isp 2000 accounting default radius scheme 2000 Device isp 2000 quit Configure ACL 3000 to deny packets destined for 10 0 0 1 Device acl number 3000 Device acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Enable 802 1X globally Device dot1x Enable 802 1X for port GigabitEthernet 1 0 1 Device interface GigabitEthernet 1 0 1 Device GigabitE...

Page 608: ...which tends to be time consuming and inefficient To address the issue quick EAD deployment was developed In conjunction with 802 1X it can have an access switch to force all attached devices to download and install the EAD client before permitting them to access the network EAD Fast Deployment Implementation To support the fast deployment of EAD schemes 802 1X provides the following two mechanisms...

Page 609: ...s before passing 802 1X authentication Once a free IP is configured the fast deployment of EAD is enabled Follow these steps to configure a freely accessible network segment To do Use the command Remarks Enter system view system view Configure a freely accessible network segment dot1x free ip ip address mask address mask length Required No freely accessible network segment is configured by default...

Page 610: ...ork segment but fail the authentication ACLs will soon be used up and new users will be rejected An EAD rule timeout timer is designed to solve this problem When a user accesses the network this timer is started If the user neither downloads client software nor performs authentication before the timer expires the occupied ACL will be released so that other users can use it When there are a large n...

Page 611: ... 192 168 2 0 24 GE1 0 1 Configuration procedure 1 Configure the WEB server Before using the EAD fast deployment function you need to configure the WEB server to provide the download service of 802 1X client software 2 Configure the device to support EAD fast deployment Configure the IP addresses of the interfaces omitted Configure the free IP Device system view Device dot1x free ip 192 168 2 0 24 ...

Page 612: ...ecified URL Analysis z The address is in the string format In this case the operating system of the host regards the string a website name and tries to have it resolved If the resolution fails the operating system sends an ARP request with the address in the format other than X X X X The redirection function does redirect this kind of ARP request z The address is within the freely accessible netwo...

Page 613: ... devices of the cluster to bypass 802 1X authentication because network devices usually do not support 802 1 client Otherwise the management device will fail to perform centralized management of the cluster member devices For more information about the cluster function refer to Cluster Configuration in the System Volume As shown in Figure 4 1 802 1X authenticator Switch A has two switches attached...

Page 614: ...en link layer frames exchanged between the clients can bypass the 802 1X authentication on ports of the server without affecting the normal operation of the whole network All HABP packets must travel in a VLAN which is called the management VLAN Communication between the HABP server and the HABP clients is implemented through the management VLAN Configuring HABP Complete the following tasks to con...

Page 615: ...by default Configure HABP to work in client mode undo habp server Optional HABP works in client mode by default Displaying and Maintaining HABP To do Use the command Remarks Display HABP configuration information display habp Available in any view Display HABP MAC address table entries display habp table Available in any view Display HABP packet statistics display habp traffic Available in any vie...

Page 616: ...onfigure Switch B and Switch C Configure Switch B and Switch C to work in HABP client mode This configuration is usually unnecessary because HABP is enabled and works in client mode by default 3 Verify your configuration Display HABP configuration information SwitchA display habp Global HABP information HABP Mode Server Sending HABP request packets every 50 seconds Bypass VLAN 2 Display HABP MAC a...

Page 617: ... and password z Fixed username where all users use the same preconfigured username and password for authentication regardless of the MAC addresses RADIUS Based MAC Authentication In RADIUS based MAC authentication the device serves as a RADIUS client and requires a RADIUS server to cooperate with it z If the type of username is MAC address the device forwards a detected MAC address as the username...

Page 618: ...quiet MAC address is the same as a static MAC address configured or an MAC address that has passed another type of authentication the quiet function does not take effect VLAN Assigning For separation of users from restricted network resources users and restricted resources are usually put into different VLANs After a user passes identity authentication the authorization server assigns to the user ...

Page 619: ...interface list Enable MAC authentication for specified ports interface interface type interface number mac authentication quit Required Use either approach Disabled by default Specify the ISP domain for MAC authentication mac authentication domain isp name Optional The default ISP domain is used by default Set the offline detect timer mac authentication timer offline detect offline detect value Op...

Page 620: ...interface list Available in user view MAC Authentication Configuration Examples Local MAC Authentication Configuration Example Network requirements As illustrated in Figure 5 1 a supplicant is connected to the device through port GigabitEthernet 1 0 1 z Local MAC authentication is required on every port to control user access to the Internet z All users belong to domain aabbcc net z Local users us...

Page 621: ...sername format as MAC address that is using the MAC address with hyphens of a user as the username and password for MAC authentication of the user Device mac authentication user name format mac address with hyphen 2 Verify the configuration Display global MAC authentication information Device display mac authentication MAC address authentication is enabled User name format is MAC address like xx x...

Page 622: ...123456 Figure 5 2 Network diagram for MAC authentication using RADIUS Configuration procedure It is required that the RADIUS server and the device are reachable to each other and the username and password are configured on the server 1 Configure MAC authentication on the device Configure a RADIUS scheme Device system view Device radius scheme 2000 Device radius 2000 primary authentication 10 1 1 1...

Page 623: ...ntication MAC address authentication is enabled User name format is fixed account Fixed username aaa Fixed password 123456 Offline detect period is 180s Quiet period is 180s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 1 Current domain is 2000 Silent Mac User info MAC Addr From Port Port Index GigabitEthernet1 0 1 is link up MAC ...

Page 624: ...password of each user on the RADIUS server correctly z You need to configure the RADIUS server to assign ACL 3000 as the authorization ACL Configure the RADIUS scheme Sysname system view Sysname radius scheme 2000 Sysname radius 2000 primary authentication 10 1 1 1 1812 Sysname radius 2000 primary accounting 10 1 1 2 1813 Sysname radius 2000 key authentication abc Sysname radius 2000 key accountin...

Page 625: ...r MAC authentication of the user Sysname mac authentication user name format mac address Enable MAC authentication for port GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 mac authentication After completing the above configurations you can use the ping command to verify whether the ACL 3000 assigned by the RADIUS server functions C ping 10 0 0 1 Pinging ...

Page 626: ... needed When a port security enabled device detects an illegal frame it triggers the corresponding port security feature and takes a pre defined action automatically This reduces your maintenance workload and greatly enhances system security The following types of frames are classified as illegal z Received frames with unknown source MAC addresses when MAC address learning is disabled z Received f...

Page 627: ...noRestrictions Port security is disabled on the port and access to the port is not restricted In this mode neither the NTK nor the intrusion protection feature is triggered autoLearn In this mode a port can learn a specified number of MAC addresses and save those addresses as secure MAC addresses It permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses con...

Page 628: ...authentication upon receiving 802 1X frames macAddressElseUs erLoginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes with MAC authentication having a higher priority z Upon receiving a non 802 1X frame a port in this mode performs only MAC authentication z Upon receiving an 802 1X frame the port performs MAC authentication and then if MAC authentication fai...

Page 629: ...ntication fails the protocol type of the authentication request determines whether to turn to the authentication method following the Else z In a security mode with Or the protocol type of the authentication request determines which authentication method is to be used However 802 1X authentication is preferred by wireless users z userLogin with Secure specifies MAC based 802 1X authentication z Ex...

Page 630: ...gurations on a port to the bracketed defaults z Port security mode noRestrictions z 802 1X disabled port access control method macbased and port access control mode auto z MAC authentication disabled 3 Port security cannot be disabled if there is any user present on a port z For detailed 802 1X configuration refer to 802 1X Configuration in the Security Volume z For detailed MAC based authenticati...

Page 631: ...ty mode ensure that z 802 1X is disabled the port access control method is macbased and the port access control mode is auto z MAC authentication is disabled z The port does not belong to any aggregation group The above requirements must be all met Otherwise you will see an error message and your configuration will fail On the other hand after setting the port security mode on a port you cannot ch...

Page 632: ...irst 24 bits of the MAC address and uniquely identifies a device vendor z You can configure multiple OUI values However a port in userLoginWithOUI mode allows only one 802 1X user and one user whose MAC address contains a specified OUI z After enabling port security you can change the port security mode of a port only when the port is operating in noRestrictions mode the default mode To change the...

Page 633: ... the following security policies when it detects illegal frames z blockmac Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards frames with blocked source MAC addresses A blocked MAC address is restored to normal after being blocked for three minutes which is fixed and cannot be changed z disableport Disables the port permanently z disableport temporarily ...

Page 634: ...rt security trap addresslearned dot1xlogfailure dot1xlogoff dot1xlogon intrusion ralmlogfailure ralmlogoff ralmlogon Required By default no port security trap is enabled Configuring Secure MAC Addresses Secure MAC addresses are special MAC addresses They never age out or get lost if saved before the device restarts One secure MAC address can be added to only one port in the same VLAN Thus you can ...

Page 635: ...n the RADIUS server delivers the authorization information to the device You can configure a port to ignore the authorization information from the RADIUS server Follow these steps to configure a port to ignore the authorization information from the RADIUS server To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Ignore the...

Page 636: ...gram for configuring the autoLearn mode Configuration procedure 1 Configure port security Enable port security Switch system view Switch port security enable Enable intrusion protection trap Switch port security trap intrusion Switch interface gigabitethernet 1 0 1 Set the maximum number of secure MAC addresses allowed on the port to 64 Switch GigabitEthernet1 0 1 port security max mac count 64 Se...

Page 637: ...y this interface GigabitEthernet1 0 1 port security max mac count 64 port security port mode autolearn port security intrusion mode disableport temporarily port security mac address security 0002 0000 0015 vlan 1 port security mac address security 0002 0000 0014 vlan 1 port security mac address security 0002 0000 0013 vlan 1 port security mac address security 0002 0000 0012 vlan 1 port security ma...

Page 638: ... client is authorized to access the Internet z RADIUS server 192 168 1 2 functions as the primary authentication server and the secondary accounting server and RADIUS server 192 168 1 3 functions as the secondary authentication server and the primary accounting server The shared key for authentication is name and that for accounting is money z All users belong to default domain sun which can accom...

Page 639: ...retry 5 Switch radius radsun timer realtime accounting 15 Switch radius radsun user name format without domain Switch radius radsun quit Configure an ISP domain named sun Switch domain sun Switch isp sun authentication default radius scheme radsun Switch isp sun authorization default radius scheme radsun Switch isp sun accounting default radius scheme radsun Switch isp sun access limit enable 30 S...

Page 640: ...val for realtime accounting minute 15 Retransmission times of realtime accounting packet 5 Retransmission times of stop accounting packet 500 Quiet interval min 5 Username format without domain Data flow unit Byte Packet unit one Use the following command to view the configuration information of the ISP domain named sun Switch display domain sun Domain sun State Active Access limit 30 Accounting m...

Page 641: ... Timer is disabled Supp Timeout 30 s Server Timeout 100 s The maximal retransmitting times 2 EAD quick deploy configuration EAD timeout 30m The maximum 802 1X user resource number is 1024 per slot Total current used 802 1X resource number is 1 GigabitEthernet1 0 1 is link up 802 1X protocol is enabled Handshake is enabled The port is an authenticator Authentication Mode is Auto Port Control Type i...

Page 642: ...perform MAC authentication first and then if MAC authentication fails 802 1X authentication Allow only one 802 1X user to log on z Set fixed username and password for MAC based authentication Set the total number of MAC authenticated users and 802 1X authenticated users to 64 z Enable NTK to prevent frames from being sent to unknown MAC addresses See Figure 6 2 Configuration procedure z Configurat...

Page 643: ...ode is macAddressElseUserLoginSecure NeedToKnow mode is NeedToKnowOnly Intrusion Protection mode is NoAction Max MAC address number is 64 Stored MAC address number is 0 Authorization is permitted Use the following command to view MAC authentication information Switch display mac authentication interface gigabitethernet 1 0 1 GigabitEthernet1 0 1 is link up MAC address authentication is enabled Aut...

Page 644: ...ackets 4 Fail Packets 5 Received EAPOL Start Packets 6 EAPOL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Packets 6 Error Packets 0 1 Authenticated user MAC address 0002 0000 0011 Controlled User s amount to 1 In addition as NTK is enabled frames with unknown destination MAC addresses multicast addresses and broadcast addresses should be discarded Troubleshooting Port S...

Page 645: ...ax mac count 64 Switch GigabitEthernet1 0 1 port security port mode autolearn Switch GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 Cannot Change Port Security Mode When a User Is Online Symptom Port security mode cannot be changed when an 802 1X authenticated or MAC authenticated user is online Switch GigabitEthernet1 0 1 undo port security port mode Error Cannot configure p...

Page 646: ...guard If there is a match the port forwards the packet Otherwise the port discards the packet IP source guard filters packets based on the following types of binding entries z IP port binding entry z MAC port binding entry z IP MAC port binding entry z IP VLAN port binding entry z MAC VLAN port binding entry z IP MAC VLAN port binding entry You can manually set static binding entries or use DHCP s...

Page 647: ...r 0 0 0 0 z A static binding entry can be configured on only Layer 2 Ethernet ports Configuring Dynamic Binding Function After the dynamic binding function is enabled on a port IP source guard will receive and process corresponding DHCP snooping or DHCP relay entries which contain such information as MAC address IP address VLAN tag port information or entry type It adds the obtained information to...

Page 648: ...re static binding entries on Switch A and Switch B to meet the following requirements z On port GigabitEthernet 1 0 2 of Switch A only IP packets from Host C can pass z On port GigabitEthernet 1 0 1 of Switch A only IP packets from Host A can pass z On port GigabitEthernet 1 0 2 of Switch B only IP packets from Host A can pass z On port GigabitEthernet 1 0 1 of Switch B only IP packets from Host B...

Page 649: ... SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration On Switch A static binding entries are configured successfully SwitchA display user bind Total entries found 2 MAC IP Vlan Port Status 0001 0203 0405 192 168 0 3 N A GigabitEthernet1 0 2 Static 0001 0203 0406 192 168 0 1 N A GigabitEthernet1 0...

Page 650: ...ce gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 dhcp snooping trust SwitchA GigabitEthernet1 0 2 quit 2 Verify the configuration Display dynamic binding function is configured successfully on port GigabitEthernet 1 0 1 SwitchA interface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 display this interface GigabitEthernet1 0 1 ip check source ip address mac address return Display the dyna...

Page 651: ...ated by DHCP snooping after it is configured with dynamic binding function Troubleshooting IP Source Guard Failed to Configure Static Binding Entries and Dynamic Binding Function Symptom Configuring static binding entries and dynamic binding function fails on a port Analysis IP Source Guard is not supported on the port which has joined an aggregation group Neither static binding entries nor dynami...

Page 652: ...ients but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Currently when acting as an SSH server the device supports two SSH versions SSH2 0 and SSH1 When acting as an SSH client the device supports SSH2 0 only Operation of SSH The session establishment and interaction between an SSH client and the SSH server involves the followi...

Page 653: ...upports the version the server and client will use the version Otherwise the negotiation fails 5 If the negotiation is successful the server and the client proceed with key and algorithm negotiation otherwise the server breaks the TCP connection All the packets involved in the above steps are transferred in plain text Key and algorithm negotiation z The server and the client send key algorithm neg...

Page 654: ...alid the authentication fails otherwise the server authenticates the client by the digital signature Finally the server sends a message to the client to inform the success or failure of the authentication Currently the device supports two publickey algorithms for digital signature RSA and DSA The following gives the steps of the authentication stage 1 The client sends to the server an authenticati...

Page 655: ...st be within 2000 bytes It is recommended that the commands are in the same view otherwise the server may not be able to perform the commands correctly z If the command text exceeds 2000 bytes you can execute the commands by saving the text as a configuration file uploading the configuration file to the server through SFTP and then using the configuration file to restart the server Configuring the...

Page 656: ...r and client respectively no session key transmission is required in SSH2 and the server key pair is not used z The length of the modulus of RSA server keys and host keys must be in the range 512 to 2048 bits Some SSH2 clients require that the length of the key modulus be at least 768 bits on the SSH server side z The public key local create dsa command generates only the host key pair SSH1 does n...

Page 657: ...SH you cannot change the authentication mode To change the authentication mode undo the SSH support configuration first Configuring a Client Public Key This configuration task is only necessary for SSH users using publickey authentication For each SSH user that uses publickey authentication to login you must configure the client s DSA or RSA host public key on the server and configure the client t...

Page 658: ...public key code end When you exit public key code view the system automatically saves the public key Return from public key view to system view peer public key end Importing a client public key from a public key file Follow these steps to import a public key from a public key file To do Use the command Remarks Enter system view system view Import the public key from a public key file public key pe...

Page 659: ...service type sftp if the client uses SSH1 to log into the server you must set the service type to stelnet or all on the server Otherwise the client will fail to log in z The working folder of an SFTP user is subject to the user authentication method For a user using only password authentication the working folder is the AAA authorized one For a user using only publickey authentication or using bot...

Page 660: ... Set the SSH user authentication timeout period ssh server authentication timeout time out value Optional 60 seconds by default Set the maximum number of SSH authentication attempts ssh server authentication retries times Optional 3 by default Authentication will fail if the number of authentication attempts including both publickey and password authentication exceeds that specified in the ssh ser...

Page 661: ...lient will use the saved server host public key to authenticate the server z Without first time authentication a client not configured with the server host public key will deny to access the server To access the server a user must configure in advance the server host public key locally and specify the public key name for authentication Enable the device to support first time authentication Follow ...

Page 662: ...cryption algorithms preferred HMAC algorithms and preferred key exchange algorithm For an IPv4 IPv6 server ssh2 ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Use either command in user view Displaying...

Page 663: ...the SSH server for secure data exchange z Password authentication is required The username and password are saved on the switch Figure 8 1 Switch acts as server for password authentication Configuration procedure 1 Configure the SSH server Generate RSA and DSA key pairs and enable the SSH server Switch system view Switch public key local create rsa Switch public key local create dsa Switch ssh ser...

Page 664: ...y the service type for user client001 as Stelnet and the authentication mode as password This step is optional Switch ssh user client001 service type stelnet authentication type password 2 Configure the SSH client There are many kinds of SSH client software such as PuTTY and OpenSSH The following is an example of configuring SSH client using Putty Version 0 58 Establish a connection with the SSH s...

Page 665: ...hentication Network requirements z As shown in Figure 8 3 a local SSH connection is established between the host the SSH client and the switch the SSH server for secure data exchange z Publickey authentication is used the algorithm is RSA Figure 8 3 Switch acts as server for publickey authentication SSH client SSH server Host Switch 192 168 1 56 24 Vlan int1 192 168 1 40 24 Configuration procedure...

Page 666: ...0 4 user privilege level 3 Switch ui vty0 4 quit Before performing the following tasks you must use the client software to generate an RSA key pair on the client save the public key in a file named key pub and then upload the file to the SSH server through FTP or TFTP For details refer to Configure the SSH client below Import the client s public key from file key pub and name it Switch001 Switch p...

Page 667: ... key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 8 5 Otherwise the process bar stops moving and the key pair generating process will be stopped ...

Page 668: ...8 17 Figure 8 5 Generate a client key pair 2 After the key pair is generated click Save public key and specify the file name as key pub to save the public key Figure 8 6 Generate a client key pair 3 ...

Page 669: ...4 After generating a key pair on a client you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of the client Specify the private key file and establish a connection with the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP addres...

Page 670: ...rname After entering the correct username client002 you can enter the configuration interface SSH Client Configuration Examples When Switch Acts as Client for Password Authentication Network requirements z As shown in Figure 8 10 Switch A the SSH client needs to log into Switch B the SSH server through the SSH protocol z The username of the SSH client is client001 and the password is aabbcc Passwo...

Page 671: ...bbcc SwitchB luser client001 service type ssh SwitchB luser client001 authorization attribute level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authentication type as password This step is optional SwitchB ssh user client001 service type stelnet authentication type password 2 Configure the SSH client Configure an IP address for VLAN interface 1 Swi...

Page 672: ...2932E69D3B1F18517AD95 SwitchA pkey key code 94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 SwitchA pkey key code B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9 SwitchA pkey key code B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC 9B09EEF0381840002818000AF995917 SwitchA pkey key code E1E570A3F6B1C2411948B3B4FFA256699B3BF871221C...

Page 673: ...on for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh Set the user command privilege leve...

Page 674: ...ic key local create dsa Export the DSA public key to the file key pub SwitchA public key local export dsa ssh2 key pub SwitchA quit After generating a key pair on a client you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of the client Establish an SSH connection to the server 10 165 87 136...

Page 675: ...n SFTP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the detailed configuration procedure refer to Configuring the Device as an SSH Server z You have used the ssh user service type command to set the service type of SSH users to sftp or all For configuration...

Page 676: ...or the SFTP Client You can configure a client to use only a specified source IP address or interface to access the SFTP server thus enhancing the service manageability Follow these steps to specify a source IP address or interface for the SFTP client To do Use the command Remarks Enter system view system view Specify a source IPv4 address or interface for the SFTP client sftp client source ip ip a...

Page 677: ...include z Changing or displaying the current working directory z Displaying files under a specified directory or the directory information z Changing the name of a specified directory on the server z Creating or deleting a directory Follow these steps to work with the SFTP directories To do Use the command Remarks Enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos...

Page 678: ...pher aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Execute the command in user view Change the name of a specified file or directory on the SFTP server rename old name new name Optional Download a file from the remote server and save it locally get remote file local file Optional Upload a local file to the remote SFTP server put local file remote file Optional dir a l remote path Di...

Page 679: ...P server To do Use the command Remarks Enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Execute the command in user view bye exit Terminate the connection to the remote SFTP s...

Page 680: ...itchB ui vty0 4 quit Before performing the following tasks you must generate use the client software to generate RSA key pairs on the client save the host public key in a file named pubkey and then upload the file to the SSH server through FTP or TFTP For details refer to Configure the SFTP client Switch A below Import the peer public key from the file pubkey SwitchB public key peer Switch001 impo...

Page 681: ...ver delete the file named z and check if the file has been deleted successfully sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub rwxrwxrwx 1 noone nogroup 0 Sep 01 08 00 z sftp client ...

Page 682: ...new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 Download the file pubkey2 from the server and change the name to public sftp client get pubkey2 public Remote file pubkey2 Local file public Downloading file successfully ended Upload the local file pu to the server save it as puk and check if the file has been uploaded successfully sftp client put pu...

Page 683: ... server enable Configure an IP address for VLAN interface 1 which the client will use as the destination for SSH connection Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 45 255 255 255 0 Switch Vlan interface1 quit Set the authentication mode of the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user inter...

Page 684: ... supports only password authentication Establish a connection with the remote SFTP server Run the psftp exe to launch the client interface as shown in Figure 9 3 and enter the following command open 192 168 1 45 Enter username client002 and password aabbcc as prompted to log into the SFTP server Figure 9 3 SFTP client interface ...

Page 685: ...solve this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in large networks securely With digital certificates the PKI system provides network communication and e commerce with security services such as user authentication data non repudiation data confidentiality and data integrity PKI Terms Digital certificate A digital certificate is a...

Page 686: ...s is so large that publishing them in a single CRL may degrade network performance and it uses CRL distribution points to indicate the URLs of these CRLs CA policy A CA policy is a set of criteria that a CA follows in processing certificate requests issuing and revoking certificates and publishing CRLs Usually a CA advertises its policy in the form of certification practice statement CPS A CA poli...

Page 687: ... PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private network VPN is a private data communication network built on the public communication infrastructure A VPN can leverage network layer security protocols for instance IPSec in conjunction with PKI based encryp...

Page 688: ...tting a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting a Certificate Optional Configuring an Access Control Policy Optional Configuring an Entity DN A certificate is the binding of a public key and the identity information of an entity where the identit...

Page 689: ...y fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locality locality name Optional No locality is specified by default Configure the organization name for the entity organization org name Optional No organization is specified by default Configure the unit ...

Page 690: ... a dedicated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certificate request manually During this period the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed You can configu...

Page 691: ...ification root certificate fingerprint md5 sha1 string Required when the certificate request mode is auto and optional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is configured by default z Currently up to two PKI domains can be created on a device z The CA name ...

Page 692: ... and validity of a local certificate Generating an RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information For detailed information about RSA key pair configuration refer to Public Key Configuration in the Security Volume Follow t...

Page 693: ...n command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of the certificate will be abnormal z The pki request certificate domain configuration will not be saved in the configuration file Retrieving a Certificate Manually You can download an existing CA cert...

Page 694: ...CRL checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verification To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name Specify the URL of the CRL distribution point crl url url string Optional No CRL distri...

Page 695: ...n file z Currently the URL of the CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA When the private key leaks or the certificate is about to expire you can destroy the old RSA key pair and then create a pair to request a new certificate Follow these steps to destroy a local RSA key pair To do Us...

Page 696: ...ject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject name and alternative subject name by default Return to system view quit Create a certificate attribute based access control policy and enter its view pki certificate access control policy policy name Required No access control policy exists by default Configure a certifica...

Page 697: ...red when RSA Keon is used In this case when configuring a PKI domain you need to use the certificate request from ca command to specify that the entity requests a certificate from a CA Requesting a Certificate from a CA Running RSA Keon The CA server runs RSA Keon in this configuration example Network requirements z The device submits a local certificate request to the CA server z The device acqui...

Page 698: ...nd the common name as switch Switch system view Switch pki entity aaa Switch pki entity aaa common name switch Switch pki entity aaa quit z Configure the PKI domain Create PKI domain torsa and enter its view Switch pki domain torsa Configure the name of the trusted CA as myca Switch pki domain torsa ca identifier myca Configure the URL of the registration server in the format of http host port Iss...

Page 699: ... domain torsa Connecting to server for retrieving CRL Please wait a while CRL retrieval success Request a local certificate manually Switch pki request certificate domain torsa challenge word Certificate is being requested please wait Switch Enrolling the local certificate please wait a while Certificate request Successfully Saving the local certificate to device Done 3 Verify your configuration U...

Page 700: ...RSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands to view detailed information about the CA certificate...

Page 701: ... Policy Module Click Properties and then select Follow the settings in the certificate template if applicable Otherwise automatically issue the certificate z Modify the Internet Information Services IIS attributes From the start menu select Control Panel Administrative Tools Internet Information Services IIS Manager and then select Web Sites from the navigation tree Right click on Default Web Site...

Page 702: ...24 Generating Keys z Apply for certificates Retrieve the CA certificate and save it locally Switch pki retrieval certificate ca domain torsa Retrieving CA RA certificates Please wait a while The trusted CA s finger print is MD5 fingerprint 766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB SHA1 fingerprint 97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct Y N y Saving CA RA certif...

Page 703: ...ponent 65537 0x10001 X509v3 extensions X509v3 Subject Key Identifier B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier keyid 9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points URI http l00192b CertEnroll CA 20server crl URI file l00192b CertEnroll CA server crl Authority Information Access CA Issuers URI http l00192b CertEnroll l00192b_CA 20serve...

Page 704: ...y must be created in advance For detailed configuration of the PKI domain refer to Configure the PKI domain 1 Configure the HTTPS server Configure the SSL policy for the HTTPS server to use Switch system view Switch ssl server policy myssl Switch ssl server policy myssl pki domain 1 Switch ssl server policy myssl client verify enable Switch ssl server policy myssl quit 2 Configure the certificate ...

Page 705: ...tribute based access control policy to HTTPS service and enable HTTPS service Apply SSL server policy myssl to HTTPS service Switch ip https ssl server policy myssl Apply the certificate attribute based access control policy of myacp to HTTPS service Switch ip https certificate access control policy myacp Enable HTTPS service Switch ip https enable Troubleshooting PKI Failed to Retrieve a CA Certi...

Page 706: ...Retrieve a CA certificate z Regenerate a key pair z Specify a trusted CA z Use the ping command to check that the RA server is reachable z Specify the authority for certificate request z Configure the required entity DN parameters Failed to Retrieve CRLs Symptom Failed to retrieve CRLs Analysis Possible reasons include these z The network connection is not proper For example the network cable may ...

Page 707: ...r and client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key Infrastructure PKI z Reliability SSL uses the key based message authentication code MAC to verify message integrity A MAC algorithm transforms a message of any length to a fixed length message Figure 1...

Page 708: ...entity authentication of the server and client Through the SSL handshake protocol a session is established between a client and the server A session consists of a set of parameters including the session ID peer certificate cipher suite and master secret z SSL change cipher spec protocol Used for notification between a client and the server that the subsequent packets are to be protected and transm...

Page 709: ... and enter its view ssl server policy policy name Required Specify a PKI domain for the SSL server policy pki domain domain name Required By default no PKI domain is specified for an SSL server policy Specify the cipher suite s for the SSL server policy to support ciphersuite rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Optional By default an SSL server policy supports all c...

Page 710: ...or TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z Device works as the HTTPS server z A host works as the client and accesses the HTTPS server through HTTP secured with SSL z A certificate authority CA issues a certificate to Device In this instance Windows Server works as the CA and the Simple Certificate Enrollment Protocol SCEP plug in is in...

Page 711: ...myssl client verify enable Device ssl server policy myssl quit 3 Associate HTTPS service with the SSL server policy and enable HTTPS service Configure HTTPS service to use SSL server policy myssl Device ip https ssl server policy myssl Enable HTTPS service Device ip https enable 4 Verify your configuration Launch IE on the host and enter https 10 1 1 1 in the address bar You should be able to log ...

Page 712: ...or the SSL client policy pki domain domain name Required No PKI domain is configured by default Specify the preferred cipher suite for the SSL client policy prefer cipher rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Optional rsa_rc4_128_md5 by default Specify the SSL protocol version for the SSL client policy version ssl3 0 tls1 0 Optional TLS 1 0 by default If you enable cl...

Page 713: ...ne for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server or let the server requests a certificate from the CA that the SSL client trusts z If the SSL server is configured to authenticate the client but the certificate of the SSL client does not exist or cannot be trusted request and install ...

Page 714: ... 12 1 the information is encrypted before being sent for confidentiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 12 1 Encryption and decryption There are two types of key algorithms based on whether the keys for encryption and decryption are the same z Symmetric key algorithm The same key is used for both encryptio...

Page 715: ...nature is correct the data is considered from user 1 Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption decryption and signature whereas DSA are used for signature only Asymmetric key algorithms are usually used in digital signature applications for peer identity authentication because they involve complex c...

Page 716: ... the local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public key To do Use the command Remarks Enter system view system view Display the local RSA host public key on the screen in a specified format or export it to a specified file public key local export rsa openssh ssh1 ssh2 filename Display the local DSA host public key on the ...

Page 717: ...ublic key of a peer manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a public key of the peer Type or copy the key Required Spaces and carriage returns are allowed between characters Return to public key view public key code end When you exit public key code view the system ...

Page 718: ... local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RSA key pairs DeviceA display public key local rsa public Time of Key pair created 09 50 06 2007 08 07 Key name HOST_KEY Key type RSA Encryption Key ...

Page 719: ...03818D0030818902818100D90003F A95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A 9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326 470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 DeviceB pkey key code public key code end DeviceB pkey public key peer public key end Display the host publi...

Page 720: ... Time of Key pair created 09 50 06 2007 08 07 Key name HOST_KEY Key type RSA Encryption Key Key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A78 4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA 80AAB5EE01986BD1EF64B42F17CCAE4A...

Page 721: ... logged in ftp binary 200 Type set to I ftp put devicea pub 227 Entering Passive Mode 10 1 1 2 5 148 125 BINARY mode data connection already open transfer starting for devicea pub 226 Transfer complete FTP 299 byte s sent in 0 189 second s 1 00Kbyte s sec 4 Import the host public key of Device A to Device B Import the host public key of Device A from the key file devicea pub to Device B DeviceB pu...

Page 722: ...control network traffic and save network resources Access control lists ACL are often used to filter packets with configured matching rules ACLs are sets of rules or sets of permit or deny statements that decide what packets can pass and what should be rejected based on matching criteria such as source MAC address destination MAC address source IP address destination IP address and port number App...

Page 723: ...o IPv4 ACL This section covers these topics z IPv4 ACL Classification z IPv4 ACL Naming z IPv4 ACL Match Order z IPv4 ACL Step z Effective Period of an IPv4 ACL z IP Fragments Filtering with IPv4 ACL IPv4 ACL Classification IPv4 ACLs identified by ACL numbers fall into three categories as shown in Table 13 1 Table 13 1 IPv4 ACL categories Category ACL number Matching criteria Basic IPv4 ACL 2000 t...

Page 724: ... Depth first match for an advanced IPv4 ACL The following shows how your device performs depth first match in an advanced IPv4 ACL 1 Sort rules by VPN instance first and compare packets against the rule configured with a VPN instance 2 In case of a tie look at the protocol carried over IP A rule with no limit to the protocol type that is configured with the ip keyword has the lowest precedence Rul...

Page 725: ...l assign a newly defined rule a number that is the smallest multiple of the step bigger than the current biggest number For example with a step of five if the biggest number is currently 28 the newly defined rule will get a number of 30 If the ACL has no rule defined already the first defined rule will get a number of 0 Another benefit of using the step is that it allows you to insert new rules be...

Page 726: ...her to specify a name for an ACL is up to you After creating an ACL you cannot specify a name for it nor can you change or remove its name The name of an IPv6 ACL must be unique among IPv6 ACLs However an IPv6 ACL and an IPv4 ACL can share the same name IPv6 ACL Match Order Similar to IPv4 ACLs an IPv6 ACL consists of multiple rules each of which specifies different matching criteria These criteri...

Page 727: ...es are the same look at the destination IPv6 address prefixes Then compare packets against the rule configured with a longer prefix for the destination IPv6 address 4 If the prefix lengths for the destination IPv6 addresses are the same look at the Layer 4 port number ranges namely the TCP UDP port number ranges Then compare packets against the rule configured with the smaller port number range 5 ...

Page 728: ...e2 Required Display the configuration and status of one or all time ranges display time range time range name all Optional Available in any view You may create a maximum of 256 time ranges A time range can be one of the following z Periodic time range created using the time range time range name start time to end time days command A time range thus created recurs periodically on the day or days of...

Page 729: ... range ends at the latest time that the system supports namely 24 00 12 31 2100 Configuration Example Create a time range that is active from 8 00 to 18 00 every working day Sysname system view Sysname time range test 8 00 to 18 00 working day Verify the configuration Sysname display time range test Current time is 22 17 42 1 5 2006 Thursday Time range test Inactive 08 00 to 18 00 working day Crea...

Page 730: ...c IPv4 ACL description text Optional By default a basic IPv4 ACL has no ACL description Configure a rule description rule rule id comment text Optional By default an IPv4 ACL rule has no rule description Note that z You can only modify the existing rules of an ACL that uses the match order of config When modifying a rule of such an ACL you may choose to change just some of the settings in which ca...

Page 731: ...ckets based on three priority criteria type of service ToS IP precedence and differentiated services codepoint DSCP priority Advanced IPv4 ACLs are numbered in the range 3000 to 3999 Compared with basic IPv4 ACLs they allow of more flexible and accurate filtering Configuration Prerequisites If you want to reference a time range in a rule define it with the time range command first Configuration Pr...

Page 732: ...ion for the advanced IPv4 ACL description text Optional By default an advanced IPv4 ACL has no ACL description Configure a rule description rule rule id comment text Optional By default an IPv4 ACL rule has no rule description Note that z You can only modify the existing rules of an ACL that uses the match order of config When modifying a rule of such an ACL you may choose to change just some of t...

Page 733: ...L To do Use the command Remarks Enter system view system view Create an Ethernet frame header ACL and enter its view acl number acl number name acl name match order auto config Required The default match order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the acl name acl name command to enter the view of the ACL later Create or modify a rule rule rule id deny p...

Page 734: ... contain any rules z The rule specified in the rule comment command must already exist Configuration Example Configure ACL 4000 to deny frames with the 802 1p priority of 3 Sysname system view Sysname acl number 4000 Sysname acl ethernetframe 4000 rule deny cos 3 Verify the configuration Sysname acl ethernetframe 4000 display acl 4000 Ethernet frame ACL 4000 named none 1 rule ACL s step is 5 rule ...

Page 735: ...lable in any view Display information about ACL uses of a switch display acl resource Available in any view Display the configuration and state of a specified or all time ranges display time range time range name all Available in any view Clear statistics about a specified or all IPv4 ACLs that are referenced by upper layer software reset acl counter acl number all name acl name Available in user ...

Page 736: ...witch acl adv 3000 rule deny ip source 192 168 2 0 0 0 0 255 destination 192 168 4 1 0 0 0 0 time range trname Switch acl adv 3000 quit Configure a rule to control access of the Marketing Department to the salary query server Switch acl number 3001 Switch acl adv 3001 rule deny ip source 192 168 3 0 0 0 0 255 destination 192 168 4 1 0 0 0 0 time range trname Switch acl adv 3001 quit 3 Apply the IP...

Page 737: ... b_rd Switch qospolicy p_rd quit Configure QoS policy p_market to use traffic behavior b_market for class c_market Switch qos policy p_market Switch qospolicy p_market classifier c_market behavior b_market Switch qospolicy p_market quit Apply QoS policy p_rd to interface GigabitEthernet 1 0 2 Switch interface GigabitEthernet 1 0 2 Switch GigabitEthernet1 0 2 qos apply policy p_rd inbound Switch Gi...

Page 738: ...edure Follow these steps to configure an IPv6 ACL To do Use the command Remarks Enter system view system view Create a basic IPv6 ACL view and enter its view acl ipv6 number acl6 number name acl6 name match order auto config Required The default match order is config If you specify a name for an IPv6 ACL when creating the ACL you can use the acl ipv6 name acl6 name command to enter the view of the...

Page 739: ...cl ipv6 number acl6 number name acl6 name match order auto config command but only when the ACL does not contain any rules z The rule specified in the rule comment command must already exist Configuration Example Configure IPv6 ACL 2000 to permit IPv6 packets with the source address of 2030 5060 9050 64 and deny IPv6 packets with the source address of fe80 5060 8050 96 Sysname system view Sysname ...

Page 740: ...ype icmpv6 type icmpv6 code icmpv6 message logging source source source prefix source source prefix any source port operator port1 port2 time range time range name Required To create or modify multiple rules repeat this step Note that if the ACL is to be referenced by a QoS policy for traffic classification the logging and fragment keywords are not supported and the operator argument cannot be z n...

Page 741: ... tcp source 2030 5060 9050 64 Verify the configuration Sysname acl6 adv 3000 display acl ipv6 3000 Advanced IPv6 ACL 3000 named none 1 rule ACL s step is 5 rule 0 permit tcp source 2030 5060 9050 64 5 times matched Copying an IPv6 ACL This feature allows you to copy an existing IPv6 ACL to generate a new one which is of the same type and has the same match order rules rule numbering step and descr...

Page 742: ...e name all Available in any view Clear statistics about a specified or all IPv6 ACLs that are referenced by upper layer software reset acl ipv6 counter acl6 number all name acl6 name Available in user view IPv6 ACL Configuration Example Network Requirements As shown in Figure 15 1 a company interconnects its departments through the switch Configure an ACL to deny access of the R D department to ex...

Page 743: ...r b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Apply QoS policy p_rd to interface GigabitEthernet 1 0 1 Switch interface GigabitEthernet 1 0 1 Switch GigabitEthernet1 0 1 qos apply policy p_rd inbound ...

Page 744: ...hernet interface view interface interface type interface number Enter interface view Enter VLAN interface view interface vlan interface vlan id Use either command Apply an Ethernet frame header ACL to the interface to filter Ethernet frames packet filter acl number name acl name inbound outbound Required By default an interface does not filter Ethernet frames Filtering IPv4 Packets Follow these st...

Page 745: ...n takes effect for only rules with the logging keyword specified z The packet filtering statistics are managed and output as device log information by the information center z The packet filtering statistics are of the severity level of 6 that is informational Informational messages are not output to the console by default therefore you need to modify the log information output rule for the inform...

Page 746: ... network GE1 0 1 Host A 192 168 1 2 24 Device A Host B 192 168 1 3 24 Configuration procedure Create a time range named study setting it to become active from 08 00 to 18 00 everyday DeviceA system view DeviceA time range study 8 00 to 18 00 daily Create basic IPv4 ACL 2009 DeviceA acl number 2009 Create a basic IPv4 ACL rule to deny packets sourced from 192 168 1 2 32 during time range study Devi...

Page 747: ...int100 192 168 1 1 Host A 192 168 1 2 Host B 192 168 1 3 Server 192 168 5 100 Configuration procedure Create a time range named study setting it to become active from 08 00 to 18 00 of the working days DeviceA system view DeviceA time range study 14 00 to 18 00 working day Create basic IPv4 ACL 2010 DeviceA acl number 2010 Create a basic IPv4 ACL rule to deny packets sourced from 192 168 1 2 32 du...

Page 748: ...taining Smart Link 1 8 Smart Link Configuration Examples 1 9 Single Smart Link Group Configuration Example 1 9 Multiple Smart Link Groups Load Sharing Configuration Example 1 13 2 Monitor Link Configuration 2 1 Overview 2 1 Terminology 2 1 How Monitor Link Works 2 1 Configuring Monitor Link 2 2 Configuration Prerequisites 2 2 Configuration Procedure 2 2 Monitor Link Configuration Example 2 2 Displ...

Page 749: ...etting DLDP State 4 11 Resetting DLDP State in System View 4 12 Resetting DLDP State in Port view Port Group View 4 12 Displaying and Maintaining DLDP 4 12 DLDP Configuration Example 4 13 Troubleshooting 4 15 5 Ethernet OAM Configuration 5 1 Ethernet OAM Overview 5 1 Background 5 1 Major Functions of Ethernet OAM 5 1 Ethernet OAMPDUs 5 1 How Ethernet OAM Works 5 3 Standards and Protocols 5 5 Ether...

Page 750: ...ration Examples 6 10 Configuring Service Instance 6 10 Configuring MEP and Enabling CC on it 6 11 Configuring the Rules for Generating MIPs 6 13 Configuring LB on MEPs 6 14 Configuring LT on MEPs 6 14 7 Track Configuration 7 1 Track Overview 7 1 Collaboration Between the Track Module and the Detection Modules 7 1 Collaboration Between the Track Module and the Application Modules 7 2 Track Configur...

Page 751: ...sually dual uplinked to upstream devices That is a downstream device connects to two different upstream devices as shown in Figure 1 1 Figure 1 1 Diagram for a dual uplink network GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 A dual uplink network demonstrates high reliability but it may contain network loops In most cases Spanning Tree Protocol STP or Rapid Ring Protection Protocol RRPP is used...

Page 752: ...0 1 and GE1 0 2 of Device C and GE1 0 1 and GE1 0 2 of Device D each form a smart link group with GE1 0 1 being active and GE1 0 2 being standby Master slave port Master port and slave port are two port roles in a smart link group When both ports in a smart link group are up the master port preferentially transits to the forwarding state while the slave port stays in the standby state Once the mas...

Page 753: ...ailure does not take over immediately upon its recovery Instead link switchover will occur at next link switchover Topology change mechanism As link switchover can outdate the MAC address forwarding entries and ARP ND entries on all devices you need a forwarding entry update mechanism to ensure proper transmission By far the following two update mechanisms are provided z Uplink traffic triggered M...

Page 754: ...g the Sending of Flush Messages Optional Configuring an Associated Device Enabling the Receiving of Flush Messages Required z A smart link device is a device that supports Smart Link and is configured with a smart link group and a transmit control VLAN for flush message transmission Device C and Device D in Figure 1 1 are two examples of smart link devices z An associated device is a device that s...

Page 755: ...guration in the Access Volume Configuring Member Ports for a Smart Link Group You can configure member ports for a smart link group either in smart link group view or in interface view The configurations made in these two views have the same effect In smart link group view Follow these steps to configure member ports for a smart link group in smart link group view To do Use the command Remarks Ent...

Page 756: ...ption mode role Required Disabled by default Configure the preemption delay preemption delay delay time Optional 1 second by default The preemption delay configuration takes effect only after role preemption is enabled Enabling the Sending of Flush Messages Follow these steps to enable the sending of flush messages To do Use the command Remarks Enter system view system view Create a smart link gro...

Page 757: ... undo stp enable Sysname GigabitEthernet1 0 1 port link type trunk Sysname GigabitEthernet1 0 1 port trunk permit vlan 20 Sysname GigabitEthernet1 0 1 quit Sysname interface gigabitethernet 1 0 2 Sysname GigabitEthernet1 0 2 undo stp enable Sysname GigabitEthernet1 0 2 port link type trunk Sysname GigabitEthernet1 0 2 port trunk permit vlan 20 Sysname GigabitEthernet1 0 2 quit Sysname smart link g...

Page 758: ...ges directly without any processing z Do not remove the control VLANs Otherwise flush messages cannot be sent properly z Make sure that the control VLANs are existing VLANs and assign the ports capable of receiving flush messages to the control VLANs Associated Device Configuration Example Network requirements Configure GigabitEthernet 1 0 1 to receive and process flush messages in VLAN 20 Configu...

Page 759: ...evice E Device D Device C Device B GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 Master link Slave link Smart link group Configuration procedure 1 Configuration on Device C Create VLANs 1 through 30 map VLANs 1 through 10 VLANs 11 through 20 and VLANs 21 through 30 to MSTI 0 MSTI 1 and MSTI 2 respectively and activate the MST region configuration D...

Page 760: ...viceC smlk group1 flush enable DeviceC smlk group1 quit 2 Configuration on Device D Create VLANs 1 through 30 map VLANs 1 through 10 VLANs 11 through 20 and VLANs 21 through 30 to MSTI 0 MSTI 1 and MSTI 2 respectively and activate the MST region configuration DeviceD system view DeviceD vlan 1 to 30 DeviceD stp region configuration DeviceD mst region instance 0 vlan 1 to 10 DeviceD mst region inst...

Page 761: ...ceB GigabitEthernet1 0 1 smart link flush enable DeviceB GigabitEthernet1 0 1 quit DeviceB interface gigabitethernet 1 0 2 DeviceB GigabitEthernet1 0 2 port link type trunk DeviceB GigabitEthernet1 0 2 port trunk permit vlan 1 to 30 DeviceB GigabitEthernet1 0 2 smart link flush enable DeviceB GigabitEthernet1 0 2 quit DeviceB interface gigabitethernet 1 0 3 DeviceB GigabitEthernet1 0 3 port link t...

Page 762: ...ace gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2 port trunk permit vlan 1 to 30 DeviceA GigabitEthernet1 0 2 smart link flush enable DeviceA GigabitEthernet1 0 2 quit 6 Verifying the configurations You can use the display smart link group command to display the smart link group configuration on each device For example Display the smart link g...

Page 763: ... link group 2 is VLAN 101 Figure 1 3 Multiple smart link groups load sharing configuration Device A Device D Device B GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 Device C GE1 0 1 GE1 0 2 Configuration procedure 1 Configuration on Device C Create VLAN 1 through VLAN 200 map VLAN 1 through VLAN 100 to MSTI 0 and VLAN 101 through VLAN 200 to MSTI 2 and activate MST region configuration DeviceC sy...

Page 764: ... 2 DeviceC smart link group 2 DeviceC smlk group2 protected vlan reference instance 2 Configure GigabitEthernet 1 0 1 as the slave port and GigabitEthernet 1 0 2 as the master port for smart link group 2 DeviceC smlk group2 port gigabitethernet 1 0 2 master DeviceC smlk group2 port gigabitethernet 1 0 1 slave Enable role preemption in smart link group 2 enable flush message sending and configure V...

Page 765: ... enable control vlan 10 101 DeviceD GigabitEthernet1 0 2 quit 4 Configuration on Device A Create VLAN 1 through VLAN 200 DeviceA system view DeviceA vlan 1 to 200 Configure GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as trunk ports and assign them to VLANs 1 through 200 enable flush message receiving on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 and configure VLAN 10 and VLAN 101 as the r...

Page 766: ...ate Flush count Last flush time GigabitEthernet1 0 2 MASTER ACTVIE 5 16 37 20 2009 02 21 GigabitEthernet1 0 1 SLAVE STANDBY 1 17 45 20 2009 02 21 You can use the display smart link flush command to display the flush messages received on each device For example Display the flush messages received on Device B DeviceB display smart link flush Received flush packets 5 Receiving interface of the last f...

Page 767: ... port can be assigned to only one monitor link group Both Layer 2 Ethernet ports and Layer 2 aggregate interfaces can be assigned to a monitor link group Uplink The uplink is the link monitored by the monitor link group The monitor link group is down when the group has no uplink ports or all uplink ports are down The monitor link group is up when any uplink port is up Downlink The downlink is the ...

Page 768: ...ports In monitor link group view port interface type interface number downlink Configure the downlink for the monitor link group In Ethernet port view or Layer 2 aggregate interface view port monitor link group group id downlink Use either approach Repeat this step to add more downlink ports z A port can be assigned to only one monitor link group z You are recommended to configure uplink ports pri...

Page 769: ...ver in the smart link group For detailed information about smart link refer to Smart Link Configuration in the High Availability Volume Figure 2 1 Network diagram for smart link in combination with monitor link configuration Device A Device B Device C Device D GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 2 Configuration procedure 1 Configuration on Device C Disable STP on GigabitE...

Page 770: ...0 2 DeviceA GigabitEthernet1 0 2 smart link flush enable 3 Configuration on Device B Create monitor link group 1 DeviceB system view DeviceB monitor link group 1 Configure GigabitEthernet 1 0 1 as an uplink port and GigabitEthernet 1 0 2 as a downlink port for monitor link group 1 DeviceB mtlk group1 port gigabitethernet 1 0 1 uplink DeviceB mtlk group1 port gigabitethernet 1 0 2 downlink DeviceB ...

Page 771: ... 1 and GigabitEthernet 1 0 2 separately DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 smart link flush enable DeviceD GigabitEthernet1 0 1 quit DeviceD interface gigabitethernet 1 0 2 DeviceD GigabitEthernet1 0 2 smart link flush enable ...

Page 772: ...ee protocols RRPP features the following z Fast topology convergence z Convergence time independent of Ethernet ring size Background Metropolitan area networks MANs and enterprise networks usually use the ring structure to improve reliability However services will be interrupted if any node in the ring network fails A ring network usually uses Resilient Packet Ring RPR or Ethernet rings RPR is hig...

Page 773: ...one of the following two states z Health state All the physical links on the Ethernet ring are connected z Disconnect state Some physical links on the Ethernet ring are broken As shown in Figure 3 1 Domain 1 contains two RRPP rings Ring 1 and Ring 2 The level of Ring 1 is set to 0 that is Ring 1 is configured as the primary ring the level of Ring 2 is set to 1 that is Ring 2 is configured as a sub...

Page 774: ...o detect the integrity of the primary ring and perform loop guard As shown in Figure 3 1 Ring 1 is the primary ring and Ring 2 is a subring Device A is the master node of Ring 1 Device B Device C and Device D are the transit nodes of Ring 1 Device E is the master node of Ring 2 Device B is the edge node of Ring 2 and Device C is the assistant edge node of Ring 2 Primary port and secondary port Eac...

Page 775: ...ode RRPP ring group Up to one subring in an edge node RRPP ring group is allowed to send Edge Hello packets RRPPDUs Table 3 1 shows the types of RRPPDUs and their functions Table 3 1 RRPPDU types and their functions Type Description Hello The master node initiates Hello packets to detect the integrity of a ring in a network Link Down The transit node the edge node or the assistant edge node initia...

Page 776: ... to check the Health state of the ring network The master node sends Hello packets out its primary port periodically and these Hello packets travel through each transit node on the ring in turn z If the ring is complete the secondary port of the master node will receive Hello packets before the Fail timer expires and the master node will keep the secondary port blocked z If the ring is torn down t...

Page 777: ... VLANs referred to as protected VLANs in a ring network traffic of different VLANs can be transmitted according to different topologies in the ring network In this way load balancing is achieved As shown in Figure 3 6 Ring 1 is configured as the primary ring of Domain 1 and Domain 2 which are configured with different protected VLANs Device A is the master node of Ring 1 in Domain 1 Device B is th...

Page 778: ... or more rings in the network topology and only one common node between rings In this case you need to define an RRPP domain for each ring Figure 3 3 Schematic diagram for a tangent ring network Intersecting rings As shown in Figure 3 4 there are two or more rings in the network topology and two common nodes between rings In this case you only need to define an RRPP domain and configure one ring a...

Page 779: ...m for a dual homed ring network Single ring load balancing In a single ring network you can achieve load balancing by configuring multiple domains As shown in Figure 3 6 Ring 1 is configured as the primary ring of both Domain 1 and Domain 2 Domain 1 and Domain 2 are configured with different protected VLANs In Domain 1 Device A is configured as the master node of Ring 1 in Domain 2 Device B is con...

Page 780: ... Device E is configured as the master node of Ring 2 in both Domain 1 and Domain 2 However different ports on Device E are blocked in Domain 1 and Domain 2 With the configurations you can enable traffic of different VLANs to travel over different paths in the subring and primary ring thus achieving intersecting ring load balancing Figure 3 7 Schematic diagram for an intersecting ring load balancin...

Page 781: ...er node in the RRPP domain Configuring an RRPP Ring Group Optional Perform this task on the edge node and assistant edge node in the RRPP domain z RRPP does not have an auto election mechanism so you must configure each node in the ring network properly for RRPP to monitor and protect the ring network z Before configuring RRPP you need to construct a ring shaped Ethernet topology physically Creati...

Page 782: ...red with RRPP you must ensure only the two ports connecting the device to the RRPP ring permit the packets of the control VLANs Otherwise the packets from other VLANs may go into the control VLANs in transparent transmission mode and strike the RRPP ring Configuring Protected VLANs Before configuring RRPP rings in an RRPP domain configure the same protected VLANs for all nodes in the RRPP domain f...

Page 783: ...s Perform this configuration on each node s ports intended for accessing RRPP rings Follow these steps to configure RRPP ports To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the link type of the interface as trunk port link type trunk Required By default the link type of an interface is access Configure the trunk...

Page 784: ...me Configuring RRPP Nodes z The maximum number of rings that can be configured on a device in all RRPP domains is 16 z If a device carries multiple RRPP rings in an RRPP domain only one ring can be configured as the primary ring on the device and the role of the device on a subring can only be an edge node or an assistant edge node Specifying a master node Perform this configuration on a device to...

Page 785: ...e interface number secondary port interface type interface number level level value Required Specify the current device as the edge node of a subring and specify the edge port ring ring id node mode edge edge port interface type interface number Required Specifying an assistant edge node When configuring an assistant edge node you must first configure the primary ring before configuring the subrin...

Page 786: ...de or assistant edge node enable disable the primary ring and subrings separately as follows z Enable the primary ring of an RRPP domain before enabling subrings of the RRPP domain z Disable the primary ring of an RRPP domain after disabling all subrings of the RRPP domain Configuring RRPP Timers Perform this configuration on the master node of an RRPP domain Follow these steps to configure RRPP t...

Page 787: ...emarks Enter system view system view Create an RRPP ring group and enter RRPP ring group view rrpp ring group ring group id Required Assign the specified subrings to the RRPP ring group domain domain id ring ring id list Required z You can assign a subring to only one RRPP ring group Make sure that the RRPP ring group configured on the edge node and that configured on the assistant edge node must ...

Page 788: ...y control VLAN of RRPP domain 1 as VLAN 4092 and RRPP domain 1 protects all VLANs z Device A Device B Device C and Device D constitute primary ring 1 z Specify Device A as the master node of primary ring 1 GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port z Specify Device B Device C and Device D as the transit nodes of primary ring 1 their GigabitEthernet 1 ...

Page 789: ...ing 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceA rrpp domain1 ring 1 node mode master primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceA rrpp domain1 ring 1 enable DeviceA rrpp domain1 quit Enable RRPP DeviceA rrpp enable 2 Configuration on Device B Configure the suppression time of p...

Page 790: ...d here 5 Verification After the above configuration you can use the display command to view RRPP configuration and operational information on each device Intersecting Ring Configuration Example Networking requirements As shown in Figure 3 9 z Device A Device B Device C and Device D constitute RRPP domain 1 VLAN 4092 is the primary control VLAN of RRPP domain 1 and RRPP domain 1 protects all the VL...

Page 791: ... interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 link delay 0 DeviceA GigabitEthernet1 0 2 undo stp enable DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2 port trunk permit vlan all DeviceA GigabitEthernet1 0 2 qos trust dot1p DeviceA GigabitEthernet1 0 2 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN of RRPP domain 1 and confi...

Page 792: ...tEthernet1 0 2 quit DeviceB interface gigabitethernet 1 0 3 DeviceB GigabitEthernet1 0 3 link delay 0 DeviceB GigabitEthernet1 0 3 undo stp enable DeviceB GigabitEthernet1 0 3 port link type trunk DeviceB GigabitEthernet1 0 3 port trunk permit vlan all DeviceB GigabitEthernet1 0 3 qos trust dot1p DeviceB GigabitEthernet1 0 3 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN...

Page 793: ... interface gigabitethernet 1 0 3 DeviceC GigabitEthernet1 0 3 link delay 0 DeviceC GigabitEthernet1 0 3 undo stp enable DeviceC GigabitEthernet1 0 3 port link type trunk DeviceC GigabitEthernet1 0 3 port trunk permit vlan all DeviceC GigabitEthernet1 0 3 qos trust dot1p DeviceC GigabitEthernet1 0 3 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN of RRPP domain 1 and confi...

Page 794: ...PP domain 1 and configure VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1 DeviceD rrpp domain 1 DeviceD rrpp domain1 control vlan 4092 DeviceD rrpp domain1 protected vlan reference instance 0 to 16 Configure Device D as the transit node of primary ring 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 Devic...

Page 795: ...al information on each device Intersecting Ring Load Balancing Configuration Example Networking requirements z Device A Device B Device C Device D and Device F constitute RRPP domain 1 and VLAN 100 is the primary control VLAN of the RRPP domain Device A is the master node of the primary ring Ring 1 Device D is the transit node of the primary ring Ring 1 Device F is the master node of the subring R...

Page 796: ...figure the suppression time of physical link state changes on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as zero disable STP configure the two ports as trunk ports remove them from VLAN 1 and assign them to VLAN 10 and VLAN 20 and configure them to trust the 802 1p precedence of the received packets DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 link delay 0 DeviceA Giga...

Page 797: ...rpp domain1 ring 1 enable DeviceA rrpp domain1 quit Create RRPP domain 2 configure VLAN 105 as the primary control VLAN of RRPP domain 2 and configure the VLAN mapped to MSTI 2 as the protected VLAN of RRPP domain 2 DeviceA rrpp domain 2 DeviceA rrpp domain2 control vlan 105 DeviceA rrpp domain2 protected vlan reference instance 2 Configure Device A as the master node of primary ring 1 with Gigabi...

Page 798: ...gure the port as a trunk port remove it from VLAN 1 and assign it to VLAN 20 and configure it to trust the 802 1p precedence of the received packets DeviceB interface gigabitethernet 1 0 3 DeviceB GigabitEthernet1 0 3 link delay 0 DeviceB GigabitEthernet1 0 3 undo stp enable DeviceB GigabitEthernet1 0 3 port link type trunk DeviceB GigabitEthernet1 0 3 undo port trunk permit vlan 1 DeviceB Gigabit...

Page 799: ... node of primary ring 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceB rrpp domain2 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceB rrpp domain2 ring 1 enable Configure Device B as the assistant edge node of subring 2 in RRPP domain 2 with GigabitEthernet 1 0 3...

Page 800: ...ce of the received packets DeviceC interface gigabitethernet 1 0 3 DeviceC GigabitEthernet1 0 3 link delay 0 DeviceC GigabitEthernet1 0 3 undo stp enable DeviceC GigabitEthernet1 0 3 port link type trunk DeviceC GigabitEthernet1 0 3 undo port trunk permit vlan 1 DeviceC GigabitEthernet1 0 3 port trunk permit vlan 20 DeviceC GigabitEthernet1 0 3 qos trust dot1p DeviceC GigabitEthernet1 0 3 quit Con...

Page 801: ...bitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceC rrpp domain2 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceC rrpp domain2 ring 1 enable Configure Device C as the edge node of subring 2 in RRPP domain 2 with GigabitEthernet 1 0 3 as the edge port and enable subring 2 DeviceC rrpp domain2 ring 2 node mode edge edge po...

Page 802: ...rence instance 1 Configure Device D as the transit node of primary ring 1 in RRPP domain 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceD rrpp domain1 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceD rrpp domain1 ring 1 enable DeviceD rrpp domain1 quit Create RR...

Page 803: ...1 0 2 undo stp enable DeviceE GigabitEthernet1 0 2 port link type trunk DeviceE GigabitEthernet1 0 2 undo port trunk permit vlan 1 DeviceE GigabitEthernet1 0 2 port trunk permit vlan 20 DeviceE GigabitEthernet1 0 2 qos trust dot1p DeviceE GigabitEthernet1 0 2 quit Create RRPP domain 2 configure VLAN 105 as the primary control VLAN and configure the VLAN mapped to MSTI 2 as the protected VLAN Devic...

Page 804: ...k permit vlan 10 DeviceF GigabitEthernet1 0 2 qos trust dot1p DeviceF GigabitEthernet1 0 2 quit Create RRPP domain 1 configure VLAN 100 as the primary control VLAN and configure the VLAN mapped to MSTI 1 as the protected VLAN DeviceF rrpp domain 1 DeviceF rrpp domain1 control vlan 100 DeviceF rrpp domain1 protected vlan reference instance 1 Configure Device F as the master node of subring 3 in RRP...

Page 805: ...me RRPP ring z Some ports are abnormal Solution z Use the display rrpp brief command to check whether RRPP is enabled for all nodes If not use the rrpp enable command and the ring enable command to enable RRPP and RRPP rings for all nodes z Use the display rrpp brief command to check whether the domain ID and primary control VLAN ID are the same for all nodes If not set the same domain ID and prim...

Page 806: ...ting Overview Background Sometimes unidirectional links may appear in networks On a unidirectional link one end can receive packets from the other end but the other end cannot Unidirectional links result in problems such as loops in an STP enabled network As for fiber links two kinds of unidirectional links exist One occurs when fibers are cross connected as shown in Figure 4 1 The other occurs wh...

Page 807: ...th ends of a link are operating normally at the physical layer DLDP detects whether the link is correctly connected at the link layer and whether the two ends can exchange packets properly This is beyond the capability of the auto negotiation mechanism at the physical layer How DLDP Works DLDP link states A device is in one of these DLDP link states Initial Inactive Active Advertisement Probe Disa...

Page 808: ... timer This timer is set to 10 seconds and is triggered when a device transits to the Probe state or an enhanced detect is launched When the Echo timer expires and no Echo packet has been received from a neighbor device the state of the link is set to unidirectional and the device transits to the Disable state In this case the device sends Disable packets prompts the user to shut down the port or ...

Page 809: ...entry timer expires the Enhanced timer is triggered and the device sends up to eight Probe packets at a frequency of one packet per second to test the neighbor If no Echo packet is received from the neighbor when the Echo timer expires the device transits to the Disable state Table 4 3 DLDP mode and neighbor entry aging DLDP mode Detecting a neighbor after the corresponding neighbor entry ages out...

Page 810: ... with the corresponding local configuration z Plain text authentication In this mode before sending a DLDP packet the sending side sets the Authentication field to the password configured in plain text and sets the Authentication type field to 1 The receiving side checks the values of the two fields of received DLDP packets and drops the packets with the two fields conflicting with the correspondi...

Page 811: ... information If the corresponding neighbor entry already exists resets the Entry timer If yes no process is performed Flush packet Determines whether or not the local port is in Disable state If not removes the corresponding neighbor entry if any If the corresponding neighbor entry does not exist creates the neighbor entry transits to Probe state and returns Echo packets Probe packet Retrieves the...

Page 812: ... port and removes the corresponding neighbor entry Link auto recovery mechanism If the port shutdown mode upon detection of a unidirectional link is set to auto DLDP sets the state of the port where a unidirectional link is detected to DLDP down automatically A DLDP down port cannot forward service traffic or send receive any PDUs except DLDPDUs On a DLDP down port DLDP monitors the unidirectional...

Page 813: ...Authentication Optional Resetting DLDP State Optional Note that z DLDP takes effects only on Ethernet interfaces z DLDP can detect unidirectional links only after all links are connected Therefore before enabling DLDP make sure that optical fibers or copper twisted pairs are connected z To ensure unidirectional links can be detected make sure these settings are the same on the both sides DLDP stat...

Page 814: ...re are two DLDP modes z Normal mode In this mode DLDP does not actively detect neighbors when the corresponding neighbor entries age out The system can identify only one type of unidirectional links cross connected fibers z Enhanced mode In this mode DLDP actively detects neighbors when the corresponding neighbor entries age out The system can identify two types of unidirectional links cross conne...

Page 815: ...e Tx line fails the port goes down and then comes up again causing optical signal jitters on the Rx line When a port goes down due to a Tx failure the device transits to the DelayDown state instead of the Inactive state to prevent the corresponding neighbor entries from being removed In the same time the device triggers the DelayDown timer If the port goes up before the timer expires the device re...

Page 816: ...mode z If the device is busy or the CPU utilization is high normal links may be treated as unidirectional links In this case you can set the port shutdown mode to manual mode to eliminate the effects caused by false unidirectional link report Configuring DLDP Authentication Follow these steps to configure DLDP authentication To do Use the command Remarks Enter system view system view Configure DLD...

Page 817: ...state dldp reset Required Resetting DLDP State in Port view Port Group View Resetting DLDP state in port view or port group view applies to the current port or all the ports in the port group shut down by DLDP Follow these steps to reset DLDP state in port view port group view To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface nu...

Page 818: ... Device A Enable DLDP on GigabitEthernet1 0 50 and GigabitEthernet 1 0 51 DeviceA system view DeviceA interface gigabitethernet 1 0 50 DeviceA GigabitEthernet1 0 50 dldp enable DeviceA GigabitEthernet1 0 50 quit DeviceA interface gigabitethernet 1 0 51 DeviceA GigabitEthernet1 0 51 dldp enable DeviceA GigabitEthernet1 0 51 quit Set the interval for sending Advertisement packets to 6 seconds Device...

Page 819: ...port is 0 The output information indicates that both GigabitEthernet 1 0 50 and GigabitEthernet 1 0 51 are in Disable state and the links are down which means unidirectional links are detected and the two ports are thus shut down Correct the fiber connections after detecting the problem and perform the following operations Reset DLDP state for the ports shut down by DLDP DeviceA dldp reset Display...

Page 820: ... the two ports are restored Troubleshooting Symptom Two DLDP enabled devices Device A and Device B are connected through two fiber pairs in which two fibers are cross connected The unidirectional links cannot be detected all the four ports involved are in Advertisement state Analysis The problem can be caused by the following z The intervals for sending Advertisement packets on Device A and Device...

Page 821: ...rnet has been absent all along hindering the usage of Ethernet in MANs and WANs Implementing Operation Administration and Maintenance OAM on Ethernet networks has now become an urgent matter As a tool monitoring Layer 2 link status Ethernet OAM is mainly used to address common link related issues on the last mile You can monitor the status of the point to point link between two directly connected ...

Page 822: ... be forwarded Source addr Source MAC address of the Ethernet OAMPDU It is the bridge MAC address of the sending side and is a unicast MAC address Type Type of the encapsulated protocol in the Ethernet OAMPDU The value is 0x8809 Subtype The specific protocol being encapsulated in the Ethernet OAMPDU The value is 0x03 Flags Status information of an Ethernet OAM entity Code Type of the Ethernet OAMPD...

Page 823: ... interconnected OAM entities notify the peer of their OAM configuration information and the OAM capabilities of the local nodes by exchanging Information OAMPDUs and determine whether Ethernet OAM connections can be established An Ethernet OAM connection can be established only when the settings concerning Loopback link detecting and link event of the both sides match After an Ethernet OAM connect...

Page 824: ...nk faults in various environments Ethernet OAM implements link monitoring through the exchange of Event Notification OAMPDUs Upon detecting a link error event listed in Table 5 4 the local OAM entity sends an Event Notification OAMPDU to notify the remote OAM entity With the log information network administrators can keep track of network status in time Table 5 4 describes the link events Table 5 ...

Page 825: ...ly across established OAM connections an Ethernet OAM entity can inform one of its OAM peers of link faults through Information OAMPDUs Therefore the network administrator can keep track of link status in time through the log information and troubleshoot in time Remote loopback Remote loopback is available only after the Ethernet OAM connection is established With remote loopback enabled the Ether...

Page 826: ...e Ethernet port establishes an Ethernet OAM connection with its peer port Follow these steps to configure basic Ethernet OAM functions To do Use the command Remarks Enter system view System view Enter Ethernet port view interface interface type interface number Set Ethernet OAM operating mode oam mode active passive Optional The default is active Ethernet OAM mode Enable Ethernet OAM on the curren...

Page 827: ...tem view Configure the errored frame event detection interval oam errored frame period period value Optional 1 second by default Configure the errored frame event triggering threshold oam errored frame threshold threshold value Optional 1 by default Configuring Errored Frame Period Event Detection An errored frame period event occurs if the number of frame errors in specific number of received fra...

Page 828: ...ss than the errored frame seconds detection interval Otherwise no errored frame seconds event can be generated Enabling OAM Remote Loopback After enabling OAM remote loopback on a port you can send loopback frames from the port to a remote port and then observe how many of these loopback frames are returned In this way you can calculate the packet loss ratio on the link thus evaluating the link pe...

Page 829: ...e z Enabling internal loopback test on a port in remote loopback test can terminate the remote loopback test For more information about loopback test refer to Ethernet Interface Configuration in the Access Volume Displaying and Maintaining Ethernet OAM Configuration To do Use the command Remarks Display global Ethernet OAM configuration display oam configuration Display the statistics on critical ...

Page 830: ...view DeviceB interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 oam mode active DeviceB GigabitEthernet1 0 1 oam enable DeviceB GigabitEthernet1 0 1 quit 3 Verify the configuration Use the display oam configuration command to display the Ethernet OAM configuration For example Display the Ethernet OAM configuration on Device A DeviceA display oam configuration Configuration of the link ev...

Page 831: ...sp 0 Critical Event 0 According to the above output information no critical link event occurred on the link between Device A and Device B Display Ethernet OAM link event statistics of the remote end of Device B DeviceB display oam link event remote Port GigabitEthernet1 0 1 Link Status Up OAMRemoteErrFrameEvent ms milliseconds Event Time Stamp 5789 Errored FrameWindow 10 100ms Errored Frame Thresh...

Page 832: ...fined by some maintenance association end points MEPs configured on the ports A MD is identified by an MD name To locate faults exactly CFD introduces eight levels from 0 to 7 to MDs The bigger the number the higher the level and the larger the area covered Domains can touch or nest if the outer domain has a higher level than the nested one but cannot intersect or overlap MD levels facilitate faul...

Page 833: ...EP ID The MEPs of an MD define the range and boundary of the MD The MA and MD that a MEP belongs to define the VLAN attribute and level of the packets sent by the MEP MEPs fall into inward facing MEPs and outward facing MEPs The level of a MEP determines the levels of packets that the MEP can process The packets transmitted from a MEP carry the level of the MEP An MEP forwards packets at a higher ...

Page 834: ... forwards packets at a higher level without any processing Figure 6 4 demonstrates a grading example of the CFD module In the figure there are six devices labeled 1 through 6 respectively Suppose each device has two ports and MEPs and MIPs are configured on some of these ports Four levels of MDs are designed in this example the bigger the number the higher the level and the larger the area covered...

Page 835: ...e MEPs send CCMs at the same time the multipoint to multipoint link check is achieved Loopback Similar to ping at the IP layer loopback is responsible for verifying the connectivity between a local device and a remote device To implement this function the local MEP sends loopback messages LBMs to the remote MEP Depending on whether the local MEP can receive a loopback reply message LBR from the re...

Page 836: ...d be designed at the device port MEPs can be designed on devices or ports that are not at the edges Complete the following tasks to configure CFD Tasks Remarks Basic Configuration Tasks Required These configurations are the foundation for other configuration tasks Configuring CC on MEPs Required Configuring the MEPs to send CCMs to manage link connectivity Configuring LB on MEPs Optional Checking ...

Page 837: ...ted by default Create a service instance cfd service instance instance id md md name ma ma name Required Not created by default z These configuration tasks are the foundation for other CFD configuration tasks z The last three steps in the table above must be performed strictly in order Configuring MEP MEPs are functional entities in a service instance CFD is implemented through operations on MEPs ...

Page 838: ...fd mip rule explicit default service instance instance id Required By default neither the MIPs nor the rules for generating MIPs are configured MIPs are generated on each port automatically according to the rules specified in the cfd mip rule command If a port has no MIP the system will check the MAs in each MD from low to high levels and follow the rules in Table 6 1 to create or not create MIPs ...

Page 839: ... sending on a MEP cfd cc service instance instance id mep mep id enable Required Disabled by default The relationship between the interval field value in the CCM messages the interval between CCM messages and the timeout time of the remote MEP is illustrated in Table 6 2 Table 6 2 Relationship of the interval field value the interval between CCM messages and the timeout time of the remote MEP The ...

Page 840: ...latter case after LT messages automatic sending is enabled if a MEP fails to receive the CCMs from the remote MEP within 3 5 sending intervals the link between the two is regarded as faulty and LTMs will be sent out Based on the LTRs that echo back the fault source can be located Configuration Prerequisites Before configuring this function you should first complete MEP and MIP configuration tasks ...

Page 841: ...mep service instance instance id mep mep id Available in any view Display the content of the LTR that responds to LTM messages display cfd linktrace reply auto detection size size value Available in any view CFD Configuration Examples Configuring Service Instance Network requirements As shown in Figure 6 5 there are five devices in the MDs Each device has four ports belonging to VLAN 100 The light...

Page 842: ...e B DeviceB system view DeviceB cfd enable DeviceB cfd md MD_A level 5 DeviceB cfd ma MA_MD_A md MD_A vlan 100 DeviceB cfd service instance 1 md MD_A ma MA_MD_A DeviceB cfd md MD_B level 3 DeviceB cfd ma MA_MD_B md MD_B vlan 100 DeviceB cfd service instance 2 md MD_B ma MA_MD_B After the above configuration you can use the commands display cfd md display cfd ma and display cfd service instance to ...

Page 843: ... 1001 DeviceA GigabitEthernet1 0 1 cfd remote mep 4002 service instance 1 mep 1001 DeviceA GigabitEthernet1 0 1 cfd mep service instance 1 mep 1001 enable DeviceA GigabitEthernet1 0 1 cfd cc service instance 1 mep 1001 enable 2 On Device B DeviceB system view DeviceB interface gigabitethernet 1 0 3 DeviceB GigabitEthernet1 0 3 cfd mep 2001 service instance 2 outbound DeviceB GigabitEthernet1 0 3 c...

Page 844: ...etwork requirements After finishing MEP configuration you can continue to configure the MIPs MIPs which are generated by some rules are configured in the following way z Decide the device on which MIPs are to be configured z Choose suitable rules for MIP generation By default MIP is not configured on a device If MIPs are to be configured on each port in the MD you should choose the default rule If...

Page 845: ...own in Figure 6 6 enable LB on Device A so that Device A can send LBM messages to MEPs on Device D Configuration procedure Configure Device A DeviceA system view DeviceA cfd loopback service instance 1 mep 1001 target mep 4002 Configuring LT on MEPs Network requirements Use the LT function to find the path and locate the fault after you obtain the state of the entire network through the CC As show...

Page 846: ...ugh the Track module More specifically the detection modules probe the link status network performance and so on and inform the application modules of the detection result through the Track module After the application modules are aware of the changes of network status they deal with the changes accordingly to avoid communication interruption and network performance degradation The Track module wo...

Page 847: ...onfiguring Collaboration Between the Track Module and the Detection Modules Configuring Track NQA Collaboration Required Configuring Collaboration Between the Track Module and the Application Modules Configuring Track Static Routing Collaboration Required Configuring Collaboration Between the Track Module and the Detection Modules Configuring Track NQA Collaboration Through the following configura...

Page 848: ...Static Routing collaboration so as to check the reachability of the next hop of the static route ip route static dest address mask mask length next hop address track track entry number preference preference value tag tag value description description text Required Not configured by default z For the configuration of Track Static Routing collaboration the specified static route can be an existent o...

Page 849: ... int3 10 2 1 1 24 Switch C Vlan int3 10 2 1 2 24 Switch B Switch A Configuration procedure 1 Configure the IP address of each interface as shown in Figure 7 2 2 Configure a static route on Switch A and associate it with the Track object Configure the address of the next hop of the static route to Switch C as 10 2 1 1 and configure the static route to associate with Track object 1 SwitchA system vi...

Page 850: ...s Positive Reference object NQA entry admin test Reaction 1 Display the routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 10 1 1 0 24 Static 60 0 10 2 1 1 Vlan3 10 2 1 0 24 Direct 0 0 10 2 1 2 Vlan3 10 2 1 2 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 D...

Page 851: ... Interface 10 2 1 0 24 Direct 0 0 10 2 1 2 Vlan3 10 2 1 2 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The output information above indicates the NQA test result that is the next hop 10 2 1 1 is unreachable the status of the Track object is Negative and the configured static route is invalid ...

Page 852: ...7 Configuration Example 2 7 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 10 Configuring Command Authorization 2 11 Configuring Command Accounting 2 12 3 Logging In Through Telnet SSH 3 1 Logging In Through Telnet 3 1 Introduction 3 1 Telnet Connection Establishment 3 1 Common Configuration 3 3 Telnet Login Configurat...

Page 853: ...sers by Source and Destination IP Addresses 8 2 Controlling Telnet Users by Source MAC Addresses 8 3 Configuration Example 8 3 Controlling Network Management Users by Source IP Addresses 8 4 Prerequisites 8 4 Controlling Network Management Users by Source IP Addresses 8 4 Configuration Example 8 5 Controlling Web Users by Source IP Addresses 8 6 Prerequisites 8 6 Controlling Web Users by Source IP...

Page 854: ...uggable transceivers 10 7 Identifying pluggable transceivers 10 8 Diagnosing pluggable transceivers 10 9 Displaying and Maintaining Device Management Configuration 10 9 Device Management Configuration Examples 10 10 Remote Scheduled Automatic Upgrade Configuration Example Centralized Device 10 10 Remote Scheduled Automatic Upgrade Configuration Example Centralized IRF Device 10 11 11 File System M...

Page 855: ...1 Configuring the TFTP Client 13 2 Displaying and Maintaining the TFTP Client 13 3 TFTP Client Configuration Example 13 4 Single Device Upgrade 13 4 IRF System Upgrade 13 5 14 HTTP Configuration 14 1 HTTP Overview 14 1 How HTTP Works 14 1 Logging In to the Device Through HTTP 14 1 Protocols and Standards 14 1 Enabling the HTTP Service 14 1 Configuring the Port Number of the HTTP Service 14 2 Assoc...

Page 856: ...ocedure 17 3 Displaying and Maintaining RMON 17 5 RMON Configuration Example 17 5 18 MAC Address Table Management Configuration 18 1 Introduction to MAC Address Table 18 1 How a MAC Address Table Entry is Generated 18 1 Types of MAC Address Table Entries 18 2 MAC Address Table Based Frame Forwarding 18 2 Configuring MAC Address Table Management 18 3 Configuring MAC Address Table Entries 18 3 Disab...

Page 857: ... 21 6 Outputting System Information to the Console 21 6 Outputting System Information to a Monitor Terminal 21 7 Outputting System Information to a Log Host 21 8 Outputting System Information to the Trap Buffer 21 9 Outputting System Information to the Log Buffer 21 10 Outputting System Information to the SNMP Module 21 11 Configuring Synchronous Information Output 21 11 Disabling a Port from Gene...

Page 858: ... Configuring an ICMP Echo Test 22 6 Configuring a DHCP Test 22 7 Configuring an FTP Test 22 8 Configuring an HTTP Test 22 9 Configuring a UDP Jitter Test 22 10 Configuring an SNMP Test 22 12 Configuring a TCP Test 22 13 Configuring a UDP Echo Test 22 14 Configuring a Voice Test 22 15 Configuring a DLSw Test 22 17 Configuring the Collaboration Function 22 18 Configuring Trap Delivery 22 19 Configur...

Page 859: ...ring Access Control Rights 24 11 Configuration Prerequisites 24 12 Configuration Procedure 24 12 Configuring NTP Authentication 24 12 Configuration Prerequisites 24 12 Configuration Procedure 24 13 Displaying and Maintaining NTP 24 14 NTP Configuration Examples 24 15 Configuring NTP Client Server Mode 24 15 Configuring the NTP Symmetric Mode 24 16 Configuring NTP Broadcast Mode 24 18 Configuring N...

Page 860: ... Synchronization Function 25 17 Configuring Web User Accounts in Batches 25 18 Displaying and Maintaining Cluster Management 25 19 Cluster Management Configuration Example 25 19 26 IRF Configuration 25 1 IRF Overview 25 1 Introduction 25 1 Application and Advantages 25 1 IRF Working Process 25 2 IRF Connections 25 2 Topology Collection 25 7 Role Election 25 7 IRF Management 25 8 IRF Configuration ...

Page 861: ...ion to Automatic Configuration 28 1 Typical Networking of Automatic Configuration 28 1 How Automatic Configuration Works 28 2 Work Flow of Automatic Configuration 28 2 Obtaining the IP Address of an Interface and Related Information Through DHCP 28 3 Obtaining the Configuration File from the TFTP Server 28 5 Executing the Configuration File 28 7 ...

Page 862: ...rts two types of user interfaces AUX and VTY z AUX port Used to manage and monitor users logging in via the console port The device provides AUX ports of EIA TIA 232 DTE type The port is usually used for the first access to the switch z VTY virtual type terminal Used to manage and monitor users logging in via VTY VTY port is usually used when you access the device by means of Telnet or SSH Table 1...

Page 863: ...lows you to uniquely specify a user interface or a group of user interfaces The numbering system starts from number 0 with a step of 1 The numbering approach numbers the two types of user interfaces in the sequence of AUX port and VTY Relative numbering Relative numbering can specify a user interface or a group of user interfaces of a specific type The number is valid only when used under that typ...

Page 864: ... user interface all user interfaces display users all You can execute this command in any view Display the physical attributes and configuration of the current a specified user interface display user interface type number number summary You can execute this command in any view ...

Page 865: ...gin methods By default you can log in to an 3Com Switch 4510G family through its Console port only To log in to an Ethernet switch through its Console port the related configuration of the user terminal must be in accordance with that of the Console port Table 2 1 lists the default settings of a Console port Table 2 1 The default settings of a Console port Setting Default Baud rate 19 200 bps Flow...

Page 866: ...yperTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are configured as those listed in Table 2 1 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish the connection ...

Page 867: ... information about the switch by executing commands You can also acquire help by type the character Refer to the following chapters for information about the commands Console Port Login Configuration Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console port login Configuration Description Enter system view system view Enter A...

Page 868: ...ging in to the AUX user interface user privilege level level Optional By default commands of level 3 are available to the users logging in to the AUX user interface Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines Set history command buffer size history command max size value Optional By default the history...

Page 869: ... locally or remotely Configure the authentication mode Scheme Create or enter a local user set the authentication password specifies the level and service type for AUX users Refer to Console Port Login Configuration with Authentication Mode Being Scheme for details Changes of the authentication mode of Console port login will not take effect unless you exit and enter again the CLI Console Port Log...

Page 870: ...ork diagram Figure 2 5 Network diagram for AUX user interface configuration with the authentication mode being none Configuration procedure Enter system view Sysname system view Enter AUX user interface view Sysname user interface aux 0 Specify not to authenticate the user logging in through the Console port Sysname ui aux0 authentication mode none Specify commands of level 2 are available to the ...

Page 871: ...logging in through the Console port are not authenticated while users logging in through the Telnet need to pass the password authentication Set the local password set authentication password cipher simple password Required By default no password is configured Configuration Example Network requirements Assume the switch is configured to allow you to login through Telnet and your user level is set ...

Page 872: ...in to the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user ...

Page 873: ...system view quit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to AAA Configuratio...

Page 874: ... level is set to the administrator level level 3 After you telnet to the switch you need to limit the console user at the following aspects z Configure the name of the local user to be guest z Set the authentication password of the local user to 123456 in plain text z Set the service type of the local user to Terminal z Configure to authenticate the user logging in through the Console port in the ...

Page 875: ...running on the user PC accordingly as shown in Figure 2 4 thus ensuring the consistency between the configurations of the terminal emulation utility and those of the switch Otherwise you will fail to log in to the switch Configuring Command Authorization By default command level for a login user depends on the user level The user is authorized the command with the default level not higher than the...

Page 876: ...HWTACACS server If both command accounting and command authorization are enabled only the authorized and executed commands will be recorded on the HWTACACS server The command accounting configuration involves two steps 1 Enable command accounting See the following table for details 2 Configure a command accounting scheme Specify the IP address and other related parameters for the accounting server...

Page 877: ...d Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available Telnet Connection Establishment Telnetting to a Switch from a Terminal You can telnet to a switch and then configure the switch if the interface of the management VLAN of the switch is assigned with an IP address By default VLAN 1 is the management VLAN Following ar...

Page 878: ...able Figure 3 1 Network diagram for Telnet connection establishment Configuration PC running Telnet Ethernet Workstation Server Workstation Ethernet port Step 4 Launch Telnet on your PC with the IP address of the management VLAN interface of the switch as the parameter as shown in the following figure Figure 3 2 Launch Telnet Step 5 Enter the password when the Telnet window displays Login authenti...

Page 879: ... user name and password for Telnet on the switch operating as the Telnet server Refer to section Telnet Login Configuration with Authentication Mode Being None section Telnet Login Configuration with Authentication Mode Being Password and Telnet Login Configuration with Authentication Mode Being Scheme for details By default Telnet users need to pass the password authentication to login Step 2 Tel...

Page 880: ...ng tasks escape key default character Optional By default you can use Ctrl C to terminate a task Configure the type of terminal display under the current user interface terminal type ansi vt100 Optional By default the terminal display type is ANSI Configure the command level available to users logging in to the VTY user interface user privilege level level Optional By default commands of level 0 a...

Page 881: ...Telnet configuration with authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure not to authenticate users logging in to VTY user interfaces authentication mode none Required By default VTY users are authenticated after logging in Note that if you configure not to au...

Page 882: ... command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 Telnet Login Configuration with Authentication Mode Being Password Configuration Procedure Follow these steps to perform Telnet configuration with authentication mode being password To do Use the command Remarks Enter system view system view Enter one or more...

Page 883: ...edure Enter system view and enable the Telnet service Sysname system view Sysname telnet server enable Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 using the local password Sysname ui vty0 authentication mode password Set the local password to 123456 in plain text Sysname ui vty0 set authentication password simple 123456 Specify c...

Page 884: ...heme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to AAA Configuration in the Security Volume for details z Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Create a local user and enter local user view local user user name No local...

Page 885: ...screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes 2 Network diagram Figure 3 6 Network diagram for Telnet configuration with the authentication mode being scheme 3 Configuration procedure z Configure the switch Enter system view and enable the Telnet service Sysname system view Sysname telnet server enable Create a l...

Page 886: ... with the default level not higher than the user level With the command authorization configured the command level for a login user is decided by both the user level and AAA authorization If a user executes a command of the corresponding user level the authorization server checks whether the command is authorized If yes the command can be executed The authorization server checks the commands autho...

Page 887: ...ds will be recorded on the HWTACACS server The command accounting configuration involves two steps 1 Enable command accounting See the following table for details 2 Configure a command accounting scheme Specify the IP address and other related parameters for the accounting server For details refer to the AAA Configuration in the Security Volume Follow these steps to enable command accounting To do...

Page 888: ...1 Network diagram for configuring user authentication Configuration procedure Assign an IP address to Device to make Device be reachable from Host A Host B Host C and RADIUS server The configuration is omitted Enable telnet services on Device Device system view Device telnet server enable Set that no authentication is needed when users use the console port to log in to Device Set the privilege lev...

Page 889: ...tication as the backup Device domain system Device isp system authentication login radius scheme rad local Device isp system authorization login radius scheme rad local Device isp system quit Add a local user named monitor set the user password to 123 and specify to display the password in cipher text Authorize user monitor to use the telnet service and specify the level of the user as 1 that is t...

Page 890: ...standard Specify Device to remove the domain name in the username sent to the HWTACACS server for the scheme Device hwtacacs scheme tac Device hwtacacs tac primary authentication 192 168 2 20 49 Device hwtacacs tac primary authorization 192 168 2 20 49 Device hwtacacs tac key authentication expert Device hwtacacs tac key authorization expert Device hwtacacs tac server type standard Device hwtacacs...

Page 891: ...evice user interface aux 0 Device ui aux0 command accounting Device ui aux0 quit Enable command accounting for users logging in through telnet or SSH Device user interface vty 0 4 Device ui vty0 4 command accounting Device ui vty0 4 quit Create a HWTACACS scheme named tac and configure the IP address and TCP port for the primary authorization server for the scheme Ensure that the port number be co...

Page 892: ...t Create ISP domain system and configure the ISP domain system to use HWTACACS scheme tac for accounting of command line users Device domain system Device isp system accounting command hwtacacs scheme tac Device isp system quit ...

Page 893: ...h is configured The route between the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user name and password for logging in to the Web based network management system are configured IE is available PC operating as the network management terminal The IP address of the management VLAN interface of the switch...

Page 894: ...ess to the management VLAN interface of the switch By default VLAN 1 is the management VLAN z Connect to the console port Refer to section Setting Up the Connection to the Console Port z Execute the following commands in the terminal window to assign an IP address to the management VLAN interface of the switch Configure the IP address of the management VLAN interface to be 10 153 17 82 with the ma...

Page 895: ...s http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 5 2 appears enter the user name and the password configured in step 2 and click Login to bring up the main page of the Web based network management system Figure 5 2 The login page of the Web based network management system ...

Page 896: ...protocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the management VLAN of the switch is configured The route between the NMS and the switch is available Switch The basic SNMP functions are co...

Page 897: ... source IP address interfaces for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source IP address Interface for Telnet Packets The configuration can be performed in user view and system view The configuration performed in user view only applies to the current session Whereas the configuration performed in...

Page 898: ...for Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reachable Displaying the source IP address Interface Specified for Telnet Packets Follow these steps to display the source IP address interface specified for Telnet packets To do Use the command Remarks D...

Page 899: ...ough Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Controlling Network Management Users by Source IP Addresses Controlling Telnet Users Prerequisites The controlling policy against Telnet users is determined including the source and destination IP addresses to be controlled and the controlling actions permitting or denying Controlling ...

Page 900: ...CL refer to ACL Configuration in the Security Volume Follow these steps to control Telnet users by source and destination IP addresses To do Use the command Remarks Enter system view system view Create an advanced ACL or enter advanced ACL view acl ipv6 number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule r...

Page 901: ...ine rules as needed to filter by specific source MAC addresses Quit to system view quit Enter user interface view user interface type first number last number Apply the ACL to control Telnet users by source MAC addresses acl acl number inbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch Layer 2 ACL is invalid for this function if the source IP ...

Page 902: ...control users accessing the switch through SNMP Prerequisites The controlling policy against network management users is determined including the source IP addresses to be controlled and the controlling actions permitting or denying Controlling Network Management Users by Source IP Addresses Follow these steps to control network management users by source IP addresses To do Use the command Remarks...

Page 903: ...tailed configuration refer to SNMP Configuration in the System Volume Configuration Example Network requirements Only SNMP users sourced from the IP addresses of 10 110 100 52 and 10 110 100 46 are permitted to access the switch Figure 8 2 Network diagram for controlling SNMP users using ACLs Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Configuration procedure Define a basic ACL Sys...

Page 904: ...g Web users by source IP addresses To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl ipv6 number acl number match order config auto Required The config keyword is specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment logging Required Quit to system view quit Re...

Page 905: ... network Host B 10 110 100 52 Configuration procedure Create a basic ACL Sysname system view Sysname acl number 2030 match order config Sysname acl basic 2030 rule 1 permit source 10 110 100 52 0 Reference the ACL to allow only Web users using IP address 10 110 100 52 to access the switch Sysname ip http acl 2030 ...

Page 906: ...he configuration file is damaged z Current configuration The currently running configuration on the device z Saved configuration Configurations saved in the startup configuration file Follow these steps to display device configurations To do Use the command Remarks Display the factory defaults of the device display default configuration Display the current validated configurations of the device di...

Page 907: ...command or press the hot key Ctrl Z to return to user view Configuring the Device Name The device name is used to identify a device in a network Inside the system the device name corresponds to the prompt of the CLI For example if the device name is Sysname the prompt of user view is Sysname Follow these steps to configure the device name To do Use the command Remarks Enter system view system view...

Page 908: ...the clock timezone command and the offset time is zone offset z 3 indicates daylight saving time has been configured with the clock summer time command and the offset time is summer offset z 1 indicates the clock datetime command is an optional configuration z The default system clock is 2005 1 1 1 00 00 in the example Table 9 1 Relationship between the configuration and display of the system cloc...

Page 909: ...mer time range date time is displayed Configure clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 Display 02 00 00 zone time Sat 01 01 2005 If the value of the original system clock zone offset is not in the summer time...

Page 910: ...iew after logging in to the device through the console port AUX port or asynchronous serial interface The copyright information will not be displayed under other circumstances The display format of copyright information is as shown below Copyright c 2004 2009 3Com Corp and its licensors All rights reserved This software is protected by copyright law and international treaties Without the prior wri...

Page 911: ...n right after the command keywords The start and end characters of the input text must be the same but are not part of the banner information In this case the input text together with the command keywords cannot exceed 510 characters The other is to input all the banner information in multiple lines by pressing the Enter key In this case up to 2000 characters can be input The latter input mode can...

Page 912: ...z Ctrl G corresponds to the display current configuration command z Ctrl L corresponds to the display ip routing table command z Ctrl O corresponds to the undo debugging all command Table 9 2 Hotkeys reserved by the system Hotkey Function Ctrl A Moves the cursor to the beginning of the current line Ctrl B Moves the cursor one character to the left Ctrl C Stops performing a command Ctrl D Deletes t...

Page 913: ...eyword by configuring the command alias function For example if you configure show as the replacement of the display keyword for each display command you can input the command alias show xx to execute the display xx command Note the following when you configure command aliases z When you input a command alias the system displays and saves the command in its original format instead of its alias Tha...

Page 914: ...this level include ping tracert telnet and ssh2 1 Monitor Includes commands for system maintenance and service fault diagnosis Commands at this level are not allowed to be saved after being configured After the device is restarted the commands at this level will be restored to the default settings Commands at this level include debugging terminal refresh reset and send 2 System Provides service co...

Page 915: ... authentication server User either approach z For local authentication if you do not configure the user level the user level is 0 that is users of this level can use commands with level 0 only z For remote authentication if you do not configure the user level the user level depends on the default configuration of the authentication server z For the description of user interface refer to Login Conf...

Page 916: ...curity Volume Required if users adopt the SSH login mode and only username instead of password is needed at authentication After the configuration the authentication mode of the corresponding user interface must be set to scheme Enter system view system view Enter user interface view user interface type first number last number Configure the authentication mode when a user uses the current user in...

Page 917: ...sname User view commands cluster Run cluster command display Display current system information ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super Set the current user priority level telnet Establish one TELNET connection tracert Trace route function After you set the user privilege level under the user interface users can log in to the dev...

Page 918: ...estores to the original level To avoid misoperations the administrators are recommended to log in to the device by using a lower privilege level and view device operating parameters and when they have to maintain the device they can switch to a higher level temporarily when the administrators need to leave for a while or ask someone else to manage the device temporarily they can switch to a lower ...

Page 919: ...nd level in a specified view command privilege level level view view command Required Refer to Table 9 3 for the default settings You are recommended to use the default command level or modify the command level under the guidance of professional staff otherwise the change of command level may bring inconvenience to your maintenance and operation or even potential security problem Displaying and Ma...

Page 920: ...ynchronous Information Output z Undo Form of a Command z Editing Features z CLI Display z Saving History Command z Command Line Error Information Introduction to CLI CLI is an interaction interface between devices and users Through CLI you can configure your devices by entering commands and view the output information and verify your configurations thus facilitating your configuration and manageme...

Page 921: ...s delete Delete a file dir List files on a file system display Show running system information omitted 2 Enter a command and a separated by a space If is at the position of a keyword all the keywords are given with a brief description Sysname terminal debugging Send debug information to terminal logging Send log information to terminal monitor Send information output to current terminal trapping S...

Page 922: ...em Volume Undo Form of a Command Adding the keyword undo can form an undo command Almost every configuration command has an undo form undo commands are generally used to restore the system default disable a function or cancel a configuration For example the info center enable command is used to enable the information center while the undo info center enable command is used to disable the informati...

Page 923: ...put information The device provides the function to filter the output information You can specify a regular expression that is the output rule to search information you need You can use one of the following two ways to filter the output information z Input the keyword begin exclude or include as well as the regular expression at the command line to filter the output information z Input slash minus...

Page 924: ...example 16A can match a string containing any character among 1 6 and A 1 36A can match a string containing any character among 1 2 3 6 and A with being a hyphen can be matched only when it is put at the beginning of if it is used as a common character in for example string There is no such limit on A character group It is usually used with or For example 123A means a character group 123A 408 12 c...

Page 925: ...ed in this table follow the specific meanings of the characters will be removed For example can match a string containing can match a string containing and b can match a string containing b Multiple screen output When there is a lot of information to be output the system displays the information in multiple screens Generally 24 lines are displayed on one screen and you can also use the screen leng...

Page 926: ... CLI saves the commands in the format that you have input that is if you input a command in its incomplete form the saved history command is also incomplete z If you execute a command for multiple times successively the CLI saves the earliest one However if you execute the different forms of a command the CLI saves each form of this command For example if you execute the display cu command for mul...

Page 927: ... line errors Error information Cause The command was not found The keyword was not found Parameter type error Unrecognized command found at position The parameter value is beyond the allowed range Incomplete command found at position Incomplete command Ambiguous command found at position Ambiguous command Too many parameters Too many parameters Wrong parameter found at position Wrong parameter ...

Page 928: ... device management function you can view the current working state of a device configure running parameters and perform daily device maintenance and management Device Management Configuration Task List Complete these tasks to configure device management Task Remarks Configuring the Exception Handling Method Optional Rebooting a Device Optional Configuring the Scheduled Automatic Execution Function...

Page 929: ...r IRF members Rebooting a Device When a fault occurs to a running device you can remove the fault by rebooting the device depending on the actual situation This operation equals to powering on the device after powering it off It is mainly used to reboot a device in remote maintenance without performing hardware reboot of the device According to the actual environment z You can reboot a member devi...

Page 930: ...he backup boot file to restart the device z If you are performing file operations when the device is to be rebooted the system does not execute the command for the sake of security Configuring the Scheduled Automatic Execution Function The scheduled automatic execution function means that the system automatically executes a specified command at a specified time in a specified view This function is...

Page 931: ...r the automatic execution function is configured the scheduled automatic execution configuration turns invalid automatically z Only the last configuration takes effect if you execute the schedule job command repeatedly z After you configure this feature on the master the configuration is not backed up to the slaves after the change of the master this configuration will be ineffective Upgrading Dev...

Page 932: ...ion configuration information to ensure a successful upgrade Follow these steps to upgrade the Boot ROM program To do Use the command Remarks Enter system view system view Enable the validity check function when upgrading the Boot ROM bootrom update security check enable Optional By default the validity check function is enabled at the time of upgrading Boot ROM Return to user view quit Upgrade th...

Page 933: ... to the device Therefore the device provides the function of disabling the Boot ROM access to enhance security of the device After this function is configured no matter whether you press Ctrl B or not the system does not enter the Boot ROM menu but enters the command line configuration interface directly In addition you need to set the Boot ROM access password when you enter the Boot ROM menu for ...

Page 934: ...void such a case you can clear all 16 bit interface indexes saved but not used in the current system in user view After the above operation z For a re created interface the new interface index may not be consistent with the original one z For existing interfaces their interface indexes remain unchanged Follow these steps to clear the 16 bit interface indexes not used in the current system To do Us...

Page 935: ...er distance and vendor name or name of the vendor who customizes the transceivers to identify the pluggable transceivers Follow these steps to identify pluggable transceivers To do Use the command Remarks Display key parameters of the pluggable transceiver s display transceiver interface interface type interface number Available for all pluggable transceivers Display part of the electrical label i...

Page 936: ... To do Use the command Remarks Display information of the boot file display boot loader slot slot number Available in any view Display the statistics of the CPU usage display cpu usage number offset verbose from device Available in any view Display history statistics of the CPU usage in a chart display cpu usage history task task id slot slot number cpu cpu number Available in any view Display inf...

Page 937: ...ved under the aaa directory of the FTP server z The IP address of Device is 1 1 1 1 24 the IP address of the FTP server is 2 2 2 2 24 and the FTP server is reachable z User can log in to Device via Telnet and a route exists between User and Device Figure 10 2 Network diagram for remote scheduled automatic upgrade FTP Client FTP Server User Telnet Device 1 1 1 1 24 2 2 2 2 24 Internet Configuration...

Page 938: ...t new config cfg Download file soft version2 bin on the FTP server ftp binary ftp get soft version2 bin ftp bye Device Modify the extension of file auto update txt as bat Device rename auto update txt auto update bat To ensure correctness of the file you can use the more command to view the content of the file Execute the scheduled automatic execution function to enable the device to be automatica...

Page 939: ...nload file new config cfg on the TFTP server to Master Note that configurations may vary with different types of servers IRF tftp 2 2 2 2 get new config cfg File will be transferred in binary mode Downloading file from remote TFTP server please wait TFTP 917 bytes received in 1 second s File downloaded successfully Download file new config cfg to Slave with the member ID of 2 IRF tftp 2 2 2 2 get ...

Page 940: ...t boot for all members IRF boot loader file soft version2 bin slot all main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot file at the next reboot on slot 1 The specified file will be used as the main boot file at the next reboot on slot 2 Reboot the device The software version is upgraded now IRF reboot ...

Page 941: ...nd file copy and display If an operation delete or overwrite for example causes problems such as data loss or corruption the file system will prompt you to confirm the operation by default Depending on the managed object file system operations fall into Directory Operations File Operations Batch Operations Storage Medium Operations and Setting File System Prompt Modes Filename Formats When you spe...

Page 942: ...characters flash test a txt Indicates that a file named a txt is in the test folder under the root directory of the flash memory on the master To read and write the a txt file under the root directory of the flash on a slave with the member ID 2 input slot2 flash a txt for the filename For the S4510G series when you specify a configuration file cfg file startup file bin file or Boot ROM file by in...

Page 943: ...emoved must be empty meaning that before you remove a directory you must delete all the files and the subdirectory under this directory For file deletion refer to the delete command for subdirectory deletion refer to the rmdir command z After you execute the rmdir command successfully the files in the recycle bin under the directory will be automatically deleted File Operations File operations inc...

Page 944: ...ew Renaming a file To do Use the command Remarks Rename a file rename fileurl source fileurl dest Required Available in user view Copying a file To do Use the command Remarks Copy a file copy fileurl source fileurl dest Required Available in user view Moving a file To do Use the command Remarks Move a file move fileurl source fileurl dest Required Available in user view Deleting a file To do Use t...

Page 945: ...bin To do Use the command Remarks Enter the original working directory of the file to be deleted cd directory Optional If the original directory of the file to be deleted is not the current working directory this command is required Available in user view Delete the file under the current directory and in the recycle bin reset recycle bin force Required Available in user view Batch Operations A ba...

Page 946: ...Use the command Remarks Restore the space of a storage medium fixdisk device Optional Available in user view Format a storage medium format device Optional Available in user view z When you format a storage medium all the files stored on it are erased and cannot be restored In particular if there is a startup configuration file on the storage medium formatting the storage medium results in loss of...

Page 947: ...bin 4 drw Apr 26 2007 19 58 11 test 31496 KB total 9943 KB free Create a new folder called mytest under the test directory Sysname cd test Sysname mkdir mytest Created dir flash test mytest Display the current working directory Sysname pwd flash test Display the files and the subdirectories under the test directory Sysname dir Directory of flash test 0 drw Apr 26 2007 19 58 39 mytest 31496 KB tota...

Page 948: ... text file It z Saves configuration in the form of commands z Saves only non default configuration settings z Lists commands in sections by views usually in the order of system view interface view and routing protocol view Sections are separated with one or multiple blank lines or comment lines that start with a pound sign z Ends with a return Coexistence of multiple configuration files Multiple c...

Page 949: ...figuration on your device using command line interface However the current configuration is temporary To make the modified configuration take effect at the next boot of the device you must save the current configuration to the startup configuration file before the device reboots Complete these tasks to save the current configuration Task Remarks Enabling configuration file auto save Optional Modes...

Page 950: ... root directories of the storage media of all the member devices and specify the file as the startup configuration file that will be used at the next system startup save safely backup main Required Use either command Available in any view z The configuration file must be with extension cfg z Whether the save safely backup main command or the save filename all command Enter takes effect on all the ...

Page 951: ...n two ways the system saves the current running configuration at a specified interval or you can save the current running configuration as needed 3 Roll back the current running configuration to the configuration state based on a saved configuration file When the related command is entered the system first compares and then processes the differences between the current running configuration and th...

Page 952: ...00 it restarts from 1 If you change the path or filename prefix or reboot the device the saved file serial number restarts from 1 and the system recounts the saved configuration files If you change the path of the saved configuration files the files in the original path become common configuration files and are not processed as saved configuration files The number of saved configuration files has ...

Page 953: ...rent running configuration automatically You can configure the system to save the current running configuration at a specified interval and use the display archive configuration command to view the filenames and save time of the saved configuration files so as to roll back the current configuration to a previous configuration state Configure an automatic saving interval according to the storage me...

Page 954: ...nning configuration manually otherwise the operation fails Setting configuration rollback Follow these steps to set configuration rollback To do Use the command Remarks Enter system view system view Set configuration rollback configuration replace file filename Required Configuration rollback may fail if one of the following situations is present if a command cannot be rolled back the system skips...

Page 955: ...m startup To do Use the command Remarks Specify a startup configuration file for the next system startup of all the member devices startup saved configuration cfgfile backup main Required Available in user view A configuration file must use cfg as its extension name and the startup configuration file must be saved under the root directory of the storage medium Backing Up the Startup Configuration ...

Page 956: ...ecified in the command to NULL You may need to delete the startup configuration file for the next startup for one of these reasons z After you upgrade system software the existing configuration file does not match the new system software z The configuration file is corrupted often caused by loading a wrong configuration file After the startup configuration file is deleted the system will use the n...

Page 957: ...e restored startup configuration file exists Displaying and Maintaining Device Configuration To do Use the command Remarks Display the information about configuration rollback display archive configuration Available in any view Display the currently running configuration file saved on the storage medium of the device display saved configuration by linenum Available in any view Display the configur...

Page 958: ...or btm z ASCII mode for text file transmission like files with the suffixes txt bat or cfg Operation of FTP FTP adopts the client server model Your device can function either as the client or as the server as shown in Figure 12 1 z When the device serves as the FTP client the user first connects to the device from a PC through Telnet or an emulation program and then executes the ftp command to est...

Page 959: ...he FTP server configuration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous FTP for security reasons Therefore you must use a valid username and password By default authenticated users can access the root directory of the device Device FTP server Configure the FTP server oper...

Page 960: ...mined by the matched route as the source IP address to communicate with an FTP server z If the source address is specified with the ftp client source or ftp command this source address is used to communicate with an FTP server z If you use the ftp client source command and the ftp command to specify a source address respectively the source address specified with the ftp command is used to communic...

Page 961: ...and is available in FTP client view Configuring the FTP Client After a device serving as the FTP client has established a connection with the FTP server For how to establish an FTP connection refer to Establishing an FTP Connection you can perform the following operations in the authorized directories of the FTP server To do Use the command Remarks Display help information of FTP related commands ...

Page 962: ...server rmdir directory Optional Disconnect from the FTP server without exiting the FTP client view disconnect Optional Equal to the close command Disconnect from the FTP server without exiting the FTP client view close Optional Equal to the disconnect command Disconnect from the FTP server and exit to user view bye Optional Terminate the connection with the remote FTP server and exit to user view ...

Page 963: ...from an FTP server Configuration procedure If the available memory space of the device is not enough use the fixdisk command to clear the memory or use the delete unreserved file url command to delete the files not in use and then perform the following operations Log in to the server through FTP Sysname ftp 10 1 1 1 Trying 10 1 1 1 Connected to 10 1 1 1 220 WFTPD 2 0 service by Texas Imperial Soft...

Page 964: ...tory of the storage medium You can copy or move a file to the root directory of the storage medium For the details of the boot loader command refer to Device Management Commands in the System Volume IRF System Upgrade Network requirements z As shown in Figure 12 3 use Device as an FTP client and PC as the FTP server Their IP addresses are 10 2 1 1 16 and 10 1 1 1 16 respectively An available route...

Page 965: ...et newest bin z Download the startup file newest bin from PC to the root directory of the storage medium of a slave with member ID of 2 ftp get newest bin slot2 flash newest bin Upload the configuration file config cfg of the device to the server for backup ftp ascii ftp put config cfg back config cfg 227 Entering Passive Mode 10 1 1 1 4 2 125 ASCII mode data connection already open transfer start...

Page 966: ... mode the FTP server writes data to the storage medium while receiving data This means that any anomaly power failure for example during file transfer might result in file corruption on the FTP server This mode however consumes less memory space than the fast mode Follow these steps to configure the FTP server To do Use the command Remarks Enter system view system view Enable the FTP server ftp se...

Page 967: ...olume Follow these steps to configure authentication and authorization for FTP server To do Use the command Remarks Enter system view system view Create a local user and enter its view local user user name Required No local user exists by default and the system does not support FTP anonymous user access Assign a password to the user password simple cipher password Required Assign the FTP service t...

Page 968: ...s are 1 2 1 1 16 and 1 1 1 1 16 respectively An available route exists between Device and PC z PC keeps the updated startup file of the device Use FTP to upgrade the device and back up the configuration file z Set the username to ftp and the password to pwd for the FTP client to log in to the FTP server Figure 12 4 Smooth upgrading using the FTP server Configuration procedure 1 Configure Device FT...

Page 969: ...ent Log in to the FTP server through FTP c ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none abc 331 Password required for abc Password 230 User logged in Download the configuration file config cfg of the device to the PC for backup ftp get config cfg back config cfg Upload the configuration file newest bin to Device ftp put newest bin ftp bye z You can take the same steps t...

Page 970: ... Use FTP to upgrade the device and back up the configuration file z Set the username to ftp and the password to pwd for the FTP client to log in to the FTP server Figure 12 5 Smooth upgrading using the FTP server Configuration procedure 1 Configure Device FTP Server Create an FTP user account ftp set its password to pwd and the user privilege level to level 3 the manage level Sysname system view S...

Page 971: ...2337 Apr 26 2000 13 47 32 archive_1 cfg 6 rw 478164 Apr 26 2000 14 52 35 4510G_505 btm 7 rw 368 Apr 26 2000 12 04 04 patch_xxx bin 8 rw 2337 Apr 26 2000 14 16 48 sfp cfg 9 rw 2195 Apr 26 2000 14 10 41 4510G cfg 31496 KB total 11004 KB free 2 Configure the PC FTP Client Log in to the FTP server through FTP c ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none abc 331 Password r...

Page 972: ...oard Continue Y N y The specified file will be used as the main boot file at the next reboot on slot 1 The specified file will be used as the main boot file at the next reboot on slot 2 Reboot the device and the startup file is updated at the system reboot Sysname reboot The startup file used for the next startup must be saved under the root directory of the storage medium You can copy or move a f...

Page 973: ...is initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In a normal file uploading process the client sends a write request to the TFTP server sends data to the server and receives the acknowledgement from the server TFTP transfers files in two modes z Binar...

Page 974: ...the secure mode or if you use the normal mode specify a filename not existing in the current directory as the target filename when downloading the startup file or the startup configuration file Source address binding means to configure an IP address on a stable interface such as a loopback interface and then use this IP address as the source IP address of a TFTP connection The source address bindi...

Page 975: ...address get put sget source filename destination filename source interface interface type interface number ip source ip address Optional Available in user view Download or upload a file in an IPv6 network tftp ipv6 tftp ipv6 server i interface type interface number get put source file destination file Optional Available in user view z If no primary IP address is configured on the source interface ...

Page 976: ...is omitted z On the PC enable the TFTP server z Configure a TFTP working directory 2 Configure Device TFTP Client If the available memory space of the device is not enough use the fixdisk command to clear the memory or use the delete unreserved file url command to delete the files not in use and then perform the following operations Enter system view Sysname system view Download application file n...

Page 977: ...Device and PC z Device downloads a startup file from PC for upgrading and uploads a configuration file named config cfg to PC for backup Figure 13 3 Smooth upgrading using the TFTP client function Configuration procedure 1 Configure PC TFTP Server the configuration procedure is omitted z On the PC enable the TFTP server z Configure a TFTP working directory 2 Configure Device TFTP Client If the ava...

Page 978: ...o be used at the next startup for all the member devices Sysname boot loader file newest bin slot all main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot file at the next reboot on slot 1 The specified file will be used as the main boot file at the next reboot on slot 2 Reboot the device and the software is upgraded Sysnam...

Page 979: ...ically the port number is 80 2 The client sends a request to the server 3 The server processes the request and sends back a response 4 The TCP connection is closed Logging In to the Device Through HTTP You can log onto the device using the HTTP protocol with HTTP service enabled accessing and controlling the device with Web based network management To implement security management on the device yo...

Page 980: ...ort number Required By default the port number of the HTTP service is 80 If you execute the ip http port command for multiple times the last configured port number is used Associating the HTTP Service with an ACL By associating the HTTP service with an ACL only the clients that pass ACL filtering are allowed to access the device Follow these steps to associate the HTTP service with an ACL To do Us...

Page 981: ...ses the SSL protocol to ensure the legal clients to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security management of the device z Defines certificate attribute based access control policy for the device to control the access right of the client in ord...

Page 982: ...sl server policy command is executed repeatedly the HTTPS service is only associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS service and the SSL server is automatically removed To enable it again you need to re associate the HTTPS service with an SSL server policy z When the HTTPS service is enabled no modification of its ass...

Page 983: ... associate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate attribute access control policy ip https certificate access control policy policy name Required Not associated by default z If the ip https certificate access control policy command is executed repeatedly the HTTP...

Page 984: ...he HTTPS service with an ACL To do Use the command Remarks Enter system view system view Associate the HTTPS service with an ACL ip https acl acl number Required Not associated by default Displaying and Maintaining HTTPS To do Use the command Remarks Display information about HTTPS display ip https Available in any view HTTPS Configuration Example Network requirements z Host acts as the HTTPS clie...

Page 985: ...ificate request entity en Device pki domain 1 quit Generate a local RSA key pair Device public key local create rsa Obtain a server certificate from CA Device pki retrieval certificate ca domain 1 Apply for a local certificate Device pki request certificate domain 1 2 Configure an SSL server policy associated with the HTTPS service Configure an SSL server policy Device ssl server policy myssl Devi...

Page 986: ...th certificate attribute access control policy myacp Device ip https certificate access control policy myacp 6 Enable the HTTPS service Enable the HTTPS service Device ip https enable 7 Verify the configuration Launch the IE explorer on Host and enter https 10 1 1 1 You can log in to Device and control it z The URL of the HTTPS server starts with https and that of the HTTP server starts with http ...

Page 987: ...d the underlying networking technology Thus SNMP achieves effective management of devices from different manufacturers especially in small high speed and low cost network environments SNMP Mechanism An SNMP enabled network comprises a Network Management Station NMS and an agent z An NMS is a station that runs the SNMP client software It offers a user friendly interface making it easier for network...

Page 988: ...ween the NMS and agent preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy authentication without privacy or no authentication no privacy Successful interaction between NMS and agent requires consistency of SNMP versions configured on them You can configure multiple SNMP versions for an agent to intera...

Page 989: ... are as follows 3Com Corporation for contact Marlborough MA 01752 USA for location and SNMP v3 for the version Configure an SNMP agent group snmp agent group v3 group name authentication privacy read view read view write view write view notify view notify view acl acl number Required Convert the user defined plain text password to a cipher text password snmp agent calculate password plain password...

Page 990: ... v3 all Required The defaults are as follows 3Com Corporation for contact Marlborough MA 01752 USA for location and SNMP v3 for the version Configur e directly Create an SNMP commun ity snmp agent community read write community name acl acl number mib view view name Configur e an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl...

Page 991: ...ndex of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system prompt information With parameters for the information center set the output rules for SNMP logs are decided that is whether the logs are permitted to output and the output destinations SNMP logs GET request SET request and SET response but does not...

Page 992: ...e specific modules as needed With the trap function enabled on a module the traps generated by the module will be sent to the information center The information center has seven information output destinations By default traps of all modules are allowed to be output to the console monitor terminal monitor loghost and logfile traps of all modules and with level equal to or higher than warnings are ...

Page 993: ...NMP module the SNMP module saves the traps in the trap queue You can set the size of the queue and the holding time of the traps in the queue and you can also send the traps to the specified destination host usually the NMS Follow these steps to configure trap parameters To do Use the command Remarks Enter system view system view Configure target host attribute for traps snmp agent target host tra...

Page 994: ...s Display SNMP agent system information including the contact location and version of the SNMP display snmp agent sys info contact location version Display SNMP agent statistics display snmp agent statistics Display the SNMP agent engine ID display snmp agent local engineid Display SNMP agent group information display snmp agent group group name Display basic information of the trap queue display ...

Page 995: ...snmp agent community write private Configure VLAN interface 2 with the IP address of 1 1 1 1 24 Add the port GigabitEthernet 1 0 1 to VLAN 2 Sysname vlan 2 Sysname vlan2 port GigabitEthernet 1 0 1 Sysname Vlan2 quit Sysname interface vlan interface 2 Sysname Vlan interface2 ip address 1 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configure the contact person and physical location information ...

Page 996: ...VLAN interface on the agent is 1 1 1 1 24 z Configure community name access right and SNMP version on the agent Figure 16 4 Network diagram for SNMP logging Configuration procedure The configurations for the NMS and agent are omitted Enable logging display on the terminal This function is enabled by default so that you can omit this configuration Sysname terminal monitor Sysname terminal logging E...

Page 997: ...an 1 02 49 40 566 2006 The time when SNMP log is generated seqNO Sequence number of the SNMP log srcIP IP address of NMS op SNMP operation type GET or SET node Node name of the SNMP operations and OID of the instance erroIndex Error index with 0 meaning no error errorstatus Error status with noError meaning no error value Value set when the SET operation is performed This field is null meaning the...

Page 998: ...exible management of the device the device allows you to configure MIB style that is you can switch between the two styles of MIBs However you need to ensure that the MIB style of the device is the same as that of the NMS Setting the MIB Style Follow these steps to set the MIB style To do Use the command Remarks Enter system view system view Set the MIB style of the device mib style new compatible...

Page 999: ...ork monitor or a network probe It monitors and collects statistics on traffic over the network segments connected to its interfaces such as the total number of packets passed through a network segment over a specified period or the total number of good packets sent to a host Working Mechanism RMON allows multiple monitors A monitor provides two ways of data gathering z Using RMON probes NMSs can o...

Page 1000: ... an upper event is triggered if the sampled value of the monitored variable is lower than or equal to the lower threshold a lower event is triggered The event is then handled as defined in the event group The following is how the system handles entries in the RMON alarm table 1 Samples the alarm variables at the specified interval 2 Compares the sampled values with the predefined threshold and tri...

Page 1001: ...s undersize oversize packets broadcasts multicasts bytes received packets received bytes sent packets sent and so on After the creation of a statistics entry on an interface the statistics group starts to collect traffic statistics on the current interface The result of the statistics is a cumulative sum Configuring RMON Configuration Prerequisites Before configuring RMON configure the SNMP agent ...

Page 1002: ...s that can be created the creation fails z When you create an entry in the history table if the specified buckets number argument exceeds the history table size supported by the device the entry will be created However the validated value of the buckets number argument corresponding to the entry is the history table size supported by the device Table 17 1 Restrictions on the configuration of RMON ...

Page 1003: ...og entry number Available in any view RMON Configuration Example Network requirements Agent is connected to a configuration terminal through its console port and to a remote NMS across the Internet Create an entry in the RMON Ethernet statistics table to gather statistics on GigabitEthernet 1 0 1 and enable logging after received bytes exceed the specified threshold Figure 17 1 Network diagram for...

Page 1004: ...ysname rmon event 1 log owner 1 rmon Configure an alarm group to sample received bytes on GigabitEthernet 1 0 1 When the received bytes exceed the upper or below the lower limit logging is enabled Sysname rmon alarm 1 1 3 6 1 2 1 16 1 1 1 4 1 10 delta rising threshold 1000 1 falling threshold 100 1 owner 1 rmon Sysname display rmon alarm 1 Alarm table 1 owned by 1 rmon is VALID Samples type delta ...

Page 1005: ...y in this table indicates the MAC address of a connected device ID of the interface to which this device is connected and ID of the VLAN to which the interface belongs When forwarding a frame the device looks up the MAC address table according to the destination MAC address of the frame to rapidly determine the egress port thus reducing broadcasts How a MAC Address Table Entry is Generated A MAC a...

Page 1006: ...ntries into the MAC address table of the device to bind specific user devices to the port thus preventing hackers from stealing data using forged MAC addresses Manually configured MAC address table entries have a higher priority than dynamically learned ones Types of MAC Address Table Entries A MAC address table may contain the following types of entries z Static entries which are manually configu...

Page 1007: ...fy or remove entries in the MAC address table globally To do Use the command Remarks Enter system view system view mac address blackhole mac address vlan vlan id Add modify a MAC address entry mac address dynamic static mac address interface interface type interface number vlan vlan id Required Follow these steps to add modify or remove entries in the MAC address table on an interface To do Use th...

Page 1008: ...latest network changes a short interval may result in removal of valid entries and hence unnecessary broadcasts which may affect device performance Follow these steps to configure the aging timer for dynamic MAC address entries To do Use the command Remarks Enter system view system view Configure the aging timer for dynamic MAC address entries mac address timer aging seconds no aging Optional 300 ...

Page 1009: ...ormation display mac address mac address vlan vlan id dynamic static interface interface type interface number vlan vlan id count Display the aging timer for dynamic MAC address entries display mac address aging time Display MAC address statistics display mac address statistics Available in any view MAC Address Table Management Configuration Example Network requirements Log onto your device from t...

Page 1010: ...18 6 000f e235 dc71 1 Config static GigabitEthernet 1 0 1 NOAGED 1 mac address es found ...

Page 1011: ...mation Works When a new MAC address is learned or an existing MAC address is deleted on a device the device writes related information about the MAC address to the buffer area used to store user information When the timer set for sending MAC address monitoring Syslog or Trap messages expires or when the buffer is used up the device sends the Syslog or Trap messages to the monitor end immediately C...

Page 1012: ...ng the Interval for Sending Syslog or Trap Messages To prevent Syslog or Trap messages being sent too frequently and thus affecting system performance you can set the interval for sending Syslog or Trap messages Follow these steps to set the interval for sending Syslog or Trap messages To do Use the command Remarks Enter system view system view Set the interval for sending Syslog or Trap messages ...

Page 1013: ...etwork requirements z Host A is connected to a remote server Server through Device z Enable MAC Information on GigabitEthernet 1 0 1 on Device Device sends MAC address change information using Syslog messages to Host B through GigabitEthernet 1 0 3 Host B analyzes and displays the Syslog messages Figure 19 1 Network diagram for MAC Information configuration Configuration procedure 1 Configure Devi...

Page 1014: ...thernet1 0 1 mac address information enable added Device GigabitEthernet1 0 1 mac address information enable deleted Device GigabitEthernet1 0 1 quit Set the MAC Information queue length to 100 Device mac address information queue length 100 Set the interval for sending Syslog or Trap messages to 20 seconds Device mac address information interval 20 ...

Page 1015: ...o the destination device 2 The source device determines whether the destination is reachable based on whether it receives an ICMP echo reply if the destination is reachable the source device determines the link quality based on the numbers of ICMP echo requests sent and replies received determines the distance between the source and destination based on the round trip time of ping packets Configur...

Page 1016: ...m Device A to Device C Figure 20 1 Ping network diagram Configuration procedure Use the ping command to display whether an available route exists between Device A and Device C DeviceA ping 1 1 2 2 PING 1 1 2 2 56 data bytes press CTRL_C to break Reply from 1 1 2 2 bytes 56 Sequence 1 ttl 254 time 205 ms Reply from 1 1 2 2 bytes 56 Sequence 2 ttl 254 time 1 ms Reply from 1 1 2 2 bytes 56 Sequence 3...

Page 1017: ...tatistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 11 53 ms The principle of ping r is as shown in Figure 20 1 1 The source Device A sends an ICMP echo request with the RR option being empty to the destination Device C 2 The intermediate device Device B adds the IP address 1 1 2 1 of its outbound interface to the RR option of the ICMP echo request and fo...

Page 1018: ...ves the packet responds by sending a TTL expired ICMP error message to the source with its IP address 1 1 1 2 encapsulated In this way the source device can get the address 1 1 1 2 of the first Layer 3 device 4 The source device sends a packet with a TTL value of 2 to the destination device 5 The second hop Device C responds with a TTL expired ICMP error message which gives the source device the a...

Page 1019: ... functions For the majority of protocols and features supported the system provides corresponding debugging information to help users diagnose errors The following two switches control the display of debugging information z Protocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging information on a certain...

Page 1020: ...al monitor Optional The terminal monitoring on the console is enabled by default and that on the monitoring terminal is disabled by default Available in user view Enable the terminal display of debugging information terminal debugging Required Disabled by default Available in user view Enable debugging for a specified module debugging all timeout time module name option Required Disabled by defaul...

Page 1021: ... DeviceA ip ttl expires enable DeviceA ip unreachables enable DeviceA tracert 1 1 2 2 traceroute to 1 1 2 2 1 1 2 2 30 hops max 40 bytes packet press CTRL_C to bre ak 1 1 1 1 2 14 ms 10 ms 20 ms 2 3 4 5 DeviceA The above output shows that no available route exists between Device A and Device C an available router exists between Device A and Device B an error occurred on the connection between Devi...

Page 1022: ...module z Outputs the above information to different information channels according to the user defined output rules z Outputs the information to different destinations based on the information channel to destination associations To sum up information center assigns the log trap and debugging information to the ten information channels according to the eight severity levels and then outputs the inf...

Page 1023: ... system information The system supports six information output destinations including the console monitor terminal monitor log buffer log host trap buffer and SNMP module The specific destinations supported vary with devices The system supports ten channels The six channels 0 through 5 are configured with channel names output rules and are associated with output destinations by default The channel...

Page 1024: ...fault output rules of system information The default output rules define the source modules allowed to output information on each output destination the output information type and the output information level as shown in Table 21 3 which indicates that by default and in terms of all modules z Log information with severity level equal to or higher than informational is allowed to be output to the ...

Page 1025: ...tions z If the output destination is not the log host such as console monitor terminal logbuffer trapbuffer SNMP the system information is in the following format timestamp sysname module level digest content For example a monitor terminal connects to the device When a terminal logs in to the device the log information in the following format is displayed on the monitor terminal Jun 26 17 08 35 80...

Page 1026: ...seconds sysname Sysname is the system name of the current host You can use the sysname command to modify the system name Refer to Basic System Configuration Commands in the System Volume for details This field is a preamble used to identify a vendor It is displayed only when the output destination is log host nn This field is a version identifier of syslog It is displayed only when the output dest...

Page 1027: ...n to a Monitor Terminal Optional Outputting System Information to a Log Host Optional Outputting System Information to the Trap Buffer Optional Outputting System Information to the Log Buffer Optional Outputting System Information to the SNMP Module Optional Configuring Synchronous Information Output Optional Outputting System Information to the Console Outputting system information to the console...

Page 1028: ...he command Remarks Enable the monitoring of system information on the console terminal monitor Optional Enabled on the console and disabled on the monitor terminal by default Enable the display of debugging information on the console terminal debugging Required Disabled by default Enable the display of log information on the console terminal logging Optional Enabled by default Enable the display o...

Page 1029: ... monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Follow these steps to enable the display of system information on a monitor terminal To do Use the command Remarks Enable the monitoring of system information on a monitor terminal terminal monitor Required Enabled on the console and disabled on the monitor termin...

Page 1030: ...primary IP address of this interface is the source IP address of the log information Configure the format of the time stamp for system information output to the log host info center timestamp loghost date no year date none Optional date by default Outputting System Information to the Trap Buffer The trap buffer receives the trap information only and discards the log and debugging information even ...

Page 1031: ...tion center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 21 2 for default channel names Configure the channel through which system information can be output to the log buffer and specify the buffer size info center logbuffer channel channel number channel name size buffer...

Page 1032: ... module info center snmp channel channel number channel name Optional By default system information is output to the SNMP module through channel 5 known as snmpagent Configure the output rules of the system information info center source module name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Optional R...

Page 1033: ...ion in some cases for example z You only concern the states of some of the ports In this case you can use this function to disable the other ports from generating link up down logging information z The state of a port is not stable and therefore redundant logging information will be generated In this case you can use this function to disable the port from generating link up down logging informatio...

Page 1034: ...splay the configuration of the log file display logfile summary Available in any view Display the state of the trap buffer and the trap information recorded display trapbuffer reverse size buffersize Available in any view Reset the log buffer reset logbuffer Available in user view Reset the trap buffer reset trapbuffer Available in user view Information Center Configuration Examples Outputting Log...

Page 1035: ...ational to be output to the log host Note that the source modules allowed to output information depend on the device model Sysname info center source arp channel loghost log level informational state on Sysname info center source ip channel loghost log level informational state on 2 Configure the log host The following configurations were performed on SunOS 4 0 which has similar configurations to ...

Page 1036: ...d r After the above configurations the system will be able to record log information into the log file Outputting Log Information to a Linux Log Host Network requirements z Send log information to a Linux log host with an IP address of 1 2 0 1 16 z Log information with severity higher than informational will be output to the log host z All modules can output log information Figure 21 2 Network dia...

Page 1037: ...conf and add the following contents Device configuration messages local5 info var log Device info log In the above configuration local5 is the name of the logging facility used by the log host to receive logs info is the information level The Linux system will record the log information with severity level equal to or higher than informational to file var log Device info log Be aware of the follow...

Page 1038: ... the output of log trap and debugging information of all modules on channel console Sysname info center source default channel console debug state off log state off trap state off As the default system configurations for different channels are different you need to disable the output of log trap and debugging information of all modules on the specified channel console in this example first and the...

Page 1039: ...Sysname terminal monitor Current terminal monitor is on Sysname terminal logging Current terminal logging is on After the above configuration takes effect if the specified module generates log information the information center automatically sends the log information to the console which then displays the information ...

Page 1040: ...s they will be numbered as 1 2 and 3 respectively Incremental patch Patches in a patch file are all incremental patches An incremental patch means that the patch is dependent on the previous patch units For example if a patch file has three patch units patch 3 can be running only after patch 1 and 2 take effect You cannot run patch 3 separately Common patch and temporary patch Patches fall into tw...

Page 1041: ...s turn to the ACTIVE state Figure 22 1 Relationship between patch state changes and command actions Information about patch states is saved in file patchstate on the flash It is recommended not to operate this file IDLE state Patches in the IDLE state are not loaded You cannot install or run the patches as shown in Figure 22 2 suppose the memory patch area can load up to eight patches The patches ...

Page 1042: ...te At this time the patch states in the system are as shown in Figure 22 3 The patches that are in the DEACTIVE state will be still in the DEACTIVE state after system reboot Figure 22 3 A patch file is loaded to the memory patch area ACTIVE state Patches in the ACTIVE state are those that have run temporarily in the system and will become DEACTIVE after system reboot For the seven patches in Figur...

Page 1043: ...es of the system are as shown in Figure 22 5 Figure 22 5 Patches are running The patches that are in the RUNNING state will be still in the RUNNING state after system reboot Hotfix Configuration Task List Task Remarks One Step Patch Installation Install patches Step by Step Patch Installation Use either approach The step by step patch installation allows you to control the patch status One Step Pa...

Page 1044: ...atch name for device Table 22 1 Default patch names for device Product PATCH FLAG Default patch name 4510G PATCH XXX patch_xxx bin The loading and installation are performed on all member devices Before these operations save the same patch files to the root directories in the storage media of all member devices One Step Patch Installation You can use the patch install command to install patches in...

Page 1045: ... patch file location patch location patch location Optional flash by default z The directory specified by the patch location argument must exist on each member device If one member device does not have such directory the system cannot locate the patch file on the member device z The patch install command changes patch file location specified with the patch location command to the directory specifi...

Page 1046: ... is of some problem you can reboot the device to deactivate the patch so as to avoid a series of running faults resulting from patch error Follow the steps below to activate patches To do Use the command Remarks Enter system view system view Activate the specified patches patch active patch number slot slot number Required Confirm Running Patches After you confirm the running of a patch the patch ...

Page 1047: ...u stop running a patch the patch state becomes DEACTIVE and the system runs in the way before it is installed with the patch Follow the steps below to stop running patches To do Use the command Remarks Enter system view system view Stop running the specified patches patch deactive patch number slot slot number Required Deleting Patches Deleting patches only removes the patches from the memory patc...

Page 1048: ...tfix configuration Configuration procedure 1 Configure TFTP Server Note that the configuration varies depending on server type and the configuration procedure is omitted z Enable the TFTP server function z Save the patch file patch_xxx bin to the directory of the TFTP server 2 Configure Device Make sure the free flash space of the device is big enough to store the patch file Before upgrading the s...

Page 1049: ...Configuration procedure 1 Configure the TFTP server Note that the configuration varies depending on server type and the configuration procedure is omitted z Enable the TFTP server function z Save the patch file patch_xxx bin to the directory of TFTP server 2 Configure Device Make sure the free flash space of the device is big enough to store the patch files Before upgrading the software use the sa...

Page 1050: ...ice patch install flash Patches will be installed Continue Y N y Do you want to continue running patches after reboot Y N y Installing patches Installation completed and patches will continue to run after reboot ...

Page 1051: ...ransfer rate With the NQA test results you can 1 Know network performance in time and then take corresponding measures 2 Diagnose and locate network faults Features of NQA Supporting multiple test types Ping can use only the Internet Control Message Protocol ICMP to test the reachability of the destination host and the roundtrip time of a packet to the destination As an enhancement to the Ping too...

Page 1052: ...e static routing as an example You have configured a static route with the next hop 192 168 0 88 If 192 168 0 88 is reachable the static route is valid if 192 168 0 88 is unreachable the static route is invalid With the collaboration between NQA Track module and application modules real time monitoring of reachability of the static route can be implemented 2 Monitor reachability of the destination...

Page 1053: ...test one probe means to carry out a corresponding function z For an ICMP echo or UDP echo test one packet is sent in one probe z For an SNMP test three packets are sent in one probe NQA client and server NQA client is the device initiating an NQA test and the NQA test group is created on the NQA client NQA server processes the test packets sent from the NQA client as shown in Figure 23 2 The NQA s...

Page 1054: ...ke the following configurations on the NQA client 1 Enable the NQA client 2 Create a test group and configure test parameters according to the test type The test parameters may vary with test types 3 Start the NQA test After the test you can view test results using the display or debug commands Complete these tasks to configure NQA client Task Remarks Enabling the NQA Client Required Creating an N...

Page 1055: ...ver tcp connect udp echo ip address port number Required The IP address and port number must be consistent with those configured on the NQA client and must be different from those of an existing listening service Enabling the NQA Client Configurations on the NQA client take effect only when the NQA client is enabled Follow these steps to enable the NQA client To do Use the command Remarks Enter sy...

Page 1056: ...echo and enter test type view type icmp echo Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a test operation Configure the size of probe packets sent data size size Optional 100 bytes by default Configure the filler string of a probe packet sent data fill string Optional By default the filler...

Page 1057: ...of a DHCP server on the network as well as the time necessary for the DHCP server to respond to a client request and assign an IP address to the client Configuration prerequisites Before performing a DHCP test you need to configure the DHCP server If the NQA DHCP client and the DHCP server are not in the same network segment you need to configure a DHCP relay For the configuration of DHCP server a...

Page 1058: ...r example you need to configure the username and password used to log onto the FTP server For the FTP server configuration see File System Management Configuration in the System Volume Configuring an FTP test Follow these steps to configure an FTP test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as...

Page 1059: ... the get command the device does not save the files obtained from the FTP server z When you execute the get command the FTP test cannot succeed if a file named file name does not exist on the FTP server z When you execute the get command please use a file with a smaller size as a big file may result in test failure because of timeout or may affect other services because of occupying too much netwo...

Page 1060: ...pe for the HTTP is get that is obtaining data from the HTTP server Configure the website that an HTTP test visits url url Required Configure the HTTP version used in the HTTP test http version v1 0 Optional By default HTTP 1 0 is used in an HTTP test Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional The TCP port number for the HTTP server...

Page 1061: ...er system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as UDP jitter and enter test type view type udp jitter Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a test operation The destination IP address must be consistent with that of the...

Page 1062: ...parameters See Configuring Optional Parameters Common to an NQA Test Group Optional The number of probes made in a UDP jitter test depends on the probe count command while the number of probe packets sent in each probe depends on the configuration of the probe packet number command Configuring an SNMP Test An SNMP query test is used to test the time the NQA client takes to send an SNMP query packe...

Page 1063: ...etween the client and the specified port on the NQA server and the setup time for the connection thus judge the availability and performance of the services provided on the specified port on the server Configuration prerequisites A TCP test requires cooperation between the NQA server and the NQA client The TCP listening function needs to be configured on the NQA server before the TCP test For the ...

Page 1064: ... connectivity and roundtrip time of a UDP echo packet from the client to the specified UDP port on the NQA server Configuration prerequisites A UDP echo test requires cooperation between the NQA server and the NQA client The UDP listening function needs to be configured on the NQA server before the UDP echo test For the configuration of the UDP listening function see Configuring the NQA Server Con...

Page 1065: ... an interface on the device and the interface must be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Configuring a Voice Test It is recommended not to perform an NQA UDP jitter test on known ports namely ports from 1 to 1023 Otherwise the NQA test will fail or the corresponding services of these ports wi...

Page 1066: ...ed when you evaluate the voice quality Configuration prerequisites A voice test requires cooperation between the NQA server and the NQA client Before a voice test make sure that the UDP listening function is configured on the NQA server For the configuration of UDP listening function see Configuring the NQA Server Configuring a voice test Follow these steps to configure a voice test To do Use the ...

Page 1067: ...11 µ law codec type and is 32 bytes for G 729 A law codec type Configure the filler string of a probe packet sent data fill string Optional By default the filler string of a probe packet is the hexadecimal number 00010203040506070809 Configure the number of packets sent in a voice probe probe packet number packet number Optional 1000 by default Configure the interval for sending packets in a voice...

Page 1068: ... be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Configuring the Collaboration Function Collaboration is implemented by establishing collaboration objects to monitor the detection results of the current test group If the number of consecutive probe failures reaches the threshold the configured action i...

Page 1069: ...the snmp agent target host command create an NQA test group and configure related parameters For the introduction to the snmp agent target host command see SNMP Commands in the System Volume Configuring trap delivery Follow these steps to configure trap delivery To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type ...

Page 1070: ...function To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type view of the test group type dlsw ftp http icmp echo snmp tcp udp echo udp jitter voice Configure the interval for collecting the statistics of the test results statistics interval interval Optional 60 minutes by default Configure the maximum number of st...

Page 1071: ...probes in an NQA test probe count times Optional By default one probe is performed in a test Only one probe can be made in one voice test Therefore this command is not available in a voice test Configure the NQA probe timeout time probe timeout timeout Optional By default the timeout time is 3000 milliseconds This parameter is not available for a UDP jitter test Configure the maximum number of his...

Page 1072: ... use the display clock command to view the current system time Configuration prerequisites Before scheduling an NQA test group make sure z Required test parameters corresponding to a test type have been configured z For the test which needs the cooperation with the NQA server configuration on the NQA server has been completed Scheduling an NQA test group Follow these steps to schedule an NQA test ...

Page 1073: ...undtrip time of packets Figure 23 3 Network diagram for ICMP echo tests Configuration procedure Create an ICMP echo test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type icmp echo DeviceA nqa admin test icmp echo destination ip 10 2 2 2 Configure optional parameters DeviceA nqa admin test icmp echo probe count 10 DeviceA nqa a...

Page 1074: ...nse Status Time 370 3 Succeeded 2007 08 23 15 00 01 2 369 3 Succeeded 2007 08 23 15 00 01 2 368 3 Succeeded 2007 08 23 15 00 01 2 367 5 Succeeded 2007 08 23 15 00 01 2 366 3 Succeeded 2007 08 23 15 00 01 2 365 3 Succeeded 2007 08 23 15 00 01 2 364 3 Succeeded 2007 08 23 15 00 01 1 363 2 Succeeded 2007 08 23 15 00 01 1 362 3 Succeeded 2007 08 23 15 00 01 1 361 2 Succeeded 2007 08 23 15 00 01 1 DHCP...

Page 1075: ...ures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other errors 0 Packet s arrived late 0 Display the history of DHCP tests SwitchA display nqa history admin test NQA entry admin admin tag test history record s Index Response Status Time 1 624 Succeeded 2007 11 22 09 56 03 2 FTP Test C...

Page 1076: ... tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 173 173 173 Square Sum of round trip time 29929 Last succeeded probe time 2007 11 22 10 07 28 6 Extended results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures d...

Page 1077: ...ceA undo nqa schedule admin test Display results of the last HTTP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 64 64 64 Square Sum of round trip time 4096 Last succeeded probe time 2007 11 22 10 12 47 9 Extended results Packet lost in test 0 Fail...

Page 1078: ...a admin test udp jitter destination ip 10 2 2 2 DeviceA nqa admin test udp jitter destination port 9000 DeviceA nqa admin test udp jitter frequency 1000 DeviceA nqa admin test udp jitter quit Enable UDP jitter test DeviceA nqa schedule admin test start time now lifetime forever Disable UDP jitter test after the test begins for a period of time DeviceA undo nqa schedule admin test Display the resul...

Page 1079: ...D delay 15 Max DS delay 16 Min SD delay 7 Min DS delay 7 Number of SD delay 10 Number of DS delay 10 Sum of SD delay 78 Sum of DS delay 85 Square sum of SD delay 666 Square sum of DS delay 787 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 Display the statistics of UDP jitter tests DeviceA display nqa statistics admin test NQA entry admin admin tag test test statistics NO...

Page 1080: ...f DS delay 3891 Square sum of SD delay 45987 Square sum of DS delay 49393 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 The display nqa history command cannot show you the results of UDP jitter tests Therefore to know the result of a UDP jitter test you are recommended to use the display nqa result command to view the probe results of the latest NQA test or use the displ...

Page 1081: ...dmin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 50 50 50 Square Sum of round trip time 2500 Last succeeded probe time 2007 11 22 10 24 41 1 Extended results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to ...

Page 1082: ...iceA nqa schedule admin test start time now lifetime forever Disable TCP test after the test begins for a period of time DeviceA undo nqa schedule admin test Display results of the last TCP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 13 13 13 Sq...

Page 1083: ...related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type udp echo DeviceA nqa admin test udp echo destination ip 10 2 2 2 DeviceA nqa admin test udp echo destination port 8000 DeviceA nqa admin test udp echo quit Enable UDP echo test DeviceA nqa schedule admin test start time now lifetime forever Disable UDP echo test after the test begins for a period o...

Page 1084: ...ts Configuration procedure 1 Configure Device B Enable the NQA server and configure the listening IP address as 10 2 2 2 and port number as 9000 DeviceB system view DeviceB nqa server enable DeviceB nqa server udp echo 10 2 2 2 9000 2 Configure Device A Create a voice test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type voice...

Page 1085: ...verage 6 Positive SD square sum 54127 Positive DS square sum 1691967 Min negative SD 1 Min negative DS 1 Max negative SD 203 Max negative DS 1297 Negative SD number 255 Negative DS number 259 Negative SD sum 759 Negative DS sum 1796 Negative SD average 2 Negative DS average 6 Negative SD square sum 53655 Negative DS square sum 1691776 One way results Max SD delay 343 Max DS delay 985 Min SD delay ...

Page 1086: ...negative DS 1297 Negative SD number 1028 Negative DS number 1022 Negative SD sum 1028 Negative DS sum 1022 Negative SD average 4 Negative DS average 5 Negative SD square sum 495901 Negative DS square sum 5419 One way results Max SD delay 359 Max DS delay 985 Min SD delay 0 Min DS delay 0 Number of SD delay 4 Number of DS delay 4 Sum of SD delay 1390 Sum of DS delay 1079 Square sum of SD delay 4832...

Page 1087: ...ndo nqa schedule admin test Display the result of the last DLSw test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 19 19 19 Square Sum of round trip time 361 Last succeeded probe time 2007 11 22 10 40 27 7 Extended results Packet lost in test 0 Failure...

Page 1088: ...an NQA test group Create an NQA test group with the administrator name being admin and operation tag being test SwitchA nqa entry admin test Configure the test type of the NQA test group as ICMP echo SwitchA nqa admin test type icmp echo Configure the destination IP address of the ICMP echo test operation as 10 2 1 1 SwitchA nqa admin test icmp echo destination ip 10 2 1 1 Configure the interval b...

Page 1089: ... 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the static route with the next hop 10 2 1 1 is active and the status of the track entry is positive The static route configuration works Remove the IP address of VLAN interface 3 on Switch B SwitchB system view SwitchB interface vlan interface 3 SwitchB Vlan interface3 undo ip address On Switch A display information about ...

Page 1090: ... 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the next hop 10 2 1 1 of the static route is not reachable and the status of the track entry is negative The static route does not work ...

Page 1091: ...es within a network by changing the system clock on each station because this is a huge amount of workload and cannot guarantee the clock precision NTP however allows quick clock synchronization within the entire network while it ensures a high clock precision NTP is used when all devices within the network must be consistent in timekeeping for example z In analysis of the log information and debu...

Page 1092: ...11 00 01 am 10 00 00 am NTP message 10 00 00 am 11 00 01 am 11 00 02 am NTP message NTP message NTP message received at 10 00 03 am 1 3 2 4 The process of system clock synchronization is as follows z Device A sends Device B an NTP message which is timestamped when it leaves Device A The time stamp is 10 00 00 am T1 z When this NTP message arrives at Device B it is timestamped by Device B The times...

Page 1093: ...icator optional 96 bits Reference timestamp 64 bits Originate timestamp 64 bits 1 4 Main fields are described as follows z LI 2 bit leap indicator When set to 11 it warns of an alarm condition clock unsynchronized when set to any other value it is not to be processed by NTP z VN 3 bit version number indicating the version of NTP The latest version is version 3 z Mode a 3 bit code indicating the wo...

Page 1094: ...lement clock synchronization in one of the following modes z Client server mode z Symmetric peers mode z Broadcast mode z Multicast mode You can select operation modes of NTP as needed In case that the IP address of the NTP server or peer is unknown and many devices in the network need to be synchronized you can adopt the broadcast or multicast mode while in the client server and symmetric peers m...

Page 1095: ... message the client sends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates the network delay between client and the server and enters the broadcast client mode Periodically broadcasts clock synchronization messages Mode 5 Receives broadcast messages and synchronizes its local clock In the broadcast mode a se...

Page 1096: ...3 client mode and 4 server mode to calculate the network delay between client and the server Then the client enters the multicast client mode and continues listening to multicast messages and synchronizes its local clock based on the received multicast messages In symmetric peers mode broadcast mode and multicast mode the client or the symmetric active peer and the server the symmetric passive pee...

Page 1097: ...the client server mode for example when you carry out a command to synchronize the time to a server the system will create a static association and the server will just respond passively upon the receipt of a message rather than creating an association static or dynamic In the symmetric mode static associations will be created at the symmetric active peer side and dynamic associations will be crea...

Page 1098: ...e device To do Use the command Remarks Enter system view system view Specify a symmetric passive peer for the device ntp service unicast peer vpn instance vpn instance name ip address peer name authentication keyid keyid priority source interface interface type interface number version number Required No symmetric passive peer is specified by default z In the symmetric mode you should use any NTP ...

Page 1099: ...umber Required Enter the interface used to receive NTP broadcast messages Configure the device to work in the NTP broadcast client mode ntp service broadcast client Required Configuring the broadcast server To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter the interface used to send NTP broadcast messages Configure the ...

Page 1100: ...n synchronized z You can configure up to 1024 multicast clients among which 128 can take effect at the same time Configuring Optional Parameters of NTP Specifying the Source Interface for NTP Messages If you specify the source interface for NTP messages the device sets the source IP address of the NTP messages as the primary IP address of the specified interface when sending the NTP messages When ...

Page 1101: ...ynamic Sessions Allowed To do Use the command Remarks Enter system view system view Configure the maximum number of dynamic sessions allowed to be established locally ntp service max dynamic sessions number Required 100 by default Configuring Access Control Rights With the following command you can configure the NTP service access control right to the local device There are four access control rig...

Page 1102: ...hanism provides only a minimum degree of security protection for the system running NTP A more secure method is identity authentication Configuring NTP Authentication The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand This feature enhances the network security by means of client server key authentication which prohibits a cl...

Page 1103: ...ntication for a client To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disabled by default Configure an NTP authentication key ntp service authentication keyid keyid authentication mode md5 value Required No NTP authentication key by default Configure the key as a trusted key ntp service reliable authentication keyid ...

Page 1104: ...id Associate the specified key with an NTP server Multicast server mode ntp service multicast server authentication keyid keyid Required You can associate a non existing key with an NTP server To enable NTP authentication you must configure the key and specify it as a trusted key after associating the key with the NTP server The procedure of configuring NTP authentication on a server is the same a...

Page 1105: ... 0000 Hz Actual frequency 64 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 0 00 ms Root dispersion 0 00 ms Peer dispersion 0 00 ms Reference time 00 00 00 000 UTC Jan 1 1900 00000000 00000000 Specify Switch A as the NTP server of Switch B so that Switch B is synchronized to Switch A SwitchB system view SwitchB ntp service unicast server 1 0 1 11 View the NTP status of Switch B afte...

Page 1106: ...ks in the client mode and Switch A is to be used as the NTP server of Switch B z Switch C works in the symmetric active mode and Switch B will act as peer of Switch C Switch C is the symmetric active peer while Switch B is the symmetric passive peer Figure 24 8 Network diagram for NTP symmetric peers mode configuration Switch A Switch B Switch C 3 0 1 31 24 3 0 1 32 24 3 0 1 33 24 Configuration pr...

Page 1107: ...cision 2 7 Clock offset 21 1982 ms Root delay 15 00 ms Root dispersion 775 15 ms Peer dispersion 34 29 ms Reference time 15 22 47 083 UTC Sep 19 2005 C6D95647 153F7CED As shown above Switch B has been synchronized to Switch C and the clock stratum level of Switch B is 2 while that of Switch C is 1 View the NTP session information of Switch B which shows that an association has been set up between ...

Page 1108: ...Switch A Switch B Switch C Switch D Configuration procedure 1 Configuration on Switch C Configure Switch C to work in the broadcast server mode and send broadcast messages through VLAN interface 2 SwitchC system view SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server 2 Configuration on Switch D Configure Switch D to work in the broadcast client mode and receive...

Page 1109: ...el of Switch D is 3 while that of Switch C is 2 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD Vlan interface2 display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 31 127 127 1 0 2 254 64 62 16 0 32 0 16 6 note 1 source master 2 source peer 3 selected 4 candidate 5 config...

Page 1110: ...SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service multicast client Because Switch D and Switch C are on the same subnet Switch D can receive the multicast messages from Switch C without being enabled with the multicast functions and can be synchronized to Switch C View the NTP status of Switch D after clock synchronization SwitchD Vlan interface2 display ntp service status Clo...

Page 1111: ...enable SwitchB interface vlan interface 2 SwitchB Vlan interface2 pim dm SwitchB Vlan interface2 quit SwitchB vlan 3 SwitchB vlan3 port gigabitethernet 1 0 1 SwitchB vlan3 quit SwitchB interface vlan interface 3 SwitchB Vlan interface3 igmp enable SwitchB Vlan interface3 quit SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 igmp snooping static group 224 0 1 1 vlan 3 4 Configur...

Page 1112: ...M Configuring NTP Client Server Mode with Authentication Network requirements z The local clock of Switch A is to be used as the master clock with a stratum level of 2 z Switch B works in the client mode and Switch A is to be used as the NTP server of Switch B with Switch B as the client z NTP authentication is to be enabled on both Switch A and Switch B Figure 24 11 Network diagram for configurat...

Page 1113: ...ncy 64 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 31 00 ms Root dispersion 1 05 ms Peer dispersion 7 81 ms Reference time 14 53 27 371 UTC Sep 19 2005 C6D94F67 5EF9DB22 As shown above Switch B has been synchronized to Switch A and the clock stratum level of Switch B is 3 while that of Switch A is 2 View the NTP session information of Switch B which shows that an association has ...

Page 1114: ...pecify an authentication key SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server authentication keyid 88 2 Configuration on Switch D Configure NTP authentication SwitchD system view SwitchD ntp service authentication enable SwitchD ntp service authentication keyid 88 authentication mode md5 123456 SwitchD ntp service reliable authentication keyid 88 Configure Sw...

Page 1115: ...As shown above Switch D has been synchronized to Switch C and the clock stratum level of Switch D is 4 while that of Switch C is 3 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD Vlan interface2 display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 31 127 127 1 0 3 254 64 6...

Page 1116: ...ding topology discovery and display function which is useful for network monitoring and debugging z Allowing simultaneous software upgrading and parameter configuration on multiple devices free of topology and distance limitations Roles in a Cluster The devices in a cluster play different roles according to their different functions and status You can specify the following three roles for the devi...

Page 1117: ...agement is implemented through HW Group Management Protocol version 2 HGMPv2 which consists of the following three protocols z Neighbor Discovery Protocol NDP z Neighbor Topology Discovery Protocol NTDP z Cluster A cluster configures and manages the devices in it through the above three protocols Cluster management involves topology information collection and the establishment and maintenance of a...

Page 1118: ...information of all its neighbors The information collected will be used by the management device or the network management software to implement required functions When a member device detects a change on its neighbors through its NDP table it informs the management device through handshake packets Then the management device triggers its NTDP to collect specific topology information so that its NT...

Page 1119: ...e saves the state information of its member device and identifies it as Active And the member device also saves its state information and identifies itself as Active z After a cluster is created its management device and member devices begin to send handshake packets Upon receiving the handshake packets from the other side the management device or a member device simply remains its state as Active...

Page 1120: ... the management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports including the cascade ports connecting the management device and the member candidate devices prohibit the packets from the management VLAN you can set the packets from the management VLAN to pass the ports on candidate devices with the management VLAN auto negotiation f...

Page 1121: ...er Optional Configuring Cluster Management Protocol Packets Optional Configuring the Management Device Cluster Member Management Optional Enabling NDP Optional Enabling NTDP Optional Manually Collecting Topology Information Optional Enabling the Cluster Function Optional Configuring the Member Devices Deleting a Member Device from a Cluster Optional Configuring Access Between the Management Device...

Page 1122: ...ded to a cluster that is the entry with the destination address as the management device cannot be added to the routing table the candidate device will be added to and removed from the cluster repeatedly Configuring the Management Device Enabling NDP Globally and for Specific Ports For NDP to work normally you must enable NTDP both globally and on specific ports Follow these steps to enable NDP gl...

Page 1123: ...ackets otherwise the NDP table may become instable Enabling NTDP Globally and for Specific Ports For NTDP to work normally you must enable NTDP both globally and on specific ports Follow these steps to enable NTDP globally and for specific ports To do Use the command Remarks Enter system view system view Enable NTDP globally ntdp enable Optional Enabled by default interface interface type interfac...

Page 1124: ...l 3 by default Configure the interval to collect topology information ntdp timer interval time Optional 1 minute by default Configure the delay to forward topology collection request packets on the first port ntdp timer hop delay time Optional 200 ms by default Configure the port delay to forward topology collection request on other ports ntdp timer port delay time Optional 20 ms by default The tw...

Page 1125: ...a cluster in two ways manually and automatically With the latter you can establish a cluster according to the prompt information The system 1 Prompts you to enter a name for the cluster you want to establish 2 Lists all the candidate devices within your predefined hop count 3 Starts to automatically add them to the cluster You can press Ctrl C anytime during the adding process to exit the cluster ...

Page 1126: ...ke packets and the holdtime of a device on the management device This configuration applies to all member devices within the cluster For a member device in Connect state z If the management device does not receive handshake packets from a member device within the holdtime it changes the state of the member device to Disconnect When the communication is recovered the member device needs to be re ad...

Page 1127: ...A by default Configure the interval to send MAC address negotiation broadcast packets cluster mac syn interval interval time Optional One minute by default When you configure the destination MAC address for cluster management protocol packets z If the interval for sending MAC address negotiation broadcast packets is 0 the system automatically sets it to 1 minute z If the interval for sending MAC a...

Page 1128: ...bling NDP Refer to Enabling NDP Globally and for Specific Ports Enabling NTDP Refer to Enabling NTDP Globally and for Specific Ports Manually Collecting Topology Information Refer to Manually Collecting Topology Information Enabling the Cluster Function Refer to Enabling the Cluster Function Deleting a Member Device from a Cluster To do Use the command Remarks Enter system view system view Enter c...

Page 1129: ...uthentication is passed z When a candidate device is added to a cluster and becomes a member device its super password will be automatically synchronized to the management device Therefore after a cluster is established it is not recommended to modify the super password of any member including the management device and member devices of the cluster otherwise the switching may fail because of an au...

Page 1130: ... included in the blacklist the MAC address and access port of the latter are also included in the blacklist The candidate devices in a blacklist can be added to a cluster only if the administrator manually removes them from the list The whitelist and blacklist are mutually exclusive A whitelist member cannot be a blacklist member and vice versa However a topology node can belong to neither the whi...

Page 1131: ...ure an NM host for a cluster the member devices in the cluster send their Trap messages to the shared SNMP NM host through the management device If the port of an access NM device including FTP TFTP server NM host and log host does not allow the packets from the management VLAN to pass the NM device cannot manage the devices in a cluster through the management device In this case on the management...

Page 1132: ...r devices at one time simplifying the configuration process Follow these steps to configure the SNMP configuration synchronization function To do Use the command Remarks Enter system view system view Enter cluster view cluster Configure the SNMP community name shared by a cluster cluster snmp agent community read write community name mib view view name Required Configure the SNMPv3 group shared by...

Page 1133: ...hronize the configurations to the member devices in the whitelist This operation is equal to performing the configurations on the member devices You need to enter your username and password when you log in to the devices including the management device and member devices in a cluster through Web Follow these steps to configure Web user accounts in batches To do Use the command Remarks Enter system...

Page 1134: ...ay the current topology information or the topology path between two devices display cluster current topology mac address mac address to mac address mac address member id member number to member id member number Display members in a cluster display cluster members member number verbose Available in any view Clear NDP statistics reset ndp statistics interface interface list Available in user view C...

Page 1135: ...ernet 1 0 1 SwitchA GigabitEthernet1 0 1 ntdp enable SwitchA GigabitEthernet1 0 1 quit Enable the cluster function SwitchA cluster enable 2 Configure the member device Switch C As the configurations of the member devices are the same the configuration procedure of Switch C is omitted here 3 Configure the management device Switch B Enable NDP globally and for ports GigabitEthernet 1 0 2 and Gigabit...

Page 1136: ...rt as 15 ms SwitchB ntdp timer port delay 15 Configure the interval to collect topology information as 3 minutes SwitchB ntdp timer 3 Configure the management VLAN of the cluster as VLAN 10 SwitchB vlan 10 SwitchB vlan10 quit SwitchB management vlan 10 Configure ports GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as Trunk ports and allow packets from the management VLAN to pass SwitchB interface...

Page 1137: ...erver 63 172 55 1 abc_0 SwitchB cluster tftp server 63 172 55 1 abc_0 SwitchB cluster logging host 69 172 55 4 abc_0 SwitchB cluster snmp host 69 172 55 4 Add the device whose MAC address is 00E0 FC01 0013 to the blacklist abc_0 SwitchB cluster black list add mac 00e0 fc01 0013 abc_0 SwitchB cluster quit Add port GigabitEthernet 1 0 1 to VLAN 2 and configure the IP address of VLAN interface 2 abc_...

Page 1138: ...ing the united device In an IRF every single device is an IRF member and plays one of the following two roles according to its function z Master A member device It is elected to manage the entire IRF An IRF has only one master at one time z Slave A member device It is managed by the master and operates as a backup of the master In an IRF except for the master all the other devices are the slaves F...

Page 1139: ...aggregated but also the physical links between the IRF system and the upper or lower layer devices can be aggregated and thus the reliability of the IRF system is increased through the link backup The IRF system comprises multiple member devices the master runs manages and maintains the IRF whereas the slaves process services as well as functioning as the backups When the master fails the IRF syst...

Page 1140: ...ssively from left to right ports on the interface module in slot 1 are numbered 1 and 2 and ports on the interface module in slot 2 are numbered 3 and 4 as shown in Figure 26 2 which illustrates an example of inserting a CX4 dual port interface module Figure 26 2 Numbering physical IRF ports If you insert a one port interface module into the slot then the number of the physical IRF port correspond...

Page 1141: ... four Switch 4510G series switches to form an IRF Correspondence between an IRF port and a physical IRF port The connection of IRF ports is based on that of physical IRF ports therefore you need to bind an IRF port with physical IRF port s AN IRF port can be bound to one physical IRF port or to realize link backup and bandwidth expansion bound to two physical IRF ports aggregated as an aggregate I...

Page 1142: ...al port interface module is installed you need to bind IRF port 1 to physical IRF port 1 and IRF port 2 to physical IRF port 2 as shown in Figure 26 5 because the serial number of the physical IRF port bound to IRF port 1 must be smaller than that of the physical IRF port bound to IRF port 2 Therefore you cannot bind IRF port 1 to physical IRF port 2 and IRF port 2 to physical port 1 z If only one...

Page 1143: ...nterface modules z If two single port interface modules are installed you need to bind IRF port 1 to physical IRF port 1 and IRF port 2 to physical IRF port 3 z If one dual port interface module and one single port interface module are installed the correspondence is the same with that when you install two dual port interface modules In this situation IRF port 2 or IRF port 1 can be bound to any p...

Page 1144: ...ted neighbor updates the local topology information The collection process lasts for a period of time When all members have obtained the complete topology information known as topology convergence the IRF will enter the next stage role election Role Election An IRF is composed of multiple member devices each member has a role which is either master or slave The process of defining the role of IRF ...

Page 1145: ...terface changes to GigabitEthernet 2 0 1 where the first number indicates the member ID of the device A member ID is a natural number in the range 1 to 10 the default member ID is 1 To ensure the uniqueness of member IDs you can plan and configure member IDs for IRF members before they join the IRF After multiple devices form an IRF a logical distributed device is formed Each member device acts as...

Page 1146: ... type trunk For an IRF member the interface name also adopts the previously introduced format member ID slot number interface serial number where z The member ID identifies the IRF member on which the interface resides z Meaning and value of the subslot number and the interface serial number are the same as those on an independently operating device For example GigabitEthernet 1 0 1 is an interfac...

Page 1147: ...ctory of the flash on IRF member slave 3 perform the following steps Master mkdir slot3 flash test Created dir slot3 flash test Master cd slot3 flash test Master pwd slot3 flash test Or Master cd slot3 flash Master mkdir test Created dir slot3 flash test 3 To copy the test bin file on the master to the root directory of the flash on IRF member slave 3 perform the following steps Master pwd slot3 f...

Page 1148: ...ration When a slave applies the port configuration on the master it cares about the configuration related to its own port for example the slave with the member ID of 3 only cares about the configuration related to the GigabitEthernet 3 0 x port on the master If there is a configuration related to its own port it will apply the configuration if not no matter what configuration has been made to the ...

Page 1149: ...mmended or fibers and then power on the devices Logging In to the Master Required Logging In to an IRF Logging In to a Slave Optional IRF Configuration Configuring IRF Ports IRF can be enabled on a device only after the IRF ports are bound with physical IRF ports For how to bind the IRF port and physical IRF port s on an Switch 4510G series see Correspondence between an IRF port and a physical IRF...

Page 1150: ...decided first and then the member IDs of slaves are decided one by one according to their distances to the master that is the nearest slave gets the smallest available ID and the nearer slave gets the smaller available ID and so forth after the IRF is established if the newly added device and another member have duplicated IDs the IRF system assigns the smallest available ID for the new member You...

Page 1151: ...election a member with the greatest priority will be elected as the master The priority of a device defaults to 1 You can modify the priority through command lines The greater the priority value the higher the priority A member with a higher priority is more likely to be a master and more likely to preserve its ID in a member ID collision Follow these steps to specify a priority for an IRF member ...

Page 1152: ...aster does not come back after six minutes the IRF system will use the bridge MAC address of the newly elected master as that of the IRF z Preserve permanently No matter the master leaves the IRF or not the IRF bridge MAC address remains unchanged z Not preserved As soon as the master leaves the system will use the bridge MAC address of the newly elected master as that of the IRF Follow these step...

Page 1153: ...a slave configures the file as the boot file for the next boot and reboots automatically z Because system boot file occupies large memory space to make the auto upgrade succeed ensure that there is enough space on the storage media of the slave Setting the Delay Time for the Link Layer to Report a Link Down Event During the suppression time the system cannot be aware of the switch between IRF link...

Page 1154: ... slave device instead of that of the master device The system enters user view of the salve device and the command prompt is changed to Sysname member ID for example Sysname 2 What you have input on the access terminal will be redirected to the specified slave device for processing At present only the following commands are allowed to be executed on a slave device z display z quit z return z syste...

Page 1155: ...able in any view IRF Configuration Examples IRF Connection Configuration Example Network requirements Three Switch 4510G series switches in an IRF form a bus connection Their member IDs are 1 2 and 3 as shown in Figure 26 9 Figure 26 9 Network diagram for IRF 1 Switch 1 Switch 2 2 4 3 Switch 3 1 3 2 4 3 1 2 4 Configuration procedure 1 The three devices are not connected Power them on and configure...

Page 1156: ...f member 1 irf port 2 port 3 Configure Switch 3 Switch3 system view Switch3 irf member 1 renumber 3 Warning Renumbering the switch number may result in configuration change or loss Continue Y N y Switch3 irf member 1 irf port 2 port 3 2 Power off the three devices Connect them as shown in Figure 26 9 with IRF cables Power them on and the IRF is formed ...

Page 1157: ... multiple CPUs Some distributed devices may be available with multiple CPUs for example service CPU and OAM CPU Therefore a distributed device corresponds to multiple nodes Therefore in actual application IPC is mainly applied on an IRF or distributed device it provides a reliable transmission mechanism between different devices and boards Link An IPC link is a connection between any two IPC nodes...

Page 1158: ...oup needs to be created first Multicasts will be sent to all the nodes in the multicast group An application can create multiple multicast groups The creation and deletion of a multicast group and multicast group members depend on the application module z Mixcast namely both unicast and multicast are supported Enabling IPC Performance Statistics When IPC performance statistics is enabled the syste...

Page 1159: ...of a node display ipc multicast group node node id self node Display packet information of a node display ipc packet node node id self node Display link status information of a node display ipc link node node id self node Display IPC performance statistics information of a node display ipc performance node node id self node channel channel id Available in any view Clear IPC performance statistics ...

Page 1160: ...configuration files on a specified server and the device can automatically obtain and execute the configuration files therefore greatly reducing the workload of administrators Typical Networking of Automatic Configuration Figure 28 1 Network diagram for automatic configuration As shown in Figure 28 1 the device implements automatic configuration with the cooperation of a DHCP server TFTP server an...

Page 1161: ...eters such as an IP address and name of a TFTP server IP address of a DNS server and the configuration file name 2 After getting related parameters the device will send a TFTP request to obtain the configuration file from the specified TFTP server for system initialization If the client cannot get such parameters it performs system initialization without loading any configuration file z To impleme...

Page 1162: ...When a device starts up without loading the configuration file the system automatically configures the first active interface if an active Layer 2 Ethernet interface exists this first interface is a virtual interface corresponding with the default VLAN of the device as obtaining its IP address through DHCP The device broadcasts a DHCP request through this interface The Option 55 field specifies th...

Page 1163: ... The DHCP server will select an address pool where an IP address is statically bound to the MAC address or ID of the client and assign the statically bound IP address and other configuration parameters to the client You can configure an address allocation mode as needed z Different devices with the same configuration file You can configure dynamic address allocation on the DHCP server to assign IP...

Page 1164: ...ed z The configuration file specified by the Option 67 or file field in the DHCP response z The intermediate file with the file name as network cfg used to save the mapping between the IP address and the host name The mapping is defined in the following format ip host hostname ip address For example the intermediate file can include the following ip host host1 101 101 101 101 ip host host2 101 101...

Page 1165: ...n its host name first and then requests the configuration file corresponding with the host name The device can obtain its host name in two steps obtaining the intermediate file from the TFTP server and then searching in the intermediated file for its host name corresponding with the IP address of the device if fails the device obtains the host name from the DNS server z If the device fails to obta...

Page 1166: ...if the device performs the automatic configuration and the TFTP server are not in the same segment because broadcasts can only be transmitted in a segment For the detailed description of the UDP Helper function refer to UDP Helper Configuration in the IP Services Volume Executing the Configuration File Upon successfully obtaining the configuration file the device removes the temporary configuratio...

Reviews:

No comments

Related manuals for 4510G

FAAC 593 Quick Start Manual preview
593
Brand: FAAC Pages: 2
Qlogic SANbox 5802V Installation Manual preview
SANbox 5802V
Brand: Qlogic Pages: 124
Qlogic SANbox 5800V Series User Manual preview
SANbox 5800V Series
Brand: Qlogic Pages: 158
Qlogic SANbox 5602 User Manual preview
SANbox 5602
Brand: Qlogic Pages: 324
Qlogic SANbox 5600 Series Quick Start Manual preview
SANbox 5600 Series
Brand: Qlogic Pages: 8
Qlogic SANbox 5600 Series Supplementary Manual preview
SANbox 5600 Series
Brand: Qlogic Pages: 10
Qlogic SANbox 5200 Series Supplementary Manual preview
SANbox 5200 Series
Brand: Qlogic Pages: 2
Qlogic SANbox 3810 Installation Manual preview
SANbox 3810
Brand: Qlogic Pages: 92
Qlogic SANbox 3810 User Manual preview
SANbox 3810
Brand: Qlogic Pages: 142
Qlogic SANbox 3050 Specifications preview
SANbox 3050
Brand: Qlogic Pages: 2
Qlogic SANbox 1400 Series Specifications preview
SANbox 1400 Series
Brand: Qlogic Pages: 2
Qlogic QLogic Fibre Channel Switch Quick Start Manual preview
QLogic Fibre Channel Switch
Brand: Qlogic Pages: 8
Qlogic SANbox 5000 Series Interface Manual preview
SANbox 5000 Series
Brand: Qlogic Pages: 350
Qlogic SANbox 5000 Series Installation Manual preview
SANbox 5000 Series
Brand: Qlogic Pages: 130
Qlogic QLogic 12000 Series Reference Manual preview
QLogic 12000 Series
Brand: Qlogic Pages: 144
H3C S5800-EI Series Installation Manual preview
S5800-EI Series
Brand: H3C Pages: 61
SAL PIXIE Smart Switch G3 Quick Start Manual preview
PIXIE Smart Switch G3
Brand: SAL Pages: 2
Zamel GRG-01 Quick Start Manual preview
GRG-01
Brand: Zamel Pages: 2

Brands by name

Popular brands

Load more brands