3Com 8800 SERIES Configuration Manual Download

Page: 742 / 773

3Com Switch 8800 Configuration Guide

Chapter 50 SSH Terminal Service

50-4

Num

Item

Command

Description

Entering VTY type of user
interface view

[SW8800]

user-interface

vty

X X

–

Configure the protocol
supported by current user
interface

[SW8800-ui-vtyX-X]

protocol inbound

{

all

ssh

telnet

}

Optional

Returning to system view

[SW8800-ui-vtyX-X] quit

–

Generating a local RSA
key pair

[SW8800]

rsa

local-key-pair create

Destroying a local RSA
key pair

[SW8800]

rsa

local-key-pair destroy

Required

Configure the SSH user
authentication mode

[SW8800]

ssh user

username

authentication-type

{

password

rsa

password-publickey

all

}

Required

By default,
users are
unable to log
in.

Configure the updating
cycle of the server key

[SW8800]

ssh server

rekey-interval hours

Optional

By default, the
system does
not update the
server key.

Configure the SSH
authentication timeout

[SW8800]

ssh server

timeout seconds

Optional

By default, it is
60 seconds.

Configure the number of
SSH authentication retries

[SW8800]

ssh server

authentication-retries
times

Optional

By default, it is
three times.

Enter public key view

[SW8800]

rsa

peer-public-key key

name

Generate RSA key using
key generator tool

See Generating the Client
Public Key.

Required

Entering public key edit
view to edit the key

[SW8800-rsa-public-key]

public-key-code begin

Required

Exiting public key edit
view

[SW8800-rsa-public-key]

public-key-code end

Required

Specifying the public key
for an SSH user

[SW8800]

ssh

user

username

assign rsa-key

keyname

Required

Configure
first-authentication SSH
server

[SW8800]

ssh client

first-time enable

Optional

By default, the
system does
not perform
the first
authentication.

Summary of Contents for 8800 SERIES

Page 1: ...3Com Switch 8800 Configuration Guide www 3com com Part No DUA1750 2BAA01 Published December 2005 ...

Page 2: ...ited States government agency then this documentation and the software described herein are provided to you subject to the following All technical data and computer software are commercial in nature and developed solely at private expense Software is delivered as Commercial Computer Software as defined in DFARS 252 227 7014 June 1995 or as a commercial item as defined in FAR 2 101 a and as such is...

Page 3: ...ndex Organization 3Com Switch 8800 Configuration Guide consists of the following parts z MPLS This module introduces the configuration on MPLS and BGP MPLS VPN features z STP This module introduces the configuration on STP feature z Security This module presents the configuration on 802 1x AAA and RADIUS protocols and TACACS protocol z Reliability This module focuses on VRRP and HA configurations ...

Page 4: ...onventions Convention Description Arial Normal paragraphs are in Arial Boldface Headings are in Boldface Courier New Terminal Display is in Courier New II Command conventions Convention Description Boldface The keywords of a command line are in Boldface italic Command arguments are in italic Items keywords or arguments in square brackets are optional x y Alternative items are grouped in braces and...

Page 5: ...OK button Window names menu items data table and field names are inside square brackets For example pop up the New User window Multi level menus are separated by forward slashes For example File Create Folder IV Keyboard operation Format Description Key Press the key with the key name inside angle brackets For example Enter Tab Backspace or A Key1 Key2 Press the keys concurrently For example Ctrl ...

Page 6: ...le Click Press the primary mouse button twice continuously and quickly without moving the pointer Drag Press and hold the primary mouse button and move the pointer to a certain position VI Symbols Eye catching symbols are also used in the manual to highlight the points worthy of special attention during the operation They are defined as follows Caution Means reader be extremely careful during the ...

Page 7: ... 9 3 3 3 History Command of Command Line 3 9 3 3 4 Common Command Line Error Messages 3 10 3 3 5 Editing Characteristics of Command Line 3 10 Chapter 4 User Interface Configuration 4 1 4 1 User Interface Overview 4 1 4 2 User Interface Configuration 4 2 4 2 1 Entering User Interface View 4 2 4 2 2 Define the Login Header 4 2 4 2 3 Configuring Asynchronous Port Attributes 4 3 4 2 4 Configuring Term...

Page 8: ...ration Example 6 8 6 5 Ethernet Port Troubleshooting 6 9 Chapter 7 Link Aggregation Configuration 7 1 7 1 Overview 7 1 7 1 1 Introduction to Link Aggregation 7 1 7 1 2 Introduction to LACP 7 1 7 1 3 Aggregation Types 7 1 7 1 4 Load Sharing 7 2 7 2 Link Aggregation Configuration 7 3 7 2 1 Enabling Disabling LACP at Port 7 4 7 2 2 Creating Deleting an Aggregation Group 7 4 7 2 3 Adding Deleting an E...

Page 9: ...ng a Super VLAN 10 1 10 2 2 Super VLAN Configuration Example 10 3 Chapter 11 IP Address Configuration 11 2 11 1 Introduction to IP Address 11 2 11 1 1 IP Address Classification and Representation 11 2 11 1 2 Subnet and Mask 11 5 11 2 Configuring IP Address 11 6 11 2 1 Configuring the Hostname and Host IP Address 11 6 11 2 2 Configuring the IP Address of the VLAN Interface 11 7 11 3 Displaying and ...

Page 10: ...lients 13 17 13 3 11 Configuring Parameters for DHCP Server to Send Ping Packets 13 17 13 3 12 Displaying and Debugging the DHCP Server 13 18 13 3 13 Clearing the Configuration Information of the DHCP Server 13 19 13 3 14 DHCP Server Configuration Example 13 19 13 4 Configuring DHCP Relay 13 21 13 4 1 Introduction to DHCP Relay 13 21 13 4 2 Configuring DHCP Relay 13 22 13 4 3 Displaying and Debugg...

Page 11: ...ging Static Route 17 4 17 4 Typical Static Route Configuration Example 17 4 17 5 Troubleshooting Static Route Faults 17 5 Chapter 18 RIP Configuration 18 1 18 1 Introduction to RIP 18 1 18 1 1 RIP Operation Mechanism 18 1 18 1 2 RIP Enabling and Running 18 2 18 2 Configuring RIP 18 2 18 2 1 Enabling RIP and Entering RIP View 18 3 18 2 2 Enabling RIP on the Specified Network Segment 18 3 18 2 3 Con...

Page 12: ...Network Type on the OSPF Interface 19 17 19 2 12 Configuring NBMA Neighbors for OSPF 19 18 19 2 13 Setting the Interface Priority for DR Election 19 18 19 2 14 Configuring an Interval Required for Sending LSU Packets 19 20 19 2 15 Configuring the Cost for Sending Packets on an Interface 19 20 19 2 16 Configuring to Fill the MTU Field When an Interface Transmits DD Packets 19 20 19 2 17 Setting a S...

Page 13: ...l 20 12 20 2 13 Configuring IS IS Route Metric Type 20 13 20 2 14 Setting IS IS Link State Routing Cost 20 13 20 2 15 Configuring IS IS Timers 20 13 20 2 16 Setting IS IS Authentication 20 16 20 2 17 Setting the Mesh Group of the Interface 20 17 20 2 18 Setting Overload Flag Bit 20 18 20 2 19 Setting to Discard the LSPs with Checksum Errors 20 18 20 2 20 Setting to Log the Peer Changes 20 19 20 2 ...

Page 14: ... 21 24 21 3 Displaying and Debugging BGP 21 24 21 4 Typical BGP Configuration Example 21 26 21 4 1 Configuring BGP AS Confederation Attribute 21 26 21 4 2 Configuring BGP Route Reflector 21 28 21 4 3 Configuring BGP Routing 21 30 21 5 Troubleshooting BGP 21 33 Chapter 22 IP Routing Policy Configuration 22 1 22 1 Introduction to IP Routing Policy 22 1 22 1 1 Filter 22 1 22 1 2 Routing Policy Applic...

Page 15: ...GMP Snooping 24 7 24 5 Troubleshoot IGMP Snooping 24 8 Chapter 25 Multicast VLAN Configuration 25 1 25 1 Multicast VLAN Overview 25 1 25 2 Multicast VLAN Configuration 25 1 25 3 Multicast VLAN Configuration Example 25 2 Chapter 26 Common Multicast Configuration 26 1 26 1 Introduction to Common Multicast Configuration 26 1 26 2 Common Multicast Configuration 26 1 26 2 1 Enabling Multicast 26 1 26 2...

Page 16: ...Intervals for Ports to Send Hello Packets 28 4 28 2 4 Entering the PIM View 28 4 28 2 5 Configuring the Filtering of Multicast Source Group 28 5 28 2 6 Configuring the Filtering of PIM Neighbor 28 5 28 2 7 Configuring the Maximum Number of PIM Neighbor on an Interface 28 5 28 2 8 Clearing multicast route entries from PIM routing table 28 6 28 2 9 Clearing PIM Neighbors 28 6 28 3 Displaying and Deb...

Page 17: ...d 30 7 30 2 9 Controlling the Source Information Forwarded 30 8 30 2 10 Controlling the Received Source Information 30 9 30 2 11 Configuring MSDP Mesh Group 30 10 30 2 12 Configuring the MSDP Connection Retry Period 30 10 30 2 13 Shutting MSDP Peers Down 30 11 30 2 14 Clearing MSDP Connections Statistics and SA Caching Configuration 30 11 30 3 Displaying and Debugging MSDP 30 12 30 4 MSDP Configur...

Page 18: ... Network Structure 35 6 35 3 2 Forwarding Labeled Packets 35 7 35 3 3 Establishing LSP 35 7 35 3 4 LSP Tunnel and Hierarchy 35 9 35 4 MPLS and other Protocols 35 10 35 4 1 MPLS and Routing Protocols 35 10 35 5 MPLS Application 35 10 35 5 1 MPLS VPN 35 10 Chapter 36 MPLS Basic Capability Configuration 36 1 36 1 MPLS Basic Capability Overview 36 1 36 2 MPLS Configuration 36 1 36 2 1 Defining MPLS LS...

Page 19: ...figuration Example 37 40 37 4 4 Hub Spoke Configuration Example 37 44 37 4 5 CE Dual home Configuration Example 37 50 37 4 6 Cross domain BGP MPLS VPN Configuration Example 37 56 37 4 7 Cross Domain BGP MPLS VPN Configuration Example Option C 37 61 37 4 8 Hierarchical BGP MPLS VPN Configuration Example 37 68 37 4 9 OSPF Multi instance sham link Configuration Example 37 72 37 4 10 Nested BGP MPLS V...

Page 20: ...02 1x Configuration 39 2 39 1 802 1x Overview 39 2 39 1 1 802 1x Standard Overview 39 2 39 1 2 802 1x System Architecture 39 3 39 1 3 802 1x Authentication Process 39 4 39 1 4 Implementing 802 1x on Ethernet Switches 39 4 39 2 802 1x Configuration 39 5 39 2 1 Enabling Disabling 802 1x 39 5 39 2 2 Setting the Port Access Control Mode 39 6 39 2 3 Setting Port Access Control Method 39 7 39 2 4 Checki...

Page 21: ... Request40 19 40 3 11 Setting the Supported Type of RADIUS Server 40 20 40 3 12 Setting RADIUS Server State 40 20 40 3 13 Setting the Username Format Transmitted to RADIUS Server 40 21 40 3 14 Setting the Unit of Data Flow that Transmitted to RADIUS Server 40 21 40 3 15 Creating Deleting a Local RADIUS authentication Server 40 22 40 4 Configuring TACACS Protocol 40 22 40 4 1 Creating a HWTACAS Sch...

Page 22: ... 41 13 41 5 Troubleshooting VRRP 41 14 Chapter 42 HA Configuration 42 1 42 1 Introduction to HA 42 1 42 2 Configuring HA 42 1 42 2 1 Restarting the Slave System Manually 42 2 42 2 2 Starting the Master Slave Switchover Manually 42 2 42 2 3 Enabling Disabling Automatic Synchronization 42 2 42 2 4 Synchronizing the Configuration File Manually 42 3 42 2 5 Configuring the Load Mode of the Fabric and S...

Page 23: ... by Ethernet Port and Forwarding Option Configuration 44 3 44 3 1 Maximum MAC Address Number Learned by a Port and Forwarding Option Configuration Tasks 44 4 44 3 2 Configuring Maximum MAC Address Number Learned by Ethernet Port and Forwarding Option Example 44 5 44 4 Displaying and Debugging MAC Address Tables 44 5 44 5 Resetting MAC Addresses 44 6 44 6 MAC Address Table Management Configuration ...

Page 24: ...ion to the Trap Buffer 46 23 46 5 8 Sending the Configuration Information to SNMP Network Management 46 25 46 5 9 Displaying and Debugging Info center 46 27 46 5 10 Configuration Examples of Sending Log to the Unix Loghost 46 28 46 5 11 Configuration examples of sending log to Linux loghost 46 30 46 5 12 Configuration Examples of Sending Log to the Console Terminal 46 32 Chapter 47 SNMP Configurat...

Page 25: ...uring NTP ID Authentication 49 6 49 2 3 Setting NTP Authentication Key 49 6 49 2 4 Setting Specified Key as Reliable 49 7 49 2 5 Designating an Interface to Transmit NTP Messages 49 7 49 2 6 Setting NTP Master Clock 49 8 49 2 7 Setting Authority to Access a Local Ethernet Switch 49 8 49 2 8 Setting Maximum Local Sessions 49 9 49 3 Displaying and Debugging NTP 49 9 49 4 NTP Configuration Example 49...

Page 26: ...figuration Example 51 5 Chapter 52 PoE PSU Supervision Configuration 52 1 52 1 Introduction to PoE PSU Supervision 52 1 52 2 AC Input Alarm Thresholds Configuration 52 1 52 2 1 AC Input Alarm Thresholds Configuration Tasks 52 1 52 2 2 AC Input Alarm Thresholds Configuration Example 52 2 52 3 DC Output Alarm Thresholds Configuration 52 2 52 3 1 DC Output Alarm Thresholds Configuration Tasks 52 3 52...

Page 27: ...2 Function Features Table 1 1 Function features Features Implementation VLAN Supports VLAN compliant with IEEE 802 1Q Standard Supports port based and MAC based VLAN Supports GARP VLAN Registration Protocol GVRP STP protocol Supports Spanning Tree Protocol STP Multiple Spanning Tree Protocol MSTP compliant with IEEE 802 1D IEEE 802 1s Standard Flow control Supports IEEE 802 3x flow control full du...

Page 28: ...n Supports queues of different priority on the port Queue scheduling supports Strict Priority Queuing SP Weighted Round Robin WRR and SP WRR Security features Supports Multi level user management and password protect Supports 802 1X authentication Supports Packet filtering MPLS Supports Multiprotocol Label Switching MPLS basic function Supports MPLS L3 VPN Management and Maintenance Supports Comma...

Page 29: ...Console port of the switch with the Console cable Console port RS 232 Serial port Console cable Figure 2 1 Set up the local configuration environment through the Console port Step 2 Run terminal emulator such as Terminal on Windows 3X or the Hyper Terminal on Windows 9X on the Computer Set the terminal communication parameters as follows Set the baud rate to 9600 databit to 8 parity check to none ...

Page 30: ...cation parameters Step 3 The switch is powered on Display self test information of the switch and prompt you to press Enter to show the command line prompt such as SW8800 Step 4 Input a command to configure the switch or view the operation state Input a for an immediate help For details of specific commands refer to the following chapters ...

Page 31: ...uthenticating the Telnet user to log in the switch If a user logs in via the Telnet without password he will see the prompt Login password has not been set SW8800 system view Enter system view return user view with Ctrl Z SW8800 user interface vty 0 SW8800 ui vty0 set authentication password simple xxxx xxxx is the preset login password of Telnet user Step 2 To set up the configuration environment...

Page 32: ...mmediate help For details of specific commands refer to the following chapters Note z When configuring the switch via Telnet do not modify the IP address of it unless necessary for the modification might cut the Telnet connection z By default when a Telnet user passes the password authentication to log on to the switch he can access the commands at Level 0 2 2 2 Telneting a Switch Through Another ...

Page 33: ...C to the Switch through Telnet Step 3 Perform the following operations on the Telnet Client SW8800 telnet xxxx xxxx can be the hostname or IP address of the Telnet Server If it is the hostname you need to use the ip host command to specify Step 4 Enter the preset login password and you will see the prompt such SW8800 If the prompt All user interfaces are used please try later The connection was cl...

Page 34: ...tion password simple xxxx xxxx is the preset login password of the Modem user Step 2 As shown in the figure below to set up the remote configuration environment connect the Modems to a PC or a terminal serial port and the switch AUX port respectively Modem Telephone line Modem Modem serial port line Remote tel 82882285 AUX port PSTN Figure 2 8 Set up remote configuration environment Step 3 Dial fo...

Page 35: ... PC Step 4 Enter the preset login password on the remote terminal emulator and wait for the prompt such as SW8800 Then you can configure and manage the switch Enter to get the immediate help For details of specific commands refer to the following chapters Note By default when a Modem user logs in he can access the commands at Level 0 ...

Page 36: ...mand z The command line interpreter searches for target not fully matching the keywords It is ok for you to key in the whole keyword or part of it as long as it is unique and not ambiguous 3 2 Command Line View The Switch 8800 provides hierarchy protection for the command lines to avoid unauthorized user accessing illegally Commands are classified into four levels namely visit level monitoring lev...

Page 37: ...e higher level is needed Suppose the user has set the super password level level simple cipher password For the sake of confidentiality on the screen the user cannot see the password that he entered Only when correct password is input for three times can the user switch to the higher level Otherwise the original user level will remain unchanged Different command views are implemented according to ...

Page 38: ...VSI LDP view z VSI view z TACACS view z Port group view z Lanswitch view The following table describes the function features of different views and the ways to enter or quit Table 3 1 Function feature of command view Command view Function Prompt Command to enter Command to exit User view Show the basic information about operation and statistics SW8800 Enter right after connecting the switch quit d...

Page 39: ...interface parameters for a VLAN or a VLAN aggregation SW8800 Vlan interf ace1 Key in interface vlan interface 1 in system view quit returns to system view return returns to user view Local user view Configure local user parameters SW8800 l user user 1 Key in local user user1 in system view quit returns to system view return returns to user view User interface view Configure user interface paramete...

Page 40: ...o system view return returns to user view OSPF view Configure OSPF parameters SW8800 ospf Key in ospf in system view quit returns to system view return returns to user view OSPF area view Configure OSPF area parameters SW8800 ospf 0 0 0 1 Key in area 1 in OSPF view quit returns to OSPF view return returns to user view BGP view Configure BGP parameters SW8800 bgp Key in bgp 100 in system view quit ...

Page 41: ...l 0 Key in qos conform level 0 in system view quit returns to system view return returns to user view WRED index view Configure WRED parameters SW8800 wred 0 Key in wred 0 in system view quit returns to system view return returns to user view RADIUS server group view Configure radius parameters SW8800 radius 1 Key in radius scheme 1 in system view quit returns to system view return returns to user...

Page 42: ...view Specify VPLS mode SW8800 vsi 3Com Key in vsi 3Com in system view quit returns to system view return returns to user view TACACS view Configure TACACS protocol parameters SW8800 t acacs 3 Com Key in tacacs scheme 3Com in system view quit returns to system view return returns to user view Port group view Combine the ports with the same configuration omitting repeated configuration procedure SW8...

Page 43: ...space If this position is for parameters all the parameters and their brief descriptions will be listed SW8800 garp timer leaveall INTEGER 65 32765 Value of timer in centiseconds LeaveAllTime LeaveTime On all ports Time must be multiple of 5 centiseconds SW8800 garp timer leaveall 300 cr cr indicates no parameter in this position The next command line repeats the command you can press Enter to exe...

Page 44: ...and Line Command line interface provides the function similar to that of DosKey The commands entered by users can be automatically saved by the command line interface and you can invoke and execute them at any time later History command buffer is defaulted as 10 The operations are shown in the table below Table 3 3 Retrieve history command Operation Key Result Display history command display histo...

Page 45: ... Too many parameters Enter too many parameters Ambiguous command The parameters entered are not specific 3 3 5 Editing Characteristics of Command Line Command line interface provides the basic command editing function and supports to edit multiple lines A command cannot longer than 256 characters See the table below Table 3 5 Editing functions Key Function Common keys Insert from the cursor positi...

Page 46: ...stem will execute the partial help If the key word matching the typed one is unique the system will replace the typed one with the complete key word and display it in a new line if there is not a matched key word or the matched key word is not unique the system will do no modification but display the originally typed word in a new line ...

Page 47: ...to log in the switch locally or remotely with a modem via the AUX port A switch can only have one AUX user interface The local configuration for it is similar to that for the Console user interface z VTY user interface VTY user interface is used to telnet the switch A switch can have up to five VTY user interface User interface is numbered in the following two ways absolute number and relative num...

Page 48: ...is designated as VTY 1 and so on 4 2 User Interface Configuration The following sections describe the user interface configuration tasks z Entering User Interface View z Define the Login Header z Configuring Asynchronous Port Attributes z Configuring Terminal Attributes z Managing Users z Configuring Modem Attributes z Configuring Redirection 4 2 1 Entering User Interface View The following comman...

Page 49: ...ents of the login information instead of identifying header type 4 2 3 Configuring Asynchronous Port Attributes The following commands can be used for configuring the attributes of the asynchronous port in asynchronous interactive mode including speed flow control parity stop bit and data bit Perform the following configurations in user interface Console and AUX user interface only view I Configur...

Page 50: ...t stop bit undo stopbits By default an asynchronous port supports 1 stop bit Note that setting 1 5 stop bits is not available on the Switch 8800 V Configuring the data bit Table 4 7 Configure the data bit Operation Command Configure the data bit databits 7 8 Restore the default data bit undo databits By default an asynchronous port supports 8 data bits 4 2 4 Configuring Terminal Attributes The fol...

Page 51: ...shell command can only be used on the user interfaces other than Console user interface z You cannot use this command on the user interface via which you log in z You will be asked to confirm before using undo shell on any legal user interface II Configuring idle timeout Table 4 9 Configure idle timeout Operation Command Configure idle timeout idle timeout minutes seconds Restore the default idle ...

Page 52: ...buffer size Operation Command Set the history command buffer size history command max size value Restore the default history command buffer size undo history command max size By default the size of the history command buffer is 10 that is 10 history commands can be saved 4 2 5 Managing Users The management of users includes the setting of user logon authentication method level of command which a u...

Page 53: ...d undo set authentication password Configure for password authentication when a user logs in through a VTY 0 user interface and set the password to 3Com SW8800 user interface vty 0 SW8800 ui vty0 authentication mode password SW8800 ui vty0 set authentication password simple 3Com 2 Perform local or remote authentication of username and password to the user interface Using authentication mode scheme...

Page 54: ...ogging in service type telnet level level Restore the default command level used after a user logging in undo service type telnet level By default the specified logon user can access the commands at Level 0 III Setting the command level used after a user logs in from a user interface You can use the following command to set the command level after a user logs in from a specific user interface so t...

Page 55: ...els include visit monitoring configuration and management which are identified with 0 through 3 respectively An administrator assigns authorities as per user requirements Perform the following configuration in system view Table 4 17 Set the command priority Operation Command Set the command priority in a specified view command privilege level level view view command Restore the default command lev...

Page 56: ...dem call in Configure to permit call in and call out modem both Configure to disable call in and call out undo modem both 4 2 7 Configuring Redirection I Send command The following command can be used for sending messages between user interfaces Perform the following configuration in user view Table 4 20 Configure to send messages between different user interfaces Operation Command Configure to se...

Page 57: ...e configuration Telnet 10 110 100 1 after the user logs in through VTY0 automatically SW8800 ui vty0 auto execute command telnet 10 110 100 1 When a user logs on via VTY 0 the system will run telnet 10 110 100 1 automatically 4 3 Displaying and Debugging User Interface After the above configuration execute display command in any view to display the running of the user interface configuration and t...

Page 58: ... debugging or a remote network management station for remote system management 5 2 Management Interface Configuration The following sections describe management interface configuration tasks z Configuring interface IP address z Enabling disabling the interface z Setting interface description z Displaying current system information z Test network connectivity ping tracert See the Port and System Ma...

Page 59: ...eed on the Ethernet Port z Setting the Cable Type for the Ethernet Port z Enabling Disabling Flow Control for the Ethernet Port z Permitting Forbidding Jumbo Frame to Pass the Ethernet Port z Setting the Ethernet Port Broadcast Suppression Ratio z Setting the Ethernet Port Mode z Setting the Link Type for the Ethernet Port z Adding the Ethernet Port to Specified VLANs z Setting the Default VLAN ID...

Page 60: ...rform the following configuration in Ethernet port group view Table 6 3 Set Ethernet port description Operation Command Set an Ethernet port description description text Delete the Ethernet port description undo description By default an Ethernet port has no description 6 2 4 Setting the Duplex Attribute of the Ethernet Port To configure a port to send and receive data packets at the same time set...

Page 61: ...rt Operation Command Set Ethernet port speed speed 10 100 1000 10000 auto Restore the default speed on Ethernet port undo speed Note that the 10 100 Mbps electrical Ethernet port can operate at 10 Mbps 100 Mbps and in auto mode You can set it accordingly The 10 100 1000Mbps electrical Ethernet port can operate at 10 Mbps 100 Mbps or 1000 Mbps as per different requirements However in half duplex mo...

Page 62: ... Ethernet port can be enabled or disabled through the following command Perform the following configuration in Ethernet port view Table 6 7 Enable disable flow control for the Ethernet port Operation Command Enable Ethernet port flow control flow control Disable Ethernet port flow control undo flow control By default Ethernet port flow control is disabled 6 2 8 Permitting Forbidding Jumbo Frame to...

Page 63: ...the smaller the broadcast traffic is allowed If the ratio is 100 it means not to perform broadcast storm suppression on the port Perform the following configuration in Ethernet port view Table 6 9 Set the Ethernet port broadcast suppression ratio Operation Command Set Ethernet port broadcast suppression ratio broadcast suppression pct Restore the default Ethernet port broadcast suppression ratio u...

Page 64: ... Command Configure the port as access port port link type access Configure the port as hybrid port port link type hybrid Configure the port as trunk port port link type trunk Restore the default link type that is the access port undo port link type You can configure three types of ports concurrently on the same switch but you cannot switch between trunk port and hybrid port You must turn it first ...

Page 65: ...t Since the access port can only be included in one VLAN only its default VLAN is the one to which it belongs The hybrid port and the trunk port can be included in several VLANs it is necessary to configure the default VLAN ID If the default VLAN ID has been configured the packets without VLAN Tag will be forwarded to the port that belongs to the default VLAN When sending the packets with VLAN Tag...

Page 66: ...itches can meet the requirement of MAN If VLAN VPN is enabled on a port all the packets no matter whether it carries a VLAN Tag or not will be given a new Tag that specifies the default VLAN of this port Therefore the packets that have had a VLAN Tag get two Tags and the packets that have not had a VLAN Tag get one Perform the following configuration in Ethernet port view Table 6 14 Set the VLAN V...

Page 67: ...ics Traffic mirroring QoS setting Rate limiting Permitted VLAN ID Default VLAN ID Add ports to VLAN Default 802 1p priority Port speed duplex mode Port setting Port link type LACP Enable disable LACP on the port Note z Using copy configuration command will clear protocol VLAN attributes of the destination port but it can not copy protocol VLAN attributes of source port to the destination port z Us...

Page 68: ... Setting Port Hold Time When you use the shutdown undo shutdown command on ports too frequently the switch may fail Therefore you can configure port hold time to prohibit frequent change of the port status Perform the following configuration in system view Table 6 17 Set the port hold time Operation Command Set the port hold time link status hold hold time Restore the default value undo link statu...

Page 69: ...ion of the port display counters rate inbound outbound interface interface type Clear the statistics information of the port reset counters interface interface_type interface_type interface_num interface_name Note z The Switch 8800 does not support external loopback mode z When 802 1x is enabled on the port its statistics information can not be cleared z By default the display counters command dis...

Page 70: ...t2 1 1 port trunk permit vlan 2 6 to 50 100 Create the VLAN 100 SW8800 vlan 100 Configure the default VLAN ID of GigabitEthernet2 1 1 as 100 SW8800 GigabitEthernet2 1 1 port trunk pvid vlan 100 6 5 Ethernet Port Troubleshooting Symptom 1 Default VLAN ID configuration fails Solution Take the following steps z Execute the display interface or display port command to check if the port is a trunk port...

Page 71: ...th assurance congestion avoidance traffic redirection traffic statistics The VLAN setting includes permitted VLAN types default VLAN ID The port setting includes port link type One Switch 8800 can support up to 728 aggregation groups seven load sharing aggregation groups at most with each group containing a maximum of eight ports Note The Switch 8800 also supports trans board aggregation The trans...

Page 72: ...p is removed the member ports will form one or more dynamic LACP aggregation groups with LACP enabled You are prohibited to disable the LACP for the static aggregation port In the manual and static aggregation groups a port maybe in active or inactive state The port in active state can tranceive user service packets but the port in inactive state cannot The active port with the minimum port number...

Page 73: ...rts can be added in an aggregation group then if the current member ports in an aggregation group exceed the maximum threshold for that group the system shall set some ports with smaller device ID system priority system MAC address and smaller port ID port priority port number as active ports and others as inactive ports If the maximum threshold is not exceeded all member ports are active ports Bo...

Page 74: ...s normally without occupying hardware resources they shall not occupy the resources II Port state In a aggregation group its ports may be in active or inactive state and only the active ports can transceive user service packets but not inactive ports The active port with the minimum port number serves as the master port while others as slave ports In a aggregation group the system sets the ports t...

Page 75: ...tus of GVRP feature on both the group and port is reserved when a slave port leaves an aggregation group the GVRP feature on the port is disabled z When configuring GVRP feature on any port in an aggregation group the configuration is mapped to the master port of the group z When querying the GVRP feature configured on any port in an aggregation group the returned result is about the master port o...

Page 76: ...ng configuration in system view Table 7 2 Create delete an aggregation group Operation Command Create an aggregation group link aggregation group agg id mode manual static Delete an aggregation group undo link aggregation group agg id During creating an aggregation group if it already exists in the system but contains no member port it changes to the new type if it already exists in the system and...

Page 77: ... aggregation group contains only one port z When master port enables VLAN VPN aggregation is permitted in the system Because the link type of slave port will always keep same as that of master port When master port and slave port disable VLAN VPN aggregation is permitted in the system it is average aggregation After the port enabling VLAN VPN aggregation is not permitted in the system at the same ...

Page 78: ...uration in system view Table 7 5 Configure system priority Operation Command Configure system priority lacp system priority system priority value Restore the default system priority undo lacp system priority By default system priority is 32 768 7 2 6 Configuring Port Priority The LACP compares system IDs first and then port IDs if system IDs are the same to determine if the member ports are active...

Page 79: ...D display lacp system id Display detailed link aggregation information at the port display link aggregation interface interface type interface number interface name to interface type interface num interface name Clear LACP statistics on the port reset lacp statistics interface interface type interface number interface name to interface type interface num interface name Disable enable LACP state de...

Page 80: ...manual Add Ethernet ports Ethernet2 1 1 to Ethernet2 1 3 into aggregation group 1 SW8800 interface ethernet2 1 1 SW8800 Ethernet2 1 1 port link aggregation group 1 SW8800 Ethernet2 1 1 interface ethernet2 1 2 SW8800 Ethernet2 1 2 port link aggregation group 1 SW8800 Ethernet2 1 2 interface ethernet2 1 3 SW8800 Ethernet2 1 3 port link aggregation group 1 2 In static LACP aggregation mode Create agg...

Page 81: ...W8800 Ethernet2 1 1 lacp enable SW8800 Ethernet1 1 1 interface ethernet2 1 2 SW8800 Ethernet2 1 2 lacp enable SW8800 Ethernet2 1 2 interface ethernet2 1 3 SW8800 Ethernet2 1 3 lacp enable You must set basic configuration rate and duplex attribute consistent at both ends to aggregate successfully the LACP enabled ports into a dynamic aggregation group and achieve load sharing ...

Page 82: ...lticast based A multicast group can be a VLAN z Network layer based A VLAN can be established by the network layer addresses or protocols of the hosts With the VLAN technology the broadcast and unicast traffic within a VLAN will not be forwarded to other VLANs This is helpful to control network traffic save device investment simplify network management and enhance security 8 2 Configuring VLAN The...

Page 83: ...fault description of the current VLAN or VLAN interface undo description By default the description character string of a VLAN is the VLAN ID of the VLAN such as VLAN 0001 The description character string of a VLAN interface is the VLAN interface name such as Vlan interface1 Interface 8 2 3 Creating Removing a VLAN Interface You can use the following commands to create remove a VLAN interface To i...

Page 84: ...ernet ports in a VLAN are in the DOWN state this VLAN interface is also DOWN When there are one or more Ethernet ports in the UP state this VLAN interface is also UP 8 3 Configuring Port Based VLAN 8 3 1 Adding Ethernet Ports to a VLAN You can use the following commands to add the Ethernet ports to a VLAN Perform the following configuration in VLAN view Table 8 5 Add Ethernet ports to a VLAN Opera...

Page 85: ...Operation Command Create a VLAN protocol type protocol vlan protocol ip ip_address net_mask mode ethernetii etype etype_id llc dsap dsap_id ssap ssap_id snap etype etype_id Delete an existing VLAN protocol type undo protocol vlan protocol protocol_index to protocol_end all 8 4 2 Associating Dissociating a Port with from a Protocol Based VLAN Perform the following configuration in Ethernet port vie...

Page 86: ...e port is associated with the VLAN 8 5 Displaying VLAN After the above configuration execute the display command in any view to display the running of the VLAN configuration and to verify the configuration Table 8 8 Display VLAN Operation Command Display the related information about the VLAN interface display interface vlan interface vlan_id Display the related information about the VLAN display ...

Page 87: ...o VLAN3 II Network diagram VLAN 3 Switch E3 1 2 E4 1 1 VLAN 2 E4 1 2 E3 1 1 Figure 8 1 Network diagram for VLAN configuration III Configuration procedure Create VLAN 2 and enter its view SW8800 vlan 2 Add Ethernet3 1 1 and Ethernet4 1 1 to VLAN2 SW8800 vlan2 port ethernet3 1 1 ethernet4 1 1 Create VLAN 3 and enters its view SW8800 vlan2 vlan 3 Add Ethernet3 1 2 and Ethernet4 1 2 to VLAN3 SW8800 vl...

Page 88: ...ers according to the received declarations withdrawn declarations GARP members exchange information by sending messages There are mainly three types of GARP messages Join Leave and LeaveAll When a GARP participant wants to register its attribute information with other switches it sends the Join message outward When it wants to remove some attribute information from other switches it sends the Leav...

Page 89: ...l message is sent upon timeout so that other GARP participants remove all the attribute values of this participant Then LeaveAll timer is restarted and a new cycle begins When the switch receives some GARP registration information it does not send the Join Message immediately Instead it enables a Hold timer and sends the Join Message upon timeout of the Hold timer In this way all the VLAN registra...

Page 90: ...alue of Join timer and LeaveAll timer respectively z The upper limit of LeaveAll timer is 32765 centiseconds You can change its lower limit by changing the value of Leave timer 9 1 3 Displaying and Debugging GARP After the above configuration execute the display command in any view to display the running of GARP configuration and to verify the configuration Execute the reset command in user view t...

Page 91: ... Setting the GVRP Registration Type In the above mentioned configuration tasks GVRP should be enabled globally before it is enabled on the port Configuration of GVRP registration type can only take effect after the port GVRP is enabled Besides GVRP must be configured on the Trunk port Note z When you configure an aggregation group the GVRP feature configured on the master port is unchanged but tha...

Page 92: ...ing the GVRP Registration Type The GVRP registration types include normal fixed and forbidden refer to IEEE 802 1Q z When an Ethernet port is set to be in normal registration mode the dynamic and manual creation registration and deregistration of VLAN are allowed on this port z When a Trunk port is set as fixed the port is not allowed to dynamically register deregister a VLAN it only propagates in...

Page 93: ...ging command in user view to debug the configuration of GVRP Table 9 6 Display and debug GVRP Operation Command Display GVRP statistics information display gvrp statistics interface interface list Display GVRP global status information display gvrp status Enable GVRP packet or event debugging debugging gvrp packet event Disable GVRP packet or event debugging undo debugging gvrp packet event 9 2 6 ...

Page 94: ...t3 1 1 SW8800 Ethernet3 1 1 port link type trunk SW8800 Ethernet3 1 1 port trunk permit vlan all Enable GVRP on the Trunk port SW8800 Ethernet3 1 1 gvrp Configure Switch B Enable GVRP globally SW8800 gvrp Set Ethernet4 1 1 as a Trunk port and allows all the VLANs to pass through SW8800 interface ethernet4 1 1 SW8800 Ethernet4 1 1 port link type trunk SW8800 Ethernet4 1 1 port trunk permit vlan all...

Page 95: ...communicates with other networks you must enable ARP proxy by default it is disabled The address resolution protocol ARP proxy can forward and process ARP request and response packets so that the isolated sub VLANs can communicate with each other at Layer 3 10 2 Configuring a Super VLAN Super VLAN configuration includes z Configuring a Super VLAN 10 2 1 Configuring a Super VLAN Note z You can conf...

Page 96: ...id Optional You can execute the display super vlan command in any view To cancel the configurations use the corresponding undo commands Caution z Super VLANs cannot contain ports z After you set the VLAN type to super VLAN the ARP proxy is automatically enabled on the VLAN port and you do not need to configure the proxy z When a super VLAN exists the ARP proxy should be enabled on the correspondin...

Page 97: ... these sub VLANs communicate with each other at Layer 3 II Network diagram Omitted III Configuration procedure SW8800 vlan 10 SW8800 vlan10 supervlan SW8800 vlan10 vlan 2 SW8800 vlan2 port ethernet3 1 1ethernet3 1 2 SW8800 vlan2 vlan 3 SW8800 vlan3 port Ethernet3 1 3 ethernet3 1 4 SW8800 vlan3 vlan 5 SW8800 vlan5 port ethernet3 1 5 ethernet3 1 6 SW8800 vlan5 vlan 10 SW8800 vlan10 subvlan 2 3 5 SW8...

Page 98: ...id Class A Class B Class C Class D Class E net id network ID host id Host ID 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 0 1 0 1 1 0 1 1 1 0 1 1 1 1 0 net id net id net id Multicast address Reserv ed host id host id host id Class A Class B Class C Class D Class E net id network ID host id Host ID Figure 11 1 Five classes of IP address Here Class A Class B ...

Page 99: ... by the router without knowing its network number The IP addresses with the format of 127 X Y Z are reserved for self loop test and the packets sent to these addresses are not output to the line The packets are processed internally and regarded as input packets B 128 0 0 0 to 191 255 2 55 255 128 0 0 0 to 191 254 0 0 Host ID with all the digits being 0 indicates that the IP address is the network ...

Page 100: ...ailable IP addresses the concept of mask and subnet is proposed A mask is a 32 bit number corresponding to an IP address The number consists of 1s and 0s Principally these 1s and 0s can be combined randomly However the first consecutive bits are set to 1s when you design a mask The mask divides the IP address into two parts subnet address and host address The part of IP address that corresponds to...

Page 101: ...et address 138 38 64 0 011 Subnet address 138 38 96 0 100 Subnet address 138 38 128 0 101 Subnet address 138 38 160 0 110 Subnet address 138 38 192 0 111 Subnet address 138 38 224 0 Subnet number Host number Subnet address Figure 11 2 Subnet division of an IP address 11 2 Configuring IP Address The following sections describe IP address configuration tasks z Configuring the Hostname and Host IP Ad...

Page 102: ...LAN interface ip address ip address mask mask length sub Delete an IP address of a VLAN interface undo ip address ip address mask mask length sub By default the IP address of a VLAN interface is null 11 3 Displaying and debugging IP Address After the above configuration execute the display command in any view to display the IP addresses configured on interfaces of the network device and to verify ...

Page 103: ...n host in the LAN Troubleshooting can be performed as follows 1 Check the configuration of the switch Use the display arp command to view the ARP entry table that the switch maintains 2 Check which VLAN includes the port of the switch used to connect to the host Check whether the VLAN has been configured with a VLAN interface Then check whether the IP address of the VLAN interface and that of the ...

Page 104: ...ten the interval for the switch to search ARP mapping table Suppose there are two hosts on the same network segment Host A and Host B The IP address of Host A is IP_A and the IP address of Host B is IP_B Host A will transmit messages to Host B Host A checks its own ARP mapping table first to know whether there are corresponding ARP entries of IP_B in the table If the corresponding MAC address is f...

Page 105: ... Static ARP Mapping Entries Perform the following configuration in system view Table 12 1 Manually add delete static ARP mapping entries Operation Command Manually add a static ARP mapping entry arp static ip address mac address vlan id interface_type interface_num interface_name vpn instance name Manually delete a static ARP mapping entry undo arp ip address By default the ARP mapping table is em...

Page 106: ...me of dynamic ARP aging timer is 20 minutes 12 2 3 Enabling Disabling the Checking Function of ARP Entry You can use the following command to control the device whether to learn the ARP entry where the MAC address is a multicast MAC address Perform the following configuration in system view Table 12 3 Enable Disable the checking function of ARP entry Operation Command Enable the checking of ARP en...

Page 107: ...ket 12 4 Enabling Disabling the Scheme of Preventing Attack from Packets 12 4 1 Introduction to the Scheme of Preventing Attack from Packets A scheme of preventing attack from packets is designed against some typical attack modes on the 8800 series switches The scheme can prevent attacks from IP ARP 802 1x and unknown multicast packets z IP packet attack Means that a Switch 8800 receives too many ...

Page 108: ...heme of preventing attack from packets Operation Command Enable Disable the scheme of preventing attack from packets anti attack arp dot1x ip disable enable By default the scheme of preventing attack from IP packets is enabled the scheme of preventing attack from ARP packets and dot1x packets is disabled ...

Page 109: ...e DHCP server in turn returns corresponding configuration information such as IP addresses according to the policies configured for it A typical DHCP implementation comprises a DHCP server and multiple DHCP clients PCs or laptops Figure 13 1 illustrates a network that employs DHCP LAN DHCP Server DHCP Client DHCP Client DHCP Client DHCP Client Figure 13 1 Network diagram for DHCP I IP address assi...

Page 110: ...ypes of IP addresses when assigning an IP address 2 Types of address pools of DHCP server z Global address pool valid for the entire switch An address pool of this type is created using the dhcp server ip pool command in system view z VLAN interface address pool valid for a specific VLAN interface An address pool of this type is created by the system when the VLAN interface is configured with a le...

Page 111: ...tead of a DHCP_Discover packet z Upon receiving the DHCP_Request packet if the IP address carried in the packet is still available the DHCP server owning the IP address answers with a DHCP_ACK packet to enable the DHCP client to use the IP address again z If the IP address is not available for example it is occupied by other DHCP client the DHCP server answers with a DHCP_NAK packet which enables ...

Page 112: ...ods you have configured Perform the following configuration in VLAN interface view to configure the processing method of DHCP packets for current VLAN interface Table 13 2 Configure the processing method for current VLN interface Operation Command Specify to forward DHCP packets to local DHCP server and let the local server assign IP addresses in global address pools to DHCP clients dhcp select gl...

Page 113: ... processing mode undo dhcp select interface vlan interface vlan_id to vlan interface vlan_id all By default DHCP packets are processed in global method That is DHCP packets are forwarded to local DHCP server and IP addresses in global address pools are assigned 13 2 3 Enabling Disabling Fake DHCP Server Detection If an unauthorized DHCP server exists in a network it also answers when users in the ...

Page 114: ...ient domain names z Configuring DNS server address for DHCP clients z Configuring NetBIOS server address for DHCP clients z Configuring NetBIOS node type for DHCP clients z Configuring DHCP custom options 13 3 1 Creating a Global DHCP IP Address Pool An IP address pool contains IP addresses that can be assigned to DHCP clients In response to DHCP request sent by a DHCP client the DHCP server selec...

Page 115: ...e and you specify to assign IP addresses in VLAN interface address pool by using the dhcp select interface command in VLAN interface view 13 3 2 Configuring IP Address Assignment Mode IP address can be assigned in two modes static binding and dynamic assignment You can statically bind an IP address in an address pool to the MAC address of a client or configure a address range to allow the DHCP ser...

Page 116: ...ust be used together as a pair when you configure static binding entries When you re execute the command pair with the same IP address MAC address the newly configured IP address MAC address overwrites the existing one II Configuring static address binding for a VLAN interface address pool At present a VLAN interface DHCP address pool supports one to multiple MAC IP address binding Perform the fol...

Page 117: ...work By default no IP address range is configured for dynamic IP address assignment Each DHCP address pool can be configured with only one address range If you execute the network command multiple times then only the last configured address range works 13 3 3 Forbidding Specified IP Addresses to Be Automatically Assigned You can use the command here to prevent a DHCP server from assigning IP addre...

Page 118: ...ur hour minute minute unlimited Restore the lease time of a global DHCP address pool to the default value undo expired II Configuring a lease time for current VLAN interface Perform the following configuration in VLAN interface view Table 13 11 Configure a lease time for current VLAN interface Operation Command Configure a lease time for DHCP address pool of current VLAN interface dhcp server expi...

Page 119: ...e a DHCP client domain name for a global DHCP address pool Operation Command Configure a DHCP client domain name for a global DHCP address pool domain name domain name Remove the DHCP client domain name configured for a global DHCP address pool undo domain name II Configuring a DHCP client domain name for current VLAN interface Perform the following configuration in VLAN interface view Table 13 14...

Page 120: ...he existing one 13 3 6 Configuring DNS Server Address for DHCP Clients When a host uses a domain name to access the Internet the domain name must be translated into an IP address Domain name system DNS is responsible for the translation Therefore when a DHCP server assigns an IP address to a DHCP client it must also send a DNS server address to the client At present you can configure up to eight D...

Page 121: ... vlan_id to vlan interface vlan_id all Remove one or all DNS server addresses configured for the DHCP address pools of multiple VLAN interfaces undo dhcp server dns list ip address all interface vlan interface vlan_id to vlan interface vlan_id all By default no DNS server address is configured for global and VLAN interface address pools If you execute the dhcp server dns list command multiple time...

Page 122: ...rver addresses configured for the DHCP address pool of the current VLAN interface undo dhcp server nbns list ip address all III Configuring NetBIOS server address for multiple VLAN interfaces Perform the following configuration in system view Table 13 21 Configure NetBIOS server address for multiple VLAN interfaces Operation Command Configure one or more NetBIOS server addresses for the DHCP addre...

Page 123: ...IOS node type for a global DHCP address pool Perform the following configuration in DHCP address pool view Table 13 22 Configure a NetBIOS node type for a global DHCP address pool Operation Command Configure the NetBIOS node type for a global DHCP address pool netbios type b node h node m node p node Cancel the NetBIOS node type configuration for a global DHCP address pool undo netbios type II Con...

Page 124: ...hem to the property list of a DHCP server I Configuring custom DHCP options for a global DHCP address pool Perform the following configuration in DHCP address pool view Table 13 25 Configure a custom DHCP options for a global DHCP address pool Operation Command Configure a custom DHCP option for a global DHCP address pool option code ascii ascii string hex hex string ip address ip address ip addre...

Page 125: ...tined for external networks are forwarded by outbound gateways At present you can configure up to eight IP addresses for outbound gateways Perform the following configuration in DHCP address pool view Table 13 28 Configure outbound gateway address for DHCP clients Operation Command Configure one or more outbound gateway addresses for DHCP clients gateway list ip address ip address Remove one or al...

Page 126: ...o 500 milliseconds before it sends another ping packet Note that the DHCP server detects address conflict by ping packets whereas a DHCP client does this by ARP packets 13 3 12 Displaying and Debugging the DHCP Server After the above configuration yYou can execute the display command in any view to display operating information about the DHCP server to verify your configuration and execute the deb...

Page 127: ...r the DHCP server debugging dhcp server all error event packet 13 3 13 Clearing the Configuration Information of the DHCP Server You can clear the configuration information of the DHCP server by executing the reset command in user view Perform the following configuration in user view Table 13 32 Clear the configuration information of the DHCP server Operation Command Clear the statistics about DHC...

Page 128: ...800 system view Create VLAN2 SW8800 vlan 2 Enter VLAN interface view and create Vlan interface 2 SW8800 interface Vlan interface 2 Assign an IP address to Vlan interface 2 SW8800 Vlan interface2 ip address 10 110 1 1 255 255 0 0 Specify to assign IP addresses in the interface address pool to DHCP clients SW8800 Vlan interface2 dhcp select interface Specify to assign IP addresses in global address ...

Page 129: ...HCP server in each subnet and this is obviously uneconomical DHCP Relay is designed to resolve this problem Through a DHCP relay DHCP clients in a LAN can communicate with DHCP servers in other subnets to acquire IP addresses This enables DHCP clients of multiple networks to share a common DHCP server and thus enables you to save your cost and perform centralized administration Figure 13 3 illustr...

Page 130: ... server for a VLAN interface Perform the following configuration in VLAN interface view Table 13 33 Configure a corresponding DHCP server for a VLAN interface Operation Command Configure a corresponding DHCP server for current VLAN interface ip relay address ip_address Remove the DHCP server configured for current VLAN interface undo ip relay address ip_address all No DHCP server is configured for...

Page 131: ... 13 35 Enable disable DHCP security on a VLAN interface Operation Command Enable DHCP security on a VLAN interface dhcp relay security address check enable Disable DHCP security on a VLAN interface dhcp relay security address check disable DHCP security is disabled on a VLAN interface by default 13 4 3 Displaying and Debugging DHCP Relay After the above configuration you can execute the display co...

Page 132: ...hernet Internet DHCP client DHCP client Sw itch DHCP Relay 10 110 0 0 DHCP Server 202 38 1 2 10 110 1 1 202 38 0 0 202 38 1 1 Ethernet Ethernet Internet DHCP client DHCP client Sw itch DHCP Relay 10 110 0 0 DHCP Server 202 38 1 2 10 110 1 1 202 38 0 0 202 38 1 1 Figure 13 4 Network diagram for DHCP Relay III Configuration procedure Enter system view SW8800 system view Create VLAN 2 SW8800 vlan 2 C...

Page 133: ...800 Vlan interface2 ip relay address 202 38 1 2 Note Besides the above configurations for DHCP Relay you need to configure address pool on the DHCP server and make sure the DHCP server and the switch interface connecting the two DHCP clients is routing reachable with each other ...

Page 134: ...inquiring the domain name server As a DNS client the switch sends an inquiry request to the domain name server and the domain name server searches the related IP address of the domain name in its own database and sends it back to the switch If the domain name server judges that the domain name does not belong to the local domain it forwards the request to the upper level domain name resolution ser...

Page 135: ...haracters before the rather than matches the domain name In this sense the last is also called search terminator 14 2 Configuring Static Domain Name Resolution You can use this command to map the host name to the host IP address When you use applications like Telnet you can use the host name directly and the system translates it into the IP address rather than the obscure IP address Perform the fo...

Page 136: ...ts to the appropriate sever The system supports up to six domain name severs Perform the following configuration in system view Table 14 3 Configure the IP address of the domain name sever Operation Command Configure the IP address of the domain name sever dns server ip address Delete the IP address of the domain name sever undo dns server ip address 14 3 3 Configure Domain Name Suffix You can use...

Page 137: ...y ip host Display the information on domain name sever display dns server dynamic Display the information on domain name suffix list display dns domain dynamic Display the information on the dynamic domain name buffer display dns dynamic host Clear dynamic domain name buffer reset dns dynamic host Enable the debugging for the domain name resolution debugging dns Disable the debugging for the domai...

Page 138: ...Reply from 200 200 200 200 bytes 56 Sequence 4 ttl 128 time 2 ms Reply from 200 200 200 200 bytes 56 Sequence 5 ttl 128 time 2 ms ftp com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 2 2 2 ms The routing configuration between the switch and the domain name sever is omitted here and refer to the related chapter for the configuration 14 6 Trouble...

Page 139: ...ed before finwait timer timeout the TCP connection is terminated The timeout of finwait timer ranges from 76 to 3600 seconds and it is 675 seconds by default z The receiving sending buffer size of the connection oriented socket is in the range from 1 to 32 KB and is 8 KB by default Perform the following configuration in System view Table 15 1 Configure TCP attributes Operation Command Configure ti...

Page 140: ...type sock type task id socket id Display the summary of the Forwarding Information Base FIB display fib Display the FIB entries matching the destination IP address range display fib ip_address1 mask1 mask length1 ip_address2 mask2 mask length2 longer longer Display the FIB entries matching a specific ACL display fib acl number name Display the FIB entries which are output from the buffer according...

Page 141: ...gging of the MD5 authentication undo debugging md5 15 3 Troubleshooting IP Performance Fault IP layer protocol works normally but TCP and UDP cannot work normally Troubleshoot In the event of such a fault you can enable the corresponding debugging information output to view the debugging information z Use the display command to view the running information of IP performance and make sure that the ...

Page 142: ...e TCP packets received or sent can be checked in real time Specific packet formats include TCP output packet Source IP address 202 38 160 1 Source port 1024 Destination IP Address 202 38 160 1 Destination port 4296 Sequence number 4185089 Ack number 0 Flag SYN Packet length 60 Data offset 10 task ROUT 15 socketid 5 state Established src 172 16 1 2 Source port 1025 dst 172 16 1 1 Destination port 4...

Page 143: ...hrough a network according to the destination address of the packet it receives and forwards the packet to the next router The last router in the path is responsible for submitting the packet to the destination host In Figure 16 1 R stands for a router A packet sent from Host A to Host C should go through two routers and the packet is transmitted through two hops Therefore when a node router is co...

Page 144: ...aster than that through two low speed WAN route segments 16 1 2 Route Selection through the Routing Table The key for a router to forward packets is the routing table Each router saves a routing table in its memory and each entry of this table specifies the physical port of the router through which the packet is sent to a subnet or a host Therefore it can reach the next router via a particular pat...

Page 145: ...on resides In order to limit the size of the routing table an option is available to set a default route All the packets that fail to find the suitable entry will be forwarded through this default route In a complicated Internet as shown in Figure 16 2 the number in each network is the network address and R stands for a router The router R8 is connected with three networks so it has three IP addre...

Page 146: ...rent routing protocols can also be shared with each other 16 2 1 Routing Protocols and the Preferences of the Corresponding Routes Different routing protocols as well as the static configuration may generate different routes to the same destination but not all these routes are optimal In fact at a certain moment only one routing protocol can determine a current route to a specific destination Thus...

Page 147: ...nce and different next hops If the routing protocol has the highest precedence among all active routing protocols these multiple routes will be regarded as currently valid routes Thus load sharing of IP traffic is ensured in terms of routing protocols The Switch 8800 supports eight routes to implement load sharing II Route backup The Switch 8800 supports route backup When the main route fails the ...

Page 148: ... generate different routes thus bringing about the problem of how to resolve the differences when different routes are generated by different routing protocols The Switch 8800 can import the information of another routing protocol Each protocol has its own route importing mechanism For details refer to the description about Importing an External Route in the operation manual of the corresponding r...

Page 149: ...ribute all the IP packets to this destination will be discarded and the source host will be informed that the destination is unreachable z Blackhole route If a static route to a destination has the blackhole attribute the outgoing interface of this route is the Null 0 interface regardless of the next hop address and any IP packets addressed to this destination are dropped without notifying the sou...

Page 150: ...e Delete a static route undo ip route static vpn instance vpn instance name ip address mask mask length interface type interface number vpn instance vpn instance name gateway address preference preference value reject blackhole The parameters are explained as follows z IP address and mask The IP address and mask are in a dotted decimal format As 1 s in the 32 bit mask is required to be consecutive...

Page 151: ...s in system view Table 17 2 Configure a default route Operation Command Configure a default route ip route static 0 0 0 0 0 0 0 0 0 interface type interface number gateway address preference value reject blackhole Delete a default route undo ip route static 0 0 0 0 0 0 0 0 0 interface type interface number gateway address preference value The meanings of parameters in the command are the same as t...

Page 152: ...e Display the route filtered through the specified basic access control list ACL display ip routing table acl acl number acl name verbose Display the route information that is filtered through the specified ip prefix list display ip routing table ip prefix ip prefix number verbose Display the routing information discovered by the specified protocol display ip routing table protocol protocol inacti...

Page 153: ...e static 1 1 3 0 255 255 255 0 1 1 2 2 Switch A ip route static 1 1 4 0 255 255 255 0 1 1 2 2 Switch A ip route static 1 1 5 0 255 255 255 0 1 1 2 2 Configure the static route for Switch B Switch B ip route static 1 1 2 0 255 255 255 0 1 1 3 1 Switch B ip route static 1 1 5 0 255 255 255 0 1 1 3 1 Switch B ip route static 1 1 1 0 255 255 255 0 1 1 3 1 Configure the static route for Switch C Switch...

Page 154: ...e switch is not configured with the dynamic routing protocol and both the physical status and the link layer protocol status of the interface is UP but the IP packets cannot be forwarded normally Solution z Use the display ip routing table protocol static command to view whether the configured static route is correct and in effect ...

Page 155: ...nging from 0 to 15 The hop count equal to or exceeding 16 is defined as infinite that is the destination network or the host is unreachable To improve the performance and avoid route loop RIP supports Split Horizon and allows importing the routes discovered by other routing protocols II RIP route database Each router running RIP manages a route database which contains routing entries to all the re...

Page 156: ...h has sent the request will modify its own routing table At the same time the router sends trigger modification packets to its adjacent routers running RIP and broadcasts modification information following split horizon mechanism After receiving trigger modification packets the adjacent routers send trigger modification packets to their respective adjacent routers As a result each router can obtai...

Page 157: ...onfiguration z Configuring the RIP precedence z Configuring RIP timers z Configuring RIP 1 zero field check of the interface packet z Specifying RIP version of the interface 4 Configuration related to security You can select the following configurations to improve RIP security during exchanging routing information or control the area to transmit RIP packets z Setting RIP 2 packet authentication z ...

Page 158: ...lay current configuration or using display rip command By default RIP is disabled on all the interfaces after it is started up 18 2 3 Configuring Unicast of the Packets Usually RIP sends packets using broadcast or multicast addresses It exchanges routing information with non broadcasting networks in unicast mode Perform the following configuration in RIP view Table 18 3 Configure unicast of the pa...

Page 159: ... metricin value Disable the additional routing metric of the route when the interface receives an RIP packet undo rip metricin Set the additional routing metric of the route when the interface sends an RIP packet rip metricout value Disable the additional routing metric of the route when the interface sends an RIP packet undo rip metricout By default the additional routing metric added to the rout...

Page 160: ...ute filtering function You can configure the filter policy rules through specifying the ACL and ip prefix for route import and advertisement Besides to import a route the RIP packet of a specific router can also be received by designating a neighbor router Perform the following configuration in RIP view I Configuring RIP to filter the received routes Table 18 7 Configure RIP to filter the received...

Page 161: ...nd will not be advertised to the neighbors z The filter policy export command filters all the advertised routes including routes imported by the import route command and RIP routes learned from the neighbors z If the filter policy export command does not specify which route to be filtered then all the routes imported by the import route command and the advertised RIP routes will be filtered 18 2 8...

Page 162: ...ggregation function of RIP 2 undo summary By default RIP 2 route summarization is enabled 18 2 10 Setting the RIP Preference Each kind of routing protocol has its own preference by which the routing policy will select the optimal one from the routes of different protocols The greater the preference value is the lower the preference becomes The preference of RIP can be set manually Perform the foll...

Page 163: ...iously RIP has three timers Period update Timeout and Garbage collection Modification of these timers affects RIP convergence speed Perform the following configuration in RIP view Table 18 13 Configure RIP timers Operation Command Configure RIP timers timers update update timer length timeout timeout timer length Restore the default settings of RIP timers undo timers update timeout The modificatio...

Page 164: ...s invalid for RIP 2 Perform the following configuration in RIP view Table 18 14 Configure zero field check of the interface packet Operation Command Configure zero field check on the RIP 1 packet checkzero Disable zero field check on the RIP 1 packet undo checkzero By default RIP 1 performs zero field check on the packet 18 2 14 Specifying the Operating State of the Interface In interface view you...

Page 165: ...tication But when the interface operates RIP 2 the packet authentication can be configured RIP 2 supports two authentication modes Simple authentication and MD5 authentication MD5 authentication uses two packet formats One follows RFC1723 and the other follows the RFC2082 The simple authentication does not ensure security The authentication key not encrypted is sent together with the packet so the...

Page 166: ...the RIP packet debugging information undo debugging rip packet Enable the debugging of RIP receiving packets debugging rip receive Disable the debugging of RIP receiving packets undo debugging rip receive Enable the debugging of RIP sending packet debugging rip send Disable the debugging of RIP sending packet undo debugging rip send Reset the system configuration parameters of RIP reset 18 4 Typic...

Page 167: ... 11 2 3 24 Interface address Figure 18 1 Network diagram for RIP configuration III Configuration procedure Note The following configuration only shows the operations related to RIP Before performing the following configuration make sure the Ethernet link layer can work normally 1 Configure Switch A Configure RIP Switch A rip Switch A rip network 110 11 2 0 Switch A rip network 155 10 1 0 2 Configu...

Page 168: ...he peer routing device is normal Solution RIP does not operate on the corresponding interface for example the undo rip work command is executed or this interface is not enabled through the network command The peer routing device is configured to be in the multicast mode for example the rip version 2 multicast command is executed but the multicast mode has not been configured on the corresponding i...

Page 169: ...al cost multi route Support multiple equal cost routes to a destination z Routing hierarchy OSPF has a four level routing hierarchy It prioritizes the routes to be intra area inter area external type 1 and external type 2 routes z Authentication It supports the interface based packet authentication so as to guarantee the security of the route calculation z Multicast transmission Support multicast ...

Page 170: ...ute calculation Also it transmits and receives packets by IP multicast 224 0 0 5 and 224 0 0 6 19 1 3 OSPF Packets OSPF uses five types of packets z Hello Packet It is the commonest packet which is periodically sent by a router to its neighbor It contains the values of some timers DR BDR and the known neighbor z Database Description DD Packet When two routers synchronize their databases they use t...

Page 171: ...ASBRs generate AS external LSAs which describe the routes to other ASs AS external LSA packets are transmitted to the whole AS except Stub areas AS external LSAs can also describe the default route of an AS II Type 7 LSA RFC1587 OSPF NSSA Option adds a new LSA type Type 7 LSAs According to RFC1587 Type 7 LSAs differ from Type 5 LSAs as follows z Type 7 LSAs are generated and released within a Not ...

Page 172: ...also exchanged between them After the existing DR fails the BDR will become a DR immediately III Area The network size grows increasingly larger If all the routers on a huge network are running OSPF the large number of routers will result in an enormous LSDB which will consume an enormous storage space complicate the SPF algorithm and add the CPU load as well Furthermore as a network grows larger ...

Page 173: ... 0 24 The three routes are summarized into one route 19 1 0 0 16 after you configured route summary The RTA only generates an LSA describing the summarized route Area 12 Area 8 Area 19 Area 0 Virtual Link 19 1 1 0 24 19 1 2 0 24 19 1 3 0 24 RTA Figure 19 1 Area and route aggregation 19 1 6 OSPF Features Supported by the Switch 8800 The Switch 8800 supports the following OSPF features z Support stu...

Page 174: ... the area of any AS When reconfiguring a default parameter on one router make sure that the same change is made on all other involved routers In various configurations you must first enable OSPF specify the interface and area ID before configuring other functions But the configuration of the functions related to the interface is not restricted by whether the OSPF is enabled or not It should be not...

Page 175: ...nfigured manually If router ID is not configured the system will select the IP address of an interface automatically When you do that manually you must guarantee that the IDs of any two routers in the AS are unique A common undertaking is to set the router ID to be the IP address of an interface on the router Perform the following configuration in system view Table 19 1 Configure router ID Operati...

Page 176: ... in the format of IP address Regardless of how it is specified it is displayed in the format of IP address Note that when you configure OSPF routers in the same area you should apply most configuration data to the whole area Otherwise the neighboring routers cannot exchange information This may even block routing information or create routing loops 19 2 4 Specifying an Interface to Run OSPF After ...

Page 177: ...ost and the route cost of the OSPF itself are comparable That is cost to reach the external route type 1 cost to reach the corresponding ASBR from the local router cost to reach the destination address of the route from the ASBR The external routes type 2 refers to the imported EGP routes Since these routes have lower credibility OSPF assumes that the cost spent from the ASBR to reach the destinat...

Page 178: ...ing such as default route cost and default tag of route distribution Route tag can be used to identify the protocol related information For example OSPF can use it to identify the AS number when receiving BGP Perform the following configuration in OSPF view Table 19 6 Configure parameters for OSPF to import external routes Operation Command Configure the default cost for the OSPF to import externa...

Page 179: ...ime undo default limit By default the interval for importing external routes is 1 second The upper limit to the external routes imported is 1000 at a time 19 2 6 Configuring OSPF to Import Default Routes By default there are no default routes in a common OSPF area either a backbone area or a non backbone area Besides the import route command cannot be used to import the default route Use the defau...

Page 180: ... generated during SPF calculation there is no default route in the OSPF route on this router To ensure the correct routing information you should configure to import the default route on the router only connected to the external network Note z After the default route advertise command is configured on the OSPF router this router becomes an ASBR For the OSPF router the default route advertise and i...

Page 181: ... This command only takes effect on ABR z The filter policy export command only takes effect on the routes imported by the import route command If you configure the switch with only the filter policy export command but without configuring the import route command to import other external routes including OSPF routes of different process then the filter policy export command does not take effect z I...

Page 182: ...Cancel route summary of OSPF area undo abr summary ip address mask By default route summary is disabled on ABRs II Configuring summarization of imported routes by OSPF OSPF of the Switch 8800 supports route summarization of imported routes Perform the following configurations in OSPF view Table 19 12 Configure summarization of imported routes by OSPF Operation Command Configure summarization of im...

Page 183: ...ing OSPF Timers I Setting the interval for Hello packet transmission Hello packets are a kind of most frequently used packets which are periodically sent to the adjacent router for discovering and maintaining the adjacency and for electing DR and BDR The user can set the hello timer According to RFC2328 the consistency of hello intervals between network neighbors should be kept The hello interval ...

Page 184: ...e to the default values after the user modify the network type III Setting an interval for LSA retransmission between neighboring routers If a router transmits a Link State Advertisements LSA to the peer it requires the acknowledgement packet from the peer If it does not receive the acknowledgement packet within the retransmit time it will retransmit this LSA to the neighbor The value of retransmi...

Page 185: ... the polling interval to specify the interval for sending polling hello packets before the adjacency of the neighboring routers is formed Set the network type to NBMA if routers not supporting multicast addresses exist in a broadcast network Set the interface type to p2mp if not all the routers are directly accessible on an NBMA network Change the interface type to p2p if the router has only one p...

Page 186: ...e 19 18 Configure the NBMA neighbors for OSPF Operation Command Configure the NBMA neighbors for OSPF peer ip address dr priority dr priority number Remove the configured NBMA neighbors undo peer ip address By default the preference for NBMA neighbor is 1 19 2 13 Setting the Interface Priority for DR Election On a broadcast or NBMA network a designated router DR and a backup designated router BDR ...

Page 187: ... become the DR even if it has the highest priority z DR is based on the router interface in a certain segment Maybe a router is a DR on one interface but can be a BDR or DROther on another interface z DR election is only required for the broadcast or NBMA interfaces For the p2p or p2mp interfaces DR election is not required Perform the following configuration in interface view Table 19 19 Set the ...

Page 188: ...s are transmitted per second 19 2 15 Configuring the Cost for Sending Packets on an Interface The user can control the network traffic by configuring different packet sending costs for different interfaces Perform the following configuration in interface view Table 19 21 Configure the cost for sending packets on an interface Operation Command Configure the cost for sending packets on an interface ...

Page 189: ...sting the SPF calculation interval however can restrain the resource consumption due to frequent network changes Perform the following configuration in OSPF view Table 19 23 Set the SPF calculation interval Operation Command Set the SPF calculation interval spf schedule interval seconds Restore the SPF calculation interval undo spf schedule interval seconds By default the interval of SPF recalcula...

Page 190: ...e same authentication key To configure a simple text authentication key use the authentication mode simple command Use the authentication mode md5 command to configure the MD5 cipher text authentication key if the area is configured to support MD5 cipher text authentication mode Perform the following configuration in OSPF area view Table 19 25 Configure the OSPF area to support packet authenticati...

Page 191: ...up through the area of a non backbone internal route between two ABRs Both ends of the logic channel should be ABRs and the connection can take effect only when both ends are configured The virtual link is identified by the ID of the remote router The area which provides the ends of the virtual link with a non backbone area internal route is called the transit area The ID of the transit area shoul...

Page 192: ...area conforms to the configuration condition Generally stub areas located at the AS boundaries are those non backbone areas with only one ABR Even if this area has multiple ABRs no virtual links are established between these ABRs To ensure that the routes to the destinations outside the AS are still reachable the ABR in this area will generate a default route 0 0 0 0 and advertise it to the non AB...

Page 193: ...ised in NSSA area When Type 7 LSA reaches ABR of NSSA ABR will select whether to transform Type 7 LSA into AS External LSA so as to advertise to other areas For example in the network below the AS running OSPF comprises three areas Area 1 Area 2 and Area 0 Among them Area 0 is the backbone area Also there are other two ASs respectively running RIP Area 1 is defined as an NSSA area After RIP routes...

Page 194: ...table On an ASBR however a default type 7 LSA route can be generated only if the default route 0 0 0 0 is in the routing table Executing the keyword no import route on the ASBR will prevent the external routes that OSPF imported through the import route command from being advertised to the NSSA Generally if an NSSA router is both ASBR and ABR this keyword will be used The keyword default cost is u...

Page 195: ... nbrstatechange virnbrstatechange ifcfgerror virifcfgerror ifauthfail virifauthfail ifrxbadpkt virifrxbadpkt txretransmit viriftxretransmit originatelsa maxagelsa lsdboverflow lsdbapproachoverflow By default OSPF TRAP function is disabled That is the switch does not send TRAP packets when any OSPF process is abnormal The configuration is valid to all OSPF processes if you do not specify a process ...

Page 196: ...ospf process id nexthop Display OSPF routing table display ospf process id routing Display OSPF virtual links display ospf process id vlink Display OSPF request list display ospf process id request queue Display OSPF retransmission list display ospf process id retrans queue Display the information of OSPF ABR and ASBR display ospf process id abr asbr Display the summary information of OSPF importe...

Page 197: ...Switch C and Switch D which can perform the router functions and run OSPF are located on the same segment as shown in the following figure Configure Switch A and Switch C as DR and BDR respectively The priority of Switch A is 100 which is the highest on the network so it is elected as the DR Switch C has the second highest priority that is 2 so it is elected as the BDR The priority of Switch B is ...

Page 198: ...nterface1 ip address 196 1 1 3 255 255 255 0 Switch C Vlan interface1 ospf dr priority 2 Switch C router id 3 3 3 3 Switch C ospf Switch C ospf 1 area 0 Switch C ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 Configure Switch D Switch D interface Vlan interface 1 Switch D Vlan interface1 ip address 196 1 1 4 255 255 255 0 Switch D router id 4 4 4 4 Switch D ospf Switch D ospf 1 area 0 Switch D os...

Page 199: ...ches on the network are removed and added back again Switch B will be elected as the DR with the priority of 200 and Switch A becomes the BDR with a priority of 100 To switch off and restart all of the switches will bring about a new round of DR BDR selection 19 4 2 Configuring OSPF Virtual Link I Network requirements In Figure 19 4 Area 2 and Area 0 are not directly connected Area 1 is required t...

Page 200: ...er id 2 2 2 2 Switch B ospf Switch B ospf 1 area 0 Switch B ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 Switch B ospf 1 area 0 0 0 0 quit Switch B ospf 1 area 1 Switch B ospf 1 area 0 0 0 1 network 197 1 1 0 0 0 0 255 Switch B ospf 1 area 0 0 0 1 vlink peer 3 3 3 3 Configure Switch C Switch C interface Vlan interface 1 Switch C Vlan interface1 ip address 152 1 1 1 255 255 255 0 Switch C interf...

Page 201: ...r protocol are normal check the OSPF parameters configured on the interface The parameters should be the same parameters configured on the router adjacent to the interface The same area ID should be used and the networks and the masks should also be consistent The p2p or virtually linked segment can have different segments and masks z Ensure that the dead timer on the same interface is at least fo...

Page 202: ... be set up between RTC and RTB Ensure that area2 and area0 backbone area is connected RTA RTB RTC RTD area0 area1 area2 RTA RTB RTC RTD area0 area1 area2 Figure 19 5 OSPF areas z The backbone area area 0 cannot be configured as the stub area and the virtual link cannot pass through the stub area That is if a virtual link has been set up between RTB and RTC neither area1 nor area0 can be configured...

Page 203: ...ng information and generating routes In the following text the IS shares the same meaning with the router z End System ES It equals the host system of TCP IP ES does not process the IS IS routing protocol and therefore it can be ignored in the IS IS protocol z Routing Domain RD A group of ISs exchange routing information with the same routing protocol in a routing domain z Area Area is the divisio...

Page 204: ...vel 1 router maintains a Level 1 LSDB This LSDB contains intra area routing information The packets sent to other areas are forwarded to the closest Level 2 router z Level 2 router The Level 2 router is responsible for inter area route The Level 2 router and Level 2 routers or Level 1 2 routers in other areas are neighbors The Level 2 router maintains a Level 2 LSDB This LSDB contains inter area r...

Page 205: ... ES Routing Domain Boundary IS IS Area End system Subnetwork Path Level 1 IS IS Routing Level 2 IS IS Routing Interdomain Routing Intermediate system ES IS Area 1 Area 2 Area 3 Routing Domain 1 Routing Domain 2 ES ES IS IS IS IS IS IS IS ES ES ES ES ES IS IS Figure 20 1 IS IS topology ...

Page 206: ...ute area so the combination is called an area address In general you only need to configure an area address for a router The area addresses of all nodes are the same in an area To support the seamless combination segmentation and conversion the Switch 8800 supports up to three area addresses z System ID System ID uniquely identifies terminal system or router in a route area You can select length f...

Page 207: ...If you will redivide an area combine multiple areas or divide an area into multiple areas you can configure multiple NETs to ensure correct routes in the case of reconfiguration Because you can configure up to three area addresses you can only configure up to three NETs For example there is a NET 47 0001 aaaa bbbb cccc 00 in which Area 47 0001 System ID aaaa bbbb cccc SEL 00 For example there is a...

Page 208: ...detecting asynchronous LSDBs the system asks neighbors to send new LSPs by PSNPs CSNP contains all LSP digest information in a LSDB synchronizing LSDBs for neighbor routers On a broadcast network a DIS sends CSNPs periodically the default sending period is 10 seconds On the point to point line a DIS sends CSNPs only when the neighbors are established for the first time 20 2 Configuring Integrated ...

Page 209: ...on z Setting Router Type z Setting Interface Circuit Level 2 Configuration related to IS IS route z Configuring IS IS to Import Routes of Other Protocols z Configuring IS IS Route Filtering z Configuring IS IS Routing Leak z Setting IS IS Route Summary z Setting to Generate Default Route 3 Default route generation z Setting the Preference of IS IS Protocol z ...

Page 210: ...S Peer 20 2 1 Enabling IS IS and Entering the IS IS View After creating an IS IS routing process you should also activate this routing process at an interface that may correlate with another router After that the IS IS protocol can be started and run Perform the following configuration in system view Table 20 1 Enable IS IS and enter the IS IS view Operation Command Enable the IS IS and enter the ...

Page 211: ...figuration 20 9 Delete a NET undo network entity network entity title The format of the network entity title argument is X X XXXXXXXXXXXX XX among which the first X X is the area address the twelve Xs in the middle is the System ID of the router The last XX should be 00 ...

Page 212: ...ority in the broadcast network the one with the greatest MAC address will be selected If all the adjacent routers priorities are 0 the one with the greatest MAC address will be selected The DISs of Level 1 and Level 2 are elected separately You can set different priorities for DIS election at different levels Perform the following configuration in interface view Table 20 4 Set priority for DIS ele...

Page 213: ... relation You can set the circuit level to limit what adjacency can be established for the interface For example Level 1 interface can only have Level 1 adjacency Level 2 interface can only have Level 2 adjacency For the Level 1 2 router you can configure some interfaces to Level 2 to prevent transmitting Level 1 Hello packets to Level 2 backbone so as to save the bandwidth However Level 1 and Lev...

Page 214: ...ls For more about importing routing information refer to the Configuring IP Routing Policy part 20 2 8 Configuring IS IS Route Filtering IS IS protocol can filter the received and advertised routes according to the access control list specified by acl number Perform the following configuration in IS IS view I Configuring to filter the routes received by IS IS Table 20 8 Configure to filter the rec...

Page 215: ...iltered then the all the routes imported by the import route command will be filtered 20 2 9 Configuring IS IS Routing Leak By virtual of IS IS routing leak function a Level 2 router can advertise the routing information of Level 1 areas and the Level 2 area it knows to a Level 1 router Perform the following configuration in IS IS view Table 20 10 Configure IS IS routing leak Operation Command Ena...

Page 216: ...te default route Operation Command Set to generate default route default route advertise route policy route policy name Set not to generate default route undo default route advertise route policy route policy name The default route generated by this command will only be imported to the router at the same level 20 2 12 Setting the Preference of IS IS Protocol In a router on which several routing pr...

Page 217: ... packets whose route metric is in narrow style 20 2 14 Setting IS IS Link State Routing Cost Users can configure the interface cost namely the default routing cost Perform the following configuration in interface view Table 20 15 Set IS IS link state routing cost Operation Command Set the routing cost of the interface isis cost value level 1 level 2 Restore the default routing cost of the interfac...

Page 218: ...d level 2 on the p2p links the attribute of the packets need not be set either By default Hello packets are transmitted on an interface every 10 seconds II Setting the CSNP packet broadcast interval The CSNP packet is transmitted by the DIS over the broadcast network to synchronize the link state database LSDB The CSNP packet is regularly broadcast over the broadcast network at an interval which c...

Page 219: ...ation Command Set the retransmission interval of the LSP packet over p2p links isis timer retransmit seconds Restore the default retransmission interval of the LSP packet over p2p links undo isis timer retransmit By default the LSP packet is transmitted every five seconds over the p2p link V Configuringnumber of invalid Hello packets for the interface The router maintains the adjacency by sending ...

Page 220: ...e interface is not configured with any authentication password nor performs authentication If the level is not specified it defaults to setting the authentication password of Level 1 II Setting IS IS area or IS IS routing domain authentication password Users can configure the IS IS area or the IS IS routing domain with authentication password If area authentication is needed the area authenticatio...

Page 221: ...he devices of other vendors using MD5 algorithm in IS IS Perform the following configuration in IS IS view Table 20 23 Set the IS IS to use the MD5 algorithm compatible with that of the other vendors Operation Command Set the IS IS to use the MD5 algorithm compatible with that of the other vendors md5 compatible Set the IS IS to use the default MD5 algorithm undo md5 compatible By default the syst...

Page 222: ...ou can set the overload flag bit for this router When the overload threshold is set other routers should not send this router the packets which should be forwarded by it Perform the following configurations in IS IS view Table 20 25 Set overload flag bit Operation Command Set overload flag bit set overload Remove the overload flag bit undo set overload By default no over load bit is set 20 2 19 Se...

Page 223: ...changes log undo log peer change By default the peer changes log is disabled 20 2 21 Setting LSP Refreshment Interval In order to ensure that the LSPs in the whole area can maintain the synchronization all the current LSPs will be transmitted periodically Perform the following configuration in IS IS view Table 20 28 Set LSP refreshment interval Operation Command Set LSP refreshment interval timer ...

Page 224: ... the SPF interval times out Perform the following configuration in IS IS view Table 20 30 Set SPF calculation interval Operation Command Set SPF calculation interval timer spf second level 1 level 2 Restore default SPF calculation interval undo timer spf level 1 level 2 If the level is not specified it defaults to setting the SPF calculation interval of Level 1 By default SPF calculation runs ever...

Page 225: ... routes will be calculated in one second Perform the following configuration in IS IS view Table 20 32 Set SPF to release CPU actively Operation Command Specify the number of routes to process before releasing CPU spf delay interval number Restore the default configuration undo spf delay interval By default CPU is released once when every 5000 routes are processed by the SPF of IS IS 20 2 24 Enabl...

Page 226: ...it is necessary to connect a specified peer again perform the following configuration in user view Table 20 35 Reset the specified IS IS peer Operation Command Reset the specified IS IS peer reset isis peer system id By default the IS IS peer is not cleared 20 3 Displaying and Debugging Integrated IS IS After completing the above configuration execute the display command in any view to display the...

Page 227: ...acket content snp packet spf event spf summary spf timer task error timer update packet Disable IS IS debugging undo debugging isis adjacency all authentication error checksum error circuit information configuration error datalink receiving packet datalink sending packet general error interface information memory allocating receiving packet content self originate update sending packet content snp ...

Page 228: ...n interface100 ip address 100 10 0 1 255 255 255 0 Switch A Vlan interface100 isis enable Switch A interface vlan interface 101 Switch A Vlan interface101 ip address 100 0 0 1 255 255 255 0 Switch A Vlan interface101 isis enable Switch A interface vlan interface 102 Switch A Vlan interface102 ip address 100 20 0 1 255 255 255 0 Switch A Vlan interface102 isis enable Configure Switch B Switch B isi...

Page 229: ...ble Switch C interface vlan interface 100 Switch C Vlan interface100 ip address 200 20 0 1 255 255 255 0 Switch C Vlan interface100 isis enable Configure Switch D Switch D isis Switch D isis network entity 86 0001 0000 0000 0008 00 Switch D interface vlan interface 102 Switch D Vlan interface102 ip address 100 20 0 2 255 255 255 0 Switch D Vlan interface102 isis enable Switch D interface vlan inte...

Page 230: ...utes are updated BGP only transmits updated routes which greatly reduces bandwidth occupation by route propagation and can be applied to propagation of a great amount of routing information on the Internet z BGP 4 supports CIDR which is an important improvement to BGP 3 z In consideration of management and security users desire to perform control over outgoing and incoming routing information of e...

Page 231: ... the first startup of the BGP system the BGP router exchanges routing information with its peers by transmitting the complete BGP routing table after that only update messages are exchanged In the operating of the system keepalive messages are received and transmitted to check the connections between various neighbors The router transmitting BGP messages is called a BGP speaker which receives and ...

Page 232: ...s the practical exterior gateway protocol is widely used in interconnection between autonomous systems The traditional BGP 4 can only manage the routing information of IPv4 and has limitation in inter AS routing when used in the application of other network layer protocols such as IPv6 etc In order to support multiple network layer protocols IETF extended BGP 4 and formed MBGP Multiprotocol Extens...

Page 233: ...eer Group I Definition of peer and peer group A BGP speaker calls peers other BGP speakers which exchange information with it and multiple related peers compose a peer group II Relationship between peer configuration and peer group configuration In the Switch 8800 a BGP peer must belong to a peer group If you want to configure a BGP peer you need first to create a peer group and then add a peer in...

Page 234: ... Route Reflector z Configuring BGP AS Confederation Attribute 7 Others z Clearing BGP Connection z Refreshing BGP Routes 21 2 1 Enabling BGP To enable BGP local AS number should be specified After the enabling of BGP local router listens to BGP connection requests sent by adjacent routers To make the local router send BGP connection requests to adjacent routers refer to the configuration of the pe...

Page 235: ...uring AS number of an EBGP peer group You can specify AS number for an EBGP peer group but IBGP needs no AS number When a peer group is specified with an AS number all its member peers inherit the AS number Table 21 3 Configure AS number of a EBGP peer group Operation Command Configure the AS number of the EBGP peer group peer group name as number as number Delete the AS number of the EBGP peer gr...

Page 236: ...me peer address enable Disable a peer peer group undo peer group name peer address enable By default only BGP peer groups of IPv4 unicast address family are enabled Other peer types or peer group types are disabled consequently exchanging no routing information When exchanging routing information between BGP speakers the peer group must be enabled first and then the peer should be added to the ena...

Page 237: ...l at which route update messages are sent by a peer group Table 21 8 Configure the interval at which route update messages are sent by a peer group Operation Command Configure the route update message interval of a peer group peer group name route update interval seconds Restore the default route update message interval of a peer group undo peer group name route update interval By default the inte...

Page 238: ...igure a peer group to be a client of a route reflector peer group name reflect client Cancel the configuration of making the peer group as the client of the BGP route reflector undo peer group name reflect client This configuration can be applied to IBGP peer groups only By default all IBGP peers in the autonomous system must be fully connected Moreover neighbors do not notify the learned IBGP rou...

Page 239: ...nfigure itself as the next hop when advertising routes peer group name next hop local Disable the specification of itself as the next hop when advertising routes undo peer group name next hop local V Removing private AS numbers while transmitting BGP update messages Generally the AS numbers public AS numbers or private AS numbers are included in the AS paths while transmitting BGP update messages ...

Page 240: ...ration Command Configure the repeating time of local AS peer group name peer address allow as loop number Remove the repeating time of local AS undo peer group name peer address allow as loop By default the allowed repeating time of local AS is set to 1 VIII Specifying the source interface of a route update packet Generally the system specified the source interface of a route update packet When th...

Page 241: ...ed in setting up TCP connections by default Note The multicast extension configured in BGP view is also available in MBGP since they use the same TCP link 21 2 4 Configuring Route Filtering of a Peer group The Switch 8800 supports filtering imported and advertised routes for peers groups through Route policy AS path list ACL and ip prefix list The route filtering policy of advertised routes config...

Page 242: ...port Remove the egress route filtering policy based on IP ACL for a peer group undo peer group name filter policy acl number export III Configuring route filtering policy based on AS path list for a peer group Table 21 20 Configure route filtering policy based on AS path list for a peer group Operation Command Configure the ingress route filtering policy based on AS path list for a peer group peer...

Page 243: ...a peer group undo peer group name ip prefix prefixname export By default route filtering based on address prefix list for a peer group is disabled 21 2 5 Configuring Network Routes for BGP Distribution Perform the following configuration in BGP view Table 21 22 Configure network routes for BGP distribution Operation Command Configure the local network route for BGP distribution network ip address ...

Page 244: ...f the local BGP is not set synchronous with the IGP and the next hop of the learned BGP route is reachable the local BGP will add this BGP route into its routing table immediately after it learns the route rather than waiting till the IGP also learns the route Perform the following configuration in BGP view Table 21 24 Configure not to synchronize with IGP Operation Command Cancel the synchronizat...

Page 245: ...P will not perform local route aggregation 21 2 8 Configuring BGP Route Filtering I Configuring BGP to filter the received route information The routes received by the BGP can be filtered and only those routes that meet the certain conditions will be received by the BGP Perform the following configuration in BGP view Table 21 26 Configure imported route filtering Operation Command Configure receiv...

Page 246: ... using the import route command and BGP routes learned from the neighbors z If the filter policy export command does not specify which route to be filtered then the all the routes imported by the import route command and the advertised BGP routes will be filtered 21 2 9 Configuring BGP Route Dampening I Configure BGP route dampening The main possible reason for unstable route is the intermittent d...

Page 247: ...dampening By default route dampening is disabled II Clear route attenuation information Perform the following configuration in user view to clear route attenuation information Table 21 29 Clear route attenuation information Operation Command Clear route attenuation information reset bgp dampening network address mask After you use the reset bgp dampening command the command will release the suppre...

Page 248: ...llowing configuration in BGP view Table 21 31 Configure BGP timers Operation Command Configure BGP timers timer keep alive keepalive interval hold holdtime interval Restore the default timer value undo timer By default the interval of sending keepalive packet is 60 seconds The interval of sending holdtime packet is 180 seconds The reasonable maximum interval of sending Keepalive packets is one thi...

Page 249: ... metric of the system undo default med By default MED metric is 0 The router configured above only compares the route MED metrics of different EBGP peers in the same AS Using the compare different as med command you can compare the route MED metrics of the peers in different ASs 21 2 14 Comparing the MED Routing Metrics from the Peers in Different ASs It is used to select the best route The route ...

Page 250: ...ute reflector diagram In Figure 21 1 Router C is a route reflector with two peer clients Router A and Router B Router A sends to Router C the update packet from an external peer Router C sends the update packet to Router B After using reflecting technology you do not need to establish a connection between Router A and Router B You only need to connect Router C to Router A and Router B respectively...

Page 251: ...void loop inside the AS One is to use the cluster ID the other is to use Originator_ID of a route reflector If you configure Originator_ID improperly the originator will discard the update packet when the update packet goes back to the originator You do not need to configure Originator_ID Originator_ID automatically takes effect when BGP is enabled 21 2 16 Configuring BGP AS Confederation Attribut...

Page 252: ...number n Cancel the specified sub AS in the confederation undo confederation peer as as number 1 as number n By default no autonomous system is configured as a member of the confederation The configured sub AS number is valid only inside the confederation In addition the number cannot be the same as the AS number of a peer in the peer group for which you have not configured an AS number III Config...

Page 253: ...BGP Routes It is required to re compute associated route information when BGP routing policy changes Perform the following configuration in user view Table 21 41 Refresh BGP routes Operation Command Refresh general BGP routes refresh bgp all peer address group group name import export The import keyword means to refresh the routes learned from the peers and the export keyword means to refresh rout...

Page 254: ...ceived network address mask statistic Display the routes matching with the specified access list display bgp routing table as path acl acl number Display route flapping statistics information display bgp routing table flap info regular expression as regular expression as path acl acl number network address mask longer match Display routes with different source ASs display bgp routing table differe...

Page 255: ...undo debugging bgp route refresh receive send verbose Enable Disable information debugging of BGP normal functions undo debugging bgp normal Enable Disable BGP Update packet debugging undo debugging bgp update receive send verbose Reset BGP flap information reset bgp flap info regular expression as regular expression as path acl acl number network address mask 21 4 Typical BGP Configuration Exampl...

Page 256: ...er as 1002 1003 Switch A bgp group confed1002 external Switch A bgp peer confed1002 as number 1002 Switch A bgp group confed1003 external Switch A bgp peer confed1003 as number 1003 Switch A bgp peer 172 68 10 2 group confed1002 Switch A bgp peer 172 68 10 3 group confed1003 Configure Switch B Switch B bgp 1002 Switch B bgp confederation id 100 Switch B bgp confederation peer as 1001 1003 Switch B...

Page 257: ...t passing EBGP and transmits it to Switch C Switch C is a reflector with two clients Switch B and Switch D When Switch C receives a route update from Switch B it will transmit such information to Switch D It is required to establish an IBGP connection between Switch B and Switch D because Switch C reflects information to Switch D II Network diagram IBGP IBGP EBGP Client Client Route reflector VLAN...

Page 258: ...er 192 1 1 1 group ex as number 100 Switch B bgp group in internal Switch B bgp peer 193 1 1 1 group in 3 Configure Switch C Configure VLAN 3 Switch C interface Vlan interface 3 Switch C Vlan interface3 ip address 193 1 1 1 255 255 255 0 Configure VLAN 4 Switch C interface vlan Interface 4 Switch C Vlan interface4 ip address 194 1 1 1 255 255 255 0 Configure BGP peers and route reflector Switch C ...

Page 259: ... B Switch C and Switch D operate IBGP II Network diagram VLAN 4 194 1 1 2 24 VLAN 2 192 1 1 1 24 VLAN 3 193 1 1 1 24 VLAN 3 193 1 1 2 24 VLAN 5 195 1 1 2 24 VLAN 2 192 1 1 2 24 2 2 2 2 4 4 4 4 3 3 3 3 1 1 1 1 AS100 AS200 VLAN 4 194 1 1 1 24 VLAN 5 195 1 1 1 24 IBGP IBGP EBGP EBGP To network 1 0 0 0 To network 2 0 0 0 To network 4 0 0 0 To network 3 0 0 0 Switch A Switch B Switch C Switch D Figure ...

Page 260: ... policy if match acl 2000 Switch A route policy apply cost 100 Switch A route policy quit z Apply route policy set_med_50 to egress route update of Switch C 193 1 1 2 and apply route policy set_med_100 on the egress route of Switch B 192 1 1 2 Switch A bgp 100 Switch A bgp peer ex193 route policy apply_med_50 export Switch A bgp peer ex192 route policy apply_med_100 export 2 Configure Switch B Swi...

Page 261: ...tch D ospf Switch D ospf 1 area 0 Switch D ospf 1 area 0 0 0 0 network 194 1 1 0 0 0 0 255 Switch D ospf 1 area 0 0 0 0 network 195 1 1 0 0 0 0 255 Switch D ospf 1 area 0 0 0 0 network 4 0 0 0 0 255 255 255 Switch D bgp 200 Switch D bgp group ex external Switch D bgp peer ex as number 200 Switch D bgp peer 195 1 1 2 group ex Switch D bgp peer 194 1 1 2 group ex To enable the configuration all BGP ...

Page 262: ...79 and exchange Open packets correctly Perform the check according to the following steps z Check whether the configuration of the neighbor s AS number is correct z Check whether the neighbor s IP address is correct z If using the Loopback interface check whether the connect source loopback command has been configured By default the router uses the optimal local interface to establish the TCP conn...

Page 263: ...3Com Switch 8800 Configuration Guide Chapter 21 BGP Configuration 21 34 covering large network segment cannot be imported For example route 10 1 1 0 24 can be imported while 10 0 0 0 8 may cause error ...

Page 264: ...rules based on such attributes like destination address and source address of the information The matching rules can be set in advance and then used in the routing policy to advertise receive and import the route information 22 1 1 Filter In the Switch 8800 five kinds of filters Route policy acl as path community list and ip prefix are provided to be called by the routing protocols The following s...

Page 265: ...on packet of the BGP includes an autonomous system path domain During the process of routing information exchanging of the BGP the autonomous system paths the routing information has passed through will be recorded in this domain Targeting at the AS path domain the as path specifies the match condition IV community list The community list is only used in the BGP The routing information packet of t...

Page 266: ...match the node before passing this node z The apply clauses define the executed action after the routing information passes the matching test That is the clause sets the routing information attribute I Defining a route policy Perform the following configuration in system view Table 22 1 Define a route policy Operation Command Enter Route policy view route policy route policy name permit deny node ...

Page 267: ... is the filtering conditions that the routing information should satisfy for passing the route policy The matching objects are some attributes of routing information Perform the following configuration in route policy view Table 22 2 Define if match conditions Operation Command Match the AS path domain of the BGP routing information if match as path acl number Cancel the matched AS path domain of ...

Page 268: ...match the node before the actions specified by the apply clauses can be executed z If no if match clauses are specified all the routes will pass the filtering on the node III Defining apply clauses for a route policy The apply clauses specify actions which are the configuration commands executed after a route satisfies the filtering conditions specified by the if match clauses Thereby some attribu...

Page 269: ...et the cost type of the routing information apply cost type internal external Remove the setting of the cost type undo apply cost type Set the route origin of the BGP routing information apply origin igp egp as number incomplete Cancel the route origin of the BGP routing information undo apply origin Set the tag domain of the OSPF routing information apply tag value Cancel the tag domain of the OS...

Page 270: ...ter the testing of the next list item Note that if more than one ip prefix item are defined then the match mode of at least one list item should be the permit mode The list items of the deny mode can be firstly defined to rapidly filter the routing information not satisfying the requirement but if all the items are in the deny mode no route will pass the ip prefix filtering You can define an item ...

Page 271: ...unity list ip community list basic comm list number permit deny aa nn internet no export subconfed no advertise no export Configure an advanced community list ip community list adv comm list number permit deny comm regular expression Cancel a community list undo ip community list basic comm list number adv comm list number By default a BGP community attribute list is not configured 22 2 5 Importin...

Page 272: ... received Table 22 8 Configure to filter the received routes Operation Command Configure to filter the received routing information advertised by the specified address filter policy gateway ip prefix name import Cancel the filtering of the received routing information advertised by the specified address undo filter policy gateway ip prefix name import Configure to filter the received global routin...

Page 273: ...igured statically rip Route discovered by RIP ospf Route discovered by OSPF ospf ase External route discovered by OSPF ospf nssa NSSA route discovered by OSPF isis Route discovered by IS IS bgp Route acquired by BGP By default the filtering of the received and advertised routes will not be performed 22 3 Displaying and Debugging the Routing Policy After the above configuration execute the display ...

Page 274: ...0 0 8 Router ID 1 1 1 1 10 0 0 2 8 Switch A Switch B Vlan interface200 12 0 0 1 8 Router ID 2 2 2 2 Vlan interface100 10 0 0 1 8 Vlan interface100 Figure 22 1 Network diagram for filtering the received routing information III Configuration procedure 1 Configure Switch A Configure the IP address of VLAN interface Switch A interface vlan interface 100 Switch A Vlan interface100 ip address 10 0 0 1 2...

Page 275: ... routing protocol Solution Check for the following faults z The if match mode of at least one node of the Route policy should be the permit mode When a Route policy is used for the routing information filtering if a piece of routing information does not pass the filtering of any node then it means that the route information does not pass the filtering of the Route policy When all the nodes of the ...

Page 276: ...romoted the emergence of new services like e commerce network conference online auction vedio on demand VoD and tele education These services require higher information security and greater rewards I Data transmission in unicast mode In unicast mode every user that needs the inforamtion receives a copy through the channels the system separately establishes for them See Figure 23 1 Server Unicast U...

Page 277: ...o receive the information In that case information security and rewards to services are not guaranteed Moreover bandwidth is terribly wasted when only a few part of users are in need of the information In short the unicast mode is useful in networks with scattered users and the multicast mode is suitable for networks with dense users When the number of users is uncertain the adoption of unicast or...

Page 278: ...he network the multicast group therefore has no geographical limitation It should be noted that a multicast source does not necessarily belong to a multicast group It sends data to multicast groups but is not necessarily a receiver Multiple sources can send packets to a multicast group simultaneously II Advantages The main advantages of multicast are z Enhanced efficiency It reduces network traffi...

Page 279: ...P addresses of Class A Class B or Class C depending on specific packet scales Multicast packets use IP addresses of Class D as their destination addresses but Class D IP addresses cannot be contained in the source IP field of IP packets During unicast data transmission a packet is transmitted hop by hop from the source address to the destination address However in IP multicast environment a packet...

Page 280: ...re valid only in the specified local range Reserved multicast addresses that are commonly used are described in the following table Table 23 2 Reserved multicast address list Class D address range Description 224 0 0 0 Base Address Reserved 224 0 0 1 Addresses of all hosts 224 0 0 2 Addresses of all multicast routers 224 0 0 3 Not for allocation 224 0 0 4 DVMRP routers 224 0 0 5 OSPF routers 224 0...

Page 281: ...t IP address The high twenty fifth bit is 0 a fixed value 1110XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX 32 bit IP address 5 bits unmapped 23 bitsmapped 48 bit MAC address Figure 23 4 Mapping between a multicast IP address and an Ethernet MAC address The first four bits of the multicast address are 1110 representing the multicast identifier Among...

Page 282: ...ion that is a distribution tree As in unicast routing the multicast routing can also be intra domain or inter domain Intra domain multicast routing is rather mature and protocol independent multicast PIM is the most wildly used intra domain protocol which can work in collaboration with unicast routing protocols The inter domain routing first needs to solve how to transfer routing information betwe...

Page 283: ...receiving interface is on the shortest path from the receiving station to the source If a source tree is used the source address is the address of the source host sending the multicast packet If a shared tree is used the source address is the RP address of the shared tree A multicast packet arriving at the router will be forwarded according to the multicast forwarding entry if it passes the RPF ch...

Page 284: ...corresponding multicast table If the switch hears IGMP leave message from an IGMP host it will remove the host from the corresponding multicast table The switch continuously listens to the IGMP messages to create and maintain MAC multicast address table on Layer 2 And then it can forward the multicast packets transmitted from the upstream router according to the MAC multicast address table When IG...

Page 285: ...he multicast group is identified with MAC multicast address and maintained by the Ethernet switch z Router port aging time Time set on the router port aging timer If the switch has not received any IGMP general query message before the timer times out it considers the port no longer as a router port z Multicast group member port aging time When a port joins an IP multicast group the aging timer of...

Page 286: ...rt receives the IGMP general query message the Ethernet switch will notify the multicast router that a port is ready to join a multicast group and starts the aging timer for the port z IGMP specific query message Transmitted from the multicast router to the multicast members and used for querying if a specific group contains any member When received IGMP specific query message the switch only tran...

Page 287: ...der to check if the host still has some other member of this group and meanwhile starts a maximum response timer If the switch has not receive any report message from the multicast group after the timer expires the port will be removed from the corresponding MAC multicast group If the MAC multicast group does not have any member the switch will notify the multicast router to remove the branch from...

Page 288: ... Configuring Router Port Aging Time This task is to manually configure the router port aging time If the switch has not received any general query message from the router before the router port is aged it will remove the port from all MAC multicast groups Perform the following configuration in system view Table 24 2 Configuring router port aging time Operation Command Configure router port aging t...

Page 289: ...nfigure aging time of the multicast member igmp snooping host aging time seconds Restore the default setting undo igmp snooping host aging time By default the aging time of the multicast member is 260 seconds 24 2 5 Configuring Unknown Multicast Packets not Broadcasted within a VLAN This configuration task is to enable disable the function of not broadcasting unknown multicast packets within a VLA...

Page 290: ...g nonflooding enable Disable multicast packets not to be broadcasted within a VLAN undo igmp snooping nonflooding enable By default unknown multicast packets are broadcasted within the VLAN 24 3 Displaying and debugging IGMP Snooping After the above configuration execute display command in any view to display the running of the IGMP Snooping configuration and to verify the effect of the configurat...

Page 291: ...ocedures are as follows Display the current state of IGMP Snooping SW8800 display igmp snooping configuration If IGMP Snooping is not enabled enable it in system view SW8800 igmp snooping enable Display the status of the VLAN1 interface to check if PIM or IGMP is enabled on it SW8800 display current configuration interface Vlan interface 1 If PIM or IGMP is not running on VLAN1 you can enable IGMP...

Page 292: ...mand to display if the multicast group is the expected one z If the multicast group created by IGMP Snooping is not correct turn to professional maintenance personnel for help z Continue with diagnosis 3 if the second step is completed 3 Multicast forwarding table set up on the bottom layer is wrong z In any view execute the display mac address vlan command to check whether the MAC multicast forwa...

Page 293: ...LANs this guarantees both security and enough bandwidth After you configure the multicast VLAN multicast information flow can be transmitted to users continuously 25 2 Multicast VLAN Configuration Multicast VLAN is based on layer 2 multicast The following table describes the multicast VLAN configuration tasks Table 25 1 Configure multicast VLAN for a layer 2 switch Item Command Description Enter s...

Page 294: ...e Description Requirement Switch A Layer 3 switch The IP address of VLAN 2 interface is 168 10 1 1 The port E1 1 1 belongs to VLAN 2 and is connected to the Workstation The IP address of VLAN 10 interface is 168 20 1 1 The port E1 1 10 belongs to VLAN 10 and is connected to Switch B Configure layer 3 multicast PIM DM and IGMP on VLAN 10 Switch B Layer 2 switch VLAN 2 contains the port E1 1 1 and V...

Page 295: ...erforming the following configurations you should configure the IP addresses and connect the devices correctly 1 Configure Switch A Configure the IP address of the VLAN 2 interface to 168 10 1 1 Enable the PIM DM protocol Switch A system view Switch A multicast routing enable Switch A vlan 2 Switch A vlan2 interface vlan interface 2 Switch A Vlan interface2 ip address 168 10 1 1 255 255 255 0 Swit...

Page 296: ... 1 10 port trunk vlan 10 Switch B Ethernet 1 1 10 quit Define Ethernet 1 1 1 as hybrid port Add the port to VLAN 2 and VLAN 10 Make the port carry no VLAN label when it transmits packets of VLAN 2 and VLAN 10 Set the default VLAN ID of the port to VLAN 2 Switch B interface Ethernet 1 1 1 Switch B Ethernet 1 1 1 port link type hybrid Switch B Ethernet 1 1 1 port hybrid vlan 2 10 untagged Switch B E...

Page 297: ...onfiguration includes z Enabling multicast z Configuring multicast route limit z Clearing MFC Multicast Forwarding Cache forwarding entries or its statistic information z Configuring controlled multicast z Clearing route entries from the kernel multicast routing table 26 2 1 Enabling Multicast Enable multicast first before enabling multicast routing protocol Perform the following configuration in ...

Page 298: ...ng configuration in user view Table 26 3 Clearing MFC forwarding entries or its statistic information Operation Command Clear MFC forwarding entries or its statistic information reset multicast forwarding table statistics all group address mask group mask group mask length source address mask source mask source mask length incoming interface null NULL interface number interface type interface numb...

Page 299: ...ntralized mode are migrated to run in the distributed environment to make the controlled multicast operate in distributed mode If no user interfaces is added the CLI commands under controlled multicast in distributed mode are consistent with that in centralized mode Prerequisites of multicast authentication 1 DOT1X is enabled both globally and on ports Otherwise when you enable controlled multicas...

Page 300: ... on LSA and LSC II Network diagram LSD LSB LSC LSA HostA HostB VLAN11 VLAN12 VLAN10 VLAN10 VLAN11 VLAN12 VLAN12 VLAN10 VLAN11 LSD LSB LSC LSA HostB VLAN11 VLAN12 VLAN10 VLAN10 VLAN11 VLAN12 VLAN12 VLAN10 VLAN11 Host A LSD LSB LSC LSA HostA HostB VLAN11 VLAN12 VLAN10 VLAN10 VLAN11 VLAN12 VLAN12 VLAN10 VLAN11 LSD LSB LSC LSA HostB VLAN11 VLAN12 VLAN10 VLAN10 VLAN11 VLAN12 VLAN12 VLAN10 VLAN11 Host A...

Page 301: ...icast configuration and to verify the effect of the configuration Execute debugging command in user view for the debugging of multicast Table 26 6 Displaying and Debugging Common Multicast Configuration Operation Command Display the multicast routing table display multicast routing table group address mask mask mask length source address mask mask mask length incoming interface vlan interface vlan...

Page 302: ...ered as follows z Each multicast routing protocol has a multicast routing table of itself z All the multicast routing tables can be summarized into the multicast kernel routing tables z The multicast kernel routing tables should keep consistent with the multicast forwarding tables which actually control the forwarding of the multicast data packets The multicast forwarding tables are mainly used fo...

Page 303: ...d to respond to IGMP query messages from the multicast router i e report the group membership to the router The router needs to send membership query messages periodically to discover whether hosts join the specified group on its subnets according to the received response messages When the router receives the report that hosts leave the group the router will send a group specific query packet IGMP...

Page 304: ...address domain in the packet is also the IP address of the multicast group This prevents the hosts of members of other multicast groups from sending response messages IV Max response time The Max Response Time is added in IGMP Version 2 It is used to dynamically adjust the allowed maximum time for a host to respond to the group query message 27 2 IGMP Configuration After the multicast function is ...

Page 305: ...n in VLAN interface view Table 27 1 Enabling Disabling IGMP on an interface Operation Command Enable IGMP on an interface igmp enable Disable IGMP on an interface undo igmp enable By default IGMP is not enabled 27 2 3 Configuring the IGMP Version Perform the following configuration in VLAN interface view Table 27 2 Configuring the IGMP version Operation Command Select the IGMP version that the rou...

Page 306: ... to configure the interval and times of sending IGMP group specific query packets for the querier when it receives an IGMP leave message from a host z The host sends the IGMP Leave message z Upon receiving the message IGMP querier sends the group specific IGMP query message for specified times defined by the robust value in igmp robust count with the default value as 2 and at a time interval defin...

Page 307: ... Configuring the Present Time of IGMP Querier The IGMP querier present timer defines the period of time before the router takes over as the querier sending query messages after the previous querier has stopped doing so Perform the following configuration in VLAN interface view Table 27 6 Configuring the present time of IGMP querier Operation Command Change the present time of IGMP querier igmp tim...

Page 308: ...P groups on an interface If there is no limit to the number of IGMP groups added on a router interface or a router the router memory may be exhausted which may cause router failure You can set number limit for the IGMP groups added on the interface but not the number limit for the IGMP groups added in the router which is defined by the system Perform the following configuration in VLAN interface v...

Page 309: ...LAN interface view undo igmp host join group address port interface_type interface_ num interface_name to interface_type interface_ num interface_name Configure the router to join a specified multicast group in Ethernet port view igmp host join group address vlan vlanid Cancel the configuration in Ethernet port view undo igmp host join group address vlan vlanid Note The above two configuration met...

Page 310: ...ult You can select any one By default no filter is configured that is all multicast groups are allowed on the interface The port keyword only takes effect on VLAN interfaces The port specified by the port keyword must belong to this VLAN interface For the configuration in Ethernet port view the port must belong to the VLAN interface specified by the command Besides IGMP is enabled on this VLAN int...

Page 311: ...MP Table 27 12 Displaying and debugging IGMP Operation Command Display the information about members of IGMP multicast groups any views display igmp group group address interface vlan interface interface number Display the IGMP configuration and running information about the interface any views display igmp interface vlan interface interface number Enable the IGMP information debugging user view d...

Page 312: ...icast packets the router will perform RPF check according to the unicast routing table first If the RPF check is passed the router will create an S G entry and then flood the data to all downstream PIM DM nodes If the RPF check is not passed that is multicast packets enter from an error interface the packets will be discarded After this process an S G entry will be created in the PIM DM multicast ...

Page 313: ... learned by RIP and OSPF III Assert mechanism As shown in the following figure both routers A and B on the LAN have their own receiving paths to multicast source S In this case when they receive a multicast packet sent from multicast source S they will both forward the packet to the LAN Multicast Router C at the downstream node will receive two copies of the same multicast packet Receiver Router A...

Page 314: ...bor on an interface z Clearing PIM neighbors 28 2 1 Enabling Multicast Refer to Chapter 26 Common Multicast Configuration 28 2 2 Enabling PIM DM PIM DM needs to be enabled in configuration of all interfaces After PIM DM is enabled on an interface it will send PIM Hello messages periodically and process protocol packets sent by PIM neighbors Perform the following configuration in VLAN interface vie...

Page 315: ...actual networks By default the time interval for sending Hello packets is 30 seconds In general you need not modify the parameter seconds Note When you configure the time interval for a port to send Hello packets the pim neighbor hold time value automatically turns into 3 5 times the time interval value Therefore you need not configure a value for pim neighbor hold time The time interval can be co...

Page 316: ... be discarded If resource address filtering is configured as well as advanced ACLs then the router filters the resource and group addresses of all multicast data packets received Those not matched will be discarded 28 2 6 Configuring the Filtering of PIM Neighbor You can configure basic ACLs to filter the routers which can be PIM neighbors of the current interface Perform the following configurati...

Page 317: ...iguration in user view Table 28 7 Clearing multicast route entries from PIM routing table Operation Command Clear multicast route entries from PIM routing table reset pim routing table all group address mask group mask group mask length source address mask source mask source mask length incoming interface interface type interface number null 28 2 9 Clearing PIM Neighbors Perform the following conf...

Page 318: ...ay BSR information display pim bsr info Display RP information display pim rp info group address Enable the PIM debugging debugging pim common all event packet timer Disable the PIM debugging undo debugging pim common all event packet timer Enable the PIM DM debugging debugging pim dm alert all mbr mrt timer warning recv send all assert graft graft ack join prune Disable the PIM DM debugging undo ...

Page 319: ...similar Enable the multicast routing protocol SW8800 multicast routing enable Enable IGMP and PIM DM on the interface SW8800 vlan 10 SW8800 vlan10 port ethernet 2 1 2 SW8800 vlan10 quit SW8800 vlan 11 SW8800 vlan11 port ethernet 2 1 4 SW8800 vlan11 quit SW8800 vlan 12 SW8800 vlan12 port ethernet 2 1 6 SW8800 vlan12 quit SW8800 interface vlan interface 10 SW8800 vlan interface10 ip address 1 1 1 1 ...

Page 320: ... can switch over to the SPT Shortest Path Tree rooted on the source to reduce network delay PIM SM does not depend on the specified unicast routing protocol but uses the present unicast routing table to perform the RPF check Note that the creation and interaction of the RPs and BSRs are implemented through periodical RP advertisements and BSR Bootstrap packets respectively You can view the packets...

Page 321: ... as shown in the following figure Multicast Source S RPT join Multicast source registration RP Receiver Figure 29 1 RPT schematic diagram II Multicast source registration When multicast source S sends a multicast packet to the multicast group G the PIM SM multicast router directly connected to S will encapsulate the received packet into a registration packet and send it to the corresponding RP in ...

Page 322: ...ic RP The router that serves as the RP is the core router of multicast routes If the dynamic RP elected by BSR mechanism is invalid for some reason the static RP can be configured to specify RP As the backup of dynamic RP static RP improves network robusticity and enhances the operation and management capability of multicast network 29 2 PIM SM Configuration 1 PIM SM basic configuration includes z...

Page 323: ...erface at a time Once enabled PIM SM on an interface PIM DM cannot be enabled on the same interface and vice versa 29 2 3 Entering the PIM View Refer to 28 2 4 Entering the PIM View 29 2 4 Configuring the Time Intervals for Ports to Send Hello Packets In general PIM SM broadcasts Hello packets on the PIM SM enabled port periodically to detect PIM neighbors and determine the designated router DR Fo...

Page 324: ...IM view Table 29 2 Configuring candidate BSRs Operation Command Configure a candidate BSR c bsr Vlan interface Vlan interface number hash mask len priority Remove the candidate BSR configured undo c bsr Candidate BSRs should be configured on the routers in the network backbone By default no BSR is set The default priority is 0 Caution One router can only be configured with one candidate BSR When a...

Page 325: ...ove the configured static RP undo static rp Basic ACL can control the range of multicast group served by static RP If static RP is in use all routers in the PIM domain must adopt the same configuration If the configured static RP address is the interface address of the local router whose state is UP the router will function as the static RP It is unnecessary to enable PIM on the interface that fun...

Page 326: ...e RP i e RP can filter the register messages sent by DR to accept specified messages only Perform the following configuration in PIM view Table 29 6 Configuring RP to filter the register messages sent by DR Operation Command Configure RP to filter the register messages sent by DR register policy acl number Cancel the configured filter of messages undo register policy If an entry of a source group ...

Page 327: ...e following configuration in PIM view Table 29 8 Limiting the range of legal C RP Operation Command Set the limit legal C RP range crp policy acl number Restore to the default setting undo crp policy For detailed information of crp policy please refer to the command manual 29 2 14 Clearing multicast route entries from PIM routing table Refer to Chapter 28 PIM DM Configuration 29 2 15 Clearing PIM ...

Page 328: ... mrt probe spt 29 4 PIM SM Configuration Example I Networking requirements In actual network we assume that the switches can intercommunicate and the IP address of each VLAN interface has been configured z LS_A is connected to LS_B through VLAN interface10 connected to HostA through VLAN interface11 and connected to LS_C through VLAN interface12 z LS_B is connected to LS_A through VLAN interface10...

Page 329: ...e SW8800 vlan 10 SW8800 vlan10 port ethernet 2 1 2 to ethernet 2 1 3 SW8800 vlan10 quit SW8800 interface vlan interface 10 SW8800 vlan interface10 igmp enable SW8800 vlan interface10 pim sm SW8800 vlan interface10 quit SW8800 vlan 11 SW8800 vlan11 port ethernet 2 1 4 to ethernet 2 1 5 SW8800 vlan11 quit SW8800 interface vlan interface 11 SW8800 vlan interface11 igmp enable SW8800 vlan interface11 ...

Page 330: ...0 vlan interface11 quit SW8800 vlan 12 SW8800 vlan12 port ethernet 2 1 6 to ethernet 2 1 7 SW8800 vlan12 quit SW8800 interface vlan interface 12 SW8800 vlan interface12 igmp enable SW8800 vlan interface12 pim sm SW8800 vlan interface12 quit Configure the C BSR SW8800 pim SW8800 pim c bsr vlan interface 10 30 2 Configure the C RP SW8800 acl number 2000 SW8800 acl basic 2000 rule permit source 225 0...

Page 331: ...vlan interface10 pim sm SW8800 vlan interface10 quit SW8800 vlan 11 SW8800 vlan11 port ethernet 2 1 4 to ethernet 2 1 5 SW8800 vlan11 quit SW8800 interface vlan interface 11 SW8800 vlan interface11 igmp enable SW8800 vlan interface11 pim sm SW8800 vlan interface11 quit SW8800 vlan 12 SW8800 vlan12 port ethernet 2 1 6 to ethernet 2 1 7 SW8800 vlan12 quit SW8800 interface vlan interface 12 SW8800 vl...

Page 332: ...ion between MSDP peers is TCP connection MSDP makes a PIM SM domain independent of the RP in another PIM SM domain After getting multicast source information in that domain the receiver here can join directly to the SPT of the multicast source in that domain Another application of MSDP is Anycast RP In a domain configure a certain interface usually Loopback interface on different routers with a sa...

Page 333: ...es the datagram into a Register packet and forward to the RP in domain 1 3 The RP in domain 1 decapsulates the packet and forwards it along the RPT to all the members within the domain The domain members can choose to take the path along SPT 4 The RP in domain 1 generates an SA Source Active message for the MSDP peers the RPs in PIM SM domain 2 and domain 3 The SA message contains multicast source...

Page 334: ...rce mesh group Static peer Figure 30 2 MSDP working principles II The SA message forwarding and RPF check among these MSDP peers are illustrated as follows 1 If the SA message is from a MSDP peer that is the RP of the multicast source as from Switch A to Switch B it is received and forwarded to other peers 2 If the SA message is from a MSDP peer that has only one peer as from Switch B to Switch A ...

Page 335: ... a static RPF peer should be configured 30 2 MSDP Configuration 1 Basic configuration tasks of MSDP include z Enable MSDP z Configure MSDP peers 2 Advanced configuration tasks of MSDP include z Configure static RPF peers z Configure Originating RP z Configure SA caching state z Configure the maximum number of SA caching z Request the source information of MSDP peers z Control the source informatio...

Page 336: ...MBGP so long as they have a BGP or MBGP route between them If no BGP of MBGP route exists between them then you must configure static RPF peers 30 2 3 Configuring Static RPF Peers Please perform the following configurations in MSDP view Table 30 3 Configuring static RPF peers Operation Command Configure static RPF peers static rpf peer peer address rp policy list Remove static RPF peer configurati...

Page 337: ...address in its SA message Please perform the following configurations in MSDP view Table 30 4 Configuring Originating RP Operation Command Configure an MSDP peer to use the IP address of a specified interface as the RP address of its SA message originating rp interface type interface number Remove the above operation undo originating rp By default the RP address in SA message is the one configured...

Page 338: ...he MSDP peer does not enable the SA caching the configuration is invalid Please perform the following configurations in MSDP view Table 30 7 Requesting source information of MSDP peers Operation Command Configure the router to send SA request message to the specified MSDP peer when receiving the join message of a group peer peer address request sa enable Restore the default configuration undo peer...

Page 339: ...ecified MSDP peer peer peer address sa request policy Filter the SA request messages of the groups of a specified MSDP peer permitted by the basic ACL from peer peer address sa request policy acl acl number Remove the configuration of filtering SA request messages undo peer peer address sa request policy By default only the routers which caches SA messages can repond to SA request messages Routers...

Page 340: ...lated data can reach the specified MSDP peer only when the TTL in its IP header is no less than the threshold Therefore the forwarding of SA messages with encapsulated data can be controlled by configuring the TTL threshold For example you can set the TTL theshold for intra domain multicast traffic as 10 if you wish to restrict SA messages with TTL less than or equal to 10 carrying encapsulated da...

Page 341: ...ng MSDP peers is required but SA message flooding shall be prevented In a Mesh group the SA messages from outside the group are forwarded to other members in the group but the SA messages from peers inside the group will not be performed with Peer RPF check or forwarded in the group In this case the overflow of SA messages is avoided and Peer RPF is simplified as BGP or MBGP is not required betwee...

Page 342: ...fort but the configuration information will be reserved Please perform the following configurations in MSDP view Table 30 15 Shutting MSDP peers down Operation Command Shut a specified MSDP peer down shutdown peer address Turn the MSDP peer up undo shutdown peer address By default MSDP peer is enabled 30 2 14 Clearing MSDP Connections Statistics and SA Caching Configuration Perform the following c...

Page 343: ... peer state display msdp brief Enable MSDP debugging debugging msdp all connect event packet source active Note that only after the cache sa enable command is executed will the display msdp sa count command have output II Tracing the Transmission Path of SA Messages on the Network The mtracert command can be used in any view to trace the network path of multicast data from multicast source to dest...

Page 344: ...corresponding filtering policy from its static RPF peers II Networking diagram PIM SM Domain 3 SA SwitchC 10 25 1 1 PIM SM Domain 4 SwitchD Vlan interface30 PIM SM Domain 1 SwitchA 10 10 1 1 PIM SM Domain 2 SwitchB 10 21 1 1 Static RPF peer Vlan interface10 Vlan interface20 SA SA Static RPF peer Static RPF peer Static RPF peer PIM SM Domain 3 SA SwitchC 10 25 1 1 PIM SM Domain 4 SwitchD Vlan inter...

Page 345: ...sdp static rpf peer 10 25 1 1 rp policy list c 30 4 2 Configuring Anycast RP I Networking requirements To configure Anycast RP in the PIM SM domain establish MSDP peer relationship between Switch A and Switch B use the address of loopback0 on Switch A and Switch B to send SA messages outside set Loopback10 interface on Switch A and Switch B as BSR RP and configure the Anycast RP address In this wa...

Page 346: ...itchB SwitchD SwitchA SRC B SwitchC Vlan interface20 10 21 2 1 24 Loopback0 10 21 1 1 Loopback10 10 1 1 1 Vlan interface10 10 21 3 1 24 Vlan interface10 10 10 2 1 24 E1 1 3 E1 1 2 E1 1 3 E1 1 2 Figure 30 4 Networking diagram for Anycast RP configuration III Configuration procedure 1 Configure SwitchB Configure VLAN SwitchB system view SwitchB vlan 10 SwitchB vlan10 port ethernet1 1 2 SwitchB vlan1...

Page 347: ...255 255 0 SwitchB Vlan interface20 igmp enable SwitchB Vlan interface20 pim sm SwitchB Vlan interface20 undo shutdown SwitchB Vlan interface20 quit Configure OSPF SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 10 10 2 0 0 255 255 255 SwitchB ospf 1 area 0 0 0 0 network 10 10 3 0 0 255 255 255 SwitchB ospf 1 area 0 0 0 0 network 10 1 1 1 0 0 0 0 SwitchB ospf 1 area 0 0 0 0 n...

Page 348: ...Vlan interface20 and enable IGMP and PIM SM SwitchA interface Vlan interface20 SwitchA Vlan interface20 ip address 10 21 2 1 255 255 255 0 SwitchA Vlan interface20 igmp enable SwitchA Vlan interface20 pim sm SwitchA Vlan interface20 undo shutdown SwitchA Vlan interface20 quit Configure the IP address of Vlan interface10 and enable IGMP and PIM SM SwitchA interface Vlan interface10 SwitchA Vlan int...

Page 349: ...iginating rp loopback0 SwitchA msdp quit Configure C RP and BSR SwitchA pim SwitchA pim c rp loopback 10 SwitchA pim c bsr loopback 10 30 30 4 3 MSDP Integrated Networking I Networking requirement In the following network enable MSDP and configure an Anycast RP in PIM SM domain 1 establish MSDP peer relationship among RPs across PIM SM domains and use MBGP between domains For the related commands ...

Page 350: ...nterface20 Vlan interface10 PIM SM domain 4 Loopback10 10 1 1 1 Loopback0 10 25 1 1 Loopback0 10 25 1 2 Ethernet 10 25 2 0 Loopback0 10 26 1 1 Loopback0 10 28 1 1 Loopback0 10 29 1 1 Vlan interface20 Vlan interface10 SwitchI PIM SM domain 3 SwitchH PIM SM domain 2 SwitchG SwitchA PIM SM domain 1 SwitchB SwitchC SRC B SwitchD Loopback0 10 27 1 1 SRC C Ethernet 10 26 2 0 Ethernet 10 27 2 0 SwitchE L...

Page 351: ...10 25 2 3 255 255 255 0 SwitchA Vlan interface30 igmp enable SwitchA Vlan interface30 pim sm SwitchA Vlan interface30 undo shutdown SwitchA Vlan interface30 quit Configure the IP address of Vlan interface10 and enable IGMP and PIM SM SwitchA interface Vlan interface10 SwitchA Vlan interface10 ip address 10 25 3 1 255 255 255 0 SwitchA Vlan interface10 igmp enable SwitchA Vlan interface10 pim sm Sw...

Page 352: ...chA bgp af mul peer 10 28 1 1 group ex SwitchA bgp af mul peer ex next hop local SwitchA bgp af mul quit SwitchA bgp quit Configure MSDP peer Mess Group and Originating RP SwitchA msdp SwitchA msdp peer 10 28 1 1 connect interface loopback 0 SwitchA msdp peer 10 26 1 2 connect interface loopback 0 SwitchA msdp peer 10 27 1 2 connect interface loopback 0 SwitchA msdp peer 10 26 1 2 mesh group net S...

Page 353: ...mp enable SwitchE Vlan interface10 pim sm SwitchE Vlan interface10 undo shutdown SwitchE Vlan interface10 quit Configure the IP address of Vlan interface20 and enable IGMP and PIM SM SwitchE interface Vlan interface20 SwitchE Vlan interface20 ip address 10 26 3 1 255 255 255 0 SwitchE Vlan interface20 igmp enable SwitchE Vlan interface20 pim sm SwitchE Vlan interface20 undo shutdown SwitchE Vlan i...

Page 354: ...hop local SwitchE bgp af mul quit SwitchE bgp quit Configure MSDP peer Mess Group and Originating RP SwitchE msdp SwitchE msdp peer 10 29 1 1 connect interface loopback 0 SwitchE msdp static rpf peer 10 29 1 1 SwitchE msdp peer 10 25 1 1 connect interface loopback 0 SwitchE msdp peer 10 27 1 2 connect interface loopback 0 SwitchE msdp peer 10 25 1 1 mesh group net SwitchE msdp peer 10 27 1 2 mesh ...

Page 355: ...ten as BGP 4 can not only carry IPv4 unicast routing information but also the routing information of other network layer protocols such as multicast IPv6 Carrying multicast routing information is only one of the extended functions This chapter describes mainly MBGP extension for multicast MBGP enables unicast and multicast routing information to be exchanged through the same process but stored in ...

Page 356: ...utes These two attributes enables MBGP to carry multi protocol information MSGP therefore supports both unicast and multicast by constructing different topology maps to implement appropriate policies Besides MBGP may construct different inter domain routes for unicast and multicast under a same policy 31 1 3 MBGP Operating Mode and Message Type MBGP runs on a router in the following two modes z IB...

Page 357: ...Configure the interaction between MBGP and IGP z Define AS path list and routing policy z Configure MBGP route filtering z Reset BGP connections Note Only configuration tasks in IPv4 multicast sub address family view are detailed below Other tasks configured in BGP or system view are only briefed For the detailed configuration refer to the BGP Configuration and IP Routing policy sections in Routin...

Page 358: ... MBGP network ip address address mask route policy route policy name Remove the network routes to be advertised by the local MBGP undo network ip address address mask route policy route policy name By default no route is advertised by the local MBGP The network command advertises only the precisely matched route the one with prefix and mask completely conforming to the configuration If no mask is ...

Page 359: ...eived through this connection as appropriate Therefore the Keepalive message sending interval and MBGP connection Holdtime are two parameters of great importance in MBGP mechanism The configuration works both in unicast and multicast For the details of this configuration refer to BGP Configuration of the Routing Protocol part of this manual 31 2 7 Configuring MBGP Peer Group The use of MBGP peer g...

Page 360: ...ng MBGP community attributes to a peer group Please perform the following configurations in IPV4 multicast sub address family view Table 31 5 Configuring to advertise the community attributes to a peer group Operation Command Advertise the community attributes to a peer group peer group name advertise community Configure not to advertise the community attributes to a peer group undo peer group nam...

Page 361: ...the local address as the next hop when advertising routing information peer group name next hop local Remove the above configuration undo peer group name next hop local VII Specifying the routing policy for a peer group Please perform the following configurations in IPV4 multicast sub address family view Table 31 8 Specifying the routing policy for a peer group Operation Command Configure routing ...

Page 362: ...filtering policy for a peer group Operation Command Configure filteriing policy for incoming packets peer group name peer address as path acl acl number import Remove incoming policy cnfiguration undo peer group name peer address as path acl acl number import Configure routing policy for outgoing packets peer group name as path acl acl number export Remove outgoing policy cnfiguration undo peer gr...

Page 363: ... attribute policy route policy name detail suppressed origin policy route policy name suppress policy route policy name By default MBGP does not aggregate local routes 31 2 9 Configuring an MBGP Route Reflector To ensure the interconnectivity among MBGP peers it is necessary to establish fully closed network among IBGP multicast peers However some internal MBGP multicast networks are very large an...

Page 364: ...By default MBGP does not import any route of other protocols Parameter Protocol specifies the source routing protocols of import which can be direct static rip isis ospf ospf ase or ospf nssa at present 31 2 12 Defining AS Path List and Routing Policy To configure AS path list and routing polity you need to z Configure the regular expression of autonomous systems in system view The UPDATE informat...

Page 365: ... domain routing display bgp multicast routing table cidr Display the routing information about the specified MBGP community display bgp multicast routing table community aa nn no export subconfed no advertise no export whole match Display the routes permitted by the specified MBGP community list display bgp multicast routing table community list community list number whole match Display the routes...

Page 366: ...in AS200 Switch D is also in AS200 II Networking diagram Figure 31 1 Networking diagram for MBGP path selection configuration III Configuration procedure 1 Configure Switch A SwitchA vlan 20 SwitchA vlan20 port ethernet1 1 2 SwitchA vlan20 quit SwitchA interface vlan interface 20 SwitchA Vlan interface20 ip address 192 1 1 1 255 255 255 0 SwitchA Vlan interface20 quit SwitchA vlan 30 SwitchA vlan3...

Page 367: ...d set_med_100 providing two MED values for network 1 0 0 0 50 and 100 respectively SwitchA route policy set_med_50 permit node 10 SwitchA route policy if match acl 2000 SwitchA route policy apply cost 50 SwitchA route policy quit SwitchA route policy set_med_100 permit node 10 SwitchA route policy if match acl 2000 SwitchA route policy apply cost 100 z Apply the routing policy set_med_50 to the ex...

Page 368: ...1 1 1 2 group b2 SwitchB bgp ipv4 family multicast SwitchB bgp af mul peer b1 enable SwitchB bgp af mul peer b2 enable 3 Configure Switch C SwitchC vlan 30 SwitchC vlan30 port ethernet3 1 3 SwitchC vlan30 quit SwitchC interface vlan interface 30 SwitchC Vlan interface30 ip address 193 1 1 2 255 255 255 0 SwitchC Vlan interface30 quit SwitchC vlan 50 SwitchC vlan50 port ethernet3 1 5 SwitchC vlan50...

Page 369: ...ly local preference 200 SwitchC route policy quit SwitchC route policy localpref permit node 20 SwitchC route policy apply local preference 100 z Apply this routing policy to the inbound traffic from BGP neighbor 193 1 1 1 Switch A SwitchC bgp 200 SwitchC bgp ipv4 family multicast SwitchC bgp af mul peer 193 1 1 1 route policy localpref import 4 Configure Switch D SwitchD vlan 40 SwitchD vlan40 po...

Page 370: ...hD ospf 1 quit SwitchD bgp 200 SwitchD bgp undo synchronization SwitchD bgp group d1 internal SwitchD bgp peer 194 1 1 2 group d1 SwitchD bgp peer 195 1 1 2 group d1 SwitchD bgp ipv4 family multicast SwitchD bgp af mul peer d1 enable To make the configuration effective you need to use the reset bgp all command on all MBGP neighbors ...

Page 371: ...classification rules in QoS An ACL rule can include many sub rules which may be defined for packets within different address ranges Matching order is involved in matching an ACL I ACLs being activated directly on hardware ACLs can be delivered to hardware for traffic filtering and classification The cases when ACLs are sent directly to hardware include referencing ACLs to provide for QoS functions...

Page 372: ... source addresses are equal then the port IDs if the wildcards of destination addresses are still equal Follow config order if port IDs are also equal Note The user defined ACL matching order takes effect only when multiple rules of one ACL are applied at the same time For example an ACL has two rules If the two rules are not applied simultaneously even if you configure the matching order to be de...

Page 373: ...XENPAK Advanced 2 port 10GBASE X XFP Advanced 24 port 1000BASE X SFP Advanced 24 port 10 100 1000BASE T RJ45 Advanced 48 port 10 100 1000BASE T RJ45 Access 1012 1 port 10GBASE X XENPAK 2 port 10GBASE X XFP 4 port 10GBASE X XFP 12 port 1000BASE X SFP 24 port 1000BASE X SFP 24 port 10 100 1000BASE T RJ45 48 port 10 100 1000BASE T RJ45 1024 or 2048 ACL rules are based on the number of Packet Processo...

Page 374: ...flow template has been previously defined 8 Activate the ACL SW8800 Ethernet5 1 1 packet filter inbound Required 32 2 1 Configuring Time Range You may set such items in time range configuration The defined time range includes absolute time range and period time range The absolute time range is in the form of hh mm YYYY MM DD the period time range is in the format of hh mm day Perform the following...

Page 375: ...pecified the time range is 24 hours 0 00 to 24 00 If no end date is specified the time range is from the date of configuration till the largest date available in the system Currently the largest time range is 1970 01 01 to 2100 12 31 in the system 32 2 2 Defining and Applying Flow Template I Defining Flow Template Flow template defines useful information used in flow classification For example a t...

Page 376: ...in IP packet header 1 byte sip Source IP field in IP packet header 4 bytes smac MAC field in Ethernet packet header 6 bytes sport Source port field 2 bytes tcp flag Flag field in TCP packet header 1 byte vlanid Vlan ID of the packet 2 bytes c tag cos 802 1p priority in the Internal 802 1Q tag internal tag of QinQ tag in tag application 2 bytes c tag vlanid Vlan ID in the internal 802 1Q tag intern...

Page 377: ...cannot modify or delete the default flow template II Applying Flow Template Perform the following configurations in Ethernet port view or port group view to apply the user defined flow template to current port or current port group Table 32 7 Apply flow template Operation Command Apply the user defined flow template flow template user defined Cancel the applied flow template undo flow template use...

Page 378: ...s packets according to the source IP addresses Perform the following configurations in the specified views Table 32 8 Define basic ACL Operation Command Enter basic ACL view system view acl number acl number name acl name basic match order config auto Define an ACL rule basic ACL view rule rule id permit deny source source addr wildcard any fragment time range name vpn instance instance name Delet...

Page 379: ...ort2 parameters in the command should be TCP UDP ports for advanced applications For some common ports you can use mnemonic symbols to replace numbers For example you can use bgp to represent TCP port 179 which is for BGP protocol III Defining L2 ACLs L2 ACLs define the Layer 2 information such as source and destination MAC addresses source VLAN ID and L2 protocol type in their rules and process p...

Page 380: ...packet filter inbound ip group acl number acl name rule rule link group acl number acl name rule rule link group acl number acl name rule rule Activate link group ACL packet filter inbound link group acl number acl name rule rule system index index Deactivate link group ACL undo packet filter inbound link group acl number acl name rule rule system index index here is the system index for an ACL ru...

Page 381: ...traffic statistic commands to view the ACL matching information during data forwarding See the corresponding Command Manual for description of parameters 32 4 ACL Configuration Example 32 4 1 Advanced ACL Configuration Example I Network requirements The departments in the intranet are connected through 100 Mbps ports of the switches The research and development R D department is connected through ...

Page 382: ...the wage server SW8800 acl adv traffic of payserver rule 1 deny ip source any destination 129 110 1 2 0 0 0 0 time range 3Com 3 Activate the ACL Activate the ACL traffic of payserver SW8800 Ethernet2 1 1 packet filter inbound ip group traffic of payserver 32 4 2 Basic ACL Configuration Example I Network requirements With proper basic ACL configuration during the time range from 8 00 to 18 00 every...

Page 383: ...c of host rule 1 deny source 10 1 1 1 0 time range 3Com 3 Activate the ACL Activate the ACL traffic of host SW8800 Ethernet2 1 1 packet filter inbound ip group traffic of host 32 4 3 L2 ACL Configuration Example I Network requirements With proper L2 ACL configuration during the time range from 8 00 to 18 00 everyday the switch filters the packets with source MAC 00e0 fc01 0101 and destination MAC ...

Page 384: ...ic of link and enter it SW8800 acl name traffic of link link Define ACL rule for the traffic with source MAC 00e0 fc01 0101 and destination MAC 00e0 fc01 0303 SW8800 acl link traffic of link rule 1 deny ingress 00e0 fc01 0101 0 0 0 egress 00e0 fc01 0303 0 0 0 time range 3Com SW8800 acl link traffic of link quit 4 Apply the user defined flow template to the port and activate the ACL Apply the user ...

Page 385: ... those which are sensitive to delay and jitter The following terms are involved in QoS I Flow It refers to all packets passing thought the switch II Traffic classification Traffic classification is the technology that identifies the packets with a specified attribute according to a specific rule Classification rule refers to a packet filtering rule configured by an administrator A classification r...

Page 386: ...rent QoS models The following describes IP priority ToS priority DCSP priority Exp priority and 802 1p priority 1 IP priority ToS priority DSCP priority and Exp priority Figure 33 1 DS field and ToS byte As shown in Figure 33 1 the ToS field in the IP header contains 8 bits The first three bits represent IP priority in the range of 0 to 7 bits 3 6 stand for ToS priority in the range of 0 to 15 RFC...

Page 387: ...ntents of 802 1Q tag header are shown in Figure 33 3 Figure 33 3 802 1Q tag header In the figure the priority field in TCI stands for 802 1p priority which consists of three bits There are eight priority levels numbered as 0 to 7 for determining to send which packets first when switch congestion takes place Since their applications are defined in detail in the 802 1p Recommendation they are named ...

Page 388: ...h priority queue and non key service packets into low priority queue does ensure that key service packets are sent first while non key service packets are sent during the interval when no key service packets needs to be processed SP algorithm also has its disadvantages If high priority queues always have packets for a long period then the packets in low queues may die of hunger for being processed...

Page 389: ...o configure QACL for a port group on the Switch 8800 you only need to create a port group and configure QACL for the group Then the configuration becomes valid for all members in the group This group based QACL configuration saves you from configuring QACL for individual ports After this configuration the QACL configuration of each member port remains consistent forever 33 2 1 Group Based QoS Conf...

Page 390: ...nal Refer to section 33 3 3 Configuring Traffic Shaping Configure traffic priority traffic priority inbound Optional Refer to section 33 3 4 Configuring Traffic Priority Configure traffic redirection traffic redirect inbound Optional Refer to section 33 3 5 Configuring Traffic Redirection Configure queue scheduling algorithm queue scheduler wrr group1 queue id queue weight 1 8 group2 queue id queu...

Page 391: ...uration is applied again when new ports are added For the XP4 board the system creates two port groups by default One group contains ports 0 and 1 and the other contains ports 2 and 3 Their group numbers are 300 2 x slot no and 300 2 x slot no 1 slot no is the slot where the XP4 board locates respectively which are automatically assigned by the system For example when the XP4 board locates in slot...

Page 392: ...e traffic from PC1 Create a number based basic ACL 2000 and enter it SW8800 acl number 2000 Define ACL rule for the traffic from PC1 SW8800 acl basic 2000 rule 0 permit source 1 0 0 1 0 time range 3Com SW8800 acl basic 2000 quit 3 Create a port group Create port group 1 and enter the port group view SW8800 port group 1 Add the ports GE7 1 1and GE7 1 2 to port group 1 SW8800 port group1 port Gigabi...

Page 393: ...rity local precedence and drop precedence Drop precedence One of service parameters ranging from 0 to 2 Drop precedence is allocated when the switch receives the packet and may be when the packet is processed Allocating drop precedence to the packet is also called coloring the packet the packet with drop precedence 2 as red that with drop precedence 1 as yellow and that with drop precedence 0 as g...

Page 394: ...dence mapping table I Configuring mapping table Perform the following configurations in system view Table 33 3 Configure mapping tables Operation Command Configure the CoS Drop precedence mapping table qos cos drop precedence map cos0 map drop prec cos1 map drop prec cos2 map drop prec cos3 map drop prec cos4 map drop prec cos5 map drop prec cos6 map drop prec cos7 map drop prec Restore the defaul...

Page 395: ...u should configure these three mapping tables or use their default values I Configuring mapping tables Perform the following configurations in the specified views Table 33 5 Configure mapping table Operation Command Enter conform level view System view qos conform level conform level value Configure the DSCP Conform Level Service parameters mapping table conform level view dscp dscp list dscp valu...

Page 396: ...rop Remove traffic policing setting which only applies IP group ACL undo traffic limit inbound ip group acl number acl name rule rule Configure traffic policing which applies IP group ACL and link group ACL at same time traffic limit inbound ip group acl number acl name rule rule link group acl number acl name rule rule system index index link group acl number acl name rule rule tc index index cir...

Page 397: ...ndex here is the system index for an ACL rule When delivering a rule the system assigns an index to it for convenience of later retrieval You can also assign a system index for it when delivering an ACL rule with this command However you are not recommended to assign a system index if not urgently necessary tc index index here is traffic policing index in the range of 0 to 12288 If you configure t...

Page 398: ...earching the mapping table based on the packet DSCP value re allocating service parameters by searching the mapping table based on the specified DSCP value and EXP value customizing service parameters for the packets For interface cards perform the following configurations in Ethernet port view or port group view Table 33 8 Configure traffic priority Operation Command Configure traffic priority wh...

Page 399: ... system index for an ACL rule When delivering a rule the system assigns an index to it for convenience of later retrieval You can also assign a system index for it when delivering an ACL rule with this command However you are not recommended to assign a system index if not urgently necessary Note z For MPLS packets other than that the dscp value stands for their DSCP priority value the three low o...

Page 400: ...roup acl number acl name rule rule link group acl number acl name rule rule or undo traffic redirect inbound link group acl number acl name rule rule ip group acl number acl name ip group acl number acl name rule rule Configure traffic redirection which only applies link group ACL traffic redirect inbound link group acl number acl name rule rule system index index cpu interface interface name inte...

Page 401: ... WRR groups use WRR algorithm The select one queue respectively from SP group WRR group 1 and WRR group 2 and schedule them using SP algorithm Perform the following configurations in Ethernet port view or port group view Table 33 10 Configure queue scheduling Operation Command Configuring queue scheduling queue scheduler wrr group1 queue id queue weight 1 8 group2 queue id queue weight 1 8 Restore...

Page 402: ...reshold red min threshold green max threshold yellow max threshold red max threshold green max prob yellow max prob red max prob and exponent Red yellow and green packets respectively refer to those with drop precedence levels 2 1 and 0 Perform the following configurations in the specified views Table 33 11 Configure WRED parameters Operation Command Enter WRED index view system view wred wred ind...

Page 403: ...ve traffic mirroring setting which only applies IP group ACL undo mirrored to inbound ip group acl number acl name rule rule Configure traffic mirroring which applies IP group ACL and link group ACL at same time mirrored to inbound ip group acl number acl name rule rule link group acl number acl name rule rule system index index link group acl number acl name rule rule cpu Remove traffic mirroring...

Page 404: ... undo mirroring group groupId You can implement port mirroring configuration by setting mirroring groups at the port Up to 20 mirroring groups can be configured at a port with each group including one monitoring port and multiple monitored ports Note The Switch 8800 supports cross board mirroring that is the monitoring and monitored ports can be at different boards Consider these issues when confi...

Page 405: ...owed on the same GV48 board For the XP4 board the system creates two port groups by default One group contains ports 0 and 1 and the other contains ports 2 and 3 Pay attention to the following limitation on port mirroring z Port mirroring across groups are not supported That is in a port monitoring group the monitoring port and monitored port can only be ports 0 and 1 or ports 2 and 3 z A port gro...

Page 406: ...y necessary See the corresponding Command Manual for details of the commands 33 3 11 Displaying and Debugging QoS Configuration After these configurations are completed you can use the display command in any view to view QoS running and check configuration result You can clear QoS statistics using the reset traffic statistic command in Ethernet port view or port group view Table 33 16 Display and ...

Page 407: ...fic limit Display traffic direction configuration of a VLAN display qos vlan vlan id traffic redirect Display traffic statistics of a VLAN display qos vlan vlan id traffic statistic Display the DSCP Conform level Service parameter EXP Conform level Service parameter and Local precedence Conform level 802 1p priority mapping tables display qos conform level conform level value dscp policed service ...

Page 408: ...N3 2 0 0 1 8 PC1 PC2 Figure 33 6 Network diagram for QoS configuration III Configuration procedure 1 Enter Ethernet port view SW8800 interface GigabitEthernet 7 1 8 SW8800 GigabitEthernet7 1 8 2 Set traffic shaping for the outbound queue 2 at the port maximum rate 500 Kbps burst size 12 KB SW8800 GigabitEthernet7 1 8 traffic shape queue 2 500 12 33 4 2 Port Mirroring Configuration Example I Networ...

Page 409: ...und gigabitethernet3 1 1 gigabitethernet3 1 2 mirrored to gigabitethernet3 1 8 SW8800 mirroring group 2 outbound gigabitethernet3 1 1 gigabitethernet3 1 2 mirrored to gigabitethernet3 1 8 33 4 3 Traffic Priority Configuration Example I Network requirements Re allocate service parameters according to the mapping table for DSCP 63 for the packets from PC1 IP 1 0 0 1 during the time range 8 00 to 18 ...

Page 410: ... Level mapping table Table 33 17 Modified CoS Conform Level mapping table CoS Value Drop precedence 0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 4 Define the DSCP Conform Level Service parameter mapping table Define the DSCP Conform Level Service parameter mapping table Allocate a set of service parameters for the packets from PC1 according the mapping table for DSCP 63 SW8800 qos conform level 0 SW8800 confor...

Page 411: ... 0 1 8 PC1 PC2 GE7 1 8 GE7 1 1 GE7 1 2 VLAN2 1 0 0 1 8 VLAN3 2 0 0 1 8 PC1 PC2 Figure 33 9 Network diagram for traffic redirection configuration III Configuration procedure 1 Define the time range Define the time range from 8 00 to 18 00 SW8800 time range 3Com 8 00 to 18 00 daily 2 Define the traffic from PC1 Create a number based basic ACL 2000 and enter it SW8800 acl number 2000 Define ACL rule ...

Page 412: ...espectively as 20 20 and 30 set the queues 3 4 and 5 into WRR queue 2 with weight respectively as 20 20 and 40 The queues 6 and 7 use SP algorithm See Queue Scheduling for the default mapping Table 33 19 802 1p priority Local precedence mapping table 802 1p priority Local precedence 0 7 1 6 2 5 3 4 4 3 5 2 6 1 7 0 II Network diagram GE7 1 8 GE7 1 1 GE7 1 2 VLAN2 1 0 0 1 8 VLAN3 2 0 0 1 8 PC1 PC2 G...

Page 413: ... wrr group1 30 3 wrr group2 20 4 wrr group2 20 5 wrr group2 40 6 sp 0 7 sp 0 33 4 6 WRED Parameters Configuration Example I Network requirements Set WRED parameters and drop algorithm for packets at the port GE7 1 1 Configure parameters for WRED 0 outbound queue ID is 7 green min threshold is 150 green max threshold is 500 green max prob is 5 yellow min threshold is 100 yellow max threshold is 150...

Page 414: ... 1 and that of PC2 is 2 0 0 1 The switch is up linked through the port GE7 1 8 Count the packets sent from the switch to PC1 during the time range from 8 00 to 18 00 every day II Network diagram GE7 1 8 GE7 1 1 GE7 1 2 VLAN2 1 0 0 1 8 VLAN3 2 0 0 1 8 PC1 PC2 GE7 1 8 GE7 1 1 GE7 1 2 VLAN2 1 0 0 1 8 VLAN3 2 0 0 1 8 PC1 PC2 Figure 33 12 Network diagram for traffic statistics configuration III Configu...

Page 415: ...igabitEthernet7 1 1 traffic statistic inbound ip group 2000 rule 0 SW8800 display qos interface GigabitEthernet7 1 1 traffic statistic GigabitEthernet7 1 1 traffic statistic Inbound Matches Acl 2000 rule 0 running 12002688 bytes green 1270244416 byte s yellow 1895874880 byte s red 704683968 byte s 3333270 packets green 0 byte s yellow 0 byte s red 0 byte s ...

Page 416: ... only if he can pass the password authentication This chapter mainly introduces how to configure the first level security control over these access measures that is how to configure to filter the logon users with ACL For detailed description about how to configure the first level security refer to getting started module of Operation Manual 34 2 Configuring ACL for Telnet Users This configuration c...

Page 417: ...pn instance instance name Delete a sub rule advanced ACL view undo rule rule id source destination source port destination port icmp type precedence tos dscp fragment time range vpn instance Delete an ACL or all ACLs system view undo acl number acl number name acl name all You can define multiple rules for an ACL by using the rule command several times 34 2 2 Importing ACL You can import a defined...

Page 418: ...ic 2000 rule 2 permit source 10 110 100 46 0 SW8800 acl basic 2000 rule 3 deny source any SW8800 acl basic 2000 quit Import the ACL SW8800 user interface vty 0 4 SW8800 user interface vty0 4 acl 2000 inbound 34 3 Configuring ACL for SNMP Users The Switch 8800 supports remote network management NM and the user can use SNMP to access them Proper ACL configuration can prevent illegal users from loggi...

Page 419: ...ite view write view notify view notify view acl acl number Import the defined ACL into the commands with SNMP username configured snmp agent usm user v1 v2c user name group name acl acl number snmp agent usm user v3 user name group name authentication mode md5 sha auth password privacy mode des56 priv password acl acl number SNMP community is one of the features of SNMP v1 and SNMP v2 so you impor...

Page 420: ...nfiguration for SNMP users III Configuration procedure Define a basic ACL SW8800 acl number 2000 match order config SW8800 acl baisc 2000 rule 1 permit source 10 110 100 52 0 SW8800 acl baisc 2000 rule 2 permit source 10 110 100 46 0 SW8800 acl basic 2000 rule 3 deny source any SW8800 acl baisc 2000 quit Import the ACL SW8800 snmp agent community read 3Com acl 2000 SW8800 snmp agent group v3 3Comg...

Page 421: ...p procedures with IP MPLS brings together the advantages of the connectionless control with IP and the connection oriented forwarding with ATM In addition to the support from IP routing and control protocols its powerful and flexible routing functions allows it to accommodate to various emerging applications MPLS was initially proposed to accelerate the packet forwarding on routers but it has been...

Page 422: ...rchical label structure namely multi layer label Value 1 refers to the label of bottom layer TTL eight bits with the same meaning as TTL in IP packet III Label operations 1 Label mapping There are two types of label mapping label mapping at ingress routers and label mapping in MPLS domain The first type of mapping is implemented at ingress label switching routers LSR The ingress LSRs group the inc...

Page 423: ...d by the downstream LSR and the assigned label is distributed from downstream to upstream Two label distribution modes are available in MPLS downstream unsolicited DU mode and downstream on demand DoD mode z For a specific FEC if LSR originates label assignment and distribution even without receiving label request message from upstream it is in DU mode z For a specific FEC if LSR begins label assi...

Page 424: ... and Ru saves this binding then it is the liberal label retention And if Ru discards this binding then it is the conservative label retention mode In case it is required that LSR is capable of adapting route variation rapidly you can use the liberal label retention mode In case it is required that a few labels are saved in LSR you can use the conservative label retention mode Note Currently the Sw...

Page 425: ... LSR Ingress Egress MPLS edge router LER Figure 35 3 MPLS basic principle 35 3 2 Forwarding Labeled Packets At the ingress the packets entering the network are classified into FECs according to their characteristics Usually packets are classified into FECs according to the IP address prefix or host address Packets in the same FEC pass through the same path that is LSP in MPLS area LSR assigns a sh...

Page 426: ...e router LSR Ingress Egress LDP session LSP2 Label request message Label map message A B C D E F G H MPLS edge router LER LSP1 MPLS core router LSR Ingress Egress LDP session LSP2 Label request message Label map message A B C D E F G H Figure 35 4 Label distribution process For the label distribution mentioned previously there are two modes DoD and DU The main difference between these two modes is...

Page 427: ...ocess for establishing LSP is terminated The path vector method refers to that the path information is recorded in the message bound with the forwarding label and for every hop the corresponding router checks if its ID is contained in this record If not the router adds its ID into the record and if yes it indicates that a loop presents and the process for establishing LSP is terminated 35 3 4 LSP ...

Page 428: ...out in the label stack and MPLS processes the labels beginning from the top of the stack If the depth of the label stack for a packet is m it indicates that the label at the bottom of that stack is level 1 label and the label at the top of the stack is level m label A packet with no label can be regarded as a packet with empty label stack that is the depth of its label stack is 0 35 4 MPLS and oth...

Page 429: ...basic structure of MPLS based VPN is shown in Figure 35 6 CE is the customer edge device and it may either be a router or a switch or perhaps a host PE is a service provider edge router which is located on the backbone network PE is responsible for the management of VPN customers establishing LSP connection between various PEs route allocation among different branches of the same VPN customer Usua...

Page 430: ... or enable some special functions for example manually creating LSP or explicit route you can configure according to the methods in configuration list For some complicated functions configuration combination may be required 36 2 MPLS Configuration The following sections describe the required configuration tasks for MPLS basic capability z Defining MPLS LSR ID z Enabling MPLS and Entering MPLS View...

Page 431: ... view system view Enable MPLS on a VLAN interface VLAN interface view mpls Disable MPLS globally or on a VLAN interface system or VLAN interface view undo mpls By default MPLS is not enabled 36 2 3 Configuring the Topology Driven LSP Setup Policy It refers to specifying filtering policy as all or ip prefix Perform the following configuration in MPLS view Table 36 3 Configure the topology driven LS...

Page 432: ... node along the specified LSP static lsp transit lsp name l2vpn incoming interface interface type interface num in label in label value nexthop next hop addr out label out label value Cancel the intermediate node setting of the specified LSP undo static lsp transit lsp name Set the current LSR to the egress node of the specified LSP static lsp egress lsp name l2vpn incoming interface interface typ...

Page 433: ... deleted So you must use this command with cautiously Perform the following configuration in the interface view Table 36 6 Enable disable LDP on interface Operation Command Enable LDP function on interface mpls ldp enable Disable LDP function on interface mpls ldp disable By default the interface LDP function is disabled 36 3 3 Configuring Remote Peer for Extended Discovery Mode The remote peer co...

Page 434: ...4 Configuring session parameters I Configuring session hold time The LDP entity on the interface sends Hello packets periodically to find out LDP peer and the established sessions must also maintain their existence by periodic message if there is no LDP message then Keepalive message must be sent Note There are two types of LDP sessions basic and remote Basic session can be established only on two...

Page 435: ... holdtime is 45 seconds and the interval is 13 seconds II Configuring hello transport address The transport address discussed here refers to the address carried in the transport address TLV in hello messages Generally you can configure the transport address to the MPLS LSR ID of the current LSR but you can also configure the transport address to other address flexibly as required by some applicati...

Page 436: ...s ID into the record and if yes it indicates that a loop presents and the process for establishing LSP is terminated When this method is used if the defined maximum value is exceeded it is considered that a loop happens and the LSP establishment fails Perform the following configuration in the system view Table 36 12 Enable loop detection Operation Command Enable loop detection mpls ldp loop detec...

Page 437: ... count in path vector mode undo mpls ldp path vectors The maximum hop count defaults to 32 36 3 6 Configuring LDP Authentication Mode Between Every Two Routers Perform the following configuration in VLAN interface view or remote peer view Table 36 15 Configure LDP authentication mode Operation Command Configure LDP authentication Mode mpls ldp password cipher simple password Remove LDP authenticat...

Page 438: ...splaying LSP Execute the following commands in any view to display the information related to MPLS LSP Table 36 18 Display the information about MPLS LSP Operation Command Display the information about MPLS LSP display mpls lsp include text verbose IV Debugging MPLS You may execute the debugging command in user view to debug the information concerning all interfaces with MPLS function enabled As e...

Page 439: ...undant MPLS monitoring commands for monitoring states of LSRs LDP sessions interfaces and peers These commands are the powerful debugging and diagnosing tools After accomplishing the configuration tasks described earlier you can execute the display command in any view to view the running state of LDP and thus to evaluate the effect of the configurations Table 36 21 Display LDP Operation Command Di...

Page 440: ...essing LDP advertisements session Displays debugging information in processing LDP session pdu Displays debugging information in processing PDU packets notification Displays debugging information in processing notifications remote Displays debugging information about all remote peers interface type Interface num Port type and port ID Use the mpls ldp reset session command in VLAN interface to rese...

Page 441: ...DP SW8800 mpls lsr id 168 1 1 1 SW8800 mpls SW8800 mpls quit SW8800 mpls ldp Configure IP address and enable MPLS and LDP for VLAN interface 201 SW8800 vlan 201 SW8800 vlan201 port gigabitethernet 2 1 1 SW8800 vlan201 quit SW8800 interface Vlan interface 201 SW8800 Vlan interface201 ip address 168 1 1 1 255 255 0 0 SW8800 Vlan interface201 mpls SW8800 Vlan interface201 mpls ldp enable SW8800 Vlan ...

Page 442: ... 1 1 255 255 0 0 SW8800 Vlan interface203 mpls SW8800 Vlan interface203 mpls ldp enable SW8800 Vlan interface203 mpls ldp transport ip interface Configure IP address and enable MPLS and LDP for VLAN interface 202 SW8800 vlan 202 SW8800 vlan202 port gigabitethernet 2 1 2 SW8800 vlan202 quit SW8800 interface Vlan interface 202 SW8800 Vlan interface202 ip address 100 10 1 2 255 255 255 0 SW8800 Vlan ...

Page 443: ...connecting Switch C with Switch B SW8800 Router id 100 10 1 1 SW8800 ospf SW8800 ospf 1 area 0 SW8800 ospf 1 area 0 0 0 0 network 100 10 1 0 0 0 0 255 4 Configure Switch D Configure LSR ID and enable MPLS and LDP SW8800 mpls lsr id 172 17 1 2 SW8800 mpls SW8800 mpls quit SW8800 mpls ldp Configure IP address and enable MPLS and LDP for VLAN interface 203 SW8800 vlan 203 SW8800 vlan203 port gigabite...

Page 444: ...t at the two ends Solution Check loop detection configuration at both ends to see if one end is configured while the other end is not this will result in session negotiation failure Cause 2 Local machine cannot get the route to peer LSR ID so TCP connection cannot be set up and session cannot be established Solution The default address for session transfer is MPLS LSR ID The local machine should i...

Page 445: ...ce providers can implement the IP based VPN services easily and enable their networks to meet the expansibility and manageability requirement for VPN The VPN constructed by using MPLS also provides the possibility for the implementation of value added service Multiple VPNs can be formed from a single access point and each VPN represents a different service making the network able to transmit servi...

Page 446: ...E PE P PE P P PE PE site 1 CE site 2 CE VPN1 site 3 CE VPN2 site 1 VPN1 CE site 2 VPN 2 CE PE P PE P P PE PE Backbone network of the service provider site 1 CE site 2 CE VPN1 site 3 CE VPN2 Figure 37 1 MPLS VPN model As shown in Figure 37 1 MPLS VPN model contains three parts CE PE and P z CE Customer Edge device It is a composing part of the customer network which is usually connected with the se...

Page 447: ...LS VPN implementation each site corresponds to a specific vpn instance on PE their association is implemented by binding vpn instance to the VALN interface If subscribers on one site belong to multiple VPNs then the corresponding vpn instance includes information about all these VPNs Specifically such information should be included in vpn instance label forwarding table IP routing table the interf...

Page 448: ...tiate routes When the RD is 0 a VPN IPv4 address is just a IPv4 address in general sense The route received by PE from CE is the IPv4 route that needs to be redistributed into vpn instance routing table and in this case a RD needs to be added It is recommended that the same RD be configured for all routes from the same user site IV VPN Target attribute VPN Target attribute is one of the MBGP exten...

Page 449: ...owing are introductions to BGP MPLS implementation from two aspects advertising VPN routing information and forwarding VPN packets I Advertising VPN routing information Routing information exchange has the following four types 1 Between CE and PE A PE router can learn routing information about the CE connected to it through static route RIP supporting multi instance OSPF supporting multi instance ...

Page 450: ...om the designated interface to the designated CE or site by searching for the target MPLS forwarding table according to the labels contained Exterior layer label known as LSP initialization label distributed by MPLS LDP is at the top of the label stack and indicates an LSP from the ingress PE to egress PE By the switching of exterior layer label VPN packets can be forwarded along the LSP to the pe...

Page 451: ...te the following tasks z Configuring IGP on the MPLS backbone network including provider PE and P routers to implement the IP connectivity on the backbone network z Configuring basic MPLS capability on the MPLS backbone network z Configuring MPLS LDP and setting up LDP LSP on the MPLS backbone network z Configuring BGP on the MPLS backbone network create EBGP peers between provider PEs z Configuri...

Page 452: ...1 UPE Upper VPN Lower VPN MPLS backbone network MPLS骨干网 PE PE SPE UPE CE CE CE CE VPN1 Site1 VPN2 Site1 VPN1 Site1 VPN2 Site1 UPE PE PE SPE UPE CE CE CE CE VPN1 Site1 VPN2 Site1 VPN1 Site1 VPN2 Site1 UPE MPLS骨干网 PE PE SPE UPE CE CE CE CE VPN1 Site1 VPN2 Site1 VPN1 Site1 VPN2 Site1 UPE PE PE SPE UPE CE CE CE CE VPN1 Site1 VPN2 Site1 VPN1 Site1 VPN2 Site1 UPE MPLS骨干网 PE PE SPE UPE CE CE CE CE VPN1 S...

Page 453: ... VPN RED OSPF 200 VPN GREEN Area 1 MPLS VPN Backbone VPN RED Site1 OSPF Area0 VPN G R EEN Si t e1 O SPF Ar ea1 VPN G R EEN Si t e2 O SPF Ar ea2 VPN R ED Si t e2 O SPF Ar ea1 Area 2 OSPF 100 VPN GREEN Area 0 OSPF 100 VPN RED OSPF 200 VPN GREEN Area 1 CE11 CE12 CE31 CE21 CE22 PE1 PE2 PE3 Area 0 OSPF 100 VPN RED OSPF 200 VPN GREEN Area 1 Figure 37 6 OSPF multi instance application in MPLS BGP VPN PE ...

Page 454: ...gical or physical link with IP capabilities from PE to PE advertise and update VPN network information I CE router The configuration on CE is relative simple Only static route RIP OSPF or EBGP configuration is needed for VPN routing information exchange with the PE connected MPLS configuration is not needed II PE router The configuration on PE is relative complex After the configuration the PE imp...

Page 455: ... a static route II Configuring RIP If you select RIP mode for CE PE route switching you should then configure RIP on CE For detailed RIP configuration steps see the RIP section in this guide III Configuring OSPF If you select OSPF mode for CE PE route switching you should then configure OSPF on CE For configuring OSPF see the routing protocol section of this guide You must configure OSPF multi ins...

Page 456: ...eate a vpn instance and enter vpn instance view ip vpn instance vpn instance name Delete a vpn instance undo ip vpn instance vpn instance name By default no vpn instance is defined 2 Configure RD for the vpn instance After PE router is configured with RD when a VPN route learned from CE is imported into BGP BGP attaches the RD in front of the IPv4 address Then the general IPv4 address which may ov...

Page 457: ...tcommunity in VPN target defines the acceptable route range and import it z VPN instance modifies VPN target attributes for the routes to be advertised according to the export extcommunity in VPN target Like an RD an extension community includes an ASN plus an arbitrary number or an IP address plus an arbitrary number There are two types of formats The first one is related to autonomous system num...

Page 458: ... number limitation undo routing table limit Integer is in the range of 1 to 65536 and alarm integer is in the range of 1 to 100 Note Changing the maximum route limit for VPN instance will not affect the existing routing table To make the new configuration take effect immediately you should rebuild the corresponding routing protocol or perform shutdown undo shutdown operation on the corresponding i...

Page 459: ...ce fragment time range z Add Ethernet ports on the B card into a VLAN Perform the following configuration in VLAN view Table 37 10 Add Ethernet ports into a VLAN Operation Command Add one or a group of ports into a VLAN port interface_list Remove one or a group of ports from a VLAN undo port interface_list z Configure virtual interfaces for the above mentioned VLAN Perform the following configurat...

Page 460: ...irect connect site through interface binding When the packets from the site reach the PE router though the interface bound then the PE can look routing information including next hop label egress interface and so on up in the corresponding vpn instance This command can associate a vpn instance with an interface Perform the following configuration in VLAN interface view Table 37 13 Associate interf...

Page 461: ...an also specify another preference for the static route you are configuring 2 Configure RIP multi instance If you select RIP mode for CE PE route switching you should then specify running environment for RIP instance on PE With this command you can enter RIP view and import and advertise RIP instance in the view Perform the following configuration in the RIP view Table 37 15 Configure PE CE RIP in...

Page 462: ...N instance while one VPN instance may contain multiple OSPF procedures By default an OSPF procedure belongs to public network Step 2 Configure domain ID The domain ID is used to identify an OSPF autonomous system AS and the same OSPF domain must have the same domain ID One process can be configured with only one domain ID different processes can be configured with the same domain ID or different d...

Page 463: ...ted VPN route route tag tag number Return to the default value undo route tag tag number is used to identify tag value by default the first two bytes are fixed that is 0xD000 and the last two bytes is AS number of local BGP For example the AS number of local BGP is 100 and then its default tag value is 3489661028 in decimal notation This value is an integer ranging from 0 to 4294967295 Step 4 Conf...

Page 464: ...y view Table 37 20 Configure peer group Operation Command Configure a peer group group group name internal external Delete the specified peer group undo group group name By default the peer group is configured as internal When BGP mode is used for PE CE route switching they often belong to different ASs so you should configure EBGP peer as external Step 2 Configure AS number for a specific neighbo...

Page 465: ...ic route in VPN instance address family sub view of MBGP import route static If RIP is run between PE and CE PE must import an RIP route in VPN instance view of MBGP import route rip If BGP is run between PE and CE MBGP imports a direct connect route Perform the following configuration in VPN instance address family sub view Table 37 23 Import IGP route Operation Command Import IGP route import ro...

Page 466: ...oop peer group name peer address allow as loop asn_limit Configure to disable routing loop undo peer group name peer address allow as loop asn_limit By default the received route update information is not allowed to generate loop information Step 7 Configure BGP features IV Configuring PE PE route exchanging To exchange VPN IPv4 routing information between PEs you should configure MP IBGP on PEs P...

Page 467: ...nfigure MP IBGP Step 1 Enter protocol address family view Perform the following configuration in BGP view Table 37 27 Configure VPNv4 address family Operation Command Enter VPNv4 sub address family view ipv4 family vpnv4 unicast Delete VPNv4 sub address family view configuration undo ipv4 family vpnv4 unicast Step 2 Configure MBGP neighbor Configure internal neighbor of MBGP in VPNv4 sub address f...

Page 468: ...peer address group name next hop localpeer peer address group name next hop local Remove the configuration undo peer peer address group name next hop local Step 5 Transfer BGP update packet without AS number optional Perform the following configuration in VPNv4 sub address family view Table 37 31 Transfer BGP update packet without AS number Operation Command Transfer BGP update packet without AS n...

Page 469: ...k and coordinate with PE in creating LSPs These configurations are required on P router Step 1 Configure MPLS basic capacity and enable LDP on the interfaces connecting P router to PE router for forwarding MPLS packets See Chapter 36 MPLS Basic Capability Configuration Step 2 Enable OSPF protocol at the interfaces connecting P router to PE router and import direct connect routes See OSPF part in R...

Page 470: ...e related information including its RD description the interfaces associated with it and so on You can view the information to verify the configuration effect Table 37 36 Display vpn instance related information Operation Command Display the vpn instance related information including its RD description the interfaces associated with it and so on display ip vpn instance vpn instance name verbose IV...

Page 471: ...splay sham link display ospf process id sham link 37 4 Typical BGP MPLS VPN Configuration Example 37 4 1 Integrated BGP MPLS VPN Configuration Example I Network requirements z VPN A includes CE1 and CE3 VPN B includes CE2 and CE4 z Subscribers in different VPNs cannot access each other The VPN target attribute for VPN A is 111 1 and that for VPN B is 222 2 z The PEs and P are switches supporting M...

Page 472: ...6 VLAN201 172 2 1 1 16 VLAN201 172 4 1 1 16 VLAN304 VLAN303 VLAN201 172 3 1 1 16 AS 100 PE2 RD 100 2 PE4 RD 100 4 PE3 RD 100 3 Loopback0 202 100 1 1 32 Loopback0 202 100 1 3 32 Loopback0 202 100 1 2 32 Loopback0 202 100 1 4 32 VLAN201 168 4 1 1 16 VLAN201 168 2 1 1 16 VLAN202 168 4 1 2 16 VLAN202 168 2 1 2 16 AS 65440 VPN B CE4 PE1 RD 100 1 P VPN A CE3 VLAN202 168 3 1 2 16 VLAN302 Figure 37 8 Netw...

Page 473: ...oup 168 as number 65410 PE1 bgp af vpn instance quit PE1 bgp quit Bind the VLAN interface connecting PE1 and CE1 to the VPN A Note that you should first configure association between the VLAN interface and VPN instance and then configure the IP address of the VLAN interface PE1 vlan 202 PE1 vlan202 port gigabitethernet 2 1 2 PE1 vlan202 quit PE1 interface Vlan interface 202 PE1 Vlan interface202 i...

Page 474: ...172 1 0 0 0 0 255 255 PE1 ospf 1 area 0 0 0 0 network 202 100 1 1 0 0 0 0 PE1 ospf 1 area 0 0 0 0 quit PE1 ospf 1 import route direct PE1 ospf 1 quit Set up MP IBGP adjacency between PEs to exchange inter PE VPN routing information and activate MP IBGP peer in VPNv4 sub address family view PE1 bgp 100 PE1 bgp group 202 internal PE1 bgp peer 202 100 1 3 group 202 PE1 bgp peer 202 100 1 3 connect in...

Page 475: ...et 3 1 3 P vlan303 quit P interface Vlan interface 303 P Vlan interface303 ip address 172 3 1 2 255 255 0 0 P Vlan interface303 mpls P Vlan interface303 mpls ldp enable P Vlan interface303 quit P vlan 304 P vlan304 port gigabitethernet 3 1 4 P vlan304 quit P interface Vlan interface 304 P Vlan interface304 ip address 172 4 1 2 255 255 0 0 P Vlan interface304 mpls P Vlan interface304 mpls ldp enabl...

Page 476: ...ort intra CE3 VPN routes learned into MBGP VPN instance address family PE3 bgp 100 PE3 bgp ipv4 family vpn instance vpna PE3 bgp af vpn instance import route direct PE3 bgp af vpn instance group 168 external PE3 bgp af vpn instance peer 168 3 1 1 group 168 as number 65430 PE3 bgp af vpn instance quit PE3 bgp quit Bind the interface connecting PE3 and CE3 to VPN A PE3 vlan 202 PE3 vlan202 port giga...

Page 477: ... 3 0 0 0 0 255 255 PE3 ospf 1 area 0 0 0 0 network 202 100 1 3 0 0 0 0 PE3 ospf 1 area 0 0 0 0 quit PE3 ospf 1 import route direct PE3 ospf 1 area 0 0 0 0 import route direct Set up MP IBGP adjacency between PEs to exchange inter PE VPN routing information PE3 bgp 100 PE3 bgp group 202 internal PE3 bgp peer 202 100 1 1 group 202 as number 100 PE3 bgp peer 202 100 1 1 connect interface loopback0 PE...

Page 478: ...loopback0 1 1 1 9 32 vlan 100 192 168 1 1 24 CE 2 CE 1 CE 3 CE 4 vlan 100 192 168 1 2 24 loopback0 2 2 2 9 32 vlan 10 vlan 20 vlan 10 vlan 20 Figure 37 9 Network diagram for hybrid BGP MPLS VPN III Configure procedure 1 Configure CE 1 Create EBGP neighborhood between CE 1 and PE 1 import direct connect routes and static routes to import the VPN routes inside CE 1 to BGP and to advertise to PE 1 li...

Page 479: ... permit source any PE1 acl basic 2000 quit PE1 interface Ethernet 2 1 1 PE1 Ethernet2 1 1 traffic redirect inbound ip group 2000 rule 0 interface GigabitEthernet 3 3 3 10 l3 vpn Create EBGP neighborhood between PE 1 and CE 1 and import the direct routes of the VPN instance PE1 bgp 100 PE1 bgp ipv4 family vpn instance vpna PE1 bgp af vpn instance group 20 external PE1 bgp af vpn instance peer 20 1 ...

Page 480: ...1 and PE 2 PE1 ospf 1 route id 1 1 1 9 PE1 ospf 1 area 0 PE1 ospf 1 area 0 0 0 0 network 192 168 1 0 0 255 255 255 PE1 ospf 1 area 0 0 0 0 network 1 1 1 9 0 0 0 0 PE1 ospf 1 area 0 0 0 0 import route direct 3 Configure PE 2 Note Successful redirection configuration clears the VLAN configuration on the destination port z If the destination port is not a trunk port the redirection configuration chan...

Page 481: ...configuration PE2 flow template user defined slot 3 vlanid PE2 acl number 4000 PE2 acl link 4000 rule 0 permit ingress 10 egress any PE2 acl link 4000 quit PE2 interface Ethernet 2 1 1 PE2 Ethernet2 1 1 port link type trunk PE2 Ethernet2 1 1 flow template user defined PE2 Ethernet2 1 1 traffic redirect inbound link group 4000 rule 0 interface GigabitEthernet 3 3 3 10 l3 vpn Import the routes of th...

Page 482: ...E2 vlan100 port GigabitEthernet 3 1 1 PE2 vlan100 interface vlan interface 100 PE2 vlan interface100 ip address 192 168 1 2 255 255 255 0 PE2 vlan interface100 mpls PE2 vlan interface100 mpls ldp enable PE2 vlan interface100 quit Enable OSPF on the interface connecting PE 1 and PE 2 and on the loopback interface import direct routes to allow information exchange between PE 1 and PE 2 PE2 ospf 1 ro...

Page 483: ...e the shutdown command is used before making another redirection configuration z You are recommended to bind the VLAN interface to the VPN after making MPLS VPN redirection configuration to enable your configuration z You cannot configure MPLS VPN redirection and protocol VLAN on the same port That is you cannot configure MPLS VPN redirection if you have enabled protocol VLAN and vice versa MPLS V...

Page 484: ...fferent PEs II Network diagram PC CE B PC PC CE C PC PC CE A PC PC PC CE B PC PC CE C PC PC CE A PC PC VPN 1 VPN 2 PE A 10 1 1 1 PE B 30 1 1 1 PE C 20 1 1 1 City A City C City B 10 11 1 0 24 10 12 1 0 24 VLAN301 172 15 0 1 16 VLAN201 172 15 1 1 16 VLAN301 172 16 0 1 16 VLAN201 172 16 1 1 16 172 17 0 1 16 VLAN201 172 17 1 1 16 AS100 AS65011 AS65012 AS65013 VLAN301 SP network VPN 1 VPN 2 PE A 10 1 1...

Page 485: ...amily PE A bgp 100 PE A bgp ipv4 family vpn instance vpn instance1 PE A bgp af vpn instance import route direct PE A bgp af vpn instance import route static PE A bgp af vpn instance group 172 external PE A bgp af vpn instance peer 172 15 1 1 group 172 as number 65011 PE A bgp af vpn instance quit PE A bgp quit Bind VPN instance1 with virtual interface of VLAN301 which connects CE A PE A vlan 301 P...

Page 486: ...100 2 PE C vpn 2 vpn target 111 1 both PE C vpn 2 vpn target 222 2 both PE C vpn 2 quit Set up MP EBGP adjacency between PE C and CE C import intra CE C VPN routes learned into MBGP VPN instance address family PE C bgp 100 PE C bgp ipv4 family vpn instance vpn instance2 PE C bgp af vpn instance import route direct PE C bgp af vpn instance import route static PE C bgp af vpn instance group 172 exte...

Page 487: ... bgp af vpn peer 10 1 1 1 group 10 PE C bgp af vpn peer 30 enable PE C bgp af vpn peer 30 1 1 1 group 30 PE C bgp af vpn quit 3 Configure PE B Create VPN instance 3 for VPN2 on PE B so that it can transceive VPN routing information of VPN target 222 2 PE B ip vpn instance vpn instance 3 PE B vpn 3 route distinguisher 100 3 PE B vpn 3 vpn target 222 2 both PE B vpn 3 quit Set up MP EBGP adjacency b...

Page 488: ... 1 1 1 connect interface loopback 0 PE B bgp ipv4 family vpnv4 PE B bgp af vpn peer 20 enable PE B bgp af vpn peer 20 1 1 1 group 20 PE B bgp af vpn quit 37 4 4 Hub Spoke Configuration Example I Network requirements Hub Spoke networking is also called central server networking The site in the center is called hub site while the one not in the center is called spoke site The hub site knows the rout...

Page 489: ...2 Then PE2 and PE3 can only learn their neighbor s routes through PE1 Note In this case the configuration is focused on four points z Route advertisement can be controlled by VPN target settings on different PEs z Routing loop is permitted only once so that PE can receive route update messages with AS number included from CE z In Hub Spoke networking vpn target of VPN instance VPN instance3 which ...

Page 490: ... procedure Note The following contents are omitted in this case MPLS basic capacity configuration between PEs configuration between PE and P configuration between CEs For the details refer to 37 4 1 1 Configure PE1 Configure two VPN instances on PE1 set specified VPN target for the routes received from PE2 and PE3 PE1 ip vpn instance vpn instance2 PE1 vpn vpn instance2 route distinguisher 100 2 PE...

Page 491: ...e interface of the VLAN to which the Ethernet port Gigabitethernet 2 1 1 belongs to vpn instance2 bind the interface of the VLAN to which the Ethernet port Gigabitethernet 2 1 2 belongs to vpn instance3 PE1 vlan 201 PE1 vlan201 port gigabitethernet 2 1 1 PE1 vlan201 quit PE1 interface Vlan interface 201 PE1 Vlan interface201 ip binding vpn instance vpn instance2 PE1 Vlan interface201 ip address 17...

Page 492: ...tcommunity PE2 vpn vpn instance1 vpn target 100 2 import extcommunity PE2 vpn vpn instance1 quit Set up MP EBGP adjacency between PE2 and CE2 import intra CE2 VPN routes learned into MBGP VPN instance address family PE2 bgp 100 PE2 bgp ipv4 family vpn instance vpn instance1 PE2 bgp af vpn instance import route static PE2 bgp af vpn instance import route direct PE2 bgp af vpn instance group 172 ext...

Page 493: ...00 4 PE3 vpn vpn instance2 vpn target 100 12 export extcommunity PE3 vpn vpn instance2 vpn target 100 2 import extcommunity PE3 vpn vpn instance2 quit Set up MP EBGP adjacency between PE3 and CE3 import intra CE3 VPN routes learned into MBGP VPN instance address family PE3 bgp 100 PE3 bgp ipv4 family vpn instance vpn instance2 PE3 bgp af vpn instance import route static PE3 bgp af vpn instance imp...

Page 494: ...ily vpnv4 PE3 bgp af vpn peer 11 enable PE2 bgp af vpn peer 11 1 1 1 group 11 PE2 bgp af vpn peer 11 1 1 1 allow as loop 1 PE3 bgp af vpn quit PE3 bgp quit 37 4 5 CE Dual home Configuration Example I Network requirements For the applications which require high robustness of network you may use CE dual home networking mode CE1 and CE2 are dual homed they are connected to both PE1 and PE2 Three PEs ...

Page 495: ... 172 21 21 1 24 AS 65002 AS 65001 172 12 12 1 24 VLAN212 172 12 12 2 24 VLAN211 172 22 22 2 24 172 22 22 1 24 VLAN213 10 1 1 1 24 10 1 1 2 24 VLAN214 30 1 1 2 24 30 1 1 1 24 20 1 1 1 24 20 1 1 2 24 AS 65003 CE3 AS 65004 CE4 VLAN211 192 168 13 2 24 VLAN311 192 168 13 1 24 192 168 23 1 24 VLAN211 192 168 23 2 24 VLAN213 VLAN212 VLAN214 VLAN211 VLAN312 VLAN313 VLAN314 Figure 37 12 Network diagram for...

Page 496: ...af vpn instance import route static PE1 bgp af vpn instance group 17221 external PE1 bgp af vpn instance peer 172 21 21 2 group 17221 as number 65002 PE1 bgp af vpn quit PE1 bgp quit Bind the interface connecting PE1 and CE1 to VPN instance 1 1 and interface connecting PE1 and CE2 to VPN instance 1 2 PE1 vlan 211 PE1 vlan211 port gigabitethernet 2 1 1 PE1 vlan211 quit PE1 interface Vlan interface ...

Page 497: ...14 PE1 Vlan interface214 mpls PE1 Vlan interface214 mpls ldp enable PE1 Vlan interface214 mpls ldp transport ip interface PE1 Vlan interface214 ip address 30 1 1 2 255 255 255 0 PE1 Vlan interface214 quit Enable OSPF on the interface connecting PE1 and PE2 and the interface connecting PE1 and PE3 and the loopback interface to achieve inter PE communication PE1 Router id 1 1 1 1 PE1 ospf PE1 ospf 1...

Page 498: ...2 1 vpn target 1 1 1 1 1 PE2 vpn vpn instance2 1 quit PE2 ip vpn instance vpn instance2 2 PE2 vpn vpn instance2 2 route distinguisher 2 2 2 2 2 PE2 vpn vpn instance2 2 vpn target 2 2 2 2 2 PE2 vpn vpn instance2 2 quit Set up MP EBGP adjacency between PE2 and CE1 import intra CE1 VPN routes learned into VPN instance2 1 PE2 bgp 100 PE2 bgp ipv4 family vpn instance vpn instance2 1 PE2 bgp af vpn inst...

Page 499: ...e211 ip binding vpn instance vpn instance2 2 PE2 Vlan interface211 ip address 172 22 22 1 255 255 255 0 PE2 Vlan interface211 quit 3 Configure PE3 Note Only the VPN instance configuration of PE3 is detailed here other configurations are similar to that of the PE1 and PE2 and are omitted here Create two VPN instances 3 1 and 3 2 respectively for CE3 and CE4 on PE3 configure different VPN targets fo...

Page 500: ...PE3 and CE4 to VPN instance 3 2 PE3 vlan 311 PE3 vlan311 port gigabitethernet 3 1 1 PE3 vlan311 quit PE3 interface Vlan interface 311 PE3 Vlan interface311 ip binding vpn instance vpn instance3 1 PE3 Vlan interface311 ip address 192 168 13 1 255 255 255 0 PE3 Vlan interface311 quit PE3 vlan 314 PE3 vlan314 port gigabitethernet 3 1 4 PE3 vlan314 quit PE3 interface Vlan interface 314 PE3 Vlan interf...

Page 501: ... 172 12 12 1 24 172 22 22 1 24 98 98 98 1 24 98 98 98 2 24 VLAN205 VLAN205 172 11 11 2 24 172 22 22 2 24 P1 PE1 1 1 1 1 32 10 1 1 2 24 20 1 1 1 24 CE1 CE2 172 12 12 2 24 PC1 PC2 CE4 PC4 CE3 172 21 21 2 24 PC3 192 168 11 10 192 168 21 10 192 168 12 10 192 168 22 10 P1 3 3 3 3 32 VLAN201 PE2 2 2 2 2 32 10 1 1 2 24 20 1 1 1 24 AS 100 CE1 CE2 172 12 12 2 24 PC1 PC2 CE4 PC4 CE3 172 21 21 2 24 PC3 192 1...

Page 502: ...n interface202 quit Enable EBGP between PE and CE PE1 bgp 100 PE1 bgp ipv4 family vpn instance vpna PE1 bgp af vpn instance import route direct PE1 bgp af vpn instance group 172 11 external PE1 bgp af vpn instance peer 172 11 11 2 group 172 11 as number 65011 PE1 bgp af vpn quit PE1 bgp ipv4 family vpn instance vpnb PE1 bgp af vpn instance import route direct PE1 bgp af vpn instance group 172 21 e...

Page 503: ... 200 2 PE2 vpn vpnb vpn target 100 2 both Configure the VLAN interface connecting PE2 and P2 PE1 vlan 205 PE1 vlan205 port gigabitethernet 2 2 1 PE1 vlan205 quit PE1 interface Vlan interface 205 PE1 Vlan interface205 mpls PE1 Vlan interface205 mpls ldp enable PE1 Vlan interface205 ip address 20 1 1 2 255 255 255 0 Bind the VLAN interface with the VPN instance PE2 interface Vlan interface 203 PE2 V...

Page 504: ...nterface loopback0 PE2 bgp ipv4 family vpnv4 PE2 bgp af vpn peer 4 enable PE2 bgp af vpn peer 4 4 4 4 group 4 3 Configure P1 P2 in similar way Configure MPLS basic capability P1 mpls lsr id 3 3 3 3 P1 mpls P1 mpls quit P1 mpls ldp Configure the interface loopback 0 P1 interface loopback 0 P1 LoopBack0 ip address 3 3 3 3 255 255 255 255 Configure VLAN interface connecting PE1 P1 vlan 205 P1 vlan205...

Page 505: ...aged by the Multi hop MP EBGP which advertise label VPN IPv4 routes between PEs II Network diagram PE2 LSR ID 162 1 1 2 ASBR PE2 LSR ID 162 1 1 1 BGP MPLS Backbone AS 200 ASBR PE1 LSR ID 172 1 1 1 PE1 LSR ID 172 1 1 2 BGP MPLS Backbone AS 100 Ethernet2 1 0 168 1 1 1 16 Loopback0 202 100 1 2 32 Pos1 0 0 172 1 1 2 16 Pos2 1 0 192 1 1 1 24 Loopback0 202 100 1 1 32 Pos1 1 0 172 1 1 1 16 Loopback0 202 ...

Page 506: ...1 1 0 quit PE1 ospf PE1 ospf 1 area 0 PE1 ospf 1 area 0 0 0 0 network 172 1 0 0 0 0 255 255 PE1 ospf 1 area 0 0 0 0 network 202 100 1 2 0 0 0 0 PE1 ospf 1 area 0 0 0 0 quit PE1 ospf 1 quit Configure ASBR PE1 ASBR PE1 interface loopback0 ASBR PE1 LoopBack 0 ip address 202 100 1 1 255 255 255 255 ASBR PE1 LoopBack 0 quit ASBR PE1 interface pos1 1 0 ASBR PE1 Pos1 1 0 ip address 172 1 1 1 255 255 0 0 ...

Page 507: ... 255 0 0 ASBR PE2 Pos1 1 0 quit ASBR PE2 interface Pos 2 1 0 ASBR PE2 Pos2 1 0 ip address 192 1 1 2 255 255 255 0 ASBR PE2 Pos2 1 0 quit ASBR PE2 ospf ASBR PE2 ospf 1 area 0 ASBR PE2 ospf 1 area 0 0 0 0 network 162 1 0 0 0 0 255 255 ASBR PE2 ospf 1 area 0 0 0 0 network 202 200 1 1 0 0 0 0 ASBR PE2 ospf 1 area 0 0 0 0 quit ASBR PE2 ospf 1 quit 2 Configure basic MPLS capability on the MPLS backbone ...

Page 508: ...pls ASBR PE1 Pos2 1 0 quit Configure basic MPLS capability on ASBR PE2 enable LDP on the interface connected to PE2 and enable MPLS on the interface connected to ASBR PE1 ASBR PE2 mpls lsr id 162 1 1 1 ASBR PE2 mpls lsp trigger all ASBR PE2 mpls quit ASBR PE2 mpls ldp ASBR PE2 mpls ldp quit ASBR PE2 interface pos1 1 0 ASBR PE2 Pos1 1 0 mpls ASBR PE2 Pos1 1 0 mpls ldp ASBR PE2 Pos1 1 0 quit ASBR PE...

Page 509: ...ce ethernet 2 1 0 PE1 Ethernet2 1 0 ip binding vpn instance vpna PE1 Ethernet2 1 0 ip address 168 1 1 1 255 255 0 0 PE1 Ethernet2 1 0 quit Configure CE2 CE2 interface ethernet 1 CE2 Ethernet1 ip address 168 2 2 2 255 255 0 0 CE2 Ethernet1 quit Create a VPN instance on PE2 and bind it to the interface connected to CE2 PE2 ip vpn instance vpna PE2 vpn instance route distinguisher 200 2 PE2 vpn insta...

Page 510: ... set up EBGP peer relation with CE1 IBGP peer relation with ASBR PE1 and Multihop MP EBGP peer relation with PE2 PE1 bgp 100 PE1 bgp ipv4 family vpn instance vpna PE1 bgp af vpn instance group 10 external PE1 bgp af vpn instance peer 168 1 1 2 group 10 as number 65001 PE1 bgp af vpn instance import route direct PE1 bgp af vpn instance quit PE1 bgp group 20 PE1 bgp peer 20 label route capability PE...

Page 511: ...1 2 group 10 as number 200 ASBR PE1 bgp group 20 ASBR PE1 bgp peer 20 label route capability ASBR PE1 bgp peer 20 next hop local ASBR PE1 bgp peer 20 route policy rtp ibgp export ASBR PE1 bgp peer 202 100 1 2 group 20 ASBR PE1 bgp peer 202 100 1 2 connect interface loopback0 ASBR PE1 bgp quit Configure CE2 CE2 bgp 65002 CE2 bgp group 10 external CE2 bgp peer 168 2 2 1 group 10 as number 200 CE2 bg...

Page 512: ... rtp ibgp permit node 10 ASBR PE2 route policy if match mpls label ASBR PE2 route policy apply mpls label ASBR PE2 route policy quit Configure ASBR PE2 set up EBGP peer relation with ASBR PE1 and IBGP peer relation with PE2 ASBR PE2 bgp 200 ASBR PE2 bgp import route ospf ASBR PE2 bgp group 10 external ASBR PE2 bgp peer 10 label route capability ASBR PE2 bgp peer 10 route policy rtp ebgp export ASB...

Page 513: ...PLS骨干网 PE PE SPE Upper VPN Lower VPN UPE CE CE CE CE VPN1 Site1 VPN2 Site1 VPN1 Site1 VPN2 Site1 UPE VLAN201 10 0 0 1 8 VLAN301 10 0 0 2 8 Loopback0 10 0 0 2 Loopback0 1 0 0 1 MPLS backbone PE PE SPE UPE CE CE CE CE VPN1 Site1 VPN2 Site1 VPN1 Site1 VPN2 Site1 UPE VLAN201 10 0 0 1 8 VLAN301 10 0 0 2 8 Loopback0 10 0 0 2 MPLS骨干网 PE PE SPE Upper VPN Lower VPN UPE CE CE CE CE VPN1 Site1 VPN2 Site1 VPN...

Page 514: ...lan interface201 quit SPE interface loopback0 SPE LoopBack 0 ip address 1 0 0 2 255 255 255 255 SPE LoopBack 0 quit Configure BGP SPE bgp 100 SPE import direct SPE bgp group 1 internal SPE bgp peer 1 0 0 1 group 1 SPE bgp peer 1 connect interface LoopBack0 SPE bgp ipv4 family vpn instance vpn1 SPE bgp af vpn instance import direct SPE bgp af vpn instance quit SPE bgp ipv4 family vpnv4 SPE bgp af v...

Page 515: ...pls ldp enable UE1 Vlan interface301 mpls ldp transport ip interface UPE Vlan interface301 ip address 10 0 0 2 255 0 0 0 UPE Vlan interface301 quit UPE interface loopback0 UPE LoopBack 0 ip address 1 0 0 1 255 255 255 255 Configure BGP UPE bgp 100 UPE bgp group 1 internal UPE bgp peer 1 0 0 2 group 1 UPE bgp ipv4 family vpn instance vpn1 UPE bgp af vpn instance import direct UPE bgp ipv4 family vp...

Page 516: ...opBack1 50 1 1 3 1 1 1 1 VLAN203 168 1 12 2 24 VLAN202 168 1 13 2 24 VLAN202 168 1 23 2 24 VLAN201 168 1 23 1 24 VLAN201 20 1 1 2 24 VLAN201 20 1 1 1 24 VLAN202 12 1 1 2 24 CE1 10 10 10 10 CE2 20 20 20 20 12 1 1 0 24 PE1 PE3 3 3 3 3 PE2 2 2 2 2 VLAN201 10 1 1 1 24 168 1 1 0 24 20 2 1 0 24 VLAN202 12 1 1 1 24 MPLS VPN Backbone LoopBack0 1 1 1 1 LoopBack0 2 2 2 2 LoopBack0 3 3 3 3 VLAN201 10 1 1 2 2...

Page 517: ...t 2 1 2 PE1 vlan202 quit PE1 interface Vlan interface 202 PE1 Vlan interface202 ip address 168 1 13 1 255 255 255 0 PE1 Vlan interface202 ospf cost 1 PE1 Vlan interface202 mpls PE1 Vlan interface202 mpls ldp enable PE1 Vlan interface202 mpls ldp transport ip interface PE1 Vlan interface202 quit PE1 interface loopback0 PE1 LoopBack0 ip binding vpn instance vpn1 PE1 LoopBack0 ip address 1 1 1 1 255 ...

Page 518: ... 0 0 0 0 network 10 1 1 0 0 0 0 255 Configuring sham link PE1 ospf 100 area 0 0 0 1 sham link 1 1 1 1 2 2 2 2 Configure the routes distributed to PE2 and PE3 PE1 ospf 1000 PE1 ospf 1000 area 0 SW8800 ospf 1000 area 0 0 0 0 network 168 12 1 0 0 0 0 255 SW8800 ospf 1000 area 0 0 0 0 network 50 1 1 1 0 0 0 0 2 Configure PE2 Enable MPLS and LDP PE2 mpls lsr id 50 1 1 2 PE2 mpls PE2 mpls quit PE2 mpls ...

Page 519: ...ace202 mpls ldp enable PE2 Vlan interface202 quit PE2 interface LoopBack0 PE2 LoopBack0 ip binding vpn instance vpn1 PE2 LoopBack0 ip address 2 2 2 2 255 255 255 255 PE2 LoopBack0 quit PE2 interface LoopBack1 PE2 LoopBack1 ip address 50 1 1 2 255 255 255 255 Configure BGP PE2 bgp 100 PE2 bgp undo synchronization PE2 bgp group fc internal PE2 bgp peer 50 1 1 1 group fc PE2 bgp peer 50 1 1 1 connect...

Page 520: ...255 255 255 255 168 1 23 3 Configure the routes distributed to PE1 and PE3 PE1 ospf 1000 PE1 ospf 1000 area 0 SW8800 ospf 1000 area 0 0 0 0 network 168 12 1 0 0 0 0 255 SW8800 ospf 1000 area 0 0 0 0 network 50 1 1 1 0 0 0 0 3 Configure CE1 Configure interfaces CE1 vlan 202 CE1 vlan202 port gigabitethernet 2 1 2 CE1 vlan202 quit CE1 interface Vlan interface 202 CE1 Vlan interface202 ip address 12 1...

Page 521: ...1 1 255 255 255 0 CE2 Vlan interface201 ospf cost 1 Configure OSPF CE2 ospf 100 router id 20 20 20 20 CE2 ospf 100 area 0 0 0 0 CE2 ospf 100 area 0 0 0 0 network 12 1 1 0 0 0 0 255 CE2 ospf 100 area 0 0 0 0 network 20 1 1 0 0 0 0 255 37 4 10 Nested BGP MPLS VPN Configuration Example I Network requirements A VPN user has multiple nodes to access the service provider s BGP MPLS backbone network And ...

Page 522: ...pe2 4 4 4 4 Pos1 1 0 10 1 1 1 8 Pos1 1 0 10 1 1 2 8 Pos2 1 0 18 1 1 1 8 Pos1 1 0 18 1 1 2 8 AS100 Pos3 1 0 1 1 1 2 8 Pos1 1 0 1 1 1 1 8 Pos2 1 0 15 1 1 2 8 Pos1 1 0 15 1 1 1 8 Pos3 1 0 2 1 1 2 8 Pos1 1 0 2 1 1 1 8 Pos2 1 0 16 1 1 2 8 Pos1 1 0 16 1 1 1 8 AS600 AS500 Figure 37 17 Network diagram for nested VPN III Configuration procedure Note This procedure omits part of the configuration for CE rou...

Page 523: ...e basic MPLS capability and MPLS LDP on the backbone network Configure prov_pe1 prov_pe1 mpls lsr id 5 5 5 5 prov_pe1 mpls ldp prov_pe1 interface pos 1 1 0 prov_pe1 Pos1 1 0 mpls prov_pe1 Pos1 1 0 mpls ldp prov_pe1 Pos1 1 0 quit Configure prov_pe2 prov_pe2 mpls lsr id 4 4 4 4 prov_pe2 mpls ldp prov_pe2 interface pos 1 1 0 prov_pe2 Pos1 1 0 mpls prov_pe2 Pos1 1 0 mpls ldp prov_pe2 Pos1 1 0 quit Con...

Page 524: ...nguisher 3 3 prov_pe1 vpn instance vpn target 3 3 prov_pe1 vpn instance quit prov_pe1 ip vpn instance vpn1 prov_pe1 vpn instance route distinguisher 1 1 prov_pe1 vpn instance vpn target 1 1 prov_pe1 vpn instance vpn target 3 3 prov_pe1 vpn instance quit prov_pe1 interface pos 3 1 0 prov_pe1 Pos3 1 0 ip binding vpn instance customer_vpn prov_pe1 Pos3 1 0 link protocol ppp prov_pe1 Pos3 1 0 ip addre...

Page 525: ... SW8800 sysname cust_pe2 cust_pe2 interface LoopBack0 cust_pe2 LoopBack0 ip address 7 7 7 7 255 255 255 255 cust_pe2 LoopBack0 quit cust_pe2 mpls lsr id 7 7 7 7 cust_pe2 interface pos 1 1 0 cust_pe2 Pos1 1 0 link protocol ppp cust_pe2 Pos1 1 0 ip address 2 1 1 1 255 0 0 0 cust_pe2 Pos1 1 0 mpls cust_pe2 Pos1 1 0 quit 3 Configure EBGP between provider PE and customer PE Configure prov_pe1 to access...

Page 526: ...rov_pe2 bgp af vpn instance group ebgp external prov_pe2 bgp af vpn instance undo peer ebgp enable prov_pe2 bgp af vpn instance peer 2 1 1 1 group ebgp as number 500 prov_pe2 bgp ipv4 family vpnv4 prov_pe2 bgp af vpn nesting vpn prov_pe2 bgp af vpn peer ebgp vpn instance customer_vpn enable prov_pe2 bgp af vpn peer 2 1 1 1 vpn instance customer_vpn group ebgp prov_pe2 bgp af vpn peer 2 1 1 1 vpn i...

Page 527: ...t_pe1 bgp af vpn instance peer 15 1 1 1 group cegroup as number 50001 cust_pe1 bgp af vpn instance quit cust_pe1 bgp quit Configure cust_pe2 cust_pe2 ip vpn instance vpn1 cust_pe2 vpn instance route distinguisher 1 1 cust_pe2 vpn instance vpn target 1 1 cust_pe2 interface pos 2 1 0 cust_pe2 Pos2 1 0 ip binding vpn instance vpn1 cust_pe2 Pos2 1 0 link protocol ppp cust_pe2 Pos2 1 0 ip address 16 1 ...

Page 528: ...te distinguisher 100 1 CE vpn vpn1 vpn target 100 1 export extcommunity CE vpn vpn1 vpn target 100 1 import extcommunity Configure instance vpn2 CE ip vpn instance vpn2 CE vpn vpn2 route distinguisher 200 1 CE vpn vpn2 vpn target 200 1 export extcommunity CE vpn vpn2 vpn target 200 1 import extcommunity Configure VLAN201 CE vlan 201 CE vlan201 port gigabitethernet 2 1 1 CE vlan201 quit CE interfac...

Page 529: ...255 0 Configure ospf 100 CE ospf 100 vpn instance vpn1 CE ospf 100 vpn instance capability simple CE ospf 100 area 0 0 0 0 CE ospf 100 area 0 0 0 0 network 10 1 1 0 0 0 0 255 CE ospf 100 area 0 0 0 0 network 10 2 1 0 0 0 0 255 Configure ospf 300 CE ospf 300 vpn instance vpn2 CE ospf 300 vpn instance capability simple CE ospf 300 area 0 0 0 1 CE ospf 300 area 0 0 0 1 network 20 1 1 0 0 0 0 255 CE o...

Page 530: ... PE2 PC3 172 19 0 1 16 Ethernet2 1 0 172 19 0 2 Ethernet1 1 0 20 3 1 1 24 CE3 Ethernet2 1 0 20 3 1 2 24 Loopback0 1 1 1 9 32 Loopback0 2 2 2 9 32 PC1 172 18 0 1 16 Ethernet2 1 0 172 18 0 2 16 CE1 Ethernet3 1 0 20 2 1 2 24 Ethernet1 1 0 20 2 1 1 24 AS100 AS65420 AS65410 AS65430 Ethernet1 1 0 Ethernet1 1 0 PC2 172 16 0 1 16 192 168 1 1 24 192 168 1 2 24 Ethernet2 1 0 20 1 1 2 24 Ethernet2 1 0 172 16...

Page 531: ...ldp PE1 mpls ldp quit PE1 interface Ethernet1 1 0 PE1 Ethernet1 1 0 mpls PE1 Ethernet1 1 0 mpls ldp PE1 Ethernet1 1 0 quit Create VPN instances for VPN1 and VPN2 on PE1 bind Ethernet3 1 0 to VPN1 and bind Ethernet2 1 0 to VPN2 PE1 ip vpn instance vpn1 PE1 vpn vpn1 route distinguisher 100 1 PE1 vpn vpn1 vpn target 100 1 both PE1 vpn vpn1 quit PE1 ip vpn instance vpn2 PE1 vpn vpn2 route distinguishe...

Page 532: ...rnet2 1 0 PE2 Ethernet2 1 0 ip binding vpn instance vpn1 PE2 Ethernet2 1 0 ip address 20 3 1 2 24 PE2 Ethernet2 1 0 quit Configure BGP Configure CE1 CE1 interface Ethernet1 1 0 CE1 Ethernet1 1 0 ip address 20 2 1 1 24 CE1 Ethernet1 1 0 quit CE1 bgp 65410 CE1 bgp import route direct CE1 bgp group 10 external CE1 bgp peer 20 2 1 2 group 10 as number 100 CE1 bgp quit Configure CE2 CE2 interface Ether...

Page 533: ... external PE1 bgp af vpn instance peer 20 2 1 1 group 20 as number 65410 PE1 bgp af vpn instance quit PE1 bgp ipv4 family vpn instance vpn2 PE1 bgp af vpn instance import route direct PE1 bgp af vpn instance group 30 external PE1 bgp af vpn instance peer 20 1 1 1 group 30 as number 65420 PE1 bgp af vpn instance quit PE1 bgp quit Configure PE2 set up IBGP peer relation with PE1 in BGP VPNv4 sub add...

Page 534: ...nnot learn the routing information of the peer end switch spoke PE Solution z Check whether the BGP adjacent of spoke PE and hub PE is created correctly z Check whether the routing attributes import export relation of each VPN instance is correct z Check from the hub PE that whether the routing information between two VPN instances can be learnt by each other if not perform the following operation...

Page 535: ...loopback interface at the peer end can be pinged using the ping command z Check whether the configuration information is correct using the display current configuration bgp command confirm that you have specified the local loopback interface as the interface to create adjacent interface with the peer end by using the peer peer address connect interface command confirm that you have activate the ne...

Page 536: ... tree MSTP makes up for the drawback of STP and RSTP It not only converges fast but also allows the traffic of different VLANs to be distributed along their respective paths which provides a better load balance mechanism for the redundant links MSTP keeps a VLAN mapping table to associate VLANs with their spanning trees Using MSTP you can divide one switching network into multiple regions each of ...

Page 537: ...can group several switches into a MST region using MSTP configuration commands For example in Figure 38 1 the four switches in MST region A0 are configured with the same region name the same VLAN mapping table VLAN1 is mapped to instance 1 VLAN 2 is mapped to instance 2 other VLANs is mapped to instance CIST and the same revision level not indicated in Figure 38 1 II VLAN mapping table The VLAN ma...

Page 538: ...T region have different topology and their region roots may also be different For example the region root of the STI 1 is the switch B and that of the STI 2 is the switch C as shown in Figure 38 1 VIII Common Root Bridge The Common Root Bridge refers to the root bridge of CIST For example the common root bridge is a certain switch in A0 as shown in Figure 38 1 IX Edge port The edge port refers to ...

Page 539: ...better understanding In this figure the switch A B C and D make up a MST region Port 1 and 2 on switch A connects to the common root bridge port 5 and 6 on switch C forms a loop port 3 and 4 on switch D connects to other MST regions in the downstream direction C A B D Port 1 Port 2 Master port Alternate port Port 3 Port 4 Port 5 Port 6 Backup port Edge port Designated port Connect to the root MST ...

Page 540: ...mat Figure 38 4 MSTI information format of the last part in BPDU packets Besides field root bridge priority root path cost local bridge priority and port priority the field flags which takes one byte in an instance is also used for role selection The following figure describes the meaning of its eight bits ...

Page 541: ...ning trees the difference is that it is the MSTP configuration information on the switches that is carried in the configuration messages I CIST calculation The CIST root is the highest priority switch elected from the switches on the entire network through comparing their configuration BPDUs MSTP calculates and generates IST in each MST region at the same time it regards each MST region as a singl...

Page 542: ...nated port is AP1 In the figure Switch B and Switch C are connected to the LAN and Switch B forwards BPDU to LAN So the designated bridge of LAN is Switch B and the designated port is BP2 z The specific calculation process of STP algorithm The following example illustrates the calculation process of STP Figure 38 7 illustrates the practical network Switch A with priority 0 Switch C with priority 2...

Page 543: ...n the received configuration BPDU to change the content of the local BPDU of this port Then the switch compare the configuration BPDU of this port to those of other ports on it to elect the optimum configuration BPDU The comparison rules are z The configuration BPDU with a smaller root ID has a higher priority z If the root IDs are the same perform the comparison based on root path costs The cost ...

Page 544: ...he root retains the configuration BPDU of each port and transmits configuration BPDU to others regularly thereafter By now the configuration BPDUs of the two ports are as follows Configuration BPDU of AP1 0 0 0 AP1 Configuration BPDU of AP2 0 0 0 AP2 Switch B BP1 receives the configuration BPDU from Switch A and finds that the received BPDU has a higher priority than the local one so it updates it...

Page 545: ...rom Switch B Since this configuration BPDU is better then the old one the old BPDU will be updated to 0 5 1 BP2 Meanwhile CP1 receives the configuration BPDU from Switch A but its configuration BPDU is not updated and retain 0 10 0 AP2 By comparison 0 9 1 BP2 the configuration BPDU of CP2 is elected as the optimum one Thus CP2 is elected as the root port whose BPDU will not change while CP1 is blo...

Page 546: ...w recalculated will not be propagated throughout the network right away so the old root ports and designated ports that have not detected the topology change will still forward the data through the old path If the new root port and designated port begin to forward data immediately after they are elected an occasional loop may still occur In STP a transitional state mechanism is thus adopted to ens...

Page 547: ...es z Configuring the MST Region for a Switch z Specifying the Switch as a Primary or a Secondary Root bridge z Configuring the MSTP Running Mode z Configuring the Bridge Priority for a Switch z Configuring the Max Hops in an MST Region z Configuring the Switching Network Diameter z Configuring the Time Parameters of a Switch z ...

Page 548: ...ffective even after resetting MSTP The check region configuration command can display the region parameters that have not yet taken effect The display current configuration command shows the parameters configured before MSTP is enabled For those configured after MSTP is enabled you can use the related display commands For detailed information refer to the Display and Debug MSTP section Note When G...

Page 549: ...is IST and the Instances 1 through 48 are MSTIs Upon the completion of the above configurations the current switch is put into a specified MST region Note that two switches belong to the same MST region only if they have been configured with the same MST region name STI VLAN mapping tables of an MST region and the same MST region revision level Configuring the related parameters especially the VLA...

Page 550: ...the switch as a primary or a secondary root bridge Operation Command Specify the current switch as the primary root bridge of the specified spanning tree stp instance instance id root primary bridge diameter bridgenum hello time centi senconds Specify the current switch as the secondary root bridge of the specified spanning tree stp instance instance id root secondary bridge diameter bridgenum hel...

Page 551: ...es Generally you are recommended to designate one primary root and more than one secondary root for a spanning tree By default a switch is neither the primary root nor the secondary root of the spanning tree 38 2 3 Configuring the MSTP Running Mode MSTP and RSTP are compatible and they can recognize the packets of each other However STP cannot recognize MSTP packets To implement the compatibility ...

Page 552: ...e the Bridge priorities of the Designated bridge in different STIs Perform the following configuration in system view Table 38 6 Configure the Bridge priority for a switch Operation Command Configure the Bridge priority of the Designated bridge stp instance instance id priority priority Restore the default Bridge priority of the Designated bridge undo stp instance instance id priority When configu...

Page 553: ... Configuring the Switching Network Diameter Any two hosts on the switching network are connected with a specific path carried by a series of switches Among these paths the one passing more switches than all others is the network diameter expressed as the number of passed switches You can use the following command to configure the diameter of the switching network Perform the following configuratio...

Page 554: ...o forwarding state The Forward Delay guarantees a period of time during which the new configuration BPDU can be propagated throughout the network The switch sends Hello packet periodically at an interval specified by Hello Time to check if there is any link fault Max Age specifies when the configuration BPDU will expire The switch will discard the expired configuration BPDU You can use the followi...

Page 555: ...ver for too short a Hello Time the switch frequently sends configuration BPDU which adds its burden and wastes the network resources Too short a Max Age may cause the network device frequently calculate the spanning tree and mistake the congestion as a link fault However if the Max Age is too long the network device may not be able to discover the link fault and recalculate the spanning tree in ti...

Page 556: ...h Operation Command Set the timeout factor of a specified switch stp timer factor number Restore the default timeout factor undo stp timer factor It is recommended to set 5 6 or 7 as the timeout factor in the steady network By default the timeout factor of the switch is 3 38 2 9 Configuring the Max Transmission Speed on a Port The max transmission speed on a port specifies how many MSTP packets wi...

Page 557: ...ces will be occupied The default value is recommended By default the max transmission speed on every Ethernet port of the switch is 3 38 2 10 Configuring a Port as an Edge Port or Non edge Port An edge port refers to the port not directly connected to any switch or indirectly connected to a switch over the connected network You can configure a port as an edge port or non edge port in the following...

Page 558: ...f a port is configured as an edge port or non edge port it is configured the same on all the STIs It is better to configure the BPDU protection on the edged port so as to prevent the switch from being attacked Before BPDU protection is enabled on the switch the port runs as a non edge port when it receives BPDU even if the user has set it as an edge port If BPDU protection is enabled on the switch...

Page 559: ...r mentioned measures Upon the change of path cost of a port MSTP will recalculate the port role and transit the state When instance id takes 0 it indicates to set the path cost on the CIST By default MSTP is responsible for calculating the path cost of a port 38 2 12 STP Path Cost Calculation Standards on STP port The Switch 8800 uses its own legacy path calculation but both DOT1T and DOT1D 1998 p...

Page 560: ...ion group If all the ports in the aggregation group are down the rate of the aggregation port is 0 z Non aggregation port The actual rate counts 2 Calculating the path cost Table 38 17 details the correspondence between the rate range and the path cost values of the ports Table 38 17 Correspondence between the rate range and the path cost values Rate range Path cost value 0 10 99 for full duplex p...

Page 561: ...standard to be followed in path cost calculation Operation Command Specify the standard to be adopted when the switch calculates the default path cost for the connected link stp pathcost standard dot1d 1998 dot1t legacy Restore the default standard to be used undo stp pathcost standard By default the switch calculates the default path cost of a port by the DOT1T standard 38 2 13 Configuring the Pr...

Page 562: ...maller value represents a higher priority If all the Ethernet ports of a switch are configured with the same priority value the priorities of the ports will be differentiated by the index number The change of Ethernet port priority will lead to spanning tree recalculation You can configure the port priority according to actual networking requirements By default the priority of all the Ethernet por...

Page 563: ...tly connected with the point to point link as defaulted undo stp point to point You can configure the port not to connect with the point to point link with either of the earlier mentioned measures For the ports connected with the point to point link upon some port role conditions met they can transit to forwarding state fast through transmitting synchronization packet thereby reducing the unnecess...

Page 564: ...system view Table 38 24 Configure the mCheck variable of a port Operation Command Perform mCheck operation on a port stp interface interface list mcheck Note By default MSTP runs in MSTP mode which is compatible with RSTP and STP This mode can recognize MSTP BPDU STP config BPDU and RSTP config BPDU However the STP switch can only recognize config BPDU STP BPDU sent by the STP and RSTP bridges Aft...

Page 565: ...dges of the spanning tree especially those of ICST shall be located in the same region It is because the primary and secondary roots of CIST are generally placed in the core region with a high bandwidth in network design In case of configuration error or malicious attack the legal primary root may receive the BPDU with a higher priority and then loose its place which causes network topology change...

Page 566: ...fied interval the switch shall not run the delete operation till the specified interval is reached This can avoid frequent delete operations on the MAC address table and ARP table You can use the following command to configure the protection functions of the switch Perform the following configuration in corresponding configuration modes Table 38 26 Configure the switch protection function Operatio...

Page 567: ...o the port is disconnected If the port has not received any higher priority BPDU for a certain period of time thereafter it will resume the normal state For one port only one configuration can be effective among loop protection Root protection and Edge port configuration at the same moment Note The port configured with loop protection can only turn into discarding state on every instance That such...

Page 568: ...emoves the instance s ARP entry By default this function is disabled Perform the following configuration in Ethernet port view Table 38 28 Enable disable the reset of MAC and dynamic ARP address tables on a port Operation Command Enable Disable the reset of MAC and dynamic ARP address tables on a port of the device stp reset arp enable disable By default this function is disabled 38 2 19 Enabling ...

Page 569: ...emoves MAC and ARP entries of the port after receiving TC TCN packets 38 2 20 Enabling Disabling MSTP on a Port You can use the following command to enable disable MSTP on a port You may disable MSTP on some Ethernet ports of a switch to spare them from spanning tree calculation This is a measure to flexibly control MSTP operation and save the CPU resources of the switch MSTP can be enabled disabl...

Page 570: ...Table 38 32 Display and debug MSTP Operation Command Display the MSTP information about the current switch display stp Display the configuration information about the current port and the switch display stp instance instance id interface interface list brief Display the current configurations of the specified service board display stp slot number brief Display the configuration information about t...

Page 571: ...tance 0 In the following network diagram Switch A and Switch B are devices of the convergence layer Switch C and Switch D are devices of the access layer VLAN 10 and 30 function at the distribution and access layers and VLAN 40 functions at the access layer only So the root of instance 1 can be configured as Switch A root of instance 3 can be Switch B and root of instance 4 can be Switch C II Netw...

Page 572: ... SW8800 mst region region name example SW8800 mst region instance 1 vlan 10 SW8800 mst region instance 3 vlan 30 SW8800 mst region instance 4 vlan 40 SW8800 mst region revision level 0 Manually activate MST region configuration SW8800 mst region active region configuration Specify Switch B as the root of instance 3 SW8800 stp instance 3 root primary 3 Configurations on Switch C MST region SW8800 s...

Page 573: ... stp region configuration SW8800 mst region region name example SW8800 mst region instance 1 vlan 10 SW8800 mst region instance 3 vlan 30 SW8800 mst region instance 4 vlan 40 SW8800 mst region revision level 0 Manually activate MST region configuration SW8800 mst region active region configuration ...

Page 574: ...fines port based network access control protocol and only defines the point to point connection between the access device and the access port The port can be either physical or logical The typical application environment is as follows Each physical port of the LAN Switch only connects to one user workstation based on the physical port and the wireless LAN access environment defined by the IEEE 802...

Page 575: ...L Controlled Port Port unauthorized LAN Uncontrolled Port Services offered by Authenticators System Figure 39 1 802 1x system architecture 39 1 3 802 1x Authentication Process 802 1x configures EAP frame to carry the authentication information The Standard defines the following types of EAP frames z EAP Packet Authentication information frame used to carry the authentication information z EAPoL St...

Page 576: ...rt to connect several End Stations in the downstream via a physical port z The access control or the user authentication method can be based on port or MAC address In this way the system becomes much securer and easier to manage 39 2 802 1x Configuration The configuration tasks of 802 1x itself can be fulfilled in system view of the Ethernet switch After the global 802 1x is enabled the user can c...

Page 577: ...Users that Log on the Switch via Proxy z Setting Supplicant Number on a Port z Setting the Authentication in DHCP Environment z Configuring Authentication Method for 802 1x User z Enabling Disabling Guest VLAN z Setting the Maximum times of authentication request message retransmission z ...

Page 578: ...owing configuration in system view or Ethernet port view Table 39 1 Enable Disable 802 1x Operation Command Enable the 802 1x dot1x interface interface list Disable the 802 1x undo dot1x interface interface list By default 802 1x authentication has not been enabled globally and on any port You cannot configure 802 1x on a port before you enable it globally And you must disable 802 1x on each port ...

Page 579: ...performing access control on the port is auto automatic identification mode 39 2 3 Setting Port Access Control Method The following commands are used for setting 802 1x access control method on the specified port When no port is specified in system view the access control method of all ports is configured Perform the following configuration in system view or Ethernet port view Table 39 3 Set port ...

Page 580: ... and control in system view only if you enable this feature on a specific port can this configuration take effects on the port 39 2 5 Setting Supplicant Number on a Port The following commands are used for setting number of users allowed by 802 1x on specified port When no port is specified all the ports accept the same number of supplicants Perform the following configuration in system view or Et...

Page 581: ...to RADIUS server in the form of EAP packets directly and RADIUS server must support EAP authentication Perform the following configuration in system view Table 39 7 Configure authentication method for 802 1x user Operation Command Configure authentication method for 802 1x user dot1x authentication method chap pap eap md5 challenge Restore the default authentication method for 802 1x user undo dot...

Page 582: ... VLAN ID and the corresponding VLAN cannot be a super VLAN z You must perform corresponding configuration manually to isolate the Guest VLAN from other VLAN interfaces 39 2 9 Setting the Maximum times of authentication request message retransmission The following commands are used for setting the maximum retransmission times of the authentication request message that the switch sends to the suppli...

Page 583: ... units of second and defaults to 30 quiet period Specifies the quiet timer If an 802 1x user has not passed the authentication the Authenticator will keep quiet for a while which is specified by quiet period timer before launching the authentication again During the quiet period the Authenticator does not do anything related to 802 1x authentication quiet period value Specifies how long the quiet ...

Page 584: ...1x user has not passed the authentication the Authenticator will keep quiet for a while which is specified by dot1x timer quiet period command before launching the authentication again During the quiet period the Authenticator does not do anything related to 802 1x authentication Perform the following configuration in system view Table 39 11 Enable Disable a quiet period timer Operation Command En...

Page 585: ...hen the user is accessed the domain name does not follow the user name Normally if the user s traffic is less than 2000 Byte s consistently over 20 minutes he will be disconnected A server group consisting of two RADIUS servers at 10 11 1 1 and 10 11 1 2 respectively is connected to the switch The former one acts as the primary authentication secondary accounting server The latter one acts as the ...

Page 586: ...rkstation is omitted RADIUS server configuration is carried out in terms of RADIUS schemes A RADIUS scheme actually can either be a stand alone RADIUS server or two mutually backed up RADIUS servers with the same configuration and different IP addresses So for each RADIUS scheme you need to configure the IP addresses for the primary and secondary RADIUS servers and the shared key Enable 802 1x glo...

Page 587: ... interval for the system to transmit real time accounting packets to the RADIUS server SW8800 radius radius1 timer realtime accounting 15 Configure the system to transmit the user name to the RADIUS server after removing the domain name SW8800 radius radius1 user name format without domain SW8800 radius radius1 quit Create the user domain 3Com163 net and enters its configuration mode SW8800 domain...

Page 588: ...rchitecture with its client running at the managed side and its server centralizes and stores the user information Therefore AAA framework takes good scalability and is easy to realize the control and centralized management of user information 40 1 2 RADIUS Protocol Overview As mentioned above AAA is a management framework so it can be implemented by some protocols RADIUS is such a protocol freque...

Page 589: ... separately II RADIUS operation RADIUS server generally uses proxy function of the devices like access server to perform user authentication The operation process is as follows First the user send request message the client username and encrypted password is included in the message to RADIUS server Second the user will receive from RADIUS server various kinds of response messages in which the ACCE...

Page 590: ...name and password to the TACACS server for authentication as shown in the following figure TACACS Server 129 7 66 66 TACACS Server 129 7 66 67 User Terminal User TACACS Client TACACS Server 129 7 66 66 TACACS Server 129 7 66 67 User Terminal User TACACS Client Figure 40 1 Network diagram for TACACS II Basic message exchange procedures in TACACS For example use TACACS to implement authentication au...

Page 591: ...erver z The TACACS server sends back the authorization response indicating that the user has passed the authorization z Upon receipt of the response indicating an authorization success the TACACS client pushes the configuration interface of the switch to the user z The TACACS client sends a start accounting request to the TACACS server z The TACACS server sends back an accounting response indicati...

Page 592: ...cation start packet Authentication response packet requesting username The user inputs username Authentication continuance packet sending username to the server Authentication response packet requesting password Requests the user for password User inputs the password Authentication continuance packet sending password to the server Authentication response packet Authentication succeeds Authorizatio...

Page 593: ...s Internet Service Provider ISP domain To make it simple ISP domain is a group of users belonging to the same ISP Generally for a username in the userid isp name format taking gw20010608 3Com163 net as an example the isp name i e 3Com163 net following the is the ISP domain name When a Switch 8800 controls user access as for an ISP user whose username is in userid isp name format the system will ta...

Page 594: ...scheme ISP domain state maximum number of supplicants accounting optional enable disable state address pool definition IP address assignment for PPP domain users and user idle cut enable disable state where z The adopted RADIUS scheme is the one used by all the users in the ISP domain The RADIUS scheme can be used for RADIUS authentication or accounting By default the default RADIUS scheme is used...

Page 595: ...sed by an ISP domain undo scheme radius scheme TACACS scheme none Specify the ISP domain state to be used state active block Set a limit to the amount of supplicants access limit disable enable max user number Restore the limit to the default setting undo access limit Enable accounting to be optional accounting optional Disable accounting to be optional undo accounting optional Set the idle idle c...

Page 596: ...ice server URL self service url disable By default self service server URL is not configured on the switch Note that if is contained in the URL you must replace it with when inputting the URL in the command line The Change user password option is available only when the user passes the authentication otherwise this option is in grey and unavailable 40 2 4 Creating Deleting a Local User A local use...

Page 597: ...d cipher force means that the password display mode of all the accessing users must be in cipher text II Setting Removing the attributes of a local user Perform the following configuration in local user view Table 40 7 Set Remove the attributes concerned with a specified user Operation Command Set a password for a specified user password simple cipher password Remove the password set for the speci...

Page 598: ...n Command Disconnect a user by force cut connection all access type dot1x gcm mac authentication domain domain name interface interface type interface number ip ip address mac mac address radius scheme radius scheme name vlan vlanid ucibindex ucib index user name user name 40 2 7 Configuring Dynamic VLAN Delivering Dynamic VLAN delivering enables an Ethernet switch to monitor network resources ava...

Page 599: ...Server To make these parameters take effect on an ISP domain you must configure the ISP domain to use the RADIUS scheme configured with these parameters in ISP domain view For more about the configuration commands refer to the AAA Configuration section above The following sections describe RADIUS protocol configuration tasks z Creating Deleting a RADIUS scheme z Setting IP Address and Port Number ...

Page 600: ...radius server name Delete a RADIUS server group undo radius scheme radius server name Several ISP domains can use a RADIUS server group at the same time You can configure up to 16 RADIUS schemes including the default server group named as System By default the system has a RADIUS scheme named system whose attributes are all default values 40 3 2 Setting IP Address and Port Number of a RADIUS Serve...

Page 601: ...dary authentication Set IP address and port number of secondary RADIUS accounting server secondary accounting ip address port number Restore IP address and port number of secondary RADIUS accounting server or server to the default values undo secondary accounting By default as for the system RADIUS scheme created by the system The IP address of the primary authentication server is 127 0 0 1 and th...

Page 602: ...arlier RADIUS TACACS Servers authentication authorization port number is often set to 1645 and accounting port number is 1646 The RADIUS TACACS service port settings on the Switch 8800 are supposed to be consistent with the port settings on the RADIUS server Normally RADIUS accounting service port is 1813 and the authentication authorization service port is 1812 Note For a Switch 8800 the default ...

Page 603: ... RADIUS server Operation Command Set response timeout timer of RADIUS server timer second Restore the response timeout timer of RADIUS server to default value undo timer By default timeout timer of a RADIUS server is 3 seconds 40 3 5 Setting the Retransmission Times of RADIUS Request Packets Since RADIUS protocol uses UDP packet to carry the data the communication process is not reliable If the RA...

Page 604: ...me Accounting Interval To implement real time accounting it is necessary to set a real time accounting interval After the attribute is set NAS will transmit the accounting information of online users to the RADIUS server regularly You can use the following command to set a real time accounting interval Perform the following configuration in RADIUS scheme view Table 40 16 Set a real time accounting...

Page 605: ...ounting request failing to be responded NAS will disconnect the user if it has not received real time accounting response from RADIUS server for some specified times You can use the following command to set the maximum times of real time accounting request failing to be responded Perform the following configuration in RADIUS scheme view Table 40 18 Set the maximum times of real time accounting req...

Page 606: ...undo stop accounting buffer enable By default the stopping accounting request will be saved in the buffer 40 3 10 Setting the Maximum Retransmitting Times of Stopping Accounting Request Because the stopping accounting request concerns account balance and will affect the amount of charge which is very important for both the subscribers and the ISP NAS shall make its best effort to send the message ...

Page 607: ...matter it is an authentication authorization server or accounting server if the primary is disconnected to NAS for some fault NAS will automatically turn to exchange packets with the secondary server However after the primary one recovers NAS will not resume the communication with it at once instead it continues communicating with the secondary one When the secondary one fails to communicate NAS w...

Page 608: ...thout domain Note If a RADIUS scheme is configured not to allow usernames including ISP domain names the RADIUS scheme shall not be simultaneously used in more than one ISP domain Otherwise the RADIUS server will regard two users in different ISP domains as the same user by mistake if they have the same username excluding their respective domain names By default as for the newly created RADIUS sch...

Page 609: ...RADIUS authentication server local server nas ip ip address key password Delete a local RADIUS authentication server undo local server nas ip ip address By default the IP address of local RADIUS authentication server group is 127 0 0 1 and the password is 3Com When using local RADIUS server function note that 1 The number of UDP port used for authentication authorization is 1645 and that for accou...

Page 610: ...rver has no key In the above configuration tasks creating TACACS scheme and configuring TACACS authentication authorization server are required all other tasks are optional and you can determine whether to perform these configurations as needed 40 4 1 Creating a HWTACAS Scheme As aforementioned TACACS protocol is configured scheme by scheme Therefore you must create a TACACS scheme and enter TACAC...

Page 611: ...d secondary authentication servers cannot use the same IP address The default port number is 49 If you execute this command repeatedly the new settings will replace the old settings A TACACS scheme authentication server can be deleted only when no active TCP connection used to send authentication packets is using the server 40 4 3 Configuring TACACS Authorization Servers Perform the following conf...

Page 612: ... 29 Configure TACACS accounting servers Operation Command Configure the primary TACACS accounting server primary accounting ip address port Delete the primary TACACS accounting server undo primary accounting Configure the secondary TACACS accounting server secondary accounting ip address port Delete the secondary TACACS accounting server undo secondary accounting Do not configure the same IP addre...

Page 613: ...ckets sent by the NAS Operation Command Configure the source address for TACACS packets sent from the NAS TACACS view nas ip ip address Delete the configured source address for TACACS packets sent from the NAS TACACS view undo nas ip Configure the source address for TACACS packets sent from the NAS System view TACACS nas ip ip address Cancel the configured source address for TACACS packets sent fr...

Page 614: ...and resend it to the TACACS server Perform the following configuration in TACACS view Table 40 33 Set the username format acceptable to the TACACS server Operation Command Send username with domain name user name format with domain Send username without domain name user name format without domain By default each username sent to a TACACS server contains a domain name 40 4 8 Setting the Unit of Dat...

Page 615: ...CS server Operation Command Set the quiet timer for the primary TACACS server timer quiet minutes Restore the default setting undo timer quiet The timer quiet command is used to make the switch ignore users requests for server within the time configured in this command in case the communication between the switch and the server is terminated In that case the switch can send users requests to the s...

Page 616: ... The following table lists the numbers of users and the recommended intervals Table 40 38 Numbers of users and the recommended intervals Number of users Real time accounting interval in minutes 1 to 99 3 100 to 499 6 500 to 999 12 ƒ1000 ƒ15 The real time accounting interval defaults to 12 minutes 40 5 Displaying and Debugging AAA and RADIUS Protocol After the above configuration execute display co...

Page 617: ...tistics Display the stop accounting requests saved in buffer without response display stop accounting buffer radius scheme radius scheme name session id session id time range start time stop time user name user name Reset the statistics of RADIUS server reset radius statistics Display the specified or all the TACACS schemes display TACACS TACACS server name Display the TACACS stop accounting reque...

Page 618: ...CACS protocol and 802 1x protocol refer to section 39 4 802 1x Configuration Example It will not be detailed here 40 6 1 Configuring Authentication at Remote RADIUS Server Note Configuring Telnet user authentication at the remote server is similar to configuring FTP users The following description is based on Telnet users I Network Requirements In the environment as illustrated in the following fi...

Page 619: ...to User Interface Configuration of Getting Started Operation in this manual Configure remote authentication mode for the Telnet user i e scheme mode SW8800 ui vty0 4 authentication mode scheme Configure domain SW8800 domain cams SW8800 isp cams quit Configure RADIUS scheme SW8800 radius scheme cams SW8800 radius cams primary authentication 10 110 91 146 1812 SW8800 radius cams key authentication e...

Page 620: ...eting a Local RADIUS authentication Server 40 6 3 Configuring Authentication at Remote TACACS Server I Network requirements Configure the switch to use a TACACS server to provide authentication and authorization services to login users see the following figure Connect the switch to one TACACS server which acting as a AAA server with the IP address 10 110 91 164 On the switch set the shared key for...

Page 621: ... hwtac 40 7 Troubleshooting AAA and RADIUS TACACS RADIUS TACACS protocol is located on the application layer of TCP IP protocol suite It mainly specifies how to exchange user information between NAS and RADIUS TACACS server of ISP So it is very likely to be invalid I Symptom User authentication authorization always fails Solution z The username may not be in the userid isp name format or NAS has n...

Page 622: ...ss of the corresponding RADIUS TACACS server may not have been set on NAS Please set a proper IP address for RADIUS TACACS server z UDP ports of authentication authorization and accounting services may not be set properly So make sure they are consistent with the ports provided by RADIUS TACACS server III Symptom After being authenticated and authorized the user cannot send charging bill to the RA...

Page 623: ...he Layer 3 Switch implementing communication between the host and the external network If Switch is down all the hosts on this segment taking Switch as the next hop on the default route will be disconnected from the external network Ethernet Switch Host 1 Host 2 Host 3 10 100 10 7 10 100 10 8 10 100 10 9 10 100 10 1 Network Figure 41 1 Network diagram for LAN VRRP designed for LANs with multicast ...

Page 624: ...switch They configure their own default routes as the IP address of this virtual router 10 100 10 1 Therefore hosts within the network will communicate with the external network through this virtual router If a Master switch in the virtual group breaks down another Backup switch will function as the new Master switch to continue serving the host with routing to avoid interrupting the communication...

Page 625: ...ping the virtual IP address is disabled You should set the ping function before configuring the virtual router If a virtual router is already established on the switch you cannot perform this configuration any more 41 2 2 Enabling Disabling the Check of TTL Value of VRRP Packet This operation configures whether to check TTL value of VRRP packet on the switch The TTL value must be 225 If the switch...

Page 626: ...ult the virtual IP address of the virtual router corresponds to the virtual MAC address You should set correspondence between the virtual IP address of the virtual router and the MAC address before configuring the virtual router Otherwise you cannot configure the correspondence If you set correspondence between the IP address of the virtual router and the real MAC address you can configure only on...

Page 627: ... its priority in VRRP The switch with the highest priority will become the Master Perform the following configuration in VLAN interface view Table 41 5 Configure the priority of switches in the virtual router Operation Command Configure the priority of switches in the virtual router vrrp vrid virtual router ID priority priority Clear the priority of switches in the virtual router undo vrrp vrid vi...

Page 628: ...er ID preempt mode timer delay delay value Disable the preemption mode undo vrrp vrid virtual router ID preempt mode The delay ranges from 0 to 255 measured in seconds By default the preemption mode is preemption with a delay of 0 second Note If preemption mode is cancelled the delay time will automatically become 0 second 41 2 7 Configuring Authentication Type and Authentication Key VRRP provides...

Page 629: ...irtual router 41 2 8 Configuring Virtual Router Timer The Master switch advertises its normal operation state to the switches within the VRRP virtual router by sending them VRRP packets regularly at adver interval And the backup switch only receives VRRP packets If the Backup has not received any VRRP packet from the Master after a period of time specified by master down interval it will consider ...

Page 630: ...luding the interface will reduce automatically by the value specified by value reduced thus resulting in comparatively higher priorities of other switches within the virtual router one of which will turn to Master switch so as to track this interface Perform the following configuration in VLAN interface view Table 41 9 Configure switch to track a specified interface Operation Command Configure the...

Page 631: ... statistics information about VRRP reset vrrp statistics vlan interface interface num virtual router ID Enable VRRP debugging debugging vrrp state packet error Disable VRRP debugging undo debugging vrrp state packet error You can enable VRRP debugging to check its running You may choose to enable VRRP packet debugging option as packet VRRP state debugging option as state and or VRRP error debuggin...

Page 632: ...for VRRP configuration III Configuration Procedure Configure switch A Configure VLAN 2 LSW A vlan 2 LSW A vlan2 interface vlan 2 LSW A vlan interface2 ip address 202 38 160 1 255 255 255 0 LSW A vlan interface2 quit Configure VRRP LSW A vrrp ping enable LSW A interface vlan 2 LSW_A vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 LSW_A vlan interface2 vrrp vrid 1 priority 110 LSW A vlan inter...

Page 633: ...hat it can resume its gateway function as the Master after recovery 41 4 2 VRRP Tracking Interface Example I Networking requirements Even when switch A is still functioning it may want switch B to function as gateway when the Internet interface connected with it does not function properly This can be implemented by configuration of tracking interface In simple language the virtual router ID is set...

Page 634: ...eate a virtual router LSW B interface vlan 2 LSW_B vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set the authentication key for the virtual router LSW_B vlan interface2 vrrp authentication mode md5 switch Set Master to send VRRP packets every 5 seconds LSW_B vlan interface2 vrrp vrid 1 timer advertise 5 Under normal conditions switch A functions as the gateway but when the interface vlan i...

Page 635: ...tual router 1 LSW_A vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set the priority for the virtual router LSW_A vlan interface2 vrrp vrid 1 priority 150 Create virtual router 2 LSW_A vlan interface2 vrrp vrid 2 virtual ip 202 38 160 112 Configure switch B Configure VLAN2 LSW B vlan 2 LSW B vlan2 interface vlan 2 LSW B vlan interface2 ip address 202 38 160 2 255 255 255 0 Create virtual rou...

Page 636: ...d be resorted to II Fault 2 More than one Masters existing within the same virtual router There are also 2 reasons One is short time coexistence of many Master switches which is normal and needs no manual intervention Another is the long time coexistence of many Master switches which may be because switches in the virtual router cannot receive VRRP packets from each other or receive some illegal p...

Page 637: ...can recover as soon as possible The Switch 8800 supports hot swap of Fabric and slave board The hot swap of Fabricss will cause master slave switchover The Switch 8800 supports manual master slave switchover You can change the current board state manually by executing command The configuration file of slave is copied from the Fabric at the same time This can ensure that the slave system continues ...

Page 638: ...to operate in place of the Fabric After the switchover the slave board will control the system and the original Fabric will be forced to reset Perform the following configuration in user view Table 42 2 Start the master slave switchover manually Operation Command Start the master slave switchover manually slave switchover The switchover manually will be ineffective if user set the system forbid ma...

Page 639: ...Perform the following configuration in user view Table 42 4 Synchronize the configuration file manually Operation Command Synchronize the configuration file manually slave update configuration This operation can backup the configuration file to the slave board only if a slave system is available The configuration file will be fully copied once at every time the operation is executed 42 2 5 Configu...

Page 640: ... the configuration Execute debugging command in user view to enable HA module debugging function Perform the following configuration in relevant view Table 42 6 Display and debug HA configuration Operation Command Display the status of the Fabric and slave board any view display switchover state slot id Display the load mode of the Fabric and slave board system view display xbar Enable the debuggi...

Page 641: ...ribe the file system configuration tasks z Directory Operation z File Operation z Storage Device Operation z Note The error message Device can t be found or file can t be found in the directory can indicate that the CF card is not formatted z Setting the Prompt Mode of the File System Note The Switch 8800 supports master board and slave board The two boards both have file system User can operate t...

Page 642: ...ory cd directory 43 1 3 File Operation The file system can be used to delete or undelete a file and permanently delete a file Also it can be used to display file contents rename copy and move a file and display the information about a specified file You can use the following commands to perform file operations Perform the following configuration in user view Table 43 2 File operation Operation Com...

Page 643: ...directory name and file name is 136 characters z The move command takes effect only when the source and destination files are in the same device 43 1 4 Storage Device Operation The file system can be used to format a specified memory device You can use the following commands to format a specified memory device Switch supports compact flash CF card After a CF card is inserted successfully you can u...

Page 644: ... of commands is based on command views The commands in the same command mode are sorted in one section The sections are separated with a blank line or a comment line A comment line begins with exclamation mark z Generally the sections in the file are arranged in the following order system configuration Ethernet port configuration vlan interface configuration routing protocol configuration and so o...

Page 645: ...et switch display current configuration controller interface interface type interface number configuration configuration begin exclude include regular expression Display the running configuration of the current view display this Note The configuration files are displayed in their corresponding saving formats 43 2 3 Modifying and Saving the Current Configuration You can modify the current configura...

Page 646: ...iguration files in flash are damaged A common case is that a wrong configuration file has been downloaded 43 2 5 Configuring the Name of the Configuration File Used for the Next Startup Perform the following configuration in user view Table 43 8 Configure the name of the configuration file used for the next startup Operation Command Configure the name of the configuration file used for the next st...

Page 647: ... FTP services z FTP server You can run FTP client program to log in the server and access the files on it z FTP client You can run the ftp X X X X command where X X X X represents the IP address of the remote FTP server to set up a connection between the Ethernet switch and a remote FTP server to access the files on the remote server Switch PC Network Switch Switch PC Network Figure 43 1 FTP confi...

Page 648: ...te for normal FTP function is that the switch and PC are reachable 43 3 2 Enabling Disabling FTP Server You can use the following commands to enable disable the FTP server on the switch Perform the following configuration in system view Table 43 12 Enable disable FTP Server Operation Command Enable the FTP server ftp server enable Disable the FTP server undo ftp server FTP server supports multiple...

Page 649: ...or local user local user view service type ftp ftp directory directory lan access telnet level level Cancel password for local user local user view undo password Cancel service type for local user local user view undo service type ftp ftp directory lan access telnet level level Only the clients who have passed the authentication and authorization successfully can access the FTP server 43 3 4 Confi...

Page 650: ...ected FTP users 43 3 6 Disconnecting an FTP User Perform the following configuration in system view Table 43 16 Disconnect an FTP user Operation Command Disconnect an FTP user ftp disconnect user name 43 3 7 Introduction to FTP Client As an additional function provided by Ethernet switch FTP client is an application module and has no configuration functions The switch connects the FTP clients and ...

Page 651: ...read and write authority over the Switch directory on the PC 2 Configure the switch Log into the switch through the Console port locally or Telnet remotely Then type in the right command in user view to establish FTP connection then correct username and password to log into the FTP server SW8800 ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 service by Texas Imperial Software rea...

Page 652: ...es as FTP server and the remote PC as FTP client The configuration on FTP server Configure an FTP user named as switch with password hello and with read write authority over the flash root directory on the PC The IP address of a VLAN interface on the switch is 1 1 1 1 and that of the PC is 2 2 2 2 The switch and PC are reachable The switch application switch app is stored on the PC Using FTP the P...

Page 653: ...FTP Overview Trivial File Transfer Protocol TFTP is a simple file transmission protocol It is initially designed for the booting of free disk systems work stations or X terminals in general Compared with FTP another file transmission protocol TFTP has no complicated interactive access interface or authentication control and therefore it can be used when there is no complicated interaction between ...

Page 654: ...er Switch Use the tftp command to log into the remote TFTP server for file uploading and downloading PC Start TFTP server and set authorized TFTP directory 43 4 2 Downloading Files by Means of TFTP To download a file the client sends a request to the TFTP server and then receives data from it and sends acknowledgement to it You can use the following commands to download files by means of TFTP Perf...

Page 655: ...server 43 4 4 TFTP Client Configuration Example I Network requirements The switch serves as TFTP client and the remote PC as TFTP server Authorized TFTP directory is set on the TFTP server The IP address of a VLAN interface on the switch is 1 1 1 1 and that of the PC is 1 1 1 2 The switch application switch app is stored on the PC Using TFTP the switch can download the switch app from the remote T...

Page 656: ...n this VALN VLAN 1 in this example SW8800 interface vlan 1 SW8800 vlan interface1 ip address 1 1 1 1 255 255 255 0 SW8800 vlan interface1 quit Enter system view and download the switch app from the TFTP server to the Flash Memory of the switch SW8800 tftp 1 1 1 2 get switch app switch app Upload the vrpcfg cfg to the TFTP server SW8800 tftp 1 1 1 2 put vrpcfg cfg vrpcfg cfg Use the boot boot loade...

Page 657: ...rwise it will add the new MAC address and the corresponding forwarding port as a new entry to the table The system forwards the packets whose destination addresses can be found in the MAC address table directly through the hardware and broadcasts those packets whose addresses are not contained in the table The network device will respond after receiving a broadcast packet and the response contains...

Page 658: ... add modify or delete the entries in MAC address table Perform the following configuration in system view Table 44 1 Set MAC address table entries Operation Command Add Modify an address entry mac address static dynamic mac addr interface interface name interface type interface num vlan vlan id Delete an address entry undo mac address static dynamic mac addr interface interface name interface type...

Page 659: ...ommand performs no aging on the MAC address entries Caution The dynamic MAC address aging is completed during the second aging cycle 44 3 Maximum MAC Address Number Learned by Ethernet Port and Forwarding Option Configuration With MAC address learning an Ethernet switch can obtain MAC addresses of every network devices on network segments connecting to a port As for packets destined to those MAC a...

Page 660: ...bitEthernet port Ethernet port view prompt is related to the port you choose 3 Set the maximum number of MAC addresses learned by an Ethernet port SW8800 EthernetX 1 X mac address max mac count count or SW8800 GigabitEther netX 1 X mac address max mac count count By default the switch has no limit on the maximum number of MAC addresses learned by a port 4 Set the switch to drop the packets whose s...

Page 661: ...quirements z Set the maximum number of MAC addresses learned by Ethernet port Ethernet3 1 3 to 600 z Set the switch to drop the packets whose source MAC addresses are not learned by the port when the number of MAC addresses learned exceeds 600 II Configuration procedure 1 Enter system view SW8800 system view SW8800 2 Enter Ethernet port view SW8800 interface ethernet 3 1 3 3 Set the maximum number...

Page 662: ...splay mac address aging time 44 5 Resetting MAC Addresses After configuration use the reset mac address command in user view to reset the configured mac address table information Table 44 5 Reset MAC addresses Operation Command Reset mac address table information reset mac address all dynamic static interface interface_type interface_num interface_name Vlan vlan_number 44 6 MAC Address Table Manag...

Page 663: ...VLAN port and state SW8800 mac address static 00e0 fc35 dc71 interface ethernet2 1 2 vlan 1 Set the address aging time to 500s SW8800 mac address timer 500 Display the MAC address configurations in any view SW8800 display mac address interface ethernet2 1 2 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME s 00 e0 fc 35 dc 71 1 Static Ethernet2 1 2 NOAGED 00 e0 fc 17 a7 d6 1 Learned Ethernet2 1 2 500 0...

Page 664: ...of the switch The following sections describe the configuration tasks for device management z Rebooting the Ethernet Switch z Enabling the Timing Reboot Function z Designating the APP Adopted on Next Booting z Upgrading BootROM z Setting Slot Temperature Limit z Updating Service Processing Boards 45 2 1 Rebooting the Ethernet Switch It would be necessary for users to reboot the Ethernet switch whe...

Page 665: ...ng the APP Adopted on Next Booting APP refers to the host application deployed on switch In the case that there are several APPs in the Flash Memory you can use this command to designate the APP adopted when booting the Ethernet switch next time Perform the following configuration in user view Table 45 3 Designate the APP adopted when booting the Ethernet switch next time Operation Command Designa...

Page 666: ... the No is the slave board number For example suppose slot 1 is slave board text txt file URL on slave board should be slot1 flash text txt When you are upgrading the BootROM on a slave board the boot code file must be present in the local flash 45 2 5 Setting Slot Temperature Limit The switch system alarms when the temperature on a slot exceeds the preset limit Perform the following configuration...

Page 667: ... can indicate that the CF card is not formatted Perform the following configuration in system view Table 45 6 Update service processing boards Operation Command Download the host software of service processing board to the system memory update l3plus slot slot no filename file name ftpserver server name username user name password password port port num 45 3 Displaying and Debugging Device Managem...

Page 668: ...tch root directory on the PC The IP address of a VLAN interface on the switch is 1 1 1 1 and the IP address of the PC is 2 2 2 2 The switch and PC are reachable with each other The switch applications switch app and boot app are stored on the PC Using FTP these files can be downloaded from the remote FTP server to the switch II Network diagram Switch PC Network Switch Switch PC Network Figure 45 1...

Page 669: ...rd please Password 230 Logged in successfully ftp Enter the authorized directory of the FTP server ftp cd switch Use the get command to download the switch app and boot app files from the FTP server to the flash directory on the FTP client ftp get switch app ftp get boot app Use the quit command to release FTP connection and return to user view ftp quit SW8800 Upgrade the BootROM of main board 0 S...

Page 670: ...t on the switch can be downloaded to the PC as a backup II Network diagram Switch PC Network Switch Switch PC Network Figure 45 2 Network diagram for FTP configuration III Configuration procedure 1 Configure the switch Log into the switch through the console port locally or through telnet remotely refer to the getting start module for details about the login modes SW8800 Enable FTP on the switch c...

Page 671: ...ram in the flash before uploading the new one into the flash of the switch 3 After uploading performs upgrading on the switch SW8800 You can use the boot boot loader command to specify the new file as the application program on the next booting and reboot the switch to implement the upgrading of the application program SW8800 boot boot loader switch app SW8800 reboot ...

Page 672: ...mand in the system view Table 46 1 set a name for a Switch Operation Command Set the switch name sysname sysname Restore the switch name to default value undo sysname 46 1 2 Setting the System Clock Perform the following configuration in user view Table 46 2 Set the system clock Operation Command Set the system clock clock datetime HH MM SS YYYY MM DD 46 1 3 Setting the Time Zone You can configure...

Page 673: ... time end date offset time Remove the setting of the summer time undo clock summer time By default the summer time is not set 46 2 Displaying the State and Information of the System The switch provides the display command for displaying the the system state and statistics information For the display commands related to each protocols and different ports refer to the relevant chapters The following...

Page 674: ...he supported protocols and functions which can help you diagnose and address the errors The following switches can control the outputs of the debugging information z Protocol debugging switch controls the debugging output of a protocol z Terminal debugging switch controls the debugging output on a specified user screen The figure below illustrates the relationship between two switches 1 2 3 Protoc...

Page 675: ...able the debugging without necessity especially use the debugging all command with caution When the debugging is over disable all the debugging 46 3 2 Displaying Diagnostic Information When the Ethernet switch does not run well you can collect all sorts of information about the switch to locate the source of fault However each module has its corresponding display command you can use display diagno...

Page 676: ...uest time out information appears Otherwise the data bytes the packet sequence number TTL and the round trip time of the response packet will be displayed z The final statistics including the number of the packets the switch sent out and received the packet loss ratio the round trip time in its minimum value mean value and maximum value 46 4 2 ping distribute enable Use the ping distribute enable ...

Page 677: ...ion Command Trace route tracert a source IP f first TTL m max TTL p port q num packet vpn instance vpn instance name w timeout string 46 5 Logging Function 46 5 1 Introduction to Info center The Info center is an indispensable part of the Ethernet switch It serves as an information center of the system software modules The logging system is responsible for most of the information outputs and it al...

Page 678: ...t of timestamp is Mmm dd hh mm ss yyyy Mmm is month field such as Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec dd is day field if the day is little than 10th one blank should be added such as 7 hh mm ss is time field hh is from 00 to 23 mm and ss are from 00 to 59 yyyy is year field 4 Sysname The sysname is the host name the default value is SW8800 User can change the host name through sysname ...

Page 679: ...private LAN service drive module ETH Ethernet module FTPS FTP server module HA High availability module IFNET Interface management module IGSP IGMP snooping module IP Internet protocol module ISIS Intermediate system to intermediate system intradomain routing protocol module L2INF L2 interface management module L2V L2 VPN module LACL LAN switch ACL module LDP label distribution protocol module LIN...

Page 680: ...M Routing management module RMON Remote monitor module RSA RSA Revest Shamir and Adleman encryption module RTPRO Routing protocol module SHELL User interface module SNMP Simple network management protocol module SOCKET Socket module SSH Secure shell module SYSM System manage veneer module SYSMIB System MIB module TAC Terminal access controller module TELNET Telnet module USERLOG User calling loggi...

Page 681: ...lue Description emergencies 1 The extremely emergent errors alerts 2 The errors that need to be corrected immediately critical 3 Critical errors errors 4 The errors that need to be concerned but not critical warnings 5 Warning there might exist some kinds of errors notifications 6 The information should be concerned informational 7 Common prompting information debugging 8 Debugging information Not...

Page 682: ... language can be selected between Chinese and English 1 Sending the configuration information to the loghost Table 46 14 Send the configuration information to the loghost Device Configuration Default value Configuration description Enable info center By default info center is enabled Other configurations are valid only if the info center is enabled Set the information output direction to the logho...

Page 683: ... display function 3 Sending the configuration information to the monitor terminal Table 46 16 Send the configuration information to the monitor terminal Device Configuration Default value Configuration description Enable info center By default info center is enabled Other configurations are valid only if the info center is enabled Set the information output direction to the monitor Set information...

Page 684: ...ormation to the trap buffer Table 46 18 Send the configuration information to the trap buffer Device Configuration Default value Configuration description Enable info center By default info center is enabled Other configurations are valid only if the info center is enabled Set the information output direction to the trapbuffer You can configure the size of the trap buffer at the same time Switch S...

Page 685: ... SNMP configuration of the switch 46 5 3 Sending the Configuration Information to the Loghost To send configuration information to the loghost follow the steps below 1 Enabling info center Perform the following configuration in system view Table 46 20 Enable disable info center Operation Command Enable info center info center enable Disable info center undo info center enable Note Info center is e...

Page 686: ...information type information level and so on Perform the following configuration in system view Table 46 22 Define information source Operation Command Define information source info center source modu name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Cancel the configuration of information source undo i...

Page 687: ...the time stamp output format of trap information This configuration will affect the timestamp of the displayed information Perform the following configuration in system view Table 46 23 Configure the output format of time stamp Operation Command Configure the output format of the time stamp info center timestamp log trap debugging boot date none Output time stamp is disabled undo info center times...

Page 688: ...m view Table 46 26 Define information source Operation Command Define information source info center source modu name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Cancel the configuration of information source undo info center source modu name default all channel channel number channel name modu name spe...

Page 689: ...e output format of the time stamp info center timestamp log trap debugging boot date none Output time stamp is disabled undo info center timestamp log trap debugging 4 Enable terminal display function To view the output information at the console terminal you must first enable the corresponding log debugging and trap information functions at the switch For example if you have set the log informati...

Page 690: ...o center is enabled system performances are affected when the system processes much information because of information classification and outputting 2 Configuring to output information to Telnet terminal or dumb terminal Perform the following configuration in system view Table 46 30 Configure to output information to Telnet terminal or dumb terminal Operation Command Output information to Telnet t...

Page 691: ...erminal or dumb terminal channel number or channel name must be set to the channel that corresponds to monitor direction Every channel has been set with a default record whose module name is default and the module number is 0xffff0000 However for different channels the default record may have different default settings of log trap and debugging When there is no specific configuration record for a ...

Page 692: ...the terminal display function and the terminal logging command to enable the terminal display function of log information on the switch then you can view the information at the Telnet terminal or dumb terminal Perform the following configuration in user view Table 46 33 Enable terminal display function Operation Command Enable terminal display function of log debugging and trap information termina...

Page 693: ... Operation Command Output information to log buffer info center logbuffer channel channel number channel name size buffersize Cancel the configuration of outputting information to log buffer undo info center logbuffer channel size 3 Configuring information source on the switch By this configuration you can define the information that sent to log buffer is generated by which modules information typ...

Page 694: ...specific configuration record for a module in the channel use the default one Note If you want to view the debugging information of some modules on the switch you must select debugging as the information type when configuring information source meantime using the debugging command to turn on the debugging switch of those modules You can use the following commands to configure log information debug...

Page 695: ...is generated by which modules information type information level and so on Perform the following configuration in system view Table 46 40 Define information source Operation Command Define information source info center source modu name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Cancel the configuratio...

Page 696: ... can use the following commands to configure log information debugging information and the time stamp output format of trap information This configuration will affect the timestamp of the displayed information Perform the following configuration in system view Table 46 41 Configuring the output format of time stamp Operation Command Configure the output format of the time stamp info center timesta...

Page 697: ... information level and so on Perform the following configuration in system view Table 46 44 Define information source Operation Command Define information source info center source modu name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Cancel the configuration of information source undo info center sourc...

Page 698: ...on Perform the following configuration in system view Table 46 45 Configure the output format of time stamp Operation Command Configure the output format of the time stamp info center timestamp log trap debugging boot date none Output time stamp is disabled undo info center timestamp log trap debugging 4 Configuring of SNMP and network management workstation on the switch You have to configure SNM...

Page 699: ...everity Display the attribute of trapbuffer and the information recorded in trapbuffer display trapbuffer summary level levelnum emergencies alerts critical debugging errors informational notifications warnings size sizenum Clear information in memory buffer reset logbuffer Clear information in trap buffer reset trapbuffer 46 5 10 Configuration Examples of Sending Log to the Unix Loghost I Network...

Page 700: ... on SunOS 4 0 Step 1 Perform the following command as the super user root mkdir var log SW8800 touch var log SW8800 information Step 2 Edit file etc syslog conf as the super user root add the following selector actor pairs SW8800 configuration messages local4 info var log SW8800 information Note Note the following points when editing etc syslog conf z The note must occupy a line and start with the...

Page 701: ... of the loghost is 202 38 1 10 z The information with the severity level above informational will be sent to the loghost z The output language is English z All modules are allowed to output information II Network diagram Switch PC Network Switch Switch PC Network Figure 46 3 Network diagram III Configuration procedure 1 Configuration on the switch Enable info center SW8800 info center enable Set t...

Page 702: ... the separator in selector actor pairs z No redundant space after file name z The device name and the acceptant log information level specified in etc syslog conf must be consistent with info center loghost and info center loghost a b c d facility configured on the switch Otherwise the log information probably cannot be output to the loghost correctly Step 3 After the establishment of information ...

Page 703: ...rminal z The output language is English The modules that allowed to output information are ARP and IP II Network diagram console PC Switch console PC Switch console PC Switch console PC Switch Figure 46 4 Network diagram III Configuration procedure 1 Configuration on the switch Enable info center SW8800 info center enable Configure console terminal log output allow modules ARP and IP to output inf...

Page 704: ...can be divided into two parts namely Network Management Station and Agent Network Management Station is the workstation for running the client program At present the commonly used NM platforms include Sun NetManager and IBM NetView Agent is the server software operated on network devices Network Management Station can send GetRequest GetNextRequest and SetRequest messages to the Agent Upon receivi...

Page 705: ...e figure the managed object B can be uniquely specified by a string of numbers 1 2 1 1 The number string is the Object Identifier of the managed object The current SNMP Agent of Ethernet switch supports SNMP V1 V2C and V3 The MIBs supported are listed in the following table Table 47 1 MIBs supported by the Ethernet Switch MIB attribute MIB content References MIB II based on TCP IP network device R...

Page 706: ...eting a View z Setting the Size of the SNMP Packet Sent Received by an Agent z Disabling SNMP Agent 47 3 1 Setting Community Names z SNMP V1 and SNMPV2C adopt the community name authentication scheme SNMP Community is named with a character string which is called community name SNMP community name defines the relationship between SNMP manager and SNMP agent The community name functions like a pass...

Page 707: ... as to contact the manufacturer in case the device is in trouble You can use the following command to set the contact information The location information of the Ethernet switch is a management variable of the system group in MIB which represents the location of the managed device Perform the following configuration in system view Table 47 3 Set the system information Operation Command Set the sys...

Page 708: ...LAN interface view undo enable snmp trap updown By default the current port or VLAN interface sends trap messages 47 3 4 Setting the Destination Address of Trap You can use the following commands to set or delete the destination address of the trap Perform the following configuration in system view Table 47 5 Set the destination address of trap Operation Command Set the destination address of trap...

Page 709: ...ult engine ID of the device undo snmp agent local engineid The engine ID of the device is in hexadecimal notation and has at least five characters which can be IP address MAC address or self defined text It defaults to the enterprise number the device information 47 3 7 Setting Deleting an SNMP Group You can use the following commands to set or delete an SNMP group Perform the following configurat...

Page 710: ...rm the following configuration in system view Table 47 10 Add Delete a user to from an SNMP group Operation Command Add a user to an SNMP group snmp agent usm user v1 v2c username groupname acl acl list snmp agent usm user v3 username groupname authentication mode md5 sha authpassstring privacy mode des56 privpassstring acl acl list Delete a user from an SNMP group undo snmp agent usm user v1 v2c ...

Page 711: ...eceived by an Agent You can use the following commands to set the size of SNMP packet sent received by an agent Perform the following configuration in system view Table 47 12 Set the size of the SNMP packet sent received by an agent Operation Command Set the size of the SNMP packet sent received by an agent snmp agent packet max size byte count Restore the default size of the SNMP packet sent rece...

Page 712: ...ormation in the group user table display snmp agent usm user engineid engineid group groupname username username Display the current community name display snmp agent community read write Display the current MIB view display snmp agent mib view exclude include viewname mib view Display the contact character strings location character strings and the SNMP version of the system display snmp agent sy...

Page 713: ...ddress of VLAN interface 2 as 129 102 0 1 SW8800 vlan 2 SW8800 vlan2 port gigabitethernet 2 1 3 SW8800 vlan2 interface vlan 2 SW8800 Vlan interface2 ip address 129 102 0 1 255 255 0 0 Enable SNMP agent to send the trap to network management station whose IP address is 129 102 149 23 The SNMP community is public SW8800 snmp agent trap enable standard authentication SW8800 snmp agent trap enable sta...

Page 714: ... 8800 Configuration Guide Chapter 47 SNMP Configuration 47 11 Users can query and configure the Ethernet switch through the network management system For details see the manuals for the network management products ...

Page 715: ... NMS and the agent thus facilitates an effective management over the large interconnected networks RMON allows multiple monitors It can collect data in two ways z One is to collect data with a special RMON probe NMS directly obtains the management information from the RMON probe and controls the network resource In this way it can obtain all the information of RMON MIB z Another way is to implant ...

Page 716: ...owing ways z Keeping logs z Sending the trap messages to NMS z Keeping logs and sending the trap messages to NMS Perform the following configuration in system view Table 48 1 Add delete an entry to from the event table Operation Command Add an entry to the event table rmon event event entry description string log trap trap community log trap log trapcommunity none owner rmon station Delete an entr...

Page 717: ...g them in the way described in the following table Table 48 3 Handling the alarm entry Case Processing The sampled value is greater than the configured upper limit threshold value1 The defined event event entry1 is triggered The sampled value is less than the configured lower limit threshold value2 The defined event event entry2 is triggered 48 2 3 Adding Deleting an Entry to from the Extended RMO...

Page 718: ...e with the configured threshold and handling them in the way described in the following table Table 48 5 Handling the extended alarm entry Case Processing The result is greater than the configured upper limit threshold value1 The defined event event entry1 is triggered The result is less than the configured lower limit threshold value2 The defined event event entry2 is triggered 48 2 4 Adding Dele...

Page 719: ...le 48 7 Add delete an entry to from the statistics table Operation Command Add an entry to the statistics table rmon statistics entry number owner text string Delete an entry from the statistics table undo rmon statistics entry number Statistics entry calculates the accumulated information starting from the time defined by an event You can use the display rmon history command to view the informati...

Page 720: ... Internet Figure 48 1 Network diagram for RMON configuration III Configuration procedure Configure RMON SW8800 Ethernet2 1 1 rmon statistics 1 owner 3Com rmon View the configurations in user view SW8800 display rmon statistics Ethernet 2 1 1 Statistics entry 1 owned by 3Com rmon is VALID Gathers statistics of interface Ethernet2 1 1 Received octets 270149 packets 1954 broadcast packets 1570 multic...

Page 721: ...3Com Switch 8800 Configuration Guide Chapter 48 RMON Configuration 48 7 Packets received according to length in octets 64 644 65 127 518 128 255 688 256 511 101 512 1023 3 1024 1518 0 ...

Page 722: ...them to reference the same clock and guarantee the right order of the event z Guarantee the normal operation of the inter system Remote Procedure Call z Record for an application when a user logs in to a system a file is modified or some other operation is performed 49 1 2 Basic Operating Principle of NTP The following figure illustrates the basic operating principle of NTP Network Network NTP pac...

Page 723: ...Ethernet Switch A collects enough information to calculate the following two important parameters z The delay for a round trip of an NTP packet traveling between the Switch A and B Delay T4 T1 T3 T2 z Offset of Ethernet Switch A clock relative to Ethernet Switch B clock offset T2 T1 T4 T3 2 In this way Ethernet Switch A uses the above information to set the local clock and synchronize it with the ...

Page 724: ... multicast server mode z Configure NTP multicast client mode I Configuring NTP Server Mode Set a remote server whose ip address is ip address as the local time server ip address specifies a host address other than a broadcast multicast or reference clock IP address In this case the local Ethernet Switch operates in client mode In this mode only the local client synchronizes its clock with the cloc...

Page 725: ... 1 to 4294967295 interface name or interface type interface number specifies an interface from which the source IP address of the NTP packets sent from the local Ethernet Switch to the peer will be taken the interface can be VLAN interface and Loopback interface priority indicates the peer will be the first choice for time server III Configuring NTP Broadcast Server Mode Designate an interface on ...

Page 726: ...d can only be configured on the interface where the NTP broadcast packets will be received V Configuring NTP Multicast Server Mode Designate an interface on the local Ethernet Switch to transmit NTP multicast packets In this case the local equipment operates in multicast mode and serves as a multicast server to multicast messages to its clients regularly Perform the following configuration in VLAN...

Page 727: ...NTP multicast client mode ntp service multicast client ip address Cancel NTP multicast client mode undo ntp service multicast client Multicast IP address ip address defaults to 224 0 1 1 this command can only be configured on the interface where the NTP multicast packets will be received Actually for the Switch 8800 you can set 224 0 1 1 as the multicast IP address only 49 2 2 Configuring NTP ID A...

Page 728: ...iable key undo ntp service reliable authentication keyid key number Key number key number ranges from 1 to 4294967295 49 2 5 Designating an Interface to Transmit NTP Messages If the local equipment is configured to transmit all the NTP messages these packets will have the same source IP address which is taken from the IP address of the designated interface Perform the following configuration in sy...

Page 729: ...ges from 1 to 15 The IP address defaults 127 127 1 0 and the stratum defaults to 8 49 2 7 Setting Authority to Access a Local Ethernet Switch Set authority to access the NTP services on a local Ethernet Switch This is a basic and brief security measure compared to authentication An access request will be matched with peer server server only and query only in an ascending order of the limitation Th...

Page 730: ...e the maximum number of local sessions undo ntp service max dynamic sessions number specifies the maximum number of local sessions ranges from 0 to 100 and defaults to 100 49 3 Displaying and Debugging NTP After completing the above configurations you can use the display command to show how NTP runs and verify the configurations according to the outputs In user view you can use the debugging comma...

Page 731: ...y5 Vlan interface2 1 0 1 12 Vlan interface2 3 0 1 31 Vlan interface2 3 0 1 32 Vlan interface2 3 0 1 33 1 0 1 2 3 0 1 2 Figure 49 2 Typical NTP configuration network diagram III Configuration procedure Configure Ethernet Switch SW88001 Enter system view SW88001 system view Set the local clock as the NTP master clock at stratum 2 SW88001 ntp service refclock master 2 Configure Ethernet Switch SW8800...

Page 732: ...n 49 29 ms Peer dispersion 10 94 ms Reference time 19 21 32 287 UTC Oct 24 2004 C5267F3C 49A61E0C By this time SW88002 has been synchronized by SW88001 and is at stratum 3 higher than SW88001 by 1 Display the sessions of SW88002 and you will see SW88002 has been connected with SW88001 SW88002 display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 LOCAL...

Page 733: ... SW88005 system view Set the local clock as the NTP master clock at stratum 1 SW88005 ntp service refclock master 1 After performing local synchronization set SW88004 as a peer SW88005 ntp service unicast peer 3 0 1 32 The above examples configure SW88004 and SW88005 as peers and configure SW88005 as in active peer mode and SW88004 in passive peer mode Since SW88005 is at stratum 1 and SW88004 is ...

Page 734: ...lock as the NTP master clock at stratum 2 and configure to broadcast packets from Vlan interface2 Configure SW88004 and SW88001 to listen to the broadcast from their Vlan interface2 respectively Note SW88003 supports to configure the local clock as the master clock II Network diagram See Figure 7 2 III Configuration procedure Configure Ethernet Switch SW88003 Enter system view SW88003 system view ...

Page 735: ...clock ID LOCAL 0 nominal frequency 100 0000 Hz actual frequency 100 0000 Hz clock precision 2 17 clock offset 0 0000 ms root delay 0 00 ms root dispersion 10 94 ms peer dispersion 10 00 ms reference time 20 54 25 156 UTC Mar 7 2002 C0325201 2811A112 By this time SW88004 has been synchronized by SW88003 and it is at stratum 3 higher than SW88003 by 1 Display the status of SW88004 sessions and you w...

Page 736: ...et Switch SW88004 Enter system view SW88004 system view Enter Vlan interface2 view SW88004 interface vlan interface 2 Enable multicast client mode SW88004 Vlan Interface2 ntp service multicast client Configure Ethernet Switch SW88001 Enter system view SW88001 system view Enter Vlan interface2 view SW88001 interface vlan interface 2 Enable multicast client mode SW88001 Vlan Interface2 ntp service m...

Page 737: ...ock at stratum 2 SW88001 ntp service refclcok master 2 Configure Ethernet Switch SW88002 Enter system view SW88002 system view Set SW88001 as time server SW88002 ntp service unicast server 1 0 1 11 Enable authentication SW88002 ntp service authentication enable Set the key SW88002 ntp service authentication keyid 42 authentication mode md5 aNiceKey Set the key as reliable SW88002 ntp service relia...

Page 738: ...0 Configuration Guide Chapter 49 NTP Configuration 49 17 SW88001 ntp service authentication keyid 42 authentication mode md5 aNiceKey Configure the key as reliable SW88001 ntp service reliable authentication keyid 42 ...

Page 739: ...eption attacks The switch can act as either SSH server or SSH client When used as an SSH server the switch supports multiple connections with SSH clients when used as an SSH client the switch supports SSH connections with the SSH server enabled switch UNIX hosts and so on Currently the switch supports SSH 2 0 Figure 50 1 and Figure 50 2 illustrate two methods for establishing an SSH channel betwee...

Page 740: ...s a RSA key pair randomly and sends the public key in the key pair to the client z The client uses the public key from the server and a random number generated locally in length of eight bytes as parameters to calculate the session key z Using the public key from the server the client encrypts the random number for calculating the session key and sends the result to the server z Using the local pr...

Page 741: ...erver z The server performs validity authentication on the member module If the authentication succeeds the server generates a random number encrypts it using the RSA public key from the client and sends the encrypted information back to the client z Both the server and the client uses the random number and the session ID with the length of 16 characters as parameters to calculate the authenticati...

Page 742: ...r rekey interval hours Optional By default the system does not update the server key 8 Configure the SSH authentication timeout SW8800 ssh server timeout seconds Optional By default it is 60 seconds 9 Configure the number of SSH authentication retries SW8800 ssh server authentication retries times Optional By default it is three times Enter public key view SW8800 rsa peer public key key name 10 Ge...

Page 743: ...pports all protocols Caution z If the supported protocol configured in the user interface is SSH make sure to configure the authentication mode for logging into the user interface to authentication mode scheme using AAA authentication mode z If the authentication mode is configured as authentication mode password or authentication mode none the configuration of protocol inbound ssh will fail and v...

Page 744: ...lace it III Configuring the user authentication mode Use this configuration task to specify the authentication mode for an SSH user You must specify an authentication mode for a new user otherwise the new user will not be able to log in Perform the following configuration in system view Table 50 4 Configure the authentication mode for an SSH user Operation Command Configure the authentication mode...

Page 745: ...eout undo ssh server timeout By default the authentication timeout is 60 seconds VI Configuring the number of authentication retries Use this configuration task to set the number of authentication retries an SSH user can request for a connection thereby preventing illegal behaviors such as malicious guessing Perform the following configuration in system view Table 50 7 Configure the number of SSH ...

Page 746: ... the public key code begin command to enter the public key edit view and input the public key of the client When inputting the public key you may type spaces between the characters the system will delete the spaces automatically or press Enter and then continue to input the key Note that the public key must be a hexadecimal string coded in the public key format Perform the following configuration ...

Page 747: ...nfiguration Guide Chapter 50 SSH Terminal Service 50 9 While the Generator is running move your mouse over the blank area of the window Save the pair of keys as publickey and privatekey File names are aaa pub and aaa pri ...

Page 748: ...E784 SW8800 rsa key code 49917115 DBBE5965 18BC245D AB066A87 3AE94D25 98383A35 SW8800 rsa key code 64A35FEC 7A69A650 DE1B73CE 18C50201 25 SW8800 rsa key code SW8800 rsa key code public key code end SW8800 rsa public key peer public key end Exit from editing the peer public key SW8800 rsa public key peer public key end SW8800 SW8800 dis rsa peer public key Key name aaa Key address Key Code 308186 0...

Page 749: ...Use this configuration task to specify an existing public key for an SSH user Perform the following configuration in system view Table 50 12 Specify the public key for an SSH user Operation Command Specify the public key for an SSH user ssh user username assign rsa key keyname Cancel the corresponding relationship between the user and the public key undo ssh user username assign rsa key XII Config...

Page 750: ...r_stoc_hmac sha1 sha1_96 md5 md5_96 II Specifying the public key of the server Use this configuration task to allocate a existent public key to the client Perform the following configuration in system view Table 50 15 Specify the public key of the server Operation Command Specify the public key of the server ssh client server ip assign rsa key keyname Cancel the corresponding relationship between ...

Page 751: ...erforming the debugging command in user view Table 50 17 Display information relevant to SSH Operation Command Display the public key of the host key pair and the server key pair of the server display rsa local key pair public Display the public key of the specified RSA key pair of the client display rsa peer public key brief name keyname Display the SSH status information and session information ...

Page 752: ... Set the user login authentication mode The following shows the configuration methods for both password authentication and RSA public key authentication z Password authentication Create the local user client001 and set the authentication mode of the user interface to AAA SW8800 user interface vty 0 4 SW8800 ui vty0 4 authentication mode scheme Specify the login protocol for user client001 as SSH S...

Page 753: ...ent software randomly generate an RSA key pair and send the public key to the server Configure the public key of the client Refer to Generating the Client Public Key for details SW8800 rsa peer public key SW8800002 SW8800 rsa public key public key code begin SW8800 rsa key code 308186028180739A291ABDA704F5D93DC8FDF84C427463 SW8800 rsa key code 1991C164B0DF178C55FA833591C7D47D5381D09CE82913 SW8800 ...

Page 754: ... SSH client III Configuration procedure Configure the client to perform the first time authentication of the server z Employ password authentication mode and start using the default encryption algorithm Log onto the SSH2 server with IP address 10 165 87 136 SW8800 ssh2 10 165 87 136 Please input the username sshuser1 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 Enter passw...

Page 755: ...rse engineering shall be allowed SW8800 Configure the client to authenticate the server for the first time SW8800 sys SW8800 ssh client first time enable Access the remote server and perform operations 50 2 SFTP Service 50 2 1 SFTP Overview Secure FTP is established on SSH connections which makes remote users able to securely log in to the switch and perform file management and transfer operations...

Page 756: ...Start the SFTP server Operation Command Start the SFTP server sftp server enable Shut down the SFTP server undo sftp server enable By default the SFTP server is shut down 50 2 3 SFTP Client Configuration The following table describes the SFTP client configuration tasks Table 50 20 SFTP client configuration tasks Num Item Command Description 1 Enter system view SW8800 system view 2 Starting the SFT...

Page 757: ...ir remote path Change the name of the specified file on the server sftp client rename oldname newname Download a file from the remote server sftp client get remote file local file Upload a local file to the remote server sftp client put local file remote file sftp client dir remote path Display the file list in the specified directory sftp client ls remote path sftp client remove remote file 5 SFT...

Page 758: ...tion in SFTP client view Table 50 22 Shut down the SFTP client Operation Command bye exit Shut down the SFTP client quit Note The three commands bye exit and quit have the same functionality You can also use the quit command in port group view III SFTP directory operations As shown in Table 50 23 available SFTP directory operations include change or display the current directory create or delete a...

Page 759: ...ile operations Operation Command Change the name of the specified file on the server rename old name new name Download a file from the remote server get remote file local file Upload a local file to the remote server put local file remote file dir remote path Display the list of files in the specified directory ls remote path delete remote file Delete a file from the server remove remote file Note...

Page 760: ...er is configured with the username 8040 and password SW8800 II Network diagram PC IP address SFTP client Switch B SFTP server Switch A PC IP address 10 111 27 91 Switch B Switch A Figure 50 5 Network diagram for SFTP III Configuration procedure 1 Configure Switch B Start the SFTP server SW8800 sftp server enable Specify the service type as SFTP SW8800 ssh user 8040 service type sftp Set the authen...

Page 761: ...h2 Please input the username 8040 Trying Press CTRL K to abort Connected to 10 111 27 91 Enter password SW8800 All rights reserved 1997 2004 Without the owner s prior written consent no decompiling or reverse engineering shall be allowed SW8800 Establish a connection with the remote SFTP server and enter the SFTP client view SW8800 sys SW8800 sftp 10 111 27 91 Display the current directory of the ...

Page 762: ... sftp client rename new1 new2 sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 vrpcfg cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 Download file pubkey2 from the server to a local device a...

Page 763: ...3Com Switch 8800 Configuration Guide Chapter 50 SSH Terminal Service 50 25 sftp client Exit SFTP sftp client quit Bye SW8800 ...

Page 764: ... mean time through the signal lines 1 3 2 and 6 of the category 3 5 twisted pairs Using converters they can also supply power to the PDs that can be powered only through spare lines 4 5 7 and 8 z The Switch 8800 supplies power through the Ethernet electrical ports on the service cards Each service card can supply power to up to 48 remote devices at the maximum distance of 100 m 328 feet z The maxi...

Page 765: ...rovides a power of 1500 W 51 2 PoE Configuration The Switch 8800 can automatically detect any connected device that needs a remote power supply and feeds power to this device z Depending on your actual network requirement you can set the maximum PoE power totally supplied by the switch through the command line z You can set the maximum PoE power supplied by a card through the command line z You ca...

Page 766: ...e By default the PoE mode on a port is signal 6 Set the PoE priority on the port poe priority critical high low You can set the PoE priority on a port depending on the practical situation By default the PoE priority on a port is low 7 Display the PoE state of a specific or all ports of the switch display poe interface interface name interface type interface num You can execute this command in any ...

Page 767: ...card into the slot z When a card is almost fully loaded and a new PD is added the switch will respond to the PD according to the PoE priority set on the port z The PoE priority of each port is based on its card In other words the switch cannot compare the priorities of ports on different cards 51 3 Comprehensive Configuration Example I Network requirements z Two PoE capable cards are installed in ...

Page 768: ...ble Go on the configuration till the port GigabitEthernet3 1 48 Enable PoE on the ports GigabitEthernet5 1 1 through GigabitEthernet5 1 48 SW8800 GigabitEthernet5 1 1 poe enable SW8800 GigabitEthernet5 1 2 poe enable SW8800 GigabitEthernet5 1 3 poe enable Go on the configuration till the port GigabitEthernet5 1 48 Set the PoE priority of the port GigabitEthernet3 1 48 to critical the PD connected ...

Page 769: ...an set the AC input alarm thresholds for the PoE PSUs to enable the Switch 8800 to monitor the AC input voltages of the PSUs in real time through the PoE supervision module 52 2 1 AC Input Alarm Thresholds Configuration Tasks Table 52 1 AC input alarm thresholds configuration tasks No Item Command Description 1 Enter system view system view 2 Set the overvoltage alarm threshold of AC input upper t...

Page 770: ...arm threshold of AC input for PoE PSUs to 264 0 V z Set the undervoltage alarm threshold of AC input for PoE PSUs to 181 0 V II Configuration procedure Enter system view SW8800 system view Set the overvoltage alarm threshold of AC input for PoE PSUs to 264 0 V SW8800 poe power input thresh upper 264 0 Set the undervoltage alarm threshold of AC input for PoE PSUs to 181 0 V SW8800 poe power input t...

Page 771: ...e power dc output state Optional and you can execute this command in any view 5 Display the DC output voltage current value of the PoE PSUs display poe power dc output value Optional and you can execute this command in any view Note For both 220 VAC and 110 VAC input it is recommended to set the upper threshold to 57 0 V and the lower threshold to 45 0 V 52 3 2 DC Output Alarm Thresholds Configura...

Page 772: ...play PoE supervision information No Operation Command Description 1 Display the basic information about the PoE PSUs display supervision module information You can execute this command in any view 2 Display detailed alarm information about the PoE PSUs display poe power alarm You can execute this command in any view 3 Display the number and state of the switches of the PoE PSUs display poe power s...

Page 773: ...tage alarm threshold of AC input for PoE PSUs to 264 0 V SW8800 poe power input thresh upper 264 0 Set the undervoltage alarm threshold of AC input for PoE PSUs to 181 0 V SW8800 poe power input thresh lower 181 0 Set the overvoltage alarm threshold of DC output for the PoE PSUs to 57 0 V SW8800 poe power output thresh upper 57 0 Set the undervoltage alarm threshold of DC output for the PoE PSUs t...

Search results

Summary of Contents for 8800 SERIES

Reviews:

Related manuals for 8800 SERIES

Brands by name

Popular brands

3Com 8800 SERIES, Configuration Manual

Search results

Summary of Contents for 8800 SERIES

Reviews:

Related manuals for 8800 SERIES

Brands by name

Popular brands