manualshive.com logo in svg

3Com 4800G Series, Configuration Manual

The 3Com 4800G Series provides exceptional network performance and scalability. With its advanced features and reliability, this product is perfect for various networking needs. Browse our website today to download the free user manual and datasheet, ensuring seamless setup and operation of your 3Com 4800G Series devices.

Share
Download
background image

720

C

HAPTER

 50: 802.1

X

 C

ONFIGURATION

Message-Authenticator

Figure 216 shows the encapsulation format of the Message-Authenticator 
attribute. The Message-Authenticator attribute is used to prevent access requests 
from being snooped during EAP or CHAP authentication. It must be included in 
any packet with the EAP-Message attribute; otherwise, the packet will be 
considered invalid and get discarded.

Figure 216   

Encapsulation format of the Message-Authenticator attribute

 

Authentication Process

of 802.1x

802.1x authentication can be initiated by either a supplicant or the authenticator 
system. A supplicant initiates authentication by launching the 802.1x client 
software to send an EAPOL-Start frame to the authenticator system, while the 
authenticator system sends an EAP-Request/Identity packet to an unauthenticated 
supplicant when detecting that the supplicant is trying to login.

An 802.1x authenticator system communicates with a remotely located RADIUS 
server in two modes: EAP relay and EAP termination. The following description 
takes the first case as an example to show the 802.1x authentication process.

EAP relay

EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried 
in an upper layer protocol, such as RADIUS, so that they can go through complex 
networks and reach the authentication server. Generally, EAP relay requires that 
the RADIUS server support the EAP attributes of EAP-Message and 
Message-Authenticator.

At present, the EAP relay mode supports four authentication methods: EAP-MD5, 
EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security), 
and PEAP (Protected Extensible Authentication Protocol).

EAP-MD5: EAP-MD5 authenticates the identity of a supplicant. The RADIUS 
server sends an MD5 challenge (through an EAP-Request/MD5 Challenge 
packet) to the supplicant. Then the supplicant encrypts the password with the 
offered challenge.

EAP-TLS: With EAP-TLS, a supplicant and the RADIUS server verify each other’s 
security certificates and identities, guaranteeing that EAP packets are sent to 
the intended destination and thus preventing network traffic from being 
snooped.

EAP-TTLS: EAP-TTLS extends EAP-TLS. EAP-TLS allows for mutual 
authentication between a supplicant and the authentication server. EAP-TTLS 
extends this implementation by transferring packets through the secure tunnels 
set up by TLS.

PEAP: With PEAP, the RADIUS server sets up a TLS tunnel with a supplicant 
system for integrity protection and then performs a new round of EAP 
negotiation with the supplicant system for identity authentication.

Figure 217 shows the message exchange procedure with EAP-MD5.

0

2

Type

String

1

Length

18 bytes

Summary of Contents for 4800G Series

Page 1: ...m Part Number 10015265 Rev AB Published March 2008 3Com Switch 4800G Family Configuration Guide Switch 4800G 24 Port Switch 4800G PWR 24 Port Switch 4800G 48 Port Switch 4800G PWR 48 Port Switch 4800G 24 Port SFP ...

Page 2: ... 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com ...

Page 3: ...uration 33 Console Port Login Configuration with Authentication Mode Being None 35 Console Port Login Configuration with Authentication Mode Being Password 38 Console Port Login Configuration with Authentication Mode Being Scheme 41 3 LOGGING IN THROUGH TELNET Introduction 47 Telnet Configuration with Authentication Mode Being None 49 Telnet Configuration with Authentication Mode Being Password 52...

Page 4: ...nt Users by Source IP Addresses 78 Controlling Web Users by Source IP Address 79 9 VLAN CONFIGURATION Introduction to VLAN 83 Configuring Basic VLAN Attributes 86 Basic VLAN Interface Configuration 86 Port Based VLAN Configuration 87 MAC Address Based VLAN Configuration 91 Protocol Based VLAN Configuration 92 Configuring IP Subnet Based VLAN 94 Displaying and Maintaining VLAN 95 VLAN Configuration...

Page 5: ...s 137 QinQ Configuration Example 137 15 BPDU TUNNELING CONFIGURATION Introduction to BPDU Tunneling 141 Configuring BPDU Isolation 142 Configuring BPDU Transparent Transmission 143 Configuring Destination Multicast MAC Address for BPDU Tunnel Frames 144 BPDU Tunneling Configuration Example 144 16 PORT CORRELATION CONFIGURATION Ethernet Port Configuration 147 Maintaining and Displaying an Ethernet ...

Page 6: ... Binding Function 178 Displaying IP Source Guard 178 IP Source Guard Configuration Examples 178 Troubleshooting 182 22 DLDP CONFIGURATION Overview 183 DLDP Configuration Task List 190 Displaying and Maintaining DLDP 193 DLDP Configuration Example 193 Troubleshooting 195 23 MSTP CONFIGURATION MSTP Overview 197 Configuration Task List 212 Configuring the Root Bridge 213 Configuring Leaf Nodes 224 Pe...

Page 7: ...ntaining RIP 269 RIP Configuration Examples 269 Troubleshooting RIP 271 28 OSPF CONFIGURATION Introduction to OSPF 273 OSPF Configuration Task List 292 Configuring OSPF Basic Functions 293 Configuring OSPF Area Parameters 294 Configuring OSPF Network Types 295 Configuring OSPF Route Control 297 Configuring OSPF Network Optimization 300 Configuring OSPF Graceful Restart 306 Displaying and Maintaini...

Page 8: ...422 Troubleshooting Routing Policy Configuration 425 32 IPV6 STATIC ROUTING CONFIGURATION Introduction to IPv6 Static Routing 427 Configuring an IPv6 Static Route 427 Displaying and Maintaining IPv6 Static Routes 428 IPv6 Static Routing Configuration Example 428 33 IPV6 RIPNG CONFIGURATION Introduction to RIPng 431 Configuring RIPng Basic Functions 433 Configuring RIPng Route Control 434 Tuning an...

Page 9: ... BGP Configuration Examples 483 Troubleshooting IPv6 BGP Configuration 486 37 ROUTING POLICY CONFIGURATION Introduction to Routing Policy 489 Defining Filtering Lists 490 Configuring a Routing Policy 492 Displaying and Maintaining the Routing Policy 495 Routing Policy Configuration Example 495 Troubleshooting Routing Policy Configuration 497 38 IPV6 BASICS CONFIGURATION IPv6 Overview 499 IPv6 Basi...

Page 10: ...P Snooping Querier 563 Configuring an IGMP Snooping Policy 565 Displaying and Maintaining IGMP Snooping 569 IGMP Snooping Configuration Examples 570 Troubleshooting IGMP Snooping Configuration 577 43 MLD SNOOPING CONFIGURATION MLD Snooping Overview 579 MLD Snooping Configuration Task List 583 Configuring Basic Functions of MLD Snooping 584 Configuring MLD Snooping Port Functions 585 Configuring ML...

Page 11: ...uration Examples 659 Troubleshooting PIM Configuration 669 48 MSDP CONFIGURATION MSDP Overview 673 MSDP Configuration Task List 679 Configuring Basic Functions of MSDP 679 Configuring an MSDP Peer Connection 680 Configuring SA Messages Related Parameters 682 Displaying and Maintaining MSDP 685 MSDP Configuration Examples 685 Troubleshooting MSDP 697 49 MULTICAST ROUTING AND FORWARDING CONFIGURATIO...

Page 12: ...ACACS CONFIGURATION AAA RADIUS HWTACACS Overview 747 AAA RADIUS HWTACACS Configuration Task List 756 Configuring AAA 758 Configuring RADIUS 765 Configuring HWTACACS 771 Displaying and Maintaining AAA RADIUS HWTACACS 775 AAA RADIUS HWTACACS Configuration Examples 776 Troubleshooting AAA RADIUS HWTACACS 779 54 ARP CONFIGURATION ARP Overview 781 Configuring ARP 783 Configuring Gratuitous ARP 785 Disp...

Page 13: ...nt Configuration 819 DHCP Relay Agent Configuration Example 820 Troubleshooting DHCP Relay Agent Configuration 821 59 DHCP CLIENT CONFIGURATION Introduction to DHCP Client 823 Enabling the DHCP Client on an Interface 823 Displaying and Maintaining the DHCP Client 824 DHCP Client Configuration Example 824 60 DHCP SNOOPING CONFIGURATION DHCP Snooping Overview 825 Configuring DHCP Snooping Basic Func...

Page 14: ...e 854 65 QOS OVERVIEW Introduction 857 Traditional Packet Forwarding Service 857 New Requirements Brought forth by New Services 857 Occurrence and Influence of Congestion and the Countermeasures 858 Major Traffic Management Techniques 859 66 TRAFFIC CLASSIFICATION TP AND LR CONFIGURATION Traffic Classification Overview 861 TP and LR Overview 864 Traffic Evaluation and Token Bucket 864 LR Configura...

Page 15: ...c Mirroring 892 Traffic Mirroring Configuration Examples 892 72 PORT MIRRORING CONFIGURATION Introduction to Port Mirroring 895 Configuring Local Port Mirroring 897 Configuring Remote Port Mirroring 898 Displaying and Maintaining Port Mirroring 899 Port Mirroring Configuration Examples 900 73 CLUSTER MANAGEMENT CONFIGURATION Cluster Management Overview 905 Cluster Configuration Task List 911 Confi...

Page 16: ...figuration Task list 953 Configuring the Operation Modes of NTP 953 Configuring Optional Parameters of NTP 956 Configuring Access Control Rights 957 Configuring NTP Authentication 958 Displaying and Maintaining NTP 960 NTP Configuration Examples 960 78 DNS CONFIGURATION DNS Overview 971 Configuring the DNS Client 973 Configuring the DNS Proxy 974 Displaying and Maintaining DNS 974 DNS Configuratio...

Page 17: ...ntaining and Debugging Overview 1033 System Maintaining and Debugging 1035 System Maintaining Example 1036 85 DEVICE MANAGEMENT Device Management Overview 1039 Configuring Device Management 1039 Displaying and Maintaining Device Management Configuration 1043 Device Management Configuration Example 1043 86 NQA CONFIGURATION NQA Overview 1047 NQA Configuration Task List 1050 Configuring the NQA Serv...

Page 18: ...ation Example 1135 90 RRPP CONFIGURATION RRPP Overview 1139 RRPP Configuration Task List 1146 Configuring Master Node 1147 Configuring Transit Node 1148 Configuring Edge Node 1149 Configuring Assistant Edge Node 1151 Displaying and Maintaining RRPP 1152 RRPP Typical Configuration Examples 1152 91 PORT SECURITY CONFIGURATION Introduction to Port Security 1161 Port Security Configuration Task List 1...

Page 19: ...aining PoE 1199 PoE Configuration Example 1199 Troubleshooting PoE 1200 94 SFLOW CONFIGURATION sFlow Overview 1203 Configuring sFlow 1204 Displaying sFlow 1204 sFlow Configuration Example 1204 Troubleshooting sFlow Configuration 1206 95 SSL CONFIGURATION SSL Overview 1207 SSL Configuration Task List 1208 Configuring an SSL Server Policy 1208 Configuring an SSL Client Policy 1210 Displaying and Mai...

Page 20: ... RSA Key Pair 1228 Deleting a Certificate 1229 Configuring an Access Control Policy 1229 Displaying and Maintaining PKI 1229 PKI Configuration Examples 1230 Troubleshooting PKI 1235 98 TRACK CONFIGURATION Track Overview 1237 Track Configuration Task List 1238 Configuring Collaboration Between the Track Module and the Detection Modules 1238 Configuring Collaboration Between the Track Module and the...

Page 21: ... conventions that are used throughout this guide Related Documentation The following manuals offer additional information necessary for managing your Switch Switch 4800G Switch 4800G Command Reference Guide Provides detailed descriptions of command line interface CLI commands that you require to manage your Switch 4800G Switch 4800G Configuration Guide Describes how to configure your Switch 4800G ...

Page 22: ...ct If information in this guide differs from information in the release notes use the information in the Release Notes These documents are available in Adobe Acrobat Reader Portable Document Format PDF on the CD ROM that accompanies your router or on the 3Com World Wide Web site http www 3com com ...

Page 23: ...ing functions and can also be used for connecting server groups in data centers Product Models NETWORKING APPLICATIONS Table 2 Models in the 3Com Switch 4800G Family Model Number of service ports Ports Console port 3Com 3CRS48G 24 91 28 24 10 100 1 000 M electrical ports 4 Gigabit SFP Combo ports 2 10GE module slots 1 3Com 3CRS48G 48 91 52 48 10 100 1 000 M electrical ports 4 Gigabit SFP Combo por...

Page 24: ...ng applications are described as follows Serving as a Convergence Layer Device In medium and large sized enterprises or campus networks the the Switch 4800G can serve as convergence layer switches that provide high performance and large capacity switching service and support 10GE uplink interfaces which provide larger bandwidth for the devices Figure 1 Application of the Switch 4800G at the conver...

Page 25: ...Serving as a Access Layer Device 25 Figure 2 Application of Switch 4800G at access layer Core Aggregation Access S5600 HI S5600 PWR HI ...

Page 26: ...26 CHAPTER NETWORKING APPLICATIONS ...

Page 27: ...er Interface Number Two kinds of user interface index exist absolute user interface index and relative user interface index 1 The absolute user interface indexes are as follows AUX user interface 0 VTY user interfaces Numbered after AUX user interfaces and increases in the step of 1 2 A relative user interface index can be obtained by appending a number to the identifier of a user interface type I...

Page 28: ... Optional The default shortcut key combination for aborting tasks is Ctrl C Set the history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is ...

Page 29: ...e VT 100 Display the information about the current user interface all user interfaces display users all You can execute this command in any view Display the physical attributes and configuration of the current a specified user interface display user interface type number number summary You can execute this command in any view Display the information about the current web users display web users Yo...

Page 30: ...30 CHAPTER 1 LOGGING IN TO AN ETHERNET SWITCH ...

Page 31: ...u can perform configuration for AUX users Refer to section Console Port Login Configuration on page 33 for more Setting Up the Connection to the Console Port Connect the serial port of your PC terminal to the console port of the switch as shown in Figure 3 Figure 3 Diagram for setting the connection to the console port If you use a PC to connect to the console port launch a terminal emulation util...

Page 32: ...32 CHAPTER 2 LOGGING IN THROUGH THE CONSOLE PORT Figure 4 Create a connection Figure 5 Specify the port used to establish the connection ...

Page 33: ... help by type the character Refer to the following chapters for information about the commands Console Port Login Configuration Common Configuration Table 5 lists the common configuration of console port login Table 5 Common configuration of console port login Configuration Description Console port configuration Baud rate Optional The default baud rate is 9 600 bps Check mode Optional By default t...

Page 34: ...ng terminal sessions Optional By default pressing Enter key starts the terminal session Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the history command buffer can contain ...

Page 35: ...or local remote users Required The user name and password of a local user are configured on the switch The user name and password of a remote user are configured on the RADIUS server Refer to Configuring RADIUS on page 765 Manage AUX users Set service type for AUX users Required Perform common configuration Perform common configuration for console port login Optional Refer to section Common Config...

Page 36: ...t key for aborting tasks escape key default character Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services available shell Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the ...

Page 37: ... port Commands of level 2 are available to user logging in to the AUX user interface The baud rate of the console port is 19 200 bps The screen can contain up to 30 lines The history command buffer can contain up to 20 commands The timeout time of the AUX user interface is 6 minutes Network diagram Figure 7 Network diagram for AUX user interface configuration with the authentication mode being non...

Page 38: ...ux0 idle timeout 6 After the above configuration to ensure a successful login the console user needs to change the corresponding configuration of the terminal emulation program running on the PC to make the configuration consistent with that on the switch Refer to section Setting Up the Connection to the Console Port on page 31 for more Console Port Login Configuration with Authentication Mode Bei...

Page 39: ...er Optional By default pressing Enter key starts the terminal session Define a shortcut key for aborting tasks escape key default character Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services available to the user interface shell Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can co...

Page 40: ...in to the AUX user interface The baud rate of the console port is 19 200 bps The screen can contain up to 30 lines The history command buffer can store up to 20 commands The timeout time of the AUX user interface is 6 minutes Network diagram Figure 8 Network diagram for AUX user interface configuration with the authentication mode being password Configuration procedure Enter system view SW4800G sy...

Page 41: ...imum number of lines the screen can contain to 30 SW4800G ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 SW4800G ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes SW4800G ui aux0 idle timeout 6 After the above configuration to ensure a successful login the console user needs to change the correspo...

Page 42: ...guring AAA on page 758 Specify the AAA scheme to be applied to the domain authentication default hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local Quit to system view quit Create a local user Enter local user view local user user name Required No local user exists by default Set the authentication password for the local user password simple cipher passwor...

Page 43: ...fine a shortcut key for starting terminal sessions activation key character Optional By default pressing Enter key starts the terminal session Define a shortcut key for aborting tasks escape key default character Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services available to the user interface shell Optional By default terminal services are available...

Page 44: ... performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Table 9 Determine the command level Scenario Command level Authentication mode User type Command authentication mod e scheme command authorization Users logging in to the console port and pass AAA RADIUS or local authentication The user privilege level level command is not exec...

Page 45: ...Network diagram for AUX user interface configuration with the authentication mode being scheme Configuration procedure Enter system view SW4800G system view Create a local user named guest and enter local user view SW4800G local user guest Set the authentication password to 123456 in plain text SW4800G luser guest password simple 123456 Set the service type to Terminal Specify commands of level 2 ...

Page 46: ...ds the history command buffer can store to 20 SW4800G ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes SW4800G ui aux0 idle timeout 6 After the above configuration to ensure a successful login the console user needs to change the corresponding configuration of the terminal emulation program running on the PC to make the configuration consistent with t...

Page 47: ...h and reboot the switch with this configuration file For details refer to Configuration File Management on page 985 The way to log in to a switch using Telnet based on IPv6 is the same as that based on IPv4 Common Configuration Table 11 lists the common Telnet configuration Table 10 Requirements for Telnet to a switch Item Requirement Switch Start the Telnet Server The IP address of the VLAN of th...

Page 48: ...cuted when a user logs into the user interface Optional By default no command is automatically executed when a user logs into a user interface VTY terminal configuration Define a shortcut key for aborting tasks Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services available Optional By default terminal services are available in all user interfaces Set th...

Page 49: ...le 12 Telnet configurations for different authentication modes Authentication mode Telnet configuration Description To do Use the command Remarks Enter system view system view Enable the Telnet server function telnet server enable Required Enter one or more VTY user interface views user interface vty first number last number Configure not to authenticate users logging in to VTY user interfaces aut...

Page 50: ...can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time of the VTY user interface idle timeout minutes seconds Optiona...

Page 51: ...t server enable Enter VTY 0 user interface view SW4800G user interface vty 0 Configure not to authenticate Telnet users logging in to VTY 0 SW4800G ui vty0 authentication mode none Specify commands of level 2 are available to users logging in to VTY 0 SW4800G ui vty0 user privilege level 2 Configure Telnet protocol is supported SW4800G ui vty0 protocol inbound telnet Set the maximum number of line...

Page 52: ...face protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the command that is automatically executed when a user logs into the user interface auto execute command text Optional By default no command is automatically executed when a user logs into a user interface Define a shortcut key for aborting tasks escape key default character Optional Th...

Page 53: ...0 commands The timeout time of VTY 0 is 6 minutes Network diagram Figure 11 Network diagram for Telnet configuration with the authentication mode being password Set the timeout time of the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no opera...

Page 54: ...nds of level 2 are available to users logging in to VTY 0 SW4800G ui vty0 user privilege level 2 Configure Telnet protocol is supported SW4800G ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 SW4800G ui vty0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 SW4800G ui vty0 history command max size 20 Set the ...

Page 55: ...or the local user password simple cipher password Required Specify the service type for VTY users service type telnet level level Required Quit to system view quit Enter one or more VTY user interface views user interface vty first number last number Configure to authenticate users locally or remotely authentication mode scheme Required The specified AAA scheme determines whether to authenticate u...

Page 56: ...n screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time for t...

Page 57: ...that are authenticated in the RSA mode of SSH The user privilege level level command is not executed and the service type command does not specify the available command level Level 0 The user privilege level level command is not executed and the service type command specifies the available command level The user privilege level level command is executed and the service type command does not specif...

Page 58: ...twork diagram Figure 12 Network diagram for Telnet configuration with the authentication mode being scheme Configuration procedure Enter system view and enable the Telnet service SW4800G system view SW4800G telnet server enable Create a local user named guest and enter local user view SW4800G local user guest Set the authentication password of the local user to 123456 in plain text SW4800G luser g...

Page 59: ...minal window to enable the Telnet server function and assign an IP address to the management VLAN interface of the switch Enable the Telnet server function and configure the IP address of the management VLAN interface as 202 38 160 92 and the subnet mask as 255 255 255 0 SW4800G system view SW4800G telnet server enable SW4800G interface vlan interface 1 SW4800G Vlan interface1 ip address 202 38 16...

Page 60: ...figure the switch or display the information about the switch by executing corresponding commands You can also type at any time for help Refer to the following chapters for the information about the commands n A Telnet connection will be terminated if you delete or modify the IP address of the VLAN interface in the Telnet session By default commands of level 0 are available to Telnet users authent...

Page 61: ... on page 54 for more By default Telnet users need to pass the password authentication to login Step 2 Telnet to the switch operating as the Telnet client Step 3 Execute the following command on the switch operating as the Telnet client SW4800G telnet xxxx Where xxxx is the IP address or the host name of the switch operating as the Telnet server You can use the ip host to assign a host name to a sw...

Page 62: ...62 CHAPTER 3 LOGGING IN THROUGH TELNET ...

Page 63: ...tion on the Switch Side Modem Configuration Perform the following configuration on the modem directly connected to the switch AT F Restore the factory settings ATS0 1 Configure to answer automatically after the first ring AT D Ignore DTR signal AT K0 Disable flow control AT R1 Ignore RTS signal AT S0 Set DSR to high level by force ATEQ1 W Disable the modem from returning command response and the r...

Page 64: ...none Refer to section Console Port Login Configuration with Authentication Mode Being None on page 35 Configuration on switch when the authentication mode is password Refer to section Console Port Login Configuration with Authentication Mode Being Password on page 38 Configuration on switch when the authentication mode is scheme Refer to section Console Port Login Configuration with Authentication...

Page 65: ...ise packets may get lost Step 3 Connect your PC the modems and the switch as shown in the following figure Figure 16 Establish the connection by using modems Step 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 17 and Figure 18 Note that you need to set the telephone number to that of the modem direc...

Page 66: ...rs You can then configure or manage the switch You can also enter the character at anytime for help Refer to the following chapters for information about the configuration commands n If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to Configuring User Levels and Command Levels on page 1026 for information about command level ...

Page 67: ...window to assign an IP address to the management VLAN interface of the switch Configure the IP address of the management VLAN interface to be 10 153 17 82 with the mask 255 255 255 0 SW4800G system view SW4800G interface vlan interface 1 SW4800G Vlan interface1 ip address 10 153 17 82 255 255 255 0 Step 2 Configure the user name and the password for the Web based network management system Table 17...

Page 68: ... enter the IP address of the management VLAN interface of the switch here it is http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 20 appears enter the user name and the password configured in step 2 and click Login to bring up the main page of the Web based network management system Fi...

Page 69: ...to display the information about Web users and thus to verify the configuration effect Start the Web server ip http enable Required Execute this command in system view To do Use the command Remarks Table 18 Display information about Web users To do Use the command Display information about Web users display web users ...

Page 70: ...70 CHAPTER 5 LOGGING IN THROUGH WEB BASED NETWORK MANAGEMENT SYSTEM ...

Page 71: ...guration on both the NMS and the switch Connection Establishment Using NMS Figure 21 Network diagram for logging in through an NMS Table 19 Requirements for logging in to a switch through an NMS Item Requirement Switch The IP address of the management VLAN of the switch is configured The route between the NMS and the switch is available Refer to the module IP Addressing Configuration on page 121 a...

Page 72: ...72 CHAPTER 6 LOGGING IN THROUGH NMS ...

Page 73: ... interface used As a result external attacks are guarded and the security is improved On the other hand you can configure the Telnet server to accept only Telnet service packets with specific source IP addresses to make sure specific users can log in to the switch Configuring Source IP Address for Telnet Service Packets This feature can be configured in either user view or system view The configur...

Page 74: ...source IP address Interface Specified for Telnet Packets Follow these steps to display the source IP address interface specified for Telnet packets Specify the source IP address or source interface for the switch for it to log in to another device as a Telnet client telnet client source ip ip address interface interface type interface number Optional Not specified by default Table 21 Configure a s...

Page 75: ...olling Telnet Users by Source IP Addresses on page 75 By source and destination IP addresses Through advanced ACLs Section Controlling Telnet Users by Source and Destination IP Addresses on page 76 By source MAC addresses Through Layer 2 ACLs Section Controlling Telnet Users by Source MAC Addresses on page 76 SNMP By source IP addresses Through basic ACLs Section Controlling Network Management Use...

Page 76: ...6 acl number inbound outbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch To do Use the command Remarks To do Use the command Remarks Enter system view system view Create an advanced ACL or enter advanced ACL view acl ipv6 number acl number...

Page 77: ...y the ACL SW4800G user interface vty 0 4 SW4800G ui vty0 4 acl 2000 inbound To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id permit deny rule string Required You can define rules as needed ...

Page 78: ...ty name the SNMP group name and the SNMP user name To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment logging Requ...

Page 79: ...NMP group name and SNMP user name Configuration Example Network requirements Only SNMP users sourced from the IP addresses of 10 110 100 52 and 10 110 100 46 are permitted to access the switch Network diagram Figure 23 Network diagram for controlling SNMP users using ACLs Configuration procedure Define a basic ACL SW4800G system view SW4800G acl number 2000 match order config SW4800G acl basic 200...

Page 80: ...work requirements Only the users sourced from the IP address of 10 110 100 52 are permitted to access the switch Network diagram Figure 24 Network diagram for controlling Web users using ACLs To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specifi...

Page 81: ...G system view SW4800G acl number 2030 match order config SW4800G acl basic 2030 rule 1 permit source 10 110 100 52 0 SW4800G acl basic 2030 rule 2 deny source any Apply the ACL to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch SW4800G ip http acl 2030 ...

Page 82: ...82 CHAPTER 8 CONTROLLING LOGIN USERS ...

Page 83: ...llision Detect CSMA CD mechanism As the medium is shared in an Ethernet network performance may degrade as the number of hosts on the network is increasing If the number of the hosts in the network reaches a certain level problems caused by collisions broadcasts and so on emerge which may cause the network operating improperly In addition to the function that suppresses collisions which can also b...

Page 84: ...me physical area making network construction and maintenance much easier and more flexible VLAN Fundamental To enable packets being distinguished by the VLANs they belong to The VLAN tag fields used to identify VLANs are added to packets As common switches operate on the data link layer of the OSI model they only process data link layer encapsulation information and the VLAN tag thus needs to be i...

Page 85: ... is 0 by default The VLAN ID field 12 bits in length and with its value ranging from 0 to 4095 identifies the ID of the VLAN a packet belongs to As VLAN IDs of 0 and 4095 are reserved by the protocol the value of this field actually ranges from 1 to 4094 A network device determines the VLAN to which a packet belongs to by the VLAN ID field the packet carries The VLAN Tag determines the way a packe...

Page 86: ...teroperability between different VLANs Each VLAN can have one VLAN interface Packets of a VLAN can be forwarded on network layer through the corresponding VLAN interface As each VLAN forms a broadcast domain a VLAN can be an IP network segment and the VLAN interface can be the gateway to enable IP address based Layer 3 forwarding Follow these steps to configure VLAN interface basic attributes To d...

Page 87: ... multiple VLANs used to connect either user or network devices The differences between Hybrid and Trunk port A Hybrid port allows packets of multiple VLANs to be sent without the Tag label A Trunk port only allows packets from the default VLAN to be sent without the Tag label Configure an IP address for the VLAN interface ip address ip address mask mask length sub Optional Not configured by defaul...

Page 88: ...hernet port view port group view Follow these steps to configure the Access port based VLAN in VLAN view Port type Inbound packets handling Outbound packets handling If no tag is carried in the packet If a tag is carried in the packet Access Port Tag the packet with the default VLAN ID Receive the packet if its VLAN ID is the same as the default VLAN ID Discard the packet if its VLAN ID is differe...

Page 89: ...t port view interface interface type interface number Use either command In Ethernet port view the subsequent configurations only apply to the current port In port group view the subsequent configurations apply to all ports in the port group Enter port group view port group manual port group name aggregation agg id Configure the port link type as Access port link type access Optional The link type...

Page 90: ...erwise packets cannot be transmitted properly Allow the specified VLANs to pass through the current Trunk port port trunk permit vlan vlan id list all Required By default all Trunk ports only allow packets of VLAN 1 to pass Configure the default VLAN for the Trunk port port trunk pvid vlan vlan id Optional VLAN 1 is the default by default To do Use the command Remarks To do Use the command Remarks...

Page 91: ...he port or drops the packet if the VLAN corresponding to the VLAN tag is not permitted by the port The ways to create MAC address based VLANs A MAC address based VLAN can be created in one of the following two ways Static configuration through CLI You can associate MAC addresses and VLANs by using corresponding commands Auto configuration though the authentication server that is VLAN issuing The d...

Page 92: ...late the packet will be tagged with the default VLAN ID of the port To do Use the command Remarks Enter system view system view Associate MAC addresses with a VLAN mac vlan mac address mac addr mask mac mask vlan vlan id priority priority Required Enter Ethernet interface view or port group view Enter Ethernet interface view interface interface type interface number Use either command The configur...

Page 93: ...oes not exist this command creates the VLAN and then enters its view Configure the protocol based VLAN and specify the protocol template protocol vlan protocol index at ipv4 ipv6 ipx ethernetii llc raw snap mode ethernetii etype etype id llc dsap dsap id ssap ssap id ssap ssap id snap etype etype id Required Exit the VLAN view quit Required Enter Ethernet port view or port group view Enter Etherne...

Page 94: ...packet from a port the device identifies the VLAN the packet belongs to based on the source address contained in the packet and then forwards the packet in the VLAN This allows packets from a certain network segment or with certain IP addresses to be forwarded in a specified VLAN Configuring an IP Subnet Based VLAN n This feature is only applicable to Hybrid ports Follow these steps to configure a...

Page 95: ...ny view Display all the ports with MAC address based VLAN enabled display mac vlan interface Available in any view Display the information about specific MAC address to VLAN entries display mac vlan all dynamic mac address mac addr mask mac mask static vlan vlan id Available in any view Display the protocol information and protocol indexes of specified VLANs display protocol vlan vlan vlan id to v...

Page 96: ...ss through GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 port trunk permit vlan 2 6 to 50 100 Please wait Done 1 Configure Device B following similar steps as that of Device A Verification Verifying the configuration of Device A is similar to that of Device B So only Device A is taken for example here Display the information about GigabitEthernet 1 0 1 of Device A to verify the above configur...

Page 97: ...nput errors 0 runts 0 giants 0 throttles 0 CRC 0 frame overruns 0 aborts ignored parity errors Output total 175995 packets 31290143 bytes 47 broadcasts 68494 multicasts 0 pauses Output normal 175995 packets bytes 47 broadcasts 68494 multicasts 0 pauses Output 0 output errors underruns buffer failures 0 aborts 0 deferred 0 collisions 0 late collisions 0 lost carrier no carrier The output above show...

Page 98: ...98 CHAPTER 9 VLAN CONFIGURATION ...

Page 99: ...re regarded as voice traffic and are forwarded to the voice VLAN You can configure the OUI addresses in advance or use the default OUI addresses which are listed as follows n As the first 24 bits of a MAC address in binary format an OUI address is a globally unique identifier assigned to a vendor by IEEE Institute of Electrical and Electronics Engineers You can add or remove default OUI address ma...

Page 100: ... voice VLAN mode Voice traffic type Port link type Automatic mode Tagged voice traffic Access not supported Trunk supported provided that the default VLAN of the access port exists and is not the voice VLAN and that the access port belongs to the voice VLAN Hybrid supported provided that the default VLAN of the access port exists and is not the voice VLAN and is in the list of tagged VLANs whose p...

Page 101: ...ts process untagged packets and packets with the voice VLAN tags in different ways as shown in the following table In the two modes the port processes a packet with other VLAN tag in the same way that is forwards the packet if the VLAN is allowed on the port or discards the packet if the VLAN is not allowed on the port It is recommended that you do not mix voice packets with other types of data in...

Page 102: ... mask description text Optional By default each voice VLAN has default OUI addresses configured Refer to Table 23 for the default OUI addresses of different vendors Enable the voice VLAN feature globally voice vlan vlan id enable Required Enter Ethernet port view interface interface type interface number Configure the port voice VLAN mode as automatic voice vlan mode auto Optional Automatic mode b...

Page 103: ...Configure the working mode as manual undo voice vlan mode auto Required Disabled by default Add the ports in manual mode to the voice VLAN Access port Refer to Configuring an Access Port Based VLAN on page 88 Use one of the three approaches After you add an Access port to the voice VLAN the voice VLAN becomes the default VLAN of the port automatically Trunk port Refer to Configuring a Trunk Port B...

Page 104: ...iceA voice vlan 2 enable Configure the voice VLAN mode on GigabitEthernet 1 0 1 as automatic Optional by default the voice VLAN mode on a port is automatic mode DeviceA interface GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 voice vlan mode auto Configure GigabitEthernet 1 0 1 as a Hybrid port DeviceA GigabitEthernet1 0 1 port link type access Please wait Done DeviceA GigabitEthernet1 0 1 por...

Page 105: ...0 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current Voice VLAN state DeviceA display voice vlan state Voice VLAN status ENABLE Voice VLAN ID 2 Voice VLAN security mode Security Voice VLAN aging time 100 minutes Voice VLAN enabled port and its mode PORT MODE GigabitEthernet1 0 1 AUTO DeviceA Manual Voice VLAN Mode Configuration Example Network requirement Create VLAN 2 and ...

Page 106: ...eviceA vlan2 quit DeviceA voice vlan 2 enable Configure GigabitEthernet 1 0 1 to work in manual mode DeviceA interface GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 undo voice vlan mode auto Configure GigabitEthernet 1 0 1 as a Hybrid port DeviceA GigabitEthernet1 0 1 port link type access Please wait Done DeviceA GigabitEthernet1 0 1 port link type hybrid Configure the default VLAN of Gigabi...

Page 107: ...000 ffff ff00 0000 Avaya phone 0011 2200 0000 ffff ff00 0000 test 0060 b900 0000 ffff ff00 0000 Philips NEC phone 00d0 1e00 0000 ffff ff00 0000 Pingtel phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current voice VLAN state DeviceA display voice vlan state Voice VLAN status ENABLE Voice VLAN ID 2 Voice VLAN security mode Security Voice VLAN a...

Page 108: ...108 CHAPTER 10 VOICE VLAN CONFIGURATION ...

Page 109: ...ice as an entity GARP compliant participants are known as GARP applications One example is GVRP When a GARP participant is present on a port on your device the port is regarded as a GARP participant GARP messages and timers 1 GARP messages GARP participants exchange information through the following three types of messages Join message Leave message and LeaveAll message A GARP participant uses Joi...

Page 110: ...mer Starts upon receipt of a Leave message sent for deregistering some attribute information If no Join message is received before this timer expires the GARP participant removes the attribute information as requested LeaveAll timer Starts when a GARP participant starts When this timer expires the entity sends a LeaveAll message so that other participants can re register its attribute information ...

Page 111: ...ibute Type Defined by the concerned GARP application 0x01 for GVRP indicating the VLAN ID attribute Attribute List Contains one or multiple attributes Attribute Consists of an Attribute Length an Attribute Event and an Attribute Value Attribute Length Number of octets occupied by an attribute inclusive of the attribute length field 2 to 255 in bytes Attribute Event Event described by the attribute...

Page 112: ...but allows the port to propagate information about static VLANs A trunk port with fixed registration type thus allows only manually configured VLANs to pass through even though it is configured to carry all VLANs Forbidden Disables the port to dynamically register and deregister VLANs and to propagate VLAN information except information about VLAN 1 A trunk port with forbidden registration type th...

Page 113: ...view the subsequent configurations apply to all ports in the port group Enter port group view port group aggregation agg id manual port group name Enable GVRP on the port gvrp Required Disabled by default Configure the GVRP registration mode on the port gvrp registration fixed forbidden normal Optional The default is normal To do Use the command Remarks Enter system view system view Configure the ...

Page 114: ... Display statistics about GARP display garp statistics interface interface list Available in any view Display GARP timers for specified or all ports display garp timer interface interface list Available in any view Display the local VLAN information maintained by GVRP display gvrp local vlan interface interface type interface number Available in any view Display the current GVRP state display gvrp...

Page 115: ... 2 Configure Device B Enable GVRP globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 1 0 1 as a Trunk port allowing all VLANs to pass DeviceB interface GigabitEthernet 1 0 1 DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 port trunk permit vlan all Enable GVRP on GigabitEthernet 1 0 1 the Trunk port DeviceB GigabitEthernet1 0 1 gvrp DeviceB Giga...

Page 116: ...0 1 DeviceA GigabitEthernet1 0 1 port link type trunk DeviceA GigabitEthernet1 0 1 port trunk permit vlan all Enable GVRP on GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 gvrp Set the GVRP registration type to fixed on the port DeviceA GigabitEthernet1 0 1 gvrp registration fixed DeviceA GigabitEthernet1 0 1 quit Create VLAN 2 a static VLAN DeviceA vlan 2 2 Configure Device B Enable GVRP glob...

Page 117: ...ration mode to forbidden on Device A and normal on Device B Network diagram Figure 34 Network diagram for GVRP configuration Configuration procedure 1 Configure Device A Enable GVRP globally DeviceA system view DeviceA gvrp Configure port GigabitEthernet 1 0 1 as a Trunk port allowing all VLANs to pass DeviceA interface GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 port link type trunk Device...

Page 118: ...wed on GigabitEthernet 1 0 1 DeviceA display interface GigabitEthernet 1 0 1 GigabitEthernet1 0 1 current state DOWN IP Packet Frame Type PKTFMT_ETHNT_2 Hardware Address 00e0 fc55 0010 Description GigabitEthernet1 0 1 Interface Loopback is not set Media type is twisted pair Port hardware type is 1000_BASE_T Unknown speed mode unknown duplex mode Link speed type is autonegotiation link duplex type ...

Page 119: ...GVRP Configuration Examples 119 DeviceB display vlan dynamic No dynamic vlans exist ...

Page 120: ...120 CHAPTER 11 GVRP CONFIGURATION ...

Page 121: ...ary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts Net id First several bits of the IP address defining a network also known as class bits Host id Identifies a host on a network For administration sake IP addresses are divid...

Page 122: ...the host id to create a subnet id To identify the boundary between the host id and the combination of net id and subnet id masking is used When subnetting is not adopted a mask identifies the boundary between the host id and the host id Each subnet mask comprises 32 bits related to the corresponding bits in an IP address In a subnet mask the part containing consecutive ones identifies the combinat...

Page 123: ...t id and thus have only 126 27 2 hosts in each subnet The maximum number of hosts is thus 64 512 512 126 1022 less after the network is subnetted Class A B and C networks before being subnetted use these default masks also called natural masks 255 0 0 0 255 255 0 0 and 255 255 255 0 respectively Configuring IP Addresses Besides directly assigning an IP address to an interface you may configure the...

Page 124: ...ng Configuration Example Network requirements As shown in Figure 37 VLAN interface 1 on Switch is connected to a LAN comprising two segments 172 16 1 0 24 and 172 16 2 0 24 To enable the hosts on the two network segments to access the external network through the switch and enable the hosts on the two network segments to communicate with each other do the following Assign a primary IP address and ...

Page 125: ... Switch ping 172 16 1 2 PING 172 16 1 2 56 data bytes press CTRL_C to break Reply from 172 16 1 2 bytes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 1 2 bytes 56 Sequence 2 ttl 255 time 27 ms Reply from 172 16 1 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 1 2 bytes 56 Sequence 4 ttl 255 time 26 ms Reply from 172 16 1 2 bytes 56 Sequence 5 ttl 255 time 26 ms 172 16 1 2 ping sta...

Page 126: ... 0 00 packet loss round trip min avg max 25 25 26 ms The information shown above indicates the switch can communicate with the hosts on the subnet 172 16 2 0 24 Use the ping command to verify the connectivity between hosts on the subnet 172 16 1 0 24 and hosts on subnet 172 16 2 0 24 Ping Host B on Host A to verify that the ping operation is successful Displaying and Maintaining IP Addressing To d...

Page 127: ... Broadcasts to a Directly Connected Network Directed broadcasts refer to broadcast packets sent to a specific network In the destination IP address of a directed broadcast the network ID is a network specific number and the host ID is all ones Enabling the device to receive and forward directed broadcasts to a directly connected network will give hackers an opportunity to attack the network Theref...

Page 128: ...nterface 3 IP address 1 1 1 2 24 of Switch A Configure a static route on Switch B to enable the reachability between host and Switch B Network diagram Figure 38 Network diagram for receiving and forwarding directed broadcasts Configuration procedure Configure Switch A Enable Switch A to receive directed broadcasts SwitchA system view SwitchA ip forward broadcast Configure IP addresses for VLAN int...

Page 129: ...interface 2 of Switch B However if you disable the ip forward broadcast command the ping packets can not be received by the VLAN interface 2 of Switch B Configuring TCP Attributes Configuring TCP Optional Parameters TCP optional parameters that can be configured include synwait timer When sending a SYN packet TCP starts the synwait timer If no response packets are received within the synwait timer...

Page 130: ...ckets if the following conditions are satisfied The receiving and forwarding interfaces are the same The selected route has not been created or modified by ICMP redirect packet The selected route is not the default route of the device There is no source route option in the packet ICMP redirect packets function simplifies host administration and enables a host to gradually establish a sound routing...

Page 131: ...source uses strict source routing to send packets but the intermediate device finds the next hop specified by the source is not directly connected the device will send the source a source routing failure ICMP error packet When forwarding a packet if the MTU of the sending interface is smaller than the packet but the packet has been set Don t Fragment the device will send the source a fragmentation...

Page 132: ...ommand Remarks Display current TCP connection state display tcp status Available in any view Display TCP connection statistics display tcp statistics Display UDP statistics display udp statistics Display IP packets statistics display ip statistics Display ICMP flows statistics display icmp statistics Display socket information display ip socket socktype sock type task id socket id Display FIB forw...

Page 133: ...ble easy to implement Layer 2 VPN technique which enables the access point to encapsulate an outer VLAN tag in Ethernet frames from customer networks private networks so that the Ethernet frames will travel across the service provider s backbone network public network with double VLAN tags The inner VLAN tag is the customer network VLAN tag while the outer one is the VLAN tag assigned by the servi...

Page 134: ...egardless of whether the frame is tagged or untagged If the received frame is already tagged this frame becomes a double tagged frame if it is an untagged frame it is tagged with the port s default VLAN tag 2 Selective QinQ Selective QinQ is a more flexible VLAN based implementation of QinQ In addition to all the functions of basic QinQ selective QinQ can tag the frame with different outer VLAN ta...

Page 135: ...f the outer VLAN tag of QinQ frames to different values For compatibility with these systems you can modify the TPID value so that the QinQ frames when sent to the public network carry the TPID value identical to the value of a particular vendor to allow interoperability with the devices of that vendor The TPID in an Ethernet frame has the same position with the protocol type field in a frame with...

Page 136: ...elective QinQ mapping rule To do Use the command Remarks Enter system view system view Enter Ethernet port view or port group view Enter Ethernet port view interface interface type interface number Required Use either command Configurations made in Ethernet port view will take effect on the current port only configuration made in port group view will take effect on all ports in the port group Ente...

Page 137: ... network and Provider B belongs to VLAN 2000 of the service provider network Third party devices are deployed between Provider A and Provider B with a TPID value of 0x8200 After configuration the network should satisfy the following requirement Frames of VLAN 10 of Customer A and frames of VLAN 10 of Customer B can be forwarded to each other through VLAN 1000 of the provider network frames of VLAN...

Page 138: ... configure the port to remove the outer tag of the frames when sending them out ProviderA interface GigabitEthernet 1 0 1 ProviderA GigabitEthernet1 0 1 port link type hybrid ProviderA GigabitEthernet1 0 1 port hybrid vlan 1000 2000 untagged Configure the port to tag frames from VLAN 10 with an outer tag with the VLAN ID of 1000 ProviderA GigabitEthernet1 0 1 qinq vid 1000 ProviderA GigabitEtherne...

Page 139: ...oviderA interface GigabitEthernet 1 0 3 ProviderA GigabitEthernet1 0 3 port link type trunk ProviderA GigabitEthernet1 0 3 port trunk permit vlan 1000 2000 To enable interoperability with the third party devices in the public network set the TPID value to be carried in VLAN Tags to 0x8200 ProviderA GigabitEthernet1 0 3 quit ProviderA qinq ethernet type service tag 8200 2 Configuration on Provider ...

Page 140: ...3 Configuration on devices on the public network As third party devices are deployed between Provider A and Provider B what we discuss here is only the basic configuration that should be made on the devices Configure that device connecting with GigabitEthernet 1 0 3 of Provider A and the device connecting with GigabitEthernet 1 0 1 of Provider B so that their corresponding ports send tagged frames...

Page 141: ... be received and processed by all STP enabled devices on the network This prevents each network from correctly calculating its spanning tree As a result when redundant links exist in a network data loops will unavoidably occur By allowing each network to have its own spanning tree while running STP BPDU tunneling can resolve this problem BPDU tunneling can isolate BPDUs of different customer netwo...

Page 142: ...g At the BPDU input side the device changes the destination MAC address of a BPDU from a customer network from 0x0180 C200 0000 to a special multicast MAC address 0x010F E200 0003 by default In the service provider s network the modified BPDUs are forwarded as data packets in the user VLAN At the packet output side the device recognizes the BPDU with the destination MAC address of 0x010F E200 0003...

Page 143: ...either command Configurations made in Ethernet port view will take effect on the current port only configurations made in port group view will take effect on all ports in the port group Enter port group view port group manual port group name aggregation agg id Enable BPDU tunneling for the port s bpdu tunnel dot1q enable Required Disabled by default To do Use the command Remarks To do Use the comm...

Page 144: ...fy it to 0x0100 0CCD CDD0 0x0100 0CCD CDD1 or 0x0100 0CCD CDD2 through the following configuration Follow these steps to configure destination multicast MAC address for BPDU tunnel frames BPDU Tunneling Configuration Example Network requirements Customer A Customer B Customer C and Customer D are customer network access devices Provider A Provider B and Provider C are service provider network acce...

Page 145: ...n on GigabitEthernet 1 0 2 ProviderB system view ProviderB interface GigabitEthernet 1 0 2 ProviderB GigabitEthernet1 0 2 port access vlan 4 ProviderB GigabitEthernet1 0 2 undo ntdp enable ProviderB GigabitEthernet1 0 2 bpdu tunnel dot1q enable 3 Configuration on Provider C Configure BPDU transparent transmission on GigabitEthernet 1 0 3 ProviderC system view ProviderC interface GigabitEthernet 1 ...

Page 146: ...able ProviderC GigabitEthernet1 0 4 undo ntdp enable ProviderC GigabitEthernet1 0 4 bpdu tunnel dot1q enable ProviderC GigabitEthernet1 0 4 bpdu tunnel dot1q stp n When STP works stably on the customer network if Customer A acts as the root bridge the ports of Customer C and Customer D connected with Provider C can receive BPDUs from Customer A Since BPDU isolation is enabled on Customer B the por...

Page 147: ...auto keyword specified the transmission rate is determined through auto negotiation too Follow these steps to perform basic Ethernet port configuration Task Remarks Performing Basic Ethernet Port Configuration on page 147 Optional Combo Port Configuration on page 148 Optional Configuring the Suppression Time of Physical Link State Change on an Ethernet Port on page 149 Optional Enabling Loopback T...

Page 148: ... a Layer 3 Ethernet interface Dual Combo port the two Ethernet interfaces in the device panel correspond to two interface views State switchover can be realized in user s own interfaces view A double Combo port can only be a layer 2 Ethernet interface n Currently only Dual Combo ports are supported on the Switch 4800G Configuring Combo port state Follow these steps to configure the state for a dou...

Page 149: ... This functionality reduces the extra overhead occurred due to frequent physical link state changes within a short period of time Follow these steps to configure the suppression time of physical link state changes on an Ethernet port Enabling Loopback Test on an Ethernet Port You can enable loopback testing to check whether the Ethernet port functions properly Note that no data packets can be forw...

Page 150: ... port group view the user only needs to input the configuration command once on one port and that configuration will apply to all ports in the port group This effectively reduces redundant configurations A Port group belongs to one of the following two categories Manual port group manually created by users Multiple Ethernet ports can be added to the same port group Dynamic port group dynamically c...

Page 151: ...set the broadcast multicast unknown unicast storm suppression ratios To do Use the command Remarks Enter system view system view Enter port group view Enter manual port group view port group manual port group name Enter aggregation port group view port group aggregation agg id To do Use the command Remarks Enter system view system view Create a manual port group and enter manual port group view po...

Page 152: ...es effect on all ports in the port group Follow these steps to enable the forwarding of jumbo frames Configure multicast storm suppression ratio multicast suppression ratio pps max pps Optional By default all multicast traffic is allowed to pass through a port that is multicast traffic is not suppressed Configure unknown unicast storm suppression ratio unicast suppression ratio pps max pps Optiona...

Page 153: ...oth system view and the port view of the port Loopback detection on all ports will be disabled after the issuing of the undo loopback detection enable command in system view If the system detects loopback in multiple VLANs on a port in a detection interval it sends only one trap to the terminal rather than one trap per VLAN The aggregation port can not support loopback detection Configuring the Ca...

Page 154: ...ribed in this section on one of the Ethernet ports forming the link You can enable the test on the cable connected with an Ethernet port to check Whether the RX and TX of the cable are short circuited Whether the cable is open circuited The length of the faulty cable if there is any fault The system will return the check result in 5 seconds Follow these steps to test the current operating state of...

Page 155: ... is lower than the threshold Note that a port blocked by the storm constrain function can still forward other types of traffic and monitor the blocked traffic Shutting down the port In this case the port is shut down and stops forwarding all types of traffics Ports shut down by the storm constrain function can only be brought up by using the undo shutdown command or disabling the storm constrain f...

Page 156: ...old or drops down below the lower threshold from a point higher than the upper threshold To do Use the command Remarks To do Use the command Remarks Display the current state of a specified port and related information display interface interface type interface number Available in any view Display a summary of a specified port display brief interface interface type interface number begin include e...

Page 157: ... created automatically by the system as Isolation Group 1 The user can neither delete the isolation group nor create other isolation groups There is no restriction on the number of ports to be added to an isolation group A port inside an isolation group and a port outside the isolation group can communicate with each other at Layer 2 and Layer 3 Ports of the isolation group cannot communicate with...

Page 158: ... diagram for port isolation configuration Configuration procedure Add ports GigabitEthernet1 0 1 GigabitEthernet1 0 2 and GigabitEthernet1 0 3 to the isolation group Device system view Device interface GigabitEthernet1 0 1 Device GigabitEthernet1 0 1 port isolate enable Device GigabitEthernet1 0 1 quit Device interface GigabitEthernet1 0 2 Device GigabitEthernet1 0 2 port isolate enable Device Gig...

Page 159: ...ernet1 0 3 Device GigabitEthernet1 0 3 port isolate enable Display the information about the isolation group Device display port isolate group Port isolate group information Uplink port support No Group ID 1 GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3 ...

Page 160: ...160 CHAPTER 17 PORT ISOLATION CONFIGURATION ...

Page 161: ...its system LACP priority system MAC address port LACP priority port number and operational key Upon receipt of an LACPDU the remote system compares the received information with the information received on other ports to determine the ports that can operate as selected ports This allows the two systems to reach agreement on the states of the related ports When aggregating ports link aggregation co...

Page 162: ...priority SP queuing Weighted round robin WRR queuing Port priority Policy setting on the port Port trust mode GVRP GVRP state on ports enabled or disabled GVRP registration type GARP timers Q in Q State of Q in Q enabled or disabled Added outer VLAN tag Policy of appending outer VLAN tag according to inner VLAN IDs BPDU tunnel BPDU tunnel state on ports enabled or disabled BPDU tunnel state for ST...

Page 163: ...ecome selected ports while the other candidates become unselected ports The selected port with the lowest port number serves as the master port of the aggregation group and the other ports serve as the member ports of the aggregation group If all the ports of an aggregations port are down the port with the lowest port number is the master port In this case all of them are unselected ports In addit...

Page 164: ... If two ports with the same port LACP priority are present compare their port numbers The one with the smaller port ID wins out to become the reference port 7 Select the candidates for selected ports To be a candidate a port must be in the up state with the same speed duplex mode link state and basic configuration as the reference port in addition their peer ports on the other system must have the...

Page 165: ...Load sharing is implemented through the selected ports in an aggregation group However the way of selecting forwarding ports varies by packet type For a Layer 2 unicast packet with a known destination MAC address if the packet carries an IP datagram the switch selects the forwarding port according to the source IP address and destination IP address otherwise the switch selects the forwarding port ...

Page 166: ... are removed to ensure ongoing service Aggregation Port Group As mentioned earlier in a manual or static aggregation group a port can be selected only when its configuration is the same as that of the reference port in terms of duplex speed pair link state and other basic configurations Their configuration consistency requires administrative maintenance which is troublesome after you change some c...

Page 167: ...roup by changing the type of an existing static aggregation group When you create a manual aggregation group in this way and the static aggregation group contains ports LACP is disabled on the ports after the manual aggregation group is created An aggregation group cannot contain the following ports RRPP enabled ports ports configured with static MAC addresses or black hole MAC addresses voice VLA...

Page 168: ...on group changes to a non load balancing group due to resources exhaustion either of the following may happen Forwarding anomaly resulted from inconsistency of the two ends in the number of selected ports Some protocols such as GVRP malfunction because the state of the remote port connected to the master port is unselected Configuring an Aggregation Group Name Follow these steps to configure a nam...

Page 169: ...To do Use the command Remarks To do Use the command Remarks Enter system view system view Create a manual aggregation group link aggregation group agg id mode manual Required Specify the aggregation group as a service loop group that is of specific type link aggregation group agg id service type tunnel Required Enter Ethernet port view interface interface type interface number Add the Ethernet por...

Page 170: ...Add ports GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to the group SwitchA interface GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 port link aggregation group 1 SwitchA GigabitEthernet1 0 1 interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 port link aggregation group 1 SwitchA GigabitEthernet1 0 2 interface GigabitEthernet 1 0 3 SwitchA GigabitEthernet1 0 3 port link aggreg...

Page 171: ...link aggregation group 1 SwitchA GigabitEthernet1 0 2 interface GigabitEthernet 1 0 3 SwitchA GigabitEthernet1 0 3 port link aggregation group 1 3 Configure a service loop group Create a manual aggregation group SwitchA system view SwitchA link aggregation group 1 mode manual Specify this group to be a tunnel service loop group SwitchA link aggregation group 1 service type tunnel Assign port Gigab...

Page 172: ...172 CHAPTER 19 LINK AGGREGATION CONFIGURATION ...

Page 173: ... connected and to which VLAN the port belongs A MAC address table consists of two types of entries static and dynamic Static entries are manually configured and never age out Dynamic entries can be manually configured or dynamically learned and may age out The following is how a switch learns a MAC address after it receives a frame from a port port A for example 1 Check the frame for the source MA...

Page 174: ...stination MAC address Figure 46 Forward frames using the MAC address table Configuring MAC Address Table Management This section covers these topics Configuring MAC Address Entries on page 174 Configuring MAC Address Aging Timer on page 175 Configuring the Maximum Number of MAC Addresses an Ethernet Port or a Port Group Can Learn on page 175 Configuring MAC Address Entries Follow these steps to ad...

Page 175: ... a MAC address table from getting so large that it may degrade forwarding performance you may restrict the number of MAC addresses that can be learned One approach is to do this on a per port or port group basis Follow these steps to configure the maximum number of MAC addresses that an Ethernet port or port group can learn To do Use the command Remarks Enter system view system view Configure the ...

Page 176: ...1 interface GigabitEthernet 1 0 1 vlan 1 Set the aging timer for dynamic MAC address entries to 500 seconds Sysname mac address timer aging 500 Display the MAC address entry for port GigabitEthernet 1 0 1 Sysname display mac address interface GigabitEthernet 1 0 1 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME s 000f e235 dc71 1 Config static GigabitEthernet 1 0 1 NOAGED 1 mac address es found To do...

Page 177: ...ress and VLAN tag of the packet in the binding entries of the IP source guard If there is a matching entry the port will forward the packet Otherwise the port will abandon the packet IP source guard filters packets based on the following types of binding entries IP port binding entry MAC port binding entry IP MAC port binding entry You can manually set static binding entries or use DHCP Snooping t...

Page 178: ...e 47 switches A and B and Hosts A B and C are on an Ethernet Host A and Host B are connected to ports GigabitEthernet1 0 1 and GigabitEthernet1 0 2 of Switch B respectively Host C is connected to port GigabitEthernet1 0 2 of Switch A while Switch B is connected to port GigabitEthernet1 0 1 of Switch A Detailed requirements are as follows Configure a static binding entry user bind ip address ip add...

Page 179: ...guration procedure 1 Configure Switch A Configure the IP addresses of various interfaces omitted Configure port GigabitEthernet1 0 2 of Switch A to allow only IP packets with the source MAC address of 00 01 02 03 04 05 and the source IP address of 192 168 0 3 to pass SwitchA system view SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 user bind ip address 192 168 0 3 mac addres...

Page 180: ...d MAC IP Vlan Port Status 0001 0203 0405 192 168 0 3 N A GigabitEthernet1 0 2 Static 0001 0203 0406 192 168 0 1 N A GigabitEthernet1 0 1 Static 2 binding entries queried 2 listed On Switch B static binding entries are configured successfully SwitchB display user bind The following user address bindings have been configured MAC IP Vlan Port Status 0001 0203 0406 192 168 0 1 N A GigabitEthernet1 0 1...

Page 181: ...lay the dynamic binding entries that port GigabitEthernet1 0 1 has obtained from DHCP Snooping SwitchA display ip check source The following user address bindings have been configured MAC IP Vlan Port Status 0001 0203 0406 192 168 0 1 1 GigabitEthernet1 0 1 DHCP SNP 1 binding entries queried 1 listed Display the dynamic entries of DHCP Snooping and check it is identical with the dynamic entries th...

Page 182: ...iguring static binding entries and dynamic binding function fails on a port Analysis IP Source Guard is not supported on the port which has joined an aggregation group Neither static binding entries nor dynamic binding function can be configured on the port which has joined an aggregation group Solution Remove the port from the aggregation group ...

Page 183: ...DP Configuration Example on page 193 Troubleshooting on page 195 Overview A special kind of links namely unidirectional links may occur in a network When a unidirectional link appears the local device can receive packets from the peer device through the link layer but the peer device cannot receive packets from the local device Unidirectional link can cause problems such as loops in a Spanning Tre...

Page 184: ...tus of a device The auto negotiation mechanism provided by physical layer protocols detects physical signals and faults DLDP however performs operations such as identifying peer devices detecting unidirectional links and shutting down unreachable ports The cooperation of physical layer protocols and DLDP ensures that physical logical unidirectional links be detected and shut down For a link with t...

Page 185: ...e in the Active Advertisement or Probe DLDP link state transits to this state rather than remove the corresponding neighbor entry and transits to the Inactive state when it detects a port down event When a device transits to this state the DelayDown timer is triggered Table 31 DLDP timers DLDP timer Description Active timer Determines the Interval to send Advertisement packets with RSY tag which d...

Page 186: ...et is received from a neighbor when the entry aging timer expires Enhanced timer is set to 10 seconds After the Enhanced timer is triggered the device sends up to eight probe packets to the neighbor at a frequency of one packet per second If no Echo packet is received from the neighbor when the Echo timer expires the link is set as a unidirectional link and the device transits to the Disable state...

Page 187: ...ise DLDP cannot take effect When a fiber of a fiber pair is not connected or gets disconnected the port that can receive optical signals is in Disable state the other port is in Inactive state DLDP authentication mode You can prevent network attacks and illegal detect through DLDP authentication Three DLDP authentication modes exist as described below Non authentication In this mode the sending si...

Page 188: ...es Table 33 DLDP packet types and DLDP states DLDP state Type of DLDP packets sent Active Advertisement packet with RSY tag Advertisement Normal Advertisement packet Probe Probe packet Disable Disable packet and RecoverProbe packet Table 34 Procedures for processing different types of DLDP packets Packet type Processing procedure Advertisement packet with RSY tag Retrieving the neighbor informatio...

Page 189: ...able state If not no process is performed If yes the local port transits to Active state if the neighbor information the packet carries is consistent with the local port information LinkDown packet Check to see if the local port operates in Enhanced mode If not no process is performed If yes and the local port is not in Disable state the local transits to Disable state Table 34 Procedures for proc...

Page 190: ...eceives response from its peer This state indicates the link is a two way link Unidirectional A neighbor is in this state when the link connecting it is detected to be a unidirectional link After a device transits to this state the corresponding neighbor entries maintained on other devices are removed Table 36 Description on DLDP neighbor states DLDP neighbor state Description Task Remarks Enablin...

Page 191: ... Tx line fails the port goes down and then comes up again causing optical signal jitters on the Rx line When a port goes down due to a Tx failure the device transits to the DelayDown state instead of the Inactive state to prevent the corresponding neighbor entries from being removed In the same time the device triggers the DelayDown timer If the port goes up before the timer expires the device res...

Page 192: ...g remote OAM loopback to operate improperly To prevent this you need to set the port shutdown mode to auto mode If the device is busy or the CPU utilization is high normal links may be treated as unidirectional links In this case you can set the port shutdown mode to manual mode to eliminate the effects caused by false unidirectional link report Configuring DLDP Authentication Follow these steps t...

Page 193: ...tion Example DLDP Configuration Example Network requirements Device A and Device B are connected through two fiber pairs in which two fibers are cross connected as shown in Figure 52 To do Use the command Remarks Enter system view system view Reset DLDP state dldp reset Required To do Use the command Remarks Enter system view system view Enter Ethernet port view port group view Enter Ethernet port...

Page 194: ...interface gigabitethernet 1 0 50 DeviceA GigabitEthernet1 0 50 dldp enable DeviceA GigabitEthernet1 0 50 interface gigabitethernet 1 0 51 DeviceA GigabitEthernet1 0 51 dldp enable DeviceA GigabitEthernet1 0 51 quit Set the interval for sending Advertisement packets to 6 seconds DeviceA dldp interval 6 Set the DelayDown timer to 2 seconds DeviceA dldp delaydown timer 2 Set the DLDP mode as enhanced...

Page 195: ...hus shut down Reset DLDP state for the ports shut down by DLDP DeviceA dldp reset 2 Configuration on Device B The configuration on Device B is the same as that on Device A and is thus omitted n If two fibers are cross connected all the four ports involved will be shut down by DLDP Troubleshooting Symptom Two DLDP enabled devices Device A and Device B are connected through two fiber pairs in which ...

Page 196: ...196 CHAPTER 22 DLDP CONFIGURATION ...

Page 197: ...tion and infinite recycling of packets that would occur in a loop network and prevents deterioration of the packet processing capability of network devices caused by duplicate packets received In the narrow sense STP refers to the STP protocol defined in IEEE 802 1d in the broad sense it refers to the STP protocol defined in IEEE 802 1d and various enhanced spanning tree protocols derived from the...

Page 198: ...The following table describes a designated bridge and a designated port Figure 53 shows designated bridges and designated ports In the figure AP1 and AP2 BP1 and BP2 and CP1 and CP2 are ports on Device A Device B and Device C respectively If Device A forwards BPDUs to Device B through AP1 the designated bridge for Device B is Device A and the designated port is the port AP1 on Device A Two devices...

Page 199: ...lds in a configuration BPDU include Root bridge ID consisting of root bridge priority and MAC address Root path cost the cost of the shortest path to the root bridge Designated bridge ID designated bridge priority plus MAC address Designated port ID designated port priority plus port name Message age age of the configuration BPDU while it propagates in the network Max age maximum age of the config...

Page 200: ...en the IDs of the ports on which they are received The smaller the ID the higher message priority Selection of the root bridge At network initialization each STP compliant device on the network assumes itself to be the root bridge with the root bridge ID being its own device ID By exchanging configuration BPDUs the devices compare one another s root bridge ID The device with the smallest root brid...

Page 201: ...U and the path cost of the root port the device calculates a designated port configuration BPDU for each of the rest ports The root bridge ID is replaced with that of the configuration BPDU of the root port The root path cost is replaced with that of the configuration BPDU of the root port plus the path cost corresponding to the root port The designated bridge ID is replaced with the ID of this de...

Page 202: ...P1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the configuration received message and discards the received configuration BPDU Port AP2 receives the configuration BPDU of Device C 2 0 2 CP1 Device A finds that the BPDU of the local port 0 0 0 AP2 is superior to the received configuration BPDU and discards the received configuration BPDU Device A finds that...

Page 203: ...ines that the configuration BPDU of BP1 is the optimum configuration BPDU Then it uses BP1 as the root port the configuration BPDUs of which will not be changed Based on the configuration BPDU of BP1 and the path cost of the root port 5 Device B calculates a designated port configuration BPDU for BP2 0 5 1 BP2 Device B compares the calculated configuration BPDU 0 5 1 BP2 with the configuration BPD...

Page 204: ...d configuration BPDU Root port CP1 0 0 0 AP2 Designated port CP2 0 10 2 CP2 Next port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process At the same time port CP1 receives configuration BPDUs periodically from Device A Device C does not launch an update process after comparison...

Page 205: ... old configuration BPDUs will be discarded due to timeout In this case the device will generate a configuration BPDU with itself as the root and sends out the BPDU This triggers a new spanning tree calculation process so that a new path is established to restore the network connectivity However the newly calculated configuration BPDU will not be propagated throughout the network immediately so the...

Page 206: ... root port on the device has stopped forwarding data and the upstream designated port has started forwarding data In RSTP a newly elected designated port can enter the forwarding state rap idly if this condition is met The designated port is an edge port or a port con nected with a point to point link If the designated port is an edge port it can enter the forwarding state directly if the designat...

Page 207: ...twork and network segments among them These devices have the following characteristics All are MSTP enabled They have the same region name They have the same VLAN to instance mapping configuration They have the same MSTP revision level configuration and They are physically linked with one another For example all the devices in region A0 in Figure 56 have the same MST region configuration CST Regio...

Page 208: ... In Figure 56 for example the CIST has a section in each MST region and this section is the IST in the respective MST region 4 CST The CST is a single spanning tree that connects all MST regions in a switched network If you regard each MST region as a device the CST is a spanning tree calculated by these devices through STP or RSTP For example the red lines in Figure 56 describe the CST 5 CIST Joi...

Page 209: ...y port 10 Roles of ports In the MSTP calculation process port roles include root port designated port master port alternate port backup port and so on Root port a port responsible for forwarding data to the root bridge Designated port a port responsible for forwarding data to the downstream network segment or device A master port connects an MST region to the common root The path from the master p...

Page 210: ...c n When in different MST instances a port can be in different states The role a boundary port plays in an MSTI is consistent with the role it plays in the CIST The master port which is a root port in the CIST while a master port in the other MSTIs is an exception For example in Figure 57 port 1 on switch A is a boundary port It is a root port in the CIST while a master port in all the other MSTIs...

Page 211: ... MSTI calculation Within an MST region MSTP generates different spanning tree instances for different VLANs based on the VLAN to instance mappings MSTP performs a separate calculation process which is similar to spanning tree calculation in STP for each spanning tree For details refer to How STP works on page 199 In MSTP a VLAN packet is forwarded along the following paths Within an MST region the...

Page 212: ...ing the Work Mode of MSTP Device on page 216 Optional Configuring the Priority of the Current Device on page 216 Optional Configuring the Maximum Hops of an MST Region on page 217 Optional Configuring the Network Diameter of a Switched Network on page 218 Optional Configuring Timers of MSTP on page 218 Optional Configuring the Timeout Factor on page 219 Optional Configuring the Maximum Transmissio...

Page 213: ...on Rate of Ports on page 220 Optional Configuring Ports as Edge Ports on page 221 Optional Configuring Path Costs of Ports on page 225 Optional Configuring Port Priority on page 226 Optional Configuring Whether Ports Connect to Point to Point Links on page 221 Optional Configuring the Mode a Port Uses to Recognize Send MSTP Packets on page 227 Optional Enabling the Output of Port State Transition ...

Page 214: ...active region configuration command or enable MSTP using the stp enable command Configuration example Configure the MST region name to be info the MSTP revision level to be 1 and VLAN 2 through VLAN 10 to be mapped to instance 1 and VLAN 20 through VLAN 30 to instance 2 Sysname system view Sysname stp region configuration Sysname mst region region name info Sysname mst region instance 1 vlan 2 to ...

Page 215: ...t bridge of another instance However the same device cannot be the root bridge and a secondary root bridge in the same instance at the same time There is one and only one root bridge in effect in a spanning tree instance If two or more devices have been designated to be root bridges of the same spanning tree instance MSTP will select the device with the lowest MAC address as the root bridge You ca...

Page 216: ...ze each other s protocol packets so they are mutually compatible However STP is unable to recognize MSTP packets For hybrid networking with legacy STP devices and full interoperability with RSTP compliant devices MSTP supports three work modes STP compatible mode RSTP mode and MSTP mode In STP compatible mode all ports of the device send out STP BPDUs In RSTP mode all ports of the device send out ...

Page 217: ...ion BPDU with a hop count set to the maximum value When a switch receives this configuration BPDU it decrements the hop count by 1 and uses the new hop count as the remaining hop count in the BPDUs it propagates When the hop count of a BPDU reaches 0 it is discarded by the device that received it Thus devices beyond the reach of the maximum hop are unable to take part in spanning tree calculation ...

Page 218: ...rk size Based on the network diameter you configured MSTP automatically sets an optimal hello time forward delay and max age for the device The configured network diameter is effective for the CIST only and not for MSTIs Configuration example Set the network diameter of the switched network to 6 Sysname system view Sysname stp bridge diameter 6 Configuring Timers of MSTP MSTP involves three timers...

Page 219: ...uently launch spanning tree calculation and may take network congestion to a link failure if the max age setting is too large the network may fail to timely detect link failures and fail to timely launch spanning tree calculation thus reducing the auto sensing capability of the network We recommend that you use the default setting The setting of hello time forward delay and max age must meet the f...

Page 220: ...ort is related to the physical status of the port and the network structure Configuration procedure Follow these steps to configure the maximum transmission rate of a port or a group of ports n If the maximum transmission rate setting of a port is too big the port will send a large number of MSTP packets within each hello time thus using excessive network resources We recommend that you use the de...

Page 221: ...be an edge port and enable BPDU guard for it This enables the port to transition to the forwarding state while ensuring network security Configuration example Configure GigabitEthernet 1 0 1 to be an edge port Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp edged port enable Configuring Whether Ports Connect to Point to Point Links A point to point link...

Page 222: ...ckets of two formats 802 1s compliant standard format and Compatible format By default the packet format recognition mode of a port is auto namely the port automatically distinguishes the two MSTP packet formats and determines the format of packets it will send based on the recognized format You can configure the MSTP packet format to be used by a port After the configuration when working in MSTP ...

Page 223: ... In a large scale MSTP enabled network there are a large number of MSTP instances so ports may frequently transition from one state to another In this situation you can enable the device to output the port state transition information of all SPT instances or the specified SPT instance so as to monitor the port states in real time Follow these steps to enable output of port state transition informa...

Page 224: ...configuration Configuring the Work Mode of MSTP Refer to Configuring the Work Mode of MSTP Device on page 216 in the section about root bridge configuration Configuring the Timeout Factor Refer to Configuring Timers of MSTP on page 218 in the section about root bridge configuration To do Use the command Remarks Enter system view system view Enable the MSTP feature for the device stp enable Require...

Page 225: ...alculation for the default path cost The device supports the following standards dot1d 1998 The device calculates the default path cost for ports based on IEEE 802 1d 1998 dot1t The device calculates the default path cost for ports based on IEEE 802 1t legacy The device calculates the default path cost for ports based on a private standard Follow these steps to specify a standard for the device to...

Page 226: ...that determines whether the port can be elected as the root port of device If all other conditions are the same the port with the highest priority will be elected as the root port 1000 Mbps Single Port Aggregated Link 2 Ports Aggregated Link 3 Ports Aggregated Link 4 Ports 4 4 4 4 20 000 10 000 6 666 5 000 20 18 16 14 10 Gbps Single Port Aggregated Link 2 Ports Aggregated Link 3 Ports Aggregated L...

Page 227: ...ew Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp instance 1 port priority 16 Configuring Whether Ports Connect to Point to Point Links Refer to Configuring Whether Ports Connect to Point to Point Links on page 221 in the section about root bridge configuration Configuring the Mode a Port Uses to Recognize Send MSTP Packets Refer to Configuring the Mode a Port Uses to Rec...

Page 228: ...the same result Configuration Prerequisites MSTP has been correctly configured on the device Configuration Procedure Performing mCheckglobally Follow these steps to perform global mCheck Performing mCheck in Ethernet interface view Follow these steps to perform mCheck in Ethernet interface view c CAUTION The stp mcheck command is meaningful only when the device works in the MSTP or RSTP mode not i...

Page 229: ...AUTION You can only enable the Digest Snooping feature on the device connected to another vendor s device that uses a private key to calculate the configuration digest With the Digest Snooping feature enabled comparison of configuration digest is not needed for in the same region check so the VLAN to instance mappings must be the same on associated ports With global Digest Snooping enabled modific...

Page 230: ...Enable Digest Snooping on Device A and Device B so that the three routers can communicate with one another Network diagram Figure 58 Digest Snooping configuration Configuration procedure 1 Enable Digest Snooping on Device A Enable Digest Snooping on GigabitEthernet1 0 1 DeviceA system view DeviceA interface GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 stp config digest snooping Enable global...

Page 231: ... For example when the upstream device adopts RSTP the downstream device adopts MSTP and does not support RSTP mode the root port on the downstream device receives no agreement packet from the upstream device and thus sends no agreement packets to the upstream device As a result the designated port of the upstream switch fails to transit rapidly and can only change to the forwarding state after a p...

Page 232: ...ce A is the downstream device Network diagram Figure 61 No Agreement Check configuration Configuration procedure Enable No Agreement Check on GigabitEthernet1 0 1 of Device A DeviceA system view DeviceA interface GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 stp no agreement check To do Use the command Remarks Enter system view system view Enter Ethernet interface or port group view Enter Eth...

Page 233: ...provides the BPDU guard function to protect the system against such attacks With the BPDU guard function enabled on the devices when edge ports receive configuration BPDUs MSTP will close these ports and notify the NMS that these ports have been closed by MSTP Those ports closed thereby can be restored only by the network administers n It is recommended that you enable the BPDU guard on your devic...

Page 234: ...downstream device will reselect the port roles those ports failed to receive upstream BPDUs will become designated ports and the blocked ports will transition to the forwarding state resulting in loops in the switched network The loop guard function can suppress the occurrence of such loops If a loop guard enabled port fails to receive BPDUs from the upstream device and if the port took part in ST...

Page 235: ...We recommend that you keep this feature enabled Displaying and Maintaining MSTP Enter Ethernet interface view or port group view Enter Ethernet interface view interface interface type interface number Required Use either command Configurations made in Ethernet interface view will take effect on the current port only configurations made in port group view will take effect on all ports in the port g...

Page 236: ...for MSTP configuration n Permit beside each link in the figure is followed by the VLANs the packets of which are permitted to pass this link View the information of port role calculation history for the specified MSTP instance or all MSTP instances display stp instance instance id history Available in any view View the statistics of TC TCN BPDUs sent and received by all ports in the specified MSTP...

Page 237: ...information that has taken effect DeviceA display stp region configuration Oper configuration Format selector 0 Region name example Revision level 0 Instance Vlans Mapped 0 1 to 9 11 to 29 31 to 39 41 to 4094 1 10 3 30 4 40 2 Configuration on Device B Enter MST region view DeviceB system view DeviceB stp region configuration Configure the region name VLAN to instance mappings and revision level of...

Page 238: ...on configuration manually DeviceC mst region active region configuration DeviceC mst region quit Define Device C as the root bridge of MST instance 4 DeviceC stp instance 4 root primary View the MST region configuration information that has taken effect DeviceC display stp region configuration Oper configuration Format selector 0 Region name example Revision level 0 Instance Vlans Mapped 0 1 to 9 ...

Page 239: ...region configuration DeviceD mst region quit View the MST region configuration information that has taken effect DeviceD display stp region configuration Oper configuration Format selector 0 Region name example Revision level 0 Instance Vlans Mapped 0 1 to 9 11 to 29 31 to 39 41 to 4094 1 10 3 30 4 40 ...

Page 240: ...240 CHAPTER 23 MSTP CONFIGURATION ...

Page 241: ...tined for a certain destination should go out to reach the next hop the next router or the directly connected destination Routes in a routing table can be divided into three categories by origin Direct routes Routes discovered by data link protocols also known as interface routes Static routes Routes that are manually configured Dynamic routes Routes that are discovered dynamically by routing prot...

Page 242: ...nto two categories by destination Subnet routes The destination is a subnet Host routes The destination is a host Based on whether the destination is directly connected to a given router routes can be divided into Direct routes The destination is directly connected to the router Indirect routes The destination is not directly connected to the router To prevent the routing table from getting too la...

Page 243: ... large networks Its disadvantages are that it is complicated to configure and that it not only imposes higher requirements on the system but also eats away a certain amount of network resources Classification of Dynamic Routing Protocols Dynamic routing protocols can be classified based on the following standards Destination Network Next hop Interface 11 0 0 0 11 0 0 1 2 12 0 0 0 12 0 0 1 1 13 0 0...

Page 244: ...chapter focuses on unicast routing protocols For information on multicast routing protocols refer to the Multicast Routing and Forwarding Overview on page 701 Version of IP protocol IPv4 routing protocols RIP OSPFv2 BGP4 and IS IS IPv6 routing protocols RIPng OSPFv3 IPv6 BGP and IPv6 IS IS Routing Protocols and Routing Priority Different routing protocols may find different routes to the same dest...

Page 245: ...with the highest priority to be the main route and all the rest backup routes Under normal circumstances packets are forwarded through the main route When the main route goes down the route with the highest priority among the backup routes is selected to forward packets When the main route recovers the route selection process is performed again and the main route is selected again to forward packe...

Page 246: ...the routing table reset ip routing table statistics protocol all protocol Available in user view Display the information of recursive routes display ip relay route Available in any view Display IPv6 recursive route information display ipv6 relay route Display brief IPv6 routing table information display ipv6 routing table Display verbose IPv6 routing table information display ipv6 routing table ve...

Page 247: ...e whole system can forward IP packets continuously Hence it is called Graceful Restart Basic Concepts in Graceful Restart A router with the Graceful Restart feature enabled is called a Graceful Restart capable router It can perform a Graceful Restart when its routing protocol restarts Routers that are not Graceful Restart capable will follow the normal restart procedures after a routing protocol r...

Page 248: ... procedure between the GR Restarter and the GR Helper works as follows 1 A GR session is established between the GR Restarter and the GR Helper Figure 64 A GR session is established between the GR Restarter and the GR Helper As illustrated in Figure 64 Router A works as GR Restarter Router B Router C and Router D are the GR Helpers of Router A A GR session is established between the GR Restarter a...

Page 249: ...r 3 GR Restarter signaling to GR Helper Figure 66 The GR Restarter signals to the GR Helper s after restart As illustrated in Figure 66 after the GR Restarter has recovered it will signal to all its neighbors and will reestablish GR Session 4 The GR Restarter obtaining topology and routing information from the GR Helper GR helper Router D Router B Router C Router A GR helper GR helper GR restarter...

Page 250: ...ceful Restart Mechanism for Several Commonly Used Protocols The switch supports Graceful Restart based on Boarder Gateway Protocol BGP Open Shortest Path First OSPF and Intermediate System to Intermediate System IS IS For the implementation and configuration procedure of the Graceful Restart mechanism of the above protocols refer to BGP Configuration on page 365 OSPF Configuration on page 273 and ...

Page 251: ...cations The disadvantage of using static routes is that they cannot adapt to network topology changes If a fault or a topological change occurs in the network the routes will be unreachable and the network breaks In this case the network administrator has to modify the static routes manually Default Route A router selects the default route only when it cannot find any matching entry in the routing...

Page 252: ... link layer address and forward the packet only after the next hop address is specified When specifying the output interface note that If the output interface is a NULL 0 interface there is no need to configure the next hop address You are not recommended to specify a broadcast interface such as VLAN interface as the output interface because a broadcast interface may have multiple next hops If you...

Page 253: ...interface when configuring a static route you can associate the static route with a track entry to check the static route validity When the track entry is positive the static route s nexthop is reachable and the static route takes effect When the track entry is negative the static route s nexthop is unreachable and the static route is invalid For details about track refer to Track Configuration on...

Page 254: ... the static route with a track entry ip route static dest address mask mask length next hop address track track entry number preference preference value tag tag value description description text Required Not configured by default To do Use the command Remarks To do Use the command Remarks Display the current configuration information display current configuration Available in any view Display the...

Page 255: ... ip routing table Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHop Interface 0 0 0 0 0 Static 60 0 1 1 4 2 Vlan500 1 1 2 0 24 Direct 0 0 1 1 2 3 Vlan300 1 1 2 3 32 Direct 0 0 127 0 0 1 InLoop0 1 1 4 0 30 Direct 0 0 1 1 4 1 Vlan500 1 1 4 1 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 Display t...

Page 256: ...256 CHAPTER 26 STATIC ROUTING CONFIGURATION From Host A use the ping command to verify the network layer reachability to Host B and Host C ...

Page 257: ...er implementation configuration and maintenance than OSPF and IS IS RIP Working Mechanism Basic concepts RIP is a distance vector routing protocol using UDP packets for exchanging information through port 520 RIP uses a hop count to measure the distance to a destination The hop count is known as the metric The hop count from a router to a directly connected network is 0 The hop count from one rout...

Page 258: ...ved by the router to replace unreachable routes The garbage collect timer defines the interval from when the metric of a route becomes 16 to when it is deleted from the routing table During the garbage collect timer length RIP advertises the route with the routing metric set to 16 If no update is announced for that route after the garbage collect timer expires the route will be deleted from the ro...

Page 259: ... which means it can only recognize routing information of natural networks such as Class A B C That is why RIPv1 does not support discontiguous subnets RIPv2 is a classless routing protocol Compared with RIPv1 RIPv2 has the following advantages Supporting route tags Route tags are used in routing policies to flexibly control routes Supporting masks route summarization and Classless Inter Domain Ro...

Page 260: ...RIP For RIPv2 the value is 0x02 Route Tag Route Tag IP Address Destination IP address It could be a natural network address subnet address or host address Subnet Mask Mask of the destination address Next Hop If set to 0 0 0 0 it indicates that the originator of the route is the best next hop otherwise it indicates a next hop better than the originator of the route RIPv2 authentication RIPv2 sets t...

Page 261: ...RIP Features The current implementation supports RIPv1 and RIPv2 Protocols and Standards RFC 1058 Routing Information Protocol RFC 1723 RIP Version 2 Carrying Additional Information RFC 1721 RIP Version 2 Protocol Analysis RFC 1722 RIP Version 2 Protocol Applicability Statement RFC 1724 RIP Version 2 MIB Extension RFC 2082 RIPv2 MD5 Authentication Configuring RIP Basic Functions Configuration Prer...

Page 262: ...gured an interface sends RIPv1 broadcasts and can receive RIPv1 broadcasts and RIPv1 unicasts With RIPv2 configured a multicast interface sends RIPv2 multicasts and can receive RIPv2 unicasts broadcasts and multicasts With RIPv2 configured a broadcast interface sends RIPv2 broadcasts and can receive RIPv1 unicasts and broadcasts and RIPv2 broadcasts multicasts and unicasts Follow these steps to co...

Page 263: ...n be added to the metric of an inbound or outbound RIP route The outbound additional metric is added to the metric of a sent route the route s metric in the routing table is not changed The inbound additional metric is added to the metric of a received route before the route is added into the routing table so the route s metric is changed Follow these steps to configure additional routing metrics ...

Page 264: ...helpful for routing and occupy a large amount of network resources In this case you can disable RIP from receiving host routes to save network resources To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Define an inbound additional routing metric rip metricin route policy route policy name value Optional 0 by default Define a...

Page 265: ...pecified neighbor Follow these steps to configure route filtering To do Use the command Remarks Enter system view system view Enter RIP view rip process id Disable RIP from receiving host routes undo host route Required Enabled by default To do Use the command Remarks Enter system view system view Enter RIP view rip process id Enable RIP to advertise a default route default route originate cost va...

Page 266: ...ing nodes reachable to each other Configure RIP basic functions Configuring RIP Timers Follow these steps to configure RIP timers To do Use the command Remarks Enter system view system view Enter RIP view rip process id Configure a priority for RIP preference route policy route policy name value Optional 100 by default To do Use the command Remarks Enter system view system view Enter RIP view rip ...

Page 267: ...enable poison reverse Configuring the Maximum Number of Load Balanced Routes Follow these steps to configure the maximum number of load balanced routes Enabling Zero Field Check on Incoming RIPv1 Messages Some fields in the RIPv1 message must be zero These fields are called zero fields You can enable zero field check on received RIPv1 messages If such a field contains a non zero value the RIPv1 me...

Page 268: ...age Authentication RIPv2 supports two authentication modes plain text and MD5 In plain text authentication the authentication information is sent with the RIP message which however cannot meet high security needs Follow these steps to configure RIPv2 message authentication Specifying a RIP Neighbor Usually RIP sends messages to broadcast or multicast addresses On non broadcast or multicast links y...

Page 269: ...ify a RIP neighbor peer ip address Required By default RIP sends no updates to any IP address Disable source address check on incoming RIP updates undo validate source address Required Not disabled by default To do Use the command Remarks Display RIP current status and configuration information display rip process id Available in any view Display all active routes in RIP database display rip proce...

Page 270: ... TRIP P Permanent A Aging S Suppressed G Garbage collect Peer 192 168 1 2 on Vlan interface100 Destination Mask Nexthop Cost Tag Flags Sec 10 0 0 0 8 192 168 1 2 1 0 RA 11 From the routing table you can find RIPv1 uses natural mask 3 Configure RIP version Configure RIPv2 on Switch A SwitchA rip SwitchA rip 1 version 2 SwitchA rip 1 undo summary Configure RIPv2 on Switch B SwitchB rip SwitchB rip 1...

Page 271: ...figured on the local end Solution Use the display current configuration command to check RIP configuration Use the display rip command to check whether some interface is disabled Route Oscillation Occurred Symptom When all links work well route oscillation occurs on the RIP network After displaying the routing table you may find some routes appear and disappear in the routing table intermittently ...

Page 272: ...272 CHAPTER 27 RIP CONFIGURATION ...

Page 273: ... Restart on page 306 Displaying and Maintaining OSPF on page 309 OSPF Configuration Examples on page 309 Troubleshooting OSPF Configuration on page 323 Introduction to OSPF n Unless otherwise noted OSPF refers to OSPFv2 throughout this document OSPF has the following features Wide scope Supports networks of various sizes and up to several hundred routers in an OSPF routing domain Fast convergence ...

Page 274: ...ach router uses the SPF algorithm to compute a Shortest Path Tree that shows the routes to the nodes in the autonomous system The router itself is the root of the tree Router ID To run OSPF a router must have a Router ID which is a 32 bit unsigned integer the unique identifier of the router in the AS You may assign a Router ID to an OSPF router manually If no Router ID is specified the system auto...

Page 275: ... to another AS NSSA External LSA Type 7 LSA as defined in RFC 1587 originated by ASBRs in NSSAs Not So Stubby Areas and flooded throughout a single NSSA NSSA LSAs describe routes to other ASs Opaque LSA A proposed type of LSA the format of which consists of a standard LSA header and application specific information Opaque LSAs are used by the OSPF protocol or by some application to distribute info...

Page 276: ... A network segment or a link can only reside in one area in other words an OSPF interface must be specified to belong to its attached area as shown in the figure below Figure 73 OSPF area partition After area partition area border routers perform route summarization to reduce the number of LSAs advertised to other areas and minimize the effect of topology changes Classification of Routers The OSPF...

Page 277: ...ckbone areas must be forwarded by the backbone area Therefore OSPF requires that All non backbone areas must maintain connectivity to the backbone area The backbone area itself must maintain connectivity In practice due to physical limitations the requirements may not be satisfied In this case configuring OSPF virtual links is a solution A virtual link is established between two area border router...

Page 278: ...OSPF routers in between simply convey these OSPF packets as normal IP packets Totally Stub area The ABR in a stub area does not distribute Type 5 LSAs into the area so the routing table size and amount of routing information in this area are reduced significantly You can configure the stub area as a totally stub area where the ABR advertises neither the destinations in other areas nor the external...

Page 279: ...On the left of the figure RIP routes are translated into Type 5 LSAs by the ASBR of Area 2 and distributed into the OSPF AS However Area 1 is an NSSA area so these Type 5 LSAs cannot travel to Area 1 Like stub areas virtual links cannot transit NSSA areas Figure 77 NSSA area Route summarization Route summarization An ABR or ASBR summarizes routes with the same prefix with a single route and distri...

Page 280: ... to destinations outside the AS OSPF classifies external routes into two types Type 1 and Type 2 A Type 1 external route is an IGP route such as a RIP or static route which has high credibility and whose cost is comparable with the cost of an OSPF internal route The cost from a router to the destination of the Type 1 external route the cost from the router to the corresponding ASBR the cost from t...

Page 281: ...nly one neighbor Differences between NBMA and P2MP networks NBMA networks are fully meshed non broadcast and multi access P2MP networks are not required to be fully meshed It is required to elect the DR and BDR on NBMA networks while DR and BDR are not available on P2MP networks NBMA is the default network type while P2MP is a conversion from other network types such as NBMA in general On NBMA net...

Page 282: ... 0 are election candidates The election votes are hello packets Each router sends the DR elected by itself in a hello packet to all the other routers If two routers on the network declare themselves as the DR the router with the higher DR priority wins If DR priorities are the same the router with the higher router ID wins In addition a router with the priority 0 cannot become the DR BDR n The DR ...

Page 283: ...xt authentication and MD5 authentication respectively Authentication Information determined by authentication type It is not defined for authentication type 0 It is defined as password information for authentication type 1 and defined as Key ID MD5 authentication data length and sequence number for authentication type 2 n MD5 authentication data is added following an OSPF packet rather than contai...

Page 284: ...eighbors Designated Router IP address of the DR interface Backup Designated Router IP address of the BDR interface Neighbor Router ID of the neighbor router DD packet Two routers exchange database description DD packets describing their LSDBs for database synchronization contents in DD packets including the header of each LSA uniquely representing a LSA The LSA header occupies small part of an LSA...

Page 285: ...r is the slave DD Sequence Number Used to sequence the collection of database description packets for ensuring reliability and intactness of DD packets between the master and slave The initial value is set by the master The DD sequence number then increments until the complete database description has been sent LSR packet After exchanging DD packets any two routers know which LSAs of the peer rout...

Page 286: ...packet format is shown below Figure 85 LSU packet format LSAck packet LSAack Link State Acknowledgment packets are used to acknowledge received LSU packets contents including LSA headers to describe the corresponding LSAs Multiple LSAs can be acknowledged in a single Link State Acknowledgment packet The following figure gives its format Version 3 Router ID Area ID Checksum AuType Packet length Aut...

Page 287: ...mission LS type Type of the LSA Link State ID The contents of this field depend on the LSA s type LS sequence number Used by other routers to judge new and old LSAs LS checksum Checksum of the LSA except the LS age field Length Length in bytes of the LSA including the LSA header Version 5 Router ID Area ID Checksum AuType Packet length Authentication Authentication LSA header 0 7 15 31 LSA header ...

Page 288: ... Type Link type A value of 1 indicates a point to point link to a remote router a value of 2 indicates a link to a transit network a value of 3 indicates a link to a stub network a value of 4 indicates a virtual link TOS Number of different TOS metrics given for this link metric Cost of using this router link TOS IP Type of Service that this metric refers to TOS metric TOS specific metric informat...

Page 289: ...field the format of type 3 and 4 summary LSAs is identical Figure 90 Summary LSA format Major fields Link State ID For a Type 3 LSA it is an IP address outside the area for a type 4 LSA it is the router ID of an ASBR outside the area Network Mask The network mask for the type 3 LSA set to 0 0 0 0 for the Type 4 LSA metric The metric to the destination Network mask Attached router LS age Linke stat...

Page 290: ...tric value which is set to 1 for type 2 external routes and set to 0 for type 1 external routes Refer to Route types on page 280 for description about external route types metric The metric to the destination Forwarding Address Data traffic for the advertised destination will be forwarded to this address External Route Tag A tag attached to each external route This is not used by the OSPF protocol...

Page 291: ...identical Authentication types include non authentication plaintext authentication and MD5 ciphertext authentication The authentication password for interfaces attached to a network segment must be identical OSPF Graceful Restart n For GR information refer to GR Overview on page 247 After an OSPF GR Restarter restarts OSPF it needs to perform the following two tasks in order to re synchronize its ...

Page 292: ...tisement OSPF Configuration Task List Complete the following tasks to configure OSPF Task Remarks Configuring OSPF Basic Functions on page 293 Required Configuring OSPF Area Parameters on page 294 Optional Configuring OSPF Network Types on page 295 Configuring the OSPF Network Type for an Interface on page 296 Optional Configuring an NBMA Neighbor on page 296 Optional Configuring a Router Priority...

Page 293: ...l Specifying the LSA Generation Interval on page 303 Optional Disabling Interfaces from Sending OSPF Packets on page 303 Optional Configuring Stub Routers on page 304 Optional Configuring OSPF Authentication on page 304 Optional Adding the Interface MTU into DD Packets on page 305 Optional Configuring the Maximum Number of External LSAs in LSDB on page 305 Optional Making External Route Selection ...

Page 294: ...n It is recommended to configure a description for each area to help identify purposes of areas and for ease of management and memorization Configuring OSPF Area Parameters Splitting an OSPF AS into multiple areas reduces the number of LSAs in the networks and extends the OSPF application For those non backbone areas residing on the AS boundary you can configure them as stub areas to further reduc...

Page 295: ...ypes OSPF classifies networks into four types upon link layer protocols Since an NBMA network must be fully meshed namely any two routers in the network must have a virtual link in between In most cases however the requirement cannot be satisfied so you need to change the network type using commands To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router ...

Page 296: ...gured as the broadcast NBMA or P2MP type they can not establish the neighbor relationship unless they are on the same network segment Configuring an NBMA Neighbor For NBMA interfaces that cannot broadcast hello packets to find neighbors you need to specify the IP addresses and DR priorities of neighbors manually Follow these steps to configure a neighbor and its DR priority Configuring a Router Pr...

Page 297: ...d IP addresses for interfaces OSPF basic functions Corresponding filters if routing information filtering is needed Configuring OSPF Route Summarization OSPF route summarization includes Configuring route summarization between OSPF areas on an ABR Configuring route summarization when redistributing routes into OSPF on an ASBR Follow these steps to configure route summarization between OSPF areas o...

Page 298: ...BR route summarization asbr summary ip address mask mask length tag tag not advertise cost cost Required Available on an ASBR only Not configured by default To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Required Configure inbound route filtering filter policy acl number ip prefix ip prefix name gateway ip prefix name import Required...

Page 299: ...ute found by several routing protocols the route found by the protocol with the highest priority will be selected Follow these steps to configure a priority for OSPF To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Configure a bandwidth reference value bandwidth reference value Optional The value defaults to 100 Mbps To do Use the comm...

Page 300: ...ays Configure a priority for OSPF preference ase route policy route policy name value Optional The priority of OSPF internal routes defaults to 10 The priority of OSPF external routes defaults to 150 To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Configure OSPF to redistribute routes from another protoco...

Page 301: ...ad Poll timer Interval for sending hello packets to the neighbor that is down on the NBMA network Dead timer Interval within which if the interface receives no hello packet from the neighbor it declares the neighbor is down LSA retransmission timer Interval within which if the interface receives no acknowledgement packets after sending a LSA to the neighbor it will retransmit the LSA Follow these ...

Page 302: ...on interval for the network to reduce negative influence Follow these steps to configure SPF calculation interval n With this task configured when network changes are not frequent SPF calculation applies at the minimum interval If network changes become frequent SPF calculation interval is incremented by incremental interval 2n 2 n is the number of calculation times each time a calculation occurs ...

Page 303: ... process rather than interfaces associated with other processes After an OSPF interface is set to silent other interfaces on the router can still advertise direct routes of the interface in Router LSAs but no OSPF packet can be advertised for the interface to find a neighbor This configuration can enhance adaptability of OSPF networking and reduce resource consumption To do Use the command Remarks...

Page 304: ...ass the authentication only so failed packets cannot establish neighboring relationships Follow these steps to configure OSPF authentication n The authentication mode and password for all interfaces attached to the same area must be identical To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Configure the router as a stub router stub ro...

Page 305: ...F Network Management Follow these steps to configure OSPF network management To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable OSPF to add the interface MTU into DD packets ospf mtu enable Optional Not enabled by default that is the interface fills in a value of 0 To do Use the command Remarks Enter system view system ...

Page 306: ...th OSPF MIB by default Enable OSPF trap snmp agent trap enable ospf process id ifauthfail ifcfgerror ifrxbadpkt ifstatechange iftxretransmit lsdbapproachoverflow lsdboverflow maxagelsa nbrstatechange originatelsa vifcfgerror virifauthfail virifrxbadpkt virifstatechange viriftxretransmit virnbrstatechange Optional Enabled by default Enter OSPF view ospf process id router id router id Enable message...

Page 307: ...l timer Optional 120 seconds by default To do Use the command Remarks To do Use the command Remarks Enter system view system view Enable OSPF and enter its view ospf process id router id router id Enable the use of link local signaling enable link local signaling Required Disabled by default Enable out of band re synchronization enable out of band resynchroniza tion Required Disabled by default En...

Page 308: ...ronization Opaque LSA advertisement IETF GR capability Follow these steps to trigger OSPF Graceful Restart Configure for which OSPF neighbors the current router can serve as a GR Helper graceful restart help acl number prefix prefix list Optional The router can server as a GR Helper for any OSPF neighbor by default To do Use the command Remarks To do Use the command Remarks Trigger OSPF Graceful R...

Page 309: ...nformation display ospf process id routing interface interface type interface number nexthop nexthop address Display virtual link information display ospf process id vlink Display OSPF request queue information display ospf process id request queue interface type interface number neighbor id Display OSPF retransmission queue information display ospf process id retrans queue interface type interfac...

Page 310: ...pf 1 area 0 SwitchA ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 quit SwitchA ospf 1 area 1 SwitchA ospf 1 area 0 0 0 1 network 10 2 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 1 quit SwitchA ospf 1 quit Configure Switch B SwitchB system view SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ...

Page 311: ... 1 1 2 GR State Normal State Full Mode Nbr is Master Priority 1 DR 10 1 1 1 BDR 10 1 1 2 MTU 0 Dead timer due in 37 sec Neighbor is up for 06 03 59 Authentication Sequence 0 Neighbor state change count 5 Neighbors Area 0 0 0 1 interface 10 2 1 1 Vlan interface200 s neighbors Router ID 10 4 1 1 Address 10 2 1 2 GR State Normal State Full Mode Nbr is Master Priority 1 DR 10 2 1 1 BDR 10 2 1 2 MTU 0 ...

Page 312: ...4 Sum Net 10 1 1 0 10 2 1 1 1069 28 8000000F 2 Sum Asbr 10 3 1 1 10 2 1 1 1069 28 8000000F 2 Display OSPF routing information on Switch D SwitchD display ospf routing OSPF Process 1 with Router ID 10 5 1 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 10 2 1 0 24 22 Inter 10 3 1 1 10 3 1 1 0 0 0 2 10 3 1 0 24 10 Transit 10 3 1 2 10 3 1 1 0 0 0 2 10 4 1 0 24 25 Int...

Page 313: ...witchD ospf 1 import route static SwitchD ospf 1 quit Display ABR ASBR information on Switch C SwitchC display ospf abr asbr OSPF Process 1 with Router ID 10 4 1 1 Routing Table to ABR and ASBR Type Destination Area Cost Nexthop RtType Intra 10 2 1 1 0 0 0 1 3 10 2 1 1 ABR Inter 10 3 1 1 0 0 0 1 5 10 2 1 1 ABR Inter 10 5 1 1 0 0 0 1 7 10 2 1 1 ASBR Display OSPF routing table information on Switch ...

Page 314: ...chC ospf 1 area 0 0 0 1 quit SwitchC ospf 1 quit Display OSPF routing information on Switch C SwitchC display ospf routing OSPF Process 1 with Router ID 10 4 1 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 0 0 0 0 0 4 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 2 1 0 24 3 Transit 10 2 1 2 10 2 1 1 0 0 0 1 10 3 1 0 24 7 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 4 1 0 24 3 Stub 1...

Page 315: ...to forward routing information between areas It is required to configure Area 1 as an NSSA area and configure Router C as the ASBR to redistribute static routes into the AS Network diagram Figure 95 Network diagram for OSPF NSSA area configuration Configuration procedure 1 Configure IP addresses for interfaces 2 Configure OSPF basic functions refer to Configuring OSPF Basic Functions on page 310 3...

Page 316: ...tub 10 4 1 1 10 4 1 1 0 0 0 1 Total Nets 3 Intra Area 2 Inter Area 1 ASE 0 NSSA 0 4 Configure Switch C to redistribute static routes SwitchC ip route static 3 1 3 1 24 11 1 1 1 SwitchC ospf SwitchC ospf 1 import route static SwitchC ospf 1 quit Display OSPF routing information on Switch D SwitchD ospf 1 display ospf routing OSPF Process 1 with Router ID 10 5 1 1 Routing Tables Routing for Network ...

Page 317: ...witch A ospf Switch A ospf 1 area 0 Switch A ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 quit SwitchA ospf 1 quit Configure Switch B SwitchB system view SwitchB router id 2 2 2 2 SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit Configure Switch C SwitchC system view Switch...

Page 318: ...tate Normal State Full Mode Nbr is Master Priority 1 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 31 sec Neighbor is up for 00 01 28 Authentication Sequence 0 Neighbor state change count 2 Router ID 4 4 4 4 Address 192 168 1 4 GR State Normal State Full Mode Nbr is Master Priority 1 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 31 sec Neighbor is up for 00 01 28 Authentication S...

Page 319: ... MTU 0 Dead timer due in 33 sec Neighbor is up for 00 11 15 Authentication Sequence 0 Neighbor state change count 5 The DR and BDR have no change n In the above output you can find the priority configuration does not take effect immediately 4 Restart OSPF process omitted Display neighbor information on Switch D SwitchD display ospf peer verbose OSPF Process 1 with Router ID 4 4 4 4 Neighbors Area ...

Page 320: ... display ospf interface OSPF Process 1 with Router ID 2 2 2 2 Interfaces Area 0 0 0 0 IP Address Type State Cost Pri DR BDR 192 168 1 2 Broadcast DROther 1 0 192 168 1 1 192 168 1 3 n The interface state DROther means the interface is not the DR BDR Configuring OSPF Virtual Links Network requirements In Figure 97 Area 2 has no direct connection to Area 0 and Area 1 acts as the Transit Area to conn...

Page 321: ...0 0 2 quit Display OSPF routing information on Switch A SwitchA display ospf routing OSPF Process 1 with Router ID 1 1 1 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 10 0 0 0 8 1 Stub 10 1 1 1 1 1 1 1 0 0 0 0 192 168 1 0 24 1562 Stub 192 168 1 1 1 1 1 1 0 0 0 1 Total Nets 2 Intra Area 2 Inter Area 0 ASE 0 NSSA 0 n Since Area 2 has no direct connection to Area 0...

Page 322: ...s Switch B and Switch C are the GR Helpers and remain OOB synchronized with Switch A through the GR mechanism Network diagram Figure 98 Network diagram for OSPF based GR configuration Configuration procedure 1 Configure Switch A SwitchA system view SwitchA interface vlan interface 100 SwitchA Vlan interface100 ip address 192 1 1 1 255 255 255 0 SwitchA Vlan interface100 quit SwitchA router id 1 1 ...

Page 323: ...chC ospf 100 enable link local signaling SwitchC ospf 100 enable out of band resynchronization SwitchC ospf 100 area 0 SwitchC ospf 100 area 0 0 0 0 network 192 1 1 0 0 0 0 255 SwitchC ospf 100 area 0 0 0 0 quit 4 Verify the configuration After the configurations on Switch A Switch B and Switch C are completed and the switches are running steadily perform OSPF GR on Switch A SwitchA reset ospf 100...

Page 324: ... cannot be configured as a Stub area In a Stub area all routers cannot receive external routes and all interfaces connected to the Stub area must belong to the Stub area Solution 1 Use the display ospf peer command to display neighbors 2 Use the display ospf interface command to display OSPF interface information 3 Use the display ospf lsdb command to display the Link State Database to check its i...

Page 325: ...g protocol has been modified and extended in RFC 1195 by the International Engineer Task Force IETF for application in both TCP IP and OSI reference models and the new one is called Integrated IS IS or Dual IS IS IS IS is an interior gateway protocol IGP used within an Autonomous System It adopts the Shortest Path First SPF algorithm for route calculation Basic Concepts IS IS terminology Intermedi...

Page 326: ... IDP and the Domain Specific Part DSP The IDP is equal to the network ID of the IP address and the DSP is equal to the subnet and host IDs The IDP defined by ISO includes the Authority and Format Identifier AFI and the Initial Domain Identifier IDI The DSP includes the High Order DSP HODSP the System ID and SEL where the HODSP identifies the area the System ID identifies the host and the SEL indic...

Page 327: ...ed to the Level 2 router The Level 1 router makes routing decisions based on the system ID If the destination is not in the area the packet is forwarded to the nearest Level 1 2 router The Level 2 router routes packets across areas according to the area address NET The Network Entity Title NET is an NSAP with SEL of 0 It indicates the network layer information of the IS itself where SEL 0 means no...

Page 328: ...outing domain 3 Level 1 2 router A router with both Level 1 and Level 2 router functions is called a Level 1 2 router It can establish the Level 1 neighbor relationship with the Level 1 and Level 1 2 routers in the same area or establish Level 2 neighbor relationship with the Level 2 and Level 1 2 routers in different areas A Level 1 router must be connected to other areas via a Level 1 2 router T...

Page 329: ...reas Figure 101 IS IS topology n The IS IS backbone does not need to be a specific Area Both the IS IS Level 1 and Level 2 routers use the SPF algorithm to generate the Shortest Path Tree SPT Interface routing hierarchy type You can configure the routing type for each interface For a Level 1 2 router one interface may establish Level 1 adjacency with a router and another one may establish Level 2 ...

Page 330: ...he Level 2 router can advertise the Level 2 routing information to a specified Level 1 area By having the routing information of other areas the Level 1 router can make a better routing choice for the packets destined outside the area IS IS Network Type Network type IS IS supports two network types Broadcast network such as Ethernet Token Ring Point to point network such as PPP HDLC n For the Non ...

Page 331: ...jacent with each other The DIS is responsible for the synchronization of their LSDBs IS IS PDU Format PDU header format The IS IS packets are encapsulated into link layer frames The Protocol Data Unit PDU consists of two parts the headers and the variable length field where the headers can be further divided into the common header and the specific header The common headers are the same for all PDU...

Page 332: ...el 1 router uses the Level 1 LAN IIH and the Level 2 router uses the Level 2 LAN IIH The P2P IIH is used on point to point network Figure 105 illustrates the hello packet format in broadcast networks where the blue fields are the common header Table 44 PDU type Type PDU Type Acronym 15 Level 1 LAN IS IS hello PDU L1 LAN IIH 16 Level 2 LAN IS IS hello PDU L2 LAN IIH 17 Point to Point IS IS hello PD...

Page 333: ...thin the holding time the neighbor is considered dead PDU Length The total length of the PDU in bytes Priority DIS priority LAN ID Includes the system ID and one byte pseudonode ID Figure 106 shows the hello packet format on the point to point network Intradomain routing protocol discriminator Reserved Version R ID length Version Protocol ID extension Length indicator Maximum area address R R PDU ...

Page 334: ...LSP is sent by the Level 2 router and the Level 1 LSP is sent by the Level 1 router The level 1 2 router can sent both types of the LSPs Two types of LSPs have the same format as shown in Figure 107 Intradomain routing protocol discriminator Reserved Version R ID length Version Protocol ID extension Length indicator Maximum area address R R PDU type No of Octets 1 1 1 1 1 1 1 1 Reserved Circuit ty...

Page 335: ...outer is running out of system resources In this condition other routers will not send packets to the overloaded router except packets destined to the networks directly connected to the router For example in Figure 108 Router A uses Router B to forward its packets to Router C in normal condition Once other routers know the OL field on Router B is set to 1 Router A will send packets to Router C via...

Page 336: ...ically 10s by default On point to point networks CSNP is only sent during the first adjacency establishment The CSNP packet format is shown in Figure 109 Figure 109 L1 L2 CSNP format PSNP only contains the sequence numbers of one or multiple latest received LSPs It can acknowledge multiple LSPs at one time When LSDBs are not synchronized a PSNP is used to request new LSPs from neighbors Router A R...

Page 337: ...SP 6 IS Neighbors MAC Address LAN IIH 7 IS Neighbors SNPA Address LAN IIH 8 Padding IIH 9 LSP Entries SNP 10 Authentication Information IIH LSP SNP 128 IP Internal Reachability Information LSP 129 Protocols Supported IIH LSP 130 IP External Reachability Information L2 LSP 131 Inter Domain Routing Protocol Information L2 LSP 132 IP Interface Address IIH LSP Intradomain routing protocol discriminato...

Page 338: ...the GR Restarter will update its own routing table and forwarding table based on the new routing information and remove the stale routes In this way the IS IS routing convergence is complete Management tag Management tag carries the management information of the IP address prefixes and BGP community attribute It controls the redistribution from other routing protocols LSP fragment extension IS IS ...

Page 339: ...where some routers do not support LSP fragment extension In this mode adjacency is formed between the originating system and each virtual system with the link cost from the originating system to each virtual system as 0 Thus each virtual system acts as a router connected to the originating system in the network but the virtual system is reachable through the originating system only Therefore the I...

Page 340: ...e display command Protocols and Standards ISO 10589 ISO IS IS Routing Protocol ISO 9542 ES IS Routing Protocol ISO 8348 Ad2 Network Services Access Points RFC 1195 Use of OSI IS IS for Routing in TCP IP and Dual Environments RFC 2763 Dynamic Hostname Exchange Mechanism for IS IS RFC 2966 Domain wide Prefix Distribution with Two Level IS IS RFC 2973 IS IS Mesh Groups RFC 3277 IS IS Transient Blackh...

Page 341: ...e 345 Optional Configuring IS IS Route Leaking on page 346 Optional Tuning and Optimizing IS IS Network on page 346 Configuring a DIS Priority for an Interface on page 346 Optional Configuring IS IS Timers on page 347 Optional Disabling an Interface from Sending Receiving IS IS Hello Packets on page 347 Optional Configuring LSP Parameters on page 348 Optional Configuring SPF Parameters on page 349...

Page 342: ... For information about routing policy refer to Routing Policy Configuration on page 415 Follow these steps to configure the IS IS protocol priority Assign a network entity title NET network entity net Required Not assigned by default Specify a router type is level level 1 level 1 2 level 2 Optional The default type is level 1 2 Return to system view quit Enter interface view interface interface ty...

Page 343: ... cost calculation To do Use the command Remarks Enter system view system view Enter IS IS view isis process id Specify a cost style cost style narrow wide wide compatible compatible narrow compatible relax spf limit Optional narrow by default Return to system view quit Enter interface view interface interface type interface number Required Specify a cost for the interface isis cost value level 1 l...

Page 344: ...the Maximum Number of Equal Cost Routes If there are more than one equal cost routes to the same destination the traffic can be load balanced to enhance efficiency Follow these steps to configure the maximum number of equal cost routes Configuring IS IS Route Summarization This task is to configure a summary route so routes falling into the network range of the summary route are summarized with on...

Page 345: ... To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter IS IS view isis process id Advertise a default route default route advertise route policy route policy name level 1 level 2 level 1 2 Optional Level 2 router generates a default route by default To do Use the command Remarks Enter system view system view Enter IS IS view isis process id Configure inbou...

Page 346: ...adcast network a router should be selected as the DIS at a specific level Level 1 or Level 2 You can specify a DIS priority at a level for an interface The bigger the interface s priority value the more likelihood it becomes the DIS Follow these steps to configure a DIS priority for an interface Configure a filtering policy to filter redistributed routes filter policy acl number ip prefix ip prefi...

Page 347: ...o point link if there is no response to a LSP sent by the local router within the specified retransmission interval the LSP is considered lost and the same LSP will be retransmitted On broadcast links responses to the sent LSPs are not required The interval between hello packets sent by the DIS is 1 3 the hello interval set by the isis timer hello command Disabling an Interface from Sending Receiv...

Page 348: ...mesh group Follow these steps to configure the LSP parameters Enter interface view interface interface type interface number Disable the interface from sending and receiving hello packets isis silent Required Not disabled by default To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter IS IS view isis process id Specify a LSP refresh interval timer lsp ref...

Page 349: ...amic Host Name Mapping Follow these steps to configure the dynamic host name mapping Enable LSP fragment extension lsp fragments extend level 1 level 2 level 1 2 mode 1 mode 2 Optional Disabled by default Create a virtual system virtual system virtual system id Optional Not created by default Return to system view quit Enter interface view interface interface type interface number Add the interfac...

Page 350: ...low these steps to configure the authentication function Assign a local host name is name sys name Required No name is assigned by default This command also enables the mapping between the local system ID and host name Assign a remote host name and create a mapping between the host name and a system ID is name map sys id map sys name Optional One system ID only maps to one name No name is assigned...

Page 351: ...ll Hello Packets Follow these steps to enable an interface to send small hello packets without the padding field Specify the routing domain authentication mode domain authentication mo de simple md5 password ip osi Required No authentication is enabled for Level 2 routing information and no password is specified by default Return to system view quit Enter interface view interface interface type in...

Page 352: ...uter is used as the holdtime in the IS IS Hello PDUs so that its neighbors can maintain the adjacencies within the interval after the router restarts By setting the SA Suppress Advertisement bit in the hello PDUs sent by the GR Restarter its neighbors will not advertise adjacencies within the specified period until the completion of LSDB synchronization between the GR Restarter and its neighbors T...

Page 353: ...id LSPID lsp name lspname local verbose process id Available in any view Display IS IS mesh group information display isis mesh group process id Available in any view Display the host name to system ID mapping table display isis name table process id Available in any view Display IS IS neighbor information display isis peer verbose process id Available in any view Display IS IS routing information...

Page 354: ...tchA isis 1 SwitchA isis 1 is level level 1 SwitchA isis 1 network entity 10 0000 0000 0001 00 SwitchA isis 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 isis enable 1 SwitchA Vlan interface100 quit Configure Switch B SwitchB system view SwitchB isis 1 SwitchB isis 1 is level level 1 SwitchB isis 1 network entity 10 0000 0000 0002 00 SwitchB isis 1 quit SwitchB interface vl...

Page 355: ...s enable 1 SwitchD Vlan interface300 quit 3 Verify the configuration Display the IS IS LSDB of each switch to check the LSP integrity SwitchA display isis lsdb Database information for ISIS 1 Level 1 Link State Database LSPID Seq Num Checksum Holdtime Length ATT P OL 0000 0000 0001 00 00 0x00000004 0xdf5e 1096 68 0 0 0 0000 0000 0002 00 00 0x00000004 0xee4d 1102 68 0 0 0 0000 0000 0002 01 00 0x000...

Page 356: ...ATT Attached P Partition OL Overload SwitchD display isis lsdb Database information for ISIS 1 Level 2 Link State Database LSPID Seq Num Checksum Holdtime Length ATT P OL 0000 0000 0003 00 00 0x00000013 0xc73d 1003 100 0 0 0 0000 0000 0004 00 00 0x0000003c 0xd647 1194 84 0 0 0 0000 0000 0004 01 00 0x00000002 0xec96 1007 55 0 0 0 Self LSP Self LSP Extended ATT Attached P Partition OL Overload Displ...

Page 357: ... 2 R Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set SwitchD display isis route Route information for ISIS 1 ISIS 1 IPv4 Level 2 Forwarding Table IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags 192 168 0 0 24 10 NULL Vlan300 Direct D L 10 1 1 0 24 20 NULL Vlan300 192 168 0 1 R 10 1 2 0 24 20 NULL Vlan300 192 168 0 1 R 172 16 0 0 16 10 NULL Vlan100 Direct D L Flags ...

Page 358: ...tchB system view SwitchB isis 1 SwitchB isis 1 network entity 10 0000 0000 0002 00 SwitchB isis 1 quit SwitchB interface vlan interface 100 SwitchB Vlan interface100 isis enable 1 SwitchB Vlan interface100 quit Configure Switch C SwitchC system view SwitchC isis 1 SwitchC isis 1 network entity 10 0000 0000 0003 00 SwitchC isis 1 is level level 1 SwitchC isis 1 quit SwitchC interface vlan interface...

Page 359: ...RI 64 System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0004 01 State Up HoldTime 28s Type L2 L1L2 PRI 64 System Id 0000 0000 0004 Interface Vlan interface100 Circuit Id 0000 0000 0004 01 State Up HoldTime 30s Type L2 PRI 64 Display information about IS IS interfaces of Switch A SwitchA display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id I...

Page 360: ... 0000 0003 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 27s Type L1 PRI 64 System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 28s Type L2 L1L2 PRI 64 System Id 0000 0000 0004 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 30s Type L2 PRI 64 Display information about IS IS interfaces of Switch...

Page 361: ...Up HoldTime 9s Type L2 PRI 100 System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 28s Type L2 PRI 64 SwitchD display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 No No IS IS Graceful Restart Configuration Example Network requirements Switch A Switch B and Swi...

Page 362: ...rations for Switch B and Switch C are similar and therefore are omitted here 3 Verify the configuration After Router A establishes adjacencies with Router B and Router C they begin to exchange routing information Restart IS IS on Router A which enters into the restart state and sends connection requests to its neighbors through the Graceful Restart mechanism to synchronize the LSDB Using the displ...

Page 363: ... 2 Restart Status Restart Interval 150 SA Bit Supported Total Number of Interfaces 1 Restart Status RESTARTING T3 Timer Status Remaining Time 65535 T2 Timer Status Remaining Time 59 Interface Vlan1 T1 Timer Status Remaining Time 1 RA Not Received Complete CSNP Not Received Number of T1 Pre Expiry 0 ...

Page 364: ...364 CHAPTER 29 IS IS CONFIGURATION ...

Page 365: ...generic sense or a Layer 3 switch running routing protocols BGP Overview Three early versions of BGP are BGP 1 RFC1105 BGP 2 RFC1163 and BGP 3 RFC1267 The current version in use is BGP 4 RFC1771 BGP 4 is rapidly becoming the defacto Internet exterior routing protocol standard and is commonly used between ISPs n BGP refers to BGP 4 in this document The characteristics of BGP are as follows Focusing...

Page 366: ...sociated peers form a peer group BGP runs on a router in one of the following two modes IBGP Interior BGP EBGP External BGP BGP is called IBGP when it runs within an AS and is called EBGP when it runs between ASs Formats of BGP Messages Header BGP has five types of messages Open Update Notification Keep alive Route refresh They have the same header as shown below Figure 115 BGP message header Mark...

Page 367: ...n BGP Identifier In IP address format identifying the BGP router Opt Parm Len Optional Parameters Length Length of optional parameters set to 0 if no optional parameter is available Update The Update messages are used to exchange routing information between peers It can advertise a feasible route or remove multiple unfeasible routes Its format is shown below Figure 117 BGP Update message format Ea...

Page 368: ...nformation is encoded as one or more 2 tuples of the form length prefix Notification A Notification message is sent when an error is detected The BGP connection is closed immediately after sending it Notification message format is shown below Figure 118 BGP Notification message format Error Code Type of Notification Error Subcode Specific information about the nature of the reported error Data Use...

Page 369: ...hree types IGP Has the highest priority Routes added to the BGP routing table using the network command have the IGP attribute EGP Has the second highest priority Routes obtained via EGP have the EGP attribute incomplete Has the lowest priority The source of routes with this attribute is unknown which does not mean such routes are unreachable The routes redistributed from other routing protocols h...

Page 370: ...8 0 0 0 In some applications you can apply a routing policy to control BGP route selection by modifying the AS_PATH length By configuring an AS path filtering list you can filter routes based on AS numbers contained in the AS_PATH attribute 3 NEXT_HOP Different from IGP the NEXT_HOP attribute of BGP may not be the IP address of a neighboring router It involves three types of values as shown in Fig...

Page 371: ...s the route with the smallest MED value the best route if other conditions are the same As shown below traffic from AS10 to AS20 travels through Router B that is selected according to MED Figure 122 MED attribute In general BGP compares MEDs of routes to the same AS only n You can use the compare different as med command to force BGP to compare MED values of routes to different ASs 5 LOCAL_PREF AS...

Page 372: ...nternet By default all routes belong to the Internet community Routes with this attribute can be advertised to all BGP peers No_Export After received routes with this attribute cannot be advertised out the local AS or out the local confederation but can be advertised to other sub ASs in the confederation for confederation information refer to Settlements for Problems Caused by Large Scale BGP Netw...

Page 373: ...e process of finding a reliable route to reach a next hop is route recursion Currently the switch supports BGP load balancing based on route recursion namely if reliable routes are load balanced suppose three next hop addresses BGP generates the same number of next hops to forward packets Note that BGP load balancing based on route recursion is always enabled on the switch rather than configured u...

Page 374: ...o all BGP peers including both EBGP and IBGP peers A BGP speaker does not advertise IBGP routes to IBGP peers A BGP speaker advertises IBGP routes to EBGP peers Note that if BGP and IGP synchronization is disabled IBGP routes are advertised to EBGP peers directly If the feature is enabled only IGP advertises the IBGP routes can BGP advertise these routes to EBGP peers A BGP speaker advertises all ...

Page 375: ...table size By summarizing multiple routes with one route a BGP router advertises only the summary route rather than all routes Currently the system supports both manual and automatic summarization The latter provides for controlling the attribute of a summary route and deciding whether to advertise the route Route dampening BGP route dampening is used to solve the issue of route instability such a...

Page 376: ...shold value the route is added into the routing table and advertised to other BGP peers in update packets Figure 126 BGP route dampening Peer group A peer group is a collection of peers with the same attributes When a peer joins the peer group the peer obtains the same configuration as the peer group If configuration of the peer group is changed configuration of group members is also changed There...

Page 377: ...s will be consumed Using route reflectors can solve the issue In an AS a router acts as a route reflector and other routers act as clients connecting to the route reflector The route reflector forwards reflects routing information between clients BGP connections between clients need not be established The router neither a route reflector nor a client is a non client which has to establish connecti...

Page 378: ...nfederation is another method to deal with growing IBGP connections in ASs It splits an AS into multiple sub ASs In each sub AS IBGP peers are fully meshed and EBGP connections are established between sub ASs as shown below Figure 129 Confederation network diagram From the perspective of a non confederation speaker it needs not know sub ASs in the confederation The ID of the confederation is the n...

Page 379: ...ting information from its peer is recollected 4 After the restart the GR Restarter will reestablish a GR session with its peer and send a new GR message notifying the completion of restart Routing information is exchanged between them for the GR Restarter to create a new routing table and forwarding table with stale routing information removed Thus the BGP routing convergence is complete MP BGP Ov...

Page 380: ...ities Advertisement with BGP 4 RFC2918 Route Refresh Capability for BGP 4 RFC2439 BGP Route Flap Damping RFC1997 BGP Communities Attribute RFC2796 BGP Route Reflection RFC3065 Autonomous System Confederations for BGP draft ietf idr restart 08 Graceful Restart Mechanism for BGP BGP Configuration Task List Complete the following tasks to configure BGP Task Remarks Configuring BGP Basic Functions on ...

Page 381: ... Route Reflector on page 392 Optional Configuring a BGP Confederation on page 392 Optional Configuring BGP GR on page 392 Optional Task Remarks To do Use the command Remarks Enter system view system view Enable BGP and enter BGP view bgp as number Required Not enabled by default Specify a Router ID router id ip address Optional If no IP addresses are configured for loopback interface and other int...

Page 382: ...pback interfaces for peer relationship establishment If you both reference a routing policy and use the peer group name ip address preferred value value command to set a preferred value for routes from a peer the routing policy sets a non zero preferred value for routes matching it Other routes not matching the routing policy uses the value set with the command If the preferred value in the routin...

Page 383: ...P Route Summarization To reduce the routing table size on medium and large BGP networks you need to configure route summarization on peers BGP supports two summarization modes automatic and manual Automatic summarization Summarizes redistributed IGP subnets With the feature configured BGP advertises only summary natural networks rather than subnets The default route and routes injected with the ne...

Page 384: ...s number Configure BGP route summarization Configure automatic route summarization summary automatic Required No route summarization is configured by default Choose either as needed if both are configured the manual route summarization takes effect Configure manual route summarization aggregate ip address mask mask length as set attribute policy route policy name detail suppressed origin policy ro...

Page 385: ...h acl number export Reference an IP prefix list to filer routing information to a peer peer group peer group name ip address ip prefix ip prefix name export To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Filter incoming routes with an ACL or IP prefix list filter policy acl number ip prefix ip prefix name import Required to ch...

Page 386: ...ou can configure BGP route attributes to influence BGP route selection Follow these steps to configure BGP route attributes To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable synchronization between BGP and IGP synchronization Required Not enabled by default To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configu...

Page 387: ... hop while routes to an IBGP peer peer group do not take the local router as the next hop Configure the AS_PATH attribute Configure repeating times of local AS number in routes from a peer peer group peer group name ip address allow as loop number Optional The local AS number can not be repeated in routes from the peer peer group Disable the router from taking AS_PATH as a factor for best route se...

Page 388: ...a router receives no keepalive message from the peer after the holdtime elapses it tears down the connection When establishing a BGP connection the two parties compare their holdtime values taking the shorter one as the common holdtime 2 Reset BGP connections After modifying a route selection policy you have to reset BGP connections to make the new one take effect causing short time disconnections...

Page 389: ... seconds respectively Configure BGP soft reset Disable BGP route refresh and multi protocol extensions for a peer peer group peer group name ip address capability advertise conventional Optional Enabled by default Enable BGP route refresh for a peer peer group peer group name ip address capability advertise route refresh Optional Enabled by default Keep all original routes from a peer peer group r...

Page 390: ...agement easier and improves route distribution efficiency Peer group includes IBGP peer group where peers belong to the same AS and EBGP peer group where peers belong to different ASs If peers in an EBGP group belong to the same external AS the EBGP peer group is a pure EBGP peer group and if not a mixed EBGP peer group Configuring BGP community can also help simplify routing policy management and...

Page 391: ...roup group name external Optional You can add multiple peers into the group The system will create these peers automatically and specify the local AS number as their AS in BGP view Specify the AS number for the group peer group name as number as number Add a peer into the group peer ip address group group name as number as number Configure a mixed EBGP peer group Create an EBGP peer group group gr...

Page 392: ...onstandard command to make the local router compatible with these routers Configuring BGP GR n A device can act as both a GR Restarter and GR Helper at the same time Follow these steps to configure BGP GR To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure the router as a route reflector and specify a peer peer group as its client peer group name ip a...

Page 393: ...e updates To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable GR Capability for BGP graceful restart Required Disabled by default Configure the maximum time allowed for the peer to reestablish a BGP session graceful restart timer restart timer Optional 150 seconds by default Configure the maximum time to wait for the End of RIB marker graceful restart ti...

Page 394: ...dvertise no export no export subconfed whole match Display routing information matching a BGP community list display bgp routing table community list basic community list number whole match adv community list number 1 16 Display BGP dampened routing information display bgp routing table dampened Display BGP dampening parameter information display bgp routing table dampening parameter Display BGP r...

Page 395: ...t bgp group group name Reset all IBGP connections reset bgp internal Reset all IPv4 unicast BGP connections reset bgp ipv4 all To do Use the command Remarks Clear dampened MBGP routing information and release suppressed routes reset bgp dampening ip address mask mask length Available in user view Clear route flap information reset bgp flap info regexp as path regexp as path acl as path acl number ...

Page 396: ...Configure Switch D SwitchD system view SwitchD bgp 65009 SwitchD bgp router id 4 4 4 4 SwitchD bgp peer 9 1 1 1 as number 65009 SwitchD bgp peer 9 1 2 1 as number 65009 SwitchD bgp quit 3 Configure the EBGP connection Configure Switch A SwitchA system view SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp peer 200 1 1 1 as number 65009 Inject network 8 0 0 0 8 to the BGP routing table Sw...

Page 397: ... table Total Number of Routes 1 BGP Local router ID is 2 2 2 2 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 8 0 0 0 200 1 1 2 0 0 65008i Display the BGP routing table on Switch C SwitchC display bgp routing table Total Number of Routes 1 BGP Local router ID is 3 3 3 3 Status codes valid best d d...

Page 398: ... 2 0 100 0 65008i i 9 1 1 0 24 9 1 3 1 0 100 0 i 9 1 3 0 24 9 1 3 1 0 100 0 i 200 1 1 0 9 1 3 1 0 100 0 You can find the route 8 0 0 0 becomes valid with the next hop being Switch A Ping 8 1 1 1 on Switch C SwitchC ping 8 1 1 1 PING 8 1 1 1 56 data bytes press CTRL_C to break Reply from 8 1 1 1 bytes 56 Sequence 1 ttl 254 time 31 ms Reply from 8 1 1 1 bytes 56 Sequence 2 ttl 254 time 47 ms Reply f...

Page 399: ...witchB system view SwitchB bgp 65009 SwitchB bgp peer 3 1 1 2 as number 65008 SwitchB bgp quit 4 Configure BGP and IGP synchronization Configure BGP to redistribute routes from OSPF on Switch B SwitchB bgp 65009 SwitchB bgp import route ospf 1 SwitchB bgp quit Display routing table information on Switch A SwitchA display bgp routing table Total Number of Routes 3 BGP Local router ID is 1 1 1 1 Sta...

Page 400: ...32 Direct 0 0 127 0 0 1 InLoop0 5 Configure route automatic summarization Configure route automatic summarization on Switch B SwitchB bgp 65009 SwitchB bgp summary automatic Display BGP routing table information on Switch A SwitchA display bgp routing table Total Number of Routes 2 BGP Local router ID is 1 1 1 1 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IG...

Page 401: ...es omitted 2 Configure BGP connections Configure Switch A SwitchA system view SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp peer 200 1 1 1 as number 65009 SwitchA bgp peer 200 1 2 1 as number 65009 Inject route 8 0 0 0 8 to BGP routing table SwitchA bgp network 8 0 0 0 255 0 0 0 SwitchA bgp quit Configure Switch B SwitchB system view SwitchB bgp 65009 SwitchB bgp router id 2 2 2 2 Sw...

Page 402: ...1 2 1 0 0 65009i Two routes to 9 1 1 0 24 are available and the one with the next hop being 200 1 1 1 is the optimal because the ID of Switch B is smaller 3 Configure loading balancing Configure Switch A SwitchA bgp 65008 SwitchA bgp balance 2 SwitchA bgp quit Display the routing table on Switch A SwitchA display bgp routing table Total Number of Routes 3 BGP Local router ID is 1 1 1 1 Status code...

Page 403: ...witch B BGP Community Configuration Network requirements Switch B establishes EBGP connections with Switch A and C Configure No_Export community attribute on Switch A to make routes from AS 10 not advertised by AS 20 to any other AS Network diagram Figure 133 Network diagram for BGP community configuration Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure EBGP Con...

Page 404: ...m 200 1 2 1 1 1 1 1 Original nexthop 200 1 2 1 AS path 10 Origin igp Attribute value MED 0 pref val 0 pre 255 State valid external best Advertised to such 1 peers 200 1 3 2 Switch B advertised routes to Switch C in AS30 Display the routing table on Switch C SwitchC display bgp routing table Total Number of Routes 1 BGP Local router ID is 3 3 3 3 Status codes valid best d damped h history i interna...

Page 405: ...ilable in the routing table of Switch C BGP Route Reflector Configuration Network requirements In the following figure all switches run BGP Between Switch A and Switch B is an EBGP connection between Switch C and Switch B and between Switch C and Switch D are IBGP connections Switch C is a route reflector with clients Switch B and D Switch D can learn route 1 0 0 0 8 from Switch C Network diagram ...

Page 406: ...itchC bgp 200 SwitchC bgp router id 3 3 3 3 SwitchC bgp peer 193 1 1 2 as number 200 SwitchC bgp peer 194 1 1 2 as number 200 SwitchC bgp quit Configure Switch D SwitchD system view SwitchD bgp 200 SwitchD bgp router id 4 4 4 4 SwitchD bgp peer 194 1 1 1 as number 200 SwitchD bgp quit 3 Configure the route reflector Configure Switch C SwitchC bgp 200 SwitchC bgp peer 193 1 1 2 reflect client Switc...

Page 407: ...diagram Figure 135 Network diagram for BGP confederation configuration Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure BGP confederation Device Interface IP address Device Interface IP address Switch A Vlan int100 200 1 1 1 24 Switch D Vlan int400 10 1 3 2 24 Vlan int200 10 1 1 1 24 Vlan int200 10 1 5 1 24 Vlan int300 10 1 2 1 24 Switch E Vlan int500 10 1 4 2 24...

Page 408: ...65001 SwitchB bgp quit Configure Switch C SwitchC system view SwitchC bgp 65003 SwitchC bgp router id 3 3 3 3 SwitchC bgp confederation id 200 SwitchC bgp confederation peer as 65001 65002 SwitchC bgp peer 10 1 2 1 as number 65001 SwitchC bgp quit 3 Configure IBGP connections in AS77001 Configure Switch A SwitchA bgp 65001 SwitchA bgp peer 10 1 3 2 as number 65001 SwitchA bgp peer 10 1 3 2 next ho...

Page 409: ...er ID is 2 2 2 2 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 9 1 1 0 24 10 1 1 1 0 100 0 65001 100i SwitchB display bgp routing table 9 1 1 0 BGP local router ID 2 2 2 2 Local AS number 65002 Paths 1 available 1 best BGP routing table entry information of 9 1 1 0 24 From 10 1 1 1 1 1 1 1 Rela...

Page 410: ...tween Switch D and Switch C are IBGP connections OSPF is the IGP protocol in AS 200 Configure routing policies making Switch D use the route 1 0 0 0 8 from Switch C as the optimal Network diagram Figure 136 Network diagram for BGP path selection configuration Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF on Switch B C and D Configure Switch B Device Inter...

Page 411: ...tchD ospf area 0 SwitchD ospf 1 area 0 0 0 0 network 194 1 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 0 network 195 1 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 0 quit SwitchD ospf 1 quit 3 Configure BGP connections Configure Switch A SwitchA system view SwitchA bgp 100 SwitchA bgp peer 192 1 1 2 as number 200 SwitchA bgp peer 193 1 1 2 as number 200 Inject network 1 0 0 0 8 to the BGP routing table on ...

Page 412: ...e policy apply_med_100 permit node 10 SwitchA route policy if match acl 2000 SwitchA route policy apply cost 100 SwitchA route policy quit Apply routing policy apply_med_50 to the route advertised to peer 193 1 1 2 Switch C and apply_med_100 to the route advertised to peer 192 1 1 2 Switch B SwitchA bgp 100 SwitchA bgp peer 193 1 1 2 route policy apply_med_50 export SwitchA bgp peer 192 1 1 2 rout...

Page 413: ...suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 1 0 0 0 193 1 1 1 0 200 0 100i i 192 1 1 1 0 100 0 100i You can find route 1 0 0 0 8 from Switch D to Switch C is the optimal Troubleshooting BGP No BGP Peer Relationship Established Symptom Display BGP peer information using the display bgp peer command The state of the connection to a peer cannot becom...

Page 414: ...414 CHAPTER 30 BGP CONFIGURATION 6 Use the ping command to check connectivity 7 Use the display tcp status command to check the TCP connection 8 Check whether an ACL disabling TCP port 179 is configured ...

Page 415: ... are described in related sections Introduction to Routing Policy Routing Policy and Policy Routing A routing policy is used on the router for route inspection filtering attributes modifying when routes are received advertised or redistributed Policy routing is a routing mechanism based on the user defined policies This chapter describes only routing policy configuration and usage refer to Static ...

Page 416: ...twork prefix format The index number indicates the matching sequence of items in the IP prefix list During matching the router compares the packet with the items in the ascending order If one item is matched the IP prefix list filter is passed and the packet will not go to the next item AS path AS path is only applicable to BGP There is an AS path field in the BGP packet An AS path list specifies ...

Page 417: ...licy to filter routing information Routing Policy Configuration Task List Complete the following tasks to configure a routing policy Defining Filtering Lists Prerequisites Before configuring this task you need to decide on IP prefix list name Matching address range Extcommunity list sequence number Defining an IPv4 prefix List Identified by name each IPv4 prefix list can comprise multiple items Ea...

Page 418: ... ACL Defining a Community List You can define multiple items for a community list that is identified by number During matching the relation between items is logic OR that is if routing information matches one of these items it passes the community list Follow these steps to define a community list To do Use the command Remarks Enter system view system view Define an IPv4 prefix list ip ip prefix i...

Page 419: ...quisites Before configuring this task you have completed Filtering list configuration Routing protocol configuration You also need to decide on Name of the routing policy node sequence numbers Match criteria Attributes to be modified Creating a Routing Policy Follow these steps to create a routing policy n If a node has the permit keyword specified routing information meeting the node s conditions...

Page 420: ...Optional Not configured by default Match IPv4 routes having destinations specified in the IP prefix list if match ip prefix ip prefix name Match IPv4 routes having next hops or sources specified in the ACL or IP prefix list if match ip next hop route source acl acl number ip prefix ip prefix name Optional Not configured by default Match routes having AS path attributes specified in the AS path lis...

Page 421: ... if match tag value Optional Not configured by default To do Use the command Remarks To do Use the command Remarks Enter system view system view Create a routing policy and enter its view route policy route policy name permit deny node node number Required Not created by default Set AS_Path attribute for BGP routes apply as path as number 1 10 replace Optional Not set by default Specify a communit...

Page 422: ...nce preference Optional Not set by default Set an origin attribute for BGP routes apply origin igp egp as number incomplete Optional Not set by default Set a preference for the matched routing protocol apply preference preference Optional Not set by default Set a preferred value for BGP routes apply preferred value preferred value Optional Not set by default Set a tag value for RIP OSPF or IS IS r...

Page 423: ...face201 quit SwitchC interface vlan interface 202 SwitchC Vlan interface202 isis enable SwitchC Vlan interface202 quit SwitchC interface vlan interface 203 SwitchC Vlan interface203 isis enable SwitchC Vlan interface203 quit Configure Switch B SwitchB system view SwitchB isis SwitchB isis 1 is level level 2 SwitchB isis 1 network entity 10 0000 0000 0002 00 SwitchB isis 1 quit SwitchB interface vl...

Page 424: ...2 17 1 0 24 1 Type2 1 192 168 1 2 192 168 2 2 172 17 2 0 24 1 Type2 1 192 168 1 2 192 168 2 2 172 17 3 0 24 1 Type2 1 192 168 1 2 192 168 2 2 192 168 2 0 24 1 Type2 1 192 168 1 2 192 168 2 2 Total Nets 5 Intra Area 1 Inter Area 0 ASE 4 NSSA 0 4 Configure filtering lists Configure an ACL with the number of 2002 letting pass route 172 17 2 0 24 SwitchB acl number 2002 SwitchB acl basic 2002 rule per...

Page 425: ...1 1 0 0 0 0 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 172 17 1 0 24 100 Type2 1 192 168 1 2 192 168 2 2 172 17 2 0 24 1 Type2 20 192 168 1 2 192 168 2 2 172 17 3 0 24 1 Type2 1 192 168 1 2 192 168 2 2 192 168 2 0 24 1 Type2 1 192 168 1 2 192 168 2 2 Total Nets 5 Intra Area 1 Inter Area 0 ASE 4 NSSA 0 Troubleshooting Routing Policy Configuration IPv4 Routing Information Filtering...

Page 426: ...426 CHAPTER 31 ROUTING POLICY CONFIGURATION ...

Page 427: ...c routes use IPv6 addresses whereas IPv4 static routes use IPv4 addresses Default IPv6 Route The IPv6 static route that has the destination address configured as 0 indicating a prefix length of 0 is the default IPv6 route If the destination address of an IPv6 packet does not match any entry in the routing table this default route will be used to forward the packet Configuring an IPv6 Static Route ...

Page 428: ...all VLAN interfaces Omitted 2 Configure IPv6 static routes Configure the default IPv6 static route on Switch A SwitchA system view SwitchA ipv6 SwitchA ipv6 route static 0 4 2 Configure two IPv6 static routes on Switch B SwitchB system view SwitchB ipv6 SwitchB ipv6 route static 1 64 4 1 SwitchB ipv6 route static 3 64 5 1 To do Use the command Remarks Display IPv6 static route information display ...

Page 429: ... Preference 0 Interface InLoop0 Cost 0 Destination 1 64 Protocol Direct NextHop 1 1 Preference 0 Interface Vlan100 Cost 0 Destination 1 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination 4 64 Protocol Direct NextHop 4 1 Preference 0 Interface Vlan200 Cost 0 Destination 4 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination FE80 10 Protoco...

Page 430: ...430 CHAPTER 32 IPV6 STATIC ROUTING CONFIGURATION 3 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 62 62 63 ms ...

Page 431: ... The hop count is referred to as metric or cost The hop count from a router to a directly connected network is 0 The hop count between two directly connected routers is 1 When the hop count is greater than or equal to 16 the destination network or host is unreachable By default the routing update is sent every 30 seconds If the router receives no routing updates from a neighbor after 180 seconds t...

Page 432: ...e of message 0x01 indicates Request 0x02 indicates Response Version Version of RIPng It can only be 0x01 currently RTE Route table entry 20 bytes for each entry RTE format There are two types of RTE in RIPng Next hop RTE Defines the IPv6 address of a next hop IPv6 prefix RTE Describes the destination IPv6 address route tag prefix length and metric in the RIPng routing table Figure 140 shows the fo...

Page 433: ...equested routing information to the requesting router in the response packet Response packet The response packet containing the local routing table information is generated as A response to a request An update periodically A trigged update caused by route change After receiving a response a router checks the validity of the response before adding the route to its routing table such as whether the ...

Page 434: ...ed information Configuring an Additional Routing Metric An additional routing metric can be added to the metric of an inbound or outbound RIP route namely the inbound and outbound additional metric The outbound additional metric is added to the metric of a sent route the route s metric in the routing table is not changed The inbound additional metric is added to the metric of a received route befo...

Page 435: ...igher the priority is Follow these steps to configure a RIPng priority Specify an outbound routing additional metric ripng metricout value Optional 1 by default To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Advertise a summary IPv6 prefix ripng summary address ipv6 address prefix length Requi...

Page 436: ...utes for Load Balancing on page 438 Configuring RIPng Timers You can adjust RIPng timers to optimize the performance of the RIPng network Follow these steps to configure RIPng timers To do Use the command Remarks Enter system view system view Enter RIPng view ripng process id Configure a RIPng priority preference route policy route policy name preference Optional By default the RIPng priority is 1...

Page 437: ...verse function The poison reverse function enables a route learned from an interface to be advertised via the interface However the metric of the route is set to 16 That is to say the route is unreachable Follow these steps to configure poison reverse Configure RIPng timers timers garbage collect garbage collect value suppress suppress value timeout timeout value update update value Optional The R...

Page 438: ...ill not be added to the routing table of Switch B and Switch B will not forward it to Switch A Enable the poison reverse function ripng poison reverse Required Disabled by default To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter RIPng view ripng process id Enable the zero field check checkzero Optional Enabled by default To do Use the command Remarks ...

Page 439: ... quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 ripng 1 enable SwitchB Vlan interface200 quit SwitchB interface vlan interface 100 SwitchB Vlan interface100 ripng 1 enable SwitchB Vlan interface100 quit Configure Switch C SwitchC system view SwitchC ipv6 SwitchC ripng 1 SwitchC ripng 1 quit SwitchC interface vlan interface 200 SwitchC Vlan interface200 ripng 1 enable SwitchC V...

Page 440: ...2FF FE64 8904 on Vlan interface100 Dest 1 64 via FE80 200 2FF FE64 8904 cost 1 tag 0 A 31 Sec Dest 4 64 via FE80 200 2FF FE64 8904 cost 2 tag 0 A 31 Sec Dest 5 64 via FE80 200 2FF FE64 8904 cost 2 tag 0 A 31 Sec Dest 3 64 via FE80 200 2FF FE64 8904 cost 1 tag 0 A 31 Sec 1 Configure Switch B to filter incoming and outgoing routes SwitchB acl ipv6 number 2000 SwitchB acl6 basic 2000 rule deny source...

Page 441: ...a FE80 20F E2FF FE00 100 cost 1 tag 0 A 5 Sec SwitchA display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 20F E2FF FE00 1235 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE00 1235 cost 1 tag 0 A 2 Sec Dest 4 64 via FE80 20F E2FF FE00 1235 cost 2 tag 0 A 2 Sec Dest 5 64 via FE80 20F E2FF FE00 1235 cost 2 tag 0 A 2 Sec ...

Page 442: ...442 CHAPTER 33 IPV6 RIPNG CONFIGURATION ...

Page 443: ...s and establishing adjacencies Mechanisms for LSA flooding and aging Differences between OSPFv3 and OSPFv2 OSPFv3 now runs on a per link basis instead of on a per IP subnet basis OSPFv3 supports multiple instances per link OSPFv3 identifies neighbors by Router ID while OSPFv2 by IP address OSPFv3 Packets OSPFv3 has also five types of packets hello DD LSR LSU and LSAck The five packets have the sam...

Page 444: ...o Type 4 LSA of OSPFv2 originated by ABRs and flooded throughout the LSA s associated area Each Inter Area Router LSA describes a route to ASBR Autonomous System Boundary Router AS external LSAs Originated by ASBRs and flooded throughout the AS except Stub and NSSA areas Each AS external LSA describes a route to another Autonomous System A default route can be described by an AS external LSA Link ...

Page 445: ...peration efficiency of routers You can adjust SPF calculation interval and delay time to protect networks from being overloaded due to frequent changes OSPFv3 Features Supported Basic features defined in RFC2740 OSPFv3 stub area Related RFCs RFC2740 OSPF for IPv6 RFC2328 OSPF Version 2 IPv6 OSPFv3 Configuration Task List Complete the following tasks to configure OSPFv3 Task Remarks Configuring OSP...

Page 446: ...tub areas to further reduce the size of routing tables on routers in these areas and the number of LSAs Non backbone areas exchange routing information via the backbone area Therefore the backbone and non backbone areas including the backbone itself must maintain connectivity In practice necessary physical links may not be available for connectivity You can configure virtual links to address it Tu...

Page 447: ...n as totally stub area Configuring OSPFv3 Virtual Links You can configure virtual links to maintain connectivity between non backbone areas and the backbone or in the backbone itself Follow these steps to configure a virtual link n Both ends of a virtual link are ABRs that are configured with the vlink peer command Configuring OSPFv3 Routing Information Management This section is to configure mana...

Page 448: ...command can only filter routes computed by OSPFv3 Only routes not filtered can be added into the local routing table Configuring Link Costs for OSPFv3 Interfaces You can configure OSPFv3 link costs for interfaces to adjust routing calculation Follow these steps to configure the link cost for an OSPFv3 interface To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 pr...

Page 449: ...nter OSPFv3 view ospfv3 process id Specify the maximum number of load balanced routes maximum load balancing maximum Optional 4 by default To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Configure a priority for OSPFv3 preference ase route policy route policy name preference Optional By default the priority of OSPFv3 interval routes is 10 and priorit...

Page 450: ...ork you can configure DR priorities for interfaces to affect DR BDR election By disabling an interface from sending OSPFv3 packets you can make other routers on the network obtain no information from the interface Prerequisites Enable IPv6 packet forwarding Configure OSPFv3 basic functions Configuring OSPFv3 Timers Follow these steps to configure OSPFv3 timers To do Use the command Remarks Enter s...

Page 451: ...tised in Intra Area Prefix LSAs via other interfaces but other OSPFv3 packets cannot be advertised Therefore no neighboring relationship can be established on the interface This feature can enhance the adaptability of OSPFv3 networking Enable the Logging on Neighbor State Changes Follow these steps to enable the logging on neighbor state changes To do Use the command Remarks Enter system view syst...

Page 452: ...d peer interface type interface number verbose peer router id Display OSPFv3 neighbor statistics display ospfv3 peer statistic Display OSPFv3 routing table information display ospfv3 process id routing ipv6 address prefix length ipv6 address prefix length abr routes asbr routes all statistics Display OSPFv3 area topology information display ospfv3 process id topology area area id Display OSPFv3 vi...

Page 453: ...asic functions Configure Switch A SwitchA system view SwitchA ipv6 SwitchA ospfv3 SwitchA ospfv3 1 router id 1 1 1 1 SwitchA ospfv3 1 quit SwitchA interface vlan interface 300 SwitchA Vlan interface300 ospfv3 1 area 1 SwitchA Vlan interface300 quit SwitchA interface vlan interface 200 SwitchA Vlan interface200 ospfv3 1 area 1 SwitchA Vlan interface200 quit Configure Switch B SwitchB system view Sw...

Page 454: ...uter id 4 4 4 4 SwitchD ospfv3 1 quit SwitchD interface Vlan interface 400 SwitchD Vlan interface400 ospfv3 1 area 2 SwitchD Vlan interface400 quit Display OSPFv3 neighbor information on Switch B SwitchB display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 3 3 3 3 1 Full DR 00 00 39 Vlan100 0 OSPFv3 Area ID 0 0 0 1 Process 1 Neighbor ID Pri Sta...

Page 455: ... C and specify the cost of the default route sent to the stub area as 10 SwitchC ospfv3 SwitchC ospfv3 1 area 2 SwitchC ospfv3 1 area 0 0 0 2 stub SwitchC ospfv3 1 area 0 0 0 2 default cost 10 Display OSPFv3 routing table information on Switch D You can find a default route is added whose cost is the cost of the directly connected route plus the configured cost SwitchD display ospfv3 routing E1 Ty...

Page 456: ...A Cost 11 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 2 64 Type I Cost 1 NextHop directly connected Interface Vlan400 Configuring OSPFv3 DR Election Network requirements In the following figure The priority of Switch A is 100 the highest priority on the network so it will be the DR The priority of Switch C is 2 the second highest priority on the network so it will be the BDR The ...

Page 457: ...nterface100 ospfv3 1 area 0 SwitchC Vlan interface100 quit Configure Switch D SwitchD system view SwitchD ipv6 SwitchD ospfv3 SwitchD ospfv3 1 router id 4 4 4 4 SwitchD ospfv3 1 quit SwitchD interface vlan interface 200 SwitchD Vlan interface200 ospfv3 1 area 0 SwitchD Vlan interface200 quit Display neighbor information on Switch A You can find the switches have the same default DR priority 1 In t...

Page 458: ...100 quit Display neighbor information on Switch A You can find DR priorities have been updated but DR and BDR are not changed SwitchA display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 2 2 2 2 0 2 Way DROther 00 00 38 Vlan200 0 3 3 3 3 2 Full Backup 00 00 32 Vlan100 0 4 4 4 4 1 Full DR 00 00 36 Vlan200 0 Display neighbor information on Switch...

Page 459: ...segment and mask network type If the network type is broadcast at least one interface must have a DR priority higher than 0 Process steps 1 Display neighbor information using the display ospfv3 peer command 2 Display OSPFv3 interface information using the display ospfv3 interface command 3 Ping the neighbor router s IP address to check connectivity 4 Check OSPF timers The dead interval on an inter...

Page 460: ...b command to display Link State Database information to check integrity 4 Display information about area configuration using the display current configuration configuration command If more than two areas are configured at least one area is connected to the backbone 5 In a Stub area all routers are configured with the stub command 6 If a virtual link is configured use the display ospf vlink command...

Page 461: ...ng information exchange protocol supports multiple network protocols including IPv6 IS IS with IPv6 support is called IPv6 IS IS dynamic routing protocol The international switch fabric task force IETF defines two type length values TLVs and a new network layer protocol identifier NLPID to enable IPv6 support for IS IS TLV is a variable field in the link state PDU or link state packet LSP The two ...

Page 462: ...gured by default Enable IPv6 for the IS IS process ipv6 enable Required Disabled by default Return to system view quit Enter interface view interface interface type interface number Enable IPv6 for an IS IS process on the interface isis ipv6 enable process id Required Disabled by default To do Use command to Remarks Enter system view system view Enter IS IS view isis process id Define the priority...

Page 463: ...balanced routes ipv6 maximum load balancing number Optional 4 by default To do Use command to Remarks To do Use the command Remarks Display brief IPv6 IS IS information display isis brief Available in any view Display the status of the debug switches display isis debug switches process id Available in any view Display IS IS enabled interface information display isis interface verbose process id Av...

Page 464: ...A system view SwitchA isis 1 SwitchA isis 1 is level level 1 SwitchA isis 1 network entity 10 0000 0000 0001 00 SwitchA isis 1 ipv6 enable SwitchA isis 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 isis ipv6 enable 1 SwitchA Vlan interface100 quit Configure Switch B SwitchB system view SwitchB isis 1 SwitchB isis 1 is level level 1 SwitchB isis 1 network entity 10 0000 0000...

Page 465: ... SwitchC interface vlan interface 200 SwitchC Vlan interface200 isis ipv6 enable 1 SwitchC Vlan interface200 quit SwitchC interface vlan interface 300 SwitchC Vlan interface300 isis ipv6 enable 1 SwitchC Vlan interface300 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 is level level 2 SwitchD isis 1 network entity 20 0000 0000 0004 00 SwitchD isis 1 ipv6 enable SwitchD i...

Page 466: ...466 CHAPTER 35 IPV6 IS IS CONFIGURATION ...

Page 467: ...n page 486 IPv6 BGP Overview BGP 4 manages only IPv4 routing information thus other network layer protocols such as IPv6 are not supported To support multiple network layer protocols IETF extended BGP 4 by introducing IPv6 BGP that is defined in RFC 2858 multiprotocol extensions for BGP 4 To implement IPv6 support IPv6 BGP puts IPv6 network layer information into the attributes of network layer re...

Page 468: ...72 Optional Advertising a Default Route to a Peer Peer Group on page 472 Optional Configuring Route Distribution Policy on page 472 Optional Configuring Route Reception Policy on page 473 Optional Configuring IPv6 BGP and IGP Route Synchronization on page 473 Optional Configuring Route Dampening on page 474 Optional Configuring IPv6 BGP Route Attributes on page 474 Configuring IPv6 BGP Preference ...

Page 469: ...o do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Not enabled by default Specify a router ID router id router id Optional Required if no IP addresses configured for Loopback interface and other interfaces Enter IPv6 address family view ipv6 family Specify an IPv6 peer and its AS number peer ipv6 address as number as number Required Not configured by d...

Page 470: ...P router otherwise the local BGP router may fail to establish TCP connections to the peers when using the outbound interfaces of the best routes as the source interfaces Allowing the establishment of a Non Direct EBGP connection Follow these steps to allow the establishment of EBGP connection to a non directly connected peer peer group c CAUTION In general direct links should be available between ...

Page 471: ...ou have Enabled the IPv6 function Configured the IPv6 BGP basic functions To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Configure a description for a peer peer group peer ipv6 group name ipv6 address description description text Optional Not configured by default To do Use the command Remarks Enter syste...

Page 472: ... routing protocol import route protocol process id med med value route policy route policy name Required Not enabled by default To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Advertise a default route to a peer peer group peer ipv6 group name ipv6 address default route advertise route policy route policy ...

Page 473: ...ute be advertised to EBGP peers Specify an IPv6 prefix list to filer routes advertised to a peer peer group peer ipv6 group name ipv6 address ipv6 prefix ipv6 prefix name export Required Not specified by default To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 family Configure inbound route fi...

Page 474: ...tem view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Enable route synchronization between IPv6 BGP and IGP synchronization Required Not enabled by default To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Configure IPv6 BGP route dampening parameters dampening half life r...

Page 475: ...the local router as the next hop peer ipv6 group name ipv6 address next hop local Required By default the feature is available for routes advertised to the EBGP peer peer group but not available to the IBGP peer peer group To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Config...

Page 476: ...er the router advertises a route refresh message to its peers which then send their routing information back to the router Therefore the local router can perform dynamic routing information update and apply the new policy without tearing down connections If a router not supporting route refresh exists in the network you need to configure the peer keep all routes command on the router to save all r...

Page 477: ... address timer keepalive keepalive hold holdtime Configure the interval for sending the same update to a peer peer group peer ipv6 group name ipv6 address route update interval seconds Optional The interval for sending the same update to an IBGP peer or an EBGP peer defaults to 15 seconds or 30 seconds To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Require...

Page 478: ...mmunity attribute can make a set of IPv6 BGP routers in multiple ASs enjoy the same policy because sending of community between IPv6 BGP peers is not limited by AS To guarantee connectivity between IBGP peers you need to make them fully meshed but it becomes unpractical when there are too many IBGP peers Using route reflectors or confederation can solve it In a large scale AS both of them can be u...

Page 479: ...rks Enter system view system view Enter BGP view bgp as number Required Not enabled by default Enter IPv6 address family view ipv6 family Create an EBGP peer group group ipv6 group name external Required Configure the AS number for the peer group peer ipv6 group name as number as number Required Not configured by default Add an IPv6 peer into the peer group peer ipv6 address group ipv6 group name ...

Page 480: ... as number Required Not enabled by default Enter IPv6 address family view ipv6 family Advertise community attribute to a peer peer group peer ipv6 group name ipv6 address advertise community Required Not advertised by default Advertise extended community attribute to a peer peer group peer ipv6 group name ipv6 address advertise ext community Required Not advertised by default To do Use the command...

Page 481: ...fully meshed it is recommended to disable route reflection between clients to reduce routing costs If a cluster has multiple route reflectors you need to specify the same cluster ID for these route reflectors to avoid routing loops Configure the cluster ID of the route reflector reflector cluster id cluster id Optional By default a route reflector uses its router ID as the cluster ID To do Use the...

Page 482: ...ch Display IPv6 BGP routing information matching an IPv6 BGP community list display bgp ipv6 routing table community list basic community list number whole match adv community list number 1 16 Display dampened IPv6 BGP routing information display bgp ipv6 routing table dampened Display IPv6 BGP dampening parameter information display bgp ipv6 routing table dampening parameter Display IPv6 BGP rout...

Page 483: ...re Switch B To do Use the command Remarks Perform soft reset on IPv6 BGP connections refresh bgp ipv6 ipv6 address all external group ipv6 group name internal export import Available in user view Reset IPv6 BGP connections reset bgp ipv6 as number ipv6 address flap info all group ipv6 group name external internal To do Use the command Remarks Clear dampened IPv6 BGP routing information and release...

Page 484: ...itchC bgp quit Configure Switch D SwitchD system view SwitchD ipv6 SwitchD bgp 65009 SwitchD bgp router id 4 4 4 4 SwitchD bgp ipv6 family SwitchD bgp af ipv6 peer 9 1 1 as number 65009 SwitchD bgp af ipv6 peer 9 2 1 as number 65009 SwitchD bgp af ipv6 quit SwitchD bgp quit 3 Configure the EBGP connection Configure Switch A SwitchA system view SwitchA ipv6 SwitchA bgp 65008 SwitchA bgp router id 1...

Page 485: ...nection Switch B C and D established IBGP connections with each other IPv6 BGP Route Reflector Configuration Network requirements Switch B receives an EBGP update and sends it to Switch C which is configured as a route reflector with two clients Switch B and Switch D Switch B and Switch D need not establish an IBGP connection because Switch C reflects updates between them Network diagram Figure 14...

Page 486: ...itch D SwitchD system view SwitchD ipv6 SwitchD bgp 200 SwitchD bgp router id 4 4 4 4 SwitchD bgp ipv6 family SwitchD bgp af ipv6 peer 102 1 as number 200 3 Configure route reflector Configure Switch C as a route reflector Switch B and Switch D as its clients SwitchC bgp af ipv6 peer 101 2 reflect client SwitchC bgp af ipv6 peer 102 2 reflect client Use the display bgp ipv6 routing table command o...

Page 487: ...ck interface is used check whether the peer connect interface command is configured 4 If the peer is not directly connected check whether the peer ebgp max hop command is configured 5 Check whether a route to the peer is available in the routing table 6 Use the ping command to check connectivity 7 Use the display tcp ipv6 status command to check the TCP connection 8 Check whether an ACL for disabl...

Page 488: ...488 CHAPTER 36 IPV6 BGP CONFIGURATION ...

Page 489: ... routing policy for route distribution reception and redistribution Filters Routing protocols can use six filters ACL IP prefix list AS path ACL community list extended community list and routing policy ACL When defining an ACL you can specify IP addresses and prefixes to match destinations or next hops of routing information For ACL configuration refer to IPv6 ACL Configuration on page 851 IP pre...

Page 490: ...mpares each node to a packet in the order of node sequence number Once a node is matched the routing policy is passed and the packet will not go through the next node Each node comprises a set of if match and apply clauses The if match clauses define the match criteria The matching objects are some attributes of routing information The different if match clauses on a node is in logical AND relatio...

Page 491: ... prefix abc index 30 deny 2000 3 48 Sysname ip ipv6 prefix abc index 40 permit 0 less equal 128 Defining an AS Path List You can define multiple items for an AS path ACL that is identified by number During matching the relation between items is logical OR that is if the route matches one of these items it passes the AS path ACL Follow these steps to define an AS path ACL Defining a Community List ...

Page 492: ...objects are some attributes of routing information apply clauses Specify the actions performed after specified match criteria are satisfied concerning attribute settings for passed routing information Prerequisites Before configuring this task you have completed Filtering list configuration Routing protocol configuration You also need to decide on Name of the routing policy node sequence numbers M...

Page 493: ...to define if match clauses for a route policy To do Use the command Remarks Enter system view system view Create a routing policy and enter its view route policy route policy name permit deny node node number Required To do Use the command Remarks Enter system view system view Enter routing policy view route policy route policy name permit deny node node number Required Match IPv6 routes having th...

Page 494: ...ter system view system view Create a routing policy and enter its view route policy route policy name permit deny node node number Required Not created by default Set AS_Path attribute for IPv6 BGP routes apply as path as number 1 10 replace Optional Not set by default Specify a community list according to which to delete community attributes of IPv6 BGP routing information apply comm list comm li...

Page 495: ...gin igp egp as number incomplete Optional Not set by default Set a preference for the matched routing protocol apply preference preference Optional Not set by default Set a preferred value for IPv6 BGP routes apply preferred value preferred value Optional Not set by default Set a tag value for the routes apply tag value Optional Not set by default To do Use the command Remarks To do Use the comman...

Page 496: ...rface 100 SwitchA Vlan interface100 ripng 1 enable SwitchA Vlan interface100 quit Configure three static routes SwitchA ipv6 route static 20 32 11 2 SwitchA ipv6 route static 30 32 11 2 SwitchA ipv6 route static 40 32 11 2 Configure routing policy SwitchA ip ipv6 prefix a index 10 permit 30 32 SwitchA route policy static2ripng deny node 0 SwitchA route policy if match ipv6 address prefix list a Sw...

Page 497: ... via FE80 7D58 0 CA03 1 cost 1 tag 0 A 18 Sec Dest 20 32 via FE80 7D58 0 CA03 1 cost 1 tag 0 A 8 Sec Dest 40 32 via FE80 7D58 0 CA03 1 cost 1 tag 0 A 3 Sec Troubleshooting Routing Policy Configuration IPv6 Routing Information Filtering Failure Symptom Filtering routing information failed while routing protocol runs normally Analysis At least one item of the IPv6 prefix list should be configured as...

Page 498: ...498 CHAPTER 37 ROUTING POLICY CONFIGURATION ...

Page 499: ...ol IPv6 Overview Internet Protocol Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits This section covers the following IPv6 Features on page 499 Introduction to IPv6 Addres...

Page 500: ...onfiguration means that a host acquires an IPv6 address and related information from a server for example DHCP server Stateless address configuration means that a host automatically configures an IPv6 address and related information on basis of its own link layer address and the prefix information advertised by a router In addition a host can generate a link local address on basis of its own link ...

Page 501: ...s of each group are represented by four hexadecimal numbers which are separated by colons for example 2001 0000 130F 0000 0000 09C0 876A 130B To simplify the representation of IPv6 addresses zeros in IPv6 addresses can be handled as follows Leading zeros in each group can be removed For example the above mentioned address can be represented in shorter format as 2001 0 130F 0 0 9C0 876A 130B If an ...

Page 502: ...providers The type of address allows efficient route prefix aggregation to restrict the number of global routing entries The link local address is used for communication between link local nodes in neighbor discovery and stateless autoconfiguration Routers must not forward any packets with link local source or destination addresses to other links IPv6 unicast site local addresses are similar to pr...

Page 503: ... bits long An interface identifier in IEEE EUI 64 format is derived from the link layer address of that interface Interface identifiers in IPv6 addresses are 64 bits long while MAC addresses are 48 bits long Therefore the hexadecimal number FFFE needs to be inserted in the middle of MAC addresses behind the 24 high order bits To ensure the interface identifier obtained from a MAC address is unique...

Page 504: ...sage Number Function Neighbor solicitation NS message 135 Used to acquire the link layer address of a neighbor Used to verify whether the neighbor is reachable Used to perform a duplicate address detection Neighbor advertisement NA message 136 Used to respond to an NS message When the link layer changes the local node initiates an NA message to notify neighbor nodes of the node information change ...

Page 505: ...ress of its neighbor node B node A can verify whether node B is reachable according to NS and NA messages 1 Node A sends an NS message whose destination address is the IPv6 address of node B 2 If node A receives an NA message from node B node A considers that node B is reachable Otherwise node B is unreachable Duplicate address detection After node A acquires an IPv6 address it will perform duplic...

Page 506: ...quest the router for the address prefix and other configuration information for the purpose of autoconfiguration 2 The router returns an RA message containing information such as prefix information option The router also regularly sends an RA message 3 The node automatically configures an IPv6 address and other information for its interface according to the address prefix and other configuration p...

Page 507: ...ce MTU to the source host 3 After receiving the ICMPv6 error packet the source host uses the returned MTU to fragment the packet again and then sends it 4 Step 2 to step 3 are repeated until the destination host receives the packet In this way the minimum MTU of all links in the path from the source host to the destination host is determined Introduction to IPv6 DNS In the IPv6 network a Domain Na...

Page 508: ...asics Configuration Task List Complete the following tasks to perform IPv6 basics configuration Configuring Basic IPv6 Functions Enabling the IPv6 Packet Forwarding Function Before IPv6 related configurations you must enable the IPv6 packet forwarding function Otherwise an interface cannot forward IPv6 packets even if an IPv6 address is configured resulting in communication failures in the IPv6 ne...

Page 509: ...manual assignment takes precedence over the automatic generation That is if you first adopt the automatic generation and then the manual assignment the manually assigned link local address will overwrite the automatically generated one If you first adopt the manual assignment and then the automatic generation the automatically generated link local address will not take effect and the link local ad...

Page 510: ...y is configured by using the first method the device needs to resolve the corresponding Layer 2 port information of the VLAN interface If you adopt the second method to configure a static neighbor entry you should ensure that the corresponding VLAN interface exists and that the layer 2 port specified by port type port number belongs to the VLAN specified by vlan id After a static neighbor entry is...

Page 511: ...form stateless autoconfiguration operations M flag This field determines whether hosts use the stateful autoconfiguration to acquire IPv6 addresses If the M flag is set to 1 hosts use the stateful autoconfiguration to acquire IPv6 addresses Otherwise hosts use the stateless autoconfiguration to acquire IPv6 addresses that is hosts configure IPv6 addresses according to their own link layer addresse...

Page 512: ...rval Configure the prefix information options in RA messages ipv6 nd ra prefix ipv6 address prefix length ipv6 address prefix length valid lifetime preferred lifetime no autoconfig off link Optional By default no prefix information is configured in RA messages and the IPv6 address of the interface sending RA messages is used as the prefix information Set the M flag bit to 1 ipv6 nd autoconfig mana...

Page 513: ...tic PMTU of the specified destination IPv6 address If the packet size is larger than the smaller one between the two values the host fragments the packet according to the smaller value Follow these steps to configure a static PMTU for a specified address Configuring the Aging Time for PMTU After the MTU of the path from the source host to the destination host is dynamically determined refer to IPv...

Page 514: ...it timer expires Size of the IPv6 TCP sending receiving buffer Follow these steps to configure IPv6 TCP properties Configuring ICMPv6 Packet Sending Configuring the Maximum ICMPv6 Error Packets Sent in an Interval If too many ICMPv6 error packets are sent within a short time in a network network congestion may occur To avoid network congestion you can control the maximum number of ICMPv6 error pac...

Page 515: ...atic IPv6 Domain Name Resolution Configuring static IPv6 domain name resolution is to establish the mapping between host name and IPv6 address When applying such applications as Telnet you can directly use a host name and the system will resolve the host name into an IPv6 address Each host name can correspond to only one IPv6 address Follow these steps to configure static IPv6 domain name resoluti...

Page 516: ...c domain name resolution function dns resolve Required Disabled by default Configure an IPv6 DNS server dns server ipv6 ipv6 address interface type interface number Required If the IPv6 address of the DNS server is a link local address you need to specify a value for interface type and interface number Configure the DNS suffix dns domain domain name Required By default no DN suffix is configured t...

Page 517: ...pe interface number static vlan vlan id count Available in any view Display the PMTU information of an IPv6 address display ipv6 pathmtu ipv6 address all dynamic static Display information related to a specified socket display ipv6 socket socktype socket type task id socket id Display the statistics of IPv6 packets and ICMPv6 packets display ipv6 statistics Display the IPv6 TCP connection statisti...

Page 518: ...on SwitchB system view SwitchB ipv6 Configure VLAN interface 2 to automatically generate a link local address SwitchB interface vlan interface 2 SwitchB Vlan interface2 ipv6 address auto link local Configure an EUI 64 address for VLAN interface 2 SwitchB Vlan interface2 ipv6 address 2001 64 eui 64 Configure an aggregatable global unicast address for VLAN interface 2 SwitchB Vlan interface2 ipv6 ad...

Page 519: ...s you should use the i parameter to specify an interface for the link local address SwitchA Vlan interface2 ping ipv6 FE80 20F E2FF FE00 1 i vlan interface2 PING FE80 20F E2FF FE00 1 56 data bytes press CTRL_C to break Reply from FE80 20F E2FF FE00 1 bytes 56 Sequence 1 hop limit 255 time 80 ms Reply from FE80 20F E2FF FE00 1 bytes 56 Sequence 2 hop limit 255 time 60 ms Reply from FE80 20F E2FF FE...

Page 520: ...from 3001 2 bytes 56 Sequence 5 hop limit 255 time 60 ms 3001 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 50 60 70 ms Troubleshooting IPv6 Basics Configuration Symptom The peer IPv6 address cannot be pinged Solution Use the display current configuration command in any view or the display this command in system view to check that the IPv6 pac...

Page 521: ...an upper layer application supporting both IPv4 and IPv6 either TCP or UDP can be selected at the transport layer while IPv6 stack is preferred at the network layer Figure 156 illustrates the IPv4 IPv6 dual stack in relation to the IPv4 stack Figure 156 IPv4 IPv6 dual stack in relation to IPv4 stack on Ethernet Configuring Dual Stack You must enable the IPv6 packet forwarding function before dual ...

Page 522: ... IPv6 address ipv6 address ipv6 address prefix length ipv6 address prefix length Use either command By default no local address or global unicast address is configured on an interface Configure an IPv6 address in the EUI 64 format ipv6 address ipv6 address prefix length eui 64 Configure IPv6 link local address Automatically create an IPv6 link local address ipv6 address auto link local Optional By...

Page 523: ... interface that supports only point to point connections is called tunnel interface One tunnel provides one channel to transfer encapsulated packets Packets can be encapsulated and decapsulated at both ends of a tunnel Tunneling refers to the whole process from data encapsulation to data transfer to data decapsulation n NTP related commands are available in tunnel interface view on 3Com Switch 480...

Page 524: ...ocessing Configured tunnel and automatic tunnel An IPv6 over IPv4 tunnel can be established between hosts between hosts and devices and between devices The tunnel destination needs to forward packets if the tunnel destination is not the eventual destination of the IPv6 packet According to the way the IPv4 address of the tunnel destination is acquired tunnels are divided into configured tunnel and ...

Page 525: ...umber of the 64 bit address prefix in 6to4 addresses can be customized and the first 48 bits in the address prefix are fixed by a permanent value and the IPv4 address of the tunnel source or destination it is possible that IPv6 packets can be forwarded by the tunnel 3 ISATAP tunnel With the application of the IPv6 technology there will be more and more IPv6 hosts in the existing IPv4 network The I...

Page 526: ...ault the IPv6 packet forwarding function is disabled Create a tunnel interface and enter tunnel interface view interface tunnel number Required By default there is no tunnel interface on the device Configure an IPv6 address for the tunnel interface Configure a global unicast IPv6 address or a site local address ipv6 address ipv6 address prefix length ipv6 address prefix length Required Use any com...

Page 527: ... Before configuring dynamic routes you must enable the dynamic routing protocol on the tunnel interfaces at both ends For related configurations refer to Routing Policy Configuration on page 489 Before referencing a link aggregation group on the tunnel interface to receive and send packets make sure that the aggregation group has been configured Otherwise the tunnel interface will not be up to com...

Page 528: ...hernet1 0 1 quit Configure an IPv4 address for VLAN interface 100 SwitchA vlan 100 SwitchA vlan100 port GigabitEthernet 1 0 2 SwitchA vlan100 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ip address 192 168 100 1 255 255 255 0 SwitchA Vlan interface100 quit Configure a manual IPv6 tunnel SwitchA interface tunnel 0 SwitchA Tunnel0 ipv6 address 3001 1 64 SwitchA Tunnel0 source ...

Page 529: ...unnel SwitchB interface tunnel 0 SwitchB Tunnel0 ipv6 address 3001 2 64 SwitchB Tunnel0 source vlan interface 100 SwitchB Tunnel0 destination 192 168 100 1 SwitchB Tunnel0 tunnel protocol ipv6 ipv4 Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchB Tunnel0 aggregation group 1 Configuration verification After the above configurations display the status of th...

Page 530: ...ce 2 hop limit 64 time 16 ms Reply from 3001 2 bytes 56 Sequence 3 hop limit 64 time 1 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 time 15 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 64 time 15 ms 3001 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 15 31 ms Configuring 6to4 Tunnel Configuration Prerequisites IP addresses are ...

Page 531: ...interface view interface tunnel number Required By default there is no tunnel interface on the device Configure an IPv6 address for the tunnel interface Configure an IPv6 global unicast address or site local address ipv6 address ipv6 address prefix length ipv6 address prefix length Required Use either command By default no IPv6 global unicast address or site local address is configured for the tun...

Page 532: ... Network diagram Figure 160 Network diagram for a 6to4 tunnel Configuration procedure Configuration on Switch A Enable IPv6 SwitchA system view SwitchA ipv6 Configure a link aggregation group Disable STP on the port before adding it into the link aggregation group SwitchA link aggregation group 1 mode manual SwitchA link aggregation group 1 service type tunnel SwitchA interface GigabitEthernet 1 0...

Page 533: ...urce vlan interface 100 SwitchA Tunnel0 tunnel protocol ipv6 ipv4 6to4 SwitchA Tunnel0 quit Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchA Tunnel0 aggregation group 1 SwitchA Tunnel0 quit Configure a static route whose destination address is 2002 16 and next hop is the tunnel interface SwitchA ipv6 route static 2002 16 tunnel 0 Configuration on Switch B...

Page 534: ...501 0101 1 64 SwitchB Tunnel0 source vlan interface 100 SwitchB Tunnel0 tunnel protocol ipv6 ipv4 6to4 SwitchB Tunnel0 quit Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchB Tunnel0 aggregation group 1 SwitchB Tunnel0 quit Configure a static route whose destination address is 2002 16 and the next hop is the tunnel interface SwitchB ipv6 route static 2002 1...

Page 535: ...s prefix lengt h Required Use either command By default no IPv6 global unicast address is configured for the tunnel interface ipv6 address ipv6 address prefix lengt h eui 64 Configure an IPv6 link local address ipv6 address auto link local Optional By default a link local address will automatically be generated when an IPv6 global unicast address or link local address is configured ipv6 address ip...

Page 536: ...the tunnel interface to receive and send packets make sure that the aggregation group has been configured Otherwise the tunnel interface will not be up to communicate Configuration Example Network requirements The destination address of a tunnel is an ISATAP address It is required that IPv6 hosts in the IPv4 network can access the IPv6 network via an ISATAP tunnel Network diagram Figure 161 Networ...

Page 537: ... can acquire information such as the address prefix from the RA message released by the ISATAP switch Switch Tunnel0 undo ipv6 nd ra halt Configuration on the ISATAP host The specific configuration on the ISATAP host is related to its operating system The following example shows the configuration of the host running the Windows XP On a Windows XP based host the ISATAP interface is usually interfac...

Page 538: ...tically generates the address 2001 5efe 2 1 1 2 Meanwhile uses Switch Discovery is displayed indicating that the switch discovery function is enabled on the host At this time ping the IPv6 address of the tunnel interface of the switch If the address is successfully pinged an ISATAP tunnel is established Configuration verification After the above configurations the ISATAP host can access the host i...

Page 539: ...to view the cause 2 Another possible cause is that the tunnel destination is unreachable Use the display ipv6 routing table or display ip routing table command to view whether the tunnel destination is reachable If no routing entry is available for tunnel communication in the routing table configure related routes ...

Page 540: ...540 CHAPTER 40 TUNNELING CONFIGURATION ...

Page 541: ... technology a network operator can easily provide new value added services such as live Webcasting Web TV distance learning telemedicine Web radio real time videoconferencing and other bandwidth and time critical information services Comparison of Information Transmission Techniques Unicast In unicast the information source sends a separate copy of information to each host that needs the informati...

Page 542: ... source broadcasts the information Hosts A and C also receive it In addition to information security issues this also causes traffic flooding on the same network Therefore broadcast is disadvantageous in transmitting data to specific hosts moreover broadcast transmission is a significant usage of network resources Multicast As discussed above the unicast and broadcast techniques are unable to prov...

Page 543: ...it multicast uses the network bandwidth reasonably and brings no waste of network resources and enhances network security Roles in Multicast The following roles are involved in multicast transmission An information sender is referred to as a Multicast Source Source in Figure 164 Each receiver is a Multicast Group Member Receiver in Figure 164 All receivers interested in the same information form a...

Page 544: ...l applications stock quotes Any other point to multiple point data distribution application Multicast Models Based on how the receivers treat the multicast sources there are two multicast models ASM model In the ASM model any sender can send information to a multicast group as a multicast source and numbers of receivers can join a multicast group identified by a group address and obtain multicast ...

Page 545: ...nd to end service The multicast architecture involves the following four parts 1 Addressing mechanism Information is sent from a multicast source to a group of receivers through a multicast address 2 Host registration Receiver hosts are allowed to join and leave multicast groups dynamically This mechanism is the basis for group membership management 3 Multicast routing A multicast distribution tre...

Page 546: ...sses 232 0 0 0 8 SSM group addresses and 233 0 0 0 8 Glop group addresses for details see RFC 2770 239 0 0 0 to 239 255 255 255 Administratively scoped multicast addresses These addresses are considered to be locally rather than globally unique and can be reused in domains administered by different organizations without causing conflicts For details refer to RFC 2365 Table 53 Some reserved multica...

Page 547: ...tifying the multicast group For details about this field refer to RFC 3306 Ethernet multicast MAC addresses When a unicast IP packet is transmitted over Ethernet the destination MAC address is the MAC address of the receiver When a multicast packet is transmitted over Ethernet however the destination address is a multicast MAC address because the packet is directed to a group formed by a number of...

Page 548: ... FF1E F30E 0101 to a MAC address Figure 167 An example of IPv6 to MAC address mapping Multicast Protocols n Generally we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols which include IGMP MLD PIM IPv6 PIM and MSDP we refer to IP multicast working at the data link layer as Layer 2 multicast and the corr...

Page 549: ... protocol runs on Layer 3 multicast devices to establish and maintain multicast routes and forward multicast packets correctly and efficiently Multicast routes constitute a loop free data transmission path from a data source to multiple receivers namely a multicast distribution tree In the ASM model multicast routes come in intra domain routes and inter domain routes An intra domain multicast rout...

Page 550: ... the traditional multicast on demand mode when users in different VLANs on a Layer 2 device need multicast information the upstream Layer 3 device needs to forward a separate copy of the multicast data to each VLAN of the Layer 2 device With the multicast VLAN or IPv6 multicast VLAN feature enabled on the Layer 2 device the Layer 3 multicast device needs to send only one copy of multicast to the m...

Page 551: ...cast information from different peers received on different interfaces of the same device every multicast packet is subject to a reverse path forwarding RPF check on the incoming interface The result of the RPF check determines whether the packet will be forwarded or discarded The RPF check mechanism is the basis for most multicast routing protocols to implement multicast forwarding n For details ...

Page 552: ...552 CHAPTER 41 MULTICAST OVERVIEW ...

Page 553: ...ping IGMP Snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups Principle of IGMP Snooping By analyzing received IGMP messages a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast IP addresses and forwards multicast data based on these mappings As shown in Figure 170 when IGMP Snooping is not running on...

Page 554: ...s Router port A router port is a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or IGMP querier In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0 1 of Switch B are router ports The Multicast packet transmission without IGMP Snooping Source Multicast router Host A Receiver Host B Host C Receiver Multicast packets Layer 2 switch Multicast packet transmi...

Page 555: ...rent IGMP messages as follows When receiving a general query The IGMP querier periodically sends IGMP general queries to all hosts and routers 224 0 0 1 on the local subnet to find out whether active multicast group members exist on the subnet Upon receiving an IGMP general query the switch forwards it through all ports in the VLAN except the receiving port and performs the following to the receiv...

Page 556: ...eport through a non router port The reason is as follows Due to the IGMP report suppression mechanism if the switch forwards a report message through a member port all the attached hosts listening to the reported multicast address will suppress their own reports upon hearing this report and this will prevent the switch from knowing whether any hosts attached to that port are still active members o...

Page 557: ...eard on a member port before its aging timer expires this means that no hosts attached to the port are still listening to that group address the switch removes the port from the outgoing port list of the forwarding table entry for that multicast group when the aging timer expires Processing of Multicast Protocol Messages With Layer 3 multicast routing enabled an IGMP Snooping switch processes mult...

Page 558: ...ew Task Remarks Configuring Basic Functions of IGMP Snooping on page 559 Enabling IGMP Snooping on page 559 Required Configuring the Version of IGMP Snooping on page 559 Optional Configuring IGMP Snooping Port Functions on page 560 Configuring Aging Timers for Dynamic Ports on page 560 Optional Configuring Static Ports on page 561 Optional Configuring Simulated Joining on page 561 Optional Configu...

Page 559: ...oping version you actually configure the version of IGMP messages that IGMP Snooping can process IGMP Snooping version 2 can process IGMPv1 and IGMPv2 messages but not IGMPv3 messages which will be flooded in the VLAN IGMP Snooping version 3 can process IGMPv1 IGMPv2 and IGMPv3 messages Follow these steps to configure the version of IGMP Snooping c CAUTION If you switch IGMP Snooping from version ...

Page 560: ...lo messages on a dynamic router port the switch removes the port from the router port list when the aging timer of the port expires If the switch receives no IGMP reports for a multicast group on a dynamic member port the switch removes the port from the outgoing port list of the forwarding table entry for that multicast group when the aging timer of the port for that group expires If multicast gr...

Page 561: ... ports never age out To remove such a port you need to use the corresponding command Configuring Simulated Joining Generally a host running IGMP responds to IGMP queries from the IGMP querier If a host fails to respond due to some reasons the multicast router may deem that no member of this multicast group exists on the network segment and therefore will remove the corresponding forwarding path To...

Page 562: ...atic member port a port configured as a simulated member host will age out like a dynamic member port Configuring Fast Leave Processing The fast leave processing feature allows the switch to process IGMP leave group messages in a fast way With the fast leave processing feature enabled when receiving an IGMP leave group message on a port the switch immediately removes that port from the outgoing po...

Page 563: ...an IP multicast network running IGMP a multicast router or Layer 3 multicast switch is responsible for sending IGMP general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch is called IGMP querier However a Layer 2 multicast switch does not support IGMP...

Page 564: ...nds an IGMP report to the corresponding multicast group An appropriate setting of the maximum response time for IGMP queries allows hosts to respond to queries quickly and avoids bursts of IGMP traffic on the network caused by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously For IGMP general queries you can configure the maximum response ti...

Page 565: ...e source address of IGMP query messages may affect IGMP querier selection within the segment Configuring an IGMP Snooping Policy Configuration Prerequisites Before configuring an IGMP Snooping policy complete the following task Enable IGMP Snooping in the VLAN or enable IGMP on the desired VLAN interface To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Confi...

Page 566: ...ter globally Follow these steps to configure a multicast group filter globally Configuring a multicast group filter on a port or a group of ports Follow these steps to configuring a multicast group filter on a port or a group of ports Configuring Multicast Source Port Filtering With the multicast source port filtering feature enabled on a port the port can be connected with multicast receivers onl...

Page 567: ...icast data received With the function of dropping unknown multicast data disabled the switch floods unknown multicast data in the VLAN which the unknown multicast data belongs to Follow these steps to configure the function of dropping unknown multicast data in a VLAN n When enabled to drop unknown IPv4 multicast data the device is automatically enabled to drop unknown IPv6 multicast data To do Us...

Page 568: ...um number of multicast groups that can be joined on a port or ports n When the number of multicast groups a port has joined reaches the maximum number configured the system deletes all the forwarding entries persistent to that port from the IGMP Snooping forwarding table and the hosts on this port need to join the multicast groups again If you have configured static or simulated joins on a port ho...

Page 569: ...ollow these steps to configure multicast group replacement globally Configuring multicast group replacement on a port or a group of ports Follow these steps to configure multicast group replacement on a port or a group of ports c CAUTION Be sure to configure the maximum number of multicast groups allowed on a port refer to Configuring Maximum Multicast Groups that Can Be Joined on a Port on page 5...

Page 570: ... the following configuration so that multicast data can be forwarded through GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 even if Host A and Host B temporarily stop receiving multicast data for some unexpected reasons Network diagram Figure 172 Network diagram for simulated joining configuration View the statistics information of IGMP messages learned by IGMP Snooping display igmp snooping stat...

Page 571: ...P Snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port GigabitEthernet 1 0 1 to GigabitEthernet 1 0 4 SwitchA vlan100 igmp snooping enable SwitchA vlan100 quit Enable simulated host joining on GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 respectively SwitchA interface GigabitEthernet 1 0 3 SwitchA GigabitEthernet1 0 3 igmp snooping host join 224 1 1 1 vlan 100 SwitchA GigabitEthernet1 0 3...

Page 572: ...P querier Suppose STP runs on the network To avoid data loops the forwarding path from Switch A to Switch C is blocked under normal conditions and multicast traffic flows to the receivers Host A and Host C attached to Switch C only along the path of Switch A Switch B Switch C Now it is required to configure GigabitEthernet 1 0 3 that connects Switch A to Switch C as a static router port so that mu...

Page 573: ...hernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface GigabitEthernet 1 0 2 RouterA GigabitEthernet1 0 2 pim dm RouterA GigabitEthernet1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping SwitchA igmp snooping quit Create VLAN 100 assign GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to this VLAN and enable IGMP Snooping in t...

Page 574: ...tchC igmp snooping SwitchC igmp snooping quit Create VLAN 100 assign GigabitEthernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable IGMP Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port GigabitEthernet 1 0 1 to GigabitEthernet 1 0 5 SwitchC vlan100 igmp snooping enable SwitchC vlan100 quit 6 Verify the configuration View the detailed information about IGMP Snooping multicast...

Page 575: ...h A acts as the IGMP Snooping querier Configure a non all zero IP address as the source IP address of IGMP queries to ensure normal creation of multicast forwarding entries Network diagram Figure 174 Network diagram for IGMP Snooping querier configuration Configuration procedure 1 Configure switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping SwitchA igmp snooping quit ...

Page 576: ...bally SwitchC system view SwitchC igmp snooping SwitchC igmp snooping quit Create VLAN 100 add GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to VLAN 100 and enable IGMP Snooping in this VLAN SwitchC vlan 100 SwitchC vlan100 port GigabitEthernet 1 0 1 to GigabitEthernet 1 0 3 SwitchC vlan100 igmp snooping enable 4 Verify the configuration View the IGMP message statistics on Switch C SwitchC v...

Page 577: ... rule is incorrectly configured The multicast group policy is not correctly applied The function of dropping unknown multicast data is not enabled so unknown multicast data is flooded Certain ports have been configured as static member ports of multicasts groups and this configuration conflicts with the configured multicast group policy Solution 1 Use the display acl command to check the configure...

Page 578: ...78 CHAPTER 42 IGMP SNOOPING CONFIGURATION whether this configuration conflicts with the configured multicast group policy If any conflict exists remove the port as a static member of the multicast group ...

Page 579: ... Snooping MLD Snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups Introduction to MLD Snooping By analyzing received MLD messages a Layer 2 device running MLD Snooping establishes mappings between ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings As shown in Figure 175 when MLD Snoopi...

Page 580: ...ort A router port is a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or MLD querier In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0 1 of Switch B are router ports The IPv6 multicast packet transmission without MLD Snooping Source Multicast router Host A Receiver Host B Host C Receiver IPv6 multicast packets Layer 2 switch IPv6 multicast packet tran...

Page 581: ...s follows General queries The MLD querier periodically sends MLD general queries to all hosts and routers FF02 1 on the local subnet to find out whether IPv6 multicast group members exist on the subnet Upon receiving an MLD general query the switch forwards it through all ports in the VLAN except the receiving port and performs the following to the receiving port If the receiving port is a router ...

Page 582: ... through a non router port The reason is as follows Due to the MLD report suppression mechanism if the switch forwards a report message through a member port all the attached hosts listening to the reported IPv6 multicast address will suppress their own reports upon hearing this report and this will prevent the switch from knowing whether any hosts attached to that port are still active members of...

Page 583: ...at IPv6 multicast group address The switch removes the port from the outgoing port list of the forwarding table entry for that IPv6 multicast group when the aging timer expires Protocols and Standards MLD Snooping is documented in RFC 4541 Considerations for Internet Group Management Protocol IGMP and Multicast Listener Discovery MLD Snooping Switches MLD Snooping Configuration Task List Complete ...

Page 584: ...p view Configuring Basic Functions of MLD Snooping Configuration Prerequisites Before configuring the basic functions of MLD Snooping complete the following tasks Configure the corresponding VLANs Before configuring the basic functions of MLD Snooping prepare the following data The version of MLD Snooping Enabling MLD Snooping Follow these steps to enable MLD Snooping Configuring an MLD Snooping P...

Page 585: ...sion 1 the system will clear all MLD Snooping forwarding entries from dynamic joins and will Keep forwarding entries from version 2 static G joins Clear forwarding entries from version 2 static S G joins which will be restored when MLD Snooping is switched back to version 2 For details about static joins Refer to Configuring Static Ports on page 586 Configuring MLD Snooping Port Functions Configur...

Page 586: ...llow these steps to configure aging timers for dynamic ports in a VLAN Configuring Static Ports If all the hosts attached to a port is interested in the IPv6 multicast data addressed to a particular IPv6 multicast group you can configure that port as a static member port for that IPv6 multicast group You can configure a port of a switch to be static router port through which the switch can forward...

Page 587: ...ulated member host for an IPv6 multicast group When an MLD query is heard simulated host gives a response Thus the switch can continue receiving IPv6 multicast data A simulated host acts like a real host as follows When a port is configured as a simulated member host the switch sends an unsolicited MLD report through that port After a port is configured as a simulated member host the switch respon...

Page 588: ...ocessing helps improve bandwidth and resource usage Configuring fast leave processing globally Follow these steps to configure fast leave processing globally Configuring fast leave processing on a port or a group of ports Follow these steps to configure fast leave processing on a port or a group of ports Enter the corresponding view Enter Ethernet port view interface interface type interface numbe...

Page 589: ... Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch is called MLD querier However a Layer 2 multicast switch does not support MLD and therefore cannot send MLD general queries by default By enabling MLD Snooping querier on a Layer 2 switch in a VLAN where multicast traffic ...

Page 590: ...time to fill their Max Response time field For MLD multicast address specific queries you can configure the MLD last member query interval to fill their Max Response time field Namely for MLD multicast address specific queries the maximum response time equals to the MLD last member query interval Configuring MLD queries and responses globally Follow these steps to configure MLD queries and respons...

Page 591: ...vice provider to define limits of multicast programs available to different users In an actual application when a user requests a multicast program the user s host initiates an MLD report Upon receiving this report message the switch checks the report against the configured ACL rule If the port on which the report was heard can join this IPv6 multicast group the switch adds an entry for this port ...

Page 592: ... a port or a group of ports Follow these steps to configure IPv6 multicast source port filtering on a port or a group of ports To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Configure an IPv6 multicast group filter group policy acl6 number vlan vlan list Required No IPv6 filter configured by default namely hosts can join any IPv6 multicast group To...

Page 593: ...ticast group member the Layer 2 device forwards the message to the Layer 3 device directly connected with it Thus when multiple members belonging to an IPv6 multicast group exist on the Layer 2 device the Layer 3 device directly connected with it will receive duplicate MLD reports from these members With the MLD report suppression function enabled within a query interval the Layer 2 device forward...

Page 594: ...ial reasons the number of IPv6 multicast groups passing through a switch or port may exceed the number configured for the switch or the port In addition in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automatically A typical example is channel switching namely by joining the new multicast a user automatically switch...

Page 595: ... do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Configure IPv6 multicast group replacement overflow replace vlan vlan list Required Disabled by default To do Use the command Remarks Enter system view system view Enter the corresponding view Enter Ethernet port view interface interface type interface number Use either command Enter port group view port...

Page 596: ...IPv6 forwarding and configure the IPv6 address of each interface Enable IPv6 forwarding and configure an IPv6 address and prefix length for each interface as per Figure 177 The detailed configuration steps are omitted 2 Configure Router A Enable IPv6 multicast routing enable IPv6 PIM DM on each interface and enable MLDv1 on GigabitEthernet 1 0 1 RouterA system view RouterA multicast ipv6 routing e...

Page 597: ...LAN 100 on Switch A SwitchA display mld snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port A Aggregation port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D 00 01 30 IP group s the following ip group s match t...

Page 598: ...receivers along the new path of Switch A Switch C namely IPv6 multicast delivery will be interrupted during this process Network diagram Figure 178 Network diagram for static router port configuration Configuration procedure 1 Enable IPv6 forwarding and configure the IPv6 address of each interface Enable IPv6 forwarding and configure an IP address and prefix length for each interface as per Figure...

Page 599: ...ld snooping quit Create VLAN 100 assign GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to this VLAN and enable MLD Snooping in the VLAN SwitchB vlan 100 SwitchB vlan100 port GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 SwitchB vlan100 mld snooping enable SwitchB vlan100 quit 5 Configure Switch C Enable MLD Snooping globally SwitchC system view SwitchC mld snooping SwitchC mld snooping quit Create ...

Page 600: ... 174 in a Layer 2 only network environment Switch C is attached to the multicast source Source through GigabitEthernet 1 0 3 At least one receiver is connected to Switch B and Switch C respectively MLDv1 is enabled on all the receivers Switch A Switch B and Switch C run MLD Snooping Switch A acts as the MLD Snooping querier Network diagram Figure 179 Network diagram for MLD Snooping querier config...

Page 601: ...tch C Enable IPv6 forwarding and enable MLD Snooping globally SwitchC system view SwitchC ipv6 SwitchC mld snooping SwitchC mld snooping quit Create VLAN 100 add GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to VLAN 100 and enable MLD Snooping in this VLAN SwitchC vlan 100 SwitchC vlan100 port GigabitEthernet 1 0 1 to GigabitEthernet 1 0 3 SwitchC vlan100 mld snooping enable 4 Verify the con...

Page 602: ...IPv6 multicast group policy is not correctly applied The function of dropping unknown IPv6 multicast data is not enabled so unknown IPv6 multicast data is flooded Certain ports have been configured as static member ports of IPv6 multicasts groups and this configuration conflicts with the configured IPv6 multicast group policy Solution 1 Use the display acl ipv6 command to check the configured IPv6...

Page 603: ...roubleshooting MLD Snooping 603 whether this configuration conflicts with the configured IPv6 multicast group policy If any conflict exists remove the port as a static member of the IPv6 multicast group ...

Page 604: ...604 CHAPTER 43 MLD SNOOPING CONFIGURATION ...

Page 605: ...hosts belong as sub VLANs of a multicast VLAN on the Layer 2 device and enable Layer 2 multicast in the multicast VLAN After this configuration Router A replicates the multicast data only within the multicast VLAN instead of forwarding a separate copy of the multicast data to each VLAN This saves the network bandwidth and lessens the burden of the Layer 3 device Configuring Multicast VLAN Follow t...

Page 606: ...ticast source through GigabitEthernet 1 0 2 and to Switch A through GigabitEthernet 1 0 1 IGMP is required on Router A and IGMP Snooping is required on Switch A Router A is the IGMP querier Switch A s GigabitEthernet 1 0 1 belongs to VLAN 1024 GigabitEthernet 1 0 2 through GigabitEthernet 1 0 4 belong to VLAN 11 through VLAN 13 respectively and Host A through Host C are attached to GigabitEthernet...

Page 607: ...Ethernet 1 0 1 RouterA GigabitEthernet 1 0 1 pim dm RouterA GigabitEthernet 1 0 1 igmp enable RouterA GigabitEthernet 1 0 1 quit RouterA interface GigabitEthernet 1 0 2 RouterA GigabitEthernet 1 0 2 pim dm RouterA GigabitEthernet 1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping SwitchA igmp snooping quit Create VLAN 11 and assign GigabitEthern...

Page 608: ... SwitchA vlan1024 port GigabitEthernet 1 0 1 SwitchA vlan1024 igmp snooping enable SwitchA vlan1024 quit Configure VLAN 1024 as multicast VLAN and configure VLAN 11 through VLAN 13 as its sub VLANs SwitchA multicast vlan 1024 enable SwitchA multicast vlan 1024 subvlan 11 to 13 4 Verify the configuration Display information about the multicast VLAN and its sub VLANs SwitchA display multicast vlan m...

Page 609: ...ng as sub VLANs of an IPv6 multicast VLAN on the Layer 2 device and enable IPv6 Layer 2 multicast in the IPv6 multicast VLAN After this configuration Router A replicates the IPv6 multicast data only within the IPv6 multicast VLAN instead of forwarding a separate copy of the IPv6 multicast data to each VLAN This saves the network bandwidth and lessens the burden of the Layer 3 device Configuring IP...

Page 610: ...gh GigabitEthernet 1 0 2 and to Switch A through GigabitEthernet 1 0 1 Router A is an IPv6 multicast router while Switch A is a Layer 2 switch Router A acts as the MLD querier on the subnet Switch A s GigabitEthernet 1 0 1 belongs to VLAN 1024 GigabitEthernet 1 0 2 through GigabitEthernet 1 0 4 belong to VLAN 11 through VLAN 13 respectively and Host A through Host C are attached to GigabitEthernet...

Page 611: ... 1 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface GigabitEthernet 1 0 1 RouterA GigabitEthernet1 0 1 pim ipv6 dm RouterA GigabitEthernet1 0 1 mld enable RouterA GigabitEthernet1 0 1 quit RouterA interface GigabitEthernet1 0 2 RouterA GigabitEthernet1 0 2 pim ipv6 dm RouterA GigabitEthernet1 0 2 quit 3 Configure Switch A Enable MLD Snooping globally SwitchA system v...

Page 612: ...g in this VLAN SwitchA vlan 1024 SwitchA vlan1024 port GigabitEthernet 1 0 1 SwitchA vlan1024 mld snooping enable SwitchA vlan1024 quit Configure VLAN 1024 as an IPv6 multicast VLAN and configure VLAN 11 through VLAN 13 as its sub VLANs SwitchA multicast vlan ipv6 1024 enable SwitchA multicast vlan ipv6 1024 subvlan 11 to 13 4 Verify the configuration Display IPv6 multicast VLAN and sub VLAN infor...

Page 613: ...umented in RFC 1112 IGMPv2 documented in RFC 2236 IGMPv3 documented in RFC 3376 All IGMP versions support the Any Source Multicast ASM model In addition IGMPv3 can be directly used to implement the Source Specific Multicast SSM model Work Mechanism of IGMPv1 IGMPv1 manages multicast group memberships mainly based on the query and response mechanism Of multiple multicast routers on the same subnet ...

Page 614: ...me multicast group because the IGMP routers Router A and Router B already know that at least one host on the local subnet is interested in G1 This mechanism known as IGMP report suppression helps reduce traffic over the local subnet 4 At the same time because Host A is interested in G2 it sends a report to the multicast group address of G2 5 Through the above mentioned query report process the IGM...

Page 615: ...r known as other querier present timer If a router receives an IGMP query from the querier before the timer expires it resets this timer otherwise it assumes the querier to have timed out and initiates a new querier election process Leave group mechanism In IGMPv1 when a host leaves a multicast group it does not send any notification to the multicast router The multicast router relies on host resp...

Page 616: ...ends a report with the Filter Mode denoted as Exclude Sources S1 S2 As shown in Figure 185 the network comprises two multicast sources Source 1 S1 and Source 2 S2 both of which can send multicast data to multicast group G Host B is interested only in the multicast data that Source 1 sends to G but not in the data from Source 2 Figure 185 Flow paths of source and group specific multicast traffic In...

Page 617: ...ude namely the report sender requests the multicast data from any sources but those defined in the specified multicast source list TO_IN The filter mode has changed from Exclude to Include TO_EX The filter mode has changed from Include to Exclude ALLOW The Source Address fields in this Group Record contain a list of the additional sources that the system wishes to hear from for packets sent to the...

Page 618: ... PIM SM Before configuring the basic functions of IGMP prepare the following data IGMP version Multicast group and multicast source addresses for static group member configuration ACL rule for multicast group filtering Enabling IGMP First IGMP must be enabled on the interface on which the multicast group memberships are to be established and maintained Follow these steps to enable IGMP Task Descri...

Page 619: ...ected member of a multicast group Enable IP multicast routing multicast routing enable Required Disabled by default Enter interface view interface interface type interface number Enable IGMP igmp enable Required Disabled by default To do Use the command Description To do Use the command Description Enter system view system view Enter IGMP view igmp Configure an IGMP version globally version versio...

Page 620: ... in both IGMP view and interface view the configuration performed in interface view is given priority regardless of the configuration sequence Configuration Prerequisites Before adjusting IGMP performance complete the following tasks Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer Configure basic functions of IGMP Before adjusting IGM...

Page 621: ... querier sends startup query count IGMP general queries at the startup query interval which is 1 4 of the IGMP query interval Upon receiving an IGMP leave message the IGMP querier sends last member query count IGMP group specific queries at the IGMP last member query interval Both startup query count and last member query count are set to the IGMP querier robustness variable To do Use the command ...

Page 622: ...p specific queries the maximum response time equals the IGMP last member query interval When multiple multicast routers exist on the same subnet the IGMP querier is responsible for sending IGMP queries If a non querier router receives no IGMP query from the querier within the other querier present interval it will assume the querier to have expired and a new querier election process is launched ot...

Page 623: ...or IGMPv2 or IGMPv3 Configuring IGMP Fast Leave Processing Fast leave processing is implemented by IGMP Snooping For details see Configuring Fast Leave Processing on page 562 Displaying and Maintaining IGMP To do Use the command Description Enter system view system view Enter interface view interface interface type interface number Configure IGMP query interval igmp timer query interval Optional 6...

Page 624: ...1 Switch B and Switch C connect to N2 through their respective VLAN interface 200 and to other devices in the PIM network through VLAN interface 201 and VLAN interface 202 respectively IGMPv3 is required between Switch A and N1 IGMPv2 is required between the other two switches and N2 with Switch B as the IGMP querier View IGMP configuration and running information display igmp interface interface ...

Page 625: ...lticast routing and enable IGMP on the host side interfaces Enable IP multicast routing on Switch A and enable IGMP version 3 on VLAN interface 100 SwitchA system view SwitchA multicast routing enable SwitchA interface vlan interface 100 SwitchA Vlan interface100 igmp enable SwitchA Vlan interface100 igmp version 3 SwitchA Vlan interface100 quit Enable IP multicast routing on Switch B and enable I...

Page 626: ...here is no member information of the multicast group G on the router closest to that host Analysis The correctness of networking and interface connections directly affects the generation of group member information Multicast routing must be enabled on the router If the igmp group policy command has been configured on the interface the interface cannot receive report messages that fail to pass filt...

Page 627: ...nning IGMP maintains multiple parameters for each interface and these parameters influence one another forming very complicated relationships Inconsistent IGMP interface parameter configurations for routers on the same subnet will surely result in inconsistency of memberships In addition although IGMP routers are compatible with hosts all routers on the same subnet must run the same version of IGM...

Page 628: ...628 CHAPTER 46 IGMP CONFIGURATION ...

Page 629: ...ndent of the unicast routing protocols running on the device multicast routing can be implemented as long as the corresponding multicast routing entries are created through unicast routes PIM uses the reverse path forwarding RPF mechanism to implement multicast forwarding When a multicast packet arrives on an interface of the device it is subject to an RPF check If the RPF check succeeds the devic...

Page 630: ...h other routers and builds and maintains SPTs by periodically multicasting hello messages to all other PIM routers 224 0 0 13 n Every activated interface on a router sends hello messages periodically and thus learns the PIM neighboring information pertinent to the interface SPT establishment The process of building an SPT is the process of flood and prune 1 In a PIM DM domain when a multicast sour...

Page 631: ... a graft mechanism to resume data forwarding to that branch The process is as follows 1 The node that needs to receive multicast data sends a graft message hop by hop toward the source as a request to join the SPT again 2 Upon receiving this graft message the upstream node puts the interface on which the graft was received into the forwarding state and responds with a graft ack message to the graf...

Page 632: ...to the source the router with a smaller metric to the source wins 3 If there is a tie in route metric to the source the router with a higher IP address of the local interface wins Introduction to PIM SM PIM DM uses the flood and prune principle to build SPTs for multicast data distribution Although an SPT has the shortest path it is built with a low efficiency Therefore the PIM DM mode is not suit...

Page 633: ...is summarized as follows Neighbor discovery DR election RP discovery RPT building Multicast source registration Switchover from RPT to SPT Assert Neighbor discovery PIM SM uses exactly the same neighbor discovery mechanism as PIM DM does Refer to Neighbor discovery on page 630 DR election PIM SM also uses hello messages to elect a designated router DR for a multi access network The elected DR will...

Page 634: ...raffic needs to be forwarded through the RP To lessen the RP burden and optimize the topological structure of the RPT each multicast group should have its own RP Therefore a bootstrap mechanism is needed for dynamic RP election For this purpose a bootstrap router BSR should be configured As the administrative core of a PIM SM domain the BSR collects advertisement messages C RP Adv messages from ca...

Page 635: ... it uses an IGMP message to inform the directly connected DR 2 Upon getting the receiver information the DR sends a join message which is hop by hop forwarded to the RP corresponding to the multicast group 3 The routers along the path from the DR to the RP form an RPT branch Each router on this branch generates a G entry in its forwarding table The means any multicast source The RP is the root whi...

Page 636: ...ends the first multicast packet to a multicast group G the DR directly connected with the multicast source upon receiving the multicast packet encapsulates the packet in a PIM register message and sends the message to the corresponding RP by unicast 2 When the RP receives the register message it extracts the multicast packet from the register message and forwards the multicast packet down the RPT ...

Page 637: ...M DM does through the flood and prune mechanism Assert PIM SM uses exactly the same assert mechanism as PIM DM does Refer to Assert on page 631 Introduction to BSR Admin scope Regions in PIM SM Division of PIM SM domains Typically a PIM SM domain contains only one BSR which is responsible for advertising RP set information within the entire PIM SM domain The information for all multicast groups is...

Page 638: ...min scope regions and the global scope zone in group address ranges In Figure 194 the group address ranges of admin scope scope regions BSR1 and BSR2 have no intersection whereas the group address range of BSR3 is a subset of the address range of BSR1 The group address range of the global scope zone covers all the group addresses other than those of all the BSR admin scope regions That is the grou...

Page 639: ...the PIM SM technique The SSM model provides a solution for source specific multicast It maintains the relationships between hosts and routers through IGMPv3 In actual application part of the PIM SM technique is adopted to implement the SSM model In the SSM model receivers know exactly where a multicast source is located by means of advertisements consultancy and so on Therefore no RP is needed no ...

Page 640: ...on all routers on the path from the DR to the source Thus an SPT is built in the network with the source S as its root and receivers as its leaves This SPT is the transmission channel in PIM SSM If not the PIM SM process is followed the DR needs to send a G join message to the RP and a multicast source registration process is needed n In PIM SSM the channel concept is used to refer to a multicast ...

Page 641: ...e TTL value of state refresh messages Graft retry period Enabling PIM DM With PIM DM enabled a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors When deploying a PIM DM domain you are recommended to enable PIM DM on all interfaces of non border routers border routers are PIM enabled routers located on the boundary of BSR admin scope region...

Page 642: ...eived within the waiting time the router will discard it if this timer times out the router will accept a new state refresh message refresh its own PIM state and reset the waiting timer The TTL value of a state refresh message decrements by 1 whenever it passes a router before it is forwarded to the downstream node until the TTL value comes down to 0 In a small network a state refresh message may ...

Page 643: ...nicast routing protocol so that all devices in the domain are interoperable at the network layer To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure graft retry period pim timer graft retry interval Optional 3 seconds by default Task Remarks Configuring PIM SM on page 643 Required Configuring a BSR on page 644 Perform...

Page 644: ...m PIM neighbors When deploying a PIM SM domain you are recommended to enable PIM SM on all interfaces of non border routers border routers are PIM enabled routers located on the boundary of BSR admin scope regions Follow these steps to enable PIM SM c CAUTION All the interfaces of the same router must work in the same PIM mode Configuring a BSR n The BSR is dynamically elected from a number of C B...

Page 645: ...tself to be the BSR Configuring a legal range of BSR addresses enables filtering of BSR messages based on the address range thus to prevent malicious hosts from initiating attacks by disguising themselves as legitimate BSRs To protect legitimate BSRs from being maliciously replaced preventive measures are taken specific to the following two situations 1 Some malicious hosts intend to fool routers ...

Page 646: ...s In a network divided into BSR admin scope regions BSRs are elected from multitudinous C BSRs to serve different multicast groups The C RPs in a BSR admin scope region send C RP Adv messages to only the corresponding BSR The BSR summarizes the advertisement messages into an RP set and advertises it to all the routers in the BSR admin scope region All the routers use the same algorithm to get the ...

Page 647: ...these steps to configure global C BSR parameters n About the bootstrap timeout time Enable BSR administrative scoping c bsr admin scope Required Disabled by default Configure an admin scope C BSR c bsr group group address mask mask length hash length hash length priority priority Optional No admin scope BSRs by default To do Use the command Remarks Enter system view system view Enter interface vie...

Page 648: ...etwork Configuring a static RP If there is only one dynamic RP in a network manually configuring a static RP can avoid communication interruption due to single point failures and avoid frequent message exchange between C RPs and the BSR To enable a static RP to work normally you must perform this configuration on all the devices in the PIM SM domain and specify the same RP address Follow these ste...

Page 649: ...ion from the received messages and encapsulates its own IP address together with the RP set information in its bootstrap messages The BSR then floods the bootstrap messages to all PIM routers 224 0 0 13 in the network Each C RP encapsulates a timeout value in its C RP Adv message Upon receiving this message the BSR obtains this timeout value and starts a C RP timeout timer If the BSR fails to hear...

Page 650: ...t is the RP stops serving the receivers of a specific multicast group or when the RP formally starts receiving multicast data from the multicast source the RP sends a register stop message to the source side DR Upon receiving this message the DR stops sending register messages encapsulated with multicast data and enters the register suppression state In a probe suppression cycle the DR can send a ...

Page 651: ...the DR election and on the C RPs that may win RP elections If the multicast source is learned through MSDP the device will switch to the SPT immediately after it receives the first multicast packet from the RPT no matter how big the traffic rate threshold is set this threshold is not configurable on a switch Configure a filtering rule for register messages register policy acl number Optional No re...

Page 652: ...the boundary of BSR admin scope regions Follow these steps to enable PIM SM c CAUTION All the interfaces of the same router must work in the same PIM mode Configuring the SSM Group Range As for whether the information from a multicast source is delivered to the receivers based on the PIM SSM model or the PIM SM model this depends on whether the group address in the S G channel subscribed by the re...

Page 653: ...e view is given priority regardless of the configuration sequence PIM Common Information Configuration Task List Complete these tasks to configure PIM common information Configuration Prerequisites Before configuring PIM common information complete the following tasks Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer Configure PIM DM or...

Page 654: ...lts in a more remarkable filtering effect This filter works not only on independent multicast data but also on multicast data encapsulated in register messages Configuring PIM Hello Options No matter in a PIM DM domain or a PIM SM domain the hello messages sent among routers contain many configurable options including DR_Priority for PIM SM only priority for DR election The device with the highest...

Page 655: ... on which the hello message is sent Normally the generation ID of a PIM router does not change unless the status of the router changes for example when PIM is just enabled on the interface or the device is restarted When the router starts or restarts sending hello messages it generates a new generation ID If a PIM router finds that the generation ID in a hello message from the upstream router has ...

Page 656: ...face when this timer times out When a router fails to receive subsequent multicast data from the multicast source S the router will not immediately delete the corresponding S G entries instead it maintains S G entries for a period of time namely the multicast source lifetime before deleting the S G entries Configuring PIM common timers globally Follow these steps to configure PIM common timers glo...

Page 657: ...nterval Optional 180 seconds by default Configure the join prune interval timer join prune interval Optional 60 seconds by default Configure the join prune timeout time holdtime join prune interval Optional 210 seconds by default Configure the multicast source lifetime source lifetime interval Optional 210 seconds by default To do Use the command Remarks Enter system view system view Enter interfa...

Page 658: ...ed graft messages display pim grafts Available in any view View the PIM information on an interface or all interfaces display pim interface interface type interface number verbose Available in any view View the information of join prune messages to send display pim join prune mode sm flags flag value ssm interface interface type interface number neighbor neighbor address verbose Available in any v...

Page 659: ...rough their respective VLAN interface 200 and to Switch D through VLAN interface 101 and VLAN interface 102 respectively IGMPv2 is to run between Switch A and N1 and between Switch B Switch C and N2 Network diagram Figure 196 Network diagram for PIM DM configuration Device Interface IP address Device Interface IP address Switch A Vlan int100 10 110 1 1 24 Switch D Vlan int300 10 110 5 1 24 Vlan in...

Page 660: ...chA Vlan interface100 pim dm SwitchA Vlan interface100 quit SwitchA interface vlan interface 103 SwitchA Vlan interface103 pim dm SwitchA Vlan interface103 quit The configuration on Switch B and Switch C is similar to that on Switch A Enable IP multicast routing on Switch D and enable PIM DM on each interface SwitchD system view SwitchD multicast routing enable SwitchD interface vlan interface 300...

Page 661: ...pim routing table command to view the PIM routing table information on each switch For example View the PIM routing table information on Switch A SwitchA display pim routing table Total 1 G entry 1 S G entry 225 1 1 1 Protocol pim dm Flag WC UpTime 00 04 25 Upstream interface NULL Upstream neighbor NULL RPF prime neighbor NULL Downstream interface s information Total number of downstreams 1 1 Vlan...

Page 662: ...rent BSR admin scope regions Host A and Host C are multicast receivers in two stub networks Switch D connects to the network that comprises the multicast source Source through VLAN interface 300 Switch A connects to stub network N1 through VLAN interface 100 and to Switch D and Switch E through VLAN interface 101 and VLAN interface 102 respectively Switch B and Switch C connect to stub network N2 ...

Page 663: ...e IP multicast routing on Switch A enable PIM SM on each interface and enable IGMPv2 on VLAN interface 100 which connects Switch A to the stub network Device Interface IP address Device Interface IP address Switch A Vlan int100 10 110 1 1 24 Switch D Vlan int300 10 110 5 1 24 Vlan int101 192 168 1 1 24 Vlan int101 192 168 1 2 24 Vlan int102 192 168 9 1 24 Vlan int105 192 168 4 2 24 Switch B Vlan i...

Page 664: ...c 2005 rule permit source 225 1 1 0 0 0 0 255 SwitchE acl basic 2005 quit SwitchE pim SwitchE pim c bsr vlan interface 102 SwitchE pim c rp vlan interface 102 group policy 2005 SwitchE pim quit 4 Verify the configuration Carry out the display pim interface command to view the PIM configuration and running status on each interface For example View the PIM configuration information on Switch A Switc...

Page 665: ...he multicast group G 225 1 1 1 24 An RPT will be built between Switch A and Switch E When the multicast source S 10 110 5 100 24 registers with the RP an SPT will be built between Switch D and Switch E Upon receiving multicast data Switch A immediately switches from the RPT to the SPT Switches on the RPT path Switch A and Switch E have a G entry while switches on the SPT path Switch A and Switch D...

Page 666: ...l pim sm Flag WC UpTime 00 13 16 Upstream interface Register Upstream neighbor 192 168 4 2 RPF prime neighbor 192 168 4 2 Downstream interface s information Total number of downstreams 1 1 Vlan interface102 Protocol pim sm UpTime 00 13 16 Expires 00 03 22 PIM SSM Configuration Example Network requirements Receivers receive VOD information through multicast The receiver groups of different organiza...

Page 667: ...ailed configuration steps are omitted here 2 Enable IP multicast routing and enable PIM SM on each interface Device Interface IP address Device Interface IP address Switch A Vlan int100 10 110 1 1 24 Switch D Vlan int300 10 110 5 1 24 Vlan int101 192 168 1 1 24 Vlan int101 192 168 1 2 24 Vlan int102 192 168 9 1 24 Vlan int105 192 168 4 2 24 Switch B Vlan int200 10 110 2 1 24 Switch E Vlan int104 1...

Page 668: ...ber 2000 SwitchA acl basic 2000 rule permit source 232 1 1 0 0 0 0 255 SwitchA acl basic 2000 quit SwitchA pim SwitchA pim ssm policy 2000 SwitchA pim quit The configuration on Switch B Switch C Switch D and Switch E is similar to that on Switch A 4 Verify the configuration Carry out the display pim interface command to view the PIM configuration and running status on each interface For example Vi...

Page 669: ...ast distribution tree cannot be built correctly and clients cannot receive multicast data Analysis When PIM DM runs on the entire network multicast data is flooded from the first hop router connected with the multicast source to the last hop router connected with the clients along the SPT When the multicast data is flooded to a router no matter which router is it creates S G entries only if it has...

Page 670: ... PIM DM or PIM SM 3 Check that the RPF neighbor is a PIM neighbor Use the display pim neighbor command to view the PIM neighbor information 4 Check that PIM and IGMP are enabled on the interfaces directly connecting to the multicast source and to the receivers 5 Check that the same PIM mode is enabled on related interfaces Use the display pim interface verbose command to check whether the same PIM...

Page 671: ...ise multicast forwarding will fail Solution 1 Check that a route is available to the RP Carry out the display ip routing table command to check whether a route is available on each router to the RP 2 Check the dynamic RP information Use the display pim rp info command to check whether the RP information is consistent on all routers 3 Check the configuration of static RPs Use the display pim rp inf...

Page 672: ...vailable between the RP and the BSR Make sure that each C RP has a unicast route to the BSR the BSR has a unicast route to each C RP and all the routers in the entire network have a unicast route to the RP 2 Check the RP and BSR information PIM SM needs the support of the RP and BSR Use the display pim bsr info command to check whether the BSR information is available on each router and then use t...

Page 673: ...omain is isolated from that of another domain As a result the RP is aware of the source information only within the local domain and a multicast distribution tree is built only within the local domain to deliver multicast data from a local multicast source to local receivers If there is a mechanism that allows RPs of different PIM SM domains to share their multicast source information the local RP...

Page 674: ...de MSDP peer resolves the multicast source information carried in the message and joins the SPT rooted at the source across the PIM SM domain When multicast data from the multicast source arrives the receiver side MSDP peer forwards the data to the receivers along the RPT 4 Intermediate MSDP peer an MSDP peer with multicast remote MSDP peers like RP 2 An intermediate MSDP peer forwards SA messages...

Page 675: ... gets aware of the information related to the multicast source 2 As the source side RP RP 1 creates SA messages and periodically sends the SA messages to its MSDP peer An SA message contains the source address S the multicast group address G and the address of the RP which has created this SA message namely RP 1 3 On MSDP peers each SA message is subject to a reverse path forwarding RPF check and ...

Page 676: ...o longer relies on RPs in other PIM SM domains The receivers can override the RPs in other domains and directly join the multicast source based SPT RPF check rules for SA messages As shown in Figure 201 there are five autonomous systems in the network AS 1 through AS 5 with IGP enabled on routers within each AS and EBGP as the interoperation protocol among different ASs Each AS contains at least o...

Page 677: ...s RP 6 accepts only the SA message from RP 5 5 When RP 7 receives the SA message from RP 6 Because the SA message is from a static RPF peer RP 6 RP 7 accepts the SA message and forwards it to other peer RP 8 6 When RP 8 receives the SA message from RP 7 An EBGP route exists between two MSDP peers in different ASs Because the SA message is from an MSDP peer RP 7 in a different AS and the MSDP peer ...

Page 678: ...at the multicast source In this example RP 2 forwards the multicast data down the RPT When Receiver receives the multicast data from Source it directly joins the SPT rooted at Source The significance of Anycast RP is as follows Optimal RP path A multicast source registers with the nearest RP so that an SPT with the optimal path is built a receiver joins the nearest RP so that an RPT with the optim...

Page 679: ...PIM SM to enable intra domain multicast forwarding Before configuring the basic functions of MSDP prepare the following data IP addresses of MSDP peers Address prefix list for an RP address filtering policy Enabling MSDP Follow these steps to enable MSDP Task Remarks Configuring Basic Functions of MSDP on page 679 Enabling MSDP on page 679 Required Creating an MSDP Peer Connection on page 680 Requ...

Page 680: ...tatic RPF peer Configuring an MSDP Peer Connection Configuration Prerequisites Before configuring MSDP peer connection complete the following tasks Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer Configuring basic functions of MSDP To do Use the command Remarks Enter system view system view Enable IP multicast routing multicast routin...

Page 681: ...nside the group without performing an RPF check and does not forward the message within the mesh group either This mechanism not only avoids SA flooding but also simplifies the RPF check mechanism because BGP is not needed to run between these MSDP peers By configuring the same mesh group name for multiple MSDP peers you can create a mesh group with these MSDP peers Follow these steps to create an...

Page 682: ...all devices in the domain are interoperable at the network layer Configuring basic functions of MSDP Before configuring SA message delivery prepare the following data ACL as a filtering rule for SA request messages ACL as an SA message creation rule ACL as a filtering rule for receiving or forwarding SA messages Minimum TTL value of multicast packets encapsulated in SA messages Maximum SA message ...

Page 683: ... Request Messages By default upon receiving a new Join message a router does not send an SA request message to its designated MSDP peer instead it waits for the next SA message from its MSDP peer This will cause the receiver to delay obtaining multicast source information To enable a new receiver to get the currently active multicast source information as early as possible you can configure router...

Page 684: ...s Configuring SA Message Cache To reduce the time spent in obtaining the multicast source information you can have SA messages cached on the router However the more SA messages are cached the larger memory space of the router is used With the SA cache mechanism enabled when receiving a new Join message the router will not send an SA request message to its MSDP peer instead it acts as follows If th...

Page 685: ...stem view Enter MSDP view msdp Enable the SA message cache mechanism cache sa enable Optional Enabled by default Configure the maximum number of SA messages the router can cache peer peer address sa cache maximum sa limit Optional 8192 by default To do Use the command Remarks View the brief information of MSDP peers display msdp brief state connect down listen shutdown up Available in any view Vie...

Page 686: ...e and enable IGMP on the host side interface VLAN interface 200 Device Interface IP address Device Interface IP address Switch A Vlan int103 10 110 1 2 24 Switch D Vlan int104 10 110 4 2 24 Vlan int100 10 110 2 1 24 Vlan int300 10 110 5 1 24 Vlan int200 10 110 3 1 24 Switch E Vlan int105 10 110 6 1 24 Switch B Vlan int103 10 110 1 1 24 Vlan int102 192 168 3 2 24 Vlan int101 192 168 1 1 24 Loop0 3 ...

Page 687: ...C BSRs and C RPs Configure Loopback 0 as a C BSR and a C RP on Switch B SwitchB pim SwitchB pim c bsr loopback 0 SwitchB pim c rp loopback 0 SwitchB pim quit The configuration on Switch C and Switch E is similar to the configuration on Switch B 4 Configure BGP for mutual route redistribution between BGP and OSPF Configure EBGP on Switch B and redistribute OSPF routes SwitchB bgp 100 SwitchB bgp ro...

Page 688: ...tionships between the switches For example View the information about BGP peering relationships on Switch B SwitchB display bgp peer BGP local router ID 1 1 1 1 Local AS number 100 Total number of peers 1 Peers in established state 1 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 192 168 1 2 4 200 24 21 0 6 00 13 09 Established View the information about BGP peering relationships on Switch C...

Page 689: ...ceive the multicast data You can use the display msdp brief command to view the brief information of MSDP peering relationships between the switches For example View the brief information about MSDP peering relationships on Switch B SwitchB display msdp brief MSDP Peer Brief Information Configured Up Listen Connect Shutdown Down 1 1 0 0 0 0 Peer s Address State Up Down time AS SA Count Reset Count...

Page 690: ...ackets 0 0 Inter AS Multicast Configuration Leveraging Static RPF Peers Network requirements There are two ASs in the network AS 100 and AS 200 respectively OSPF is running within each AS and BGP is running between the two ASs PIM SM 1 belongs to AS 100 while PIM SM 2 and PIM SM 3 belong to AS 200 Each PIM SM domain has zero or one multicast source and receiver OSPF runs within each domain to prov...

Page 691: ...n the host side interface VLAN interface 200 Device Interface IP address Device Interface IP address Switch A Vlan int103 10 110 1 2 24 Switch D Vlan int104 10 110 4 2 24 Vlan int100 10 110 2 1 24 Vlan int300 10 110 5 1 24 Vlan int200 10 110 3 1 24 Switch E Vlan int105 10 110 6 1 24 Switch B Vlan int103 10 110 1 1 24 Vlan int102 192 168 3 2 24 Vlan int101 192 168 1 1 24 Loop0 3 3 3 3 32 Vlan int10...

Page 692: ...tion on Switch B 3 Configure C BSRs and C RPs Configure Loopback 0 as a C BSR and a C RP on Switch B SwitchB pim SwitchB pim c bsr loopback 0 SwitchB pim c rp loopback 0 SwitchB pim quit The configuration on Switch C and Switch E is similar to the configuration on Switch B 4 Configure a static RPF peer Configure Switch C and Switch E as a static RPF peers of Switch B SwitchB ip ip prefix list df p...

Page 693: ...ss State Up Down time AS SA Count Reset Count 192 168 3 2 Up 01 07 08 8 0 192 168 1 2 Up 00 16 39 13 0 View the brief MSDP peer information on Switch C SwitchC display msdp brief MSDP Peer Brief Information Configured Up Listen Connect Shutdown Down 1 1 0 0 0 0 Peer s Address State Up Down time AS SA Count Reset Count 192 168 1 1 Up 01 07 09 8 0 View the brief MSDP peer information on Switch E Swi...

Page 694: ...0 SwitchB system view SwitchB multicast routing enable Device Interface IP address Device Interface IP address Source 1 10 110 5 100 24 Switch C Vlan int101 192 168 1 2 24 Source 2 10 110 6 100 24 Vlan int102 192 168 2 2 24 Switch A Vlan int300 10 110 5 1 24 Switch D Vlan int200 10 110 3 1 24 Vlan int103 10 110 2 2 24 Vlan int104 10 110 4 1 24 Switch B Vlan int100 10 110 1 1 24 Vlan int102 192 168...

Page 695: ...as a C RP on Switch B SwitchB pim SwitchB pim c bsr loopback 10 SwitchB pim c rp loopback 20 SwitchB pim quit The configuration on Switch D is similar to the configuration on Switch B 4 Configure MSDP peers Configure an MSDP peer on Loopback 0 of Switch B SwitchB msdp SwitchB msdp originating rp loopback 0 SwitchB msdp peer 2 2 2 2 connect interface loopback 0 SwitchB msdp quit Configure an MSDP p...

Page 696: ...ULL Downstream interface s information Total number of downstreams 1 1 Vlan interface100 Protocol igmp UpTime 00 15 04 Expires 10 110 5 100 225 1 1 1 RP 10 1 1 1 local Protocol pim sm Flag SPT 2MSDP ACT UpTime 00 46 28 Upstream interface Vlan interface103 Upstream neighbor 10 110 2 2 RPF prime neighbor 10 110 2 2 Downstream interface s information Total number of downstreams 1 1 Vlan interface100 ...

Page 697: ...igured MSDP peers stay in the down state Analysis A TCP connection based MSDP peering relationship is established between the local interface address and the MSDP peer after the configuration The TCP connection setup will fail if there is a consistency between the local interface address and the MSDP peer address configured on the router If no route is available between the MSDP peers the TCP conn...

Page 698: ...aults in Anycast RP Application Symptom RPs fail to exchange their locally registered S G entries with one another in the Anycast RP application Analysis In the Anycast RP application RPs in the same PIM SM domain are configured to be MSDP peers to achieve load balancing among the RPs An MSDP peer address must be different from the anycast RP address and the C BSR and C RP must be configured on di...

Page 699: ...Troubleshooting MSDP 699 4 Verify that the C BSR address is different from the anycast RP address ...

Page 700: ...700 CHAPTER 48 MSDP CONFIGURATION ...

Page 701: ...different multicast routing protocols forms a general multicast routing table The multicast forwarding table is directly used to control the forwarding of multicast packets A multicast forwarding table consists of a set of S G entries each indicating the routing information for delivering multicast data from a multicast source to a multicast group If a router supports multiple multicast protocols ...

Page 702: ...multicast forwarding table 6 If the interface on which the packet actually arrived is the RPF interface the RPF check is successful and the router forwards the packet to all the outgoing interfaces 7 If the interface on which the packet actually arrived is not the RPF interface the RPF check fails and the router discards the packet RPF check The basis for an RPF check is a unicast route or a multi...

Page 703: ...ed tree from the multicast source to the rendezvous point RP packet source means the multicast source For a packet traveling along the rendezvous point tree RPT from the RP to the receivers packet source means the RP For a bootstrap message from the bootstrap router BSR packet source means the BSR For details about the concepts of SPT RPT and BSR refer to PIM Configuration on page 629 Assume that ...

Page 704: ...not guides multicast forwarding so it is also called an RPF static route A multicast static route is effective on the multicast router on which it is configured and will not be broadcast throughout the network or injected to other routers A multicast static route is an important basis for RPF checks With a multicast static route configured on a router the router searches the unicast routing table ...

Page 705: ...Response with the IGMP Type field set to 0x1E Process of multicast traceroute 1 The querier sends a query to the last hop router 2 Upon receiving the query the last hop router turns the query packet into a request packet by adding a response data block containing its interface addresses and packet statistics to the end of the packet and forwards the request packet via unicast to the previous hop f...

Page 706: ...forwarded only through primary IP addresses rather than secondary addresses even if configured on interfaces For details about primary and secondary IP addresses refer to IP Addressing Configuration on page 121 Configuring Multicast Static Routes Based on the application environment a multicast static route has the following two functions Changing an RPF route If the multicast topology structure i...

Page 707: ...ific to a particular multicast group on all interfaces that support multicast forwarding A multicast forwarding boundary sets the boundary condition for the multicast groups in the specified range If the destination address of a multicast packet matches the set boundary condition the packet will not be forwarded Once a multicast boundary is configured on an interface this interface can no longer f...

Page 708: ...le is smaller than the current number the routes in excess of the configured limit will not be deleted immediately instead they must be deleted by the multicast routing protocol In addition newly added route entries cannot be installed to the forwarding table Follow these steps to configure the multicast forwarding table size Tracing a Multicast Path You can run the mtracert command to trace the p...

Page 709: ...oming interface interface type interface number register outgoing interface exclude include match interface type interface number register statistics port info Available in any view View the multicast routing table information display multicast routing table source address mask mask mask length group address mask mask mask length incoming interface interface type interface number register outgoing...

Page 710: ...Ensure the network layer interoperation among the switches in the PIM DM domain Ensure that the switches can dynamically update their routing information by leveraging the unicast routing protocol The specific configuration steps are omitted here 2 Enable IP multicast routing and enable PIM DM and IGMP Enable IP multicast routing on Switch B enable PIM DM on each interface and enable IGMP on the h...

Page 711: ... 1 2 Referenced route mask 50 1 1 0 24 Referenced route type igp Route selection rule preference preferred Load splitting rule disable As shown above the current RPF route on Switch B is contributed by a unicast routing protocol and the RPF neighbor is Switch A 3 Configure a multicast static route Configure a multicast static route on Switch B specifying Switch C as its RPF neighbor on the route t...

Page 712: ...ing the unicast routing protocol The specific configuration steps are omitted here 2 Enable IP multicast routing and enable PIM DM and IGMP Enable IP multicast routing on Switch C enable PIM DM on each interface and enable IGMP on the host side interface VLAN interface 100 SwitchC system view SwitchC multicast routing enable SwitchC interface vlan interface 100 SwitchC Vlan interface100 igmp enabl...

Page 713: ...e to Source 2 SwitchC ip rpf route static 50 1 1 100 24 20 1 1 2 4 Verify the configuration Use the display multicast rpf info command to view the RPF routes to Source 2 on Switch B and Switch C SwitchB display multicast rpf info 50 1 1 100 RPF information about source 50 1 1 100 RPF interface Vlan interface102 RPF neighbor 30 1 1 2 Referenced route mask 50 1 1 0 24 Referenced route type multicast...

Page 714: ...multicast static route 4 Check that the multicast static route matches the specified routing protocol If a protocol was specified in multicast static route configuration enter the display ip routing table command to check if an identical route was added by the protocol 5 Check that the multicast static route matches the specified routing policy If a routing policy was specified when the multicast ...

Page 715: ... access control protocol 802 1x authenticates and controls accessing devices at the level of port A device connected to an 802 1x enabled port of an access control device can access the resources on the LAN only after passing authentication To get more information about 802 1x go to these topics Architecture of 802 1x on page 715 Operation of 802 1x on page 717 EAP Encapsulation over LANs on page ...

Page 716: ...direction PAE Port access entity PAE refers to the entity that performs the 802 1x algorithm and protocol operations The authenticator PAE uses the authentication server to authenticate a supplicant trying to access the LAN and controls the status of the controlled port according to the authentication result putting the controlled port in the state of authorized or unauthorized In authorized state...

Page 717: ...tocol packets are encapsulated using EAP Encapsulation over LANs and transferred over the LAN Between the authenticator PAE and authentication server EAP protocol packets can be handled in two modes EAP relay and EAP termination In EAP relay mode EAP protocol packets are encapsulated by using the EAP Encapsulation over RADIUS Remote Authentication Dial In User Service and then relayed to the RADIU...

Page 718: ...tion EAP Packet a value of 0x00 Frame for carrying authentication information present between an authenticator system and the authentication server A frame of this type is repackaged and transferred by RADIUS to get through complex networks to reach the authentication server EAPOL Start a value of 0x01 Frame for initiating authentication present between a supplicant and an authenticator EAPOL Logo...

Page 719: ...th Length of the EAP packet including the Code Identifier Length and Data fields in bytes Data Content of the EAP packet This field is zero or more bytes and its format is determined by the Code field EAP Encapsulation over RADIUS Two attributes of RADIUS are intended for supporting EAP authentication EAP Message and Message Authenticator For information about RADIUS packet format refer to Configu...

Page 720: ...col such as RADIUS so that they can go through complex networks and reach the authentication server Generally EAP relay requires that the RADIUS server support the EAP attributes of EAP Message and Message Authenticator At present the EAP relay mode supports four authentication methods EAP MD5 EAP TLS Transport Layer Security EAP TTLS Tunneled Transport Layer Security and PEAP Protected Extensible...

Page 721: ...s Request packet the RADIUS server compares the identify information against its user information table to obtain the corresponding password information Then it encrypts the password information using a randomly generated challenge and sends the challenge information through a RADIUS Access Challenge packet to the authenticator 6 After receiving the RADIUS Access Challenge packet the authenticator...

Page 722: ...nds handshake requests to the supplicant to check whether the supplicant is still online By default if two consecutive handshake attempts end up with failure the authenticator concludes that the supplicant has gone offline and performs the necessary operations guaranteeing that the authenticator always knows when a supplicant goes offline 11 The supplicant can also send an EAPOL Logoff frame to th...

Page 723: ...mer tx period This timer is used in two cases one is when an authenticator retransmits an EAP Request Identity frame and the other is when an authenticator multicasts an EAP Request Identity frame Once an authenticator sends an EAP Request Identity frame to a supplicant it starts this timer If this timer expires but it receives no response from the supplicant it retransmits the request To cooperat...

Page 724: ...ed With the portbased method after the first user of a port passes authentication all other users of the port can access the network without authentication and when the first user goes offline all other users get offline at the same time With the macbased method each user of a port must be authenticated separately and when an authenticated user goes offline no other users are affected n After an 8...

Page 725: ...wer the supplicant will fail the authentication If no supplicant on a port passes authentication in a certain period of time 45 seconds by default the port will be added into the guest VLAN If a device with 802 1x enabled and the guest VLAN correctly configured sends an EAP Request Identity packet for the allowed maximum number of times but gets no response it adds the port into the guest VLAN acc...

Page 726: ...figuration of the RADIUS client refer to Configuring RADIUS on page 765 Configuring 802 1x Globally Follow these steps to configure 802 1x globally To do Use the command Remarks Enter system view system view Enable 802 1x globally dot1x Required Disabled by default Set the authentication method dot1x authentication method chap eap pap Optional CHAP by default Set the port access control parameters...

Page 727: ...t Follow these steps to configure 802 1x parameters for a port Set timers dot1x timer handshake period handshake period value quiet period quiet period value server timeout server timeout value supp timeout supp timeout value tx period tx period value Optional The defaults are as follows 15 seconds for the handshake timer 60 seconds for the quiet timer 100 seconds for the server timeout timer 30 s...

Page 728: ... Configuring RADIUS on page 765 If the username of a supplicant contains the version number or one or more blank spaces you can neither retrieve information nor disconnect the supplicant by using the username However you can use items such as IP address and connection index number to do so Configuring a Guest VLAN Configuration Prerequisites Enable 802 1x Set the port access control method to port...

Page 729: ...ants All supplicants belong to default domain aabbcc net which can accommodate up to 30 users RADIUS authentication is performed at first and then local authentication when no response from the RADIUS server is received If the RADIUS accounting fails the authenticator gets users offline A server group with two RADIUS servers is connected to the switch The IP addresses of the servers are 10 1 1 1 a...

Page 730: ...on procedure covers most AAA RADIUS configuration commands for the authenticator while configuration on the supplicant and RADIUS server are omitted For information about AAA RADIUS configuration commands refer to Configuring AAA on page 758 and Configuring RADIUS on page 765 Configure the IP addresses for each interface Omitted Add local access user localuser enable the idle cut function and set ...

Page 731: ... RADIUS server Sysname radius radius1 timer realtime accounting 15 Specify the device to remove the domain name of any username before passing the username to the RADIUS server Sysname radius radius1 user name format without domain Sysname radius radius1 quit Create domain aabbcc net and enter its view Sysname domain aabbcc net Set radius1 as the RADIUS scheme for users of the domain and specify t...

Page 732: ...n Example Network requirements As shown in Figure 220 A host is connected to port GigabitEthernet 1 0 1 of the switch and must pass 802 1x authentication to access the Internet The authentication server run RADIUS and is in VLAN 2 The update server which is in VLAN 10 is for client software download and upgrade Port GigabitEthernet 1 0 2 of the switch which is in VLAN 5 is for accessing the Intern...

Page 733: ...ure 221 Network diagram with VLAN 10 as the guest VLAN Internet Update server Authenticator server Supplicant VLAN 10 GE1 0 4 VLAN 1 GE1 0 1 VLAN 5 GE1 0 2 VLAN 2 GE1 0 3 Switch Internet Update server Authenticator server Supplicant VLAN 10 GE1 0 4 GuestVlan 10 GE1 0 1 VLAN 5 GE1 0 2 VLAN 2 GE1 0 3 VLAN 10 Switch ...

Page 734: ...use RADIUS scheme 2000 for users of the domain Sysname domain system Sysname isp system authentication default radius scheme 2000 Sysname isp system authorization default radius scheme 2000 Sysname isp system accounting default radius scheme 2000 Sysname isp system quit Enable 802 1x globally Sysname dot1x Enable 802 1x for port GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname...

Page 735: ... Configuration Example Network requirements As shown in Figure 223 a host is connected to port GigabitEthernet1 0 1 of the device and must pass 802 1x authentication to access the Internet Configure the RADIUS server to assign ACL 3000 Enable 802 1x authentication on GigabitEthernet1 0 1 of the device and configure ACL 3000 After the host passes 802 1x authentication the RADIUS server assigns ACL ...

Page 736: ...ysname isp 2000 accounting default radius scheme 2000 Sysname isp 2000 quit Configure ACL 3000 to deny packets destined for 10 0 0 1 Sysname acl number 3000 Sysname acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Enable 802 1x globally Sysname dot1x Enable 802 1x for GigabitEthernet1 0 1 Sysname interface GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 dot1x After logging in successfully a user...

Page 737: ...ly the HABP server sends HABP requests to the client periodically to collect the MAC address es of the attached switch es The client responds to the requests and forwards the HABP requests to the attached switch es The HABP server usually runs on the administrative device while the HABP client runs on the attached switches Configuring HABP Complete the following tasks to configure HABP Configuring...

Page 738: ...d Required HABP works in client mode by default Set the interval to send HABP requests habp timer interval Optional 20 seconds by default To do Use the command Remarks To do Use the command Remarks Enter system view system view Enable HABP habp enable Optional Enabled by default Configure HABP to work in client mode undo habp server Optional HABP works in client mode by default To do Use the comma...

Page 739: ...sed MAC authentication Local MAC authentication For detailed information about RADIUS authentication and local authentication refer to Configuring RADIUS on page 765 After determining the authentication mode to be used you can choose the type of MAC authentication username including MAC address where the MAC address of a user serves as both the username and password Fixed username where all users ...

Page 740: ... connection to the RADIUS server has timed out and forbids the user from accessing the network Quiet MAC Address When a user fails MAC authentication the MAC address becomes a quiet MAC address which means that any packets from the MAC address will be discarded simply by the device until the quiet timer expires This prevents the device from authenticating invalid users repeatedly in a short time c...

Page 741: ...s Enter system view system view Enable MAC authentication globally mac authentication Required Disabled by default Enable MAC authentication for specified ports mac authentication interface interface list Required Disabled by default interface interface type interface number mac authentication quit Specify the ISP domain for MAC authentication mac authentication domain isp name Optional The defaul...

Page 742: ...ntication Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes Network Diagram Figure 224 Network diagram for local MAC authentication Configuration Procedure 1 Configure MAC authentication on the switch Add a local user Sysname system view Sysname local user aaa Sysname luser aaa password simple 123456 Sysname luser aaa service type lan access Sysname luser aaa quit Config...

Page 743: ...hentication is Enabled User name format is fixed account Fixed username aaa Fixed password 123456 Offline detect period is 180s Quiet period is 60s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 1 Current domain is aabbcc net Silent Mac User info MAC ADDR From Port Port Index GigabitGigabitEthernet1 0 1 is link up MAC address authe...

Page 744: ...s 2000 quit Specify the AAA schemes for the ISP domain Sysname domain 2000 Sysname isp 2000 authentication default radius scheme 2000 Sysname isp 2000 authorization default radius scheme 2000 Sysname isp 2000 accounting default radius scheme 2000 Sysname isp 2000 quit Enable MAC authentication globally Sysname mac authentication Enable MAC authentication for port GigabitEthernet 1 0 1 Sysname mac ...

Page 745: ...failed 0 Current online user number is 1 MAC ADDR Authenticate state AuthIndex 00e0 fc12 3456 MAC_AUTHENTICATOR_SUCCESS 29 ACL Assigning Configuration Example Network requirements As shown in Figure 226 a host is connected to port GigabitEthernet1 0 1 of the switch and must pass MAC authentication to access the Internet Configure the RADIUS server to assign ACL 3000 On port Ethernet 1 0 of the swi...

Page 746: ...cheme 2000 Sysname isp 2000 accounting default radius scheme 2000 Sysname isp 2000 quit Configure ACL 3000 to deny packets destined for 10 0 0 1 Sysname acl number 3000 Sysname acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Sysname acl adv 3000 quit Enable MAC authentication globally Sysname mac authentication Enable MAC authentication for port GigabitEthernet1 0 1 Sysname interface GigabitEth...

Page 747: ...leshooting AAA RADIUS HWTACACS on page 779 AAA RADIUS HWTAC ACS Overview This section covers these topics Introduction to AAA on page 747 Introduction to RADIUS on page 749 Introduction to HWTACACS on page 754 Introduction to AAA Authentication Authorization and Accounting AAA provides a uniform framework for configuring these three security functions to implement network security management AAA u...

Page 748: ...her a user is legal Authorization Grants different users different rights For example a user logging into the server can be granted the permission to access and print the files in the server Accounting Records all network service usage information of users including the service type start and end time and traffic In this way accounting can be used for not only accounting itself but also network se...

Page 749: ...etwork It passes user information to designated RADIUS servers and acts on the response for example rejects or accepts user access requests Server The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access It authenticates a user after receiving a connection request and returns the processing resul...

Page 750: ... an authentication request Access Request to the RADIUS server where the user password is encrypted by the Message Digest 5 MD5 algorithm with the shared key 3 The RADIUS server authenticates the username and password If the authentication succeeds it sends back an Access Accept message containing the information of user s right If the authentication fails it returns an Access Reject message 4 The...

Page 751: ... and their meanings Code Attribute Identifier 0 7 Length Authenticator 16bytes 7 15 31 Table 58 Main values of the Code field Code Packet type Description 1 Access Request From the client to the server A packet of this type carries user information for the server to authenticate the user It must contain the User Name attribute and can optionally contain the attributes of NAS IP Address User Passwo...

Page 752: ... the type of the attribute Commonly used attributes for RADIUS authentication and authorization are listed in Table 59 7 Length One byte for indicating the length of the attribute in bytes including the Type Length and Value fields 8 Value Value of the attribute up to 253 bytes Its format and content depend on the Type and Length fields 5 Accounting Response From the server to the client The serve...

Page 753: ...nt Endpoint 20 Callback ID 67 Tunnel Server Endpoint 21 unassigned 68 Acct Tunnel Connection 22 Framed Route 69 Tunnel Password 23 Framed IPX Network 70 ARAP Password 24 State 71 ARAP Features 25 Class 72 ARAP Zone Access 26 Vendor Specific 73 ARAP Security 27 Session Timeout 74 ARAP Security Data 28 Idle Timeout 75 Password Retry 29 Termination Action 76 Prompt 30 Called Station Id 77 Connect Inf...

Page 754: ...e device to perform operations Differences between HWTACACS and RADIUS HWTACACS and RADIUS have many common features like implementing AAA using a client server model using shared keys for user information security and having good flexibility and extensibility Meanwhile they also have differences as listed in Table 60 Type Length 0 Vendor ID 7 15 31 Vendor ID continued Vendor Type Vendor Length Ve...

Page 755: ...the request the HWTACACS client asks the user for the username 5 The user enters the username 8VHU 7 6 FOLHQW 7 6 VHUYHU 7KH XVHU ORJV LQ 6WDUW DXWKHQWLFDWLRQ SDFNHW XWKHQWLFDWLRQ UHVSRQVH UHTXHVWLQJ WKH XVHUQDPH 5HTXHVW IRU XVHUQDPH 7KH XVHU HQWHUV WKH XVHUQDPH XWKHQWLFDWLRQ FRQWLQXDQFH SDFNHW ZLWK WKH XVHUQDPH XWKHQWLFDWLRQ UHVSRQVH UHTXHVWLQJ WKH ORJLQ SDVVZRUG 5HTXHVW IRU SDVVZRUG 7KH XVHU HQW...

Page 756: ...ow authorized the HWTACACS client pushes the configuration interface of the NAS to the user 15 The HWTACACS client sends a start accounting request to the HWTACACS server 16 The HWTACACS server sends back an accounting response indicating that it has received the start accounting request 17 The user logs off 18 The HWTACACS client sends a stop accounting request to the HWTACACS server 19 The HWTAC...

Page 757: ...t Parameters on page 766 Optional Setting the Shared Key for RADIUS Packets on page 767 Required Setting the Maximum Number of RADIUS Request Retransmission Attempts on page 767 Optional Setting the Supported RADIUS Server Type on page 768 Optional Setting the Status of RADIUS Servers on page 768 Optional Configuring Attributes Related to the Data Sent to the RADIUS Server on page 769 Optional Set...

Page 758: ...Reference a configured HWTACACS scheme to implement authentication authorization and accounting For HWTACACS scheme configuration refer to Configuring HWTACACS on page 771 Creating an ISP Domain For the NAS each accessing user belongs to an ISP domain Up to 16 ISP domains can be configured on a NAS If a user does not provide the ISP domain name the system considers that the user belongs to the def...

Page 759: ... local and none authentication modes do not require any scheme Determine the access mode or service type to be configured With AAA you can configure an authentication scheme specifically for each access mode and service type limiting the authentication protocols that can be used for access Determine whether to configure an authentication scheme for all access modes or service types Follow these st...

Page 760: ...orization server and to send authorization information to users authorized Authorization scheme configuration is optional in AAA configuration If you do not perform any authorization configuration the system default domain uses the local authorization scheme With the authorization scheme of none the users are not required to be authorized in which case an authenticated user has the default right T...

Page 761: ...n fails the error message returned to the NAS says that the server is not responding With the radius scheme radius scheme name local or hwtacacs scheme hwtacacs scheme name local keyword and argument combination configured the local scheme is the backup scheme and is used only when the RADIUS server or TACACS server is not available To do Use the command Remarks Enter system view system view Creat...

Page 762: ... scheme Before configuring an authorization scheme complete these three tasks 1 For RADIUS or HWTACACS accounting configure the RADIUS or HWTACACS scheme to be referenced first The local and none authentication modes do not require any scheme 2 Determine the access mode or service type to be configured With AAA you can configure an accounting scheme specifically for each access mode and service ty...

Page 763: ...t create a local user and configure the attributes A local user represents a set of users configured on a device which are uniquely identified by the username For a user requesting network service to pass local authentication you must add an entry as required in the local user database of the device Follow these steps to configure the attributes for a local user Specify the accounting scheme for l...

Page 764: ...vels and Command Levels on page 1026 respectively Both the service type and level commands can be used to specify user priority The one used later has the final effect Specify the service types for the user Specify the service types for the user service type lan access ssh telnet terminal level level Required No service is authorized to a user by default Authorize the user to use the FTP service a...

Page 765: ...he parameters necessary for the information interaction between a NAS and a RADIUS server For these settings to take effect you must reference the RADIUS scheme containing those settings in ISP domain view For information about the commands for referencing a scheme refer to Configuring AAA on page 758 Creating a RADIUS Scheme Before performing other RADIUS configurations follow these steps to crea...

Page 766: ...ired The defaults are as follows 0 0 0 0 for the IP address and 1812 for the port Configure the IP address and UDP port of the secondary RADIUS authentication authorization server secondary authentication ip address port number Optional The defaults are as follows 0 0 0 0 for the IP address and 1812 for the port To do Use the command Remarks To do Use the command Remarks Enter system view system v...

Page 767: ... properly receive the packets and make responses Follow these steps to set the shared key for RADIUS packets n The shared key configured on the device must be the same as that configured on the RADIUS server Setting the Maximum Number of RADIUS Request Retransmission Attempts Because RADIUS uses UDP packets to carry data the communication process is not reliable If a NAS receives no response from ...

Page 768: ...ails the primary server turns into the state of block and the device turns to the secondary server In this case If the secondary server is available the device triggers the primary server quiet timer After the quiet timer times out the status of the primary server is active again and the status of the secondary server remains the same If the secondary server fails the device restores the status of...

Page 769: ...IUS accounting server state primary accounting active block Set the status of the secondary RADIUS authentication authorization server state secondary authentication active block Set the status of the secondary RADIUS accounting server state secondary accounting active block To do Use the command Remarks To do Use the command Remarks Enter system view system view Enable the RADIUS trap function ra...

Page 770: ... changes to blocked and the device will communicate with the secondary server with an IP address configured If the secondary server is reachable the primary server will resume active after the period specified by this timer and the secondary server s state does not change Real time accounting interval realtime accounting This timer defines the interval for performing real time accounting of users ...

Page 771: ...led with the accounting on function when you execute the accounting on enable command you need to save the configuration and restart the device so that the command takes effect Otherwise the command takes effect immediately Enabling the Listening Port of the RADIUS Client Follow these steps to enable the listening port of the RADIUS client Configuring HWTACACS Creating a HWTACAS scheme The HWTACAC...

Page 772: ...view hwtacacs scheme hwtacacs scheme name Required Not defined by default Configure the IP address and port of the primary HWTACACS authentication server primary authentication ip address port number Required The defaults are as follows 0 0 0 0 for the IP address and 49 for the TCP port Configure the IP address and port of the secondary HWTACACS authentication server secondary authentication ip ad...

Page 773: ...erify the packets Only when the same key is used can they properly receive the packets and make responses Follow these steps to set the shared key for HWTACACS packets To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Configure the IP address and port of the primar...

Page 774: ...Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specify the format of the username to be sent to a HWTACACS server user name format with domain without domain Optional By default the ISP domain name is included in the username Specify the unit for data flows or packets to be sent to a HWTACACS server data flow format data...

Page 775: ...ame Available in any view Display information about specified or all user connections display connection access type dot1x mac authentication portal domain isp name interface interface type interface number ip ip address mac mac address ucibindex ucib index user name user name vlan vlan id Available in any view Display information about specified or all local users display local user idle cut disa...

Page 776: ...red stop accounting requests that get no responses reset stop accounting buffer radius scheme radius server name session id session id time range start time stop time user name user name Available in user view Clear the statistics on the local server reset local server statistics Available in user view To do Use the command Remarks To do Use the command Remarks Display configuration information or...

Page 777: ...10 1 1 1 49 Switch hwtacacs hwtac primary accounting 10 1 1 1 49 Switch hwtacacs hwtac key authentication expert Switch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac key accounting expert Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Apply the AAA schemes to the domain Switch domain 1 Switch isp 1 authentication login hwtacacs scheme hwtac Switch ...

Page 778: ...rver is used for accounting Its IP address is 10 1 1 1 On the switch set the shared keys for packets exchanged with the RADIUS server to expert Configure the switch to remove the domain name from a user name before sending the user name to the HWTACACS server n Configuration of separate AAA for other types of users is similar to that given in this example The only difference lies in the access typ...

Page 779: ... domain Switch domain 1 Switch isp 1 authentication login local Switch isp 1 authorization login hwtacacs scheme hwtac Switch isp 1 accounting login radius scheme rd Switch isp 1 quit Configure the default AAA schemes for all types of users Switch domain 1 Switch isp 1 authentication default local Switch isp 1 authorization default hwtacacs scheme hwtac Switch isp 1 accounting default radius schem...

Page 780: ... RADIUS server work well at both physical and link layers 2 The IP address of the RADIUS server is correctly configured on the NAS 3 UDP ports for authentication authorization accounting configured on the NAS are the same as those configured on the RADIUS server Symptom3 A user is authenticated and authorized but accounting for the user is not normal Analysis 1 The accounting port number is not co...

Page 781: ...ion host To this end the IP address must be resolved into the corresponding data link layer address n Unless otherwise stated the data link layer addresses that appear in this chapter refer to the 48 bit Ethernet MAC addresses ARP Message Format Figure 235 ARP message format The following explains the fields in Figure 235 Hardware type This field specifies the hardware address type The value 1 rep...

Page 782: ... to encapsulate the IP packet into a data link layer frame and sends the frame to Host B 2 If Host A finds no entry for Host B Host A buffers the packet and broadcasts an ARP request in which the source IP address and source MAC address are respectively the IP address and MAC address of Host A and the destination IP address and MAC address are respectively the IP address of Host B and an all zero ...

Page 783: ...nt or non permanent A permanent static ARP entry can be directly used to forward packets When configuring a permanent static ARP entry you must configure a VLAN and outbound port for the entry besides the IP address and MAC address A non permanent static ARP entry cannot be directly used for forwarding data When configuring a non permanent static ARP entry you only need to configure the IP address...

Page 784: ... any ARP entry with a multicast MAC address Configuring such a static ARP entry is not allowed either otherwise the system prompts error information After the ARP entry check is disabled the device can learn the ARP entry with a multicast MAC address and you can also configure such a static ARP entry on the device Follow these steps to enable the ARP entry check Configure a non permanent static AR...

Page 785: ...s a special ARP packet in which the source IP address and destination IP address are both the IP address of the sender the source MAC address is the MAC address of the sender and the destination MAC address is a broadcast address A device can implement the following functions by sending gratuitous ARP packets Determining whether its IP address is already used by another device Informing other devi...

Page 786: ...se the command Remarks To do Use the command Remarks Display the ARP entries in the ARP mapping table display arp all dynamic static vlan vlan id interface interface type interface number begin exclude include string count Available in any view Display the ARP entries for a specified IP address display arp ip address begin exclude include string Available in any view Display the aging time for dyn...

Page 787: ...cases you need to enable the local proxy ARP Devices connected to different isolated Layer 2 ports in the same VLAN on a switch need to implement Layer 3 communication With the isolate user vlan function enabled on a device attached to a switch devices in different secondary VLANs need to implement Layer 3 communication Enabling Proxy ARP Follow these steps to enable proxy ARP or enable local prox...

Page 788: ...tch system view Switch vlan 2 Switch vlan2 quit Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 10 99 255 255 255 0 Switch Vlan interface1 proxy arp enable Switch Vlan interface1 quit Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 20 99 255 255 255 0 Switch Vlan interface2 proxy arp enable Switch Vlan interface2 quit Display whether local pr...

Page 789: ... VLAN 2 Host A and Host B are isolated and unable to exchange Layer 2 packets SwitchB system view SwitchB vlan 2 SwitchB vlan2 port gigabitethernet 1 0 1 SwitchB vlan2 port gigabitethernet 1 0 2 SwitchB vlan2 port gigabitethernet 1 0 3 SwitchB vlan2 quit SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 port isolate enable SwitchB GigabitEthernet1 0 2 quit SwitchB interface giga...

Page 790: ...ich indicates they are isolated at Layer 2 Configure local proxy ARP to let Host A and Host B communicate at Layer 3 SwitchA Vlan interface2 local proxy arp enable SwitchA Vlan interface2 quit Ping Host B on Host A to verify that the two hosts can be pinged through which indicates Layer 3 communication is implemented ...

Page 791: ...on hosts become more complex Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which the client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client A typical DHCP application as shown in Figure 239 includes a DHCP server and multiple clients PCs...

Page 792: ...he sending mode of the DHCP OFFER is determined by the flag field in the DHCP DISCOVER message Refer to DHCP Message Format on page 793 for related information 3 If several DHCP servers send offers to the client the client accepts the first received offer and broadcasts it in a DHCP REQUEST message to formally request the IP address 4 All DHCP servers receive the DHCP REQUEST message but only the ...

Page 793: ...l handle the request as above mentioned DHCP Message Format Figure 241 gives the DHCP message format which is based on the BOOTP message format and involves eight types These types of messages have the same format except that some fields have different values The numbers in parentheses indicate the size of each field in bytes Figure 241 DHCP message format op Message type defined in option field 1...

Page 794: ... BOOTP message for compatibility but differs from it in the option field which identifies new features for DHCP DHCP uses the option field in DHCP messages to carry control information and network configuration parameters implementing dynamic address allocation and providing more network configuration information for clients Figure 242 shows the DHCP option format Figure 242 DHCP option format Int...

Page 795: ... the clients Option 82 involves at most 255 sub options At least one sub option must be defined Now the DHCP relay agent supports two sub options sub option 1 Circuit ID and sub option 2 Remote ID Option 82 has no unified definition Its padding formats vary with vendors Currently the device supports two padding formats normal and verbose 1 Normal padding format The padding contents for sub options...

Page 796: ...ress along with specified voice parameters from the DHCP server Option 184 involves the following sub options Sub option 1 IP address of the primary network calling processor which is a server serving as the network calling control source and providing program downloads Sub option 2 IP address of the backup network calling processor that DHCP clients will contact when the primary one is unreachabl...

Page 797: ...uration is not supported on loopback interfaces DHCP Snooping must be disabled on the DHCP server Introduction to DHCP Server Application Environment The DHCP server is well suited to the network where It is hard to implement manual configuration and centralized management The hosts are more than the assignable IP addresses and it is impossible to assign a fixed IP address to each host For example...

Page 798: ... segment or the smallest address pool that contains the IP address specified in the giaddr field of the client s request if a DHCP relay agent is in between If no IP address is available in such address pool the DHCP server will fail to assign an address to the client because it cannot assign an IP address from the father address pool to the client For the configuration of such address pool refer ...

Page 799: ...connected to the client When the DHCP server and client are on the same subnet the server will With subaddress specified assign an IP address from the address pool of the subnet which the secondary IP address of the server s interface connected to the client belongs to or assign from the first secondary IP address if several secondary IP addresses exist If no secondary IP address is configured for...

Page 800: ...create a static binding of a client s MAC or ID to IP address in the DHCP address pool Task Remarks Creating a DHCP Address Pool on page 800 Required Configuring an Address Allocation Mode on page 800 Configuring manual address allocation on page 800 Required to configure either of the two Configuring dynamic address allocation on page 801 Configuring a Domain Name Suffix for the Client on page 80...

Page 801: ... client cannot obtain an IP address correctly The ID of the static binding must be identical to the ID displayed by using the display dhcp client verbose command on the client Otherwise the client cannot obtain an IP address Configuring dynamic address allocation You need to specify one and only one address range using a mask for the dynamic address allocation To avoid address conflicts the DHCP s...

Page 802: ...name to IP address mappings to get the host IP address You can specify up to eight DNS servers in the DHCP address pool Follow these steps to configure DNS servers in the DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Specify an IP address range network network address mask length mask mask Required Not speci...

Page 803: ...ination IP address h hybrid node A combination of peer to peer first and broadcast second The h node client unicasts the destination name to the WINS server if no response then broadcasts it to get the destination IP address Follow these steps to configure WINS servers and NetBIOS node type in the DHCP address pool n If b node is specified for the client you need to specify no WINS server address ...

Page 804: ...eters specified in option 184 to the client The client then can initiate a call using parameters in Option 184 Follow these steps to configure option 184 parameters in the DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Specify the BIMS server IP address port number and shared key bims server ip ip address por...

Page 805: ...cify the IP address and name of a TFTP server and the bootfile name in the DHCP address pool on the DHCP server but you do not need to perform any configuration on the DHCP client When option 55 in the requesting client message contains parameters of option 66 option 67 or option 150 the DHCP server will return the IP address and name of the specified TFTP server and bootfile name to the client Fo...

Page 806: ...the lease duration into seconds in hexadecimal notation Configuring the DHCP Server Security Functions This configuration is necessary to secure DHCP services on the DHCP server To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Configure a self defined DHCP option option code ascii ascii string hex hex string 1 16 ip address ip a...

Page 807: ...P address conflicts the DHCP server checks whether the address to be assigned is in use via sending ping packets The DHCP server pings the IP address to be assigned using ICMP If the server gets a response within the specified period the server will ping another IP address otherwise the server will ping the IP addresses once again until the specified number of ping packets are sent If still no res...

Page 808: ...DHCP Relay Agent to Support Option 82 on page 818 and Configuring DHCP Snooping to Support Option 82 on page 828 for related configuration details Displaying and Maintaining the DHCP Server To do Use the command Remarks Enter system view system view Enable the server to handle Option 82 dhcp server relay information enable Optional Enabled by default To do Use the command Remarks Display informati...

Page 809: ...tively In the address pool 10 1 1 0 25 the address lease duration is ten days and twelve hours domain name suffix aabbcc com DNS server address 10 1 1 2 gateway 10 1 1 126 and WINS server 10 1 1 4 In the address pool 10 1 1 128 25 the address lease duration is five days domain name suffix aabbcc com DNS server address 10 1 1 2 and gateway address 10 1 1 254 and there is no WINS server address The ...

Page 810: ...server ip pool 0 SwitchA dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 SwitchA dhcp pool 0 domain name aabbcc com SwitchA dhcp pool 0 dns list 10 1 1 2 SwitchA dhcp pool 0 quit Configure DHCP address pool 1 address range gateway lease duration and WINS server SwitchA dhcp server ip pool 1 SwitchA dhcp pool 1 network 10 1 1 0 mask 255 255 255 128 SwitchA dhcp pool 1 gateway list 10 1 1 126 Switch...

Page 811: ...ect the client s network cable and ping the client s IP address on another host with a long timeout time to check whether there is a host using the same IP address 2 If a ping response is received the IP address has been manually configured on the host Execute the dhcp server forbidden ip command on the DHCP server to exclude the IP address from dynamic allocation 3 Connect the client s network ca...

Page 812: ...812 CHAPTER 57 DHCP SERVER CONFIGURATION ...

Page 813: ...ted only VLAN interfaces DHCP Snooping must be disabled on the DHCP relay agent Introduction to DHCP Relay Agent Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same subnet Therefore a DHCP server must be available on each subnet It is not practical DHCP relay agent solves the problem Via a relay agent DHCP clients c...

Page 814: ... 2 Based on the giaddr field the DHCP server returns an IP address and other configuration parameters to the relay agent which conveys them to the client DHCP Relay Agent Support for Option 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agent optio...

Page 815: ... message Keep Random Forward the message without changing Option 82 Replace normal Forward the message after replacing the original Option 82 with the Option 82 padded in normal format verbose Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format no Option 82 normal Forward the message after adding the Option 82 padded in normal format verbose Forwa...

Page 816: ...n only correlate with one DHCP server group Using the dhcp relay server select command repeatedly overwrites the previous configuration However if the specified DHCP server group does not exist the interface still uses the previous correlation The group id in the dhcp relay server select command was specified by the dhcp relay server group command Configuring the DHCP Relay Agent to Send a DHCP Re...

Page 817: ...agent That is the invalid address check takes effect when this command is executed regardless of whether other commands are used You are recommended to configure IP address check on the interface enabled with the DHCP relay agent otherwise the valid DHCP clients may not be capable of accessing networks When using the dhcp relay security static command to bind a VLAN interface to a static binding e...

Page 818: ... receiving a DHCP request the DHCP relay agent will record the IP address of the DHCP server which assigned an IP address to the DHCP client and the receiving interface The administrator can use this information to check out any DHCP unauthorized servers Follow these steps to enable unauthorized DHCP server detection n With the unauthorized DHCP server detection enabled the device puts a record on...

Page 819: ...ion enable Required Disabled by default Configure the handling strategy for requesting messages containing Option 82 dhcp relay information strategy drop keep replace Optional replace by default Configure the padding format for Option 82 dhcp relay information format normal verbose node identifier mac sysname user defined node identifier Optional normal by default To do Use the command Remarks Dis...

Page 820: ...SwitchA interface vlan interface 1 SwitchA Vlan interface1 dhcp select relay SwitchA Vlan interface1 quit Configure DHCP server group 1 with the DHCP server 10 1 1 1 and correlate the DHCP server group 1 with VLAN interface 1 SwitchA dhcp relay server group 1 ip 10 1 1 1 SwitchA interface vlan interface 1 SwitchA Vlan interface1 dhcp relay server select 1 n Performing the configuration on the DHCP...

Page 821: ...y command on the DHCP relay agent to view the debugging information and interface state information for locating the problem Solution Check that The DHCP is enabled on the DHCP server and relay agent The address pool on the same subnet where DHCP clients reside is available on the DHCP server The routes between the DHCP server and DHCP relay agent are reachable The relay agent interface connected ...

Page 822: ...822 CHAPTER 58 DHCP RELAY AGENT CONFIGURATION ...

Page 823: ...With the DHCP client enabled on an interface the interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP server For the Switch 4800G operating as DHCP clients the vendor and device information contained in Option 60 of DHCP requests is not configurable instead it is determined by the application program of the switches Refer to Table 62 for different informat...

Page 824: ...s dhcp alloc commands in sequence Displaying and Maintaining the DHCP Client DHCP Client Configuration Example Network requirements On a LAN Switch B contacts the DHCP server via VLAN interface 1 to obtain an IP address Network diagram See Figure 246 Configuration procedure The following is the configuration on Switch B shown in Figure 246 Enable the DHCP client on VLAN interface 1 SwitchB system ...

Page 825: ...HCP relay agent You are not recommended to enable the DHCP client BOOTP client and DHCP Snooping on the same device Otherwise DHCP Snooping entries may fail to be generated or the BOOTP client DHCP client may fail to obtain an IP address DHCP Snooping Overview Function of DHCP Snooping As a DHCP security feature DHCP snooping can implement the following Recording IP to MAC mappings of DHCP clients...

Page 826: ...Switch A a DHCP server GE1 0 1 should be configured as a trusted port so that it can forward replies from Switch A Figure 250 Configure a trusted port connected with the DHCP sever Configuring trusted ports in a cascaded network In a cascaded network involving multiple DHCP snooping devices the ports connected to other DHCP snooping devices should be configured as trusted ports To save system reso...

Page 827: ...egy and padding format for Option 82 on the DHCP Snooping device are the same as those on the relay agent DHCP snooping Switch A DHCP snooping Switch C DHCP client Host D DHCP client Host C DHCP client Host B DHCP server SwitchD DHCP snooping Switch B GE1 0 4 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 4 GE1 0 2 GE1 0 1 GE1 0 3 GE1 0 1 DHCP client Host A GE1 0 1 If a client s requesting message ...

Page 828: ... perform related configuration on both the DHCP server and the device enabled with DHCP Snooping Refer to Configuring the Handling Mode for Option 82 on page 808 for DHCP server configuration of this kind To do Use the command Remarks Enter system view system view Enable DHCP snooping dhcp snooping Required Disabled by default Enter Ethernet port view interface interface type interface number Spec...

Page 829: ...CP server responses while the other two do not Switch B records clients IP to MAC address bindings in DHCP REQUEST messages and DHCP ACK messages received from trusted ports Switch B supports Option 82 After receiving a DHCP request from the client Switch B adds Option 82 padded in verbose format to the request message and forwards the message to the DHCP server Network diagram Figure 252 Network ...

Page 830: ...formation enable Configure the padding format to verbose for Option 82 on GigabitEthernet 1 0 2 SwitchB GigabitEthernet1 0 2 dhcp snooping information format verbose node identifier sysname SwitchB GigabitEthernet1 0 2 quit Configure DHCP Snooping to support Option 82 on GigabitEthernet 1 0 3 SwitchB interface gigabitethernet 1 0 3 SwitchB GigabitEthernet1 0 3 dhcp snooping information enable Conf...

Page 831: ...n on page 831 Obtaining an IP Address Dynamically on page 832 Protocols and Standards on page 832 BOOTP Application After you specify an interface of a device as a BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to configure a BOOTP parameter file for each BOOTP client...

Page 832: ...ons and Extensions for the Bootstrap Protocol Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP Follow these steps to configure an interface to dynamically obtain an IP address Displaying and Maintaining BOOTP Client Configuration BOOTP Client Configuration Example Network requirement Switch B s port belonging to VLAN 1 is connected to the LAN VLAN interface 1 obtains an I...

Page 833: ...P server SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address bootp alloc n To make the BOOTP client to obtain an IP address from the DHCP server you need to perform additional configurations on the DHCP server For details refer to DHCP Server Configuration Examples on page 809 ...

Page 834: ...834 CHAPTER 61 BOOTP CLIENT CONFIGURATION ...

Page 835: ...hat should be rejected based on matching criteria such as source MAC address destination MAC address source IP address destination IP address and port number Application of ACLs on the Switch The switch supports two ACL application modes Hardware based application An ACL is assigned to a piece of hardware For example an ACL can be referenced by QoS for traffic classification Note that when an ACL ...

Page 836: ...ACL is up to you After creating an ACL you cannot specify a name for it nor can you change or remove the name of the ACL n The name of an IPv4 ACL must be unique among IPv4 ACLs However an IPv4 ACL and an IPv6 ACL can share the same name IPv4 ACL Match Order An ACL consists of multiple rules each of which specifies different matching criteria These criteria may have overlapping or conflicting part...

Page 837: ...tion IP address wildcards are the same look at the Layer 4 port number TCP UDP port number Then compare packets against the rule configured with the lower port number prior to the other 5 If the port numbers are the same compare packets against the rule configured first prior to the other Depth first match for an Ethernet frame header ACL The following shows how your switch performs depth first ma...

Page 838: ...e effect only after the time range is defined and comes active IP Fragments Filtering with IPv4 ACL Traditional packet filtering performs match operation on rather than all IP fragments the first ones only All subsequent non first fragments are handled in the way the first fragments are handled This causes security risk as attackers may fabricate non first fragments to attack your network As for t...

Page 839: ...or to other rules 2 If two rules are present with the same prefix length in their source IPv6 address wildcards compare packets against the rule configured first prior to the other Depth first match for an advanced IPv6 ACL The following shows how your switch performs depth first match in an advanced IPv6 ACL 1 Sort rules by protocol range first and compare packets against the rule with the protoc...

Page 840: ...840 CHAPTER 62 ACL OVERVIEW IPv6 ACL Step Refer to IPv4 ACL Step on page 837 Effective Period of an IPv6 ACL Refer to Effective Period of an IPv4 ACL on page 838 ...

Page 841: ...n the day or days of the week Absolute time range which takes effect only in a period of time and does not recur Configuration Procedure Follow these steps to create a time range n Periodic time range created using the time range time name start time to end time days command A time range thus created recurs periodically on the day or days of the week Absolute time range created using the time rang...

Page 842: ... the time the configuration takes effect to the latest time that the system can express that is 24 00 12 31 2100 Up to 256 time ranges can be defined Configuration Examples Create a periodic time range that is active from 8 00 to 18 00 every working day Sysname system view Sysname time range test 8 00 to 18 00 working day Sysname display time range test Current time is 22 17 42 1 5 2006 Thursday T...

Page 843: ...ny source 1 1 1 1 0 Verify the configuration Sysname acl basic 2000 display acl 2000 Basic ACL 2000 named none 1 rule ACL s step is 5 rule 0 deny source 1 1 1 1 0 Create and enter basic IPv4 ACL view acl number acl number name acl name match order auto config Required The default match order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the acl name acl name com...

Page 844: ...atch order auto config Required The default match order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the acl name acl name command to enter the view of the ACL later Create or modify a rule rule rule id deny permit protocol destination dest addr dest wildcard any destination port operator port1 port2 dscp dscp established fragment icmp type icmp type icmp code ...

Page 845: ...5 255 destination 202 38 160 0 0 0 0 255 destination port eq 80 Verify the configuration Sysname acl adv 3000 display acl 3000 Advanced ACL 3000 named none 1 rule ACL s step is 5 rule 0 permit tcp source 129 9 0 0 0 0 255 255 destination 202 38 160 0 0 0 0 255 destination port eq www Configuring an Ethernet Frame Header ACL Ethernet frame header ACLs filter packets based on Layer 2 protocol header...

Page 846: ...y acl 4000 Ethernet frame ACL 4000 named none 1 rule ACL s step is 5 rule 0 deny cos excellent effort Copying an IPv4 ACL This feature allows you to copy an existent IPv4 ACL to generate a new one which is of the same type and has the same match order match rules rule numbering step and descriptions as the source IPv4 ACL Configuration Prerequisites Make sure that the source IPv4 ACL exists while ...

Page 847: ...0 in working days To do Use the command Remarks Enter system view system view Copy an existing IPv4 ACL to generate a new one of the same type acl copy source acl number name source acl name to dest acl number name dest acl name Required To do Use the command Remarks Display information about a specified or all IPv4 ACLs display acl acl number all name acl name Available in any view Display inform...

Page 848: ... 255 dest ination 192 168 4 1 0 0 0 0 time range trname Switch acl adv 3000 quit Configure a rule to control access of the Marketing Department to the salary query server Switch acl number 3001 Switch acl adv 3001 rule deny ip source 192 168 3 0 0 0 0 255 dest ination 192 168 4 1 0 0 0 0 time range trname Switch acl adv 3001 quit 3 Apply the IPv4 ACL Configure class c_rd for packets matching IPv4 ...

Page 849: ...traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Configure QoS policy p_market to use traffic behavior b_market for class c_market Switch qos policy p_market Switch qospolicy p_market classifier c_market behavior b_market Switch qospolicy p_market quit Apply QoS policy p_rd to interface GigabitEthernet 1 0 2 ...

Page 850: ...850 CHAPTER 63 IPV4 ACL CONFIGURATION ...

Page 851: ...time range command first Configuration Procedure Follow these steps to configure a basic IPv6 ACL To do Use the command Remarks Enter system view system view Create and enter basic IPv6 ACL view acl ipv6 number acl6 number name acl6 name match order auto config Required The default match order is config If you specify a name for an IPv6 ACL when creating the ACL you can use the acl ipv6 name acl6 ...

Page 852: ... permit source 2030 5060 9050 64 Sysname acl6 basic 2000 rule deny source fe80 5060 8050 96 Verify the configuration Sysname acl6 basic 2000 display acl ipv6 2000 Basic IPv6 ACL 2000 named none 2 rules ACL s step is 5 rule 0 permit source 2030 5060 9050 64 rule 5 deny source FE80 5060 8050 96 Configuring an Advanced IPv6 ACL Advanced ACLs filter packets based on the source IPv6 address destination...

Page 853: ...e match order auto config Required The default match order is config If you specify a name for an IPv6 ACL when creating the ACL you can use the acl ipv6 name acl6 name command to enter the view of the ACL later Create or modify a rule rule rule id deny permit protocol destination dest dest prefix dest dest prefix any destination port operator port1 port2 dscp dscp fragment icmpv6 type icmpv6 type...

Page 854: ...ype The generated IPv6 ACL does not take the name of the source IPv6 ACL Displaying and Maintaining IPv6 ACLs IPv6 ACL Configuration Example Network Requirements As shown in Figure 254 a company interconnects its departments through the switch To do Use the command Remarks Enter system view system view Copy an existing IPv6 ACL to generate a new one of the same type acl ipv6 copy source acl6 numbe...

Page 855: ...affic classifier c_rd Switch classifier c_rd if match acl ipv6 2000 Switch classifier c_rd quit Configure traffic behavior b_rd to deny matching packets Switch traffic behavior b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospoli...

Page 856: ...856 CHAPTER 64 IPV6 ACL CONFIGURATION ...

Page 857: ...is known as Best effort which delivers the packets to their destination with the best effort with no assurance and guarantee for delivery delay jitter packet loss ratio reliability and so on The traditional Best Effort service policy is only suitable for applications insensitive to bandwidth and delay such as WWW FTP and E mail New Requirements Brought forth by New Services With the fast developme...

Page 858: ...ternet The diagram below gives two examples Figure 255 Traffic congestion 1 Packets enter a switch over a high speed link and are forwarded out over a low speed link 2 Packets enter a switch through multiple interfaces of the same rate at the same time and are forwarded out on an interface of the same rate If the outbound traffic exceeds the line rate the traffic encounters the bottleneck of resou...

Page 859: ...e are the foundation for providing differentiated services Their main functions are as follows Traffic classification Identifies packets according to certain match rules Traffic classification is the prerequisite of providing differentiated services TP Monitors and controls the specifications of specific traffic entering the device When the traffic exceeds the threshold restrictive or punitive mea...

Page 860: ...860 CHAPTER 65 QOS OVERVIEW ...

Page 861: ...d on the information in the packet header and rarely based on the content of the packet The classification result is unlimited in range They can be a small range specified by a quintuplet source address source port number protocol number destination address and destination port number or all the packets to a certain network segment Generally the precedence of bits in the ToS field of the packet he...

Page 862: ...ackets are processed according to their DSCP values Expedited Forwarding EF class In this class packets can be forwarded regardless of link share of other traffic The class is suitable for preferential services with low delay low packet loss ratio low jitter and assured bandwidth such as virtual leased line Assured forwarding AF class This class is further divided into four subclasses AF1 2 3 4 an...

Page 863: ... 4 byte 802 1Q tag header contains a 2 byte Tag Protocol Identifier TPID whose value is 8100 and a 2 byte Tag Control Information TCI TPID is a new class defined by IEEE to indicate a packet with an 802 1Q tag Figure 258 describes the detailed contents of an 802 1Q tag header Table 66 Description on DSCP precedence values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11...

Page 864: ...raffic can be avoided TP is traffic control policies for limiting traffic and resource usage by supervising the traffic The prerequisite for TP is to determine whether or not the traffic exceeds the set threshold Traffic control policies are adopted only when the traffic exceeds the set threshold Generally token bucket is used for evaluating traffic Traffic Evaluation and Token Bucket Token Bucket...

Page 865: ...than the maximum packet length An evaluation is performed on the arrival of each packet In each evaluation if the bucket has enough tokens for use the traffic is controlled within the specification and a number of tokens equivalent to the packet forwarding authority must be taken out otherwise this means too many tokens have been used the traffic is in excess of the specification Complicated Evalu...

Page 866: ...rwarding the packet Marking a conforming packet with a new IP precedence value and forwarding the packet Marking a conforming packet or a non conforming packet with a new DSCP precedence value and forwarding the packet LR Port rate limiting refers to limiting the total rate of inbound or outbound packets on a port Port rate limiting can be implemented through token buckets That is if you perform p...

Page 867: ...onfigure LR parameter and limit the outbound rate to 640 kbps Sysname GigabitEthernet1 0 1 qos lr outbound cir 640 Displaying and Maintaining LR Configure LR qos lr outbound cir committed information rate cbs committed burst size Required To do Use the command Remarks To do Use the command Remarks Display the LR configuration of an interface display qos lr interface interface type interface number...

Page 868: ...868 CHAPTER 66 TRAFFIC CLASSIFICATION TP AND LR CONFIGURATION ...

Page 869: ...mmands to define a series of rules to classify packets Additionally you can use commands to define the relationship among classification rules and and or and The devices considers a packet to be of a specific class when the packet matches all the specified classification rules or The device considers a packet be of a specific class when the packet matches one of the specified classification rules ...

Page 870: ... class and then define rules in the corresponding class view Table 68 QoS policies Policy name Corresponding class Related command Accounting Use the if match match criteria command to define the class as required for the policy to be associated with accounting TP Use the if match match criteria command to define the class as required for the policy to be associated with car Traffic filtering Use ...

Page 871: ...p list Specifies to match packets by 802 1p precedence of the customer network The 8021p list argument is a list of CoS values You can provide up to eight space separated CoS values for this argument CoS is in the range 0 to 7 customer vlan id vlan id list Specifies to match the packets of specified VLANs of user networks The vlan id list argument specifies a list of VLAN IDs in the form of vlan i...

Page 872: ...Traffic Behavior To define a traffic behavior you need to create a traffic behavior and then configure attributes for it in traffic behavior view Configuration procedure Follow these steps to define a traffic behavior service dot1p 8021p list Specifies to match packets by 802 1p precedence of the service provider network The 8021p list argument is a list of CoS values You can provide up to eight s...

Page 873: ...nfigure traffic filtering behavior filter deny permit Configure traffic mirroring action mirror to cpu interface interface type interface number Configure nested VLAN tag action nest top most vlan id vlan id Configure traffic redirect action redirect cpu interface interface type interface number link aggregation group agg id next hop ipv4 add ipv4 add ipv6 add interface type interface number ipv6 ...

Page 874: ...hese steps to apply a policy on a port Note that when you apply a policy by using the qos apply policy command whether or not the inbound outbound keyword can take effect depends on the actions defined in the traffic behavior as described in Table 70 To do Use the command Remarks Enter system view system view Create a policy This operation leads you to policy view qos policy policy name Specify th...

Page 875: ...uirements Configure a policy named test to associate the traffic behavior named test_behavior with the class named test_class Apply the policy to the inbound direction of GigabitEthernet 1 0 1 port 2 Configuration procedure Enter system view Sysname system view Create a policy This operation leads you to policy view TP Supported Supported Traffic filtering Supported Supported Traffic mirroring Sup...

Page 876: ...s apply policy test inbound Displaying and Maintaining QoS Policy To do Use the command Remarks Display the information about a class and the corresponding actions associated by a policy display qos policy user defined policy name classifier classifier name Available in any view Display the information about the policies applied on a port display qos policy interface interface type interface numbe...

Page 877: ...space to store these packets parts of them will be lost Packet loss may cause the transmitting device to retransmit the packets because the lost packets time out which causes a malicious cycle The core of congestion management is how to schedule the resources and determine the sequence of forwarding packets when congestion occurs Congestion Management Policy Queuing technology is generally adopted...

Page 878: ...g SP sends packets in the queue with higher priority strictly following the priority order from high to low When the queue with higher priority is empty packets in the queue with lower priority are sent You can put critical service packets into the queues with higher priority and put non critical service such as e mail packets into the queues with lower priority In this case critical service packe...

Page 879: ...t packets in low priority queues are possibly not to be served for a long time Another advantage of WRR queue scheduling algorithm is that though the queues are scheduled in turn the service time for each queue is not fixed that is to say if a queue is empty the next queue will be scheduled immediately In this way the bandwidth resources are fully utilized 3Com Switch 4800G Family support the foll...

Page 880: ... all the ports in the port group Enter port group view port group manual port group name aggregation agg id Configure SP queue scheduling algorithm qos sp Required By default all the ports adopt the WRR queue scheduling algorithm with the weight values assigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 To do Use the command Remarks To do Use the command Remarks Enter system view syste...

Page 881: ...scheduling group and WRR scheduling group namely group 1 the SP WRR queue scheduling is implemented During the queue scheduling process the queues in the SP scheduling group is scheduled preferentially When no packet is to be sent in the queues in the SP scheduling group the queues in the WRR scheduling group are scheduled The queues in the SP scheduling group are scheduled according to the strict...

Page 882: ... 1 qos wrr 0 group sp Sysname GigabitEthernet1 0 1 qos wrr 1 group sp Sysname GigabitEthernet1 0 1 qos wrr 2 group sp Sysname GigabitEthernet1 0 1 qos wrr 3 group sp Sysname GigabitEthernet1 0 1 qos wrr 4 group 1 weight 2 Sysname GigabitEthernet1 0 1 qos wrr 5 group 1 weight 4 Sysname GigabitEthernet1 0 1 qos wrr 6 group 1 weight 6 Sysname GigabitEthernet1 0 1 qos wrr 7 group 1 weight 8 Displaying...

Page 883: ...ly a packet is dropped the Switch 4800G provide the following two priority trust modes Trusting the DSCP precedence of received packets In this mode the switch searches the dscp dot1p dp dscp mapping table based on the DSCP precedence of the received packet for the 802 1p precedence drop precedence DSCP precedence to be used to mark the packet Then the switch searches the dot1p lp mapping table ba...

Page 884: ...ng table Table 71 The default values of dot1p lp mapping and dot1p dp mapping Imported priority value dot1p lp mapping dot1p dp mapping 802 1p precedence dot1p Local precedence lp Drop precedence dp 0 2 0 1 0 0 2 1 0 3 3 0 4 4 0 5 5 0 6 6 0 7 7 0 Table 72 The default values of dscp dp mapping dscp dot1p mapping and dscp dscp mapping Imported priority value dscp dp mapping dscp dot1p mapping dscp d...

Page 885: ...e received packets searches the dot1p lp dp mapping table for the corresponding local precedence and drop precedence according to the 802 1p precedence of the received packets and then marks the received packets with the corresponding local precedence and drop precedence Port priority is in the range 0 to 7 You can set the port priority as required Enter priority mapping table view qos map table d...

Page 886: ...ts Configuration Procedure Follow these steps to configure the port priority trust mode To do Use the command Remarks Enter system view system view Enter port view or port group view Enter port view interface interface type interface number Perform either of the two operations The configuration performed in Ethernet port view applies to the current port only The configuration performed in port gro...

Page 887: ...name GigabitEthernet1 0 1 qos trust dscp Displaying and Maintaining Priority Mapping Configure to trust the DSCP precedence of the received packets qos trust dscp Required By default the 802 1p precedence of the received packets is trusted To do Use the command Remarks To do Use the command Remarks Display the information about a specified priority mapping table display qos map table dot1p dp dot1...

Page 888: ...888 CHAPTER 69 PRIORITY MAPPING ...

Page 889: ...s not effective on dynamic VLANs for example VLANs created by GVRP Applying a QoS Policy to VLANs Configuration Prerequisites The QoS policy to be applied is defined Refer to Configuring a QoS Policy on page 870 for policy defining VLANs where the QoS policy is to be applied are determined Configuration Procedure Follow these steps to apply a QoS policy to VLANs Note that when you apply a QoS poli...

Page 890: ...fier cl1 if match acl 2000 Sysname classifier cl1 quit Create a traffic behavior and enter traffic behavior view Sysname traffic behavior be1 Configure the traffic behavior Sysname behavior be1 car cir 64 Sysname behavior be1 quit Create a QoS policy and enter QoS policy view Sysname qos policy test Associate a class with a traffic behavior Sysname qospolicy test classifier cl1 behavior be1 Sysnam...

Page 891: ...t is replicated and sent to the CPU on the module of the port for further analysis Mirroring to VLAN The desired traffic on a mirrored port is replicated and sent to a VLAN where the traffic is broadcast and all the ports if available in the VLAN will receive the traffic If the destination VLAN does not exist you can still configure the function and the function will automatically take effect afte...

Page 892: ...ch Enter system view Sysname system view Configure basic IPv4 ACL 2000 to match packets with the source IP address 192 168 0 1 Sysname acl number 2000 Sysname acl basic 2000 rule permit source 192 168 0 1 0 Sysname acl basic 2000 quit Configure a traffic classification rule to use ACL 2000 for traffic classification Sysname traffic classfier 1 Sysname classifier 1 if match acl 2000 Sysname classif...

Page 893: ... Sysname behavior 1 quit Configure a QoS policy and associate traffic behavior 1 with classification rule 1 Sysname qos policy 1 Sysname policy 1 classifier 1 behavior 1 Sysname policy 1 quit Apply the policy in the inbound direction of GigabitEthernet1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos apply policy 1 inbound After the configurations you can monitor all p...

Page 894: ...894 CHAPTER 71 TRAFFIC MIRRORING CONFIGURATION ...

Page 895: ...n analyze the packets duplicated to the destination mirroring port on these devices so as to monitor and troubleshoot the network Figure 263 A port mirroring implementation Classification of Port Mirroring There are two kinds of port mirroring local port mirroring and remote port mirroring Local port mirroring copies packets passing through one or more ports known as source ports of a device to th...

Page 896: ...lustrates a remote port mirroring implementation Figure 264 A remote mirroring implementation The devices in Figure 264 function as follows Source device Source device contains source mirroring ports and remote source port mirroring groups are created on source devices A source device duplicates the packets passing the source ports on it and sends them to the outbound port The packets are then bro...

Page 897: ...stination port cannot be the member ports of the current mirroring group Before adding the destination port for a port mirroring group make sure the port mirroring group exists A mirroring group can have only one destination port To do Use the command Remarks Enter system view system view Create a local mirroring group mirroring group group id local Required Add ports to the port mirroring group a...

Page 898: ... belong to only one port mirroring group A VLAN can be the remote port mirroring VLAN of only one port mirroring group To do Use the command Remarks Enter system view system view Create a remote source mirroring group mirroring group group id remote source Required Add ports to the mirroring group as source ports In system view mirroring group group id mirroring port mirroring port list both inbou...

Page 899: ... and Maintaining Port Mirroring To do Use the command Remarks Enter system view system view Create a remote destination port mirroring group mirroring group group id remote destination Required Configure the remote port mirroring VLAN for the port mirroring group mirroring group group id remote probe vlan rprobe vlan id Required Add a port to the port mirroring group as the destination port In sys...

Page 900: ...r the packets received on and sent from the R D department and the marketing department through the data monitoring device Use the local port mirroring function to meet the requirement Perform the following configurations on Switch C Configure GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as mirroring source ports Configure GigabitEthernet 1 0 3 as the mirroring destination port Network diagram ...

Page 901: ...1 0 3 of Switch A connects to GigabitEthernet 1 0 1 of Switch B GigabitEthernet 1 0 2 of Switch B connects to GigabitEthernet 1 0 1 of Switch C The data monitoring device is connected to GigabitEthernet 1 0 2 of Switch C The administrator wants to monitor the packets sent from Department 1 and 2 through the data monitoring device Use the remote port mirroring function to meet the requirement Perfo...

Page 902: ...roup 1 mirroring port GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 inbound SwitchA mirroring group 1 monitor egress GigabitEthernet 1 0 3 Configure port GigabitEthernet 1 0 3 as a trunk port and configure the port to permit the packets of VLAN 2 SwitchA interface GigabitEthernet 1 0 3 SwitchA GigabitEthernet1 0 3 port link type trunk SwitchA GigabitEthernet1 0 3 port trunk permit vlan 2 1 Configure...

Page 903: ...SwitchC GigabitEthernet1 0 1 port trunk permit vlan 2 SwitchC GigabitEthernet1 0 1 quit Create a remote destination port mirroring group SwitchC mirroring group 1 remote destination Create VLAN 2 SwitchC vlan 2 SwitchC vlan2 quit Configure VLAN 2 as the remote port mirroring VLAN of the remote destination port mirroring group Add port GigabitEthernet 1 0 2 to the remote destination port mirroring ...

Page 904: ...904 CHAPTER 72 PORT MIRRORING CONFIGURATION ...

Page 905: ...nagement Configuration Examples on page 922 Cluster Management Overview Cluster Management Definition A cluster is an aggregation of a group of communication devices Cluster management is to implement management of large numbers of distributed network devices Cluster management is implemented through 3Com Group Management Protocol version 2 Switch Clusteringv2 By employing Switch Clusteringv2 a ne...

Page 906: ...wing three roles exist in a cluster management device member device and candidate device Management device The device providing management interfaces for all devices in the cluster and the only device configured with a public IP address Any configuration management and monitoring of the member devices in a cluster can only be implemented through the management device When a device is specified as ...

Page 907: ...y Discovery Protocol NTDP Cluster A cluster configures and manages the devices in it through the above three protocols Cluster management involves topology information collection and the establishment and maintenance of a cluster Topology information collection and cluster maintenance are independent from each other with the former starting before the cluster is created All devices use NDP to coll...

Page 908: ...s a protocol used to collect network topology information NTDP provides information required for cluster management it collects topology information about the devices within the specified hop count to identify candidate devices for a cluster Based on the neighbor information stored in the neighbor table maintained by NDP NTDP on the management device advertises NTDP topology collection requests to...

Page 909: ...evice before creating a cluster The management device discovers and defines a candidate device through NDP and NTDP protocols The candidate device can be automatically or manually added to the cluster After the candidate device is added to the cluster it can obtain the member number assigned by the management device and the private IP address used for cluster management 2 Communication within a cl...

Page 910: ...to the cluster After that the state of the member device locally and on the management device will be changed to Active Besides the member device informs the management device using handshake packets when there is a neighbor topology change Management VLAN The management VLAN limits the cluster management range Through configuration of the management VLAN the following functions can be implemented...

Page 911: ...P Information on page 913 Optional Enabling the Cluster Function on page 914 Optional Establishing a Cluster on page 914 Required Configuring Communication Between the Management Device and the Member Devices Within a Cluster on page 916 Optional Configuring the Destination MAC Address of Cluster Management Multicast Packets on page 916 Optional Configuring Cluster Member Management on page 916 Op...

Page 912: ...from adding the device which needs not to join the cluster and collecting the topology information of this device Configuring NDP Parameters Follow these steps to configure NDP parameters c CAUTION The time for the receiving device to hold NDP packets cannot be shorter than the interval to send NDP packets otherwise the NDP table may become instable Enabling NTDP Globally and for Specific Ports Fo...

Page 913: ...tion The management device collects topology information periodically after a cluster is created In addition you can configure to manually collect NTDP information to initiate NTDP information collection thus managing and monitoring the device on real time regardless of whether a cluster is created Follow these steps to configure to manually collect NTDP information To do Use the command Remarks E...

Page 914: ...er a device has been added to the cluster you cannot modify the management VLAN To change the management VLAN after the cluster is established you should remove the cluster on the management device re specify the management VLAN and reestablish a cluster For the purpose of security you are not recommended to configure the VLAN ID of the management VLAN as the default VLAN ID of the port connecting...

Page 915: ...ement VLAN Enter cluster view cluster Configure the private IP address range for member devices on a device which is to be configured as the management device ip pool administrator ip address mask mask length Required For a cluster to work normally the IP addresses of the VLAN interfaces of the management device and member devices must not be in the same network segment as that of the cluster addr...

Page 916: ...negotiation broadcast packets to advertise the destination MAC address of the cluster management multicast packets Follow these steps to configure the destination MAC address of the cluster management multicast packets Configuring Cluster Member Management Adding Removing a member device You can manually add a candidate device to a cluster or remove a member device from a cluster These operations ...

Page 917: ...ts on page 912 Enabling NTDP Globally and for Specific Ports Refer to Enabling NTDP Globally and for Specific Ports on page 912 Manually Collecting NTDP Information Refer to Manually Collecting NTDP Information on page 913 Enabling the Cluster Function Refer to Enabling the Cluster Function on page 914 Deleting a Member Device from a Cluster Enter cluster view cluster Add a candidate device to the...

Page 918: ...cally synchronized to the management device Therefore after a cluster is established you are not recommended to modify the super password of the member device including management device and member devices of the cluster otherwise the switch may fail because of authentication failure When you switch the management device to a member device if member n does not exist the system prompts error if the...

Page 919: ...If a blacklist device is connected to network through another device not included in the blacklist the MAC address and access port of the latter are also included in the blacklist A whitelist member cannot be a blacklist member and vice versa However a topology node can belong to neither the whitelist nor the blacklist Nodes of this type are usually newly added nodes whose identities are to be con...

Page 920: ... this case on the management device you need to configure the VLAN interface of the access NM device including FTP TFTP server NM host and log host as the NM interface To do Use the command Remarks Enter system view system view Enter cluster view cluster Add a device to the blacklist black list add mac mac address Optional Remove a device from the blacklist black list delete mac all mac address Op...

Page 921: ...evices outside the cluster and configure the NM interface for the management device Configure the TFTP server shared by the member devices in the cluster tftp server ip address Required By default no TFTP server is configured for a cluster Configure the log host shared by the member devices in the cluster logging host ip address Required By default no log host is configured for a cluster Configure...

Page 922: ...nformation display ndp interface interface list Available in any view Display the global NTDP information display ntdp Display the device information collected through NTDP display ntdp device list verbose Display the detailed NTDP information of a specified device display ntdp single device mac address mac address View cluster state and statistics display cluster View the standard topology inform...

Page 923: ...0 Network diagram for cluster management Configuration procedure 1 Configuring the member device All member devices have the same configuration taking one member as an example Enable NDP globally and for the Ethernet1 1 port Switch system view Switch ndp enable Switch interface Ethernet1 1 Switch Ethernet1 1 ndp enable Switch Ethernet1 1 quit Enable NTDP globally and for the Ethernet1 0 1 port Swi...

Page 924: ...t1 0 3 Switch GigabitEthernet1 0 3 ntdp enable Switch GigabitEthernet1 0 3 quit Configure the hop count to collect topology as 2 Switch ntdp hop 2 Configure the delay time for topology collection request packets to be forwarded on member devices as 150 ms Switch ntdp timer hop delay 150 Configure the delay time for topology collection request packets to be forwarded through the ports of member dev...

Page 925: ...for the cluster aabbcc_0 Switch cluster ftp server 63 172 55 1 aabbcc_0 Switch cluster tftp server 63 172 55 1 aabbcc_0 Switch cluster logging host 69 172 55 4 aabbcc_0 Switch cluster snmp host 69 172 55 4 Add the device whose MAC address is 00E0 FC01 0013 to the blacklist aabbcc_0 Switch cluster black list add mac 00e0 fc01 0013 aabbcc_0 Switch cluster quit Configure the network management interf...

Page 926: ...ONFIGURATION You can execute the cluster switch to administrator command to switch to the operation interface of the management device For detailed information about these configurations refer to the preceding description in this chapter ...

Page 927: ...packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet If the destination port number of the packet matches the one pre configured on the device the device modifies the destination IP address in the IP header and then sen...

Page 928: ...1 16 connecting to the network segment 10 110 0 0 16 Enable the forwarding of broadcast packets with the UDP destination port number 55 to the destination server 10 2 1 1 16 Network diagram Figure 271 Network diagram for UDP Helper configuration Configuration procedure n The following configuration assumes that a route from Switch A to the network segment 10 2 0 0 16 is available Specify the desti...

Page 929: ...ast packets with the UDP destination port number 55 SwitchA udp helper port 55 Specify the server with the IP address of 10 2 1 1 as the destination server to which UDP packets are to be forwarded SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 110 1 1 16 SwitchA Vlan interface1 udp helper server 10 2 1 1 ...

Page 930: ...930 CHAPTER 74 UDP HELPER CONFIGURATION ...

Page 931: ...anagement of products from different manufacturers Offering only the basic set of functions SNMP makes the management tasks independent of both the physical features of the managed devices and the underlying networking technology Thus SNMP achieves effective management of devices from different manufacturers especially in small high speed and low cost network environments SNMP Mechanism An SNMP en...

Page 932: ...M You can set the authentication and privacy functions The former is used to authenticate the validity of the sending end of the authentication packets preventing access of illegal users the latter is used to encrypt packets between the NMS and Agent preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP Agent by authentication with privacy ...

Page 933: ...SNMP Agent through this command or any commands that begin with snmp agent Configure SNMP Agent system information snmp agent sys info contact sys contact location sys location version all v1 v2c v3 Optional The defaults are as follows 3Com Corporation for contact Marlborough MA for location and SNMP v3 for the version Configure an SNMP agent group snmp agent group v3 group name authentication pri...

Page 934: ...marks Enter system view system view Enable SNMP Agent snmp agent Required Disabled by default You can enable SNMP Agent through this command or any commands that begin with snmp agent Configure SNMP Agent system information snmp agent sys info contact sys contact location sys location version v1 v2c v3 all Required The defaults are as follows 3Com Corporation for contact Marlborough MA for locatio...

Page 935: ... of SNMP log is informational meaning it is a common prompt of the device To check SNMP logs enable the information center to output system information with the severity of informational Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent snmp agent packet max size byte count Optional 15 00 bytes by default Configure the switch fabric ID for a local SNMP agen...

Page 936: ...mission c CAUTION To enable an interface to send SNMP Traps when its state changes you need to enable the Link up down Trap packet transmission function on an interface and globally Use the enable snmp trap updown command to enable this function on an interface and use the snmp agent trap enable standard linkdown linkup command to enable this function globally Configuring Trap transmission paramet...

Page 937: ...the queue size for sending Traps snmp agent trap queue size size Optional 100 by default Configure the lifetime for Traps snmp agent trap life seconds Optional 120 seconds by default To do Use the command Remarks To do Use the command Remarks Display SNMP agent system information including the contact location and version of the SNMP display snmp agent sys info contact location version Available i...

Page 938: ...e snmp agent community write private Configure VLAN interface 2 with the IP address of 1 1 1 1 24 Add the port Ethernet 1 0 to VLAN 2 Sysname vlan 2 Sysname vlan2 port ethernet 1 0 Sysname vlan2 interface vlan interface 2 Sysname Vlan interface2 ip address 1 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configure the contact person and physical location information of the switch Sysname snmp ag...

Page 939: ...ng Configuration procedure n The configurations for NMS and Agent are omitted Enable logging display on the terminal optional enabled by default Sysname terminal monitor Sysname terminal logging Enable the information center to output the system information with the severity of informational to the Console port Sysname system view Sysname info center source snmp channel console log level informat ...

Page 940: ...ge 1009 Table 74 Descriptions on the output field of SNMP log Field Description Jan 1 02 49 40 566 2006 The time when SNMP log is generated seqNO Sequence number of the SNMP log srcIP IP address of NMS op SNMP operation type GET or SET node Node name of the SNMP operations and OID of the instance erroIndex Error index with 0 meaning no error errorstatus Error status with noError meaning no error v...

Page 941: ...n network management station NMS and agent facilitating large network management RMON comprises two parts NMSs and agents running on network devices Each RMON NMS administers the agents within its administrative domain An RMON agent resides on a network monitor or probe for an interface It monitors and gathers information about traffic over the network segment connected to the interface to provide...

Page 942: ...ON alarm group monitors specified alarm variables such as statistics on a port If the sampled value of the monitored variable is bigger than or equal to the upper threshold an upper event is triggered if the sampled value of the monitored variable is lower than or equal to the lower threshold a lower event is triggered The event is then handled as defined in the event group The following is how th...

Page 943: ...mber of packets received on the current interface The result of the statistics is a cumulative sum Configuring RMON Configuration Prerequisites Before configuring RMON configure the SNMP agent as described in SNMP Configuration on page 931 Configuration Procedure Follow these steps to configure RMON To do Use the command Remarks Enter system view system view Create an event entry in the event tabl...

Page 944: ...ext Optional To do Use the command Remarks Table 75 Restrictions on the configuration of RMON Entry Parameters to be compared Event Event description description string event type log trap logtrap or none and community name trap community or log trapcommunity History Sampling interval interval sampling interval Statistics Only one statistics entry can be created on an interface Alarm Alarm variabl...

Page 945: ...Display RMON statistics for interface GigabitEthernet 1 0 1 Sysname display rmon statistics GigabitEthernet 1 0 1 Statistics entry 1 owned by user1 rmon is VALID Interface GigabitEthernet1 0 1 ifIndex 1 etherStatsOctets 0 etherStatsPkts 0 etherStatsBroadcastPkts 0 etherStatsMulticastPkts 0 etherStatsUndersizePkts 0 etherStatsOversizePkts 0 etherStatsFragments 0 etherStatsJabbers 0 etherStatsCRCAli...

Page 946: ...m 1 1 3 6 1 2 1 16 1 1 1 4 1 delta rising threshold 1000 1 falling threshold 100 1 owner 1 rmon Sysname display rmon alarm 1 Alarm table 1 owned by 1 rmon is VALID Samples type delta Variable formula 1 3 6 1 2 1 16 1 1 1 4 1 etherStatsOctets 1 Sampling interval 10 sec Rising threshold 1000 linked with event 1 Falling threshold 100 linked with event 1 When startup enables risingOrFallingAlarm Lates...

Page 947: ... The purpose of using NTP is to keep consistent timekeeping among all clock dependent devices within the network so that the devices can provide diverse applications based on the consistent time For a local system running NTP its time can be synchronized by other reference sources and can be used as a reference source to synchronize other clocks Applications of NTP An administrator can by no means...

Page 948: ...ssages How NTP Works Figure 277 shows the basic work flow of NTP Switch A and Switch B are interconnected over a network They have their own independent system clocks which need to be automatically synchronized through NTP For an easy understanding we assume that Prior to system clock synchronization between Switch A and Switch B the clock of Switch A is set to 10 00 00 am while that of Switch B i...

Page 949: ...oundtrip delay of NTP message Delay T4 T1 T3 T2 2 seconds Time difference between Switch A and Switch B Offset T2 T1 T3 T4 2 1 hour Based on these parameters Switch A can synchronize its own clock to the clock of Switch B This is only a rough description of the work mechanism of NTP For details refer to RFC 1305 NTP Message Format NTP uses two types of messages clock synchronization message and NT...

Page 950: ...1 clock has the highest precision and a stratum 16 clock is not synchronized and cannot be used as a reference clock Poll 8 bit signed integer indicating the poll interval namely the maximum interval between successive messages Precision an 8 bit signed integer indicating the precision of the local clock Root Delay roundtrip delay to the primary reference source Root Dispersion the maximum error o...

Page 951: ...its local clock to that of the optimal reference source In this mode a client can be synchronized to a server but not vice versa Symmetric peers mode Figure 280 Symmetric peers mode A switch working in the symmetric active mode periodically sends clock synchronization messages with the Mode field in the message set to 1 symmetric active the switch that receives this message automatically enters th...

Page 952: ...broadcast messages and synchronizes its local clock based on the received broadcast messages Multicast mode Figure 282 Multicast mode In the multicast mode a server periodically sends clock synchronization messages to the user configured multicast address or if no multicast address is configured to the default NTP multicast address 224 0 1 1 with the Mode field in the Network Client Server After r...

Page 953: ...to configure only clients or symmetric active peers for the broadcast or multicast mode you need to configure both servers and clients n A single switch can have a maximum of 128 associations at the same time including static associations and dynamic associations A static association refers to an association that a user has manually created by using an NTP command while a dynamic association is a ...

Page 954: ... symmetric passive on a symmetric active peer Following these steps to configure a symmetric active switch n In the symmetric mode you should use any NTP configuration command in Configuring the Operation Modes of NTP on page 953 to enable NTP otherwise a symmetric passive peer will not process NTP packets from a symmetric active peer In the ntp service unicast peer command ip address must be a ho...

Page 955: ...st server n A broadcast server can synchronize broadcast clients only after its clock has been synchronized Configuring NTP Multicast Mode The multicast server periodically sends NTP multicast messages to multicast clients which send replies after receiving the messages and synchronize their local clocks For switches working in the multicast mode you need to configure both the server and clients T...

Page 956: ...Disabling an Interface from Receiving NTP Messages Enter interface view interface interface type interface number Enter the interface used to receive NTP multicast messages Configure the switch to work in the NTP multicast client mode ntp service multicast client ip address Required To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface ...

Page 957: ... to perform synchronization and control query to the local switch and also permits the local switch to synchronize its clock to the peer switch From the highest NTP service access control right to the lowest one are peer server synchronization and query When a switch receives an NTP request it will perform an access control right match and will use the first matched right Configuration Prerequisit...

Page 958: ...ed to associate the specified authentication key on the client symmetric active peer if in the symmetric peer mode with the corresponding NTP server symmetric passive peer if in the symmetric peer mode Otherwise the NTP authentication feature cannot be normally enabled For the broadcast server mode or multicast server mode you need to associate the specified authentication key on the broadcast ser...

Page 959: ... NTP authentication you must configure the key and specify it as a trusted key after associating the key with the NTP server Symmetric peers mode ntp service unicast peer ip address peer name authentication keyid keyid To do Use the command Remarks To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disabled by default Co...

Page 960: ...on on Switch B View the NTP status of Switch B before clock synchronization SwitchB display ntp service status Clock status unsynchronized Clock stratum 16 Reference clock ID none Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 0 00 ms Root dispersion 0 00 ms Peer dispersion 0 00 ms Reference time 00 00 00 000 UTC Jan 1 1900 00000000...

Page 961: ...d the clock stratum level of Switch B is 3 while that of Switch A is 2 View the NTP session information of Switch B which shows that an association has been set up between Switch B and Switch A SwitchB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 63 64 3 75 5 31 0 16 5 note 1 source master 2 source peer 3 selected 4 candidate 5 ...

Page 962: ... source with the stratum level of 1 SwitchC system view SwitchC ntp service refclock master 1 Configure Switch B as a symmetric peer after local synchronization SwitchC ntp service unicast peer 3 0 1 32 In the step above Switch B and Switch C are configured as symmetric peers with Switch C in the symmetric active mode and Switch B in the symmetric passive mode Because the stratus level of Switch C...

Page 963: ...ource master 2 source peer 3 selected 4 candidate 5 configured Total associations 2 Configuring NTP Broadcast Mode Network requirements Switch C s local clock is to be used as a reference source with the stratum level of 2 Switch C works in the broadcast server mode and sends out broadcast messages from VLAN interface 2 Switch D and Switch A work in the broadcast client mode and listen to broadcas...

Page 964: ... broadcast messages from Switch C Switch D gets synchronized upon receiving a broadcast message from Switch C View the NTP status of Switch D after clock synchronization SwitchD display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 31 00 ms Roo...

Page 965: ...hC system view SwitchC ntp service refclock master 2 Configure Switch C to work in the multicast server mode and send multicast messages through VLAN interface 2 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service multicast server 2 Configuration on Switch D Configure Switch D to work in the multicast client mode and receive multicast messages on VLAN interface 2 SwitchD system ...

Page 966: ... 16 6 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 3 Configuration on Switch B Because Switch A and Switch C are on different subnets you must enable IGMP on Switch B before Switch A can receive multicast messages from Switch C Enable IP multicast routing and IGMP SwitchB system view SwitchB multicast routing enable SwitchB interface vlan interface 2 ...

Page 967: ...per 1234 3 0 1 31 127 127 1 0 2 255 64 26 16 0 40 0 16 6 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 n Refer to Multicast Routing and Forwarding Configuration on page 701 for detailed description of the multicast function Configuring NTP Server Client Mode with Authentication Network requirements The local clock of Switch A is to be configured as a r...

Page 968: ...ice authentication enable Set an authentication key SwitchA ntp service authentication keyid 42 authentication mode md5 aNiceKey Specify the key as key as a trusted key SwitchA ntp service reliable authentication keyid 42 View the NTP status of Switch B after clock synchronization SwitchB display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequ...

Page 969: ...ed on both Switch C and Switch D Network diagram Figure 288 Network diagram for configuration of NTP broadcast mode with authentication Configuration procedure 1 Configuration on Switch C Specify the local clock as the reference source with the stratum level of 3 SwitchC system view SwitchC ntp service refclock master 3 Configure NTP authentication SwitchC ntp service authentication enable SwitchC...

Page 970: ... status of Switch D after clock synchronization SwitchD display ntp service status Clock status synchronized Clock stratum 4 Reference clock ID 3 0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 31 00 ms Root dispersion 8 31 ms Peer dispersion 34 30 ms Reference time 16 01 51 713 UTC Apr 20 2007 C6D95F6F B6872B02 As shown above...

Page 971: ...contacts the DNS server for dynamic name resolution which takes more time than static name resolution Therefore some frequently queried name to IP address mappings are stored in the local static name resolution table to improve efficiency Static Domain Name Resolution The static domain name resolution means setting up mappings between domain names and IP addresses IP addresses of the corresponding...

Page 972: ... defined by users It is used when the name to be resolved is incomplete The resolver can supply the missing part For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the IP address of aabbcc com The resolver can add the suffix and delimiter before passing the name to the DNS server If there is no dot in the domain name for example aabbcc the r...

Page 973: ... 1 A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy that is the destination address of the request is the IP address of the DNS proxy 2 The DNS proxy searches the local static domain name resolution table after receiving the request If the requested information exists in the table the DNS proxy returns a DNS reply to the client 3 If the requested info...

Page 974: ...marks Enter system view system view Enable dynamic domain name resolution dns resolve Required Disabled by default Specify a DNS server dns server ip address Required Not specified by default Configure a domain name suffix dns domain domain name Optional Not configured by default To do Use the command Remarks Enter system view system view Enable DNS proxy dns proxy enable Required Disabled by defa...

Page 975: ...e ping host com PING host com 10 1 1 2 56 data bytes press CTRL_C to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 128 time 2 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 128 time 2 ms Reply from 10 1 1 2 bytes 56 Sequence 3 ttl 128 time 2 ms Reply from 10 1 1 2 bytes 56 Sequence 4 ttl 128 time 2 ms Reply from 10 1 1 2 bytes 56 Sequence 5 ttl 128 time 2 ms host com ping statistics 5 packet s...

Page 976: ... Figure 292 This configuration may vary with different DNS servers The following configuration is performed on a Windows 2000 server Configure the DNS server Enter DNS server configuration page Select Start Programs Administrative Tools DNS Create zone com In Figure 293 right click Forward Lookup Zones select New zone and then follow the instructions to create a new zone Figure 293 Create a zone C...

Page 977: ...94 right click zone com and then select New Host to bring up a dialog box as shown in Figure 295 Enter host name host and IP address 3 1 1 1 Figure 295 Add a mapping between domain name and IP address 1 Configure the DNS client Enable dynamic domain name resolution ...

Page 978: ... 1 1 1 56 data bytes press CTRL_C to break Reply from 3 1 1 1 bytes 56 Sequence 1 ttl 126 time 3 ms Reply from 3 1 1 1 bytes 56 Sequence 2 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 3 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 4 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 5 ttl 126 time 1 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00...

Page 979: ...ution Configuration Example on page 975 for related configuration information 2 Configure the DNS proxy Specify the DNS server 4 1 1 1 SwitchA system view SwitchA dns server 4 1 1 1 Enable DNS proxy SwitchA dns proxy enable 3 Configure the DNS client Enable the domain name resolution function SwitchB system view SwitchB dns resolve Specify the DNS server 2 1 1 2 SwitchB dns server 2 1 1 2 1 Config...

Page 980: ... transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 1 3 ms Troubleshooting DNS Configuration Symptom After enabling the dynamic domain name resolution the user cannot get the correct IP address Solution Use the display dns dynamic host command to verify that the specified domain name is in the cache If there is no defined domain name check that dynamic domain name resolution...

Page 981: ...rations on page 983 File System Prompt Mode Setting on page 983 File System Operations Example on page 984 File System Overview A major function of the file system is to manage storage devices It allows you to perform operations such as directory create and delete and file copy and display If an operation delete or overwrite for example may cause problems such as data loss or corruption the file s...

Page 982: ...ble in user view Display files or directories dir all file url Optional Available in user view Change the current path cd directory Optional Available in user view To do Use the command Remarks To do Use the command Remarks Remove a file to the recycle bin or delete it permanently delete unreserved file url Optional Available in user view Restore a file from the recycle bin undelete file url Optio...

Page 983: ...the storage device type and the serial number of the storage device The serial number is displayed in English letters such as a b or c If storage device partitioning is supported on the device the name of the partition device is composed of the physical device name and partition number The serial numbers of partitions are displayed in numbers such as 0 1 or 2 n Currently the storage device on an S...

Page 984: ...config cfg 2 drw Feb 16 2006 15 20 27 test 3 rw 184108 Feb 16 2006 15 30 20 aaa bin 14605 KB total 6890 KB free Create a new folder called mytest under the test directory Sysname cd test Sysname mkdir mytest Created dir flash test mytest Display the current working directory Sysname pwd flash test Display the files and the subdirectory under the test directory Sysname dir Directory of flash test 0...

Page 985: ...s configuration is stored in the flash It is removed when the device is rebooting Format of configuration file Configuration files are saved as text files They Save configuration in the form of commands Save only non default configuration settings List commands in sections by view in this view order system interface routing protocol and so on Sections are separated with one or multiple blank lines...

Page 986: ...y to lose the original configuration file if the device reboots or the power fails during the process Safe mode This is the mode when you use the save command with the safely keyword The mode saves the file slower but can retain the configuration file in the device even if the device reboots or the power fails during the process c CAUTION Device reboot or the power failure during configuration fil...

Page 987: ...e system sets the file as the main configuration file for next startup Erasing the Startup Configuration File With the configuration file erased your device will boot up with the default configuration next time it is powered on You may need to erase the configuration file for one of these reasons After you upgrade software the original configuration file does not match the new software The startup...

Page 988: ...startup c CAUTION The configuration file must use cfg as its extension name and the startup configuration file must be saved under the root directory of the device Backing up Restoring the Configuration File for Next Startup Backup restore function overview The backup restore function allows you to backup or restore a configuration file for next startup through operations at the CLI TFTP is used f...

Page 989: ...stored file exists Displaying and Maintaining Device Configuration n For detailed description of the display this and display current configuration commands refer to Displaying and Maintaining Device Management Configuration on page 1043 To do Use the command Remarks Restore the startup configuration file restore startup configuration from src addr filename Required Available in user view To do Us...

Page 990: ...990 CHAPTER 79 FILE SYSTEM MANAGEMENT CONFIGURATION ...

Page 991: ...ient model Your switch can function either as client or as server as shown in Figure 297 They work in the following way When the switch serves as the FTP client a PC user first telnets or connects to the switch through an emulation program then executes the ftp command to establish the connection to the remote FTP server and gain access to the files on the server If the remote FTP server supports ...

Page 992: ...kets The source address of the transmitted packets is selected following these rules If no source address of the FTP client is specified a device uses the IP address of the interface determined by the routing protocol as the source IP address to communicate with an FTP server If the source address is specified with the ftp client source or ftp command this source address is used to communicate wit...

Page 993: ...iew ftp open server address service port To do Use the command Remarks To do Use the command Remarks Log onto the remote FTP server directly in user view ftp ipv6 server address service port source ipv6 source ipv6 address i interface type interface number Use either approach Available in user view Log onto the remote FTP server indirectly in FTP client view ftp ipv6 open ipv6 server address servi...

Page 994: ...ptional Download a file from the FTP server get remotefile localfile Optional Upload a file to the FTP server put localfile remotefile Optional View the working directory of the remote FTP server pwd Optional Find the working path of the FTP client lcd Optional Create a directory on the FTP server mkdir directory Optional Set the data transfer mode to passive passive Optional Passive by default De...

Page 995: ... 1 Trying 10 1 1 1 Press CTRL K to abort Connected to 10 1 1 1 220 FTP service ready User 10 1 1 1 none abc 331 Give me your password please Password 331 Password required for abc Password 230 User logged in ftp binary 200 Type set to I ftp get aaa bin bbb bin 227 Entering Passive Mode 10 1 1 1 4 1 125 BINARY mode data connection already open transfer starting for aaa bin 226 Transfer complete FTP...

Page 996: ...ter This mode however consumes less memory space than the fast mode Follow these steps to configure the FTP server Configuring Authentication and Authorization for Accessing FTP Server To allow an FTP user to access certain directories on the FTP server you need to create an account for the user authorizing access to the directories and associating the username and password with the account Follow...

Page 997: ...the FTP server Configuration procedure 1 Configure Device FTP Server Create an FTP user account abc setting its password to pwd and setting the priority level to 3 Sysname system view Sysname local user abc Assign a password to the user password simple cipher password Required Assign the FTP service to the user service type ftp Required By default the system does not support anonymous FTP access a...

Page 998: ...cfg 1 Configure the PC FTP Client Upload the startup file to the FTP server and save it under the root directory of the FTP server c ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none abc 331 Password required for abc Password 230 User logged in ftp put aaa bin bbb bin n When upgrading the configuration file with FTP put the new file under the root directory After you finish ...

Page 999: ...e 1040 Displaying and Maintaining FTP To do Use the command Remarks Display the configuration of the FTP client display ftp client configuration Available in any view Display the configuration of the FTP server display ftp server Available in any view Display detailed information about logged in FTP users display ftp user Available in any view ...

Page 1000: ...1000 CHAPTER 80 FTP CONFIGURATION ...

Page 1001: ...d between client and server TFTP uses the UDP port 69 for data transmission For TFTP basic operation refer to RFC 1350 In TFTP file transfer is initiated by the client In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server In a normal file uploading process the client sends a write reque...

Page 1002: ... configuration file Multiple routes may exist for a TFTP client to successfully access the TFTP server You can specify one by configuring the source address of the packets from the TFTP client to meet the requirement of the security policy of the TFTP client You can configure the source address by configuring the source interface or source IP address The primary IP address configured on the source...

Page 1003: ...nd a configuration file config cfg to PC for backup Network diagram Figure 301 Smooth upgrading using the TFTP client function Configure the source address of the TFTP client tftp client source interface interface type interface number ip source ip address Optional A device uses the source address determined by the routing protocol to communicate with the TFTP server by default Return to user view...

Page 1004: ...0 0 Sysname Vlan interface1 return Download an application file aaa bin from the TFTP server Before that make sure that adequate memory is available Sysname tftp 1 2 1 1 get aaa bin bbb bin Upload a configuration file config cfg to the TFTP server Sysname tftp 1 2 1 1 put config cfg configback cfg You can use the boot loader command to specify the uploaded file as the main startup file for next st...

Page 1005: ...lems n By default the information center is enabled An enabled information center affects the system performance in some degree due to information classification and output Such impact becomes more obvious in the event that there is enormous information waiting for processing The information center of the system has the following features Classification of system information The system is availabl...

Page 1006: ...nings notifications 5 Normal information that needs to be noticed informational 6 Informational information to be recorded debugging 7 Information generated during debugging Table 77 Information channels and output destinations Information channel number Default channel name Default output destination 0 console Console Receives log trap and debugging information 1 monitor Monitor terminal Receives...

Page 1007: ...main Name System module ETH Ethernet module FTPS FTP Server module GARP Generic Attribute Registration Protocol module HABP 3Com Authentication Bypass Protocol module HWCM 3Com Configuration Management MIB module IFNET Interface management module IP Internet Protocol module ISIS Intermediate System to Intermediate System intra domain routing information exchange protocol module LAGG Link Aggregati...

Page 1008: ...in from aux0 What follows is a detailed explanation of the fields involved Priority The priority is calculated using the following formula facility 8 severity in which facility represents the logging facility name and can be configured when you set the log host parameters The facility ranges from local0 to local7 16 to 23 in decimal integers and defaults to local7 The facility is mainly used to ma...

Page 1009: ... Digest The digest field is a string of up to 32 characters outlining the system information Note that there is a colon between the digest and content fields Content This field provides the content of the system information Configuring Information Center Information Center Configuration Task List Complete the following tasks to configure information center Setting to Output System Information to t...

Page 1010: ...for the default output rules of system information Configure the format of the time stamp info center timestamp debugging log trap boot date none Optional The time stamp format for log trap and debugging information is date by default To do Use the command Remarks Table 79 Default output rules for different output destinations Output destination Modules allowed LOG TRAP DEBUG Enabled disabled Seve...

Page 1011: ...enter info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 77 for default channel names Configure the channel through which system information can be output to a monitor terminal info center monitor channel channel number channel name Optional System information is output to the ...

Page 1012: ...local number Required By default the system does not output information to a log host If you specify to output system information to a log host the system uses channel 2 loghost by default Configure the source interface through which log information can be output to a log host info center loghost source interface type interface number Optional No source interface is configured by default and the s...

Page 1013: ... command Remarks To do Use the command Remarks Enter system view system view Enable information center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 77 for default channel names Configure the channel through which system information can be output to the log buffer and spec...

Page 1014: ... command line prompt after system information output Enable information center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 77 for default channel names Configure the channel through which system information can be output to the SNMP NMS info center snmp channel channel n...

Page 1015: ...sure that there is a route between Device and PC 1 Configuring the device Enable information center Sysname system view Sysname info center enable To do Use the command Remarks Display channel information for a specified channel display channel channel number channel name Available in any view Display the configurations on each output destination display info center Available in any view Display t...

Page 1016: ... info center source ip channel loghost log level informational state on 2 Configuring the log host The following configurations were performed on SunOS 4 0 which has similar configurations to the Unix operating systems implemented by other vendors Step 1 Issue the following commands as a root user mkdir var log MyDevice touch var log MyDevice information Step 2 Edit the file etc syslog conf as a r...

Page 1017: ...use channel loghost to output log information optional loghost by default and specify local5 as the logging facility Sysname info center loghost 1 2 0 1 channel loghost facility local5 Disable the output of log trap and debugging information of all modules on the channel loghost Sysname info center source default channel loghost debug state off log state off trap state off c CAUTION As the default...

Page 1018: ...center loghost or info center source command otherwise the log information may not be output properly to the log host Step 3 After the log file information has been created and the etc syslog conf file has been modified issue the following commands to display the process ID of syslogd terminate a syslogd process and restart syslogd using the r option ps ae grep syslogd 147 kill 9 147 syslogd r n E...

Page 1019: ...then configure the output rule as needed so that unnecessary information will not be output Configure the information output rule allow log information of ARP and IP modules with severity equal to or higher than informational to be output to the console Sysname info center source arp channel console log level informational state on Sysname info center source ip channel console log level informatio...

Page 1020: ...1020 CHAPTER 82 INFORMATION CENTER CONFIGURATION ...

Page 1021: ...ls on page 1026 Displaying and Maintaining Basic Configurations on page 1027 Entering Exiting System View Follow these steps to enter exit system view n With the quit command you can return to the previous view You can execute the return command or press the hot key Ctrl Z to return to user view Configuring the Device Name Configuring the System Clock Configuring the system clock Follow these step...

Page 1022: ...ock timezone zone name add minus zone offset Set a summer time scheme clock summer time zone name one off start time start date end time end date add time clock summer time zone name repeating start time start date end time end date add time Table 80 Relationship between the configuration and display of the system clock Configuration System clock displayed by the display clock command Example 1 da...

Page 1023: ...00 00 zone time Sat 01 01 2005 Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2005 1 1 1 00 2005 8 8 2 Display 04 00 00 ss Sat 01 01 2005 If the value of the original system clock ÐÇ zone offset is in the summer time range the original system clock ÐÇ zone offset summer offset is displayed Configure clock datetime 1 00 2007 1 1 clock timezone zone time add 1 and clo...

Page 1024: ... input text together with the command keywords cannot exceed 510 characters The other is to input all the banner information in multiple lines by pressing the Enter key In this case up to 2000 characters can be input The latter input mode can be achieved in the following three ways Press the Enter key directly after the command keywords and end the setting with the character The Enter and characte...

Page 1025: ...ommand Ctrl D Deletes the character at the current cursor position Ctrl E Moves the cursor to the end of the current line Ctrl F Moves the cursor one character to the right Ctrl H Deletes the character to the left of the cursor Ctrl K Terminates an outgoing connection Ctrl N Displays the next command in the history command buffer Ctrl P Displays the previous command in the history command buffer C...

Page 1026: ...the user level is defaulted to 3 if no user level is specified You can switch to a lower user level unconditionally To switch to a higher user level however you need to enter the password needed The password can be set with the super password command If the entered password is incorrect or no password is configured the switch fails Therefore before switching to a higher user level you should confi...

Page 1027: ...ration Refer to the corresponding section for the display command for specific protocol and interface CLI Features This section covers the following topics Introduction to CLI on page 1028 Online Help with Command Lines on page 1028 Synchronous Information Output on page 1029 undo Form of a Command on page 1029 Edit Features on page 1029 CLI Display on page 1030 Saving History Commands on page 103...

Page 1028: ...he following are the types of online help available with the CLI Full help Fuzzy help To obtain the desired help information you can 1 Enter in any view to access all the commands in this view and brief description about them as well Sysname User view commands backup Backup next startup configuration file to TFTP server boot loader Set boot loader bootrom Update read backup restore bootrom cd Chan...

Page 1029: ...onous information output For the detailed description of this function refer to Configuring Synchronous Information Output on page 1014 undo Form of a Command Adding the keyword undo can form an undo command Almost every configuration command has the undo form undo commands are generally used to restore the system default disable a function or cancel a configuration For example the info center ena...

Page 1030: ...are several matches or no match at all the system does not modify the incomplete keyword and displays it again in the next line Table 83 Edit functions Key Function Table 84 Special characters in a regular expression Character Meaning Remarks Starting sign the string following it appears only at the beginning of a line Regular expression user matches a string begins with user not Auser Ending sign...

Page 1031: ...ws 9X HyperTerminal because they are defined in a different way You can use Ctrl P and Ctrl N instead Command Line Error Information The commands are executed only if they have no syntax error Otherwise error information is reported Table 86 lists some common errors Table 85 Display functions Action Function Press Space when information display pauses Continues to display information of the next s...

Page 1032: ...position The command was not found The keyword was not found Parameter type error The parameter value is beyond the allowed range Incomplete command found at position Incomplete command Ambiguous command found at position Ambiguous command Too many parameters Too many parameters Wrong parameter found at position Wrong parameter ...

Page 1033: ...evice responds by sending an ICMP echo reply to the source device after receiving the ICMP echo request 3 If there is network failure the source device displays timeout or destination unreachable 4 Display related statistics Output of the ping command includes Information on the destination s responses towards each ICMP echo request if the source device has received the ICMP echo reply within the ...

Page 1034: ...the source device the address of the second router 5 The above process continues until the ultimate destination device is reached In this way the source device can trace the addresses of all the routers that have been used to get to the destination device Introduction to System Debugging The device provides various debugging functions For the majority of protocols and features supported the system...

Page 1035: ... 2 3 OFF ON ON Debugging information Protocol debugging switch Screen output switch 1 3 1 2 3 1 3 To do Use the command Remarks Check whether a specified IP address can be reached ping ip a source ip c count f h ttl i interface type interface number m interval n p pad q r s packet size t timeout tos tos v remote system Optional Used in IPv4 network Available in any view ping ipv6 a source ipv6 c c...

Page 1036: ...nation device is 10 1 1 4 Display the routers used while packets are forwarded from the current device to the destination device Network diagram omitted here Configuration procedure Sysname tracert 10 1 1 4 traceroute to 10 1 1 4 30 hops max 40 bytes packet 1 128 3 112 1 19 ms 19 ms 0 ms 2 128 32 216 1 39 ms 39 ms 19 ms 3 128 32 136 23 39 ms 40 ms 39 ms 4 128 32 168 22 39 ms 39 ms 39 ms 5 128 32 1...

Page 1037: ...7 7 129 140 70 13 99 ms 99 ms 80 ms 8 129 140 71 6 139 ms 239 ms 319 ms 9 129 140 81 7 220 ms 199 ms 199 ms 10 10 1 1 4 239 ms 239 ms 239 ms The above output shows that nine routers are used from the source to the destination device ...

Page 1038: ...1038 CHAPTER 84 SYSTEM MAINTAINING AND DEBUGGING ...

Page 1039: ... Through the device management function you can view the current working state of a device configure running parameters and perform daily device maintenance and management Currently the following device management functions are available Rebooting a Device on page 1039 Specifying a Boot ROM File for the Next Device Boot on page 1040 Upgrading Boot ROM on page 1040 Clearing the 16 bit Interface Ind...

Page 1040: ... on the storage device you can specify a file for the next device boot by executing the following command Follow these steps to specify a file for the next device boot c CAUTION The file for the next device boot must be saved under the root directory of the device for a device supporting storage device partition the file must be saved on the first partition You can copy or move a file to change th...

Page 1041: ...sed up which will result in interface creation failures To avoid such a case you can clear all 16 bit interface indexes saved but not used in the current system in user view After the above operation For a re created interface the new interface index may not be consistent with the original one For existing interfaces their interface indexes remain unchanged Follow the step below to clear the 16 bi...

Page 1042: ...en to the storage device of a module during device debugging or test The information includes name of the module device serial number and vendor name or vendor name specified Diagnosing pluggable transceivers The system outputs alarm information for you to diagnose and troubleshoot faults of pluggable transceivers Optical transceivers customized by 3Com also support the digital diagnosis function ...

Page 1043: ...or all pluggable transceivers Display the currently measured value of the digital diagnosis parameters of the anti spoofing optical transceiver s customized by 3Com display transceiver diagnosis interface interface type interface number Available for anti spoofing pluggable optical transceiver s customized by 3Com only To do Use the command Remarks Display the Boot ROM file used for the next boot ...

Page 1044: ... Server luser aaa password cipher hello Configure the user to have access to the aaa directory FTP Server luser aaa service type ftp ftp directory flash aaa Configuration on Device c CAUTION If the size of the Flash on the device is not large enough delete the original application programs from the Flash before downloading Enter the following command in user view to log in to FTP Server Device ftp...

Page 1045: ...vice bootrom update security check enable Device quit Upgrade the Boot ROM file of the device Device bootrom update file boot btm Specify the application program for the next boot Device boot loader file aaa bin main Reboot the device The application program is upgraded after the reboot Device reboot Start to check configuration with next startup configuration file please wait This command will re...

Page 1046: ...1046 CHAPTER 85 DEVICE MANAGEMENT ...

Page 1047: ...roduction to NQA Network Quality Analyzer NQA analyzes network performance services and service quality through sending test packets and provides you with network performance and service quality parameters such as jitter TCP connection delay FTP connection delay and file transfer rate With the NQA test results you can 1 Know network performance in time and then take corresponding measures 2 Diagno...

Page 1048: ...ks between the application modules and the detection modules and is mainly used to obscure the difference of various detection modules to provide a unified interface for application modules The application modules then deal with the changes accordingly based on the status of the Track object and thus collaboration is implemented Take static routing as an example You have configured a static route ...

Page 1049: ...ber of packets sent in one probe depends on the probe packet number command For an FTP HTTP or DHCP test one probe means to carry out a corresponding function For an ICMP echo or UDP echo test one packet is sent in one probe For an SNMP test three packets are sent in one probe NQA client and server NQA client is the device initiating an NQA test and the NQA test group is created on the NQA client ...

Page 1050: ...eed to configure the NQA server on the peer device The NQA server makes a response to the request originated by the NQA client by listening to the specified destination address and port number Follow these steps to configure the NQA server Task Remarks Configuring the NQA Server on page 1050 Required for TCP UDP echo and UDP jitter tests Enabling the NQA Client on page 1051 Optional Creating an NQ...

Page 1051: ...ccording to the ICMP echo reply or timeout information Follow these steps to configure the ICMP echo test To do Use the command Remarks Enter system view system view Enable the NQA server nqa server enable Required Disabled by default Configure the UDP or TCP listening function on the NQA server nqa server tcp connect udp echo ip address port number Required The IP address and port number must be ...

Page 1052: ...ess is specified as the source IP address of ICMP probe requests If you use the source ip command to configure the source IP address of ICMP echo probe requests the source interface command is invalid The interface specified by this command must be up Otherwise the probe will fail Configure the source IP address of a probe request source ip ip address Optional By default no source IP address is sp...

Page 1053: ... FTP server and the time necessary for the FTP client to transfer a file to or download a file from the FTP server Configuration prerequisites Before the FTP test you need to perform some configurations on the FTP server For example you need to configure the username and password used to log onto the FTP server For the FTP server configuration refer to Configuring the FTP Server on page 996 Config...

Page 1054: ...ss of a probe request source ip ip address Required By default no source IP address is specified The source IP address must be that of an interface on the device and the interface must be up Otherwise the test will fail Configure the operation type operation get put Optional By default the operation type for the FTP is get that is obtaining files from the FTP server Configure a login username user...

Page 1055: ...st type as HTTP and enter test type view type http Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a test operation The destination IP address for a test operation is the IP address of the HTTP server Configure the source IP address of a probe request source ip ip address Optional By default n...

Page 1056: ... a test operation destination port port number Required By default no destination port number is configured for a test operation The destination port must be consistent with that of the existing listening service on the NQA server Specify the source port number for a request source port port number Optional By default no source port number is specified Configure the size of a probe packet sent dat...

Page 1057: ...ust be that of an interface on the device and the interface must be up Otherwise the test will fail Configure common optional parameters Refer to Configuring Optional Parameters Common to an NQA Test Group on page 1062 Optional To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test ty...

Page 1058: ...ional parameters Refer to Configuring Optional Parameters Common to an NQA Test Group on page 1062 Optional To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as TCP and enter test type view type tcp Required Configure the destination address for a test operation destination ...

Page 1059: ...address of a probe request in a test operation source ip ip address Optional By default no source IP address is specified The source IP address must be that of an interface on the device and the interface must be up Otherwise the test will fail Configure common optional parameters Refer to Configuring Optional Parameters Common to an NQA Test Group on page 1062 Optional To do Use the command Remar...

Page 1060: ...responding with the ASCII code 00 to 09 by default Specify a source port number for a probe request in a test operation source port port number Optional By default no source port number is specified Configure the source IP address of a probe request in a test operation source ip ip address Optional By default no source IP address is specified The source IP address must be that of an interface on t...

Page 1061: ... Configuration on page 931 Configure the source IP address of a probe request in a test operation source ip ip address Optional By default no source IP address is specified The source IP address must be that of an interface on the device and the interface must be up Otherwise the test will fail Configure common optional parameters Refer to Configuring Optional Parameters Common to an NQA Test Grou...

Page 1062: ...ction trap probe failure consecutive probe failures test complete test failure cumulate probe failures Optional No traps are sent to the network management server by default To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type view of a test group type dhcp dlsw ftp http icmp echo snmp tcp udp echo udp jitter Confi...

Page 1063: ...ot available for a UDP jitter test Configure the maximum number of history records that can be saved in a test group history records number Optional 50 by default Configure the maximum number of hops a probe packet traverses in the network ttl value Optional 20 by default This parameter is not available for a DHCP test Configure the ToS field in an IP packet header in an NQA probe packet tos value...

Page 1064: ... probe count 10 DeviceA nqa admin test icmp echo probe timeout 500 DeviceA nqa admin test icmp echo quit Enable the ICMP echo test operation DeviceA nqa schedule admin test start time now lifetime forever Display results of an ICMP echo test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 10 Receive response tim...

Page 1065: ...isplay results of one DHCP test SwitchA display nqa result admin test NQA entry admin admin tag test test results Send operation times 1 Receive response times 1 Min Max Average round trip time 624 624 624 Square Sum of round trip time 389376 Last succeeded probe time 2007 03 14 17 47 29 3 Extend results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to n...

Page 1066: ...e now lifetime forever Display results of an FTP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 173 173 173 Square Sum of round trip time 29929 Last succeeded probe time 2007 03 14 13 28 48 5 Extend results Packet lost in test 0 Failures due to tim...

Page 1067: ...lay results of an HTTP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 64 64 64 Square Sum of round trip time 4096 Last succeeded probe time 2007 03 27 13 40 36 2 Extend results Packet lost in test 0 Failures due to timeout 0 Failures due to disconn...

Page 1068: ...e forever Display results of a UDP jitter test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average round trip time 31 47 32 Square Sum of round trip time 10984 Last succeeded probe time 2007 04 29 20 05 49 1 Extend results Packet lost in test 0 Failures due to timeout 0 F...

Page 1069: ... public and the write community to private DeviceB system view DeviceB snmp agent sys info version all DeviceB snmp agent community read public DeviceB snmp agent community write private 2 Configurations on Device A Create an SNMP query test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type snmp DeviceA nqa admin test snmp dest...

Page 1070: ...view DeviceB nqa server enable DeviceB nqa server tcp connect 10 2 2 2 9000 2 Configure Device A Create a TCP test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type tcp DeviceA nqa admin test tcp destination ip 10 2 2 2 DeviceA nqa admin test tcp destination port 9000 DeviceA nqa admin test tcp quit Enable the TCP test DeviceA ...

Page 1071: ... server enable DeviceB nqa server udp echo 10 2 2 2 8000 2 Configure Device A Create a UDP echo test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type udp echo DeviceA nqa admin test udp echo destination ip 10 2 2 2 DeviceA nqa admin test udp echo destination port 8000 DeviceA nqa admin test udp echo quit Enable the UDP echo te...

Page 1072: ...min test type dlsw DeviceA nqa admin test dlsw destination ip 10 2 2 2 DeviceA nqa admin test dlsw quit Enable the DLSw test DeviceA nqa schedule admin test start time now lifetime forever Display results of one DLSw test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average ...

Page 1073: ...es unless otherwise specified Introduction to VRRP VRRP Overview Normally as shown in Figure 318 you can configure a default route with the gateway as the next hop for every host on a network segment allowing all packets destined to the other network segments to be sent over the default route to the gateway and then be forwarded by the gateway This enables hosts on a network segment to communicate...

Page 1074: ...RRP versions VRRPv2 and VRRPv3 VRRPv2 is based on IPv4 while VRRPv3 is based on IPv6 The two versions implement the same functions but provide different commands VRRP Standby Group Overview VRRP combines a group of switches including a master and multiple backups on a LAN into a virtual router called standby group The VRRP standby group has the following features A virtual router has an IP address...

Page 1075: ...When a switch acts as the IP address owner its priority remains 255 That is if there is an IP address owner in a standby group it acts as the master as long as it works properly Working mode A switch in a standby group can work in one of the following two modes Non preemption mode Once a switch in the standby group becomes the master it stays as the master as long as it operates normally even if a...

Page 1076: ...er If a backup switch receives no advertisements in three times the interval the backup switch regards itself as the master switch and sends VRRP advertisements to start a new master switch election VRRP preemption delay timer In an unstable network a backup switch may fail to receive the packets from the master switch due to network congestion thus causing the members in the group to change their...

Page 1077: ...s Number of virtual IP addresses for the standby group A standby group can have multiple virtual IP addresses Auth Type Authentication type 0 means no authentication 1 means simple authentication and 2 means MD5 authentication Adver Int Interval for sending advertisement packets in seconds The default is 1 Checksum 16 bit checksum for validating the data in VRRP packets IP Address Virtual IP addre...

Page 1078: ...al IPv6 addresses Auth Type Authentication type 0 means no authentication 1 means simple authentication VRRPv3 does not support MD5 authentication Adver Int Interval for sending advertisement packets in centiseconds The default is 100 Checksum 16 bit checksum for validating the data in VRRPv3 packets IPv6 Address Virtual IPv6 address entry of the standby group The allowed number is given by the Co...

Page 1079: ...g function expands the backup functionality of VRRP It provides backup not only when the interface to which a standby group is assigned fails but also when other interfaces on the switch become unavailable This is achieved by tracking interfaces When a monitored interface goes down the priority of the switch owning the interface is automatically decreased by a specified value allowing a higher pri...

Page 1080: ...e in multiple standby groups and hold a different priority in different group In Figure 323 three standby groups are present Standby group 1 Switch A is the master Switch B and Switch C are the backups Standby group 2 Switch B is the master Switch A and Switch C are the backups Standby group 3 Switch C is the master Switch A and Switch B are the backups For load balancing among Switch A Switch B a...

Page 1081: ...pes of association between virtual IP address and MAC address Virtual IP address is associated with virtual router MAC address By default a MAC address is created for a standby group after the standby group is created and the virtual IP address is associated with the virtual MAC address With such association adopted the hosts in the internal network need not update the association between IP addre...

Page 1082: ...ual IP address to be configured is in the same network segment as the IP address of the interface Configuration procedure Follow these steps to create standby group and configure virtual IP address c CAUTION The maximum number of standby groups on an interface and the maximum number of virtual IP addresses in a standby group vary by device A standby group is removed after you remove all the virtua...

Page 1083: ...ecide which switch in the standby group serves as the Master c CAUTION The priority of an IP address owner is always 255 and not configurable Interface tracking is not configurable to an IP address owner The priority of a device is restored if the state of the interface under tracking changes from down to up Configuring VRRP Packet Attributes Configuration prerequisites Before configuring the rele...

Page 1084: ...tandby groups send and receive VRRP packets vrrp vrid virtual router id authentication mode md5 simple key Optional Authentication is not performed by default Configure the time interval for the Master in the standby group to send VRRP advertisement vrrp vrid virtual router id timer advertise adver interval Optional 1 second by default Disable TTL check on VRRP packets vrrp un check ttl Optional E...

Page 1085: ...ter MAC address By default a MAC address is created for a standby group after the standby group is created and the virtual IPv6 address is associated with the virtual MAC address With such association adopted the hosts in the internal network need not update the association between IPv6 address and MAC address when the master switch changes Virtual IPv6 address is associated with real MAC address ...

Page 1086: ...ure Follow these steps to create standby group and configure its virtual IPv6 address c CAUTION The maximum number of standby groups on an interface and the maximum number of virtual IPv6 addresses in a standby group vary by device A standby group is removed after you remove all the virtual IPv6 addresses in it In addition configurations on that standby group no longer take effect To do Use the co...

Page 1087: ...ackets you should first create the standby group and configure the virtual IPv6 address Configuration procedure Follow these steps to configure VRRP packet attributes To do Use the command Remarks Enter system view system view Enter the specified interface view interface interface type interface number Configure the priority of the switch in the standby group vrrp ipv6 vrid virtual router id prior...

Page 1088: ...efault gateway Switch A and Switch B belong to standby group 1 with the virtual IP address of 202 38 160 111 24 If Switch A operates normally packets sent from Host A to Host B are forwarded by Switch A if Switch A fails packets sent from Host A to Host B are forwarded by Switch B Configure the authentication mode and authentication key when the standby groups send and transmit VRRP packets vrrp i...

Page 1089: ...160 111 Set the priority of Switch A in standby group 1 to 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 Set Switch A to work in preemption mode The preemption delay is five seconds SwitchA Vlan interface2 vrrp vrid 1 preempt mode timer delay 5 2 Configure Switch B Configure VLAN 2 SwitchB system view SwitchB vlan 2 SwitchB Vlan2 port GigabitEthernet 1 0 5 SwitchB vlan2 quit SwitchB interfa...

Page 1090: ... 5e00 0101 Master IP 202 38 160 1 Display detailed information of standby group 1 on Switch B SwitchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status UP State Backup Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 5 Auth Type NONE Virtual IP 202 38 160 111 Master IP 202 38...

Page 1091: ...oup 1 with the virtual IP address of 202 38 160 111 If Switch A operates normally packets sent from Host A to Host B are forwarded by Switch A if Switch A is in work but its VLAN interface 3 which connects to the Internet is not available packets sent from Host A to Host B are forwarded by Switch B Network diagram Figure 325 Network diagram for VRRP interface tracking Configuration procedure 1 Con...

Page 1092: ...SwitchB system view SwitchB vlan 2 SwitchB vlan2 port GigabitEthernet 1 0 5 SwitchB vlan2 quit SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 202 38 160 2 255 255 255 0 Create a standby group 1 and set its virtual IP address to 202 38 160 111 SwitchB Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Configure the authentication mode of the standby group to simple and aut...

Page 1093: ...he master Switch B is the backup and packets sent from Host A to Host B are forwarded by Switch A If Switch A is in work but when its interface VLAN interface 3 that connects to the Internet is not available you can still ping through Host B on Host A Use the display vrrp command to view the detailed information of the standby group If VLAN interface 3 on Switch A is not available the detailed inf...

Page 1094: ...by Group Configuration Example Network requirements In the segment 202 38 160 0 24 some hosts use 202 38 160 111 24 as their default gateway and some hosts use 202 38 160 112 24 as their default gateway Load sharing and mutual backup between default gateways can be implemented by using VRRP standby groups Network diagram Figure 326 Network diagram for multiple VRRP standby group configuration Conf...

Page 1095: ...interface2 ip address 202 38 160 2 255 255 255 0 Create a standby group 1 and set its virtual IP address to 202 38 160 111 SwitchB Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Create a standby group 2 and set its virtual IP address to 202 38 160 112 SwitchB Vlan interface2 vrrp vrid 2 virtual ip 202 38 160 112 Configure the priority of Switch B in standby group 2 to 110 SwitchB Vlan inter...

Page 1096: ...NE Virtual IP 202 38 160 112 Virtual MAC 0000 5e00 0102 Master IP 202 38 160 2 The above information indicates that in standby group 1 Switch A is the master Switch B is the backup and the host with the default gateway of 202 38 160 111 24 accesses the Internet through Switch A in standby group 2 Switch A is the backup Switch B is the master and the host with the default gateway of 202 38 160 112 ...

Page 1097: ...rface vlan interface 2 SwitchA Vlan interface2 ipv6 address fe80 1 link local SwitchA Vlan interface2 ipv6 address 1 1 64 Create a standby group 1 and set its virtual IP address to FE80 10 SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Set the priority of Switch A in standby group 1 to 110 SwitchA Vlan interface2 vrrp ipv6 vrid 1 priority 110 Set Switch A to work in preempt...

Page 1098: ...on Switch A SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE80 10 Virtual MAC 0000 5e00 0201 Master IP FE80 1 Display detailed information of standby group 1 on Swi...

Page 1099: ...2 The above information indicates that if Switch A fails Switch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B VRRP Interface Tracking Configuration Example Network requirements Host A needs to access Host B on the Internet using FE80 10 as its default gateway Switch A and Switch B belong to standby group 1 with the virtual IP address of FE80 10 If Switch A o...

Page 1100: ... simple and authentication key to hello SwitchA Vlan interface2 vrrp ipv6 vrid 1 authentication mode simpl e hello Set the VRRP advertisement interval to 500 centiseconds SwitchA Vlan interface2 vrrp ipv6 vrid 1 timer advertise 500 Set Switch A work in preemption mode The preemption delay is five seconds SwitchA Vlan interface2 vrrp ipv6 vrid 1 preempt mode timer delay 5 Set the interface to be tr...

Page 1101: ...n Switch A SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 500 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 5 Auth Type SIMPLE TEXT Key hello Track IF Vlan interface3 Pri Reduced 30 Virtual IP FE80 10 Virtual MAC 0000 5e00 0201 Master IP FE80 ...

Page 1102: ...rface VLAN interface 3 is not available the detailed information of standby group 1 on Switch B is displayed SwitchB Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 500 Admin Status UP State Master Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 5 Auth Type SIMPLE TEXT Key hello Vir...

Page 1103: ... and set its virtual IP address to FE80 10 SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Set the priority of Switch A in standby group 1 to 110 Switch Vlan interface2 vrrp ipv6 vrid 1 priority 110 Create standby group 2 and set its virtual IP address to FE80 20 SwitchA Vlan interface2 vrrp ipv6 vrid 2 virtual ip fe80 20 link local 2 Configure Switch B Configure VLAN 2 Swit...

Page 1104: ...isplay detailed information of the standby group on Switch A SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE80 10 Virtual MAC 0000 5e00 0201 Master IP FE80 1 Inter...

Page 1105: ... groups are commonly used in actual networking In IPv6 network you need to manually configure the default gateway for VRRP standby group to share load Troubleshooting VRRP Symptom 1 The console screen displays error prompts frequently Analysis This error is probably due to the inconsistent configuration of the other switch in the standby group or that a device is attempting to send illegitimate VR...

Page 1106: ...nfigurations are consistent in terms of number of virtual IP addresses virtual IP addresses advertisement interval and authentication Symptom 3 Frequent VRRP state transition Analysis The VRRP advertisement interval is set too short Solution Increase the interval to sent VRRP advertisement or introduce a preemption delay ...

Page 1107: ...cting as an SSH server the device supports two SSH versions SSH2 and SSH1 When acting as an SSH client the device supports SSH2 only Algorithm and Key Algorithm is a set of transformation rules for encryption and decryption Information without being encrypted is known as plain text while information that is encrypted is known as cipher text Encryption and decryption are performed using a string of...

Page 1108: ...rimary and secondary protocol version numbers constitute the protocol version number while the software version number is used for debugging The client receives and resolves the packet If the protocol version of the server is lower but supportable the client uses the protocol version of the server otherwise the client uses its own protocol version The client sends to the server a packet that conta...

Page 1109: ...e server informs the client by sending a message which includes a list of available methods for re authentication The client selects a method from the list to initiate another authentication The above process repeats until the authentication succeeds or the authentication times timeout and the session is torn down SSH provides two authentication methods password authentication and publickey authen...

Page 1110: ...ver decrypts and executes the command and then encrypts and sends the result to the client The client decrypts and displays the result on the terminal n During interactive session the client can send the commands to be performed by pasting the text which must be within 2000 bytes It is recommended that the text pasted be commands in the same view otherwise the server may not be able to perform the...

Page 1111: ...e corresponding authentication method with the authentication mode scheme command For a user interface configured to support SSH you cannot configure the authentication mode password command and the authentication mode none command Configuring RSA and DSA Keys Creating RSA or DSA key pairs For successful SSH login you must create the RSA or DSA key pairs first Follow these steps to create an RSA o...

Page 1112: ...A or DSA key pair Configuring a Client Public Key n This configuration task is only necessary for SSH users using publickey authentication To do Use the command Remarks Enter system view system view Create the local RSA key pair public key local create rsa Required Use either command By default there is neither RSA key pair nor DSA key pair Create the local DSA key pair public key local create dsa...

Page 1113: ...onfigure the client public key manually Importing a client public key from a public key file Follow these steps to import a public key from a public key file Configuring an SSH User This configuration allows you to create an SSH user and specify the service type and authentication method Follow these steps to configure an SSH user To do Use the command Remarks Enter system view System view Enter p...

Page 1114: ...therwise the client will fail to log in successfully The working folder of an SFTP user is subject to the user authentication method For a user using only password authentication the working folder is the AAA authorized one For a user using only publickey authentication or using both the publickey and password authentication methods the working folder is the one set by using the ssh user command T...

Page 1115: ...id malicious guess at and cracking of the keys and usernames securing your SSH connections Follow these steps to set the SSH management parameters n Authentication will fail if the number of authentication attempts including both publickey and password authentication exceeds that specified in the ssh server authentication retries command Configuring the Device as an SSH Client SSH Client Configura...

Page 1116: ...me authentication Disable first time authentication For successful authentication of an SSH client not supporting first time authentication the server host public key must be configured on the client and the public key name must be specified Follow these steps to disable first time authentication Task Remarks Specifying a Source IP address Interface for the SSH client on page 1116 Optional Configu...

Page 1117: ...support undo ssh client first time Optional By default first time authentication is supported on a client Configure the server public key Refer to Configuring a Client Public Key on page 1112 Configuring a Client Public Key on page 1112 Required The method of configuring server public key on the client is similar to that of configuring client public key on the server Specify the host public key na...

Page 1118: ...y the preferred key exchange algorithm encryption algorithms and HMAC algorithms for them ssh2 ipv6 server port number identity key dsa rsa prefer ctos ciphe r aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exch ange dh group1 dh group14 prefer stoc ciphe r aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 To do Use the command Remarks Display information about the publi...

Page 1119: ...n IP address for VLAN interface 1 This address will serve as the destination for the SSH client in connecting the server Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 40 255 255 255 0 Switch Vlan interface1 quit Set the authentication mode for the user interface to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfac...

Page 1120: ...cation type password Configure the SSH client n There are a variety of SSH client software such as PuTTY OpenSSH and so on The following is an example of configuring SSH client using PuTT v0 58 Establish a connection with the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 Figure 332 SSH client con...

Page 1121: ...t Set the authentication mode for the user interface to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interface to support SSH Switch ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit n Before performing the following tasks you must generate an RSA public key pair us...

Page 1122: ...click Generate Figure 334 Generate a client key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 335 Otherwise the process bar stops moving and the key pair generating process is stopped ...

Page 1123: ...ion Examples 1123 Figure 335 Generate a client key pair 2 After the key pair is generated click Save public key to save the key in a file by entering a file name key pub in this case Figure 336 Generate a client key pair 3 ...

Page 1124: ...t the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of the client Specify the private key file and establish a connection with the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 Figure 338 SSH client configurat...

Page 1125: ...lient Configuration Examples When Using Password Authentication Network requirements As shown in Figure 340 Switch A the SSH client needs to log on to Switch B the SSH server through the SSH protocol The username of the SSH client is client001 and the password is aabbcc Password authentication is required Network diagram Figure 340 Network diagram for SSH client configuration using password authen...

Page 1126: ...hod as password SwitchB ssh user client001 service type stelnet authentication type password 2 Configure the SSH client Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165 87 137 255 255 255 0 SwitchA Vlan interface1 quit Disable first time authentication SwitchA undo ssh client first time Configure the host ...

Page 1127: ... 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 Enter password Copyright c 2004 2008 3Com Corporation All rights reserved Without the owner s prior written consent no decompiling or reverse switch fabricering shall be allowed SwitchB When Using Publickey Authentication Network requirements As shown in Figure 341 Switch A the SSH client needs to log ...

Page 1128: ...e public key Switch001 for the user SwitchB ssh user client002 service type stelnet authentication type publickey assign publickey Switch001 2 Configure the SSH client Configure an IP address for Vlan interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165 87 137 255 255 255 0 SwitchA Vlan interface1 quit Generate a DSA key pair SwitchA public k...

Page 1129: ...SSH Client Configuration Examples 1129 SwitchB ...

Page 1130: ...1130 CHAPTER 88 SSH CONFIGURATION ...

Page 1131: ...isites You have configured the SSH server For the detailed configuration procedure refer to Configuring the Device as an SSH Server on page 1110 You have used the ssh user service type command to set the service type of SSH users to sftp or all For configuration procedure refer to Configuring an SSH User on page 1113 Enabling the SFTP Server This configuration task is to enable the SFTP service so...

Page 1132: ...s configuration task is to enable the SFTP client to establish a connection with the remote SFTP server and enter SFTP client view Follow these steps to enable the SFTP client To do Use the command Remarks Enter system view system view Configure the SFTP connection idle timeout period sftp server idle timeout time out value Required 10 minutes by default To do Use the command Remarks Enter system ...

Page 1133: ...dh group14 prefer stoc cipher aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Use either command in user view Establish a connection to the remote IPv6 SFTP server and enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher aes128...

Page 1134: ...tory from the SFTP server rmdir remote path 1 10 Optional To do Use the command Remarks To do Use the command Remarks Establish a connection to the remote SFTP server and enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher aes128 des prefe...

Page 1135: ...nd Remarks To do Use the command Remarks Establish a connection to the remote SFTP server and enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Execute the command in user view...

Page 1136: ... SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Create local user client001 SwitchB local user client001 SwitchB luser client001 password simple aabbcc SwitchB luser client001 service type ssh SwitchB luser client001 quit Set the SSH authentication method to password service type to SFTP SwitchB ssh user client001 service type sftp authentication type p assword n If you set the SSH ...

Page 1137: ... a long time Please wait File successfully Removed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Add a directory named new1 and check if it is created successfully sftp client mkdi...

Page 1138: ... uploaded successfully sftp client put pu puk Local file pu Remote file puk Uploading file successfully ended sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 noone nogrou...

Page 1139: ...P is an Ethernet ring specific link layer protocol It can not only prevent data loop from causing broadcast storm efficiently when the Ethernet ring is complete but also restore communication channels among nodes on the Ethernet ring rapidly when a link is torn down Compared with Spanning Tree Protocol STP RRPP features Expedited topology convergence Independent of the number of nodes on the Ether...

Page 1140: ...ring and only these ports can join this VLAN IP address configuration is prohibited on the ports of the control VLAN You can configure a control VLAN for the primary ring namely the primary control VLAN However the control VLAN of a sub ring namely the secondary control VLAN is assigned automatically by the system and its VLAN ID is the control VLAN ID of the primary ring plus 1 Data VLAN is a VLA...

Page 1141: ...ransfer of protocol packets and data packets over an RRPP ring As shown in Figure 343 Device A is the master node of Ring 1 Port 1 and port 2 are the primary port and the secondary port of the master node on Ring 1 respectively Device B Device C and Device D are the transit nodes of Ring 1 Their port 1 and port 2 are the primary port and the secondary port on Ring 1 respectively Common port and ed...

Page 1142: ...Type Description Health The master node initiates Health packets to detect the integrity of a ring in a network Link Down The transit node the edge node or the assistant edge node initiates Link Down packets to notify the master node the disappearance of a ring in case of a link failure Common Flush FDB The master node initiates Common Flush FDB packets to notify the transit nodes to update their ...

Page 1143: ...gs There are two or more rings in the network topology and only one common node between rings In this case you need define an RRPP domain for each ring Device A Device B Device C Device D Master node Transit node Domain1 Ring1 Transit node Transit node Ring 2 Ring 1 Device A Device B Device C Device E Domain 1 Transit node Device D Transit node Transit node Device F Master node Domain 2 Transit no...

Page 1144: ...igure 347 Dual homed rings There are two or more rings in the network topology and two similar common nodes between rings In this case you only need to define an RRPP domain and set one ring as the primary ring and other rings as sub rings Device A Device B Device C Device D Device E Edge node Master node Transit node Assistant edge node Domain 1 Ring 1 Ring 2 Master node Device A Device B Device ...

Page 1145: ...the master node will not receive Health packets after the timeout timer expires The master node will release the secondary port from blocking data VLAN while sending Common Flush FDB packets to notify all transit nodes to update their own MAC entries and ARP entries Link down alarm mechanism The transit node the edge node or the assistant edge node sends Link Down packets to the master node immedi...

Page 1146: ...h when the edge port is activated Protocols and Standards Related standard RFC 3619 RRPP Configuration Task List Complete the following tasks to configure RRPP c CAUTION It is recommended to configure the primary ring first and then the sub ring when you configure an RRPP domain Moreover a Ring ID cannot be applied to more than one RRPP ring in one RRPP domain If a device lies on multiple RRPP rin...

Page 1147: ...ccelerate topology convergence n If you need to transparently transmit RRPP packets on a device without enabling RRPP you should ensure only the two ports accessing an RRPP ring permits the packets of the control VLAN Otherwise the packets from other VLANs may go into the control VLAN in transparent transmission mode and strike the RRPP ring Do not set the default VLAN ID of a port accessing an RR...

Page 1148: ...gigabitethernet 1 0 2 Sysname GigabitEthernet1 0 2 link delay 0 Sysname GigabitEthernet1 0 2 quit Sysname rrpp domain 1 Sysname rrpp domain1 control vlan 4092 Sysname rrpp domain1 ring 1 node mode master primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 Sysname rrpp domain1 timer hello timer 2 fail timer 7 Sysname rrpp domain1 ring 1 enable Sysname rrpp domain1 quit S...

Page 1149: ...link delay 0 Sysname GigabitEthernet1 0 2 quit Sysname rrpp domain 1 Sysname rrpp domain1 control vlan 4092 Sysname rrpp domain1 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 Sysname rrpp domain1 ring 1 enable Sysname rrpp domain1 quit Sysname rrpp enable Configuring Edge Node Configuration Procedure Follow these steps to configure edge no...

Page 1150: ...econdary port Specify the device as the edge node of sub ring 2 in RRPP domain 1 GigabitEthernet 1 0 2 as a common port and GigabitEthernet 1 0 4 as an edge port Create an RRPP domain and enter its view rrpp domain domain id Required Specify a control VLAN for the RRPP domain control vlan vlan id Required Specify the current device as the transit node of the primary ring and specify the primary po...

Page 1151: ... these steps to configure assistant edge node c CAUTION The control VLAN configured for an RRPP domain must be a new one To do Use the command Remarks Enter system view system view Create an RRPP domain and enter its view rrpp domain domain id Required Specify a control VLAN for the RRPP domain control vlan vlan id Required Specify the current device as the transit node of the primary ring and spe...

Page 1152: ... GigabitEthernet1 0 1 link delay 0 Sysname GigabitEthernet1 0 1 quit Sysname interface gigabitethernet 1 0 2 Sysname GigabitEthernet1 0 2 link delay 0 Sysname GigabitEthernet1 0 2 quit Sysname interface gigabitethernet 1 0 4 Sysname GigabitEthernet1 0 4 link delay 0 Sysname GigabitEthernet1 0 4 quit Sysname rrpp domain 1 Sysname rrpp domain1 control vlan 4092 Sysname rrpp domain1 ring 1 node mode ...

Page 1153: ...d then perform the following configurations on a per device basis Create an RRPP domain Specify the control VLAN for the RRPP domain Specify the node mode of a device on the primary ring and the ports accessing the RRPP ring on the device Enable the RRPP ring Enable RRPP Configuration procedure 1 Perform the following configuration on Device A Device A system view DeviceA interface gigabitethernet...

Page 1154: ... view DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 link delay 0 DeviceD GigabitEthernet1 0 1 quit DeviceD interface gigabitethernet 1 0 2 DeviceD GigabitEthernet1 0 2 link delay 0 DeviceD GigabitEthernet1 0 2 quit Device D rrpp domain 1 Device D rrpp domain1 control vlan 4092 Device D rrpp domain1 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gi...

Page 1155: ... DeviceA GigabitEthernet1 0 1 link delay 0 DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 link delay 0 DeviceA GigabitEthernet1 0 2 quit Device A rrpp domain 1 Device A rrpp domain1 control vlan 4092 Device A rrpp domain1 ring 1 node mode master primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 Device A rrpp doma...

Page 1156: ...DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 link delay 0 DeviceD GigabitEthernet1 0 1 quit DeviceD interface gigabitethernet 1 0 2 DeviceD GigabitEthernet1 0 2 link delay 0 DeviceD GigabitEthernet1 0 2 quit Device D rrpp domain 1 Device D rrpp domain1 control vlan 4092 Device D rrpp domain1 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabite...

Page 1157: ...0 2 is the secondary port Device F is a transit node on primary ring 2 in RRPP domain 2 GigabitEthernet 1 0 1 is the primary port and GigabitEthernet 1 0 2 is the secondary port Use default values for timers on the primary ring in each domain Figure 351 Networking diagram for multi domain intersecting ring configuration Configuration considerations First determine the node roles on the primary rin...

Page 1158: ...pp domain2 quit Device B rrpp enable 3 Perform the following configuration on Device C Device C system view DeviceC interface gigabitethernet 1 0 1 DeviceC GigabitEthernet1 0 1 link delay 0 DeviceC GigabitEthernet1 0 1 quit DeviceC interface gigabitethernet 1 0 2 DeviceC GigabitEthernet1 0 2 link delay 0 DeviceC GigabitEthernet1 0 2 quit DeviceC interface gigabitethernet 1 0 3 DeviceC GigabitEther...

Page 1159: ...lowing configuration on Device F Device F system view DeviceF interface gigabitethernet 1 0 1 DeviceF GigabitEthernet1 0 1 link delay 0 DeviceF GigabitEthernet1 0 1 quit DeviceF interface gigabitethernet 1 0 2 DeviceF GigabitEthernet1 0 2 link delay 0 DeviceF GigabitEthernet1 0 2 quit Device F rrpp domain 2 Device F rrpp domain2 control vlan 4092 Device F rrpp domain2 ring 2 node mode transit prim...

Page 1160: ...1160 CHAPTER 90 RRPP CONFIGURATION ...

Page 1161: ... frame With port security you can define various port security modes to make a device learn only legal source MAC addresses so that you can implement different network security management as needed When a port security enabled device detects an illegal frame it triggers the corresponding port security feature and takes a pre defined action automatically This reduces your maintenance workload and g...

Page 1162: ...ss to the port is not restricted In this mode neither the NTK nor the intrusion protection feature is triggered autoLearn In this mode a port can learn a specified number of MAC addresses and save those addresses as secure MAC addresses It permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the mac address static command When the numb...

Page 1163: ... mode is the combination of the userLoginSecure and macAddressWithRadius modes with 802 1x authentication having a higher priority the port performs MAC authentication upon receiving non 8021 x frames and performs 802 1x authentication first upon receiving 802 1x frames If 802 1x authentication fails the port performs MAC authentication macAddressElseUs erLoginSecure This mode is the combination o...

Page 1164: ...ol method macbased and port access control mode auto MAC authentication disabled Port security cannot be disabled if there is any user present on a port n For configuration information about 802 1x authentication and MAC authentication refer to 802 1x Configuration on page 715 and MAC Authentication Configuration on page 739 Task Remarks Enabling Port Security on page 1164 Required Setting the Max...

Page 1165: ...ased and the port access control mode is auto MAC authentication is disabled Otherwise you will see an error message and your configuration will fail On the other hand after setting the port security mode on a port you cannot change any of the above configurations n With port security disabled you can configure the port security mode but your configuration does not take effect With port security e...

Page 1166: ...dentifier assigned by IEEE to a certain manufacturer You can configure multiple OUI values Enabling any other Port Security Mode Follow these steps to enable any other port security mode To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the autoLearn mode port security port mode autolearn Required By default a port...

Page 1167: ...ication mac else userlogin secure mac else userlogin secure ext secure userlogin userlogin secure userlogin secure ext userlogin secure or mac userlogin secure or mac ext Required By default a port operates in noRestrictions mode To do Use the command Remarks To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the...

Page 1168: ...ved in the configuration file are maintained even after the device restarts Ignoring the Authorization Information from the Server After an 802 1x user or MAC authenticated user passes RADIUS authentication the RADIUS server delivers the authorization information to the device You can configure a port to ignore the authorization information from the RADIUS server Follow these steps to configure a ...

Page 1169: ...edure 1 Configure port security Enable port security To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Ignore the authorization information from the RADIUS server port security authorization ignore Required By default a port uses the authorization information from the RADIUS server To do Use the command Remarks Display po...

Page 1170: ...nfiguration information Switch display port security interface gigabitethernet 1 0 1 Equipment port security is enabled Intrusion trap is enabled Disableport Timeout 30s OUI value GigabitEthernet1 0 1 is link up Port mode is autoLearn NeedToKnow mode is disabled Intrusion Protection mode is DisablePortTemporarily Max MAC address number is 64 Stored MAC address number is 0 Authorization is permitte...

Page 1171: ...rnet1 0 1 display interface gigabitethernet 1 0 1 GigabitEthernet1 0 1 current state Port Security Disabled IP Packet Frame Type PKTFMT_ETHNT_2 Hardware Address 000f cb00 5558 Description GigabitEthernet1 0 1 Interface The port should be re enabled 30 seconds later Switch GigabitEthernet1 0 1 display interface gigabitethernet 1 0 1 GigabitEthernet1 0 1 current state UP IP Packet Frame Type PKTFMT_...

Page 1172: ...entication 192 168 1 1 Switch radius radsun primary accounting 192 168 1 2 Set the IP addresses of the secondary authentication and accounting servers to 192 168 1 2 and 192 168 1 1 respectively Switch radius radsun secondary authentication 192 168 1 2 Switch radius radsun secondary accounting 192 168 1 1 Set the encryption key for the switch to use when interacting with the authentication server ...

Page 1173: ... security oui 1234 0100 1111 index 1 Switch port security oui 1234 0200 1111 index 2 Switch port security oui 1234 0300 1111 index 3 Switch port security oui 1234 0400 1111 index 4 Switch port security oui 1234 0500 1111 index 5 Switch interface gigabitethernet 1 0 1 Set the port security mode to userLoginWithOUI Switch GigabitEthernet1 0 1 port security port mode userlogin withoui 3 Verify the co...

Page 1174: ...rity is enabled Trap is disabled Disableport Timeout 20s OUI value Index is 1 OUI value is 123401 Index is 2 OUI value is 123402 Index is 3 OUI value is 123403 Index is 4 OUI value is 123404 Index is 5 OUI value is 123405 GigabitEthernet1 0 1 is link up Port mode is userLoginWithOUI NeedToKnow mode is disabled Intrusion Protection mode is NoAction Max MAC address number is not configured Stored MA...

Page 1175: ...ted information Switch display mac address interface gigabitethernet 1 0 1 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME s 1234 0300 0011 1 Learned GigabitEthernet1 0 1 AGING 1 mac address es found Port Security Configuration for macAddressElseUserLogi nSecure Mode Network requirements The client is connected to the switch through GigabitEthernet 1 0 1 The switch authenticates the client by the RAD...

Page 1176: ...o 64 Switch GigabitEthernet1 0 1 port security max mac count 64 Set the port security mode to macAddressElseUserLoginSecure Switch GigabitEthernet1 0 1 port security port mode mac else userlogin secure Set the NTK mode of the port to ntkonly Switch GigabitEthernet1 0 1 port security ntk mode ntkonly 3 Verify the configuration After completing the above configurations you can use the following comm...

Page 1177: ...authentication information Switch display dot1x interface gigabitethernet 1 0 1 Equipment 802 1X protocol is enabled CHAP authentication is enabled Configuration Transmit Period 30 s Handshake Period 15 s Quiet Period 60 s Quiet Period Timer is disabled Supp Timeout 30 s Server Timeout 100 s The maximal retransmitting times 2 The maximum 802 1X user resource number is 1024 per slot Total current u...

Page 1178: ...om Cannot configure secure MAC addresses Switch GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 Error Can not operate security MAC address for current port mode is not autoLearn Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn Solution Set the port security mode to autoLearn Switch GigabitEthernet1 0 1 undo port ...

Page 1179: ...tion Use the cut command to forcibly disconnect the user from the port before changing the port security mode Switch GigabitEthernet1 0 1 cut connection interface gigabitethernet 1 0 1 Switch GigabitEthernet1 0 1 undo port security port mode ...

Page 1180: ...1180 CHAPTER 91 PORT SECURITY CONFIGURATION ...

Page 1181: ...ode LLDP can operate in one of the following modes TxRx mode A port in this mode sends and receives LLDPDUs Tx mode A port in this mode only sends LLDPDUs Rx mode A port in this mode only receives LLDPDUs Disable mode A port in this mode does not send or receive LLDPDUs LLDP is initialized when an LLDP enabled port changes to operate in another LLDP operating mode To prevent LLDP from being initia...

Page 1182: ...expression TTL multiplier LLDPDU sending interval You can set the TTL by configuring the TTL multiplier Note that the TTL can be up to 65535 seconds TTLs longer than it will be rounded off to 65535 seconds TLV Types TLVs encapsulated in LLDPDUs fall into these categories basic TLV organization defined TLV and MED media endpoint discovery related TLV Basic TLVs are the base of device management Org...

Page 1183: ...the LLDP MED TLVs that can be encapsulated in LLDPDUs Network policy TLV which carries port VLAN ID supported applications such as voice and video services application priority and the policy adopted Extended power via MDI TLV which carries the information about the power supply capability of the current device Hardware revision TLV which carries the hardware version of an MED device Firmware revi...

Page 1184: ...LDP Follow these steps to enable LLDP Task Remarks Basic LLDP configuration Enabling LLDP on page 1184 Required Setting LLDP Operating Mode on page 1185 Optional Configuring LLDPDU TLVs on page 1185 Optional Enable LLDP Polling on page 1186 Optional Configuring the Parameters Concerning LLDPDU Sending on page 1186 Optional Configuring LLDP Trap on page 1188 Optional To do Use the command Remarks E...

Page 1185: ... Optional TxRx by default To do Use the command Remarks Enter system view system view Set the TTL multiplier lldp hold multiplier value Optional 4 by default Enter Ethernet interface view port group view Enter Ethernet interface view interface interface type interface number Either of the two is required Configuration performed in Ethernet interface view applies to the current port only configurat...

Page 1186: ... Follow these steps to enable LLDP polling Configuring the Parameters Concerning LLDPDU Sending Configuring time related parameters Follow these steps to set time related parameters Specify the management address and specify to send the management address through LLDPDUs lldp management address tlv ip address Optional By default the management address is sent through LLDPDUs and the management add...

Page 1187: ...DUs in SNAP encapsulation and processes only SNAP encapsulated incoming LLDPDUs Follow these steps to configure the encapsulation format for LLDPDUs To do Use the command Remarks Enter system view System view Set the interval to send LLDPDUs lldp timer tx interval value Optional 30 seconds by default Set the delay period to send LLDPDUs lldp timer tx delay value Optional 2 seconds by default To do...

Page 1188: ...view Enter Ethernet interface view interface interface type interface number Either of the two is required Configuration performed in Ethernet interface view applies to the current port only configuration performed in port group view applies to all the ports in the corresponding port group Enter port group view port group aggregation agg id manual port group name Enable LLDP trap sending lldp noti...

Page 1189: ...work diagram Figure 354 Network diagram for LLDP configuration Configuration procedure 1 Configure Switch A Enter system view SwitchA system view Enable LLDP globally SwitchA lldp enable Enable LLDP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 setting the LLDP operating mode to Rx Display LLDP status of a port display lldp status interface interface type interface number Available in any vie...

Page 1190: ...ion Display the global LLDP status and port LLDP status on Switch A SwitchA display lldp status Global status of LLDP Enable The current number of neighbors 2 Neighbor information last changed time 0 days 0 hours 4 minutes 40 seconds Transmit interval 30s Hold multiplier 4 Reinit delay 2s Transmit delay 2s Trap interval 5s Fast start times 3 Port 0 GigabitEthernet1 0 1 Port status of LLDP Enable A...

Page 1191: ...ay 2s Trap interval 5s Fast start times 3 Port 0 GigabitEthernet1 0 1 Port status of LLDP Enable Admin status Rx_Only Trap flag No Roll time 0s Number of neighbors 1 Number of MED neighbors 1 Number of sent optional TLV 0 Number of received unknown TLV 5 Port 1 GigabitEthernet1 0 2 Port status of LLDP Enable Admin status Rx_Only Trap flag No Roll time 0s Number of neighbors 0 Number of MED neighbo...

Page 1192: ...1192 CHAPTER 92 LLDP CONFIGURATION ...

Page 1193: ...Power over Ethernet PoE means that power sourcing equipment PSE supplies power to powered devices PD such as IP telephone wireless LAN access point and web camera from Ethernet interfaces through twisted pair cables Advantages Reliable Power is supplied in a centralized way so that it is very convenient to provide a backup power supply Easy to connect A network terminal requires only one Ethernet ...

Page 1194: ...igure a PoE interface in either of the following two ways Adopting the command line Configuring a PoE configuration file and applying the file to the specified PoE interface s Usually you can adopt the command line to configure a single PoE interface and adopt a PoE configuration file to configure multiple PoE interfaces at the same time c CAUTION You can adopt either mode to configure modify or d...

Page 1195: ...iew interface interface type interface number Enable PoE poe enable Required Disabled by default Configure the maximum power for the PoE interface poe max power max power Optional 15 400 milliwatts by default Configure the PoE mode for the PoE interface poe mode signal Optional signal power over signal cables by default Configure a description for the PD connected to the PoE interface poe pd descr...

Page 1196: ...f the PSE power is overloaded Under the control of a priority policy the PD with a lower priority is first powered off to guarantee the power supply to the new PD with a higher priority when the PSE power is overloaded n If the sudden increase of the power of the PD results in PSE power overload power supply to the PD on the PoE interface with a lower priority will be stopped If the guaranteed rem...

Page 1197: ...es the PSE processing software and reloads it When the PSE processing software is damaged in this case you can execute none of PoE commands successfully you can upgrade the PSE software processing software in full mode to restore the PSE function To do Use the command Remarks Enter system view system view Configure the power priority for a PoE interface Configure the power priority for the PoE int...

Page 1198: ... you adjust the PD disconnection detection mode when the device is running the connected PDs will be powered off Therefore be cautious to do so Enabling the PSE to Detect Nonstandard PDs There are standard PDs and nonstandard PDs Usually the PSE can detect only standard PDs and supply power to them The PSE can detect nonstandard PDs and supply power to them only after the PSE is enabled to detect ...

Page 1199: ...gabitEthernet 1 0 12 Sysname system view Sysname interface GigabitEthernet 1 0 1 To do Use the command Remarks Display the mapping between ID module and slot of all PSEs display poe device Available in any view Display the power state and information of the specified PoE interface display poe interface interface type interface number Display the power information of a PoE interface s display poe i...

Page 1200: ...rnet1 0 11 poe max power 9000 Sysname GigabitEthernet1 0 11 quit After the configuration takes effect the IP phone and AR device are powered and can work normally Troubleshooting PoE Symptom 1 Setting of the priority of a PoE interface to critical fails Analysis The guaranteed remaining power of the PSE is lower than the maximum power of the PoE interface The priority of the PoE interface is alrea...

Page 1201: ...em by removing the original configurations of those configurations In the second case you need to modify some configurations in the PoE configuration file In the third case you need to remove the application of the undesired PoE configuration file to the PoE interface ...

Page 1202: ...1202 CHAPTER 93 POE CONFIGURATION ...

Page 1203: ...rom an sFlow enabled port Time based sampling Samples interface statistics at a specified interval from an sFlow enabled port The sFlow system involves an sFlow agent embedded in a device and a remote sFlow collector The sFlow agent collects traffic from the sFlow enabled ports encapsulates the information into sFlow packets and sends the packets to the sFlow collector The sFlow collector analyzes...

Page 1204: ...n sFlow collector with IP address 3 3 3 2 and port number 6343 and is connected to Switch through GigabitEthernet 1 0 3 To do Use the command Remarks Enter system view system view Configure an IP address for the sFlow agent sflow agent ip ip address Required Not configured by default Specify the IP address and port number of the sFlow collector sflow collector ip ip address port port num Required ...

Page 1205: ...and port number of the sFlow collector Switch sflow collector ip 3 3 3 2 Set the sFlow interval to 30 seconds Switch sflow interval 30 Enable sFlow in both the inbound and outbound directions on GigabitEthernet 1 0 1 Switch interface GigabitEthernet 1 0 1 Switch GigabitEthernet1 0 1 sflow enable both Specify the traffic sampling rate Switch GigabitEthernet1 0 1 sflow sampling rate 100000 Display t...

Page 1206: ...ferent from that of the remote sFlow collector No IP address is configured for the Layer 3 interface on the device or the IP address is configured but the UDP packets with the IP address being the source cannot reach the sFlow collector The physical link between the device and the sFlow collector fails Solution 1 Check whether sFlow is correctly configured by displaying sFlow configuration with th...

Page 1207: ...ent through certificates with the authentication of the client being optional Reliability SSL uses key based message authentication code MAC to verify message integrity As shown in Figure 357 the SSL protocol consists of two layers of protocols the SSL record protocol at the lower layer and the SSL handshake protocol change cipher spec protocol and alert protocol at the upper layer Figure 357 SSL ...

Page 1208: ...ciated with an application layer protocol HTTP protocol for example Configuration Prerequisites Before configuring an SSL server policy you must configure a PKI public key infrastructure domain Configuration Procedure Follow these steps to configure an SSL server policy Task Remarks Configuring an SSL Server Policy on page 1208 Required Configuring an SSL Client Policy on page 1210 Optional To do ...

Page 1209: ...e for the switch Create a PKI entity named en and configure it Sysname system view Sysname pki entity en Sysname pki entity en common name http server1 Sysname pki entity en fqdn ssl security com Sysname pki entity en quit Create a PKI domain and configure it Sysname pki domain 1 Sysname pki domain 1 ca identifier ca1 Sysname pki domain 1 certificate request url http 10 1 2 2 certsrv mscep mscep d...

Page 1210: ... client verify enable Sysname ssl server policy myssl quit 3 Associate HTTPS service with the SSL server policy and enable HTTPS service Configure HTTPS service to use SSL server policy myssl Sysname ip https ssl server policy myssl Enable HTTPS service Sysname ip https enable 4 Verify your configuration Launch IE on the host and enter https 10 1 1 1 in the address bar You should be able to log in...

Page 1211: ...t trusted The cipher suites used by the server and the client do not match Solution 1 You can issue the debugging ssl command and view the debugging information to locate the problem 2 If the SSL server has no certificate request one for it To do Use the command Remarks Enter system view system view Create an SSL client policy and enter its view ssl client policy policy name Required Specify a PKI...

Page 1212: ...lient trusts 4 If the SSL server is configured to authenticate the client but the certificate of the SSL client does not exist or cannot be trusted request and install a certificate for the client 5 You can use the display ssl server policy command to view the cipher suite used by the SSL server policy If the cipher suite used by the SSL server does not match that used by the client use the cipher...

Page 1213: ...e device in the following ways Uses the SSL protocol to ensure the legal clients to access the device securely and prohibit the illegal clients Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security management of the device Defines certificate attribute based access control policy for the device to control the acces...

Page 1214: ... the HTTPS service is enabled you can use the display ip https command to view the state of the HTTPS service and verify the configuration Enabling of the HTTPS service will trigger an SSL handshake negotiation process During the process if the local certificate of the device already exists the SSL negotiation is successfully performed and the HTTPS service can be started normally If no local cert...

Page 1215: ...t least one permit rule Otherwise no HTTPS client can log onto the device For the configuration of an SSL server policy refer to PKI Configuration on page 1219 Associating the HTTPS Service with an ACL Associating the HTTPS service with an ACL can filter out requests from some clients to let pass only clients that pass the ACL filtering Follow these steps to associate the HTTPS service with an ACL...

Page 1216: ... pki entity en Switch pki entity en common name http server1 Switch pki entity en fqdn ssl security com Switch pki entity en quit Configure a PKI domain Switch pki domain 1 Switch pki domain 1 ca identifier ca1 Switch pki domain 1 certificate request url http 10 1 2 2 8080 certsrv mscep mscep dll Switch pki domain 1 certificate request from ra Switch pki domain 1 certificate request entity en Swit...

Page 1217: ...rtificate access control policy myacp Switch pki cert acp myacp rule 1 permit mygroup1 Switch pki cert acp myacp quit 4 Reference an SSL server policy Associate the HTTPS service with the SSL server policy myssl Switch ip https ssl server policy myssl 5 Associate the HTTPS service with a certificate attribute access control policy Associate the HTTPS service with a certificate attribute access con...

Page 1218: ...1218 CHAPTER 96 HTTPS CONFIGURATION ...

Page 1219: ... certificates use certificates and revoke certificates By leveraging digital certificates and relevant services like certificate distribution and blacklist publication PKI supports authentication the entities involved in communication and thus guaranteeing the confidentiality integrity and non repudiation of data PKI Terms Digital certificate A digital certificate is a file signed by a certificate...

Page 1220: ...ests and in issuing revoking and publishing CRLs Usually a CA advertises its policy in the form of certification practice statement CPS which can be acquired through out of band means such as phone disk and e mail or through other means Since different CAs may use different methods to check the binding of a public key with an entity make sure that you understand the CA policy before selecting a tr...

Page 1221: ... data communication network built over the public communication infrastructure A VPN can leverage network layer security protocols for instance IPSec in conjunction with PKI based encryption and digital signature technologies for confidentiality Secure E mail E mails also require confidentiality integrity authentication and non repudiation PKI can address these needs The secure E mail protocol tha...

Page 1222: ...America Fully qualified domain name FQDN of the entity a unique identifier of an entity on the network It consists of a host name and a domain name and can be resolved to an IP address For example www whatever com is an FQDN where www is a host name and whatever com a domain name IP address of the entity Locality where the entity resides Organization to which the entity belongs Unit of the entity ...

Page 1223: ... To do Use the command Remarks Enter system view system view Create an entity and enter its view pki entity entity name Required No entity exists by default Configure the common name for the entity common name name Optional No common name is specified by default Configure the country code for the entity country country code str Optional No country code is specified by default Configure the FQDN fo...

Page 1224: ...s signed You can configure the polling interval and count to query the request status IP address of the LDAP server An LDAP server is usually deployed to store certificates and CRLs If this is the case you need to configure the IP address of the LDAP server Fingerprint for root certificate validation Upon receiving the root certificate of the CA an entity needs to validate the fingerprint of the r...

Page 1225: ... a Certificate Request in Manual Mode In manual mode you need to retrieve a CA certificate generate a local RSA key pair and submit a local certificate request for an entity The goal of retrieving a CA certificate is to verify the authenticity and validity of a local certificate Configure the URL of the server for certificate request certificate request url url string Required No URL is configured...

Page 1226: ...certificate use the pki delete certificate command to delete the existing local certificate and the CA certificate stored locally When it is impossible to request a certificate from the CA through SCEP you can save the request information by using the pki request certificate domain command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means Make sure the ...

Page 1227: ...tificate first The pki retrieval certificate configuration will not be saved in the configuration file Configuring PKI Certificate Validation A certificate needs to be validated before being used Validating a certificate is to check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked Before validating a certificate you need to retrieve the CA cert...

Page 1228: ... CRL distribution point URL is specified by default Set the CRL update period crl update period hours Optional By default the CRL update period depends on the next update field in the CRL file Enable CRL checking crl check enable Optional Enabled by default Return to system view quit Retrieve the CA certificate Refer to Retrieving a Certificate Manually on page 1226 Required Retrieve CRLs pki retr...

Page 1229: ...lete certificate ca local domain domain name Required To do Use the command Remarks Enter system view system view Create a certificate attribute group and enter its view pki certificate attribute groupgroup name Required No certificate attribute group exists by default Configure an attribute rule for the certificate issuer name certificate subject name or alternative subject name attribute id alt ...

Page 1230: ...device submits a local certificate request to the CA server The device acquires the CRLs for certificate validation Network diagram Figure 361 Diagram for configuring a PKI entity to request a certificate from a CA Configuration procedure On the CA server complete the following configurations 1 Create a CA server named myca In this example you need to configure theses basic attributes on the CA se...

Page 1231: ...ion make sure that the system clock of the device is synchronous to that of the CA allowing the device to request certificates and retrieve CRLs properly On the Switch perform the following configurations 4 Configure the entity DN Configure the entity name as aaa and the common name as Switch Switch system view Switch pki entity aaa Switch pki entity aaa common name Switch Switch pki entity aaa qu...

Page 1232: ... The trusted CA s finger print is MD5 fingerprint EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct Y N y Saving CA RA certificates chain please wait a moment CA certificates retrieval success Retrieve CRLs and save them locally Switch pki retrieval crl domain torsa Connecting to server for retrieving CRL Please w...

Page 1233: ...4 133 447 myca crl Signature Algorithm sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands to vie...

Page 1234: ...up mygroup1 and add two attribute rules The first rule defines that the DN of the subject name includes the string aabbcc and the second rule defines that the IP address of the certificate issuer is 10 0 0 1 Switch pki certificate attribute group mygroup1 Switch pki cert attribute group mygroup1 attribute 1 subject name dn ctn aabbcc Switch pki cert attribute group mygroup1 attribute 2 issuer name...

Page 1235: ...yacp to HTTPS service Switch ip https certificate access control policy myacp Enable HTTPS service Switch ip https enable Troubleshooting PKI Failed to Retrieve a CA Certificate Symptom Failed to retrieve a CA certificate Analysis Possible reasons include these The network connection is not proper For example the network cable may be damaged or loose No trusted CA is specified The URL of the enrol...

Page 1236: ...r Retrieve a CA certificate Regenerate a key pair Specify a trusted CA Use the ping command to check that the RA server is reachable Configure the RA for certificate request Configure the required entity DN parameters Failed to Retrieve CRLs Symptom Failed to retrieve CRLs Analysis Possible reasons include these The network connection is not proper For example the network cable may be damaged or l...

Page 1237: ...rack module and the detection modules These modules collaborate with one another through collaboration objects That is the detection modules trigger the application modules to perform certain operations through the Track module More specifically the detection modules probe the link status network performance and so on and inform the application modules of the detection result through the Track mod...

Page 1238: ... modules to deal with the change accordingly At present the application modules that can collaborate with the Track module include VRRP Static routing Track Configuration Task List To implement the collaboration function you need to establish collaboration between the Track module and the detection modules and between the Track module and the application modules Complete these tasks to configure T...

Page 1239: ... the master the backup working in the switchover mode will switch to the master immediately to maintain normal communication Configuration prerequisites Before configuring VRRP to monitor a Track object you need to create a VRRP group on an interface and configure the virtual IP address of the VRRP group Configuration procedure Follow these steps to configure Track VRRP collaboration To do Use the...

Page 1240: ...nreachable and the configured static route is invalid Follow these steps to configure the Track Static Routing collaboration n For the configuration of Track Static Routing collaboration the specified static route can be an existent or nonexistent one For an existent static route the static route and the specified Track object are associated directly for a nonexistent static route the system creat...

Page 1241: ...ork diagram Figure 364 Network diagram for VRRP Track NQA collaboration configuration Configuration procedure 1 Configure the IP address of each interface as shown in Figure 364 2 Configure an NQA test group on Switch A SwitchA system view Create an NQA test group with the administrator name admin and the operation tag test SwitchA nqa entry admin test Configure the test type as ICMP echo To do Us...

Page 1242: ... the operation tag test SwitchA track 1 nqa entry admin test reaction 1 4 Configure VRRP on Switch A Create VRRP group 1 and configure the virtual IP address 10 1 1 10 for the group SwitchA interface vlan interface 2 SwitchA Vlan interface2 vrrp vrid 1 virtual ip 10 1 1 10 Set the priority of Switch A in VRRP group 1 to 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 Set the authentication mo...

Page 1243: ... Host A and you can see that Host B is reachable Use the display vrrp command to view the configuration result Display detailed information about VRRP group 1 on Switch A SwitchA Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mo...

Page 1244: ...ckup Config Pri 110 Run Pri 80 Preempt Mode YES Delay Time 5 Auth Type SIMPLE TEXT Key hello Track Object 1 Pri Reduced 30 Virtual IP 10 1 1 10 Master IP 10 1 1 2 Display detailed information about VRRP group 1 on Switch B when there is a fault on the link between Switch A and Switch C SwitchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enab...

Page 1245: ...iguration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration Protocol GE Gigabit Ethernet GVRP GARP VLAN Registration Protocol GMRP GARP Multicast Registration Protocol H Switch Clustering 3Com Group Management Protocol I IAB Internet Architecture Board ICMP Internet Control Message ...

Page 1246: ...KI Public Key Infrastructure Q QoS Quality of Service R RIP Routing Information Protocol RMON Remote Network Monitoring RSTP Rapid Spanning Tree Protocol S SNMP Simple Network Management Protocol SP Strict Priority SSL Secure Socket Layer STP Spanning Tree Protocol T TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol ToS Type of Service TTL Time To Live U UD...

Reviews:

No comments

Related manuals for 4800G Series

IBM TotalStorage SAN16M-R SAN Installation And Service Manual preview
TotalStorage SAN16M-R SAN
Brand: IBM Pages: 116
Hawking CF100W Specifications preview
CF100W
Brand: Hawking Pages: 2
ekwb EK-FC1080 GTX Ti TF6 Installation Manual preview
EK-FC1080 GTX Ti TF6
Brand: ekwb Pages: 2
Patton electronics 6103 User Manual preview
6103
Brand: Patton electronics Pages: 12
Abocom PLS342 Specification Sheet preview
PLS342
Brand: Abocom Pages: 2
ZALMAN CNPS5700D-Cu User Manual preview
CNPS5700D-Cu
Brand: ZALMAN Pages: 7
Advantech 3718HG User Manual preview
3718HG
Brand: Advantech Pages: 68
PairGain T1L2N20A Manual preview
T1L2N20A
Brand: PairGain Pages: 80
RTS AIO-8 Drawings Manual preview
AIO-8
Brand: RTS Pages: 3
Alesis QuadraVerb 2 Setting Up preview
QuadraVerb 2
Brand: Alesis Pages: 11
CyberPower CyberPower RMCARD201 Quick Install Manual preview
CyberPower RMCARD201
Brand: CyberPower Pages: 8
NXP Semiconductors MSC8113 Reference Manual preview
MSC8113
Brand: NXP Semiconductors Pages: 1202
DPS Telecom D-PK-NG432 User Manual preview
D-PK-NG432
Brand: DPS Telecom Pages: 80
Genexis FiberTwist XGS2410 Installation Manual preview
FiberTwist XGS2410
Brand: Genexis Pages: 7
ADLINK Technology aTCA-9710 User Manual preview
aTCA-9710
Brand: ADLINK Technology Pages: 86
E-Lins H820Q Series Quick Start Manual preview
H820Q Series
Brand: E-Lins Pages: 10
Nortel Passport 8608GTE Specifications preview
Passport 8608GTE
Brand: Nortel Pages: 10
JOBO Lift CPE-3 Operating Instruction preview
Lift CPE-3
Brand: JOBO Pages: 12

Brands by name

Popular brands

Load more brands