manualshive.com logo in svg

3Com S7902E, Configuration Manual

The 3Com S7902E is a high-performance networking product designed for seamless connectivity. Its detailed Datasheet and comprehensive user manual are available for free download from manualshive.com. Unlock the full potential of your device by accessing these essential resources today.

Share
Download
background image

Security Volume Organization 

Manual Version 

20091015-C-1.00

 

Product Version 

Release 6605 and Later 

Organization 

The Security Volume is organized as follows: 

Features 

Description 

AAA  

Authentication, Authorization and Accounting (AAA) provide a uniform 
framework used for configuring these three security functions to 
implement the network security management. This document describes:

z

 

Introduction to AAA, RADIUS and HWTACACS 

z

 

AAA configuration  

z

 

RADIUS configuration  

z

 

HWTACACS configuration  

802.1X 

IEEE 802.1X (hereinafter simplified as 802.1X) is a port-based network 
access control protocol that is used as the standard for LAN user access 
authentication. This document describes: 

z

 

802.1X overview 

z

 

802.1X configuration 

z

 

802.1X Guest-VLAN configuration 

MAC Authentication 

MAC authentication provides a way for authenticating users based on 
ports and MAC addresses; it requires no client software to be installed on 
the hosts. This document describes: 

z

 

RADIUS-Based MAC Authentication 

z

 

Local MAC Authentication 

Portal 

Portal authentication, as its name implies, helps control access to the 
Internet. This document describes: 

z

 

Portal overview 

z

 

Portal configuration  

Port Security 

Port security is a MAC address-based security mechanism for network 
access controlling. It is an extension to the existing 802.1X authentication 
and MAC authentication. This document describes: 

z

 

Enabling Port Security 

z

 

Setting the Maximum Number of Secure MAC Addresses 

z

 

Setting the Port Security Mode 

z

 

Configuring Port Security Features 

z

 

Configuring Secure MAC Addresses 

z

 

Ignoring Authorization Information from the Server 

Summary of Contents for S7902E

Page 1: ...S7900E Family Configuration Guide Release 6600 Series S7910E S7906E S7906E V S7903E S7903E S S7902E Manual Version 20091015 C 1 00 www 3com com 3Com Corporation 350 Campus Drive Marlborough MA USA 01752 3064 ...

Page 2: ...rcial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered tr...

Page 3: ...DHCPv6 Tunneling 02 IP Services Volume UDP Helper FTP and TFTP sFlow IP Routing Basics Static Routing RIP OSPF IS IS BGP IPv6 Static Routing RIPng OSPFv3 IPv6 IS IS IPv6 BGP Route Policy 03 IP Routing Volume Policy Routing Mulitcast Overview Multicast Routing and Forwarding IGMP PIM MSDP MBGP Multicast VPN IGMP Snooping Multicast VLAN IPv6 Multicast Routing and Forwarding MLD IPv6 PIM 04 Multicast...

Page 4: ...s are optional x y Alternative items are grouped in braces and separated by vertical bars One is selected x y Optional alternative items are grouped in square brackets and separated by vertical bars One or none is selected x y Alternative items are grouped in braces and separated by vertical bars A minimum of one or a maximum of all can be selected x y Optional alternative items are grouped in squ...

Page 5: ...tion to ensure successful configuration or good performance Means a complementary description Means techniques helpful for you to make configuration with ease Related Documentation In addition to this manual each 3Com S7900E Family documentation set includes the following Manual Description 3Com S7900E Family Command Reference Guide Release 6600 Series Provide detailed descriptions of command line...

Page 6: ...ion to Product 1 1 Feature Lists 1 1 2 Features 2 1 Access Volume 2 1 IP Services Volume 2 3 IP Routing Volume 2 4 Multicast Volume 2 6 MPLS Volume 2 8 QoS Volume 2 10 Security Volume 2 10 High Availability Volume 2 12 System Volume 2 13 OAA Volume 2 16 ...

Page 7: ...ation Service Loopback Group Loopback Interface and Null Interface MSTP LLDP VLAN GVRP QinQ BPDU Tunneling VLAN Mapping 01 Access Volume Mirroring EPON OLT IP Addressing IP Performance Optimization ARP DHCP DNS IPv6 Basics DHCPv6 Tunneling 02 IP Services Volume UDP Helper FTP and TFTP sFlow IP Routing Basics Static Routing RIP OSPF IS IS BGP IPv6 Static Routing RIPng OSPFv3 IPv6 IS IS IPv6 BGP Rou...

Page 8: ...URPF Dual SRPU System VRRP Smart Link Monitor Link RRPP DLDP Ethernet OAM Connectivity Fault Detection 08 High Availability Volume BFD Track GR Overview Login Basic System Configuration Device Management File System Management SNMP RMON MAC Address Table Management System Maintenance and Debugging Information Center PoE NQA NTP 09 System Volume Hotfix IRF IPC 10 OAA OAP ACFP ACSEI ...

Page 9: ...net Port z Configuring the MDI Mode for an Ethernet Port z Testing the Cable on an Ethernet Port z Configuring the Storm Constrain Function on an Ethernet Port z Configuring the Connection Mode of an Ethernet Port Link aggregation Link aggregation aggregates multiple physical Ethernet ports into one logical link This document describes z Introduction to Link Aggregation z Configuring an Aggregatio...

Page 10: ...VLAN based on Port MAC address Protocol or IP subnet z Introduction and configuration of Super VLAN z Introduction and configuration of Isolate user vlan z Introduction and configuration of Voice VLAN GVRP GVRP is a GARP application This document describes z GARP overview z Introduction and configuration of GVRP QinQ As defined in IEEE802 1Q 12 bits are used to identify a VLAN ID so a device can s...

Page 11: ...onfiguration IP Performance Optimization In some network environments you need to adjust the IP parameters to achieve best network performance This document describes z Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network z Configuring TCP Attributes z Configuring ICMP to Send Error Packets ARP Address Resolution Protocol ARP is used to resolve an IP address int...

Page 12: ...nfiguring a 6to4 Tunnel z Configuring an ISATAP Tunnel z Configuring an IPv4 over IPv4 Tunnel z Configuring an IPv4 over IPv6 Tunnel z Configuring an IPv6 over IPv6 Tunnel z Configuring a GRE over IPv4 Tunnel z Configuring a GRE over IPv6 Tunnel UDP Helper UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified server This doc...

Page 13: ...F algorithm This document describes z Configuring IS IS Basic Functions z Configuring IS IS Routing Information Control z Tuning and Optimizing IS IS Networks z Configuring IS IS Authentication z Configuring System ID to Host Name Mappings z Configuring IS IS GR z Enabling the Logging of Neighbor State Changes z Enabling IS IS SNMP Trap BGP Border gateway protocol BGP is an inter autonomous system...

Page 14: ...nspection filtering attributes modifying when routes are received advertised or redistributed This document describes z Defining Filters z Route policy configuration Policy Routing Policy routing is to make forwarding decisions based on user defined policies Different from the normal destination based routing policy routing can make routing decisions based on the source address and other criteria ...

Page 15: ...nfiguring MBGP Basic Functions z Configuring MBGP Route Attributes z Configuring a Large Scale MBGP Network Multicast VPN Multicast VPN is a technique that implements multicast delivery in MPLS L3VPN networks This document describes z Multicast VPN overview z How MD VPN works z Configuring MD VPN IGMP Snooping Running at the data link layer IGMP Snooping is a multicast control mechanism on the Lay...

Page 16: ...Listener Discovery Snooping MLD Snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups This document describes z Configuring Basic Functions of MLD Snooping z Configuring MLD Snooping Port Functions z Configuring MLD Snooping Querier z Configuring MLD Snooping Proxying z Configuring MLD Snooping Policy IPv6 Multicast VLAN The I...

Page 17: ...solutions This document describes z MPLS L3VPN Overview z Configuring VPN Instances z Configuring Basic MPLS L3VPN z Configuring Inter Provider MPLS L3VPN z Configuring Nested VPN z Configuring HoVPN z Configuring OSPF Sham Link z Configuring BGP AS Number Substitution VPLS VPLS is a technology for delivering point to multipoint L2VPN services over public networks This document describes z VPLS Ov...

Page 18: ...e predefined configurations This document describes z Creating a User Profile z Configuring a User Profile z Enabling a User Profile Security Volume Table 2 7 Features in the Security volume Features Description AAA Authentication Authorization and Accounting AAA provide a uniform framework used for configuring these three security functions to implement the network security management This docume...

Page 19: ...n a non secure network environment By encryption and strong authentication it protects the device against attacks This document describes z Configuring Asymmetric Keys z Configuring the Device as an SSH Server z Configuring the Device as an SSH Client z Configuring an SFTP Server z Configuring an SFTP Client Public Key This document describes Public Key Configuration ACL An ACL is used for identif...

Page 20: ...vice Monitor Link Monitor link is a port collaboration function used to enable a device to be aware of the up down state change of the ports on an indirectly connected link This document describes z Monitor Link Overview z Configuring Monitor Link RRPP RRPP is a link layer protocol designed for Ethernet rings RRPP can prevent broadcast storms caused by data loops when an Ethernet ring is healthy a...

Page 21: ...ollaboration between different modules through established collaboration objects The detection modules trigger the application modules to perform certain operations through the track module This document describes z Track Overview z Configuring Collaboration Between the Track Module and the Detection Modules z Configuring Collaboration Between the Track Module and the Application Modules GR Overvi...

Page 22: ...ers File System Management A major function of the file system is to manage storage devices mainly including creating the file system creating deleting modifying and renaming a file or a directory and opening a file This document describes z File system management z Configuration File Management SNMP Simple network management protocol SNMP offers a framework to monitor network devices through TCP ...

Page 23: ...z Upgrading PSE Processing Software in Service NQA NQA analyzes network performance services and service quality by sending test packets to provide you with network performance and service quality parameters This document describes z NQA Overview z Configuring the NQA Server z Enabling the NQA Client z Creating an NQA Test Group z Configuring an NQA Test Group z Configuring the Collaboration Funct...

Page 24: ...iguration for Enabling IPC Performance Statistics OAA Volume Table 2 10 Features in the OAA volume Features Description OAP Configuration This document describes z OAP Overview z Configuring an OAP Card z Configuring an OAP Subcard ACFP The Application Control Forwarding Protocol ACFP is developed based on the OAA architecture This document describes z Introduction to ACFP z Configuring the ACFP S...

Page 25: ...G Application Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router ASCII American Standard Code for Information Interchange ASE Application service element ASIC Application Specific Integrated Circuit ASM Any Source Multicast ASN Auxiliary Signal Network AT Advanced...

Page 26: ...e and Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain Routing CIR Committed Information Rate CIST Common and Internal Spanning Tree CLNP Connectionless Network Protocol CPOS Channelized POS CPU Central Processing Unit CQ Custom Queuing CRC Cyclic Redunda...

Page 27: ...point Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavelength Division Multiplexing E Return EACL Enhanced ACL EAD Endpoint Admission Defense EAP Extensible Authentication Protocol EAPOL Extensible Authentication Protocol over LAN EBGP External Border Gat...

Page 28: ...hernet GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC High level Data Link Control HEC Header Error Control HoPE Hiberarchy of PE HoVPN Hiberarchy of VPN HQoS Hierarchical Quality of Service HSB Hot Standby HTTP Hyper Text Transport Protocol H VPLS Hiber...

Page 29: ...ion IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IRF Intelligent Resilient Framework IS Intermediate System ISATAP Intra Site Automatic Tunnel Addressing Protocol ISDN Integrated Services Digital Network IS IS Intermediate System to Intermediate System intra domain routing information exchange protocol ISO International Organizatio...

Page 30: ...Rate LRTT Loop Round Trip Time LSA Link State Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol Data Unit LSPM Label Switch Path Management LSR Link State Request LSR Label Switch Router LSR ID Label Switch Router Identity LSU Link State Update M Return MAC Media Access Control MAN Metropolitan ...

Page 31: ...ion Overhead MSTI Multi Spanning Tree Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF Multicast VPN Routing and Forwarding N Return NAPT Network Address Port Translation NAS Network Access Server NAT Net Address Translation NBMA Non Broadcast Multi Access NBT NetBIOS over TCP IP NCP N...

Page 32: ... OC 3 OC 3 OID Object Identifier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol PCB Printed Circuit Board PCM Pulse Code Modulation PD Powered Device PDU Protocol Data Unit PE Provider Edge PHP Penultimate Hop Popping PHY Physical layer PIM Protocol Independent Multicast PIM DM...

Page 33: ...t Virtual Channel PW Pseudo wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority RADIUS Remote Authentication Dial in User Service RAM random access memory RD Routing Domain RD Router Distinguisher RED Random Early Detection RFC Request For comments RIP Routing Information Pr...

Page 34: ...Choke Fairness Frame SD Signal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Multicast Distribution Tree SIP Session Initiation Protocol Site of Origin Site of Origin SLA Service Level Agreement SMB Standby Main Board SMTP Simple Mail Transfer Protocol SNAP Sub Network Access Po...

Page 35: ... Distribution Tree T Return TA Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE DataBase TFTP Trivial File Transfer Protocol TLS Transparent LAN Service TLV Type Length Value ToS Type of Service TPID Tag Protocol Identifier TRIP Trigger RIP TS Traffic Shaping TTL Time to Live TTY...

Page 36: ...ork VPI Virtual Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Tributary VTY Virtual Type Terminal W Return WAN Wide Area Network WFQ Weighted Fair Queuing WINS Windows Internet Naming Service WLAN wireless local area network WRED Weighted Random Early Detection WRR...

Page 37: ...val for Collecting Ethernet Port Statistics z Enabling Forwarding of Jumbo Frames z Enabling Loopback Detection on an Ethernet Port z Configuring the MDI Mode for an Ethernet Port z Testing the Cable on an Ethernet Port z Configuring the Storm Constrain Function on an Ethernet Port z Configuring the Connection Mode of an Ethernet Port Link aggregation Link aggregation aggregates multiple physical ...

Page 38: ...munications links This document describes z Introduction to LLDP z Performing Basic LLDP Configuration z Configuring CDP Compatibility z Configuring LLDP Trapping VLAN Using the VLAN technology you can partition a LAN into multiple logical LANs This document describes z Introduction and basic configuration of VLAN z Types of VLAN Implement VLAN based on Port MAC address Protocol or IP subnet z Int...

Page 39: ...onfiguring Two to Two VLAN Mapping Port Mirroring Port mirroring copies packets passing through a port to another port connected with a monitoring device for packet analysis to help implement network monitoring and troubleshooting This document describes z Introduction and configuration of Port Mirroring z Introduction and configuration of Traffic Mirroring EPON OLT An S7900E switch installed with...

Page 40: ...n Ethernet Port 1 5 Configuring a Port Group 1 6 Configuring an Auto negotiation Transmission Rate 1 6 Configuring Storm Suppression 1 7 Setting the Interval for Collecting Ethernet Port Statistics 1 8 Enabling Forwarding of Jumbo Frames 1 9 Enabling Loopback Detection on an Ethernet Port 1 9 Configuring the MDI Mode for an Ethernet Port 1 11 Testing the Cable on an Ethernet Port 1 12 Configuring ...

Page 41: ...optical fiber port or an electrical copper port The two ports share one forwarding port and thus they cannot work at the same time If the electrical port is enabled the optical port is disabled automatically and vice versa The 1000 100 Mbps SFP port of a Combo port does not support hot swappable SFP GE T modules For details about hot swappable modules see 3Com S7900E Family Getting Started Guide C...

Page 42: ... interface but because it is located on the main board it provides much faster connection speed than a common Ethernet interface when used for operations such as software loading and network management Configuring a management Ethernet interface Follow these steps to configure a management Ethernet interface To do Use the command Remarks Enter system view system view Enter management Ethernet inte...

Page 43: ...name followed by the interface string GigabitEthernetEthernet1 2 0 1 Interface for example Shut down the port shutdown Optional By default a port is in up state To bring up a port use the undo shutdown command Follow these steps to configure the duplex and speed of an Ethernet port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interfa...

Page 44: ...ort it will send a Pause frame notifying the egress port to temporarily suspend the sending of packets The egress port is expected to stop sending any new packet when it receives the Pause frame In this way flow control helps to avoid dropping of packets Note that this will be possible only after flow control is enabled on both the ingress and egress ports Follow these steps to enable flow control...

Page 45: ... command cannot take effect on ports that are manually disabled using the shutdown command Configuring Loopback Testing on an Ethernet Port You can enable loopback testing to check whether the Ethernet port functions properly Note that no data packets can be forwarded during the testing Loopback testing falls into the following two categories z Internal loopback testing which is performed within s...

Page 46: ...s you made on it apply to all group member ports Note that even though the settings are made on the port group they are saved on a port basis rather than on a port group basis Thus you can only view the settings in the view of each port with the display current configuration command or the display this command Follow these steps to configure a manual port group To do Use the command Remarks Enter ...

Page 47: ... to configure an auto negotiation transmission rate To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the auto negotiation transmission rate range speed auto 10 100 1000 Optional z This function is available for auto negotiation capable 100 MB or Gigabit Layer 2 Ethernet electrical ports only z If you repeatedly...

Page 48: ...re takes effect on the current port only if configured in port group view this feature takes effect on all ports in the port group Set the broadcast storm suppression ratio broadcast suppression ratio pps max pps kbps max bps Optional By default broadcast traffic is not suppressed Set the multicast storm suppression ratio multicast suppression ratio pps max pps kbps max bps Optional By default mul...

Page 49: ... configurations take effect on all ports in the port group Follow these steps to enable the forwarding of jumbo frames To do Use the command Remarks Enter system view system view port group manual port group name In port group view jumboframe enable value interface interface type interface number Enable the forwarding of jumbo frames In Ethernet port view jumboframe enable value Use any command By...

Page 50: ... port group manual port group name Use either command Configurations made in Ethernet port view takes effect on the current port only configurations made in port group view takes effect on all ports in the port group Enable loopback detection on a port loopback detection enable Required Disabled by default Enable loopback detection control on a trunk port or a hybrid port loopback detection contro...

Page 51: ... receiving signals pin 3 and pin 6 are used for transmitting signals To enable normal communication you should connect the local transmit pins to the remote receive pins Therefore you should configure the MDI mode depending on the cable types z Normally the auto mode is recommended The other two modes are useful only when the device cannot determine the cable type z When straight through cables ar...

Page 52: ...trap messages and logs when the traffic detected exceeds the threshold Alternatively you can configure the storm suppression function to control a specific type of traffic As the function and the storm constrain function are mutually exclusive do not enable them at the same time on an Ethernet port For example with unicast storm suppression ratio set on an Ethernet port do not enable the storm con...

Page 53: ...wn below the lower threshold from a point higher than the upper threshold Specify to send log when the traffic detected exceeds the upper threshold or drops down below the lower threshold from a point higher than the upper threshold storm constrain enable log Optional By default the system sends log when the traffic detected exceeds the upper threshold or drops down below the lower threshold from ...

Page 54: ...e command Remarks Display the current state of a port and the related information display interface interface type interface number Available in any view Display the summary of a port display brief interface interface type interface number begin exclude include regular expression Available in any view Display information about discarded packets on a port display packet drop interface interface typ...

Page 55: ... group manual all name port group name Available in any view Display the information about the loopback function display loopback detection Available in any view Display storm constrain information on ports display storm constrain broadcast multicast unicast interface interface type interface number Available in any view ...

Page 56: ...e 1 9 Configuring the Description of an Aggregate Interface 1 10 Enabling LinkUp LinkDown Trap Generation for an Aggregate Interface 1 10 Shutting Down an Aggregate Interface 1 10 Configuring Load Sharing for Link Aggregation Groups 1 11 Configuring a Load Sharing Mode for Load Sharing Link Aggregation Groups 1 11 Configuring the Local First Load Sharing Mechanism for Link Aggregation 1 13 Display...

Page 57: ...rates as a distributed stacking device For introduction of IRF refer to IRF in the System Volume Overview Link aggregation aggregates multiple physical Ethernet ports to increase the link speed beyond the limits of any one single port The Ethernet ports bundled together form an aggregation group To upper layer entities such as applications running on the network they look like a single logical lin...

Page 58: ...s use the same duplex mode For how the state of a member port is determined refer to Static aggregation mode and Dynamic aggregation mode IEEE 802 3ad LACP protocol The IEEE 802 3ad Link Aggregation Control Protocol LACP enables the dynamic aggregation of physical links and uses link aggregation control protocol data units LACPDUs for information exchange between LACP enabled devices With the usag...

Page 59: ... QinQ enable state enable disable TPID values in VLAN tags outer VLAN tags to be added inner to outer VLAN priority mappings inner to outer VLAN tag mappings inner VLAN ID substitution mappings VLAN Permitted VLAN IDs default VLAN link type trunk hybrid or access IP subnet based VLAN configuration protocol based VLAN configuration tag mode MAC address learning MAC address learning capability MAC a...

Page 60: ...t number wins out z Consider the ports in up state with the same port attributes port rate duplex mode and link state configuration and class two configurations as the reference port as candidate selected ports and set all others in the unselected state z Static aggregation limits the number of selected ports in an aggregation group When the number of the candidate selected ports is under the limi...

Page 61: ...n the number of candidate selected ports is under the limit all the candidate selected ports are set to selected state When the limit is exceeded the system selects the candidate selected ports with smaller port IDs as the selected ports and set other candidate selected ports to unselected state At the same time the peer device being aware of the changes changes the state of its ports accordingly ...

Page 62: ...p Select either task Configuring an Aggregation Group Enabling MAC Address Table Synchronization for Cross Card Aggregation Required Configuring the Description of an Aggregate Interface Optional Enabling LinkUp LinkDown Trap Generation for an Aggregate Interface Optional Configuring an Aggregate Interface Shutting Down an Aggregate Interface Optional Configuring a Load Sharing Mode for Load Shari...

Page 63: ...ves the corresponding aggregation group At the same time the member ports of the aggregation group if any leave the aggregation group z To guarantee a successful static aggregation ensure that the ports at the two ends of each link to be aggregated are consistent in the selected unselected state Configuring a Dynamic Aggregation Group Follow these steps to configure a Layer 2 dynamic aggregation g...

Page 64: ...ggregation group becomes a non load sharing aggregation group because of insufficient load sharing resources one of the following problems may occur the number of selected ports of the actor is inconsistent with that of the partner which may result in incorrect traffic forwarding the peer port of a selected port is an unselected one which may result in upper layer protocol and traffic forwarding a...

Page 65: ...chronization between different types of line cards To do Use the command Remarks Enter system view system view Enable MAC address table synchronization synchronization mac address enable Required Disabled by default z For more information MAC address table see Link Aggregation Configuration in the Access Volume z For more information about the operating modes of line cards see Device Management Co...

Page 66: ... the command Remarks Enter system view system view Enable the trap function globally snmp agent trap enable standard linkdown linkup Optional By default linkUp linkDown trap generation is enabled globally and on all interfaces Enter aggregate interface view interface bridge aggregation interface number Enable linkUp linkDown trap generation for the aggregate interface enable snmp trap updown Optio...

Page 67: ...a link aggregation group for different types of traffic as needed You can configure a global load sharing mode for all link aggregation groups or a load sharing mode specific to a link aggregation group as needed Configuring the global load sharing mode for link aggregation groups Follow these steps to configure the global load sharing mode for link aggregation groups To do Use the command Remarks...

Page 68: ...face bridge aggregation interface number Configure the load sharing mode for the aggregation group link aggregation load sharing mode destination ip destination mac mpls label1 mpls label2 source ip source mac Required By default the load sharing mode of an aggregation group is the global load sharing mode This command applies only to the load sharing mode of Layer 3 packets After you configure th...

Page 69: ... view system view Configure the local first load sharing mechanism for link aggregation link aggregation load sharing mode local first Optional The local first load sharing mode takes effect by default Displaying and Maintaining Link Aggregation To do Use the command Remarks Display the local system ID display lacp system id Available in any view Display the global or aggregation group specific lo...

Page 70: ...ee section Class two configurations When you configure cross card link aggregation if link aggregation across different types of cards however you may need to enable MAC address table synchronization manually see section Enabling MAC Address Table Synchronization for Cross Card Aggregation Layer 2 Static Aggregation Configuration Example Network requirements As shown in Figure 1 2 Device A and Dev...

Page 71: ...ggregation Configuration Example Network requirements As shown in Figure 1 3 Device A and Device B are connected through their respective Layer 2 Ethernet ports GigabitEthernet 2 0 1 to GigabitEthernet 2 0 3 Aggregate the ports on each device to form a dynamic link aggregation group thus balancing traffic across the member ports In addition perform load sharing based on source and destination MAC ...

Page 72: ...irements As shown in Figure 1 4 Device A is connection to Device B by their Ethernet ports GigabitEthernet 2 0 1 through GigabitEthernet 2 0 4 Configure the global load sharing mode and aggregation group specific load sharing mode to enable aggregation group 1 to use source MAC based load sharing mode and aggregation group 2 to use destination MAC based load sharing mode Figure 1 4 Network diagram...

Page 73: ...stination MAC based load sharing mode DeviceA interface bridge aggregation 2 DeviceA Bridge Aggregation2 link aggregation load sharing mode destination mac DeviceA Bridge Aggregation2 quit Assign ports GigabitEthernet 2 0 3 and GigabitEthernet 2 0 4 to aggregation group 2 DeviceA interface gigabitethernet 2 0 3 DeviceA GigabitEthernet2 0 3 port link aggregation group 2 DeviceA GigabitEthernet2 0 3...

Page 74: ...solation Configuration 1 1 Introduction to Port Isolation 1 1 Configuring the Isolation Group 1 1 Assigning a Port to the Isolation Group 1 1 Displaying and Maintaining Isolation Groups 1 2 Port Isolation Configuration Example 1 2 ...

Page 75: ...r 2 traffic can be exchanged between a port inside an isolation group and a port outside the isolation group but not between ports inside the isolation group z There is no restriction on the number of ports assigned to an isolation group Configuring the Isolation Group Assigning a Port to the Isolation Group Follow these steps to add a port to the isolation group To do Use the command Remarks Ente...

Page 76: ...it simply skips the port and moves to the next port Displaying and Maintaining Isolation Groups To do Use the command Remarks Display the isolation group information on a single isolation group device display port isolate group Available in any view Port Isolation Configuration Example Network requirements z Users Host A Host B and Host C are connected to GigabitEthernet 2 0 1 GigabitEthernet 2 0 ...

Page 77: ...ort isolate enable Device Gigabitethernet2 0 2 quit Device interface gigabitethernet 2 0 3 Device Gigabitethernet2 0 3 port isolate enable Configure port GigabitEthernet 2 0 4 as the uplink port of the isolation group Device Gigabitethernet2 0 3 quit Device interface gigabitethernet 2 0 4 Device Gigabitethernet2 0 4 port isolate uplink port Device Gigabitethernet2 0 4 return Display the informatio...

Page 78: ...Functions of Service Loopback Groups 1 1 Port Configuration Prerequisites of Service Loopback Groups 1 1 States of the Ports in a Service Loopback Group 1 2 Configuring a Service Loopback Group 1 2 Displaying and Maintaining Service Loopback Groups 1 3 Configuration Example 1 3 ...

Page 79: ...ce redirecting throughput you can bundle multiple service loopback ports into a logical link called a service loopback group Similar to link aggregation a service loopback group can increase bandwidth and implement load sharing Service loopback groups fall into five types z IPv6 supporting IPv6 unicast traffic z IPv6 multicast supporting IPv6 multicast traffic z Tunnel supporting unicast tunnel tr...

Page 80: ...ardware restrictions as candidate selected ports and set the rest ports to unselected state z The number of selected ports is limited in a service loopback group If the number of candidate ports exceeds the limit those with smaller port IDs are set to selected state and the others are set to unselected state The system follows the preemption principle when setting port state in a service loopback ...

Page 81: ...umber Available in any view Configuration Example Network requirements Ports of Device A support the tunnel service Assign GigabitEthernet 2 0 1 through GigabitEthernet 2 0 3 to a service loopback group to increase bandwidth and achieve load sharing Configuration procedure Create service loopback group 1 and specify the service type as Tunnel unicast tunnel service DeviceA system view DeviceA serv...

Page 82: ...1 4 DeviceA interface tunnel 1 DeviceA Tunnel1 service loopback group 1 ...

Page 83: ...onfiguration 1 1 Loopback Interface 1 1 Introduction to Loopback Interface 1 1 Configuring a Loopback Interface 1 1 Null Interface 1 2 Introduction to Null Interface 1 2 Configuring Null 0 Interface 1 2 Displaying and Maintaining Loopback and Null Interfaces 1 3 ...

Page 84: ...re a rule on an authentication or security server to permit or deny packets generated by a device you can streamline the rule by configuring it to permit or deny packets carrying the loopback interface address identifying the device Note that when a loopback interface is used for source address binding that is assigning an IP address to this loopback interface make sure that the route from the loo...

Page 85: ...face is always up However you can neither use it to forward data packets nor configure an IP address or link layer protocol on it With a null interface specified as the next hop of a static route to a specific network segment any packets routed to the network segment are dropped The null interface provides you a simpler way to filter packets than ACL That is you can filter uninteresting traffic by...

Page 86: ...erface is the interface name followed by the Interface string Displaying and Maintaining Loopback and Null Interfaces To do Use the command Remarks Display information about loopback interfaces display interface loopback interface number Available in any view Display information about the null interface display interface null 0 Available in any view Clear the statistics on a loopback interface or ...

Page 87: ...evice 1 19 Configuring the Maximum Hops of an MST Region 1 20 Configuring the Network Diameter of a Switched Network 1 20 Configuring Timers of MSTP 1 21 Configuring the Timeout Factor 1 22 Configuring the Maximum Port Rate 1 23 Configuring Ports as Edge Ports 1 23 Configuring Path Costs of Ports 1 24 Configuring Port Priority 1 26 Configuring the Link Type of Ports 1 27 Configuring the Mode a Por...

Page 88: ...IEEE to eliminate loops at the data link layer in a local area network LAN Devices running this protocol detect loops in the network by exchanging information with one another and eliminate loops by selectively blocking certain ports to prune the loop structure into a loop free tree structure This avoids proliferation and infinite cycling of packets that would occur in a loop network and prevents ...

Page 89: ... port The root bridge has no root port Designated bridge and designated port The following table describes designated bridges and designated ports Table 1 1 Description of designated bridges and designated ports Classification Designated bridge Designated port For a device A device directly connected with the local device and responsible for forwarding BPDUs to the local device The port through wh...

Page 90: ...e spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the root bridge denoted by the root identifier from the transmitting bridge z Designated bridge ID consisting of the priority and MAC address of the designated bridge z Designated port ID designated port...

Page 91: ...riority than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port the device replaces the content of the configuration BPDU generated by the port with the content of the rece...

Page 92: ... device z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be defined and acts depending on the comparison result z If the calculated configuration BPDU is superior the device considers this port as the designated port and replaces the configuration BPDU on the po...

Page 93: ... port after comparison Device A z Port AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received configuration BPDU and therefore discards the received configuration BPDU z Port AP2 receives the configuration BPDU of Device C 2 0 2 CP1 Device A finds that the BPDU of the local port 0 0 0 AP2 is super...

Page 94: ...port BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port 2 0 2 CP1 and updates the configuration BPDU of CP1 z Port CP2 receives the configuration BPDU of port BP2 of Device B 1 0 1 BP2 before the configuration BPDU is updated Device C...

Page 95: ...nning tree with Device A as the root bridge is established as shown in Figure 1 3 Figure 1 3 The final calculated spanning tree AP1 AP2 Device A With priority 0 Device B With priority 1 Device C With priority 2 BP1 BP2 CP2 5 4 The spanning tree calculation process in this example is only simplified process The BPDU forwarding mechanism in STP z Upon network initiation every switch regards itself a...

Page 96: ...te transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propagated throughout the network z Hello time is the time interval at which a device sends hello packets to the surrounding devices to ensure that the paths are fault free z Max age is a parameter used to...

Page 97: ...ngs of STP and RSTP In addition to the support for rapid network convergence it allows data flows of different VLANs to be forwarded along separate paths thus providing a better load sharing mechanism for redundant links For description about VLANs refer to VLAN Configuration in the Access Volume MSTP features the following z MSTP supports mapping VLANs to spanning tree instances by means of a VLA...

Page 98: ... tree region MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have the same region name z They have the same VLAN to instance mapping configuration z They have the same MSTP revision level configuration and z They are physically linked with one another For example all the...

Page 99: ... constitute the CIST of the entire network MSTI Multiple spanning trees can be generated in an MST region through MSTP one spanning tree being independent of another Each spanning tree is referred to as a multiple spanning tree instance MSTI In Figure 1 4 for example multiple spanning trees can exist in each MST region each spanning tree corresponding to the specific VLAN s These spanning trees ar...

Page 100: ...nate port The standby port for a root port or master port When the root port or master port is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a designated port When the designated port is blocked the backup port becomes a new designated port and starts forwarding data without delay A loop occurs when two ports of the same MSTP device are interc...

Page 101: ... are calculated each being called an MSTI Among these MSTIs MSTI 0 is the IST while all the others are MSTIs Similar to STP MSTP uses configuration BPDUs to calculate spanning trees The only difference between the two protocols is that an MSTP BPDU carries the MSTP configuration on the device from which this BPDU is sent CIST calculation The calculation of a CIST tree is also the process of config...

Page 102: ...otocol MSTP Configuration Task List Before configuring MSTP you need to know the role of each device in each MSTI root bridge or leave node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes Complete these tasks to configure MSTP Task Remarks Configuring an MST Region Required Configuring the Root Bridge or a Secondary Root Bridge Optional Configuring the W...

Page 103: ...ance mapping table For the detailed information of GVRP refer to GVRP Configuration of the Access Volume z MSTP is mutually exclusive with any of the following functions on a port service loopback RRPP Smart Link and BPDU tunnel z Configurations made in system view take effect globally configurations made in Ethernet interface view take effect on the current interface only configurations made in p...

Page 104: ...s to configure an MST region To do Use the command Remarks Enter system view system view Enter MST region view stp region configuration Configure the MST region name region name name Optional The MST region name is the MAC address by default instance instance id vlan vlan list Configure the VLAN to instance mapping table vlan mapping modulo modulo Optional Use either command All VLANs in an MST re...

Page 105: ...e has independent roles in different MSTIs It can act as the root bridge or a secondary root bridge of one MSTI while being the root bridge or a secondary root bridge of another MSTI However the same device cannot be the root bridge and a secondary root bridge in the same MSTI at the same time z There is only one root bridge in effect in a spanning tree instance If two or more devices have been de...

Page 106: ...th legacy STP devices and for full interoperability with RSTP enabled devices MSTP supports three work modes STP compatible mode RSTP mode and MSTP mode z In STP compatible mode all ports of the device send out STP BPDUs z In RSTP mode all ports of the device send out RSTP BPDUs If the device detects that it is connected with a legacy STP device the port connecting with the legacy STP device will ...

Page 107: ...ays sends a configuration BPDU with a hop count set to the maximum value When a switch receives this configuration BPDU it decrements the hop count by 1 and uses the new hop count in the BPDUs it propagates When the hop count of a BPDU reaches 0 it is discarded by the device that received it Thus devices beyond the reach of the maximum hop can no longer take part in spanning tree calculation and t...

Page 108: ...iscarding state can transit to the forwarding state it needs to go through the learning state Forward delay is the delay time for port state transition This is to ensure that the state transition of the local port and that of the peer occur in a synchronized manner z Hello time is the time interval at which a device sends configuration BPDUs to the surrounding devices to ensure that the paths are ...

Page 109: ...ecommend that you use the default setting z If the max age time setting is too small the network devices will frequently launch spanning tree calculations and may take network congestion as a link failure if the max age setting is too large the network may fail to timely detect link failures and fail to timely launch spanning tree calculations thus reducing the auto sensing capability of the netwo...

Page 110: ... system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command Configure the maximum rate of the ports stp transmit limit limit Required 10 by default The higher the maximum port rate is the more BPDUs will be sent wit...

Page 111: ...ave different path costs in different MSTIs Setting appropriate path costs allows VLAN traffic flows to be forwarded along different physical links thus achieving VLAN based load balancing The device can automatically calculate the default path cost alternatively you can also configure the path cost for ports Make the following configurations on the leaf nodes only Specifying a standard that the d...

Page 112: ...666 500 2 1 1 1 When calculating path cost for an aggregate interface 802 1d 1998 does not take into account the number of member ports in its aggregation group as 802 1t does The calculation formula of 802 1t is Path Cost 200 000 000 link speed in 100 kbps where link speed is the sum of the link speed values of the non blocked ports in the aggregation group Configuring path costs of ports Follow ...

Page 113: ... elected as the root port of a device If all other conditions are the same the port with the highest priority will be elected as the root port On an MSTP enabled device a port can have different priorities in different MSTIs and the same port can play different roles in different MSTIs so that data of different VLANs can be propagated along different physical paths thus implementing per VLAN load ...

Page 114: ...iew system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command Configure the link type of ports stp point to point auto force false force true Optional The default setting is auto namely the port automatically detec...

Page 115: ...acy Required auto by default z MSTP provides the MSTP packet format incompatibility guard function In MSTP mode if a port is configured to recognize send MSTP packets in a mode other than auto and receives a packet in a format different from the specified type the port will become a designated port and remain in the discarding state to prevent the occurrence of a loop z MSTP provides the MSTP pack...

Page 116: ...w port group manual port group name Required Use either command Enable the MSTP feature for the ports stp enable Optional By default MSTP is enabled for all ports after it is enabled for the device globally To control MSTP flexibly you can use the undo stp enable command to disable the MSTP feature for certain ports so that they will not take part in spanning tree calculation and thus to save the ...

Page 117: ... RSTP or MSTP mode Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when the MST region related configurations domain name revision level VLAN to instance mappings on them are identical An MSTP enabled device identifies devices in the same MST region by checking the configuration ID in BPDU packets The configuration ID includes the region nam...

Page 118: ...bled by default z With the Digest Snooping feature enabled comparison of configuration digest is not needed for in the same region check so the VLAN to instance mappings must be the same on associated ports z With global Digest Snooping enabled modification of VLAN to instance mappings and removing of the current region configuration using the undo stp region configuration command are not allowed ...

Page 119: ...ooping on Device B DeviceB system view DeviceB interface gigabitethernet 2 0 1 DeviceB GigabitEthernet2 0 1 stp config digest snooping DeviceB GigabitEthernet2 0 1 quit DeviceB stp config digest snooping Configuring No Agreement Check In RSTP and MSTP two types of messages are used for rapid state transition on designated ports z Proposal sent by designated ports to request rapid transition z Agre...

Page 120: ...TP and does not work in RSTP mode the root port on the downstream device receives no agreement packet from the upstream device and thus sends no agreement packets to the upstream device As a result the designated port of the upstream device fails to transit rapidly and can only change to the forwarding state after a period twice the Forward Delay In this case you can enable the No Agreement Check ...

Page 121: ...party device that has different MSTP implementation Both devices are in the same region z Device B is the regional root bridge and Device A is the downstream device Figure 1 9 No Agreement Check configuration 2 Configuration procedure Enable No Agreement Check on GigabitEthernet 2 0 1 of Device A DeviceA system view DeviceA interface gigabitethernet 2 0 1 DeviceA GigabitEthernet2 0 1 stp no agreem...

Page 122: ... by default BPDU guard does not take effect on loopback test enabled ports For information about loopback test refer to Ethernet Port Configuration in the Access Volume Enabling Root guard The root bridge and secondary root bridge of a spanning tree should be located in the same MST region Especially for the CIST the root bridge and secondary root bridge are generally put in a high bandwidth core ...

Page 123: ...s and the blocked ports will transition to the forwarding state resulting in loops in the switched network The loop guard function can suppress the occurrence of such loops With loop guard enabled on a port all instances on it are in the discarding state initially Upon receiving BPDUs it can transition its role normally if receiving no BPDU it stays in the discarding state thus avoiding loops Do n...

Page 124: ...g address entries Follow these steps to enable TC BPDU guard To do Use the command Remarks Enter system view system view Enable the TC BPDU guard function stp tc protection enable Optional Enabled by default Configure the maximum number of forwarding address entry flushes that the device can perform within a specific time period after it receives the first TC BPDU stp tc protection threshold numbe...

Page 125: ...it packet number Optional 10 by default Configure the port as an edge port stp edged port enable Required By default no port is an edge port Configure the path cost of the port stp cost cost Optional By default MSTP automatically calculates the path cost of each port Configure the link type of the port stp point to point auto force false force true Optional The default setting is auto namely the d...

Page 126: ... number brief Available in any view View the MST region configuration information that has taken effect display stp region configuration Available in any view View the root bridge information of all MSTIs display stp root Available in any view Clear the statistics information of MSTP reset stp interface interface list Available in user view MSTP Configuration Example Network requirements z All dev...

Page 127: ... MSTI 1 MSTI 3 and MSTI 4 respectively and configure the revision level of the MST region as 0 DeviceA system view DeviceA stp region configuration DeviceA mst region region name example DeviceA mst region instance 1 vlan 10 DeviceA mst region instance 3 vlan 30 DeviceA mst region instance 4 vlan 40 DeviceA mst region revision level 0 Activate MST region configuration DeviceA mst region active reg...

Page 128: ...ew DeviceC stp region configuration DeviceC mst region region name example DeviceC mst region instance 1 vlan 10 DeviceC mst region instance 3 vlan 30 DeviceC mst region instance 4 vlan 40 DeviceC mst region revision level 0 Activate MST region configuration DeviceC mst region active region configuration DeviceC mst region quit Specify the current device as the root bridge of MSTI 4 DeviceC stp in...

Page 129: ...STID Port Role STP State Protection 0 GigabitEthernet2 0 1 DESI FORWARDING NONE 0 GigabitEthernet2 0 2 DESI FORWARDING NONE 0 GigabitEthernet2 0 3 DESI FORWARDING NONE 1 GigabitEthernet2 0 2 DESI FORWARDING NONE 1 GigabitEthernet2 0 3 ROOT FORWARDING NONE 3 GigabitEthernet2 0 1 DESI FORWARDING NONE 3 GigabitEthernet2 0 3 DESI FORWARDING NONE Display brief spanning tree information on Device C Devi...

Page 130: ... 0 2 ALTE DISCARDING NONE 4 GigabitEthernet2 0 3 ROOT FORWARDING NONE Based on the above information you can draw the MSTI corresponding to each VLAN as shown in Figure 1 11 Figure 1 11 MSTIs corresponding to different VLANs ...

Page 131: ...zation Delay 1 8 Enabling LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 8 Configuring the Management Address and Its Encoding Format 1 9 Setting Other LLDP Parameters 1 10 Setting an Encapsulation Format for LLDPDUs 1 10 Configuring CDP Compatibility 1 11 Configuration Prerequisites 1 11 Configuring CDP Compatibility 1 12 Configuring LLDP Trapping 1 12 Displaying and Maintaining LLDP 1 ...

Page 132: ... in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major functions management IP address device ID and port ID as TLV type length and value triplets in LLDPDUs to the directly connected devices and at the same time stores the device information received in LL...

Page 133: ... MAC address the MAC address of the sending bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the received Ethernet frame 2 SNAP encapsulated LLDP frame format Figure 1 2 SNAP encapsulated LLDP frame format The fields in the frame are described in Table 1 ...

Page 134: ...information field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs and LLDP MED media endpoint discovery TLVs Basic management TLVs are essential to device management Organizationally specific TLVs and LLDP MED TLVs are used for enhanced device management they are defi...

Page 135: ...900E support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 1 5 IEEE 802 3 organizationally specific TLVs Type Description MAC PHY Configuration Status Contains the rate and duplex capabilities of the sending port support for auto negotiation enabling status of auto negotiation and the current rate and duplex mode Power Via MDI Contains Power sup...

Page 136: ...nt to advertise power related information according to IEEE 802 3AF Hardware Revision Allows a MED endpoint device to advertise its hardware version Firmware Revision Allows a MED endpoint to advertise its firmware version Software Revision Allows a MED endpoint to advertise its software version Serial Number Allows an LLDP MED endpoint device to advertise its serial number Manufacturer Name Allow...

Page 137: ...bor is discovered that is a new LLDP frame is received carrying device information new to the local device z The LLDP operating mode of the port changes from Disable Rx to TxRx or Tx This is the fast sending mechanism of LLDP With this mechanism a specific number of LLDP frames are sent successively at the 1 second interval to help LLDP neighbors discover the local device as soon as possible Then ...

Page 138: ...steps to enable LLDP To do Use the command Remarks Enter system view system view Enable LLDP globally lldp enable Required By default LLDP is disabled globally Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view port group manual port group name Required Use either command Enable LLDP lldp enable Optional By...

Page 139: ... system view system view Set the LLDP re initialization delay lldp timer reinit delay delay Optional 2 seconds by default Enabling LLDP Polling With LLDP polling enabled a device checks for local configuration changes periodically Upon detecting a configuration change the device sends LLDP frames to inform the neighboring devices of the change Follow these steps to enable LLDP polling To do Use th...

Page 140: ... encoded its management address in character string format you can configure the encoding format of the management address as string on the connecting port to guarantee normal communication with the neighbor Follow these steps to configure a management address to be advertised and its encoding format on one or a group of ports To do Use the command Remarks Enter system view system view Enter Ether...

Page 141: ...er of LLDP frames sent each time fast LLDPDU transmission is triggered lldp fast count count Optional 3 by default z The TTL can be up to 65535 seconds TTLs greater than it will be rounded down to 65535 seconds z LLDPDU transmit delay must be less than the TTL to ensure that the LLDP neighbors can receive LLDP frames to update information about the device you are configuring before it is aged out ...

Page 142: ...need to enable CDP compatibility for your device to work with Cisco IP phones As your LLDP enabled device cannot recognize CDP packets it does not respond to the requests of Cisco IP phones for the voice VLAN ID configured on the device This can cause a requesting Cisco IP phone to send voice traffic without any tag to your device disabling your device to differentiate the voice traffic from other...

Page 143: ...rate in TxRx mode lldp compliance admin status cdp txrx Required By default CDP compatible LLDP operates in disable mode As the maximum TTL allowed by CDP is 255 seconds ensure that the product of the TTL multiplier and the LLDPDU transmit interval is less than 255 seconds for CDP compatible LLDP to work properly with Cisco IP phones Configuring LLDP Trapping LLDP trapping is used to notify the ne...

Page 144: ...stics display lldp statistics global interface interface type interface number Available in any view Display LLDP status of a port display lldp status interface interface type interface number Available in any view Display types of advertisable optional LLDP TLVs display lldp tlv config interface interface type interface number Available in any view LLDP Configuration Examples Basic LLDP Configura...

Page 145: ...ystem view SwitchB lldp enable Enable LLDP on GigabitEthernet2 0 1 you can skip this step because LLDP is enabled on ports by default setting the LLDP operating mode to Tx SwitchB interface gigabitethernet2 0 1 SwitchB GigabitEthernet2 0 1 lldp enable SwitchB GigabitEthernet2 0 1 lldp admin status tx SwitchB GigabitEthernet2 0 1 quit 3 Verify the configuration Display the global LLDP status and po...

Page 146: ...operate in Rx mode that is they only receive LLDP frames Tear down the link between Switch A and Switch B and then display the global LLDP status and port LLDP status on Switch A SwitchA display lldp status Global status of LLDP Enable The current number of LLDP neighbors 1 The current number of CDP neighbors 0 LLDP neighbor information last changed time 0 days 0 hours 5 minutes 20 seconds Transmi...

Page 147: ...IP phones to automatically configure the voice VLAN thus confining their voice traffic within the voice VLAN to be isolated from other types of traffic Figure 1 5 Network diagram for CDP compatible LLDP configuration Configuration procedure 1 Configure a voice VLAN on Switch A Create VLAN 2 SwitchA system view SwitchA vlan 2 SwitchA vlan2 quit Set the link type of GigabitEthernet 2 0 1 and Gigabit...

Page 148: ...thernet2 0 2 lldp enable SwitchA GigabitEthernet2 0 2 lldp admin status txrx SwitchA GigabitEthernet2 0 2 lldp compliance admin status cdp txrx SwitchA GigabitEthernet2 0 2 quit 3 Verify the configuration Display the neighbor information on Switch A SwitchA display lldp neighbor information CDP neighbor information of port 1 GigabitEthernet2 0 1 CDP neighbor index 1 Chassis ID SEP00141CBCDBFE Port...

Page 149: ... Configuration 1 12 Introduction to Protocol Based VLAN 1 12 Configuring a Protocol Based VLAN 1 13 IP Subnet Based VLAN Configuration 1 14 Introduction 1 14 Configuring an IP Subnet Based VLAN 1 14 Displaying and Maintaining VLAN 1 15 VLAN Configuration Example 1 16 2 Super VLAN Configuration 2 1 Overview 2 1 Configuring a Super VLAN 2 1 Displaying and Maintaining Super VLAN 2 2 Super VLAN Config...

Page 150: ...Interface 4 5 Setting a Port to Operate in Manual Voice VLAN Assignment Mode 4 6 Displaying and Maintaining Voice VLAN 4 7 Voice VLAN Configuration Examples 4 7 Automatic Voice VLAN Mode Configuration Example 4 7 Manual Voice VLAN Assignment Mode Configuration Example 4 9 ...

Page 151: ... and excessive broadcasts cannot be avoided on an Ethernet To address the issue virtual LAN VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN VLANs are isolated from each other at Layer 2 A VLAN is a bridging domain and all broadcast traffic is contained within it as shown in...

Page 152: ...tional Ethernet frame IEEE 802 1Q inserts a four byte VLAN tag after the DA SA field as shown in Figure 1 3 Figure 1 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority canonical format indicator CFI and VLAN ID z The 16 bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged z The 3 bit priority field indicates the 802...

Page 153: ... a port at the same time When determining to which VLAN a packet passing through the port should be assigned the device looks up the VLANs in the default order of MAC based VLANs IP based VLANs protocol based VLANs and port based VLANs Configuring Basic VLAN Settings Follow these steps to configure basic VLAN settings To do Use the command Remarks Enter system view system view Create VLANs vlan vl...

Page 154: ...VLAN you can create one VLAN interface You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the VLAN Follow these steps to configure basic settings of a VLAN interface To do Use the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view inte...

Page 155: ...a hybrid port can carry multiple VLANs to receive and send traffic for them Unlike a trunk port a hybrid port allows traffic of all VLANs to pass through VLAN untagged You can configure a port connected to a network device or user terminal as a hybrid port for access link connectivity or trunk connectivity Default VLAN By default VLAN 1 is the default VLAN for all ports You can configure the defau...

Page 156: ...and send the frame Trunk z Remove the tag and send the frame if the frame carries the default VLAN tag and the port belongs to the default VLAN z Send the frame without removing the tag if its VLAN is carried on the port but is different from the default one Hybrid Check whether the default VLAN is permitted on the port z If yes tag the frame with the default VLAN tag z If not drop the frame z Rec...

Page 157: ...yer 2 aggregate interface view interface bridge aggregation interface number Enter interface view including Ethernet interface view Layer 2 aggregate interface view or port group view Enter port group view port group manual port group name Required Use either command z In Ethernet interface view the subsequent configurations apply to the current port z In port group view the subsequent configurati...

Page 158: ...Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view including Ethernet interface view Layer 2 aggregate interface view or port group view Enter port group view port group manual port group name Required Use either command z In Ethernet interface view the subsequent configur...

Page 159: ...p view Follow these steps to assign a hybrid port to one or multiple VLANs To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view including Ethernet interface view Layer 2 aggregate interface view or port group view E...

Page 160: ...oks up other types of VLANs to make the forwarding decision MAC based VLANs are mostly used in conjunction with security technologies such as 802 1X to provide secure flexible network access for terminal devices Approaches to Creating MAC Address to VLAN Mappings In addition to creating MAC address to VLAN mappings at the CLI you can use an authentication server to automatically issue MAC address ...

Page 161: ... this packet processing mode has the highest priority the configuration of MAC learning limit and disabling MAC address learning becomes invalid in this case Therefore you are recommended not to configure these two features together with MAC based dynamic port assignment z In MAC based dynamic port assignment the port that receives a packet with an unknown source MAC address can be successfully as...

Page 162: ...able MAC based dynamic port assignment mac vlan trigger enable Optional Disabled by default Disable the default VLAN of the current port from forwarding packets with unknown source MAC addresses that cannot be matched to any MAC address to VLAN mapping port pvid diable Optional By default when a port receives a packet with an unknown source MAC address that cannot be matched to any MAC address to ...

Page 163: ...ap mode ethernetii etype etype id llc dsap dsap id ssap ssap id ssap ssap id snap etype etype id Required Exit VLAN view quit Required Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use...

Page 164: ...r more information refer to Voice VLAN Configuration z After you configure a command on a Layer 2 aggregate interface the system starts applying the configuration to the aggregate interface and its aggregation member ports If the system fails to do that on the aggregate interface it stops applying the configuration to the aggregation member ports If it fails to do that on an aggregation member por...

Page 165: ...member ports Configure port link type as hybrid port link type hybrid Required Configure the hybrid port s to permit the specified IP subnet based VLANs to pass through port hybrid vlan vlan id list tagged untagged Required Associate the hybrid port s with the specified IP subnet based VLAN port hybrid ip subnet vlan vlan vlan id Required After you configure a command on a Layer 2 aggregate interf...

Page 166: ...formation and IP subnet indexes of specified VLANs display ip subnet vlan vlan vlan id to vlan id all Available in any view Display the IP subnet based VLAN information and IP subnet indexes of specified ports display ip subnet vlan interface interface list all Available in any view Clear statistics on a port reset counters interface interface type interface number Available in user view The reset...

Page 167: ...t2 0 1 port trunk permit vlan 2 6 to 50 100 Please wait Done DeviceA GigabitEthernet2 0 1 quit DeviceA quit 2 Configure Device B as you configure Device A Verification Verifying the configuration on Device A is similar to that of Device B So only Device A is taken for example here Display the information about GigabitEthernet 2 0 1 of Device A to verify the above configurations DeviceA display int...

Page 168: ...CRC 0 frame 0 overruns 0 aborts 0 ignored 0 parity errors Output total 0 packets 0 bytes 0 broadcasts 0 multicasts 0 pauses Output normal 0 packets 0 bytes 0 broadcasts 0 multicasts 0 pauses Output 0 output errors 0 underruns 0 buffer failures 0 aborts 0 deferred 0 collisions 0 late collisions 0 lost carrier 0 no carrier The output above shows that z The port GigabitEthernet 2 0 1 is a trunk port ...

Page 169: ... Layer 2 To enable Layer 3 communication between sub VLANs you should configure the VLAN interface IP address of the associated super VLAN as the gateway IP address This enables multiple sub VLANs to share the same gateway address and thus saves IP address resources After creating a super VLAN and the VLAN interface enable local proxy Address Resolution Protocol ARP on the device The super VLAN ca...

Page 170: ...uration in the Security Volume z You can configure Layer 2 multicast for a super VLAN However the configuration cannot take effect z You can configure DHCP Layer 3 multicast dynamic routing and NAT for the VLAN interface of a super VLAN However only DHCP can take effect z Configuring VRRP for the VLAN interface of a super VLAN affects network performance Therefore you are recommended not to config...

Page 171: ...ernet 2 0 1 gigabitethernet 2 0 2 Create VLAN 3 and assign GigabitEthernet 2 0 3 and GigabitEthernet 2 0 4 to it Sysname vlan2 quit Sysname vlan 3 Sysname vlan3 port gigabitethernet 2 0 3 gigabitethernet 2 0 4 Create VLAN 5 and assign GigabitEthernet 2 0 5 and GigabitEthernet 2 0 6 to it Sysname vlan3 quit Sysname vlan 5 Sysname vlan5 port gigabitethernet 2 0 5 gigabitethernet 2 0 6 Configure VLAN...

Page 172: ...on VLAN 0002 Name VLAN 0002 Tagged Ports none Untagged Ports GigabitEthernet2 0 1 GigabitEthernet2 0 2 VLAN ID 3 VLAN Type static It is a Sub VLAN Route Interface not configured Description VLAN 0003 Name VLAN 0003 Tagged Ports none Untagged Ports GigabitEthernet2 0 3 GigabitEthernet2 0 4 VLAN ID 5 VLAN Type static It is a Sub VLAN Route Interface not configured Description VLAN 0005 Name VLAN 000...

Page 173: ... of only the isolate user VLAN but not the secondary VLANs network configuration is simplified and VLAN resources are saved z You can isolate the Layer 2 traffic of different users by assigning the ports connected to them to different secondary VLANs To enable communication between secondary VLANs associated with the same isolate user VLAN you can enable local proxy ARP on the upstream device to r...

Page 174: ...s port Refer to Assigning an Access Port to a VLAN Assign ports to the isolate user VLAN and ensure that at least one port takes the isolate user VLAN as its default VLAN Hybrid port Refer to Assigning a Hybrid Port to a VLAN Use either approach Return to system view quit Create secondary VLANs vlan vlan id1 to vlan id2 all Required Quit to system view quit Access port Refer to Assigning an Access...

Page 175: ...ernet 2 0 5 to VLAN 5 and associate VLAN 5 with secondary VLANs VLAN 2 and VLAN 3 Assign GigabitEthernet 2 0 2 to VLAN 2 and GigabitEthernet 2 0 1 to VLAN 3 z Configure VLAN 6 on Device C as an isolate user VLAN assign the uplink port GigabitEthernet 2 0 5 to VLAN 6 and associate VLAN 6 with secondary VLANs VLAN 3 and VLAN 4 Assign GigabitEthernet 2 0 3 to VLAN 3 and GigabitEthernet 2 0 4 to VLAN ...

Page 176: ...C vlan6 isolate user vlan enable DeviceC vlan6 port gigabitethernet 2 0 5 DeviceC vlan6 quit Configure the secondary VLANs DeviceC vlan 3 DeviceC vlan3 port gigabitethernet 2 0 3 DeviceC vlan3 quit DeviceC vlan 4 DeviceC vlan4 port gigabitethernet 2 0 4 Associate the isolate user VLAN with the secondary VLANs DeviceC vlan4 quit DeviceC isolate user vlan 6 secondary 3 to 4 Verification Display the ...

Page 177: ...ace not configured Description VLAN 0002 Name VLAN 0002 Tagged Ports none Untagged Ports GigabitEthernet2 0 2 GigabitEthernet2 0 5 VLAN ID 3 VLAN Type static Isolate user VLAN type secondary Route Interface not configured Description VLAN 0003 Name VLAN 0003 Tagged Ports none Untagged Ports GigabitEthernet2 0 1 GigabitEthernet2 0 5 DeviceB ...

Page 178: ...quality A device determines whether a received packet is a voice packet by checking its source MAC address A packet whose source MAC address complies with the voice device Organizationally Unique Identifier OUI address is regarded as voice traffic You can configure the OUI addresses in advance or use the default OUI addresses Table 4 1 lists the default OUI address for each vendor s devices Table ...

Page 179: ... on the device The system will remove a port from the voice VLAN if no packet is received from the port after the aging time expires Assigning removing ports to from a voice VLAN are automatically performed by the system z In manual mode you should assign an IP phone connecting port to a voice VLAN manually Then the system matches the source MAC addresses in the packets against the OUI addresses I...

Page 180: ...ffic to realize the voice VLAN feature you must configure the default VLAN of the connecting port as the voice VLAN In this case 802 1X authentication function cannot be realized z The default VLANs for all ports are VLAN 1 You can configure the default VLAN of a port and configure a port to permit a certain VLAN to pass through with commands For more information refer to Port Based VLAN Configura...

Page 181: ...for the device it is forwarded in the voice VLAN otherwise it is dropped Security mode Packets carrying other tags Forwarded or dropped depending on whether the port allows packets of these VLANs to pass through Untagged packets Packets carrying the voice VLAN tag The port does not check the source MAC addresses of inbound packets All types of packets can be transmitted in the voice VLAN Normal mo...

Page 182: ... mode on a hybrid port can process only tagged voice traffic Therefore do not configure a VLAN as both a protocol based VLAN and a voice VLAN For more information refer to Protocol Based VLAN Configuration Configuring the Priority Trust Setting for Voice VLAN Traffic on an Interface In order to improve transmission quality of voice traffic the device by default does not trust the priority carried ...

Page 183: ...ersed your priority trust setting will fail z The voice vlan qos cos value dscp value command and the voice vlan qos trust command can overwrite the other whichever is configured the last Setting a Port to Operate in Manual Voice VLAN Assignment Mode Follow these steps to set a port to operate in manual voice VLAN assignment mode To do Use the command Remarks Enter system view system view Enable t...

Page 184: ...VLAN and this voice VLAN must be a static VLAN that already exists on the device z Voice VLAN cannot be enabled on a port with Link Aggregation Control Protocol LACP enabled z To make voice VLAN take effect on a port that is enabled with voice VLAN and operates in manual voice VLAN assignment mode you need to assign the port to the voice VLAN manually Displaying and Maintaining Voice VLAN To do Us...

Page 185: ...voice VLANs to work in security mode that is configure the voice VLANs to transmit only voice packets Optional By default voice VLANs work in security mode DeviceA voice vlan security enable Configure the allowed OUI addresses as MAC addresses prefixed by 0011 1100 0000 or 0011 2200 0000 In this way Device A identifies packets whose MAC addresses match any of the configured OUI addresses as voice ...

Page 186: ... Philips NEC phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current states of voice VLANs DeviceA display voice vlan state Maximum of Voice VLANs 128 Current Voice VLANs 2 Voice VLAN security mode Security Voice VLAN aging time 30 minutes Voice VLAN enabled port and its mode PORT VLAN MODE COS DSCP GigabitEthernet2 0 1 2 AUTO 6 46 GigabitEthe...

Page 187: ...d port DeviceA GigabitEthernet2 0 1 port link type hybrid Configure the voice VLAN VLAN 2 as the default VLAN of GigabitEthernet 2 0 1 and configure GigabitEthernet 2 0 1 to permit the voice traffic of VLAN 2 to pass through untagged DeviceA GigabitEthernet2 0 1 port hybrid pvid vlan 2 DeviceA GigabitEthernet2 0 1 port hybrid vlan 2 untagged Enable voice VLAN on GigabitEthernet 2 0 1 DeviceA Gigab...

Page 188: ...one Display the current voice VLAN state DeviceA display voice vlan state Maximum of Voice VLANs 128 Current Voice VLANs 1 Voice VLAN security mode Security Voice VLAN aging time 1440 minutes Voice VLAN enabled port and its mode PORT VLAN MODE COS DSCP GigabitEthernet2 0 1 2 MANUAL 6 46 ...

Page 189: ...P 1 4 Protocols and Standards 1 4 Configuring GVRP 1 4 Configuring GVRP Functions 1 4 Configuring GARP Timers 1 5 Displaying and Maintaining GVRP 1 6 GVRP Configuration Examples 1 7 GVRP Configuration Example I 1 7 GVRP Configuration Example II 1 8 GVRP Configuration Example III 1 9 ...

Page 190: ...GARP messages and timers 1 GARP messages A GARP participant exchanges information with other GARP participants by sending the following three types of messages z Join messages to register with other entities its attributes the attributes received from other GARP application entities and the attributes manually configured on it z Leave messages to have its attributes deregistered on other devices A...

Page 191: ...ch as GVRP on a LAN z Unlike other three timers which are set on a port basis the LeaveAll timer is set in system view and takes effect globally z A GARP participant may send LeaveAll messages at the interval set by its LeaveAll timer or the LeaveAll timer on another device on the network whichever is smaller This is because each time a device on the network receives a LeaveAll message it resets i...

Page 192: ...LAN ID attribute Attribute List Contains one or multiple attributes Attribute Consists of an Attribute Length an Attribute Event and an Attribute Value Attribute Length Number of octets occupied by an attribute inclusive of the attribute length field 2 to 255 in bytes Attribute Event Event described by the attribute 0 LeaveAll event 1 JoinEmpty event 2 JoinIn event 3 LeaveEmpty event 4 LeaveIn eve...

Page 193: ...opagate information about dynamic VLANs but allows the port to propagate information about static VLANs A trunk port with fixed registration type thus allows only manually configured VLANs to pass through even though it is configured to carry all VLANs z Forbidden Disables the port to dynamically register and deregister VLANs and to propagate VLAN information except information about VLAN 1 A trun...

Page 194: ...emote probe VLAN to unexpected ports resulting in undesired duplicates to be received by the monitor port For more information about port mirroring refer to Port Mirroring Configuration in the Access Volume z Enabling GVRP on a Layer 2 aggregate interface enables both the aggregate interface and all selected member ports in the corresponding link aggregation group to participate in dynamic VLAN re...

Page 195: ...e timer When configuring GARP timers note that their values are dependent on each other and must be a multiple of five centiseconds If the value range for a timer is not desired you may change it by tuning the value of another related timer as shown in the following table Table 1 2 Dependencies of GARP timers Timer Lower limit Upper limit Hold 10 centiseconds Not greater than half of the join time...

Page 196: ...ion interface interface type interface number Available in any view Clear the GARP statistics reset garp statistics interface interface list Available in user view GVRP Configuration Examples GVRP Configuration Example I Network requirements Configure GVRP for dynamic VLAN information registration and update among devices adopting the normal registration mode on ports Network diagram Figure 1 2 Ne...

Page 197: ...eate VLAN 3 a static VLAN DeviceB vlan 3 3 Verify the configuration Display dynamic VLAN information on Device A DeviceA display vlan dynamic Now the following dynamic VLAN exist s 3 Display dynamic VLAN information on Device B DeviceB display vlan dynamic Now the following dynamic VLAN exist s 2 GVRP Configuration Example II Network requirements Configure GVRP for dynamic VLAN information registr...

Page 198: ...t 2 0 1 as a trunk port allowing all VLANs to pass through DeviceB interface GigabitEthernet 2 0 1 DeviceB GigabitEthernet2 0 1 port link type trunk DeviceB GigabitEthernet2 0 1 port trunk permit vlan all Enable GVRP on GigabitEthernet 2 0 1 DeviceB GigabitEthernet2 0 1 gvrp DeviceB GigabitEthernet2 0 1 quit Create VLAN 3 a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN...

Page 199: ...itEthernet2 0 1 gvrp registration forbidden DeviceA GigabitEthernet2 0 1 quit Create VLAN 2 a static VLAN DeviceA vlan 2 2 Configure Device B Enable GVRP globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 2 0 1 as a trunk port allowing all VLANs to pass through DeviceB interface GigabitEthernet 2 0 1 DeviceB GigabitEthernet2 0 1 port link type trunk DeviceB GigabitEthernet2 0...

Page 200: ...1 11 DeviceB display vlan dynamic No dynamic vlans exist ...

Page 201: ... QinQ 1 3 Modification of the TPID Value in VLAN Tags 1 3 Configuring Outer VLAN Tag Priority 1 5 Protocols and Standards 1 5 Configuring Basic QinQ 1 5 Enabling Basic QinQ 1 5 Configuring VLAN Transparent Transmission 1 6 Configuring Selective QinQ 1 7 Configuring the TPID of a VLAN Tag 1 8 Configure Outer VLAN Tag Priority 1 9 QinQ Configuration Example 1 10 ...

Page 202: ...N tag in Ethernet frames from customer networks private networks so that the Ethernet frames will travel across the service provider network public network with double VLAN tags QinQ enables a service provider to use a single SVLAN to serve customers who have multiple CVLANs Background and Benefits In the VLAN tag field defined in IEEE 802 1Q only 12 bits are used for VLAN IDs As a result a device...

Page 203: ...ugh 20 The SVLAN allocated by the service provider for customer network A is SVLAN 3 and that for customer network B is SVLAN 4 When a tagged Ethernet frame of customer network A enters the service provider network it is tagged with outer VLAN 3 when a tagged Ethernet frame of customer network B enters the service provider network it is tagged with outer VLAN 4 In this way there is no overlap of V...

Page 204: ...ther the frame is tagged or untagged If the received frame is already tagged it becomes a double tagged frame if it is untagged it becomes a frame tagged with the port s default VLAN tag 2 Selective QinQ Selective QinQ is an implementation more flexible than basic QinQ In addition to all the functions of basic QinQ selective QinQ can tag frames with different outer VLAN tags based on their inner V...

Page 205: ...as VLAN untagged the switch tags the frame with the default VLAN tag of the receiving port This default VLAN tag uses the TPID that you have configured z The TPID value in service provider network VLAN tags The switch uses it to determine whether a frame received from the service provider network is VLAN tagged In addition the switch uses the configured TPID in the outer VLAN tag for customer netw...

Page 206: ...ased on inner VLAN tag priority configure an action of marking traffic with outer VLAN tag priority in the traffic behavior Protocols and Standards IEEE 802 1Q IEEE standard for local and metropolitan area networks Virtual Bridged Local Area Networks Configuring Basic QinQ Enabling Basic QinQ Follow these steps to enable basic QinQ To do Use the command Remarks Enter system view system view Enter ...

Page 207: ...N Transparent Transmission When basic QinQ is enabled on a port all packets passing through the port will be tagged with the port s default VLAN tag However by configuring the VLAN transparent transmission function on a port you can specify the port not to add its default VLAN tag to packets carrying specific inner VLAN tag s when they pass through it so that these packets are transmitted in the s...

Page 208: ...view Create a class and enter class view traffic classifier classifier name operator and or Required By default the relationship between the match criteria in a class is logical AND Specify the inner VLAN ID s of matching frames if match customer vlan id vlan id list Required Exit to system view quit Create a traffic behavior and enter traffic behavior view traffic behavior behavior name Required ...

Page 209: ...all ports in the port group Enable basic QinQ qing enable Required Apply the QoS policy in the inbound direction qos apply policy policy name inbound Required z Before enabling selective QinQ on a port enable basic QinQ on the port first Selective QinQ enjoys higher priority than basic QinQ Therefore a received frame will be tagged with an outer VLAN ID based on basic QinQ only after it fails to m...

Page 210: ...ault Configure Outer VLAN Tag Priority Following these steps to configure outer VLAN tag priority To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier classifier name operator and or Required By default the keyword and is used Configure to classify traffic based on inner VLAN if match customer vlan id vlan id list Configure the matching...

Page 211: ...the port qos apply policy policy name inbound Required The configuration of outer VLAN tag priority is achieved through QoS policies For more information about QoS policies refer to the part talking about QoS in the QoS Volume QinQ Configuration Example Network requirements z Provider A and Provider B are service provider network access devices z Customer A Customer B Customer C and Customer D are...

Page 212: ...e the port as a hybrid port permitting frames of VLAN 1000 VLAN 2000 and VLAN 3000 to pass through with the outer VLAN tag removed ProviderA interface gigabitethernet 2 0 1 ProviderA GigabitEthernet2 0 1 port link type hybrid ProviderA GigabitEthernet2 0 1 port hybrid vlan 1000 2000 3000 untagged Configure VLAN 3000 as the default VLAN of GigabitEthernet 2 0 1 and enable basic QinQ on GigabitEther...

Page 213: ...derA qospolicy qinq classifier A20 behavior P2000 ProviderA qospolicy qinq quit Apply the QoS policy qinq in the inbound direction of GigabitEthernet 2 0 1 ProviderA interface GigabitEthernet 2 0 1 ProviderA GigabitEthernet2 0 1 qos apply policy qinq inbound z Configuration on GigabitEthernet 2 0 2 Configure VLAN 1000 as the default VLAN ProviderA interface gigabitethernet 2 0 2 ProviderA GigabitE...

Page 214: ... 2 ProviderB GigabitEthernet2 0 2 port access vlan 2000 Enable basic QinQ Tag frames from VLAN 20 with the outer VLAN tag 2000 ProviderB GigabitEthernet2 0 2 qinq enable ProviderB GigabitEthernet2 0 2 quit z Configuration on GigabitEthernet 2 0 3 Configure VLAN 3000 as the default VLAN ProviderB interface GigabitEthernet 2 0 3 ProviderB GigabitEthernet2 0 3 port access vlan 3000 Enable basic QinQ ...

Page 215: ...eling Implementation 1 2 Configuring BPDU Tunneling 1 4 Configuration Prerequisites 1 4 Enabling BPDU Tunneling 1 4 Configuring Destination Multicast MAC Address for BPDUs 1 5 BPDU Tunneling Configuration Examples 1 5 BPDU Tunneling for STP Configuration Example 1 5 BPDU Tunneling for PVST Configuration Example 1 6 ...

Page 216: ...hich belong to VLAN 100 User A s network is divided into network 1 and network 2 which are connected by the service provider network When Layer 2 protocol packets cannot be transparently transmitted in the service provider network User A s network cannot implement independent Layer 2 protocol calculation for example STP spanning tree calculation In this case the Layer 2 protocol calculation in Use...

Page 217: ... protocols are all similar This section describes how BPDU tunneling is implemented by taking the Spanning Tree Protocol STP as an example z The term STP in this document is in a broad sense It includes STP RSTP and MSTP z STP calculates the topology of a network by transmitting BPDUs among devices in the network For details refer to MSTP Configuration in the Access Volume To avoid loops in your n...

Page 218: ...of the customer network to be transparently transmitted in the service provider network thus ensuring consistent spanning tree calculation of User A network without affecting the spanning tree calculation of the service provider network Assume a BPDU is sent from User A network 1 to User A network 2 z At the ingress of the service provider network PE 1 changes the destination MAC address of the BP...

Page 219: ...col before enabling BPDU tunneling for PVST on a port you need to disable STP and then enable BPDU tunneling for STP on the port first z Before enabling BPDU tunneling for LACP on aggregation group member port remove the port from the aggregation group first Enabling BPDU tunneling for a protocol in Ethernet interface view or port group view Follow these steps to enable BPDU tunneling for a protoc...

Page 220: ...nel dmac mac address Optional 0x010F E200 0003 by default For BPDUs to be recognized the destination multicast MAC addresses configured for BPDU tunneling must be the same on the edge devices on the service provider network BPDU Tunneling Configuration Examples BPDU Tunneling for STP Configuration Example Network requirements As shown in Figure 1 3 z CE 1 and CE 2 are edges devices on the geograph...

Page 221: ...et2 0 1 bpdu tunnel dot1q stp 2 Configuration on PE 2 Configure the destination multicast MAC address for BPDUs as 0x0100 0CCD CDD0 PE2 system view PE2 bpdu tunnel tunnel dmac 0100 0ccd cdd0 Create VLAN 2 and assign GigabitEthernet 2 0 2 to VLAN 2 PE2 vlan 2 PE2 vlan2 quit PE2 interface gigabitethernet 2 0 2 PE2 GigabitEthernet2 0 2 port access vlan 2 Disable STP on GigabitEthernet 2 0 2 and then ...

Page 222: ...ign it to all VLANs PE1 interface gigabitethernet 2 0 1 PE1 GigabitEthernet2 0 1 port link type trunk PE1 GigabitEthernet2 0 1 port trunk permit vlan all Disable STP on GigabitEthernet 2 0 1 and then enable BPDU tunneling for STP and PVST on it PE1 GigabitEthernet2 0 1 undo stp enable PE1 GigabitEthernet2 0 1 bpdu tunnel dot1q stp PE1 GigabitEthernet2 0 1 bpdu tunnel dot1q pvst 2 Configuration on ...

Page 223: ...ed 1 4 VLAN Mapping Configuration Task List 1 6 Configuring One to One VLAN Mapping 1 7 Configuring One to One VLAN Mapping 1 7 Configuring Many to One VLAN Mapping 1 9 Configuring Many to One VLAN Mapping 1 9 Configuring One to Two VLAN Mapping 1 11 Configuring Two to Two VLAN Mapping 1 12 VLAN Mapping Configuration Examples 1 15 One to One Many to One VLAN Mapping Configuration Example 1 15 One ...

Page 224: ...e than two VLANs to the same SVLAN ID z One to two VLAN mapping that maps traffic with the inner VLAN ID to the inner VLAN ID and the SVLAN ID z Two to two VLAN mapping that maps traffic with outer and inner VLAN IDs to the service provider outer and the inner VLAN IDs Only SC SD and EB boards support these four types of VLAN mappings The SA and EA boards support only one to one VLAN mapping For d...

Page 225: ... using the same service you need to perform one to one VLAN mapping to map the service traffic to different VLANs by user on the corridor switches However an access device on the distribution layer is likely unable to support the number of VLANs required for this type of VLAN mapping To reduce the number of VLANs required on the edge device at the distribution layer you can adopt many to one VLAN ...

Page 226: ...users to plan their own CVLAN IDs independent of SP network VLAN IDs thus saving the VLAN resources of SPs When the double tagged packet enters the SP 2 network PE 3 replaces the outer VLAN tag VLAN 100 with VLAN 200 the VLAN ID assigned by SP 2 to the VPN A user For the packet to reach the VPN A user in Site 2 which belongs to VLAN 30 PE 3 replaces the inner tag VLAN 10 of the packet with VLAN 30...

Page 227: ...ng downlink traffic z Downlink port A port transmitting downlink traffic and receiving uplink traffic z Uplink policy A QoS policy containing VLAN mappings for uplink traffic z Downlink policy A QoS policy containing VLAN mappings for downlink traffic How VLAN Mapping Is Implemented This section describes how VLAN mapping is implemented on your device One to one VLAN mapping On the downlink port F...

Page 228: ...ink traffic For downlink traffic Do Based on Do Based on Tag the CVLAN tagged traffic with the SVLAN Uplink policy in the inbound direction Forward traffic with the outer VLAN tag the SVLAN removed You need to configure the downlink port as a hybrid port to forward SVLAN frames with the outer VLAN tag removed Two to two VLAN mapping In two to two VLAN mapping the outer VLAN and the inner VLAN carr...

Page 229: ...Configuring One to One VLAN Mapping Optional Perform this configuration on the corridor switches shown in Figure 1 1 Configuring Many to One VLAN Mapping Optional Perform this configuration on the campus switches shown in Figure 1 1 Configuring One to Two VLAN Mapping Optional Perform this configuration on the edge devices from which user traffic enters the SP network Examples are Device A and Dev...

Page 230: ...pping To do Use the command Remarks Enter system view system view Create a VLAN vlan vlan id Create a CVLAN and a SVLAN Exit to system view quit Required By default only the default VLAN VLAN 1 exists Repeat these steps for all CVLANs and SVLANs involved in VLAN mapping Configure an uplink policy to map the CVLAN to the SVLAN Refer to Table 1 1 Required Configure a downlink policy to map the SVLAN...

Page 231: ...red Exit to system view quit Create a traffic behavior and enter traffic behavior view traffic behavior behavior name Required Specify the SVLAN for the VLAN mapping remark service vlan id vlan id value Required Exit to system view quit Create a QoS policy and enter QoS policy view qos policy policy name Required Map the CVLAN to the SVLAN by associating the traffic class with the traffic behavior...

Page 232: ...edure Follow these steps to configure a many to one VLAN mapping To do Use the command Remarks Enter system view system view Enable DHCP snooping dhcp snooping Required Disabled by default Create a VLAN and enter VLAN view vlan vlan id Enable ARP detection arp detection enable Enable ARP detection on the CVLANs and the SVLAN for the VLAN mapping Exit to system view quit Required Disabled by defaul...

Page 233: ...ss through port trunk permit vlan vlan id list all Required By default a trunk port permits only VLAN 1 to pass through Enable service provider side QinQ qinq enable uplink Required Disabled by default Table 1 3 Configure an uplink policy To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator or Required Specify the CVLA...

Page 234: ...rm one to two VLAN mapping on the edge devices from which customer traffic enters SP networks on Device A and Device D in Figure 1 2 for example Follow these steps to configure a one to two VLAN mapping To do Use the command Remarks Enter system view system view Configure an uplink policy for the downlink port to tag CVLAN tagged frames with an SVLAN Refer to Table 1 4 Required Enter the interface...

Page 235: ...or behavior name Required Specify the SVLAN for the VLAN mapping nest top most vlan id vlan id value dot1p dot1p cos value Required Exit to system view quit Create a QoS policy and enter QoS policy view qos policy policy name Required Map the CVLAN to the CVLAN and the SVLAN by associating the traffic class with the traffic behavior classifier tcl name behavior behavior name Required Exit to syste...

Page 236: ... Required By default a trunk port permits only the packets of VLAN 1 to pass through Apply the uplink policy for the downlink port to the inbound direction of the downlink port qos apply policy policy name inbound Required Apply the downlink policy for the downlink port to the outbound direction of the downlink port qos apply policy policy name outbound Required Exit to system view quit Enter the ...

Page 237: ... to the new CVLAN by associating the traffic class with the traffic behavior classifier tcl name behavior behavior name Required Exit to system view quit Table 1 6 Configure an uplink policy for the downlink port To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Required Specify the original CVLAN for the VLA...

Page 238: ...behavior behavior name Required Specify the original CVLAN used for replacing the new CVLAN remark customer vlan id vlan id value Required Specify the original SVLAN used for replacing the new SVLAN remark service vlan id vlan id value Required Exit to system view quit Create a QoS policy and enter QoS policy view qos policy policy name Required Map the new CVLAN and SVLAN to the original CVLAN an...

Page 239: ...1 VLAN 201 300 VLAN 502 VLAN 301 400 VLAN 503 VLAN 1 VLAN 111 VLAN 2 VLAN 211 VLAN 3 VLAN 311 VLAN 1 VLAN 112 VLAN 2 VLAN 212 VLAN 3 VLAN 312 VLAN 111 210 VLAN 501 VLAN 211 310 VLAN 502 VLAN 311 410 VLAN 503 GE2 0 1 GE2 0 2 GE2 0 3 GE2 0 1 GE2 0 2 GE2 0 3 GE2 0 1 GE2 0 2 GE2 0 3 Switch D DHCP client DHCP server Campus switch Corridor switch Corridor switch GE2 0 1 Home gateway Home gateway Home ga...

Page 240: ...olicy p1 classifier c1 behavior b1 SwitchA policy p1 classifier c2 behavior b2 SwitchA policy p1 classifier c3 behavior b3 SwitchA policy p1 quit SwitchA qos policy p2 SwitchA policy p2 classifier c1 behavior b4 SwitchA policy p2 classifier c2 behavior b5 SwitchA policy p2 classifier c3 behavior b6 SwitchA policy p2 quit Configure downlink policies to map the SVLANs to the original CVLANs SwitchA ...

Page 241: ...y the uplink policy p1 to the inbound direction of GigabitEthernet 2 0 1 SwitchA GigabitEthernet2 0 1 qos apply policy p1 inbound Apply the downlink policy p11 to the outbound direction of GigabitEthernet 2 0 1 SwitchA GigabitEthernet2 0 1 qos apply policy p11 outbound SwitchA GigabitEthernet2 0 1 quit Configure GigabitEthernet 2 0 2 to permit frames of the specified CVLANs and SVLANs to pass thro...

Page 242: ...c behavior b3 SwitchB behavior b3 remark service vlan id 311 SwitchB behavior b3 traffic behavior b4 SwitchB behavior b4 remark service vlan id 112 SwitchB behavior b4 traffic behavior b5 SwitchB behavior b5 remark service vlan id 212 SwitchB behavior b5 traffic behavior b6 SwitchB behavior b6 remark service vlan id 312 SwitchB behavior b6 quit SwitchB qos policy p1 SwitchB policy p1 classifier c1...

Page 243: ...ifier c44 behavior b11 SwitchB policy p22 classifier c55 behavior b22 SwitchB policy p22 classifier c66 behavior b33 SwitchB policy p22 quit Configure GigabitEthernet 2 0 1 to permit frames of the specified CVLANs and SVLANs to pass through SwitchB interface gigabitethernet 2 0 1 SwitchB GigabitEthernet2 0 1 port link type trunk SwitchB GigabitEthernet2 0 1 port trunk permit vlan 1 2 3 111 211 311...

Page 244: ...on each VLAN involved in VLAN mapping SwitchC vlan 101 SwitchC vlan101 arp detection enable SwitchC vlan101 vlan 201 SwitchC vlan201 arp detection enable SwitchC vlan201 vlan 301 SwitchC vlan301 arp detection enable SwitchC vlan301 vlan 102 SwitchC vlan102 arp detection enable SwitchC vlan102 vlan 202 SwitchC vlan202 arp detection enable SwitchC vlan202 vlan 302 SwitchC vlan302 arp detection enabl...

Page 245: ...3 SwitchC behavior b3 remark service vlan id 503 SwitchC behavior b3 quit SwitchC qos policy p1 SwitchC policy p1 classifier c1 behavior b1 mode dot1q tag manipulation SwitchC policy p1 classifier c2 behavior b2 mode dot1q tag manipulation SwitchC policy p1 classifier c3 behavior b3 mode dot1q tag manipulation SwitchC policy p1 classifier c4 behavior b1 mode dot1q tag manipulation SwitchC policy p...

Page 246: ...0 3 arp detection trust Enable SP side QinQ on GigabitEthernet 2 0 3 SwitchC GigabitEthernet2 0 3 qinq enable uplink 4 Configuration on Switch D SwitchD system view Enable DHCP snooping SwitchD dhcp snooping Configure GigabitEthernet 2 0 1 to permit frames of the specified SVLANs to pass through SwitchD interface gigabitethernet 2 0 1 SwitchD GigabitEthernet2 0 1 port link type trunk SwitchD Gigab...

Page 247: ...nest quit DeviceA qos policy nest DeviceA qospolicy nest classifier nest behavior nest DeviceA qospolicy nest quit Configure GigabitEthernet 2 0 1 to forward the traffic of VLAN 100 with the outer VLAN tag removed DeviceA interface gigabitethernet 2 0 1 DeviceA GigabitEthernet2 0 1 port link type hybrid DeviceA GigabitEthernet2 0 1 port hybrid vlan 100 untagged Enable basic QinQ on GigabitEthernet...

Page 248: ...ng VPN 1 traffic on GigabitEthernet 2 0 1 DeviceC traffic behavior downlink_in DeviceC behavior downlink_in remark service vlan id 200 DeviceC behavior downlink_in quit Configure an uplink policy to map the original SVLAN and CVLAN to the new SVLAN DeviceC qos policy downlink_in DeviceC qospolicy downlink_in classifier downlink_in behavior downlink_in DeviceC qospolicy downlink_in quit Specify the...

Page 249: ...k policies to GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 DeviceC interface gigabitethernet 2 0 1 DeviceB GigabitEthernet2 0 1 port link type trunk DeviceB GigabitEthernet2 0 1 port trunk permit vlan 200 DeviceC GigabitEthernet2 0 1 qos apply policy downlink_in inbound DeviceC GigabitEthernet2 0 1 qos apply policy downlink_out outbound DeviceC GigabitEthernet2 0 1 quit DeviceC interface gigabi...

Page 250: ...outer VLAN tag removed DeviceD interface gigabitethernet 2 0 2 DeviceD GigabitEthernet2 0 2 port link type hybrid DeviceD GigabitEthernet2 0 2 port hybrid vlan 200 untagged Enable basic QinQ on GigabitEthernet 2 0 2 DeviceD GigabitEthernet2 0 2 qinq enable Apply the uplink policy nest to the inbound direction of GigabitEthernet 2 0 2 DeviceD GigabitEthernet2 0 2 qos apply policy nest inbound Devic...

Page 251: ...Configuring Local Mirroring Groups 1 13 Configuring Mirroring Ports for a Local Mirroring Group 1 13 Configuring the Monitor Port for a Local Mirroring Group 1 14 Configuring Local Port Mirroring for an ONU 1 15 Displaying and Maintaining Port Mirroring 1 16 Port Mirroring Configuration Examples 1 16 Local Port Mirroring Configuration Example in Mirroring Port Mode 1 16 Layer 2 Remote Port Mirrori...

Page 252: ... on the same device z Layer 2 remote port mirroring In Layer 2 remote port mirroring the mirroring port and the monitor port are located on different devices on a same Layer 2 network z Layer 3 remote port mirroring In Layer 3 remote port mirroring the mirroring port and the monitor port are separated by IP networks z As a monitor port can monitor multiple ports it may receive multiple duplicates ...

Page 253: ...ing port are mirrored to the monitor port for the data monitoring device to analyze The mirroring ports and the monitor port in a local mirroring group can be located on different LPUs of a same device Layer 2 remote port mirroring Layer 2 remote port mirroring is implemented through the cooperation between a remote source mirroring group and a remote destination mirroring group as shown in Figure...

Page 254: ... adding the other ports on the source device to the remote probe VLAN z For the mirrored packets to be forwarded to the monitor port ensure that the same probe VLAN is configured in the remote source and destination mirroring groups z To make the port mirroring function work properly before configuring bidirectional traffic mirroring on a port in a mirroring group you need to use the mac address m...

Page 255: ...h the mirroring port or CPU on the source device z For more information about GRE tunnels see Tunnel Configuration in the IP Services Volume z Only the SD and EB series LPUs support Layer 3 remote port mirroring Configuring Local Port Mirroring Local Port Mirroring Configuration Task List Configuring local port mirroring is to configure local mirroring groups A local mirroring group comprises one ...

Page 256: ...ng ports in system view Follow these steps to configure mirroring ports for a local mirroring group in system view To do Use the command Remarks Enter system view system view Configure mirroring ports mirroring group group id mirroring port mirroring port list both inbound outbound Required By default no mirroring port is configured for a mirroring group Configuring a mirroring port in interface v...

Page 257: ...eps to configure the monitor port of a local mirroring group in interface view To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the current port as the monitor port mirroring group group id monitor port Required By default a port does not serve as the monitor port for any mirroring group z A mirroring group contain...

Page 258: ...ce device then configure the remote probe VLAN and the monitor port for the remote destination mirroring group on the destination device Complete these tasks to configure Layer 2 remote port mirroring Task Remarks Creating a remote source mirroring group Required Configuring mirroring ports for the remote source mirroring group Required Configuring the egress port for the remote source mirroring g...

Page 259: ...irroring port in interface view To assign multiple ports to the mirroring group as mirroring ports in interface view repeat the step z Configuring mirroring ports in system view Follow these steps to configure mirroring ports for the remote source mirroring group in system view To do Use the command Remarks Enter system view system view Configure mirroring ports for the remote source mirroring gro...

Page 260: ...efault no egress port is configured for a mirroring group z Configuring the egress port in interface view Follow these steps to configure the egress port for the remote source mirroring group in interface view To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the current port as the egress port mirroring group group...

Page 261: ...g group Follow these steps to create a remote destination mirroring group To do Use the command Remarks Enter system view system view Create a remote destination mirroring group mirroring group group id remote destination Required By default no mirroring group exists on a device Configuring the monitor port for the remote destination mirroring group You can configure the monitor port for a mirrori...

Page 262: ...raffic and normally forwarded traffic z A port connected to an RRPP ring cannot be configured as the monitor port of a port mirroring group Configuring the remote probe VLAN for the remote destination mirroring group Follow these steps to configure the remote probe VLAN for the remote destination mirroring group To do Use the command Remarks Enter system view system view Configure the remote probe...

Page 263: ...onfigure mirroring port and the monitor port for each mirroring group The source and destination devices are connected by a tunnel z On the source device you need to configure the port you want to monitor as the mirroring port and configure the tunnel interface as the monitor port z On the destination device you need to configure the physical port corresponding to the tunnel interface as the mirro...

Page 264: ... you want to monitor as the mirroring ports on the destination device configure the physical port corresponding to the tunnel interface as the mirroring port You can configure a list of mirroring ports for a mirroring group at a time in system view or assign only the current port to it as a mirroring port in interface view To assign multiple ports to the mirroring group as mirroring ports in inter...

Page 265: ... to a mirroring group as the monitor port in interface view The two modes lead to the same result Configuring the monitor port in system view Follow these steps to configure the monitor port for a local mirroring group in system view To do Use the command Remarks Enter system view system view Configure the monitor port mirroring group group id monitor port monitor port id Required By default no mo...

Page 266: ... switch can configure local port mirroring for ONUs to mirror the incoming or outgoing traffic of an UNI of an ONU to another UNI of the ONU Follow these steps to configure local port mirroring for UNIs To do Use the command Remarks Enter system view system view Enter ONU port view interface interface type interface number Configure a mirroring port and the traffic direction to be monitored uni un...

Page 267: ...GigabitEthernet 2 0 3 z Configure local port mirroring in mirroring port mode to enable the server to monitor the bidirectional traffic of the marketing department and the technical department Figure 1 4 Network diagram for local port mirroring configuration Configuration procedure 1 Create a local mirroring group Create local mirroring group 1 DeviceA system view DeviceA mirroring group 1 local C...

Page 268: ...ects to the server through GigabitEthernet 2 0 2 and to the trunk port GigabitEthernet 2 0 2 of Device B through the trunk port GigabitEthernet 2 0 1 z Configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the marketing department Figure 1 5 Network diagram for Layer 2 remote port mirroring configuration Configuration procedure 1 Configure Device A th...

Page 269: ...Ethernet2 0 2 port trunk permit vlan 2 DeviceB GigabitEthernet2 0 2 quit 3 Configure Device C the destination device Configure GigabitEthernet 2 0 1 as a trunk port that permits the packets of VLAN 2 to pass through DeviceC system view DeviceC interface gigabitethernet 2 0 1 DeviceC GigabitEthernet2 0 1 port link type trunk DeviceC GigabitEthernet2 0 1 port trunk permit vlan 2 DeviceC GigabitEther...

Page 270: ...lated ports on the devices Configure IP addresses and subnet masks for related ports and the tunnel interfaces according to the configurations shown in Figure 1 6 2 Configure Device A the source device Create tunnel interface Tunnel 0 and configure an IP address and subnet mask for it DeviceA system view DeviceA interface tunnel 0 DeviceA Tunnel0 ip address 50 1 1 1 24 Configure Tunnel 0 to operat...

Page 271: ...DeviceA mirroring group 1 monitor port tunnel 0 3 Configure Device B the intermediate device Enable the OSPF protocol DeviceB system view DeviceB ospf 1 DeviceB ospf 1 area 0 DeviceB ospf 1 area 0 0 0 0 network 20 1 1 0 0 0 0 255 DeviceB ospf 1 area 0 0 0 0 network 30 1 1 0 0 0 0 255 DeviceB ospf 1 area 0 0 0 0 quit DeviceB ospf 1 quit 4 Configure Device C the destination device Create tunnel inte...

Page 272: ...as a mirroring port and GigabitEthernet 2 0 2 as the monitor port of local mirroring group 1 DeviceC mirroring group 1 mirroring port gigabitethernet 2 0 1 inbound DeviceC mirroring group 1 monitor port gigabitethernet 2 0 2 5 Verify the configurations After the above configurations are completed you can monitor all the packets received and sent by the marketing department on the server Local Port...

Page 273: ...U port view DeviceA interface Onu 3 0 1 1 Configure UNI 1 as the mirroring port for local port mirroring and specify to mirror traffic received on UNI 1 DeviceA Onu3 0 1 1 uni 1 mirroring port inbound Configure UNI 3 as the monitor port for local port mirroring DeviceA Onu3 0 1 1 uni 3 monitor port After the above configurations are completed you can monitor all the packets sent by Host A on the s...

Page 274: ...ring Overview Remote traffic mirroring combines traffic mirroring with remote port mirroring to use a remote mirroring group to mirror local packets matching the specified criteria to the specified destination port on a remote device Remote traffic mirroring is implemented as follows configure traffic mirroring on the local device to mirror packets matching certain criteria to an egress port confi...

Page 275: ... LPUs only support mirroring incoming packets Configuring Remote Traffic Mirroring To implement remote traffic mirroring perform the following configurations on the source device and destination device Configurations on the source device z Traffic mirroring configuration configure traffic mirroring on the source device to mirror packets matching certain criteria to the port connecting to the desti...

Page 276: ...amples Traffic Mirroring Configuration Example Network Requirements The user s network is as described below z Host A with the IP address 192 168 0 1 and Host B are connected to GigabitEthernet 2 0 1 of the switch z The data monitoring device is connected to GigabitEthernet 2 0 2 of the switch It is required to monitor and analyze packets sent by Host A on the data monitoring device Figure 2 1 Net...

Page 277: ...packets from Host A on the data monitoring device Remote Traffic Mirroring Configuration Example Network requirements As shown in Figure 2 2 the customer network is as described below z GigabitEthernet 2 0 2 of Switch A is connected to the 10 1 1 1 24 network segment z GigabitEthernet 2 0 2 of Switch C is connected to the data monitoring device z Switch B connects Switch A and Switch C as shown in...

Page 278: ...n2 quit Configure VLAN 2 as the remote probe VLAN GigabitEthernet 2 0 48 as the mirroring port and GigabitEthernet 2 0 1 as the egress port for the remote source mirroring group SwitchA mirroring group 1 remote probe vlan 2 SwitchA mirroring group 1 mirroring port GigabitEthernet 2 0 48 inbound SwitchA mirroring group 1 monitor egress GigabitEthernet 2 0 1 Configure GigabitEthernet 2 0 1 as a trun...

Page 279: ...stination Create VLAN 2 SwitchC vlan 2 SwitchC vlan2 quit Configure VLAN 2 as the remote probe VLAN and GigabitEthernet 2 0 2 as the monitor port for the remote destination mirroring group and configure GigabitEthernet 2 0 2 as an access port and assign it to VLAN 2 SwitchC mirroring group 1 remote probe vlan 2 SwitchC mirroring group 1 monitor port GigabitEthernet 2 0 2 SwitchC interface GigabitE...

Page 280: ... Parameters 2 3 Configuring Grant filtering on the OLT port 2 4 Configuring the Link Type of an OLT Port 2 5 Enabling Layer 2 Communication Between the ONUs Attached to an OLT Port 2 5 Configuring Fiber Backup 2 6 Displaying and Maintaining OLT Configuration 2 7 OLT Configuration Examples 2 8 OLT Port Isolation Configuration Example 2 8 Fiber Backup Configuration Example 2 9 3 ONU Remote Managemen...

Page 281: ...Configuration Example 3 23 4 UNI Port Configuration 4 1 UNI Port Configuration Task List 4 1 UNI Port Basic Configuration 4 1 Configuring the VLAN Operation Mode for a UNI 4 2 Configuring Fast Leave Processing for a UNI 4 5 Configuring Port Isolation for a UNI 4 5 Displaying and Maintaining UNI Port Configuration 4 6 5 Alarm Configuration 5 1 Introduction to Alarm 5 1 Sampling and Alarms 5 1 Alarm...

Page 282: ... On an S7900E switch installed with an EPON card and operating as an OLT device in this case the switch operates in independent mode if you enable IRF stacking on the switch the switch will reboot to operate in stack mode In this case the IRF stacking function can run normally on the switch and the OLT function fails Introduction to EPON System Ethernet Passive Optical Network EPON is a Passive Op...

Page 283: ...Ns provide optical signal transmission paths between OLTs and ONUs A POS can couple uplink data into a single piece of fiber and distribute downlink data to respective ONUs Benefits of the EPON Technology Lower operation and maintenance costs Compared with a traditional Ethernet broadband access network an EPON network greatly lowers the operation and maintenance costs This is because as passive e...

Page 284: ...es that are dense or need narrowband broadband integrated services FTTH In an FTTH system ONUs are deployed in user offices or homes to implement a fully transparent optical network with the ONUs independent of the transmission mode bandwidth wavelength and transmission technology Therefore FTTH is ideal for the long term development of optical access networks Data Transmission in an EPON System A...

Page 285: ...T sends a general GATE message to the same ONU 6 After receiving the REGISTER message and general GATE message the ONU sends a REGISTER_ACK message in the timeslot assigned in the GATE message to notify the OLT that the REGISTER message is parsed successfully 7 The ONU registration is complete Extended OAM Connection Establishment The EPON cards of the S7900E series Ethernet switches support the O...

Page 286: ... its local status information to the OLT 3 Upon receiving the REPORT message from the ONU the OLT based on the current bandwidth of the system assigns the ONU a data transmission timeslot which contains the start time and length for transmitting data by the ONU 4 The ONU receives the GATE message and waits for the arrival of the start time contained in the GATE message Once the start time is reach...

Page 287: ...he OLT receives no new key notification message thus making the key update more reliable Upon sending a key update request message the OLT starts the encryption response timer If the OLT receives a correct new key notification message from an ONU before the timer expires the OLT enables the new key and cancels the timer If the OLT receives no new key notification message before the timer expires t...

Page 288: ...s and each OLT port has 64 logical ports namely ONU ports each of which can correspond with an ONU Thus one EPON card can work as multiple OLT devices This reduces users equipment purchase costs and the management costs and fault ratio caused by interconnection between multiple device ports Powerful ONU remote management capabilities You can centrally manage and configure different services on ONU...

Page 289: ...ported by an S7900E switch is in the range 1 to 80 The actual numbers vary with ONU devices For example when the ONU device corresponding to ONU 3 0 1 1 in an EPON system is S3100 16C EPON EI the UNI port number is in the range 1 to 16 S7900E OLT Configuration Task List Figure 1 6 shows an EPON system networking diagram which assumes that only two ONUs are attached to one OLT port and each ONU is ...

Page 290: ...oduction Configuration procedure of UNI remote management through OLT Alarm Configuration Configurations of all the alarms in an EPON system Supported Switch Features and Restrictions Switch features supported by OLTs and ONUs related manuals and cautions ...

Page 291: ...th China s EPON standards OLT Configuration OLT Configuration Task List Complete the following tasks to configure an OLT Task Remarks Configuring OUI and extended OAM version number list Optional Configuring the maximum ONU OLT RTT Optional Configuring the timeout time of the extended OAM messages Optional EPON System Parameter Configuration Configuring the key update time and encryption reply tim...

Page 292: ...nds a REGISTER_REQ message to the OLT at T1 after a delay the time stamp of the REGISTER_REQ message is T1 3 The OLT receives the REGISTER_REQ message at T2 4 The OLT calculates the ONU RTT by using the formula RTT T2 T0 T1 T0 T2 T1 5 If the OLT becomes idle at T3 and remains idle for a period of T the timeslot assigned to the ONU is T3 RTT T That is the ONU will start sending data at T3 RTT and s...

Page 293: ...cified uplink ONU bandwidth range and notifies the results to the ONUs through bandwidth authorization GATE messages This ensures that uplink data sent by ONUs will not conflict with each other Compared with static fixed bandwidth allocation DBA is more suitable for bursty IP Ethernet services DBA reduces bandwidth wastes and allows for more efficient uplink bandwidth utilization With DBA adopted ...

Page 294: ...e 65535 while the default thresholds of other queues are 0 1 time quantum TQ is equal to 16 ns which is the time it takes to transmit two bytes of data at 1 Gbps You can manually load an external DBA algorithm file by using the dba algorithm update command as needed DBA related configuration is only recommended for administrators Improper DBA configuration may terminate all the services H3C ONU Re...

Page 295: ...red By default an OLT port belongs to only VLAN 1 and forwards packets of VLAN 1 tagged Configure the default VLAN of the OLT port port hybrid pvid vlan vlan id Optional VLAN 1 by default The VLAN s that you assign an OLT port to must already exist Enabling Layer 2 Communication Between the ONUs Attached to an OLT Port By default Layer 2 communication is disabled between the ONUs attached to an OL...

Page 296: ...EPON System Reliability Follow these steps to configure fiber backup To do Use the command Remarks Enter system view system view Enter FTTH view ftth Create a fiber backup group fiber backup group group number Required In fiber backup group view group member interface type interface number quit quit interface interface type interface number port fiber backup group group number quit ftth Add an OLT...

Page 297: ...ce number slot slot number Display the information about the legal ONU with the specified MAC address display onuinfo mac address mac address Display the information about all the silent ONUs connected to the specified OLT port or to the EPON card seated in the specified slot display onuinfo silent interface interface type interface number slot slot number Display the optical parameter information...

Page 298: ... check whether an ONU is online Port statistics data includes average error rate of data bits and data frames transmitted between an OLT and the ONUs For detailed information refer to the command manual OLT Configuration Examples OLT Port Isolation Configuration Example Network requirements An OLT device is connected to the Internet through the uplink port Configure port isolation between OLT 3 0 ...

Page 299: ...equirements Add two OLT ports of the same EPON board to a fiber backup group one after the other Perform a manual switchover between the two OLT ports When the master port is shut down the slave port becomes the new master port Network diagram Figure 2 2 Network diagram for fiber backup group configuration OLT3 0 1 OLT3 0 2 OLT POS ONU2 ONU1 ONUn 2 N Configuration procedure Create fiber backup gro...

Page 300: ...fiber group1 port switch over Sysname fiber group1 display fiber backup group 1 fiber backup group 1 information Member Role State Olt3 0 2 MASTER ACTIVE Olt3 0 1 SLAVE READY Shut down OLT 3 0 2 You can see that OLT 3 0 1 becomes the new master port Sysname fiber group1 quit Sysname interface olt3 0 2 Sysname Olt3 0 2 shutdown Sysname Olt3 0 2 display fiber backup group 1 fiber backup group 1 info...

Page 301: ... EC series ONUs For details see H3C EC1001 Video Encoder User Manual Support for OLT remote management commands varies with ONUs For details see the sections describing the supported configuration functions in ONU device user manuals The following table lists the ONU remote management functions supported by an S7900E switch working as an OLT device ONU Configuration Task List Complete the followin...

Page 302: ...Binding an ONU with an ONU Port An OLT supports ONU authentication based on ONU MAC address and denies illegal ONU access to the system ONU authentication can be implemented by binding the ONU to an ONU port During the ONU registration The OLT broadcasts a discovery GATE message After receiving the discovery GATE message an unregistered ONU sends a REGISTER_REQ message whose source MAC address is ...

Page 303: ... batch ONU binding configured the device automatically binds the current quiet ONU MAC addresses to the ONU ports and generate the binding configuration on the ONU ports however the ONUs joining subsequently will not be bound This binding method is applicable to a initially set up network environment where all ONUs are valid This method can save a great deal of binding operations You must use the ...

Page 304: ...the configuration of binding the specified ONU to the specified ONU port However batch ONU binding conflicts with automatic ONU binding Configuring the Management VLAN of the ONU To manage an ONU through Telnet make sure the ONU is assigned an IP address Only the VLAN interface corresponding to the management VLAN can be assigned an IP address You can designate the management VLAN through the comm...

Page 305: ... based on different terminal service requirements to realize efficient bandwidth utilization Follow these steps to configure the ONU bandwidth allocation and related parameters To do Use the command Remarks Enter system view system view Enter ONU port view interface onu interface number Enable the ONU downlink bandwidth allocation policy and prioritize high priority packets bandwidth downstream po...

Page 306: ...oping Option82 enabled on an ONU For DHCP request messages with Option82 fields the ONU replaces the Option82 fields with the local one before broadcasting the DHCP request messages For DHCP request messages without Option82 fields the ONU adds the Option82 field which contains ONU MAC addresses number of the UNI connected to the DHCP client and the VLAN to which the UNI belongs into the request m...

Page 307: ...ur on the network STP runs normally only when all attached ONUs are H3C ONUs Configuring the Multicast Mode of the ONU Prerequisites for multicast mode configuration Through extended OAM an OLT can be used to remotely configure the multicast mode of an ONU as either IGMP snooping mode or multicast control mode The configuration of a multicast IP address to multicast VLAN correspondence is used to ...

Page 308: ...mer expiry Router port aging timer Aging time of a router port IGMP general query message PIM message Dvmrp Probe message Considers the port not a router port Aging timer for multicast group member port Aging time of the multicast group member port IGMP host report message Sends an IGMP group specific query message to the multicast member port Query response timer Maximum response to query time IG...

Page 309: ... Configure the query response timer onu protocol igmp snooping max response time seconds Optional By default the maximum response time of group specific queries is 1 second Configure the aging timer of the multicast member port onu protocol igmp snooping host aging time seconds Optional 260 seconds by default Enable IGMP membership report suppression onu protocol igmp snooping report aggregation e...

Page 310: ... to the OLT Then the ONU adds or deletes the group address filtering and multicast forwarding entries on the ONU based on the multicast control OAM packets containing a series of multicast control entries delivered by the OLT and forwards or shuts off the multicast traffic accordingly Follow these steps to configure multicast in multicast control mode To do Use the command Remarks Enter system vie...

Page 311: ...r to Setting the link type of an ONU port to access and Setting the link type of an ONU port to trunk Note that The access ports described in Table 3 2 do not include ports in the default state namely the access ports in VLAN 1 The link type of the ONU ports under the same OLT port must be the same access or trunk Thus when an ONU port under an OLT port is configured as an access port in a VLAN ot...

Page 312: ... type of an ONU port under an OLT port is configured as access the OLT port must be configured as a hybrid port and be assigned to the specified VLANs with the port hybrid vlan vlan id list tagged command where the VLANs specified by vlan id list can only be the VLANs of the ONU ports under the OLT port Setting the link type of an ONU port to trunk Follow these steps to set the link type of an ONU...

Page 313: ...ation to the OLT Note that Because a large number of ONUs are attached to an OLT enabling ONUs to report information to the OLT may generate a large amount of traffic and thus cause congestion Therefore you are recommended to select the reported information type as required Follow these steps to configure an ONU to report information to the OLT To do Use the command Remarks Enter system view syste...

Page 314: ...nktest frame number value frame size value delay on off vlan tag on vlan priority value vlan id value off Required The following lists the default values of the link test parameters Number of test frames 20 Frame size 1000 bytes VLAN tag not carried in testing frames Delay testing state Off The link connectivity between an ONU and the OLT can be tested only when the ONU is online Testing the Cable...

Page 315: ... ONU software versions remotely through OLTs Updating ONU devices requires a large amount of work because in an EPON system there are different types of ONU devices which use different update files To improve the ONU update efficiency and reduce resources consumed by issuing commands to each ONU the S7900E switches support batch updating of ONUs by type and OLT port besides updating of a single ON...

Page 316: ...n the original slave SRPU after the switchover otherwise the update will fail Update files used vary with ONUs If ONUs and update files do not match the update will fail For example if you specify to update ET704 A ONUs in OLT port view updating other types of ONUs attached to the OLT port will fail After the update command is issued the OLT will wait 15 to 20 seconds before executing the command ...

Page 317: ...file as 2 app in ONU 3 0 1 1 port view 2 app will be used to update the ONU If you cancel the port level configuration the update by type configuration is not executed until the ONU is registered successfully next time and the corresponding port is brought up An OLT can update up to 64 types of ONUs at the same time that is you can specify update files for up to 64 types of ONUs with the update on...

Page 318: ...fic information Display the IP address allocation information when the ONU serves as a DHCP client display dhcp client Display the information about the protocols supported by the ONU display onu protocol stp igmp snooping dhcp snooping information Display multicast control information display epon multicast information Available in ONU port view To display the information of an ONU make sure the ...

Page 319: ...ace onu 3 0 1 1 Sysname Onu3 0 1 1 bind onuid 000f e200 0031 Sysname Onu3 0 1 1 quit Sysname interface onu 3 0 1 2 Sysname Onu3 0 1 2 bind onuid 000f e200 3749 When the two ONUs are up display the binding information of the ONUs Sysname display onuinfo interface Olt 3 0 1 ONU Mac Address LLID Dist M Port Board Ver Sft Epm State Aging 000f e200 0031 1 50 Onu3 0 1 1 ET704 A L B 110 100 Up N A 000f e...

Page 320: ... the switch with a multicast source and connect port OLT 3 0 1 of the OLT with an ONU which is bound to ONU 3 0 1 1 through an optical splitter Attach two hosts User 1 and User 2 to ports UNI 1 and UNI 2 respectively It is required that User 1 has access to channels from 225 1 2 1 to 225 1 2 255 and User 2 has access to channels from 225 1 3 1 to 225 1 3 255 Network diagram Figure 3 3 Network diag...

Page 321: ...link multicast packets Sysname Onu3 0 1 1 uni 1 multicast strip tag enable Sysname Onu3 0 1 1 uni 2 multicast strip tag enable Sysname Onu3 0 1 1 quit Configure the link type of OLT 3 0 1 as hybrid allow the packets of VLAN 1002 and VLAN 1003 to pass through OLT 3 0 1 and add tags to the VLAN 1002 and VLAN 1003 packets sent by OLT 3 0 1 Sysname interface olt 3 0 1 Sysname Olt3 0 1 port link type h...

Page 322: ...name igmp snooping quit Enable IGMP snooping in VLAN 1002 and VLAN 1003 Sysname vlan 1002 Sysname vlan1002 igmp snooping enable Sysname vlan1002 vlan 1003 Sysname vlan1003 igmp snooping enable Sysname vlan1003 quit Configure the multicast mode of the ONU as the multicast control mode Sysname Onu3 0 1 1 multicast mode multicast control Configure UNI 1 to allow the user attached to it to access Chan...

Page 323: ...onfigure Ethernet 2 0 1 as a Trunk port and permit the packets of VLAN 1002 and VLAN 1003 to pass through the port Sysname interface Ethernet2 0 1 Sysname Ethernet2 0 1 port link type trunk Sysname Ethernet2 0 1 port trunk permit vlan 1002 1003 ONU Update Configuration Example Network requirements An S7900E switch at the city TV broadcasting central office CO has 12 OLT ports connected to 150 type...

Page 324: ...re see the parts discussing software maintenance in 3Com S7900E Family Getting Started Guide Update all the attached type A ONUs to version 109 in OLT 3 0 1 port view Sysname interface olt 3 0 1 Sysname Olt3 0 1 update onu filename a109 app Update flash a109 app Y N y Info Download file to onu may take a long time please wait Please wait while the firmware is being burnt and check the software ver...

Page 325: ...e wait Please wait while the firmware is being burnt and check the software version after re registration Sysname Onu3 0 1 1 quit Update all the type A ONUs attached to the S7900E switch to version 110 Sysname system view Sysname ftth Sysname ftth update onu onu type a filename a110 app ...

Page 326: ... duplex mode it can either send or receive packets at a time When a UNI works in auto negotiation mode the duplex mode of the UNI is determined through negotiation by both ends Flow control for UNIs If the flow control function is enabled for both the UNIs and the remote device the ONU will send messages to notify the remote device to stop sending packets temporarily when congestion occurs on the ...

Page 327: ...UNI port uni uni number speed 10 100 auto Optional By default the UNI port rate is 100Mbps Enable auto negotiation for a UNI port uni uni number auto negotiation Optional By default auto negotiation is enabled on a UNI port Force a UNI port to restart auto negotiation uni uni number restart auto negotiation Optional This command takes effect only when auto negotiation is enabled on the UNI port Wh...

Page 328: ...VLAN tag added by the user The user s VID may not be for the user only as some other users in the same EPON system may also use the same VID into a unique network side VLAN tag Table 4 2 describes the packet processing by an ONU in translation mode Table 4 2 Packet processing in the three VLAN operation modes VLAN operation mode Direction With or without VLAN tag Packet processing With VLAN tag Up...

Page 329: ... ID in the tag is the default VLAN ID of the port the packet is untagged and then forwarded If the VLAN ID in the tag does not match any VLAN translation entry on the port the packet is dropped Translation mode Downlink Without VLAN tag The packet is dropped Follow these steps to configure the VLAN operation mode for a UNI To do Use the command Remarks Enter system view system view Enter ONU port ...

Page 330: ...s in IGMP Snooping mode For related configurations refer to Configuring the Multicast Mode of the ONU The fast leave processing feature is effective for IGMPv2 or IGMPv3 clients only If fast leave processing is enabled for a port to which more than one host is attached when one host leaves a multicast group the other hosts attached to the port and listening to the same multicast group will fail to...

Page 331: ...nfiguration To do Use the command Remarks Display the information about the current status of a UNI display uni information uni number Available in ONU port view Clear the packet statistics information for a UNI reset counters uni uni number Available in ONU port view The above commands take effect on H3C ONUs only The above commands work only when the ONU is online ...

Page 332: ...es effect on the current OLT port and all the ONUs attached to the OLT port When an alarm configuration command is executed in ONU port view the command takes effect only on the ONU corresponding to the current ONU port Alarm Configuration Task List Complete the following tasks to configure alarms Task Remarks Enabling Alarm Monitoring Optional Configuring Global Alarms Optional Configuring Alarms...

Page 333: ...a signal error Data Access DA error or memory allocation failure occurs By default this function is enabled Enable the bit error rate alarm function alarm bit error rate enable Optional When the total number of error bits or bit error rate of the data transferred between the OLT and ONUs exceeds the alarm threshold a bit error rate alarm occurs By default this function is enabled Configure the mon...

Page 334: ...n alarm llid mismatch enable Optional The system generates an LLID mismatch frame alarm when the time slots are used in disorder that is an ONU uses another ONU s time slot to forward data By default this function is disabled Configure the threshold for LLID mismatch frame alarms alarm llid mismatch threshold threshold Optional By default the threshold of LLID mismatch alarms is 5000 frames Enable...

Page 335: ...larms are generated immediately Since alarm events are carried in the OAM packets a lot of OAM packets are generated In this case OAM packets may be lost By default the window size is 1 second and the alarm threshold is 20 frames Enable the error frame alarm function alarm oam error frame enable Optional The system generates an error frame alarm when the number of error frames in a specific time p...

Page 336: ...error frames in a specific period that is the window size exceeds the corresponding predefined threshold By default this function is enabled Configure the window size and thresholds for error symbol period alarms alarm oam error symbol period window high windowhigh window low windowlow threshold high thresholdhigh threshold low thresholdlow Optional When both the upper limit and the lower limit of...

Page 337: ...AM vendor specific alarm function alarm oam vendor specific enable Optional This alarm is customized by vendors By default this function is enabled Enable the ONU over limitation alarm function alarm onu over limitation enable Optional The system generates an ONU over limitation alarm when the total number of ONUs connected with the OLT exceeds the limit By default this function is enabled Configu...

Page 338: ...or rate alarm function alarm frame error rate enable Optional When the total number of error frames or the error frame rate of the data transferred between the OLT and ONUs exceeds the alarm threshold a frame error rate alarm occurs By default this function is enabled Configure the monitor direction and threshold for frame error rate alarms alarm frame error rate direction uplink downlink up down ...

Page 339: ...am dying gasp enable Optional The system generates a dying gasp alarm when a system error a data loading error or any other nonreversible error occurs Enable the error frame period alarm function alarm oam error frame period enable Optional The system generates an error frame period alarm when the number of error frames in a specific period that is the window size exceeds the corresponding predefi...

Page 340: ...e error frame seconds summary alarm function alarm oam error frame seconds summa ry enable Optional The system generates an error frame seconds summary alarm when the number of error frame seconds in an error frame second at least one error frame occurs in a specific time period for example 1 minute exceeds the corresponding predefined threshold By default this function is enabled Configure the wi...

Page 341: ...ction alarm oam local link fault enable Optional The system generates a local link fault alarm when the inbound direction of the local data terminal becomes faulty Enable the registration error alarm function alarm registration error enable Optional The system generates a registration error alarm when an error occurs during the registration of an ONU By default this function is enabled Enable the ...

Page 342: ...ames in a specific period that is the window size exceeds the corresponding predefined threshold By default this function is enabled Enable the error frame period alarm function alarm oam error frame period enable Optional The system generates an error frame period alarm when the number of error frames in a specific period that is the window size exceeds the corresponding predefined threshold By d...

Page 343: ...the error frame seconds summary alarm function alarm oam error frame seconds summa ry enable Optional The system generates an error frame seconds summary alarm when the number of error frame seconds in an error frame second at least one error frame occurs in a specific time period for example 1 minute exceeds the corresponding predefined threshold By default this function is enabled Configure the ...

Page 344: ...nfigured and the views in which alarm configurations are displayed For details about the display trapbuffer command see the part discussing information center in the command manual Table 5 1 Relations between the alarm command configuration views and alarm configuration display views Alarm command configuration view Alarm configuration display view Remarks FTTH view OLT port view ONU port view ONU...

Page 345: ...figuration view Alarm configuration display view Remarks FTTH view FTTH view For an alarm configuration command available in FTTH view only you can use the display this command in FTTH view to display the alarm configuration ...

Page 346: ...rt Port related configuration Port link type Setting the link type of an OLT port to Hybrid Allowing the packets of the specified VLAN s to pass through the current Hybrid port Setting the default VLAN ID for the Hybrid port VLAN configuration Port isolation Configuring OLT port isolation Port related configuration Port trap Configuring OLT port trap SNMP RMON configuration IGMP Snooping Configuri...

Page 347: ...onfiguring the maximum number of 802 1X users on an OLT port Configuring 802 1X port access control mode Configuring detection and access control of the users logging in through a proxy Enabling 802 1X multicast trigger function Displaying 802 1X related configuration information Clearing 802 1X related statistics information 802 1X configuration MAC authentication Enabling MAC authentication on t...

Page 348: ...rroring can be configured in port view of ONU 3 0 1 1 This configuration however will not take effect if the ONUs attached to ONU 3 0 1 1 do not support port mirroring Table 6 2 ONU port features Feature Remarks Reference Basic parameters Configuring an ONU port description string Enabling disabling an ONU port Configuring port up down state suppression timers Displaying and clearing port statisti...

Page 349: ...ulticast groups that can be joined on a port Configuring IPv4 multicast group filtering Configuring a port as a simulated host to join a multicast group Configuring IPv4 multicast group replacement Configuring static router member ports Multicast Protocols MLD Snooping Enabling fast leaving processing Configuring the maximum number of IPv6 multicast groups that can be joined on a port Configuring ...

Page 350: ...mum number of 802 1X users on an ONU port Configuring 802 1X port access control modes Configuring detection and access control of the users logging in through a proxy Enabling 802 1X multicast trigger function Displaying 802 1X related configuration information Clearing 802 1X related statistics information 802 1X configuration Table 6 3 Restrictions Feature Restrictions Loopback test In an ONU r...

Page 351: ... on an ONU port supports a maximum of 30 ACL rules in the case of single direction configuration and a maximum of 16 ACL rules for each direction when configured for both uplink and downlink directions VLAN ID based packet filtering on an ONU port supports a maximum of 6 ACL rules for the uplink direction and a maximum 8 ACL rules for the downlink direction Source destination IP address based pack...

Page 352: ...uring TCP Attributes z Configuring ICMP to Send Error Packets ARP Address Resolution Protocol ARP is used to resolve an IP address into a data link layer address This document describes z ARP Overview z Configuring ARP z Configuring Gratuitous ARP z Proxy ARP configuration DHCP DHCP is built on a client server model in which the client sends a configuration request and then the server returns a re...

Page 353: ...nd transfer them over the network This document describes z Configuring an IPv6 Manual Tunnel z Configuring a 6to4 Tunnel z Configuring an ISATAP Tunnel z Configuring an IPv4 over IPv4 Tunnel z Configuring an IPv4 over IPv6 Tunnel z Configuring an IPv6 over IPv6 Tunnel z Configuring a GRE over IPv4 Tunnel z Configuring a GRE over IPv6 Tunnel UDP Helper UDP Helper functions as a relay agent that co...

Page 354: ... Addressing Overview 1 1 IP Address Classes 1 1 Special IP Addresses 1 2 Subnetting and Masking 1 2 Configuring IP Addresses 1 3 Assigning an IP Address to an Interface 1 3 IP Addressing Configuration Example 1 4 Displaying and Maintaining IP Addressing 1 5 ...

Page 355: ...example is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z Net ID The first several bits of the IP address defining a network also known as class bits z Host id Identifies a host o...

Page 356: ...tes the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For example a packet with the destination address of 192 168 1 255 will be broadcasted to all the hosts on the network 192 168 1 0 Subnetting and Masking Subnetting was developed to address the risk of IP addr...

Page 357: ...P address to an interface you may configure the interface to obtain one through DHCP address negotiation as alternatives If you change the way an interface obtains an IP address from manual assignment to DHCP for example the IP address obtained from DHCP will overwrite the old one manually assigned This chapter only covers how to assign an IP address manually For how to obtain an IP address throug...

Page 358: ...he switch and the hosts on the LAN can communicate with each other do the following z Assign two IP addresses to VLAN interface 1 on the switch z Set the switch as the gateway on all PCs in the two networks Figure 1 3 Network diagram for IP addressing configuration Configuration procedure Assign a primary IP address and a secondary IP address to VLAN interface 1 Switch system view Switch interface...

Page 359: ...55 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 4 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 5 ttl 255 time 26 ms 172 16 2 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 25 25 26 ms The output informati...

Page 360: ...y Connected Network 1 1 Enabling Reception of Directed Broadcasts to a Directly Connected Network 1 1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1 2 Configuration Example 1 2 Configuring TCP Attributes 1 3 Configuring TCP Optional Parameters 1 3 Configuring ICMP to Send Error Packets 1 4 Displaying and Maintaining IP Performance Optimization 1 5 ...

Page 361: ...ieve best network performance IP performance optimization configuration includes z Enabling the device to receive and forward directed broadcasts z Configuring TCP timers z Configuring the TCP buffer size z Enabling ICMP error packets sending Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network Directed broadcast packets are broadcast on a specific network In th...

Page 362: ...ted by the S7900E series Ethernet switches By default the devices allow forwarding of directed broadcasts to a directly connected network Configuration Example Network requirements As shown in Figure 1 1 the host s interface and VLAN interface 3 of Switch A are on the same network segment 1 1 1 0 24 VLAN interface 2 of Switch A and VLAN interface 2 of Switch B are on another network segment 2 2 2 ...

Page 363: ... TCP optional parameters that can be configured include z synwait timer When sending a SYN packet TCP starts the synwait timer If no response packet is received within the synwait timer interval the TCP connection cannot be created z finwait timer When a TCP connection is changed into FIN_WAIT_2 state the finwait timer is started If no FIN packets is received within the timer interval the TCP conn...

Page 364: ... route option in the packet ICMP redirect packets function simplifies host administration and enables a host to gradually establish a sound routing table to find out the best route 2 Sending ICMP timeout packets If the device received an IP packet with a timeout error it drops the packet and sends an ICMP timeout packet to the source The device will send an ICMP timeout packet under the following ...

Page 365: ... send ICMP error packets its performance will be reduced z As the redirection function increases the routing table size of a host the host s performance will be reduced if its routing table becomes very large z If a host sends malicious ICMP destination unreachable packets end users may be affected To prevent such problems you can disable the device from sending ICMP error packets Follow these ste...

Page 366: ...Available in any view Display socket information for distributed IRF devices display ip socket socktype sock type task id socket id chassis chassis number slot slot number Available in any view Display FIB information display fib vpn instance vpn instance name begin include exclude regular expression acl acl number ip prefix ip prefix name Available in any view Display FIB information matching the...

Page 367: ...ural Network 1 5 ARP Configuration Example 1 6 Configuring Gratuitous ARP 1 7 Introduction to Gratuitous ARP 1 7 Configuring Gratuitous ARP 1 7 Displaying and Maintaining ARP 1 8 2 Proxy ARP Configuration 2 1 Proxy ARP Overview 2 1 Proxy ARP 2 1 Local Proxy ARP 2 2 Enabling Proxy ARP 2 2 Displaying and Maintaining Proxy ARP 2 3 Proxy ARP Configuration Examples 2 3 Proxy ARP Configuration Example 2...

Page 368: ...tributed IRF device If an S7900E series is not in any IRF it operates as a distributed device if the S7900E series is in an IRF it operates as a distributed IRF device For introduction of IRF refer to IRF Configuration in the System Volume ARP Function The Address Resolution Protocol ARP is used to resolve an IP address into a physical address Ethernet MAC address for example In an Ethernet LAN wh...

Page 369: ... device the message is being sent to ARP Operation Suppose that Host A and Host B are on the same subnet and Host A sends a packet to Host B as shown in Figure 1 2 The resolution process is as follows 1 Host A looks into its ARP table to see whether there is an ARP entry for Host B If yes Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends t...

Page 370: ...nterface goes down the corresponding dynamic ARP entry will be removed Static ARP entry A static ARP entry is manually configured and maintained It cannot get aged or be overwritten by a dynamic ARP entry Using static ARP entries enhances communication security After a static ARP entry is specified only a specific MAC address is associated with the specified IP address Attack packets cannot modify...

Page 371: ...c ip address mac address vlan id interface type interface number vpn instance vpn instance name Required No permanent static ARP entry is configured by default Configure a non permanent static ARP entry arp static ip address mac address vpn instance vpn instance name Required No non permanent static ARP entry is configured by default z The vlan id argument must be the ID of an existing VLAN which ...

Page 372: ... cannot learn any ARP entry with a multicast MAC address and configuring such a static ARP entry is not allowed otherwise the system displays error messages After the ARP entry check is disabled the device can learn the ARP entry with a multicast MAC address and you can also configure such a static ARP entry on the device Follow these steps to enable the ARP entry check To do Use the command Remar...

Page 373: ...ected to Switch which is connected to Router through interface GigabitEthernet2 0 1 belonging to VLAN 10 The IP address of Router is 192 168 1 1 24 The MAC address of Router is 00e0 fc01 0000 To enhance communication security for Router and Switch static ARP entries are configured on Switch Figure 1 3 Network diagram for configuring static ARP entries Configuration procedure Configure Switch Creat...

Page 374: ...f the IP address is already used the device issuing the gratuitous ARP packet will be informed by an ARP reply of the conflict z Informing other devices about the change of its MAC address so that they can update their ARP entries Enabling Learning of Gratuitous ARP Packets With this feature enabled a device receiving a gratuitous ARP packet adds the sender IP and MAC addresses carried in the pack...

Page 375: ... view Display the ARP entry for a specified IP address for distributed IRF devices display arp ip address chassis chassis number slot slot number verbose begin exclude include regular expression Available in any view Display the ARP entries for a specified VPN instance display arp vpn instance vpn instance name begin exclude include regular expression count Available in any view Display the aging ...

Page 376: ...etwork Proxy ARP involves common proxy ARP and local proxy ARP which are described in the following sections The term proxy ARP in the following sections of this chapter refers to common proxy ARP unless otherwise specified Proxy ARP A proxy ARP enabled device allows hosts that reside on different subnets to communicate As shown in Figure 2 1 Router connects to two subnets through Vlan interface1 ...

Page 377: ...2 0 1 Enable local proxy ARP on Switch A to allow Layer 3 communication between the two hosts Figure 2 2 Application environment of local proxy ARP In one of the following cases you need to enable local proxy ARP z Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3 z If a super VLAN is configured hosts in different sub VLANs of the super VLAN need ...

Page 378: ...led display local proxy arp interface interface type interface number Available in any view Proxy ARP Configuration Examples Proxy ARP Configuration Example Network requirements As shown in Figure 2 3 Host A and Host D have the same IP prefix and mask IP addresses of Host A and Host D are 192 168 10 100 16 and 192 168 20 200 16 respectively but they are located on different subnets separated throu...

Page 379: ...ing preceding configurations use the ping command to verify the connectivity between Host A and Host D Local Proxy ARP Configuration Example in Case of Port Isolation Network requirements As shown in Figure 2 4 Host A and Host B belong to the same VLAN and connect to Switch B via GigabitEthernet2 0 1 and GigabitEthernet2 0 3 respectively Switch B connects to Switch A via GigabitEthernet2 0 2 Confi...

Page 380: ...SwitchB gigabitethernet2 0 1 port isolate enable SwitchB gigabitethernet2 0 1 interface gigabitethernet 2 0 3 SwitchB gigabitethernet2 0 3 port isolate enable SwitchB gigabitethernet2 0 3 quit 2 Configure Switch A Create VLAN 2 and add gigabitethernet2 0 2 to VLAN 2 SwitchA system view SwitchA vlan 2 SwitchA vlan2 port gigabitethernet 2 0 2 SwitchA vlan2 interface vlan interface 2 SwitchA Vlan int...

Page 381: ...ch Vlan interface10 ip address 192 168 10 100 255 255 0 0 Switch Vlan interface10 quit The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2 and Layer 3 Configure the local proxy ARP to implement Layer 3 communication between sub VLANs Switch system view Switch interface vlan interface 10 Switch Vlan interface10 local proxy arp enable The ping operation from...

Page 382: ...tem view SwitchB vlan 2 SwitchB vlan2 port GigabitEthernet2 03 SwitchB vlan2 quit SwitchB vlan 3 SwitchB vlan3 port GigabitEthernet2 01 SwitchB vlan3 quit SwitchB vlan 5 SwitchB vlan5 port GigabitEthernet2 02 SwitchB vlan5 isolate user vlan enable SwitchB vlan5 quit SwitchB isolate user vlan 5 secondary 2 3 2 Configure Switch A Create VLAN 5 and add GigabitEthernet2 0 2 to it SwtichA system view S...

Page 383: ...2 8 SwtichA Vlan interface5 local proxy arp enable The ping operation from Host A to Host B is successful after the configuration ...

Page 384: ...onfiguring a Domain Name Suffix for the Client 2 8 Configuring DNS Servers for the Client 2 8 Configuring WINS Servers and NetBIOS Node Type for the Client 2 8 Configuring the BIMS Server Information for the Client 2 9 Configuring Gateways for the Client 2 9 Configuring Option 184 Parameters for the Client with Voice Service 2 10 Configuring the TFTP Server and Bootfile Name for the Client 2 10 Co...

Page 385: ...HCP Relay Agent Configuration Examples 3 9 DHCP Relay Agent Configuration Example 3 9 DHCP Relay Agent Option 82 Support Configuration Example 3 10 Troubleshooting DHCP Relay Agent Configuration 3 11 4 DHCP Client Configuration 4 1 Introduction to DHCP Client 4 1 Enabling the DHCP Client on an Interface 4 1 Displaying and Maintaining the DHCP Client 4 2 DHCP Client Configuration Example 4 2 5 DHCP...

Page 386: ...on hosts become more complex The Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which a client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client A typical DHCP application as shown in Figure 1 1 includes a DHCP server and multiple clients P...

Page 387: ...P server via four steps 2 The client broadcasts a DHCP DISCOVER message to locate a DHCP server 3 A DHCP server offers configuration parameters including an IP address to the client in a DHCP OFFER message The sending mode of the DHCP OFFER message is determined by the flag field in the DHCP DISCOVER message Refer to DHCP Message Format for related information 4 If several DHCP servers send offers...

Page 388: ...cast to extend the lease duration Upon availability of the IP address the DHCP server returns a DHCP ACK unicast confirming that the client s lease duration has been extended or a DHCP NAK unicast denying the request If the client receives no reply it broadcasts another DHCP REQUEST message for lease extension after 7 8 lease duration elapses The DHCP server handles the request as above mentioned ...

Page 389: ...ormat as the Bootstrap Protocol BOOTP message for compatibility but differs from it in the option field which identifies new features for DHCP DHCP uses the option field in DHCP messages to carry control information and network configuration parameters implementing dynamic address allocation and providing more network configuration information for clients Figure 1 4 shows the DHCP option format Fi...

Page 390: ...iguration Server ACS parameters including the ACS URL username and password z Service provider identifier acquired by the customer premises equipment CPE from the DHCP server and sent to the ACS for selecting vender specific configurations and parameters z Preboot Execution Environment PXE server address for further obtaining the bootfile or other control information from the PXE server 1 Format o...

Page 391: ...ate the DHCP client to further implement security control and accounting The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients Option 82 involves at most 255 sub options At least one sub option is defined Currently the DHCP relay agent supports two sub options sub option 1 Circuit ID and sub option ...

Page 392: ... interface that received the client s request Its format is shown in Figure 1 10 Figure 1 10 Sub option 1 in verbose padding format In Figure 1 10 except that the VLAN ID field has a fixed length of 2 bytes all the other padding contents of sub option 1 are length variable z Sub option 2 Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device th...

Page 393: ...or not z Sub option 4 Failover route that specifies the destination IP address and the called number SIP users use such IP addresses and numbers to communicate with each other that a SIP user uses to reach another SIP user when both the primary and backup calling processors are unreachable You must define the sub option 1 to make other sub options effective Protocols and Standards z RFC 2131 Dynam...

Page 394: ...orted on loopback interfaces Introduction to DHCP Server Application Environment The DHCP server is well suited to the network where z It is hard to implement manual configuration and centralized management z The hosts are more than the assignable IP addresses and it is impossible to assign a fixed IP address to each host For example an ISP limits the number of hosts accessing the Internet at a ti...

Page 395: ...level child has no such configuration or z Overridden if the lower level child has such configuration z The extended address pool database is not organized as a tree z The IP address lease does not enjoy the inheritance attribute Principles for selecting an address pool The DHCP server observes the following principles to select an address pool when assigning an IP address to a client 1 If the rec...

Page 396: ...nterface of the DHCP server or DHCP relay agent resides to avoid wrong IP address allocation IP Address Allocation Sequence A DHCP server assigns an IP address to a client according to the following sequence 1 The first assignable IP address found in the extended address pool referenced on the receiving interface 2 The IP address manually bound to the client s MAC address or ID 3 The IP address th...

Page 397: ...ng Dynamic Address Allocation for an Extended Address Pool Required for the extended address pool configuration Configuring a Domain Name Suffix for the Client Configuring DNS Servers for the Client Configuring WINS Servers and NetBIOS Node Type for the Client Configuring the BIMS Server Information for the Client Configuring Gateways for the Client Configuring Option 184 Parameters for the Client...

Page 398: ...lient s MAC or ID to IP address in the DHCP address pool When the client with the MAC address or ID requests an IP address the DHCP server will find the IP address from the binding for the client A DHCP address pool now supports only one static binding which can be a MAC to IP or ID to IP binding Follow these steps to configure a static binding in a common address pool To do Use the command Remark...

Page 399: ...ces on a DHCP client share the same MAC address you need to specify the client ID rather than MAC address in a static binding to identify the requesting interface otherwise the client may fail to obtain an IP address Configuring dynamic address allocation You need to specify one and only one address range using a mask for the dynamic address allocation To avoid address conflicts the DHCP server ex...

Page 400: ...ask are specified the address pool becomes valid Follow these steps to configure dynamic address allocation for an extended address pool To do Use the command Remarks Enter system view system view Enter extended address pool view dhcp server ip pool pool name extended Specify the IP address range network ip range min address max address Required Not specified by default Specify the IP address mask...

Page 401: ... do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name extended Specify DNS servers dns list ip address 1 8 Required Not specified by default Configuring WINS Servers and NetBIOS Node Type for the Client A Microsoft DHCP client using NetBIOS protocol contacts a Windows Internet Naming Service WINS server for name resolution Therefore th...

Page 402: ...onfiguration files obtained from a branch intelligent management system BIMS server Therefore the DHCP server needs to offer DHCP clients the BIMS server IP address port number shared key from the DHCP address pool Follow these steps to configure the BIMS server IP address port number and shared key in the DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP add...

Page 403: ...e config ncp ip ip address Required Not specified by default Specify the IP address of the backup network calling processor voice config as ip ip address Optional Not specified by default Configure the voice VLAN voice config voice vlan vlan id disable enable Optional Not configured by default Specify the failover IP address and dialer string voice config fail over ip address dialer string Optiona...

Page 404: ...ss Specify the name of the TFTP server tftp server domain name domain name Required to use either command Not specified by default Specify the bootfile name bootfile name bootfile name Required Not specified by default Configuring Self Defined DHCP Options By configuring self defined DHCP options you can z Define new DHCP options New configuration options will come out with DHCP development To sup...

Page 405: ...on may affect DHCP operation Enabling DHCP Enable DHCP before performing other configurations Follow these steps to enable DHCP To do Use the command Remarks Enter system view system view Enable DHCP dhcp enable Required Disabled by default Enabling the DHCP Server on an Interface With the DHCP server enabled on an interface upon receiving a client s request the DHCP server will assign an IP addre...

Page 406: ...he server interface connected to the client Applying an Extended Address Pool on an Interface After you create an extended address pool and apply it on an interface the DHCP server upon receiving a client s request on the interface will assign an IP address from this address pool to the client If no IP address is available in this address pool address allocation fails and the DHCP server will not ...

Page 407: ...detection enabled the device puts a record once for each DHCP server The administrator needs to find unauthorized DHCP servers from the log information Configuring IP Address Conflict Detection To avoid IP address conflicts the DHCP server checks whether the address to be assigned is in use by sending ping packets The DHCP server pings the IP address to be assigned using ICMP If the server gets a ...

Page 408: ...uring the handling mode for Option 82 Follow these steps to enable the DHCP server to handle Option 82 To do Use the command Remarks Enter system view system view Enable the server to handle Option 82 dhcp server relay information enable Optional Enabled by default To support Option 82 it is required to perform configuration on both the DHCP server and relay agent or the device enabled with DHCP s...

Page 409: ... not save DHCP server lease information Therefore when the system boots up or the reset dhcp server ip in use command is executed no lease information will be available in the configuration file In this case the server will deny the request for lease extension from a client and the client needs to request an IP address again DHCP Server Configuration Examples DHCP networking involves two types z T...

Page 410: ...cp pool 0 static bind client identifier 3030 3066 2e65 3234 392e 3830 3530 2d56 6c61 6e2d 696e 7465 7266 6163 6532 SwitchA dhcp pool 0 dns list 10 1 1 2 SwitchA dhcp pool 0 gateway list 10 1 1 126 SwitchA dhcp pool 0 quit Create DHCP address pool 1 configure a static binding DNS server and gateway in it SwitchA dhcp server ip pool 1 SwitchA dhcp pool 1 static bind ip address 10 1 1 6 SwitchA dhcp ...

Page 411: ...c com DNS server address 10 1 1 2 25 and gateway address 10 1 1 254 25 and there is no WINS server address z The domain name and DNS server address on subnets 10 1 1 0 25 and 10 1 1 128 25 are the same Therefore the domain name suffix and DNS server address can be configured only for subnet 10 1 1 0 24 Subnet 10 1 1 128 25 can inherit the configuration of subnet 10 1 1 0 24 In this example the num...

Page 412: ...onfiguration is complete clients on networks 10 1 1 0 25 and 10 1 1 128 25 can obtain IP addresses on the corresponding network and other network parameters from Switch A You can use the display dhcp server ip in use command on the DHCP server to view the IP addresses assigned to the clients Self Defined Option Configuration Example Network requirements As shown in Figure 2 3 the DHCP client Switc...

Page 413: ...e command on the DHCP server to view the IP addresses assigned to the clients Troubleshooting DHCP Server Configuration Symptom A client s IP address obtained from the DHCP server conflicts with another IP address Analysis A host on the subnet may have the same IP address Solution 1 Disconnect the client s network cable and ping the client s IP address on another host with a long timeout time to c...

Page 414: ... DHCP server must be available on each subnet which is not practical DHCP relay agent solves the problem Via a relay agent DHCP clients communicate with a DHCP server on another subnet to obtain configuration parameters Thus DHCP clients on different subnets can contact the same DHCP server for ease of centralized management and cost reduction Fundamentals Figure 3 1 shows a typical application of...

Page 415: ...formation refer to Relay agent option Option 82 If the DHCP relay agent supports Option 82 it will handle a client s request according to the contents defined in Option 82 if any The handling strategies are described in the table below If a reply returned by the DHCP server contains Option 82 the DHCP relay agent will remove the Option 82 before forwarding the reply to the client If a client s req...

Page 416: ...Relay Agent Security Functions Optional Configuring the DHCP Relay Agent to Send a DHCP Release Request Optional Configuring the DHCP Relay Agent to Support Option 82 Optional Configuring the DHCP Relay Agent Enabling DHCP Enable DHCP before performing other DHCP related configurations Follow these steps to enable DHCP To do Use the command Remarks Enter system view system view Enable DHCP dhcp en...

Page 417: ...HCP server group and add a server into the group dhcp relay server group group id ip ip address Required Not created by default Enter interface view interface interface type interface number Correlate the DHCP server group with the current interface dhcp relay server select group id Required By default no interface is correlated with any DHCP server group z You can specify up to twenty DHCP server...

Page 418: ...d Disabled by default z The dhcp relay address check enable command is independent of other commands of the DHCP relay agent That is the invalid address check takes effect when this command is executed regardless of whether other commands are used z The dhcp relay address check enable command only checks IP and MAC addresses of clients z You are recommended to configure IP address check on the int...

Page 419: ... the IP address of the DHCP server which assigned an IP address to the DHCP client and the receiving interface The administrator can use this information to check out any DHCP unauthorized servers Follow these steps to enable unauthorized DHCP server detection To do Use the command Remarks Enter system view system view Enable unauthorized DHCP server detection dhcp relay server detect Required Dis...

Page 420: ...e type interface number Enable the relay agent to support Option 82 dhcp relay information enable Required Disabled by default Configure the handling strategy for requesting messages containing Option 82 dhcp relay information strategy drop keep replace Optional replace by default Configure the padding format for Option 82 dhcp relay information format normal verbose node identifier mac sysname us...

Page 421: ...ame must contain no spaces Otherwise the DHCP relay agent will drop the message Displaying and Maintaining DHCP Relay Agent Configuration To do Use the command Remarks Display information about DHCP server groups correlated to a specified or all interfaces display dhcp relay all interface interface type interface number Available in any view Display Option 82 configuration information on the DHCP ...

Page 422: ...address of VLAN interface 2 is 10 1 1 2 24 Figure 3 3 Network diagram for DHCP relay agent Switch B DHCP server Switch A DHCP relay agent DHCP client DHCP client DHCP client DHCP client Vlan int2 10 1 1 2 24 Vlan int1 10 10 1 1 24 Vlan int2 10 1 1 1 24 Configuration procedure Specify IP addresses for the interfaces omitted Enable DHCP SwitchA system view SwitchA dhcp enable Add DHCP server 10 1 1 ...

Page 423: ...circuit ID sub option as company001 and for the remote ID sub option as device001 z Switch A forwards DHCP requests to the DHCP server Switch B after replacing Option 82 in the requests so that the DHCP clients can obtain IP addresses Configuration procedure Specify IP addresses for the interfaces omitted Enable DHCP SwitchA system view SwitchA dhcp enable Add DHCP server 10 1 1 1 into DHCP server...

Page 424: ...e debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information for locating the problem Solution Check that z The DHCP is enabled on the DHCP server and relay agent z The address pool on the same subnet where DHCP clients reside is available on the DHCP server z The routes between the DHCP server and DHCP relay agent are reacha...

Page 425: ...CP server cannot be a Windows 2000 Server or Windows 2003 Server Introduction to DHCP Client With the DHCP client enabled an interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP server Enabling the DHCP Client on an Interface Follow these steps to enable the DHCP client on an interface To do Use the command Remarks Enter system view system view Enter inter...

Page 426: ...cified configuration information display dhcp client verbose interface interface type interface number Available in any view DHCP Client Configuration Example Network requirements As shown in Figure 4 1 on a LAN Switch B contacts the DHCP server via VLAN interface 2 to obtain an IP address DNS server address and static route information The IP address resides on network 10 1 1 0 24 The DNS server ...

Page 427: ...ient on VLAN interface 2 SwitchB system view SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address dhcp alloc 3 Verification Use the display dhcp client command to view the IP address and other network parameters assigned to Switch B SwitchB Vlan interface2 display dhcp client verbose Vlan interface2 DHCP client information Current machine state BOUND Allocated IP 10 1 1 3 255 255 ...

Page 428: ... Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 10 1 1 0 24 Direct 0 0 10 1 1 3 Vlan2 10 1 1 3 32 Direct 0 0 127 0 0 1 InLoop0 20 1 1 0 24 Static 70 0 10 1 1 2 Vlan2 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 ...

Page 429: ...duction of IRF refer to IRF Configuration in the System Volume DHCP Snooping Overview Functions of DHCP Snooping As a DHCP security feature DHCP snooping can implement the following 1 Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers 2 Recording IP to MAC mappings of DHCP clients Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers If there is an unauth...

Page 430: ... For details refer to IP Source Guard Configuration in the Security Volume z VLAN mapping The device replaces service provider VLANs SVLANs in packets with customer VLANs CVLANs by searching corresponding DHCP snooping entries for DHCP client information including IP addresses MAC addresses and CVLANs before sending the packets to clients For details refer to VLAN Mapping Configuration in the Acce...

Page 431: ...0 1 GigabitEthernet2 0 2 Switch C GigabitEthernet2 0 1 GigabitEthernet2 0 3 and GigabitEthernet2 0 4 GigabitEthernet2 0 2 DHCP Snooping Support for Option 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agent option Option 82 If DHCP snooping suppor...

Page 432: ...d the message after adding the Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 The handling strategy and padding format for Option 82 on the DHCP snooping device are the same as those on the relay agent Configuring DHCP Snooping Basic Functions Fol...

Page 433: ...ation will be effective z Configuring both the DHCP snooping and selective QinQ function on the switch is not recommended because it may result in malfunction of DHCP snooping Configuring DHCP Snooping to Support Option 82 Prerequisites You need to enable the DHCP snooping function before configuring DHCP snooping to support Option 82 Configuring DHCP Snooping to Support Option 82 Follow these ste...

Page 434: ...lies to non user defined Option 82 only Configure non user defined Option 82 Configure the code type for the remote ID sub option dhcp snooping information remote id format type ascii hex Optional hex by default The code type configuration applies to non user defined Option 82 only Configure the padding content for the circuit ID sub option dhcp snooping information vlan vlan id circuit id string ...

Page 435: ...laying and Maintaining DHCP Snooping To do Use the command Remarks Display DHCP snooping entries display dhcp snooping ip ip address Available in any view Display Option 82 configuration information on the DHCP snooping device display dhcp snooping information all interface interface type interface number Available in any view Display DHCP packet statistics on the DHCP snooping device for distribu...

Page 436: ...GigabitEthernet2 0 1 as trusted SwitchB interface GigabitEthernet2 0 1 SwitchB GigabitEthernet2 0 1 dhcp snooping trust SwitchB GigabitEthernet2 0 1 quit DHCP Snooping Option 82 Support Configuration Example Network requirements z As shown in Figure 5 3 enable DHCP snooping and Option 82 support on Switch B z Configure the handling strategy for DHCP requests containing Option 82 as replace z On Gi...

Page 437: ...tchB GigabitEthernet2 0 2 dhcp snooping information circuit id string company001 SwitchB GigabitEthernet2 0 2 dhcp snooping information remote id string device001 SwitchB GigabitEthernet2 0 2 quit Configure GigabitEthernet2 0 3 to support Option 82 SwitchB interface GigabitEthernet 2 0 3 SwitchB GigabitEthernet2 0 3 dhcp snooping information enable SwitchB GigabitEthernet2 0 3 dhcp snooping inform...

Page 438: ...ples 1 5 Static Domain Name Resolution Configuration Example 1 5 Dynamic Domain Name Resolution Configuration Example 1 6 DNS Proxy Configuration Example 1 9 Troubleshooting IPv4 DNS Configuration 1 10 2 IPv6 DNS Configuration 2 1 Introduction to IPv6 DNS 2 1 Configuring the IPv6 DNS Client 2 1 Configuring Static Domain Name Resolution 2 1 Configuring Dynamic Domain Name Resolution 2 1 Displaying ...

Page 439: ...o IP address mappings are stored in the local static name resolution table to improve efficiency Static Domain Name Resolution The static domain name resolution means setting up mappings between domain names and IP addresses IP addresses of the corresponding domain names can be found in the static domain resolution table when you use applications such as Telnet Dynamic Domain Name Resolution Resol...

Page 440: ...pply the missing part For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the IP address of aabbcc com The resolver can add the suffix and delimiter before passing the name to the DNS server z If there is no dot in the domain name for example aabbcc the resolver will consider this a host name and add a DNS suffix before query If no match is f...

Page 441: ...ame resolution table after receiving the request If the requested information exists in the table the DNS proxy returns a DNS reply to the client 3 If the requested information does not exist in the static domain name resolution table the DNS proxy sends the request to the designated DNS server for domain name resolution 4 After receiving a reply from the DNS server the DNS proxy forwards the repl...

Page 442: ...me resolution To do Use the command Remarks Enter system view system view Enable dynamic domain name resolution dns resolve Required Disabled by default Specify a DNS server dns server ip address Required Not specified by default Configure a DNS suffix dns domain domain name Optional Not configured by default that is only the provided domain name is resolved z You can configure up to six DNS serve...

Page 443: ...e Switch and thus the Switch can use the domain name host com to access the host whose IP address is 10 1 1 2 Figure 1 3 Network diagram for static domain name resolution Configuration procedure Configure a mapping between host name host com and IP address 10 1 1 2 Sysname system view Sysname ip host host com 10 1 1 2 Use the ping host com command to verify that the Switch can use static domain na...

Page 444: ...om and the IP address 3 1 1 1 16 Figure 1 4 Network diagram for dynamic domain name resolution Configuration procedure z Before performing the following configuration make sure that the Switch and the host are accessible to each another via available routes and the IP addresses of the interfaces are configured as shown Figure 1 4 z This configuration may vary with different DNS servers The followi...

Page 445: ...one Create a mapping between host name and IP address Figure 1 6 Add a host In Figure 1 6 right click zone com and then select New Host to bring up a dialog box as shown in Figure 1 7 Enter host name host and IP address 3 1 1 1 ...

Page 446: ...t is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press CTRL_C to break Reply from 3 1 1 1 bytes 56 Sequence 1 ttl 126 time 3 ms Reply from 3 1 1 1 bytes 56 Sequence 2 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 3 ttl 126 time 1 ms Reply from 3 ...

Page 447: ...NS server and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 1 8 1 Configure the DNS server This configuration may vary with different DNS servers When a Windows server 2000 PC acts as the DNS server refer to Dynamic Domain Name Resolution Configuration Example for related configuration information 2 Configure the DNS proxy Specify the...

Page 448: ...ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 5 ttl 126 time 1 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 1 3 ms Troubleshooting IPv4 DNS Configuration Symptom After enabling the dynamic domain name resolution the user cannot get the correct IP address Solution z Use the display dns dynamic host command to verify that t...

Page 449: ...een host names and IPv6 addresses Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv6 addresses Follow these steps to configure static domain name resolution To do Use the command Remarks Enter system view system view Configure a mapping between a host name and an IPv6 address ipv6 host hostname ipv6 address Required Not configured ...

Page 450: ...name Required Not configured by default that is only the provided domain name is resolved z The dns resolve and dns domain commands are the same as those of IPv4 DNS z You can configure up to six DNS servers including those with IPv4 addresses z You can specify up to ten DNS suffixes Displaying and Maintaining IPv6 DNS To do Use the command Remarks Display the static IPv6 domain name resolution ta...

Page 451: ...ame resolution to resolve domain name host com into IPv6 address 1 2 Switch ping ipv6 host com PING host com 1 2 56 data bytes press CTRL_C to break Reply from 1 2 bytes 56 Sequence 1 hop limit 128 time 3 ms Reply from 1 2 bytes 56 Sequence 2 hop limit 128 time 1 ms Reply from 1 2 bytes 56 Sequence 3 hop limit 128 time 1 ms Reply from 1 2 bytes 56 Sequence 4 hop limit 128 time 2 ms Reply from 1 2 ...

Page 452: ...t the Switch and the host are accessible to each another via available routes and the IPv6 addresses of the interfaces are configured as shown Figure 2 2 z This configuration may vary with different DNS servers The following configuration is performed on a PC running Windows server 2003 Make sure that the DNS server supports the IPv6 DNS function so that the server can process IPv6 DNS packets and...

Page 453: ...ate a new zone named com Figure 2 3 Create a zone Create a mapping between the host name and the IPv6 address As shown in Figure 2 4 right click zone com Figure 2 4 Create a record In Figure 2 4 select Other New Records to bring up a dialog box as shown in Figure 2 5 Select IPv6 Host AAA as the resource record type ...

Page 454: ...2 6 Figure 2 5 Select the resource record type As shown in Figure 2 6 type host name host and IPv6 address 1 1 and then click OK Figure 2 6 Add a mapping between domain name and IPv6 address ...

Page 455: ...nding destination IP address is 1 1 Switch ping ipv6 host Trying DNS resolve press CTRL_C to break Trying DNS server 2 2 PING host com 1 1 56 data bytes press CTRL_C to break Reply from 1 1 bytes 56 Sequence 1 hop limit 126 time 2 ms Reply from 1 1 bytes 56 Sequence 2 hop limit 126 time 1 ms Reply from 1 1 bytes 56 Sequence 3 hop limit 126 time 1 ms Reply from 1 1 bytes 56 Sequence 4 hop limit 126...

Page 456: ...um Number of Neighbors Dynamically Learned 1 14 Configuring Parameters Related to RA Messages 1 14 Configuring the Maximum Number of Attempts to Send an NS Message for DAD 1 16 Configuring PMTU Discovery 1 17 Configuring a Static PMTU for a Specified IPv6 Address 1 17 Configuring the Aging Time for Dynamic PMTUs 1 17 Configuring IPv6 TCP Properties 1 17 Configuring ICMPv6 Packet Sending 1 18 Confi...

Page 457: ...tributed IRF device If an S7900E series is not in any IRF it operates as a distributed device if the S7900E series is in an IRF it operates as a distributed IRF device For introduction of IRF refer to IRF Configuration in the System Volume z EA boards such as LSQ1GP12EA and LSQ1TGX1EA do not support IPv6 features IPv6 Overview Internet Protocol Version 6 IPv6 also called IP next generation IPng wa...

Page 458: ...ements of hierarchical address division as well as allocation of public and private addresses Hierarchical address structure IPv6 adopts the hierarchical address structure to quicken route search and reduce the system sources occupied by the IPv6 routing table by route aggregation Automatic address configuration To simplify host configuration IPv6 supports stateful and stateless address configurat...

Page 459: ... most while the size of IPv6 extension headers is restricted to the maximum size of IPv6 packets Introduction to IPv6 Address IPv6 address format An IPv6 address is represented as a set of 16 bit hexadecimals separated by colons An IPv6 address is divided into eight groups and the 16 bits of each group are represented by four hexadecimal numbers for example 2001 0000 130F 0000 0000 09C0 876A 130B ...

Page 460: ...target interface is nearest to the source according to a routing protocol s measure of distance There are no broadcast addresses in IPv6 Their function is replaced by multicast addresses The type of an IPv6 address is designated by the first several bits called format prefix Table 1 1 lists the mappings between address types and format prefixes Table 1 1 Mappings between address types and format p...

Page 461: ...t address FF02 2 Link local scope all routers multicast address FF05 2 Site local scope all routers multicast address Besides there is another type of multicast address solicited node address A solicited node multicast address is used to acquire the link layer address of a neighbor node on the same link and is also used for duplicate address detection DAD Each IPv6 unicast or anycast address has a...

Page 462: ...scovery and address autoconfiguration z Redirection Table 1 3 lists the types and functions of ICMPv6 messages used by the NDP Table 1 3 Types and functions of ICMPv6 messages ICMPv6 message Number Function Used to acquire the link layer address of a neighbor Used to verify whether the neighbor is reachable Neighbor solicitation NS message 135 Used to perform a duplicate address detection Used to ...

Page 463: ...ddress of node A 2 After receiving the NS message node B judges whether the destination address of the packet is its solicited node multicast address If yes node B learns the link layer address of node A and then unicasts an NA message containing its link layer address 3 Node A acquires the link layer address of node B from the NA message Neighbor reachability detection After node A acquires the l...

Page 464: ...matically generates an IPv6 address according to the information obtained through router prefix discovery The router prefix discovery is implemented through RS and RA messages The router prefix discovery procedure is as follows 1 After started a node sends an RS message to request the router for the address prefix and other configuration information for the purpose of autoconfiguration 2 The route...

Page 465: ... PMTU discovery mechanism is to find the minimum MTU of all links in the path from the source to the destination Figure 1 5 shows the working procedure of PMTU discovery Figure 1 5 Working procedure of PMTU discovery The working procedure of the PMTU discovery is as follows 1 The source host uses its MTU to send packets to the destination host 2 If the MTU supported by a forwarding interface is sm...

Page 466: ...kets allowing communication between IPv4 and IPv6 nodes It performs IP address translation and according to different protocols performs semantic translation for packets This technology is only suitable for communication between pure IPv4 node and pure IPv6 node The S7900E series Ethernet switches do not support NAT PT Protocols and Standards Protocols and standards related to IPv6 include z RFC 1...

Page 467: ...format is adopted the IPv6 address prefix of an interface is the configured prefix and the interface identifier is generated automatically by the interface z Manual configuration IPv6 site local addresses or aggregatable global unicast addresses are configured manually z Stateless address autoconfiguration IPv6 global unicast addresses are generated automatically based on the address prefix inform...

Page 468: ...ss is configured for an interface a link local address is generated automatically The automatically generated link local address is the same as the one generated by using the ipv6 address auto link local command If a link local address is manually assigned to an interface this manual link local address takes effect If the manually assigned link local address is removed the automatically generated ...

Page 469: ...ough NS and NA messages or through a manually configured static neighbor entry The device uniquely identifies a static neighbor entry according to the neighbor IPv6 address and the local Layer 3 interface ID Currently there are two configuration methods z Associate a neighbor IPv6 address and link layer address with a Layer 3 interface z Associate a neighbor IPv6 address and link layer address wit...

Page 470: ...heir descriptions Parameters Description Cur hop limit When sending an IPv6 packet a host uses the value to fill the Cur Hop Limit field in IPv6 headers The value is also filled into the Cur Hop Limit field in response messages of a device Prefix information options After receiving the prefix information advertised by the device the hosts on the same link can perform stateless autoconfiguration M ...

Page 471: ...imit ipv6 nd hop limit value Optional 64 by default Enable the consistency check on the source MAC address of ND packets ipv6 nd mac check enable Optional Disabled by default Enter interface view interface interface type interface number Disable the RA message suppression undo ipv6 nd ra halt Required By default RA messages are suppressed Configure the maximum and minimum intervals for sending RA ...

Page 472: ...conds and the value of the Reachable Timer field in RA messages is 0 z The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages z In VRRP networking the source MAC address in an NA message is always different from that in the link layer address option at present and therefore the consistency check on the MAC address of ND packets cannot be ena...

Page 473: ...he path MTU from a source host to a destination host is dynamically determined refer to IPv6 PMTU Discovery the source host sends subsequent packets to the destination host on basis of this MTU After the aging time expires the dynamic PMTU is removed and the source host re determines a dynamic path MTU through the PMTU mechanism The aging time is invalid for a static PMTU Follow these steps to con...

Page 474: ...the configured capacity One token allows one ICMPv6 error packet to be sent Each time an ICMPv6 error packet is sent the number of tokens in a token bucket decreases by one If the number of ICMPv6 error packets successively sent exceeds the capacity of the token bucket the additional ICMPv6 error packets cannot be sent out until the capacity of the token bucket is restored Follow these steps to co...

Page 475: ...vice degrades greatly because it has to send back ICMP time exceeded packets You can disable sending of ICMPv6 time exceeded packets Follow these steps to enable sending of ICMPv6 time exceeded packets To do Use the command Remarks Enter system view system view Enable sending of ICMPv6 time exceeded packets ipv6 hoplimit expires enable Optional Enabled by default Displaying and Maintaining IPv6 Ba...

Page 476: ... view Display socket information for distributed IRF devices display ipv6 socket socktype socket type task id socket id chassis chassis number slot slot number Available in any view Display the statistics of IPv6 packets and ICMPv6 packets for distributed devices display ipv6 statistics slot slot number Available in any view Display the statistics of IPv6 packets and ICMPv6 packets for distributed...

Page 477: ... corresponding VLANs configure IPv6 addresses for the VLAN interfaces and verify the connectivity between them z The aggregatable global unicast addresses of VLAN interface 2 and VLAN interface 1 on Switch A are 3001 1 64 and 2001 1 64 respectively z The aggregatable global unicast address of VLAN interface 2 on Switch B is 3001 2 64 and a route to Host is available z IPv6 is enabled for Host to a...

Page 478: ... NDP SwitchA display ipv6 neighbors interface GigabitEthernet 2 0 2 Type S Static D Dynamic IPv6 Address Link layer VID Interface State T Age FE80 215 E9FF FEA6 7D14 0015 e9a6 7d14 1 GE2 0 2 STALE D 1238 2001 15B E0EA 3524 E791 0015 e9a6 7d14 1 GE2 0 2 STALE D 1248 The above information shows that the IPv6 aggregatable global unicast address that Host obtained is 2001 15B E0EA 3524 E791 Verificati...

Page 479: ...ds 0 SwitchA display ipv6 interface vlan interface 1 verbose Vlan interface1 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE00 1C0 Global unicast address es 2001 1 subnet is 2001 64 Joined group address es FF02 1 FF00 0 FF02 1 FF00 1 FF02 1 FF00 1C0 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is...

Page 480: ...ds 0 Display the IPv6 interface settings on Switch B All the IPv6 global unicast addresses configured on the interface are displayed SwitchB display ipv6 interface vlan interface 2 verbose Vlan interface2 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE00 1234 Global unicast address es 3001 2 subnet is 3001 64 Joined group address es FF02 1 FF0...

Page 481: ...ing Switch A and Switch B on Host and ping Switch A and Host on Switch B to verify the connectivity between them When you ping a link local address you should use the i parameter to specify an interface for the link local address SwitchB ping ipv6 c 1 3001 1 PING 3001 1 56 data bytes press CTRL_C to break Reply from 3001 1 bytes 56 Sequence 1 hop limit 64 time 2 ms 3001 1 ping statistics 1 packet ...

Page 482: ...Troubleshooting IPv6 Basics Configuration Symptom The peer IPv6 address cannot be pinged Solution z Use the display current configuration command in any view or the display this command in system view to verify that IPv6 is enabled z Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up z Use the debugging ipv6 packet...

Page 483: ...Relay Agent 1 3 Protocols and Standards 1 4 Configuring the DHCPv6 Client 1 4 Configuration Prerequisites 1 4 Configuration Procedure 1 4 Configuring the DHCPv6 Relay Agent 1 5 Configuration Prerequisites 1 5 Configuration Procedure 1 5 Displaying and Maintaining DHCPv6 1 6 DHCPv6 Configuration Examples 1 6 Stateless DHCPv6 Configuration Example 1 6 DHCPv6 Relay Agent Configuration Example 1 8 ...

Page 484: ... addresses assigned to hosts and assign addresses to specific hosts thus facilitating network management z Assign configuration parameters to hosts such as the DNS server address or domain name Basic Concepts Multicast address of all DHCPv6 servers and relay agents The multicast address FF02 1 2 identifies all DHCPv6 servers and relay agents on the local link DUID A DHCP unique identifier DUID uni...

Page 485: ...vice can only serve as the DHCPv6 client and relay agent Serving as a DHCPv6 client the device only supports stateless DHCPv6 configuration instead of stateful DHCPv6 configuration that is the device can only obtain other network configuration parameters instead of an IPv6 address from the DHCPv6 server Stateless DHCPv6 Configuration After obtaining an IPv6 address through stateless address autoco...

Page 486: ... 1 3 Operation of Stateless DHCPv6 As shown in Figure 1 3 stateless DHCPv6 operates as follows 1 The DHCPv6 client multicasts an information request message to the destination address FF02 1 2 The information request message contains the option request option specifying configuration parameters that the client requests from the DHCPv6 server 2 After receiving the information request message the DH...

Page 487: ...r then sends the Relay reply message to the DHCPv6 relay agent 4 The DHCPv6 relay agent obtains the reply from the Relay reply message and sends the reply to the DHCPv6 client The DHCPv6 client uses the IPv6 address and other network parameters assigned by the DHCPv6 server to perform network configuration Protocols and Standards z RFC 3736 Stateless Dynamic Host Configuration Protocol DHCP Servic...

Page 488: ...from a DHCPv6 client the interface that operates as a DHCPv6 relay agent encapsulates the request into a Relay forward message and forwards the message to the specified DHCPv6 server which then assigns an IPv6 address and other configuration parameters to the DHCPv6 client Configuration Prerequisites Before configuring DHCPv6 relay agent you need to use the ipv6 command to enable IPv6 Configuratio...

Page 489: ... ipv6 dhcp client interface interface type interface number Available in any view Display DHCPv6 client statistics display ipv6 dhcp client statistics interface interface type interface number Available in any view Display the DUID of the local device display ipv6 dhcp duid Available in any view Display DHCPv6 server addresses specified on the DHCPv6 relay agent display ipv6 dhcp relay server addr...

Page 490: ...face 2 SwitchA Vlan interface2 ipv6 address auto With this command executed if VLAN interface 2 has no IP address configured Switch A will automatically generate a link local address and send an RS message requesting the gateway Switch B to reply with an RA message immediately Verification After receiving an RA message with the M flag set to 0 and with the O flag set to 1 Switch A automatically en...

Page 491: ...bind 0 Information request 5 Release 0 Decline 0 DHCPv6 Relay Agent Configuration Example Network requirements As shown in Figure 1 6 the network address prefix of DHCPv6 clients is 1 64 and the IPv6 address of the DHCPv6 server is 2 2 64 The DHCPv6 client and server need to communicate via a DHCPv6 relay agent Switch A Switch A acts as the gateway of network 1 64 It sends RA messages to notify th...

Page 492: ... SwitchA Vlan interface1 undo ipv6 nd ra halt SwitchA Vlan interface1 ipv6 nd autoconfig managed address flag SwitchA Vlan interface1 ipv6 nd autoconfig other flag 3 Verify the configuration After completing the above configurations display DHCPv6 server address information on Switch A SwitchA Vlan interface1 display ipv6 dhcp relay server address all Interface Vlan1 Server address es Output Inter...

Page 493: ...onfiguration Example 1 16 Configuring an ISATAP Tunnel 1 19 Configuration Prerequisites 1 19 Configuration Procedure 1 19 Configuration Example 1 20 Configuring an IPv4 over IPv4 Tunnel 1 23 Configuration Prerequisites 1 23 Configuration Procedure 1 23 Configuration Example 1 24 Configuring an IPv4 over IPv6 Tunnel 1 27 Configuration Prerequisites 1 28 Configuration Procedure 1 28 Configuration Ex...

Page 494: ...ii Displaying and Maintaining Tunneling Configuration 1 45 Troubleshooting Tunneling Configuration 1 45 ...

Page 495: ...l and transfer them over the network A tunnel is a virtual point to point connection providing a channel to transfer encapsulated packets Packets are encapsulated and decapsulated at both ends of a tunnel Tunneling refers to the whole process from data encapsulation to data transfer to data decapsulation Tunneling provides the following z Transition techniques such as IPv6 over IPv4 tunneling to i...

Page 496: ...tocol IPv6 is compatible with all protocols except IPv4 in the TCP IP suite Therefore IPv6 can completely take the place of IPv4 Before IPv6 becomes the dominant protocol networks using the IPv6 protocol stack are expected to communicate with the Internet using IPv4 Therefore an IPv6 IPv4 interworking technology must be developed to ensure the smooth transition from IPv4 to IPv6 In addition the in...

Page 497: ...ulated IPv6 packet If the destination address is the device itself the device forwards the IPv6 packet to the upper layer protocol for processing Configured tunnel and automatic tunnel An IPv6 over IPv4 tunnel can be established between hosts between hosts and devices and between devices The tunnel destination needs to forward packets if the tunnel destination is not the final destination of the I...

Page 498: ... used to automatically acquire the destination IPv4 address of the tunnel The automatic 6to4 tunnel adopts 6to4 addresses The address format is 2002 abcd efgh subnet number interface ID 64 where 2002 represents the fixed IPv6 address prefix and abcd efgh represents the 32 bit globally unique source IPv4 address of the 6to4 tunnel in hexadecimal notation For example 1 1 1 1 can be represented by 01...

Page 499: ...rgo an encapsulation and decapsulation process Figure 1 3 shows these two processes Figure 1 3 Principle of IPv4 over IPv4 tunnel z Encapsulation The encapsulation process is as follows 1 The interface of Router A connecting to an IPv4 host receives an IP packet and submits it to the IP protocol stack for processing 2 The IP protocol stack determines how to route the packet according to the destin...

Page 500: ...sponding data module for processing The data module then determines how to route the packet 2 If the packet needs to be routed to Host B connected to Router B the packet is sent to Router A s tunnel interface that is connected to Router B 3 After receiving the packet the tunnel interface adds an IPv6 header to it and submits it to the IPv6 module for processing 4 The IPv6 module re determines a ro...

Page 501: ...otocol checks the destination address field in the packet header to determine how to route the packet 3 If the packet must be tunneled to reach its destination Router A sends it to the tunnel interface 4 Upon receipt of the packet the tunnel interface encapsulates it in a GRE packet Then the system encapsulates the packet in an IP packet and forwards the IP packet based on its destination address ...

Page 502: ...e payload to the X protocol for forwarding Encapsulation and decapsulation processes on both ends of the GRE tunnel and the resulting increase in data volumes will degrade the forwarding efficiency for the GRE enabled device to some extent Protocols and Standards z RFC 1853 IP in IP Tunneling z RFC 2473 Generic Packet Tunneling in IPv6 Specification z RFC 2893 Transition Mechanisms for IPv6 Hosts ...

Page 503: ...ssis number slot slot number Optional Not specified by default Reference a service loopback group service loopback group number Required By default the tunnel does not reference any service loopback group Set the MTU of packets sent over the interface mtu size Optional 64000 by default Shut down the tunnel interface shutdown Optional By default the interface is down When active standby switchover ...

Page 504: ... Configure an IPv6 address for the tunnel interface Configure a link local IPv6 address ipv6 address ipv6 address link local Optional By default a link local address will automatically be created when an IPv6 global unicast address or site local address is configured Specify the IPv6 manual tunnel mode tunnel protocol ipv6 ipv4 Required By default the tunnel is a GRE over IPv4 tunnel The same tunn...

Page 505: ...estination and set the outbound interface to the tunnel interface at the local end or set the next hop to the tunnel interface at the peer end The similar configuration needs to be performed at the other tunnel end z When you configure dynamic routing at both tunnel ends you need to enable the dynamic routing protocol on the tunnel interfaces For related configurations refer to related contents in...

Page 506: ...oup 1 type tunnel Add GigabitEthernet 2 0 3 to service loopback group 1 SwitchA interface GigabitEthernet 2 0 3 SwitchA GigabitEthernet2 0 3 undo stp enable SwitchA GigabitEthernet2 0 3 port service loopback group 1 SwitchA GigabitEthernet2 0 3 quit Reference service loopback group 1 on the tunnel SwitchA interface tunnel 0 SwitchA Tunnel0 service loopback group 1 SwitchA Tunnel0 quit Configure a ...

Page 507: ...0 SwitchB Tunnel0 service loopback group 1 SwitchB Tunnel0 quit Configure a static route to IPv6 Group 1 through tunnel 0 on Switch B SwitchB ipv6 route static 3002 64 tunnel 0 Configuration verification After the above configurations display the status of the tunnel interfaces on Switch A and Switch B respectively SwitchA display ipv6 interface tunnel 0 verbose Tunnel0 current state UP Line proto...

Page 508: ...eply from 3003 1 bytes 56 Sequence 1 hop limit 64 time 1 ms Reply from 3003 1 bytes 56 Sequence 2 hop limit 64 time 1 ms Reply from 3003 1 bytes 56 Sequence 3 hop limit 64 time 1 ms Reply from 3003 1 bytes 56 Sequence 4 hop limit 64 time 1 ms Reply from 3003 1 bytes 56 Sequence 5 hop limit 64 time 1 ms 3003 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip mi...

Page 509: ...is configured for the tunnel interface ipv6 address auto link local Configure an IPv6 address for the tunnel interface Configure an IPv6 link local address ipv6 address ipv6 address link local Optional By default a link local address will automatically be generated when an IPv6 global unicast address or site local address is configured Specify the 6to4 tunnel mode tunnel protocol ipv6 ipv4 6to4 Re...

Page 510: ...on needs to be performed at the other tunnel end 6to4 Tunnel Configuration Example Network requirements As shown in Figure 1 9 two 6to4 networks are connected to an IPv4 network through two 6to4 switches Switch A and Switch B respectively Configure a 6to4 tunnel to make Host A and Host B reachable to each other To enable communication between 6to4 networks you need to configure 6to4 addresses for ...

Page 511: ...SwitchA Tunnel0 ipv6 address 2002 201 101 1 64 SwitchA Tunnel0 source vlan interface 100 SwitchA Tunnel0 tunnel protocol ipv6 ipv4 6to4 SwitchA Tunnel0 quit Create service loopback group 1 to support the tunnel service SwitchA service loopback group 1 type tunnel Add GigabitEthernet 2 0 3 to service loopback group 1 SwitchA interfaceGigabitEthernet 2 0 3 SwitchA GigabitEthernet2 0 3 undo stp enabl...

Page 512: ... service loopback group 1 SwitchB interface GigabitEthernet 2 0 3 SwitchB GigabitEthernet2 0 3 undo stp enable SwitchB GigabitEthernet2 0 3 port service loopback group 1 SwitchB GigabitEthernet2 0 3 quit Reference service loopback group 1 on the tunnel SwitchB interface tunnel 0 SwitchB Tunnel0 service loopback group 1 SwitchB Tunnel0 quit Configure a static route whose destination address is 2002...

Page 513: ...ix length ipv6 address prefix length Configure an IPv6 global unicast address or site local address ipv6 address ipv6 address prefix length eui 64 Required Use either command By default no IPv6 global unicast address is configured for the tunnel interface ipv6 address auto link local Configure an IPv6 address for the tunnel interface Configure an IPv6 link local address ipv6 address ipv6 address l...

Page 514: ...nstead of the IPv4 address of the tunnel destination and set the outbound interface to the tunnel interface at the local end or set the next hop to the tunnel interface at the peer end The similar configuration needs to be performed at the other tunnel end Configuration Example Network requirements As shown in Figure 1 10 an IPv6 network is connected to an IPv4 network through an ISATAP switch The...

Page 515: ...net 2 0 3 Switch GigabitEthernet2 0 3 undo stp enable Switch GigabitEthernet2 0 3 port service loopback group 1 Switch GigabitEthernet2 0 3 quit Reference service loopback group 1 on the tunnel Switch interface tunnel 0 Switch Tunnel0 service loopback group 1 Switch Tunnel0 quit Configure a static route to the ISATAP host Switch ipv6 route static 2001 16 tunnel 0 z Configuration on the ISATAP host...

Page 516: ...6s 6d23h59m46s public preferred link local fe80 5efe 2 1 1 2 life infinite link MTU 1500 true link MTU 65515 current hop limit 255 reachable time 42500ms base 30000ms retransmission interval 1000ms DAD transmits 0 default site prefix length 48 By comparison it is found that the host acquires the address prefix 2001 64 and automatically generates the address 2001 5efe 2 1 1 2 Meanwhile uses Router ...

Page 517: ...tem view Enter tunnel interface view interface tunnel number Configure an IPv4 address for the tunnel interface ip address ip address mask mask length sub Required By default no IPv4 address is configured for the tunnel interface Specify the IPv4 over IPv4 tunnel mode tunnel protocol ipv4 ipv4 Optional By default the tunnel is a GRE over IPv4 tunnel The same tunnel mode should be configured at bot...

Page 518: ...must have different source and destination addresses z If you specify a source interface instead of a source address for the tunnel the source address of the tunnel is the primary IP address of the source interface z When you configure dynamic routing at each tunnel end you need to enable the dynamic routing protocol on the tunnel interface For related configurations refer to related contents in t...

Page 519: ...ace tunnel 1 IP address of VLAN interface 101 of Switch B SwitchA Tunnel1 destination 3 1 1 1 SwitchA Tunnel1 quit Create service loopback group 1 to support the tunnel service SwitchA service loopback group 1 type tunnel Add GigabitEthernet 2 0 3 to service loopback group 1 SwitchA interface GigabitEthernet 2 0 3 SwitchA GigabitEthernet2 0 3 undo stp enable SwitchA GigabitEthernet2 0 3 port servi...

Page 520: ... interface GigabitEthernet 2 0 3 SwitchB GigabitEthernet2 0 3 undo stp enable SwitchB GigabitEthernet2 0 3 port service loopback group 1 SwitchB GigabitEthernet2 0 3 quit Reference service loopback group 1 on the tunnel SwitchB interface tunnel 2 SwitchB Tunnel2 service loopback group 1 SwitchB Tunnel2 quit Configure a static route from Switch B through the interface tunnel 2 to Group 1 SwitchB ip...

Page 521: ...5 packets input 320 bytes 0 input error 9 packets output 576 bytes 0 output error Ping the IPv4 address of the peer interface VLAN interface 100 from Switch A SwitchA ping 10 1 3 1 PING 10 1 3 1 56 data bytes press CTRL_C to break Reply from 10 1 3 1 bytes 56 Sequence 1 ttl 255 time 15 ms Reply from 10 1 3 1 bytes 56 Sequence 2 ttl 255 time 15 ms Reply from 10 1 3 1 bytes 56 Sequence 3 ttl 255 tim...

Page 522: ...interface tunnel number Configure an IPv4 address for the tunnel interface ip address ip address mask mask length sub Required By default no IPv4 address is configured for the tunnel interface Specify the IPv4 over IPv6 tunnel mode tunnel protocol ipv4 ipv6 Optional By default the tunnel is a GRE over IPv4 tunnel The same tunnel mode should be configured at both ends of the tunnel Otherwise packet...

Page 523: ...d of a source address for the tunnel the source address of the tunnel is the primary IP address of the source interface z When you configure dynamic routing at each tunnel end you need to enable the dynamic routing protocol on the tunnel interface For related configurations refer to related contents in the IP Routing Volume Configuration Example Network requirements The two subnets Group 1 and Gro...

Page 524: ...the interface tunnel 1 IP address of VLAN interface 101 of Switch B SwitchA Tunnel1 destination 2002 2 1 SwitchA Tunnel1 quit Create service loopback group 1 to support the tunnel service SwitchA service loopback group 1 type tunnel Add GigabitEthernet 2 0 3 to service loopback group 1 SwitchA interface GigabitEthernet 2 0 3 SwitchA GigabitEthernet2 0 3 undo stp enable SwitchA GigabitEthernet2 0 3...

Page 525: ...B service loopback group 1 type tunnel Add GigabitEthernet 2 0 3 to service loopback group 1 SwitchB interface GigabitEthernet 2 0 3 SwitchB GigabitEthernet2 0 3 undo stp enable SwitchB GigabitEthernet2 0 3 port service loopback group 1 SwitchB GigabitEthernet2 0 3 quit Reference service loopback group 1 on the tunnel SwitchB interface tunnel 2 SwitchB Tunnel2 service loopback group 1 SwitchB Tunn...

Page 526: ...c 0 packets sec Last 300 seconds output 1 bytes sec 0 packets sec 167 packets input 10688 bytes 0 input error 170 packets output 10880 bytes 0 output error Ping the IPv4 address of the peer interface VLAN interface 100 from Switch A SwitchA ping 30 1 3 1 PING 30 1 3 1 56 data bytes press CTRL_C to break Reply from 30 1 3 1 bytes 56 Sequence 1 ttl 255 time 46 ms Reply from 30 1 3 1 bytes 56 Sequenc...

Page 527: ...s or site local address ipv6 address ipv6 address prefix length eui 64 ipv6 address auto link local Configure an IPv6 address for the tunnel interface Configure an IPv6 link local address ipv6 address ipv6 address link local Required Use one of the commands By default no IPv6 address is configured for the tunnel interface Specify the IPv6 over IPv6 tunnel mode tunnel protocol ipv6 ipv6 Optional By...

Page 528: ...ment z Two or more tunnel interfaces using the same encapsulation protocol must have different source and destination addresses z If you specify a source interface instead of a source address for the tunnel the source address of the tunnel is the primary IP address of the source interface z Before configuring dynamic routes you must enable the dynamic routing protocol on the tunnel interfaces at b...

Page 529: ...r the interface tunnel 1 IP address of VLAN interface 101 SwitchA Tunnel1 source 2002 11 1 Configure the destination address for the interface tunnel 1 IP address of VLAN interface 101 of Switch B SwitchA Tunnel1 destination 2002 22 1 SwitchA Tunnel1 quit Create service loopback group 1 to support the tunnel service SwitchA service loopback group 1 type tunnel Add GigabitEthernet 2 0 3 to service ...

Page 530: ...el 2 IP address of VLAN interface 101 of Switch A SwitchB Tunnel2 destination 2002 11 1 SwitchB Tunnel2 quit Create service loopback group 1 to support the tunnel service SwitchB service loopback group 1 type tunnel Add GigabitEthernet 2 0 3 to service loopback group 1 SwitchB interface GigabitEthernet 2 0 3 SwitchB GigabitEthernet2 0 3 undo stp enable SwitchB GigabitEthernet2 0 3 port service loo...

Page 531: ...dress es FF02 1 FF24 1 FF02 1 FF01 2 FF02 1 FF00 0 FF02 2 FF02 1 MTU is 1460 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics Ping the IPv6 address of the peer interface VLAN interface 100 from Switch A SwitchA ping ipv6 2002 3 1 PING 2002 3 1 56 data bytes press CTRL_C to break Reply from ...

Page 532: ...ter tunnel interface view interface tunnel interface number Required By default a device has no tunnel interface Configure an IPv4 address for the tunnel interface ip address ip address mask mask length Required By default a tunnel interface has no IPv4 address Set the tunnel mode to GRE over IPv4 tunnel protocol gre Optional By default the tunnel is a GRE over IPv4 tunnel Note that you need to co...

Page 533: ... z When configuring a route through the tunnel you can configure a static route using the address of the network segment that the original packet is destined for as its destination address and the address of the peer tunnel interface as its next hop Or you can enable a dynamic routing protocol on both the tunnel interface and the router interface connecting the private network Configuration Exampl...

Page 534: ...net 2 0 3 to service loopback group 1 SwitchA interface GigabitEthernet 2 0 3 SwitchA GigabitEthernet2 0 3 undo stp enable SwitchA GigabitEthernet2 0 3 port service loopback group 1 Apply service loopback group 1 to the tunnel in tunnel interface view SwitchA GigabitEthernet2 0 3 quit SwitchA interface tunnel 1 SwitchA Tunnel1 service loopback group 1 SwitchA Tunnel1 quit Configure a static route ...

Page 535: ... interface view SwitchB GigabitEthernet2 0 3 quit SwitchB interface tunnel 1 SwitchB Tunnel1 service loopback group 1 SwitchB Tunnel1 quit Configure a static route from Switch B through interface Tunnel 1 to Group 1 SwitchB ip route static 10 1 1 0 255 255 255 0 Tunnel 1 Configuring a GRE over IPv6 Tunnel EB boards and SD boards support only the GRE over IPv6 Tunnel Configuration Prerequisites Int...

Page 536: ... dynamic through the tunnel to the other end Note that z If you delete a tunnel interface the functions configured on this tunnel interface will be removed as well z The source address and destination address of a tunnel uniquely identify a path They must be configured at both ends of the tunnel and the source address at one end must be the destination address at the other end and vice versa z Tun...

Page 537: ...nterface 100 SwitchA Vlan interface100 ip address 10 1 1 1 255 255 255 0 SwitchA Vlan interface100 quit Configure interface VLAN interface 101 the physical interface of the tunnel SwitchA interface vlan interface 101 SwitchA Vlan interface101 ipv6 address 2002 1 1 64 SwitchA Vlan interface101 quit Create an interface named Tunnel 0 SwitchA interface tunnel 0 Configure an IPv4 address for interface...

Page 538: ...c 10 1 3 0 255 255 255 0 tunnel 0 2 Configure Switch B SwitchB system view Enable IPv6 SwitchB ipv6 Configure interface VLAN interface 100 SwitchB interface vlan interface 100 SwitchB Vlan interface100 ip address 10 1 3 1 255 255 255 0 SwitchB Vlan interface100 quit Configure interface VLAN interface 101 the physical interface of the tunnel SwitchB interface vlan interface 101 SwitchB Vlan interfa...

Page 539: ...Pv6 information on tunnel interfaces display ipv6 interface tunnel number verbose Available in any view Clear statistics on tunnel interfaces reset counters interface tunnel number Available in user view Troubleshooting Tunneling Configuration Symptom After the configuration of related parameters such as tunnel source address tunnel destination address and tunnel mode the tunnel interface is still...

Page 540: ...ontents 1 UDP Helper Configuration 1 1 Introduction to UDP Helper 1 1 Configuring UDP Helper 1 1 Displaying and Maintaining UDP Helper 1 2 UDP Helper Configuration Examples 1 2 UDP Helper Configuration Example 1 2 ...

Page 541: ... relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet z If the destination port number of the packet matches the one pre configured on the device the device modifies the destinati...

Page 542: ...tion of all UDP ports is removed if you disable UDP Helper z You can configure up to 256 UDP port numbers to enable the forwarding of packets with these UDP port numbers z You can configure up to 20 destination servers on an interface Displaying and Maintaining UDP Helper To do Use the command Remarks Displays the information of forwarded UDP packets display udp helper server interface interface t...

Page 543: ... 0 16 is available Enable UDP Helper SwitchA system view SwitchA udp helper enable Enable the forwarding broadcast packets with the UDP destination port 55 SwitchA udp helper port 55 Specify the destination server 10 2 1 1 on VLAN interface 1 SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 110 1 1 16 SwitchA Vlan interface1 udp helper server 10 2 1 1 ...

Page 544: ...7 FTP Client Configuration Example Distributed IRF Device 1 9 Configuring the FTP Server 1 11 Configuring FTP Server Operating Parameters 1 11 Configuring Authentication and Authorization on the FTP Server 1 12 FTP Server Configuration Example Distributed Device 1 13 FTP Server Configuration Example Distributed IRF Device 1 15 Displaying and Maintaining FTP 1 17 2 TFTP Configuration 2 1 TFTP Overv...

Page 545: ... files z ASCII mode transfers files as text like txt bat and cfg files Operation of FTP FTP adopts the client server model Your device can function either as the client or as the server as shown in Figure 1 1 z When the device serves as the FTP client the user first connects to the device from a PC through Telnet or an emulation program and then executes the ftp command to establish a connection t...

Page 546: ...onfiguration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous FTP for security reasons Therefore you must use a valid username and password By default authenticated users can access the root directory of the device Device FTP server Configure the FTP server operating parameter...

Page 547: ...IP address The primary IP address configured on the source interface is the source address of the transmitted packets The source address of the transmitted packets is selected following these rules z If no source address is specified the FTP client uses the IP address of the interface determined by the matched route as the source IP address to communicate with an FTP server z If the source address...

Page 548: ... the remote FTP server directly in user view ftp ipv6 server address service port source ipv6 source ipv6 address i interface type interface number ftp ipv6 Log in to the remote FTP server indirectly in FTP client view open ipv6 server address service port i interface type interface number Use either approach The ftp ipv6 command is available in user view and the open ipv6 command is available in ...

Page 549: ... mode transfers files as raw data 4 Use the lcd command to display the local working directory of the FTP client You can upload the file under this directory or save the downloaded file under this directory 5 Upload or download the file Follow these steps to operate the files on an FTP server To do Use the command Remarks Display detailed information about a directory or file on the remote FTP ser...

Page 550: ...do Use the command Remarks Use another username to relog in after successfully logging in to the FTP server user username password Optional Maintaining and Debugging an FTP Connection After a device serving as the FTP client has established a connection with the FTP server For how to establish an FTP connection refer to Establishing an FTP Connection you can perform the following operations to loc...

Page 551: ...e FTP server Their IP addresses are 10 2 1 1 16 and 10 1 1 1 16 respectively An available route exists between Device and PC z Device downloads a startup file from PC for device upgrade and uploads the configuration file to PC for backup z On PC an FTP user account has been created for the FTP client with the username being abc and the password being pwd Figure 1 2 Network diagram for FTPing a sta...

Page 552: ...fy newest app as the main startup file to be used at the next startup z Specify newest app as the main startup file to be used at the next startup for the AMB Sysname boot loader file newest app slot 0 main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot file at the next reboot on slot 0 z Specify newest app as the main sta...

Page 553: ...nd uploads the configuration file to PC for backup z On PC an FTP user account has been created for the FTP client with the username being abc and the password being pwd Figure 1 3 Network diagram for FTPing a startup file from an FTP server Configuration procedure If the available memory space of the device is insufficient use the fixdisk command to clear the memory or use the delete unreserved f...

Page 554: ...r complete FTP 3494 byte s sent in 5 646 second s 618 00 byte s sec ftp bye Specify newest app as the main startup file to be used at the next startup for the AMB of the IRF Sysname boot loader file newest app chassis 1 slot 0 main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot file at the next reboot on chassis 1 slot 0 S...

Page 555: ...g data This means that any anomaly power failure for example during file transfer might result in file corruption on the FTP server This mode however consumes less memory space than the fast mode Follow these steps to configure the FTP server To do Use the command Remarks Enter system view system view Enable the FTP server ftp server enable Required Disabled by default Use an ACL to control FTP cl...

Page 556: ...ipher password Required Assign the FTP service to the user service type ftp Required By default the system does not support anonymous FTP access and does not assign any service If the FTP service is assigned the root directory of the device is used by default Configure user properties authorization attribute acl acl number callback number callback number idle cut minute level level user profile pr...

Page 557: ...ge level Authorize ftp s access to the root directory of the flash on the AMB and specify ftp to use FTP Sysname system view Sysname local user ftp Sysname luser ftp password simple pwd Sysname luser ftp authorization attribute level 3 Sysname luser ftp authorization attribute work directory flash To access the flash root directory of the SMB in slot 1 execute this command Sysname luser ftp author...

Page 558: ...ate command to upgrade the Boot ROM 3 Upgrade Device Copy the startup file newest app to the root directory of the storage medium on the SMB in slot 1 Sysname copy newest app slot1 flash Specify newest app as the main startup file to be used at the next startup z Specify newest app as the main startup file to be used at the next startup for the AMB Sysname boot loader file newest app slot 0 main T...

Page 559: ... PC as the FTP client Their IP addresses are as shown in the following figure Device and PC are reachable to each other z Device downloads a startup file from PC for upgrade and uploads the configuration file to PC for backup z On PC an FTP user account has been created for the FTP client with the username being abc and the password being pwd Figure 1 5 Network diagram for FTPing a startup file fr...

Page 560: ...ged in Download the configuration file config cfg of the device to the PC for backup ftp get config cfg back config cfg Upload the configuration file newest app to the root directory of the storage medium on the AMB of the IRF ftp put newest app ftp bye z You can take the same steps to upgrade configuration file with FTP When upgrading the configuration file with FTP put the new file under the roo...

Page 561: ...rd Continue Y N y The specified file will be used as the main boot file at the next reboot on chassis 2 slot 0 Sysname boot loader file chassis2 slot1 flash newest app chassis 1 slot 0 main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot file at the next reboot on chassis 2 slot 1 Reboot the device and the startup file is u...

Page 562: ...ient and server TFTP uses the UDP port 69 for data transmission For TFTP basic operation refer to RFC 1986 In TFTP file transfer is initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In a normal file uploading process the client sends a write request to th...

Page 563: ...o the storage medium until the whole file is obtained In this way if file download fails for example due to network disconnection the device can still start up because the original system file is not overwritten This mode is more secure but consumes more memory You are recommended to use the secure mode or if you use the normal mode specify a filename not existing in the current directory as the t...

Page 564: ...A device uses the source address determined by the matched route to communicate with the TFTP server by default Return to user view quit Download or upload a file in an IPv4 network tftp server address get put sget source filename destination filename source interface interface type interface number ip source ip address Optional Available in user view Download or upload a file in an IPv6 network t...

Page 565: ...erform the following operations Download application file newest app from PC to the device z Download application file newest app from PC to the root directory of the storage medium on the AMB Sysname tftp 1 2 1 1 get newest app z Download application file newest app from PC to the root directory of the storage medium on the SMB in slot 1 Sysname tftp 1 2 1 1 get newest app slot1 flash newest app ...

Page 566: ... IRF system which is composed of a master and a slave The member ID of the master is 1 and the slot numbers of the AMB and the SMB on the master are 0 and 1 respectively The member ID of the slave is 2 and the slot numbers of the AMB and SMB on the slave are 0 and 1 respectively z Device serves as a TFTP client and PC as the TFTP server Their IP addresses are as shown in the following figure Devic...

Page 567: ... flash newest app Upload a configuration file config cfg to the TFTP server Sysname tftp 1 2 1 1 put config cfg configback cfg Specify newest app as the main startup file to be used at the next startup for all the main boards of the IRF Sysname boot loader file newest app chassis 1 slot 0 main This command will set the boot file of the specified board Continue Y N y The specified file will be used...

Page 568: ...startup must be saved under the root directory of the storage medium You can copy or move a file to the root directory of the storage medium For the details of the boot loader command refer to Device Management Commands in the System Volume ...

Page 569: ... Overview 1 1 Introduction to sFlow 1 1 Operation of sFlow 1 2 Configuring sFlow 1 2 Displaying and Maintaining sFlow 1 3 sFlow Configuration Example 1 3 Troubleshooting sFlow Configuration 1 4 The Remote sFlow Collector Cannot Receive sFlow Packets 1 4 ...

Page 570: ...to collect and analyze traffic statistics The sFlow system involves an sFlow agent embedded in a device and a remote sFlow collector The sFlow agent collects traffic statistics and packets from the sFlow enabled ports on the device encapsulates the information into sFlow packets and sends the packets to the sFlow collector The sFlow collector analyzes the sFlow packets and displays the results sFl...

Page 571: ...of the sFlow agent sflow agent ip ip address ipv6 ipv6 address Required Not configured by default Specify the IP address and port number of the sFlow collector sflow collector ip ip address ipv6 ipv6 address port port num Required Not specified by default Set the counter sampling interval at which the sFlow agent collects the statistics of sFlow enabled ports sflow interval interval time Optional ...

Page 572: ... any view sFlow Configuration Example Network requirements z Host A and Server are connected to Switch through GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 respectively z Host B works as an sFlow collector with IP address 3 3 3 2 and port number 6343 and is connected to Switch through GigabitEthernet 2 0 3 z GigabitEthernet 2 0 3 belongs to VLAN 1 having an IP address of 3 3 3 1 Run sFlow agent...

Page 573: ...ng sFlow Configuration The Remote sFlow Collector Cannot Receive sFlow Packets Symptom The remote sFlow collector cannot receive sFlow packets Analysis z sFlow is not enabled globally because the sFlow agent or and the sFlow collector is are not specified z No port is enabled with sFlow to sample data z The IP address of the sFlow collector specified on the sFlow agent is different from that of th...

Page 574: ...ns This document describes z Static route configuration z Detecting Reachability of the Static Route s Nexthop RIP Routing Information Protocol RIP is a simple Interior Gateway Protocol IGP mainly used in small sized networks This document describes z RIP basic functions configuration z RIP advanced functions configuration z RIP network optimization configuration OSPF Open Shortest Path First OSPF...

Page 575: ...State Changes IPv6 Static Routing Static routes are special routes that are manually configured by network administrators Similar to IPv4 static routes IPv6 static routes work well in simple IPv6 network environments This document describes z IPv6 static route configuration IPv6 RIPng RIP next generation RIPng is an extension of RIP 2 for IPv4 RIPng for IPv6 is IPv6 RIPng This document describes z...

Page 576: ...ring attributes modifying when routes are received advertised or redistributed This document describes z Defining Filters z Route policy configuration Policy Routing Policy routing is to make forwarding decisions based on user defined policies Different from the normal destination based routing policy routing can make routing decisions based on the source address and other criteria in addition to ...

Page 577: ...outing Protocol Overview 1 3 Static Routing and Dynamic Routing 1 3 Classification of Dynamic Routing Protocols 1 3 Routing Protocols and Routing Priority 1 4 Load Balancing and Route Backup 1 5 Route Recursion 1 6 Sharing of Routing Information 1 6 Configuring a Router ID 1 6 Displaying and Maintaining a Routing Table 1 6 ...

Page 578: ... the packet reaches the last router which forwards the packet to the intended destination host Routing Table Routing table Routing tables play a key role in routing Each router maintains a routing table and each entry in the table specifies which physical interface a packet destined for a certain destination should go out to reach the next hop the next router or the directly connected destination ...

Page 579: ...n but having different nexthops may have different priorities and be found by various routing protocols or manually configured The optimal route is the one with the highest priority with the smallest metric Routes can be divided into two categories by destination z Subnet routes The destination is a subnet z Host routes The destination is a host Based on whether the destination is directly connect...

Page 580: ...tem resources It works well in small stable networks with simple topologies Its major drawback is that you must perform routing configuration again whenever the network topology changes it cannot adjust to network changes by itself Dynamic routing is based on dynamic routing protocols which can detect network topology changes and recalculate the routes accordingly Therefore dynamic routing is suit...

Page 581: ...rotocols For information on multicast routing protocols refer to the IP Multicast Volume Version of IP protocol IPv4 routing protocols RIP OSPFv2 BGP4 and IS IS IPv6 routing protocols RIPng OSPFv3 BGP4 and IPv6 IS IS Routing Protocols and Routing Priority Different routing protocols may find different routes to the same destination However not all of those routes are optimal In fact at a particula...

Page 582: ...y find several routes with the same metric to the same destination and if this protocol has the highest priority among all the active protocols these routes will be considered valid routes for load balancing z The number of routes for load balancing is 8 z In current implementations routing protocols supporting load balancing are static routing RIP OSPF BGP and IS IS Route backup Route backup can ...

Page 583: ...D is configured for a protocol the global router ID is used To do Use the command Remarks Enter system view system view Configure a router ID router id router id Optional Not configured by default Displaying and Maintaining a Routing Table To do Use the command Remarks Display brief information about the active routes in the routing table display ip routing table vpn instance vpn instance name ver...

Page 584: ...isplay ipv6 routing table ipv6 address prefix length longer match verbose Available in any view Display routing information permitted by an IPv6 ACL display ipv6 routing table acl acl6 number verbose Available in any view Display routing information permitted by an IPv6 prefix list display ipv6 routing table ipv6 prefix ipv6 prefix name verbose Available in any view Display IPv6 routing informatio...

Page 585: ...guration Prerequisites 1 2 Configuration Procedure 1 3 Configuring BFD for Static Routes 1 3 BFD Control Packet Mode 1 4 BFD Echo Packet Mode 1 4 Displaying and Maintaining Static Routes 1 5 Static Route Configuration Example 1 5 Basic Static Route Configuration Example 1 5 Configuring BFD Echo Packet Mode for Static Routing 1 8 Configuring BFD Control Packet Mode for Static Routing 1 10 ...

Page 586: ...l change occurs in the network the routes will be unreachable and the network breaks In this case the network administrator has to modify the static routes manually Default Route If the destination address of a packet fails to match any entry in the routing table the packet will be discarded After a default route is configured on a router any packet whose destination IP address matches no entry in...

Page 587: ...y after the next hop address is specified When specifying the output interface note that z If the output interface is a Null 0 interface there is no need to configure the next hop address z If the output interface is a point to point interface there is no need to configure the next hop address You need not change the configuration even if the peer s address changes For example a PPP interface obta...

Page 588: ...nce value Optional 60 by default z When configuring a static route the static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface such as VLAN interface z If you do not specify the preference when configuring a static route the default preference will be used Reconfiguring the default preference applies only to newly cre...

Page 589: ...est address mask mask length interface type interface number next hop address bfd control packet preference preference value tag tag value description description text Use either command BFD Echo Packet Mode With BFD echo packet mode enabled for a static route the local device sends BFD echo packets to the peer which loops it back to test the link in between Follow these steps to configure BFD ech...

Page 590: ...ne end when the echo mode is used Displaying and Maintaining Static Routes To do Use the command Remarks Display the current configuration information display current configuration Display the brief information of the IP routing table display ip routing table Display the detailed information of the IP routing table display ip routing table verbose View information of static routes display ip routi...

Page 591: ... Switch C SwitchC system view SwitchC ip route static 0 0 0 0 0 0 0 0 1 1 5 5 3 Configure the hosts The default gateways for the three hosts A B and C are 1 1 2 3 1 1 6 1 and 1 1 3 1 respectively The configuration procedure is omitted 4 Display the configuration Display the IP routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 7 Routes 7 Destination Mask ...

Page 592: ...2 Direct 0 0 127 0 0 1 InLoop0 Use the ping command on Host B to check reachability to Host A assuming Windows XP runs on the two hosts C Documents and Settings Administrator ping 1 1 2 2 Pinging 1 1 2 2 with 32 bytes of data Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TT...

Page 593: ...fd echo source ip 123 1 1 1 SwitchA interface vlan interface 10 SwitchA vlan interface10 bfd min echo receive interval 500 SwitchA vlan interface10 bfd detect multiplier 7 SwitchA vlan interface10 quit SwitchA ip route static 120 1 1 1 24 vlan interface 10 10 1 1 100 bfd echo packet SwitchA ip route static 120 1 1 1 24 vlan interface 11 11 1 1 2 preference 65 SwitchA quit 3 Verify the configuratio...

Page 594: ...ta UP DOWN Diag 1 0 53892593 SwitchA BFD 8 SCM Sess 123 1 1 1 10 1 1 100 Vlan10 Oper Reset 0 53892593 SwitchA BFD 8 EVENT Send sess down Msg Src 123 1 1 1 Dst 10 1 1 100 Vlan10 Protocol STATIC 0 53892595 SwitchA RM 7 LOG static route Dest 120 1 1 1 24 Nexthop 10 1 1 100 ExitIf Vlan10 became invalid Execute the display ip routing table protocol static command and you can see Switch A selects Switch...

Page 595: ... interface12 bfd min receive interval 500 SwitchA vlan interface12 bfd detect multiplier 9 SwitchA vlan interface12 quit SwitchA ip route static 14 1 1 0 24 vlan interface 12 12 1 1 2 bfd control packet SwitchA quit Configure Switch B SwitchB system view SwitchB interface vlan interface12 SwitchB vlan interface12 ip address 12 1 1 2 24 SwitchB vlan interface12 bfd min transmit interval 500 SwitchB...

Page 596: ...2 Vlan12 Ctrl Sta UP DOWN Diag 1 Jul 27 10 18 18 672 2007 SwitchA BFD 7 EVENT Send sess down Msg Src 12 1 1 1 Dst 12 1 1 2 Vlan12 Ctrl instance 0 protocol STATIC Jul 27 10 18 19 172 2007 SwitchA BFD 7 EVENT Receive Delete sess Src 12 1 1 1 Dst 12 1 1 2 Vlan12 Ctrl Direct Instance 0x0 Proto STATIC Jul 27 10 18 19 172 2007 SwitchA BFD 7 EVENT Notify driver to stop receiving bf Display the static rou...

Page 597: ...e Maximum Number of Load Balanced Routes 1 14 Enabling Zero Field Check on Incoming RIPv1 Messages 1 14 Enabling Source IP Address Check on Incoming RIP Updates 1 14 Configuring RIPv2 Message Authentication 1 15 Specifying a RIP Neighbor 1 15 Configuring RIP to MIB Binding 1 16 Configuring the RIP Packet Sending Rate 1 16 Configuring BFD for RIP 1 17 Single Hop Detection in BFD Echo Packet Mode 1 ...

Page 598: ...ii ...

Page 599: ...uration and maintenance than OSPF and IS IS Operation of RIP Introduction RIP is a distance vector routing protocol using UDP packets for exchanging information through port 520 RIP uses a hop count to measure the distance to a destination The hop count from a router to a directly connected network is 0 The hop count from a router to a directly connected router is 1 To limit convergence time the r...

Page 600: ...ed for that route after the garbage collect timer expires the route will be deleted from the routing table Routing loops prevention RIP is a distance vector D V routing protocol Since a RIP router advertises its own routing table to neighbors routing loops may occur RIP uses the following mechanisms to prevent routing loops z Counting to infinity The metric value of 16 is defined as unreachable Wh...

Page 601: ...authentication and MD5 authentication to enhance security RIPv2 has two types of message transmission broadcast and multicast Multicast is the default type using 224 0 0 9 as the multicast address The interface working in the RIPv2 broadcast mode can also receive RIPv1 messages RIP Message Format A RIP message consists of a header and up to 25 route entries A RIPv2 authentication message uses the ...

Page 602: ...work address subnet address or host address z Subnet Mask Mask of the destination address z Next Hop If set to 0 0 0 0 it indicates that the originator of the route is the best next hop otherwise it indicates a next hop better than the originator of the route RIPv2 authentication message format RIPv2 sets the AFI field of the first route entry to 0xFFFF to identify authentication information See F...

Page 603: ...e This mechanism cannot detect link faults quickly After BFD is configured for RIP when BFD detects a broken link RIP can quickly age out the unreachable route thus avoiding interference to other services Protocols and Standards z RFC 1058 Routing Information Protocol z RFC 1723 RIP Version 2 Carrying Additional Information z RFC 1721 RIP Version 2 Protocol Analysis z RFC 1722 RIP Version 2 Protoc...

Page 604: ...If a physical interface is attached to multiple networks you cannot advertise these networks in different RIP processes Configuring the interface behavior Follow these steps to configure the interface behavior To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance vpn instance name Disable an or all interfaces from sending routing updates the interfa...

Page 605: ...m view Enter RIP view rip process id vpn instance vpn instance name Specify a global RIP version version 1 2 Optional By default if an interface has a RIP version specified the version takes precedence over the global one If no RIP version is specified for an interface the interface can send RIPv1 broadcasts and receive RIPv1 broadcasts unicasts RIPv2 broadcasts multicasts and unicasts Return to s...

Page 606: ...d additional routing metric rip metricin route policy route policy name value Optional 0 by default Define an outbound additional routing metric rip metricout route policy route policy name value Optional 1 by default Configuring RIPv2 Route Summarization Route summarization means that subnets in a natural network are summarized into a natural network that is sent to other networks This feature ca...

Page 607: ...h Required You need to disable RIPv2 route automatic summarization before advertising a summary route on an interface Disabling Host Route Reception Sometimes a router may receive from the same network many host routes which are not helpful for routing and consume a large amount of network resources In this case you can disable RIP from receiving host routes to save network resources Follow these ...

Page 608: ...vpn instance name Enable RIP to advertise a default route default route only originate cost cost Optional Not enabled by default Return to system view quit Enter interface view interface interface type interface number Configure the RIP interface to advertise a default route rip default route only originate cost cost no originate Optional By default a RIP interface can advertise a default route if...

Page 609: ...port command filters outgoing routes including routes redistributed with the import route command Configuring a Priority for RIP Multiple IGP protocols may run in a router If you want RIP routes to have a higher priority than those learned by other routing protocols you can assign RIP a smaller priority value to influence optimal route selection Follow these steps to configure a priority for RIP T...

Page 610: ... Configuring RIP Network Optimization Complete the following tasks before configuring RIP network optimization z Configure network addresses for interfaces and make neighboring nodes reachable to each other z Configure RIP basic functions Configuring RIP Timers You can change the RIP network convergence speed by adjusting RIP timers Follow these steps to configure RIP timers To do Use the command ...

Page 611: ...routing loops between adjacent routers Follow these steps to enable split horizon To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable split horizon rip split horizon Optional Enabled by default Disabling the split horizon function on a point to point link does not take effect Enabling poison reverse The poison reverse fu...

Page 612: ...Pv1 messages If such a field contains a non zero value the RIPv1 message will not be processed If you are sure that all messages are trusty you can disable zero field check to save CPU resources This feature does not apply to RIPv2 packets that have no zero fields Follow these steps to enable zero field check on incoming RIPv1 messages To do Use the command Remarks Enter system view system view En...

Page 613: ...information is sent with the RIP message which however cannot meet high security needs Follow these steps to configure RIPv2 message authentication To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure RIPv2 authentication rip authentication mode md5 rfc2082 key string key id rfc2453 key string simple password Required ...

Page 614: ...ing This task allows you to enable a specific RIP process to receive SNMP requests Follow these steps to bind RIP to MIB To do Use the command Remarks Enter system view system view Bind RIP to MIB rip mib binding process id Optional By default MIB is bound to RIP process 1 Configuring the RIP Packet Sending Rate RIP periodically sends routing information in RIP packets to RIP neighbors Sending lar...

Page 615: ... only when both ends have routes to send and BFD is enabled on the receiving interface Single Hop Detection in BFD Echo Packet Mode Follow these steps to configure BFD for RIP single hop detection in BFD echo packet mode To do Use the command Remarks Enter system view system view Configure the source IP address of BFD echo packets bfd echo source ip ip address Required By default no source IP addr...

Page 616: ...ing RIP To do Use the command Remarks Display RIP current status and configuration information display rip process id vpn instance vpn instance name Display all active routes in RIP database display rip process id database Display RIP interface information display rip process id interface interface type interface number Display routing information about a specified RIP process display rip process ...

Page 617: ...A SwitchA display rip 1 route Route Flags R RIP T TRIP P Permanent A Aging S Suppressed G Garbage collect Peer 192 168 1 2 on Vlan interface100 Destination Mask Nexthop Cost Tag Flags Sec 10 0 0 0 8 192 168 1 2 1 0 RA 11 From the routing table you can find that RIPv1 uses a natural mask 3 Configure RIP version Configure RIPv2 on Switch A SwitchA rip SwitchA rip 1 version 2 SwitchA rip 1 undo summa...

Page 618: ...igure route redistribution on Switch B to make RIP 200 redistribute direct routes and routes from RIP 100 Thus Switch C can learn routes destined for 10 2 1 0 24 and 11 1 1 0 24 while Switch A cannot learn routes destined for 12 3 1 0 24 and 16 4 1 0 24 z Configure a filtering policy on Switch B to filter out the route 10 2 1 1 24 from RIP 100 making the route not advertised to Switch C Figure 1 5...

Page 619: ...6 Routes 6 Destination Mask Proto Pre Cost NextHop Interface 12 3 1 0 24 Direct 0 0 12 3 1 2 Vlan200 12 3 1 2 32 Direct 0 0 127 0 0 1 InLoop0 16 4 1 0 24 Direct 0 0 16 4 1 1 Vlan400 16 4 1 1 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 3 Configure route redistribution On Switch B configure RIP 200 to redistribute direct routes a...

Page 620: ...ic Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHop Interface 11 1 1 0 24 RIP 100 1 12 3 1 1 Vlan200 12 3 1 0 24 Direct 0 0 12 3 1 2 Vlan200 12 3 1 2 32 Direct 0 0 127 0 0 1 InLoop0 16 4 1 0 24 Direct 0 0 16 4 1 1 Vlan400 16 4 1 1 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 Configuring an Additional Metric for a ...

Page 621: ...witchA rip 1 quit Configure Switch B SwitchB system view SwitchB rip 1 SwitchB rip 1 network 1 0 0 0 SwitchB rip 1 version 2 SwitchB rip 1 undo summary Configure Switch C SwitchC system view SwitchB rip 1 SwitchC rip 1 network 1 0 0 0 SwitchC rip 1 version 2 SwitchC rip 1 undo summary Configure Switch D SwitchD system view SwitchD rip 1 SwitchD rip 1 network 1 0 0 0 SwitchD rip 1 version 2 SwitchD...

Page 622: ... vlan interface 200 SwitchA Vlan interface200 rip metricin 3 SwitchA Vlan interface200 display rip 1 database 1 0 0 0 8 cost 0 ClassfulSumm 1 1 1 0 24 cost 0 nexthop 1 1 1 1 Rip interface 1 1 2 0 24 cost 0 nexthop 1 1 2 1 Rip interface 1 1 3 0 24 cost 1 nexthop 1 1 1 2 1 1 4 0 24 cost 2 nexthop 1 1 1 2 1 1 5 0 24 cost 2 nexthop 1 1 1 2 The display shows that there is only one RIP route to network ...

Page 623: ...ch B SwitchB system view SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 network 10 6 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit Configure Switch C SwitchC system view SwitchC ospf SwitchC ospf 1 area 0 SwitchC ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 0 network 10 2 1 0 0 0 0 255 SwitchC ospf ...

Page 624: ... 1 2 Vlan300 11 3 1 2 32 Direct 0 0 127 0 0 1 InLoop0 11 4 1 0 24 Direct 0 0 11 4 1 2 Vlan400 11 4 1 2 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 4 Configure route summarization on Switch C and advertise only the summary route 10 0 0 0 8 SwitchC interface vlan interface 300 SwitchC Vlan interface300 rip summary address 10 0 0 ...

Page 625: ...rface connected to the Layer 2 switch z When the link between Switch C and the Layer 2 switch fails BFD can quickly detect the link failure and notify it to RIP and the BFD session goes down In response RIP deletes the neighbor relationship with Switch C and the route information received from Switch C Then Switch A learns the static route sent by Switch C with the outbound interface being the int...

Page 626: ...t 4 Configure a static route on Switch C SwitchC ip route static 100 1 1 1 24 null 0 5 Verify the configuration Display the BFD session information of Switch A SwitchA display bfd session Total Session Num 1 Init Mode Active Session Working Under Echo Mode LD SourceAddr DestAddr State Holdtime Interface 5 192 168 1 1 192 168 1 2 Up 2000ms Vlan100 Display the RIP route learned from Switch B on Swit...

Page 627: ...information of Switch A You can see that Switch A has deleted the neighbor relationship with Switch C and thus no output information is displayed SwitchA display bfd session Display the RIP routes of RIP process 1 on Switch A The RIP route learned from Switch C is no longer existent SwitchA display rip 1 route Route Flags R RIP T TRIP P Permanent A Aging S Suppressed G Garbage collect Display the ...

Page 628: ... the BFD session goes down In response RIP deletes the neighbor relationship with Switch C and the route information received from Switch C Then Switch A learns the static route sent by Switch C the outbound interface of the route is the interface connected to Switch D Figure 1 9 Network diagram for configuring BFD for RIP bidirectional detection in BFD control packet mode Switch C Switch A Vlan i...

Page 629: ...0 bfd min transmit interval 500 SwitchA Vlan interface100 bfd min receive interval 500 SwitchA Vlan interface100 bfd detect multiplier 7 SwitchA Vlan interface100 quit Configure Switch C SwitchC bfd session init mode active SwitchC interface vlan interface 200 SwitchC Vlan interface200 bfd min transmit interval 500 SwitchC Vlan interface200 bfd min receive interval 500 SwitchC Vlan interface200 bf...

Page 630: ...ghbor 192 168 3 2 Tunnel ID 0x0 Label NULL State Inactive Adv Age 00h12m50s Tag 0 Enable RIP event debugging on Switch A SwitchA debugging rip 1 event SwitchA terminal debugging When the link between Switch B and Switch C fails you can see that Switch A quickly detects the link state change Jan 19 10 41 51 203 2008 SwitchA BFD 4 LOG Sess 192 168 1 1 192 168 2 2 Vlan interface 100 Ctrl Sta UP DOWN ...

Page 631: ...ces are disabled from handling RIP messages If the peer is configured to send multicast messages the same should be configured on the local end Solution z Use the display current configuration command to check RIP configuration z Use the display rip command to check whether some interface is disabled Route Oscillation Occurred Symptom When all links work well route oscillation occurs on the RIP ne...

Page 632: ...ce as NBMA 1 27 Configuring the OSPF Network Type for an Interface as P2MP 1 28 Configuring the OSPF Network Type for an Interface as P2P 1 29 Configuring OSPF Route Control 1 29 Prerequisites 1 29 Configuring OSPF Route Summarization 1 30 Configuring OSPF Inbound Route Filtering 1 31 Configuring ABR Type 3 LSA Filtering 1 31 Configuring an OSPF Cost for an Interface 1 32 Configuring the Maximum N...

Page 633: ...LSU Transmit Rate 1 44 Configuring OSPF Graceful Restart 1 45 Configuring the OSPF GR Restarter 1 45 Configuring the OSPF GR Helper 1 46 Triggering OSPF Graceful Restart 1 47 Configuring BFD for OSPF 1 47 Displaying and Maintaining OSPF 1 48 OSPF Configuration Examples 1 49 Configuring OSPF Basic Functions 1 49 Configuring OSPF Route Redistribution 1 52 Configuring OSPF to Advertise a Summary Rout...

Page 634: ...ring OSPF Network Optimization z Configuring OSPF Graceful Restart z Configuring BFD for OSPF z Displaying and Maintaining OSPF z OSPF Configuration Examples z Troubleshooting OSPF Configuration The term router in this document refers to a router in a generic sense or an Ethernet switch running routing protocols Introduction to OSPF Unless otherwise noted OSPF refers to OSPFv2 throughout this docu...

Page 635: ...ters to compose a LSDB Link State Database An LSA describes the network topology around a router so the LSDB describes the entire network topology of the AS z Each router transforms the LSDB to a weighted directed graph which actually reflects the topology architecture of the entire network All the routers have the same graph z Each router uses the SPF algorithm to compute a Shortest Path Tree tha...

Page 636: ...s describe routes to other ASs z Opaque LSA A proposed type of LSA the format of which consists of a standard LSA header and application specific information Opaque LSAs are used by the OSPF protocol or by some application to distribute information into the OSPF routing domain The opaque LSA includes three types Type 9 Type 10 and Type 11 which are used to flood into different areas The Type 9 opa...

Page 637: ...es Backbone area and virtual links Each AS has a backbone area which is responsible for distributing routing information between none backbone areas Routing information between non backbone areas must be forwarded by the backbone area Therefore OSPF requires that z All non backbone areas must maintain connectivity to the backbone area z The backbone area itself must maintain connectivity In practi...

Page 638: ... packets Stub area The ABR in a stub area does not distribute Type 5 LSAs into the area so the routing table size and amount of routing information in this area are reduced significantly You can configure the stub area as a totally stub area where the ABR advertises neither the destinations to other areas nor external routes Stub area configuration is optional and not every area is eligible to be ...

Page 639: ... protocol Area 1 is an NSSA area and the ASBR in it translates RIP routes into Type 7 LSAs and advertises them throughout Area 1 When these LSAs travel to the NSSA ABR the ABR translates Type 7 LSAs to Type 5 LSAs for advertisement to Area 0 and Area 2 On the left of the figure RIP routes are translated into Type 5 LSAs by the ASBR of Area 2 and distributed into the OSPF AS However Area 1 is an NS...

Page 640: ...uter belongs to more than two areas one of which must be the backbone area It connects the backbone area to a non backbone area The connection between an area border router and the backbone area can be physical or logical 3 Backbone Router At least one interface of a backbone router must be attached to the backbone area Therefore all ABRs and internal routers in area 0 are backbone routers 4 Auton...

Page 641: ...to consideration Classification of OSPF Networks OSPF network types OSPF classifies networks into four types upon the link layer protocol z Broadcast When the link layer protocol is Ethernet or FDDI OSPF considers the network type broadcast by default On Broadcast networks hello packets LSU packets and LSAck packets are generally sent to multicast addresses 224 0 0 5 reserved for OSPF routers and ...

Page 642: ... synchronization consuming network resources The Designated Router is defined to solve the problem All other routers on the network send routing information to the DR which is responsible for advertising link state information If the DR fails to work routers on the network have to elect another DR and synchronize information with the new DR It is time consuming and prone to routing calculation err...

Page 643: ...nterface of a router and belongs to a single network segment The router s other interfaces may be a BDR or DRother z After DR BDR election and then a new router joins it cannot become the DR immediately even if it has the highest priority on the network z The DR may not be the router with the highest priority in a network and the BDR may not be the router with the second highest priority OSPF Pack...

Page 644: ...her than contained in the Authentication field Hello packet A router sends hello packets periodically to neighbors to find and maintain neighbor relationships and to elect the DR BDR including information about values of timers DR BDR and neighbors already known The format is shown below Figure 1 10 Hello packet format Network mask HelloInterval Options Rtr Pri RouterDeadInterval Designated router...

Page 645: ...m AuType Packet length Authentication Authentication Interface MTU DD sequence number LSA header Options 0 0 0 0 0 I M M S 0 7 15 31 LSA header Major fields z Interface MTU Size in bytes of the largest IP datagram that can be sent out the associated interface without fragmentation z I Initial The Init bit which is set to 1 if the packet is the first packet of database description packets and set t...

Page 646: ...llowing figure shows the LSR packet format Figure 1 12 LSR packet format Major fields z LS type Type number of the LSA to be requested Type 1 for example indicates the Router LSA z Link State ID Determined by LSA type z Advertising Router ID of the router that sent the LSA LSU packet LSU Link State Update packets are used to send the requested LSAs to peers and each packet carries a collection of ...

Page 647: ...header as shown in the following figure Figure 1 15 LSA header format Major fields z LS age Time in seconds elapsed since the LSA was originated A LSA ages in the LSDB added by 1 per second but does not in transmission z LS type Type of the LSA z Link State ID The contents of this field depend on the LSA s type z LS sequence number Used by other routers to judge new and old LSAs z LS checksum Chec...

Page 648: ...nk ID Determined by Link type z Link data Determined by Link type z Type Link type A value of 1 indicates a point to point link to a remote router a value of 2 indicates a link to a transit network a value of 3 indicates a link to a stub network a value of 4 indicates a virtual link z TOS Number of different TOS metrics given for this link z Metric Cost of using this router link z TOS IP Type of S...

Page 649: ...nt to the DR including the DR itself 3 Summary LSA Network summary LSAs Type 3 LSAs and ASBR summary LSAs Type 4 LSAs are originated by ABRs Other than the difference in the Link State ID field the format of type 3 and 4 summary LSAs is identical Figure 1 18 Summary LSA format Major fields z Link State ID For a Type 3 LSA it is an IP address outside the area for a type 4 LSA it is the router ID of...

Page 650: ... The IP address mask for the advertised destination z E External Metric The type of the external metric value which is set to 1 for type 2 external routes and set to 0 for type 1 external routes Refer to Route types for description about external route types z Metric The metric to the destination z Forwarding Address Data traffic for the advertised destination will be forwarded to this address z E...

Page 651: ...text authentication and MD5 ciphertext authentication The authentication password for interfaces attached to a network segment must be identical Hot Standby Distributed routers support OSPF Hot Standby HSB OSPF backups necessary information of the Active Main Board AMB into the Standby Main Board SMB Once the AMB fails the SMB begins to work to ensure the normal operation of OSPF OSPF backups the ...

Page 652: ...rs so that they will not remove their adjacencies with it and advertise the adjacencies The GR Restarter re establishes neighborships and updates its own routing table and forwarding table based on the new routing information received from neighbors and removes the stale routes TE and DS TETE OSPF Traffic Engineering TE provides for the establishment and maintenance of Label Switch Paths LSPs of T...

Page 653: ...e same VPN can use OSPF as the internal routing protocol but they are treated as different ASs An OSPF route learned by a site will be forwarded to another site as an external route which leads to heavy OSPF routing traffic and management issues Configuring area IDs on PEs can differentiate VPNs Sites in the same VPN are considered as directly connected PE routers then exchange OSPF routing inform...

Page 654: ...1765 OSPF Database Overflow z RFC 2328 OSPF Version 2 z RFC 3101 OSPF Not So Stubby Area NSSA Option z RFC 3137 OSPF Stub Router Advertisement z RFC 3630 Traffic Engineering Extensions to OSPF Version 2 z RFC 4811 OSPF Out of Band LSDB Resynchronization z RFC 4812 OSPF Restart Signaling z RFC 4813 OSPF Link Local Signaling OSPF Configuration Task List An OSPF routing domain has different types of ...

Page 655: ...oad balanced Routes Optional Configuring a Priority Optional Configuring OSPF Route Control Configuring OSPF Route Redistribution Optional Configuring OSPF Packet Timers Optional Specifying an LSA Transmission Delay Optional Specifying SPF Calculation Interval Optional Specifying the LSA Minimum Repeat Arrival Interval Optional Specifying the LSA Generation Interval Optional Disabling Interfaces f...

Page 656: ...f the interface To run OSPF a router must have a Router ID which is the unique identifier of the router in the AS z You can specify a Router ID when creating the OSPF process Any two routers in an AS must have different Router IDs In practice the ID of a router is the IP address of one of its interfaces z If you specify no Router ID when creating the OSPF process the global Router ID will be used ...

Page 657: ...nto multiple areas you can further configure some areas as stub areas or NSSA areas as needed If connectivity between the backbone and a non backbone area or within the backbone itself cannot be achieved you can configure virtual links to solve it Prerequisites Before configuring an OSPF area you have configured z IP addresses for interfaces making neighboring nodes accessible with each other at t...

Page 658: ...z Using the default cost command only takes effect on the ABR of a stub area z The backbone area cannot be a totally stub area z A totally stub area cannot have an ASBR because AS external routes cannot be distributed into the stub area z Virtual links cannot transit totally stub areas Configuring an NSSA Area A stub area cannot redistribute routes You can configure the area as an NSSA area to all...

Page 659: ...irtual link To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Enter area view area area id Configure a virtual link vlink peer router id hello seconds retransmit seconds trans delay seconds dead seconds simple plain cipher password md5 hmac md5 key id plain cipher password Required You need to configure this c...

Page 660: ...egment Prerequisites Before configuring OSPF network types you have configured z IP addresses for interfaces making neighboring nodes accessible with each other at network layer z OSPF basic functions Configuring the OSPF Network Type for an Interface as Broadcast Follow these steps to configure the OSPF network type for an interface as broadcast To do Use the command Remarks Enter system view sys...

Page 661: ...red The DR priority configured with the ospf dr priority command and the one configured with the peer command have the following differences z The former is for actual DR election z The latter is to indicate whether a neighbor has the election right or not If you configure the DR priority for a neighbor as 0 the local router will consider the neighbor has no election right and thus no hello packet...

Page 662: ...p address cost value dr priority dr priority Required if the interface type is P2MP unicast Configuring the OSPF Network Type for an Interface as P2P Follow these steps to configure the OSPF network type for an interface as P2P To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the OSPF network type for the interface...

Page 663: ...e command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Enter OSPF area view area area id Configure ABR route summarization abr summary ip address mask mask length advertise not advertise cost cost Required The command is available on an ABR only Not configured by default Configuring route summarization when redistributing rout...

Page 664: ...ough ACLs and IP address prefixes z Filtering routing information by next hop through the filtering criteria configured with the gateway keyword z Filtering routing information by destination address through ACLs and IP address prefixes and by next hop through the filtering criteria configured with the gateway keyword z Filtering routing information by route policies specified by the route policy ...

Page 665: ...ue Interface bandwidth If the calculated cost is greater than 65535 the value of 65535 is used if the calculated cost is less than 1 the value of 1 is used If no cost is configured for an interface OSPF computes the interface cost automatically Follow these steps to configure an OSPF cost for an interface To do Use the command Remarks Enter system view system view Enter interface view interface in...

Page 666: ...an improve link utilization Follow these steps to configure the maximum number of load balanced routes To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Configure the maximum number of equivalent load balanced routes maximum load balancing maximum Optional The value defaults to 8 Configuring a Priority for OSP...

Page 667: ...stem view Enter OSPF view ospf process id router id router id vpn instance instance name Configure OSPF to redistribute routes from another protocol import route protocol process id all processes allow ibgp cost cost type type tag tag route policy route policy name Required Not configured by default Configure OSPF to filter redistributed routes before advertisement filter policy acl number ip pref...

Page 668: ... and type for redistributed routes Tags are used to indicate information related to protocols For example when redistributing BGP routes OSPF uses tags to identify AS IDs Follow these steps to configure the default parameters for redistributed routes To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Configure ...

Page 669: ...ap information and collecting log information Prerequisites Before configuring OSPF network optimization you have configured z IP addresses for interfaces z OSPF basic functions Configuring OSPF Packet Timers You can configure the following timers on OSPF interfaces as needed z Hello timer Interval for sending hello packets It must be identical on OSPF neighbors The longer the interval the lower c...

Page 670: ...o default values after you change the network type for an interface z The dead interval should be at least four times the hello interval on an interface z The poll interval is at least four times the hello interval z The retransmission interval should not be so small for avoidance of unnecessary LSA retransmissions In general this value is bigger than the round trip time of a packet between two ad...

Page 671: ... frequent SPF calculation applies at the minimum interval If network changes become frequent SPF calculation interval is incremented by incremental interval 2n 2 n is the number of calculation times each time a calculation occurs up to the maximum interval Specifying the LSA Minimum Repeat Arrival Interval After receiving the same LSA as the previously received LSA within the LSA minimum repeat ar...

Page 672: ...terval is 0 milliseconds and the incremental interval is 5000 milliseconds With this command configured when network changes are not frequent LSAs are generated at the minimum interval If network changes become frequent LSA generation interval is incremented by incremental interval 2n 2 n is the number of generation times each time a generation occurs up to the maximum interval Disabling Interface...

Page 673: ...f 3 means a link to the stub network so the cost of the link remains unchanged A value of 1 2 or 4 means a point to point link a link to a transit network or a virtual link In such cases a maximum cost value of 65535 is used Thus other neighbors find the links to the stub router have such big costs they will not send packets to the stub router for forwarding as long as there is a route with a smal...

Page 674: ...ntication for the interface ospf authentication mode simple cipher plain password Configure the authentication mode MD5 authentication for the interface ospf authentication mode hmac md5 md5 key id cipher plain password Either is required Not configured by default Adding the Interface MTU into DD Packets Generally when an interface sends a DD packet it adds 0 into the Interface MTU field of the DD...

Page 675: ... reduce the burden of the backbone area Follow these steps to make them compatible To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Required Make RFC 1583 compatible rfc1583 compatible Optional Compatible by default To avoid routing loops it is recommended to configure all the routers to be either compatible ...

Page 676: ... OSPF network management To do Use the command Remarks Enter system view system view Bind OSPF MIB to an OSPF process ospf mib binding process id Optional The OSPF process with the smallest process id is bound with OSPF MIB by default Enable OSPF trap generation snmp agent trap enable ospf process id ifauthfail ifcfgerror ifrxbadpkt ifstatechange iftxretransmit lsdbapproachoverflow lsdboverflow ma...

Page 677: ...er will need to receive and process large numbers of packets Configuring OSPF to give priority to receiving and processing Hello packets helps ensure stable neighbor relationships Follow these steps to configure OSPF to give priority to receiving and processing Hello packets To do Use the command Remarks Enter system view system view Configure OSPF to give priority to receiving and processing Hell...

Page 678: ...at carry link local signaling LLS and out of band re synchronization OOB extension information Configuring the OSPF GR Restarter You can configure the IETF standard or non IETF standard OSPF GR Restarter Configure the IETF standard OSPF GR Restarter Follow these steps to configure the standard IETF OSPF GR Restarter To do Use the command Remarks Enter system view system view Enable OSPF and enter ...

Page 679: ...l timer Optional 120 seconds by default Configuring the OSPF GR Helper You can configure the IETF standard or non IETF standard OSPF GR Helper Configuring the IETF standard OSPF GR Helper Follow these steps to configure the IETF standard OSPF GR Helper To do Use the command Remarks Enter system view system view Enable OSPF and enter its view ospf process id router id router id vpn instance instanc...

Page 680: ...art reset ospf process id process graceful restart Required Available in user view Configuring BFD for OSPF After discovering neighbors by sending hello packets OSPF notifies BFD of the neighbor addresses and BFD uses theses addresses to establish sessions Before a BFD session is established it is in the Down state In this state BFD control packets are sent at an interval of not less than one seco...

Page 681: ...bor information display ospf process id peer verbose interface type interface number neighbor id Display neighbor statistics of OSPF areas display ospf process id peer statistics Display next hop information display ospf process id nexthop Display routing table information display ospf process id routing interface interface type interface number nexthop nexthop address Display virtual link informa...

Page 682: ... in user view OSPF Configuration Examples These examples only cover commands for OSPF configuration Configuring OSPF Basic Functions Network requirements z As shown in the following figure all switches run OSPF The AS is split into three areas in which Switch A and Switch B act as ABRs to forward routing information between areas z After configuration all switches can learn routes to every network...

Page 683: ...chC system view SwitchC ospf SwitchC ospf 1 area 1 SwitchC ospf 1 area 0 0 0 1 network 10 2 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 1 network 10 4 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 1 quit SwitchC ospf 1 quit Configure Switch D SwitchD system view SwitchD ospf SwitchD ospf 1 area 2 SwitchD ospf 1 area 0 0 0 2 network 10 3 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 2 network 10 5 1 0 0 0 0 255 Sw...

Page 684: ...uter Area 10 2 1 0 24 10 Transit 10 2 1 1 10 2 1 1 0 0 0 1 10 3 1 0 24 4 Inter 10 1 1 2 10 3 1 1 0 0 0 0 10 4 1 0 24 13 Stub 10 2 1 2 10 4 1 1 0 0 0 1 10 5 1 0 24 14 Inter 10 1 1 2 10 3 1 1 0 0 0 0 10 1 1 0 24 2 Transit 10 1 1 1 10 2 1 1 0 0 0 0 Total Nets 5 Intra Area 3 Inter Area 2 ASE 0 NSSA 0 Display the Link State Database on Switch A SwitchA display ospf lsdb OSPF Process 1 with Router ID 10...

Page 685: ... 2 10 5 1 0 24 10 Stub 10 5 1 1 10 5 1 1 0 0 0 2 10 1 1 0 24 12 Inter 10 3 1 1 10 3 1 1 0 0 0 2 Total Nets 5 Intra Area 2 Inter Area 3 ASE 0 NSSA 0 On Switch D ping the IP address 10 4 1 1 to check connectivity SwitchD ping 10 4 1 1 PING 10 4 1 1 56 data bytes press CTRL_C to break Reply from 10 4 1 1 bytes 56 Sequence 2 ttl 253 time 2 ms Reply from 10 4 1 1 bytes 56 Sequence 2 ttl 253 time 1 ms R...

Page 686: ...tem view SwitchC ip route static 3 1 2 1 24 10 4 1 2 On Switch C configure OSPF to redistribute static routes SwitchC ospf 1 SwitchC ospf 1 import route static 4 Verify the configuration Display the ABR ASBR information of Switch D SwitchD display ospf abr asbr OSPF Process 1 with Router ID 10 5 1 1 Routing Table to ABR and ASBR Type Destination Area Cost Nexthop RtType Intra 10 3 1 1 0 0 0 2 10 1...

Page 687: ...g figure z Switch A and Switch B are in AS 200 which runs OSPF z Switch C Switch D and Switch E are in AS 100 which runs OSPF z An eBGP connection is established between Switch B and Switch C Switch C is configured to redistribute OSPF routes into BGP z Switch B is configured to redistribute BGP routes into OSPF Switch B is configured with route summarization and advertises only the summary route ...

Page 688: ...SwitchC ospf 1 area 0 0 0 0 quit SwitchC ospf 1 quit Configure Switch D SwitchD system view SwitchD ospf SwitchD ospf 1 area 0 SwitchD ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 0 network 10 3 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 0 quit Configure Switch E SwitchE system view SwitchE ospf SwitchE ospf 1 area 0 SwitchE ospf 1 area 0 0 0 0 network 10 2 1 0 0 0 0 255 S...

Page 689: ...Loop0 5 Configure summary route 10 0 0 0 8 on Switch B and advertise it SwitchB ospf 1 asbr summary 10 0 0 0 8 Display the OSPF routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 10 0 0 0 8 O_ASE 150 2 11 2 1 1 Vlan100 11 2 1 0 24 Direct 0 0 11 2 1 2 Vlan100 11 2 1 2 32 Direct 0 0 127 0 0 1 InLo...

Page 690: ... 1 with Router ID 10 4 1 1 Routing Table to ABR and ASBR Type Destination Area Cost Nexthop RtType Intra 10 2 1 1 0 0 0 1 3 10 2 1 1 ABR Inter 10 3 1 1 0 0 0 1 5 10 2 1 1 ABR Inter 10 5 1 1 0 0 0 1 7 10 2 1 1 ASBR Display OSPF routing table information on Switch C SwitchC display ospf routing OSPF Process 1 with Router ID 10 4 1 1 Routing Tables Routing for Network Destination Cost Type NextHop Ad...

Page 691: ...C SwitchC ospf SwitchC ospf 1 area 1 SwitchC ospf 1 area 0 0 0 1 stub SwitchC ospf 1 area 0 0 0 1 quit SwitchC ospf 1 quit Display OSPF routing information on Switch C SwitchC display ospf routing OSPF Process 1 with Router ID 10 4 1 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 0 0 0 0 0 4 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 2 1 0 24 3 Transit 10 2 1 2 10 2 1 1 ...

Page 692: ... 0 4 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 2 1 0 24 3 Transit 10 2 1 2 10 4 1 1 0 0 0 1 10 4 1 0 24 3 Stub 10 4 1 1 10 4 1 1 0 0 0 1 Total Nets 3 Intra Area 2 Inter Area 1 ASE 0 NSSA 0 After this configuration routing entries on the stub router are further reduced containing only one default external route Configuring an OSPF NSSA Area Network requirements The following figure shows an AS is split in...

Page 693: ...mmary SwitchA ospf 1 area 0 0 0 0 quit SwitchA ospf 1 quit Configure Switch C SwitchC ospf SwitchC ospf 1 area 1 SwitchC ospf 1 area 0 0 0 1 nssa SwitchC ospf 1 area 0 0 0 1 quit SwitchC ospf 1 quit It is recommended to configure the nssa command with the keyword default route advertise no summary on Switch A an ABR to reduce the routing table size on NSSA routers On other NSSA routers use the nss...

Page 694: ...s Routing for Network Destination Cost Type NextHop AdvRouter Area 10 2 1 0 24 22 Inter 10 3 1 1 10 3 1 1 0 0 0 2 10 3 1 0 24 10 Transit 10 3 1 2 10 3 1 1 0 0 0 2 10 4 1 0 24 25 Inter 10 3 1 1 10 3 1 1 0 0 0 2 10 5 1 0 24 10 Stub 10 5 1 1 10 5 1 1 0 0 0 2 10 1 1 0 24 12 Inter 10 3 1 1 10 3 1 1 0 0 0 2 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 3 1 3 0 24 1 Type2 1 10 3 1 1 10 2 1...

Page 695: ...it Configure Switch B SwitchB system view SwitchB router id 2 2 2 2 SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 192 168 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit Configure Switch C SwitchC system view SwitchC router id 3 3 3 3 SwitchC ospf SwitchC ospf 1 area 0 SwitchC ospf 1 area 0 0 0 0 network 192 168 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 0 ...

Page 696: ... Neighbor is up for 00 01 28 Authentication Sequence 0 Router ID 4 4 4 4 Address 192 168 1 4 GR State Normal State Full Mode Nbr is Master Priority 1 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 31 sec Neighbor is up for 00 01 28 Authentication Sequence 0 Switch D becomes the DR and Switch C is the BDR 3 Configure router priorities on interfaces Configure Switch A SwitchA interface vlan ...

Page 697: ...uter ID 3 3 3 3 Address 192 168 1 3 GR State Normal State Full Mode Nbr is Slave Priority 2 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 33 sec Neighbor is up for 00 11 15 Authentication Sequence 0 The DR and BDR have no change In the above output you can find the priority configuration does not take effect immediately 4 Restart OSPF process omitted Restart the OSPF process of Switch D S...

Page 698: ...01 41 Authentication Sequence 0 Switch A becomes the DR and Switch C is the BDR If the neighbor state is full it means Switch D has established the adjacency with the neighbor If the neighbor state is 2 way it means the two switches are neither the DR nor the BDR and they do not exchange LSAs Display OSPF interface information SwitchA display ospf interface OSPF Process 1 with Router ID 1 1 1 1 In...

Page 699: ...10 1 1 2 24 Vlan int100 10 3 1 2 24 Vlan int100 10 3 1 1 24 Virtual link Vlan int200 10 2 1 1 24 Vlan int200 10 2 1 2 24 Area 1 Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF basic functions Configure Switch A SwitchA system view SwitchA ospf 1 router id 1 1 1 1 SwitchA ospf 1 area 0 SwitchA ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchA ospf 1 are...

Page 700: ...ting OSPF Process 1 with Router ID 2 2 2 2 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 10 2 1 0 24 2 Transit 10 2 1 1 3 3 3 3 0 0 0 1 10 1 1 0 24 2 Transit 10 1 1 2 2 2 2 2 0 0 0 0 Total Nets 2 Intra Area 2 Inter Area 0 ASE 0 NSSA 0 Since Area 0 has no direct connection to Area 2 the routing table of Switch B has no route to Area 2 3 Configure a virtual link Con...

Page 701: ...same OSPF routing domain are GR capable z Switch A acts as the non IETF standard GR Restarter whereas Switch B and Switch C are the GR Helpers and re synchronize their LSDB with Switch A through OOB communication of GR Figure 1 28 Network diagram for OSPF GR configuration Vlan int100 192 1 1 1 24 Vlan int100 192 1 1 3 24 Vlan int100 192 1 1 2 24 GR helper GR helper GR restarter Switch A Switch C S...

Page 702: ... OSPF Graceful Restart event debugging and then perform OSPF Graceful Restart on Switch A SwitchA debugging ospf event graceful restart SwitchA terminal monitor SwitchA terminal debugging SwitchA reset ospf 100 process graceful restart Warning Reset OSPF process Y N y Dec 12 09 36 12 500 2006 SwitchA RM 3 RMLOG OSPF NBRCHANGE Process 1 Neighbour 192 1 1 1 Vlan100 from Full to Down OSPF 1 Intf 192 ...

Page 703: ...un OSPF The AS is divided into three areas z Switch A and Switch B work as ABRs z Configure Switch C as an ASBR to redistribute external routes static routes and configure a filter policy on Switch C to filter out redistributed route 3 1 3 0 24 z Configure a route policy on Switch A to filter route 10 5 1 0 24 Figure 1 29 Network diagram for OSPF route filtering configuration Configuration procedu...

Page 704: ... 10 1 1 2 Vlan100 10 4 1 0 24 OSPF 10 13 10 2 1 2 Vlan200 10 5 1 0 24 OSPF 10 14 10 1 1 2 Vlan100 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 4 On Switch C filter out route 3 1 3 0 24 Configure the IPv4 prefix list SwitchC ip ip prefix prefix1 index 1 deny 3 1 3 0 24 SwitchC ip ip prefix prefix1 index 2 permit 3 1 1 0 24 SwitchC ip ip prefix prefix1 index 3 p...

Page 705: ...y ip routing table Routing Tables Public Destinations 10 Routes 10 Destination Mask Proto Pre Cost NextHop Interface 3 1 1 0 24 O_ASE 150 1 10 2 1 2 Vlan200 3 1 2 0 24 O_ASE 150 1 10 2 1 2 Vlan200 10 1 1 0 24 Direct 0 0 10 1 1 1 Vlan100 10 1 1 1 32 Direct 0 0 127 0 0 1 InLoop0 10 2 1 0 24 Direct 0 0 10 2 1 1 Vlan200 10 2 1 1 32 Direct 0 0 127 0 0 1 InLoop0 10 3 1 0 24 OSPF 10 4 10 1 1 2 Vlan100 10...

Page 706: ...B SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 10 1 0 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit SwitchB interface vlan interface 10 SwitchB Vlan interface10 ospf bfd enable SwitchB Vlan interface10 quit 3 Configure BFD parameters Configure Switch A SwitchA bfd session init mode active SwitchA interface vlan interface 10 SwitchA Vlan interface10 bfd ...

Page 707: ... event SwitchA terminal debugging When the link between Switch B and the Layer 2 switch fails you can see that Switch A can quickly detect the changes on Switch B Nov 12 18 34 48 823 2005 SwitchA BFD 5 LOG Sess 10 1 0 102 10 1 0 100 vlan10 Sta UP DOWN Diag 1 Nov 12 18 34 48 824 2005 SwitchA RM 4 RMLOG OSPF NBRCHANGE Process 1 Neighbour 10 1 0 102 vlan10 from Full to Down 0 50673825 SwitchA BFD 8 S...

Page 708: ...removed its neighbor relationship with Switch B and therefore no information is output SwitchA display ospf peer OSPF Process 1 with Router ID 192 168 1 40 Neighbor Brief Information Troubleshooting OSPF Configuration No OSPF Neighbor Relationship Established Symptom No OSPF neighbor relationship can be established Analysis If the physical link and lower layer protocols work well check OSPF parame...

Page 709: ... command to display neighbors 2 Use the display ospf interface command to display OSPF interface information 3 Use the display ospf lsdb command to display the Link State Database to check its integrity 4 Display information about area configuration using the display current configuration configuration ospf command If more than two areas are configured at least one area is connected to the backbon...

Page 710: ... Redistribution 1 22 Configuring IS IS Route Filtering 1 23 Configuring IS IS Route Leaking 1 24 Tuning and Optimizing IS IS Networks 1 24 Configuration Prerequisites 1 24 Specifying Intervals for Sending IS IS Hello and CSNP Packets 1 24 Specifying the IS IS Hello Multiplier 1 25 Configuring a DIS Priority for an Interface 1 25 Disabling an Interface from Sending Receiving IS IS Packets 1 26 Enab...

Page 711: ...guring BFD for IS IS 1 35 Displaying and Maintaining IS IS 1 35 IS IS Configuration Example 1 36 IS IS Basic Configuration 1 36 DIS Election Configuration 1 41 Configuring IS IS Route Redistribution 1 45 IS IS Graceful Restart Configuration Example 1 49 IS IS Authentication Configuration Example 1 51 Configuring BFD for IS IS 1 53 ...

Page 712: ...c sense or an Ethernet switch running routing protocols IS IS Overview Intermediate System to Intermediate System IS IS is a dynamic routing protocol designed by the International Organization for Standardization ISO to operate on the connectionless network protocol CLNP The IS IS routing protocol was modified and extended in RFC 1195 by the International Engineer Task Force IETF for application i...

Page 713: ...t identifies an abstract network service access point and describes the network address in the OSI reference model IS IS address format 1 NSAP As shown in Figure 1 1 an NSAP address consists of the Initial Domain Part IDP and the Domain Specific Part DSP The IDP is equal to the network ID of an IP address and the DSP is equal to the subnet and host ID The IDP includes the Authority and Format Iden...

Page 714: ...de transport layer information It is a special NSAP address with the SEL being 0 Therefore the length of the NET is equal to the NSAP and is in the range 8 bytes to 20 bytes Generally a router only needs one NET but it can have three NETs at most for smooth area merging and partitioning When you configure multiple NETs make sure their system IDs are the same For example a NET is ab cdef 1234 5678 ...

Page 715: ...s z The Level 1 routers in different areas can not establish neighbor relationships z The neighbor relationship establishment of Level 2 routers has nothing to do with area Figure 1 2 shows an IS IS network topology Area 1 comprises a set of Level 2 routers and is the backbone The other four areas are non backbone areas connected to the backbone through Level 1 2 routers Figure 1 2 IS IS topology ...

Page 716: ...outing information of the entire IS IS routing domain but does not share the information of other Level 1 areas and the Level 2 area with the Level 1 area by default Since a Level 1 router simply sends packets destined for other areas to the nearest Level 1 2 router this may cause that the best paths cannot be selected To solve this problem route leaking was introduced A Level 2 router can adverti...

Page 717: ...tachment address MAC address on a broadcast network will be elected A router can be the DIS for different levels IS IS DIS election differs from OSPF DIS election in that z A router with priority 0 can also participate in the DIS election z When a router is added to the network and becomes the new DIS an LDP flooding process is triggered As shown in Figure 1 4 the same level routers on a network i...

Page 718: ...DU format Figure 1 5 PDU format Common header format Figure 1 6 shows the PDU common header format Figure 1 6 PDU common header format Intradomain routing protocol discriminator Reserved Version R ID length Version Protocol ID extension Length indicator Maximum area address R R PDU type No of Octets 1 1 1 1 1 1 1 1 z Intradomain Routing Protocol Discriminator Set to 0x83 z Length Indicator Length ...

Page 719: ...ers to establish and maintain neighbor relationships A hello packet is also called an IS to IS hello PDU IIH For broadcast networks the Level 1 routers use the Level 1 LAN IIHs and the Level 2 routers use the Level 2 LAN IIHs The P2P IIHs are used on point to point networks Figure 1 7 illustrates the hello packet format in broadcast networks where the blue fields are the common header Figure 1 7 L...

Page 720: ...at on the point to point networks Figure 1 8 P2P IIH format Instead of the priority and LAN ID fields in the LAN IIH the P2P IIH has a Local Circuit ID field LSP packet format The Link State PDUs LSP carry link state information LSP involves two types Level 1 LSP and Level 2 LSP The Level 2 LSPs are sent by the Level 2 routers and the Level 1 LSPs are sent by the Level 1 routers The level 1 2 rout...

Page 721: ...ter generating the LSP is connected to multiple areas z OL LSDB Overload Indicates that the LSDB is not complete because the router runs out of memory In this case other routers will not send packets to the overloaded router except packets destined to the networks directly connected to the router For example in Figure 1 10 Router A forwards packets to Router C through Router B Once other routers k...

Page 722: ...nchronize the LSDB between neighboring routers On broadcast networks CSNP is sent by the DIS periodically 10s by default On point to point networks CSNP is only sent during the first adjacency establishment The CSNP packet format is shown in Figure 1 11 Figure 1 11 L1 L2 CSNP format PSNP only contains the sequence numbers of one or multiple latest received LSPs It can acknowledge multiple LSPs at ...

Page 723: ... CLV format Figure 1 13 CLV format Table 1 2 shows that different PDUs contain different CLVs Table 1 2 CLV name and the corresponding PDU type CLV Code Name PDU Type 1 Area Addresses IIH LSP 2 IS Neighbors LSP LSP 4 Partition Designated Level2 IS L2 LSP 6 IS Neighbors MAC Address LAN IIH 7 IS Neighbors SNPA Address LAN IIH 8 Padding IIH 9 LSP Entries SNP 10 Authentication Information IIH LSP SNP ...

Page 724: ... switching from AMB to SMB IS IS can work immediately The other HSB is to backup only the configuration information of IS IS during the switching from AMB to SMB After the graceful restart GR the IS IS router will send requests to neighbors to synchronize the LSDB IS IS Graceful Restart For detailed GR information refer to GR Configuration in the High Availability Volume After an IS IS GR Restarte...

Page 725: ...ld allowing a maximum of only 256 fragments to be generated by an IS IS router limits the amount of link information that the IS IS router can advertise The LSP fragment extension feature allows an IS IS router to generate more LSP fragments Up to 50 additional virtual systems can be configured on the router and each virtual system is capable of generating 256 LSP fragments to enable the IS IS rou...

Page 726: ...em belongs to which originating system therefore no limitation is imposed on the link state information of the extended LSP fragments advertised by the virtual systems The operation mode of LSP fragment extension is configured based on area and routing level Mode 1 allows the routers supporting and not supporting LSP fragment extension to interoperate with each other but it restricts the link stat...

Page 727: ...g for IS IS IS IS Configuration Task List Complete the following tasks to configure IS IS Task Remarks Enabling IS IS Configuring the IS Level and Circuit Level Configuring IS IS Basic Functions Configuring the Network Type of an Interface as P2P Required Configuring IS IS Link Cost Optional Specifying a Priority for IS IS Required Configuring the Maximum Number of Equal Cost Routes Optional Confi...

Page 728: ... Before the configuration accomplish the following tasks z Configure the link layer protocol z Configure an IP address for each interface and make sure all neighboring nodes are reachable to each other at the network layer Enabling IS IS Follow these steps to enable IS IS To do Use the command Remarks Enter system view system view Enable the IS IS routing process and enter its view isis process id...

Page 729: ...system view quit Enter interface view interface interface type interface number Specify the circuit level isis circuit level level 1 level 1 2 level 2 Optional The default is Level 1 2 Configuring the Network Type of an Interface as P2P Interfaces with different network types operate differently For example broadcast interfaces on a network need to elect the DIS and flood CSNP packets to synchroni...

Page 730: ...e cost style is of another type if the interface bandwidth does not exceed 10 Mbps the interface cost equals 60 if the interface bandwidth does not exceed 100 Mbps the interface cost equals 50 if the interface bandwidth does not exceed 155 Mbps the interface cost equals 40 if the interface bandwidth does not exceed 622 Mbps the interface cost equals 30 if the interface bandwidth does not exceed 25...

Page 731: ...IS IS cost calculation To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Specify an IS IS cost style cost style wide wide compatible Required narrow by default Enable automatic IS IS cost calculation auto cost enable Required Disabled by default Configure a bandwidth reference value for automatic IS IS cost calculation bandw...

Page 732: ...he number range and default vary by device Configuring IS IS Route Summarization This task is to configure a summary route so routes falling into the network range of the summary route are summarized into one route for advertisement Doing so can reduce the size of routing tables as well as the scale of LSP and LSDB Both IS IS routes and redistributed routes can be summarized Follow these steps to ...

Page 733: ...tribution Redistribution of large numbers of routes on a device may affect the performance of other devices in the network In that case you can configure a limit on the number of redistributed routes to limit the number of routes to be advertised Follow these steps to configure IS IS route redistribution from other routing protocols To do Use the command Remarks Enter system view system view Enter...

Page 734: ...ulated from received LSPs To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Filter routes calculated from received LSPs filter policy acl number ip prefix ip prefix name route policy route policy name import Required No filtering is configured by default Filtering redistributed routes IS IS can redistribute routes from other...

Page 735: ... 1 command to filter routes from Level 2 to Level 1 Other routing policies specified for route reception and redistribution does not affect the route leaking Tuning and Optimizing IS IS Networks Configuration Prerequisites Before the configuration accomplish the following tasks z Configure IP addresses for interfaces and make adjacent nodes reachable to each other at the network layer z Enable IS ...

Page 736: ...el 1 and Level 2 hello packets are advertised separately and therefore you need to set a hello multiplier for each level On a P2P link Level 1 and Level 2 hello packets are advertised in P2P hello packets and you need not specify Level 1 or Level 2 Configuring a DIS Priority for an Interface On an IS IS broadcast network a router should be elected as the DIS at a routing level You can specify a DI...

Page 737: ... layer because they are directly encapsulated into frames Therefore any two IS IS neighboring routers need to negotiate a common MTU To avoid sending big hellos for saving bandwidth you can enable the interface to send small hello packets without CLVs Follow these steps to enable an interface to send small hello packets To do Use the command Remarks Enter system view system view Enter interface vi...

Page 738: ... id vpn instance vpn instance name Specify the LSP refresh interval timer lsp refresh seconds Optional 900 seconds by default Specify the LSP generation interval timer lsp generation maximum interval initial interval second wait interval level 1 level 2 Optional 2 seconds by default 3 Specify LSP sending intervals If a change occurs in the LSDB IS IS advertises the changed LSP to neighbors You can...

Page 739: ...S view isis process id vpn instance vpn instance name Specify the maximum length of generated Level 1 LSPs or Level 2 LSPs lsp length originate size level 1 level 2 1497 bytes by default Specify the maximum length of received LSPs lsp length receive size 1497 bytes by default Enabling LSP flash flooding Since changed LSPs may trigger SPF recalculation you can enable LSP flash flooding to advertise...

Page 740: ...etworks many P2P links exist The following figure shows a fully meshed network where Routers A B C and D run IS IS When Router A generates an LSP it floods the LSP out Ethernet 1 1 Ethernet 1 2 and Ethernet 1 3 After receiving the LSP from Ethernet 1 3 Router D floods it out Ethernet 1 1 and Ethernet 1 2 to Router B and Router C which however has received the LSP from Router A In this case LSP flo...

Page 741: ... needed Follow these steps to configure the SPF parameters To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Configure the SPF calculation interval timer spf maximum interval initial interval second wait interval Optional The default SPF calculation interval is 10 seconds Setting the LSDB Overload Bit By setting the overload...

Page 742: ...the password in the received hello packets If the authentication succeeds it forms the neighbor relationship with the peer The authentication mode and password at both ends must be identical Follow these steps to configure neighbor relationship authentication To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Specify the authe...

Page 743: ...md5 simple password ip osi Required No routing domain authentication is configured by default Configuring System ID to Host Name Mappings In IS IS a system ID identifies a router or host uniquely A system ID has a fixed length of 6 bytes When an administrator needs to view IS IS neighbor information routing table or LSDB information using the system IDs in dotted decimal notation is not convenient...

Page 744: ... Follow these steps to configure dynamic system ID to host name mapping To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Specify a host name for the router is name sys name Required No specified by default Return to system view quit Enter interface view interface interface type interface number Configure a DIS name isis dis...

Page 745: ...ault Suppress the SA bit during restart graceful restart suppress sa Optional By default the SA bit is not suppressed Enabling the Logging of Neighbor State Changes Follow these steps to enable the logging of neighbor state changes To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Enable the logging of neighbor state changes...

Page 746: ...e BFD on the IS IS interface isis bfd enable Required Not enabled by default For details about IS IS refer to IS IS Configuration in the IP Routing Volume Displaying and Maintaining IS IS To do Use the command Remarks Display brief IS IS configuration information display isis brief process id vpn instance vpn instance name Available in any view Display the status of IS IS debug switches display is...

Page 747: ...id vpn instance vpn instance name Available in any view Display IS IS SPF calculation log information display isis spf log process id vpn instance vpn instance name Available in any view Display IS IS statistics display isis statistics level 1 level 1 2 level 2 process id vpn instance vpn instance name Available in any view Clear ISIS process data structure information reset isis all process id vp...

Page 748: ...Vlan interface100 quit Configure Switch B SwitchB system view SwitchB isis 1 SwitchB isis 1 is level level 1 SwitchB isis 1 network entity 10 0000 0000 0002 00 SwitchB isis 1 quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 isis enable 1 SwitchB Vlan interface200 quit Configure Switch C SwitchC system view SwitchC isis 1 SwitchC isis 1 network entity 10 0000 0000 0003 00 SwitchC...

Page 749: ... IS IS LSDB of each switch to check the LSP integrity SwitchA display isis lsdb Database information for ISIS 1 Level 1 Link State Database LSPID Seq Num Checksum Holdtime Length ATT P OL 0000 0000 0001 00 00 0x00000004 0xdf5e 1096 68 0 0 0 0000 0000 0002 00 00 0x00000004 0xee4d 1102 68 0 0 0 0000 0000 0002 01 00 0x00000001 0xdaaf 1102 55 0 0 0 0000 0000 0003 00 00 0x00000009 0xcaa3 1161 111 1 0 0...

Page 750: ...0 0x00000014 0x194a 1051 111 1 0 0 0000 0000 0003 01 00 0x00000002 0xabdb 854 55 0 0 0 Self LSP Self LSP Extended ATT Attached P Partition OL Overload Level 2 Link State Database LSPID Seq Num Checksum Holdtime Length ATT P OL 0000 0000 0003 00 00 0x00000012 0xc93c 842 100 0 0 0 0000 0000 0004 00 00 0x00000026 0x331 1173 84 0 0 0 0000 0000 0004 01 00 0x00000001 0xee95 668 55 0 0 0 Self LSP Self LS...

Page 751: ... 1 1 1 R 192 168 0 0 24 20 NULL Vlan100 10 1 1 1 R 0 0 0 0 0 10 NULL Vlan100 10 1 1 1 R Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set SwitchC display isis route Route information for ISIS 1 ISIS 1 IPv4 Level 1 Forwarding Table IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags 192 168 0 0 24 10 NULL Vlan300 Direct D L 10 1 1 0 24 10 NULL Vlan100 Direct D L 10 1 2 0 ...

Page 752: ...6 0 0 16 10 NULL Vlan100 Direct D L Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set DIS Election Configuration Network requirements As shown in Figure 1 16 Switch A B C and Switch D reside in IS IS area 10 on a broadcast network Ethernet Switch A and Switch B are Level 1 2 switches Switch C is a Level 1 switch and Switch D is a Level 2 switch Change the DIS priority of Switch A...

Page 753: ...0 0003 00 SwitchC isis 1 is level level 1 SwitchC isis 1 quit SwitchC interface vlan interface 100 SwitchC Vlan interface100 isis enable 1 SwitchC Vlan interface100 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 network entity 10 0000 0000 0004 00 SwitchD isis 1 is level level 2 SwitchD isis 1 quit SwitchD interface vlan interface 100 SwitchD Vlan interface100 isis enabl...

Page 754: ...aces of Switch C SwitchC display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 Yes No Display information about IS IS interfaces of Switch D SwitchD display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 No Yes By using...

Page 755: ...RI 64 System Id 0000 0000 0004 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 30s Type L2 PRI 64 Display information about IS IS interfaces of Switch A SwitchA display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 Yes Yes After the DIS priority configuration Switch A becomes the L...

Page 756: ...00 Circuit Id 0000 0000 0001 01 State Up HoldTime 9s Type L2 PRI 100 System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 28s Type L2 PRI 64 SwitchD display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 No No Configuring IS IS Route Redistribution Network requir...

Page 757: ...an interface100 quit Configure Switch B SwitchB system view SwitchB isis 1 SwitchB isis 1 is level level 1 SwitchB isis 1 network entity 10 0000 0000 0002 00 SwitchB isis 1 quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 isis enable 1 SwitchB Vlan interface200 quit Configure Switch C SwitchC system view SwitchC isis 1 SwitchC isis 1 network entity 10 0000 0000 0003 00 SwitchC i...

Page 758: ...h switch SwitchA display isis route Route information for ISIS 1 ISIS 1 IPv4 Level 1 Forwarding Table IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags 10 1 1 0 24 10 NULL VLAN100 Direct D L 10 1 2 0 24 20 NULL VLAN100 10 1 1 1 R 192 168 0 0 24 20 NULL VLAN100 10 1 1 1 R 0 0 0 0 0 10 NULL VLAN100 10 1 1 1 R Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set SwitchC disp...

Page 759: ...e NextHop Flags 192 168 0 0 24 10 NULL VLAN300 Direct D L 10 1 1 0 24 20 NULL VLAN300 192 168 0 1 R 10 1 2 0 24 20 NULL VLAN300 192 168 0 1 R Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set 3 Configure RIPv2 on Switch D and Switch E and configure route redistribution from RIP to IS IS on Switch D Configure RIPv2 on Switch D SwitchD rip 1 SwitchD rip 1 network 10 0 0 0 SwitchD r...

Page 760: ...Hop Flags 10 1 1 0 24 10 NULL VLAN100 Direct D L 10 1 2 0 24 10 NULL VLAN200 Direct D L 192 168 0 0 24 10 NULL VLAN300 Direct D L 10 1 4 0 24 10 NULL VLAN300 192 168 0 2 R L 10 1 5 0 24 20 NULL VLAN300 192 168 0 2 R L 10 1 6 0 24 20 NULL VLAN300 192 168 0 2 R L Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set IS IS Graceful Restart Configuration Example Network requirements Swit...

Page 761: ...Verify the configuration After Router A establishes adjacencies with Router B and Router C they begin to exchange routing information Restart IS IS on Router A which enters into the restart state and sends connection requests to its neighbors through the Graceful Restart mechanism to synchronize the LSDB Using the display isis graceful restart status command can display the IS IS GR status on Rout...

Page 762: ...e area Configure routing domain authentication on Switch C and Switch D to prevent untrusted routes from entering the routing domain Figure 1 19 IS IS authentication configuration Configuration procedure 1 Configure IP addresses for interfaces Omitted 2 Configure IS IS basic functions Configure Switch A SwitchA system view SwitchA isis 1 SwitchA isis 1 network entity 10 0000 0000 0001 00 SwitchA i...

Page 763: ...ion between neighbors Specify the MD5 authentication mode and password eRq on VLAN interface 100 of Switch A and on VLAN interface 100 of Switch C SwitchA interface vlan interface 100 SwitchA Vlan interface100 isis authentication mode md5 eRg SwitchA Vlan interface100 quit SwitchC interface vlan interface 100 SwitchC Vlan interface100 isis authentication mode md5 eRg SwitchC Vlan interface100 quit...

Page 764: ...ation Specify the MD5 authentication mode and password 1020Sec on Switch C and Switch D SwitchC isis 1 SwitchC isis 1 domain authentication mode md5 1020Sec SwitchC isis 1 quit SwitchD isis 1 SwitchD isis 1 domain authentication mode md5 1020Sec Configuring BFD for IS IS Network requirements z As shown in Figure 1 20 Switch A and Switch B are interconnected through a Layer 2 switch BFD is enabled ...

Page 765: ...00 0000 0002 00 SwitchB isis 1 quit SwitchB interface vlan interface 10 SwitchB Vlan interface10 isis enable SwitchB Vlan interface10 isis bfd enable SwitchB Vlan interface10 quit 3 Configure BFD parameters Configure Switch A SwitchA bfd session init mode active SwitchA interface vlan interface 10 SwitchA Vlan interface10 bfd min receive interval 500 SwitchA Vlan interface10 bfd min transmit inter...

Page 766: ... 17 isisAdjacencyChange ISIS Level 1 Adjencency IN Circuit 983041 State Change Aug 8 14 54 05 365 2008 SwitchA IFNET 4 LINK UPDOWN vlan10 link status is DOWN Aug 8 14 54 05 366 2008 SwitchA IFNET 4 UPDOWN Line protocol on the interface GigabitEthernet2 0 1 is DOWN Aug 8 14 54 05 367 2008 SwitchA ISIS 4 ADJLOG ISIS 1 ADJCHANGE Adjacency To 0 000 0000 0002 vlan10 DOWN Level 2 Circuit Down Aug 8 14 5...

Page 767: ...display bfd session Display the IS IS neighbor information of Switch A You can see that Switch A has removed its neighbor relationship with Switch B and therefore no information is output SwitchA display isis peer 1 ...

Page 768: ...21 Controlling Route Distribution and Reception 1 21 Prerequisites 1 21 Configuring BGP Route Summarization 1 21 Advertising a Default Route to a Peer or Peer Group 1 22 Configuring BGP Route Distribution Reception Filtering Policies 1 22 Enabling BGP and IGP Route Synchronization 1 24 Limiting Prefixes Received from a Peer Peer Group 1 24 Configuring BGP Route Dampening 1 25 Configuring a Shortcu...

Page 769: ... 1 41 Configuring BGP GR 1 41 Enabling Trap 1 42 Enabling Logging of Peer State Changes 1 42 Configuring BFD for BGP 1 43 Displaying and Maintaining BGP 1 43 Displaying BGP 1 43 Resetting BGP Connections 1 44 Clearing BGP Information 1 45 BGP Configuration Examples 1 45 BGP Basic Configuration 1 45 BGP and IGP Synchronization Configuration 1 49 BGP Load Balancing Configuration 1 51 BGP Community C...

Page 770: ...P 4 in this document BGP Overview There are three early BGP versions BGP 1 RFC1105 BGP 2 RFC1163 and BGP 3 RFC1267 The current version in use is BGP 4 RFC 4271 which is the defacto Internet exterior gateway protocol used between ISPs The characteristics of BGP are as follows z Focusing on the control of route propagation and the selection of optimal routes rather than the route discovery and calcu...

Page 771: ...een ASs Formats of BGP Messages Header BGP has five types of messages z Open z Update z Notification z Keep alive z Route refresh They have the same header as shown below Figure 1 1 BGP message header z Marker The 16 byte field is used to delimit BGP messages The Marker must be all ones z Length The 2 byte unsigned integer indicates the total length of the message z Type This 1 byte unsigned integ...

Page 772: ...awn routes Path attributes NLRI Unfeasible routes length 2 Octets N Octets 2 Octets N Octets N Octets Each Update message can advertise a group of feasible routes with identical attributes and the routes are contained in the network layer reachable information NLRI field The Path Attributes field carries attributes of these routes Each Update message can also carry multiple withdrawn routes in the...

Page 773: ... Its format contains only the message header Route refresh A Route refresh message is sent to a peer to request the resending of the specified address family routing information Its format is shown below Figure 1 5 BGP Route refresh message format z AFI Address family identifier z Res Reserved Set to 0 z SAFI Subsequent Address Family Identifier BGP Path Attributes Classification of path attribute...

Page 774: ...ion that is how a route became a BGP route It involves three types z IGP Has the highest priority Routes added to the BGP routing table using the network command have the IGP attribute z EGP Has the second highest priority Routes obtained via EGP have the EGP attribute z incomplete Has the lowest priority The source of routes with this attribute is unknown which does not mean such routes are unrea...

Page 775: ...cations you can apply a routing policy to control BGP route selection by modifying the AS_PATH length By configuring an AS path filtering list you can filter routes based on AS numbers contained in the AS_PATH attribute 3 NEXT_HOP Different from IGP the NEXT_HOP attribute may not be the IP address of a directly connected router It involves three types of values as shown in Figure 1 7 z When advert...

Page 776: ...e smallest MED value the best route if other conditions are the same As shown below traffic from AS10 to AS20 travels through Router B that is selected according to MED Figure 1 8 MED attribute D 9 0 0 0 Next_hop 2 1 1 1 MED 0 D 9 0 0 0 Next_hop 3 1 1 1 MED 100 MED 0 Router B Router A Router C Router D 2 1 1 1 3 1 1 1 MED 100 AS 20 AS 10 9 0 0 0 EBGP EBGP IBGP IBGP IBGP In general BGP compares MED...

Page 777: ...o do with the local AS Well known community attributes involve z Internet By default all routes belong to the Internet community Routes with this attribute can be advertised to all BGP peers z No_Export After received routes with this attribute cannot be advertised out the local AS or out the local confederation but can be advertised to other sub ASs in the confederation for confederation informat...

Page 778: ...atching route with the direct next hop is called the recursive route The process of finding a recursive route is route recursion Currently the system supports BGP load balancing based on route recursion namely if multiple recursive routes to the same destination are load balanced suppose three direct next hop addresses BGP generates the same number of next hops to forward packets Note that BGP loa...

Page 779: ...Router D and Router E the route that has AS_PATH unchanged but has NEXT_HOP changed to Router C other BGP transitive attributes are those of the best route BGP route advertisement rules The current BGP implementation supports the following route advertisement rules z When multiple feasible routes to a destination exist the BGP speaker advertises only the best route to its peers z A BGP speaker adv...

Page 780: ...uting table and advertise the route to the eBGP peer You can disable the synchronization feature in the following cases z The local AS is not a transitive AS AS20 is a transitive AS in the above figure z Routers in the local AS are iBGP fully meshed Settlements for Problems in Large Scale BGP Networks Route summarization Route summarization can reduce the routing table size on a large network and ...

Page 781: ...lue the route is added into the routing table and advertised to other BGP peers Figure 1 12 BGP route dampening Peer group You can organize BGP peers with the same attributes into a group to simplify configurations on them When a peer joins the peer group the peer obtains the same configuration as the peer group If the configuration of the peer group is changed the configuration of group members i...

Page 782: ... A router that is neither a route reflector nor a client is a non client which has to establish BGP sessions to the route reflector and other non clients as shown below Figure 1 13 Network diagram for route reflector The route reflector and clients form a cluster In some cases you can configure more than one route reflector in a cluster to improve network reliability and prevent single point failu...

Page 783: ...erspective of a non confederation BGP speaker it needs not know sub ASs in the confederation The ID of the confederation is the number of the AS In the above figure AS 200 is the confederation ID The deficiency of confederation is when changing an AS into a confederation you need to reconfigure your routers and the topology will be changed In large scale BGP networks both route reflector and confe...

Page 784: ...s like IPv6 To support more network layer protocols IETF extended BGP 4 by introducing Multiprotocol Extensions for BGP 4 MP BGP in RFC 4760 Routers supporting MP BGP can communicate with routers not supporting MP BGP MP BGP extended attributes In BGP 4 the three types of attributes for IPv4 address format namely NLRI NEXT_HOP and AGGREGATOR AGGREGATOR contains the IP address of the speaker genera...

Page 785: ...ies Attribute z RFC2796 BGP Route Reflection z RFC3065 Autonomous System Confederations for BGP z RFC4271 A Border Gateway Protocol 4 BGP 4 z RFC5291 Outbound Route Filtering Capability for BGP 4 z RFC5292 Address Prefix Based Outbound Route Filter for BGP 4 z draft ietf idr restart 08 Graceful Restart Mechanism for BGP BGP Configuration Task List Complete the following tasks to configure BGP Task...

Page 786: ...Route Attributes Configuring the AS PATH Attribute Optional Configuring BGP Keepalive Interval and Holdtime Optional Configuring the Interval for Sending the Same Update Optional Configuring BGP Soft Reset Optional Enabling the BGP ORF Capability Optional Enabling Quick eBGP Session Reestablishment Optional Enabling MD5 Authentication for TCP Connections Optional Configuring BGP Load Balancing Opt...

Page 787: ...outer ID z If the router ID is specified in BGP view using the undo router id command can make the system select a new router ID Follow these steps to create a BGP connection To do Use the command Remarks Enter system view system view Enable BGP and enter BGP view bgp as number Not enabled by default Specify a Router ID router id ip address Optional By default the global router ID is used Specify ...

Page 788: ... peer or peer group peer group name ip address connect interface interface type interface number Required By default BGP uses the outbound interface of the best route to the BGP peer peer group as the source interface for establishing a TCP connection to the peer peer group To establish multiple BGP connections between two routers you need to specify on the local router the source interface for es...

Page 789: ...w BGP to advertise it to BGP peers The origin attribute of routes advertised in this way is IGP You can also reference a route policy to flexibly control route advertisement The network to be injected must be available in the local IP routing table Follow these steps to inject a local network To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Inject a network ...

Page 790: ...te policy route policy name Required Not redistributed by default Enable default route redistribution into BGP default route imported Optional Not enabled by default Controlling Route Distribution and Reception Prerequisites BGP connections have been created Configuring BGP Route Summarization To reduce the routing table size on medium and large BGP networks you need to configure route summarizati...

Page 791: ...icy route policy name suppress policy route policy name Required Not configured by default Advertising a Default Route to a Peer or Peer Group After this task is configured the BGP router sends a default route with the next hop being itself to the specified peer peer group regardless of whether the default route is available in the routing table Follow these steps to advertise a default route to a...

Page 792: ... sequence z filter policy export z peer filter policy export z peer as path acl export z peer ip prefix export z peer route policy export Only routes pass the first policy can they go to the next and only routes passing all the configured policies can they be advertised Configure BGP route reception filtering policies Only routes permitted by the configured filtering policies can be installed into...

Page 793: ...s next hop before advertisement With BGP and IGP synchronization enabled the BGP router cannot advertise the iBGP route to eBGP peers unless the route is also available in the IGP routing table Follow these steps to enable BGP and IGP synchronization To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable synchronization between BGP and IGP synchronization R...

Page 794: ...refix number reconnect reconnect time percentage value Required to choose any No limit is configured by default Configuring BGP Route Dampening By configuring BGP route dampening you can suppress unstable routes from being added to the local routing table or being advertised to BGP peers Follow these steps to configure BGP route dampening To do Use the command Remarks Enter system view system view...

Page 795: ...ue for routes received from a peer or peer group peer group name ip address preferred value value Optional The preferred value is 0 by default Configuring Preferences for BGP Routes A router may run multiple routing protocols each of which has a preference specified If they find the same route the route found by the routing protocol with the highest preference is selected This task allows you conf...

Page 796: ...affic going into an AS When a BGP router obtains from eBGP peers multiple routes to the same destination but with different next hops it considers the route with the smallest MED value as the best route if other conditions are the same Configure the default MED value Follow these steps to configure the default MED value To do Use the command Remarks Enter system view system view Enter BGP view bgp...

Page 797: ...configure the bestroute compare med command on Router D After that Router D will put routes received from the same AS into a group For the same group the route with the lowest MED is selected Then it compares routes from different groups This mechanism avoids the above mentioned problem The following output is the BGP routing table on Router D after the comparison of MED of routes from each AS is ...

Page 798: ...nsure a BGP peer can find the correct next hop in some cases you need to configure the router as the next hop for routes sent to the peer For example as shown in the figure below Router A and Router B establish an eBGP neighbor relationship and Router B and Router C establish an iBGP neighbor relationship When Router B advertises a network learned from Router A to Router C if Router C has no route...

Page 799: ...or routes sent to an iBGP peer peer group Configuring the AS PATH Attribute Permit local AS number to appear in routes from a peer peer group In general BGP checks whether the AS_PATH attribute of a route from a peer contains the local AS number If so it discards the route to avoid routing loops This task allows you to permit local AS number to appear in routes from a peer peer group and specify t...

Page 800: ...the command Remarks Enter system view system view Enter BGP view bgp as number Specify a fake AS number for a peer peer group peer group name ip address fake as as number Optional Not specified by default This command is only applicable to an eBGP peer or peer group Configure AS number substitution In MPLS L3VPN if eBGP is used between PE and CE sites in different geographical areas should have di...

Page 801: ... updates to a peer peer group Follow these steps to remove private AS numbers from updates to a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure BGP to remove private AS numbers from the AS_PATH attribute of updates to a peer peer group peer group name ip address public as only Optional By default BGP updates carry private AS number...

Page 802: ...to configure the interval for sending the same update to a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure the interval for sending the same update to a peer peer group peer group name ip address route update interval interval Optional The intervals for sending the same update to an iBGP peer and an eBGP peer default to 15 seconds ...

Page 803: ...p all routes command When a route selection policy is modified you can use the refresh bgp command to refresh the BGP routing table by applying the new policy Following these steps to save all route updates from a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Disable BGP route refresh and multi protocol extension capability for a peer peer...

Page 804: ...er group peer group name ip address capability advertise orf non standard Optional By default standard BGP ORF capability defined in RFC 5291 and RFC 5292 is supported If the peer supports only non standard ORF you need to configure this command Enable the ORF capability for a BGP peer peer group peer group name ip address capability advertise orf ip prefix both receive send Required Disabled by d...

Page 805: ...ow these steps to enable MD5 authentication for TCP connections To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable MD5 authentication when establishing a TCP connection to the peer peer group peer group name ip address password cipher simple password Optional Not enabled by default Configuring BGP Load Balancing If multiple paths to a destination exist ...

Page 806: ...onfigure a peer group and add these peers into this group In this way peers can share the same policy as the peer group When the policy of the group is modified the modification also applies to peers in it thus simplifying configuration A peer group is an iBGP peer group if peers in it belong to the same AS and is an eBGP peer group if peers in it belong to different ASs Note that If a peer group ...

Page 807: ...bgp as number Create an eBGP peer group group group name external Required Specify the AS number for the group peer group name as number as number Required Add a peer into the group peer ip address group group name Required All the added peers have the same AS number as that of the peer group Follow these steps to configure an eBGP peer group using the second approach To do Use the command Remarks...

Page 808: ...ity between iBGP peers you need to make them fully meshed But it becomes unpractical when there are large numbers of iBGP peers Configuring route reflectors or confederation can solve it In a large scale AS both of them can be used Configuring BGP Community A BGP community is a group of destinations with the same characteristics It has no geographical boundaries and is independent of ASs You can c...

Page 809: ...ops Follow these steps to configure a BGP route reflector To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure the router as a route reflector and specify a peer peer group as its client peer group name ip address reflect client Required Not configured by default Enable route reflection between clients reflect between clients Optional Enabled by defaul...

Page 810: ... specify the peering sub ASs in the confederation A confederation contains 32 sub ASs at most The AS number of a sub AS is effective only in the confederation Follow these steps to configure a BGP confederation To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure a confederation ID confederation id as number Required Not configured by default Specify p...

Page 811: ...BGP session should be less than the Holdtime carried in the Open message z The End Of RIB End of Routing Information Base indicates the end of route updates Enabling Trap After Trap is enabled for BGP BGP generates Level 4 traps to report important events of it The generated traps are sent to the Information Center of the device The output rules of the traps namely whether to output the traps and ...

Page 812: ...nterface Therefore BFD was introduced to solve this problem It can quickly finds neighbors and thus reduce network convergence time Follow these steps to enable BFD for a BGP peer To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable BFD for the specified BGP peer peer ip address bfd Required Not enabled by default z At present you can configure BFD for IP...

Page 813: ... display bgp routing table dampened Display BGP dampening parameter information display bgp routing table dampening parameter Display BGP routing information originating from different ASs display bgp routing table different origin as Display BGP routing flap statistics display bgp routing table flap info regular expression as regular expression as path acl as path acl number ip address mask mask ...

Page 814: ...etwork requirements In the following network run eBGP between Switch A and Switch B and iBGP between Switch B and Switch C so that Switch C can access the network 8 1 1 0 24 connected to Router A Figure 1 20 Network diagram for BGP basic configuration on switches Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure iBGP z To prevent route flapping caused by port stat...

Page 815: ...C ospf 1 quit SwitchC display bgp peer BGP local router ID 3 3 3 3 Local AS number 65009 Total number of peers 1 Peers in established state 1 Peer AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 2 2 2 2 65009 2 2 0 0 00 00 13 Established The output information shows that Switch C has established an iBGP peer relationship with Switch B 3 Configure eBGP z The eBGP peers Switch A and Switch B usually b...

Page 816: ...ale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 8 1 1 0 24 0 0 0 0 0 0 i Display the BGP routing table on Switch B SwitchB display bgp routing table Total Number of Routes 1 BGP Local router ID is 2 2 2 2 Status codes valid VPNv4 best best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 8 1 1...

Page 817: ...play the BGP routing table on Switch C SwitchC display bgp routing table Total Number of Routes 4 BGP Local router ID is 3 3 3 3 Status codes valid VPNv4 best best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 2 2 2 2 32 2 2 2 2 0 100 0 i 3 1 1 0 24 2 2 2 2 0 100 0 i 8 1 1 0 24 3 1 1 2 0 100 0 65008i i 9 1 1 0 24 2 2 ...

Page 818: ...n AS 65009 so that Switch B can obtain the route to 9 1 2 0 24 Configure Switch B SwitchB system view SwitchB ospf 1 SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 2 2 2 2 0 0 0 0 SwitchB ospf 1 area 0 0 0 0 network 9 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit Configure Switch C SwitchC system view SwitchC ospf 1 SwitchC ospf 1 import route direct SwitchC ospf ...

Page 819: ...chA display bgp routing table Total Number of Routes 3 BGP Local router ID is 1 1 1 1 Status codes valid VPNv4 best best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 3 3 3 3 32 3 1 1 1 1 0 65009 8 1 1 0 24 0 0 0 0 0 0 i 9 1 2 0 24 3 1 1 1 1 0 65009 Display the routing table on Switch C SwitchC display ip routing table ...

Page 820: ... break Reply from 8 1 1 1 bytes 56 Sequence 1 ttl 254 time 2 ms Reply from 8 1 1 1 bytes 56 Sequence 2 ttl 254 time 2 ms Reply from 8 1 1 1 bytes 56 Sequence 3 ttl 254 time 2 ms Reply from 8 1 1 1 bytes 56 Sequence 4 ttl 254 time 2 ms Reply from 8 1 1 1 bytes 56 Sequence 5 ttl 254 time 2 ms 8 1 1 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 2...

Page 821: ...e OSPF to establish the iBGP connection z On Switch C establish an eBGP connection with Switch A and an iBGP connection with Switch B configure BGP to advertise network 9 1 1 0 24 to Switch A so that Switch A can access the intranet through Switch C configure a static route to interface loopback 0 on Switch B or use another protocol like OSPF to establish the iBGP connection Configure Switch A Swi...

Page 822: ...t hop 3 1 1 1 is marked with a greater than sign indicating it is the best route because the ID of Switch B is smaller the route with next hop 3 1 2 1 is marked with only an asterisk indicating it is a valid route but not the best z Using the display ip routing table command you can find only one route to 9 1 1 0 24 with next hop 3 1 1 1 and outbound interface VLAN interface 200 3 Configure loadin...

Page 823: ...C Configure No_Export community attribute on Switch A to make routes from AS 10 not advertised by AS 20 to any other AS Figure 1 23 Network diagram for BGP community configuration Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure eBGP Configure Switch A SwitchA system view SwitchA bgp 10 SwitchA bgp router id 1 1 1 1 SwitchA bgp peer 200 1 2 2 as number 20 SwitchA...

Page 824: ...gp routing table Total Number of Routes 1 BGP Local router ID is 3 3 3 3 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 9 1 1 0 24 200 1 3 1 0 0 20 10i Switch C learned route 9 1 1 0 24 from Switch B 3 Configure BGP community Configure a routing policy SwitchA route policy comm_policy permit node ...

Page 825: ...BGP z Between Switch A and Switch B is an eBGP connection between Switch C and Switch B and between Switch C and Switch D are iBGP connections z Switch C is a route reflector with clients Switch B and D z Switch D can learn route 1 0 0 0 8 from Switch C Figure 1 24 Network diagram for BGP route reflector configuration Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Config...

Page 826: ...uter id 4 4 4 4 SwitchD bgp peer 194 1 1 1 as number 200 SwitchD bgp quit 3 Configure the route reflector Configure Switch C SwitchC bgp 200 SwitchC bgp peer 193 1 1 2 reflect client SwitchC bgp peer 194 1 1 2 reflect client SwitchC bgp quit 4 Verify the above configuration Display the BGP routing table on Switch B SwitchB display bgp routing table Total Number of Routes 1 BGP Local router ID is 2...

Page 827: ... n i n t 3 0 0 Vlan int400 Vlan int500 Vlan int400 Vlan int500 Vlan int200 Vlan int200 Vlan int300 Vlan int200 Device Interface IP address Device Interface IP address Switch A Vlan int100 200 1 1 1 24 Switch D Vlan int200 10 1 5 1 24 Vlan int200 10 1 1 1 24 Vlan int400 10 1 3 2 24 Vlan int300 10 1 2 1 24 Switch E Vlan int200 10 1 5 2 24 Vlan int400 10 1 3 1 24 Vlan int500 10 1 4 2 24 Vlan int500 1...

Page 828: ...e iBGP connections in AS65001 Configure Switch A SwitchA bgp 65001 SwitchA bgp peer 10 1 3 2 as number 65001 SwitchA bgp peer 10 1 3 2 next hop local SwitchA bgp peer 10 1 4 2 as number 65001 SwitchA bgp peer 10 1 4 2 next hop local SwitchA bgp quit Configure Switch D SwitchD system view SwitchD bgp 65001 SwitchD bgp router id 4 4 4 4 SwitchD bgp confederation id 200 SwitchD bgp peer 10 1 3 1 as n...

Page 829: ...in i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 9 1 1 0 24 10 1 1 1 0 100 0 65001 100i SwitchB display bgp routing table 9 1 1 0 BGP local router ID 2 2 2 2 Local AS number 65002 Paths 1 available 1 best BGP routing table entry information of 9 1 1 0 24 From 10 1 1 1 1 1 1 1 Relay Nexthop 0 0 0 0 Original nexthop 10 1 1 1 AS path 65001 100 Origin igp Attribute value MED 0 l...

Page 830: ...nal route information from Switch A and generate the same BGP route entries it seems like that they reside in the same AS although they have no direct connection in between BGP Path Selection Configuration Network requirements z In the figure below all switches run BGP Between Switch A and Switch B and between Switch A and Switch C are eBGP connections Between Switch B and Switch D and between Swi...

Page 831: ... 1 area 0 0 0 0 network 193 1 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 0 network 195 1 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 0 quit SwitchC ospf 1 quit Configure Switch D SwitchD system view SwitchD ospf SwitchD ospf area 0 SwitchD ospf 1 area 0 0 0 0 network 194 1 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 0 network 195 1 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 0 quit SwitchD ospf 1 quit 3 Configur...

Page 832: ...and apply_med_100 which sets the MED for route 1 0 0 0 8 to 100 SwitchA route policy apply_med_50 permit node 10 SwitchA route policy if match acl 2000 SwitchA route policy apply cost 50 SwitchA route policy quit SwitchA route policy apply_med_100 permit node 10 SwitchA route policy if match acl 2000 SwitchA route policy apply cost 100 SwitchA route policy quit Apply routing policy apply_med_50 to...

Page 833: ...ng policy localpref to routes from peer 193 1 1 1 SwitchC bgp 200 SwitchC bgp peer 193 1 1 1 route policy localpref import SwitchC bgp quit Display the routing table on Switch D SwitchD display bgp routing table Total Number of Routes 2 BGP Local router ID is 194 1 1 1 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPr...

Page 834: ...rface10 ip address 10 1 0 100 24 SwitchB Vlan interface10 quit 2 Configure BGP basic functions Configure Switch A SwitchA bgp 100 SwitchA bgp peer 10 1 0 100 as number 100 SwitchA bgp peer 10 1 0 100 bfd SwitchA bgp quit Configure Switch B SwitchB bgp 100 SwitchB bgp peer 10 1 0 102 as number 100 SwitchB bgp peer 10 1 0 102 bfd SwitchB bgp quit 3 Configure BFD parameters Configure Switch A SwitchA...

Page 835: ...kt Num 52 Send Pkt Num 50 Hold Time 1600ms Connect Type Direct Running Up for 00 00 01 Auth mode None Protocol BGP Diag Info No Diagnostic After the link between Switch A and Switch B fails display the detailed BGP neighbor information of Switch A Switch A has removed its neighbor relationship with Switch B SwitchA display bgp peer 10 1 0 100 verbose Peer 10 1 0 100 Local 1 1 1 1 Type IBGP link BG...

Page 836: ...es omitted Configure the eBGP connection SwitchA system view SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp peer 200 1 1 1 as number 65009 Inject network 8 0 0 0 8 to the BGP routing table SwitchA bgp network 8 0 0 0 Enable GR capability for BGP SwitchA bgp graceful restart 2 Configure Switch B Configure IP addresses for interfaces omitted Configure the eBGP connection SwitchB system ...

Page 837: ... the connection to a peer cannot become established Analysis To become BGP peers any two routers need to establish a TCP session using port 179 and exchange Open messages successfully Solution 1 Use the display current configuration command to verify the peer s AS number 2 Use the display bgp peer command to verify the peer s IP address 3 If the loopback interface is used check whether the peer co...

Page 838: ...6 Static Routing 1 1 Features of IPv6 Static Routes 1 1 Default IPv6 Route 1 1 Configuring an IPv6 Static Route 1 1 Configuration prerequisites 1 2 Configuring an IPv6 Static Route 1 2 Displaying and Maintaining IPv6 Static Routes 1 2 IPv6 Static Routing Configuration Example 1 2 ...

Page 839: ... routes also have shortcomings any topology changes could result in unavailable routes requiring the network administrator to manually configure and modify the static routes Features of IPv6 Static Routes Similar to IPv4 static routes IPv6 static routes work well in simple IPv6 network environments Their major difference lies in the destination and next hop addresses IPv6 static routes use IPv6 ad...

Page 840: ...preference preference value Required The default preference of IPv6 static routes is 60 Displaying and Maintaining IPv6 Static Routes To do Use the command Remarks Display IPv6 static route information display ipv6 routing table protocol static inactive verbose Available in any view Remove all IPv6 static routes delete ipv6 static routes all Available in system view Using the undo ipv6 route stati...

Page 841: ...ic route on SwitchC SwitchC system view SwitchC ipv6 route static 0 5 2 3 Configure the IPv6 addresses of hosts and gateways Configure the IPv6 addresses of all the hosts based upon the network diagram configure the default gateway of Host A as 1 1 that of Host B as 2 1 and that of Host C as 3 1 4 Display configuration information Display the IPv6 routing table of SwitchA SwitchA display ipv6 rout...

Page 842: ... ping command SwitchA ping ipv6 3 1 PING 3 1 56 data bytes press CTRL_C to break Reply from 3 1 bytes 56 Sequence 1 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 2 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 4 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 5 hop limit 254 time 63 ms 3 1 ping statistics...

Page 843: ...Png Route Summarization 1 5 Advertising a Default Route 1 5 Configuring a RIPng Route Filtering Policy 1 6 Configuring a Priority for RIPng 1 6 Configuring RIPng Route Redistribution 1 6 Tuning and Optimizing the RIPng Network 1 7 Configuring RIPng Timers 1 7 Configuring Split Horizon and Poison Reverse 1 8 Configuring Zero Field Check on RIPng Packets 1 8 Configuring the Maximum Number of Equal C...

Page 844: ...x 128 bit destination address prefix z Next hop 128 bit IPv6 address z Source address RIPng uses FE80 10 as the link local source address RIPng Working Mechanism RIPng is a routing protocol based on the distance vector D V algorithm RIPng uses UDP packets to exchange routing information through port 521 RIPng uses a hop count to measure the distance to a destination The hop count is referred to as...

Page 845: ...figuration in the IP Routing Volume RIPng Packet Format Basic format A RIPng packet consists of a header and multiple route table entries RTEs The maximum number of RTEs in a packet depends on the IPv6 MTU of the sending interface Figure 1 1 shows the packet format of RIPng Figure 1 1 RIPng basic packet format z Command Type of message 0x01 indicates Request 0x02 indicates Response z Version Versi...

Page 846: ...uested routing information to the requesting router in the response packet Response packet The response packet containing the local routing table information is generated as z A response to a request z An update periodically z A trigged update caused by route change After receiving a response a router checks the validity of the response before adding the route to its routing table such as whether ...

Page 847: ...g a Default Route z Configuring a RIPng Route Filtering Policy z Configuring a Priority for RIPng z Configuring RIPng Route Redistribution Before the configuration accomplish the following tasks first z Configure an IPv6 address on each interface and make sure all nodes are reachable to one another z Configure RIPng basic functions z Define an IPv6 ACL before using it for route filtering Refer to ...

Page 848: ... Summarization Follow these steps to configure RIPng route summarization To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Advertise a summary IPv6 prefix ripng summary address ipv6 address prefix length Required Advertising a Default Route Follow these steps to advertise a default route To do Use the command Remarks Enter sy...

Page 849: ...uting information Configuring a Priority for RIPng Any routing protocol has its own protocol priority used for optimal route selection You can set a priority for RIPng manually The smaller the value is the higher the priority is Follow these steps to configure a RIPng priority To do Use the command Remarks Enter system view system view Enter RIPng view ripng process id Configure a RIPng priority p...

Page 850: ...lancing Configuring RIPng Timers You can adjust RIPng timers to optimize the performance of the RIPng network Follow these steps to configure RIPng timers To do Use the command Remarks Enter system view system view Enter RIPng view ripng process id Configure RIPng timers timers garbage collect garbage collect value suppress suppress value timeout timeout value update update value Optional The RIPn...

Page 851: ... are recommended to enable split horizon to prevent routing loops Configuring the poison reverse function The poison reverse function enables a route learned from an interface to be advertised through the interface However the metric of the route is set to 16 That is to say the route is unreachable Follow these steps to configure poison reverse To do Use the command Remarks Enter system view syste...

Page 852: ...id Configure the maximum number of equal cost RIPng routes for load balancing maximum load balancing number Optional The value defaults to 8 Displaying and Maintaining RIPng To do Use the command Remarks Display configuration information of a RIPng process display ripng process id Available in any view Display routes in the RIPng database display ripng process id database Available in any view Dis...

Page 853: ...tem view SwitchA ripng 1 SwitchA ripng 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ripng 1 enable SwitchA Vlan interface100 quit SwitchA interface vlan interface 400 SwitchA Vlan interface400 ripng 1 enable SwitchA Vlan interface400 quit Configure Switch B SwitchB system view SwitchB ripng 1 SwitchB ripng 1 quit SwitchB interface vlan interface 200 SwitchB Vlan interface2...

Page 854: ...E2FF FE00 100 cost 1 tag 0 A 11 Sec Dest 4 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 11 Sec Dest 5 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 11 Sec Display the routing table of Switch A SwitchA display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 200 2FF FE64 8904 on Vlan interface100 Dest 1 64 via FE80 200 2FF FE64 8904 cost 1 tag 0 A 31 Sec Dest 4 64 via FE80 ...

Page 855: ...g 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 20F E2FF FE00 1235 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE00 1235 cost 1 tag 0 A 2 Sec Dest 4 64 via FE80 20F E2FF FE00 1235 cost 2 tag 0 A 2 Sec Dest 5 64 via FE80 20F E2FF FE00 1235 cost 2 tag 0 A 2 Sec Configuring RIPng Route Redistribution Network requirements z Two RIPng processes are running on Switch B which ...

Page 856: ... SwitchB Vlan interface100 ripng 100 enable SwitchB Vlan interface100 quit SwitchB ripng 200 SwitchB ripng 200 quit SwitchB interface vlan interface 300 SwitchB Vlan interface300 ripng 200 enable SwitchB Vlan interface300 quit Enable RIPng 200 on Switch C SwitchC system view SwitchC ripng 200 SwitchC interface vlan interface 300 SwitchC Vlan interface300 ripng 200 enable SwitchC Vlan interface300 ...

Page 857: ...cesses on Switch B SwitchB ripng 100 SwitchB ripng 100 default cost 3 SwitchB ripng 100 import route ripng 200 SwitchB ripng 100 quit SwitchB ripng 200 SwitchB ripng 200 import route ripng 100 SwitchB ripng 200 quit Display the routing table of Switch A SwitchA display ipv6 routing table Routing Table Destinations 7 Routes 7 Destination 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop...

Page 858: ...irect NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination 4 64 Protocol RIPng NextHop FE80 200 BFF FE01 1C02 Preference 100 Interface Vlan100 Cost 4 Destination FE80 10 Protocol Direct NextHop Preference 0 Interface NULL0 Cost 0d ...

Page 859: ...ation Control 1 8 Prerequisites 1 8 Configuring OSPFv3 Route Summarization 1 8 Configuring OSPFv3 Inbound Route Filtering 1 9 Configuring an OSPFv3 Cost for an Interface 1 9 Configuring the Maximum Number of OSPFv3 Load balanced Routes 1 10 Configuring a Priority for OSPFv3 1 10 Configuring OSPFv3 Route Redistribution 1 11 Tuning and Optimizing OSPFv3 Networks 1 12 Prerequisites 1 12 Configuring O...

Page 860: ...ii Configuring OSPFv3 Route Redistribution 1 23 Configuring OSPFv3 GR 1 26 Troubleshooting OSPFv3 Configuration 1 28 No OSPFv3 Neighbor Relationship Established 1 28 Incorrect Routing Information 1 28 ...

Page 861: ...ric sense or a Layer 3 switch z EA boards such as LSQ1GP12EA and LSQ1TGX1EA do not support IPv6 features Introduction to OSPFv3 OSPFv3 Overview Open Shortest Path First version 3 OSPFv3 supports IPv6 and complies with RFC2740 OSPF for IPv6 The same between OSPFv3 and OSPFv2 z 32 bits router ID and area ID z Packets Hello DD Data Description LSR Link State Request LSU Link State Update LSAck Link S...

Page 862: ...Network LSA Originated for broadcast and NBMA networks by the Designated Router This LSA contains the list of routers connected to the network Flooded throughout a single area only z Inter Area Prefix LSA Similar to Type 3 LSA of OSPFv2 originated by ABRs Area Border Routers and flooded throughout the LSA s associated area Each Inter Area Prefix LSA describes a route with IPv6 address prefix to a ...

Page 863: ...ello packet from a neighbor within a period it will declare the peer is down The period is called the dead interval After sending an LSA to its adjacency a router waits for an acknowledgment from the adjacency If no response is received after the retransmission interval elapses the router will send again the LSA The retransmission interval must be longer than the round trip time of the LSA LSA del...

Page 864: ...g OSPFv3 Route Summarization Optional Configuring OSPFv3 Inbound Route Filtering Optional Configuring an OSPFv3 Cost for an Interface Optional Configuring the Maximum Number of OSPFv3 Load balanced Routes Optional Configuring a Priority for OSPFv3 Optional Configuring OSPFv3 Routing Information Control Configuring OSPFv3 Route Redistribution Optional Configuring OSPFv3 Timers Optional Configuring ...

Page 865: ...ter ID router id router id Required Enter interface view interface interface type interface number Enable an OSPFv3 process on the interface ospfv3 process id area area id instance instance id Required Not enabled by default Configuring OSPFv3 Area Parameters The stub area and virtual link features of OSPFv3 are the same as OSPFv2 Splitting an OSPFv3 AS into multiple areas reduces the number of LS...

Page 866: ...ble on the ABR of the stub area z If you use the stub command with the keyword no summary on an ABR the ABR advertises a default route in an Inter Area Prefix LSA into the stub area No AS external LSA Inter Area Prefix LSA or Inter Area Router LSA is advertised in the area The stub area of this kind is also known as a totally stub area Configuring an OSPFv3 Virtual Link You can configure a virtual...

Page 867: ...be directly reachable to each other through a virtual circuit In the event no such direct link is available you need to change the network type through a command z If direct connections are not available between some routers in an NBMA network the type of interfaces associated should be configured as P2MP or as P2P for interfaces with only one neighbor Prerequisites Before configuring OSPFv3 netwo...

Page 868: ...formation Control This section is to configure the control of OSPF routing information advertisement and reception and redistribution from other protocols Prerequisites z Enable IPv6 packet forwarding z Configure OSPFv3 basic functions Configuring OSPFv3 Route Summarization If contiguous network segments exist in an area you can use the abr summary command to summarize them into one network segmen...

Page 869: ...out can be added into the local routing table Configuring an OSPFv3 Cost for an Interface You can configure an OSPFv3 cost for an interface with one of the following two methods z Configure the cost value in interface view z Configure a bandwidth reference value for the interface and OSPFv3 computes the cost automatically based on the bandwidth reference value Interface OSPFv3 cost Bandwidth refer...

Page 870: ...ltiple equal cost routes to a destination are available enabling load balancing among these routes can improve link utilization Follow these steps to configure the maximum number of load balanced routes To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Specify the maximum number of load balanced routes maximum load balancing maximum Optional The value ...

Page 871: ...a default route default route advertise always cost cost type type route policy route policy name Optional Not injected by default Filter redistributed routes filter policy acl6 number ipv6 prefix ipv6 prefix name export isisv6 process id ospfv3 process id ripng process id bgp4 direct static Optional Not configured by default z Executing the import route or default route advertise command on a rou...

Page 872: ...ing z Configure OSPFv3 basic functions Configuring OSPFv3 Timers Follow these steps to configure OSPFv3 timers To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the hello interval ospfv3 timer hello seconds instance instance id Optional Defaults to 10 seconds on P2P broadcast interfaces Specify the poll interval osp...

Page 873: ...erface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure a DR priority ospfv3 dr priority priority instance instance id Optional Defaults to 1 The DR priority of an interface determines the interface s qualification in DR election Interfaces having the priority 0 cannot become a DR or BDR Ignoring MTU Check for DD P...

Page 874: ... sending OSPFv3 packets Using the silent interface command disables only the interfaces associated with the current process z After an OSPF interface is set to silent direct routes of the interface can still be advertised in Intra Area Prefix LSAs via other interfaces but other OSPFv3 packets cannot be advertised Therefore no neighboring relationship can be established on the interface This featur...

Page 875: ...elpers Then the GR Restarter retrieves its adjacencies and LSDB with the help of the GR Helpers Thus the normal data forwarding is ensured Configuring GR Restarter You can configure the GR Restarter capability on a GR Restarter Follow these steps to configure GR Restarter To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Enable the GR capability gracef...

Page 876: ...rbose peer router id Display OSPFv3 neighbor statistics display ospfv3 peer statistic Display OSPFv3 routing table information display ospfv3 process id routing ipv6 address prefix length ipv6 address prefix length abr routes asbr routes all statistics Display OSPFv3 area topology information display ospfv3 process id topology area area id Display OSPFv3 virtual link information display ospfv3 pro...

Page 877: ...onfigure Area 2 as a stub area to reduce LSAs in the area without affecting route reachability Figure 1 2 Network diagram for OSPFv3 area configuration Configuration procedure 1 Configure IPv6 addresses for interfaces omitted 2 Configure OSPFv3 basic functions Configure Switch A SwitchA system view SwitchA ipv6 SwitchA ospfv3 SwitchA ospfv3 1 router id 1 1 1 1 SwitchA ospfv3 1 quit SwitchA interfa...

Page 878: ...face100 ospfv3 1 area 0 SwitchC Vlan interface100 quit SwitchC interface vlan interface 400 SwitchC Vlan interface400 ospfv3 1 area 2 SwitchC Vlan interface400 quit Configure Switch D SwitchD system view SwitchD ipv6 SwitchD ospfv3 SwitchD ospfv3 1 router id 4 4 4 4 SwitchD ospfv3 1 quit SwitchD interface Vlan interface 400 SwitchD Vlan interface400 ospfv3 1 area 2 SwitchD Vlan interface400 quit D...

Page 879: ...eted route OSPFv3 Router with ID 4 4 4 4 Process 1 Destination 2001 64 Type IA Cost 2 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 1 64 Type IA Cost 3 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 2 64 Type I Cost 1 NextHop directly connected Interface Vlan400 Destination 2001 3 64 Type IA Cost 4 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 3 Configure Area 2 as a ...

Page 880: ...tination 2001 2 64 Type I Cost 1 NextHop directly connected Interface Vlan400 Destination 2001 3 64 Type IA Cost 4 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 4 Configure Area 2 as a totally stub area Configure Area 2 as a totally stub area on Switch C SwitchC ospfv3 1 area 0 0 0 2 stub no summary Display OSPFv3 routing table information on Switch D You can find route entries are reduced All non ...

Page 881: ...ion configuration Configuration procedure 1 Configure IPv6 addresses for interfaces omitted 2 Configure OSPFv3 basic functions Configure Switch A SwitchA system view SwitchA ipv6 SwitchA ospfv3 SwitchA ospfv3 1 router id 1 1 1 1 SwitchA ospfv3 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ospfv3 1 area 0 SwitchA Vlan interface100 quit Configure Switch B SwitchB system view ...

Page 882: ...ri State Dead Time Interface Instance ID 2 2 2 2 1 2 Way DROther 00 00 36 Vlan200 0 3 3 3 3 1 Full Backup 00 00 35 Vlan100 0 4 4 4 4 1 Full DR 00 00 33 Vlan200 0 Display neighbor information on Switch D You can find the neighbor states are all full SwitchD display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 1 1 1 1 1 Full DROther 00 00 30 Vlan...

Page 883: ... DROther 00 00 36 Vlan200 0 3 3 3 3 2 Full Backup 00 00 40 Vlan100 0 4 Restart DR BDR election Use the shutdown and undo shutdown commands on interfaces to restart DR BDR election omitted Display neighbor information on Switch A You can find Switch C becomes the BDR SwitchA display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 2 2 2 2 0 Full DRO...

Page 884: ...rfaces omitted 2 Configure OSPFv3 basic functions Enable OSPFv3 process 1 on Switch A SwitchA system view SwitchA ipv6 SwitchA ospfv3 1 SwitchA ospfv3 1 router id 1 1 1 1 SwitchA ospfv3 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ospfv3 1 area 2 SwitchA Vlan interface100 quit SwitchA interface vlan interface 200 SwitchA Vlan interface200 ospfv3 1 area 2 SwitchA Vlan inter...

Page 885: ...ing table Routing Table Destinations 6 Routes 6 Destination 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination 3 64 Protocol Direct NextHop 3 2 Preference 0 Interface Vlan300 Cost 0 Destination 3 2 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination 4 64 Protocol Direct NextHop 4 1 Preference 0 Interface Vlan400 Cost 0 Destination 4 1 128 ...

Page 886: ...v3 NextHop FE80 200 CFF FE01 1C03 Preference 150 Interface Vlan300 Cost 3 Destination 3 64 Protocol Direct NextHop 3 2 Preference 0 Interface Vlan300 Cost 0 Destination 3 2 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination 4 64 Protocol Direct NextHop 4 1 Preference 0 Interface Vlan400 Cost 0 Destination 4 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0...

Page 887: ...ful restart enable SwitchA ospfv3 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ospfv3 1 area 1 SwitchA Vlan interface100 quit Enable OSPFv3 on Switch B and set the router ID to 2 2 2 2 By default GR helpler is enabled on Switch B SwitchB system view SwitchB ipv6 SwitchB ospfv3 1 SwitchB ospfv3 1 router id 2 2 2 2 SwitchB ospfv3 1 quit SwitchB interface vlan interface 100 S...

Page 888: ... ospfv3 peer command 2 Display OSPFv3 interface information using the display ospfv3 interface command 3 Ping the neighbor router s IP address to check connectivity 4 Check OSPF timers The dead interval on an interface must be at least four times the hello interval 5 On a broadcast network at least one interface must have a DR priority higher than 0 Incorrect Routing Information Symptom OSPFv3 can...

Page 889: ...ut area configuration using the display current configuration configuration command If more than two areas are configured at least one area is connected to the backbone 5 In a Stub area all routers are configured with the stub command 6 If a virtual link is configured use the display ospf vlink command to check the neighbor state ...

Page 890: ...uring IPv6 IS IS Basic Functions 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Configuring IPv6 IS IS Routing Information Control 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Displaying and Maintaining IPv6 IS IS 1 4 IPv6 IS IS Configuration Example 1 4 ...

Page 891: ...em to Intermediate System intra domain routing information exchange protocol supports multiple network protocols including IPv6 IS IS with IPv6 support is called IPv6 IS IS dynamic routing protocol The international engineer task force IETF defines two type length values TLVs and a new network layer protocol identifier NLPID to enable IPv6 support for IS IS TLV is a variable length field in the li...

Page 892: ...sis process id Required Not enabled by default Configure the network entity title for the IS IS process network entity net Required Not configured by default Enable IPv6 for the IS IS process ipv6 enable Required Disabled by default Return to system view quit Enter interface view interface interface type interface number Enable IPv6 for an IS IS process on the interface isis ipv6 enable process id...

Page 893: ... 2 IPv6 routes ipv6 import route limit number Optional The default value depends on the SRPU models LPU models and their working modes Configure the filtering of outgoing redistributed routes ipv6 filter policy acl6 number ipv6 prefix ipv6 prefix name route policy route policy name export protocol process id Optional Not configured by default Enable route leaking ipv6 import route isisv6 level 2 i...

Page 894: ...e Available in any view Display IS IS neighbor information display isis peer statistics verbose process id vpn instance vpn instance name Available in any view Display IPv6 IS IS routing information display isis route ipv6 level 1 level 2 verbose process id Available in any view Display SPF log information display isis spf log process id vpn instance vpn instance name Available in any view Display...

Page 895: ...an interface100 isis ipv6 enable 1 SwitchA Vlan interface100 quit Configure Switch B SwitchB system view SwitchB isis 1 SwitchB isis 1 is level level 1 SwitchB isis 1 network entity 10 0000 0000 0002 00 SwitchB isis 1 ipv6 enable SwitchB isis 1 quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 isis ipv6 enable 1 SwitchB Vlan interface200 quit Configure Switch C SwitchC system vie...

Page 896: ...chC Vlan interface300 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 is level level 2 SwitchD isis 1 network entity 20 0000 0000 0004 00 SwitchD isis 1 ipv6 enable SwitchD isis 1 quit SwitchD interface vlan interface 300 SwitchD Vlan interface300 isis ipv6 enable 1 SwitchD Vlan interface300 quit SwitchD interface vlan interface 301 SwitchD Vlan interface301 isis ipv6 ena...

Page 897: ... Peer Group 1 7 Configuring Outbound Route Filtering 1 8 Configuring Inbound Route Filtering 1 9 Configuring IPv6 BGP and IGP Route Synchronization 1 9 Configuring Route Dampening 1 10 Configuring IPv6 BGP Route Attributes 1 10 Prerequisites 1 10 Configuring IPv6 BGP Preference and Default LOCAL_PREF and NEXT_HOP Attributes 1 10 Configuring the MED Attribute 1 11 Configuring the AS_PATH Attribute ...

Page 898: ...ii IPv6 BGP Basic Configuration 1 21 IPv6 BGP Route Reflector Configuration 1 23 Troubleshooting IPv6 BGP Configuration 1 24 No IPv6 BGP Peer Relationship Established 1 24 ...

Page 899: ...ation Examples z Troubleshooting IPv6 BGP Configuration IPv6 BGP Overview BGP 4 was designed to carry only IPv4 routing information and thus other network layer protocols such as IPv6 are not supported To support multiple network layer protocols IETF extended BGP 4 by introducing Multiprotocol BGP MP BGP which is defined in RFC 2858 multiprotocol extensions for BGP 4 MP BGP for IPv6 is referred to...

Page 900: ...onal Advertising a Default Route to an IPv6 Peer Peer Group Optional Configuring Outbound Route Filtering Optional Configuring Inbound Route Optional Configuring IPv6 BGP and IGP Route Synchronization Optional Controlling Route Distribution and Reception Configuring Route Dampening Optional Configuring IPv6 BGP Preference and Default LOCAL_PREF and NEXT_HOP Attributes Optional Configuring the MED ...

Page 901: ... IP addresses are configured for any interfaces Enter IPv6 address family view ipv6 family Specify an IPv6 peer peer ipv6 address as number as number Required Injecting a Local IPv6 Route Follow these steps to configure advertise a local route into the routing table To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 family I...

Page 902: ...and For information about using a routing policy to set a preferred value refer to the command peer group name ipv4 address ipv6 address route policy route policy name import export in this document and the command apply preferred value preferred value in Routing Policy Commands of the IP Routing Volume Specifying the Source Interface for Establishing TCP Connections Follow these steps to specify ...

Page 903: ...he command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 family Allow the establishment of eBGP connection to a non directly connected peer peer group peer ipv6 group name ipv6 address ebgp max hop hop count Required Not configured by default In general direct links should be available between eBGP peers If not you can use the peer ebgp max ...

Page 904: ...teps to configure to log on the session and event information of an IPv6 peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable logging of peer changes globally log peer change Optional Enabled by default Enter IPv6 address family view ipv6 family Enable the state change logging for an IPv6 peer or peer group peer ipv6 group name ipv6 addres...

Page 905: ...ing the import route command cannot redistribute any IGP default route Configuring IPv6 BGP Route Summarization To reduce the routing table size on medium and large BGP networks you need to configure route summarization on BGP routers BGP supports only manual summarization of IPv6 routes Follow these steps to configure IPv6 BGP route summarization To do Use the command Remarks Enter system view sy...

Page 906: ... number Enter IPv6 address family view ipv6 family Configure the filtering of outgoing routes filter policy acl6 number ipv6 prefix ipv6 prefix name export protocol process id Required Not configured by default Apply a routing policy to routes advertised to an IPv6 peer peer group peer ipv6 group name ipv6 address route policy route policy name export Required Not applied by default Specify an IPv...

Page 907: ...e ipv6 address filter policy acl6 number import Required Not specified by default Specify an AS path ACL to filter routing information imported from an IPv6 peer peer group peer ipv6 group name ipv6 address as path acl as path acl number import Required Not specified by default Specify an IPv6 prefix list to filter routing information imported from an IPv6 peer peer group peer ipv6 group name ipv6...

Page 908: ... dampening To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 family Configure IPv6 BGP route dampening parameters dampening half life reachable half life unreachable reuse suppress ceiling route policy route policy name Optional Not configured by default Configuring IPv6 BGP Route Attributes This section describes how to us...

Page 909: ... sure an iBGP peer can find the correct next hop you can configure routes advertised to the IPv6 iBGP peer peer group to use the local router as the next hop If BGP load balancing is configured the local router specifies itself as the next hop of routes sent to an IPv6 iBGP peer peer group regardless of whether the peer next hop local command is configured z In a third party next hop network that ...

Page 910: ...as path neglect Optional Enabled by default Configure to carry only the public AS number in updates sent to a peer peer group peer ipv6 group name ipv6 address public as only Optional By default IPv6 BGP updates carry private AS number Substitute the local AS number for the AS number of an IPv6 peer peer group identified in the AS_PATH attribute peer ipv6 group name ipv6 address substitute as Opti...

Page 911: ...apply the new policy Prerequisites Before configuring IPv6 BGP timers you need to z Enable IPv6 z Configure IPv6 BGP basic functions Configuring IPv6 BGP Timers Follow these steps to configure IPv6 BGP timers To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 family Specify keepalive interval and holdtime timer keepalive kee...

Page 912: ...icy peer ipv6 group name ipv6 address keep all routes Optional Not saved by default Return to user view return Soft reset BGP connections manually refresh bgp ipv6 all ipv6 address group ipv6 group name external internal export import Required If the peer keep all routes command is used all routes from the peer peer group will be saved regardless of whether the filtering policy is available These ...

Page 913: ...GP peer peer group peer group name ipv6 address capability advertise orf non standard Optional By default standard BGP ORF capability defined in RFC 5291 and RFC 5292 is supported Enable the ORF IP prefix negotiation capability for a BGP peer peer group peer group name ip address ipv6 address capability advertise orf ip prefix both receive send Required Not supported by default Table 1 1 Descripti...

Page 914: ... not limited by AS To guarantee connectivity between iBGP peers you need to make them fully meshed but it becomes unpractical when there are too many iBGP peers Using route reflectors or confederation can solve it In a large scale AS both of them can be used Confederation configuration of IPv6 BGP is identical to that of BGP4 so it is not mentioned here The following describes z Configuring IPv6 B...

Page 915: ...d by default z To create a pure eBGP peer group you need to specify an AS number for the peer group z If a peer was added into an eBGP peer group you cannot specify any AS number for the peer group Creating a mixed eBGP peer group Follow these steps to create a mixed eBGP peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family v...

Page 916: ...ended community attribute to an IPv6 peer peer group peer ipv6 group name ipv6 address advertise ext community Required Not advertised by default Apply a routing policy to routes advertised to a peer peer group Follow these steps to apply a routing policy to routes advertised to a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 ad...

Page 917: ...ector fully meshed If clients are fully meshed it is recommended to disable route reflection between clients to reduce routing costs z If a cluster has multiple route reflectors you need to specify the same cluster ID for these route reflectors to avoid routing loops Displaying and Maintaining IPv6 BGP Displaying BGP To do Use the command Remarks Display IPv6 BGP peer group information display bgp...

Page 918: ... routing table different origin as Display IPv6 BGP routing flap statistics display bgp ipv6 routing table flap info regular expression as regular expression as path acl as path acl number network address prefix length longer match Display BGP routing information to or from an IPv4 or IPv6 peer display bgp ipv6 routing table peer ipv4 address ipv6 address advertised routes received routes network ...

Page 919: ...xamples for IPv6 BGP configuration are similar to those of BGP4 so refer to BGP Configuration in the IP Routing Volume for related information IPv6 BGP Basic Configuration Network requirements In the following figure are all IPv6 BGP switches Between Switch A and Switch B is an eBGP connection Switch B Switch C and Switch D are fully meshed through iBGP connections Figure 1 1 IPv6 BGP basic config...

Page 920: ... SwitchD ipv6 SwitchD bgp 65009 SwitchD bgp router id 4 4 4 4 SwitchD bgp ipv6 family SwitchD bgp af ipv6 peer 9 1 1 as number 65009 SwitchD bgp af ipv6 peer 9 2 1 as number 65009 SwitchD bgp af ipv6 quit SwitchD bgp quit 3 Configure the eBGP connection Configure Switch A SwitchA system view SwitchA ipv6 SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp ipv6 family SwitchA bgp af ipv6 pe...

Page 921: ...e established iBGP connections with each other IPv6 BGP Route Reflector Configuration Network requirements As shown in the following figure Switch B receives an eBGP update and sends it to Switch C which is configured as a route reflector with two clients Switch B and Switch D Switch B and Switch D need not establish an iBGP connection because Switch C reflects updates between them Figure 1 2 Netw...

Page 922: ...umber 200 SwitchC bgp af ipv6 peer 102 2 as number 200 Configure Switch D SwitchD system view SwitchD ipv6 SwitchD bgp 200 SwitchD bgp router id 4 4 4 4 SwitchD bgp ipv6 family SwitchD bgp af ipv6 peer 102 1 as number 200 3 Configure route reflector Configure Switch C as a route reflector Switch B and Switch D as its clients SwitchC bgp af ipv6 peer 101 2 reflect client SwitchC bgp af ipv6 peer 10...

Page 923: ...to verify the peer s IPv6 address 3 If the loopback interface is used check whether the peer connect interface command is configured 4 If the peer is not directly connected check whether the peer ebgp max hop command is configured 5 Check whether a route to the peer is available in the routing table 6 Use the ping command to check connectivity 7 Use the display tcp ipv6 status command to check the...

Page 924: ...mmunity List 1 5 Configuring a Route Policy 1 6 Prerequisites 1 6 Creating a Route Policy 1 6 Defining if match Clauses 1 7 Defining apply Clauses 1 8 Displaying and Maintaining the Route Policy 1 10 Route Policy Configuration Example 1 10 Applying a Route Policy to IPv4 Route Redistribution 1 10 Applying a Route Policy to IPv6 Route Redistribution 1 13 Applying a Route Policy to Filter Received B...

Page 925: ...ot support IPv6 features z Route policy in this chapter involves both IPv4 route policy and IPv6 route policy Introduction to Route Policy Route Policy and Policy Routing A route policy is used on a router for route filtering and attributes modification when routes are received advertised or redistributed Policy routing also called policy based routing PBR is a routing mechanism based on a user de...

Page 926: ...ity list configured based on the BGP community attribute can only be used to match BGP routing information Extended community list An extended community list configured based on the BGP extended community attribute Route Target for VPN and Source of Origin can only be used to match BGP routing information Route policy A route policy is used to match routing information and modify the attributes of...

Page 927: ... you need to decide on z IP prefix list name z Matching address range z Extcommunity list sequence number Defining an IP prefix List Define an IPv4 prefix list Identified by name an IPv4 prefix list can comprise multiple items Each item specifies a prefix range to match and is identified by an index number An item with a smaller index number is matched first If one item is matched the IP prefix li...

Page 928: ...ith a smaller index number is matched first If one item is matched the IPv6 prefix list is passed and the routing information will not go to the next item Follow these steps to define an IPv6 prefix list To do Use the command Remarks Enter system view system view Define an IPv6 prefix list ip ipv6 prefix ipv6 prefix name index index number deny permit ipv6 address prefix length greater equal min p...

Page 929: ...se steps to define a community list To do Use the command Remarks Enter system view system view Define a basic community list ip community list basic comm list num deny permit community number list internet no advertise no export no export subconfed Define a community list Define an advanced community list ip community list adv comm list num deny permit regular expression Required to define either...

Page 930: ...ng information z apply clauses Specify the actions to be taken on routing information that has satisfied the match criteria such as route attribute modification Prerequisites Before configuring this task you need to configure z Filters z Routing protocols You also need to decide on z Name of the route policy and node numbers z Match criteria z Attributes to be modified Creating a Route Policy Foll...

Page 931: ...the deny keyword no routing information can pass it Defining if match Clauses Follow these steps to define if match clauses for a route policy node To do Use the command Remarks Enter system view system view Enter route policy node view route policy route policy name deny permit node node number Required Match IPv4 routing information specified in the ACL if match acl acl number Match IPv4 routing...

Page 932: ...e2 external type1or2 is is level 1 is is level 2 internal nssa external type1 nssa external type2 nssa external type1or2 Optional Not configured by default Match RIP OSPF and IS IS routing information having the specified tag value if match tag value Optional Not configured by default z The if match clauses of a route policy node are in logic AND relationship namely routing information has to sati...

Page 933: ...ternal type 1 type 2 Optional Not set by default Set the extended community attribute for BGP routing apply extcommunity rt as number nn ip address nn 1 16 additive Optional Not set by default for IPv4 routes apply ip address next hop ip address Optional Not set by default The setting does not apply to redistributed routing information Set the next hop for IPv6 routes apply ipv6 next hop ipv6 addr...

Page 934: ...adv community list number Display BGP extended community list information display ip extcommunity list ext comm list number Display IPv4 prefix list statistics display ip ip prefix ip prefix name Display IPv6 prefix list statistics display ip ipv6 prefix ipv6 prefix name Display route policy information display route policy route policy name Available in any view Clear IPv4 prefix list statistics ...

Page 935: ...00 quit SwitchC interface vlan interface 201 SwitchC Vlan interface201 isis enable SwitchC Vlan interface201 quit SwitchC interface vlan interface 202 SwitchC Vlan interface202 isis enable SwitchC Vlan interface202 quit SwitchC interface vlan interface 203 SwitchC Vlan interface203 isis enable SwitchC Vlan interface203 quit Configure Switch B SwitchB system view SwitchB isis SwitchB isis 1 is leve...

Page 936: ... Area 192 168 1 0 24 1562 Stub 192 168 1 1 192 168 1 1 0 0 0 0 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 172 17 1 0 24 1 Type2 1 192 168 1 2 192 168 2 2 172 17 2 0 24 1 Type2 1 192 168 1 2 192 168 2 2 172 17 3 0 24 1 Type2 1 192 168 1 2 192 168 2 2 192 168 2 0 24 1 Type2 1 192 168 1 2 192 168 2 2 Total Nets 5 Intra Area 1 Inter Area 0 ASE 4 NSSA 0 4 Configure filtering lists Con...

Page 937: ...ables Routing for Network Destination Cost Type NextHop AdvRouter Area 192 168 1 0 24 1 Transit 192 168 1 1 192 168 1 1 0 0 0 0 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 172 17 1 0 24 100 Type2 1 192 168 1 2 192 168 2 2 172 17 2 0 24 1 Type2 20 192 168 1 2 192 168 2 2 172 17 3 0 24 1 Type2 1 192 168 1 2 192 168 2 2 192 168 2 0 24 1 Type2 1 192 168 1 2 192 168 2 2 Total Nets 5 In...

Page 938: ... enable SwitchA Vlan interface100 quit Configure three static routes SwitchA ipv6 route static 20 32 11 2 SwitchA ipv6 route static 30 32 11 2 SwitchA ipv6 route static 40 32 11 2 Configure a route policy SwitchA ip ipv6 prefix a index 10 permit 30 32 SwitchA route policy static2ripng deny node 0 SwitchA route policy if match ipv6 address prefix list a SwitchA route policy quit SwitchA route polic...

Page 939: ...0 CA03 1 cost 1 tag 0 A 3 Sec Applying a Route Policy to Filter Received BGP Routes Network requirements As shown in the following figure z All the switches run BGP Switch C establishes eBGP connections with other switches z Configure a route policy on Switch D to reject routes from AS 200 Figure 1 3 Route policy configuration to filter received BGP routes Swtich B AS 200 Vlan int200 1 1 2 1 24 Sw...

Page 940: ...4 SwitchD bgp peer 1 1 3 1 as number 300 SwitchD bgp quit On Switch A inject routes 4 4 4 4 24 5 5 5 5 24 and 6 6 6 6 24 to BGP SwitchA bgp network 4 4 4 4 24 SwitchA bgp network 5 5 5 5 24 SwitchA bgp network 6 6 6 6 24 On Switch B inject routes 7 7 7 7 24 8 8 8 8 24 and 9 9 9 9 24 to BGP SwitchB bgp network 7 7 7 7 24 SwitchB bgp network 8 8 8 8 24 SwitchB bgp network 9 9 9 9 24 Display the BGP ...

Page 941: ...policy rt1 to filter routes received from peer 1 1 3 1 SwitchD bgp 400 SwitchD peer 1 1 3 1 route policy rt1 import Display the BGP routing table information of Switch D SwitchD display bgp routing table Total Number of Routes 3 BGP Local router ID is 4 4 4 4 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal ...

Page 942: ... to display route policy information IPv6 Routing Information Filtering Failure Symptom Filtering routing information failed while the routing protocol runs normally Analysis At least one item of the IPv6 prefix list should be configured as permit mode and at least one node of the Route policy should be configured as permit mode Solution 1 Use the display ip ipv6 prefix command to display IP prefi...

Page 943: ...ew 1 1 Configuring Traffic Redirecting 1 1 Configuring a QoS Policy 1 2 Applying the QoS Policy 1 2 Displaying and Maintaining QoS Policies 1 3 Policy Routing Configuration Examples 1 4 IPv4 Policy Routing Configuration Example 1 4 IPv6 Policy Routing Configuration Example 1 5 ...

Page 944: ...tion based routing policy routing can make routing decisions based on the source address and other criteria in addition to the destination IP address The S7900E series switches implement policy routing through QoS policies You can configure traffic classification and traffic redirecting action so that packets matching specific criteria will be forwarded along the specified path thus to implement f...

Page 945: ...enter policy view qos policy policy name Associate the class with the traffic behavior in the QoS policy classifier tcl name behavior behavior name To implement policy routing successfully ensure that the next hop address specified in the redirect action exist and the outgoing interface is not a tunnel interface If you fail to do that the matching traffic will be dropped Applying the QoS Policy Wh...

Page 946: ...qos apply policy policy name inbound Required Follow these steps to apply the QoS policy to a VLAN To do Use the command Remarks Enter system view system view Apply the QoS policy to VLANs qos vlan policy policy name vlan vlan id list inbound Required QoS policies cannot be applied to dynamic VLANs for example VLANs created by GVRP Displaying and Maintaining QoS Policies To do Use the command Rema...

Page 947: ...utbound Available in any view Policy Routing Configuration Examples IPv4 Policy Routing Configuration Example Network requirements As shown in Figure 1 1 redirect all packets received on GigabitEthernet 2 0 1 of Switch A to the next hop 202 1 1 2 Figure 1 1 Network diagram for IPv4 policy routing configuration Configuration procedure Configure ACL 2000 SwitchA system view SwitchA acl number 2000 S...

Page 948: ... instead of Switch B IPv6 Policy Routing Configuration Example Network requirements As shown in Figure 1 2 redirect all packets received on GigabitEthernet 2 0 1 of Switch A to the next hop 202 2 Figure 1 2 Network diagram for IPv6 policy routing configuration Configuration procedure Configure IPv6 ACL 2000 SwitchA system view SwitchA acl ipv6 number 2000 SwitchA acl6 basic 2000 rule 0 permit sour...

Page 949: ...olicy a quit Apply QoS policy a to the incoming traffic of GigabitEthernet 2 0 1 SwitchA interface gigabitethernet 2 0 1 SwitchA GigabitEthernet2 0 1 qos apply policy a inbound Verification After completing the configuration verify that when Switch A receives packets with destination IP address 201 2 it forwards the packets to Switch C instead of Switch B ...

Page 950: ...nformation for IP multicast support This document describes z Multicast routing and forwarding overview z Multicast routing and forwarding configuration IGMP Internet Group Management Protocol IGMP is a protocol in the TCP IP suite responsible for management of IP multicast members This document describes z IGMP overview z Configuring basic functions of IGMP z Configuring IGMP performance paramete...

Page 951: ...GMP Snooping z Configuring IGMP Snooping Port Functions z Configuring IGMP Snooping Querier z Configuring IGMP Snooping Proxying z Configuring IGMP Snooping Policy Multicast VLAN The multicast VLAN feature configured on the Layer 2 device can saves the network bandwidth and lessens the burden of the Layer 3 device This document describes z Configuring Sub VLAN Based Multicast VLAN z Configuring Po...

Page 952: ... constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups This document describes z Configuring Basic Functions of MLD Snooping z Configuring MLD Snooping Port Functions z Configuring MLD Snooping Querier z Configuring MLD Snooping Proxying z Configuring MLD Snooping Policy IPv6 Multicast VLAN The IPv6 multicast VLAN feature configured on the Layer 2 device c...

Page 953: ...ast 1 4 Common Notations in Multicast 1 5 Advantages and Applications of Multicast 1 5 Multicast Models 1 6 Multicast Architecture 1 6 Multicast Addresses 1 7 Multicast Protocols 1 11 Multicast Packet Forwarding Mechanism 1 13 Multi Instance Multicast 1 13 Introduction to the Multi Instance Concept 1 13 Multi Instance Application in Multicast 1 14 ...

Page 954: ...By allowing high efficiency point to multipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added services such as live Webcasting Web TV distance learning telemedicine Web radio real time videoconferencing and other bandwidth and time critical information services ...

Page 955: ...d over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information to each of these users This means a tremendous pressure on the information source and the network bandwidth As we can see from the information transmission process unicast is not suitable for batch tr...

Page 956: ...ificant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multicast can well solve this problem When some hosts on the network need multicast information the information sender or multicast source sends only one copy of the information Multicast distribution tree...

Page 957: ...dcast is confined to the same subnet while multicast is not Features of Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast address Hosts join a multicast group to become members of the multicast group before they can receive the multicast data addressed to that multicast group Typically a multicast source does not need to jo...

Page 958: ...cast group or joins another group Common Notations in Multicast Two notations are commonly used in multicast z G Indicates a rendezvous point tree RPT or a multicast packet that any multicast source sends to multicast group G Here represents any multicast source while G represents a specific multicast group z S G Indicates a shortest path tree SPT or a multicast packet that multicast source S send...

Page 959: ...ecific sources Therefore receivers can receive the multicast data from only part of the multicast sources From the view of a receiver multicast sources are not all valid they are filtered SSM model In the practical life users may be interested in the multicast data from only certain multicast sources The SSM model provides a transmission service that allows users to specify the multicast sources t...

Page 960: ... in Table 1 2 Table 1 2 Class D IP address blocks and description Address block Description 224 0 0 0 to 224 0 0 255 Reserved permanent group addresses The IP address 224 0 0 0 is reserved and other IP addresses can be used by routing protocols and for topology searching protocol maintenance and so on Common permanent group addresses are listed in Table 1 3 A packet destined for an address in this...

Page 961: ... Host Configuration Protocol DHCP server relay agent 224 0 0 13 All Protocol Independent Multicast PIM routers 224 0 0 14 Resource Reservation Protocol RSVP encapsulation 224 0 0 15 All Core Based Tree CBT routers 224 0 0 16 Designated Subnetwork Bandwidth Management SBM 224 0 0 17 All SBMs 224 0 0 18 Virtual Router Redundancy Protocol VRRP 2 IPv6 multicast addresses Figure 1 4 IPv6 multicast form...

Page 962: ...multicast traffic is intended Possible values of this field are given in Table 1 5 Table 1 5 Values of the Scope field Value Meaning 0 3 F Reserved 1 Interface local scope 2 Link local scope 4 Admin local scope 5 Site local scope 6 7 9 through D Unassigned 8 Organization local scope E Global scope z Group ID 112 bits IPv6 multicast group identifier that uniquely identifies an IPv6 multicast group ...

Page 963: ...same MAC address Therefore in Layer 2 multicast forwarding a device may receive some multicast data addressed for other IPv4 multicast groups and such redundant data needs to be filtered by the upper layer 2 IPv6 multicast MAC addresses The high order 16 bits of an IPv6 multicast MAC address are 0x3333 and the low order 32 bits are the low order 32 bits of a multicast IPv6 address Figure 1 7 shows...

Page 964: ...eneral descriptions about applications and functions of the Layer 2 and Layer 3 multicast protocols in a network For details of these protocols refer to the related configuration manuals in the IP Multicast Volume Layer 3 multicast protocols Layer 3 multicast protocols include multicast group management protocols and multicast routing protocols Figure 1 8 describes where these multicast protocols ...

Page 965: ... Border Gateway Protocol MP BGP is used for exchanging multicast routing information among different ASs For the SSM model multicast routes are not divided into inter domain routes and intra domain routes Since receivers know the position of the multicast source channels established through PIM SM are sufficient for multicast information transport Layer 2 multicast protocols Layer 2 multicast prot...

Page 966: ...t packet transmission in the network unicast routing tables or multicast routing tables for example the MBGP routing table specially provided for multicast must be used as guidance for multicast forwarding z To process the same multicast information from different peers received on different interfaces of the same device every multicast packet is subject to a reverse path forwarding RPF check on t...

Page 967: ...d an instance resides on different PE devices Multi Instance Application in Multicast With multi instance multicast enabled a PE is able to z Maintain a set of independent multicast forwarding mechanism for each instance include various multicast protocols a list of PIM neighbors and a multicast routing table per instance Each instance searches its own forwarding table or routing table to forward ...

Page 968: ...nce z The configuration made in VPN instance view only takes effect on the VPN instance interface only An interface that does not belong to any VPN instance is called public instance interface z For more information about multicast VPN refer to Multicast VPN Configuration in the IP Multicast Volume ...

Page 969: ...figuration Prerequisites 1 8 Configuring Multicast Static Routes 1 8 Configuring a Multicast Routing Policy 1 9 Configuring a Multicast Forwarding Range 1 10 Configuring the Multicast Forwarding Table Size 1 10 Configuring Static Multicast MAC Address Entries 1 11 Tracing a Multicast Path 1 12 Displaying and Maintaining Multicast Routing and Forwarding 1 12 Configuration Examples 1 14 Changing an ...

Page 970: ...cast implementations multicast routing and forwarding are implemented by three types of tables z Each multicast routing protocol has its own multicast routing table such as PIM routing table z The information of different multicast routing protocols forms a general multicast routing table z The multicast forwarding table is directly used to control the forwarding of multicast packets A multicast f...

Page 971: ... RPF interface and the next hop is the RPF neighbor z The router automatically chooses an optimal multicast static route by searching its multicast static routing table using the IP address of the packet source as the destination address The corresponding routing entry explicitly defines the RPF interface and the RPF neighbor 2 Then the router selects one from these three optimal routes as the RPF...

Page 972: ...outer discards the packet 2 If the corresponding S G entry exists and the interface on which the packet actually arrived is the incoming interface the router forwards the packet to all the outgoing interfaces 3 If the corresponding S G entry exists but the interface on which the packet actually arrived is not the incoming interface in the multicast forwarding table the multicast packet is subject ...

Page 973: ...nicast network and multicast traffic follows the same transmission path as unicast traffic does By configuring a multicast static route for a given multicast source you can change the RPF route so as to create a transmission path for multicast traffic different from that for unicast traffic Figure 1 2 Changing an RPF route As shown in Figure 1 2 when no multicast static route is configured Router ...

Page 974: ...led an RPF static route z A multicast static route is effective only on the multicast router on which it is configured and will not be advertised throughout the network or redistributed to other routers Application of GRE Tunnel in Multicast Forwarding There may be routers that do not support multicast protocols in a network As multicast traffic from a multicast source is forwarded hop by hop by m...

Page 975: ...st hop router to the last hop router Concepts in multicast traceroute 1 Last hop router If a router has one of its interfaces connecting to the subnet the given destination address is on and if the router is able to forward multicast streams from the given multicast source onto that subnet that router is called last hop router 2 First hop router the router that directly connects to the multicast s...

Page 976: ...warding Range Optional Configuring the Multicast Forwarding Table Size Optional Configuring Static Multicast MAC Address Entries Optional Configuring Multicast Routing and Forwarding Tracing a Multicast Path Optional IP multicast does not support the use of secondary IP address segments Namely multicast can be routed and forwarded only through primary IP addresses rather than secondary addresses e...

Page 977: ...st routing protocol so that all devices in the domain are interoperable at the network layer z Enable PIM PIM DM or PIM SM Before configuring multicast routing and forwarding prepare the following data z The maximum number of downstream nodes for a single multicast forwarding table entry z The maximum number of entries in the multicast forwarding table Configuring Multicast Static Routes By config...

Page 978: ... Follow these steps to configure a multicast routing policy in the public instance To do Use the command Remarks Enter system view system view Configure the device to select the RPF route based on the longest match multicast longest match Required The route with the highest priority is selected as the RPF route by default Configure multicast load splitting multicast load splitting source source gr...

Page 979: ...ulticast routing entries however can exhaust the router s memory and thus result in lower router performance You can set a limit on the number of entries in the multicast forwarding table based on the actual networking situation and the performance requirements If the configured maximum number of multicast forwarding table entries is smaller than the current value the forwarding entries in excess ...

Page 980: ...ew ip vpn instance vpn instance name Configure the maximum number of entries in the multicast forwarding table multicast forwarding table route limit limit Optional 1000 by default Configure the maximum number of downstream nodes for a single route in the multicast forwarding table multicast forwarding table downstream limit limit Optional 128 by default Configuring Static Multicast MAC Address En...

Page 981: ...uration is effective for the specified interface When configuring a static multicast MAC address entry in interface view or port group view the configuration is effective only for the current interface or interfaces in the current port group z Any legal multicast MAC address except 0100 5Exx xxxx with x representing a hexadecimal number from 0 to F can be manually added to the multicast MAC addres...

Page 982: ...k mask length incoming interface interface type interface number register outgoing interface exclude include match interface type interface number register Available in any view Display information of the multicast static routing table display multicast routing table all instance vpn instance vpn instance name static config source address mask length mask Available in any view Display RPF route in...

Page 983: ...routing table Configuration Examples Changing an RPF Route Network requirements z PIM DM runs in the network All switches in the network support multicast z Switch A Switch B and Switch C run OSPF z Typically Receiver can receive the multicast data from Source through the path Switch A Switch B which is the same as the unicast route z Perform the following configuration so that Receiver can receiv...

Page 984: ...face vlan interface 102 SwitchB Vlan interface102 pim dm SwitchB Vlan interface102 quit Enable IP multicast routing on Switch A and enable PIM DM on each interface SwitchA system view SwitchA multicast routing enable SwitchA interface vlan interface 200 SwitchA Vlan interface200 pim dm SwitchA Vlan interface200 quit SwitchA interface vlan interface 102 SwitchA Vlan interface102 pim dm SwitchA Vlan...

Page 985: ...ast static route and the RPF neighbor is now Switch C Creating an RPF Route Network requirements z PIM DM runs in the network and all switches in the network support IP multicast z Switch B and Switch C run OSPF and have no unicast routes to Switch A z Typically Receiver can receive the multicast data from Source 1 in the OSPF domain z Perform the following configuration so that Receiver can recei...

Page 986: ...rface SwitchA system view SwitchA multicast routing enable SwitchC interface vlan interface 300 SwitchC Vlan interface300 pim dm SwitchC Vlan interface300 quit SwitchC interface vlan interface 102 SwitchC Vlan interface102 pim dm SwitchC Vlan interface102 quit The configuration on Switch B is similar to that on Switch A The specific configuration steps are omitted here Use the display multicast rp...

Page 987: ...tes to Source 2 exist on Switch B and Switch C The source is the configured static route Multicast Forwarding over GRE Tunnels Network requirements z Multicast routing and PIM DM are enabled on Switch A and Switch C Switch B does not support multicast z OSPF is running on Switch A Switch B and Switch C z Perform the following configurations so that Receiver can receive the multicast data from Sour...

Page 988: ... 1 1 1 SwitchC Tunnel0 quit 3 Configure OSPF Configure OSPF on Switch A SwitchA ospf 1 SwitchA ospf 1 area 0 SwitchA ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 network 20 1 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 network 50 1 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 quit SwitchA ospf 1 quit Configure OSPF on Switch B SwitchB system view SwitchB ospf 1 SwitchB osp...

Page 989: ...an interface102 pim dm SwitchC Vlan interface102 quit SwitchC interface tunnel 0 SwitchC Tunnel0 pim dm SwitchC Tunnel0 quit 5 Configure a static multicast route On Switch C configure a static multicast route and specify its RPF neighbor leading toward Source is Tunnel 0 on Switch A SwitchC ip rpf route static 10 1 1 0 24 50 1 1 1 6 Verify the configuration Source sends multicast data to the multi...

Page 990: ...In the configuration you can use the display multicast routing table static config command to view the detailed configuration information of multicast static routes to verify that the multicast static route has been correctly configured and the route entry exists 2 In the configuration you can use the display multicast routing table static command to view the information of multicast static routes...

Page 991: ...n 1 Use the display pim routing table command to check whether the corresponding S G entries exist on the router If so the router has received the multicast data otherwise the router has not received the data 2 Use the display multicast boundary command to view the multicast boundary information on the interfaces Use the multicast boundary command to change the multicast forwarding boundary settin...

Page 992: ...onfiguration Prerequisites 1 12 Configuring IGMP Message Options 1 12 Configuring IGMP Query and Response Parameters 1 13 Configuring IGMP Fast Leave Processing 1 16 Configuring IGMP SSM Mapping 1 16 Configuration Prerequisites 1 16 Enabling SSM Mapping 1 16 Configuring SSM Mappings 1 17 Configuring IGMP Proxying 1 17 Configuration Prerequisites 1 17 Enabling IGMP Proxying 1 18 Configuring Multica...

Page 993: ...series is in an IRF it operates as a distributed IRF device For introduction of IRF refer to IRF Configuration in the System Volume IGMP Overview As a TCP IP protocol responsible for IP multicast group member management the Internet Group Management Protocol IGMP is used by IP hosts to establish and maintain their multicast group memberships to immediately neighboring multicast routers IGMP Versio...

Page 994: ... router will act as the IGMP querier on the subnet In IGMPv1 the designated router DR elected by the working multicast routing protocol such as PIM serves as the IGMP querier For more information about DR refer to PIM Configuration in the IP Multicast Volume Figure 1 1 IGMP queries and reports Query Report DR Host A G2 Host B G1 Host C G1 Ethernet Router A Router B IP network Assume that Host B an...

Page 995: ...er the router forwards the multicast data to the local subnet and then the receivers on the subnet receive the data As IGMPv1 does not specifically define a Leave Group message upon leaving a multicast group an IGMPv1 host stops sending reports to the address of the multicast group it listened to If no member of a multicast group exists on the subnet the IGMP router will not receive any report add...

Page 996: ...rier will assume that no hosts on the subnet are still interested in multicast traffic to that group and will stop maintaining the memberships of the group Enhancements in IGMPv3 Built upon and being compatible with IGMPv1 and IGMPv2 IGMPv3 provides hosts with enhanced control capabilities and provides enhancements of query and report messages Enhancements in control capability of hosts IGMPv3 has...

Page 997: ...y the report sender requests the multicast data from any sources but those defined in the specified multicast source list z TO_IN The filtering mode has changed from Exclude to Include z TO_EX The filtering mode has changed from Include to Exclude z ALLOW The Source Address fields in this Group Record contain a list of the additional sources that the system wishes to hear from for packets sent to ...

Page 998: ...figured on Router A Router A cannot provide SSM service and drops the message z If G is in the SSM group range and the IGMP SSM mappings have been configured on Router A for multicast group G Router A translates the G information in the IGMP report into G INCLUDE S1 S2 information based on the configured IGMP SSM mappings and provides SSM service accordingly z The IGMP SSM mapping feature does not...

Page 999: ...filter mode and source list Such an entry is a collection of members in the same multicast group on each downstream interface A proxy device performs host functions on the upstream interface based on the database It responds to queries according to the information in the database or sends join leave messages when the database changes On the other hand the proxy device performs router functions on ...

Page 1000: ...P Proxying Configuring Multicast Forwarding on a Downstream Interface Optional z Configurations performed in IGMP view are effective on all interfaces while configurations performed in interface view are effective on the current interface only z If a feature is not configured for an interface in interface view the global configuration performed in IGMP view will apply to that interface If a featur...

Page 1001: ... by default Enabling IGMP in a VPN instance Follow these steps to enable IGMP in a VPN instance To do Use the command Remarks Enter system view system view Create a VPN instance and enter VPN instance view ip vpn instance vpn instance name Configure an RD for the VPN instance route distinguisher route distinguisher Required No RD is configured by default Enable IP multicast routing multicast routi...

Page 1002: ...erface interface type interface number Configure an IGMP version on the interface igmp version version number Optional IGMPv2 by default Configuring Static Joining After an interface is configured as a static member of a multicast group or a multicast source and group it will act as a virtual member of the multicast group to receive multicast data addressed to that multicast group for the purpose ...

Page 1003: ...s you can set an ACL rule on the interface as a packet filter so that the interface maintains only the multicast groups matching the criteria Follow these steps to configure a multicast group filter To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure a multicast group filter igmp group policy acl number version number...

Page 1004: ...functions of IGMP Before adjusting IGMP performance prepare the following data z Startup query interval z Startup query count z IGMP general query interval z IGMP querier s robustness variable z Maximum response time for IGMP general queries z IGMP last member query interval z Other querier present interval Configuring IGMP Message Options IGMP queries include group specific queries and group and ...

Page 1005: ...on Enable insertion of the Router Alert option into IGMP messages send router alert Optional By default IGMP messages carry the Router Alert option Configuring IGMP packet options on an interface Follow these steps to configure IGMP packet options on an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the...

Page 1006: ...fill their Max Response time field Namely for IGMP group specific queries the maximum response time equals the IGMP last member query interval When multiple multicast routers exist on the same subnet the IGMP querier is responsible for sending IGMP queries If a non querier router receives no IGMP query from the querier within the other querier present interval it will assume the querier to have ex...

Page 1007: ...l For the system default see Note below Configure the startup query count igmp startup query count value Optional For the system default see Note below Configure the IGMP query interval igmp timer query interval Optional 60 seconds by default Configure the IGMP querier robustness variable igmp robust count robust value Optional 2 by default Configure the maximum response time for IGMP general quer...

Page 1008: ...e IGMP querier may change frequently on the network z Make sure that the IGMP query interval is greater than the maximum response time for IGMP general queries otherwise multicast group members may be wrongly removed z The configurations of the maximum response time for IGMP general queries the IGMP last member query interval and the IGMP other querier present interval are effective only for IGMPv...

Page 1009: ... Enter public instance or VPN instance IGMP view igmp vpn instance vpn instance name Configure an IGMP SSM mapping ssm mapping group address mask mask length source address Required No IGMP mappings are configured by default If IGMPv3 is enabled on a VLAN interface and if a port in that VLAN is configured as a simulated host the simulated host will send IGMPv3 reports even if you did not specify a...

Page 1010: ...otocols such as PIM DM or PIM SM on interfaces with IGMP proxying enabled or vice versa However the source lifetime source policy and ssm policy commands configured in PIM view can still take effect In addition in IGMPv1 the designated router DR is elected by the working multicast routing protocol such as PIM to serve as the IGMP querier Therefore a downstream interface running IGMPv1 cannot be el...

Page 1011: ...e Available in any view Display layer 2 port information for IGMP multicast groups on a distributed device display igmp group port info vlan vlan id slot slot number verbose Available in any view Display IGMP configuration and operation information display igmp all instance vpn instance vpn instance name interface interface type interface number verbose Available in any view Display the informatio...

Page 1012: ...er 2 port information about IGMP multicast groups of static joins The reset igmp group command may cause an interruption of receivers reception of multicast data IGMP Configuration Examples Basic IGMP Functions Configuration Example Network requirements z Receivers receive VOD information through multicast Receivers of different organizations form stub networks N1 and N2 and Host A and Host C are ...

Page 1013: ... configuration steps are omitted here 2 Enable IP multicast routing and enable PIM DM and IGMP Enable IP multicast routing on Switch A enable PIM DM on each interface and enable IGMP on VLAN interface 100 SwitchA system view SwitchA multicast routing enable SwitchA interface vlan interface 100 SwitchA Vlan interface100 igmp enable SwitchA Vlan interface100 pim dm SwitchA Vlan interface100 quit Swi...

Page 1014: ...ace vlan interface 200 Vlan interface200 10 110 2 1 IGMP is enabled Current IGMP version is 2 Value of query interval for IGMP in seconds 60 Value of other querier present interval for IGMP in seconds 125 Value of maximum query response time for IGMP in seconds 10 Querier for IGMP 10 110 2 1 this router Total 1 IGMP Group reported SSM Mapping Configuration Example Network requirements z The PIM SM...

Page 1015: ...on steps are omitted here Configure OSPF for interoperability among the switches Ensure the network layer interoperation on the PIM SM domain and dynamic update of routing information among the switches through a unicast routing protocol The detailed configuration steps are omitted here 2 Enable IP multicast routing enable PIM SM on each interface and enable IGMP and IGMP SSM mapping on the host s...

Page 1016: ...e 104 SwitchD pim c rp vlan interface 104 SwitchD pim quit 4 Configure the SSM group range Configure the SSM group range 232 1 1 0 24 on Switch D SwitchD acl number 2000 SwitchD acl basic 2000 rule permit source 232 1 1 0 0 0 0 255 SwitchD acl basic 2000 quit SwitchD pim SwitchD pim ssm policy 2000 SwitchD pim quit The configuration on Switch A Switch B and Switch C is similar to that on Switch D ...

Page 1017: ... 133 133 1 1 232 1 1 1 Protocol pim ssm Flag UpTime 00 13 25 Upstream interface Vlan interface104 Upstream neighbor 192 168 4 2 RPF prime neighbor 192 168 4 2 Downstream interface s information Total number of downstreams 1 1 Vlan interface400 Protocol igmp UpTime 00 13 25 Expires 133 133 3 1 232 1 1 1 Protocol pim ssm Flag UpTime 00 13 25 Upstream interface Vlan interface103 Upstream neighbor 192...

Page 1018: ...quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 igmp enable SwitchA Vlan interface100 pim dm SwitchA Vlan interface100 quit Enable IP multicast routing on Switch B IGMP Proxying on VLAN interface 100 and IGMP on VLAN interface 200 SwitchB system view SwitchB multicast routing enable SwitchB interface vlan interface 100 SwitchB Vlan interface100 igmp proxying enable SwitchB Vlan...

Page 1019: ...t Analysis z The correctness of networking and interface connections and whether the protocol layer of the interface is up directly affect the generation of group membership information z Multicast routing must be enabled on the router and IGMP must be enabled on the interface connecting to the host z If the IGMP version on the router interface is lower than that on the host the router will not be...

Page 1020: ...alysis z A router running IGMP maintains multiple parameters for each interface and these parameters influence one another forming very complicated relationships Inconsistent IGMP interface parameter configurations for routers on the same subnet will surely result in inconsistency of memberships z In addition although an IGMP router is compatible with a host that is running a different IGMP versio...

Page 1021: ...ration Prerequisites 1 18 Enabling PIM SM 1 19 Configuring an RP 1 20 Configuring a BSR 1 22 Configuring Administrative Scoping 1 26 Configuring Multicast Source Registration 1 28 Disabling SPT Switchover 1 29 Configuring PIM SSM 1 30 PIM SSM Configuration Task List 1 30 Configuration Prerequisites 1 30 Enabling PIM SM 1 31 Configuring the SSM Group Range 1 32 Configuring PIM Common Features 1 32 ...

Page 1022: ...SM Configuration Example 1 54 Troubleshooting PIM Configuration 1 57 Failure of Building a Multicast Distribution Tree Correctly 1 57 Multicast Data Abnormally Terminated on an Intermediate Router 1 58 RPs Unable to Join SPT in PIM SM 1 59 RPT Establishment Failure or Source Registration Failure in PIM SM 1 59 ...

Page 1023: ...rmediate system to intermediate system IS IS or border gateway protocol BGP Independent of the unicast routing protocols running on the device multicast routing can be implemented as long as the corresponding multicast routing entries are created through unicast routes PIM uses the reverse path forwarding RPF mechanism to implement multicast forwarding When a multicast packet arrives on an interfa...

Page 1024: ...n z When a new receiver on a previously pruned branch joins a multicast group to reduce the join latency PIM DM uses a graft mechanism to resume data forwarding to that branch Generally speaking the multicast forwarding path is a source tree namely a forwarding tree with the multicast source as its root and multicast group members as its leaves Because the source tree is the shortest path from the...

Page 1025: ...multicast group down to this node z An S G entry contains the multicast source address S multicast group address G outgoing interface list and incoming interface z For a given multicast stream the interface that receives the multicast stream is referred to as upstream and the interfaces that forward the multicast stream are referred to as downstream A prune process is first initiated by a leaf rou...

Page 1026: ...i access network where more than one multicast router exists by electing a unique multicast forwarder on the multi access network Figure 1 2 Assert mechanism As shown in Figure 1 2 after Router A and Router B receive an S G packet from the upstream node they both forward the packet to the local subnet As a result the downstream node Router C receives two identical multicast packets and both Router...

Page 1027: ...in as the common node or rendezvous point RP through which the multicast data travels along the RPT and reaches the receivers z When a receiver is interested in the multicast data addressed to a specific multicast group the router connected to this receiver sends a join message to the RP corresponding to that multicast group The path along which the message goes hop by hop to the RP forms a branch...

Page 1028: ...a DR However if IGMPv1 runs on any multi access network in a PIM DM domain a DR must be elected to act as the IGMPv1 querier on that multi access network z IGMP must be enabled on a device that acts as a receiver side DR before receivers attached to this device can join multicast groups through this DR For details about IGMP refer to IGMP Configuration in the IP Multicast Volume Figure 1 3 DR elec...

Page 1029: ... one BSR but can have multiple candidate BSRs C BSRs Once the BSR fails a new BSR is automatically elected from the C BSRs to avoid service interruption z An RP can serve multiple multicast groups or all multicast groups Only one RP can serve a given multicast group at a time z A device can serve as a C RP and a C BSR at the same time As shown in Figure 1 4 each C RP periodically unicasts its adve...

Page 1030: ...i IP address of the C RP Logical operator of and XOR Logical operator of exclusive or Mod Modulo operator which gives the remainder of an integer division RPT establishment Figure 1 5 RPT establishment in a PIM SM domain As shown in Figure 1 5 the process of building an RPT is as follows 1 When a receiver joins multicast group G it uses an IGMP message to inform the directly connected DR 2 Upon ge...

Page 1031: ... in Figure 1 6 the multicast source registers with the RP as follows 1 When the multicast source S sends the first multicast packet to multicast group G the DR directly connected with the multicast source upon receiving the multicast packet encapsulates the packet in a PIM register message and sends the message to the corresponding RP by unicast 2 When the RP receives the register message it extra...

Page 1032: ... RP or the DR at the receiver side to initiate an SPT switchover process 1 The RP initiates an SPT switchover process Upon receiving the first multicast packet the RP sends an S G join message hop by hop toward the multicast source to establish an SPT between the DR at the source side and the RP The subsequent multicast data from the multicast source travels along the established SPT to the RP For...

Page 1033: ...tains one BSR which serves multicast groups within a specific range Multicast protocol packets such as assert messages and bootstrap messages for a specific group range cannot cross the admin scope zone boundary Multicast group ranges served by different admin scope zones can overlap A multicast group is valid only within its local admin scope zone functioning as a private group address The global...

Page 1034: ...p address ranges Each admin scope zone serves specific multicast groups Usually these addresses have no intersections however they may overlap one another Figure 1 8 Relationship between admin scope zones and the global scope zone in group address ranges In Figure 1 8 the group address ranges of admin scope 1 and 2 have no intersection whereas the group address range of admin scope 3 is a subset o...

Page 1035: ...PT is required there is no source registration process and there is no need of using the multicast source discovery protocol MSDP for discovering sources in other PIM domains Compared with the ASM model the SSM model only needs the support of IGMPv3 and some subsets of PIM SM The operation mechanism of PIM SSM can be summarized as follows z Neighbor discovery z DR election z SPT building Neighbor ...

Page 1036: ...is used to refer to a join message Multi Instance PIM A multicast router running multiple instances maintains an independent set of PIM neighbor table multicast routing table BSR information and RP set information for each instance Upon receiving a multicast data packet the multicast router determines the VPN instance the data packet belongs to and then forwards the packet as per the multicast rou...

Page 1037: ...ses messages from the PIM neighbors When deploying a PIM DM domain you are recommended to enable PIM DM on all non border interfaces of the routers Enabling PIM DM globally in the public instance Follow these steps to enable PIM DM globally in the public instance To do Use the command Remarks Enter system view system view Enable IP multicast routing multicast routing enable Required Disable by def...

Page 1038: ...ulticast forwarding when the pruned state times out To prevent this the router with the multicast source attached periodically sends an S G state refresh message which is forwarded hop by hop along the initial multicast flooding path of the PIM DM domain to refresh the prune timer state of all the routers on the path A multi access subnet can have the state refresh capability only if the state ref...

Page 1039: ...ks Enter system view system view Enter public instance PIM view or VPN instance PIM view pim vpn instance vpn instance name Configure the interval between state refresh messages state refresh interval interval Optional 60 seconds by default Configure the time to wait before receiving a new state refresh message state refresh rate limit interval Optional 30 seconds by default Configure the TTL valu...

Page 1040: ...global scope zone Optional Configuring Multicast Source Registration Optional Disabling SPT Switchover Optional Configuring PIM Common Features Optional Configuration Prerequisites Before configuring PIM SM complete the following task z Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer Before configuring PIM SM prepare the following dat...

Page 1041: ...nter system view system view Enable IP multicast routing multicast routing enable Required Disable by default Enter interface view interface interface type interface number Enable PIM SM pim sm Required Disabled by default Enabling PIM SM in a VPN instance Follow these steps to enable PIM SM in a VPN instance To do Use the command Description Enter system view system view Create a VPN instance and...

Page 1042: ...If there is only one dynamic RP in a network manually configuring a static RP can avoid communication interruption due to single point failures and avoid frequent message exchange between C RPs and the BSR Perform this configuration on all the routers in the PIM SM domain Follow these steps to configure a static RP To do Use the command Remarks Enter system view system view Enter public instance P...

Page 1043: ...policy acl number priority priority holdtime hold interval advertisement interval adv interval Required No C RPs are configured by default Configure a legal C RP address range and the range of multicast groups to be served crp policy acl number Optional No restrictions by default z When configuring a C RP ensure a relatively large bandwidth between this C RP and the other devices in the PIM SM dom...

Page 1044: ...ional 60 seconds by default Configure C RP timeout time c rp holdtime interval Optional 150 seconds by default For the configuration of other timers in PIM SM refer to Configuring PIM Common Timers Configuring a BSR A PIM SM domain can have only one BSR but must have at least one C BSR Any router can be configured as a C BSR Elected from C BSRs the BSR is responsible for collecting and advertising...

Page 1045: ...ng as the neighbor router discards these bootstrap messages Therefore with a legal BSR address range configured on all routers in the entire network all these routers will discard bootstrap messages from out of the legal address range The above mentioned preventive measures can partially protect the security of BSRs in a network However if a legal BSR is controlled by an attacker the above mention...

Page 1046: ...figure a PIM domain border pim bsr boundary Required By default no PIM domain border is configured Configuring global C BSR parameters In each PIM SM domain a unique BSR is elected from C BSRs The C RPs in the PIM SM domain send advertisement messages to the BSR The BSR summarizes the advertisement messages to form an RP set and advertises it to all routers in the PIM SM domain All the routers use...

Page 1047: ... IP address and RP Set information through bootstrap messages within the entire zone it serves The BSR floods bootstrap messages throughout the network at the interval of BS BSR state period Any C BSR that receives a bootstrap message retains the RP set for the length of BS timeout during which no BSR election takes place If the BSR state times out and no bootstrap message is received from the BSR...

Page 1048: ...pe zones Each admin scope zone maintains a BSR which serves a specific multicast group range while the global scope zone also maintains a BSR which serves all the rest multicast groups Enabling administrative scoping Before configuring an admin scope zone you must enable administrative scoping first Perform the following configuration on all routers in the PIM SM domain Follow these steps to enabl...

Page 1049: ...ected from C BSRs C RPs in the network send advertisement messages to the specific BSR The BSR summarizes the advertisement messages to form an RP set and advertises it to all routers in the specific admin scope zone All the routers use the same Hash algorithm to get the RP address corresponding to the specific multicast group Configure C BSRs for each admin scope zone and the global scope zone 1 ...

Page 1050: ...lobal scope zone level or admin scope zone level the corresponding global values will be used For configuration of global C BSR parameters see Configuring global C BSR parameters Configuring Multicast Source Registration Within a PIM SM domain the source side DR sends register messages to the RP and these register messages have different multicast source or group addresses You can configure a filt...

Page 1051: ... all routers that may become source side DRs Follow these steps to configure register related parameters To do Use the command Remarks Enter system view system view Enter public instance PIM view or VPN instance PIM view pim vpn instance vpn instance name Configure a filtering rule for register messages register policy acl number Optional No register filtering rule by default Configure the device ...

Page 1052: ...t use spt switch threshold infinity command on a switch that may become an RP namely a static RP or a C RP Configuring PIM SSM The PIM SSM model needs the support of IGMPv3 Therefore be sure to enable IGMPv3 on PIM routers with multicast receivers PIM SSM Configuration Task List Complete these tasks to configure PIM SSM Task Remarks Enabling PIM SM Required Configuring the SSM Group Range Optional...

Page 1053: ...ce interface type interface number Enable PIM SM pim sm Required Disabled by default Enabling PIM SM in a VPN instance Follow these steps to enable PIM SM in a VPN instance To do Use the command Description Enter system view system view Create a VPN instance and enter VPN instance view ip vpn instance vpn instance name Configure a route distinguisher RD for the VPN instance route distinguisher rou...

Page 1054: ... multicast groups within this address range are using the PIM SSM model Perform the following configuration on all routers in the PIM SM domain Follow these steps to configure an SSM multicast group range To do Use the command Remarks Enter system view system view Enter public instance PIM view or VPN instance PIM view pim vpn instance vpn instance name Configure the SSM group range ssm policy acl...

Page 1055: ...une Message Sizes Optional Configuration Prerequisites Before configuring PIM common features complete the following tasks z Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer z Configure PIM DM or PIM SM or PIM SSM Before configuring PIM common features prepare the following data z An ACL rule for filtering multicast data z An ACL rule ...

Page 1056: ...ticast data filter by default z Generally a smaller distance from the filter to the multicast source results in a more remarkable filtering effect z This filter works not only on independent multicast data but also on multicast data encapsulated in register messages Configuring a Hello Message Filter Along with the wide applications of PIM the security requirement for the protocol is becoming more...

Page 1057: ...llowed to wait before sending a prune override message When a router receives a prune message from a downstream router it does not perform the prune action immediately instead it maintains the current forwarding state for a period of LAN delay plus override interval If the downstream router needs to continue receiving multicast data it must send a prune override message within the prune override i...

Page 1058: ...pim hello option dr priority priority Optional 1 by default Configure PIM neighbor timeout time pim hello option holdtime interval Optional 105 seconds by default Configure the prune message delay time LAN delay pim hello option lan delay interval Optional 500 milliseconds by default Configure the prune override interval pim hello option override interval interval Optional 2 500 milliseconds by de...

Page 1059: ...t has lost assert election will prune its downstream interface and maintain the assert state for a period of time When the assert state times out the assert losers will resume multicast forwarding When a router fails to receive subsequent multicast data from multicast source S the router does not immediately delete the corresponding S G entry instead it maintains the S G entry for a period of time...

Page 1060: ...fault If there are no special networking requirements we recommend that you use the default settings Configuring Join Prune Message Sizes A larger join prune message size will result in loss of a larger amount of information when a message is lost with a reduced join message size the loss of a single message will bring relatively minor impact By controlling the maximum number of S G entries in a j...

Page 1061: ...terface type interface number verbose Available in any view View the information of join prune messages to send display pim all instance vpn instance vpn instance name join prune mode sm flags flag value ssm interface interface type interface number neighbor neighbor address verbose Available in any view View PIM neighboring information display pim all instance vpn instance vpn instance name neigh...

Page 1062: ...tub network N2 through their respective VLAN interface 200 and to Switch D through VLAN interface 101 and VLAN interface 102 respectively z IGMPv2 is to run between Switch A and N1 and between Switch B Switch C and N2 Network diagram Figure 1 10 Network diagram for PIM DM configuration Ethernet Ethernet Ethernet N1 N2 V l a n i n t 1 0 2 V l a n i n t 1 0 2 V l a n i n t 1 0 3 V l a n i n t 1 0 3 ...

Page 1063: ...quit The configuration on Switch B and Switch C is similar to that on Switch A Enable IP multicast routing on Switch D and enable PIM DM on each interface SwitchD system view SwitchD multicast routing enable SwitchD interface vlan interface 300 SwitchD Vlan interface300 pim dm SwitchD Vlan interface300 quit SwitchD interface vlan interface 103 SwitchD Vlan interface103 pim dm SwitchD Vlan interfac...

Page 1064: ... PIM routing table information on each switch For example View the PIM routing table information on Switch A SwitchA display pim routing table Total 1 G entry 1 S G entry 225 1 1 1 Protocol pim dm Flag WC UpTime 00 04 25 Upstream interface NULL Upstream neighbor NULL RPF prime neighbor NULL Downstream interface s information Total number of downstreams 1 1 Vlan interface100 Protocol igmp UpTime 00...

Page 1065: ... C are multicast receivers in two stub networks z Switch D connects to the network that comprises the multicast source Source through VLAN interface 300 z Switch A connects to stub network N1 through VLAN interface 100 and to Switch D and Switch E through VLAN interface 101 and VLAN interface 102 respectively z Switch B and Switch C connect to stub network N2 through their respective VLAN interfac...

Page 1066: ...onfigure IP addresses and unicast routing Configure the IP address and subnet mask for each interface as per Figure 1 11 Detailed configuration steps are omitted here Configure the OSPF protocol for interoperation among the switches in the PIM SM domain Ensure the network layer interoperation in the PIM SM domain and enable dynamic update of routing information among the switches through a unicast...

Page 1067: ...m quit On Switch E configure the service scope of RP advertisements specify a C BSR and a C RP and set the hash mask length to 32 and the priority of the C BSR to 20 SwitchE system view SwitchE acl number 2005 SwitchE acl basic 2005 rule permit source 225 1 1 0 0 0 0 255 SwitchE acl basic 2005 quit SwitchE pim SwitchE pim c bsr vlan interface 102 32 20 SwitchE pim c rp vlan interface 102 group pol...

Page 1068: ...Scope Not scoped Candidate RP 192 168 4 2 Vlan interface105 Priority 0 HoldTime 150 Advertisement Interval 60 Next advertisement scheduled at 00 00 34 View the BSR information and the locally configured C RP information in effect on Switch E SwitchE display pim bsr info Elected BSR Address 192 168 9 2 Priority 20 Hash mask length 32 State Elected Scope Not scoped Uptime 00 01 18 Next BSR message s...

Page 1069: ...tween Switch D and Switch E Upon receiving multicast data Switch A immediately switches from the RPT to the SPT Switches on the RPT path Switch A and Switch E have a G entry while switches on the SPT path Switch A and Switch D have an S G entry You can use the display pim routing table command to view the PIM routing table information on the switches For example View the PIM routing table informat...

Page 1070: ... View the PIM routing table information on Switch E SwitchE display pim routing table Total 1 G entry 0 S G entry 225 1 1 0 RP 192 168 9 2 local Protocol pim sm Flag WC UpTime 00 13 16 Upstream interface Register Upstream neighbor 192 168 4 2 RPF prime neighbor 192 168 4 2 Downstream interface s information Total number of downstreams 1 1 Vlan interface102 Protocol pim sm UpTime 00 13 16 Expires 0...

Page 1071: ...n int104 Vlan int108 Vlan int107 Vlan int107 Vlan int109 Vlan int109 Vlan int500 V l a n i n t 1 0 5 Vlan int108 Vlan int400 Vlan int110 Vlan int110 Vlan int106 V l a n i n t 6 0 0 Vlan int100 Vlan int200 V l a n i n t 1 0 3 Vlan int102 Vlan int102 Vlan int101 Vlan int101 Admin scope 2 PIM SM Global scope Admin scope 1 Receiver Host B Receiver Host C Device Interface IP address Device Interface IP...

Page 1072: ... interface 100 SwitchA Vlan interface100 igmp enable SwitchA Vlan interface100 pim sm SwitchA Vlan interface100 quit SwitchA interface vlan interface 101 SwitchA Vlan interface101 pim sm SwitchA Vlan interface101 quit The configuration on Switch E and Switch I is similar to the configuration on Switch A On Switch B enable IP multicast routing and administrative scoping and enable PIM SM on each in...

Page 1073: ...stem view SwitchD interface vlan interface 107 SwitchD Vlan interface107 multicast boundary 239 0 0 0 8 SwitchD Vlan interface107 quit 4 Configure C BSRs and C RPs On Switch B configure the service scope of RP advertisements and configure VLAN interface 101 as a C BSR and C RP of admin scope zone 1 SwitchB acl number 2001 SwitchB acl basic 2001 rule permit source 239 0 0 0 0 255 255 255 SwitchB ac...

Page 1074: ...d Scope Global Uptime 00 01 45 Expires 00 01 25 Elected BSR Address 10 110 1 2 Priority 0 Hash mask length 30 State Elected Scope 239 0 0 0 8 Uptime 00 04 54 Next BSR message scheduled at 00 00 06 Candidate BSR Address 10 110 1 2 Priority 0 Hash mask length 30 State Elected Scope 239 0 0 0 8 Candidate RP 10 110 1 2 Vlan interface101 Priority 0 HoldTime 150 Advertisement Interval 60 Next advertisem...

Page 1075: ...ay pim bsr info Elected BSR Address 10 110 9 1 Priority 0 Hash mask length 30 State Elected Scope Global Uptime 00 11 11 Next BSR message scheduled at 00 00 49 Candidate BSR Address 10 110 9 1 Priority 0 Hash mask length 30 State Elected Scope Global Candidate RP 10 110 9 1 Vlan interface109 Priority 0 HoldTime 150 Advertisement Interval 60 Next advertisement scheduled at 00 00 55 To view the RP i...

Page 1076: ...Group MaskLen 224 0 0 0 4 RP 10 110 9 1 local Priority 0 HoldTime 150 Uptime 00 00 32 Expires 00 01 58 PIM SSM Configuration Example Network requirements z Receivers receive VOD information through multicast The receiver groups of different organizations form stub networks and one or more receiver hosts exist in each stub network The entire PIM domain operates in the SSM mode z Host A and Host C a...

Page 1077: ...witch B Vlan int200 10 110 2 1 24 Switch E Vlan int104 192 168 3 2 24 Vlan int103 192 168 2 1 24 Vlan int103 192 168 2 2 24 Switch C Vlan int200 10 110 2 2 24 Vlan int102 192 168 9 2 24 Vlan int104 192 168 3 1 24 Vlan int105 192 168 4 1 24 Configuration procedure 1 Configure IP addresses and unicast routing Configure the IP address and subnet mask for each interface as per Figure 1 13 Detailed con...

Page 1078: ...tchA pim SwitchA pim ssm policy 2000 SwitchA pim quit The configuration on Switch B Switch C Switch D and Switch E is similar to that on Switch A 4 Verify the configuration Carry out the display pim interface command to view the PIM configuration and running status on each interface For example View the PIM configuration information on Switch A SwitchA display pim interface Interface NbrCnt HelloI...

Page 1079: ...orwarding entries That is a multicast distribution tree cannot be built correctly and clients cannot receive multicast data Analysis z When PIM DM runs on the entire network multicast data is flooded from the first hop router connected with the multicast source to the last hop router connected with the clients When the multicast data is flooded to a router no matter which router is it creates S G ...

Page 1080: ...neighbor command to view the PIM neighbor information 4 Check that PIM and IGMP are enabled on the interfaces directly connecting to the multicast source and to the receivers 5 Check that the same PIM mode is enabled on related interfaces Use the display pim interface verbose command to check whether the same PIM mode is enabled on the RPF interface and the corresponding interface of the RPF neigh...

Page 1081: ... rp info command to check whether the same static RP address has been configured on all the routers in the entire network RPT Establishment Failure or Source Registration Failure in PIM SM Symptom C RPs cannot unicast advertise messages to the BSR The BSR does not advertise bootstrap messages containing C RP information and has no unicast route to any C RP An RPT cannot be established correctly or...

Page 1082: ...upport of the RP and BSR Use the display pim bsr info command to check whether the BSR information is available on each router and then use the display pim rp info command to check whether the RP information is correct 3 View PIM neighboring relationships Use the display pim neighbor command to check whether the normal PIM neighboring relationships have been established among the routers ...

Page 1083: ...guring MSDP Peer Connection Control 1 12 Configuring SA Messages Related Parameters 1 12 Configuration Prerequisites 1 12 Configuring SA Message Content 1 13 Configuring SA Request Messages 1 13 Configuring SA Message Filtering Rules 1 14 Configuring the SA Cache Mechanism 1 15 Displaying and Maintaining MSDP 1 16 MSDP Configuration Examples 1 16 Inter AS Multicast Configuration Leveraging BGP Rou...

Page 1084: ...d to discover multicast source information in other PIM SM domains In the basic PIM SM mode a multicast source registers only with the RP in the local PIM SM domain and the multicast source information of a domain is isolated from that of another domain As a result the RP is aware of the source information only within the local domain and a multicast distribution tree is built only within the loca...

Page 1085: ... side RP creates SA messages and sends the messages to its remote MSDP peer to notify the MSDP peer of the locally registered multicast source information A source side MSDP peer must be created on the source side RP otherwise it will not be able to advertise the multicast source information out of the PIM SM domain z Receiver side MSDP peer the MSDP peer nearest to the receivers typically the rec...

Page 1086: ... exists in the domain PIM SM 1 and RP 1 has learned the existence of Source through multicast source registration If RPs in PIM SM 2 and PIM SM 3 also wish to know the specific location of Source so that receiver hosts can receive multicast traffic originated from it MSDP peering relationships should be established between RP 1 and RP 3 and between RP 3 and RP 2 respectively Figure 1 2 MSDP peerin...

Page 1087: ...the multicast source side so that it can directly join the SPT rooted at the source over other PIM SM domains Then the multicast data can flow along the SPT to RP 2 and is forwarded by RP 2 to the receivers along the RPT Upon receiving the multicast traffic the DR at the receiver side DR 2 decides whether to initiate an RPT to SPT switchover process z If no receivers for the group exist in the dom...

Page 1088: ...me as the MSDP peer address which means that the MSDP peer where the SA is from is the RP that has created the SA message RP 2 accepts the SA message and forwards it to its other MSDP peer RP 3 2 When RP 3 receives the SA message from RP 2 Because the SA message is from an MSDP peer RP 2 in the same AS and the MSDP peer is the next hop on the optimal path to the source side RP RP 3 accepts the mes...

Page 1089: ... MSDP peers Anycast RP refers to such an application that enables load balancing and redundancy backup between two or more RPs within a PIM SM domain by configuring the same IP address for and establishing MSDP peering relationships between these RPs As shown in Figure 1 4 within a PIM SM domain a multicast source sends multicast data to multicast group G and Receiver is a member of the multicast ...

Page 1090: ... PIM SM domain and forward part of the multicast data thus achieving load balancing between different RPs z Redundancy backup between RPs When an RP fails the multicast source previously registered on it or the receivers previous joined it will register with or join another nearest RP thus achieving redundancy backup between RPs z Be sure to configure a 32 bit subnet mask 255 255 255 255 for the A...

Page 1091: ... Configuring the SA Cache Mechanism Optional Configuring Basic Functions of MSDP All the configuration tasks should be carried out on RPs in PIM SM domains and each of these RPs acts as an MSDP peer Configuration Prerequisites Before configuring the basic functions of MSDP complete the following tasks z Configure any unicast routing protocol so that all devices in the domain are interoperable at t...

Page 1092: ...system view quit Enable MSDP and enter VPN instance MSDP view msdp vpn instance vpn instance name Required Disabled by default z For details about the ip vpn instance and route distinguisher commands see MPLS L3VPN Commands in the MPLS Volume z For details about the multicast routing table command see Multicast Routing and Forwarding Commands in the IP Multicast Volume Creating an MSDP Peer Connec...

Page 1093: ...Use the command Remarks Enter system view system view Enter public instance MSDP view or VPN instance MSDP view msdp vpn instance vpn instance name Configure a static RPF peer static rpf peer peer address rp policy ip prefix name Required No static RPF peer configured by default If only one MSDP peer is configured on a router this MSDP will be registered as a static RPF peer Configuring an MSDP Pe...

Page 1094: ...ast traffic On one hand an MSDP peer in an MSDP mesh group forwards SA messages from outside the mesh group that have passed the RPF check to the other members in the mesh group on the other hand a mesh group member accepts SA messages from inside the group without performing an RPF check and does not forward the message within the mesh group either This mechanism not only avoids SA flooding but a...

Page 1095: ...s to resume operation a TCP connection is required You can flexibly adjust the interval between MSDP peering connection retries Follow these steps to configure MSDP peer connection control To do Use the command Remarks Enter system view system view Enter public instance MSDP view or VPN instance MSDP view msdp vpn instance vpn instance name Deactivate an MSDP peer shutdown peer address Optional Ac...

Page 1096: ...is the same as the local RP address it will discard the SA message In the Anycast RP application however you need to configure RPs with the same IP address on two or more routers in the same PIM SM domain and configure these routers as MSDP peers to one another Therefore a logic RP address namely the RP address on the logic interface that is different from the actual RP address must be designated ...

Page 1097: ...ing or forwarding an SA message so that the propagation of multicast source information is controlled at SA message reception or forwarding By configuring a TTL threshold for multicast data packet encapsulation in SA messages you can control the multicast data packet encapsulation in SA messages and limit the propagation range of SA messages z Before creating an SA message with an encapsulated mul...

Page 1098: ...ocally on the router However the more S G entries are cached the larger memory space of the router is used With the SA cache mechanism enabled when receiving a new G join message the router searches its SA cache first z If the corresponding S G entry does not exist in the cache the router waits for the SA message its MSDP peer will send in the next cycle z If the corresponding S G entry exists in ...

Page 1099: ...le in user view Clear S G entries in the SA cache reset msdp all instance vpn instance vpn instance name sa cache group address Available in user view Clear all statistics information of an MSDP peer reset msdp all instance vpn instance vpn instance name statistics peer address Available in user view MSDP Configuration Examples Inter AS Multicast Configuration Leveraging BGP Routes Network require...

Page 1100: ...Loop0 1 1 1 1 32 Switch F Vlan int105 10 110 6 2 24 Switch C Vlan int104 10 110 4 1 24 Vlan int400 10 110 7 1 24 Vlan int102 192 168 3 1 24 Source 1 10 110 2 100 24 Vlan int101 192 168 1 2 24 Source 2 10 110 5 100 24 Loop0 2 2 2 2 32 Configuration procedure 1 Configure IP addresses and unicast routing Configure the IP address and subnet mask for each interface as per Figure 1 5 Detailed configurat...

Page 1101: ... 0 as a C BSR and a C RP on Switch B SwitchB pim SwitchB pim c bsr loopback 0 SwitchB pim c rp loopback 0 SwitchB pim quit The configuration on Switch C and Switch E is similar to the configuration on Switch B 4 Configure BGP for mutual route redistribution between BGP and OSPF Configure EBGP on Switch B and redistribute OSPF routes SwitchB bgp 100 SwitchB bgp router id 1 1 1 1 SwitchB bgp peer 19...

Page 1102: ...8 3 1 connect interface vlan interface 102 SwitchE msdp quit 6 Verify the configuration Carry out the display bgp peer command to view the BGP peering relationships between the switches For example View the information about BGP peering relationships on Switch B SwitchB display bgp peer BGP local router ID 1 1 1 1 Local AS number 100 Total number of peers 1 Peers in established state 1 Peer V AS M...

Page 1103: ...twork NextHop MED LocPrf PrefVal Path Ogn 1 1 1 1 32 192 168 1 1 0 0 100 i 2 2 2 2 32 192 168 3 2 0 100 0 3 3 3 3 32 0 0 0 0 0 0 192 168 1 0 0 0 0 0 0 0 192 168 1 1 0 0 100 192 168 1 1 32 0 0 0 0 0 0 192 168 1 2 32 0 0 0 0 0 0 192 168 1 1 0 0 100 192 168 3 0 0 0 0 0 0 0 i 192 168 3 2 0 100 0 192 168 3 1 32 0 0 0 0 0 0 192 168 3 2 32 0 0 0 0 0 0 i 192 168 3 2 0 100 0 When the multicast source in PI...

Page 1104: ...200 8 0 View the detailed MSDP peer information on Switch B SwitchB display msdp peer status MSDP Peer 192 168 1 2 AS 200 Description Information about connection status State Up Up down time 00 15 47 Resets 0 Connection interface Vlan interface101 192 168 1 1 Number of sent received messages 16 16 Number of discarded output messages 0 Elapsed time since last connection or counters clear 00 17 51 ...

Page 1105: ...to provide unicast routes z PIM SM 2 and PIM SM 3 are both stub domains and BGP or MBGP is not required between these two domains and PIM SM 1 Instead static RPF peers are configured to avoid RPF check on SA messages z It is required that the respective loopback 0 of Switch B Switch C and Switch E be configured as the C BSR and C RP of the respective PIM SM domains z It is required that Switch C a...

Page 1106: ... 3 3 32 Vlan int102 192 168 3 1 24 Switch F Vlan int105 10 110 6 2 24 Loop0 1 1 1 1 32 Vlan int400 10 110 7 1 24 Switch C Vlan int101 192 168 1 2 24 Source 1 10 110 2 100 24 Vlan int104 10 110 4 1 24 Source 2 10 110 5 100 24 Loop0 2 2 2 2 32 Configuration procedure 1 Configure IP addresses and unicast routing Configure the IP address and subnet mask for each interface as per Figure 1 6 Detailed co...

Page 1107: ...im c bsr loopback 0 SwitchB pim c rp loopback 0 SwitchB pim quit The configuration on Switch C and Switch E is similar to the configuration on Switch B 4 Configure a static RPF peer Configure Switch C and Switch E as a static RPF peers of Switch B SwitchB ip ip prefix list df permit 192 168 0 0 16 greater equal 16 less equal 32 SwitchB msdp SwitchB msdp peer 192 168 3 2 connect interface vlan inte...

Page 1108: ... brief MSDP peer information on Switch B SwitchB display msdp brief MSDP Peer Brief Information Configured Up Listen Connect Shutdown Down 2 2 0 0 0 0 Peer s Address State Up Down time AS SA Count Reset Count 192 168 3 2 Up 01 07 08 8 0 192 168 1 2 Up 00 16 39 13 0 View the brief MSDP peer information on Switch C SwitchC display msdp brief MSDP Peer Brief Information Configured Up Listen Connect S...

Page 1109: ...4 Switch C Vlan int101 192 168 1 2 24 Source 2 10 110 6 100 24 Vlan int102 192 168 2 2 24 Switch A Vlan int300 10 110 5 1 24 Switch D Vlan int200 10 110 3 1 24 Vlan int103 10 110 2 2 24 Vlan int104 10 110 4 1 24 Switch B Vlan int100 10 110 1 1 24 Vlan int102 192 168 2 1 24 Vlan int103 10 110 2 1 24 Loop0 2 2 2 2 32 Vlan int101 192 168 1 1 24 Loop10 4 4 4 4 32 Loop0 1 1 1 1 32 Loop20 10 1 1 1 32 Lo...

Page 1110: ...SwitchB LoopBack10 quit SwitchB interface loopback 20 SwitchB LoopBack20 pim sm SwitchB LoopBack20 quit The configuration on Switch A Switch C Switch D and Switch E is similar to the configuration on Switch B 3 Configure C BSRs and C RPs Configure Loopback 10 as a C BSR and Loopback 20 as a C RP on Switch B SwitchB pim SwitchB pim c bsr loopback 10 SwitchB pim c rp loopback 20 SwitchB pim quit The...

Page 1111: ... display pim routing table command When Source 1 10 110 5 100 24 sends multicast data to multicast group G 225 1 1 1 Host A joins multicast group G By comparing the PIM routing information displayed on Switch B with that displayed on Switch D you can see that Switch B acts now as the RP for Source 1 and Host A View the PIM routing information on Switch B SwitchB display pim routing table Total 1 G...

Page 1112: ...IM routing information on Switch B SwitchB display pim routing table No information is output on Switch B View the PIM routing information on Switch D SwitchD display pim routing table Total 1 G entry 1 S G entry 225 1 1 1 RP 10 1 1 1 local Protocol pim sm Flag WC UpTime 00 12 07 Upstream interface Register Upstream neighbor NULL RPF prime neighbor NULL Downstream interface s information Total num...

Page 1113: ... multicast groups 225 1 1 0 30 and 226 1 1 0 30 while Host can receive only the multicast data addressed to multicast groups 226 1 1 0 30 and 227 1 1 0 30 Network diagram Figure 1 8 Network diagram for SA message filtering configuration Loop0 Vlan int102 Vlan int102 Device Interface IP address Device Interface IP address Source 1 10 110 3 100 24 Switch C Vlan int300 10 110 4 1 24 Source 2 10 110 6...

Page 1114: ...n interface101 pim sm SwitchA Vlan interface101 quit SwitchA interface vlan interface 102 SwitchA Vlan interface102 pim sm SwitchA Vlan interface102 quit SwitchA interface loopback 0 SwitchA LoopBack0 pim sm SwitchA LoopBack0 quit The configuration on Switch B Switch C and Switch D is similar to the configuration on Switch A The specific configuration steps are omitted here Configure a PIM domain ...

Page 1115: ...1 0 30 to Switch D SwitchC acl number 3001 SwitchC acl adv 3001 rule deny ip source 10 110 3 100 0 destination 225 1 1 0 0 0 0 3 SwitchC acl adv 3001 rule permit ip source any destination any SwitchC acl adv 3001 quit SwitchC msdp SwitchC msdp peer 10 110 5 2 sa policy export acl 3001 SwitchC msdp quit Configure an SA message rule on Switch D so that Switch D will not create SA messages for Source...

Page 1116: ... 1 1 1 1 00 32 53 00 05 07 Troubleshooting MSDP MSDP Peers Stay in Down State Symptom The configured MSDP peers stay in the down state Analysis z A TCP connection based MSDP peering relationship is established between the local interface address and the MSDP peer after the configuration z The TCP connection setup will fail if there is a consistency between the local interface address and the MSDP ...

Page 1117: ...r argument and make sure that ACL rule can filter appropriate S G entries Inter RP Communication Faults in Anycast RP Application Symptom RPs fail to exchange their locally registered S G entries with one another in the Anycast RP application Analysis z In the Anycast RP application RPs in the same PIM SM domain are configured to be MSDP peers to achieve load balancing among the RPs z An MSDP peer...

Page 1118: ... command In the Anycast RP application environment be sure to use the originating rp command to configure the RP address in the SA messages which must be the local interface address 4 Verify that the C BSR address is different from the anycast RP address ...

Page 1119: ...Dampening 1 7 Configuring MBGP Route Attributes 1 7 Prerequisites 1 8 Configuring MBGP Route Preferences 1 8 Configuring the Default Local Preference 1 8 Configuring the MED Attribute 1 8 Configuring the Next Hop Attribute 1 9 Configuring the AS PATH Attribute 1 9 Tuning and Optimizing MBGP Networks 1 10 Prerequisites 1 10 Configuring MBGP Soft Reset 1 10 Enabling the MBGP ORF Capability 1 11 Conf...

Page 1120: ...ast topology may be different from the unicast topology To meet the requirement the multiprotocol BGP extensions enable BGP to carry the unicast Network Layer Reachability Information NLRI and multicast NLRI separately and the multicast NLRI is used to perform reverse path forwarding RPF exclusively In this way route selection for a destination through the unicast routing table and through the mul...

Page 1121: ...Peer Group Optional Configuring Outbound MBGP Route Filtering Optional Configuring Inbound MBGP Route Filtering Optional Controlling Route Advertisement and Reception Configuring MBGP Route Dampening Configuring MBGP Route Preferences Configuring the Default Local Preference Configuring the MED Attribute Configuring the Next Hop Attribute Configuring MBGP Route Attributes Configuring the AS PATH A...

Page 1122: ...and Reception Prerequisites You need to configure MBGP basic functions before configuring this task Configuring MBGP Route Redistribution MBGP can advertise routing information in the local AS to neighboring ASs It redistributes such routing information from IGP into its routing table rather than learns the information by itself Follow these steps to configure MBGP route redistribution To do Use t...

Page 1123: ...otocol process id med med value route policy route policy name Required No route redistribution is configured by default Enable default route redistribution into the MBGP routing table default route imported Required Not enabled by default Configuring MBGP Route Summarization To reduce the routing table size on medium and large MBGP networks you need to configure route summarization on peers MBGP ...

Page 1124: ... bgp as number Enter IPv4 MBGP address family view ipv4 family multicast Advertise a default route to an MBGP peer or peer group peer group name ip address default route advertise route policy route policy name Required Not advertised by default With the peer default route advertise command executed the router sends a default route with the next hop being itself to the specified MBGP peer or peer ...

Page 1125: ... export Reference an IP prefix list to filer route advertisements to an IPv4 MBGP peer peer group peer group name ip address ip prefix ip prefix name export At least one of these approaches is required No outbound route filtering is configured by default Configuring Inbound MBGP Route Filtering By configuring MBGP route reception filtering policies you can filter out unqualified routes from an MBG...

Page 1126: ...filtering is configured by default Specify the maximum number of routes that can be received from an IPv4 MBGP peer peer group peer group name ip address route limit limit percentage Optional The number is unlimited by default Members of a peer group can have different route reception filtering policies from the peer group Configuring MBGP Route Dampening By configuring MBGP route dampening you ca...

Page 1127: ...icy name Optional The default preferences of multicast MBGP eBGP MBGP iBGP and local MBGP routes are 255 255 and 130 respectively Configuring the Default Local Preference Follow these steps to configure the default local preference To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv4 MBGP address family view ipv4 family multicast Configure the default...

Page 1128: ...er the peer next hop local command is configured In a third party next hop network that is the local router has two multicast eBGP peers in a broadcast network the router does not specify itself as the next hop of routing information sent to the eBGP peers unless the peer next hop local command is configured Follow these steps to specify the router as the next hop of routes sent to a peer peer gro...

Page 1129: ...to configure BGP basic functions before configuring this task Configuring MBGP Soft Reset After modifying a route selection policy you have to reset MBGP connections to make it take effect causing short time disconnections After the route refresh capability is enabled on all MBGP routers in a network when a route selection policy is modified on a router the local router can perform dynamic route u...

Page 1130: ...riginal routes from a peer peer group regardless of whether they pass the inbound filtering policies peer group name ip address keep all routes Required Not kept by default Return to user view return Soft reset MBGP connections manually refresh bgp ipv4 multicast all ip address group group name external internal export import Optional Enabling the MBGP ORF Capability The BGP Outbound Route Filter ...

Page 1131: ...you need to configure this command For details about the command refer to BGP Commands in the IP Routing Volume Enter MBGP address family view ipv4 family multicast Enable the ORF IP prefix negotiation capability for a BGP peer peer group peer group name ip address capability advertise orf ip prefix both receive send Optional Not supported by default Table 1 1 Description of the both send and rece...

Page 1132: ...cult due to large numbers of MBGP peers You can configure peer groups to make management easier and improve route distribution efficiency Follow these steps to configure an IPv4 MBGP peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Create a BGP peer group group group name external internal Required Not created by default Add a peer into the peer g...

Page 1133: ...r system view system view Enter BGP view bgp as number Enter IPv4 MBGP address family view ipv4 family multicast Advertise the community attribute to an MBGP peer peer group peer group name ip address advertise community Advertise the community attribute to an MBGP peer peer group Advertise the extended community attribute to an MBGP peer peer group peer group name ip address advertise ext communi...

Page 1134: ...tor uses its router ID as the cluster ID z In general it is not required that clients of a route reflector be fully meshed The route reflector forwards routing information between clients If clients are fully meshed you can disable route reflection between clients to reduce routing costs z In general a cluster has only one route reflector and the router ID of the route reflector is used to identif...

Page 1135: ...ing information matching an MBGP community list display bgp multicast routing table community list basic community list number whole match adv community list number 1 16 Available in any view Display MBGP dampened routing information display bgp multicast routing table dampened Available in any view Display MBGP dampening parameter information display bgp multicast routing table dampening paramete...

Page 1136: ...4 multicast flap info regexp as path regexp as path acl as path acl number ip address mask mask length Available in user view MBGP Configuration Example Network requirements As shown in the following figure z PIM SM 1 is in AS 100 and PIM SM 2 is in AS 200 OSPF is the IGP in the two ASs and MBGP runs between the two ASs to exchange multicast route information z The multicast source belongs to PIM ...

Page 1137: ... in the above figure omitted 2 Configure OSPF omitted 3 Enable IP multicast routing PIM SM and IGMP and configure a PIM SM domain border Enable IP multicast routing on Switch A and enable PIM SM on each interface SwitchA system view SwitchA multicast routing enable SwitchA interface vlan interface 100 SwitchA Vlan interface100 pim sm SwitchA Vlan interface100 quit SwitchA interface vlan interface ...

Page 1138: ...witchA LoopBack0 pim sm SwitchA LoopBack0 quit SwitchA pim SwitchA pim c bsr loopback 0 SwitchA pim c rp loopback 0 SwitchA pim quit Configure Loopback 0 and configure it as the C BSR and C RP on Switch B SwitchB interface loopback 0 SwitchB LoopBack0 ip address 2 2 2 2 32 SwitchB LoopBack0 pim sm SwitchB LoopBack0 quit SwitchB pim SwitchB pim c bsr loopback 0 SwitchB pim c rp loopback 0 SwitchB p...

Page 1139: ...uit 7 Verify the configuration You can use the display bgp multicast peer command to display MBGP peers on a switch For example display MBGP peers on Switch B SwitchB display bgp multicast peer BGP local router ID 2 2 2 2 Local AS number 200 Total number of peers 3 Peers in established state 3 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 192 168 1 1 4 100 56 56 0 0 00 40 54 Established You...

Page 1140: ... VPN 1 14 Configuration Prerequisites 1 14 Enabling IP Multicast Routing in a VPN Instance 1 14 Configuring a Share Group and an MTI Binding 1 15 Configuring BGP MDT 1 16 Configuration Prerequisites 1 16 Configuring BGP MDT Peers or Peer Groups 1 16 Configuring a BGP MDT Route Reflector 1 17 Displaying and Maintaining Multicast VPN 1 18 Multicast VPN Configuration Examples 1 18 Single AS MD VPN Co...

Page 1141: ... L3VPN Configuration in the MPLS Volume z For details about BGP refer to BGP Configuration in the IP Routing Volume Introduction to MPLS L3VPN Multicast VPN is a technique that implements multicast delivery in MPLS L3VPN networks An MPLS L3VPN is a virtual private network VPN implemented based on the extension technologies of the Border Gateway Protocol BGP and Multiprotocol Label Switching MPLS I...

Page 1142: ...VPN environment between any two sites that belong to the same VPN packets are transmitted labeled across the public network The PE device at the entrance to the provider backbone attaches two labels to the packets one inner label and the other outer label z Outer label the label used for switching within the backbone representing a label switched path LSP from the local PE to the peer PE With this...

Page 1143: ...ible receivers on the network for that group only those belong to VPN A namely in Site 1 Site 3 or Site 5 can receive the multicast stream The stream is multicast in these sites and in the public network The prerequisites for implementing multicast VPN are as follows 1 The support for VPN instance based multicast within each site 2 The support for public instance based multicast within the public ...

Page 1144: ...unnel MT An MT is a tunnel that interconnects all PEs in an MD for delivering private network traffic within the MD Multicast tunnel interface MTI An MTI is the entrance to or exit of an MT equivalent to an entrance to or exit of an MD PE devices use the MTI to access the MD An MTI handles only multicast packets but not unicast packets An MTI is automatically created with the configuration of a sh...

Page 1145: ... thought of as a private data transmission pool and an MTI can be thought of an entrance exit of the pool The local PE device puts the private data into the transmission pool the MD through the entrance MTI and the transmission pool automatically duplicates the private data and transmits the data to each exit MTI of the transmission pool so that any remote PE device that needs the data can get it ...

Page 1146: ...ished between the public instance interface on a PE device and an interface on the P device across the link z PE PE neighboring relationship PIM neighboring relationship established after a VPN instance on a PE device receives a PIM hello from a VPN instance on a remote PE device through an MTI z PE CE neighboring relationship PIM neighboring relationship established between a VPN instance associa...

Page 1147: ...ing a share MDT is different in these three PIM modes Share MDT establishment in a PIM DM network Figure 1 5 Share MDT establishment in a PIM DM network As shown in Figure 1 5 PIM DM is enabled in the network and all the PE devices support VPN instance A The process of establishing a share MDT is as follows The public instance on PE 1 initiates a flood prune process in the entire public network wi...

Page 1148: ...eated on each device along the path in the public network At the same time PE 2 and PE 3 respectively initiate a similar join process Finally an RPT is established in the MD with the public network RP as the root and PE 1 PE 2 and PE 3 as leaves 2 The public instance on PE 1 registers the multicast source with the public network RP with the BGP interface address as the multicast source address and...

Page 1149: ...its leaves At the same time PE 2 and PE 3 respectively initiate a similar SPT establishment process Finally three independent SPTs are established in the MD In the PIM SS M network the three independent SPTs constitute a share MDT Characteristics of a share MDT As discussed above a share MDT is characterized as follows no matter what PIM mode is running in the public network z All PE devices that ...

Page 1150: ... across the public network to establish SPTs The following example explains how multicast protocol packets are delivered based on the share MDT while PIM SM is running in both the public network and the VPNs network with receivers and the VPN RP located in different sites As shown in Figure 1 8 PIM SM is running in both the public network and the VPNs network Receiver for the VPN multicast group G...

Page 1151: ...rds the join message 5 When receiving the join message the VPN instance on PE 1 considers that it received the message from the MTI PE 1 creates a local 225 1 1 1 state entry with the downstream interface being the MTI and the upstream interface being the one that leads to CE 1 At the same time it sends a join message to CE 1 which is the VPN RP 6 Upon receiving the join message from the VPN insta...

Page 1152: ...and the VPN instance on PE 1 checks the MVRF If the outgoing interface list of the forwarding entry contains an MTI PE 1 processes the private network multicast data Now the VPN instance on PE 1 considers that the private network multicast data has been sent out the MTI 3 PE 1 encapsulates the multicast data by means of GRE with its BGP interface address as the multicast source address and the sha...

Page 1153: ...instance and treat each other as a CE device Figure 1 10 VPN instance VPN instance interconnectivity In the VPN instance VPN instance interconnectivity approach a separate MD needs to be established within each AS and VPN multicast traffic between different ASs is transmitted between these MDs Because only VPN multicast traffic is forwarded between ASBRs different PIM modes can run within differen...

Page 1154: ...DT Peers or Peer Groups Required Configuring BGP MDT Configuring a BGP MDT Route Reflector Optional Configuring MD VPN Configuration Prerequisites Before configuring MD VPN complete the following tasks z Configure any unicast routing protocol to provide intra domain interoperability at the network layer z Configure MPLS L3VPN z Configure PIM PIM DM PIM SM or PIM SSM Before configuring MD VPN prepa...

Page 1155: ...me Configuring a Share Group and an MTI Binding By running multiple instances on each PE device you enable the PE device to work for multiple VPNs You need to configure the same share group address for the same VPN instance on different PE devices With a share group and an MTI number configured the system automatically creates an MTI binds the share group address to the MTI and binds the MTI to th...

Page 1156: ...roup command refer to Service Lookback Commands in the Access Volume z PIM on the MTI interface takes effect only after PIM is enabled on at least one interface of the VPN instance when PIM is disabled on all the interfaces of the VPN instance PIM on the MTI interface is disabled simultaneously Configuring BGP MDT If PIM SSM is running in the public network you need to configure BGP MDT Configurat...

Page 1157: ...e client to client reflection to reduce overloads if the clients have been fully meshed The route reflector and its clients form a cluster In general a cluster has only one route reflector whose router ID identifies the cluster However you can configure several route reflectors in a cluster to improve network reliability and they must have the same cluster ID configured to avoid routing loops Foll...

Page 1158: ... b the share group address is 239 2 2 2 PE interfaces and VPN instances they belong to z PE 1 VLAN interface 11 and VLAN interface 20 belong to VPN instance a VLAN interface 12 and Loopback 1 belong to the public network instance z PE 2 VLAN interface 13 belongs to VPN instance b VLAN interface 14 belongs to VPN instance a VLAN interface 15 and Loopback 1 belong to the public network instance z PE...

Page 1159: ... int13 Vlan int14 Vlan int14 Vlan int15 Vlan int15 Vlan int16 Vlan int16 Vlan int17 Vlan int17 Vlan int18 Vlan int18 Vlan int19 Vlan int19 Device Interface IP address Device Interface IP address S 1 10 110 7 2 24 PE 3 Vlan int19 192 168 8 1 24 S 2 10 110 8 2 24 Vlan int17 10 110 5 1 24 R 1 10 110 1 2 24 Vlan int18 10 110 6 1 24 R 2 10 110 9 2 24 Loop1 1 1 1 3 32 R 3 10 110 10 2 24 Loop2 33 33 33 3...

Page 1160: ... instance a multicast domain share group 239 1 1 1 binding mtunnel 0 PE1 vpn instance a quit Configure an IP address and enable PIM SM and LDP capability on the public network interface VLAN interface 12 PE1 interface vlan interface 12 PE1 Vlan interface12 ip address 192 168 6 1 24 PE1 Vlan interface12 pim sm PE1 Vlan interface12 mpls PE1 Vlan interface12 mpls ldp PE1 Vlan interface12 quit Bind VL...

Page 1161: ...4 quit PE1 bgp quit With BGP peers configured on PE 1 the interfaces MTI 0 will automatically obtain an IP address which is the loopback interface address specified in the BGP peer configuration The PIM mode running on MTI 0 is the same as on the interfaces in VPN instance a Configure OSPF PE1 ospf 1 PE1 ospf 1 area 0 0 0 0 PE1 ospf 1 area 0 0 0 0 network 1 1 1 1 0 0 0 0 PE1 ospf 1 area 0 0 0 0 ne...

Page 1162: ...lticast routing in VPN instance a configure a share group address associate an MTI with the VPN instance PE2 vpn instance a multicast routing enable PE2 vpn instance a multicast domain share group 239 1 1 1 binding mtunnel 0 PE2 vpn instance a quit Configure an IP address and enable PIM SM and LDP capability on the public network interface VLAN interface 15 PE2 interface vlan interface 15 PE2 Vlan...

Page 1163: ...f vpnv4 peer 1 1 1 1 group vpn g PE2 bgp af vpnv4 peer 1 1 1 3 group vpn g PE2 bgp af vpnv4 quit PE2 bgp quit With BGP peers configured on PE 2 the interfaces MTI 0 and MTI 1 will automatically obtain IP addresses which are the loopback interface addresses specified in the BGP peer configuration The PIM mode running on MTI 0 is the same as on the interfaces in VPN instance a and the PIM mode runni...

Page 1164: ...n instance a quit Create VPN instance b configure a RD for it and create an egress route and an ingress route for it PE3 ip vpn instance b PE3 vpn instance b route distinguisher 200 1 PE3 vpn instance b vpn target 200 1 export extcommunity PE3 vpn instance b vpn target 200 1 import extcommunity Enable IP multicast routing in VPN instance b configure a share group address associate an MTI with the ...

Page 1165: ... interface loopback 2 PE3 LoopBack2 ip binding vpn instance b PE3 LoopBack2 ip address 33 33 33 33 32 PE3 LoopBack2 pim sm PE3 LoopBack2 quit Configure Loopback 2 as a C BSR and a C RP for VPN b PE3 pim vpn instance b PE3 pim b c bsr loopback 2 PE3 pim b c rp loopback 2 PE3 pim b quit Configure BGP PE3 bgp 100 PE3 bgp group vpn g internal PE3 bgp peer vpn g connect interface loopback 1 PE3 bgp pee...

Page 1166: ...E3 rip 2 quit PE3 rip 3 vpn instance b PE3 rip 3 network 10 0 0 0 PE3 rip 3 network 33 0 0 0 PE3 rip 3 import route bgp PE3 rip 3 return 4 Configure P Enable IP multicast routing in the public instance configure an MPLS LSR ID and enable the LDP capability P system view P multicast routing enable P mpls lsr id 2 2 2 2 P mpls P mpls quit P mpls ldp P mpls ldp quit Configure an IP address and enable...

Page 1167: ...nce P pim P pim c bsr loopback 1 P pim c rp loopback 1 P pim quit Configure OSPF P ospf 1 P ospf 1 area 0 0 0 0 P ospf 1 area 0 0 0 0 network 2 2 2 2 0 0 0 0 P ospf 1 area 0 0 0 0 network 192 168 0 0 0 0 255 255 5 Configure CE a1 Enable IP multicast routing CEa1 system view CEa1 multicast routing enable Configure an IP address for VLAN interface 10 and enable PIM SM on the interface CEa1 interface...

Page 1168: ...ddress for VLAN interface 40 and enable IGMP and PIM SM on the interface CEa2 interface vlan interface 40 CEa2 Vlan interface40 ip address 10 110 9 1 24 CEa2 Vlan interface40 igmp enable CEa2 Vlan interface40 pim sm CEa2 Vlan interface40 quit Configure an IP address for VLAN interface 14 and enable PIM SM on the interface CEa2 interface vlan interface 14 CEa2 Vlan interface14 ip address 10 110 4 2...

Page 1169: ...lan interface17 ip address 10 110 5 2 24 CEa3 Vlan interface17 pim sm CEa3 Vlan interface17 quit Configure an IP address for VLAN interface 16 and enable PIM SM on the interface CEa3 interface vlan interface 16 CEa3 Vlan interface16 ip address 10 110 12 2 24 CEa3 Vlan interface16 pim sm CEa3 Vlan interface16 quit Configure RIP CEa3 rip 2 CEa3 rip 2 network 10 0 0 0 9 Configure CE b2 Enable IP mult...

Page 1170: ... PE2 display multicast domain vpn instance b share group local MD local share group information for VPN Instance b Share group 239 2 2 2 MTunnel address 1 1 1 2 View the local share group information of VPN instance a on PE 3 PE3 display multicast domain vpn instance a share group local MD local share group information for VPN Instance a Share group 239 1 1 1 MTunnel address 1 1 1 3 View the local...

Page 1171: ...work routes between them z Configure MPLS separately in AS 100 and AS 200 IP multicast routing z Enable IP multicast routing in the public instance on PE 1 PE 2 PE 3 and PE 4 z Enable IP multicast routing in VPN instance a on PE 1 and PE 4 z Enable IP multicast routing in VPN instance b on PE 1 and PE 4 z Enable IP multicast routing on CE a1 CE a2 CE b1 and CE b2 IGMP z Run IGMPv2 on VLAN interfac...

Page 1172: ...92 168 1 2 24 Vlan int12 10 11 2 1 24 Loop1 1 1 1 3 32 Loop1 1 1 1 1 32 Loop2 22 22 22 22 32 PE 2 Vlan int2 10 10 1 2 24 PE 4 Vlan int4 10 10 2 2 24 Vlan int3 192 168 1 1 24 Vlan int13 10 11 3 1 24 Loop1 1 1 1 2 32 Vlan int14 10 11 4 1 32 Loop2 11 11 11 11 32 Loop2 1 1 1 4 32 CE a1 Vlan int10 10 11 5 1 24 CE b1 Vlan int20 10 11 6 1 24 Vlan int11 10 11 1 2 24 Vlan int12 10 11 2 2 24 Loop0 2 2 2 2 3...

Page 1173: ...ort extcommunity PE1 vpn instance b multicast routing enable PE1 vpn instance b multicast domain share group 239 4 4 4 binding mtunnel 1 PE1 vpn instance b quit Configure an IP address and enable PIM SM and LDP capability on the public network interface VLAN interface 2 PE1 interface vlan interface 2 PE1 Vlan interface2 ip address 10 10 1 1 24 PE1 Vlan interface2 pim sm PE1 Vlan interface2 mpls PE...

Page 1174: ...nable PE1 bgp af vpnv4 quit PE1 bgp quit With BGP peers configured on PE 1 the interfaces MTI 0 and MTI 1 will automatically obtain IP addresses which are the loopback interface addresses specified in the BGP peer configuration The PIM mode running on MTI 0 is the same as on the interfaces in VPN instance a and the PIM mode running on MTI 1 is the same as on the interfaces in VPN instance b Config...

Page 1175: ... mpls ldp PE2 Vlan interface2 quit Configure an IP address and enable PIM SM and MPLS capability on the public network interface VLAN interface 3 PE2 interface vlan interface 3 PE2 Vlan interface3 ip address 192 168 1 1 24 PE2 Vlan interface3 pim sm PE2 Vlan interface3 mpls PE2 Vlan interface3 quit Configure an IP address for Loopback 1 and enable PIM SM PE2 interface loopback 1 PE2 LoopBack1 ip a...

Page 1176: ...2 pe3 ebgp max hop 255 PE2 bgp peer pe2 pe3 route policy map1 export PE2 bgp peer pe2 pe3 label route capability PE2 bgp peer pe2 pe3 connect interface loopback 1 PE2 bgp peer 1 1 1 3 group pe2 pe3 PE2 bgp quit Configure OSPF PE2 ospf 1 PE2 ospf 1 area 0 0 0 0 PE2 ospf 1 area 0 0 0 0 network 1 1 1 2 0 0 0 0 PE2 ospf 1 area 0 0 0 0 network 11 11 11 11 0 0 0 0 PE2 ospf 1 area 0 0 0 0 network 10 10 0...

Page 1177: ...interface 3 PE3 Vlan interface3 ip address 192 168 1 2 24 PE3 Vlan interface3 pim sm PE3 Vlan interface3 mpls PE3 Vlan interface3 quit Configure an IP address for Loopback 1 and enable PIM SM PE3 interface loopback 1 PE3 LoopBack1 ip address 1 1 1 3 32 PE3 LoopBack1 pim sm PE3 LoopBack1 quit Configure an IP address for Loopback 2 and enable PIM SM PE3 interface loopback 2 PE3 LoopBack2 ip address ...

Page 1178: ...3 pe4 connect interface loopback 1 PE3 bgp peer 1 1 1 2 group pe3 pe4 PE3 bgp quit Configure OSPF PE3 ospf 1 PE3 ospf 1 area 0 0 0 0 PE3 ospf 1 area 0 0 0 0 network 1 1 1 3 0 0 0 0 PE3 ospf 1 area 0 0 0 0 network 22 22 22 22 0 0 0 0 PE3 ospf 1 area 0 0 0 0 network 10 10 0 0 0 0 255 255 PE3 ospf 1 area 0 0 0 0 quit PE3 ospf 1 quit Configure a route policy PE3 route policy map1 permit node 10 PE3 ro...

Page 1179: ...munity PE4 vpn instance b vpn target 200 1 import extcommunity PE4 vpn instance b multicast routing enable PE4 vpn instance b multicast domain share group 239 4 4 4 binding mtunnel 1 PE4 vpn instance b quit Configure an IP address and enable PIM SM and LDP capability on the public network interface VLAN interface 4 PE4 interface vlan interface 4 PE4 Vlan interface4 ip address 10 10 2 2 24 PE4 Vlan...

Page 1180: ... bgp b quit PE4 bgp ipv4 family vpnv4 PE4 bgp af vpnv4 peer 1 1 1 1 enable PE4 bgp af vpnv4 quit PE4 bgp quit With BGP peers configured on PE 4 the interfaces MTI 0 and MTI 1 will automatically obtain IP addresses which are the loopback interface addresses specified in the BGP peer configuration The PIM mode running on MTI 0 is the same as on the interfaces in VPN instance a and the PIM mode runni...

Page 1181: ...sm CEa1 Vlan interface11 quit Configure an IP address for Loopback 1 and enable PIM SM CEa1 interface loopback 1 CEa1 LoopBack1 ip address 2 2 2 2 32 CEa1 LoopBack1 pim sm CEa1 LoopBack1 quit Configure Loopback 1 as a C BSR and a C RP for VPN a CEa1 pim vpn instance a CEa1 pim a c bsr loopback 1 CEa1 pim a c rp loopback 1 CEa1 pim a quit Configure OSPF CEa1 ospf 1 CEa1 ospf 1 area 0 0 0 0 CEa1 osp...

Page 1182: ...30 ip address 10 11 7 1 24 CEa2 Vlan interface30 igmp enable CEa2 Vlan interface30 pim sm CEa2 Vlan interface30 quit Configure an IP address for VLAN interface 13 and enable PIM SM on the interface CEa2 interface vlan interface 13 CEa2 Vlan interface13 ip address 10 11 3 2 24 CEa2 Vlan interface13 pim sm CEa2 Vlan interface13 quit Configure OSPF CEa2 ospf 1 CEa2 ospf 1 area 0 0 0 0 CEa2 ospf 1 are...

Page 1183: ...ew the share group information of a VPN instance use the display multicast domain vpn instance share group command View the local share group information of VPN instance a on PE 1 PE1 display multicast domain vpn instance a share group local MD local share group information for VPN Instance a Share group 239 1 1 1 MTunnel address 1 1 1 1 View the local share group information of VPN instance b on ...

Page 1184: ...an IP address automatically and PIM is enabled on at least one interface of the VPN instance so that PIM can be enabled on the MTI interface PIM adjacencies can be established between the same VPN instance on different PE devices only after the MTI interface obtains an IP address and gets PIM enabled Solution 1 Check the share group address Use the display multicast domain vpn instance share group...

Page 1185: ...ly establish its MVRF z The customer DR must have a route to the private network RP Solution 1 Use the display pim bsr info command to check whether the BSR information exists in the public instance and VPN instance If not check whether a unicast route exists to the BSR 2 Use the display pim rp info command to view the RP information If no RP information is available check whether a unicast route ...

Page 1186: ...ration Prerequisites 1 15 Enabling IGMP Snooping Querier 1 15 Configuring IGMP Queries and Responses 1 15 Configuring Source IP Address of IGMP Queries 1 17 Configuring IGMP Snooping Proxying 1 17 Configuration Prerequisites 1 17 Enabling IGMP Snooping Proxying 1 17 Configuring a Source IP Address for the IGMP Messages Sent by the Proxy 1 18 Configuring an IGMP Snooping Policy 1 18 Configuration P...

Page 1187: ...MP Snooping Proxying Configuration Example 1 33 Troubleshooting IGMP Snooping Configuration 1 35 Switch Fails in Layer 2 Multicast Forwarding 1 35 Configured Multicast Group Policy Fails to Take Effect 1 36 ...

Page 1188: ...n IRF it operates as a distributed IRF device For introduction of IRF refer to IRF Configuration in the System Volume IGMP Snooping Overview Internet Group Management Protocol Snooping IGMP snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups Principle of IGMP Snooping By analyzing received IGMP messages a Layer 2 device running IGMP sn...

Page 1189: ...cing Layer 2 broadcast packets thus saving network bandwidth z Enhancing the security of multicast traffic z Facilitating the implementation of per host accounting Basic Concepts in IGMP Snooping IGMP Snooping related ports As shown in Figure 1 2 Router A connects to the multicast source IGMP snooping runs on Switch A and Switch B and Host A and Host C are receiver hosts namely multicast group mem...

Page 1190: ...nooping enabled switch deems that all its ports on which IGMP general queries with the source IP address other than 0 0 0 0 or PIM hello messages are received are dynamic router ports For details about PIM hello messages see PIM Configuration of the IP Multicast Volume Aging timers for dynamic ports in IGMP Snooping and related messages and actions Table 1 1 Aging timers for dynamic ports in IGMP ...

Page 1191: ...ynamic router port When receiving a membership report A host sends an IGMP report to the IGMP querier in the following circumstances z Upon receiving an IGMP query a multicast group member host responds with an IGMP report z When intended to join a multicast group a host sends an IGMP report to the IGMP querier to announce that it is interested in the multicast information addressed to that group ...

Page 1192: ...t the switch discards the IGMP leave message instead of forwarding it to any port z If the forwarding table entry exists and the outgoing port list contains the port the switch forwards the leave message to all router ports in the native VLAN Because the switch does not know whether any other hosts attached to the port are still listening to that group address the switch does not immediately remov...

Page 1193: ...figuration in the IP Multicast volume Figure 1 3 Network diagram for IGMP snooping proxying As shown in Figure 1 3 Switch A works as an IGMP Snooping proxy It represents its attached hosts to send membership reports and leave messages to Router A Table 1 2 describes how an IGMP snooping proxy processes IGMP messages Table 1 2 IGMP message processing on an IGMP snooping proxy IGMP message Actions G...

Page 1194: ...ed an IGMP snooping switch processes multicast protocol messages differently under different conditions specifically as follows 1 If only IGMP is enabled or both IGMP and PIM are enabled on the switch the switch handles multicast protocol messages in the normal way 2 In only PIM is enabled on the switch z The switch broadcasts IGMP messages as unknown messages in the VLAN z Upon receiving a PIM he...

Page 1195: ...uerier Optional Configuring IGMP Queries and Responses Optional Configuring IGMP Snooping Querier Configuring Source IP Address of IGMP Queries Optional Enabling IGMP Snooping Proxying Optional Configuring IGMP Snooping Proxying Configuring a Source IP Address for the IGMP Messages Sent by the Proxy Optional Configuring a Multicast Group Filter Optional Configuring Multicast Source Port Filtering ...

Page 1196: ...aggregate interface view or port group view z For IGMP snooping configurations made on a Layer 2 aggregate interface do not interfere with configurations made on its member ports nor do they take part in aggregation calculations configurations made on a member port of the aggregate group will not take effect until it leaves the aggregate group Configuring Basic Functions of IGMP Snooping Configura...

Page 1197: ...vlan vlan id Configure the version of IGMP snooping igmp snooping version version number Optional Version 2 by default If you switch IGMP snooping from version 3 to version 2 the system will clear all IGMP snooping forwarding entries from dynamic joins and will z Keep forwarding entries for version 3 static G joins z Clear forwarding entries from version 3 static S G joins which will be restored w...

Page 1198: ...icast group and multicast source addresses Configuring Aging Timers for Dynamic Ports If the switch receives no IGMP general queries or PIM hello messages on a dynamic router port the switch removes the port from the router port list when the aging timer of the port expires If the switch receives no IGMP reports for a multicast group on a dynamic member port the switch removes the port from the ou...

Page 1199: ...at a particular multicast source sends to a particular group you can configure static G or S G joining on that port namely configure the port as a group specific or source and group specific static member port You can configure a port of a switch to be a static router port through which the switch can forward all the multicast traffic it received Follow these steps to configure static ports To do ...

Page 1200: ...lticast router may deem that no member of this multicast group exists on the network segment and therefore will remove the corresponding forwarding path To avoid this situation from happening you can enable simulated joining on a port of the switch namely configure the port as a simulated member host for a multicast group When receiving an IGMP query the simulated host gives a response Thus the sw...

Page 1201: ...re than one host is attached when one host leaves a multicast group the other hosts attached to the port and interested in the same multicast group will fail to receive multicast data for that group Therefore if the function of dropping unknown multicast traffic is already enabled on the switch or in the VLANs the fast leave processing function should not be enabled Configuring fast leave processi...

Page 1202: ... a VLAN where multicast traffic needs to be Layer 2 switched only and no multicast routers are present the Layer 2 switch will act as the IGMP snooping querier to send IGMP queries thus allowing multicast forwarding entries to be established and maintained at the data link layer Follow these steps to enable IGMP snooping querier To do Use the command Remarks Enter system view system view Enter VLA...

Page 1203: ...configure IGMP queries and responses globally To do Use the command Remarks Enter system view system view Enter IGMP snooping view igmp snooping Configure the maximum response time to IGMP general queries max response time interval Optional 10 seconds by default Configure the IGMP last member query interval last member query interval interval Optional 1 second by default Configuring IGMP queries a...

Page 1204: ...ure the source IP address of IGMP group specific queries igmp snooping special query source ip ip address current interface Optional 0 0 0 0 by default The source address of IGMP query messages may affect IGMP querier selection within the segment Configuring IGMP Snooping Proxying Configuration Prerequisites Before configuring IGMP snooping Proxying in a VLAN enable IGMP snooping in the VLAN and p...

Page 1205: ...ping policy prepare the following data z ACL rule for multicast group filtering z The maximum number of multicast groups that can pass the ports z 802 1p precedence for IGMP messages Configuring a Multicast Group Filter On an IGMP snooping enabled switch the configuration of a multicast group allows the service provider to define restrictions on multicast programs available to different users In a...

Page 1206: ...can join any valid multicast group Configuring Multicast Source Port Filtering With the multicast source port filtering feature enabled on a port the port can be connected with multicast receivers only rather than with multicast sources because the port will block all multicast data packets while it permits multicast protocol packets to pass If this feature is disabled on a port the port can be co...

Page 1207: ... waste and low forwarding efficiency Configuring globally the function of dropping multicast packets Follow these steps to configure globally the function of dropping multicast packets To do Use the command Remarks Enter system view system view Enter IGMP snooping view igmp snooping Enable the function of dropping multicast packets drop unknown Required Disabled by default Configuring the function...

Page 1208: ...ackets Currently the S7900E supports processing unknown multicast data packets destined for up to 2000 unknown multicast addresses at a time The switch floods excessive unknown multicast data packets directly z The S7900E supports the function of dropping unknown multicast data packets configuring in up to 500 VLANs Configuring IGMP Report Suppression When a Layer 2 device receives an IGMP report ...

Page 1209: ...warding entries persistent to that port from the IGMP snooping forwarding table and the hosts on this port need to join the multicast groups again z If you have configured static or simulated joins on a port however when the number of multicast groups on the port exceeds the configured threshold the system deletes all the forwarding entries persistent to that port from the IGMP snooping forwarding...

Page 1210: ...system view system view interface interface type interface number Enter Ethernet port ONU port Layer 2 aggregate interface view or port group view port group manual port group name Required Use either approach Enable multicast group replacement igmp snooping overflow replace vlan vlan list Required Disabled by default Be sure to configure the maximum number of multicast groups allowed on a port re...

Page 1211: ...ce display igmp snooping group vlan vlan id slot slot number verbose Available in any view Display information about IGMP snooping multicast groups on a distributed IRF device display igmp snooping group vlan vlan id chassis chassis number slot slot number verbose Available in any view Display the statistics information of IGMP messages learned by IGMP snooping display igmp snooping statistics Ava...

Page 1212: ...and Host B accidentally temporarily stop receiving multicast data Figure 1 4 Network diagram for group policy simulated joining configuration Source Router A Switch A Receiver Receiver Host B Host A Host C 1 1 1 1 24 GE2 0 4 GE2 0 2 GE2 0 3 IGMP querier GE2 0 1 GE2 0 1 10 1 1 1 24 GE2 0 2 1 1 1 2 24 Configuration procedure 1 Configure IP addresses Configure an IP address and subnet mask for each i...

Page 1213: ...icy 2001 vlan 100 SwitchA igmp snooping quit Configure GigabitEthernet 2 0 3 and GigabitEthernet 2 0 4 as simulated hosts for multicast group 224 1 1 1 SwitchA interface gigabitethernet 2 0 3 SwitchA Gigabitethernet2 0 3 igmp snooping host join 224 1 1 1 vlan 100 SwitchA Gigabitethernet2 0 3 quit SwitchA interface gigabitethernet 2 0 4 SwitchA Gigabitethernet2 0 4 igmp snooping host join 224 1 1 1...

Page 1214: ...c member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the network To avoid data loops the forwarding path from Switch A to Switch C is blocked under normal conditions and multicast traffic flows to the receivers attached to Switch C only along the path of Switch A Switch B Switch C z It is required to configure GigabitEthern...

Page 1215: ...face and enable IGMP on GigabitEthernet 2 0 1 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 2 0 1 RouterA Gigabitethernet2 0 1 igmp enable RouterA Gigabitethernet2 0 1 pim dm RouterA Gigabitethernet2 0 1 quit RouterA interface gigabitethernet 2 0 2 RouterA Gigabitethernet2 0 2 pim dm RouterA Gigabitethernet2 0 2 quit 3 Configure Switch A Enable IGMP snoopin...

Page 1216: ...hrough GigabitEthernet 2 0 5 to this VLAN and enable IGMP snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 2 0 1 to gigabitethernet 2 0 5 SwitchC vlan100 igmp snooping enable SwitchC vlan100 quit Configure GigabitEthernet 2 0 3 and GigabitEthernet 2 0 5 as static member ports for multicast group 224 1 1 1 SwitchC interface gigabitethernet 2 0 3 SwitchC Gigabitethernet2 0 ...

Page 1217: ...GMP snooping multicast group information in VLAN 100 on Switch C SwitchC display igmp snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port unit board Mask 0x04 Router port s total 1 port GE...

Page 1218: ...r z To prevent flooding of unknown multicast traffic within the VLAN it is required to configure all the switches to drop unknown multicast data packets z Because a switch does not enlist a port that has heard an IGMP query with a source IP address of 0 0 0 0 default as a dynamic router port configure a non all zero IP address as the source IP address of IGMP queries to ensure normal creation of L...

Page 1219: ... traffic in VLAN 100 SwitchB vlan100 igmp snooping enable SwitchB vlan100 igmp snooping drop unknown SwitchB vlan100 quit Configurations on Switch C and Switch D are similar to the configuration on Switch B 3 Verify the configuration After the IGMP snooping querier starts to work all the switches but the querier can receive IGMP general queries By using the display igmp snooping statistics command...

Page 1220: ...uter A IGMP querier Switch A Proxy Querier Receiver Host B Host A Host C 1 1 1 1 24 GE2 0 4 GE2 0 2 GE2 0 3 GE2 0 1 GE2 0 1 10 1 1 1 24 GE2 0 2 1 1 1 2 24 Receiver Configuration procedure 1 Configure IP addresses for interfaces Configure an IP address and subnet mask for each interface as per Figure 1 7 The configuration steps are omitted here 2 Configure Router A Enable IP multicast routing enabl...

Page 1221: ...e display igmp group command to display information about IGMP snooping multicast groups and IGMP multicast groups For example Display information about IGMP snooping multicast groups on Switch A SwitchA display igmp snooping group Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1...

Page 1222: ...R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE2 0 1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 1 port GE2 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 1 port GE2 0 4 Troubleshooting IGMP Snooping Configuration Switch ...

Page 1223: ...1 Use the display acl command to check the configured ACL rule Make sure that the ACL rule conforms to the multicast group policy to be implemented 2 Use the display this command in IGMP snooping view or in the corresponding interface view to check whether the correct multicast group policy has been applied If not use the group policy or igmp snooping group policy command to apply the correct mult...

Page 1224: ...N Based Multicast VLAN 1 4 Configuring Port Based Multicast VLAN 1 4 Configuration Prerequisites 1 5 Configuring User Port Attributes 1 5 Configuring Multicast VLAN Ports 1 5 Configuring the Maximum Number of Forwarding Entries in a Multicast VLAN 1 7 Displaying and Maintaining Multicast VLAN 1 7 Multicast VLAN Configuration Examples 1 7 Sub VLAN Based Multicast VLAN Configuration 1 7 Port Based M...

Page 1225: ...rograms on demand service the Layer 3 device Router A needs to forward a separate copy of the multicast traffic in each user VLAN to the Layer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 1 1 Multicast transmission without multicast VLAN The multicast VLAN feature configured on the Layer 2 device is the solution to this is...

Page 1226: ...on IGMP Snooping manages router ports in the multicast VLAN and member ports in the sub VLANs When forwarding multicast data to Switch A Router A needs to send only one copy of multicast traffic to Switch A in the multicast VLAN and Switch A distributes the traffic to the multicast VLAN s sub VLANs that contain receivers Port based multicast VLAN As shown in Figure 1 3 Host A Host B and Host C are...

Page 1227: ...VLAN tags refer to VLAN Configuration in the Access Volume Multicast VLAN Configuration Task List Complete the following tasks to configure multicast VLAN Task Remarks Configuring Sub VLAN Based Multicast VLAN Configuring User Port Attributes Configuring Port Based Multicast VLAN Configuring Multicast VLAN Ports Required Use either approach Configuring the Maximum Number of Forwarding Entries in a...

Page 1228: ...LAN must exist and must not be sub VLANs of any other multicast VLAN z The total number of sub VLANs of a multicast VLAN must not exceed the maximum number the system can support an S7900E series Ethernet switch supports up to five multicast VLANs and supports up to 4000 sub VLANs for each multicast VLAN The total number of sub VLANs for all multicast VLANs on the switch cannot exceed 4000 Configu...

Page 1229: ...erface interface type interface number Enter interface view or port group view port group manual port group name aggregation agg id Required Use either command Configure the user port link type as hybrid port link type hybrid Required Access by default Specify the user VLAN that comprises the current user port s as the default VLAN port hybrid pvid vlan vlan id Required VLAN 1 by default Configure...

Page 1230: ...ports in interface view or port group view To do Use this command Remarks Enter system view system view Configure the specified VLAN as a multicast VLAN and enter multicast VLAN view multicast vlan vlan id Required Not a multicast VLAN by default Return to system view quit interface interface type interface number Enter interface view or port group view port group manual port group name Required U...

Page 1231: ...move excessive entries In this case the system does not automatically remove any existing entries or create new entries Displaying and Maintaining Multicast VLAN To do Use the command Remarks Display information about a multicast VLAN display multicast vlan vlan id Available in any view Multicast VLAN Configuration Examples Sub VLAN Based Multicast VLAN Configuration Network requirements z Router ...

Page 1232: ... IP addresses Configure an IP address and subnet mask for each interface as per Figure 1 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IP multicast routing enable PIM DM on each interface and enable IGMP on the host side interface GigabitEthernet 2 0 2 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 2 0 1 RouterA GigabitEther...

Page 1233: ...t 4 Verify the configuration Display information about the multicast VLAN SwitchA display multicast vlan Total 1 multicast vlan s Multicast vlan 10 subvlan list vlan 2 4 port list no port View the IGMP Snooping multicast group information on Switch A SwitchA display igmp snooping group Total 4 IP Group s Total 4 IP Source s Total 4 MAC Group s Port flags D Dynamic port S Static port C Copy port Su...

Page 1234: ... ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 1 port GE2 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 1 port GE2 0 4 Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE2 0 1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 ...

Page 1235: ...source sends multicast data to multicast group 224 1 1 1 Host A Host B and Host C are receivers of the multicast group z Configure the port based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the multicast data to the receivers that belong to different user VLANs Network diagram Figure 1 5 Network diagram for port bas...

Page 1236: ...re VLAN 2 as the default VLAN Configure GigabitEthernet 2 0 2 to permit packets of VLAN 2 and VLAN 10 to pass and untag the packets when forwarding them SwitchA interface gigabitethernet 2 0 2 SwitchA GigabitEthernet2 0 2 port link type hybrid SwitchA GigabitEthernet2 0 2 port hybrid pvid vlan 2 SwitchA GigabitEthernet2 0 2 port hybrid vlan 2 untagged SwitchA GigabitEthernet2 0 2 port hybrid vlan ...

Page 1237: ...port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE2 0 1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 3 port GE2 0 2 D GE2 0 3 D GE2 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 3 ...

Page 1238: ...4 Configuring IPv6 Multicast Routing and Forwarding 1 5 Configuration Prerequisites 1 5 Configuring an IPv6 Multicast Routing Policy 1 5 Configuring an IPv6 Multicast Forwarding Range 1 5 Configuring the IPv6 Multicast Forwarding Table Size 1 6 Configuring IPv6 Static Multicast MAC Address Entries 1 7 Displaying and Maintaining IPv6 Multicast Routing and Forwarding 1 8 Troubleshooting IPv6 Multica...

Page 1239: ...GX1EA do not support IPv6 features IPv6 Multicast Routing and Forwarding Overview Introduction to IPv6 Multicast Routing and Forwarding In IPv6 multicast implementations multicast routing and forwarding are implemented by three types of tables Each IPv6 multicast routing protocol has its own multicast routing table such as IPv6 PIM routing table The multicast routing information of different IPv6 ...

Page 1240: ...ource as the destination address and automatically selects the optimal route as the RPF route The outgoing interface in the corresponding routing entry is the RPF interface and the next hop is the RPF neighbor The router considers the path along which the IPv6 multicast packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source The router automa...

Page 1241: ... entry into the IPv6 multicast forwarding table with the RPF interface as the incoming interface If the interface on which the packet actually arrived is the RPF interface the RPF check succeeds and the router forwards the packet to all the outgoing interfaces If the interface on which the packet actually arrived is not the RPF interface the RPF check fails and the router discards the packet 2 If ...

Page 1242: ...h The RPF check fails and the packet is discarded Configuration Task List Complete these tasks to configure IPv6 multicast routing and forwarding Task Remarks Enabling IPv6 Multicast Routing Optional Configuring an IPv6 Multicast Routing Policy Optional Configuring an IPv6 Multicast Forwarding Range Optional Configuring the IPv6 Multicast Forwarding Table Size Optional Configuring IPv6 Multicast R...

Page 1243: ...view system view Configure the device to select the RPF route based on the longest match multicast ipv6 longest match Optional The route with the highest priority is selected as the RPF route by default Configure IPv6 multicast load splitting multicast ipv6 load splitting source source group Optional Disabled by default Configuring an IPv6 Multicast Forwarding Range IPv6 multicast packets do not t...

Page 1244: ...ed value When forwarding IPv6 multicast traffic the router replicates a copy of the IPv6 multicast traffic for each downstream node and forwards the traffic and thus each of these downstream nodes forms a branch of the IPv6 multicast distribution tree You can configure the maximum number of downstream nodes namely the maximum number of outgoing interfaces for a single entry in the IPv6 multicast f...

Page 1245: ...er 2 aggregate interface view or port group view interface interface type interface number Required Configurations performed in Ethernet interface view or Layer 2 aggregate interface view take effect for only the current interface while that performed in port group view take effect for all ports in the port group Configure a static multicast MAC address entry mac address multicast mac address vlan...

Page 1246: ... view Display the information of the IPv6 multicast routing table display multicast ipv6 routing table ipv6 source address prefix length ipv6 group address prefix length incoming interface interface type interface number register outgoing interface exclude include match interface type interface number register Available in any view Display the RPF route information of the specified IPv6 multicast ...

Page 1247: ...kets but there is no corresponding S G entry in the IPv6 PIM routing table Analysis The multicast ipv6 boundary command is used to filter IPv6 multicast packets received on an interface If an IPv6 multicast packet fails to match the IPv6 ACL rule of this command IPv6 PIM will create no routing entry In addition the source policy command in IPv6 PIM is used to filter received IPv6 multicast packets...

Page 1248: ...1 14 Configuring MLD Message Options 1 14 Configuring MLD Query and Response Parameters 1 15 Configuring MLD Fast Leave Processing 1 17 Configuring MLD SSM Mapping 1 18 Configuration Prerequisites 1 18 Enabling MLD SSM Mapping 1 18 Configuring MLD SSM Mappings 1 18 Configuring MLD Proxying 1 19 Configuration Prerequisites 1 19 Enabling MLD Proxying 1 19 Configuring IPv6 Multicast Forwarding on a D...

Page 1249: ...isplaying and Maintaining MLD Configuration z MLD Configuration Examples z Troubleshooting MLD MLD Overview The Multicast Listener Discovery protocol MLD is used by an IPv6 router to discover the presence of multicast listeners on the directly attached subnets Multicast listeners are nodes wishing to receive IPv6 multicast packets Through MLD the router can learn whether there are any IPv6 multica...

Page 1250: ...s often referred to as queries So a querier election mechanism is required to determine which router will act as the MLD querier on the subnet 1 Initially every MLD router assumes itself as the querier and sends MLD general query messages often referred to as general queries to all hosts and routers on the local subnet the destination address is FF02 1 2 Upon hearing a general query every MLD rout...

Page 1251: ...bership for G1 Assume it is Host B that sends the report message Upon hearing the report from Host B Host C which is on the same subnet with Host B suppresses its own report for G1 because the MLD routers Router A and Router B already know that at least one host on the local subnet is interested in G1 This mechanism known as MLD report suppression helps reduce traffic on the local subnet 4 At the ...

Page 1252: ...oup filtering MLDv2 has introduced IPv6 multicast source filtering modes Include and Exclude so that a host can specify a list of IPv6 multicast sources it expect or does not expect IPv6 multicast data from when it joins an IPv6 multicast group z If it expects IPv6 multicast data from specific IPv6 multicast sources like S1 S2 it sends a report with the Filter Mode denoted as Include Sources S1 S2...

Page 1253: ...es The router keeps tracing the newly added or deleted IPv6 multicast source z Timers Filter timer the time the router waits before switching to the Include mode after an IPv6 multicast address times out source timer for source recording and so on Receiver host state listening By listening to the state of receiver hosts a multicast router running MLDv2 records and maintains information of hosts jo...

Page 1254: ...e delay allowed before a host sends a report message Reserved Reserved field and initialized to zero Multicast Address z This field is set to 0 in a general query message z It is set to a specific IPv6 multicast address in a multicast address specific query message or multicast address and source specific query message S Flag indicating whether a router updates the timer for suppression after rece...

Page 1255: ...rt message Field Description Type 143 Message type For a report message this field is set to 143 Reserved The Reserved fields are set to 0 on transmission and ignored on reception Checksum Standard IPv6 checksum Number of Multicast Address Records This field indicates how many IPv6 multicast address records are present in this report message Multicast Address Record i This field represents informa...

Page 1256: ...ost C MLDv2 Receiver As shown in Figure 1 5 on an IPv6 SSM network Host A and Host B are running MLDv1 and Host C is running MLDv2 To provide SSM service for all the hosts while it is infeasible to run MLDv2 on Host A and Host B you need to configure the MLD SSM mapping feature on Router A With the MLD SSM mapping feature configured when Router A receives an MLDv1 report it checks the IPv6 multica...

Page 1257: ...A proxy interface is an interface on which MLD proxying is configured It is in the direction toward the root of the multicast forwarding tree An upstream interface acts as a host running MLD therefore it is also called host interface z Downstream interface An interface that is running MLD and not in the direction toward the root of the multicast forwarding tree A downstream interface acts as a rou...

Page 1258: ... on an Interface Optional Configuring MLD Message Options Optional Configuring MLD Query and Response Parameters Optional Adjusting MLD Performance Configuring MLD Fast Leave Processing Optional Enabling MLD SSM Mapping Optional Configuring MLD SSM Mapping Configuring MLD SSM Mappings Optional Enabling MLD Proxying Optional Configuring MLD Proxying Configuring IPv6 Multicast Forwarding on a Downst...

Page 1259: ...marks Enter system view system view Enable IPv6 multicast routing multicast ipv6 routing enable Required Disable by default Enter interface view interface interface type interface number Enable MLD mld enable Required Disabled by default For details about the multicast ipv6 routing table command see IPv6 Multicast Routing and Forwarding Commands in the IP Multicast Volume Configuring the MLD Versi...

Page 1260: ...ure a static member of an IPv6 multicast group or an IPv6 multicast source and group mld static group ipv6 group address source ipv6 source address Required By default an interface is not a static member of any IPv6 multicast group or IPv6 multicast source and group Before you can configure an interface of an IPv6 PIM SM device as a static member of an IPv6 multicast group or an IPv6 multicast sou...

Page 1261: ...t interface can join any valid IPv6 multicast group Configuring the Maximum Number of IPv6 Multicast Groups on an Interface You can configure the allowed maximum number of the IPv6 multicast groups on an interface to flexibly control the number of IPv6 multicast groups the interface can join Follow these steps to configure the maximum number of IPv6 multicast groups an interface can join To do Use...

Page 1262: ... the information for all IPv6 multicast sources and groups Therefore a router may receive IPv6 multicast packets addressed to IPv6 multicast groups that have no members on the local subnet In this case the Router Alert option carried in the IPv6 multicast packets is useful for the router to make a decision whether to deliver the IPv6 multicast packets to the upper layer protocol for processing For...

Page 1263: ...iodically sends MLD general queries at the MLD query interval to determine whether any IPv6 multicast group member exists on the network You can modify the query interval based on the actual condition of the network Upon receiving an MLD done message the MLD querier sends last listener query count MLD multicast address specific queries at the MLD last listener query interval MLD is robust to robus...

Page 1264: ...onfigure the startup query interval startup query interval interval Optional For the system default see Note below Configure the startup query count startup query count value Optional For the system default see Note below Configure the MLD query interval timer query interval Optional 125 seconds by default Configure the MLD querier robustness variable robust count robust value Optional 2 times by ...

Page 1265: ...query count is set to the MLD querier robustness variable By default the MLD querier robustness variable is 2 so the startup query count is also 2 z If not statically configured the other querier present interval is determined by the formula Other querier present interval in seconds MLD query interval times MLD querier robustness variable plus maximum response delay for MLD general query divided b...

Page 1266: ... command Remarks Enter system view system view Enter interface view interface interface type interface number Enable the MLD SSM mapping feature mld ssm mapping enable Required Disabled by default To ensure SSM service for all hosts on a subnet regardless of the MLD version running on the hosts enable MLDv2 on the interface that forwards IPv6 multicast traffic onto the subnet Configuring MLD SSM M...

Page 1267: ...nable MLD proxying on the interface in the direction toward the root of the multicast forwarding tree to make the device serve as an MLD proxy Follow these steps to enable MLD proxying To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable the MLD proxying feature mld proxying enable Required Disabled by default z Each devi...

Page 1268: ...s of these MLD proxy devices has been elected as the querier Otherwise duplicate multicast flows may be received on the multi access network Displaying and Maintaining MLD Configuration To do Use the command Remarks Display MLD multicast group information display mld group ipv6 group address interface interface type interface number static verbose Available in any view Display Layer 2 port informa...

Page 1269: ...refix length Available in user view You cannot use the reset mld group command to clear the MLD multicast group information of static joins The reset mld group port info command cannot clear Layer 2 port information about MLD multicast groups of static joins The reset mld group command cause an interruption of receivers reception of multicast data MLD Configuration Examples Basic MLD Functions Con...

Page 1270: ... switches Ensure the network layer interoperation among the switches on the IPv6 PIM network and dynamic update of routing information between the switches through a unicast routing protocol The detailed configuration steps are omitted here 2 Enable the IPv6 multicast routing and enable IPv6 PIM DM and MLD Enable IPv6 multicast routing on Switch A enable IPv6 PIM DM on each interface and enable ML...

Page 1271: ...on VLAN interface 200 of Switch B SwitchB display mld interface vlan interface 200 Vlan interface200 FE80 200 5EFF FE66 5100 MLD is enabled Current MLD version is 1 Value of query interval for MLD in seconds 125 Value of other querier present interval for MLD in seconds 255 Value of maximum query response time for MLD in seconds 10 Querier for MLD FE80 200 5EFF FE66 5100 this router Total 1 MLD Gr...

Page 1272: ...ted Configure OSPFv3 for interoperability among the switches Ensure the network layer interoperation on the IPv6 PIM SM domain and dynamic update of routing information among the switches through an IPv6 unicast routing protocol The detailed configuration steps are omitted here 2 Enable IPv6 multicast routing enable IPv6 PIM SM on each interface and enable MLD and MLD SSM mapping on the host side ...

Page 1273: ... D SwitchD pim ipv6 SwitchD pim6 c bsr 1003 2 SwitchD pim6 c rp 1003 2 SwitchD pim6 quit 4 Configure the IPv6 SSM group range Configure the IPv6 SSM group range FF3E 64 on Switch D SwitchD acl ipv6 number 2000 SwitchD acl6 basic 2000 rule permit source ff3e 64 SwitchD acl6 basic 2000 quit SwitchD pim ipv6 SwitchD pim6 ssm policy 2000 SwitchD pim6 quit The configuration on Switch A Switch B and Swi...

Page 1274: ... table information on Switch D SwitchD display pim ipv6 routing table Total 0 G entry 2 S G entry 1001 1 FF3E 101 Protocol pim ssm Flag UpTime 00 13 25 Upstream interface Vlan interface104 Upstream neighbor 1003 1 RPF prime neighbor 1003 1 Downstream interface s information Total number of downstreams 1 1 Vlan interface400 Protocol mld UpTime 00 13 25 Expires 3001 1 FF3E 101 Protocol pim ssm Flag ...

Page 1275: ...ticast routing on Switch A IPv6 PIM DM on VLAN interface 101 and MLD on VLAN interface 100 SwitchA system view SwitchA multicast ipv6 routing enable SwitchA interface vlan interface 101 SwitchA Vlan interface101 pim ipv6 dm SwitchA Vlan interface101 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 mld enable SwitchA Vlan interface100 pim ipv6 dm SwitchA Vlan interface100 quit En...

Page 1276: ... Router Symptom When a host sends a message for joining IPv6 multicast group G there is no member information of multicast group G on the immediate router Analysis z The correctness of networking and interface connections and whether the protocol layer of the interface is up directly affect the generation of IPv6 group member information z IPv6 multicast routing must be enabled on the router and M...

Page 1277: ... Inconsistent Memberships on Routers on the Same Subnet Symptom Different memberships are maintained on different MLD routers on the same subnet Analysis z A router running MLD maintains multiple parameters for each interface and these parameters influence one another forming very complicated relationships Inconsistent MLD interface parameter configurations for routers on the same subnet will sure...

Page 1278: ...g a BSR 1 21 Configuring IPv6 Multicast Source Registration 1 24 Configuring SPT Switchover 1 25 Configuring IPv6 PIM SSM 1 25 IPv6 PIM SSM Configuration Task List 1 25 Configuration Prerequisites 1 26 Enabling IPv6 PIM SM 1 26 Configuring the IPv6 SSM Group Range 1 27 Configuring IPv6 PIM Common Features 1 27 IPv6 PIM Common Feature Configuration Task List 1 28 Configuration Prerequisites 1 28 Co...

Page 1279: ...icast Distribution Tree Correctly 1 46 IPv6 Multicast Data Abnormally Terminated on an Intermediate Router 1 47 RPs Unable to Join SPT in IPv6 PIM SM 1 47 RPT Establishment Failure or Source Registration Failure in IPv6 PIM SM 1 48 ...

Page 1280: ...M uses an IPv6 unicast routing table to perform reverse path forwarding RPF check to implement IPv6 multicast forwarding Independent of the IPv6 unicast routing protocols running on the device IPv6 multicast routing can be implemented as long as the corresponding IPv6 multicast routing entries are created through IPv6 unicast routes IPv6 PIM uses the reverse path forwarding RPF mechanism to implem...

Page 1281: ...uned again z When a new receiver on a previously pruned branch joins an IPv6 multicast group to reduce the join latency IPv6 PIM DM uses the graft mechanism to resume IPv6 multicast data forwarding to that branch Generally speaking the IPv6 multicast forwarding path is a source tree namely a forwarding tree with the IPv6 multicast source as its root and IPv6 multicast group members as its leaves B...

Page 1282: ...to that IPv6 multicast group down to this node z An S G entry contains the multicast source address S IPv6 multicast group address G outgoing interface list and incoming interface z For a given IPv6 multicast stream the interface that receives the IPv6 multicast stream is referred to as upstream and the interfaces that forward the IPv6 multicast stream are referred to as downstream A prune process...

Page 1283: ... assert mechanism is used to shutoff duplicate IPv6 multicast flows onto the same multi access network where more than one multicast routers exists by electing a unique IPv6 multicast forwarder on the multi access network Figure 1 2 Assert mechanism As shown in Figure 1 2 after Router A and Router B receive an S G IPv6 multicast packet from the upstream node they both forward the packet to the loc...

Page 1284: ...o implement IPv6 multicast forwarding is to build and maintain rendezvous point trees RPTs An RPT is rooted at a router in the IPv6 PIM domain as the common node or rendezvous point RP through which the IPv6 multicast data travels along the RPT and reaches the receivers z When a receiver is interested in the IPv6 multicast data addressed to a specific IPv6 multicast group the router connected to t...

Page 1285: ... connects to IPv6 multicast sources or to receivers The DR at the receiver side sends join messages to the RP the DR at the IPv6 multicast source side sends register messages to the RP z A DR is elected on a multi access subnet by means of comparison of the priorities and IPv6 link local addresses carried in hello messages z MLD must be enabled on a device that acts as a receiver side DR before re...

Page 1286: ...be configured in an IPv6 PIM SM domain among which an RP is dynamically elected through the bootstrap mechanism Each elected RP serves a different multicast group range For this purpose a bootstrap router BSR must be configured The BSR serves as the administrative core of the IPv6 PIM SM domain An IPv6 PIM SM domain can have only one BSR but can have multiple candidate BSRs C BSRs Once the BSR fai...

Page 1287: ...this algorithm Table 1 1 Values in the hashing algorithm Value Description Value Hash value G The digest from the exclusive or XOR operation between the 32 bit segments of the IPv6 multicast group address For example if the IPv6 multicast address is FF0E C20 1A3 63 101 G 0xFF0E0C20 XOR 0x01A30063 XOR 0x00000000 XOR 0x00000101 M Hash mask length Ci The digest from the exclusive or XOR operation bet...

Page 1288: ...form the directly connected DR 2 Upon getting the IPv6 multicast group G s receiver information the DR sends a join message which is hop by hop forwarded to the RP corresponding to the multicast group 3 The routers along the path from the DR to the RP form an RPT branch Each router on this branch generates a G entry in its forwarding table The means any IPv6 multicast source The RP is the root whi...

Page 1289: ...icast IPv6 multicast packet down the RPT and sends an S G join message hop by hop toward the IPv6 multicast source Thus the routers along the path from the RP to the IPv6 multicast source form an SPT branch Each router on this branch generates an S G entry in its forwarding table The DR at the IPv6 multicast source side is the root while the RP is the leaf of the SPT 3 The subsequent IPv6 multicas...

Page 1290: ...Pv6 multicast source to establish an SPT between the DR at the source side and the RP Subsequent IPv6 multicast data travels along the established SPT to the RP For details about the SPT switchover initiated by the RP refer to Multicast source registration 2 The receiver side DR initiates an SPT switchover process Upon receiving the first IPv6 multicast packet the receiver side DR initiates an SPT...

Page 1291: ...l receivers know exactly where an IPv6 multicast source is located by means of advertisements consultancy and so on Therefore no RP is needed no RPT is required and is no source registration process is needed for the purpose of discovering IPv6 multicast sources in other IPv6 PIM domains Compared with the ASM model the SSM model only needs the support of MLDv2 and some subsets of IPv6 PIM SM The o...

Page 1292: ...ot and receivers as its leaves This SPT is the transmission channel in IPv6 PIM SSM z If not the IPv6 PIM SM process is followed the DR needs to send a G join message to the RP and an IPv6 multicast source registration process is needed In IPv6 PIM SSM the channel concept is used to refer to an IPv6 multicast group and the channel subscription concept is used to refer to a join message Protocols a...

Page 1293: ... following data z The interval between state refresh messages z Minimum time to wait before receiving a new refresh message z Hop limit value of state refresh messages z Graft retry period Enabling IPv6 PIM DM With IPv6 PIM DM enabled a router sends hello messages periodically to discover IPv6 PIM neighbors and processes messages from the IPv6 PIM neighbors When deploying an IPv6 PIM DM domain you...

Page 1294: ...bility pim ipv6 state refresh capable Optional Enabled by default Configuring State Refresh Parameters The router directly connected with the multicast source periodically sends state refresh messages You can configure the interval for sending such messages A router may receive multiple state refresh messages within a short time of which some may be duplicated messages To keep a router from receiv...

Page 1295: ...IPv6 PIM DM graft is the only type of message that uses the acknowledgment mechanism In an IPv6 PIM DM domain if a router does not receive a graft ack message from the upstream router within the specified time after it sends a graft message the router keeps sending new graft messages at a configurable interval namely graft retry period until it receives a graft ack from the upstream router Follow ...

Page 1296: ... IPv6 PIM SM complete the following task z Configure any IPv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer Before configuring IPv6 PIM SM prepare the following data z The IP address of a static RP and an ACL rule defining the range of IPv6 multicast groups to be served by the static RP z C RP priority and an ACL rule defining the range of IPv6 m...

Page 1297: ...the multicast ipv6 routing table command see IPv6 Multicast Routing and Forwarding Commands in the IP Multicast Volume Configuring an RP An RP can be manually configured or dynamically elected through the BSR mechanism For a large IPv6 PIM network static RP configuration is a tedious job Generally static RP configuration is just a backup means for the dynamic RP election mechanism to enhance the r...

Page 1298: ...fing you need to configure a legal C RP address range and the range of IPv6 multicast groups to be served on the BSR In addition because every C BSR has a chance to become the BSR you need to configure the same filtering policy on all C BSRs in the IPv6 PIM SM domain Follow these steps to configure a C RP To do Use the command Remarks Enter system view system view Enter IPv6 PIM view pim ipv6 Conf...

Page 1299: ...o distribute the RP Set information within the IPv6 PIM SM domain C RPs must periodically send C RP Adv messages to the BSR The BSR learns the RP Set information from the received messages and encapsulates its own IPv6 address together with the RP Set information in its bootstrap messages The BSR then floods the bootstrap messages to all IPv6 routers in the network Each C RP encapsulates a timeout...

Page 1300: ...st from masquerading as a BSR The same configuration needs to be made on all routers in the IPv6 PIM SM domain The following are typical BSR spoofing cases and the corresponding preventive measures 1 Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP mappings Such attacks often occur on border routers Because a BSR is inside the network whereas hosts are o...

Page 1301: ...etwork into different IPv6 PIM SM domains Bootstrap messages cannot cross a domain border in either direction Perform the following configuration on routers that can become an IPv6 PIM domain border Follow these steps to configure an IPv6 PIM border domain To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configuring an IPv6 ...

Page 1302: ...g the C BSRs Perform the following configuration on C BSR routers Follow these steps to configure C BSR timers To do Use the command Remarks Enter system view system view Enter IPv6 PIM view pim ipv6 Configure the BS period c bsr interval interval Optional For the default value see the note below Configure the BS timeout c bsr holdtime interval Optional For the default value see the note below Abo...

Page 1303: ...ide DR Upon receiving this message the DR stops sending register messages encapsulated with IPv6 multicast data and starts a register stop timer When the register stop timer expires the DR sends a null register message a register message without encapsulated multicast data to the RP If the DR receives a register stop message during the register probe time it will reset its register stop timer othe...

Page 1304: ...cl6 number order order value Optional By default the device switches to the SPT immediately after it receives the first IPv6 multicast packet from the RPT For an S7900E series Ethernet switch once an IPv6 multicast forwarding entry is created subsequent IPv6 multicast data will not be encapsulated in register messages before being forwarded even if a register outgoing interface is available Theref...

Page 1305: ... Therefore a router is IPv6 PIM SSM capable after you enable IPv6 PIM SM on it When deploying an IPv6 PIM SM domain you are recommended to enable IPv6 PIM SM on all non border interfaces of routers Follow these steps to enable IPv6 PIM SSM To do Use the command Remarks Enter system view system view Enable IPv6 multicast routing multicast ipv6 routing enable Required Disable by default Enter interf...

Page 1306: ...ration on all routers in the IPv6 PIM SM domain Follow these steps to configure the IPv6 SSM group range To do Use the command Remarks Enter system view system view Enter IPv6 PIM view pim ipv6 Configure the IPv6 SSM group range ssm policy acl6 number Optional FF3x 32 by default here x refers to any legal group scope z Make sure that the same IPv6 SSM group range is configured on all routers in th...

Page 1307: ...sage Sizes Optional Configuration Prerequisites Before configuring IPv6 PIM common features complete the following tasks z Configure any IPv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer z Configure IPv6 PIM DM or IPv6 PIM SM or IPv6 PIM SSM Before configuring IPv6 PIM common features prepare the following data z An IPv6 ACL rule for filtering I...

Page 1308: ...ault z Generally a smaller distance from the filter to the IPv6 multicast source results in a more remarkable filtering effect z This filter works not only on independent IPv6 multicast data but also on IPv6 multicast data encapsulated in register messages Configuring a Hello Message Filter Along with the wide applications of IPv6 PIM the security requirement for the protocol is becoming more and ...

Page 1309: ... a downstream router is allowed to wait before sending a prune override message When a router receives a prune message from a downstream router it does not perform the prune action immediately instead it maintains the current forwarding state for a period of LAN delay plus override interval If the downstream router needs to continue receiving IPv6 multicast data it must send a prune override messa...

Page 1310: ...fault Configure IPv6 PIM neighbor timeout time pim ipv6 hello option holdtime interval Optional 105 seconds by default Configure the prune message delay time LAN delay pim ipv6 hello option lan delay interval Optional 500 milliseconds by default Configure the prune override interval pim ipv6 hello option override interval interval Optional 2 500 milliseconds by default Disable join suppression pim...

Page 1311: ...t has lost assert election will prune its downstream interface and maintain the assert state for a period of time When the assert state times out the assert loser will resume IPv6 multicast forwarding When a router fails to receive subsequent IPv6 multicast data from the IPv6 multicast source S the router does not immediately delete the corresponding S G entry instead it maintains the S G entry fo...

Page 1312: ...dtime assert interval Optional 180 seconds by default If there are no special networking requirements we recommend that you use the default settings Configuring Join Prune Message Sizes A larger join prune message size will result in loss of a larger amount of information when a message is lost with a reduced join message size the loss of a single message will bring relatively minor impact By cont...

Page 1313: ...e interface number neighbor ipv6 neighbor address verbose Available in any view View IPv6 PIM neighboring information display pim ipv6 neighbor interface interface type interface number ipv6 neighbor address verbose Available in any view View the content of the IPv6 PIM routing table display pim ipv6 routing table ipv6 group address prefix length ipv6 source address prefix length incoming interfac...

Page 1314: ...witch B Vlan int200 2001 1 64 Vlan int101 2002 2 64 Vlan int101 2002 1 64 Vlan int102 3001 2 64 Switch C Vlan int200 2001 2 64 Vlan int102 3001 1 64 Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 addresses and IPv6 unicast routing Enable IPv6 forwarding on each switch and configure the IPv6 address and prefix length for each interface as per Figure 1 8 Detailed configuration s...

Page 1315: ...nterface 101 SwitchD Vlan interface101 pim ipv6 dm SwitchD Vlan interface101 quit SwitchD interface vlan interface 102 SwitchD Vlan interface102 pim ipv6 dm SwitchD Vlan interface102 quit 3 Verify the configuration Use the display pim ipv6 interface command to view the IPv6 PIM configuration and running status on each interface For example View the IPv6 PIM configuration information on Switch D Sw...

Page 1316: ...S G entry FF0E 101 Protocol pim dm Flag WC UpTime 00 01 24 Upstream interface NULL Upstream neighbor NULL RPF prime neighbor NULL Downstream interface s information Total number of downstreams 1 1 Vlan interface100 Protocol mld UpTime 00 01 20 Expires never 4001 100 FF0E 101 Protocol pim dm Flag ACT UpTime 00 01 20 Upstream interface Vlan interface103 Upstream neighbor 1002 2 RPF prime neighbor 10...

Page 1317: ...nect to N2 through their respective VLAN interface 200 and to Switch E through VLAN interface 103 and VLAN interface 104 respectively z Vlan interface 105 on Switch D and Vlan interface 102 on Switch E act as C BSRs and C RPs the C BSR on Switch E has a higher priority the IPv6 multicast group range served by the C RP is FF0E 101 64 modify the hash mask length to map a certain number of consecutiv...

Page 1318: ...IM SM on each interface and enable MLD on VLAN interface 100 which connects Switch A to N1 SwitchA system view SwitchA multicast ipv6 routing enable SwitchA interface vlan interface 100 SwitchA Vlan interface100 mld enable SwitchA Vlan interface100 pim ipv6 sm SwitchA Vlan interface100 quit SwitchA interface vlan interface 101 SwitchA Vlan interface101 pim ipv6 sm SwitchA Vlan interface101 quit Sw...

Page 1319: ...ace NbrCnt HelloInt DR Pri DR Address Vlan100 0 30 1 1001 1 local Vlan101 1 30 1 1002 2 Vlan102 1 30 1 1003 2 To view the BSR election information and the locally configured C RP information in effect on a switch use the display pim ipv6 bsr info command For example View the BSR information and the locally configured C RP information in effect on Switch A SwitchA display pim ipv6 bsr info Elected ...

Page 1320: ...on prefix prefix length FF0E 101 64 RP 4002 1 Priority 0 HoldTime 130 Uptime 00 05 19 Expires 00 02 11 RP 1003 2 Priority 0 HoldTime 130 Uptime 00 05 19 Expires 00 02 11 Assume that Host A needs to receive information addressed to the IPv6 multicast group G FF0E 100 The RP corresponding to the multicast group G is Switch E as a result of hash calculation so an RPT will be built between Switch A an...

Page 1321: ...formation Total number of downstreams 1 1 Vlan interface100 Protocol pim sm UpTime 00 02 15 Expires 00 03 06 The information on Switch B and Switch C is similar to that on Switch A View the IPv6 PIM multicast routing table information on Switch D SwitchD display pim ipv6 routing table Total 0 G entry 1 S G entry 4001 100 FF0E 100 RP 1003 2 Protocol pim sm Flag SPT LOC ACT UpTime 00 14 44 Upstream ...

Page 1322: ... The entire PIM domain operates in the SSM mode z Host A and Host C are IPv6 multicast receivers in two stub networks N1 and N2 z Switch D connects to the network that comprises the IPv6 multicast source Source through VLAN interface 300 z Switch A connects to N1 through VLAN interface 100 and to Switch D and Switch E through VLAN interface 101 and VLAN interface 102 respectively z Switch B and Sw...

Page 1323: ...4002 2 64 Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 addresses and IPv6 unicast routing Enable IPv6 forwarding on each switch and configure the IPv6 address and prefix length for each interface as per Figure 1 10 Detailed configuration steps are omitted here Configure OSPFv3 for interoperation among the switches in the IPv6 PIM SM domain Ensure the network layer interopera...

Page 1324: ...iguration Use the display pim ipv6 interface command to view the IPv6 PIM configuration and running status on each interface For example View the IPv6 PIM configuration information on Switch A SwitchA display pim ipv6 interface Interface NbrCnt HelloInt DR Pri DR Address Vlan100 0 30 1 1001 1 local Vlan101 1 30 1 1002 2 Vlan102 1 30 1 1003 2 Assume that Host A needs to receive the information a sp...

Page 1325: ...n tree cannot be built correctly and clients cannot receive IPv6 multicast data Analysis z An IPv6 PIM routing entry is created based on an IPv6 unicast route whichever IPv6 PIM mode is running Multicast works only when unicast does z IPv6 PIM must be enabled on the RPF interface An RPF neighbor must be an IPv6 PIM neighbor as well If IPv6 PIM is not enabled on the RPF interface or the RPF neighbo...

Page 1326: ... been configured through the multicast ipv6 boundary command any IPv6 multicast packet will be kept from crossing the boundary and therefore no routing entry can be created in the IPv6 PIM routing table z In addition the source policy command is used to filter received IPv6 multicast packets If the IPv6 multicast data fails to pass the ACL rule defined in this command IPv6 PIM cannot create the ro...

Page 1327: ...ally send advertisement messages to the BSR by unicast If a C RP does not have a route to the BSR the BSR will be unable to receive the advertisements from the C RP and therefore the bootstrap messages of the BSR will not contain the information about that C RP z The RP is the core of an IPv6 PIM SM domain Make sure that the RP information on all routers is exactly the same a specific group is map...

Page 1328: ...7 Configuring IPv6 MBGP Route Attributes 1 7 Configuration Prerequisites 1 8 Configuring IPv6 MBGP Route Preferences 1 8 Configuring the Default Local Preference 1 8 Configuring the MED Attribute 1 8 Configuring the NEXT_HOP Attribute 1 9 Configuring the AS_PATH Attribute 1 9 Tuning and Optimizing IPv6 MBGP Networks 1 10 Configuration Prerequisites 1 10 Configuring IPv6 MBGP Soft Reset 1 10 Enabli...

Page 1329: ...outing information for IPv4 only IETF defined multi protocol BGP extensions to carry routing information for multiple network layer protocols For an IPv6 network the IPv6 multicast topology need be different from the IPv6 unicast topology To meet the requirement the multi protocol BGP extensions enable IPv6 BGP to carry the IPv6 unicast Network Layer Reachability Information NLRI and IPv6 multicas...

Page 1330: ...nfiguring IPv6 MBGP Route Dampening Optional Configuring IPv6 MBGP Route Preferences Configuring the Default Local Preference Configuring the MED Attribute Optional Configuring the NEXT_HOP Attribute Optional Configuring IPv6 MBGP Route Attributes Configuring the AS_PATH Attribute Optional Configuring IPv6 MBGP Soft Reset Optional Enabling the IPv6 MBGP ORF Capability Optional Tuning and Optimizin...

Page 1331: ...P view bgp as number Enter IPv6 MBGP address family view ipv6 family multicast Specify a preferred value for routes received from the IPv6 MBGP peer peer group peer ipv6 group name ipv6 address preferred value value Optional The preferred value defaults to 0 If you both reference a route policy and use the command peer ipv6 group name ipv6 address preferred value value to set a preferred value for...

Page 1332: ...Not injected by default Configuring IPv6 MBGP Route Redistribution Follow these steps to configure IPv6 MBGP route redistribution To do Use the command Description Enter system view system view Enter BGP view bgp as number Enter the MBGP multicast address family view ipv6 family multicast Enable default route redistribution into the IPv6 MBGP routing table default route imported Optional By defaul...

Page 1333: ... name Required Not configured by default Advertising a Default Route to a Peer or Peer Group Follow these steps to advertise a default route to a peer or peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 MBGP address family view ipv6 family multicast Advertise a default route to an IPv6 MBGP peer or peer group peer ipv6 group name ipv6 a...

Page 1334: ...iple filter policies they will be applied in the following order z filter policy export z peer filter policy export z peer as path acl export z peer ipv6 prefix export z peer route policy export A filter policy can be applied only after the previous one is passed routing information can be advertised only after passing all the filter policies configured z Members of an IPv6 MBGP peer group must ha...

Page 1335: ...orted from a peer peer group peer ipv6 group name ipv6 address route limit limit percentage Optional The number is unlimited by default A peer can has an inbound route filtering policy different from that of the peer group it belongs to That is peer group members can have different inbound route filtering policies Configuring IPv6 MBGP Route Dampening Follow these steps to configure IPv6 MBGP rout...

Page 1336: ...eference values of external internal and local routes are 255 255 and 130 respectively Configuring the Default Local Preference Follow these steps to configure the default local preference To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 MBGP address family view ipv6 family multicast Set the default local preference default local preference value ...

Page 1337: ... a third party next hop network that is the local router has two IPv6 multicast eBGP peers in a broadcast network the router does not specify itself as the next hop of routes sent to the EBGP peers by default Follow these steps to specify the router as the next hop of routes sent to a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv...

Page 1338: ...tions to make it take effect causing short time disconnections After the route refresh capability is enabled on all IPv6 MBGP routers in a network when a route selection policy is modified on a router the local router can perform dynamic route updates without tearing down IPv6 MBGP connections If the peer does not support route refresh you can save all route updates from the peer When the route se...

Page 1339: ...ons manually refresh bgp ipv6 multicast all ipv6 address group ipv6 group name external internal export import Optional Enabling the IPv6 MBGP ORF Capability The BGP Outbound Route Filter ORF feature allows a BGP speaker to send to its BGP peer a set of ORFs through Route refresh messages The peer then applies the ORFs in addition to its local routing policies if any to filter updates to the BGP s...

Page 1340: ...x both receive send Required Not supported by default Table 1 1 Description of the both send and receive parameters and the negotiation result Local parameter Peer parameter Negotiation result receive send both The ORF sending capability is enabled locally and the ORF receiving capability is enabled on the peer send receive both The ORF receiving capability is enabled locally and the ORF sending c...

Page 1341: ...v6 MBGP address family view ipv6 family multicast Enable the configured IPv6 unicast BGP peer group to create the IPv6 MBGP peer group peer ipv6 group name enable Required Add the IPv6 MBGP peer into the peer group peer ipv6 address group ipv6 group name Required By default no peer is added z To create an IPv6 MBGP peer group you need to enable an existing IPv6 unicast peer group in IPv6 MBGP addr...

Page 1342: ...name export Required Not configured by default z You need to configure a route policy to define the community attribute and apply the policy to outgoing routes z For route policy configuration refer to Route Policy Configuration in the IP Routing Volume Configuring an IPv6 MBGP Route Reflector To guarantee connectivity between IPv6 multicast iBGP peers you need to make them fully meshed but it bec...

Page 1343: ...ticast paths as regular expression Available in any view Display IPv6 MBGP peer peer group information display bgp ipv6 multicast peer ipv6 address verbose Available in any view Display the prefix entries in the ORF information of the specified BGP peer display bgp ipv6 multicast peer ipv6 address received ipv6 prefix Available in any view Display IPv6 MBGP routing table information display bgp ip...

Page 1344: ...ble in any view Display IPv6 MBGP routing statistics display bgp ipv6 multicast routing table statistic Available in any view Display the IPv6 MBGP routing table information display ipv6 multicast routing table verbose Available in any view Display the multicast routing information of the specified destination address display ipv6 multicast routing table ipv6 address prefix length longer match ver...

Page 1345: ...n int100 IPv6 MBGP peers IPv6 PIM SM 1 IPv6 PIM SM 2 Device Interface IP address Device Interface IP address Source 1002 100 64 Switch C Vlan int200 3002 1 64 Switch A Vlan int100 1002 1 64 Vlan int102 2001 2 64 Vlan int101 1001 1 64 Vlan int104 3001 1 64 Switch B Vlan int101 1001 2 64 Switch D Vlan int103 2002 2 64 Vlan int102 2001 1 64 Vlan int104 3001 2 64 Vlan int103 2002 1 64 Configuration pr...

Page 1346: ...der on Switch A SwitchA interface vlan interface 101 SwitchA Vlan interface101 pim ipv6 bsr boundary SwitchA Vlan interface101 quit Configure an IPv6 PIM domain border on Switch B SwitchB interface vlan interface 101 SwitchB Vlan interface101 pim ipv6 bsr boundary SwitchB Vlan interface101 quit 4 Configure the position of C BSR and C RP Configure the position of C BSR and C RP on Switch A SwitchA ...

Page 1347: ...import route ospfv3 1 SwitchB bgp af ipv6 quit SwitchB bgp ipv6 family multicast SwitchB bgp af ipv6 mul peer 1001 1 enable SwitchB bgp af ipv6 mul import route ospfv3 1 SwitchB bgp af ipv6 mul quit SwitchB bgp quit 6 Verify the configuration You can use the display bgp ipv6 multicast peer command to display IPv6 MBGP peers on a switch For example display IPv6 MBGP peers on Switch B SwitchB displa...

Page 1348: ...n Prerequisites 1 15 Enabling MLD Snooping Querier 1 15 Configuring MLD Queries and Responses 1 15 Configuring Source IPv6 Addresses of MLD Queries 1 17 Configuring MLD Snooping Proxying 1 17 Configuration Prerequisites 1 17 Enabling MLD Snooping Proxying 1 17 Configuring a Source IPv6 Address for the MLD Messages Sent by the Proxy 1 18 Configuring an MLD Snooping Policy 1 18 Configuration Prerequ...

Page 1349: ...ii MLD Snooping Proxying Configuration Example 1 32 Troubleshooting MLD Snooping 1 35 Switch Fails in Layer 2 Multicast Forwarding 1 35 Configured IPv6 Multicast Group Policy Fails to Take Effect 1 36 ...

Page 1350: ...stributed IRF device For introduction of IRF refer to IRF Configuration in the System Volume z EA boards such as LSQ1GP12EA and LSQ1TGX1EA do not support IPv6 features MLD Snooping Overview Multicast Listener Discovery Snooping MLD snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups Introduction to MLD Snooping By analyzing ...

Page 1351: ... Reducing Layer 2 broadcast packets thus saving network bandwidth z Enhancing the security of multicast traffic z Facilitating the implementation of per host accounting Basic Concepts in MLD Snooping MLD Snooping related ports As shown in Figure 1 2 Router A connects to the multicast source MLD snooping runs on Switch A and Switch B Host A and Host C are receiver hosts namely IPv6 multicast group ...

Page 1352: ...dynamic ports z On an MLD snooping enabled switch the ports that received MLD general queries with the source address other than 0 0 or IPv6 PIM hello messages are dynamic router ports For details about IPv6 PIM hello messages see IPv6 PIM Configuration of the IP Multicast Volume Aging timers for dynamic ports in MLD Snooping Table 1 1 Aging timers for dynamic ports in MLD snooping and related mes...

Page 1353: ...rt to the MLD querier in the following circumstances z Upon receiving an MLD query an IPv6 multicast group member host responds with an MLD report z When intended to join an IPv6 multicast group a host sends an MLD report to the MLD querier to announce that it is interested in the multicast information addressed to that IPv6 multicast group Upon receiving an MLD report the switch forwards it throu...

Page 1354: ...e switch does not know whether any other hosts attached to the port are still listening to that IPv6 multicast group address the switch does not immediately remove the port from the outgoing port list of the forwarding table entry for that group instead it resets the aging timer for the port Upon receiving an MLD done message from a host the MLD querier resolves the IPv6 multicast group address in...

Page 1355: ...g As shown in Figure 1 3 Switch A works as an MLD Snooping proxy As a host from the perspective of the querier Router A Switch A represents its attached hosts to send their membership reports and done messages to Router A Table 1 2 describes how an MLD Snooping proxy processes MLD messages Table 1 2 MLD message processing on an MLD snooping proxy MLD message Actions General query When receiving an...

Page 1356: ...d an MLD snooping switch processes IPv6 multicast protocol messages differently under different conditions specifically as follows 1 If only MLD is enabled or both MLD and IPv6 PIM are enabled on the switch the switch handles IPv6 multicast protocol messages in the normal way 2 In only IPv6 PIM is enabled on the switch z The switch broadcasts MLD messages as unknown messages in the VLAN z Upon rec...

Page 1357: ... Optional Configuring MLD Queries and Responses Optional Configuring MLD Snooping Querier Configuring Source IPv6 Addresses of MLD Queries Optional Enabling MLD Snooping Proxying Optional Configuring MLD Snooping Proxying Configuring a Source IPv6 Address for the MLD Messages Sent by the Proxy Optional Configuring an IPv6 Multicast Group Filter Optional Configuring IPv6 Multicast Source Port Filte...

Page 1358: ... aggregate interface view or port group view z For MLD snooping configurations made on a Layer 2 aggregate interface do not interfere with configurations made on its member ports nor do they take part in aggregation calculations configurations made on a member port of the aggregate group will not take effect until it leaves the aggregate group Configuring Basic Functions of MLD Snooping Configurat...

Page 1359: ... view vlan vlan id Configure the version of MLD snooping mld snooping version version number Optional Version 1 by default If you switch MLD snooping from version 2 to version 1 the system will clear all MLD snooping forwarding entries from dynamic joining and will z Keep forwarding entries from version 2 static G joining z Clear forwarding entries from version 2 static S G joining which will be r...

Page 1360: ...ulticast group and IPv6 multicast source addresses Configuring Aging Timers for Dynamic Ports If the switch receives no MLD general queries or IPv6 PIM hello messages on a dynamic router port the switch removes the port from the router port list when the aging timer of the port expires If the switch receives no MLD reports for an IPv6 multicast group on a dynamic member port the switch removes the...

Page 1361: ...data addressed to a particular IPv6 multicast group you can configure that port as a static member port for that IPv6 multicast group You can configure a port of a switch to be a static router port through which the switch can forward all IPv6 multicast data it received Follow these steps to configure static ports To do Use the command Remarks Enter system view system view interface interface type...

Page 1362: ...he multicast router will deem that no member of this IPv6 multicast group exists on the network segment and therefore will remove the corresponding forwarding path To avoid this situation from happening you can enable simulated joining on a port of the switch namely configure the port as a simulated member host for an IPv6 multicast group When an MLD query is received simulated host gives a respon...

Page 1363: ...ort to which more than one host is attached when one host leaves a multicast group the other hosts attached to the port and interested in the same multicast group will fail to receive multicast data for that group Therefore if the function of dropping unknown IPv6 multicast traffic is already enabled on the switch or in the VLANs the fast leave processing function should not be enabled Configuring...

Page 1364: ...itch in a VLAN where multicast traffic needs to be Layer 2 switched only and no Layer 3 multicast devices are present the Layer 2 switch will act as the MLD querier to send periodic MLD queries thus allowing multicast forwarding entries to be established and maintained at the data link layer Follow these steps to enable the MLD snooping querier To do Use the command Remarks Enter system view syste...

Page 1365: ...ses globally Follow these steps to configure MLD queries and responses globally To do Use the command Remarks Enter system view system view Enter MLD snooping view mld snooping Configure the maximum response time for MLD general queries max response time interval Optional 10 seconds by default Configure the MLD last member query interval last listener query interval interval Optional 1 second by d...

Page 1366: ...6 address of MLD query messages may affect MLD querier election within the segment Configuring MLD Snooping Proxying Configuration Prerequisites Before configuring MLD snooping proxying in a VLAN enable MLD snooping in the VLAN and prepare the following data z Source IPv6 address for the MLD reports sent by the proxy z Source IPv6 address for the MLD done messages sent by the proxy Enabling MLD Sn...

Page 1367: ...oping policy prepare the following data z IPv6 ACL rule for IPv6 multicast group filtering z The maximum number of IPv6 multicast groups that can pass the ports z 802 1p precedence for MLD messages Configuring an IPv6 Multicast Group Filter On a MLD snooping enabled switch the configuration of an IPv6 multicast group filter allows the service provider to define limits of multicast programs availab...

Page 1368: ...n any valid IPv6 multicast group Configuring IPv6 Multicast Source Port Filtering With the IPv6 multicast source port filtering feature enabled on a port the port can be connected with IPv6 multicast receivers only rather than with multicast sources because the port will block all IPv6 multicast data packets while it permits multicast protocol packets to pass If this feature is disabled on a port ...

Page 1369: ...ds it in the VLAN incurring network bandwidth waste and low forwarding efficiency Enabling dropping IPv6 multicast packets globally Follow these steps to enable dropping IPv6 multicast packets globally To do Use the command Remarks Enter system view system view Enter MLD snooping view mld snooping Enable dropping IPv6 multicast packets drop unknown Required Disabled by default Enabling dropping un...

Page 1370: ...ata packets Currently the S7900E supports processing unknown IPv6 multicast data packets destined for up to 1000 IPv6 unknown multicast addresses at a time The switch floods excessive unknown IPv6 multicast data packets directly z The S7900E supports the function of dropping unknown IPv6 multicast data packets configuring in up to 500 VLANs Configuring MLD Report Suppression When a Layer 2 device ...

Page 1371: ...umber of IPv6 multicast groups that can be joined on a port reaches the maximum number configured the system deletes all the forwarding entries persistent to that port from the MLD snooping forwarding table and the hosts on this port need to join IPv6 multicast groups again z If you have configured static or simulated joining on a port however when the number of IPv6 multicast groups on the port e...

Page 1372: ...p of ports Follow these steps to configure IPv6 multicast group replacement on a port or a group of ports To do Use the command Remarks Enter system view system view interface interface type interface number Enter Ethernet port ONU port Layer 2 aggregate interface view or port group view port group manual port group name Required Use either approach Enable IPv6 multicast group replacement mld snoo...

Page 1373: ...ted device display mld snooping group vlan vlan id slot slot number verbose Available in any view Display information about MLD Snooping multicast groups on a distributed IRF device display mld snooping group vlan vlan id chassis chassis number slot slot number verbose Available in any view Display the statistics information of MLD messages learned by MLD snooping display mld snooping statistics A...

Page 1374: ... accidentally temporarily stop receiving IPv6 multicast data Figure 1 4 Network diagram for IPv6 group policy simulated joining configuration Source Router A Switch A Receiver Receiver Host B Host A Host C GE2 0 1 GE2 0 4 GE2 0 2 GE2 0 3 MLD querier 1 1 64 GE2 0 1 2001 1 64 GE2 0 2 1 2 64 Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 addresses Enable IPv6 forwarding and confi...

Page 1375: ... group policy 2001 vlan 100 SwitchA mld snooping quit Configure GigabitEthernet 2 0 3 and GigabitEthernet 2 0 4 as simulated hosts for IPv6 multicast group FF1E 101 SwitchA interface gigabitethernet 2 0 3 SwitchA GigabitEthernet2 0 3 mld snooping host join ff1e 101 vlan 100 SwitchA GigabitEthernet2 0 3 quit SwitchA interface gigabitethernet 2 0 4 SwitchA GigabitEthernet2 0 4 mld snooping host join...

Page 1376: ...s static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the network To avoid data loops the forwarding path from Switch A to Switch C is blocked under normal conditions and IPv6 multicast traffic flows to the receivers attached to Switch C only along the path of Switch A Switch B Switch C z It is required to configure G...

Page 1377: ...erface and enable MLD on GigabitEthernet 2 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabitethernet 2 0 1 RouterA GigabitEthernet2 0 1 mld enable RouterA GigabitEthernet2 0 1 pim ipv6 dm RouterA GigabitEthernet2 0 1 quit RouterA interface gigabitethernet 2 0 2 RouterA GigabitEthernet2 0 2 pim ipv6 dm RouterA GigabitEthernet2 0 2 quit 3 Configure Switch A Enab...

Page 1378: ...ugh GigabitEthernet 2 0 5 to this VLAN and enable MLD snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 2 0 1 to gigabitethernet 2 0 5 SwitchC vlan100 mld snooping enable SwitchC vlan100 quit Configure GigabitEthernet 2 0 3 and GigabitEthernet 2 0 5 as static member ports for IPv6 multicast group FF1E 101 SwitchC interface gigabitethernet 2 0 3 SwitchC GigabitEthernet2 0 3...

Page 1379: ...isplay the detailed MLD snooping multicast group information in VLAN 100 on Switch C SwitchC display mld snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port unit board Mask 0x04 Router por...

Page 1380: ...oping is enabled on all the switches Switch A which is close to the multicast sources is chosen as the MLD snooping querier z To prevent flooding of unknown multicast traffic within the VLAN it is required to configure all the switches to drop unknown multicast data packets Figure 1 6 Network diagram for MLD snooping querier configuration Configuration procedure 1 Configure Switch A Enable IPv6 fo...

Page 1381: ...B vlan100 quit Configurations of Switch C and Switch D are similar to the configuration of Switch B 3 Verify the configuration When the MLD snooping querier starts to work all the switches but the querier receive MLD general queries Use the display mld snooping statistics command to view the statistics information of these MLD messages received Display the MLD message statistics on Switch B Switch...

Page 1382: ...re 1 Configure IPv6 addresses for interfaces Configure an IP address and prefix length for each interface as per Figure 1 7 The configuration steps are out the scope of this document 2 Configure Router A Enable IPv6 multicast routing enable IPv6 PIM DM on each interface and enable MLD on port GigabitEthernet 2 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabite...

Page 1383: ...about MLD snooping multicast groups on Switch A SwitchA display mld snooping group Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE2 0 1 D IP group s the following ip group s match to one mac group I...

Page 1384: ...otal 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE2 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 1 port GE2 0 4 D MAC group s MAC group address 3333 0000 0101 Host port s total 1 port GE2 0 4 Troubleshooting MLD Snooping Switch Fails in Layer 2 Multicast Forwarding Symptom A switch fails t...

Page 1385: ... Use the display acl ipv6 command to check the configured IPv6 ACL rule Make sure that the IPv6 ACL rule conforms to the IPv6 multicast group policy to be implemented 2 Use the display this command in MLD snooping view or the corresponding interface view to check whether the correct IPv6 multicast group policy has been applied If not use the group policy or mld snooping group policy command to app...

Page 1386: ...v6 Multicast VLAN 1 4 Configuring Port Based IPv6 Multicast VLAN 1 5 Configuration Prerequisites 1 5 Configuring User Port Attributes 1 5 Configuring IPv6 Multicast VLAN Ports 1 6 Configuring the Maximum Number of Forwarding Entries in IPv6 Multicast VLANs 1 7 Displaying and Maintaining IPv6 Multicast VLAN 1 8 IPv6 Multicast VLAN Configuration Examples 1 8 Sub VLAN Based Multicast VLAN Configurati...

Page 1387: ...lticast VLAN As shown in Figure 1 1 in the traditional IPv6 multicast programs on demand mode when hosts Host A Host B and Host C belonging to different VLANs require IPv6 multicast programs on demand service the Layer 3 device Router A needs to forward a separate copy of the multicast traffic in each user VLAN to the Layer 2 device Switch A This results in not only waste of network bandwidth but ...

Page 1388: ... 2 VLAN 3 VLAN 4 Switch A Receiver Host A Receiver Host B Receiver Host C IPv6 Multicast packets VLAN 2 VLAN 3 VLAN 4 VLAN 10 IPv6 Multicast VLAN After the configuration MLD snooping manages router ports in the IPv6 multicast VLAN and member ports in the sub VLANs When forwarding multicast data to Switch A Router A needs to send only one copy of multicast traffic to Switch A in the IPv6 multicast ...

Page 1389: ...ffic to all the member ports in the IPv6 multicast VLAN z For information about MLD Snooping router ports and member ports refer to MLD Snooping Configuration in the IP Multicast Volume z For information about VLAN tags refer to VLAN Configuration in the Access Volume IPv6 Multicast VLAN Configuration Task List Complete the following tasks to configure IPv6 multicast VLAN Configuration task Remark...

Page 1390: ...w Configure the specified VLAN as an IPv6 multicast VLAN and enter IPv6 multicast VLAN view multicast vlan ipv6 vlan id Required No IPv6 multicast VLAN configured by default Configure the specified VLAN s as sub VLAN s of the IPv6 multicast VLAN subvlan vlan list Required By default an IPv6 multicast VLAN has no sub VLANs z You cannot configure IPv6 multicast VLAN on a device with IP multicast rou...

Page 1391: ...nable MLD Snooping in all the user VLANs Configuring User Port Attributes Configure the user ports as hybrid ports to permit packets of the specified user VLAN to pass and configure the user VLAN to which the user ports belong as the default VLAN Configure the user ports to permit packets of the IPv6 multicast VLAN to pass and untag the packets Thus upon receiving multicast packets tagged with the...

Page 1392: ...in IPv6 multicast VLAN view Follow these steps to configure IPv6 multicast VLAN ports in IPv6 multicast VLAN view To do Use the command Remarks Enter system view system view Configure the specified VLAN as an IPv6 multicast VLAN and enter IPv6 multicast VLAN view multicast vlan ipv6 vlan id Required No IPv6 multicast VLAN configured by default Assign port s to the IPv6 multicast VLAN port interfac...

Page 1393: ...rwarding table for IPv6 multicast VLANs When the number of forwarding entries maintained for the IPv6 multicast VLANs reaches the threshold the device creates no more forwarding entries until some entries time out or get manually removed Follow these steps to configure the maximum number of entries in the forwarding table To do Use the command Remarks Enter system view system view Configure the ma...

Page 1394: ...LAN 2 through VLAN 4 respectively and Host A through Host C are attached to GigabitEthernet 2 0 2 through GigabitEthernet 2 0 4 of Switch A z The IPv6 multicast source sends IPv6 multicast data to the IPv6 multicast group FF1E 101 Host A Host B and Host C are receivers of the IPv6 multicast group z Configure the sub VLAN based IPv6 multicast VLAN feature so that Router A just sends IPv6 multicast ...

Page 1395: ... SwitchA mld snooping quit Create VLAN 2 and assign GigabitEthernet 2 0 2 to this VLAN SwitchA vlan 2 SwitchA vlan2 port gigabitethernet 2 0 2 SwitchA vlan2 quit The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2 Create VLAN 10 assign GigabitEthernet 2 0 1 to this VLAN and enable MLD Snooping in the VLAN SwitchA vlan 10 SwitchA vlan10 port gigabitethernet 2 0 1 Swit...

Page 1396: ...3333 0000 0101 Host port s total 1 port GE2 0 2 Vlan id 3 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 0 port IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 1 port GE2 0 3 D MAC group s MAC group address 3333 0000 0101 Host port s total 1 port GE2 0 3 Vlan id 4 Total 1 IP Group s Total 1 IP Source s ...

Page 1397: ...bitEthernet 2 0 1 and to Switch A through GigabitEthernet 2 0 2 z MLDv1 is required on Router A MLDv1 Snooping is required on Switch A Router A acts as the MLD querier z Switch A s GigabitEthernet 2 0 1 belongs to VLAN 10 GigabitEthernet 2 0 2 through GigabitEthernet 2 0 4 belong to VLAN 2 through VLAN 4 respectively and Host A through Host C are attached to GigabitEthernet 2 0 2 through GigabitEt...

Page 1398: ...nable IPv6 PIM DM on each interface and enable MLD on the host side interface GigabitEthernet 2 0 2 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabitethernet 2 0 1 RouterA GigabitEthernet2 0 1 ipv6 pim dm RouterA GigabitEthernet2 0 1 quit RouterA interface gigabitethernet 2 0 2 RouterA GigabitEthernet2 0 2 ipv6 pim dm RouterA GigabitEthernet2 0 2 mld enable 3 Conf...

Page 1399: ... similar The detailed configuration steps are omitted Configure VLAN 10 as an IPv6 multicast VLAN SwitchA multicast vlan ipv6 10 Assign GigabitEthernet 2 0 2 and GigabitEthernet 2 0 3 to IPv6 multicast VLAN 10 SwitchA ipv6 mvlan 10 port gigabitethernet 2 0 2 to gigabitethernet 2 0 3 SwitchA ipv6 mvlan 10 quit Assign GigabitEthernet 2 0 4 to IPv6 multicast VLAN 10 SwitchA interface gigabitethernet ...

Page 1400: ...rt GE2 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 3 port GE2 0 2 D GE2 0 3 D GE2 0 4 D MAC group s MAC group address 3333 0000 0101 Host port s total 3 port GE2 0 2 GE2 0 3 GE2 0 4 As shown above MLD Snooping is maintaining router ports and member ports in VLAN 10 ...

Page 1401: ...PE MPLS Basics MPLS integrates both Layer 2 fast switching and Layer 3 routing and forwarding satisfying the networking requirements of various new applications This document describes z MPLS Overview z MPLS Configuration Basics z LDP Overview z Configuring MPLS Basic Capability z Configuring Static LSP z Configuring MPLS LDP MPLS L2VPN MPLS L2VPN provides Layer 2 VPN services on the MPLS network ...

Page 1402: ...s over public networks This document describes z VPLS Overview z Configuring VPLS Instances z Binding VPLS Instances z Configuring VPLS Attributes MPLS TE Combining the MPLS technology and traffic engineering MPLS TE provides a simple more scalable traffic engineering solution This document describes z MPLS TE Overview z Configuring MPLS TE Basic Capability z Configuring MPLS TE Tunnels with Stati...

Page 1403: ...nge between a MCE and a Site 2 3 Configuring to Use Static Routes between a MCE and a Site 2 3 Configuring to Use RIP between a MCE and a Site 2 4 Configuring to Use OSPF between a MCE and a Site 2 4 Configuring to Use IS IS between a MCE and a Site 2 5 Configuring to Use EBGP between a MCE and a Site 2 6 Configuring Route Exchange between a MCE and a PE 2 8 Configuring Route Exchange between a MC...

Page 1404: ...y and convenient support for MPLS QoS and MPLS TE Hence it is widely used The BGP MPLS VPN model consists of three kinds of devices z Customer edge device CE A CE resides on a customer network and has one or more interfaces directly connected with service provider networks It can be a router a switch or a host It neither can sense the existence of any VPN nor needs to support MPLS z Provider edge ...

Page 1405: ... the ingress LSR the egress PE functions as the egress LSR while P routers function as the transit LSRs You can use S7900E series switches as the CEs in a BGP MPLS VPN implementation BGP MPLS VPN Concepts Site Site is often mentioned in the VPN whose meanings are described as follows z A site is a group of IP systems with IP connectivity that does not rely on any service provider network to implem...

Page 1406: ...es the route distinguisher RD route filtering policy and member interface list LFIBs of VPN instances exist on only PEs supporting MPLS No LFIBs of VPN instances exist on MCE capable devices VPN IPv4 address Traditional BGP cannot process VPN routes which have overlapping address spaces If for example both VPN 1 and VPN 2 use addresses in the segment 10 110 10 0 24 and advertise a route to the seg...

Page 1407: ...ent of VPN routing information A VPN instance on a PE supports two types of VPN target attributes z Export target attribute A local PE sets this type of VPN target attribute for VPN IPv4 routes learnt from directly connected sites before advertising them to other PEs z Import target attribute A PE checks the export target attribute of VPN IPv4 routes advertised by other PEs If the export target at...

Page 1408: ...VLAN interface 2 can be bound to VPN 1 and VLAN interface 3 can be bound to VPN 2 When receiving a piece of routing information MCE determines the source of the routing information according to the number of the interface receiving the information and then maintains the corresponding routing table accordingly You need to also to bind the interfaces to the VPNs on PE 1 in the same way as those on t...

Page 1409: ...me binding configured on CE and site private network routes of different VPNs can be exchanged between CEs and sites through different RIP processes thus isolating and securing VPN routes OSPF An S7900E switch can bind OSPF processes to VPN instances and isolate the routes of different VPNs Note that For an OSPF process bound to a VPN instance the router ID of the public network configured in syst...

Page 1410: ...To use EBGP to exchange private routes between a CE and a site you need to configure BGP peers for VPN instances on CEs and import IGP routing information from corresponding VPNs Normally sites reside in different ASs so EBGP is used for route exchange In this case the following configurations are needed 1 Configuring to use EBGP to import IGP routes from each site To advertise private network rou...

Page 1411: ...1 8 z RIP z OSPF z IS IS z EBGP For information on how to configure the routing protocols and how to import routes refer to the IP Routing Volume ...

Page 1412: ...e is an integration of the VPN membership and routing rules of its corresponding site A VPN instance takes effect only after a route distinguisher RD is configured for it For a VPN instance with the RD not configured all the other settings except the description information are inaccessible The description information of a VPN instance can be used to record the relationship between the VPN instanc...

Page 1413: ... associated with a VPN instance Executing the ip binding vpn instance command invalidates the IP address configured for the current interface so you need to configure an IP address for an interface again after associating the interface with a VPN instance Configuring the Route related Attributes for a VPN Instance The process of advertising VPN routes is as follows z When the switch learns a VPN r...

Page 1414: ...routes matching the VPN target attribute are permitted z This attribute can be advertised with a route only when BGP runs between the MCE and the PE Otherwise this attribute is of no sense z The VPN target specified for a VPN instance on the MCE device must be same as that specified for the VPN instance on the PE device Configuring Route Exchange between a MCE and a Site Configuring Route Exchange...

Page 1415: ...igure RIP between a MCE and a site To do Use the command Remarks Enter system view system view Enable RIP for a VPN instance This operation also leads you to RIP view rip process id vpn instance vpn instance name Required This operation is performed on the MCE device As for the corresponding configuration on the site you can just enable RIP as usual Redistribute routes from the remote site adverti...

Page 1416: ...nfiguration on the site you can just enable OSPF as usual Configure the type codes of OSPF extended community attributes ext community type domain id type code1 router id type code2 route type type code3 Optional The defaults are as follows 0x0005 for Domain ID 0x0107 for Router ID and 0x0306 for Route Type z Router IDs of the public network configured in system view do not applies to OSPF process...

Page 1417: ...ter enabling IS IS for a VPN instance you need also to configure to use IS IS for routing information exchange Configuring to Use EBGP between a MCE and a Site 1 Configuration on the MCE device Follow these steps to configure an MCE device To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter BGP VPN instance view ipv4 family vpn instance vpn instance name ...

Page 1418: ...al AS number So do the routes advertised by the site In this case you need to configure to permit the routes with their AS numbers contained in their AS_PATH attributes being the local AS number on MCE devices for the routes advertised by the site to be received and processed by the MCE device 2 Configuration on the site The site configuration procedures vary with device model The following takes ...

Page 1419: ...r a VPN instance To do Use the command Remarks Enter system view system view ip route static dest address mask mask length gateway address interface type interface number gateway address vpn instance d vpn instance name gateway address preference preference value tag tag value description description text Define a static route for a VPN instance ip route static vpn instance s vpn instance name 1 6...

Page 1420: ...y the MCE device to the routing table of the PE Follow these steps to enable RIP for a VPN instance To do Use the command Remarks Enter system view system view Enable RIP for a VPN instance and enter RIP view rip process id vpn instance vpn instance name Required Set the default cost for imported routes default cost value Optional By default the cost for an imported route is 0 Import the VPN route...

Page 1421: ...te maintained by the MCE device to the routing table of the PE In IS IS routes discovered by other routing protocols are external routes While importing routes of other protocols you can specify the default cost value for the imported routes as well You can also apply filter policies for imported routes Follow these steps to configure IS IS to import external routes To do Use the command Remarks E...

Page 1422: ... filter policy acl number ip prefix ip prefix name export direct isis process id ospf process id rip process id static Optional By default no filter policy is applied Apply a filter policy for received routes filter policy acl number ip prefix ip prefix name import Optional By default no filter policy is applied Displaying and Maintaining MCE To do Use the command Remarks Display the IP routing ta...

Page 1423: ...statistic Available in any view Perform a soft reset of the BGP connections in a specified VPN instance refresh bgp vpn instance vpn instance name ip address all external group group name export import Available in user view Reset the BGP connections of a VPN instance reset bgp vpn instance vpn instance name as number ip address all external group group name Available in user view Clear the route ...

Page 1424: ...and advertises all the VPN routes to the PE device using OSPF Network diagram Figure 2 1 Network diagram for MCE configuration A CE Site 1 VPN2 PE PE PE VPN 2 VR2 VPN1 VR1 MCE GE2 0 18 GE2 0 10 Vlan int10 10 214 10 3 192 168 0 0 GE2 0 20 Vlan int20 10 214 20 3 RIP 192 168 10 0 CE VPN 1 Site2 GE2 0 3 Vlan int30 10 214 30 1 Vlan int40 10 214 40 1 Configuration procedure For distinguish devices assum...

Page 1425: ...rresponding VLAN interfaces Then bind VLAN 30 to VPN 1 and VLAN 40 to VPN 2 and configure IP addresses of the VLAN interfaces MCE vlan 30 MCE vlan30 quit MCE interface Vlan interface 30 MCE Vlan interface30 ip binding vpn instance vpn1 MCE Vlan interface30 ip address 10 214 30 1 30 MCE Vlan interface30 quit MCE vlan 40 MCE vlan40 quit MCE interface Vlan interface 40 MCE Vlan interface40 ip binding...

Page 1426: ...nd advertise the network segments 192 168 10 0 and 10 214 20 0 VR2 system view VR2 rip 20 VR2 rip 20 network 192 168 10 0 VR2 rip 20 network 10 0 0 0 RIP is running within VPN2 so you can configure RIP on MCE and involve the RIP on MCE in the routing computation in the site to update the routing information automatically Create RIP process 20 disable automatic route summarization redistribute rout...

Page 1427: ...s are omitted here Configure Loopback0 of MCE and CE to specify the router ID for MCE and PE respectively The IP addresses for Loopback0 of MCE and CE are 101 101 10 1 and 100 100 10 1 respectively Configuration procedures are omitted here Create OSPF process 10 on MCE bind the process to VPN1 and set the OSPF domain ID to 10 and enable OSPF multi instance MCE GigabitEthernet2 0 3 quit MCE ospf 10...

Page 1428: ...The information displayed below verifies the configuration PE display ip routing table vpn instance vpn2 display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinations 6 Routes 6 Destination Mask Proto Pre Cost NextHop Interface 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 10 214 40 0 24 Direct 0 0 10 214 40 1 Vlan40 10 214 40 2 32 Direct 0 0 127 ...

Page 1429: ... 10 1 and 20 1 for both the import and export extended community attribute list MCE system view MCE ip vpn instance vpn1 MCE vpn instance vpn1 route distinguisher 10 1 MCE vpn instance vpn1 vpn target 10 1 both MCE vpn instance vpn1 quit MCE ip vpn instance vpn2 MCE vpn instance vpn2 route distinguisher 20 1 MCE vpn instance vpn2 vpn target 20 1 both Create VLAN 2 add GigabitEthernet 2 0 10 to VLA...

Page 1430: ...ng vpn instance vpn2 MCE Vlan interface40 ip address 10 214 40 1 30 MCE Vlan interface40 quit z Configure the routing protocol running between MCE and a site The procedure of enabling OSPF in the two VPN instances and advertising the network segments is the same as that in normal OSPF and is omitted Create OSPF process 10 for MCE whose router ID is 10 10 10 1 bind the process to VPN1 Redistribute ...

Page 1431: ...0 0 127 0 0 1 InLoop0 172 16 20 0 24 OSPF 10 1 10 100 20 2 Vlan3 z Configure the routing protocol running between MCE and PE The procedure of connecting MCE to PE through trunk ports is similar to that in MCE Configuration Example A and is omitted here Create BGP process 10 for MCE MCE bgp 100 MCE bgp Enter IPv4 address family view in VPN1 MCE bgp ipv4 family vpn instance vpn1 MCE bgp vpn1 Configu...

Page 1432: ...ation procedures are omitted here Followed is the result of the above configurations PE display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 10 100 40 0 24 Direct 0 0 10 100 20 3 Vlan3 10 100 40 3 32 Direct 0 0 127 0 0 1 InLoop0 172 ...

Page 1433: ... Configuring PHP 1 18 Configuration Prerequisites 1 18 Configuration Procedure 1 18 Configuring a Static LSP 1 19 Configuration Prerequisites 1 19 Configuration Procedure 1 19 Configuring MPLS LDP 1 20 Configuration Prerequisites 1 20 MPLS LDP Configuration Task List 1 20 Configuring MPLS LDP Capability 1 21 Configuring Local LDP Session Parameters 1 21 Configuring Remote LDP Session Parameters 1 ...

Page 1434: ...28 Configuring MPLS Statistics 1 29 Setting the Interval for Reporting Statistics 1 29 Inspecting an MPLS LSP 1 30 Enabling MPLS Trap 1 30 Displaying and Maintaining MPLS 1 31 Resetting LDP Sessions 1 31 Displaying MPLS Operation 1 31 Displaying MPLS LDP Operation 1 32 Clearing MPLS Statistics 1 33 MPLS Configuration Examples 1 33 Example for Configuring LDP Sessions 1 33 Example for Configuring L...

Page 1435: ...ut MPLS TE refer to MPLS TE Configuration in the MPLS Volume z For detailed information about QoS refer to the QoS Volume z The S7900E Series Ethernet Switches are distributed devices supporting Intelligent Resilient Framework IRF Two S7900E series can be connected together to form a distributed IRF device If an S7900E series is not in any IRF it operates as a distributed device if the S7900E seri...

Page 1436: ...ired while a label can only represent a single FEC A label is carried in the header of a packet It does not contain any topology information and is local significant A label is four octets or 32 bits in length Figure 1 1 illustrates its format Figure 1 1 Format of a label A label consists of four fields z Label Label value of 20 bits Used as the pointer for forwarding z Exp For QoS three bits in l...

Page 1437: ...gress of the MPLS network to the egress It functions like a virtual circuit in ATM or frame relay Each node of an LSP is an LSR Label distribution protocol A label distribution protocol is a protocol used by MPLS for control It has the same functions as a signaling protocol on a traditional network It classifies FECs distributes labels and establishes and maintains LSPs MPLS supports multiple labe...

Page 1438: ...st out LIFO stack which is called a label stack A packet with multiple levels of labels can travel along more than one level of LSP tunnel The ingress and egress of each tunnel perform Push and Pop operations respectively on the top of a stack MPLS has no limit to the depth of a label stack For a label stack with a depth of m the label at the bottom is of level 1 while the label at the top has a l...

Page 1439: ...xt hop along the LSP 3 After receiving a packet each transit LSR looks up its Label Forwarding Information Base LFIB for the next hop according to the label of the packet swaps the label and then forwards the packet to the next hop None of the transit LSRs performs Layer 3 processing 4 When the egress LER receives the packet it removes the label of the packet and IP forwards the packet Obviously M...

Page 1440: ...g protocols such as IGPs and BGP LDP only uses the routing information indirectly it has no direct relationship with routing protocols On the other hand existing protocols such as BGP and RSVP can be extended to support label distribution In MPLS applications it may be necessary to extend some routing protocols For example MPLS based VPN applications requires that BGP be extended to propagate VPN ...

Page 1441: ...le for establishing LSPs between them managing VPN users and advertising routes among different branches of the same VPN Route advertisement among PEs is usually implemented by LDP or extended BGP MPLS based VPN supports IP address multiplexing between branches and interconnection between VPNs Compared with a traditional route a VPN route requires the branch and VPN identification information Ther...

Page 1442: ...more information refer to LDP Label Distribution Currently the S7900E series supports only the DU mode Label distribution control mode There are two label distribution control modes z Independent In this mode an LSR can advertise label bindings upstream at anytime A consequence of this mode is that an LSR may have advertised a label binding to the upstream LSR when it receives a binding from its d...

Page 1443: ...es the label from the packet and forwards the packet based on the network layer destination address In fact on a relatively simple MPLS application network the label of a packet is useless for the egress which only needs to forward the packet based on the network layer destination address In this case the penultimate hop popping PHP feature can pop the label at the penultimate node relieving the e...

Page 1444: ...ntil it reaches the destination router of the LSP where it is forwarded by IP routing Such processing increases the network traffic and the packet forwarding delay For description and configuration of P routers refer to MPLS L3VPN Configuration and MPLS L2VPN Configuration in the MPLS Volume For an MPLS packet with only one level of label the ICMP response message travels along the IP route when t...

Page 1445: ...ing paths directly and further establish LSPs LSPs can be established between both neighboring LSRs and LSRs that are not directly connected making label switching possible at all transit nodes on the network For detailed description about LDP refer to RFC 3036 LDP Specification LDP peer Two LSRs with an LDP session established between them and using LDP to exchange label bindings are called LDP p...

Page 1446: ... of 1 means that the label space is per interface a label space ID of 0 means that the label space is per platform Currently only per platform label space is supported LDP Label Distribution Figure 1 7 illustrates how LDP distributes labels Figure 1 7 Label distribution LER LSR A LSR B LSR D LSR C LSR E LSR F LSR G LSR H Ingress Egress Label request LSP1 LSP2 Label mapping In Figure 1 7 B is the u...

Page 1447: ...ng LSRs periodically announcing its presence This way LSRs can automatically find their peers without manual configuration LDP provides two discovery mechanisms z Basic discovery mechanism The basic discovery mechanism is used to discover local LDP peers that is LSRs directly connected at link layer and to further establish local LDP sessions Using this mechanism an LSR periodically sends LDP link...

Page 1448: ... a label to the FEC and sends the new label binding information to its own upstream LSRs 4 When the ingress LER receives the label binding message it adds an entry in its LFIB Thus an LSP is established for the FEC and packets of the FEC can be label switched along the LSP Session termination LDP checks Hello messages to determine adjacency and checks Keepalive messages to determine the integrity ...

Page 1449: ...pstream neighbor based on the split horizon mechanism The LDP label filtering feature allows the LDP protocol to accept and advertise label bindings selectively It provides two filtering mechanisms label acceptance control or inbound filtering for the inbound direction and label advertisement control or outbound filtering for the outbound direction as described below Label acceptance control On an...

Page 1450: ... To support GR a GR device must backup the FECs and label information When an LDP session is GR capable 1 Whenever the GR restarter restarts a GR helper will detect that the related LDP session is down and will keep its neighborship with the GR restarter and retain information about the session until the reconnect timer times out 2 If the GR helper receives a session request from the GR restarter ...

Page 1451: ...ces z Assigning IP addresses to relevant interfaces z Configuring static routes or an IGP protocol ensuring that LSRs can reach each other at Layer 3 MPLS basic capability can be configured on LSRs even when LSRs cannot reach each other However you need to configure the mpls ldp transport address command in this case For details about the command refer to MPLS Basics Commands in the MPLS Volume Co...

Page 1452: ...e VLAN tag 14 bytes for the Ethernet frame header For descriptions of the jumboframe function refer to Ethernet Port Configuration in the Access Volume Configuring PHP Configure PHP on an egress and select the type of labels for the egress to distribute based on whether the penultimate hop supports PHP Configuration Prerequisites Before configuring PHP be sure to complete the following task z Conf...

Page 1453: ...r layer label the switch will forward the packet based on the inner layer label otherwise the switch will forward the packet based on the IP address Configuring a Static LSP An LSP can be static or dynamic A static LSP is manually configured while a dynamic LSP is established by MPLS LDP For a static LSP to work all LSRs along the LSP must be configured properly Static LSPs can be used in MPLS L2V...

Page 1454: ...ent in the routing table you also need to specify the next hop when configuring the static IP route z The value of the next hop addr argument cannot be any local public network IP address z For information about configuring a static IP route refer to Static Routing Configuration in the IP Routing Volume Configuring MPLS LDP Configuration Prerequisites Before configuring LDP be sure to complete the...

Page 1455: ...ons will be deleted z Usually you do not need to configure the LDP LSR ID which defaults to the MPLS LSR ID In some VPN applications for example MPLS L3VPN applications however you need to ensure that different LDP instances have different LDP LSR IDs if the address spaces overlap Otherwise the TCP connections cannot be established normally Configuring Local LDP Session Parameters You can configur...

Page 1456: ...mote peer name Required Configure the remote peer IP address remote ip ip address Required Configure LDP to advertise prefix based labels through a remote session prefix label advertise Optional By default LDP does not advertise prefix based labels through a remote session Set the targeted Hello timer mpls ldp timer hello hold value Optional 45 seconds by default Set the targeted Keepalive timer m...

Page 1457: ... Static and IGP routes permitted by an IP address prefix list Follow these steps to configure the policy for triggering LSP establishment To do Use the command Remarks Enter system view system view Enter MPLS view mpls Configure the LSP establishment triggering policy lsp trigger vpn instance vpn instance name all ip prefix prefix name Optional By default only local loopback addresses with 32 bit ...

Page 1458: ...ring LDP Loop Detection Follow these steps to configure LDP loop detection To do Use the command Remarks Enter system view system view Enable LDP capability globally and enter MPLS LDP view mpls ldp Required Enable loop detection loop detect Required Disabled by default Set the maximum hop count hops count hop number Optional 32 by default Set the maximum path vector length path vectors pv number ...

Page 1459: ...l policy accept label peer peer id ip prefix ip prefix name Optional Not configured by default Configure a label advertisement control policy advertise label ip prefix ip prefix name peer peer ip prefix name Required Not configured by default Configuring LDP Instances LDP instances are for carrier s carrier networking applications of MPLS L3VPN You need to configure LDP capability for existing VPN...

Page 1460: ...urations in MPLS LDP view do not affect interfaces bound to VPN instances When configuring the transport address of an LDP instance you need to use the IP address of the interface bound to the VPN instance z By default LDP adjacencies on a private network are established using addresses of the LDP enabled interfaces while those on the public network are established using the LDP LSR ID Configuring...

Page 1461: ...hout main backup switchover you can restart MPLS LDP gracefully You are not recommended to perform this operation in normal cases Follow these steps to restart MPLS LDP gracefully To do Use the command Remarks Restart MPLS LDP gracefully graceful restart mpls ldp Required Available in user view Configuring BFD for MPLS LDP Bidirectional forwarding detection BFD provides a mechanism to quickly dete...

Page 1462: ... VPN packets carry two layers of labels outer and inner for transmission in the public network and private network respectively The LSQ1SRP1CB engine and EA series LPUs have to copy the IP TTL of private network packets to the inner label before they can copy the IP TTL to the outer label However SD series and EB series can copy the IP TTL of private packets to the outer label directly Specifying ...

Page 1463: ...n the TTL of an MPLS packet expires ttl expiration pop Specify that ICMP responses travel along the LSP when the TTL of an MPLS packet expires undo ttl expiration pop Optional Configure one of them as required By default ICMP response messages of an MPLS packet with a one level label stack travel along the IP route ICMP response messages of an MPLS packet with multiple levels of labels always trav...

Page 1464: ... MPLS trap function enabled trap packets of the notifications level will be generated to report critical MPLS events Such trap packets will be sent to the information center of the device Whether and where the packets will then be output depend on the configurations of the information center For information on how to configure the information center refer to Information Center Configuration in the...

Page 1465: ...t Available in any view Display information about ILM entries On a distributed stacking device display mpls ilm label chassis chassis number slot slot number include text Available in any view Display information about specified labels or all labels display mpls label label value1 to label value2 all Available in any view Display information about LSPs display mpls lsp incoming interface interface...

Page 1466: ...ics interface interface type interface number all Available in any view Displaying MPLS LDP Operation To do Use the command Remarks Display information about LDP display mpls ldp all verbose begin exclude include regular expression Available in any view Display the label advertisement information of the specified FEC display mpls ldp fec vpn instance vpn instance name dest addr mask length Availab...

Page 1467: ...ut a specified LDP instance display mpls ldp vpn instance vpn instance name begin exclude include regular expression Available in any view Clearing MPLS Statistics To do Use the command Remarks Clear MPLS statistics for one or all MPLS interfaces reset mpls statistics interface interface type interface number all Available in user view Clear MPLS statistics for all LSPs or the LSP with a specified...

Page 1468: ...uit SwitchA ospf 1 quit Configure Switch B Sysname system view Sysname sysname SwitchB SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 2 2 2 9 0 0 0 0 SwitchB ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 network 20 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit Configure Switch C Sysname system view Sysname sysname SwitchC ...

Page 1469: ...n the state of Full The following takes Switch A as an example SwitchA display ospf peer verbose OSPF Process 1 with Switch ID 1 1 1 9 Neighbors Area 0 0 0 0 interface 10 1 1 1 Vlan interface10 s neighbors Router ID 2 2 2 9 Address 10 1 1 2 GR State Normal State Full Mode Nbr is Master Priority 1 DR None BDR None MTU 1500 Dead timer due in 39 sec Neighbor is up for 00 02 13 Authentication Sequence...

Page 1470: ...sessions have been established or use the display mpls ldp peer command to check the peers The following takes Switch A as an example SwitchA display mpls ldp session LDP Session s in Public Network Total number of sessions 1 Peer ID Status LAM SsnRole FT MD5 KA Sent Rcv 2 2 2 9 0 Operational DU Passive Off Off 5 5 LAM Label Advertisement Mode FT Fault Tolerance SwitchA display mpls ldp peer LDP P...

Page 1471: ...9 0 3 3 3 9 Remote Peer peerc Example for Configuring LDP to Establish LSPs Network requirements On the network in Figure 1 10 an LSP is required between Switch A and Switch C Check the validity and reachability of the LSP Configuration procedure 1 Configure LDP sessions Refer to Example for Configuring LDP Sessions 2 Configure the LSP establishment triggering policy for LDP to establish LSPs For ...

Page 1472: ...ytes press CTRL_C to break Reply from 20 1 1 2 bytes 100 Sequence 1 time 1 ms Reply from 20 1 1 2 bytes 100 Sequence 2 time 1 ms Reply from 20 1 1 2 bytes 100 Sequence 3 time 1 ms Reply from 20 1 1 2 bytes 100 Sequence 4 time 1 ms Reply from 20 1 1 2 bytes 100 Sequence 5 time 1 ms FEC LDP IPV4 PREFIX 3 3 3 9 32 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip ...

Page 1473: ...e peer switchb SwitchA mpls ldp remote switchb remote ip 2 2 2 9 SwitchA mpls ldp remote switchb remote ip bfd SwitchA mpls ldp remote switchb quit SwitchA mpls ldp remote peer switchc SwitchA mpls ldp remote switchc remote ip 3 3 3 9 SwitchA mpls ldp remote switchc remote ip bfd SwitchA mpls ldp remote switchc quit SwitchA vlan 12 SwitchA vlan12 port gigabitethernet 2 0 2 SwitchA vlan12 quit Swit...

Page 1474: ... id 3 3 3 9 SwitchC mpls SwitchC mpls quit SwitchC mpls ldp SwitchC mpls ldp quit SwitchC mpls ldp remote peer switcha SwitchC mpls ldp remote switcha remote ip 1 1 1 9 SwitchC mpls ldp remote switcha remote ip bfd SwitchC mpls ldp remote switcha quit SwitchC vlan 13 SwitchC vlan13 port gigabitethernet 2 0 1 SwitchC vlan13 quit SwitchC interface vlan interface 13 SwitchC Vlan interface13 mpls Swit...

Page 1475: ...0 255 SwitchA ospf 1 area 0 0 0 0 network 13 1 1 1 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 network 1 1 1 9 0 0 0 0 SwitchA ospf 1 area 0 0 0 0 quit SwitchA ospf 1 quit Configure OSPF basic capability on Switch B SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 12 1 1 2 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 network 2 2 2 9 0 0 0 0 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 ...

Page 1476: ...tchB vsi vpna ldp quit SwitchB vsi vpna quit Configure a VSI instance on Switch C SwitchC mpls l2vpn SwitchC vsi vpna static SwitchC vsi vpna pwsignal ldp SwitchC vsi vpna ldp vsi id 100 SwitchC vsi vpna ldp peer 1 1 1 9 upe SwitchC vsi vpna ldp quit SwitchC vsi vpna quit 5 Verify the configuration Use the display bfd session verbose command on Switch A to display the detailed BFD session informat...

Page 1477: ...otal 2 connection s connection s 1 up 1 block 0 down VSI Name vpna Signaling ldp VsiID VsiType PeerAddr InLabel OutLabel LinkID VCState 100 vlan 2 2 2 9 134312 138882 1 up 100 vlan 3 3 3 9 134216 140476 2 block Use the display vpls fib vsi vpna verbose command to display the forwarding table information of the VPLS instance of Switch A SwitchA display vpls fib vsi vpna verbose VSI Name vpna VSI In...

Page 1478: ...naling ldp VsiID VsiType PeerAddr InLabel OutLabel LinkID VCState 100 vlan 2 2 2 9 134312 138882 1 block 100 vlan 3 3 3 9 134216 140476 2 up SwitchA display vpls fib vsi vpna verbose VSI Name vpna VSI Index 0 Link ID 1 Role Primary State Standy In Label 134312 Out Label 138882 TnlType LDP LSP MTU 1500 Tunnel ID 0x1130214 Next Hop 12 1 1 2 Out IfIndex 61997067 Link ID 2 Role Backup State Active In ...

Page 1479: ...ing Martini MPLS L2VPN 1 9 Configuration Prerequisites 1 9 Configuration Procedure 1 9 Configuring Kompella MPLS L2VPN 1 10 Configuration Prerequisites 1 10 Configuration Procedure 1 11 Configuring an MPLS L2VPN Connection Based on Layer 2 Ethernet Interface and VLAN 1 13 Configuration Prerequisites 1 13 Configuration Procedure 1 14 Displaying and Maintaining MPLS L2VPN 1 15 Displaying the Operati...

Page 1480: ... Frame Relay FR are quite popular They share the network infrastructure of carriers However they have some inherent disadvantages z Dependence on dedicated media To provide both ATM based and FR based VPN services carriers must establish two separate infrastructures across the whole service scope one ATM infrastructure and one FR infrastructure Apparently the cost is very high and the infrastructu...

Page 1481: ...ng information of users guaranteeing the security of the user VPN routing information z Support for multiple network layer protocols such as IP IPX and SNA Basic concepts of MPLS L2VPN In MPLS L2VPN the concepts and principles of CE PE and P are the same as those in MPLS L3VPN z Customer edge device CE A CE resides on a customer network and has one or more interfaces directly connected with servic...

Page 1482: ...col to advertise Layer 2 reachability information and VC labels The following sections describe these implementation methods for MPLS L2VPN in detail CCC MPLS L2VPN Unlike common MPLS L2VPN Circuit Cross Connect CCC employs just one level of label to transfer user data Therefore it uses label switched paths LSPs exclusively That is a CCC LSP can be used to transfer only the data of the CCC connect...

Page 1483: ...hat is the bidirectional virtual connection between VSIs A PW consists of two unidirectional MPLS virtual circuits VCs Martini MPLS L2VPN employs VC type and VC ID to identify a VC The VC type indicates the encapsulation type of the VC which can be VLAN The VC ID uniquely identifies the VC among the VCs of the same VC type on a PE The PEs connecting the two CEs of a VC exchange VC labels through L...

Page 1484: ...ve some labels for the VPN for future use This wastes some label resources in a short term but can reduce the VPN deployment and configuration workload in the case of expansion Imagine that an enterprise VPN contains 10 CEs and the number may increase to 20 in future service expansion In this case you can set the CE range of each CE to 20 Thus when you need to add a CE to the VPN later you only ne...

Page 1485: ...e these encapsulation types z Ethernet z VLAN Configuring a PE Interface Connecting a CE to Use Ethernet z An Ethernet interface can use the encapsulation type of Ethernet For Ethernet interface configuration information refer to Ethernet Port Configuration in the Access Volume z A VLAN interface using the link type of access can use the encapsulation type of Ethernet For configuration information...

Page 1486: ...t a point to point link for example when the outgoing interface is a VLAN interface you need to specify the IP address of the next hop If not you need to specify the outgoing interface Configuration Procedure Configuring the remote CCC connection 1 Configure the PEs Follow these steps to configure a PE To do Use the command Remarks Enter system view system view Create a remote CCC connection betwe...

Page 1487: ... used Configuration Prerequisites Before configuring SVC MPLS L2VPN complete these tasks z Configuring IGP on the PEs and P devices to guarantee the IP connectivity of the MPLS backbone z Configuring MPLS basic capability and MPLS LDP for the MPLS backbone on the PEs and P devices to establish LDP LSPs z Enabling MPLS L2VPN on the PEs z For VLAN access configuring a subinterface for ATM access con...

Page 1488: ...o establish a remote session between the two PEs so that VC FECs and VC labels can be transferred through the session Configuration Prerequisites Before configuring Martini MPLS L2VPN complete these tasks z Configuring IGP on the PEs and P devices to guarantee the IP connectivity of the MPLS backbone z Configuring MPLS basic capability and MPLS LDP for the MPLS backbone on the PEs and P devices to...

Page 1489: ...ID conflicts Configuring Kompella MPLS L2VPN Kompella MPLS L2VPN uses extended BGP as the signaling protocol to transfer L2VPN information between PEs To create a Kompella local connection you only need to configure the VPN and CE connection on the PE Neither IGP nor BGP L2VPN capability is required Configuration Prerequisites Before configuring Kompella MPLS L2VPN complete these tasks z Configuri...

Page 1490: ...cy vpn target Optional Enabled by default Enable the specified peer or peers to exchange BGP routing information of the BGP L2VPN address family peer group name ip address enable Required For information about the configuration of BGP L2VPN address family refer to MPLS L3VPN Configuration in the MPLS Volume Configuring VPN Follow these steps to configure VPN To do Use the command Remarks Enter sys...

Page 1491: ...u do not specify the CE offset the following are true z For the first connection of the CE the CE offset is the value specified by the default offset parameter in the ce command z For any other connection of the CE the CE offset is that of the former connection plus 1 z When planning a VPN you are recommended to encode CE IDs in incremental sequence starting from 1 When configuring connections you...

Page 1492: ...he inbound Layer 2 Ethernet interfaces and the VLAN tags in the packets In other words only packets that are received on the same Layer 2 Ethernet interface and carry the same VLAN tag are forwarded through the same MPLS L2VPN connection To configure a connection based on Layer 2 Ethernet interface and VLAN you need to create a service instance on the Layer 2 Ethernet interface configure a packet ...

Page 1493: ...face type interface number Create a service instance and enter service instance view service instance instance id Required By default no service instance is created Configure a packet matching rule for the service instance encapsulation s vid vlan list Required By default no packet matching rule is configured for the service instance Create a Martini MPLS L2VPN connection based on Layer 2 Ethernet...

Page 1494: ...connections display mpls l2vpn connection vpn name vpn name remote ce ce id down up verbose summary interface interface type interface number Available in any view Display information about L2VPN in the BGP routing table display bgp l2vpn all group group name peer ip address verbose route distinguisher rd ce id ce id label offset label offset Available in any view Display L2VPN information on a PE...

Page 1495: ...d between CE 1 and CE 2 The main steps for configuring a CCC remote connection are z Create remote CCC connections on the PEs No static LSP is required on the PEs z Configure two static LSPs on the P device for packets to be transferred in both directions Figure 1 3 Network diagram for configuring a remote CCC connection CE 1 CE 2 Remote CCC connection PE 1 PE 2 P Vlan int30 Vlan int30 Vlan int20 ...

Page 1496: ... using the interface connecting CE 1 as the incoming interface and that connecting the P device as the outgoing interface setting the incoming label to 100 and the outgoing label to 200 PE1 ccc ce1 ce2 interface vlan interface 10 in label 100 out label 200 next hop 10 1 1 2 3 Configure the P device Configure the LSR ID and enable MPLS globally Sysname system view Sysname sysname P P interface loop...

Page 1497: ...figure interface VLAN interface 20 and enable MPLS PE2 interface vlan interface 20 PE2 Vlan interface20 ip address 10 2 2 1 24 PE2 Vlan interface20 mpls PE2 Vlan interface20 quit Create a remote connection from CE 2 to CE 1 using the interface connecting CE 2 as the incoming interface and that connecting the P device as the outgoing interface setting the incoming label to 201 and the outgoing labe...

Page 1498: ...ttl 255 time 60 ms 100 1 1 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 10 76 180 ms Example for Configuring SVC MPLS L2VPN Network requirements z CEs are connected to PEs through VLAN interfaces z An SVC MPLS L2VPN is established between CE 1 and CE 2 Figure 1 4 Network diagram for configuring SVC MPLS L2VPN Device Interface IP address Devic...

Page 1499: ...Back0 ip address 192 2 2 2 32 PE1 LoopBack0 quit PE1 mpls lsr id 192 2 2 2 PE1 mpls Configure the LSP establishment triggering policy PE1 mpls lsp trigger all PE1 mpls quit Enable MPLS L2VPN and LDP globally PE1 mpls l2vpn PE1 mpls ldp PE1 mpls ldp quit Configure the interface connected with the P device namely VLAN interface 20 and enable LDP on the interface PE1 interface vlan interface 20 PE1 V...

Page 1500: ...ace P interface vlan interface 20 P Vlan interface20 ip address 10 1 1 2 24 P Vlan interface20 mpls P Vlan interface20 mpls ldp P Vlan interface20 quit Configure the interface connected with PE 2 namely VLAN interface 30 and enable LDP on the interface P interface vlan interface 30 P Vlan interface30 link protocol ppp P Vlan interface30 ip address 10 2 2 2 24 P Vlan interface30 mpls P Vlan interfa...

Page 1501: ... 0 0 0 0 network 10 2 2 1 0 0 0 255 PE2 ospf 1 area 0 0 0 0 network 192 3 3 3 0 0 0 0 PE2 ospf 1 area 0 0 0 0 quit PE2 ospf 1 quit On the interface connecting CE 2 namely VLAN interface 10 create an SVC MPLS L2VPN connection The interface requires no IP address PE2 interface vlan interface 10 PE2 Vlan interface10 mpls static l2vc destination 192 2 2 2 transmit vpn label 200 receive vpn label 100 P...

Page 1502: ...0 ms Reply from 100 1 1 2 bytes 56 Sequence 4 ttl 255 time 140 ms Reply from 100 1 1 2 bytes 56 Sequence 5 ttl 255 time 80 ms 100 1 1 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 80 126 150 ms Example for Configuring Martini MPLS L2VPN Network requirements z CEs are connected to PEs through VLAN interfaces z A Martini MPLS L2VPN is establishe...

Page 1503: ...remote 1 remote ip 192 3 3 3 PE1 mpls ldp remote 1 quit Configure the interface connected with the P device namely VLAN interface 20 and enable LDP on the interface PE1 interface vlan interface 20 PE1 Vlan interface20 ip address 10 1 1 1 24 PE1 Vlan interface20 mpls PE1 Vlan interface20 mpls ldp PE1 Vlan interface20 quit Configure OSPF on PE 1 for establishing LSPs PE1 ospf PE1 ospf 1 area 0 PE1 o...

Page 1504: ...ldp P Vlan interface20 quit Configure the interface connected with PE 2 namely VLAN interface 30 and enable LDP on the interface P interface vlan interface 30 P Vlan interface30 ip address 10 2 2 2 24 P Vlan interface30 mpls P Vlan interface30 mpls ldp P Vlan interface30 quit Configure OSPF on the P device for establishing LSPs P ospf P ospf 1 area 0 P ospf 1 area 0 0 0 0 network 10 1 1 2 0 0 0 25...

Page 1505: ...f 1 area 0 PE2 ospf 1 area 0 0 0 0 network 192 3 3 3 0 0 0 0 PE2 ospf 1 area 0 0 0 0 network 10 2 2 0 0 0 0 255 PE2 ospf 1 area 0 0 0 0 quit PE2 ospf 1 quit On the interface connecting CE 2 namely VLAN interface 10 create a L2VPN connection The interface requires no IP address PE2 interface vlan interface 10 PE2 Vlan interface10 mpls l2vc 192 2 2 2 101 PE2 Vlan interface10 quit 5 Configure CE 2 Sy...

Page 1506: ... 1 2 bytes 56 Sequence 5 ttl 255 time 70 ms 100 1 1 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 30 50 70 ms Example for Configuring Kompella MPLS L2VPN on Switches Network requirements z CEs are connected to PEs through VLAN interfaces z A Kompella MPLS L2VPN is established between CE 1 and CE 2 Figure 1 6 Network diagram for configuring Kom...

Page 1507: ... Sysname system view Sysname sysname PE1 PE1 mpls l2vpn PE1 bgp 100 PE1 bgp peer 4 4 4 4 as number 100 PE1 bgp peer 4 4 4 4 connect interface loopback 0 PE1 bgp l2vpn family PE1 bgp af l2vpn policy vpn target PE1 bgp af l2vpn peer 4 4 4 4 enable PE1 bgp af l2vpn quit PE1 bgp quit Configure PE 2 Sysname system view Sysname sysname PE2 PE2 mpls l2vpn PE2 bgp 100 PE2 bgp peer 2 2 2 2 as number 100 PE...

Page 1508: ...ove configurations you can issue the display mpls l2vpn connection command on the PEs You should see that an L2VPN connection is established between the PEs and the connection is up CE 1 and CE 2 should be able to ping each other The following takes PE 1 as an example Display the MPLS L2VPN connection information on PE 1 PE1 display mpls l2vpn connection 1 total connections connections 1 up 0 down...

Page 1509: ...erface IP address Device Interface IP address CE 1 Vlan int10 100 1 1 1 24 P Loop0 192 4 4 4 32 PE 1 Loop0 192 2 2 2 32 Vlan int23 23 1 1 2 24 Vlan int23 23 1 1 1 24 Vlan int26 26 2 2 2 24 CE 2 Vlan int10 100 1 1 2 24 PE 2 Loop0 192 3 3 3 32 Vlan int26 26 2 2 1 24 Ethernet interface and VLAN Configuration procedure 1 Configure CE 1 Sysname system view Sysname sysname CE1 CE1 interface vlan interfa...

Page 1510: ...stance and then establish an MPLS L2VPN connection PE1 interface gigabitethernet 2 0 1 PE1 GigabitEthernet2 0 1 port access vlan 10 PE1 GigabitEthernet2 0 1 service instance 1000 PE1 GigabitEthernet2 0 1 srv1000 encapsulation s vid 10 PE1 GigabitEthernet2 0 1 srv1000 xconnect peer 192 3 3 3 pw id 1000 PE1 GigabitEthernet2 0 1 srv1000 quit PE1 GigabitEthernet2 0 1 quit 3 Configure the P device Sysn...

Page 1511: ...pBack0 ip address 192 3 3 3 32 PE2 LoopBack0 quit Configure the LSR ID and enable MPLS globally PE2 mpls lsr id 192 3 3 3 PE2 mpls PE2 mpls quit Enable MPLS L2VPN and LDP globally PE2 mpls l2vpn PE2 mpls ldp PE2 mpls ldp quit Configure PE 2 to establish a remote LDP connection with PE 1 PE2 mpls ldp remote peer 2 PE2 mpls ldp remote 2 remote ip 192 2 2 2 PE2 mpls ldp remote 2 quit Configure the in...

Page 1512: ... CE 2 should be able to ping each other Display the L2VPN connection information on PE 1 PE1 display mpls l2vc Total ldp vc 1 1 up 0 down Transport Client Service VC Local Remote Tunnel VC ID Intf ID State VC Label VC Label Policy 1000 GE2 0 1 1000 up 8193 8192 default Display the L2VPN connection information on PE 2 PE2 display mpls l2vc Total ldp vc 1 1 up 0 down Transport Client Service VC Loca...

Page 1513: ... down and the remote VC label is invalid Analysis The reason the VC is down may be that the PEs are configured with different encapsulation types Solution z Check whether the local PE and the peer PE are configured with the same encapsulation type If not the connection is destined to fail z Check whether the PEs are configured with the Remote argument and whether the peer addresses are correctly c...

Page 1514: ... 26 Configuration Prerequisites 1 26 Configuring a VPN Instance 1 26 Configuring Route Advertisement between PE and CE 1 27 Configuring Route Advertisement Between PEs 1 31 Configuring Routing Features for BGP VPNv4 Subaddress Family 1 32 Configuring Inter Provider VPN 1 35 Configuration Prerequisites 1 35 Configuring Inter Provider VPN Option A 1 35 Configuring Inter Provider VPN Option B 1 36 Co...

Page 1515: ... MPLS L3VPNs 1 47 Example for Configuring Inter Provider VPN Option A 1 55 Example for Configuring Inter Provider VPN Option B 1 60 Example for Configuring Inter Provider VPN Option C 1 65 Example for Configuring Carrier s Carrier 1 71 Example for Configuring Nested VPN 1 79 Example for Configuring HoVPN 1 90 Example for Configuring OSPF Sham Links 1 96 Example for Configuring BGP AS Number Substi...

Page 1516: ... MPLS L3VPN Networking Schemes z MPLS L3VPN Routing Information Advertisement z Multi AS VPN z Carrier s Carrier z Nested VPN z HoVPN z OSPF VPN Extension z BGP AS Number Substitution Introduction to MPLS L3VPN MPLS L3VPN is a kind of PE based L3VPN technology for service provider VPN solutions It uses BGP to advertise VPN routes and uses MPLS to forward VPN packets on service provider backbones M...

Page 1517: ... information of a CE it uses BGP to exchange VPN routing information with other PEs A PE maintains routing information about only VPNs that are directly connected rather than all VPN routing information on the provider network A P router maintains only routes to PEs It does not need to know anything about VPN routing information When VPN traffic travels over the MPLS backbone the ingress PE functi...

Page 1518: ... the route distinguisher RD route filtering policy and member interface list VPN IPv4 address Traditional BGP cannot process VPN routes which have overlapping address spaces If for example both VPN 1 and VPN 2 use addresses on the segment 10 110 10 0 24 and each advertise a route to the segment BGP selects only one of them which results in loss of the other route PEs use MP BGP to advertise VPN ro...

Page 1519: ... information A VPN instance on a PE supports two types of VPN target attributes z Export target attribute A local PE sets this type of VPN target attribute for VPN IPv4 routes learnt from directly connected sites before advertising them to other PEs z Import target attribute A PE checks the export target attribute of VPN IPv4 routes advertised by other PEs If the export target attribute matches th...

Page 1520: ... the remote PEs Based on layer 1 labels VPN packets can be label switched along the LSPs to the remote PEs z Layer 2 labels Inner labels used for forwarding packets from the remote PEs to the CEs An inner label indicates to which site or more precisely to which CE the packet should be sent A PE finds the interface for forwarding a packet according to the inner label If two sites CEs belong to the ...

Page 1521: ...while that for VPN 2 is 200 1 The two VPN 1 sites can communicate with each other and the two VPN 2 sites can communicate with each other However the VPN 1 sites cannot communicate with the VPN 2 sites Hub and spoke networking scheme For a VPN where a central access control device is required and all users must communicate with each other through the access control device the hub and spoke network...

Page 1522: ...te with each other through the hub site z The import target attribute of any spoke PE is distinct from the export VPN targets of the other spoke PEs Therefore any two spoke PEs can neither directly advertise VPN IPv4 routes to each other nor directly access each other Extranet networking scheme The extranet networking scheme can be used when some resources in a VPN are to be accessed by users that...

Page 1523: ...MPLS L3VPN networking the advertisement of VPN routing information involves CEs and PEs A P router maintains only the routes of the backbone and does not need to know any VPN routing information A PE maintains only the routing information of the VPNs directly connected to it rather than that of all VPNs Therefore MPLS L3VPN has excellent scalability The VPN routing information of a local CE is adv...

Page 1524: ...e sites of a VPN may be connected to multiple ISPs in different ASs or to multiple ASs of an ISP Such an application is called multi AS VPN RFC 2547bis presents three inter provider VPN solutions z VRF to VRF ASBRs manage VPN routes between them through subinterfaces This solution is also called inter provider VPN option A z EBGP advertisement of labeled VPN IPv4 routes ASBRs advertise labeled VPN...

Page 1525: ...subinterface for each VPN also calls for higher performance of the PEs Inter provider VPN option B In this kind of solution two ASBRs use MP EBGP to exchange labeled VPN IPv4 routes that they have obtained from the PEs in their respective ASs As shown in Figure 1 8 the routes are advertised through the following steps 1 PEs in AS 100 advertise labeled VPN IPv4 routes to the ASBR PE of AS 100 or th...

Page 1526: ...ched agreement on the route exchange Inter provider VPN option C The above two kinds of solutions can satisfy the needs for inter provider VPNs However they require that the ASBRs maintain and advertise VPN IPv4 routes When every AS needs to exchange a great amount of VPN routes the ASBRs may become bottlenecks hindering network extension One way to solve the above problem is to make PEs directly ...

Page 1527: ...of the MPLS L3VPN service provider is also a service provider In this case the MPLS L3VPN service provider is called the provider carrier or the Level 1 carrier while the customer is called the customer carrier or the Level 2 carrier This networking model is referred to as carrier s carrier In this model the Level 2 service provider serves as a CE of the Level 1 service provider For good scalabili...

Page 1528: ... VPN routes of the Level 2 carrier but it does not advertise the routes to the PE of the Level 1 carrier it only exchanges the routes with other PEs of the Level 2 carrier A Level 2 carrier can be an ordinary ISP or an MPLS L3VPN service provider When the Level 2 carrier is an ordinary ISP its PEs run IGP to communicate with the CEs rather than MPLS As shown in Figure 1 11 PE 3 and PE 4 exchange V...

Page 1529: ...equest is to implement internal VPN configuration on the service provider s PEs This solution is easy to deploy but it increases the network operation cost and brings issues on management and security because z The number of VPNs that PEs must support will increase sharply z Any modification of an internal VPN must be done through the service provider The nested VPN technology offers a better solu...

Page 1530: ...VPNv4 routes which carry the comprehensive VPN information to the other PEs of the service provider 4 After another provider PE receives the VPNv4 routes it matches the VPNv4 routes based on its local VPNs Each local VPN accepts routes of its own and advertises them to its connected sub VPN CEs such as CE 3 and CE 4 or CE 5 and CE 6 in Figure 1 13 If a CE is connected to a provider PE through an I...

Page 1531: ...layer to the access layer the performance requirements on the devices reduce while the network expands MPLS L3VPN on the contrary is a plane model where performance requirements are the same for all PEs If a certain PE has limited performance or scalability the performance or scalability of the whole network is influenced Due to the above difference you are faced with the scalability problem when ...

Page 1532: ...s of its directly connected sites and advertises the labels to the SPE along with VPN routes through MP BGP z An SPE manages and advertises VPN routes It maintains all the routes of the VPNs connected through UPEs including the routes of both the local and remote sites An SPE advertises routes along with labels to UPEs including the default routes of VPN instances or summary routes and the routes ...

Page 1533: ... z HoVPN supports multi level recursion With recursion of HoPEs a VPN can be extended infinitely in theory Figure 1 15 Recursion of HoPEs Figure 1 15 shows a three level HoPE The PE in the middle is called the middle level PE MPE MP BGP runs between SPE and MPE as well as between MPE and UPE The term of MPE does not really exist in a HoVPN model It is used here just for the convenience of descript...

Page 1534: ...the MPLS VPN backbone That is if a VPN site contains an OSPF area 0 the PE connected with the CE must be connected with the area 0 in this VPN site through an area 0 the virtual link can be used for logical connection 2 BGP OSPF interaction With OSPF running between PEs and CEs PEs advertise VPN routes to each other through BGP and to CEs through OSPF With conventional OSPF two sites are considere...

Page 1535: ...and a VPN site is connected to multiple PEs when a PE advertises the BGP VPN routes learnt from MPLS BGP to the VPN site through LSAs the LSAs may be received by another PE resulting in a routing loop To avoid routing loops when creating Type 3 LSAs the PE always sets the flag bit DN for BGP VPN routes learnt from MPLS BGP regardless of whether the PE and the CEs are connected through the OSPF bac...

Page 1536: ...distributed into BGP as a VPN IPv4 route A sham link can be configured in any area You need to configure it manually In addition the local VPN instance must have a route to the destination of the sham link BGP AS Number Substitution Since BGP detects routing loops by AS number if EBGP runs between PEs and CEs you must assign different AS numbers to geographically different sites to ensure correct ...

Page 1537: ...multiple CEs through different interfaces such as PE 2 in Figure 1 18 which connects CE 2 and CE 3 For a multi homed CE that is a CE connected with multiple PEs the BGP AS number substitution function must be used in combination with the site of origin SOO function Otherwise routing loops may appear MPLS L3VPN Configuration Task List Complete the following tasks to conf Task Remarks Configuring VP...

Page 1538: ...site A VPN instance takes effect only after you configure an RD for it Before configuring an RD for a VPN instance you can configure no parameters for the instance other than a description A VPN instance description is a piece of descriptive information about the VPN instance You can use it to keep information such as the relationship of the VPN instance with a VPN Follow these steps to create and...

Page 1539: ... attribute of the VPN instance associated with the CE z The VPN instance determines which routes it can accept and redistribute according to the import extcommunity in the VPN target z The VPN instance determines how to change the VPN targets attributes for routes to be redistributed according to the export extcommunity in the VPN target Follow these steps to configure route related attributes of ...

Page 1540: ...d Remarks Enter system view system view Create a tunneling policy and enter tunneling policy view tunnel policy tunnel policy name Required Specify the priorities of tunnels and the number of tunnels for load balancing tunnel select seq cr lsp lsp load balance number number Required By default the LSP tunnel is used and the number of tunnels for load balancing is 1 z When you configure tunnel prio...

Page 1541: ...tion refer to the related sections in this chapter In configuring MPLS L3VPN the key task is to manage the advertisement of VPN routes on the MPLS backbone and includes the management of route advertisement between PEs and CEs and that between PEs As for the route exchange between a PE and a CE you can configure static routes multiple RIP instances multiple OSPF instances multiple IS IS instances ...

Page 1542: ...nt between PE and CE Route advertisement between PE and CE can depend on static routes RIP OSPF IS IS or EBGP You may choose one as needed Configuring static routes between PEs and CEs Follow these steps to configure static routes between PEs and CEs To do Use the command Remarks Enter system view system view ip route static dest address mask mask length gateway address interface type interface nu...

Page 1543: ...st start RIP by using the same method for starting a common RIP process z For description and detailed configuration about RIP refer to RIP Configuration in the IP Routing Volume Configuring OSPF between PE and CE An OSPF process that is bound to a VPN instance does not use the public network router ID configured in system view Therefore you need to specify the router ID when starting a process or...

Page 1544: ...fferent VPNs can be configured with domain IDs as desired The domain ID of an OSPF process is included in the routes generated by the process When an OSPF route is injected into BGP the OSPF domain ID is included in the BGP VPN route and delivered as a BGP extended community attribute z After configuring an OSPF instance you must start OSPF by using the same method for starting a common OSPF proce...

Page 1545: ...the local CEs import route protocol process id med med value route policy route policy name Required A PE needs to inject the routes of the local CEs into its VPN routing table so that it can advertise them to the peer PE Configure BGP to filter routes to be advertised filter policy acl number ip prefix ip prefix name export direct isis process id ospf process id rip process id static Optional By ...

Page 1546: ...import route protocol process id med med value route policy route policy name Optional A CE needs to advertise its routes to the connected PE so that the PE can advertise them to the peer CE z Exchange of BGP routes for a VPN instance is the same as that of ordinary BGP routes z The configuration task in BGP instance view is the same as that in BGP view For detailed information refer to BGP Config...

Page 1547: ...ddress family Every command in the following table has the same function on BGP routes for each type of the address families Follow these steps to configure common routing features for all types of subaddress families To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Configure the remote PE as the peer peer ip address as number as number Required Spe...

Page 1548: ... name ip address capability advertise orf ip prefix both receive send Optional By default the ORF capability is disabled on a BGP peer or peer group Enable VPN target filtering for received VPNv4 routes policy vpn target Optional Enabled by default Enable route reflection between clients reflect between clients Optional Enabled by default Specify the cluster ID of the RR reflector cluster id clust...

Page 1549: ...aspath filter number import export Optional By default no AS filtering list is applied to a peer or peer group Specify to advertise all default routes of a VPN instance to a peer or peer group peer group name ip address default route advertise vpn instance vpn instance name Optional By default no default route is advertised to a peer or peer group Apply a filtering policy to a peer or peer group p...

Page 1550: ... in the AS z Configuring basic MPLS capabilities for the MPLS backbones of each AS z Configuring MPLS LDP for the MPLS backbones so that LDP LSPs can be established z Configuring basic MPLS L3VPN for each AS When configuring basic MPLS L3VPN for each AS specific configurations may be required on PEs or ASBR PEs This depends on the inter provider VPN solution selected Configuring Inter Provider VPN...

Page 1551: ...d Return to system view quit Enter BGP view bgp as number Enter BGP VPNv4 subaddress family view ipv4 family vpnv4 Disable VPN target filtering for VPNv4 routes undo policy vpn target Required By default PE performs VPN target filtering of the received VPNv4 routes The routes surviving the filtering will be added to the routing table and the others are discarded In the inter provider VPN option B ...

Page 1552: ...een PEs of different ASs The PEs and ASBR PEs in an AS must be able to exchange labeled IPv4 routes Follow these steps to configure a PE for inter provider VPN option C To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure the ASBR PE in the same AS as the IBGP peer peer group name ip address as number as number Required Enable the PE to exchange labele...

Page 1553: ...Required By default the device does not advertise labeled routes to the IPv4 peer peer group Configure the ASBR PE to change the next hop to itself when advertising routes to PEs in the same AS peer group name ip address next hop local Required By default a BGP speaker does not use its address as the next hop when advertising a route to its IBGP peer peer group Configure the remote ASBR PE as the ...

Page 1554: ... with many VPNs if you want to implement layered management of VPNs and to conceal the deployment of internal VPNs nested VPN is a good solution By using nested VPN you can implement layered management of internal VPNs easily with a low cost and simple management operation Configuration Prerequisites Before configuring nested VPN configure the basic MPLS L3VPN capability Refer to Configuring Basic...

Page 1555: ... address ranges for sub VPNs of a user VPN cannot overlap z It is not recommended to give nested VPN peers addresses that public network peers use z Before specifying a nested VPN peer or peer group be sure to configure the corresponding CE peer or peer group in BGP VPN instance view z At present nested VPN does not support multi hop EBGP networking Therefore a service provider PE and its peer mus...

Page 1556: ...present in the local routing table or not z The default routes of a VPN instance can be advertised to only a BGP peer or peer group that is UPE z It is not recommended to configure the peer default route advertise vpn instance command and the peer upe route policy command at the same time z It is not recommended for an SPE to be connected to a CE directly If an SPE must be directly connected with ...

Page 1557: ...command Remarks Enter system view system view Enter BGP view bgp as number Required Enter BGP VPN instance view ipv4 family vpn instance vpn instance name Required Inject direct routes that is loopback host routes import route direct Required Creating a Sham Link Follow these steps to create a sham link To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id rou...

Page 1558: ...fore configuring BGP AS number substitution complete these tasks z Configuring basic MPLS L3VPN z Configuring CEs at different sites to have the same AS number Configuration Procedure When CEs at different sites have the same AS number you need to configure the BGP AS number substitution function to avoid route loss With the BGP AS number substitution function when a PE advertises a route to a CE ...

Page 1559: ...t BGP VPNv4 connections reset bgp vpnv4 as number ip address all external internal group group name Available in user view Displaying and Maintaining MPLS L3VPN To do Use the command Remarks Display information about the routing table associated with a VPN instance display ip routing table vpn instance vpn instance name verbose Available in any view Display information about a specified or all VPN...

Page 1560: ...nce vpn instance name peer group name log info ip address log info verbose verbose Available in any view Display the IP prefix information of the ORF packets received from the specified BGP peer display bgp vpnv4 all vpn instance vpn instance name peer ip address received ip prefix Available in any view Display all BGP VPNv4 routing information display bgp vpnv4 all routing table network address m...

Page 1561: ...ing table network address mask mask length longer prefixes as path acl as path acl number cidr community aa nn 1 13 no export s ubconfed no advertise no export whole match community list basic community list number whole match adv community list number 1 16 dampened dampening parameter different origin as flap info as path acl as path acl number network address mask longer match mask length longer...

Page 1562: ...nce name flap info ip address mask mask length as path acl as path acl number regexp as path regexp Available in user view For commands to display information about a routing table refer to IP Routing Table Commands in the IP Routing Volume MPLS L3VPN Configuration Examples Example for Configuring MPLS L3VPNs Network requirements z CE 1 and CE 3 belong to VPN 1 while CE 2 and CE 4 belong to VPN 2 ...

Page 1563: ...Vlan int11 172 2 1 2 24 CE 2 Vlan int1 10 2 1 1 24 Vlan int12 10 3 1 2 24 CE 3 Vlan int12 10 3 1 1 24 Vlan int13 10 4 1 2 24 CE 4 Vlan int13 10 4 1 1 24 Configuration procedure 1 Configure IGP on the MPLS backbone enabling the PEs and the P device to communicate Configure PE 1 PE1 system view PE1 interface loopback 0 PE1 LoopBack0 ip address 1 1 1 9 32 PE1 LoopBack0 quit PE1 interface vlan interfa...

Page 1564: ...E2 ospf 1 area 0 0 0 0 quit PE2 ospf 1 quit After you complete the above configurations OSPF adjacency should be established between PE 1 P and PE 2 Issuing the display ospf peer command you can see that the adjacency status is Full Issuing the display ip routing table command you can see that the PEs have learned the loopback route of each other The following takes PE 1 as an example PE1 display ...

Page 1565: ...nterface13 mpls ldp PE1 Vlan interface13 quit Configure the P device P mpls lsr id 2 2 2 9 P mpls P mpls quit P mpls ldp P mpls ldp quit P interface vlan interface 13 P Vlan interface13 mpls P Vlan interface13 mpls ldp P Vlan interface13 quit P interface vlan interface 11 P Vlan interface11 mpls P Vlan0interface11 mpls ldp P Vlan interface11 quit Configure PE 2 PE2 mpls lsr id 3 3 3 9 PE2 mpls PE2...

Page 1566: ...igure VPN instances on PEs to allow CEs to access Configure PE 1 PE1 ip vpn instance vpn1 PE1 vpn instance vpn1 route distinguisher 100 1 PE1 vpn instance vpn1 vpn target 111 1 PE1 vpn instance vpn1 quit PE1 ip vpn instance vpn2 PE1 vpn instance vpn2 route distinguisher 100 2 PE1 vpn instance vpn2 vpn target 222 2 PE1 vpn instance vpn2 quit PE1 interface vlan interface 11 PE1 Vlan interface11 ip b...

Page 1567: ...nstances configured 2 VPN Instance Name RD Create Time vpn1 100 1 2006 08 13 09 32 45 vpn2 100 2 2006 08 13 09 42 59 PE1 ping vpn instance vpn1 10 1 1 1 PING 10 1 1 1 56 data bytes press CTRL_C to break Reply from 10 1 1 1 bytes 56 Sequence 1 ttl 255 time 56 ms Reply from 10 1 1 1 bytes 56 Sequence 2 ttl 255 time 4 ms Reply from 10 1 1 1 bytes 56 Sequence 3 ttl 255 time 4 ms Reply from 10 1 1 1 by...

Page 1568: ...PE and CE and has reached the state of Established The following takes PE 1 and CE 1 as an example PE1 display bgp vpnv4 vpn instance vpn1 peer BGP local router ID 1 1 1 9 Local AS number 100 Total number of peers 1 Peers in established state 1 Peer AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 10 1 1 1 65410 11 9 0 1 00 06 37 Established 5 Configure MP IBGP peers between PEs Configure PE 1 PE1 bg...

Page 1569: ... 9 NULL0 PE1 display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinations 3 Routes 3 Destination Mask Proto Pre Cost NextHop Interface 10 2 1 0 24 Direct 0 0 10 2 1 2 Vlan12 10 2 1 2 32 Direct 0 0 127 0 0 1 InLoop0 10 4 1 0 24 BGP 255 0 3 3 3 9 NULL0 CEs of the same VPN should be capable of pinging each other whereas those of different VPNs should not For example CE 1 should be capa...

Page 1570: ...1 CE 2 AS 65001 AS 65002 PE 1 PE 2 ASBR PE 2 ASBR PE 1 MPLS backbone MPLS backbone AS 100 AS 200 Vlan int11 Vlan int11 Vlan int11 Vlan int12 Vlan int12 Vlan int13 Vlan int13 Vlan int12 Vlan int12 Device Interface IP address Device Interface IP address CE 1 Vlan int11 10 1 1 1 24 CE 2 Vlan int11 10 2 1 1 24 PE 1 Loop0 1 1 1 9 32 PE 2 Loop0 4 4 4 9 32 Vlan int11 10 1 1 2 24 Vlan int11 10 2 1 2 24 Vl...

Page 1571: ...sr id 1 1 1 9 PE1 mpls PE1 mpls quit PE1 mpls ldp PE1 mpls ldp quit PE1 interface vlan interface 12 PE1 Vlan interface12 mpls PE1 Vlan interface12 mpls ldp PE1 Vlan interface12 quit Configure MPLS basic capability on ASBR PE 1 and enable MPLS LDP on the interface connected to PE 1 ASBR PE1 system view ASBR PE1 mpls lsr id 2 2 2 9 ASBR PE1 mpls ASBR PE1 mpls quit ASBR PE1 mpls ldp ASBR PE1 mpls ldp...

Page 1572: ...nformation 3 Configure VPN instances on PEs to allow CEs to access The VPN targets for the VPN instances of the PEs must match those for the VPN instances of the ASBR PEs in the same AS It is not required for PEs in different ASs Configure CE 1 CE1 system view CE1 interface vlan interface 11 CE1 Vlan interface11 ip address 10 1 1 1 24 CE1 Vlan interface11 quit Configure PE 1 PE1 ip vpn instance vp...

Page 1573: ...ng the instance to the interface connected with ASBR PE 1 Note that ASBR PE 2 considers ASBR PE 1 its CE ASBR PE2 ip vpn instance vpn1 ASBR PE2 vpn vpn vpn1 route distinguisher 200 1 ASBR PE2 vpn vpn vpn1 vpn target 100 1 both ASBR PE2 vpn vpn vpn1 quit ASBR PE2 interface vlan interface 13 ASBR PE2 Vlan interface13 ip binding vpn instance vpn1 ASBR PE2 Vlan interface13 ip address 192 1 1 2 24 ASBR...

Page 1574: ...t PE1 bgp quit Configure ASBR PE 1 ASBR PE1 bgp 100 ASBR PE1 bgp ipv4 family vpn instance vpn1 ASBR PE1 bgp vpn1 peer 192 1 1 2 as number 200 ASBR PE1 bgp vpn1 quit ASBR PE1 bgp peer 1 1 1 9 as number 100 ASBR PE1 bgp peer 1 1 1 9 connect interface loopback 0 ASBR PE1 bgp ipv4 family vpnv4 ASBR PE1 bgp af vpnv4 peer 1 1 1 9 enable ASBR PE1 bgp af vpnv4 peer 1 1 1 9 next hop local ASBR PE1 bgp af v...

Page 1575: ... IS between them z PE 1 and ASBR PE 1 exchange labeled IPv4 routes by MP IBGP z PE 2 and ASBR PE 2 exchange labeled IPv4 routes by MP IBGP z ASBR PE 1 and ASBR PE 2 exchange labeled IPv4 routes by MP EBGP z ASBRs do not perform VPN target filtering of received VPN IPv4 routes Figure 1 21 Configure inter provider VPN option B on switches Loop0 Loop0 Loop0 Loop0 CE 1 CE 2 AS 65001 AS 65002 PE 1 PE 2...

Page 1576: ...and start IS IS on it PE1 interface loopback 0 PE1 LoopBack0 ip address 2 2 2 9 32 PE1 LoopBack0 isis enable 1 PE1 LoopBack0 quit Create VPN instance vpn1 and configure the RD and VPN target attributes PE1 ip vpn instance vpn1 PE1 vpn instance vpn1 route distinguisher 11 11 PE1 vpn instance vpn1 vpn target 1 1 2 2 3 3 import extcommunity PE1 vpn instance vpn1 vpn target 3 3 export extcommunity PE1...

Page 1577: ...PE1 Vlan interface12 ip address 1 1 1 1 255 0 0 0 ASBR PE1 Vlan interface12 isis enable 1 ASBR PE1 Vlan interface12 mpls ASBR PE1 Vlan interface12 mpls ldp ASBR PE1 Vlan interface12 quit Configure interface VLAN interface 13 and enable MPLS on it ASBR PE1 interface vlan interface 13 ASBR PE1 Vlan interface13 ip address 11 0 0 2 255 0 0 0 ASBR PE1 Vlan interface13 mpls ASBR PE1 Vlan interface13 qui...

Page 1578: ... PE2 Vlan interface12 ip address 9 1 1 1 255 0 0 0 ASBR PE2 Vlan interface12 isis enable 1 ASBR PE2 Vlan interface12 mpls ASBR PE2 Vlan interface12 mpls ldp ASBR PE2 Vlan interface12 quit Configure interface VLAN interface 13 and enable MPLS on it ASBR PE2 interface vlan interface 13 ASBR PE2 Vlan interface13 ip address 11 0 0 1 255 0 0 0 ASBR PE2 Vlan interface13 mpls ASBR PE2 Vlan interface13 qu...

Page 1579: ...an interface12 ip address 9 1 1 2 255 0 0 0 PE2 Vlan interface12 isis enable 1 PE2 Vlan interface12 mpls PE2 Vlan interface12 mpls ldp PE2 Vlan interface12 quit Configure interface Loopback 0 and start IS IS on it PE2 interface loopback 0 PE2 LoopBack0 ip address 5 5 5 9 32 PE2 LoopBack0 isis enable 1 PE2 LoopBack0 quit Create VPN instance vpn1 and configure the RD and VPN target attributes PE2 ip...

Page 1580: ... the network through PE 1 in AS 100 and Site 2 accesses the network through PE 2 in AS 600 z PEs in the same AS runs IS IS between them z PE 1 and ASBR PE 1 exchange labeled IPv4 routes by MP IBGP z PE 2 and ASBR PE 2 exchange labeled IPv4 routes by MP IBGP z PE 1 and PE 2 are MP EBGP peers z ASBR PE 1 and ASBR PE 2 use their respective routing policies and label the routes received from each othe...

Page 1581: ...S on it PE1 interface loopback 0 PE1 LoopBack0 ip address 2 2 2 9 32 PE1 LoopBack0 isis enable 1 PE1 LoopBack0 quit Create VPN instance vpn1 and configure the RD and VPN target attributes PE1 ip vpn instance vpn1 PE1 vpn instance vpn1 route distinguisher 11 11 PE1 vpn instance vpn1 vpn target 1 1 2 2 3 3 import extcommunity PE1 vpn instance vpn1 vpn target 3 3 export extcommunity PE1 vpn instance ...

Page 1582: ...igure LSR ID enable MPLS and LDP ASBR PE1 mpls lsr id 3 3 3 9 ASBR PE1 mpls ASBR PE1 mpls label advertise non null ASBR PE1 mpls quit ASBR PE1 mpls ldp ASBR PE1 mpls ldp quit Configure interface VLAN interface 11 start IS IS and enable MPLS and LDP on the interface ASBR PE1 interface vlan interface 11 ASBR PE1 Vlan interface11 ip address 1 1 1 1 255 0 0 0 ASBR PE1 Vlan interface11 isis enable 1 AS...

Page 1583: ...e capability Specify to use routing policy policy1 to filter routes advertised from EBGP peer 11 0 0 1 ASBR PE1 bgp peer 11 0 0 1 as number 600 ASBR PE1 bgp peer 11 0 0 1 route policy policy1 export Configure the capability to advertise labeled routes to EBGP peer 11 0 0 1 and to receive labeled routes from the peer ASBR PE1 bgp peer 11 0 0 1 label route capability ASBR PE1 bgp quit 3 Configure AS...

Page 1584: ...inject routes of IS IS process 1 ASBR PE2 bgp 600 ASBR PE2 bgp import route isis 1 Configure the capability to advertise labeled routes to IBGP peer 5 5 5 9 and to receive labeled routes from the peer ASBR PE2 bgp peer 5 5 5 9 as number 600 ASBR PE2 bgp peer 5 5 5 9 connect interface loopback 1 ASBR PE2 bgp peer 5 5 5 9 label route capability Specify to use routing policy policy2 to filter routes ...

Page 1585: ...tinguisher 11 11 PE2 vpn instance vpn1 vpn target 1 1 2 2 3 3 import extcommunity PE2 vpn instance vpn1 vpn target 3 3 export extcommunity PE2 vpn instance vpn1 quit Configure interface Loopback 1 and bind the interface to VPN instance vpn1 PE2 interface loopback 1 PE2 LoopBack1 ip binding vpn instance vpn1 PE2 LoopBack1 ip address 20 0 0 1 32 PE2 LoopBack1 quit Start BGP on PE 2 PE2 bgp 600 Confi...

Page 1586: ... 2 are devices of the Level 2 carrier and work as CE to access the Level 1 carrier backbone z PE 3 and PE 4 are devices of the Level 2 carrier and work as PE to provide access service for the customers of the Level 2 carrier z CE 3 and CE 4 are customers of the Level 2 carrier The key of the carrier s carrier configuration lies in the exchange process of two kinds of routes z The exchange of the i...

Page 1587: ... 4 4 4 9 32 Vlan int11 11 1 1 2 24 Vlan int12 30 1 1 2 24 Vlan int12 30 1 1 1 24 Vlan int11 21 1 1 1 24 Configuration procedure 1 Configure MPLS L3VPN on the Level 1 carrier backbone start IS IS as the IGP enable LDP between PE 1 and PE 2 and establish MP IBGP peer relationship between the PEs Configure PE 1 PE1 system view PE1 interface loopback 0 PE1 LoopBack0 ip address 3 3 3 9 32 PE1 LoopBack0...

Page 1588: ... that the BGP peer relationship has been established and has reached the state of Established Issuing the display isis peer command you should see that the IS IS neighbor relationship has been set up Take PE 1 as an example PE1 display mpls ldp session LDP Session s in Public Network Peer ID Status LAM SsnRole FT MD5 KA Sent Rcv 4 4 4 9 0 Operational DU Active Off Off 378 378 LAM Label Advertiseme...

Page 1589: ...12 mpls ldp PE3 Vlan interface12 mpls ldp transport address interface PE3 Vlan interface12 quit Configure CE 1 CE1 system view CE1 interface loopback 0 CE1 LoopBack0 ip address 2 2 2 9 32 CE1 LoopBack0 quit CE1 mpls lsr id 2 2 2 9 CE1 mpls CE1 mpls quit CE1 mpls ldp CE1 mpls ldp quit CE1 isis 2 CE1 isis 2 network entity 10 0000 0000 0000 0002 00 CE1 isis 2 quit CE1 interface loopback 0 CE1 LoopBac...

Page 1590: ...0 0000 0003 00 PE1 isis 2 import route bgp PE1 isis 2 quit PE1 interface vlan interface 11 PE1 Vlan interface11 ip binding vpn instance vpn1 PE1 Vlan interface11 ip address 11 1 1 2 24 PE1 Vlan interface11 isis enable 2 PE1 Vlan interface11 mpls PE1 Vlan interface11 mpls ldp PE1 Vlan interface11 mpls ldp transport address interface PE1 Vlan interface11 quit PE1 bgp 100 PE1 bgp ipv4 family vpn inst...

Page 1591: ...instance vpn1 vpn target 1 1 PE3 vpn instance vpn1 quit PE3 interface vlan interface 11 PE3 Vlan interface11 ip binding vpn instance vpn1 PE3 Vlan interface11 ip address 100 1 1 2 24 PE3 Vlan interface11 quit PE3 bgp 100 PE3 bgp ipv4 family vpn instance vpn1 PE3 bgp vpn1 peer 100 1 1 1 as number 65410 PE3 bgp vpn1 import route direct PE3 bgp vpn1 quit PE3 bgp quit The configurations for PE 4 and C...

Page 1592: ...0 127 0 0 1 InLoop0 30 1 1 2 32 Direct 0 0 30 1 1 2 Vlan12 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 Issuing the display ip routing table vpn instance command on PE 1 and PE 2 you should see that the internal routes of the Level 2 carrier network are present in the VPN routing tables but the VPN routes that the Level 2 carrier maintains are not Takes PE 1 a...

Page 1593: ... 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 Issuing the display ip routing table command on PE 3 and PE 4 you should see that the internal routes of the Level 2 carrier network are present in the public network routing tables Takes PE 3 as an example PE3 display ip routing table Routing Tables Public Destinations 11 Routes 11 Destination Mask Proto Pre Cost NextHop Interface 1 1 1 9 32 Direct 0 0 1...

Page 1594: ...0 1 1 1 bytes 56 Sequence 1 ttl 252 time 102 ms Reply from 120 1 1 1 bytes 56 Sequence 2 ttl 252 time 69 ms Reply from 120 1 1 1 bytes 56 Sequence 3 ttl 252 time 105 ms Reply from 120 1 1 1 bytes 56 Sequence 4 ttl 252 time 88 ms Reply from 120 1 1 1 bytes 56 Sequence 5 ttl 252 time 87 ms 120 1 1 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 69...

Page 1595: ...AS 200 VPN 1 AS 200 VPN 1 CE 5 AS 65411 SUB_VPN 2 Vlan int13 Vlan int13 CE 4 AS 65420 SUB_VPN 1 Vlan int11 Vlan int11 Device Interface IP address Device Interface IP address CE 1 Loop0 2 2 2 9 32 CE 2 Loop0 5 5 5 9 32 Vlan int12 10 1 1 2 24 Vlan int11 21 1 1 2 24 Vlan int11 11 1 1 1 24 Vlan int12 20 1 1 1 24 CE 3 Vlan int11 100 1 1 1 24 CE 4 Vlan int11 120 1 1 1 24 CE 5 Vlan int13 110 1 1 1 24 CE ...

Page 1596: ... here After completing the configurations above you can execute commands display mpls ldp session display bgp peer and display isis peer respectively on either PE 1 or PE 2 You should see that the LDP session is established the BGP peer relationship is established and in the Established state and the IS IS neighbor relationship is established and up The following takes PE 1 for illustration PE1 di...

Page 1597: ... 2 quit PE3 interface loopback 0 PE3 LoopBack0 isis enable 2 PE3 LoopBack0 quit PE3 interface vlan interface 12 PE3 Vlan interface12 ip address 10 1 1 1 24 PE3 Vlan interface12 isis enable 2 PE3 Vlan interface12 mpls PE3 Vlan interface12 mpls ldp PE3 Vlan interface12 quit Configure PE 1 CE1 system view CE1 interface loopback 0 CE1 LoopBack0 ip address 2 2 2 9 32 CE1 LoopBack0 quit CE1 mpls lsr id ...

Page 1598: ...rget 1 1 PE1 vpn instance vpn1 quit PE1 interface vlan interface11 PE1 Vlan interface11 ip binding vpn instance vpn1 PE1 Vlan interface11 ip address 11 1 1 2 24 PE1 Vlan interface11 mpls PE1 Vlan interface11 quit PE1 bgp 100 PE1 bgp ipv4 family vpn instance vpn1 PE1 bgp vpn1 peer 11 1 1 1 as number 200 PE1 bgp vpn1 quit PE1 bgp quit Configure CE 1 CE1 interface vlan interface 11 CE1 Vlan interface...

Page 1599: ... vpn target 2 1 PE3 vpn instance SUB_VPN1 quit PE3 interface vlan interface 11 PE3 Vlan interface11 ip binding vpn instance SUB_VPN1 PE3 Vlan interface11 ip address 100 1 1 2 24 PE3 Vlan interface11 quit PE3 ip vpn instance SUB_VPN2 PE3 vpn instance SUB_VPN2 route distinguisher 101 1 PE3 vpn instance SUB_VPN2 vpn target 2 2 PE3 vpn instance SUB_VPN2 quit PE3 interface vlan interface 13 PE3 Vlan in...

Page 1600: ...d PE 1 CE1 bgp 200 CE1 bgp ipv4 family vpnv4 CE1 bgp af vpnv4 peer 11 1 1 2 enable Specify to allow the local AS number to appear in the AS PATH attribute of the routes received CE1 bgp af vpnv4 peer 11 1 1 2 allow as loop 2 Specify to receive all VPNv4 routes CE1 bgp af vpnv4 undo policy vpn target CE1 bgp af vpnv4 quit CE1 bgp quit Configurations on PE 2 and CE 2 are similar to those on PE 1 and...

Page 1601: ...ing table command on PE 1 and PE 2 to verify that the public routing tables contain only routes on the service provider network The following takes PE 1 for illustration PE1 display ip routing table Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHop Interface 3 3 3 9 32 Direct 0 0 127 0 0 1 InLoop0 4 4 4 9 32 ISIS 15 10 30 1 1 2 Vlan12 30 1 1 0 24 Direct 0 0 30 1...

Page 1602: ...t the VPNv4 routing tables on the customer VPN contain internal sub VPN routes The following takes CE 1 for illustration CE1 display bgp vpnv4 all routing table BGP Local router ID is 11 11 11 11 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Total number of routes from all PE 4 Route Distinguisher 100 1 Network NextHop In Out Label MED Loc...

Page 1603: ...ontain routes of remote sub VPNs The following takes CE 3 for illustration CE3 display ip routing table Routing Tables Public Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 100 1 1 0 24 Direct 0 0 100 1 1 1 Vlan11 100 1 1 1 32 Direct 0 0 127 0 0 1 InLoop0 120 1 1 0 24 BGP 255 0 100 1 1 2 Vlan11 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 In...

Page 1604: ...cessfully CE5 ping 130 1 1 1 PING 130 1 1 1 56 data bytes press CTRL_C to break Reply from 130 1 1 1 bytes 56 Sequence 1 ttl 252 time 102 ms Reply from 130 1 1 1 bytes 56 Sequence 2 ttl 252 time 69 ms Reply from 130 1 1 1 bytes 56 Sequence 3 ttl 252 time 105 ms Reply from 130 1 1 1 bytes 56 Sequence 4 ttl 252 time 88 ms Reply from 130 1 1 1 bytes 56 Sequence 5 ttl 252 time 87 ms 130 1 1 1 ping sta...

Page 1605: ...itches Device Interface IP address Device Interface IP address CE 1 Vlan int12 10 2 1 1 24 CE 3 Vlan int12 10 1 1 1 24 CE 2 Vlan int13 10 4 1 1 24 CE 4 Vlan int13 10 3 1 1 24 UPE 1 Loop0 1 1 1 9 32 UPE 2 Loop0 4 4 4 9 32 Vlan int11 172 1 1 1 24 Vlan int11 172 2 1 1 24 Vlan int12 10 2 1 2 24 Vlan int12 10 1 1 2 24 Vlan int13 10 4 1 2 24 Vlan int13 10 3 1 2 24 SPE 1 Loop0 2 2 2 9 32 SPE 2 Loop0 3 3 ...

Page 1606: ... 2 both UPE1 vpn instance vpn2 quit UPE1 interface vlan interface 12 UPE1 Vlan interface12 ip binding vpn instance vpn1 UPE1 Vlan interface12 ip address 10 2 1 2 24 UPE1 Vlan interface12 quit UPE1 interface vlan interface 13 UPE1 Vlan interface13 ip binding vpn instance vpn2 UPE1 Vlan interface13 ip address 10 4 1 2 24 UPE1 Vlan interface13 quit Configure UPE 1 to establish MP IBGP peer relationsh...

Page 1607: ...k 0 UPE2 Loopback0 ip address 4 4 4 9 32 UPE2 Loopback0 quit UPE2 mpls lsr id 4 4 4 9 UPE2 mpls UPE2 mpls quit UPE2 mpls ldp UPE2 mpls ldp quit UPE2 interface vlan interface 11 UPE2 Vlan interface11 ip address 172 2 1 1 24 UPE2 Vlan interface11 mpls UPE2 Vlan interface11 mpls ldp UPE2 Vlan interface11 quit Configure the IGP protocol OSPF for example UPE2 ospf UPE2 ospf 1 area 0 UPE2 ospf 1 area 0 ...

Page 1608: ...eer 3 3 3 9 enable UPE2 bgp af vpnv4 quit UPE2 bgp ipv4 family vpn instance vpn1 UPE2 bgp vpn1 peer 10 1 1 1 as number 65430 UPE2 bgp vpn1 import route direct UPE2 bgp vpn1 quit UPE2 bgp ipv4 family vpn instance vpn2 UPE2 bgp vpn1 peer 10 3 1 1 as number 65440 UPE2 bgp vpn1 import route direct UPE2 bgp vpn1 quit UPE2 bgp quit 5 Configure CE 3 CE3 system view CE3 interface vlan interface 12 CE3 Vla...

Page 1609: ... 0 network 172 1 1 0 0 0 0 255 SPE1 ospf 1 area 0 0 0 0 network 180 1 1 0 0 0 0 255 SPE1 ospf 1 area 0 0 0 0 quit SPE1 ospf 1 quit Configure VPN instances vpn1 and vpn2 SPE1 ip vpn instance vpn1 SPE1 vpn instance vpn1 route distinguisher 500 1 SPE1 vpn instance vpn1 vpn target 100 1 both SPE1 vpn instance vpn1 quit SPE1 ip vpn instance vpn2 SPE1 vpn instance vpn2 route distinguisher 700 1 SPE1 vpn...

Page 1610: ...capability and MPLS LDP to establish LDP LSPs SPE2 system view SPE2 interface loopback 0 SPE2 LoopBack0 ip address 3 3 3 9 32 SPE2 LoopBack0 quit SPE2 mpls lsr id 3 3 3 9 SPE2 mpls SPE2 mpls quit SPE2 mpls ldp SPE2 mpls ldp quit SPE2 interface vlan interface 12 SPE2 Vlan interface12 ip address 180 1 1 2 24 SPE2 Vlan interface12 mpls SPE2 Vlan interface12 mpls ldp SPE2 Vlan interface12 quit SPE2 in...

Page 1611: ... peer 2 2 2 9 enable SPE2 bgp af vpnv4 peer 4 4 4 9 enable SPE2 bgp af vpnv4 peer 4 4 4 1 9 upe SPE2 bgp af vpnv4 quit SPE2 bgp ipv4 family vpn instance vpn1 SPE2 bgp vpn1 quit SPE2 bgp ipv4 family vpn instance vpn2 SPE2 bgp vpn2 quit SPE2 bgp quit Configure SPE 2 to advertise to UPE 2 the routes permitted by a routing policy that is the routes of CE 1 SPE2 ip ip prefix hope index 10 permit 10 2 1...

Page 1612: ...eps are omitted After completing the configurations CE 1 and CE 2 should be able to learn the OSPF route to the VLAN interface 1 of each other The following takes CE 1 as an example CE1 display ip routing table Routing Tables Public Destinations 9 Routes 9 Destination Mask Proto Pre Cost NextHop Interface 20 1 1 0 24 Direct 0 0 20 1 1 1 Vlan11 20 1 1 1 32 Direct 0 0 127 0 0 1 InLoop0 20 1 1 2 32 D...

Page 1613: ...PE1 ospf 1 area 0 PE1 ospf 1 area 0 0 0 0 network 1 1 1 9 0 0 0 0 PE1 ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 PE1 ospf 1 area 0 0 0 0 quit PE1 ospf 1 quit Configure MPLS basic capability and MPLS LDP on PE 2 to establish LDP LSPs PE2 system view PE2 interface loopback 0 PE2 LoopBack0 ip address 2 2 2 9 32 PE2 LoopBack0 quit PE2 mpls lsr id 2 2 2 9 PE2 mpls PE2 mpls quit PE2 mpls ldp PE2 mpl...

Page 1614: ... interface12 quit PE1 ospf 100 vpn instance vpn1 PE1 ospf 100 domain id 10 PE1 ospf 100 area 1 PE1 ospf 100 area 0 0 0 1 network 100 1 1 0 0 0 0 255 PE1 ospf 100 area 0 0 0 1 quit PE1 ospf 100 quit PE2 bgp 100 PE1 bgp ipv4 family vpn instance vpn1 PE1 bgp vpn1 import route ospf 100 PE1 bgp vpn1 import route direct PE1 bgp vpn1 quit PE1 bgp quit Configure PE 2 to allow CE 2 to access the network PE...

Page 1615: ...PF 10 3126 100 1 1 1 Vlan12 4 Configure a sham link Configure PE 1 PE1 interface loopback 1 PE1 LoopBack1 ip binding vpn instance vpn1 PE1 LoopBack1 ip address 3 3 3 3 32 PE1 LoopBack1 quit PE1 ospf 100 PE1 ospf 100 area 1 PE1 ospf 100 area 0 0 0 1 sham link 3 3 3 3 5 5 5 5 cost 10 PE1 ospf 100 area 0 0 0 1 quit PE1 ospf 100 quit Configure PE 2 PE2 interface loopback 1 PE2 LoopBack1 ip binding vpn...

Page 1616: ...1 2 Vlan11 30 1 1 0 24 OSPF 10 1574 100 1 1 2 Vlan12 100 1 1 0 24 Direct 0 0 100 1 1 1 Vlan12 100 1 1 1 32 Direct 0 0 127 0 0 1 InLoop0 120 1 1 0 24 OSPF 10 12 100 1 1 2 Vlan12 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 Issuing the display ospf sham link command on the PEs you should see the established sham link Takes PE 1 as an example PE1 display ospf sha...

Page 1617: ...backbone to establish LDP LSPs z Establish MP IBGP peer relationship between the PEs to advertise VPN IPv4 routes z Configure the VPN instance of VPN 1 on PE 2 to allow CE 2 to access the network z Configure the VPN instance of VPN 1 on PE 1 to allow CE 1 to access the network z Configure BGP between PE 1 and CE 1 and between PE 2 and CE 2 to inject routes of CEs into PEs After completing the abov...

Page 1618: ...t PE 2 advertises the route to 100 1 1 1 32 and the AS_PATH is 100 600 PE2 terminal monitor PE2 terminal debugging PE2 debugging bgp update vpn instance vpn1 verbose PE2 refresh bgp vpn instance vpn1 all export 0 4402392 PE2 RM 7 RMDEBUG BGP vpn1 Send UPDATE to 10 2 1 1 for following destinations Origin Incomplete AS Path 100 600 Next Hop 10 2 1 2 100 1 1 1 32 Issuing the display bgp routing table...

Page 1619: ...4 10 2 1 2 0 0 100 10 2 1 1 32 10 2 1 2 0 0 100 100 1 1 1 32 10 2 1 2 0 100 100 CE2 display ip routing table Routing Tables Public Destinations 9 Routes 9 Destination Mask Proto Pre Cost NextHop Interface 10 1 1 0 24 BGP 255 0 10 2 1 2 Vlan12 10 1 1 1 32 BGP 255 0 10 2 1 2 Vlan12 10 2 1 0 24 Direct 0 0 10 2 1 1 Vlan12 10 2 1 1 32 Direct 0 0 127 0 0 1 InLoop0 10 2 1 2 32 Direct 0 0 10 2 1 2 Vlan12 ...

Page 1620: ...1 105 Reply from 200 1 1 1 bytes 56 Sequence 5 ttl 253 time 70 ms 200 1 1 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 66 79 109 ms ...

Page 1621: ...P Extensions 1 9 Configuring MPLS L2VPN 1 9 Configuring a VPLS Instance 1 10 Configuring an LDP VPLS Instance 1 10 Configuring a BGP VPLS Instance 1 11 Binding the VPLS Instance 1 12 Configuring VPLS Attributes 1 13 Configuring Other VPLS Attributes 1 13 Displaying and Maintaining VPLS 1 13 VPLS Configuration Examples 1 14 Configuring VPLS Instance 1 14 Configuring H VPLS Using LSP 1 19 Configurin...

Page 1622: ...verview Virtual Private LAN Service VPLS also called Transparent LAN Service TLS or virtual private switched network service can deliver a point to multipoint L2VPN service over public networks With VPLS geographically dispersed sites can interconnect and communicate over MAN or WAN as if they were on the same LAN VPLS provides Layer 2 VPN services However it supports multipoint services rather th...

Page 1623: ...a point to multipoint L2VPN service mechanism With QinQ the private network VLAN tags of packets are encapsulated into the public network VLAN tags allowing packets to be transmitted with two layers of tags across the service provider network This provides a simpler Layer 2 VPN tunneling service z Forwarders A forwarder functions as the VPLS forwarding table Once a PE receives a packet from an AC ...

Page 1624: ...ludes two parts z Remote MAC address learning associated with PWs A PW consists of two unidirectional VC LSPs A PW is up only when both of the VC LSPs are up When the inbound VC LSP learns a new MAC address the PW needs to map the MAC address to the outbound VC LSP z Local MAC address learning of interfaces directly connected with users This refers to learning source MAC addresses from Layer 2 pac...

Page 1625: ...r a backup link becomes active and a message with the instruction of relearning MAC entries arrives a PE updates the corresponding MAC entries in the FIB table of the VPLS instance and sends the message to other PEs that are directly connected through LDP sessions If the message contains a null MAC address TLV list these PEs remove all MAC addresses from the specified VSI except for those learned ...

Page 1626: ... service delimiter for the service provider network to identify the user The tag is called a P Tag z Ethernet access The Ethernet header of a packet upstream from the CE or downstream from the PE does not contain any service delimiter If a header contains a VLAN tag it is the internal VLAN tag of the user and means nothing to the PE This kind of internal VLAN tag of the user is called a U Tag You ...

Page 1627: ...cket with the MPLS label for the U PW namely the multiplex distinguishing flag and then sends the packet to NPE 1 z When receiving the packet NPE 1 determines which VSI the packet belongs to by the label and based on the destination MAC address of the packet tags the packet with the multiplex distinguishing flag for the N PW and forwards the packet z Upon receiving the packet from the N PW NPE 1 t...

Page 1628: ...ation MAC address of the packet labels the packet with the VLAN tag Then it forwards the packet through the QinQ tunnel to MTU which in turn forwards the packet to the CE For packets to be exchanged between CE 1 and CE 2 MTU can forward them directly without PE 1 because it holds the bridging function by itself For the first data packet with an unknown destination MAC address or a broadcast packet...

Page 1629: ...k List Complete the following tasks to configure VPLS Task Remarks Configuring MPLS Basic Capability Required Configuring Remote LDP Sessions Configuring BGP Extensions Required Choose either Configuring MPLS L2VPN Required Configuring a VPLS Instance Required Binding the VPLS Instance Required Configuring VPLS Attributes Optional Configuring MPLS Basic Capability MPLS basic capability is required...

Page 1630: ...ow these steps to configure BGP extensions To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter VPLS address family view vpls family Required Activate a peer peer peer address enable Required No peer is activated by default For configurations in VPLS address family view refer to MPLS L3VPN Configuration in the MPLS Volume Configuring MPLS L2VPN You must en...

Page 1631: ...VPN implementation the Martini mode uses extended LDP remote LDP sessions as the signaling for transferring PW information Therefore the LDP mode is also called the Martini mode 3 Specify the ID of the VPLS instance 4 Use the peer command to create the VPLS peer PE for the instance specifying z IP address of the peer PE z ID of the PW to the peer PE which must be consistent with that specified on ...

Page 1632: ...s class name Required Enable the PW switchback function and set the switchback delay time dual npe revertive wtr time wtr time Optional Disabled by default Configuring a BGP VPLS Instance Configuration prerequisites z Configuring IGP on the PEs and P devices to guarantee the IP connectivity of the MPLS backbone z Configuring MPLS basic capability for the MPLS backbone on the PEs and P devices z Co...

Page 1633: ...ng the VPLS instance Configuration procedure To bind a Layer 2 Ethernet interface and one or more VLANs with a VPLS instance you need to create a service instance on the Layer 2 Ethernet interface configure a packet matching rule for the service instance and bind the service instance with the VPLS instance After these configurations packets that arrive at the Layer 2 Ethernet interface and match t...

Page 1634: ...psulation type of the VPLS instance encapsulation bgp vpls ethernet vlan Optional vlan by default which corresponds to the VSI PW encapsulation type of tagged Set the description of the VPLS instance description text Optional No description set by default Shut down the VPLS service of the VPLS instance shutdown Optional Enabled by default Specify a tunneling policy for the VPLS instance tnl policy...

Page 1635: ... Available in any view Display information about one or all PW class templates display pw class pw class name Available in any view Clear the MAC address table of one or all VPLS instances reset mac address vsi vsi name Available in user view Resetting VPLS To do Use the command Remarks Reset a specified or all VPLS BGP connections reset bgp vpls as number ip address all external internal Availabl...

Page 1636: ...dp quit Configure PE 1 to establish an LDP remote session with PE 2 PE1 mpls ldp remote peer 1 PE1 mpls ldp remote 1 remote ip 3 3 3 9 PE1 mpls ldp remote 1 quit Configure the interface connected with the P device and enable LDP on the interface PE1 interface vlan interface 2 PE1 Vlan interface2 ip address 23 1 1 1 24 PE1 Vlan interface2 mpls PE1 Vlan interface2 mpls ldp PE1 Vlan interface2 quit C...

Page 1637: ...ng CE 1 create service instance 1000 to bind the interface and VLAN 100 with VPLS instance aaa and create service instance 2000 to bind the interface and VLAN 200 with VPLS instance bbb PE1 interface gigabitethernet 2 0 1 PE1 GigabitEthernet2 0 1 service instance 1000 PE1 GigabitEthernet2 0 1 srv1000 encapsulation s vid 100 PE1 GigabitEthernet2 0 1 srv1000 xconnect vsi aaa PE1 GigabitEthernet2 0 1...

Page 1638: ... 0 network 26 2 2 2 0 0 0 255 P ospf 1 area 0 0 0 0 network 2 2 2 9 0 0 0 0 P ospf 1 area 0 0 0 0 quit 3 Configure PE 2 Sysname system view Sysname sysname PE2 PE2 interface loopback 0 PE2 LoopBack0 ip address 3 3 3 9 32 PE2 LoopBack0 quit Configure the LSR ID and enable MPLS globally PE2 mpls lsr id 3 3 3 9 PE2 mpls PE2 mpls quit Enable MPLS L2VPN and LDP globally PE2 mpls l2vpn PE2 mpls ldp PE2 ...

Page 1639: ...nstance bbb which uses BGP PE2 vsi bbb auto PE2 vsi bbb pwsignal bgp PE2 vsi bbb bgp route distinguisher 100 1 PE2 vsi bbb bgp vpn target 111 1 PE2 vsi bbb bgp site 11 range 12 PE2 vsi bbb bgp quit PE2 vsi bbb quit On the interface connecting CE 2 create service instance 1000 to bind the interface and VLAN 100 with VPLS instance aaa and create service instance 2000 to bind the interface and VLAN 2...

Page 1640: ...N PW is required between NPE 1 and NPE 3 CE 3 accesses the network through NPE 3 z CE 1 and CE 3 access the UPE and NPE3 through interface GigabitEthernet 2 0 1 respectively and send the packet of VLAN 100 to UPE and NPE3 z UPE and NPE 1 are connected through interfaces named VLAN interface 10 z NPE 1 and NPE 3 are connected through interfaces named VLAN interface 20 z VPLS instance aaa uses LDP t...

Page 1641: ...PLS L2VPN UPE mpls l2vpn Configure the basic attributes of VPLS instance aaa which uses LDP UPE vsi aaa static UPE vsi aaa pwsignal ldp UPE vsi aaa ldp vsi id 500 UPE vsi aaa ldp peer 2 2 2 9 UPE vsi aaa ldp quit UPE vsi aaa quit Configure interface GigabitEthernet 2 0 1 and bind VPLS instance aaa to VLAN 100 UPE interface gigabitethernet 2 0 1 UPE GigabitEthernet2 0 1 service instance 1000 UPE Gi...

Page 1642: ...ls ldp remote peer 2 NPE1 mpls remote 2 remote ip 1 1 1 9 NPE1 mpls remote 2 quit Configure the remote LDP session with NPE 3 NPE1 mpls ldp remote peer 3 NPE1 mpls remote 3 remote ip 3 3 3 9 NPE1 mpls remote 3 quit Configure MPLS L2VPN NPE1 mpls l2vpn Configure the basic attributes of VPLS instance aaa which uses LDP NPE1 vsi aaa static NPE1 vsi aaa pwsignal ldp NPE1 vsi aaa ldp vsi id 500 NPE1 vs...

Page 1643: ...tance 1000 NPE3 GigabitEthernet2 0 1 srv1000 encapsulation s vid 100 NPE3 GigabitEthernet2 0 1 srv1000 xconnect vsi aaa NPE3 GigabitEthernet2 0 1 srv1000 quit After completing the above configurations you can issue the display vpls connection command on the PEs There should be a PW connection established and in the state of up Configuring a Backup Link for H VPLS Access Network requirements As sho...

Page 1644: ... LoopBack0 quit UPE mpls lsr id 1 1 1 1 UPE mpls UPE mpls quit UPE mpls ldp UPE mpls ldp quit Configure MPLS basic capability on the interface connected with NPE 1 UPE interface vlan interface 12 UPE Vlan interface12 ip address 12 1 1 1 24 UPE Vlan interface12 mpls UPE Vlan interface12 mpls ldp UPE Vlan interface12 quit Configure the remote LDP session with NPE 1 UPE mpls ldp remote peer 1 UPE mpl...

Page 1645: ... mpls ldp UPE Vlan interface13 quit On the interface connected with CE 1 that is GigabitEthernet 2 0 1 create a service instance and bind the L2VPN UPE interface gigabitethernet 2 0 1 UPE GigabitEthernet2 0 1 service instance 1000 UPE GigabitEthernet2 0 1 srv1000 encapsulation s vid 10 UPE GigabitEthernet2 0 1 srv1000 xconnect vsi aaa UPE GigabitEthernet2 0 1 srv1000 quit On the interface connecte...

Page 1646: ...e 2 remote ip 1 1 1 1 NPE1 mpls remote 2 quit Configure the remote LDP session with NPE 3 NPE1 mpls ldp remote peer 3 NPE1 mpls remote 3 remote ip 4 4 4 4 NPE1 mpls remote 3 quit Configure MPLS L2VPN NPE1 mpls l2vpn Configure the basic attributes of VPLS instance aaa which uses LDP NPE1 vsi aaa static NPE1 vsi aaa pwsignal ldp NPE1 vsi aaa ldp vsi id 500 NPE1 vsi aaa ldp peer 1 1 1 1 upe NPE1 vsi ...

Page 1647: ...ion of VLAN interface 15 and VLAN interface 16 is similar to the configuration of VLAN interface 12 and VLAN interface 13 on UPE The configuration procedure is omitted After completing the above configurations you can execute the display vpls connection command on the PEs There should be a PW connection established and in the state of up Troubleshooting VPLS Symptom The VPLS link PW is not up Anal...

Page 1648: ... with Dynamic Signaling Protocol 1 17 Configuration Prerequisites 1 17 Configuration Procedure 1 17 Configuring RSVP TE Advanced Features 1 21 Configuration Prerequisites 1 21 Configuration Procedure 1 21 Tuning CR LSP Setup 1 25 Configuration Prerequisites 1 26 Configuration Procedure 1 26 Tuning MPLS TE Tunnel Setup 1 27 Configuration Prerequisites 1 28 Configuration Procedures 1 28 Configuring ...

Page 1649: ... Examples 1 40 MPLS TE Using Static CR LSP Configuration Example 1 40 MPLS TE Using RSVP TE Configuration Example 1 44 RSVP TE GR Configuration Example 1 50 CR LSP Backup Configuration Example 1 53 FRR Configuration Example 1 56 MPLS TE in MPLS L3VPN Configuration Example 1 66 Troubleshooting MPLS TE 1 74 ...

Page 1650: ...CR LSP z RSVP TE z Traffic Forwarding z CR LSP Backup z Fast Reroute z DiffServ Aware TE z Protocols and Standards Traffic Engineering and MPLS TE Traffic engineering Network congestion is one of the major problems that can degrade your network backbone performance It may occur either when network resources are inadequate or when load distribution is unbalanced Traffic Engineering TE is intended t...

Page 1651: ... traffic engineering for the following z MPLS supports explicit LSP routing z LSP routing is easy to manage and maintain compared with traditional packet by packet IP forwarding z Constraint based Routed Label Distribution Protocol CR LDP is suitable for implementing a variety of traffic engineering policies z MPLS TE uses less system resources compared with other traffic engineering implementatio...

Page 1652: ...te the shortest path to each network node In MPLS TE the Constraint based Shortest Path First CSPF algorithm is used It is derived from SPF and makes calculation based on two conditions z Constraints on the LSP to be set up with respect to bandwidth color preemption holding priority explicit path and other constraints They are configured at the LSP ingress z TEDB What CSPF does to identify the sho...

Page 1653: ...making preemption decision Both setup and holding priorities range from 0 to 7 with a lower numerical number indicating a higher priority For a new path to preempt an existing path the setup priority of the new path must be greater than the holding priority of the existing path To initiate a preemption the Resv message of RSVP TE is sent To avoid flapping caused by improper preemptions between CR ...

Page 1654: ... RSVP is designed for IntServ It reserves resources on each node along a path RSVP operates at the transport layer but does not participate in data transmission It is an Internet control protocol similar to ICMP The following are features of RSVP z Unidirectional z Receiver oriented The receiver initiates resource reservation requests and is responsible for maintaining the reservation information ...

Page 1655: ...th Figure 1 1 Diagram for make before break Figure 1 1 presents a scenario where a path Router A Router B Router C Router D is established with 30 Mbps reserved bandwidth between Router A and Router D The remaining bandwidth is then 30 Mbps If 40 Mbps path bandwidth is requested the remaining bandwidth of the Router A Router B Router C Router D path will be inadequate The problem cannot be address...

Page 1656: ...label bindings but also routing constraints supporting CR LSP and FRR z New objects added to the Path message include LABEL_REQUEST EXPLICIT_ROUTE RECORD_ROUTE and SESSION_ATTRIBUTE z New objects added to the Resv message include LABEL and RECORD_ROUTE The LABEL_REQUEST object in the Path message requests the label bindings for an LSP It is also saved in the path state block The node receiving LAB...

Page 1657: ...that the interface resends the message at an exponentially increased retransmission interval equivalent to 1 Delta Rf seconds 2 Summary refresh extension Send summary refreshes Srefreshes rather than retransmit standard Path or Resv messages to refresh related RSVP state This reduces refresh traffic and allows nodes to make faster processing To use summary refresh you must use the Message_ID exten...

Page 1658: ...a GR helper and the GR restarter reestablish a Hello session before the restart timer expires the recovery timer is started and signaling packet exchanging is triggered to restore the original soft state Otherwise all RSVP soft state information and forwarding entries relevant to the neighbor will be removed If the recovery timer expires soft state information and forwarding entries that are not r...

Page 1659: ...so known as autoroute announce considers a TE tunnel as a logical interface directly connected to the destination when computing IGP routes on the ingress of the TE tunnel IGP shortcut and forwarding adjacency are different in that in the forwarding adjacency approach routes with TE tunnel interfaces as outgoing interfaces are advertised to neighboring devices but not in the IGP shortcut approach ...

Page 1660: ...LSP is created immediately after a primary CR LSP is created MPLS TE switches traffic to the secondary CR LSP after the primary CR LSP fails z Standard backup where a secondary CR LSP is created to take over after the primary CR LSP fails Fast Reroute This section covers these topics z Overview z Basic concepts z Protection z Deploying FRR Overview Fast Reroute FRR provides a quick per link or per...

Page 1661: ...ss LSP As shown in Figure 1 5 the primary LSP is Router A Router B Router C Router D Router E and the bypass LSP is Router B Router F Router D Router C is the protected device Figure 1 5 FRR node protection Deploying FRR When configuring the bypass LSP make sure the protected link or node is not on the bypass LSP As bypass LSPs are pre established FRR requires extra bandwidth When network bandwidt...

Page 1662: ...ce class level For traffic trunks which are distinguished by class of service this means varied bandwidth constraints Essentially what DS TE does is to map traffic trunks with LSPs making each traffic trunk traverse the constraints compliant path DS TE involves two concepts z Class type CT The set of traffic trunks crossing a link that is governed by a specific set of Bandwidth constraints CT is u...

Page 1663: ...eters Optional Configuring CR LSP Backup Optional Configuring FRR Optional Configuring MPLS TE Basic Capabilities MPLS TE basic capabilities are essential to MPLS TE feature configurations After configuring the basic capabilities you need to make other configurations in order to use MPLS TE depending on the actual requirements Configuration Prerequisites Before the configuration do the following z...

Page 1664: ...uses the basic capabilities you configured in this section may be inadequate for the tunnel to work and you may need to make extra configurations z For information about tunnel interfaces refer to Tunneling Configuration in the IP Services Volume Creating MPLS TE Tunnel over Static CR LSP Creating MPLS TE tunnels over static CR LSPs does not involve configuration of tunnel constraints or the issue...

Page 1665: ...addr out label out label value bandwidth bc0 bc1 bandwidth value Create a static CR LSP on your device depending on its location in the network At the egress static cr lsp egress tunnel name incoming interface interface type interface number in label in label value Required Use any of the commands depending on the location of your device in the network z The tunnel name argument specifies the name...

Page 1666: ...f the IGP TE extension is not configured the CR LSP is created based on IGP routing rather than computed by CSPF Configuration Prerequisites Before making the configuration do the following z Configure static routing or an IGP protocol to make sure that all LSRs are reachable z Configure MPLS basic capabilities z Configure MPLS TE basic capabilities Configuration Procedure Complete the following t...

Page 1667: ...ed by default Enter OSPF area view area area id Required Enable MPLS TE in the OSPF area mpls te enable Required Disabled by default Exit to OSPF view quit z For more information about OSPF opaque LSA refer to OSPF Configuration in the IP routing volume z MPLS TE cannot reserve resources and distribute labels on OSPF virtual links that is MPLS TE cannot establish an LSP tunnel through an OSPF virt...

Page 1668: ...w wide wide compatible compatible narrow compatible relax spf limit Required By default IS IS uses narrow metric style Enable IS IS TE traffic eng level 1 level 2 level 1 2 Required Disabled by default Configure the TLV type of the sub TLV carrying DS TE parameters te set subtlv lo multiplier value Optional By default the lo multiplier parameter in sub TLV 253 z For more information about IS IS re...

Page 1669: ... hop is a strict node by default Repeat this step to define a sequential set of the hops that the explicit path traverses Modify the IP address of current node on the explicit path modify hop ip address1 ip address2 include loose strict exclude Optional By default the include keyword and the strict keyword apply In other words the explicit path traverses the specified node and the next node is a s...

Page 1670: ...nt tunnel configuration mpls te commit Required To use RSVP TE as the signaling protocol for setting up the MPLS TE tunnel you must enable both MPLS TE and RSVP TE on the interface for the tunnel to use Configuring RSVP TE Advanced Features RSVP TE adds new objects in Path and Resv messages to support CR LSP setup RSVP TE provides many configurable options with respect to reliability network resou...

Page 1671: ...es are reserved for senders on the same session and shared among them Follow these steps to configure RSVP reservation style To do Use the command Remarks Enter system view system view Enter MPLS TE tunnel interface view interface tunnel tunnel number Configure the resources reservation style for the tunnel mpls te resv style ff se Optional The default resource reservation style is SE Submit curre...

Page 1672: ...sing summary refreshes Follow these steps to configure RSVP refreshing mechanism To do Use the command Remarks Enter system view system view Enter interface view of MPLS TE link interface interface type interface number Enable the reliability mechanism of RSVP TE mpls rsvp te reliability Optional Enable retransmission mpls rsvp te timer retransmission increment value increment value retransmit val...

Page 1673: ...le resource reservation confirmation mpls rsvp te resvconfirm Required Disabled by default z Reservation confirmation is initiated by the receiver which sends the Resv message with an object requesting reservation confirmation z Receiving the ResvConf message does not mean resource reservation is established It only indicates that resources are reserved on the farthest upstream node where the Resv...

Page 1674: ...ls Enable global RSVP hello extension mpls rsvp te hello Required Disabled by default Enable MPLS RSVP TE GR mpls rsvp te graceful restart Required Disabled by default Set the RSVP TE GR restart timer mpls rsvp te timer graceful restart restart restart time Optional 120 seconds by default Set the RSVP TE GR recovery timer mpls rsvp te timer graceful restart recovery recovery time Optional 300 seco...

Page 1675: ...tive group and affinity attribute The affinity attribute of an MPLS TE tunnel identifies the properties of the links that the tunnel can use Together with the link administrative group it decides which links the MPLS TE tunnel can use This is done by ANDing the 32 bit affinity attribute with the 32 bit link administrative group attribute When doing that a 32 bit mask is used The affinity bits corr...

Page 1676: ...ired Configuring CR LSP reoptimization Dynamic CR LSP optimization involves periodic calculation of paths that traffic trunks should traverse If a better route is found for an existing CR LSP a new CR LSP will be established to replace the old one and services will be switched to the new CR LSP Follow these steps to configure CR LSP reoptimization To do Use the command Remarks Enter system view sy...

Page 1677: ... tunnel interface view interface tunnel tunnel number Enable the system to perform loop detection when setting up a tunnel mpls te loop detection Required Disabled by default Submit current tunnel configuration mpls te commit Required Configuring route and label recording Follow these steps to configure route and label recording To do Use the command Remarks Enter system view system view Enter MPL...

Page 1678: ...signed to paths for MPLS TE to make preemption decision For a new path to preempt an existing path the setup priority of the new path must be greater than the holding priority of the existing path To avoid flapping caused by improper preemptions between CR LSPs the setup priority of a CR LSP should not be set higher than its holding priority Follow these steps to assign priorities to a tunnel To d...

Page 1679: ...ough automatic route advertisement Two approaches IGP shortcut and forwarding adjacency are available to automatic route advertisement to advertise MPLS TE tunnel interface routes to IGPs allowing traffic to be routed down MPLS TE tunnels In either approach TE tunnels are considered point to point links and TE tunnel interfaces can be set as outgoing interfaces IGP shortcut and forwarding adjacenc...

Page 1680: ...PF view ospf process id Enable the IGP shortcut function enable traffic adjustment Required Disabled by default 2 Configure forwarding adjacency You need to create a bi directional MPLS TE tunnel and enable forwarding adjacency at both ends of the tunnel to make forwarding adjacency take effect Follow these steps to configure forwarding adjacency To do Use the command Remarks Enter system view sys...

Page 1681: ... failed link timer z Configuring the link metric used for routing a tunnel z Configuring the traffic flow type of a tunnel Configuring the failed link timer A CSPF failed link timer starts once a link goes down If IGP removes or modifies the link before the timer expires CSPF will update information about the link in TEDB and stops the timer If IGP does not remove or modify the link before the tim...

Page 1682: ...ink mpls te metric value Optional If no TE metric is assigned to the link IGP metric is used as the TE metric by default z The metric type configured in MPLS TE tunnel interface view takes priority over the one configured in MPLS view z If you do not configure the mpls te path metric type command in MPLS TE tunnel interface view the configuration in MPLS view takes effect Configuring the traffic f...

Page 1683: ...matically You do not need to configure them Configuring FRR As mentioned earlier Fast Reroute FRR provides quick but temporary per link or per node local protection on an LSP FRR uses bypass tunnels to protect primary tunnels As bypass tunnels are pre established they require extra bandwidth and are usually used to protect crucial interfaces or links only You can define which type of LSP can use b...

Page 1684: ...mit current tunnel configuration mpls te commit Required Configuring a bypass tunnel on its PLR After a tunnel is specified to protect an interface its corresponding LSP becomes a bypass LSP Setting up a bypass LSP must be manually performed on its headend also called point of local repair PLR which must be a part of the primary LSP but must not be the tail of the primary LSP Configuring a bypass ...

Page 1685: ... of the outgoing interface of the protected LSP interface interface type interface number Bind the bypass tunnel with the protected interface mpls te fast reroute bypass tunnel tunnel tunnel number Required Bypass tunnels do not protect bandwidth by default This can defeat your attempts to binding a primary LSP to a bypass tunnel Therefore when configuring a bypass tunnel you must configure the ba...

Page 1686: ...configure cooperation of MPLS RSVP TE and BFD To do Use the command Remarks Enter system view system view Enter view of the interface enabled with MPLS RSVP TE interface interface type interface number Enable BFD for MPLS RSVP TE mpls rsvp te bfd enable Required Disabled by derfault Configuring the FRR polling timer The protection provided by FRR is temporary Once a protected LSP becomes available...

Page 1687: ...number begin exclude include regular expression Available in any view Display information about RSVP requests display mpls rsvp te request interface interface type interface number begin exclude include regular expression Available in any view Display information about RSVP resource reservation display mpls rsvp te reservation interface interface type interface number begin exclude include regular...

Page 1688: ...nel name Available in any view Display tunnel statistics display mpls te tunnel statistics Available in any view Display statistics about MPLS TE tunnels display mpls te tunnel interface tunnel number Available in any view Display the information of the specified or all OSPF processes about traffic tuning display ospf process id traffic adjustment Available in any view Display information about OS...

Page 1689: ...work requirements z Switch A Switch B and Switch C run IS IS z Establish a TE tunnel using a static CR LSP between Switch A and Switch C Figure 1 6 Set up MPLS TE tunnels using static CR LSPs Loop0 2 2 2 2 32 Vlan int1 2 1 1 2 24 Vlan int2 3 2 1 1 24 Vlan int1 2 1 1 1 24 Vlan int2 3 2 1 2 24 Loop0 1 1 1 1 32 Loop0 3 3 3 3 32 Switch A Switch C Switch B Configuration procedure 1 Assign IP addresses ...

Page 1690: ...uit SwitchC interface vlan interface 2 SwitchC Vlan interface2 isis enable 1 SwitchC Vlan interface2 quit SwitchC interface loopback 0 SwitchC LoopBack0 isis enable 1 SwitchC LoopBack0 quit Perform the display ip routing table command on each switch You can see that all nodes learnt the host routes of other nodes with LSR IDs as destinations Take Switch A for example SwitchA display ip routing tab...

Page 1691: ... mpls lsr id 3 3 3 3 SwitchC mpls SwitchC mpls mpls te SwitchC mpls quit SwitchC interface vlan interface 2 SwitchC Vlan interface2 mpls SwitchC Vlan interface2 mpls te SwitchC Vlan interface2 quit 4 Configure an MPLS TE tunnel Configure an MPLS TE tunnel on Switch A SwitchA interface tunnel 0 SwitchA Tunnel0 ip address 6 1 1 1 255 255 255 0 SwitchA Tunnel0 tunnel protocol mpls te SwitchA Tunnel0 ...

Page 1692: ...th Discards 0 100 0 Output queue Protocol queuing Size Length Discards 0 500 0 Output queue FIFO queuing Size Length Discards 0 75 0 Last 300 seconds input 0 bytes sec 0 packets sec Last 300 seconds output 0 bytes sec 0 packets sec 0 packets input 0 bytes 0 input error 0 packets output 0 bytes 0 output error Perform the display mpls te tunnel command on each switch to verify information about the ...

Page 1693: ...el0 30 NULL Vlan2 Up On an MPLS TE tunnel configured using a static CR LSP traffic is forwarded directly based on label at the transit nodes and egress node Therefore it is normal that the FEC field in the sample output is empty on Switch B and Switch C 7 Create a static route for routing MPLS TE tunnel traffic SwitchA ip route static 3 2 1 2 24 tunnel 0 preference 1 Perform the display ip routing...

Page 1694: ...s with LSR IDs as destinations Configure Switch A SwitchA system view SwitchA isis 1 SwitchA isis 1 network entity 00 0005 0000 0000 0001 00 SwitchA isis 1 quit SwitchA interface vlan interface 1 SwitchA Vlan interface1 isis enable 1 SwitchA Vlan interface1 isis circuit level level 2 SwitchA Vlan interface1 quit SwitchA interface loopback 0 SwitchA LoopBack1 isis enable 1 SwitchA LoopBack1 isis ci...

Page 1695: ...ck0 isis circuit level level 2 SwitchC LoopBack0 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 network entity 00 0005 0000 0000 0004 00 SwitchD isis 1 quit SwitchD interface vlan interface 3 SwitchD Vlan interface3 isis enable 1 SwitchD Vlan interface3 isis circuit level level 2 SwitchD Vlan interface3 quit SwitchD interface loopback 0 SwitchD LoopBack0 isis enable 1 Sw...

Page 1696: ...nterface1 mpls rsvp te SwitchA Vlan interface1 quit Configure Switch B SwitchB mpls lsr id 2 2 2 9 SwitchB mpls SwitchB mpls mpls te SwitchB mpls mpls rsvp te SwitchB mpls mpls te cspf SwitchB mpls quit SwitchB interface vlan interface 1 SwitchB Vlan interface1 mpls SwitchB Vlan interface1 mpls te SwitchB Vlan interface1 mpls rsvp te SwitchB Vlan interface1 quit SwitchB interface vlan interface 2 ...

Page 1697: ... interface3 mpls rsvp te SwitchD Vlan interface3 quit 4 Configure IS IS TE Configure Switch A SwitchA isis 1 SwitchA isis 1 cost style wide SwitchA isis 1 traffic eng level 2 SwitchA isis 1 quit Configure Switch B SwitchB isis 1 SwitchB isis 1 cost style wide SwitchB isis 1 traffic eng level 2 SwitchB isis 1 quit Configure Switch C SwitchC isis 1 SwitchC isis 1 cost style wide SwitchC isis 1 traff...

Page 1698: ... 4 4 9 Tunnel protocol transport CR_LSP Last 300 seconds input 0 bytes sec 0 packets sec Last 300 seconds output 0 bytes sec 0 packets sec 0 packets input 0 bytes 0 input error 0 packets output 0 bytes 0 output error Perform the display mpls te tunnel interface command on Switch A to verify information about the MPLS TE tunnel SwitchA display mpls te tunnel interface Tunnel Name Tunnel1 Tunnel Des...

Page 1699: ...nk Number 6 Id MPLS LSR Id IGP Process Id Area Link Count 1 3 3 3 9 ISIS 1 Level 2 2 2 2 2 2 9 ISIS 1 Level 2 2 3 4 4 4 9 ISIS 1 Level 2 1 4 1 1 1 9 ISIS 1 Level 2 1 7 Create a static route for routing MPLS TE tunnel traffic SwitchA ip route static 30 1 1 2 24 tunnel 1 preference 1 Perform the display ip routing table command on Switch A You can find a static route entry with interface Tunnel1 as ...

Page 1700: ...terface 1 SwitchA Vlan interface1 mpls SwitchA Vlan interface1 mpls te SwitchA Vlan interface1 mpls rsvp te SwitchA Vlan interface1 mpls rsvp te hello SwitchA Vlan interface1 quit Configure Switch B SwitchB system view SwitchB mpls lsr id 2 2 2 9 SwitchB mpls SwitchB mpls mpls te SwitchB mpls mpls rsvp te SwitchB mpls mpls rsvp te hello SwitchB mpls interface vlan interface 1 SwitchB Vlan interfac...

Page 1701: ...re RSVP TE GR Configure Switch A SwitchA system view SwitchA mpls SwitchA mpls mpls rsvp te graceful restart Configure Switch B SwitchB system view SwitchB mpls SwitchB mpls mpls rsvp te graceful restart Configure Switch C SwitchC system view SwitchC mpls SwitchC mpls mpls rsvp te graceful restart 7 Verify the configuration After the above configuration a tunnel will be created between Switch A an...

Page 1702: ... 2 2 9 32 Switch C Loop0 3 3 3 9 32 Vlan int1 10 1 1 2 24 Vlan int2 20 1 1 2 24 Vlan int2 20 1 1 1 24 Vlan int3 40 1 1 2 24 Configuration procedure 1 Assign IP addresses and masks to interfaces see Figure 1 9 Omitted 2 Configure the IGP protocol Enable IS IS to advertise host routes with LSR IDs as destinations on each node Omitted Perform the display ip routing table command on each switch You sh...

Page 1703: ...tion 3 3 3 9 SwitchA Tunnel1 mpls te tunnel id 10 Enable hot LSP backup SwitchA Tunnel1 mpls te backup hot standby SwitchA Tunnel1 mpls te commit SwitchA Tunnel1 quit Perform the display interface tunnel command on Switch A You can find that Tunnel1 is up SwitchA display interface tunnel Tunnel1 current state UP Line protocol current state UP Description Tunnel1 Interface The Maximum Transmit Unit...

Page 1704: ...1 1 1 Hop 1 30 1 1 2 Hop 2 4 4 4 9 Hop 3 40 1 1 1 Hop 4 40 1 1 2 Hop 5 3 3 3 9 Perform the tracert command to draw the picture of the path that a packet must travel to reach the tunnel destination SwitchA tracert a 1 1 1 9 3 3 3 9 traceroute to 3 3 3 9 3 3 3 9 30 hops max 40 bytes packet 1 10 1 1 2 25 ms 30 1 1 2 25 ms 10 1 1 2 25 ms 2 40 1 1 2 45 ms 20 1 1 2 29 ms 40 1 1 2 54 ms The sample output...

Page 1705: ...C Switch D use FRR to protect the link Switch B Switch C and use BFD to detect the status of link Switch B Switch C Do the following z Create a bypass LSP that traverses the path Switch B Switch E Switch C Switch B is the PLR and Switch C is the MP z Explicitly route the primary TE tunnel and the bypass TE tunnel with the signaling protocol being RSVP TE Figure 1 10 Link protection using the FRR a...

Page 1706: ...Loop0 2 2 2 2 32 ISIS 15 10 2 1 1 2 Vlan1 3 1 1 0 24 ISIS 15 20 2 1 1 2 Vlan1 3 2 1 0 24 ISIS 15 20 2 1 1 2 Vlan1 3 3 1 0 24 ISIS 15 30 2 1 1 2 Vlan1 3 3 3 3 32 ISIS 15 20 2 1 1 2 Vlan1 4 1 1 0 24 ISIS 15 30 2 1 1 2 Vlan1 4 4 4 4 32 ISIS 15 30 2 1 1 2 Vlan1 5 5 5 5 32 ISIS 15 20 2 1 1 2 Vlan1 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 3 Configure MPLS TE bas...

Page 1707: ...ch A and configurations on Switch C are similar to those on Switch B 4 Create an MPLS TE tunnel on Switch A the headend of the primary LSP Create an explicit path for the primary LSP SwitchA explicit path pri path SwitchA explicit path pri path next hop 2 1 1 2 SwitchA explicit path pri path next hop 3 1 1 2 SwitchA explicit path pri path next hop 4 1 1 2 SwitchA explicit path pri path next hop 4 ...

Page 1708: ...command on Switch A to verify the configuration of the tunnel interface SwitchA display mpls te tunnel interface Tunnel Name Tunnel4 Tunnel Desc Tunnel4 Interface Tunnel State Desc CR LSP is Up Tunnel Attributes LSP ID 1 1 1 1 1 Session ID 10 Admin State UP Oper State UP Ingress LSR ID 1 1 1 1 Egress LSR ID 4 4 4 4 Signaling Prot RSVP Resv Style SE Class Type CLASS 0 Tunnel BW 0 kbps Reserved BW 0...

Page 1709: ...d 15 SwitchB Tunnel5 mpls te path explicit path by path preference 1 Configure the bandwidth that the bypass tunnel protects SwitchB Tunnel5 mpls te backup bandwidth 10000 SwitchB Tunnel5 mpls te commit SwitchB Tunnel5 quit Bind the bypass tunnel with the protected interface SwitchB interface Vlan interface 2 SwitchB Vlan interface2 mpls te fast reroute bypass tunnel tunnel 5 SwitchB Vlan interfac...

Page 1710: ...Id Destination In Out If Name 1 1 1 1 1 4 4 4 4 Vlan1 Tunnel4 SwitchB display mpls te tunnel LSP Id Destination In Out If Name 1 1 1 1 1 4 4 4 4 Vlan1 Vlan2 Tunnel4 2 2 2 2 1 3 3 3 3 Vlan4 Tunnel5 SwitchC display mpls te tunnel LSP Id Destination In Out If Name 1 1 1 1 1 4 4 4 4 Vlan2 Vlan3 Tunnel4 2 2 2 2 1 3 3 3 3 Vlan5 Tunnel5 SwitchD display mpls te tunnel LSP Id Destination In Out If Name 1 1...

Page 1711: ...ype Ingress Bypass In Use Not Exists BypassTunnel Tunnel Index Mpls Mtu 1500 6 Verify the FRR function Shut down the protected outgoing interface on PLR SwitchB interface vlan interface 2 SwitchB Vlan interface2 shutdown Sep 7 08 53 34 2004 SwitchB IFNET 5 UPDOWN Line protocol on the interface Vlan interface2 turns into DOWN state Perform the display interface tunnel 4 command on Switch A to ident...

Page 1712: ...te Pinning Disabled Retry Limit 5 Retry Interval 10 sec Reopt Disabled Reopt Freq Back Up Type None Back Up LSPID Auto BW Disabled Auto BW Freq Min BW Max BW Current Collected BW Interfaces Protected VPN Bind Type NONE VPN Bind Value Car Policy Disabled Tunnel Group Primary Primary Tunnel Backup Tunnel Group Status Oam Status Up Tunnel Name Tunnel4 Tunnel Desc Tunnel4 Interface Tunnel State Desc C...

Page 1713: ...licy Disabled Tunnel Group Primary Primary Tunnel Backup Tunnel Group Status Oam Status Up If you perform the display mpls te tunnel interface command immediately after an FRR protection switch you are likely to see two CR LSPs in up state are present This is normal because the make before break mechanism of FRR introduces a delay before removing the old LSP after a new LSP is created Perform the ...

Page 1714: ...chB mpls quit Bring the protected outgoing interface up on PLR SwitchB interface vlan interface 2 SwitchB Vlan interface2 undo shutdown Sep 7 09 01 31 2004 SwitchB IFNET 5 UPDOWN Line protocol on the interface Vlan interface2 turns into UP state Perform the display interface tunnel 4 command on Switch A to identify the state of the primary LSP You can find that the tunnel interface is up About 5 s...

Page 1715: ...plication in VPN Configuration procedure 1 Configure OSPF ensuring that PE 1 and PE 2 can learn LSR ID routes from each other Configure PE 1 PE1 system view PE1 interface loopback 0 PE1 LoopBack0 ip address 2 2 2 2 255 255 255 255 PE1 LoopBack0 quit PE1 interface vlan interface 2 PE1 Vlan interface2 ip address 10 0 0 1 255 255 255 0 PE1 Vlan interface2 quit PE1 ospf PE1 ospf 1 area 0 PE1 ospf 1 ar...

Page 1716: ...Vlan interface2 s neighbors Router ID 3 3 3 3 Address 10 0 0 2 GR State Normal State Full Mode Nbr is Master Priority 1 DR None BDR None Dead timer due in 30 sec Neighbor is up for 00 01 00 Authentication Sequence 0 PE1 display ip routing table Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHop Interface 2 2 2 2 32 Direct 0 0 127 0 0 1 InLoop0 3 3 3 3 32 OSPF 10 ...

Page 1717: ...s mpls te cspf PE2 mpls quit PE2 interface vlan interface 2 PE2 Vlan interface2 mpls te PE2 Vlan interface2 quit PE2 ospf PE2 ospf 1 opaque capability enable PE2 ospf 1 area 0 PE2 ospf 1 area 0 0 0 0 mpls te enable PE2 ospf 1 area 0 0 0 0 quit PE2 ospf 1 quit 4 Configure an MPLS TE tunnel Create a TE tunnel with PE 1 as the headend and PE 2 as the tail The signaling protocol is RSVP TE PE1 mpls PE...

Page 1718: ...e on each PE and bind it to the interface connected to the CE Configure on CE 1 CE1 interface vlan interface 1 CE1 Vlan interface1 ip address 192 168 1 2 255 255 255 0 CE1 Vlan interface1 quit Configure the VPN instance on PE 1 and use CR LSP for VPN setup Bind the VPN instance with the interface connected to CE 1 PE1 ip vpn instance vpn1 PE1 vpn instance vpn1 route distinguisher 100 1 PE1 vpn ins...

Page 1719: ...ectivity For example ping CE 1 on PE 1 PE1 ping vpn instance vpn1 192 168 1 2 PING 192 168 1 2 56 data bytes press CTRL_C to break Reply from 192 168 1 2 bytes 56 Sequence 1 ttl 255 time 47 ms Reply from 192 168 1 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 192 168 1 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 192 168 1 2 bytes 56 Sequence 4 ttl 255 time 26 ms Reply from 192 168 1 ...

Page 1720: ...an see that the BGP peer relationships have been formed between PEs and between PEs and CEs and have reached the established state Take PE 1 for example PE1 bgp display bgp peer BGP local router ID 2 2 2 2 Local AS number 100 Total number of peers 1 Peers in established state 1 Peer V AS MsgRcvd MsgSent OutQ Up Down State PrefRcv 3 3 3 3 4 100 3 3 0 00 00 11 Established 0 PE1 bgp display bgp vpn i...

Page 1721: ...ms 192 168 1 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 35 48 74 ms The sample output shows that CE 1 and CE 2 can reach each other 7 Verify the configuration Perform the display mpls lsp verbose command on PE 1 You can find an LSP with LspIndex 2050 This is the LSP that is the MPLS TE tunnel established using RSVP TE PE1 display mpls lsp v...

Page 1722: ... POP Perform the display interface tunnel command on PE 1 You can see that traffic is being forwarded along the CR LSP of the TE tunnel PE1 display interface tunnel 1 Tunnel1 current state UP Line protocol current state UP Description Tunnel1 Interface The Maximum Transmit Unit is 1500 Internet Address is 12 1 1 1 24 Primary Encapsulation is TUNNEL service loopback group not set Tunnel source unkn...

Page 1723: ...e OSPF neighbor must reach the FULL state Solution 1 Perform the display current configuration command to check that MPLS TE is configured on involved interfaces 2 Perform the debugging ospf mpls te command to observe whether OSPF can receive the TE LINK establishment message 3 Perform the display ospf peer command to check that OSPF neighbors are established correctly ...

Page 1724: ...escribes z QoS overview z QoS policy configuration z Priority mapping configuration z Traffic policing Configuration z Traffic shaping Configuration z Line rate configuration z Congestion management z Congestion avoidance configuration z Traffic filtering configuration z Priority remarking configuration z Traffic redirecting configuration z Aggregation CAR configuration z Class based accounting co...

Page 1725: ...view 3 1 Introduction to Priority Mapping 3 1 Priority Mapping Tables 3 1 Priority Trust Mode on a Port 3 2 Priority Mapping Procedure 3 2 Priority Mapping Configuration Tasks 3 3 Configuring Priority Mapping 3 4 Configuring a Priority Mapping Table 3 4 Configuring the Priority Trust Mode on a Port 3 4 Configuring the Port Priority of a Port 3 5 Displaying and Maintaining Priority Mapping 3 5 Prio...

Page 1726: ...2 WRED Configuration Approaches 6 2 Introduction to WRED Parameters 6 2 Configuring WRED on an Interface 6 2 Configuration Procedure 6 3 Configuration Example 6 3 Displaying and Maintaining WRED 6 3 7 Traffic Filtering Configuration 7 1 Traffic Filtering Overview 7 1 Configuring Traffic Filtering 7 1 Support of Line Cards for the Traffic Filtering Function 7 2 Traffic Filtering Configuration Examp...

Page 1727: ...n Example 11 2 12 QoS in an EPON System 4 QoS in an EPON System 4 QoS Functions for Uplink Traffic 4 QoS Functions for Downlink Traffic 5 Configuring QoS in an EPON System 6 QoS Configuration Task List in an EPON System 6 Configuring QoS at the OLT side 7 Configuring QoS at the ONU Side 9 Example for UNI Priority Remarking Configuration 13 13 Appendix 13 1 Appendix A Acronym 13 1 Appendix B Defaul...

Page 1728: ...d packet loss rate The network resources are always scarce QoS requirements exist on any occasion where traffic flows contend for network resources QoS is a relative concept for traffic flows that is guaranteeing QoS for a certain traffic flow may damage QoS of other traffic flows For example in the case of fixed bandwidth if a traffic flow gets more bandwidth the other traffic flows will get less...

Page 1729: ...ntify and guarantee QoS for each data flow and provides the most granularly differentiated QoS However the Inter Serv model imposes extremely high requirements on devices In a network with heavy data traffic the Inter Serv model imposes very great pressure on the storage and processing capabilities of devices On the other hand the Inter Serv model is poor in scalability and therefore it is hard to...

Page 1730: ... directions of a port When a flow exceeds the specification some restriction or punishment measures can be taken to prevent overconsumption of network resources z Traffic shaping proactively adjusts the output rate of traffic to adapt traffic to the network resources of the downstream device and avoid unnecessary packet drop and congestion Traffic shaping is usually applied to the outgoing traffic...

Page 1731: ...uring QoS policies A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing Before configuring a QoS policy be familiar with these concepts class traffic behavior and policy Class Classes are used to identify traffic A class is identified by a class name and contains some match criteria for traffic identification The relationsh...

Page 1732: ...erator and or Required By default the relationship between match criteria is AND Configure match criteria if match match criteria Required match criteria Match criterion Table 2 1 shows the available criteria Table 2 1 The keyword and argument combinations for the match criteria argument Keyword and argument combination Description acl access list number name acl name Specifies to match an IPv4 AC...

Page 1733: ... or a word representing the specific value For the number to word mapping see Table 13 21 ip precedence ip precedence list Match IP precedence The ip precedence list is a list of up to eight IP precedence values An IP precedence is in the range of 0 to 7 protocol protocol name Match a protocol The protocol name can be IP or IPv6 qos local id local id value Match a local QoS ID which is in the rang...

Page 1734: ...ferencing the class cannot be applied to interfaces successfully z customer dot1p 8021p list z destination mac mac address z dscp dscp list z ip precedence ip precedence list z service dot1p 8021p list z source mac mac address z system index index value list To create multiple if match clauses or specify multiple values for a list argument for any of the matching criteria listed above ensure that ...

Page 1735: ...ehavior associations if the action of creating an outer VLAN tag the action of setting customer network VLAN ID or the action of setting service provider network VLAN ID is configured in a traffic behavior we recommend you not to configure any other action in this traffic behavior Otherwise the QoS policy may not function as expected after it is applied z The do1q tag manipulation keyword is appli...

Page 1736: ...and Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Apply the policy to the interface port group qos apply policy policy name inbound outbound Required The QoS policy applied to the outgoing traffic of an interface does not regulate local packets Local packets refer to the critical protocol packets sent by the l...

Page 1737: ...ctive by default z If a user profile is active the QoS policy except ACLs referenced in the QoS policy applied to it cannot be configured or removed If the user profile is being used by online users the referenced ACLs cannot be modified either z The QoS policies applied in user profile view support only the remark car and filter actions z Do not apply an empty policy in user profile view because ...

Page 1738: ...ared with data plane units they allow for great packet processing flexibility but have lower throughput When the data plane receives packets that it cannot recognize or process it transmits them to the control plane If the transmission rate exceeds the processing capability of the control plane which very likely occurs at times of DoS attacks the control plane will be busy handling undesired packe...

Page 1739: ...isplay traffic class information display traffic classifier user defined tcl name Available in any view Display traffic behavior configuration information display traffic behavior user defined behavior name Available in any view Display user defined QoS policy configuration information display qos policy user defined policy name classifier tcl name Available in any view Display QoS policy configur...

Page 1740: ...n any view Display information about pre defined control plane QoS policies on a distributed IRF device display qos policy control plane pre defined chassis chassis number slot slot number Available in any view Clear VLAN QoS policy statistics reset qos vlan policy vlan vlan id inbound outbound Available in user view Clear statistics of a global QoS policy reset qos policy global inbound outbound ...

Page 1741: ...isions Packets with the highest drop precedence are dropped preferentially When a packet enters the device from a port the device assigns a set of QoS priority parameters to the packet based on a certain priority and sometimes may modify its priority according to certain rules depending on device status This process is called priority mapping The priority based on which priority mapping is perform...

Page 1742: ...iority of the packet for priority mapping table lookup The priority mapping procedure varies with the priority modes as described in the next section Priority Mapping Procedure Priority Mapping Procedure Figure 3 1 presents how the S7900E performs priority mapping for an Ethernet packet The procedure differs depending on whether the packet is 802 1q tagged or not Figure 3 1 Priority mapping proced...

Page 1743: ...priority marking is configured the device performs priority marking before priority mapping and then uses the re marked packet carried priority for priority mapping or directly uses the re marked scheduling priority for traffic scheduling depending on your configuration In this case neither priority trust mode configuration on the port nor port priority configuration takes effect Priority Mapping ...

Page 1744: ... to EXP priority mapping table dot1p exp and the EXP to 802 1p priority mapping table exp dot1p are available only for the EB and SD cards Configuring the Priority Trust Mode on a Port Follow these steps to configure the trusted packet priority type on an interface port group To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number ...

Page 1745: ...port group manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Configure the port priority qos priority priority value Required The default port priority is 0 Displaying and Maintaining Priority Mapping To do Use the command Remarks Display priority mapping table configurati...

Page 1746: ... to GigabitEthernet 2 0 3 of Device which sets the 802 1p priority of traffic from the management department to 5 Configure port priority 802 1p to local priority mapping table and priority marking to implement the plan as described in Table 3 1 Table 3 1 Configuration plan Queuing plan Traffic destination Traffic Priority order Traffic source Output queue Queue priority R D department 6 High Mana...

Page 1747: ...igabitEthernet2 0 1 quit Set the port priority of GigabitEthernet 2 0 2 to 4 Device interface gigabitethernet 2 0 2 Device GigabitEthernet2 0 2 qos priority 4 Device GigabitEthernet2 0 2 quit Set the port priority of GigabitEthernet 2 0 3 to 5 Device interface gigabitethernet 2 0 3 Device GigabitEthernet1 3 qos priority 5 Device GigabitEthernet1 3 quit 2 Configure the priority mapping table Config...

Page 1748: ...avior admin quit Device qos policy admin Device qospolicy admin classifier http behavior admin Device qospolicy admin quit Device interface gigabitethernet 2 0 3 Device GigabitEthernet2 0 3 qos apply policy admin inbound Configure a priority marking policy for the marketing department and apply the policy to the incoming traffic of GigabitEthernet 2 0 1 Device traffic behavior market Device behavi...

Page 1749: ...o it it is shaped or policed to ensure that it is under the specifications Generally token buckets are used to evaluate traffic specifications Traffic Evaluation and Token Buckets Token bucket features A token bucket is analogous to a container holding a certain number of tokens The system puts tokens into the bucket at a set rate When the token bucket is full the extra tokens overflows Evaluating...

Page 1750: ...te allowed by the E bucket z Excess burst size EBS Size of the E bucket that is transient burst of traffic that the E bucket can forward CBS and EBS are carried by two different token buckets In each evaluation packets are measured against the buckets z If the C bucket has enough tokens packets are colored green z If the C bucket does not have enough tokens but the E bucket has enough tokens packe...

Page 1751: ...ming traffic and forwarding it Traffic Shaping Traffic shaping supports shaping traffic to the outgoing traffic Traffic shaping provides measures to adjust the rate of outbound traffic actively A typical traffic shaping application is to limit the local traffic output rate according to the downstream traffic policing parameters The difference between traffic policing and GTS is that packets to be ...

Page 1752: ...this way all the traffic sent to Switch B conforms to the traffic specification defined in Switch B Line Rate Line rate supports rate limiting traffic in the outbound direction The line rate of a physical interface specifies the maximum rate for forwarding packets including critical packets Line rate also uses token buckets for traffic control With line rate configured on an interface all packets ...

Page 1753: ...e packets on a port using line rate is easier Configuring Traffic Policing Configuration Procedure Follow these steps to configure traffic policing To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior v...

Page 1754: ...12 kbps and drop the exceeding traffic Enter system view Sysname system view Configure advanced ACL 3000 to match HTTP traffic Sysname acl number 3000 Sysname acl adv 3000 rule permit tcp destination port eq 80 Sysname acl adv 3000 quit Create a class named http and reference ACL 3000 in the class to match HTTP traffic Sysname traffic classifier http Sysname classifier http if match acl 3000 Sysna...

Page 1755: ...a queue qos gts queue queue number cir committed information rate cbs committed burst size Required z On SC SA and EA LPUs the granularity of GTS is 64 kbps z On SD and EB LPUs the granularity of GTS is 8 kbps Display GTS configuration information on the interface all interfaces display qos gts interface interface type interface number Optional Available in any view Configuration Example Configure...

Page 1756: ...lr interface interface type interface number Available in any view Configuration Example Limit the outbound line rate of GigabitEthernet 2 0 1 to 512 kbps Enter system view Sysname system view Enter interface view Sysname interface gigabitethernet 2 0 1 Limit the outbound line rate of GigabitEthernet 2 0 1 to 512 kbps Sysname GigabitEthernet2 0 1 qos lr outbound cir 512 Displaying and Maintaining ...

Page 1757: ...4 9 ...

Page 1758: ...hows two common cases Figure 5 1 Traffic congestion causes 100M 10M 100M 10M 50M 100M 100M 100M 100M 50M 10M 10M 1 2 Congestion may bring these negative results z Increased delay and jitter during packet transmission z Decreased network throughput and resource use efficiency z Network resource memory in particular exhaustion and even system breakdown Congestion is unavoidable in switched networks ...

Page 1759: ...ses numbered 7 to 0 in descending priority order SP queuing schedules the eight queues strictly according to the descending order of priority It sends packets in the queue with the highest priority first When the queue with the highest priority is empty it sends packets in the queue with the second highest priority and so on Thus you can assign mission critical packets to the high priority queue t...

Page 1760: ... advantage of WRR queuing is that while the queues are scheduled in turn the service time for each queue is not fixed that is if a queue is empty the next queue will be scheduled immediately This improves bandwidth resource use efficiency WFQ queuing Figure 5 4 Schematic diagram for WFQ queuing Queue 1 Band width 1 Queue2 Band width 2 Queue N 1 Band width N 1 Queue N Band width N Packets to be sen...

Page 1761: ...e port currently with the precedence being 0 1 2 3 and 4 and the minimum guaranteed bandwidth being 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps respectively z The assignable bandwidth 10 Mbps 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps 9 5 Mbps z The total assignable bandwidth quota is the sum of all the precedence value 1 s that is 1 2 3 4 5 15 z The bandwidth percentage assigned to each fl...

Page 1762: ...s in port group view take effect on all ports in the port group Configure SP queuing qos sp Optional The default queuing algorithm on an interface is SP queuing Display SP queuing configuration display qos sp interface interface type interface number Optional Available in any view Configuration example 1 Network requirements Configure GigabitEthernet 2 0 1 to use SP queuing 2 Configuration procedu...

Page 1763: ...th their weights being 1 3 3 5 8 8 10 and 15 2 Configuration procedure Enter system view Sysname system view Configure WRR queuing on GigabitEthernet 2 0 1 Sysname interface gigabitethernet 2 0 1 Sysname GigabitEthernet2 0 1 qos wrr Sysname GigabitEthernet2 0 1 qos wrr 0 group 1 weight 1 Sysname GigabitEthernet2 0 1 qos wrr 1 group 1 weight 3 Sysname GigabitEthernet2 0 1 qos wrr 2 group 1 weight 3...

Page 1764: ...anteed bandwidth and scheduling weight configurations z The EA cards support both configurations too but the scheduling weight for each queue can only be 1 z The SA cards support only the scheduling weight configuration Configuration example 1 Network requirements z Configure the queues on port GigabitEthernet2 0 1 as WFQ queues and sets the scheduling weights of queues 1 3 4 5 and 6 to 1 5 10 15 ...

Page 1765: ...twork requirements z Configure to adopt SP WRR queue scheduling algorithm on GigabitEthernet2 0 1 z Configure queue 0 queue 1 queue 2 and queue 3 on GigabitEthernet2 0 1 to be in SP queue scheduling group z Configure queue 4 queue 5 queue 6 and queue 7 on GigabitEthernet2 0 1 to be in WRR queue scheduling group with the weight being 2 4 6 and 8 respectively Configuration procedure Enter system vie...

Page 1766: ...nfiguration information display qos wrr interface interface type interface number Display SP queue configuration information display qos sp interface interface type interface number Display WFQ queue configuration information display qos wfq interface interface type interface number Available in any view ...

Page 1767: ... the flow control mechanism at the source end can maximize throughput and utilization rate of the network and minimize packet loss and delay Traditional packet drop policy The traditional packet drop policy is tail drop When the length of a queue reaches the maximum threshold all the subsequent packets are dropped Such a policy results in global TCP synchronization That is if packets from multiple...

Page 1768: ...d When the average queue size is between the lower threshold and the upper threshold packets are dropped randomly The longer a queue the higher the drop probability When the average queue size exceeds the upper threshold subsequent packets are dropped z Drop precedence a parameter used for packet drop The value 0 corresponds to green packets the value 1 corresponds to yellow packets and the value ...

Page 1769: ...ffect on all ports in the port group Apply the WRED table qos wred apply table name Required Configuration Example Network requirements Apply a queue based WRED table to port GigabitEthernet 2 0 1 Configuration procedure Enter system view Sysname system view Configure a queue based WRED table Sysname qos wred queue table queue table1 Sysname wred table queue table1 quit Enter interface view Sysnam...

Page 1770: ...6 4 ...

Page 1771: ...s to configure traffic filtering To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior view traffic behavior behavior name Configure the traffic filtering action filter deny permit Required z deny Drops ...

Page 1772: ...rds for the traffic filtering action for the inbound and outbound traffic For line card categories and their description refer to the 3Com S7900E Family Getting Started Guide Table 7 1 Support of line cards for the traffic filtering action Traffic direction right Card category below Inbound Outbound SC Supported Supported SA Supported Not supported EA Supported Not supported EB Supported Supported...

Page 1773: ... match acl 3000 DeviceA classifier classifier_1 quit Create a behavior named behavior_1 and configure the traffic filtering action for the behavior DeviceA traffic behavior behavior_1 DeviceA behavior behavior_1 filter deny DeviceA behavior behavior_1 quit Create a policy named policy and associate class classifier_1 with behavior behavior_1 in the policy DeviceA qos policy policy DeviceA qospolic...

Page 1774: ... change its transmission priority in the network To configure priority marking you can associate a class with a behavior configured with the priority marking action to set the priority fields or flag bits of the class of packets Configuring Priority Marking Follow these steps to configure priority marking To do Use the command Remarks Enter system view system view Create a class and enter class vi...

Page 1775: ...e a policy and enter policy view qos policy policy name Associate the class with the traffic behavior in the QoS policy classifier tcl name behavior behavior name Exit policy view quit To an interface Applying the QoS policy to an interface To online users Applying the QoS policy to online users To a VLAN Applying the QoS policy to a VLAN Globally Applying the QoS policy globally Apply the QoS pol...

Page 1776: ...ported Not supported Supported Not supported Remarking the local precedence for packets Supported Not supported Supported Not supported Supported Not supported Remarking the specified QoS local ID for packets Not supported Not supported Not supported Not supported Not supported Not supported Table 8 2 Support of EB SD cards for priority marking Card category right EB SD Action below Inbound Outbou...

Page 1777: ... Device z The data server mail server and file server are connected to GigabitEthernet 2 0 2 of Device Configure priority marking on Device to satisfy the following requirements Traffic source Destination Processing priority Host A B Data server High Host A B Mail server Medium Host A B File server Low Figure 8 1 Network diagram for priority marking configuration Internet Host A Host B Device Data...

Page 1778: ...fserver if match acl 3002 Device classifier classifier_fserver quit Create a behavior named behavior_dbserver and configure the action of setting the local precedence value to 4 for the behavior Device traffic behavior behavior_dbserver Device behavior behavior_dbserver remark local precedence 4 Device behavior behavior_dbserver quit Create a behavior named behavior_mserver and configure the actio...

Page 1779: ...oS local ID create a class to match the QoS local ID and associate this class with the traffic policing action The configuration procedure is as follows Create ACL 2000 to match packets with source IP address 1 1 1 1 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 1 1 1 1 0 Sysname acl basic 2000 quit Create a class class_a to match both packets with source MA...

Page 1780: ...associate class class_b with behavior behavior_b Sysname qos policy car_policy Sysname qospolicy car_policy classifier class_a behavior behavior_a Sysname qospolicy car_policy classifier class_b behavior behavior_b Apply the QoS policy car_policy to the interface and you can satisfy the network requirements ...

Page 1781: ...recting traffic to the next hop redirects packets which require processing by an interface to the interface This action is applicable to only Layer 3 packets Configuring Traffic Redirecting Follow these steps to configure traffic redirecting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the matc...

Page 1782: ...redirecting action can be applied only to the incoming traffic z To implement QoS policy routing successfully ensure that the next hop address specified in the redirect action exist and the outgoing interface is not a tunnel interface If you fail to do that the matching traffic will be dropped Support of Line Cards for Traffic Redirecting Table 9 1 shows the support of line cards for the traffic r...

Page 1783: ... You have determined the traffic behavior to reference the aggregation CAR Configuration procedure Follow these steps to reference an aggregation CAR in a traffic behavior To do Use the command Remarks Enter system view system view Configure an aggregation CAR action qos car car name aggregative cir committed information rate cbs committed burst size ebs excess burst size pir peek information rate...

Page 1784: ... to rate limit the traffic of VLAN 10 and VLAN 100 received on GigabitEthernet 2 0 1 using these parameters CIR is 256 kbps CBS is 2000 bytes and the action for red packets is discard Configure an aggregation CAR according to the rate limit requirements Sysname system view Sysname qos car aggcar 1 aggregative cir 256 cbs 2000 red discard Create class 1 to match traffic of VLAN 10 create behavior 1...

Page 1785: ...avior 2 Sysname qos policy car Sysname qospolicy car classifier 1 behavior 1 Sysname qospolicy car classifier 2 behavior 2 Sysname qospolicy car quit Apply the QoS policy to the incoming traffic of GigabitEthernet 2 0 1 Sysname interface GigabitEthernet 2 0 1 Sysname GigabitEthernet2 0 1 qos apply policy car inbound ...

Page 1786: ...se steps to configure class based accounting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior view traffic behavior behavior name Required Configure the accounting action accounting Optional Traffic...

Page 1787: ...ddress 1 1 1 1 DeviceA system view DeviceA acl number 2000 DeviceA acl basic 2000 rule permit source 1 1 1 1 0 DeviceA acl basic 2000 quit Create a class named classifier_1 and reference ACL 2000 in the class DeviceA traffic classifier classifier_1 DeviceA classifier classifier_1 if match acl 2000 DeviceA classifier classifier_1 quit Create behavior behavior_1 and configure an accounting action in...

Page 1788: ... configuration DeviceA display qos policy interface gigabitethernet 2 0 1 Interface GigabitEthernet2 0 1 Direction Inbound Policy policy Classifier classifier_1 Operator AND Rule s If match acl 2000 Behavior behavior_1 Accounting Enable 16 Packets ...

Page 1789: ...icy z Configuring the ONU to perform traffic policing for uplink traffic of a UNI z Configuring the UNI to tag the uplink 802 1q untagged traffic with the default VLAN tag and adding the UNI priority to the Priority field as the 802 1p precedence CoS precedence z Configuring the ONU to distribute the uplink traffic to different output queues based on the mapping between the CoS precedence and loca...

Page 1790: ...igns to the ONU z Configuring high priority packet buffer for downlink traffic that the OLT sends to the specified ONU Processing on an ONU z Filtering the packets matching certain match criteria according to the configured QoS policy z Configuring the ONU to distribute the received downlink traffic to different output queues based on the mapping between the CoS precedence and local precedence z C...

Page 1791: ...y Trust Mode on a Port Configure traffic policing for uplink traffic of all ONUs through QoS Configuring Traffic Policing Configure QoS for uplink traffic Configure congestion management on the uplink port Configuring SP Queuing Configure WRR Queuing Configuring WFQ Queuing Configuring SP WRR Queues Configure the OLT to perform priority mapping for traffic received on an uplink port Modify the pri...

Page 1792: ...de Modify the priority mapping on the OLT port Follow these steps to modify the 802 1p to local mapping on the OLT port To do Use the command Remarks Enter system view system view Enter OLT port view interface interface type interface number Modify the 802 1p to local mapping on the OLT port for downlink or uplink traffic priority queue mapping downstream upstream value 1 8 Optional For the defaul...

Page 1793: ...er ONU port view interface interface type interface number Reserve high priority buffer for the current ONU bandwidth downstream high priority enable Optional By default the OLT reserves no high priority buffer for an ONU High priority packet buffering takes effect for downlink traffic only when downlink bandwidth allocation policy is enabled as shown in Configure traffic policing for downlink upl...

Page 1794: ...ffer size of the OLT port and that of the downlink bandwidth limit take effect only when the downlink bandwidth allocation policy is enabled z The configured downlink bandwidth limitation takes effect only on known unicasts but not on unknown unicasts multicasts or broadcasts z The sum of the minimum uplink bandwidths configured for all the existing ONU ports under an OLT port cannot exceed 921600...

Page 1795: ...s refer to Table 12 4 Table 12 4 Relationship between VLAN operation modes and priority remarking VLAN operation mode With or without VLAN tag Packet processing With VLAN tag z In the case of traffic classification based on the source MAC address destination MAC address Ethernet priority VLAN ID or physical port if the packet matches the configured traffic classification rule the packet is priorit...

Page 1796: ...D in the tag does not match any VLAN translation entry on the port The packet is dropped Translation mode Without VLAN tag The packet is tagged with the VLAN tag corresponding to the default PVID of the port and then z If the packet matches the configured traffic classification rule the packet is priority remarked with the value specified in the rule and is then forwarded z Otherwise the packet is...

Page 1797: ...ic classification rule is the same as the priority of the UNI the traffic classification rule will not take effect Priority remarking based on VLAN ID The configuration of VLAN ID based priority remarking takes effect globally Namely a VLAN ID based traffic classification rule configured for a UNI port of an ONU applies to incoming traffic from all the other UNI ports of the ONU Priority remarking...

Page 1798: ...t for both UNI 1 and UNI 2 z Configure priority remarking for UNI 1 Remark tagged packets sourced from the MAC address of 000A EB7F AAAB with CoS 3 precedence z Configure priority remarking for UNI 2 Remark tagged packets sourced from the MAC address of 001B EB7F 21AC with CoS 1 precedence Network diagram Figure 12 3 Network diagram for UNI priority remarking configuration Configuration procedure ...

Page 1799: ...1 uni 1 classification marking index 1 queue 3 priority 3 src mac equal 000A EB7F AAAB Sysname Onu3 0 1 1 uni 2 classification marking index 1 queue 1 priority 1 src mac equal 001B EB7F 21AC After the configuration above is complete when two streams each 50 Mbps from two UNIs of the ONU are being forwarded to the OLT the packets sourced from the MAC address of 001B EB7F 21AC are dropped at forward...

Page 1800: ...Class Based Weighted Fair Queuing CE Customer Edge CIR Committed Information Rate CQ Custom Queuing DAR Deeper Application Recognition DiffServ Differentiated Service DSCP Differentiated Services Codepoint EACL Enhanced ACL EBS Excess Burst Size EF Expedited Forwarding FEC Forwarding Equivalence Class FIFO First in First out GTS Generic Traffic Shaping IntServ Integrated Service ISP Internet Servi...

Page 1801: ...e Network WFQ Weighted Fair Queuing WRED Weighted Random Early Detection Appendix B Default Priority Mapping Tables Uncolored Priority Mapping Tables z Some devices support four forwarding classes and some other devices support eight forwarding classes Therefore the above table lists two volumes up fc 4 and up fc 8 for the default up fc mapping values which vary by device z For the default dot11e ...

Page 1802: ...e default dscp lp dscp dp dscp dot1p and dscp exp priority mapping tables Input priority value dscp lp mapping dscp dp mapping dscp dot1p mapping dscp exp mapping DSCP Local precedence lp Drop precedence dp 802 1p priority dot1p EXP 0 to 7 0 0 0 0 8 to 15 1 0 1 1 16 to 23 2 0 2 2 24 to 31 3 0 3 3 32 to 39 4 0 4 4 40 to 47 5 0 5 5 48 to 55 6 0 6 6 56 to 63 7 0 7 7 Table 13 4 The default dscp rpr pr...

Page 1803: ... 0 0 2 16 0 1 3 24 0 1 4 32 0 2 5 40 0 2 6 48 0 2 7 56 0 2 Table 13 6 The default lp dot1p and lp dscp priority mapping tables Input priority value lp dot1p mapping lp dscp mapping Local precedence lp 802 1p priority dot1p DSCP 0 1 0 1 2 8 2 0 16 3 3 24 4 4 32 5 5 40 6 6 48 7 7 56 Table 13 7 The default ippre rpr priority mapping tables IP precedence RPR precedence 0 0 1 0 2 1 3 1 4 2 5 2 6 2 7 2 ...

Page 1804: ...p lp mappin g up rpr mappin g up fc 4 mappin g up fc 8 mappin g User precede nce up 802 1p priority dot1p DSCP EXP Drop precede nce dp Local precede nce lp RPR fc 4 fc 8 0 0 0 0 0 2 0 0 0 1 1 8 1 0 0 0 0 1 2 2 16 2 0 1 1 1 2 3 3 24 3 0 3 1 1 3 4 4 32 4 0 4 2 2 4 5 5 40 5 0 5 2 2 5 6 6 48 6 0 6 2 3 6 7 7 56 7 0 7 2 3 7 Colored Priority Mapping Tables For the default colored dscp dscp exp lp exp dot...

Page 1805: ...and dscp lp priority mapping tables for yellow packets Input priority value dscp dot1p mapping dscp dp mapping dscp exp mapping dscp lp mapping DSCP of yellow packets 802 1p priority dot1p Drop precedence dp EXP Local precedence lp 0 to 7 0 1 0 0 8 to 15 1 1 1 1 16 to 23 2 1 2 2 24 to 31 3 1 3 3 32 to 39 4 1 4 4 40 to 47 5 1 5 5 48 to 55 6 1 6 6 56 to 63 7 1 7 7 Table 13 12 The default dscp dot1p ...

Page 1806: ...scp priority mapping tables for green packets Input priority value exp dp mapping exp dscp mapping EXP of green packets Drop precedence dp DSCP 0 0 0 1 0 8 2 0 16 3 0 24 4 0 32 5 0 40 6 0 48 7 0 56 Table 13 14 The default exp dp and exp dscp priority mapping tables for yellow packets Input priority value exp dp mapping exp dscp mapping EXP of yellow packets Drop precedence dp DSCP 0 1 0 1 1 8 2 1 ...

Page 1807: ...nput priority value lp dp mapping lp dot1p mapping lp dscp mapping Local precedence lp of green packets Drop precedence dp 802 1p priority dot1p DSCP 0 0 1 0 1 0 2 8 2 0 0 16 3 0 3 24 4 0 4 32 5 0 5 40 6 0 6 48 7 0 7 56 Table 13 17 The default lp dp lp dot1p and lp dscp priority mapping tables for yellow packets Input priority value lp dp mapping lp dot1p mapping lp dscp mapping Local precedence l...

Page 1808: ...ed packets Drop precedence dp 802 1p priority dot1p DSCP 0 2 1 0 1 2 2 8 2 2 0 16 3 2 3 24 4 2 4 32 5 2 5 40 6 2 6 48 7 2 7 56 Table 13 19 The default up dscp priority mapping table for green yellow red packets up of green yellow red packets dscp 0 0 1 8 2 16 3 24 4 32 5 40 6 48 7 56 Appendix C Introduction to Packet Precedences IP Precedence and DSCP Values Figure 13 1 ToS and DS fields ...

Page 1809: ...ble 13 20 Description on IP precedence IP precedence decimal IP precedence binary Description 0 000 Routine 1 001 priority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 network Table 13 21 Description on DSCP values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 01011...

Page 1810: ...PID two bytes in length whose value is 0x8100 and the tag control information TCI two bytes in length Figure 13 3 presents the format of the 802 1Q tag header The Priority field in the 802 1Q tag header is called the 802 1p priority because its use is defined in IEEE 802 1p Table 13 22 presents the values for 802 1p priority Figure 13 3 802 1Q tag header Table 13 22 Description on 802 1p priority ...

Page 1811: ...13 12 EXP Values The EXP field lies in MPLS labels and is used for QoS Figure 13 4 MPLS label structure As shown in Figure 13 4 the EXP field is 3 bits long and ranges from 0 to 7 ...

Page 1812: ...ser Profile Overview 1 1 User Profile Configuration Task List 1 1 Creating a User Profile 1 2 Configuration Prerequisites 1 2 Creating a User Profile 1 2 Configuring a User Profile 1 2 Enabling a User Profile 1 3 Displaying and Maintaining User Profile 1 3 ...

Page 1813: ...r profile is applicable to restricting online users access if no users are online no user access no users pass the authentication or users have logged out user profile does not take effect as it is a predefined configuration With user profile you can z Make use of system resources more granularly For example without user profile you can apply a QoS policy based on interface VLAN globally and so on...

Page 1814: ...ser profile already exists you will directly enter the corresponding user profile view The configuration made in user profile view takes effect when the user profile is enabled and a user using the user profile goes online Configuring a User Profile After a user profile is created you need to apply a QoS policy in user profile view to implement restrictions on the online users Follow these steps t...

Page 1815: ...rofile A created user profile takes effect only after being enabled Follow these steps to enable a user profile To do Use the command Remarks Enter system view system view Enable a user profile user profile profile name enable Required A user profile is disabled by default z Only an enabled user profile can be used by a user You cannot modify or remove the configuration items in a user profile unt...

Page 1816: ...2 1X configuration z 802 1X Guest VLAN configuration MAC Authentication MAC authentication provides a way for authenticating users based on ports and MAC addresses it requires no client software to be installed on the hosts This document describes z RADIUS Based MAC Authentication z Local MAC Authentication Portal Portal authentication as its name implies helps control access to the Internet This ...

Page 1817: ...SFTP Client Public Key This document describes Public Key Configuration ACL An ACL is used for identifying traffic based on a series of preset matching criteria This document describes z ACL overview and ACL types z ACL configuration ARP Attack Protection Currently ARP attacks and viruses are threatening LAN security The device can provide multiple features to detect and prevent such attacks This ...

Page 1818: ...ethods for an ISP Domain 1 17 Configuring AAA Accounting Methods for an ISP Domain 1 19 Configuring Local User Attributes 1 21 Configuring User Group Attributes 1 22 Tearing down User Connections Forcibly 1 23 Configuring a NAS ID VLAN Binding 1 23 Displaying and Maintaining AAA 1 24 Configuring RADIUS 1 24 Creating a RADIUS Scheme 1 25 Specifying the RADIUS Authentication Authorization Servers 1 ...

Page 1819: ...s Related to the Data Sent to HWTACACS Server 1 38 Specifying the Source IP Address for HWTACACS Packets to be Sent 1 39 Setting Timers Regarding HWTACACS Servers 1 39 Displaying and Maintaining HWTACACS 1 40 AAA Configuration Examples 1 41 AAA for Telnet Users by an HWTACACS Server 1 41 AAA for Telnet Users by Separate Servers 1 42 AAA for SSH Users by a RADIUS Server 1 44 Level Switching Authent...

Page 1820: ...n z Introduction to AAA z Introduction to RADIUS z Introduction to HWTACACS z Domain Based User Management z Protocols and Standards z AAA Configuration Task List z Configuring AAA z Configuring RADIUS z Configuring HWTACACS z AAA Configuration Examples z Troubleshooting AAA Introduction to AAA Authentication Authorization and Accounting AAA provides a uniform framework for configuring these three...

Page 1821: ...uding the service type start and end time and traffic In this way accounting can be used for not only charging but also network security surveillance You can use AAA to provide only one or two security functions if desired For example if your company only wants employees to be authenticated before they access specific resources you only need to configure an authentication server If network usage i...

Page 1822: ...or example rejecting or accepting the user access request to the clients In general the RADIUS server maintains three databases namely Users Clients and Dictionary as shown in Figure 1 2 Figure 1 2 RADIUS server components z Users Stores user information such as the usernames passwords applied protocols and IP addresses z Clients Stores information about RADIUS clients such as the shared keys and ...

Page 1823: ...horization information If the authentication fails it returns an Access Reject message 4 The RADIUS client permits or denies the user according to the returned authentication result If it permits the user it sends a start accounting request Accounting Request to the RADIUS server 5 The RADIUS server returns a start accounting response Accounting Response and starts accounting 6 The user accesses t...

Page 1824: ...esponse 4 Accounting Request From the client to the server A packet of this type carries user information for the server to start stop accounting for the user It contains the Acct Status Type attribute which indicates whether the server is requested to start the accounting or to end the accounting 5 Accounting Response From the server to the client The server sends to the client a packet of this t...

Page 1825: ...es Its format and content depend on the Type and Length fields Table 1 2 RADIUS attributes No Attribute No Attribute 1 User Name 45 Acct Authentic 2 User Password 46 Acct Session Time 3 CHAP Password 47 Acct Input Packets 4 NAS IP Address 48 Acct Output Packets 5 NAS Port 49 Acct Terminate Cause 6 Service Type 50 Acct Multi Session Id 7 Framed Protocol 51 Acct Link Count 8 Framed IP Address 52 Acc...

Page 1826: ...ent Auth id 44 Acct Session Id 91 Tunnel Server Auth id z The attribute types listed in Table 1 2 are defined by RFC 2865 RFC 2866 RFC 2867 and RFC 2868 z For information about commonly used standard RADIUS attributes refer to Commonly Used Standard RADIUS Attributes Extended RADIUS Attributes The RADIUS protocol features excellent extensibility Attribute 26 Vender Specific defined by RFC 2865 all...

Page 1827: ...ke implementing AAA using a client server model using shared keys for user information security and having good flexibility and extensibility Meanwhile they also have differences as listed in Table 1 3 Table 1 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP providing more reliable network transmission Uses UDP providing higher transport efficiency Encrypts the entire pac...

Page 1828: ...orization response indicating successful authorization 14 The user logs in successfully 15 Start accounting request 16 Accounting response indicating the start of accounting 17 The user logs off 18 Stop accounting request 19 Stop accounting response 10 Authentication continuance packet with the login password 1 A Telnet user sends an access request to the NAS 2 Upon receiving the request the HWTAC...

Page 1829: ...HWTACACS server 19 The HWTACACS server sends back a stop accounting response indicating that the stop accounting request has been received Domain Based User Management An Internet service provider ISP domain accommodates a collection of users NAS devices manage users based on ISP domains Each user belongs to an ISP domain The ISP domain of a user is determined by the username used for login as sho...

Page 1830: ...iguration in the Security Volume Login such as SSH Telnet FTP and terminal SSH2 0 Configuration in the Security Volume FTP and TFTP Configuration in the IP Services Volume Portal Portal Configuration in the Security Volume Command authorization and accounting Login Configuration in the System Volume Level switching authentication Basic System Configuration in the System Volume Protocols and Standa...

Page 1831: ...users it is necessary to configure the authentication mode for logging into the user interface as scheme For detailed information refer to Login Configuration of the System Volume AAA Configuration Task List Task Remarks Creating an ISP Domain Required Configuring ISP Domain Attributes Optional Configuring AAA Authentication Methods for an ISP Domain Required For local authentication refer to Conf...

Page 1832: ...ers Optional Configuring Attributes Related to Data to Be Sent to the RADIUS Server Optional Enabling the RADIUS Trap Function Optional Specifying the Source IP Address for RADIUS Packets to Be Sent Optional Setting Timers Regarding RADIUS Servers Optional Specifying a Security Policy Server Optional Enabling the Listening Port of the RADIUS Client Optional Configuring Interpretation RADIUS Class ...

Page 1833: ...assword structure service type and rights you need to configure ISP domains to distinguish the users In addition you need to configure different AAA methods for the ISP domains For the NAS each user belongs to an ISP domain Up to 16 ISP domains can be configured on a NAS If a user does not provide the ISP domain name the system considers that the user belongs to the default ISP domain Follow these...

Page 1834: ...ult an ISP domain has no default authorization user profile A self service RADIUS server for example Intelligent Management Center iMC is required for the self service server localization function to work With the self service function a user can manage and control his or her accounting information or card number A server with self service software is a self service server Configuring AAA Authenti...

Page 1835: ...h access mode and service type limiting the authentication protocols that can be used for access z Determine whether to configure an authentication method for all access modes or service types Follow these steps to configure AAA authentication methods for an ISP domain To do Use the command Remarks Enter system view system view Enter ISP domain view domain isp name Specify the default authenticati...

Page 1836: ...to switch the privilege level to 3 the system uses enab3 aaa for authentication when the domain name is required and uses enab3 for authentication when the domain name is not required Configuring AAA Authorization Methods for an ISP Domain In AAA authorization is a separate process at the same level as authentication and accounting Its responsibility is to send authorization requests to the specif...

Page 1837: ... an ISP domain To do Use the command Remarks Enter system view system view Enter ISP domain view domain isp name Specify the default authorization method for all types of users authorization default hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local Optional local by default Specify the command authorization method authorization command hwtacacs scheme hwt...

Page 1838: ... AAA accounting is a separate process at the same level as authentication and authorization Its responsibility is to send accounting start update end requests to the specified accounting server Accounting is not required and therefore accounting method configuration is optional AAA supports the following accounting methods z No accounting none The system does not perform accounting for the users z...

Page 1839: ...nal The default accounting method is used by default z With the accounting optional command configured a user that would be otherwise disconnected can still use the network resources even when no accounting server is available or communication with the current accounting server fails z The local accounting method is not used to implement accounting but to work together with the access limit comman...

Page 1840: ...password display mode for all local users local user password display mode auto cipher force Optional auto by default indicating to display the password of a local user in the way indicated by the password command Add a local user and enter local user view local user user name Required No local user exists by default Configure a password for the local user password cipher simple password Optional ...

Page 1841: ... HWTACACS authentication the commands that a login user can use after logging in depend on the level of the user With other authentication methods which commands are available depends on the level of the user interface For an SSH user using public key authentication the commands that can be used depend on the level configured on the user interface For details about authentication method and comman...

Page 1842: ...nnections at present Tear down AAA user connections forcibly on a distributed IRF device cut connection all domain isp name ucibindex ucib index user name user name chassis chassis number slot slot number Required Applicable to only LAN access and portal user connections at present Configuring a NAS ID VLAN Binding In some application scenarios it is required to identify the access locations of us...

Page 1843: ...IRF device display local user idle cut disable enable service type ftp lan access portal ssh telnet terminal state active block user name user name vlan vlan id chassis chassis number slot slot number Available in any view Display configuration information about a specified user group or all user groups display user group group name Available in any view Configuring RADIUS The RADIUS protocol is c...

Page 1844: ...scheme can be referenced by more than one ISP domain at the same time Specifying the RADIUS Authentication Authorization Servers Follow these steps to specify the RADIUS authentication authorization servers To do Use the command Remarks Enter system view system view Enter RADIUS scheme view radius scheme radius scheme name Specify the primary RADIUS authentication authorization server primary auth...

Page 1845: ...t use IP addresses of the same IP version Specifying the RADIUS Accounting Servers and Relevant Parameters Follow these steps to specify the RADIUS accounting servers and perform related configurations To do Use the command Remarks Enter system view system view Enter RADIUS scheme view radius scheme radius scheme name Specify the primary RADIUS accounting server primary accounting ip address ipv6 ...

Page 1846: ...nsmission attempts on the device allowing the device to disconnect a user when the number of accounting request transmission attempts for the user reaches the limit but it still receives no response to the accounting request z The IP addresses of the primary and secondary accounting servers cannot be the same Otherwise the configuration fails z Currently RADIUS does not support keeping accounts on...

Page 1847: ...fault z The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75 z Refer to the timer response timeout command in the command manual for configuring RADIUS server response timeout period Setting the Supported RADIUS Server Type Follow these steps to set the supported RADIUS server type To do Use the command Re...

Page 1848: ...mand Remarks Enter system view system view Enter RADIUS scheme view radius scheme radius scheme name Set the status of the primary RADIUS authentication authorization server state primary authentication active block Set the status of the primary RADIUS accounting server state primary accounting active block Set the status of the secondary RADIUS authentication authorization server state secondary ...

Page 1849: ...username is sent without the ISP domain name do not apply the RADIUS scheme to more than one ISP domain Otherwise users using the same username but in different ISP domains will be considered the same user z For level switching authentication the user name format keep original and user name format without domain commands produce the same results that is usernames sent to the RADIUS server carry no...

Page 1850: ...a device can enable the following three timers z RADIUS server response timeout response timeout If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request authentication authorization or accounting request it has to resend the request so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout time...

Page 1851: ...e product of the two parameters cannot exceed 30 seconds For detailed information about timeout time of a specific access module refer to the corresponding part in the Access Volume z To configure the maximum number of retransmission attempts of RADIUS packets refer to the command retry in the command manual Specifying a Security Policy Server The core of the EAD solution is integration and cooper...

Page 1852: ...ss attribute 25 to a RADIUS client However the RFC only requires the RADIUS client to send the attribute to the accounting server it does not require the RADIUS client to resolve the attribute Currently some RADIUS servers use the class attribute to deliver the assigned committed access rate CAR parameters To support such applications you need to configure the RADIUS client to interpret the class ...

Page 1853: ...lot slot number Available in user view Display information about buffered stop accounting requests that get no responses on a distributed device display stop accounting buffer radius scheme radius server name session id session id time range start time stop time user name user name slot slot number Available in any view Display information about buffered stop accounting requests that get no respon...

Page 1854: ...matter whether there are users online or not This is different from RADIUS Creating an HWTACACS scheme The HWTACACS protocol is configured on a per scheme basis Before performing other HWTACACS configurations follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view To do Use the command Remarks Enter system view system view Create an HWTACACS scheme and enter HWTACACS scheme ...

Page 1855: ...entication servers are specified the secondary one is used when the primary one is not reachable z The IP addresses of the primary and secondary authentication servers cannot be the same Otherwise the configuration fails z You can remove an authentication server only when no active TCP connection for sending authentication packets is using it Specifying the HWTACACS Authorization Servers Follow th...

Page 1856: ...kets is using it Specifying the HWTACACS Accounting Servers Follow these steps to specify the HWTACACS accounting servers and perform related configurations To do Use the command Remarks Enter system view system view Enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Specify the primary HWTACACS accounting server primary accounting ip address port number Specify the secondary HWTACACS...

Page 1857: ...ackets exchanged between them and a shared key to verify the packets Only when the same key is used can they properly receive the packets and make responses Follow these steps to set the shared key for HWTACACS packets To do Use the command Remarks Enter system view system view Enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Set the shared keys for HWTACACS authentication authoriza...

Page 1858: ...to be sent if the physical port for sending the HWTACACS packets fails response packets from the server will be able to arrive at the NAS Follow these steps to specify the source IP address for HWTACACS packets to be sent To do Use the command Remarks Enter system view system view hwtacacs nas ip ip address Specify the source IP address for HWTACACS packets to be sent hwtacacs scheme hwtacacs sche...

Page 1859: ...information or statistics of the specified or all HWTACACS schemes on a distributed device display hwtacacs hwtacacs server name statistics slot slot number Available in any view Display configuration information or statistics of the specified or all HWTACACS schemes on a distributed IRF device display hwtacacs hwtacacs server name statistics chassis chassis number slot slot number Available in an...

Page 1860: ...et Switch Telnet user Authentication Accounting server 10 1 1 1 24 Configuration procedure Configure the IP addresses of the interfaces omitted Enable the Telnet server on the switch Switch system view Switch telnet server enable Configure the switch to use AAA for Telnet users Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Switch ui vty0 4 quit Create HWTACACS scheme hw...

Page 1861: ...unting default hwtacacs scheme hwtac When telneting into the switch a user enters username userid bbb for authentication using domain bbb AAA for Telnet Users by Separate Servers Network requirements As shown in Figure 1 10 configure the switch to provide local authentication HWTACACS authorization and RADIUS accounting services to Telnet users The user name and the password for Telnet users are b...

Page 1862: ...authorization expert Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the RADIUS scheme Switch radius scheme rd Switch radius rd primary accounting 10 1 1 1 1813 Switch radius rd key accounting expert Switch radius rd server type extended Switch radius rd user name format without domain Switch radius rd quit Create a local user named hello Switch local use...

Page 1863: ...server to expert and specify that a username sent to the RADIUS server carries the domain name The RADIUS server provides different user services according to the domain names Figure 1 11 Configure AAA for SSH users by a RADIUS server Internet Switch SSH user RADIUS server 10 1 1 1 24 Vlan int2 192 168 1 70 24 Vlan int3 10 1 1 2 24 Configuration procedure 1 Configure the RADIUS server iMC This exa...

Page 1864: ... management Log into the iMC management platform select the User tab and select Access User View Device Mgmt User from the navigation tree to enter the Device Management User page Then click Add to enter the Add Device Management User window and perform the following configurations z Add a user named hello bbb and specify the password z Select SSH as the service type z Specify the IP address range...

Page 1865: ...gure the IP address of VLAN interface 3 through which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs and enable the SSH server Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Configure the switch to use AAA for SSH users ...

Page 1866: ...sp bbb authentication login radius scheme rad Switch isp bbb authorization login radius scheme rad Switch isp bbb accounting login radius scheme rad Switch isp bbb quit When using SSH to log in a user enters a username in the form userid bbb for authentication using domain bbb 3 Verify the configuration After the above configuration the SSH user should be able to use the configured account to acce...

Page 1867: ... message exchange and specify that usernames sent to the HWTACACS server carry no domain name Configure the domain to use the HWTACACS scheme hwtac for user privilege level switching authentication z Configure the password for local privilege level switching authentication 3 On the HWTACACS server add the username and password for user privilege level switching authentication Configuration procedu...

Page 1868: ...uit Create ISP domain bbb Switch domain bbb Configure the ISP domain to use local authentication for Telnet users Switch isp bbb authentication login local Configure to use HWTACACS scheme hwtac for privilege level switching authentication Switch isp bbb authentication super hwtacacs scheme hwtac Switch isp bbb quit Create a local Telnet user named test Switch local user test Switch luser test ser...

Page 1869: ...o enter the user interface of the switch and access all level 0 commands Switch telnet 192 168 1 70 Trying 192 168 1 70 Press CTRL K to abort Connected to 192 168 1 70 Copyright c 2004 2009 3Com Corp and its licensors All rights reserved This software is protected by copyright law and international treaties Without the prior written permission of 3Com Corporation and its licensors any reproduction...

Page 1870: ...tion Switch super 3 Password Å Enter the password for HWTACACS privilege level switching authentication Error Invalid configuration or no response from the authentication server Info Change authentication mode to local Password Å Enter the password for local privilege level switching authentication User privilege level is 3 and only those commands can be used whose level is equal or less than this...

Page 1871: ...nd link layers 2 The IP address of the RADIUS server is correctly configured on the NAS 3 UDP ports for authentication authorization accounting configured on the NAS are the same as those configured on the RADIUS server 4 The port numbers of the RADIUS server for authentication authorization and accounting are available Symptom 3 A user is authenticated and authorized but accounting for the user i...

Page 1872: ...to be configured for the user 11 Filter ID Name of the filter list 12 Framed MTU Maximum transmission unit MTU for the data link between the user and NAS For example with 802 1X EAP authentication NAS uses this attribute to notify the server of the MTU for EAP packets so as to avoid oversized EAP packets 14 Login IP Host IP address of the NAS interface that the user accesses 15 Login Service Type ...

Page 1873: ...ion 61 NAS Port Type Type of the physical port of the NAS that is authenticating the user which can be z 15 Ethernet z 16 Any type of ADSL z 17 Cable with cable for cable TV z 201 VLAN z 202 ATM If the port is an ATM or Ethernet one and VLANs are implemented on it the value of this attribute is 201 79 EAP Message Used for encapsulating EAP packets to allow the NAS to authenticate dial in users via...

Page 1874: ... Trigger Function 1 17 Enabling the Unicast Trigger Function 1 17 Specifying a Mandatory Authentication Domain for a Port 1 18 Enabling the Quiet Timer Function 1 18 Enabling the Re Authentication Function 1 18 Configuring a Guest VLAN 1 19 Configuring an Auth Fail VLAN 1 20 Displaying and Maintaining 802 1X 1 21 802 1X Configuration Example 1 21 Guest VLAN and VLAN Assignment Configuration Exampl...

Page 1875: ...evices that fail to pass the authentication are denied access to the LAN The port security feature provides rich security modes that combine or extend 802 1X and MAC address authentication In a networking environment that requires flexible use of 802 1X and MAC address authentication you are recommended to configure the port security feature In a network environment that requires only 802 1X authe...

Page 1876: ... between the client device and authentication server z Between the client and the device EAP protocol packets are encapsulated using EAPOL to be transferred on the LAN z Between the device and the RADIUS server EAP protocol packets can be exchanged in two modes EAP relay and EAP termination In EAP relay mode EAP packets are encapsulated in the EAP over RADIUS EAPOR packets on the device which then...

Page 1877: ...orts to access the network without authentication z unauthorized force Places the port in the unauthorized state denying any access requests from users of the ports z auto Places the port in the unauthorized state initially to allow only EAPOL packets to pass and turns the ports into the authorized state to allow access to the network after the users pass authentication This is the most common cho...

Page 1878: ...a client and a device z Length Length of the data that is length of the Packet body field in bytes If the value of this field is 0 no subsequent data field is present z Packet body Content of the packet The format of this field varies with the value of the Type field EAP Packet Format An EAPOL packet of the type of EAP Packet carries an EAP packet in its Packet body field The format of the EAP pac...

Page 1879: ...me EAP Message The EAP Message attribute is used to encapsulate EAP packets Figure 1 6 shows its encapsulation format The value of the Type field is 79 The String field can be up to 253 bytes If the EAP packet is longer than 253 bytes it can be fragmented and encapsulated into multiple EAP Message attributes Figure 1 6 Encapsulation format of the EAP Message attribute Message Authenticator Figure ...

Page 1880: ...iggering mode The device multicasts EAP Request Identify packets periodically every 30 seconds by default to clients z Unicast triggering mode The device deems that a new user is attached to itself upon receiving a data frame on a port with the source MAC address not included in the MAC address table In this case the device sends a unicast packet out the port to trigger 802 1X authentication Authe...

Page 1881: ...dentity packet it encapsulates the username in an EAP Response Identity packet and sends the packet to the device 5 Upon receiving the EAP Response Identity packet the device relays the packet in a RADIUS Access Request packet to the authentication server 6 When receiving the RADIUS Access Request packet the RADIUS server compares the identify information against its user information database to o...

Page 1882: ...as gone offline and performs the necessary operations guaranteeing that the device always knows when a client goes offline 12 The client can also send an EAPOL Logoff packet to the device to go offline unsolicitedly In this case the device changes the status of the port from authorized to unauthorized and sends an EAP Failure packet to the client In EAP relay mode a client must use the same authen...

Page 1883: ...ormation from the client to the RADIUS server for authentication 802 1X Access Control Method 3Com devices not only implement the port based access control method defined in the 802 1X protocol but also extend and optimize the protocol by supporting the MAC based access control method z Port based access control With this method configured on a port after a user connected to the port passes authen...

Page 1884: ...he client is offline z Quiet timer quiet period When a client fails the authentication the device refuses further authentication requests from the client in this period of time z Periodic re authentication timer reauth period If periodic re authentication is enabled on a port the device re authenticates online users on the port at the interval specified by this timer Features Working Together with...

Page 1885: ... a port that uses the port based access control method With PGV configured on a port if no user initiates authentication on the port in a certain period of time 90 seconds by default the port will be added to the guest VLAN and all users accessing the port will be authorized to access the resources in the guest VLAN The device adds a PGV configured port into the guest VLAN according to the port s ...

Page 1886: ...ails the authentication the port stays in the Auth Fail VLAN If the user passes the authentication successfully the port leaves the Auth Fail VLAN and z If the authentication server assigns a VLAN the port joins the assigned VLAN After the user goes offline the port returns to its initial VLAN that is the VLAN the port was in before it was added to any authorized VLAN z If the authentication serve...

Page 1887: ...ecifying a Mandatory Authentication Domain for a Port Optional Enabling the Quiet Timer Function Optional Enabling the Re Authentication Function Optional Configuring a Guest VLAN Optional Configuring an Auth Fail VLAN Optional 802 1X Basic Configuration Configuration Prerequisites 802 1X provides a method for implementing user identity authentication However 802 1X cannot implement the authentica...

Page 1888: ... The defaults are as follows 15 seconds for the handshake timer 60 seconds for the quiet timer 3600 seconds for the periodic re authentication timer 100 seconds for the server timeout timer 30 seconds for the client timeout timer and 30 seconds for the username request timeout timer Note that z For 802 1X to take effect on a port you must enable it both globally and on the port z You can enable 80...

Page 1889: ... users for the port dot1x max user user number Optional 1024 by default Note that z Enabling 802 1X on a port is mutually exclusive with adding the port to an aggregation group and adding the port to a service loopback group z For a user side device sending untagged traffic the voice VLAN function and 802 1X are mutually exclusive and cannot be configured together on the same port For details abou...

Page 1890: ... need to disable the online user handshake function on the device otherwise the device will tear down the connections with such online users for not receiving handshake responses Enabling the Proxy Detection Function With the proxy detection function enabled the device can prevent users from logging in through proxies that is authenticated 802 1X clients so that no user can access network resource...

Page 1891: ... authentication This function is used for clients that cannot initiate authentication unsolicitedly Follow these steps to configure the multicast trigger function To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enable the multicast trigger function dot1x multicast trigger Optional Enabled by default Enabling the Un...

Page 1892: ...for the port dot1x mandatory domain domain name Required Not specified by default Enabling the Quiet Timer Function After the quiet timer is enabled on the device when a client fails 802 1X authentication the device refuses further authentication requests from the client in a period of time which is specified by the quiet timer using the dot1x timer quiet period command Follow these steps to enabl...

Page 1893: ... the access port you are recommended to configure different VLAN IDs for the voice VLAN default VLAN of the port and 802 1X guest VLAN This is to ensure the normal use of the functions z A super VLAN cannot be set as the guest VLAN Similarly a guest VLAN cannot be set as the super VLAN For information about super VLAN refer to VLAN Configuration in the Access Volume z Only Hybrid ports support MGV...

Page 1894: ... function and the free IP function in EAD fast deployment are mutually exclusive on a port z If the traffic from a user side device carries VLAN tags and the 802 1X authentication and guest VLAN functions are configured on the access port you are recommended to configure different VLAN IDs for the voice VLAN default VLAN of the port and 802 1X guest VLAN This is to ensure the normal use of the fun...

Page 1895: ...intaining 802 1X To do Use the command Remarks Display 802 1X session information statistics or configuration information of specified or all ports display dot1x sessions statistics interface interface list Available in any view Clear 802 1X statistics reset dot1x statistics interface interface list Available in user view 802 1X Configuration Example Network requirements z It is required to use th...

Page 1896: ...over 20 minutes Figure 1 10 Network diagram for 802 1X configuration Configuration procedure The following configuration procedure covers most AAA RADIUS configuration commands for the device while configuration on the 802 1X client and RADIUS server are omitted For information about AAA RADIUS configuration commands refer to AAA Configuration in the Security Volume Configure the IP addresses for ...

Page 1897: ...the RADIUS server Device radius radius1 user name format without domain Device radius radius1 quit Create domain aabbcc net and enter its view Device domain aabbcc net Set radius1 as the RADIUS scheme for users of the domain and specify to use local authentication as the secondary scheme Device isp aabbcc net authentication default radius scheme radius1 local Device isp aabbcc net authorization de...

Page 1898: ...uns RADIUS and is in VLAN 2 z The update server which is in VLAN 10 is for client software download and upgrade z Port GigabitEthernet 2 0 3 of the device which is in VLAN 5 is for accessing the Internet As shown in Figure 1 12 z On port GigabitEthernet 2 0 2 enable 802 1X and set VLAN 10 as the guest VLAN of the port If the device sends an EAP Request Identity packet from the port for the maximum...

Page 1899: ...he following configuration procedure uses many AAA RADIUS commands For detailed configuration of these commands refer to AAA Configuration in the Security Volume z Configurations on the 802 1X client and RADIUS server are omitted Configure RADIUS scheme 2000 Device system view Device radius scheme 2000 Device radius 2000 primary authentication 10 11 1 1 1812 ...

Page 1900: ...evice vlan 10 Device vlan10 quit Specify port GigabitEthernet 2 0 2 to use VLAN 10 as its guest VLAN Device dot1x guest vlan 10 interface gigabitethernet 2 0 2 You can use the display current configuration or display interface gigabitethernet 2 0 2 command to view your configuration You can also use the display vlan 10 command to verify whether the configured guest VLAN functions normally when the...

Page 1901: ...y accounting abc Device radius 2000 user name format without domain Device radius 2000 quit Create an ISP domain and specify the AAA schemes Device domain 2000 Device isp 2000 authentication default radius scheme 2000 Device isp 2000 authorization default radius scheme 2000 Device isp 2000 accounting default radius scheme 2000 Device isp 2000 quit Configure ACL 3000 to deny packets destined for 10...

Page 1902: ...1 28 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request timed out Request timed out Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss C ...

Page 1903: ... be time consuming and inefficient To address the issue quick EAD deployment was developed In conjunction with 802 1X it can have an access switch to force all attached devices to download and install the EAD client before permitting them to access the network EAD Fast Deployment Implementation To support the fast deployment of EAD schemes 802 1X provides the following two mechanisms 1 Limit on ac...

Page 1904: ...EAD is enabled Follow these steps to configure a freely accessible network segment To do Use the command Remarks Enter system view system view Configure a freely accessible network segment dot1x free ip ip address mask address mask length Required No freely accessible network segment is configured by default z You cannot configure both the free IP and the 802 1X guest VLAN function on a port z If ...

Page 1905: ...a user accesses the network this timer is started If the user neither downloads client software nor performs authentication before the timer expires the occupied ACL will be released so that other users can use it When there are a large number of users you can shorten the timeout time to improve the ACL usage efficiency Follow these steps to set the EAD rule timeout time To do Use the command Rema...

Page 1906: ...o support EAD fast deployment Configure the IP addresses of the interfaces omitted Configure the free IP Device system view Device dot1x free ip 192 168 2 0 24 Configure the redirect URL for client software download Device dot1x url http 192 168 2 3 Enable 802 1X globally Device dot1x Enable 802 1X on the port Device interface gigabitethernet 2 0 1 Device GigabitEthernet2 0 1 dot1x 3 Verify your c...

Page 1907: ...ating system of the host regards the string a website name and tries to have it resolved If the resolution fails the operating system sends an ARP request with the address in the format other than X X X X The redirection function does redirect this kind of ARP request z The address is within the freely accessible network segment In this case the device regards that the user is trying to access a h...

Page 1908: ... 1 2 Quiet MAC Address 1 2 VLAN Assigning 1 2 ACL Assigning 1 2 Configuring MAC Authentication 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 Displaying and Maintaining MAC Authentication 1 4 MAC Authentication Configuration Examples 1 4 Local MAC Authentication Configuration Example 1 4 RADIUS Based MAC Authentication Configuration Example 1 6 ACL Assignment Configuration Example...

Page 1909: ...er serves as both the username and password z Fixed username where all users use the same preconfigured username and password for authentication regardless of the MAC addresses Multiple users can be authenticated on the same port using the same username and password RADIUS Based MAC Authentication In RADIUS based MAC authentication the device serves as a RADIUS client and requires a RADIUS server ...

Page 1910: ...ll be discarded silently by the device until the quiet timer expires This prevents the device from authenticating an illegal user repeatedly in a short time If a quiet MAC address is the same as a static MAC address configured or an MAC address that has passed another type of authentication the quiet function does not take effect VLAN Assigning For separation of users from restricted network resou...

Page 1911: ...thentication To do Use the command Remarks Enter system view system view Enable MAC authentication globally mac authentication Required Disabled by default mac authentication interface interface list Enable MAC authentication for specified ports interface interface type interface number mac authentication quit Required Use either approach Disabled by default Specify the ISP domain for MAC authenti...

Page 1912: ...ing the port to a service loopback group z For details about the default ISP domain refer to AAA Configuration in the Security Volume Displaying and Maintaining MAC Authentication To do Use the command Remarks Display the global MAC authentication information or the MAC authentication information about specified ports display mac authentication interface interface list Available in any view Clear ...

Page 1913: ...authentication for port GigabitEthernet 2 0 1 Device mac authentication interface gigabitethernet 2 0 1 Specify the ISP domain for MAC authentication Device mac authentication domain aabbcc net Set the MAC authentication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet 180 Specify the MAC authentication username format as MAC address that is using the...

Page 1914: ... Total 1 connection s matched on slot 2 Total 1 connection s matched RADIUS Based MAC Authentication Configuration Example Network requirements As illustrated in Figure 1 2 a host is connected to the device through port GigabitEthernet 2 0 1 The device authenticates authorizes and keeps accounting on the host through the RADIUS server z MAC authentication is required on every port to control user ...

Page 1915: ...rization default radius scheme 2000 Device isp 2000 accounting default radius scheme 2000 Device isp 2000 quit Enable MAC authentication globally Device mac authentication Enable MAC authentication for port GigabitEthernet 2 0 1 Device mac authentication interface gigabitethernet 2 0 1 Specify the ISP domain for MAC authentication Device mac authentication domain 2000 Set the MAC authentication ti...

Page 1916: ... MAC 00e0 fc12 3456 Total 1 connection s matched on slot 2 Total 1 connection s matched ACL Assignment Configuration Example Network requirements As shown in Figure 1 3 a host is connected to port GigabitEthernet 2 0 1 of the switch and must pass MAC authentication to access the Internet z Specify to use the MAC address of a user as the username and password for MAC authentication of the user z Co...

Page 1917: ...rimary authentication 10 1 1 1 1812 Sysname radius 2000 primary accounting 10 1 1 2 1813 Sysname radius 2000 key authentication abc Sysname radius 2000 key accounting abc Sysname radius 2000 user name format without domain Sysname radius 2000 quit Create an ISP domain and specify the AAA schemes Sysname domain 2000 Sysname isp 2000 authentication default radius scheme 2000 Sysname isp 2000 authori...

Page 1918: ...mat mac address Enable MAC authentication for port GigabitEthernet 2 0 1 Sysname interface gigabitethernet 2 0 1 Sysname GigabitEthernet2 0 1 mac authentication After completing the above configurations you can use the ping command to verify whether the ACL 3000 assigned by the RADIUS server functions C ping 10 0 0 1 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request timed out Reques...

Page 1919: ...Specifying a Mandatory Authentication Domain 1 10 Specifying a NAS ID Profile for an Interface 1 11 Setting the Maximum Number of Online Portal Users 1 12 Displaying and Maintaining Portal 1 12 Portal Configuration Examples 1 13 Configuring Direct Portal Authentication 1 13 Configuring Re DHCP Portal Authentication 1 17 Configuring Layer 3 Portal Authentication 1 20 Configuring Direct Portal Authe...

Page 1920: ...al website enter username and password for authentication This authentication mode is called active authentication There is still another authentication mode namely forced authentication in which the access device forces a user trying to access the Internet through HTTP to log in to a portal website for authentication The portal feature provides the flexibility for Internet service providers ISPs ...

Page 1921: ... security authentication of a client depends on the communications between the portal client and the security policy server Access device Device for broadband access It can be a switch or a router that provides the following three functions z Before authentication redirecting all HTTP requests from users in the subnet to be authenticated to the portal server z During authentication interacting wit...

Page 1922: ...rity authentication result z Since a portal client uses an IP address as its ID ensure that there is no Network Address Translation NAT device between the authentication client access device portal server and authentication accounting server when deploying portal authentication This is to avoid authentication failure due to NAT operations z Currently only a RADIUS server can serve as the remote au...

Page 1923: ...e a client is uniquely identified by an IP address This is because the mode supports Layer 3 forwarding devices between the authentication client and the access device but the access device does not learn the MAC address of the authentication client In non Layer 3 authentication mode a client is uniquely identified by the combination of its IP address and MAC address because the access device can ...

Page 1924: ...request message and sends it to the access device Meanwhile the portal server starts a timer to wait for an authentication acknowledgment message 4 The access device and the RADIUS server exchange RADIUS packets to authenticate the user 5 If the user passes authentication the access device sends an authentication acknowledgment message to the portal server 6 The portal server sends an authenticati...

Page 1925: ...s received the access device notifies the portal server of the change 10 The portal server notifies the authentication client of logon success 11 The portal server sends a user IP address change acknowledgment message to the access device With extended portal functions the process includes two additional steps 12 The security policy server exchanges security authentication information with the cli...

Page 1926: ...z With re DHCP authentication the invalid IP address check function of DHCP relay is enabled on the access device and the DHCP server is installed and configured properly z With RADIUS authentication usernames and passwords of the users are configured on the RADIUS server and the RADIUS client configurations are performed on the access device For information about RADIUS client configuration refer...

Page 1927: ...renced by any interface z The portal server to be referenced must exist z Only Layer 3 portal authentication mode portal server server name method layer3 can be used in applications with Layer 3 forwarding devices present between the authentication clients and the access device However Layer 3 authentication does not require any Layer 3 forwarding devices between the access device and the authenti...

Page 1928: ...an modifying it Configuring an Authentication Subnet By configuring authentication subnets you can allow portal authentication to be triggered by only packets from users on the authentication subnets If a user does not initiate portal authentication before accessing the external network and the user s packets are neither matching the portal free rules nor from authentication subnets the user packe...

Page 1929: ...nas ip ip address Optional By default there is no source IP address specified for portal packets and the IP address of the user login interface will be used as the source IP address of the portal packets Logging out Users Logging out a user terminates the authentication process for the user or removes the user from the authenticated users list Follow these steps to log out users To do Use the comm...

Page 1930: ...s NAS ID will be used as that of the NAS identifier attribute in the RADIUS packets to be sent to the RADIUS server A NAS ID profile defines the binding relationship between VLANs and NAS IDs A NAS ID VLAN binding is defined by the nas id id value bind vlan vlan id command which is described in detail in AAA Commands of the Security Volume If no NAS ID profile is specified for an interface or no m...

Page 1931: ...rs the command can be executed successfully and will not impact the online portal users but the system will not allow new portal users to log in until the number drops down below the limit Displaying and Maintaining Portal To do Use the command Remarks Display the ACLs on a specified interface display portal acl all dynamic static interface interface type interface number Available in any view Dis...

Page 1932: ...t portal server statistics all interface interface type interface number Available in user view Clear TCP spoofing statistics reset portal tcp cheat statistics Available in user view Portal Configuration Examples Configuring Direct Portal Authentication Network requirements z The host is directly connected to the switch and the switch is configured for direct authentication The host is assigned wi...

Page 1933: ...t Portal Service Management Server from the navigation tree to enter the portal server configuration page as shown in Figure 1 5 z Input the URL address of the portal authentication main page in the format of http ip port portal where ip and port are those configured during the iMC UAM installation Usually their default settings are used Figure 1 5 Portal server configuration Configure the IP addr...

Page 1934: ...nnecting the user z Type the key which must be the same as that configured on the switch z Set whether to enable IP address reallocation Direction portal authentication is used in this example and therefore select No from the Reallocate IP drop down list Figure 1 7 Add a portal device Associate the portal device with the IP address group As shown in Figure 1 8 in the device list on the portal devi...

Page 1935: ... to make the previous configurations take effect 2 Configure the switch z Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Switch system view Switch radius scheme rs1 Set the server type for the RADIUS scheme When using the iMC server you need set the server type to extended Switch radius rs1 server type extended Specify the primary authentication server and primary ac...

Page 1936: ... z Configure portal authentication Configure the portal server as follows z Name newpt z IP address 192 168 0 111 z Key portal z Port number 50100 z URL http 192 168 0 111 portal Switch portal server newpt ip 192 168 0 111 key portal port 50100 url http 192 168 0 111 portal Enable portal authentication on the interface connecting the host Switch interface vlan interface 100 Switch Vlan interface10...

Page 1937: ...ss z You need to configure IP addresses for the devices as shown in Figure 1 10 and ensure that routes are available between devices z Perform configurations on the RADIUS server to ensure that the user authentication and accounting functions can work normally Configure the switch 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view Switch system view Switch radius schem...

Page 1938: ... server as follows z Name newpt z IP address 192 168 0 111 z Key portal z Port number 50100 z URL http 192 168 0 111 portal Switch portal server newpt ip 192 168 0 111 key portal port 50100 url http 192 168 0 111 portal Configure the switch as a DHCP relay agent and enable the invalid address check function Switch dhcp enable Switch dhcp relay server group 0 ip 192 168 0 112 Switch interface vlan ...

Page 1939: ...sure that routes are available between devices z Perform configurations on the RADIUS server to ensure that the user authentication and accounting functions can work normally Configure Switch A 1 Configure a RADIUS scheme Create a RADIUS scheme named rs1 and enter its view SwitchA system view SwitchA radius scheme rs1 Set the server type for the RADIUS scheme When using the iMC server you need set...

Page 1940: ... 168 0 111 z Key portal z Port number 50100 z URL http 192 168 0 111 portal SwitchA portal server newpt ip 192 168 0 111 key portal port 50100 url http 192 168 0 111 portal Enable portal authentication on the interface connecting Switch B SwitchA interface vlan interface 4 SwitchA Vlan interface4 portal server newpt method layer3 SwitchA Vlan interface4 quit On Switch B you need to configure a def...

Page 1941: ...DIUS scheme Create a RADIUS scheme named rs1 and enter its view Switch system view Switch radius scheme rs1 Set the server type for the RADIUS scheme When using the iMC server you need set the server type to extended Switch radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Switch radius ...

Page 1942: ...1 for unrestricted resources On the security policy server you need to specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL Switch acl number 3000 Switch acl adv 3000 rule permit ip destination 192 168 0 0 0 0 0 255 Switch acl adv 3000 rule deny ip Switch acl adv 3000 quit Switch acl number 3001 Switch acl adv 3001 rule permit ip Switch acl adv 3001 quit 4 Configure portal authen...

Page 1943: ...Configure re DHCP portal authentication with extended functions Configuration procedure z For re DHCP authentication you need to configure a public address pool 20 20 20 0 24 in this example and a private address pool 10 0 0 0 24 in this example on the DHCP server The configuration steps are omitted For DHCP configuration information refer to DHCP Configuration in the IP Services Volume z For re D...

Page 1944: ...s1 quit 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view Switch domain dm1 Configure the ISP domain to use RADIUS scheme rs1 Switch isp dm1 authentication portal radius scheme rs1 Switch isp dm1 authorization portal radius scheme rs1 Switch isp dm1 accounting portal radius scheme rs1 Switch isp dm1 quit Configure dm1 as the default ISP domain for all users The...

Page 1945: ...s 10 0 0 1 255 255 255 0 sub Switch Vlan interface100 dhcp select relay Switch Vlan interface100 dhcp relay server select 0 Switch Vlan interface100 dhcp relay address check enable Enable re DHCP portal authentication on the interface connecting the host Switch Vlan interface100 portal server newpt method redhcp Switch Vlan interface100 quit Configuring Layer 3 Portal Authentication with Extended ...

Page 1946: ...e for the RADIUS scheme When using the iMC server you need set the server type to extended SwitchA radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers SwitchA radius rs1 primary authentication 192 168 0 112 SwitchA radius rs1 primary accounting 192 168 0 112 SwitchA radius rs1 key accounti...

Page 1947: ...y ACL SwitchA acl number 3000 SwitchA acl adv 3000 rule permit ip destination 192 168 0 0 0 0 0 255 SwitchA acl adv 3000 rule deny ip SwitchA acl adv 3000 quit SwitchA acl number 3001 SwitchA acl adv 3001 rule permit ip SwitchA acl adv 3001 quit 4 Configure portal authentication Configure the portal server as follows z Name newpt z IP address 192 168 0 111 z Key portal z Port number 50100 z URL ht...

Page 1948: ...uthentication client Analysis When you execute the portal delete user command on the access device to force the user to log out the access device actively sends a REQ_LOGOUT message to the portal server The default listening port of the portal server is 50100 However if the listening port configured on the access device is not 50100 the destination port of the REQ_LOGOUT message is not the actual ...

Page 1949: ...re 1 7 Configuring Port Security Features 1 8 Configuring NTK 1 8 Configuring Intrusion Protection 1 8 Configuring Trapping 1 9 Configuring Secure MAC Addresses 1 10 Configuration Prerequisites 1 10 Configuration Procedure 1 10 Ignoring Authorization Information from the Server 1 10 Displaying and Maintaining Port Security 1 11 Port Security Configuration Examples 1 11 Configuring the autoLearn Mo...

Page 1950: ... needed When a port security enabled device detects an illegal frame it triggers the corresponding port security feature and takes a pre defined action automatically This reduces your maintenance workload and greatly enhances system security The following types of frames are classified as illegal z Received frames with unknown source MAC addresses when MAC address learning is disabled z Received f...

Page 1951: ...nd access to the port is not restricted In this mode neither the NTK nor the intrusion protection feature is triggered autoLearn In this mode a port can learn a specified number of MAC addresses and save those addresses as secure MAC addresses It permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the mac address static command When t...

Page 1952: ...eceiving non 802 1X frames and performs 802 1X authentication upon receiving 802 1X frames macAddressElseUserLo ginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes with MAC authentication having a higher priority z Upon receiving a non 802 1X frame a port in this mode performs only MAC authentication z Upon receiving an 802 1X frame the port performs MAC au...

Page 1953: ...ss specifies MAC address authentication z Else specifies that the authentication method before Else is applied first If the authentication fails the protocol type of the authentication request determines whether to turn to the authentication method following the Else z In a security mode with Or the protocol type of the authentication request determines which authentication method is to be used z ...

Page 1954: ...e Follow these steps to enable port security To do Use the command Remarks Enter system view system view Enable port security port security enable Required Disabled by default Note that 1 Enabling port security resets the following configurations on a port to the bracketed defaults Then values of these configurations cannot be changed manually the system will adjust them based on the port security...

Page 1955: ...port To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Set the maximum number of secure MAC addresses allowed on a port port security max mac count count value Required Not limited by default This configuration is different from that of the maximum number of MAC addresses that can be leaned by the port in MAC address manageme...

Page 1956: ...do Use the command Remarks Enter system view system view Set an OUI value for user authentication port security oui oui value index index value Optional Not configured by default The command is required for the userlogin withoui mode Enter interface view interface interface type interface number Set the port security mode port security port mode autolearn mac authentication mac else userlogin secu...

Page 1957: ...llow frames to be forwarded to only devices passing authentication The NTK feature supports three modes z ntkonly Forwards only frames destined for authenticated MAC addresses z ntk withbroadcasts Forwards only frames destined for authenticated MAC addresses or the broadcast address z ntk withmulticasts Forwards only frames destined for authenticated MAC addresses multicast addresses or the broadc...

Page 1958: ...uring which a port remains disabled port security timer disableport time value Optional 20 seconds by default On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode intrusion protection is triggered only after both MAC authentication and 802 1X authentication for the same frame fail Configuring Trapping The trapping feature enables a devic...

Page 1959: ...o do Use the command Remarks Enter system view system view In system view port security mac address security mac address interface interface type interface number vlan vlan id interface interface type interface number Configure a secure MAC address In interface view port security mac address security mac address vlan vlan id Required Use either approach No secure MAC address is configured by defau...

Page 1960: ...ty interface interface type interface number vlan vlan id count Available in any view Display information about blocked MAC addresses display port security mac address block interface interface type interface number vlan vlan id count Available in any view Port Security Configuration Examples Configuring the autoLearn Mode Network requirements Restrict port GigabitEthernet 2 0 1 of the switch as f...

Page 1961: ...w the port security configuration information Switch display port security interface gigabitethernet 2 0 1 Equipment port security is enabled Intrusion trap is enabled Disableport Timeout 30s OUI value GigabitEthernet2 0 1 is link up Port mode is autoLearn NeedToKnow mode is disabled Intrusion Protection mode is DisablePortTemporarily Max MAC address number is 64 Stored MAC address number is 0 Aut...

Page 1962: ...gabitethernet 2 0 1 GigabitEthernet2 0 1 current state Port Security Disabled IP Packet Frame Type PKTFMT_ETHNT_2 Hardware Address 000f cb00 5558 Description GigabitEthernet2 0 1 Interface The port should be re enabled 30 seconds later Switch GigabitEthernet2 0 1 display interface gigabitethernet 2 0 1 GigabitEthernet2 0 1 current state UP IP Packet Frame Type PKTFMT_ETHNT_2 Hardware Address 000f ...

Page 1963: ...for configuring the userLoginWithOUI mode Configuration procedure z The following configuration steps cover some AAA RADIUS configuration commands For details about the commands refer to AAA Configuration in the Security Volume z Configurations on the host and RADIUS servers are omitted 1 Configure the RADIUS protocol Configure a RADIUS scheme named radsun Switch system view Switch radius scheme r...

Page 1964: ...oui 1234 0300 1111 index 3 Switch port security oui 1234 0400 1111 index 4 Switch port security oui 1234 0500 1111 index 5 Switch interface gigabitethernet 2 0 1 Set the port security mode to userLoginWithOUI Switch GigabitEthernet2 0 1 port security port mode userlogin withoui 4 Verify the configuration After completing the above configurations you can use the following command to view the config...

Page 1965: ...s disabled Disableport Timeout 20s OUI value Index is 1 OUI value is 123401 Index is 2 OUI value is 123402 Index is 3 OUI value is 123403 Index is 4 OUI value is 123404 Index is 5 OUI value is 123405 GigabitEthernet2 0 1 is link up Port mode is userLoginWithOUI NeedToKnow mode is disabled Intrusion Protection mode is NoAction Max MAC address number is not configured Stored MAC address number is 0 ...

Page 1966: ... domain NOT configured Guest VLAN NOT configured Auth Fail VLAN NOT configured Max number of on line users is 256 EAPOL Packet Tx 16331 Rx 102 Sent EAP Request Identity Packets 16316 EAP Request Challenge Packets 6 EAP Success Packets 4 Fail Packets 5 Received EAPOL Start Packets 6 EAPOL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Packets 6 Error Packets 0 1 Authentica...

Page 1967: ... 1 Configure the RADIUS protocol The required RADIUS authentication accounting configurations and ISP domain configurations are the same as those in Configuring the userLoginWithOUI Mode 2 Configure port security Enable port security Switch system view Switch port security enable Configure a MAC authentication user setting the user name and password to aaa and 123456 respectively Switch mac authen...

Page 1968: ...h display mac authentication interface gigabitethernet 2 0 1 MAC address authentication is enabled User name format is fixed account Fixed username aaa Fixed password 123456 Offline detect period is 60s Quiet period is 5s Server response timeout value is 100s The max allowed user number is 2048 per slot Current user number amounts to 3 Current domain is mac Silent MAC User info MAC Addr From Port ...

Page 1969: ...led Proxy logoff checker is disabled The port is an authenticator Periodic reauthentication is disabled Authentication Mode is Auto Port Control Type is Mac based 802 1X Multicast trigger is enabled Mandatory authentication domain NOT configured Guest VLAN NOT configured Auth Fail VLAN NOT configured Max number of on line users is 256 EAPOL Packet Tx 16331 Rx 102 Sent EAP Request Identity Packets ...

Page 1970: ...ure secure MAC addresses Switch GigabitEthernet2 0 1 port security mac address security 1 1 2 vlan 1 Error Security MAC address configuration failed Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn Solution Set the port security mode to autoLearn Switch GigabitEthernet2 0 1 undo port security port mode Switch GigabitEthernet2 0 1 por...

Page 1971: ...ser is online Solution Use the cut command to forcibly disconnect the user from the port before changing the port security mode Switch GigabitEthernet2 0 1 quit Switch cut connection interface gigabitethernet 2 0 1 Switch interface gigabitethernet 2 0 1 Switch GigabitEthernet2 0 1 undo port security port mode ...

Page 1972: ...ntaining IP Source Guard 1 3 IP Source Guard Configuration Examples 1 4 Static Binding Entry Configuration Example 1 4 Dynamic Binding Function Configuration Example 1 1 5 Dynamic Binding Function Configuration Example 2 1 7 Dynamic Binding Function Configuration Example 3 1 8 Troubleshooting IP Source Guard 1 9 Failed to Configure Static Binding Entries and Dynamic Binding Function 1 9 ...

Page 1973: ...legal usages of network resources and improve the network security For example IP source guard can prevent an illegal host from pretending to be a legal user to access the network With IP source guard enabled on a port after receiving a packet the port looks up the key attributes including source IP address source MAC address and VLAN tag of the packet in the binding entries of the IP source guard...

Page 1974: ... service loopback group Configuring a Static Binding Entry Follow these steps to configure a static binding entry To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure a static binding entry user bind ip address ip address ip address ip address mac address mac address mac address mac address vlan vlan id Required No sta...

Page 1975: ...ip address mac address mac address Required Not configured by default z To implement dynamic binding in IP source guard make sure that DHCP snooping or DHCP Relay is configured and works normally For DHCP configuration information refer to DHCP Configuration in the System Volume z A port takes only the latest dynamic binding entries configured on it Displaying and Maintaining IP Source Guard To do...

Page 1976: ...witch A Configure port GigabitEthernet 2 0 2 of Switch A to allow only IP packets with the source MAC address of 00 01 02 03 04 05 and the source IP address of 192 168 0 3 to pass SwitchA system view SwitchA interface gigabitethernet 2 0 2 SwitchA GigabitEthernet2 0 2 user bind ip address 192 168 0 3 mac address 0001 0203 0405 SwitchA GigabitEthernet2 0 2 quit Configure port GigabitEthernet 2 0 1 ...

Page 1977: ...tus 0001 0203 0406 192 168 0 1 N A GigabitEthernet2 0 2 Static 0001 0203 0407 192 168 0 2 N A GigabitEthernet2 0 1 Static Dynamic Binding Function Configuration Example 1 Network requirements As shown in Figure 1 2 Switch A connects to Client A and the DHCP server through ports GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 respectively DHCP snooping is enabled on Switch A Detailed requirements a...

Page 1978: ... 0 1 display this interface GigabitEthernet2 0 1 port link mode bridge ip check source ip address mac address return Display the dynamic binding entries that port GigabitEthernet 2 0 1 has obtained from DHCP snooping SwitchA GigabitEthernet2 0 1 display ip check source Total entries found 1 MAC IP Vlan Port Status 0001 0203 0406 192 168 0 1 1 GigabitEthernet 2 0 1 DHCP SNP Display the dynamic entr...

Page 1979: ... user device is generated on the OLT device z Enable IP Source Guard on OLT 3 0 1 to protect the server against attacks launched by clients using fake source IP addresses This example shows only the OLT configuration For DHCP server configuration refer to the DHCP Configuration in the IP Service Volume Network diagram Figure 1 3 Network diagram for configuring dynamic binding function II Configura...

Page 1980: ...ined by OLT 3 0 1 Sysname display dhcp snooping DHCP Snooping is enabled The client binding table for all untrusted ports Type D Dynamic S Static Type IP Address MAC Address Lease VLAN Interface D 192 168 0 1 0001 0203 0406 86335 1 Onu3 0 1 1 The display shows that after IP Source Guard is enabled on OLT 3 0 1 the port obtains the dynamic entry generated by DHCP snooping Dynamic Binding Function C...

Page 1981: ...rface 100 SwitchA Vlan interface100 dhcp select relay Correlate VLAN interface 100 with DHCP server group 1 SwitchA Vlan interface100 dhcp relay server select 1 2 Verify the configuration Display the generated dynamic binding entries SwitchA display ip check source Total entries found 1 MAC IP Vlan Port Status 0001 0203 0406 192 168 0 1 100 Vlan interface100 DHCP RLY Troubleshooting IP Source Guar...

Page 1982: ...g and Maintaining SSH 1 12 SSH Server Configuration Examples 1 13 When Switch Acts as Server for Password Authentication 1 13 When Switch Acts as Server for Publickey Authentication 1 15 SSH Client Configuration Examples 1 20 When Switch Acts as Client for Password Authentication 1 20 When Switch Acts as Client for Publickey Authentication 1 23 2 SFTP Service 2 1 SFTP Overview 2 1 Configuring an S...

Page 1983: ...o logging into a remote device securely By encryption and strong authentication it protects devices against attacks such as IP spoofing and plain text password interception The device can not only work as an SSH server to support connections with SSH clients but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Currently when actin...

Page 1984: ... number while the software version number is used for debugging 3 The client receives and resolves the packet If the protocol version of the server is lower but supportable the client uses the protocol version of the server otherwise the client uses its own protocol version 4 The client sends to the server a packet that contains the number of the protocol version it decides to use The server compa...

Page 1985: ...rname and password locally or by a remote AAA server and then informs the client of the authentication result z Publickey authentication The server authenticates the client by the digital signature During publickey authentication the client sends to the server a publickey authentication request that contains its username public key and publickey algorithm information The server checks whether the ...

Page 1986: ...rver and the client exchanges data in the following way z The client encrypts and sends the command to be executed to the server z The server decrypts and executes the command and then encrypts and sends the result to the client z The client decrypts and displays the result on the terminal z In the interaction stage you can execute commands from the client by pasting the commands in text format th...

Page 1987: ...nts may use different publickey algorithms though a single client usually uses only one type of publickey algorithm z The public key local create rsa command generates two RSA key pairs a server key pair and a host key pair Each of the key pairs consists of a public key and a private key The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure t...

Page 1988: ...ired By default the authentication mode is password Configure the user interface s to support SSH login protocol inbound all ssh Optional All protocols are supported by default z For detailed information about the authentication mode and protocol inbound commands refer to User Interface Commands of the System Volume z If you configure a user interface to support SSH be sure to configure the corres...

Page 1989: ... SSH server Configuring a client public key manually Follow these steps to configure the client public key manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a client public key Enter the content of the public key Required Spaces and carriage returns are allowed between charac...

Page 1990: ...y the service type and authentication mode To do Use the command Remarks Enter system view system view For Stelnet users ssh user username service type stelnet authentication type password any password publickey publickey assign publickey keyname Create an SSH user and specify the service type and authentication mode For all users or SFTP users ssh user username service type all sftp authenticatio...

Page 1991: ...e ssh user command z The configured authentication method takes effect only for users logging in after the configuration For users using publickey authentication z You must configure on the device the corresponding username and public keys z After login the commands available for a user are determined by the user privilege level which is configured with the user privilege level command on the user...

Page 1992: ... maximum number of SSH authentication attempts ssh server authentication retries times Optional 3 by default Authentication will fail if the number of authentication attempts including both publickey and password authentication exceeds that specified in the ssh server authentication retries command Configuring the Device as an SSH Client SSH Client Configuration Task List Complete the following ta...

Page 1993: ... configured with the server host public key accesses the server for the first time the user can continue accessing the server and save the host public key on the client When accessing the server again the client will use the saved server host public key to authenticate the server z Without first time authentication a client not configured with the server host public key will deny to access the ser...

Page 1994: ...es aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Establish a connection between the SSH client and server and specify the public key algorithm preferred encryption algorithms preferred HMAC algorithms and preferred key exchange algorithm For an IPv4 IPv6 server ssh2 i...

Page 1995: ...any view For information about the display public key local and display public key peer commands refer to Public Key Commands in the Security Volume SSH Server Configuration Examples When Switch Acts as Server for Password Authentication Network requirements z As shown in Figure 1 1 a local SSH connection is established between the host the SSH client and the switch the SSH server for secure data ...

Page 1996: ... Switch local user client001 Switch luser client001 password simple aabbcc Switch luser client001 service type ssh Switch luser client001 authorization attribute level 3 Switch luser client001 quit Specify the service type for user client001 as Stelnet and the authentication mode as password This step is optional Switch ssh user client001 service type stelnet authentication type password 2 Configu...

Page 1997: ... interface When Switch Acts as Server for Publickey Authentication Network requirements z As shown in Figure 1 3 a local SSH connection is established between the host the SSH client and the switch the SSH server for secure data exchange z Publickey authentication is used the algorithm is RSA Figure 1 3 Switch acts as server for publickey authentication Configuration procedure 1 Configure the SSH ...

Page 1998: ...to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Before performing the following tasks you must use the client software to generate an RSA key pair on the client save the public key in a file named key pub and then upload the file to the SSH server through FTP or TFTP For details refer to Configure the SSH clientbelow Import the client s public key from file key pub and name it S...

Page 1999: ... key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 5 Otherwise the process bar stops moving and the key pair generating process will be stopped ...

Page 2000: ... file name as key pub to save the public key Figure 1 6 Generate a client key pair 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the key private in this case ...

Page 2001: ...he client Specify the private key file and establish a connection with the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 Figure 1 8 SSH client configuration interface 1 Select Connection SSH Auth from the navigation tree The following window appears Click Browse to bring up the file selection win...

Page 2002: ... as Client for Password Authentication Network requirements z As shown in Figure 1 10 Switch A the SSH client needs to log into Switch B the SSH server through the SSH protocol z The username of the SSH client is client001 and the password is aabbcc Password authentication is required Figure 1 10 Switch acts as client for password authentication Configuration procedure 1 Configure the SSH server C...

Page 2003: ... level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authentication type as password This step is optional SwitchB ssh user client001 service type stelnet authentication type password 2 Configure the SSH client Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165...

Page 2004: ... code 94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 SwitchA pkey key code B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9 SwitchA pkey key code B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC 9B09EEF0381840002818000AF995917 SwitchA pkey key code E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5D F257523777D033BEE77FC378145F2AD ...

Page 2005: ...nt will use as the destination for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh Set the...

Page 2006: ... a DSA key pair SwitchA public key local create dsa Export the DSA public key to the file key pub SwitchA public key local export dsa ssh2 key pub SwitchA quit After generating a key pair on a client you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of the client Establish an SSH connection...

Page 2007: ...FTP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the detailed configuration procedure refer to Configuring the Device as an SSH Server z You have used the ssh user service type command to set the service type of SSH users to sftp or all For configuration pr...

Page 2008: ...or the SFTP Client You can configure a client to use only a specified source IP address or interface to access the SFTP server thus enhancing the service manageability Follow these steps to specify a source IP address or interface for the SFTP client To do Use the command Remarks Enter system view system view Specify a source IPv4 address or interface for the SFTP client sftp client source ip ip a...

Page 2009: ...p14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Use either command in user view Working with the SFTP Directories SFTP directory operations include z Changing or displaying the current working directory z Displaying files under a specified directory or the directory information z Changing the name of a specified directory on the server z Creating or deletin...

Page 2010: ...z Changing the name of a file z Downloading a file z Uploading a file z Displaying a list of the files z Deleting a file Follow these steps to work with SFTP files To do Use the command Remarks Enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer ...

Page 2011: ...rver port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Execute the command in user view Display a list of all commands or the help information of an SFTP client command help all command name Required Termin...

Page 2012: ...iguration procedure 1 Configure the SFTP server Switch B Generate RSA and DSA key pairs and enable the SSH server SwitchB system view SwitchB public key local create rsa SwitchB public key local create dsa SwitchB ssh server enable Enable the SFTP server SwitchB sftp server enable Configure an IP address for VLAN interface 1 which the SSH client uses as the destination for SSH connection SwitchB i...

Page 2013: ...witch A Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 192 168 0 2 255 255 255 0 SwitchA Vlan interface1 quit Generate RSA key pairs SwitchA public key local create rsa Export the host public key to file pubkey SwitchA public key local export rsa ssh2 pubkey SwitchA quit After generating key pairs on a client y...

Page 2014: ...55 pub Add a directory named new1 and check if it has been created successfully sftp client mkdir new1 New directory created sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx...

Page 2015: ...lient quit Bye Connection closed SwitchA SFTP Server Configuration Example Network requirements As shown in Figure 2 2 an SSH connection is established between the host and the switch The host an SFTP client logs into the switch for file management and file transfer An SSH user uses password authentication with the username being client002 and the password being aabbcc The username and password ar...

Page 2016: ...e type being SSH Switch local user client002 Switch luser client002 password simple aabbcc Switch luser client002 service type ssh Switch luser client002 quit Configure the user authentication type as password and service type as SFTP Switch ssh user client002 service type sftp authentication type password 2 Configure the SFTP client z There are many kinds of SFTP client software The following tak...

Page 2017: ...2 11 Figure 2 3 SFTP client interface ...

Page 2018: ... Asymmetric Key Pair 1 2 Creating an Asymmetric Key Pair 1 2 Displaying or Exporting the Local RSA or DSA Host Public Key 1 3 Destroying an Asymmetric Key Pair 1 3 Configuring the Public Key of a Peer 1 3 Displaying and Maintaining Public Keys 1 4 Public Key Configuration Examples 1 5 Configuring the Public Key of a Peer Manually 1 5 Importing the Public Key of a Peer from a Public Key File 1 7 ...

Page 2019: ...entiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 1 1 Encryption and decryption There are two types of key algorithms based on whether the keys for encryption and decryption are the same z Symmetric key algorithm The same key is used for both encryption and decryption Commonly used symmetric key algorithms include ...

Page 2020: ...Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption decryption and signature whereas DSA is used for signature only Asymmetric key algorithms are usually used in digital signature applications for peer identity authentication because they involve complex calculations and are time consuming symmetric key algorithms are ofte...

Page 2021: ... key on the screen or export it to a specified file so as to configure the local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public key To do Use the command Remarks Enter system view system view Display the local RSA host public key on the screen in a specified format or export it to a specified file public key local export rsa op...

Page 2022: ...om a public key file z The device supports up to 20 host pubic keys of peers Follow these steps to configure the public key of a peer manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a public key of the peer Type or copy the key Required Spaces and carriage returns are allow...

Page 2023: ...ce A is configured manually on Device B Figure 1 2 Network diagram for manually configuring the public key of a peer Configuration procedure 1 Configure Device A Create RSA key pairs on Device A DeviceA system view DeviceA public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits...

Page 2024: ... DeviceB system view DeviceB public key peer devicea Public key view return to System View with peer public key end DeviceB pkey public key public key code begin Public key code view return to last view with public key code end DeviceB pkey key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003F A95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E35...

Page 2025: ...public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RSA key pairs DeviceA display public key local rsa public Time of Key pair created 09 50 06 2007 08 07 Key name HOST_KEY Key type RSA Encry...

Page 2026: ... authorization attribute level 3 DeviceB luser ftp quit 3 Upload the public key file of Device A to Device B FTP the public key file devicea pub to Device B with the file transfer mode of binary DeviceA ftp 10 1 1 2 Trying 10 1 1 2 Press CTRL K to abort Connected to 10 1 1 2 220 FTP service ready User 10 1 1 2 none ftp 331 Password required for ftp Password 230 User logged in ftp binary 200 Type s...

Page 2027: ...0030818902818100D90003FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A78 4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA 80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 ...

Page 2028: ...Configuration 2 1 Creating a Time Range 2 1 Configuring a Basic IPv4 ACL 2 2 Configuring an Advanced IPv4 ACL 2 4 Configuring an Ethernet Frame Header ACL 2 6 Copying an IPv4 ACL 2 7 Displaying and Maintaining IPv4 ACLs 2 8 IPv4 ACL Configuration Example 2 8 3 IPv6 ACL Configuration 3 1 Creating a Time Range 3 1 Configuring a Basic IPv6 ACL 3 1 Configuring an Advanced IPv6 ACL 3 3 Copying an IPv6 ...

Page 2029: ...tering can be used to efficiently prevent illegal users from accessing networks and to control network traffic and save network resources Access control lists ACL are often used to filter packets with configured matching rules ACLs are sets of rules or sets of permit or deny statements that decide what packets can pass and what should be rejected based on matching criteria such as source MAC addre...

Page 2030: ...v4 ACL This section covers these topics z IPv4 ACL Classification z IPv4 ACL Naming z IPv4 ACL Match Order z IPv4 ACL Step z Effective Period of an IPv4 ACL z IP Fragments Filtering with IPv4 ACL IPv4 ACL Classification IPv4 ACLs identified by ACL numbers fall into four categories as shown in Table 1 1 Table 1 1 IPv4 ACL categories Category ACL number Matching criteria Basic IPv4 ACL 2000 to 2999 ...

Page 2031: ...PN instance first and compare packets against the rule configured with a VPN instance 2 In case of a tie sort rules by source IP address wildcard mask and compare packets against the rule configured with more zeros in the source IP address wildcard 3 If two rules are present with the same number of zeros in their source IP address wildcards compare packets against the rule configured first prior t...

Page 2032: ...ss masks are the same compare packets against the one configured first The comparison of a packet against an ACL stops once a match is found The packet is then processed as per the rule IPv4 ACL Step Meaning of the step When defining rules in an IPv4 ACL you do not necessarily assign them numbers the system can do this automatically and the step defines the increment between two neighboring number...

Page 2033: ...ation about types of LPUs refer to the 3Com S7900E Family Getting Started Guide Introduction to IPv6 ACL This section covers these topics z IPv6 ACL Classification z IPv6 ACL Naming z IPv6 ACL Match Order z IPv6 ACL Step z Effective Period of an IPv6 ACL IPv6 ACL Classification IPv6 ACLs identified by ACL numbers fall into three categories as show in Table 1 2 Table 1 2 IPv6 ACL categories Categor...

Page 2034: ...Look at the protocol type field in the rules first A rule with no limit to the protocol type that is configured with the ipv6 keyword has the lowest precedence Rules each of which has a single specified protocol type are of the same precedence level Compare packets against the rule with the highest precedence 2 In case of a tie look at the source IPv6 address prefixes Then compare packets against ...

Page 2035: ...Configuration Procedure Follow these steps to create a time range To do Use the command Remarks Enter system view system view Create a time range time range time range name start time to end time days from time1 date1 to time2 date2 from time1 date1 to time2 date2 to time2 date2 Required Display the configuration and status of one or all time ranges display time range time range name all Optional ...

Page 2036: ...time range is from the time the configuration takes effect to the latest time that the system can express that is 24 00 12 31 2100 z Up to 256 time ranges can be defined Configuration Examples Create a periodic time range that is active from 8 00 to 18 00 every working day Sysname system view Sysname time range test 8 00 to 18 00 working day Sysname display time range test Current time is 22 17 42...

Page 2037: ...ault no IPv4 ACL description is present Create a rule description rule rule id comment text Optional By default no rule description is present Note that z You can only modify the existing rules of an ACL that uses the match order of config When modifying a rule of such an ACL you may choose to change just some of the settings in which case the other settings remain the same z You cannot create a r...

Page 2038: ...ure an advanced IPv4 ACL To do Use the command Remarks Enter system view system view Create and enter advanced IPv4 ACL view acl number acl number name acl name match order auto config Required The default match order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the acl name acl name command to enter the view of the ACL later Create or modify a rule rule rule i...

Page 2039: ...to a newly created rule will be inserted among the existing rules in the depth first match order Note that the IDs of the rules still remain the same z You can modify the match order of an ACL with the acl number acl number name acl name match order auto config command but only when it does not contain any rules z The rule specified in the rule comment command must have existed Configuration Examp...

Page 2040: ... addr dest mask lsap lsap code lsap wildcard source mac sour addr source mask time range time range name type type code type wildcard Required To create multiple rules repeat this step Note that the lsap keyword is not supported if the ACL is to be referenced by a QoS policy for traffic classification Set a rule numbering step step step value Optional The default step is 5 Create an ACL descriptio...

Page 2041: ...nt effort Copying an IPv4 ACL This feature allows you to copy an existent IPv4 ACL to generate a new one which is of the same type and has the same match order match rules rule numbering step and descriptions as the source IPv4 ACL Configuration Prerequisites Make sure that the source IPv4 ACL exists while the destination IPv4 ACL does not Configuration Procedure Follow these steps to copy an IPv4...

Page 2042: ...n any view Display information about ACL uses of a switch distributed IRF device display acl resource chassis chassis number slot slot number Available in any view Display the configuration and state of a specified or all time ranges display time range time range name all Available in any view Clear statistics about a specified or all IPv4 ACLs that are referenced by upper layer software reset acl...

Page 2043: ... source 192 168 2 0 0 0 0 255 destination 192 168 4 1 0 0 0 0 time range trname Switch acl adv 3000 quit Configure a rule to control access of the Marketing Department to the salary query server Switch acl number 3001 Switch acl adv 3001 rule deny ip source 192 168 3 0 0 0 0 255 destination 192 168 4 1 0 0 0 0 time range trname Switch acl adv 3001 quit 3 Apply the IPv4 ACL Configure class c_rd for...

Page 2044: ... Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Configure QoS policy p_market to use traffic behavior b_market for class c_market Switch qos policy p_market Switch qospolicy p_market classifier c_market behavior b_market Switch qospolicy p_market quit Apply QoS policy p_rd to interface GigabitEthernet 2 0 2 Switch interface GigabitEthernet 2 0 2 Switch GigabitEthern...

Page 2045: ...time range command first Configuration Procedure Follow these steps to configure a basic IPv6 ACL To do Use the command Remarks Enter system view system view Create and enter basic IPv6 ACL view acl ipv6 number acl6 number name acl6 name match order auto config Required The default match order is config If you specify a name for an IPv6 ACL when creating the ACL you can use the acl ipv6 name acl6 ...

Page 2046: ...le will be inserted among the existing rules in the depth first match order Note that the IDs of the rules still remain the same z You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6 number name acl6 name match order auto config command but only when it does not contain any rules z The rule specified in the rule comment command must have existed Configuration Examples Creat...

Page 2047: ...l ipv6 name acl6 name command to enter the view of the ACL later Create or modify a rule rule rule id deny permit protocol established ack ack value fin fin value psh psh value rst rst value syn syn value urg urg value destination dest dest prefix dest dest prefix any destination port operator port1 port2 dscp dscp fragment icmpv6 type icmpv6 type icmpv6 code icmpv6 message logging source source s...

Page 2048: ...he rule specified in the rule comment command must have existed Configuration Examples Create IPv6 ACL 3000 to permit the TCP packets with the source address 2030 5060 9050 64 to pass Sysname system view Sysname acl ipv6 number 3000 Sysname acl6 adv 3000 rule permit tcp source 2030 5060 9050 64 Verify the configuration Sysname acl6 adv 3000 display acl ipv6 3000 Advanced IPv6 ACL 3000 named none 1...

Page 2049: ...d IRF device display acl ipv6 acl6 number all name acl6 name chassis chassis number slot slot number Available in any view Display information about ACL uses of a switch display acl resource slot slot number Available in any view Display information about ACL uses of a switch distributed IRF device display acl resource chassis chassis number slot slot number Available in any view Display the confi...

Page 2050: ...itch classifier c_rd if match acl ipv6 2000 Switch classifier c_rd quit Configure traffic behavior b_rd to deny matching packets Switch traffic behavior b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Apply QoS p...

Page 2051: ...tion 1 3 Configuring Source MAC Address Based ARP Attack Detection 1 3 Introduction 1 3 Configuration Procedure 1 3 Displaying and Maintaining Source MAC Address Based ARP Attack Detection 1 4 Configuring ARP Packet Rate Limit 1 4 Introduction 1 4 Configuring the ARP Packet Rate Limit Function 1 4 Configuring ARP Detection 1 5 Introduction 1 5 Configuring ARP Detection Based on Specified Objects 1...

Page 2052: ...of ARP packets to bring a great impact to the CPU For details about ARP attack features and types refer to ARP Attack Protection Technology White Paper Currently ARP attacks and viruses are threatening LAN security The device can provide multiple features to detect and prevent such attacks This chapter mainly introduces these features ARP Attack Protection Configuration Task List Complete the foll...

Page 2053: ...n the following five seconds If the packets have various source addresses you can enable the ARP black hole routing function After receiving an IP packet whose destination IP address cannot be resolved by ARP the device with this function enabled immediately creates a black hole route and simply drops all packets matching the route during the aging time of the black hole route Configuring ARP Sour...

Page 2054: ...ed Disabled by default Configuring Source MAC Address Based ARP Attack Detection Introduction This feature allows the device to check the source MAC address of ARP packets If the number of ARP packets sent from a MAC address within five seconds exceeds the specified value the device considers this an attack and adds the MAC address to the attack detection table Before the attack detection entry is...

Page 2055: ... attack source mac slot slot number interface interface type interface number Available in any view Display attacking entries detected for distributed IRF devices display arp anti attack source mac chassis chassis number slot slot number interface interface type interface number Available in any view Configuring ARP Packet Rate Limit Introduction This feature allows you to limit the rate of ARP pa...

Page 2056: ...n Specified Objects With this feature configured the device permits the ARP packets received from an ARP trusted port to pass directly and checks the ARP packets received from an ARP untrusted port You can specify objects in the ARP packets to be detected The objects involve z src mac Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet head...

Page 2057: ... valid and is forwarded If an entry with a matching IP address but an unmatched MAC address is found the ARP packet is considered invalid and is discarded If no entry with a matching IP address is found the device compares the ARP packet s sender IP and MAC addresses against the DHCP snooping entries 802 1X security entries and OUI MAC addresses z If a match is found in any of the entries the ARP ...

Page 2058: ... packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled z When configuring an IP Source Guard binding entry you need to specify the VLAN otherwise no ARP packet will pass the ARP detection based on static IP Source Guard binding entries Displaying and Maintaining ARP Detection To do Use the command Remarks Display the VLANs enabled with ARP detection display arp detec...

Page 2059: ...uration procedure is omitted 4 Configure Switch B Enable DHCP snooping SwitchB system view SwitchB dhcp snooping SwitchB interface gigabitethernet 2 0 3 SwitchB gigabitethernet2 0 3 dhcp snooping trust SwitchB gigabitethernet2 0 3 quit Enable ARP detection for VLAN 10 SwitchB vlan 10 SwitchB vlan10 arp detection enable Configure the upstream port as a trusted port and the downstream ports as untru...

Page 2060: ... 1 2 configure Switch A as a DHCP server and enable 802 1X on Switch B Enable ARP detection for VLAN 10 to allow only packets from valid clients to pass Configure Host A and Host B as local 802 1X access users Figure 1 2 Network diagram for ARP detection configuration Configuration procedure 1 Add all the ports on Switch B into VLAN 10 and configure the IP address of VLAN interface 10 on Switch A ...

Page 2061: ...er test password simple test SwitchB luser test quit Enable ARP detection for VLAN 10 SwitchB vlan 10 SwitchB vlan10 arp detection enable Configure the upstream port as a trusted port and the downstream ports as untrusted ports a port is an untrusted port by default SwitchB vlan10 interface gigabitethernet 2 0 3 SwitchB gigabitethernet2 0 3 arp detection trust SwitchB gigabitethernet2 0 3 quit Aft...

Page 2062: ...i Table of Contents 1 URPF Configuration 1 1 URPF Overview 1 1 What is URPF 1 1 How URPF Works 1 1 Configuring URPF 1 2 ...

Page 2063: ... even access the system as the administrator Even if the attackers cannot receive any response packets the attacks are still disruptive to the attacked target Figure 1 1 Attack based on source address spoofing As shown in Figure 1 1 Router A originates a request to the server Router B by sending a packet with a forged source IP address of 2 2 2 1 8 and Router B sends a packet to Router C at 2 2 2 ...

Page 2064: ...lt route is not configured the packet is discarded Configuring URPF Follow these steps to configure URPF globally To do Use the command Remarks Enter system view system view Enable URPF check globally ip urpf strict Required Disabled by default After you enable the URPF function on an S7900E series Ethernet switch a half reduction of route entries may occur For relevant information refer to Table ...

Page 2065: ...fter you enable URPF z If the number of route entries on an LPU exceeds half the number of route entries that the LPU can accommodate the URPF function cannot be enabled which avoids loss of route entries and packets z For details about the route extension mode refer to Device Management Configuration in the System Volume ...

Page 2066: ...hes including a master and multiple backups on a LAN into a virtual router called VRRP group VRRP streamlines host configuration while providing high reliability This document describes z VRRP overview z IPv4 Based VRRP configuration z IPv6 Based VRRP configuration Smart Link Smart Link is a solution for active standby link redundancy backup and rapid transition in dual uplink networking This docu...

Page 2067: ...nt Packets z Setting the DelayDown Timer z Setting the Port Shutdown Mode z Configuring DLDP Authentication z Resetting DLDP State Ethernet OAM Ethernet OAM is a tool monitoring Layer 2 link status It helps network administrators manage their networks effectively This document describes z Ethernet OAM overview z Configuring Basic Ethernet OAM Functions z Configuring Link Monitoring z Enabling OAM ...

Page 2068: ...s z Track Overview z Configuring Collaboration Between the Track Module and the Detection Modules z Configuring Collaboration Between the Track Module and the Application Modules GR Overview Graceful Restart ensures the continuity of packet forwarding when a protocol restarts This document describes z Introduction to Graceful Restart z Basic Concepts in Graceful Restart z Graceful Restart Communic...

Page 2069: ...1 1 Introduction to Dual SRPU System 1 1 Dual SRPU System Configuration Task List 1 2 Ignoring Version Check of the SMB 1 2 Restarting the SMB 1 2 Manually Configuring Switchover Between the AMB and SMB 1 3 Displaying and Maintaining Dual SRPU System 1 3 ...

Page 2070: ... SMB when the device works in the IRF mode you can only use the display switchover state command to view the backup state of the main boards and other functions and commands do not take effect When configuring Dual SRPU System go to these sections for information you are interested in z Introduction to Dual SRPU System z Dual SRPU System Configuration Task List z Ignoring Version Check of the SMB ...

Page 2071: ...m from checking the version of the SMB To do Use the command Remarks Enter system view system view Ignore version check of the SMB ha slave ignore version check Required The version check of the SMB is enabled by default If the software versions of the AMB and SMB are greatly different or the software difference affects the use of the device even if the ha slave ignore version check command is con...

Page 2072: ...manual switchover between the AMB and SMB slave switchover disable enable Optional Enabled by default Manually configure switchover between the AMB and SMB slave switchover Required The original AMB will be restarted if an AMB and SMB switchover is performed Therefore ensure the consistency of the software version of the AMB and SMB before performing an AMB and SMB switchover By default if the ver...

Page 2073: ...Trap Function of VRRP 1 18 Displaying and Maintaining VRRP for IPv4 1 18 Configuring VRRP for IPv6 1 19 VRRP for IPv6 Configuration Task List 1 19 Configuring the Association Between Virtual IPv6 Address and MAC Address 1 19 Creating VRRP Group and Configuring Virtual IPv6 Address 1 20 Configuring Router Priority Preemptive Mode and Tracking Function 1 21 Configuring VF Tracking 1 22 Configuring V...

Page 2074: ...or a Layer 3 switch z At present the interfaces that VRRP involves can only be VLAN interfaces z EA boards such as LSQ1GP12EA and LSQ1TGX1EA do not support IPv6 features VRRP Overview Normally as shown in Figure 1 1 you can configure a default route with the gateway as the next hop for every host on a network segment All packets destined to other network segments are sent over the default route to...

Page 2075: ...ingle link VRRP works in one of the following two modes z Standard protocol mode Includes two versions based on RFCs VRRPv2 and VRRPv3 VRRPv2 is based on IPv4 and VRRPv3 is based on IPv6 The two versions implement the same functions but are applied in different network environments Refer to VRRP Standard Protocol Mode for details z Load balancing mode Extends the standard protocol mode and realize...

Page 2076: ...ed the IP address owner z In a VRRP group you can configure only one IP address owner z Status of a router in a VRRP group includes master backup and initialize VRRP priority VRRP determines the role master or backup of each router in the VRRP group by priority A router with a higher priority has more opportunity to become the master VRRP priority is in the range of 0 to 255 The greater the number...

Page 2077: ...cation header The router receiving the packet performs the same operation using the authentication key and MD5 algorithm and compares the result with the content in the authentication header If the results are the same the router receiving the packet considers the packet an authentic and valid VRRP packet otherwise the router considers the packet invalid On a secure network you do not need to set ...

Page 2078: ...ication data 2 IPv6 address n 0 7 15 23 31 3 A VRRP packet consists of the following fields z Version Version number of the protocol 2 for VRRPv2 and 3 for VRRPv3 z Type Type of the VRRPv2 or VRRPv3 packet Only one VRRP packet type is present that is VRRP advertisement which is represented by 1 z Virtual Rtr ID VRID Serial number of the virtual router that is serial number of the VRRP group It ran...

Page 2079: ...become the master even if the backup is configured with a higher priority z If the timer of a backup expires but the backup still does not receive any VRRP advertisement it considers that the master fails In this case the backup considers itself as the master and sends VRRP advertisements to start a new master election VRRP Tracking Tracking a specified interface The interface tracking function ex...

Page 2080: ... shown in Figure 1 5 Figure 1 5 VRRP in master backup mode At the beginning Router A is the master and therefore can forward packets to external networks whereas Router B and Router C are backups and are thus in the state of listening If Router A fails Router B and Router C elect for a new master The new master takes over the forwarding task to provide services to hosts on the LAN Load sharing You...

Page 2081: ...n each VRRP group that it will take the expected role in the group VRRP Load Balancing Mode Overview When VRRP works in the standard protocol mode only the master can forward packets and the backups are in the state of listening Although you can create multiple VRRP groups to implement load sharing among multiple routers hosts on the LAN need to be configured with different gateways thus making th...

Page 2082: ...ackup routers however do not reply the ARP requests for the IPv4 network or ND requests for the IPv6 network from the hosts Figure 1 7 Allocating virtual MAC addresses As shown in Figure 1 7 the virtual IP address of the VRRP group is 10 1 1 1 24 Router A is the master Router B and Router C are the backups Router A allocates different virtual MAC addresses to Routers A B and C Host A Host B and Ho...

Page 2083: ...the higher the weight the higher the forwarding capability When the weight is lower than a specified value which is the lower limit of failure the router will not be capable of forwarding packets for the hosts The priority of a VF decides the VF state a VF with the highest priority is in the active state and is known as the active virtual forwarder AVF which forwards packets other VFs are in the l...

Page 2084: ...dress of the AVF as their gateway MAC address cannot access the external network You can solve this problem through the VF tracking function You can monitor the uplink state by using network quality analyzer NQA and bidirectional forwarding detection BFD and establish the collaboration between the VF and the NQA or between the VF and the BFD through the tracking function When the uplink fails the ...

Page 2085: ...ress Optional When VRRP works in the load balancing mode the association between the virtual IP address and the MAC address can be configured but is not effective Configuring VRRP Working Mode Optional Creating VRRP Group and Configuring Virtual IP Address Required Configuring Router Priority Preemptive Mode and Tracking Function Optional Configuring VF Tracking Optional The VF tracking function i...

Page 2086: ...e virtual MAC address is associated with the virtual IP address by default z When VRRP works in the load balancing mode the association between the virtual IP address and the MAC address can be configured but is not effective In this mode the virtual IP address is always associated with the virtual MAC address z You should configure this function before creating a VRRP group Otherwise you cannot m...

Page 2087: ...ded to create VRRP groups on the VLAN interface of a super VLAN Otherwise network performance may be affected Configuration prerequisites Before creating a VRRP group and configuring a virtual IP address on an interface you should first configure an IP address for the interface and ensure that the virtual IP address to be configured is in the same network segment as the IP address of the interface...

Page 2088: ...such as 0 0 0 1 z Only when the configured virtual IP address and the interface IP address belong to the same segment and are legal host addresses can the VRRP group operate normally If the configured virtual IP address and the interface IP address do not belong to the same network segment or the configured IP address is the network address or network broadcast address of the network segment that ...

Page 2089: ...r removed to up the priority of the router corresponding to the interface is restored automatically z If the state of a Track object changes from negative or invalid to positive the priority of the router corresponding to the Track object is restored automatically Configuring VF Tracking Configuration prerequisites Before configuring the VF tracking function create a VRRP group and configure a vir...

Page 2090: ... VRRP Packet Attributes Configuration prerequisites Before configuring the relevant attributes of VRRP packets you should first create a VRRP group and configure a virtual IP address for it Configuration procedure Follow these steps to configure VRRP packet attributes To do Use the command Remarks Enter system view system view Enter the specified interface view interface interface type interface n...

Page 2091: ...destination For information center configurations refer to Information Center Configuration in the System Volume Follow these steps to enable the trap function of VRRP To do Use the command Remarks Enter system view system view Enable the trap function of VRRP snmp agent trap enable vrrp authfailure newmaster Optional Enabled by default For detailed description on the snmp agent trap enable vrrp c...

Page 2092: ...ciation between the IPv6 address and the MAC address and thus forward the packets to be forwarded to the other network segments to the master There are two types of association between virtual IPv6 address and MAC address z Virtual IPv6 address is associated with virtual MAC address By default a MAC address is created for a VRRP group after the VRRP group is created and the virtual IPv6 address is...

Page 2093: ... You can configure multiple virtual IPv6 addresses for a VRRP group A VRRP group is created automatically when you specify the first virtual IPv6 address for the VRRP group If you specify another virtual IPv6 address for the VRRP group later the virtual IPv6 address is added to the virtual IPv6 address list of the VRRP group It is not recommended to create VRRP groups on the VLAN interface of a su...

Page 2094: ...s collision In such a case it is recommended to modify the IPv6 address of the interface on the IP address owner to resolve the collision Configuring Router Priority Preemptive Mode and Tracking Function Configuration prerequisites Before configuring these features you should first create a VRRP group and configure a virtual IPv6 address Configuration procedure By configuring router priority preem...

Page 2095: ...m negative or invalid to positive the priority of the router corresponding to the Track object is restored automatically Configuring VF Tracking Configuration prerequisites Before configuring the VF tracking function create a VRRP group and configure a virtual IPv6 address for it Configuration procedure VRRP works in load balancing mode Suppose that the VF is configured to monitor the Track object...

Page 2096: ...RP packet attributes To do Use the command Remarks Enter system view system view Enter the specified interface view interface interface type interface number Configure the authentication mode and authentication key when the VRRP groups send or receive VRRP packets vrrp ipv6 vrid virtual router id authentication mode simple key Optional Authentication is not performed by default Configure the time ...

Page 2097: ...ngle VRRP Group Configuration Example Network requirements z Host A needs to access Host B on the Internet using 202 38 160 111 24 as its default gateway z Switch A and Switch B belong to VRRP group 1 with the virtual IP address of 202 38 160 111 24 z If Switch A operates normally packets sent from Host A to Host B are forwarded by Switch A if Switch A fails packets sent from Host A to Host B are ...

Page 2098: ... 160 111 SwitchB Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set Switch B to work in preemptive mode The preemption delay is five seconds SwitchB Vlan interface2 vrrp vrid 1 preempt mode timer delay 5 3 Verify the configuration After the configuration Host B can be pinged through on Host A You can use the display vrrp verbose command to verify the configuration Display detailed informati...

Page 2099: ...dard Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status Up State Master Config Pri 100 Running Pri 100 Preempt Mode Yes Delay Time 5 Auth Type None Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 2 The above information indicates that if Switch A fails Switch B becomes the master and packets sent from Host ...

Page 2100: ... 111 Configure the priority of Switch A in the VRRP group to 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 Configure the authentication mode of the VRRP group as simple and authentication key as hello SwitchA Vlan interface2 vrrp vrid 1 authentication mode simple hello Set the interval for Master to send VRRP advertisement to five seconds SwitchA Vlan interface2 vrrp vrid 1 timer advertise ...

Page 2101: ...ng Pri 110 Preempt Mode Yes Delay Time 0 Auth Type Simple Key hello Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 1 VRRP Track Information Track Interface Vlan3 State Up Pri Reduced 30 Display detailed information of VRRP group 1 on Switch B SwitchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Mode Standard Run Method Virtual MAC Total number of vir...

Page 2102: ...erface2 VRID 1 Adver Timer 5 Admin Status Up State Master Config Pri 100 Running Pri 100 Preempt Mode Yes Delay Time 0 Auth Type Simple Key hello Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 2 The above information indicates that if VLAN interface 3 on Switch A is not available the priority of Switch A is reduced to 80 and it becomes the backup Switch B becomes the mas...

Page 2103: ... vlan 2 SwitchA vlan2 port gigabitethernet 2 0 5 SwitchA vlan2 quit SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 202 38 160 1 255 255 255 128 Create a VRRP group 1 and set its virtual IP address to 202 38 160 100 SwitchA Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 100 Configure the priority of Switch A in VRRP group 1 as 110 SwitchA Vlan interface2 vrrp vrid 1 priori...

Page 2104: ...up 2 to 110 SwitchB Vlan interface3 vrrp vrid 2 priority 110 3 Verify the configuration You can use the display vrrp verbose command to verify the configuration Display detailed information of the VRRP group on Switch A SwitchA Vlan interface3 display vrrp verbose IPv4 Standby Information Run Mode Standard Run Method Virtual MAC Total number of virtual routers 2 Interface Vlan interface2 VRID 1 Ad...

Page 2105: ...witch A is the master Switch B is the backup and hosts with the default gateway of 202 38 160 100 25 accesses the Internet through Switch A in VRRP group 2 Switch A is the backup Switch B is the master and hosts with the default gateway of 202 38 160 200 25 accesses the Internet through Switch B VRRP Load Balancing Mode Configuration Example Network requirements z Switch A Switch B and Switch C be...

Page 2106: ...irtual IP address as 10 1 1 1 SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 10 1 1 2 24 SwitchA Vlan interface2 vrrp vrid 1 virtual ip 10 1 1 1 Set the priority of Switch A in VRRP group 1 to 120 SwitchA Vlan interface2 vrrp vrid 1 priority 120 Set Switch A to work in preemptive mode The preemption delay is five seconds SwitchA Vlan interface2 vrrp vrid 1 preempt mode timer...

Page 2107: ...RRP group 1 and configure its virtual IP address as 10 1 1 1 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ip address 10 1 1 4 24 SwitchC Vlan interface2 vrrp vrid 1 virtual ip 10 1 1 1 Set Switch C to work in preemptive mode The preemption delay is five seconds SwitchC Vlan interface2 vrrp vrid 1 preempt mode timer delay 5 4 Verify the configuration After the configuration Host A can...

Page 2108: ...chB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Mode Load Balance Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status Up State Backup Config Pri 110 Running Pri 110 Preempt Mode Yes Delay Time 5 Auth Type None Virtual IP 10 1 1 1 Master IP 10 1 1 2 Forwarder Information 3 Forwarders 1 Active Config Weight 255 Ru...

Page 2109: ... Auth Type None Virtual IP 10 1 1 1 Master IP 10 1 1 2 Forwarder Information 3 Forwarders 1 Active Config Weight 255 Running Weight 255 Forwarder 01 State Listening Virtual MAC 000f e2ff 0011 Learnt Owner ID 0000 5e01 1101 Priority 127 Active 10 1 1 2 Forwarder 02 State Listening Virtual MAC 000f e2ff 0012 Learnt Owner ID 0000 5e01 1103 Priority 127 Active 10 1 1 3 Forwarder 03 State Active Virtua...

Page 2110: ...C 000f e2ff 0011 Take Over Owner ID 0000 5e01 1101 Priority 85 Active local Redirect Time 577 secs Time out Time 1777 secs Forwarder 02 State Listening Virtual MAC 000f e2ff 0012 Learnt Owner ID 0000 5e01 1103 Priority 85 Active 10 1 1 3 Forwarder 03 State Active Virtual MAC 000f e2ff 0013 Owner Owner ID 0000 5e01 1105 Priority 255 Active local The above information indicates that if Switch A fail...

Page 2111: ...lan int2 FE80 1 1 1 64 Vlan int2 FE80 2 1 2 64 Host B Gateway 1 10 64 Internet Configuration procedure 1 Configure Switch A Configure VLAN 2 SwitchA system view SwitchA ipv6 SwitchA vlan 2 SwitchA vlan2 port gigabitethernet 2 0 5 SwitchA vlan2 quit SwitchA interface vlan interface 2 SwitchA Vlan interface2 ipv6 address fe80 1 link local SwitchA Vlan interface2 ipv6 address 1 1 64 Create a VRRP gro...

Page 2112: ...imer delay 5 Enable Switch B to send RA messages SwitchB Vlan interface2 vrrp ipv6 vrid 1 preempt mode timer delay 5 3 Verify the configuration After the configuration Host B can be pinged through on Host A You can use the display vrrp ipv6 verbose command to verify the configuration Display detailed information of VRRP group 1 on Switch A SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Sta...

Page 2113: ...Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status Up State Master Config Pri 100 Running Pri 100 Preempt Mode Yes Delay Time 5 Auth Type None Virtual IP FE80 10 1 10 Virtual MAC 0000 5e00 0201 Master IP FE80 2 The above information indicates that if Switch A fails Switch B becomes the master and packets sent from Host A to Host B...

Page 2114: ... 1 virtual ip fe80 10 link local SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip 1 10 Set the priority of Switch A in VRRP group 1 to 110 SwitchA Vlan interface2 vrrp ipv6 vrid 1 priority 110 Set the authentication mode for VRRP group 1 to simple and authentication key to hello SwitchA Vlan interface2 vrrp ipv6 vrid 1 authentication mode simple hello Set the VRRP advertisement interval to 500 ...

Page 2115: ... preemption delay is five seconds SwitchB Vlan interface2 vrrp ipv6 vrid 1 preempt mode timer delay 5 Enable Switch B to send RA messages SwitchB Vlan interface2 undo ipv6 nd ra halt 3 Verify the configuration After the configuration Host B can be pinged through on Host A You can use the display vrrp ipv6 verbose command to verify the configuration Display detailed information of VRRP group 1 on S...

Page 2116: ...ch A is not available the detailed information of VRRP group 1 on Switch A is displayed SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Mode Standard Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 500 Admin Status Up State Backup Config Pri 110 Running Pri 80 Preempt Mode Yes Delay Time 5 Auth Type Simple Key hel...

Page 2117: ...nd Switch B belong to both VRRP group 1 and VRRP group 2 The virtual IPv6 addresses of VRRP group 1 are 1 10 64 and FE80 10 and those of VRRP group 2 are 2 10 64 and FE90 10 z In VRRP group 1 Switch A has a higher priority than Switch B In VRRP group 2 Switch B has a higher priority than Switch A In this case hosts in VLAN 1 and VLAN can communicate with the outside through Switch A and Switch B r...

Page 2118: ... fe90 1 link local SwitchA Vlan interface3 ipv6 address 2 1 64 Create VRRP group 2 and set its virtual IPv6 addresses to FE90 10 and 2 10 SwitchA Vlan interface3 vrrp ipv6 vrid 2 virtual ip fe90 10 link local SwitchA Vlan interface3 vrrp ipv6 vrid 2 virtual ip 2 10 Enable Switch A to send RA messages SwitchA Vlan interface2 undo ipv6 nd ra halt 2 Configure Switch B Configure VLAN 2 SwitchB system ...

Page 2119: ... vrrp ipv6 verbose command to verify the configuration Display detailed information of the VRRP group on Switch A SwitchA Vlan interface3 display vrrp ipv6 verbose IPv6 Standby Information Run Mode Standard Run Method Virtual MAC Total number of virtual routers 2 Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status Up State Master Config Pri 110 Running Pri 110 Preempt Mode Yes Delay Time...

Page 2120: ...gh Switch A in VRRP group 2 Switch A is the backup Switch B is the master and hosts with the default gateway of 2 10 64 accesses the Internet through Switch B Multiple VRRP groups are commonly used in actual networking In IPv6 network to implement load sharing among multiple VRRP groups you need to manually configure the default gateway for hosts VRRP Load Balancing Mode Configuration Example Netw...

Page 2121: ...witchA interface vlan interface 2 SwitchA Vlan interface2 ipv6 address fe80 1 link local SwitchA Vlan interface2 ipv6 address 1 1 64 SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Set the priority of Switch A in VRRP group 1 to 120 SwitchA Vlan interface2 vrrp ipv6 vrid 1 priority 120 Set Switch A to work in preemptive mode The preemption delay is five seconds SwitchA Vlan ...

Page 2122: ...N 2 SwitchC system view SwitchC vlan 2 SwitchC vlan2 port gigabitethernet 2 0 5 SwitchC vlan2 quit Configure VRRP to work in the load balancing mode SwitchC vrrp mode load balance Create VRRP group 1 and configure its virtual IPv6 address as FE80 10 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ipv6 address fe80 3 link local SwitchC Vlan interface2 ipv6 address 1 3 64 SwitchC Vlan int...

Page 2123: ...f e2ff 4012 Learnt Owner ID 0000 5e01 1103 Priority 127 Active FE80 2 Forwarder 03 State Listening Virtual MAC 000f e2ff 4013 Learnt Owner ID 0000 5e01 1105 Priority 127 Active FE80 3 Display detailed information of VRRP group 1 on Switch B SwitchB Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Mode Load Balance Run Method Virtual MAC Total number of virtual routers 1 Inter...

Page 2124: ...splay vrrp ipv6 verbose IPv6 Standby Information Run Mode Load Balance Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status Up State Backup Config Pri 100 Running Pri 100 Preempt Mode Yes Delay Time 5 Auth Type None Virtual IP FE80 10 Master IP FE80 1 Forwarder Information 3 Forwarders 1 Active Config Weight 255 Running Weight 255 F...

Page 2125: ...e Load Balance Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status Up State Backup Config Pri 100 Running Pri 100 Preempt Mode Yes Delay Time 5 Auth Type None Virtual IP FE80 10 Master IP FE80 2 Forwarder Information 3 Forwarders 2 Active Config Weight 255 Running Weight 255 Forwarder 01 State Active Virtual MAC 000f e2ff 4011 Take...

Page 2126: ...on technical measures Symptom 2 Multiple masters are present in the same VRRP group Analysis z Multiple masters coexist for a short period This is normal and requires no manual intervention z Multiple masters coexist for a long period This is because devices in the VRRP group cannot receive VRRP packets or the received VRRP packets are illegal Solution Ping between these masters and do the followi...

Page 2127: ...nfiguring Role Preemption for a Smart Link Group 1 7 Enabling the Sending of Flush Messages 1 8 Configuring the Collaboration Between Smart Link and CC of CFD 1 8 Smart Link Device Configuration Example 1 9 Configuring an Associated Device 1 9 Enabling the Receiving of Flush Messages 1 9 Associated Device Configuration Example 1 10 Displaying and Maintaining Smart Link 1 10 Smart Link Configuratio...

Page 2128: ...vice connects to two different upstream devices as shown in Figure 1 1 Figure 1 1 Diagram for a dual uplink network GE2 0 1 GE2 0 2 GE2 0 1 GE2 0 1 GE2 0 2 GE2 0 2 A dual uplink network demonstrates high reliability but it may contain network loops In most cases Spanning Tree Protocol STP or Rapid Ring Protection Protocol RRPP is used to remove network loops The problem with STP however is that ST...

Page 2129: ...ach form a smart link group with GE2 0 1 being active and GE2 0 2 being standby Master slave port Master port and slave port are two port roles in a smart link group When both ports in a smart link group are up the master port preferentially transits to the forwarding state while the slave port stays in the standby state Once the master port fails the slave port takes over to forward traffic As sh...

Page 2130: ...ange z To keep traffic forwarding stable the master port that has been blocked due to link failure does not take over immediately upon its recovery Instead link switchover will occur at next link switchover Topology change mechanism As link switchover can outdate the MAC address forwarding entries and ARP ND entries on all devices you need a forwarding entry update mechanism to ensure proper trans...

Page 2131: ...ink status smart link ports need to use link detection protocols When a fault is detected or cleared the link detection protocols inform Smart Link to switch over the links With the collaboration between Smart Link and the Continuity Check CC function of Connectivity Fault Detection CFD configured CFD notifies the ports of fault detection events on the basis of detection VLANs and detection ports ...

Page 2132: ...t link group and make sure that the ports are not member ports of any aggregation group or service loopback group A loop may occur on the network during the time when STP is disabled but Smart Link has not yet taken effect on a port Configuring Protected VLANs for a Smart Link Group Follow these steps to configure the protected VLANs for a smart link group To do Use the command Remarks Enter syste...

Page 2133: ...ure member ports for a smart link group in interface view To do Use the command Remarks Enter system view system view Enter Ethernet interface view or layer 2 aggregate interface view interface interface type interface number Configure member ports for a smart link group port smart link group group id master slave Required Configuring Role Preemption for a Smart Link Group Follow these steps to co...

Page 2134: ...ot remove the control VLAN Otherwise flush messages cannot be sent properly Configuring the Collaboration Between Smart Link and CC of CFD Follow these steps to configure the collaboration between Smart Link and the CC function of CFD on a smart link member port To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Confi...

Page 2135: ... undo stp enable Sysname GigabitEthernet2 0 2 port link type trunk Sysname GigabitEthernet2 0 2 port trunk permit vlan 20 Sysname GigabitEthernet2 0 2 quit Sysname smart link group 1 Sysname smlk group1 protected vlan reference instance 0 to 8 Sysname smlk group1 port gigabitethernet 2 0 1 master Sysname smlk group1 port gigabitethernet 2 0 2 slave Sysname smlk group1 flush enable control vlan 20 ...

Page 2136: ...ges directly without any processing z Do not remove the control VLANs Otherwise flush messages cannot be sent properly z Make sure that the control VLANs are existing VLANs and assign the ports capable of receiving flush messages to the control VLANs Associated Device Configuration Example Network requirements Configure GigabitEthernet 2 0 1 to receive and process flush messages in VLAN 20 Configu...

Page 2137: ... Configure Smart Link on the devices for dual uplink backup using VLAN 1 the default for flush update Figure 1 2 Single smart link group configuration Configuration procedure 1 Configuration on Device C Create VLANs 1 through 30 map VLANs 1 through 10 VLANs 11 through 20 and VLANs 21 through 30 to MSTI 0 MSTI 1 and MSTI 2 respectively and activate the MST region configuration DeviceC system view D...

Page 2138: ...port gigabitethernet 2 0 2 slave Enable flush message sending in smart link group 1 DeviceC smlk group1 flush enable DeviceC smlk group1 quit 2 Configuration on Device D Create VLANs 1 through 30 map VLANs 1 through 10 VLANs 11 through 20 and VLANs 21 through 30 to MSTI 0 MSTI 1 and MSTI 2 respectively and activate the MST region configuration DeviceD system view DeviceD vlan 1 to 30 DeviceD stp r...

Page 2139: ...viceB GigabitEthernet2 0 1 port trunk permit vlan 1 to 30 DeviceB GigabitEthernet2 0 1 smart link flush enable DeviceB GigabitEthernet2 0 1 quit DeviceB interface gigabitethernet 2 0 2 DeviceB GigabitEthernet2 0 2 port link type trunk DeviceB GigabitEthernet2 0 2 port trunk permit vlan 1 to 30 DeviceB GigabitEthernet2 0 2 smart link flush enable DeviceB GigabitEthernet2 0 2 quit DeviceB interface ...

Page 2140: ... to 30 DeviceA GigabitEthernet2 0 1 smart link flush enable DeviceA GigabitEthernet2 0 1 quit DeviceA interface gigabitethernet 2 0 2 DeviceA GigabitEthernet2 0 2 port link type trunk DeviceA GigabitEthernet2 0 2 port trunk permit vlan 1 to 30 DeviceA GigabitEthernet2 0 2 smart link flush enable DeviceA GigabitEthernet2 0 2 quit 6 Verifying the configurations You can use the display smart link gro...

Page 2141: ...roup 1 references MSTI 0 and smart link group 2 references MSTI 2 z The control VLAN of smart link group 1 is VLAN 10 and that of smart link group 2 is VLAN 101 Figure 1 3 Multiple smart link groups load sharing configuration Device A Device D Device B GE2 0 1 GE2 0 2 GE2 0 1 GE2 0 1 GE2 0 2 GE2 0 2 Device C GE2 0 1 GE2 0 2 Configuration procedure 1 Configuration on Device C Create VLAN 1 through ...

Page 2142: ...mlk group 1 flush enable control vlan 10 DeviceC smlk group 1 quit Create smart link group 2 and configure all VLANs mapped to MSTI 2 as the protected VLANs for smart link group 2 DeviceC smart link group 2 DeviceC smlk group2 protected vlan reference instance 2 Configure GigabitEthernet 2 0 1 as the slave port and GigabitEthernet 2 0 2 as the master port for smart link group 2 DeviceC smlk group2...

Page 2143: ...gigabitethernet 2 0 2 DeviceD GigabitEthernet2 0 2 port link type trunk DeviceD GigabitEthernet2 0 2 port trunk permit vlan 1 to 200 DeviceD GigabitEthernet2 0 2 smart link flush enable control vlan 10 101 DeviceD GigabitEthernet2 0 2 quit 4 Configuration on Device A Create VLAN 1 through VLAN 200 DeviceA system view DeviceA vlan 1 to 200 Configure GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 a...

Page 2144: ...e ROLE Control VLAN 101 Protected VLAN Reference Instance 2 Member Role State Flush count Last flush time GigabitEthernet2 0 2 MASTER ACTVIE 5 16 37 20 2009 02 21 GigabitEthernet2 0 1 SLAVE STANDBY 1 17 45 20 2009 02 21 You can use the display smart link flush command to display the flush messages received on each device For example Display the flush messages received on Device B DeviceB display s...

Page 2145: ...ew 1 1 Terminology 1 1 How Monitor Link Works 1 1 Configuring Monitor Link 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Monitor Link Configuration Example 1 2 Displaying and Maintaining Monitor Link 1 3 Monitor Link Configuration Example 1 3 ...

Page 2146: ... port can be assigned to only one monitor link group Both Layer 2 Ethernet ports and Layer 2 aggregate interfaces can be assigned to a monitor link group Uplink The uplink is the link monitored by the monitor link group The monitor link group is down when the group has no uplink ports or all uplink ports are down The monitor link group is up when any uplink port is up Downlink The downlink is the ...

Page 2147: ...ch Repeat this step to add more uplink ports In monitor link group view port interface type interface number downlink Configure the downlink for the monitor link group In Ethernet port view or Layer 2 aggregate interface view port monitor link group group id downlink Use either approach Repeat this step to add more downlink ports z A port can be assigned to only one monitor link group z You are re...

Page 2148: ... can sense the link failure and perform link switchover in the smart link group For detailed information about smart link refer to Smart Link Configuration in the High Availability Volume Figure 1 1 Network diagram for smart link in combination with monitor link configuration Device A Device B Device C Device D GE2 0 1 GE2 0 2 GE2 0 1 GE2 0 2 GE2 0 1 GE2 0 2 GE2 0 1 GE2 0 2 Configuration procedure...

Page 2149: ...eA interface gigabitethernet 2 0 2 DeviceA GigabitEthernet2 0 2 smart link flush enable 3 Configuration on Device B Create monitor link group 1 DeviceB system view DeviceB monitor link group 1 Configure GigabitEthernet 2 0 1 as an uplink port and GigabitEthernet 2 0 2 as a downlink port for monitor link group 1 DeviceB mtlk group1 port gigabitethernet 2 0 1 uplink DeviceB mtlk group1 port gigabite...

Page 2150: ...Ethernet 2 0 1 and GigabitEthernet 2 0 2 separately DeviceD interface gigabitethernet 2 0 1 DeviceD GigabitEthernet2 0 1 smart link flush enable DeviceD GigabitEthernet2 0 1 quit DeviceD interface gigabitethernet 2 0 2 DeviceD GigabitEthernet2 0 2 smart link flush enable ...

Page 2151: ...RRPP Rings 1 13 Configuring RRPP Ports 1 13 Configuring RRPP Nodes 1 14 Activating an RRPP Domain 1 16 Configuring RRPP Timers 1 16 Configuring RRPP Fast Detection 1 17 Enabling Fast Detection 1 17 Configuring Fast Detection Timers 1 18 Configuring an RRPP Ring Group 1 18 Displaying and Maintaining RRPP 1 19 RRPP Configuration Examples 1 19 Single Ring Configuration Example 1 19 Intersecting Ring ...

Page 2152: ... IEEE spanning tree protocols RRPP features the following z Fast topology convergence z Convergence time independent of Ethernet ring size Background Metropolitan area networks MANs and enterprise networks usually use the ring structure to improve reliability However services will be interrupted if any node in the ring network fails A ring network usually uses Resilient Packet Ring RPR or Ethernet...

Page 2153: ...one of the following two states z Health state All the physical links on the Ethernet ring are connected z Disconnect state Some physical links on the Ethernet ring are broken As shown in Figure 1 1 Domain 1 contains two RRPP rings Ring 1 and Ring 2 The level of Ring 1 is set to 0 that is Ring 1 is configured as the primary ring the level of Ring 2 is set to 1 that is Ring 2 is configured as a sub...

Page 2154: ...o detect the integrity of the primary ring and perform loop guard As shown in Figure 1 1 Ring 1 is the primary ring and Ring 2 is a subring Device A is the master node of Ring 1 Device B Device C and Device D are the transit nodes of Ring 1 Device E is the master node of Ring 2 Device B is the edge node of Ring 2 and Device C is the assistant edge node of Ring 2 Primary port and secondary port Eac...

Page 2155: ...an edge node RRPP ring group is allowed to send Edge Hello packets RRPPDUs Table 1 1 shows the types of RRPPDUs and their functions Table 1 1 RRPPDU types and their functions Type Description Hello The master node initiates Hello packets to detect the integrity of a ring in a network Fast Hello The master node initiates Fast Hello packets to fast detect the integrity of a ring in a network Link Do...

Page 2156: ...specifies the maximum delay between the master node sending Fast Hello packets out the primary port and the secondary port receiving the Fast Hello packets from the primary port If the secondary port receives the Fast Hello packets sent by the local master node before the Fast Fail timer expires the entire ring is in Health state Otherwise the ring transits into Disconnect state In an RRPP domain ...

Page 2157: ...T failure As shown in Figure 1 5 Ring 1 is the primary ring and Ring 2 and Ring 3 are subrings When the two SRPTs between the edge node and the assistant edge node are down the master nodes of Ring 2 and Ring 3 will open their respective secondary ports and thus a loop among Device B Device C Device E and Device F is generated As a result broadcast storm occurs In this case to prevent generating t...

Page 2158: ...level convergence To address this problem a fast detection mechanism was introduced The mechanism works as follows z The master node sends Fast Hello packets out its primary port at the interval specified by the Fast Hello timer If the secondary port receives the Fast Hello packets sent by the local master node before the Fast Fail timer expires the entire ring is in Health state otherwise the rin...

Page 2159: ...n rings In this case you need to define an RRPP domain for each ring Figure 1 3 Schematic diagram for a tangent ring network Intersecting rings As shown in Figure 1 4 there are two or more rings in the network topology and two common nodes between rings In this case you only need to define an RRPP domain and configure one ring as the primary ring and the other rings as subrings ...

Page 2160: ...m for a dual homed ring network Single ring load balancing In a single ring network you can achieve load balancing by configuring multiple domains As shown in Figure 1 6 Ring 1 is configured as the primary ring of both Domain 1 and Domain 2 Domain 1 and Domain 2 are configured with different protected VLANs In Domain 1 Device A is configured as the master node of Ring 1 in Domain 2 Device B is con...

Page 2161: ...2 Device E is configured as the master node of Ring 2 in both Domain 1 and Domain 2 However different ports on Device E are blocked in Domain 1 and Domain 2 With the configurations you can enable traffic of different VLANs to travel over different paths in the subring and primary ring thus achieving intersecting ring load balancing Figure 1 7 Schematic diagram for an intersecting ring load balanci...

Page 2162: ... Fast Detection Optional Perform this task on the master node edge node and assistant edge node in the RRPP domain Configuring RRPP Fast Detection Configuring Fast Detection Timers Optional Perform this task on the master node in the RRPP domain Configuring an RRPP Ring Group Optional Perform this task on the edge node and assistant edge node in the RRPP domain z RRPP does not have an auto electio...

Page 2163: ...of RRPPDUs do not enable QinQ or VLAN mapping on the control VLANs z To ensure that RRPPDUs can be sent and received correctly do not configure the default VLAN of a port accessing an RRPP ring as the primary control VLAN or the secondary control VLAN z To transparently transmit RRPPDUs on a device not configured with RRPP you must ensure only the two ports connecting the device to the RRPP ring p...

Page 2164: ...orts that is ports connecting devices to an RRPP ring must be Layer 2 Ethernet ports Layer 2 GE ports Layer 2 XGE ports or Layer 2 aggregate interfaces and cannot be member ports of any aggregation group service loopback group or smart link group z After configuring a Layer 2 aggregate interface as an RRPP port you can still assign ports to or remove ports from the aggregation group corresponding ...

Page 2165: ... You are recommended to use the link delay command to enable link status rapid report function on an RRPP port by setting the link delay of the port to 0 to accelerate topology convergence For detailed information about the link delay command refer to Ethernet Port Commands in the Access Volume Configuring RRPP Nodes z The maximum number of rings that can be configured on a device in all RRPP doma...

Page 2166: ...n configuring an edge node you must first configure the primary ring before configuring the subrings Perform this configuration on a device to be configured as an edge node Follow these steps to specify an edge node To do Use the command Remarks Enter system view system view Enter RRPP domain view rrpp domain domain id Specify the current device as a transit node of the primary ring and specify th...

Page 2167: ...omain on the current device Perform this operation on all nodes in the RRPP domain Follow these steps to activate an RRPP domain To do Use the command Remarks Enter system view system view Enable RRPP rrpp enable Required Disabled by default Enter RRPP domain view rrpp domain domain id Enable the specified RRPP ring ring ring id enable Required Disabled by default On an edge node or assistant edge...

Page 2168: ...value of the master node of the subring Configuring RRPP Fast Detection The S7900E series Ethernet switches support RRPP fast detection only after SD or EB cards are mounted in them Enabling Fast Detection Perform this configuration on the master node edge node and assistant edge node in the RRPP domain to be configured Follow these steps to enable fast detection To do Use the command Remarks Ente...

Page 2169: ...er than 600ms and the difference between the Fast Fail timer value on the master node of the subring and that on the master node of the primary ring is greater than twice the Fast Hello timer value of the master node of the subring Configuring an RRPP Ring Group To reduce Edge Hello traffic you can adopt the RRPP ring group mechanism that is assign subrings with the same edge node assistant edge n...

Page 2170: ...aining RRPP To do Use the command Remarks Display brief RRPP information display rrpp brief Display RRPP group configuration information display rrpp ring group ring group id Display detailed RRPP information display rrpp verbose domain domain id ring ring id Display RRPP statistics display rrpp statistics domain domain id ring ring id Available in any view Clear RRPP statistics reset rrpp statist...

Page 2171: ... 2 link delay 0 DeviceA GigabitEthernet2 0 2 undo stp enable DeviceA GigabitEthernet2 0 2 port link type trunk DeviceA GigabitEthernet2 0 2 port trunk permit vlan all DeviceA GigabitEthernet2 0 2 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN of RRPP domain 1 and configure the VLANs mapped to MSTIs 0 through 31 as the protected VLANs of RRPP domain 1 DeviceA rrpp domain ...

Page 2172: ...of RRPP domain 1 and configure the VLANs mapped to MSTIs 0 through 31 as the protected VLANs of RRPP domain 1 DeviceB rrpp domain 1 DeviceB rrpp domain1 control vlan 4092 DeviceB rrpp domain1 protected vlan reference instance 0 to 31 Configure Device B as the transit node of primary ring 1 with GigabitEthernet 2 0 1 as the primary port and GigabitEthernet 2 0 2 as the secondary port and enable rin...

Page 2173: ...2 0 3 is the edge port z Device D is the transit node of primary ring 1 GigabitEthernet 2 0 1 is the primary port and GigabitEthernet 2 0 2 is the secondary port Figure 1 9 Network diagram for intersecting rings configuration Configuration procedure 1 Configuration on Device A Configure the suppression time of physical link state changes on GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 as zero d...

Page 2174: ... 1 DeviceB GigabitEthernet2 0 1 link delay 0 DeviceB GigabitEthernet2 0 1 undo stp enable DeviceB GigabitEthernet2 0 1 port link type trunk DeviceB GigabitEthernet2 0 1 port trunk permit vlan all DeviceB GigabitEthernet2 0 1 quit DeviceB interface gigabitethernet 2 0 2 DeviceB GigabitEthernet2 0 2 link delay 0 DeviceB GigabitEthernet2 0 2 undo stp enable DeviceB GigabitEthernet2 0 2 port link type...

Page 2175: ...abitEthernet2 0 2 link delay 0 DeviceC GigabitEthernet2 0 2 undo stp enable DeviceC GigabitEthernet2 0 2 port link type trunk DeviceC GigabitEthernet2 0 2 port trunk permit vlan all DeviceC GigabitEthernet2 0 2 quit DeviceC interface gigabitethernet 2 0 3 DeviceC GigabitEthernet2 0 3 link delay 0 DeviceC GigabitEthernet2 0 3 undo stp enable DeviceC GigabitEthernet2 0 3 port link type trunk DeviceC...

Page 2176: ... GigabitEthernet2 0 2 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN of RRPP domain 1 and configure VLANs mapped to MSTIs 0 through 31 as the protected VLANs of RRPP domain 1 DeviceD rrpp domain 1 DeviceD rrpp domain1 control vlan 4092 DeviceD rrpp domain1 protected vlan reference instance 0 to 31 Configure Device D as the transit node of primary ring 1 with GigabitEther...

Page 2177: ...guration and operational information on each device Intersecting Ring Load Balancing Configuration Example Networking requirements z Device A Device B Device C Device D and Device F constitute RRPP domain 1 and VLAN 100 is the primary control VLAN of the RRPP domain Device A is the master node of the primary ring Ring 1 Device D is the transit node of the primary ring Ring 1 Device F is the master...

Page 2178: ... region quit Configure the suppression time of physical link state changes on GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 as zero disable STP configure the two ports as trunk ports remove them from VLAN 1 and assign them to VLAN 10 and VLAN 20 DeviceA interface gigabitethernet 2 0 1 DeviceA GigabitEthernet2 0 1 link delay 0 DeviceA GigabitEthernet2 0 1 undo stp enable DeviceA GigabitEthernet2 ...

Page 2179: ... protected VLAN of RRPP domain 2 DeviceA rrpp domain 2 DeviceA rrpp domain2 control vlan 105 DeviceA rrpp domain2 protected vlan reference instance 2 Configure Device A as the master node of primary ring 1 with GigabitEthernet 2 0 2 as the master port and GigabitEthernet 2 0 1 as the secondary port and enable ring 1 DeviceA rrpp domain2 ring 1 node mode master primary port gigabitethernet 2 0 2 se...

Page 2180: ...quit Configure the suppression time of physical link state changes on GigabitEthernet 2 0 4 as zero disable STP configure the port as a trunk port remove it from VLAN 1 and assign it to VLAN 10 DeviceB interface gigabitethernet 2 0 4 DeviceB GigabitEthernet2 0 4 link delay 0 DeviceB GigabitEthernet2 0 4 undo stp enable DeviceB GigabitEthernet2 0 4 port link type trunk DeviceB GigabitEthernet2 0 4 ...

Page 2181: ...n2 ring 2 enable DeviceC rrpp domain2 quit Enable RRPP DeviceB rrpp enable 3 Configuration on Device C Create VLANs 10 and 20 map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2 and activate MST region configuration DeviceC system view DeviceC vlan 10 DeviceC vlan10 quit DeviceC vlan 20 DeviceC vlan20 quit DeviceC stp region configuration DeviceC mst region instance 1 vlan 10 DeviceC mst region instance 2...

Page 2182: ...runk DeviceC GigabitEthernet2 0 4 undo port trunk permit vlan 1 DeviceC GigabitEthernet2 0 4 port trunk permit vlan 10 DeviceC GigabitEthernet2 0 4 quit Create RRPP domain 1 configure VLAN 10 as the primary control VLAN of RRPP domain 1 and configure the VLAN mapped to MSTI 1 as the protected VLAN of RRPP domain 1 DeviceC rrpp domain 1 DeviceC rrpp domain1 control vlan 100 DeviceC rrpp domain1 pro...

Page 2183: ... instance 2 vlan 20 DeviceD mst region active region configuration DeviceD mst region quit Configure the suppression time of physical link state changes on GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 as zero disable STP configure the two ports as trunk ports remove them from VLAN 1 and assign them to VLAN 10 and VLAN 20 DeviceD interface gigabitethernet 2 0 1 DeviceD GigabitEthernet2 0 1 link ...

Page 2184: ...ary port gigabitethernet 2 0 1 secondary port gigabitethernet 2 0 2 level 0 DeviceD rrpp domain2 ring 1 enable DeviceD rrpp domain2 quit Enable RRPP DeviceD rrpp enable 5 Configuration on Device E Create VLAN 20 map VLAN 20 to MSTI 2 and activate MST region configuration DeviceE system view DeviceE vlan 20 DeviceE vlan20 quit DeviceE stp region configuration DeviceE mst region instance 2 vlan 20 D...

Page 2185: ...10 quit DeviceF stp region configuration DeviceF mst region instance 1 vlan 10 DeviceF mst region active region configuration DeviceF mst region quit Configure the suppression time of physical link state changes on GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 as zero disable STP configure the two ports as trunk ports remove them from VLAN 1 and assign them to VLAN 10 DeviceF interface gigabitet...

Page 2186: ...1 ring 3 Create RRPP ring group 1 on Device C and add subrings 2 and 3 to the RRPP ring group DeviceC rrpp ring group 1 DeviceC rrpp ring group1 domain 2 ring 2 DeviceC rrpp ring group1 domain 1 ring 3 8 Verification After the configuration you can use the display command to view RRPP configuration and operational information on each device Fast Detection Configuration Example Network requirements...

Page 2187: ... 2 undo stp enable DeviceA GigabitEthernet2 0 2 port link type trunk DeviceA GigabitEthernet2 0 2 port trunk permit vlan all DeviceA GigabitEthernet2 0 2 quit Create RRPP domain 1 configure VLAN 4092 as the primary VLAN of RPPP domain 1 and configure the VLANs mapped to MSTIs 0 through 31 as the protected VLANs of RRPP domain 1 DeviceA rrpp domain 1 DeviceA rrpp domain1 control vlan 4092 DeviceA r...

Page 2188: ...itEthernet2 0 2 port trunk permit vlan all 3 Configuration on Device C Configure the suppression time of physical link state changes on GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 as zero disable STP configure the two ports as trunk ports and assign them to all VLANs DeviceC system view DeviceC interface gigabitethernet 2 0 1 DeviceC GigabitEthernet2 0 1 link delay 0 DeviceC GigabitEthernet2 0...

Page 2189: ...y port gigabitethernet 2 0 1 secondary port gigabitethernet 2 0 2 level 0 DeviceD rrpp domain1 ring 1 enable DeviceD rrpp domain1 quit Enable the RRPP protocol DeviceD rrpp enable 5 Verification After the above configuration is completed you can use the display command to view RRPP configuration and operational information on Device A and Device D Troubleshooting Symptom When the link state is nor...

Page 2190: ...1 39 z Use the debugging rrpp command on each node to check whether a port receives or transmits Hello packets If not Hello packets are lost ...

Page 2191: ...ng the Interval for Sending Advertisement Packets 1 10 Setting the DelayDown Timer 1 10 Setting the Port Shutdown Mode 1 11 Configuring DLDP Authentication 1 11 Resetting DLDP State 1 12 Resetting DLDP State in System View 1 12 Resetting DLDP State in Port view Port Group View 1 12 Displaying and Maintaining DLDP 1 13 DLDP Configuration Example 1 13 Troubleshooting 1 15 ...

Page 2192: ...shooting Overview Background Sometimes unidirectional links appear in networks On a unidirectional link one end can receive packets from the other end but the other end cannot Unidirectional links result in problems such as loops in an STP enabled network As for fiber links two kinds of unidirectional links exist One occurs when fibers are cross connected as shown in Figure 1 1 The other occurs wh...

Page 2193: ... ends of a link are operating normally at the physical layer DLDP detects whether the link is correctly connected at the link layer and whether the two ends can exchange packets properly This is beyond the capability of the auto negotiation mechanism at the physical layer How DLDP Works DLDP link states A device is in one of these DLDP link states Initial Inactive Active Advertisement Probe Disabl...

Page 2194: ... timer This timer is set to 10 seconds and is triggered when a device transits to the Probe state or an enhanced detect is launched When the Echo timer expires and no Echo packet has been received from a neighbor device the state of the link is set to unidirectional and the device transits to the Disable state In this case the device sends Disable packets prompts the user to shut down the port or ...

Page 2195: ...ed DLDP mode when an entry timer expires the Enhanced timer is triggered and the device sends up to eight Probe packets at a frequency of one packet per second to test the neighbor If no Echo packet is received from the neighbor when the Echo timer expires the device transits to the Disable state Table 1 3 DLDP mode and neighbor entry aging DLDP mode Detecting a neighbor after the corresponding ne...

Page 2196: ...0 The receiving side checks the values of the two fields of received DLDP packets and drops the packets with the two fields conflicting with the corresponding local configuration z Plain text authentication In this mode before sending a DLDP packet the sending side sets the Authentication field to the password configured in plain text and sets the Authentication type field to 1 The receiving side ...

Page 2197: ...ponding neighbor entry does not exist creates the neighbor entry triggers the Entry timer and transits to Probe state Advertisement packet with RSY tag Retrieving the neighbor information If the corresponding neighbor entry already exists resets the Entry timer and transits to Probe state If the corresponding neighbor entry does not exist creates the neighbor entry triggers the Entry timer and tra...

Page 2198: ...tes in Enhanced mode If yes and the local port is not in Disable state the local transits to Disable state 3 If no echo packet is received from the neighbor DLDP performs the following processing Table 1 6 Processing procedure when no echo packet is received from the neighbor No echo packet received from the neighbor Processing procedure In normal mode no echo packet is received when the Echo time...

Page 2199: ...tate or Unidirectional state after the probe operation finishes Two way A neighbor is in this state after it receives response from its peer This state indicates the link is a two way link Unidirectional A neighbor is in this state when the link connecting it is detected to be a unidirectional link After a device transits to this state the corresponding neighbor entries maintained on other devices...

Page 2200: ...isabled by default Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name Either of the two is required Configurations made in Ethernet port view apply to the current port only configurations made in port group view apply to all ports in the port group Enable DLDP dldp enable Required Di...

Page 2201: ...ausing more traffic forwarding errors if the interval is too short unnecessary Advertisement packets can be generated to consume bandwidth Therefore you are recommended to use the default value z To enable DLDP to operate properly make sure the intervals for sending Advertisement packets on both sides of a link are the same Setting the DelayDown Timer On some ports when the Tx line fails the port ...

Page 2202: ...ode To do Use the command Remarks Enter system view system view Set port shutdown mode dldp unidirectional shutdown auto manual Optional auto by default z On a port with both remote OAM loopback and DLDP enabled if the port shutdown mode is auto mode the port will be shut down by DLDP when it receives a packet sent by itself causing remote OAM loopback to operate improperly To prevent this you nee...

Page 2203: ...State in Port view Port Group View The DLDP state that the port transits to upon the DLDP state reset operation depends on its physical state If the port is physically down it transits to Inactive state if the port is physically up it transits to Active state Resetting DLDP State in System View Resetting DLDP state in system view applies to all the ports shut down by DLDP Follow these steps to res...

Page 2204: ... user view DLDP Configuration Example Network requirements z Device A and Device B are connected through two fiber pairs in which two fibers are cross connected as shown in Figure 1 4 z It is desired that the unidirectional links can be disconnected on being detected and the ports shut down by DLDP can be restored after the fiber connections are corrected Figure 1 4 Network diagram for DLDP config...

Page 2205: ...onfiguration information on all the DLDP enabled ports of Device A DeviceA display dldp DLDP global status enable DLDP interval 6s DLDP work mode enhance DLDP authentication mode none DLDP unidirectional shutdown auto DLDP delaydown timer 2s The number of enabled ports is 2 Interface GigabitEthernet2 0 1 DLDP port state disable DLDP link state down The neighbor number of the port is 0 Interface Gi...

Page 2206: ...ndex 59 Neighbor state two way Neighbor aged time 11 The output information indicates that both GigabitEthernet 2 0 1 and GigabitEthernet 2 0 2 are in Advertisement state and the links are up which means unidirectional links are not detected and the two ports are restored Troubleshooting Symptom Two DLDP enabled devices Device A and Device B are connected through two fiber pairs in which two fiber...

Page 2207: ...Configuring Errored Frame Event Detection 1 7 Configuring Errored Frame Period Event Detection 1 7 Configuring Errored Frame Seconds Event Detection 1 7 Enabling OAM Remote Loopback 1 8 Displaying and Maintaining Ethernet OAM Configuration 1 9 Ethernet OAM Configuration Example 1 10 2 Extended OAM Configuration 2 1 Overview 2 1 Extended OAMPDU 2 1 How Extended OAM Works 2 2 Configuring Extended OA...

Page 2208: ...rnet has been absent all along hindering the usage of Ethernet in MANs and WANs Implementing Operation Administration and Maintenance OAM on Ethernet networks has now become an urgent matter As a tool monitoring Layer 2 link status Ethernet OAM is mainly used to address common link related issues on the last mile You can monitor the status of the point to point link between two directly connected ...

Page 2209: ... be forwarded Source addr Source MAC address of the Ethernet OAMPDU It is the bridge MAC address of the sending side and is a unicast MAC address Type Type of the encapsulated protocol in the Ethernet OAMPDU The value is 0x8809 Subtype The specific protocol being encapsulated in the Ethernet OAMPDU The value is 0x03 Flags Status information of an Ethernet OAM entity Code Type of the Ethernet OAMPD...

Page 2210: ...s and establishes sessions with them In this phase interconnected OAM entities notify the peer of their OAM configuration information and the OAM capabilities of the local nodes by exchanging Information OAMPDUs and determine whether Ethernet OAM connections can be established An Ethernet OAM connection can be established only when the settings concerning loopback link detecting and link event of ...

Page 2211: ...cially when the physical connection in the network is not disconnected but network performance is degrading gradually Link monitoring is used to detect and indicate link faults in various environments Ethernet OAM implements link monitoring through the exchange of Event Notification OAMPDUs Upon detecting a link error event listed in Table 1 4 the local OAM entity sends an Event Notification OAMPD...

Page 2212: ...nts listed in Table 1 5 Table 1 5 Critical link error events Ethernet OAM link events Description Link Fault Peer link signal is lost Dying Gasp An unexpected fault such as power failure occurred Critical event An undetermined critical event happened As Information OAMPDUs are exchanged periodically across established OAM connections an Ethernet OAM entity can inform one of its OAM peers of link f...

Page 2213: ...ote Loopback Optional Configuring Basic Ethernet OAM Functions As for Ethernet OAM connection establishment a device can operate in active mode or passive mode After Ethernet OAM is enabled on an Ethernet port according to its Ethernet OAM mode the Ethernet port establishes an Ethernet OAM connection with its peer port Follow these steps to configure basic Ethernet OAM functions To do Use the comm...

Page 2214: ...t occurs if the number of frame errors in specific number of received frames exceeds the predefined threshold Follow these steps to configure errored frame period event detection To do Use the command Remarks Enter system view system view Configure the errored frame period event detection period oam errored frame period period period value Optional 1000 milliseconds by default Configure the errore...

Page 2215: ... OAM Remote Loopback After enabling OAM remote loopback on a port you can send loopback frames from the port to a remote port and then observe how many of these loopback frames are returned In this way you can calculate the packet loss ratio on the link thus evaluating the link performance Follow these steps to enable Ethernet OAM remote loopback To do Use the command Remarks Enter system view Sys...

Page 2216: ...groups or service loopback groups For more information about link aggregation groups and service loopback groups refer to Link Aggregation Configuration and Service Loopback Group Configuration in the Access Volume z Enabling internal loopback test on a port in remote loopback test can terminate the remote loopback test For more information about loopback test refer to Ethernet Interface Configura...

Page 2217: ...quit Set the errored frame detection interval to 20 seconds and set the errored frame event triggering threshold to 10 DeviceA oam errored frame period 20 DeviceA oam errored frame threshold 10 2 Configure Device B Configure GigabitEthernet 2 0 1 to operate in active Ethernet OAM mode the default and enable Ethernet OAM for it DeviceB system view DeviceB interface gigabitethernet 2 0 1 DeviceA Gig...

Page 2218: ...play the statistics of Ethernet OAM critical link events on all the ports of Device A DeviceA display oam critical event Port GigabitEthernet2 0 1 Link Status Up Event statistic Link Fault 0 Dying Gasp 0 Critical Event 0 According to the above output information no critical link event occurred on the link between Device A and Device B Display Ethernet OAM link event statistics of the remote end of...

Page 2219: ...exchange various management information Extended information OAMPDU Extended OAM adds an Organization Specific Information TLV to the information OAMPDU For details about information OAMPDUs refer to Ethernet OAMPDUs An information OAMPDU containing this TLV is called an extended information OAMPDU The Organization Specific Information TLV contains the following contents z Local Organizationally U...

Page 2220: ...ocation Used for performing DBA configuration and query z Payload Carries the function codes and configuration contents corresponding to the user s query or configuration instructions An OLT can configure the functions shown in Extended OAM management for ONUs z Pad Padding field How Extended OAM Works Extended OAM has two functions extended OAM discovery and extended OAM management Extended OAM d...

Page 2221: ...ble extend OAM manually instead extended OAM is enabled on a port automatically when you enable Ethernet OAM on the port Configuring Extended OAM Discovery Timeout Time Extended OAM discovery timeout time refers to the timeout time of extended OAM messages exchanged between an OLT and its ONU during an extended OAM discovery process Follow these steps to configure the extended OAM discovery timeou...

Page 2222: ...ration Prerequisites 1 8 Configuring Procedure 1 8 Configuring LB on MEPs 1 9 Configuration Prerequisites 1 9 Configuration Procedure 1 9 Configuring LT on MEPs 1 10 Configuration Prerequisites 1 10 Finding the Path Between a Source MEP and a Target MEP 1 10 Enabling Automatic LT Messages Sending 1 10 Displaying and Maintaining CFD 1 11 CFD Configuration Examples 1 11 Configuring Service Instance ...

Page 2223: ...sic Concepts in CFD Maintenance domain A maintenance domain MD defines the network where CFD plays its role The MD boundary is defined by some maintenance association end points MEPs configured on the ports An MD is identified by an MD name To locate faults exactly CFD introduces eight levels from 0 to 7 to MDs The bigger the number the higher the level and the larger the area covered Domains can ...

Page 2224: ...MEP ID The MEPs of an MD define the range and boundary of the MD The MA and MD that a MEP belongs to define the VLAN attribute and level of the packets sent by the MEP MEPs fall into inward facing MEPs and outward facing MEPs The level of a MEP determines the levels of packets that the MEP can process The packets transmitted from a MEP carry the level of the MEP A MEP forwards packets at a higher ...

Page 2225: ... forwards packets at a higher level without any processing Figure 1 4 demonstrates a grading example of the CFD module In the figure there are six devices labeled 1 through 6 respectively Suppose each device has two ports and MEPs and MIPs are configured on some of these ports Four levels of MDs are designed in this example the bigger the number the higher the level and the larger the area covered...

Page 2226: ...ice faults or configuration errors This function is implemented through periodic sending of continuity check messages CCMs by the MEPs As a multicast message a CCM sent by one MEP is intended to be received by all the other MEPs in the same MA If a MEP fails to receive the CCMs within 3 5 sending periods the link is regarded as faulty and a corresponding log is generated When multiple MEPs send CC...

Page 2227: ...ent devices z Define the MA in each MD according to the VLAN you want to monitor z Assign a name for each MA Make sure that the same MA in the same MD has the same name on different devices z Determine the MEP list of each MA in each MD Make sue that devices in the same MA maintain the same MEP list z At the edges of MD and MA MPs should be designed at the device port MEPs can be designed on devic...

Page 2228: ...and Remarks Enter system view system view Enable CFD cfd enable Required CFD is disabled by default Configure the CFD protocol version cfd version draft5 standard Optional By default CFD uses the standard version of IEEE 802 1ag Create an MD cfd md md name level level value Required Not created by default Create an MA cfd ma ma name md md name vlan vlan id Required Not created by default Create a ...

Page 2229: ...Ethernet interface view interface interface type interface number Create a MEP cfd mep mep id service instance instance id inbound outbound Required Not configured by default Enable the MEP cfd mep service instance instance id mep mep id enable Required Disabled by default You cannot create a MEP if the MEP ID is not included in the MEP list of the corresponding service instance Configuring MIP Ge...

Page 2230: ... or deleting the MEPs on a port z Changes occur to the VLAN attribute of a port z The rule specified in the cfd mip rule command changes Configuring CC on MEPs After the CC function is configured MEPs can send CCMs mutually to check the connectivity between them Configuration Prerequisites Before configuring this function you should first complete the MEP configuration Configuring Procedure Follow...

Page 2231: ...of the remote MEP is illustrated in Table 1 2 Table 1 2 Relationship of the interval field value the interval between CCM messages and the timeout time of the remote MEP The interval field value The interval between CCM messages The timeout time of the remote MEP 3 100 milliseconds 350 milliseconds 4 1 second 3 5 seconds 5 10 second 35 seconds 6 60 seconds 210 seconds 7 600 seconds 2100 seconds In...

Page 2232: ...within 3 5 sending intervals the link between the two is regarded as faulty and LTMs will be sent out Based on the LTRs that echo back the fault source can be located Configuration Prerequisites Before configuring this function you should first complete MEP and MIP configuration tasks Finding the Path Between a Source MEP and a Target MEP Follow these steps to find the path between a source MEP an...

Page 2233: ...e reply service instance instance id mep mep id Available in any view Display the information of a remote MEP display cfd remote mep service instance instance id mep mep id Available in any view Display the content of the LTR that responds to LTM messages display cfd linktrace reply auto detection size size value Available in any view CFD Configuration Examples Configuring Service Instance Network...

Page 2234: ...ance 2 md MD_B ma MA_MD_B 3 Configuration on Device B configuration on Device D is the same as that on Device B DeviceB system view DeviceB cfd enable DeviceB cfd md MD_A level 5 DeviceB cfd ma MA_MD_A md MD_A vlan 100 DeviceB cfd service instance 1 md MD_A ma MA_MD_A DeviceB cfd md MD_B level 3 DeviceB cfd ma MA_MD_B md MD_B vlan 100 DeviceB cfd service instance 2 md MD_B ma MA_MD_B After the abo...

Page 2235: ...etwork diagram of MD and MEP configuration Configuration procedure 1 On Device A DeviceA system view DeviceA cfd meplist 1001 4002 5001 service instance 1 DeviceA cfd meplist 2001 4001 service instance 2 DeviceA interface gigabitethernet 2 0 1 DeviceA GigabitEthernet2 0 1 cfd mep 1001 service instance 1 inbound DeviceA GigabitEthernet2 0 1 cfd mep service instance 1 mep 1001 enable DeviceA Gigabit...

Page 2236: ...commands display cfd mp and display cfd mep to verify your configuration Configuring the Rules for Generating MIPs Network requirements After finishing MEP configuration you can continue to configure the MIPs MIPs which are generated by some rules are configured in the following way z Decide the device on which MIPs are to be configured z Choose suitable rules for MIP generation By default MIP is ...

Page 2237: ...o trace the fault source after CC detects a link fault As shown in Figure 1 6 enable LB on Device A so that Device A can send LBM messages to MEPs on Device D Configuration procedure Configure Device A DeviceA system view DeviceA cfd loopback service instance 1 mep 1001 target mep 4002 Configuring LT on MEPs Network requirements Use the LT function to find the path and locate the fault after you o...

Page 2238: ...1 16 DeviceA cfd linktrace service instance 1 mep 1001 target mep 4002 ...

Page 2239: ...ion to BFD 1 1 How BFD Works 1 2 BFD Packet Format 1 4 Supported Features 1 5 Protocols and Standards 1 6 Configuring BFD Basic Functions 1 6 Configuration Prerequisites 1 6 Configuration Procedure 1 6 Enabling Trap 1 7 Displaying and Maintaining BFD 1 7 ...

Page 2240: ...ing z Hardware detection Detects link failures by sending hardware detection signals such as SDH synchronous digital hierarchy transmission system alarms Hardware detection can quickly detect failures but it is not supported by all media types z Hello mechanism Devices can use the hello mechanism of a routing protocol for failure detection which has a failure detection rate in seconds However for ...

Page 2241: ...asures Operation of BFD Figure 1 1 BFD session establishment on OSPF routers OSPF neighbors BFD neighbors Router A Router B 1 2 3 2 OSPF advertises the BFD neighbor relationship BFD session establishment as shown in the above figure z A protocol sends Hello messages to discover neighbors and establish neighborships z After establishing neighborships the protocol notifies BFD of the neighbor inform...

Page 2242: ...ds the packets back to the originating end thereby monitoring link status in both directions BFD operating modes Before a BFD session is established there are two BFD operating modes active and passive z Active mode In this mode BFD actively sends BFD control packets regardless of whether any BFD control packet is received from the peer z Passive mode In this mode BFD does not send control packets...

Page 2243: ...the related BFD parameters such as the minimum transmit interval minimum receive interval initialization mode and packet authentication mode After that both ends use the negotiated parameters without affecting the current session state BFD Packet Format Figure 1 3 illustrates the BFD control packet format BFD control packets are encapsulated into UDP packets with port number 3784 Figure 1 3 BFD co...

Page 2244: ...h of the BFD Control packet in bytes z My Discriminator A unique nonzero discriminator value generated by the transmitting system used to demultiplex multiple BFD sessions between the same pair of systems z Your Discriminator It is the discriminator received from the corresponding remote system This field reflects back the received value of My Discriminator or is 0 if that value is unknown z Desir...

Page 2245: ... the network layer z Configure the routing protocols that support BFD Configuration Procedure Follow these steps to configure BFD basic functions To do Use the command Remarks Enter system view system view Specify the mode for establishing a BFD session bfd session init mode active passive Optional active by default Enter interface view interface interface type interface number Configure the minim...

Page 2246: ... the System Volume Follow these steps to enable BFD trap To do Use the command Remarks Enter system view system view Enable BFD trap snmp agent trap enable bfd Optional Enabled by default For the description of the snmp agent trap enable bfd command refer to the snmp agent trap enable command in SNMP Commands in the System Volume Displaying and Maintaining BFD To do Use the command Remarks Display...

Page 2247: ...1 8 To do Use the command Remarks Clear BFD session statistics on a distributed IRF device reset bfd session statistics chassis chassis number slot slot number Available in user view ...

Page 2248: ...ing Collaboration Between the Track Module and the Application Modules 1 4 Configuring Track VRRP Collaboration 1 4 Configuring Track Static Routing Collaboration 1 6 Displaying and Maintaining Track Entries 1 7 Track Configuration Examples 1 7 VRRP Track NQA Collaboration Configuration Example The Master Monitors the Uplink 1 7 Configuring BFD for a VRRP Backup to Monitor the Master 1 11 Configur...

Page 2249: ...ns through the track module More specifically the detection modules probe the link status network performance and so on and inform the application modules of the detection result through the track module After the application modules are aware of the changes of network status they deal with the changes accordingly to avoid communication interruption and network performance degradation The track mo...

Page 2250: ...ion may be interrupted because routes cannot be recovered in time For example the master in a VRRP group monitors the uplink interface through the track module When the uplink interface fails the track module notifies the master to reduce its priority so that a backup with a higher priority can preempt as the master to forward packets When the uplink interface recovers if the track module notifies...

Page 2251: ... the specified NQA test group and reaction entry can be nonexistent In this case the status of the configured track entry is Invalid Configuring Track BFD Collaboration Through the following configuration you can establish the collaboration between the track module and BFD which probes the link status by sending echo packets and informs the track module of the probe result Configuration prerequisi...

Page 2252: ...sion is created by default Configuring Collaboration Between the Track Module and the Application Modules Configuring Track VRRP Collaboration VRRP is an error tolerant protocol It adds a group of routers that can act as network gateways to a VRRP group which forms a virtual router Routers in the VRRP group elect the master acting as the gateway according to their priorities A router with a higher...

Page 2253: ...ress Required No VRRP group is created by default Specify a track entry to be monitored by VRRP vrrp ipv6 vrid virtual router id track track entry number reduced priority reduced switchover Required No track entry is specified for VRRP by default This command is supported when VRRP works in both the standard protocol mode and load balancing mode Specify a track entry to be monitored by a virtual f...

Page 2254: ...route the track module and detection modules and thus check the reachability of the static route according to the status of the track entry z If the status of the track entry is Positive then the next hop of the static route is reachable and the configured static route is valid z If the status of the track entry is Negative then the next hop of the static route is unreachable and the configured st...

Page 2255: ... recursion the associated track entry must monitor the next hop of the recursive route instead of that of the static route otherwise a valid route may be considered invalid z For details of static route configuration refer to Static Routing Configuration in the IP Routing Volume Displaying and Maintaining Track Entries To do Use the command Remarks Display information about the specified track ent...

Page 2256: ...tion entry 1 specifying that five consecutive probe failures trigger the Track NQA collaboration SwitchA nqa admin test icmp echo reaction 1 checked element probe fail threshold type consecutive 5 action type trigger only SwitchA nqa admin test icmp echo quit Start NQA probes SwitchA nqa schedule admin test start time now lifetime forever 3 Configure a track entry on Switch A Configure track entry...

Page 2257: ...lan interface2 vrrp vrid 1 authentication mode simple hello Configure the master to send VRRP packets at an interval of five seconds SwitchB Vlan interface2 vrrp vrid 1 timer advertise 5 Configure Switch B to work in preemptive mode and set the preemption delay to five seconds SwitchB Vlan interface2 vrrp vrid 1 preempt mode timer delay 5 6 Verify the configuration After configuration ping Host B ...

Page 2258: ... is a fault on the link between Switch A and Switch C IPv4 Standby Information Run Mode Standard Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 5 Admin Status Up State Backup Config Pri 110 Running Pri 80 Preempt Mode Yes Delay Time 5 Auth Type Simple Key hello Virtual IP 10 1 1 10 Master IP 10 1 1 2 VRRP Track Information Track Object 1 State...

Page 2259: ... z If BFD is not configured when the master in a VRRP group fails the backup cannot become the master until the configured timeout timer expires The timeout is generally three to four seconds and therefore the switchover is slow To solve this problem VRRP uses BFD to probe the state of the master Once the master fails the backup can become the new master within 1 second Figure 1 3 Network diagram ...

Page 2260: ...ster SwitchB interface vlan interface 2 SwitchB Vlan interface2 vrrp vrid 1 virtual ip 192 168 0 10 SwitchB Vlan interface2 vrrp vrid 1 track 1 switchover SwitchB Vlan interface2 return 5 Verify the configuration Display the detailed information of VRRP group 1 on Switch A SwitchA display vrrp verbose IPv4 Standby Information Run Mode Standard Run Method Virtual MAC Total number of virtual routers...

Page 2261: ...tchB debugging bfd event When Switch A fails the following output information is displayed on Switch B Dec 17 14 44 34 142 2008 SwitchB BFD 7 EVENT Send sess down Msg Src 192 168 0 102 Dst 192 168 0 101 Vlan interface2 Echo instance 0 protocol Track Dec 17 14 44 34 144 2008 SwitchB VRRP 7 DebugState IPv4 Vlan interface2 Virtual Router 1 Backup Master reason The status of the tracked object changed...

Page 2262: ...as the master thus ensuring that the hosts in the LAN can access the external network through Switch B Figure 1 4 Network diagram for monitoring uplinks using BFD Internet Master uplink device Backup uplink device Uplink Virtual router Virtual IP address 192 168 0 10 Vlan int2 192 168 0 101 24 Vlan int2 192 168 0 102 24 Switch A Master Switch B Backup Vlan int3 1 1 1 1 24 Vlan int3 1 1 1 2 24 L2 s...

Page 2263: ...tual ip 192 168 0 10 SwitchB Vlan interface2 return 5 Verify the configuration Display the detailed information of the VRRP group on Switch A SwitchA display vrrp verbose IPv4 Standby Information Run Mode Standard Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status Up State Master Config Pri 110 Running Pri 110 Preempt Mode Yes Delay...

Page 2264: ...0 in seconds Reference object BFD session Packet type Echo Interface Vlan interface2 Remote IP 1 1 1 2 Local IP 1 1 1 1 display the detailed information of VRRP group 1 on Switch A SwitchA display vrrp verbose IPv4 Standby Information Run Mode Standard Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status Up State Backup Config Pri 110...

Page 2265: ...tch C Figure 1 5 Network diagram for Static Routing Track NQA collaboration configuration Vlan int2 10 1 1 1 24 Vlan int2 10 1 1 2 24 Vlan int3 10 2 1 1 24 Switch C Vlan int3 10 2 1 2 24 Switch B Switch A Configuration procedure 1 Configure the IP address of each interface as shown in Figure 1 5 2 Configure a static route on Switch A and associate it with the track entry Configure the address of t...

Page 2266: ...witchA display track all Track ID 1 Status Positive Notification delay Positive 0 Negative 0 in seconds Reference object NQA entry admin test Reaction 1 Display the routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 10 1 1 0 24 Static 60 0 10 2 1 1 Vlan3 10 2 1 0 24 Direct 0 0 10 2 1 2 Vlan3 10 ...

Page 2267: ... As shown in Figure 1 6 the next hop of the static route from Switch A to Switch C is Switch B z Configure Static Routing Track BFD collaboration on Switch A to implement real time monitoring of the validity of the static route to Switch C Figure 1 6 Network diagram for Static Routing Track BFD collaboration configuration Vlan int2 10 1 1 1 24 Vlan int2 10 1 1 2 24 Vlan int3 10 2 1 1 24 Switch C V...

Page 2268: ... Switch A SwitchA display ip routing table Routing Tables Public Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 10 1 1 0 24 Static 60 0 10 2 1 1 Vlan3 10 2 1 0 24 Direct 0 0 10 2 1 2 Vlan3 10 2 1 2 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The output information above indicates the BFD detection res...

Page 2269: ...nitors the Uplink Interface Network requirements z As shown in Figure 1 7 Host A needs to access Host B on the Internet The default gateway of Host A is 10 1 1 10 24 z Switch A and Switch B belong to VRRP group 1 whose virtual IP address is 10 1 1 10 z When Switch A works normally packets from Host A to Host B are forwarded through Switch A When VRRP detects that there is a fault on the uplink int...

Page 2270: ...g Host B on Host A and you can see that Host B is reachable Use the display vrrp command to view the configuration result Display detailed information about VRRP group 1 on Switch A SwitchA Vlan interface2 display vrrp verbose IPv4 Standby Information Run Mode Standard Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status Up State Mast...

Page 2271: ...uters 1 Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status Up State Backup Config Pri 110 Running Pri 80 Preempt Mode Yes Delay Time 0 Auth Type None Virtual IP 10 1 1 10 Master IP 10 1 1 2 VRRP Track Information Track Object 1 State Negative Pri Reduced 30 After shutting down the uplink interface on Switch A display detailed information about VRRP group 1 on Switch B SwitchB Vlan interfa...

Page 2272: ...ontents 1 GR Overview 1 1 Introduction to Graceful Restart 1 1 Basic Concepts in Graceful Restart 1 1 Graceful Restart Communication Procedure 1 2 Graceful Restart Mechanism for Several Commonly Used Protocols 1 4 ...

Page 2273: ...it to the state prior to the restart in minimal time No route flapping occurs during the restart the packet forwarding path remains the same and the whole system can forward data continuously Hence it is called Graceful Restart Basic Concepts in Graceful Restart A router with the Graceful Restart function enabled is called a Graceful Restart capable router It can perform a Graceful Restart when it...

Page 2274: ... Helper must support GR or be GR capable Thus when GR Restarter restarts its GR Helper can know its restart process In some cases GR Restarter and GR Helper can replace each other The communication procedure between the GR Restarter and the GR Helper works as follows 1 Establishing a GR session Figure 1 1 A GR session is established between the GR Restarter and the GR Helper As illustrated in Figu...

Page 2275: ...e the GR Time expires the GR Helper will neither terminate the session with the GR Restarter nor delete the topology or routing information of the latter 3 Signaling to GR Helper Figure 1 3 The GR Restarter signals to the GR Helper s after restart As illustrated in Figure 1 3 after the GR Restarter has recovered it will signal to all its neighbors and reestablish GR Session 4 Obtaining topology an...

Page 2276: ...Commonly Used Protocols Comware supports Graceful Restart based on protocols supporting IPv6 such as MPLS Label Distribution Protocol MPLS LDP MPLS with Resource Reservation Protocol Traffic Engineering MPLS RSVP TE Border Gateway Protocol BGP Intermediate System to Intermediate System IS IS Open Shortest Path First OSPF and OSPFv3 For the implementation and configuration procedure of the Graceful...

Page 2277: ...ently This document describes z Introduction to User Interface z Logging In Through the Console Port z Logging In Through Telnet SSH z Logging In Using Modem z Logging In Through NMS z Specifying Source IP address Interface for Telnet Packets z Controlling Login Users Basic System Configuration Basic system configuration involves the configuration of device name system clock welcome message and us...

Page 2278: ...system creating deleting modifying and renaming a file or a directory and opening a file This document describes z File system management z Configuration File Management SNMP Simple network management protocol SNMP offers a framework to monitor network devices through TCP IP protocol suite This document describes z SNMP overview z Basic SNMP function configuration z SNMP log configuration z Trap c...

Page 2279: ...wer z Configuring PoE Power Management z Configuring the PoE Monitoring Function z Configuring PoE Interface through PoE Profile z Upgrading PSE Processing Software in Service NQA NQA analyzes network performance services and service quality by sending test packets to provide you with network performance and service quality parameters This document describes z NQA Overview z Configuring the NQA Se...

Page 2280: ...esilient Framework IRF allows you to build an IRF namely a united device by interconnecting multiple devices through IRF ports You can manage all the devices in the IRF by managing the united device This document describes z IRF Overview z IRF Working Process z Configuring IRF z Configuring MAD detection z Accessing an IRF IPC Inter Process Communication IPC is a reliable communication mechanism a...

Page 2281: ...on Procedure 2 7 Configuration Example 2 8 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 11 Configuring Command Authorization 2 12 Configuring Command Accounting 2 13 3 Logging In Through Telnet SSH 3 1 Logging In Through Telnet 3 1 Introduction 3 1 Telnet Connection Establishment 3 1 Common Configuration 3 4 Telnet L...

Page 2282: ...ntroduction 6 1 Connection Establishment Using NMS 6 1 7 Specifying Source for Telnet Packets 7 1 Introduction 7 1 Specifying Source IP address Interface for Telnet Packets 7 1 Displaying the source IP address Interface Specified for Telnet Packets 7 2 8 Controlling Login Users 8 1 Introduction 8 1 Controlling Telnet Users 8 1 Prerequisites 8 1 Controlling Telnet Users by Source IP Addresses 8 1 C...

Page 2283: ...he AUX port and the Console port of a 3Com series switch are the same one you will be in the AUX user interface if you log in through this port 3Com S7900E series Ethernet switch supports two types of user interfaces AUX and VTY z AUX port Used to manage and monitor users logging in via the console port The device provides AUX ports of EIA TIA 232 DTE type The port is usually used for the first ac...

Page 2284: ...iguration in user interface view of VTY 1 applies User Interface Number User interfaces can be numbered in two ways absolute numbering and relative numbering Absolute numbering Absolute numbering allows you to uniquely specify a user interface or a group of user interfaces The numbering system starts from number 0 with a step of 1 The numbering approach numbers the two types of user interfaces in ...

Page 2285: ... Set the banner header incoming legal login shell motd text Optional Set a system name for the switch sysname string Optional Enter one or more user interface views user interface type first number last number Display the information about the current user interface all user interfaces display users all You can execute this command in any view Display the physical attributes and configuration of t...

Page 2286: ...n to a switch It is also the prerequisite to configure other login methods By default you can log in to an 3Com S7900E series Ethernet switch through its Console port only To log in to an Ethernet switch through its Console port the related configuration of the user terminal must be in accordance with that of the Console port Table 2 1 lists the default settings of a Console port Table 2 1 The def...

Page 2287: ...h as Terminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are configured as those listed in Table 2 1 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish the connection ...

Page 2288: ...witch or check the information about the switch by executing commands You can also acquire help by type the character Refer to the following chapters for information about the commands Console Port Login Configuration Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console port login Configuration Description Enter system view s...

Page 2289: ...n to the AUX user interface Make terminal services available shell Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines Set history command buffer size history command max size value Optional By default the history command buffer can con...

Page 2290: ...cal authentication or RADIUS authentication Optional Local authentication is performed by default Refer to the AAA Configuration in the Security Volume for details Configure user name and password Configure user names and passwords for local remote users Required z The user name and password of a local user are configured on the switch z The user name and password of a remote user are configured o...

Page 2291: ... switch is configured to allow you to login through Telnet and your user level is set to the administrator level level 3 After you telnet to the switch you need to limit the console user at the following aspects z The user is not authenticated when logging in through the Console port z Commands of level 2 are available to user logging in to the AUX user interface z The baud rate of the Console por...

Page 2292: ...the configuration consistent with that on the switch Refer to Setting Up the Connection to the Console Port for details Console Port Login Configuration with Authentication Mode Being Password Configuration Procedure Follow these steps to perform Console port login configuration with authentication mode being password To do Use the command Remarks Enter system view system view Enter AUX user inter...

Page 2293: ... z The timeout time of the AUX user interface is 6 minutes Network diagram Figure 2 6 Network diagram for AUX user interface configuration with the authentication mode being password Configuration procedure Enter system view Sysname system view Enter AUX user interface view Sysname user interface aux 0 Specify to authenticate the user logging in through the Console port using the local password Sy...

Page 2294: ...o Setting Up the Connection to the Console Port for details Console Port Login Configuration with Authentication Mode Being Scheme Configuration Procedure Follow these steps to perform Console port login configuration with authentication mode being scheme To do Use the command Remarks Enter system view system view Enter AUX user interface view user interface aux first number last number Configure ...

Page 2295: ...l of AAA server Create a local user Enter local user view local user user name Required No local user exists by default Set the authentication password for the local user password simple cipher password Required By default a user is authorized with no password Specifies the level of the local user authorization attribute level level By default no authorization attribute is configured for a local u...

Page 2296: ...er logging in to the AUX user interface z The baud rate of the Console port is 19 200 bps z The screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of the AUX user interface is 6 minutes Network diagram Figure 2 7 Network diagram for AUX user interface configuration with the authentication mode being scheme Configuration procedure 1 Configu...

Page 2297: ...vel for a login user depends on the user level The user is authorized the command with the default level not higher than the user level With the command authorization configured the command level for a login user is decided by both the user level and AAA authorization If a user executes a command of the corresponding user level the authorization server checks whether the command is authorized If y...

Page 2298: ...ds will be recorded on the HWTACACS server The command accounting configuration involves two steps 1 Enable command accounting See the following table for details 2 Configure a command accounting scheme Specify the IP address and other related parameters for the accounting server For details refer to the AAA Configuration in the Security Volume Follow these steps to enable command accounting To do...

Page 2299: ...route between the switch and the Telnet terminal is available Switch The authentication mode and other settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available Telnet Connection Establishment Telnetting to a Switch from a Terminal You can telnet to a switch and then configure the switch if the interf...

Page 2300: ... the password authentication to login Step 3 Connect your PC to the Switch as shown in Figure 3 1 Make sure the Ethernet port to which your PC is connected belongs to the management VLAN of the switch and the route between your PC and the switch is available Figure 3 1 Network diagram for Telnet connection establishment Step 4 Launch Telnet on your PC with the IP address of the management VLAN int...

Page 2301: ... by executing the telnet command and then to configure the later Figure 3 3 Network diagram for Telnetting to another switch from the current switch Step 1 Configure the user name and password for Telnet on the switch operating as the Telnet server Refer to section Telnet Login Configuration with Authentication Mode Being None section Telnet Login Configuration with Authentication Mode Being Passw...

Page 2302: ...re supported VTY user interface configuration Set the command that is automatically executed when a user logs into the user interface auto execute command text Optional By default no command is automatically executed when a user logs into a user interface Make terminal services available shell Optional By default terminal services are available in all user interfaces Set the maximum number of line...

Page 2303: ...Telnet configuration with authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure not to authenticate users logging in to VTY user interfaces authentication mode none Required By default VTY users are authenticated after logging in Note that if you configure not to au...

Page 2304: ... command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 Telnet Login Configuration with Authentication Mode Being Password Configuration Procedure Follow these steps to perform Telnet configuration with authentication mode being password To do Use the command Remarks Enter system view system view Enter one or more...

Page 2305: ...edure Enter system view and enable the Telnet service Sysname system view Sysname telnet server enable Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 using the local password Sysname ui vty0 authentication mode password Set the local password to 123456 in plain text Sysname ui vty0 set authentication password simple 123456 Specify c...

Page 2306: ...erning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to AAA Configuration in the Security Volume for details z Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Create a lo...

Page 2307: ... mode z The commands of level 2 are available to users logging in to VTY 0 z Telnet protocol is supported in VTY 0 z The screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes Network diagram Figure 3 6 Network diagram for Telnet configuration with the authentication mode being scheme 2 Configuration procedure z Configure...

Page 2308: ...horized If yes the command can be executed The authorization server checks the commands authorized for users through the username and thus the command authorization configuration involves three steps 1 Configure to use username and password authentication when users log in 2 Enable command authorization See the following table for details 3 Configure an authorization scheme Specify the IP address ...

Page 2309: ... to enable command accounting To do Use the command Remarks Enter system view system view Enter AUX user interface view user interface vty first number last number Enable command accounting command accounting Required Disabled by default that is the accounting server does not record the commands the users execute Logging In Through SSH Secure Shell SSH offers an approach to logging into a remote d...

Page 2310: ...switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the Console port of the switch properly The modem is properly configured The modem is properly connected to PSTN and a telephone set Switch side The authentication mode a...

Page 2311: ...e Console port is usually set to a value lower than the transmission speed of the modem Otherwise packets may get lost z Other settings of the Console port such as the check mode the stop bits and the data bits remain the default The configuration on the switch depends on the authentication mode the user is in Refer to Table 2 3 for the information about authentication mode configuration Configura...

Page 2312: ...d the output of different modems may differ Refer to the user manual of the modem when performing the above configuration z It is recommended that the baud rate of the AUX port also the Console port be set to a value lower than the transmission speed of the modem Otherwise packets may get lost Step 3 Connect your PC the modems and the switch as shown in the following figure Figure 4 1 Establish th...

Page 2313: ...can also enter the character at anytime for help Refer to the following chapters for information about the configuration commands If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Modem Attribute Configuration You can configure the attributes of the modem directly connected to the console port of your switch This modem is called the...

Page 2314: ...ignal after the off hook action during incoming call connection setup modem timer answer seconds Optional 30 seconds by default Configuration Example Network requirements Configure the switch side modem to allow both incoming calls and outgoing calls and configure the modem to operate in the auto answer mode Set the timeout time that the modem waits for the carrier signal after the off hook action...

Page 2315: ...sword is 123 Figure 5 1 Network diagram for configuring user authentication Configuration procedure Assign an IP address to Device to make Device be reachable from Host A Host B Host C and RADIUS server The configuration is omitted Enable telnet services on Device Device system view Device telnet server enable Set that no authentication is needed when users use the console port to log in to Device...

Page 2316: ...s and use local authentication as the backup Device domain system Device isp system authentication login radius scheme rad local Device isp system authorization login radius scheme rad local Device isp system quit Add a local user named monitor set the user password to 123 and specify to display the password in cipher text Authorize user monitor to use the telnet service and specify the level of t...

Page 2317: ...standard Specify Device to remove the domain name in the username sent to the HWTACACS server for the scheme Device hwtacacs scheme tac Device hwtacacs tac primary authentication 192 168 2 20 49 Device hwtacacs tac primary authorization 192 168 2 20 49 Device hwtacacs tac key authentication expert Device hwtacacs tac key authorization expert Device hwtacacs tac server type standard Device hwtacacs...

Page 2318: ...ice user interface aux 0 Device ui aux0 command accounting Device ui aux0 quit Enable command accounting for users logging in through telnet or SSH Device user interface vty 0 4 Device ui vty0 4 command accounting Device ui vty0 4 quit Create a HWTACACS scheme named tac and configure the IP address and TCP port for the primary authorization server for the scheme Ensure that the port number be cons...

Page 2319: ...it Create ISP domain system and configure the ISP domain system to use HWTACACS scheme tac for accounting of command line users Device domain system Device isp system accounting command hwtacacs scheme tac Device isp system quit ...

Page 2320: ...protocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the management VLAN of the switch is configured The route between the NMS and the switch is available Switch The basic SNMP functions are co...

Page 2321: ...e security Specifying source IP address interfaces for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source IP address Interface for Telnet Packets The configuration can be performed in user view and system view The configuration performed in user view only applies to the current session Whereas the confi...

Page 2322: ...for Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reachable Displaying the source IP address Interface Specified for Telnet Packets Follow these steps to display the source IP address interface specified for Telnet packets To do Use the command Remarks D...

Page 2323: ...ough Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Controlling Network Management Users by Source IP Addresses Controlling Telnet Users Prerequisites The controlling policy against Telnet users is determined including the source and destination IP addresses to be controlled and the controlling actions permitting or denying Controlling ...

Page 2324: ...CL refer to ACL Configuration in the Security Volume Follow these steps to control Telnet users by source and destination IP addresses To do Use the command Remarks Enter system view system view Create an advanced ACL or enter advanced ACL view acl ipv6 number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule r...

Page 2325: ...he ACL rule rule id permit deny rule string Required You can define rules as needed to filter by specific source MAC addresses Quit to system view quit Enter user interface view user interface type first number last number Apply the ACL to control Telnet users by source MAC addresses acl acl number inbound Required The inbound keyword specifies to filter the users trying to Telnet to the current s...

Page 2326: ...nt Users by Source IP Addresses You can manage a 3Com S7900E series Ethernet switch through network management software Network management users can access switches through SNMP You need to perform the following two operations to control network management users by source IP addresses z Defining an ACL z Applying the ACL to control users accessing the switch through SNMP Prerequisites The controll...

Page 2327: ...ify view notify view acl acl number snmp agent group v3 group name authentication privacy read view read view write view write view notify view notify view acl acl number Apply the ACL while configuring the SNMP user name snmp agent usm user v1 v2c user name group name acl acl number snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode aes128 de...

Page 2328: ... basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 rule 2 permit source 10 110 100 46 0 Sysname acl basic 2000 rule 3 deny source any Sysname acl basic 2000 quit Apply the ACL to only permit SNMP users sourced from the IP addresses of 10 110 100 52 and 10 110 100 46 to access the switch Sysname snmp agent community read 3com acl 2000 Sysname snmp agent group v2c 3comgroup acl ...

Page 2329: ...pyright Information 1 6 Configuring a Banner 1 7 Configuring CLI Hotkeys 1 8 Configuring Command Aliases 1 9 Configuring User Privilege Levels and Command Levels 1 10 Displaying and Maintaining Basic Configurations 1 17 CLI Features 1 18 Introduction to CLI 1 18 Online Help with Command Lines 1 19 Synchronous Information Output 1 20 Undo Form of a Command 1 20 Editing Features 1 20 CLI Display 1 2...

Page 2330: ...hen it has no configuration file or the configuration file is damaged z Current configuration The currently running configuration on the device z Saved configuration Configurations saved in the startup configuration file Follow these steps to display device configurations To do Use the command Remarks Display the current validated configurations of the device display current configuration configur...

Page 2331: ...The system divides the command line interface into multiple command views which adopts a hierarchical structure For example there is system view under user view and interface view and VLAN view under system view After you have configured the functions under the current view you can perform the following operations to exit the current view Follow the step below to exit the current view To do Use th...

Page 2332: ...r system view system view Set the time zone clock timezone zone name add minus zone offset Optional clock summer time zone name one off start time start date end time end date add time Set a daylight saving time scheme clock summer time zone name repeating start time start date end time end date add time Optional Use either command Displaying the system clock The system clock is decided by the com...

Page 2333: ...07 3 3 Display 03 00 00 zone time Sat 03 03 2007 If the original system clock is not in the daylight saving time range the original system clock is displayed Configure clock summer time ss one off 1 00 2006 1 1 1 00 2006 8 8 2 Display 01 00 00 UTC Sat 01 01 2005 3 If the original system clock is in the daylight saving time range the original system clock summer offset is displayed Configure clock ...

Page 2334: ... the original system clock zone offset is not in the summer time range the original system clock zone offset is displayed Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2005 1 1 1 00 2005 8 8 2 Display 04 00 00 ss Sat 01 01 2005 2 and 3 or 3 and 2 If the value of the original system clock zone offset is in the summer time range the original system clock zone offset ...

Page 2335: ...er quits user view after logging in to the device through the console port or AUX port The copyright information will not be displayed under other circumstances The display format of copyright information is as shown below Copyright c 2004 2009 3Com Corp and its licensors All rights reserved This software is protected by copyright law and international treaties Without the prior written permission...

Page 2336: ...ne is to input all the banner information right after the command keywords The start and end characters of the input text must be the same but are not part of the banner information In this case the input text together with the command keywords cannot exceed 510 characters The other is to input all the banner information in multiple lines by pressing the Enter key In this case up to 2000 character...

Page 2337: ... in any view Refer to Table 1 2 for hotkeys reserved by the system By default the Ctrl G Ctrl L and Ctrl O hotkeys are configured with command line and the Ctrl T and Ctrl U commands are NULL z Ctrl G corresponds to the display current configuration command z Ctrl L corresponds to the display ip routing table command z Ctrl O corresponds to the undo debugging all command Table 1 2 Hotkeys reserved...

Page 2338: ... the cursor as the ending of the clipboard These hotkeys are defined by the device When you interact with the device from terminal software these keys may be defined to perform other operations If so the definition of the terminal software will dominate Configuring Command Aliases You can replace the first keyword of a command supported by the device with your preferred keyword by configuring the ...

Page 2339: ... in they can only use commands at their own or lower levels All the commands are categorized into four levels which are visit monitor system and manage from low to high and identified respectively by 0 through 3 Table 1 3 describes the levels of the commands Table 1 3 Default command levels Level Privilege Description 0 Visit Involves commands for network diagnosis and commands for accessing an ex...

Page 2340: ...ux vty first num2 last num2 Configure the authentication mode for logging in to the user interface as scheme authentication mode scheme Required By default the authentication mode for VTY users is password and no authentication is needed for AUX users Exit to system view quit Configure the authentication mode for SSH users as password For the details refer to SSH2 0 Configuration in the Security V...

Page 2341: ...sername test and password 123 After passing the authentication users can only use the commands of level 0 If the users need to use commands of levels 0 1 2 and 3 the following configuration is required Sysname luser test authorization attribute level 3 3 Configure the user privilege level under a user interface If the user interface authentication mode is scheme when a user logs in and SSH publick...

Page 2342: ...ace to log in to the device authentication mode none password Optional By default the authentication mode for VTY user interfaces is password and AUX user interfaces do not need authentication Configure the privilege level of the user logging in from the current user interface user privilege level level Optional By default the user privilege level for users logging in from the console user interfa...

Page 2343: ... passwords and specify the user privilege levels as 2 Sysname system view Sysname user interface vty 0 4 Sysname ui vty0 4 authentication mode password Sysname ui vty0 4 set authentication password cipher 123 Sysname ui vty0 4 user privilege level 2 By default when users log in to the device through Telnet they can use the commands of level 0 after passing the authentication After you set the user...

Page 2344: ...he user passes the authentication the user privilege level will be switched successfully otherwise the user privilege level will remain unchanged With no local switch authentication password configured the AAA authentication is performed if the user passes the AAA authentication the user privilege level will be switched successfully otherwise the user privilege level will remain unchanged z scheme...

Page 2345: ...er is easily cracked z The timeout time of AAA authentication is 120 seconds after that the AAA authentication is considered as no response z The privilege level switch fails after three consecutive unsuccessful password attempts Switching user privilege level To avoid misoperations the administrators are recommended to log in to the device by using a lower privilege level and view device operatin...

Page 2346: ... higher level or improve device security Follow these steps to modify the command level To do Use the command Remarks Enter system view system view Configure the command level in a specified view command privilege level level view view command Required Refer to Table 1 3 for the default settings You are recommended to use the default command level or modify the command level under the guidance of ...

Page 2347: ... in the system Execution of the display diagnostic information command equals execution of the commands display clock display version display device and display current configuration one by one For the detailed description of the display users command refer to Login Commands in the System Volume CLI Features This section covers the following topics z Introduction to CLI z Online Help with Command ...

Page 2348: ...he types of online help available with the CLI z Full help z Fuzzy help To obtain the desired help information you can 1 Enter in any view to access all the commands in this view and brief description about them as well Sysname User view commands archive Specify archive settings backup Backup next startup configuration file to TFTP server boot loader Set boot loader bootrom Update read backup rest...

Page 2349: ...information output refers to the feature that if the user s input is interrupted by system output then after the completion of system output the system will display a command line prompt and your input so far and you can continue your operations from where you were stopped You can use the info center synchronous command to enable synchronous information output For the detailed description of this ...

Page 2350: ...command line you can use other shortcut keys For details see Table 1 2 besides the shortcut keys defined in Table 1 4 or you can define shortcut keys by yourself For details see Configuring CLI Hotkeys CLI Display With the output information filtering function you can quickly find the information you are interested in When there is a lot of information to be output the system displays the informat...

Page 2351: ...an match zo and zoo but not z Vertical bar used to match the whole string on the left or right of it For example def int can only match a character string containing def or int _ Underline If it is at the beginning or the end of a regular expression it equals or in other cases it equals comma space round bracket or curly bracket For example a_b can match a b or a b _ab can only match a line starti...

Page 2352: ...string ending with string For example do can match word undo or string abcdo bcharacter2 Used to match character1character2 character1 can be any character except number letter or underline and b equals A Za z0 9_ For example ba can match a with represents character1 and a represents character2 while ba cannot match 2a or ba Bcharacter It must match a string containing character and there can no s...

Page 2353: ...en information display pauses Continues to display information of the next line Press Ctrl C when information display pauses Stops the display and the command execution Ctrl E Moves the cursor to the end of the current line PageUp Displays information on the previous page PageDown Displays information on the next page Saving Commands in the History Buffer The CLI can automatically save the command...

Page 2354: ...cess the next history command Down arrow key or Ctrl N Displays the next history command if there is any You may use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet However the up arrow and down arrow keys are invalid in Windows 9X HyperTerminal because they are defined in a different way You can press Ctrl P or Ctrl N instead Command Line Error Information The comm...

Page 2355: ...ive Standby Mode for Service Ports on SRPUs 1 11 Configuring the Traffic Forwarding Mode of SRPUs 1 12 Configuring the Working Mode of LPUs 1 14 Introduction to the Working Mode of LPUs 1 14 Configuring the Working Mode of an EA LPU 1 14 Configuring the Working Mode of EB and SD LPUs 1 15 Enabling the Port Down Function Globally 1 16 Enabling Expansion Memory Data Recovery Function on a board 1 16...

Page 2356: ... Configuring the Scheduled Automatic Execution Function z Upgrading Device Software z Configuring Temperature Alarm Thresholds for a board z Clearing the 16 bit Interface Indexes Not Used in the Current System z Configuring the System Load Sharing Function z Enabling Active Standby Mode for Service Ports on SRPUs z Configuring the Traffic Forwarding Mode of SRPUs z Configuring the Working Mode of ...

Page 2357: ...nal Configuring the Exception Handling Method When the system detects any software abnormality it handles the situation with one of the following two methods z reboot The system recovers itself through automatic reboot z maintain The system maintains the current situation and does not take any measure to recover itself Therefore you need to recover the system manually such as reboot the system Som...

Page 2358: ...e exception handling method is effective to the failed member device only and does not influence the operations of other IRF members Rebooting a Device When a fault occurs to a running device you can remove the fault by rebooting the device depending on the actual situation You can reboot a device following any of the three methods z Power on the device after powering it off which is also called h...

Page 2359: ... default Available in user view z Distributed IRF device Follow the step below to reboot a device through command lines immediately To do Use the command Remarks Reboot a member device or all IRF member devices reboot chassis chassis number slot slot number Required The chassis keyword specifies a IRF member device If it is not provided the whole IRF is specified The slot keyword specifies a card ...

Page 2360: ...an active SRPU and standby SRPU switchover will occur distributed device z If a main boot file fails or does not exist the device cannot be rebooted with the reboot command In this case you can re specify a main boot file to reboot the device or you can power off the device then power it on and the system automatically uses the backup boot file to restart the device z If you are performing file op...

Page 2361: ...nds used to switch views such as system view quit and the commands used to modify status of a user that is executing commands such as super the operation interface command view and status of the current user are not changed after the automatic execution function is performed z If the system time is modified after the automatic execution function is configured the scheduled automatic execution conf...

Page 2362: ...ing FTP or TFTP 2 Use a command to specify the Boot ROM program for the next boot 3 Reboot the device to make the specified Boot ROM program take effect z Distributed device Since the Boot ROM programs of the SRPUs and line processing units LPUs vary with devices users are easily confused to make mistakes when upgrading Boot ROM With the validity check function enabled the device can strictly chec...

Page 2363: ...fy the boot file for the next boot of the active SRPU and standby SRPU respectively 4 Reboot the device to make the new boot file take effect z Distributed IRF device 1 Save the boot file to the root directory of the storage medium of the active SRPU of the IRF the active SRPU of the master using FTP TFTP or other approaches 2 Copy the new boot file to the root directory of the storage medium of t...

Page 2364: ...tributed device Configuring Temperature Alarm Thresholds for a board You can set temperature alarm thresholds for a card by using the following commands When the temperature of a card reaches the threshold the device will generate alarms Follow these steps to configure temperature alarm thresholds for a card distributed device To do Use the command Remarks Enter system view system view Configure t...

Page 2365: ...their interface indexes remain unchanged Follow these steps to clear the 16 bit interface indexes not used in the current system To do Use the command Remarks Clear the 16 bit interface indexes saved but not in use in the current systems of the active SRPU and the standby SRPU distributed device reset unused porttag Required Available in user view Clear the 16 bit interface indexes saved but not i...

Page 2366: ...n the LSQ1SRP2XB or LSQ1SRP12GB work in one of the following mode z Concurrent processing mode All services ports on both of the two SRPUs can forward data concurrently If the active and standby switchover occurs due to software failure all services ports on both of the two SRPUs still can forward data however if the active and standby switchover occurs due to hardware failure the service ports on...

Page 2367: ...1 Traffic forwarding modes supported by S7900E SRPUs SRPU model Supported traffic forwarding mode Feature Recommended application environment Enhanced Layer 2 forwarding mode Supporting selective QinQ Double tagged VLAN networks LSQ1SRP2XB LSQ1SRPB LSQ1MPUA LSQ1CGP24TS C LSQ1CGV24PS C LSQ1SRPD LSQ1SRP12GB Standard forwarding mode z Supporting QinQ z Powerful Layer 3 forwarding functions Common net...

Page 2368: ...2XB LSQ1SRPB LSQ1MPUA LSQ1CGP24TSC LSQ1CGV24PSC LSQ1SRPD or LSQ1SRP12GB To do Use the command Remarks Enter system view system view Configure the traffic forwarding mode of the SRPU switch mode l2 enhanced standard Optional standard by default Restore the default traffic forwarding mode undo switch mode Optional Follow these steps to configure traffic forwarding mode of LSQ1SRP1CB To do Use the co...

Page 2369: ...s mode in a Layer 2 network with a large MAC address table z Route extension mode The EB LPU can provide a 256K routing table and the SD LPU can provide 128K routing table It is recommended to use this mode in a Layer 3 network with a large routing table z Mixed extension mode The EB LPU can provide 258K MAC address table and 258K routing table the SD LPU can provide 64K MAC address table and 64K ...

Page 2370: ...andard routing routing z When the SRPU of the S7900E switch is LSQ1SRP1CB it is recommended not to modify the default working mode the EA LPUs as other modes z When the SRPU of the S7900E switch is LSQ1SRP2XB LSQ1SRPB LSQ1MPUA LSQ1CGP24TSC LSQ1CGV24PSC LSQ1SRPD or LSQ1SRP12GB if an EA LPU is connected to a Layer 2 forwarding network with a large number of MAC addresses you can modify the working m...

Page 2371: ...me or upgrade the software version for them for the first time after working mode switch the EB or SD LPU may be rebooted for once or twice because of system optimization which takes six to ten minutes Enabling the Port Down Function Globally With this function enabled if the SRPU is plugged out or reboots abnormally all service ports will be down immediately Follow these steps to enable the port ...

Page 2372: ...plication environment Whether can be an optical transceiver Whether can be an electrical transceiver SFP Small Form factor Pluggable Generally used for 100M 1000M Ethernet interfaces or POS 155M 622M 2 5G interfaces Yes Yes GBIC Gigabit Interface Converter Generally used for 1000M Ethernet interfaces Yes Yes XFP 10 Gigabit small Form factor Pluggable Generally used for 10G Ethernet interfaces Yes ...

Page 2373: ...nformation for you to diagnose and troubleshoot faults of pluggable transceivers Optical transceivers customized by H3C also support the digital diagnosis function which monitors the key parameters of a transceiver such as temperature voltage laser bias current TX power and RX power When these parameters are abnormal you can take corresponding measures to prevent transceiver faults Follow these st...

Page 2374: ...ew Display the power state of the device display power power id Available in any view Display the reboot time of a device display schedule reboot Available in any view Display detailed configurations of the scheduled automatic execution function display schedule job Available in any view Display the exception handling methods display system failure Available in any view Display the version update ...

Page 2375: ...le in any view Display detailed configurations of the scheduled automatic execution function display schedule job Available in any view Display the reboot time of a device display schedule reboot Available in any view Display the exception handling methods display system failure Available in any view Display the version update records of the active SRPU software Boot file display version update re...

Page 2376: ...cess to the aaa directory FTP Server luser aaa service type ftp FTP Server luser aaa authorization attribute level 3 z Configuration on Device If the size of the flash on the device is not large enough delete the original application programs from the Flash before downloading Before upgrade execute the save command to save the current configuration configuration procedure is omitted Log in to the ...

Page 2377: ...e boot loader file slot1 flash soft version2 app slot 1 main Reboot the device The software version is upgraded now Device reboot After the device reboots use the display version command to check if the upgrade is successful RemoteUpgradeConfigurationExample DistributedIRFDevice Network requirements z As shown in Figure 1 3 the current software version is soft version1 for the IRF system Upgrade t...

Page 2378: ...nt types of servers IRF tftp 2 2 2 2 get new config cfg File will be transferred in binary mode Downloading file from remote TFTP server please wait TFTP 917 bytes received in 1 second s File downloaded successfully IRF tftp 2 2 2 2 get new config cfg chassis1 slot1 flash new config cfg Download file new config cfg to the SRPU of Slave IRF tftp 2 2 2 2 get new config cfg chassis2 slot0 flash new c...

Page 2379: ...Continue Y N y The specified file will be used as the main boot file at the next reboot on chassis 1 slot 0 IRF boot loader file chassis1 slot1 flash soft version2 app chassis 1 slot 1 main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot file at the next reboot on chassis 1 slot 1 IRF boot loader file chassis2 slot0 flash s...

Page 2380: ...the Space of a Storage Medium 1 7 Mounting Unmounting a Storage Medium 1 7 Setting File System Prompt Modes 1 8 File System Operations Example 1 8 2 Configuration File Management 2 1 Configuration File Overview 2 1 Types of Configuration 2 1 Format and Content of a Configuration File 2 1 Coexistence of Multiple Configuration Files 2 1 Startup with the Configuration File 2 2 Saving the Current Conf...

Page 2381: ... for the Next System Startup 2 9 Backing Up the Startup Configuration File 2 10 Deleting the Startup Configuration File for the Next Startup 2 10 Restoring the Startup Configuration File 2 11 Displaying and Maintaining Device Configuration 2 11 ...

Page 2382: ...r information you are interested in z File System z Directory Operations z File Operations z Batch Operations z Storage Medium Operations z Setting File System Prompt Modes z File System Operations Example File System File System Overview A major function of the file system is to manage storage media It allows you to perform operations such as directory create and delete and file copy and display ...

Page 2383: ... the display device command to view the correspondence between a board and its slot number 1 to 135 characters flash test a cfg indicates a file named a cfg in the test folder under the root directory of the flash memory on the AMB To read and write the a cfg file under the root directory of the flash on the SMB with the slot number 1 input slot1 flash a cfg for the filename Filename formats distr...

Page 2384: ...mory on the AMB of the IRF To read and write the a cfg file under the root directory of the flash on an SMB of the IRF the member ID and slot number of the SMB are 2 and 5 respectively input chassis2 slot5 flash a cfg for the filename Directory Operations Directory operations include creating removing a directory displaying the current working directory displaying the specified directory or file i...

Page 2385: ...tion refer to the delete command for subdirectory deletion refer to the rmdir command z After you execute the rmdir command successfully the files in the recycle bin under the directory will be automatically deleted File Operations File operations include displaying the specified directory or file information displaying file contents renaming copying moving removing restoring and deleting files Yo...

Page 2386: ...eurl source fileurl dest Required Available in user view Copying a File To do Use the command Remarks Copy a file copy fileurl source fileurl dest Required Available in user view Moving a File To do Use the command Remarks Move a file move fileurl source fileurl dest Required Available in user view Deleting a File To do Use the command Remarks Move a file to the recycle bin or delete it permanentl...

Page 2387: ...w Emptying the Recycle Bin To do Use the command Remarks Enter the original working directory of the file to be deleted cd directory Optional If the original directory of the file to be deleted is not the current working directory this command is required Available in user view Delete the file under the current directory and in the recycle bin reset recycle bin force Required Available in user vie...

Page 2388: ...the space of a storage medium fixdisk device Optional Available in user view Format a storage medium format device FAT16 FAT32 Optional FAT16 and FAT32 are not applicable to a flash card Available in user view z When you format a storage medium all the files stored on it are erased and cannot be restored In particular if there is a startup configuration file on the storage medium formatting the st...

Page 2389: ...ons on it do not unplug or switchover the storage medium or the card where the storage medium resides Otherwise the file system could be damaged z Before removing a mounted storage medium from the system you should first unmount it to avoid damaging the storage medium Setting File System Prompt Modes The file system provides the following two prompt modes z alert In this mode the system warns you ...

Page 2390: ...t under the test directory Sysname cd test Sysname mkdir mytest Created dir flash test mytest Display the current working directory Sysname pwd flash test Display the files and the subdirectories under the test directory Sysname dir Directory of flash test 0 drw Feb 16 2006 15 28 14 mytest 64389 KB total 2519 KB free Return to the upper directory Sysname cd Display the current working directory Sy...

Page 2391: ...n that is using the default parameters z Current configuration which refers to the currently running configuration of the system The current configuration may include the startup configuration if the startup configuration is not modified during system operation and it also includes the new configuration added during the system operation The current configuration is stored in the temporary storage ...

Page 2392: ...ng the consistency of the configuration files on the AMB and SMB z If the configuration file auto save function is not enabled when you save the current configuration by executing the save safely command or executing the save filename all command and then pressing Enter only the AMB will automatically save the current configuration to the specified configuration file and use the file as the config...

Page 2393: ...he file more slowly but can retain the configuration file in the device even if the device reboots or the power fails during the process The fast saving mode is suitable for environments where power supply is stable The safe mode however is preferred in environments where stable power supply is unavailable or remote maintenance is involved Follow the steps below to save the current configuration d...

Page 2394: ...o Save distributed IRF device z During the execution of the save safely command the startup configuration file to be used at the next system startup may be lost if the device reboots or the power supply fails In this case the device will boot with the null configuration and after the device reboots you need to re specify a startup configuration file for the next system startup refer to Specifying ...

Page 2395: ...xecutes the commands only present in the replacement configuration file but not in the current configuration file z The rollback operation removes the commands that are different in the replacement configuration file and in the current configuration file and then executes them according to the replacement configuration file z The current running configuration is only saved to the AMB and only the ...

Page 2396: ...iles If you change the path of the saved configuration files the files in the original path become common configuration files and are not processed as saved configuration files The number of saved configuration files has an upper limit After the maximum number of files is saved the system deletes the oldest files when the next configuration file is saved Follow these steps to configure parameters ...

Page 2397: ...ration files are cleared z The value of the file number argument is determined by the memory space You are recommended to set a comparatively small value for the file number argument if the available memory space is small Saving the Current Running Configuration Automatically You can configure the system to save the current running configuration at a specified interval and use the display archive ...

Page 2398: ...u can save the current running configuration manually before you modify it Therefore if it really fails the device can revert to the configuration state before the modification Follow the step below to save the current running configuration manually To do Use the command Remarks Save the current running configuration manually archive configuration Required Available in user view The path and filen...

Page 2399: ...ation file to be used at the next system startup You can specify a configuration file as the startup configuration file to be used at the next system startup in the following two ways z Use the save command If you save the current configuration to the specified configuration file in the interactive mode the system automatically sets the file as the configuration file to be used at the next system ...

Page 2400: ...play startup command in user view to see whether you have set the startup configuration file and use the dir command to see whether this file exists If the file is set as NULL or does not exist the backup operation will fail Deleting the Startup Configuration File for the Next Startup You can delete the startup configuration file to be used at the next system startup using commands You may need to...

Page 2401: ... To do Use the command Remarks Restore the startup configuration file to be used at the next system startup restore startup configuration from src addr src filename Required Available in user view z Before restoring a configuration file you should ensure that the server is reachable the server is enabled with TFTP service and the client has read and write permission z After the command is successf...

Page 2402: ...y the current configuration display current configuration configuration configuration interface interface type interface number by linenum begin include exclude text Available in any view For detailed description of the display this and display current configuration commands refer to Basic System Configuration Commands in the System Volume ...

Page 2403: ...ration 1 3 Configuring SNMP Logging 1 5 Introduction to SNMP Logging 1 5 Enabling SNMP Logging 1 5 Configuring SNMP Trap 1 6 Enabling the Trap Function 1 6 Configuring Trap Parameters 1 7 Displaying and Maintaining SNMP 1 9 SNMPv1 SNMPv2c Configuration Example 1 9 SNMPv3 Configuration Example 1 10 SNMP Logging Configuration Example 1 12 ...

Page 2404: ...SNMP makes the management tasks independent of both the physical features of the managed devices and the underlying networking technologies Thus SNMP achieves effective management of devices from different vendors especially in small high speed and low cost network environments SNMP Mechanism An SNMP enabled network comprises a Network Management Station NMS and agents z An NMS is a station that r...

Page 2405: ...s used to encrypt packets between the NMS and agents preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy authentication without privacy or no authentication no privacy Successful interaction between an NMS and the agents requires consistency of SNMP versions configured on them You can configure multipl...

Page 2406: ...aults are as follows 3Com Corporation for contact Marlborough MA 01752 USA for location and SNMP v3 for the version Configure a local engine ID for an SNMP entity snmp agent local engineid engineid Optional Company ID and device ID by default Create or update the MIB view content for an SNMP agent snmp agent mib view excluded included view name oid tree mask mask value Optional The MIB view name i...

Page 2407: ...quired The defaults are as follows 3Com Corporation for contact Marlborough MA 01752 USA for location and SNMP v3 for the version Configure a local engine ID for an SNMP entity snmp agent local engineid engineid Optional Company ID and device ID by default Create or update MIB view content for an SNMP agent snmp agent mib view excluded included view name oid tree mask mask value Optional The MIB v...

Page 2408: ...index of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system prompt information With parameters for the information center configured the output rules for SNMP logs are decided that is whether the logs are permitted to display and the output destinations SNMP logs Get requests Set requests and Set responses ...

Page 2409: ...raps which are generated by different modules As traps that occupy large device memory affect device performance it is recommended not to enable the trap function for all modules but for the specific modules as needed With the trap function enabled on a module the traps generated by the module will be sent to the information center The information center has seven information output destinations B...

Page 2410: ...tate changes you need to enable the trap function of interface state changes on an interface and globally Use the enable snmp trap updown command to enable the trap function on an interface and use the snmp agent trap enable standard linkdown linkup command to enable this function globally Configuring Trap Parameters Configuration prerequisites To send traps to the NMS you need to make the followi...

Page 2411: ...traps defined in RFC snmp agent trap if mib link extended Optional Standard linkUp linkDown traps defined in RFC are used by default Configure the size of the trap send queue snmp agent trap queue size size Optional 100 by default Configure the holding time of the traps in the queue snmp agent trap life seconds Optional 120 seconds by default z An extended linkUp linkDown trap is the standard link...

Page 2412: ...nmp agent trap list Display SNMPv3 agent user information display snmp agent usm user engineid engineid username user name group group name Display SNMPv1 or v2c agent community information display snmp agent community read write Display MIB view information for an SNMP agent display snmp agent mib view exclude include viewname view name Available in any view SNMPv1 SNMPv2c Configuration Example N...

Page 2413: ...rget host command is the same with that on the NMS otherwise the NMS cannot receive any trap 2 Configuring the SNMP NMS With SNMPv1 v2c the user needs to specify the read only community the read and write community the timeout time and number of retries The user can inquire and configure the device through the NMS The configurations on the agent and the NMS must match 3 Verify the configuration z ...

Page 2414: ...ntact person and physical location information of the device Sysname snmp agent sys info contact Mr Wang Tel 3306 Sysname snmp agent sys info location telephone closet 3rd floor Enable sending of traps to the NMS with an IP address of 1 1 1 2 24 using public as the community name Sysname snmp agent trap enable Sysname snmp agent target host trap address udp domain 1 1 1 2 udp port 5000 params secu...

Page 2415: ...Pv1 SNMPv2c Configuration Example and SNMPv3 Configuration Example Enable logging display on the terminal This function is enabled by default so that you can omit this configuration Sysname terminal monitor Sysname terminal logging Enable the information center to output the system information with the severity level equal to or higher than informational to the console port Sysname system view Sys...

Page 2416: ...s of the NMS op SNMP operation type GET or SET node Node name of the SNMP operations and OID of the instance erroIndex Error index with 0 meaning no error errorstatus Error status with noError meaning no error value Value set when the SET operation is performed This field is null meaning the value obtained with the GET operation is not logged When the value is a string of characters and the string...

Page 2417: ...et Statistics Function 1 4 Configuring the RMON History Statistics Function 1 4 Configuring the RMON Alarm Function 1 5 Configuration Prerequisites 1 5 Configuration Procedure 1 5 Displaying and Maintaining RMON 1 6 Ethernet Statistics Group Configuration Example 1 6 History Group Configuration Example 1 7 Alarm Group Configuration Example 1 9 Private Alarm Group Configuration Example 1 11 ...

Page 2418: ...port rate reaches a certain value or the potion of broadcast packets received in the total packets reaches a certain value Both the RMON protocol and the Simple Network Management Protocol SNMP are used for remote network management z RMON is implemented on the basis of the SNMP which is thus enhanced RMON sends traps to the management device to notify the abnormality of the alarm variables by usi...

Page 2419: ... statistics group defines that the system collects statistics on various traffic information on an interface at present only Ethernet interfaces are supported and saves the statistics in the Ethernet statistics table ethernetStatsTable for query convenience of the management device It provides statistics about network collisions CRC alignment errors undersize oversize packets broadcasts multicasts...

Page 2420: ... of alarm variables and compares the result with the defined threshold thereby realizing a more comprehensive alarming function System handles the prialarm alarm table entry as defined by the user in the following ways z Periodically samples the prialarm alarm variables defined in the prialarm formula z Calculates the sampled values based on the prialarm formula z Compares the result with the defi...

Page 2421: ...the RMON history statistics function To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Create an entry in the RMON history control table rmon history entry number buckets number interval sampling interval owner text Required z The entry number must be globally unique and cannot be used on another interface otherwise ...

Page 2422: ...number description string log log trap log trapcommunity none trap trap community owner text Required Create an entry in the alarm table rmon alarm entry number alarm variable sampling interval absolute delta rising threshold threshold value1 event entry1 falling threshold threshold value2 event entry2 owner text Create an entry in the private alarm table rmon prialarm entry number prialarm formul...

Page 2423: ...ble in any view Display the RMON history control entry and history sampling information display rmon history interface type interface number Available in any view Display RMON alarm configuration information display rmon alarm entry number Available in any view Display RMON prialarm configuration information display rmon prialarm entry number Available in any view Display RMON events configuration...

Page 2424: ...kts 307 etherStatsBroadcastPkts 56 etherStatsMulticastPkts 34 etherStatsUndersizePkts 0 etherStatsOversizePkts 0 etherStatsFragments 0 etherStatsJabbers 0 etherStatsCRCAlignErrors 0 etherStatsCollisions 0 etherStatsDropEvents insufficient resources 0 Packets received according to length 64 235 65 127 67 128 255 4 256 511 1 512 1023 0 1024 1518 0 z Obtain the value of the MIB node directly by execu...

Page 2425: ...itEthernet2 0 1 display rmon history HistoryControlEntry 2 owned by null is VALID Samples interface GigabitEthernet2 0 1 ifIndex 19 Sampling interval 10 sec with 8 buckets max Sampled values of record 1 dropevents 0 octets 834 packets 8 broadcast packets 1 multicast packets 6 CRC alignment errors 0 undersize packets 0 oversize packets 0 fragments 0 jabbers 0 collisions 0 utilization 0 Sampled valu...

Page 2426: ...6 CRC alignment errors 0 undersize packets 0 oversize packets 0 fragments 0 jabbers 0 collisions 0 utilization 0 Sampled values of record 8 dropevents 0 octets 1154 packets 13 broadcast packets 1 multicast packets 6 CRC alignment errors 0 undersize packets 0 oversize packets 0 fragments 0 jabbers 0 collisions 0 utilization 0 z Obtain the value of the MIB node directly by executing the SNMP Get ope...

Page 2427: ... snmp agent target host trap address udp domain 1 1 1 2 params securityname public Configure RMON to gather statistics on interface GigabitEthernet 2 0 1 Sysname interface GigabitEthernet 2 0 1 Sysname GigabitEthernet2 0 1 rmon statistics 1 owner user1 Sysname GigabitEthernet2 0 1 quit Create an RMON alarm entry that when the delta sampling value of node 1 3 6 1 2 1 16 1 1 1 4 1 exceeds 100 or is ...

Page 2428: ...pe 2 has sampled alarm value 0 less than or 50 Private Alarm Group Configuration Example Network requirements As shown in Figure 1 4 monitor the utilization rate of interface GigabitEthernet 2 0 1 when it is receiving packets When the utilization rate is higher than 80 the system logs the event locally and sends a trap to the NMS when the utilization rate is lower than 5 the system only logs the e...

Page 2429: ...on prialarm 1 1 3 6 1 2 1 16 1 1 1 4 1 8 1 3 6 1 2 1 16 1 1 1 5 1 16 100 1 3 6 1 2 1 2 2 1 5 1 1 0 SpeedRatio 10 delta rising threshold 80 1 falling threshold 5 2 entrytype forever owner v3user The OID of node etherStatsOctets 1 is 1 1 3 6 1 2 1 16 1 1 1 4 1 which indicates the number of bytes received on interface GigabitEthernet2 0 1 the OID of node etherStatsPkts 1 is 1 1 3 6 1 2 1 16 1 1 1 5 1...

Page 2430: ...ng the MAC Learning Limit 1 7 Displaying and Maintaining MAC Address Tables 1 7 MAC Address Table Configuration Example 1 8 2 MAC Information Configuration 2 1 Overview 2 1 Introduction to MAC Information 2 1 How MAC Information Works 2 1 Configuring MAC Information 2 1 Enabling MAC Information Globally 2 1 Enabling MAC Information on an Interface 2 2 Configuring MAC Information Mode 2 2 Configuri...

Page 2431: ...ce this device is connected and to which VLAN the interface belongs When forwarding a frame the device first looks up the MAC address table by the destination MAC address of the frame for the outgoing port If the outgoing port is found the frame is forwarded rather than broadcast Thus broadcasts are reduced How a MAC Address Table Entry Is Created A MAC address table entry can be dynamically learn...

Page 2432: ...s prevent hackers from stealing data using forged MAC addresses Types of MAC Address Table Entries A MAC address table may contain these types of entries z Static entries which are manually configured and never age out z Dynamic entries which can be manually configured or dynamically learned and may age out z Blackhole entries which are manually configured and never age out Blackhole entries are c...

Page 2433: ...s table automatically by learning the source MAC addresses of received frames To improve port security you can manually add MAC address entries to the MAC address table to bind ports with MAC addresses thus fending off MAC address spoofing attacks In addition you can configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses Follow these steps to...

Page 2434: ...rent interface only Add modify MAC address entries under the specified interface view mac address dynamic static mac address vlan vlan id Required z When using the mac address command to add a MAC address entry the current interface must belong to the VLAN specified by the vlan keyword and the VLAN must already exist Otherwise you will fail to add this MAC address entry z When using the mac addres...

Page 2435: ...rface view interface interface type interface number Enter port group view port group manual port group name Enter Ethernet interface view port group view or Layer 2 aggregate interface view Enter Layer 2 aggregate interface view interface bridge aggregation interface number Required Use any of the three commands Configurations made in Ethernet interface view or Layer 2 aggregate interface view ta...

Page 2436: ... mechanism for dynamic entries In this way dynamic MAC address entries that are not updated within their aging time will be deleted to make room for new entries and the MAC address table can be timely updated to accommodate the latest network changes Set the aging timer appropriately a long aging interval may cause the MAC address table to retain outdated entries exhaust the MAC address table reso...

Page 2437: ...ps to configure the MAC learning limit on an Ethernet port or the Ethernet ports in a port group or ONU port To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter port group view port group manual port group name Enter Ethernet interface view port group view or ONU port view Enter ONU port view interface onu interf...

Page 2438: ...ng timer for dynamic MAC address entries to 500 seconds Configuration procedure Add a static MAC address entry Sysname system view Sysname mac address static 000f e235 dc71 interface gigabitethernet 2 0 1 vlan 1 Add a destination blackhole MAC address entry Sysname mac address blackhole 000f e235 abcd vlan 1 Set the aging timer for dynamic MAC address entries to 500 seconds Sysname mac address tim...

Page 2439: ...ation Works When a new MAC address is learned or an existing MAC address is deleted on a device the device writes related information about the MAC address to the buffer area used to store user information When the timer set for sending MAC address monitoring Syslog or trap messages expires or when the buffer is used up the device sends the Syslog or trap messages to the monitor end immediately Co...

Page 2440: ...ng the Interval for Sending Syslog or Trap Messages To prevent Syslog or trap messages being sent too frequently and thus affecting system performance you can set the interval for sending Syslog or trap messages Follow these steps to set the interval for sending Syslog or trap messages To do Use the command Remarks Enter system view system view Set the interval for sending Syslog or trap messages ...

Page 2441: ...ure 2 1 Network diagram for MAC Information configuration Configuration procedure 1 Configure Device to send Syslog messages to Host B Refer to Information Center Configuration in the System Volume for details 2 Enable MAC Information Enable MAC Information on Device Device system view Device mac address information enable Configure MAC Information mode as Syslog Device mac address information mod...

Page 2442: ...2 4 Set the interval for sending Syslog or trap messages to 20 seconds Device mac address information interval 20 ...

Page 2443: ...nd Debugging 1 1 Ping 1 1 Introduction 1 1 Configuring Ping 1 1 Ping Configuration Example 1 2 Tracert 1 4 Introduction 1 4 Configuring Tracert 1 4 System Debugging 1 5 Introduction to System Debugging 1 5 Configuring System Debugging 1 6 Ping and Tracert Configuration Example 1 7 ...

Page 2444: ... the destination device 2 The source device determines whether the destination is reachable based on whether it receives an ICMP echo reply if the destination is reachable the source device determines the link quality based on the numbers of ICMP echo requests sent and replies received determines the distance between the source and destination based on the round trip time of ping packets Configuri...

Page 2445: ...en the two devices get the detailed information of routes from Device A to Device C Figure 1 1 Ping network diagram Configuration procedure Use the ping command to display whether an available route exists between Device A and Device C DeviceA ping 1 1 2 2 PING 1 1 2 2 56 data bytes press CTRL_C to break Reply from 1 1 2 2 bytes 56 Sequence 1 ttl 254 time 205 ms Reply from 1 1 2 2 bytes 56 Sequenc...

Page 2446: ... 2 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 11 53 ms The principle of ping r is as shown in Figure 1 1 1 The source Device A sends an ICMP echo request with the RR option being empty to the destination Device C 2 The intermediate device Device B adds the IP address 1 1 2 1 of its outbound interface to the RR option of the ICMP echo requ...

Page 2447: ...es the packet responds by sending a TTL expired ICMP error message to the source with its IP address 1 1 1 2 encapsulated In this way the source device can get the address 1 1 1 2 of the first Layer 3 device 3 The source device sends a packet with a TTL value of 2 to the destination device 4 The second hop Device C responds with a TTL expired ICMP error message which gives the source device the ad...

Page 2448: ...r the introduction to the tracert lsp command refer to MPLS Basics Commands in the MPLS Volume System Debugging Introduction to System Debugging The device provides various debugging functions For the majority of protocols and features supported the system provides corresponding debugging information to help users diagnose errors The following two switches control the display of debugging informat...

Page 2449: ... You can also output debugging information to other destinations For the detailed configurations refer to Information Center Commands in the System Volume By default you can output debugging information to a terminal by following these steps To do Use the command Remarks Enable the terminal monitoring of system information terminal monitor Optional The terminal monitoring on the console is enabled...

Page 2450: ...need to locate the failed nodes in the network Figure 1 4 Ping and tracert network diagram Configuration procedure Use the ping command to display whether an available route exists between Device A and Device C DeviceA ping 1 1 2 2 PING 1 1 2 2 56 data bytes press CTRL_C to break Request time out Request time out Request time out Request time out Request time out 1 1 2 2 ping statistics 5 packet s...

Page 2451: ... B an error occurred on the connection between Device B and Device C In this case you can use the debugging ip icmp command to enable ICMP debugging on Device A and Device C to check whether the devices send or receive the specified ICMP packets or you can use the display ip routing table command to display whether a route exists between the two devices ...

Page 2452: ... Information to the Console 1 7 Outputting System Information to a Monitor Terminal 1 8 Outputting System Information to a Log Host 1 9 Outputting System Information to the Trap Buffer 1 10 Outputting System Information to the Log Buffer 1 11 Outputting System Information to the SNMP Module 1 12 Saving System Information to a Log File 1 13 Configuring Synchronous Information Output 1 13 Disabling ...

Page 2453: ...ors and developers in monitoring network performance and diagnosing network problems The following describes the working process of information center z Receives the log trap and debugging information generated by each module z Outputs the above information to different information channels according to the user defined output rules z Outputs the information to different destinations based on the ...

Page 2454: ...hree types z Log information z Trap information z Debugging information Eight Levels of System Information The information is classified into eight levels by severity The severity levels in the descending order are emergency alert critical error warning notice informational and debug When the system information is output by level the information with severity level higher than or equal to the spec...

Page 2455: ... channels and output destinations can be changed through commands Besides you can configure channels 6 7 and 8 without changing the default configuration of the seven channels Table 1 2 Information channels and output destinations Information channel number Default channel name Default output destination Description 0 console Console Receives log trap and debugging information 1 monitor Monitor te...

Page 2456: ...to be output to the log file log information with severity level equal to or higher than informational is allowed to be output to the log host log information with severity level equal to or higher than warning is allowed to be output to the console monitor terminal and log buffer log information is not allowed to be output to the trap buffer and the SNMP module z All trap information is allowed t...

Page 2457: ...P or log file the system information is in the following format timestamp sysname module level digest content For example a monitor terminal connects to the device When a terminal logs in to the device the log information in the following format is displayed on the monitor terminal Jun 26 17 08 35 809 2008 Sysname SHELL 4 LOGIN VTY login from 1 1 1 1 z If the output destination is the log host the...

Page 2458: ...dify the system name Refer to Basic System Configuration Commands in the System Volume for details This field is a preamble used to identify a vendor It is displayed only when the output destination is log host nn This field is a version identifier of syslog It is displayed only when the output destination is log host module The module field represents the name of the module that generates system ...

Page 2459: ...a Log Host Optional Outputting System Information to the Trap Buffer Optional Outputting System Information to the Log Buffer Optional Outputting System Information to the SNMP Module Optional Saving System Information to a Log File Optional Configuring Synchronous Information Output Optional Outputting System Information to the Console Outputting system information to the console To do Use the co...

Page 2460: ... command Remarks Enable the monitoring of system information on the console terminal monitor Optional Enabled on the console and disabled on the monitor terminal by default Enable the display of debugging information on the console terminal debugging Required Disabled by default Enable the display of log information on the console terminal logging Optional Enabled by default Enable the display of ...

Page 2461: ... monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Follow these steps to enable the display of system information on a monitor terminal To do Use the command Remarks Enable the monitoring of system information on a monitor terminal terminal monitor Required Enabled on the console and disabled on the monitor termin...

Page 2462: ...nal Refer toDefault Output Rules of System Information Specify the source IP address for the log information info center loghost source interface type interface number Optional By default the source interface is determined by the matched route and the primary IP address of this interface is the source IP address of the log information Configure the format of the time stamp for system information o...

Page 2463: ... You can configure to output log trap and debugging information to the log buffer but the log buffer receives the log and debugging information only and discards the trap information To do Use the command Remarks Enter system view system view Enable information center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number ...

Page 2464: ...o the SNMP module To do Use the command Remarks Enter system view system view Enable information center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can be output to the SNMP module info ...

Page 2465: ...c Optional The default value is 86 400 seconds Configure the maximum storage space reserved for a log file info center logfile size quota size Optional The default value is 1 MB Configure the directory to save the log file info center logfile switch directory dir name Optional By default the directory to save the log file is the logfile directory under root directory of the CF card Manually save t...

Page 2466: ...ystem will not display the command line prompt but your previous input in a new line Disabling a Port from Generating Link Up Down Logging Information By default all the ports of the device generate link up down logging information when the port state changes Therefore you may need to use this function in some cases for example z You only concern the states of some of the ports In this case you ca...

Page 2467: ...w Display the state of the log buffer and the log information recorded on a distributed IRF device display logbuffer reverse level severity size buffersize chassis chassis number slot slot number begin exclude include regular expression Available in any view Display a summary of the log buffer on a distributed device display logbuffer summary level severity slot slot number Available in any view D...

Page 2468: ...information of all modules on channel loghost Sysname info center source default channel loghost debug state off log state off trap state off As the default system configurations for different channels are different you need to disable the output of log trap and debugging information of all modules on the specified channel loghost in this example first and then configure the output rule as needed ...

Page 2469: ...conf file must be identical to those configured on the device using the info center loghost and info center source commands otherwise the log information may not be output properly to the log host Step 4 After log file info log is created and file etc syslog conf is modified you need to issue the following commands to display the process ID of syslogd kill the syslogd process and then restart sysl...

Page 2470: ...of log trap and debugging information of all modules on the specified channel loghost in this example first and then configure the output rule as needed so that unnecessary information will not be output Configure the information output rule allow log information of all modules with severity equal to or higher than informational to be output to the log host Sysname info center source default chann...

Page 2471: ...the log information may not be output properly to the log host Step 4 After log file info log is created and file etc syslog conf is modified you need to issue the following commands to display the process ID of syslogd kill the syslogd process and restart syslogd using the r option to make the modified configuration take effect ps ae grep syslogd 147 kill 9 147 syslogd r Ensure that the syslogd p...

Page 2472: ...e output Configure the information output rule allow log information of ARP and IP modules with severity equal to or higher than informational to be output to the console Note that the source modules allowed to output information depend on the device model Sysname info center source arp channel console log level informational state on Sysname info center source ip channel console log level informa...

Page 2473: ...um PSE Power 1 7 Configuring the Maximum PoE Interface Power 1 7 Configuring PoE Power Management 1 7 Configuring PSE Power Management 1 8 Configuring PoE Interface Power Management 1 8 Configuring the PoE Monitoring Function 1 10 Configuring PoE Power Supply Monitoring 1 10 Configuring PSE Power Monitoring 1 11 Monitoring PD 1 11 Configuring PoE Interface through PoE Profile 1 11 Configuring PoE ...

Page 2474: ...oE Interface through PoE Profile z Upgrading PSE Processing Software in Service z Displaying and Maintaining PoE z PoE Configuration Example z Troubleshooting PoE PoE Overview Introduction to PoE Power over Ethernet PoE means that power sourcing equipment PSE supplies power to powered devices PDs from Ethernet interfaces through twisted pair cables Advantages z Reliable Power is supplied in a cent...

Page 2475: ... follows the slot number of LPU x 3 1 For example if the slot number is 3 the PSE ID is 3 x 3 1 z After the S7900E series Ethernet switch configured the IRF the formula for calculating PSE IDs is as follows the slot number of chassis 1 x 14 slot number of LPU x 3 1 For example if the chassis number is 3 and the slot number is 4 the PSE ID is 3 1 x14 4 x 3 1 A PSE can examine the Ethernet cables co...

Page 2476: ...or a PoE Interface Required Detecting PDs Enabling the PSE to Detect Nonstandard PDs Optional Configuring the Maximum PoE Power Optional Configuring the Maximum PSE Power Optional Configuring the PoE Power Configuring the Maximum PoE Interface Power Optional Configuring PSE Power Management Optional Configuring PoE Power Management Configuring PoE Interface Power Management Optional Configuring Po...

Page 2477: ...are not allowed to enable PoE for the PSE z If the PSE is enabled with the PoE power management function you are allowed to enable PoE for the PSE whether the PSE can supply power depends on other factors for example the power supply priority of the PSE Follow these steps to enable PoE for a PSE To do Use the command Remarks Enter system view system view Enable PoE for the PSE poe enable pse pse i...

Page 2478: ...smitting data in category 3 5 twisted pair cables to supply DC power to PDs z When the sum of the power consumption of all powered PoE interfaces on a PSE exceeds the maximum power of the PSE the system considers the PSE is overloaded The maximum PSE power is decided by the user configuration z Which PoE interface power supply mode is selected depends on the specifications of PDs A PSE can supply ...

Page 2479: ...ware factor determining the maximum PoE power z User configuration through command lines PoE power supply has self protection mechanism with which hardware protection measures will be taken for example stopping power supply to all PSEs in case of PoE power overload To avoid possible hardware protection the device allows you to configure a maximum PoE power assuming the value is M2 which should be ...

Page 2480: ...aximum power of the PSE must be greater than or equal to the sum of maximum power of all critical PoE interfaces on the PSE to guarantee the power supply to these PoE interfaces Configuring the Maximum PoE Interface Power The maximum PoE interface power is the maximum power that the PoE interface can provide to the connected PD If the power required by the PD is larger than the maximum PoE interfa...

Page 2481: ...um power of the PSE you will fail to set the power priority of the PSE to critical Otherwise you can succeed in setting the power priority to critical and this PSE will preempt the power of the PSE with a lower priority level In the latter case the PSE whose power is preempted will be disconnected but its configuration will remain unchanged After you change the priority of the PSE from critical to...

Page 2482: ... PD power results in PSE power overload power supply to the PD on the PoE interface with a lower priority will be stopped to ensure the power supply to the PD with a higher priority If the guaranteed remaining PSE power the maximum PSE power minus the power allocated to the critical PoE interface regardless of whether PoE is enabled for the PoE interface is lower than the maximum power of the PoE ...

Page 2483: ...der voltage threshold for the PoE power supply poe power input threshold lower value Optional The default AC input under voltage threshold is 90 00 Configure an AC input under voltage threshold for the PoE power supply distributed IRF device poe power input threshold chassis chassis number lower value Optional The default AC input under voltage threshold is 90 00 Configure an AC input over voltage...

Page 2484: ...onfigure a PoE interface in either of the following two ways z Using command lines z Using a PoE profile and applying the PoE profile to the specified PoE interface s When configuring a single PoE interface you can use command lines when you configure PoE interfaces in batches you can use a PoE profile A PoE profile is a collection of configurations containing multiple PoE features On large scale ...

Page 2485: ...t be configured modified and deleted in only one way If a parameter configured in a way for example through command lines is then configured in the other way for example through PoE profile the latter configuration fails and the original one is still effective To make the latter configuration effective you must cancel the original one first Applying PoE Profile You can apply a PoE profile in eithe...

Page 2486: ...E processing software and reloads it If the PSE processing software is damaged in this case you can execute none of PoE commands successfully you can upgrade the PSE processing software in full mode to restore the PSE function In service PSE processing software upgrade may be unexpectedly interrupted for example an error results in device reboot If you fail to upgrade the PSE processing software i...

Page 2487: ...cted with the PSE display poe pse pse id interface power Display information of the PoE power supply display poe power Display information of the PoE power supply distributed IRF device display poe power chassis chassis number Display the state information of the AC input power supply display poe power ac input state Display the state information of the AC input power supply distributed IRF device...

Page 2488: ... poe profile index index name profile name Display all information of the configurations and applications of the PoE profile applied to the specified PoE interface display poe profile interface interface type interface number PoE Configuration Example Network requirements As shown in Figure 1 2 z The device is equipped with two PoE supporting cards which are inserted in Slot 3 and Slot 5 respectiv...

Page 2489: ...net5 0 1 poe enable Sysname GigabitEthernet5 0 1 quit Enable PoE on GigabitEthernet 3 0 2 and set its power priority to critical Sysname interface gigabitethernet 3 0 2 Sysname GigabitEthernet3 0 2 poe enable Sysname GigabitEthernet3 0 2 poe priority critical Sysname GigabitEthernet3 0 2 quit Enable PoE on GigabitEthernet 5 0 2 and set its maximum power to 9000 milliwatts Sysname interface gigabit...

Page 2490: ...ome configurations in the PoE profile do not meet the configuration requirements of the PoE interface z Another PoE profile is already applied to the PoE interface Solution z In the first case you can solve the problem by removing the original configurations of those configurations z In the second case you need to modify some configurations in the PoE profile z In the third case you need to remove...

Page 2491: ...ng a DLSw Test 1 18 Configuring the Collaboration Function 1 19 Configuring Trap Delivery 1 20 Configuring the NQA Statistics Function 1 20 Configuring the History Records Saving Function 1 21 Configuring Optional Parameters Common to an NQA Test Group 1 22 Scheduling an NQA Test Group 1 23 Displaying and Maintaining NQA 1 24 NQA Configuration Examples 1 24 ICMP Echo Test Configuration Example 1 2...

Page 2492: ...nd provides you with network performance and service quality parameters such as jitter TCP connection delay FTP connection delay and file transfer rate With the NQA test results you can 1 Know network performance in time and then take corresponding measures 2 Diagnose and locate network faults Features of NQA Supporting multiple test types Ping can use only the Internet Control Message Protocol IC...

Page 2493: ... application modules then deal with the changes accordingly based on the status of the track entry and thus collaboration is implemented Take static routing as an example You have configured a static route with the next hop 192 168 0 88 If 192 168 0 88 is reachable the static route is valid if 192 168 0 88 is unreachable the static route is invalid With the collaboration between NQA Track module a...

Page 2494: ...S test one probe means to carry out a corresponding function z For an ICMP echo or UDP echo test one packet is sent in one probe z For an SNMP test three packets are sent in one probe NQA client and server NQA client is the device initiating an NQA test and the NQA test group is created on the NQA client NQA server processes the test packets sent from the NQA client as shown in Figure 1 2 The NQA ...

Page 2495: ...NQA client 1 Enable the NQA client 2 Create a test group and configure test parameters according to the test type The test parameters may vary with test types 3 Start the NQA test After the test you can view test results using the display or debug commands Complete these tasks to configure NQA client Task Remarks Enabling the NQA Client Required Creating an NQA Test Group Required Configuring an I...

Page 2496: ...er tcp connect udp echo ip address port number Required The IP address and port number must be consistent with those configured on the NQA client and must be different from those of an existing listening service Enabling the NQA Client Configurations on the NQA client take effect only when the NQA client is enabled Follow these steps to enable the NQA client To do Use the command Remarks Enter sys...

Page 2497: ...echo Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a test operation Configure the size of probe packets sent data size size Optional 100 bytes by default Configure the filler string of a probe packet sent data fill string Optional By default the filler string of a probe packet is the hexadec...

Page 2498: ...ary for the DHCP server to respond to a client request and assign an IP address to the client Configuration prerequisites Before performing a DHCP test you need to configure the DHCP server If the NQA DHCP client and the DHCP server are not in the same network segment you need to configure a DHCP relay For the configuration of DHCP server and DHCP relay refer to DHCP Configuration in the IP Servic...

Page 2499: ... to configure a DNS test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as DNS and enter test type view type dns Required Specify an interface for a DNS test destination ip ip address Required By default no destination IP address is configured for a test operation The destination IP address must be th...

Page 2500: ...operation destination ip ip address Required By default no destination IP address is configured for a test operation The destination IP address for a test operation is the IP address of the FTP server Configure the source IP address of a probe request source ip ip address Required By default no source IP address is specified The source IP address must be that of an interface on the device and the ...

Page 2501: ...us detecting the connectivity and performance of the HTTP server Configuration prerequisites Before performing an HTTP test you need to configure the HTTP server Configuring an HTTP test Follow these steps to configure an HTTP test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as HTTP and enter test ...

Page 2502: ...vailable Real time services such as voice and video have high requirements on delay jitters With the UDP jitter test uni bi directional delay jitters can be obtained to judge whether a network can carry real time services Delay jitter refers to the difference between the interval of receiving two packets consecutively and the interval of sending these two packets The procedure of a UDP jitter test...

Page 2503: ...the source port number for a request source port port number Optional By default no source port number is specified Configure the size of a probe packet sent data size size Optional 100 bytes by default Configure the filler string of a probe packet sent data fill string Optional By default the filler string of a probe packet is the hexadecimal number 00010203040506070809 Configure the number of pa...

Page 2504: ... SNMP test Follow these steps to configure an SNMP test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as SNMP and enter test type view type snmp Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a ...

Page 2505: ... type as TCP and enter test type view type tcp Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a test operation The destination address must be the IP address of the listening service configured on the NQA server Configure the destination port destination port port number Required By default n...

Page 2506: ... udp echo Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a test operation The destination address must be the IP address of the listening service configured on the NQA server Configure the destination port destination port port number Required By default no destination port number is configur...

Page 2507: ...hen sends it back to the source 3 Upon receiving the packets the source calculates the delay jitter and delay by calculating the difference between the interval for the destination to receive two successive packets and the interval for the source to send these two successive packets and thus the network status can be analyzed The voice parameter values that indicate VoIP network status can also be...

Page 2508: ...at of the existing listening service on the NQA server Configure the destination port for a test operation destination port port number Required By default no destination port number is configured for a test operation The destination port must be consistent with that of the existing listening service on the NQA server Configure the codec type codec type g711a g711u g729a Optional By default the co...

Page 2509: ...0 milliseconds by default Configure the timeout for waiting for a response in a voice test probe packet timeout packet timeout Optional 5000 milliseconds by default Configure common optional parameters Refer to Configuring Optional Parameters Common to an NQA Test Group Optional Only one probe can be made in one voice test and the number of probe packets sent in each probe depends on the configura...

Page 2510: ...s the threshold the configured action is triggered Follow these steps to configure the collaboration function To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type view of the test group type dhcp dlsw dns ftp http icmp echo snmp tcp udp echo The collaboration function is not supported in UDP jitter and voice tests ...

Page 2511: ...ment server by default Only the reaction trap test complete command is supported in a voice test namely in a voice test traps are sent to the NMS only if the test succeeds Configuring the NQA Statistics Function NQA puts the NQA tests completed in a specified interval into one group and calculates the statistics of the test results of the group These statistics form a statistics group You can use ...

Page 2512: ...rated Configuring the History Records Saving Function With the history records saving function enabled the system will save the history records of the NQA test You can view the history records of a test group using the display nqa history command The configuration task also allows you to configure z Lifetime of the history records The records are removed when the lifetime is reached z The maximum ...

Page 2513: ...ters common to an NQA test group To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type view of a test group type dhcp dlsw dns ftp http icmp echo snmp tcp udp echo udp jitter voice Configure the descriptive string for a test group description text Optional By default no descriptive string is available for a test gro...

Page 2514: ...an be forever which indicates that a test will not stop until you use the undo nqa schedule command to stop the test A test group performs tests when the system time is between the start time and the end time the start time plus test duration If the system time is behind the start time when you execute the nqa schedule command a test is started when the system time reaches the start time if the sy...

Page 2515: ...tion information display nqa history admin name operation tag Display the results of the last NQA test display nqa result admin name operation tag Display the statistics of a type of NQA test display nqa statistics admin name operation tag Display NQA server status display nqa server status Available in any view NQA Configuration Examples ICMP Echo Test Configuration Example Network requirements U...

Page 2516: ...ess 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average round trip time 2 5 3 Square Sum of round trip time 96 Last succeeded probe time 2007 08 23 15 00 01 2 Extended results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other erro...

Page 2517: ...e admin test start time now lifetime forever Disable DHCP test after the test begins for a period of time SwitchA undo nqa schedule admin test Display the result of the last DHCP test SwitchA display nqa result admin test NQA entry admin admin tag test test results Send operation times 1 Receive response times 1 Min Max Average round trip time 624 624 624 Square Sum of round trip time 389376 Last ...

Page 2518: ...f history records DeviceA nqa admin test dns history record enable DeviceA nqa admin test dns quit Enable DNS test DeviceA nqa schedule admin test start time now lifetime forever Disable DNS test after the test begins for a period of time DeviceA undo nqa schedule admin test Display results of the last DNS test DeviceA display nqa result admin test NQA entry admin admin tag test test results Desti...

Page 2519: ...m view DeviceA nqa entry admin test DeviceA nqa admin test type ftp DeviceA nqa admin test ftp destination ip 10 2 2 2 DeviceA nqa admin test ftp source ip 10 1 1 1 DeviceA nqa admin test ftp operation put DeviceA nqa admin test ftp username admin DeviceA nqa admin test ftp password systemtest DeviceA nqa admin test ftp filename config txt Enable the saving of history records DeviceA nqa admin tes...

Page 2520: ...est the connection with a specified HTTP server and the time required to obtain data from the HTTP server Figure 1 7 Network diagram for the HTTP tests Configuration procedure Create an HTTP test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type http DeviceA nqa admin test http destination ip 10 2 2 2 DeviceA nqa admin test htt...

Page 2521: ... 0 Display the history of HTTP tests DeviceA display nqa history admin test NQA entry admin admin tag test history record s Index Response Status Time 1 64 Succeeded 2007 11 22 10 12 47 9 UDP Jitter Test Configuration Example Network requirements Use the NQA UDP jitter function to test the delay jitter of packet transmission between Device A and Device B Figure 1 8 Network diagram for UDP jitter t...

Page 2522: ...ts Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other errors 0 Packet s arrived late 0 UDP jitter results RTT number 10 Min positive SD 4 Min positive DS 1 Max positive SD 21 Max positive DS 28 Positive SD number 5 Positive DS number 4 Positive SD sum 52...

Page 2523: ...ate 0 UDP jitter results RTT number 410 Min positive SD 3 Min positive DS 1 Max positive SD 30 Max positive DS 79 Positive SD number 186 Positive DS number 158 Positive SD sum 2602 Positive DS sum 1928 Positive SD average 13 Positive DS average 12 Positive SD square sum 45304 Positive DS square sum 31682 Min negative SD 1 Min negative DS 1 Max negative SD 30 Max negative DS 78 Negative SD number 1...

Page 2524: ...agent service and set the SNMP version to all the read community to public and the write community to private DeviceB system view DeviceB snmp agent sys info version all DeviceB snmp agent community read public DeviceB snmp agent community write private 2 Configurations on Device A Create an SNMP query test group and configure related test parameters DeviceA system view DeviceA nqa entry admin tes...

Page 2525: ...y admin test NQA entry admin admin tag test history record s Index Response Status Time 1 50 Timeout 2007 11 22 10 24 41 1 TCP Test Configuration Example Network requirements Use the NQA TCP function to test the time for establishing a TCP connection between Device A and Device B The port number used is 9000 Figure 1 10 Network diagram for TCP tests Configuration procedure 1 Configure Device B Ena...

Page 2526: ...age round trip time 13 13 13 Square Sum of round trip time 169 Last succeeded probe time 2007 11 22 10 27 25 1 Extended results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other errors 0 Packet s arrived late 0 Display the history of TCP tests DeviceA d...

Page 2527: ...y record number 10 DeviceA nqa admin test udp echo quit Enable UDP echo test DeviceA nqa schedule admin test start time now lifetime forever Disable UDP echo test after the test begins for a period of time DeviceA undo nqa schedule admin test Display results of the last UDP echo test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 S...

Page 2528: ...m view DeviceA nqa entry admin test DeviceA nqa admin test type voice DeviceA nqa admin test voice destination ip 10 2 2 2 DeviceA nqa admin test voice destination port 9000 DeviceA nqa admin test voice quit Enable voice test DeviceA nqa schedule admin test start time now lifetime forever Disable the voice test after the test begins for a period of time DeviceA undo nqa schedule admin test Display...

Page 2529: ...1691776 One way results Max SD delay 343 Max DS delay 985 Min SD delay 343 Min DS delay 985 Number of SD delay 1 Number of DS delay 1 Sum of SD delay 343 Sum of DS delay 985 Square sum of SD delay 117649 Square sum of DS delay 970225 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 Voice scores MOS value 4 38 ICPIF value 0 Display the statistics of voice tests DeviceA displ...

Page 2530: ...359 Max DS delay 985 Min SD delay 0 Min DS delay 0 Number of SD delay 4 Number of DS delay 4 Sum of SD delay 1390 Sum of DS delay 1079 Square sum of SD delay 483202 Square sum of DS delay 973651 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 Voice scores Max MOS value 4 38 Min MOS value 4 38 Max ICPIF value 0 Min ICPIF value 0 The display nqa history command cannot show y...

Page 2531: ...2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 19 19 19 Square Sum of round trip time 361 Last succeeded probe time 2007 11 22 10 40 27 7 Extended results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other errors 0 Pa...

Page 2532: ...cho Configure the destination IP address of the ICMP echo test operation as 10 2 1 1 SwitchA nqa admin test icmp echo destination ip 10 2 1 1 Configure the interval between two consecutive tests as 100 milliseconds SwitchA nqa admin test icmp echo frequency 100 Create collaboration entry 1 If the number of consecutive probe failures reaches 5 collaboration with other modules is triggered SwitchA n...

Page 2533: ...s of VLAN interface 3 on Switch B SwitchB system view SwitchB interface vlan interface 3 SwitchB Vlan interface3 undo ip address On Switch A display information about all the Track entries SwitchA display track all Track ID 1 Status Negative Notification delay Positive 0 Negative 0 in seconds Reference object NQA entry admin test Reaction 1 Display brief information about active routes in the rout...

Page 2534: ...sabling an Interface from Receiving NTP Messages 1 13 Configuring the Maximum Number of Dynamic Sessions Allowed 1 13 Configuring Access Control Rights 1 13 Configuration Prerequisites 1 14 Configuration Procedure 1 14 Configuring NTP Authentication 1 14 Configuration Prerequisites 1 14 Configuration Procedure 1 15 Displaying and Maintaining NTP 1 16 NTP Configuration Examples 1 16 Configuring NTP...

Page 2535: ...no means keep time synchronized among all the devices within a network by changing the system clock on each station because this is a huge amount of workload and cannot guarantee the clock precision NTP however allows quick clock synchronization within the entire network while it ensures a high clock precision NTP is used when all devices within the network must be consistent in timekeeping for ex...

Page 2536: ...ce A Device B Device A Device B Device A Device B Device A 10 00 00 am 11 00 01 am 10 00 00 am NTP message 10 00 00 am 11 00 01 am 11 00 02 am NTP message NTP message NTP message received at 10 00 03 am 1 3 2 4 The process of system clock synchronization is as follows z Device A sends Device B an NTP message which is timestamped when it leaves Device A The time stamp is 10 00 00 am T1 z When this ...

Page 2537: ...mp 64 bits Transmit timestamp 64 bits Authenticator optional 96 bits Reference timestamp 64 bits Originate timestamp 64 bits 1 4 Main fields are described as follows z LI 2 bit leap indicator When set to 11 it warns of an alarm condition clock unsynchronized when set to any other value it is not to be processed by NTP z VN 3 bit version number indicating the version of NTP The latest version is ve...

Page 2538: ...lement clock synchronization in one of the following modes z Client server mode z Symmetric peers mode z Broadcast mode z Multicast mode You can select operation modes of NTP as needed In case that the IP address of the NTP server or peer is unknown and many devices in the network need to be synchronized you can adopt the broadcast or multicast mode while in the client server and symmetric peers m...

Page 2539: ...essage the client sends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates the network delay between client and the server and enters the broadcast client mode Periodically broadcasts clock synchronization messages Mode 5 Receives broadcast messages and synchronizes its local clock In the broadcast mode a serv...

Page 2540: ...nd the server Then the client enters the multicast client mode and continues listening to multicast messages and synchronizes its local clock based on the received multicast messages In symmetric peers mode broadcast mode and multicast mode the client or the symmetric active peer and the server the symmetric passive peer can work in the specified NTP working mode only after they exchange NTP messa...

Page 2541: ...sk List Complete the following tasks to configure NTP Task Remarks Configuring the Operation Modes of NTP Required Configuring the Local Clock as a Reference Source Optional Configuring Optional Parameters of NTP Optional Configuring Access Control Rights Optional Configuring NTP Authentication Optional Configuring the Operation Modes of NTP Devices can implement clock synchronization in one of th...

Page 2542: ...devices working in the client server mode you only need to make configurations on the clients but not on the servers Follow these steps to configure an NTP client To do Use the command Remarks Enter system view system view Specify an NTP server for the device ntp service unicast server vpn instance vpn instance name ip address server name authentication keyid keyid priority source interface interf...

Page 2543: ...ticast address or the IP address of the local clock z When the source interface for NTP messages is specified by the source interface argument the source IP address of the NTP messages will be configured as the primary IP address of the specified interface z Typically at least one of the symmetric active and symmetric passive peers has been synchronized otherwise the clock synchronization will not...

Page 2544: ...uthentication keyid keyid version number Required A broadcast server can synchronize broadcast clients only after its clock has been synchronized Configuring NTP Multicast Mode The multicast server periodically sends NTP multicast messages to multicast clients which send replies after receiving the messages and synchronize their local clocks For devices working in the multicast mode you need to co...

Page 2545: ...lticast clients among which 128 can take effect at the same time Configuring the Local Clock as a Reference Source A network device can get its clock synchronized in one of the following two ways z Synchronized to the local clock which works as the reference source z Synchronized to another device on the network in any of the four NTP operation modes previously described If you configure two synch...

Page 2546: ...IP address of the NTP messages as the primary IP address of the specified interface when sending the NTP messages When the device responds to an NTP request received the source IP address of the NTP response is always the IP address of the interface that received the NTP request Following these steps to specify the source interface for NTP messages To do Use the command Remarks Enter system view s...

Page 2547: ...ermits the peer devices to perform control query to the NTP service on the local device but does not permit a peer device to synchronize its clock to that of the local device The so called control query refers to query of some states of the NTP service including alarm information authentication status clock source information and so on z synchronization server access only This level of right permi...

Page 2548: ...nizing with a device that has failed authentication Configuration Prerequisites The configuration of NTP authentication involves configuration tasks to be implemented on the client and on the server When configuring the NTP authentication feature pay attention to the following principles z For all synchronization modes when you enable the NTP authentication feature you should configure an authenti...

Page 2549: ...onfigure the key as a trusted key ntp service reliable authentication keyid keyid Required No authentication key is configured to be trusted by default Client server mode ntp service unicast server ip address server name authentication keyid keyid Associate the specified key with an NTP server Symmetric peers mode ntp service unicast peer ip address peer name authentication keyid keyid Required Yo...

Page 2550: ...specify it as a trusted key after associating the key with the NTP server The procedure of configuring NTP authentication on a server is the same as that on a client and the same authentication key must be configured on both the server and client sides Displaying and Maintaining NTP To do Use the command Remarks View the information of NTP service status display ntp service status Available in any...

Page 2551: ...0 000 UTC Jan 1 1900 00000000 00000000 Specify Device A as the NTP server of Device B so that Device B is synchronized to Device A DeviceB system view DeviceB ntp service unicast server 1 0 1 11 View the NTP status of Device B after clock synchronization DeviceB display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequency 100 0000 Hz Actual fre...

Page 2552: ...r while Device B is the symmetric passive peer Figure 1 8 Network diagram for NTP symmetric peers mode configuration Switch A Switch B Switch C 3 0 1 31 24 3 0 1 32 24 3 0 1 33 24 Configuration procedure 1 Configuration on Device A Specify the local clock as the reference source with the stratum level of 2 DeviceA system view DeviceA ntp service refclock master 2 2 Configuration on Device B Specif...

Page 2553: ...ynchronized to Device C and the clock stratum level of Device B is 2 while that of Device C is 1 View the NTP session information of Device B which shows that an association has been set up between Device B and Device C DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 245 3 0 1 31 127 127 1 0 2 15 64 24 10535 0 19 6 14 5 1234 3 0 1 33 LOCL 1 14 64 27 77...

Page 2554: ... D to work in the broadcast client mode and receive broadcast messages on VLAN interface 2 SwitchD system view SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service broadcast client 3 Configuration on Switch A Configure Switch A to work in the broadcast client mode and receive broadcast messages on VLAN interface 3 SwitchA system view SwitchA interface vlan interface 3 SwitchA Vla...

Page 2555: ...urce peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Multicast Mode Network requirements z Switch C s local clock is to be used as a reference source with the stratum level of 2 z Switch C works in the multicast server mode and sends out multicast messages from VLAN interface 2 z Switch A and Switch D work in the multicast client mode and receive multicast messages th...

Page 2556: ...Hz Clock precision 2 18 Clock offset 0 0000 ms Root delay 31 00 ms Root dispersion 8 31 ms Peer dispersion 34 30 ms Reference time 16 01 51 713 UTC Sep 19 2005 C6D95F6F B6872B02 As shown above Switch D has been synchronized to Switch C and the clock stratum level of Switch D is 3 while that of Switch C is 2 View the NTP session information of Switch D which shows that an association has been set u...

Page 2557: ...ce status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 0 0000 ms Root delay 40 00 ms Root dispersion 10 83 ms Peer dispersion 34 30 ms Reference time 16 02 49 713 UTC Sep 19 2005 C6D95F6F B6872B02 As shown above Switch A has been synchronized to Switch C and the clock stratum level...

Page 2558: ... Device B DeviceB ntp service authentication enable Set an authentication key DeviceB ntp service authentication keyid 42 authentication mode md5 aNiceKey Specify the key as a trusted key DeviceB ntp service reliable authentication keyid 42 Specify Device A as the NTP server DeviceB ntp service unicast server 1 0 1 11 authentication keyid 42 Before Device B can synchronize its clock to that of Dev...

Page 2559: ...ource peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Broadcast Mode with Authentication Network requirements z Switch C s local clock is to be used as a reference source with the stratum level of 3 z Switch C works in the broadcast server mode and sends out broadcast messages from VLAN interface 2 z Switch D works in the broadcast client mode and receives broadcast m...

Page 2560: ...N interface 2 and Switch C can send broadcast messages through VLAN interface 2 Upon receiving a broadcast message from Switch C Switch D synchronizes its clock to that of Switch C View the NTP status of Switch D after clock synchronization SwitchD Vlan interface2 display ntp service status Clock status synchronized Clock stratum 4 Reference clock ID 3 0 1 31 Nominal frequency 100 0000 Hz Actual f...

Page 2561: ...ers mode but not in the multicast or broadcast mode Figure 1 13 Network diagram for MPLS VPN time synchronization configuration CE 1 CE 2 CE 4 CE 3 PE 1 PE 2 P VPN 1 VPN 2 VPN 1 VPN 2 Vlan int 10 Vlan int 10 MPLS backbone Vlan int 20 Vlan int 20 Vlan int 30 Vlan int 30 Vlan int 40 Vlan int 40 Vlan int 50 Vlan int 50 Vlan int 60 Vlan int 60 设备 接口 IP地址 设备 接口 IP地址 CE 1 Vlan int 10 10 1 1 1 24 PE 1 Vl...

Page 2562: ... time later The information should show that CE 3 has been synchronized to CE 1 with the clock stratum level of 2 CE3 display ntp service status Clock status synchronized Clock stratum 2 Reference clock ID 10 1 1 1 Nominal frequency 99 9100 Hz Actual frequency 99 9100 Hz Clock precision 2 18 Clock offset 0 0000 ms Root delay 47 00 ms Root dispersion 0 18 ms Peer dispersion 34 29 ms Reference time ...

Page 2563: ... time later The information should show that PE 2 has been synchronized to PE 1 with the clock stratum level of 2 PE2 display ntp service status Clock status synchronized Clock stratum 2 Reference clock ID 10 1 1 2 Nominal frequency 99 9100 Hz Actual frequency 99 9100 Hz Clock precision 2 18 Clock offset 0 0000 ms Root delay 32 00 ms Root dispersion 0 60 ms Peer dispersion 7 81 ms Reference time 0...

Page 2564: ...n 1 6 Step by Step Patch Installation Task List 1 6 Configuring the Patch File Location 1 6 Loading a Patch File 1 7 Activating Patches 1 7 Confirming Running Patches 1 8 One Step Patch Uninstallation 1 9 Step by Step Patch Uninstallation 1 9 Step by Step Patch Uninstallation Task List 1 9 Stop Running Patches 1 9 Deleting Patches 1 9 Displaying and Maintaining Hotfix 1 10 Hotfix Configuration Exa...

Page 2565: ...e device that is it can repair the software defects of the current version without rebooting the device Basic Concepts in Hotfix Patch and patch file A patch also called patch unit is a package to fix software defects Generally patches are released as patch files A patch file may contain one or more patches for different defects After loaded from the storage media to the memory patch area each pat...

Page 2566: ... be in the state of IDLE DEACTIVE ACTIVE and RUNNING Load run temporarily confirm running stop running delete install and uninstall represent operations corresponding to commands of patch load patch active patch run patch deactive patch delete patch install and undo patch install For example if you execute the patch active command for the patches in the DEACTIVE state the patches turn to the ACTIV...

Page 2567: ... memory patch area and are in the DEACTIVE state At this time the patch states in the system are as shown in Figure 1 3 The patches that are in the DEACTIVE state will be still in the DEACTIVE state after system reboot Figure 1 3 A patch file is loaded to the memory patch area ACTIVE state Patches in the ACTIVE state are those that have run temporarily in the system and will become DEACTIVE after ...

Page 2568: ...s of the system are as shown in Figure 1 5 Figure 1 5 Patches are running The patches that are in the RUNNING state will be still in the RUNNING state after system reboot Hotfix Configuration Task List Task Remarks One Step Patch Installation Install patches Step by Step Patch Installation Use either approach The step by step patch installation allows you to control the patch status One Step Patch...

Page 2569: ...Product Card type PATCH FLAG Default patch name mpu PATCH MPU patch_mpu bin lpb PATCH LPB patch_lpb bin S7900E lpr PATCH LPR patch_lpr bin The loading and installation are performed on all cards that are in position and OAM CPU so before these operations save the patch files for the active main board AMB and interface card to the root directory of the AMB s storage medium and save the patch files ...

Page 2570: ... Location Optional Loading a Patch File Required Activating Patches Required Confirming Running Patches Optional Configuring the Patch File Location If you save the patch files to other storage media except the flash on the device you need to specify the directory where the patch files locate with the patch location argument Then the system loads the appropriate patch files from the specified dire...

Page 2571: ...will try to load the patch file from the CF card Set the file transfer mode to binary mode before using FTP or TFTP to upload download patch files to from the flash of the device Otherwise patch file cannot be parsed properly Follow the steps below to load a patch file distributed device To do Use the command Remarks Enter system view system view Load the patch file on from the storage medium such...

Page 2572: ... slot slot number Required Confirming Running Patches After you confirm the running of a patch the patch state becomes RUNNING and the patch is in the normal running stage After the device is reset or rebooted the patch is still valid Follow the steps below to confirm the running of patches distributed device To do Use the command Remarks Enter system view system view Confirm the running of the sp...

Page 2573: ...TIVE and the system runs in the way before it is installed with the patch Follow the steps below to stop running patches distributed device To do Use the command Remarks Enter system view system view Stop running the specified patches patch deactive patch number slot slot number Required Follow the steps below to stop running patches distributed IRF device To do Use the command Remarks Enter syste...

Page 2574: ...in any view Hotfix Configuration Examples Hotfix Configuration Example Network requirements z The software running on Device is of some problem and thus hotfixing is needed z The patch files patch_mpu bin for the AMB patch_lpr bin and patch_lpb bin are saved on the TFTP server z The IP address of Device is 1 1 1 1 24 and IP address of TFTP Server is 2 2 2 2 24 An available route exists between Dev...

Page 2575: ...in from the TFTP server to the AMB Device tftp 2 2 2 2 get patch_mpu bin Device tftp 2 2 2 2 get patch_lpr bin Device tftp 2 2 2 2 get patch_lpb bin Copy the patch files to the root directory of the SMB in slot 1 Device copy patch_mpu bin slot1 flash Install the patches Device system view Device patch install flash Patches will be installed Continue Y N y Do you want to continue running patches af...

Page 2576: ...erating Mode 1 9 Configuring IRF 1 10 Setting a Member ID for a Device 1 10 Specifying a Priority for an IRF Member 1 11 Configuring IRF Ports 1 11 Specifying the Preservation Time of IRF Bridge MAC Address 1 12 Setting the Delay Time for the Link Layer to Report a Link Down Event 1 13 Configuring MAD Detection 1 14 Accessing an IRF 1 18 Accessing the Master 1 18 Accessing a Slave 1 18 Displaying ...

Page 2577: ...ry configurations and then these devices are virtualized into a virtual device This virtualization technology realizes the cooperation of multiple devices unified management and non stop maintenance Hereinafter the virtual device is called IRF z At present the S7900E Series Ethernet Switches support an IRF of two members that is you can use two S7900E series switches to form an IRF one operates as...

Page 2578: ... thus the reliability of the IRF system is increased through the link backup z Powerful network expansion capability By adding member devices you can increase the number of IRF ports and expand network bandwidth As all member devices have their own CPUs they can process and forward protocol packets independently thus improving processing capability of the IRF system Application As shown in Figure ...

Page 2579: ... following describes some basic concepts in IRF Operation mode The device can operate in either of the following two modes z Standalone mode The device operates in a standalone manner It does not form any IRF with other devices z IRF mode The device interconnects with other devices to form an IRF Role The devices that form an IRF are called IRF members Each of them plays either of the following tw...

Page 2580: ...ocal standby SRPU A local standby SRPU is the standby SRPU of a member device As an optional hardware configuration it acts as the backup of the local active SRPU The active SRPU of the IRF The active SRPU of the IRF is the local active SRPU of the master and manages the whole IRF system The standby SRPU of the IRF A standby SRPU of the IRF is a backup of the active SRPU of the IRF A main board of...

Page 2581: ...ent involves four stages Physical Connections Topology Collection Role Election and IRF Management and Maintenance You need to first connect the IRF members physically and then the devices will perform topology collection and role election after that the IRF system can operate normally and enter the IRF management and maintenance stage Physical Connections To make an IRF operate normally you need ...

Page 2582: ... 2 Upon receiving the topology information from the directly connected neighbor it updates the local topology information 3 If there is a local standby SRPU configured the local active SRPU synchronizes its recorded topology information to the local standby SRPU to ensure that the topology information on both SRPUs is consistent After topology collection lasts for a period of time all members have...

Page 2583: ... chassis2 slot1 flash test cfg indicates that a file named test cfg is saved under the root directory of the flash on the SRPU in slot 1 of member device 2 Therefore to ensure the uniqueness of member IDs you need to plan and configure the member IDs of devices uniformly before they join the IRF If the local active SRPU and local standby SRPU keep different member IDs of the device the member ID k...

Page 2584: ...active ID to operate normally The state of all the other IRFs will be set to recovery and all the ports in them will be shut down except for the IRF ports and ports manually specified not to shut down z Failure recovery The MAD mechanism prompts the user for multi active collision and the device then tries to repair the failed IRF links automatically If the reparation fails you need to repair the ...

Page 2585: ...ng LACP MAD detection Optional Specifying the reserved ports Optional Configuring MAD Detection Failure recovery Optional Accessing the Master Required Accessing an IRF Accessing a Slave Optional After establishing an IRF you are recommended to enable the MAD detection function to avoid the influences to the network caused by accidental IRF split Switching Operating Mode The device supports two op...

Page 2586: ...l reboot automatically as soon as you confirm the operation of switching the operating mode Configuring IRF Setting a Member ID for a Device The member ID of a device defaults to 1 Before an IRF is formed you need to manually number the two devices respectively to avoid member ID collision You are recommended to set the member ID for a newly added device in the following way 1 Plan the member IDs ...

Page 2587: ...an modify the priority through command lines Follow these steps to specify a priority for an IRF member To do Use the command Remarks Enter system view system view Specify a priority for an IRF member irf member member id priority priority Optional The priority of an IRF member defaults to 1 Configuring IRF Ports The S7900E series uses 10 GE optical ports which are on the SRPU or on SC SD or EB in...

Page 2588: ...rking mode of a physical IRF port By default the working mode of a physical IRF port is normal An SC interface card does not support configuration of the working mode of physical IRF ports as enhanced z Physical IRF ports that connect two member devices in an IRF must be configured to work in the same mode z To use the virtual private LAN service VPLS function in an IRF configure the working mode ...

Page 2589: ...C address To do Use the command Remarks Enter system view system view Configure the IRF bridge MAC address to be preserved permanently after the master leaves irf mac address persistent always Specify the preservation time of the IRF bridge MAC address as 6 minutes after the master leaves irf mac address persistent timer Configure that the IRF bridge MAC address changes as soon as the master leave...

Page 2590: ...herwise the IRF system will not be aware of the IRF topology changes in time and thus the service will be recovered slowly Configuring MAD Detection IRF of distributed devices supports two MAD approaches BFD MAD detection and LACP MAD detection The LACP MAD detection requires intermediate devices which must be capable of identifying and processing LACPDU protocol packets carrying Active ID values ...

Page 2591: ...tive z When the IRF operates normally only the MAD IP address of the master is effective and the BFD session is down z When the IRF splits into two or multiple IRFs all the MAD IP addresses of the masters in different IRFs are effective the BFD session is activated and multiple active IRFs are detected Follow these steps to enable BFD MAD detection To do Use the command Remarks Enter system view s...

Page 2592: ...d a common IP address are not mutually interfered they can coexist the MAD IP address automatically becomes the slave address after being configured and the common IP address becomes the primary address z If an IRF configured with the BFD MAD function splits into two or more IRFs routing collision information may be generated because the new IRFs still keep the forwarding entries with the destinat...

Page 2593: ...uit system view quit Enter the view of the port that connects to the LACP MAD detection link interface interface type interface number Assign the port to the aggregation group for LACP MAD detection port link aggregation group number Required Use the same method to create a dynamic aggregation group on the intermediate device and add the port that connects to the LACP MAD detection link on the dev...

Page 2594: ...Use the command Remarks Enter system view system view Restore devices in the recovery state to the normal state mad restore Required Accessing an IRF Accessing the Master After an IRF is formed you can access the console of the IRF system through the AUX or console port of any member device Create a Layer 3 Ethernet interface and configure an IP address for it and make sure that the interface and ...

Page 2595: ...m view system view Log in to the specified slave device of an IRF irf switch to chassis chassis number slot slot number Required By default you actually log in to the master device of an IRF when you log in to the IRF An IRF system allows at most nine users to log in at the same time The permitted login users include five users logged in through virtual type terminal VTY and four users logged in t...

Page 2596: ...ons z To increase the number of access ports additional devices are needed In this example Device B is added z To address the requirements for high availability ease of management and maintenance use IRF2 technology to create an IRF with Device A and Device B at the access layer z To offset the risk of IRF splits configure MAD to detect multi active IRF collisions In this example BFD MAD is adopte...

Page 2597: ... to make the configuration of member ID take effect After logging in to the device again create IRF port2 1 of the device and bind it to the physical IRF port Ten GigabitEthernet 2 3 0 25 and then save the configurations Sysname system view Sysname interface ten gigabitethernet 2 3 0 25 Sysname Ten GigabitEthernet2 3 0 25 shutdown Sysname Ten GigabitEthernet2 3 0 25 quit Sysname irf port 2 1 Sysna...

Page 2598: ...XGE2 3 0 25 IRF port2 1 GE1 3 0 2 GE2 3 0 2 Device A Device B IRF IRF link Note The solid orange line represents the IRF link the solid magenta lines represent links used for LACP MAD detection the solid black lines represent Ethernet links GE3 0 2 GE3 0 1 Configuration consideration z Device A is located at the distribution layer of the network To improve the forwarding capability at this layer a...

Page 2599: ... Ten GigabitEthernet1 3 0 25 save Configure Device B Sysname system view Sysname chassis convert mode irf This command will convert the device to IRF mode and the device will reboot Are you sure Y N y The device reboots automatically to switch its operating mode After logging in to the device again change the member ID of the device to 2 Sysname system view Sysname irf member 1 renumber 2 Warning ...

Page 2600: ...Device A and Device B Sysname interface gigabitethernet 1 3 0 2 Sysname GigabitEthernet1 3 0 2 port link aggregation group 2 Sysname GigabitEthernet1 3 0 2 quit Sysname interface gigabitethernet 2 3 0 2 Sysname GigabitEthernet2 3 0 2 port link aggregation group 2 4 Configure the intermediate device Create a dynamic aggregation port Sysname system view Sysname interface bridge aggregation 2 Sysname...

Page 2601: ...i Table of Contents 1 IPC Configuration 1 1 IPC Overview 1 1 Introduction to IPC 1 1 Enabling IPC Performance Statistics 1 2 Displaying and Maintaining IPC 1 3 ...

Page 2602: ...refore a distributed device corresponds to multiple nodes Therefore in actual application IPC is mainly applied on an IRF or distributed device it provides a reliable transmission mechanism between different devices and boards Link An IPC link is a connection between any two IPC nodes There is one and only one link between any two nodes for packet sending and receiving All IPC nodes are fully conn...

Page 2603: ...eate multiple multicast groups The creation and deletion of a multicast group and multicast group members depend on the application module z Mixcast namely both unicast and multicast are supported Enabling IPC Performance Statistics When IPC performance statistics is enabled the system collects statistics for packet sending and receiving of a node in a specified time range for example in the past ...

Page 2604: ...f a node display ipc multicast group node node id self node Display packet information of a node display ipc packet node node id self node Display link status information of a node display ipc link node node id self node Display IPC performance statistics information of a node display ipc performance node node id self node channel channel id Available in any view Clear IPC performance statistics i...

Page 2605: ...ACFP The Application Control Forwarding Protocol ACFP is developed based on the OAA architecture This document describes z Introduction to ACFP z Configuring the ACFP Server Switch z Configuring ACFP Client OAP Card ACSEI As a private protocol ACSEI provides a method for exchanging information between ACFP clients and ACFP server This document describes z Introduction to ACSEI z ACSEI Server Confi...

Page 2606: ...i Table of Contents 1 OAP Configuration 1 1 OAP Overview 1 1 Configuring an OAP Card 1 1 Logging In to the Software System of an OAP Card Through the Switch 1 1 Restarting an OAP Card 1 2 ...

Page 2607: ...m to load software of different functions Meanwhile after an OAP card is installed into the switch it can quickly implement applications such as security and wireless control which satisfies users diversified needs In this way different types of applications can be integrated into one device thus facilitating network and services deployment and greatly reducing cost at the same time Configuring an...

Page 2608: ... an OAP Card If the software system of an OAP card works abnormally or is under other anomalies you can restart the OAP card with the following command Follow the step to restart an OAP card To do Use the command Remarks Restart the OAP card distributed device oap reboot slot slot number Restart the OAP card distributed IRF device oap reboot chassis chassis number slot slot number Required Availab...

Page 2609: ...FP Collaboration 1 2 ACFP Management 1 2 ACFP Information Overview 1 2 Using ACFP 1 5 ACFP Configuration Task List 1 5 Configuring the ACFP Server Switch 1 6 Enabling the ACFP Server 1 6 Enabling the ACFP Trap Function 1 6 Displaying and Maintaining ACFP 1 7 Configuring ACFP Client OAP Card 1 7 ...

Page 2610: ...he advantages of respective manufacturers for better support of new services while reducing user investments The open application architecture OAA is an open service architecture developed with this concept It integrates devices and software produced by different manufacturers making them function as one device and thus providing integrated resolutions for the customers The Application Control For...

Page 2611: ...ncluding inbound interface and outbound interface of the packet and collaboration rules When the packet received by the ACFP server is redirected or mirrored to the ACFP client after matching a collaboration rule the packet carries the context ID of the collaboration policy to which the collaboration rule belongs When the redirected packet is returned from the ACFP client the packet also carries t...

Page 2612: ...s the context ID the HGPlus context only The above mentioned information indicates the collaboration capabilities of an ACFP server ACFP clients can access this information through a collaboration protocol or collaboration MIB ACFP client information ACFP client information contains the following z ACFP client identifier It can be assigned by the ACFP server through a collaboration protocol or spe...

Page 2613: ...FP collaboration rules refer to the collaboration rules that the ACFP client sends to the ACFP server for application There are three types of collaboration rules z Monitoring rules that is to monitor analyze and process the packets to be sent to the ACFP client The action types corresponding to monitoring rules are redirect and mirror z Filtering rules that is to determine which packets to deny a...

Page 2614: ...rules that belong to it Using ACFP z In a GRE tunneling environment an ACFP policy can be configured on a tunnel interface only z QoS processing such as marking the QoS local ID and local priority for the packets is not performed on the packets returned after they are redirected to the ACFP client z On the destination interface the packets redirected or mirrored by ACFP only support Layer 2 QoS pr...

Page 2615: ...nings ACFP server does not support the working mode of the ACFP client errors Expiration period of ACFP collaboration policy changed notifications ACFP collaboration rules are created informational ACFP collaboration rules are removed informational ACFP collaboration rules failed errors Expiration period of ACFP collaboration policy timed out notifications The generated traps will be sent to the i...

Page 2616: ...rface type interface number out interface interface type interface number active inactive Display ACFP rule configuration information display acfp rule info in interface interface type interface number out interface interface type interface number policy client id policy index Display the configuration information of the ACFP trap function display snmp agent trap list Available in any view Configu...

Page 2617: ...EI Startup and Running 1 2 ACSEI Server Configuration Switch 1 2 Enabling ACSEI Server 1 2 Configuring the Clock Synchronization Timer 1 3 Configuring the Monitoring Timer 1 3 Closing an ACSEI Client 1 3 Restarting an ACSEI Client 1 3 Displaying and Maintaining ACSEI Server 1 4 Configuring ACSEI Client OAP Card 1 4 ...

Page 2618: ...e Open Application Architecture OAA The collaborating IDS Intrusion Detection System cards or IDS devices serve as the ACFP clients which run applications of other vendors and support the IPS Intrusion Prevention System IDS services Refer to ACFP Configuration in the OAA Volume for details of ACFP z The open application platform OAP is designed for new services On OAP card runs the operating syste...

Page 2619: ...ests to the ACSEI server You cannot set this timer ACSEI Startup and Running ACSEI starts up and runs in the following procedures 1 Run the ACSEI client application to enable ACSEI client 2 Start up the device and enable the ACSEI server function on it 3 The ACSEI client multicasts registration requests 4 After the ACSEI server receives a valid registration request it negotiates parameters with th...

Page 2620: ... view system view Enable the ACSEI server function acsei server enable Required Enter ACSEI server view acsei server Configure the monitoring timer for ACSEI server to monitor ACSEI client acsei timer monitor seconds Optional Five seconds by default Closing an ACSEI Client Follow these steps to close an ACSEI client To do Use the command Remarks Enter system view system view Enable the ACSEI serve...

Page 2621: ...s Display ACSEI client summary display acsei client summary client id Display ACSEI client information display acsei client info client id Available in any view Configuring ACSEI Client OAP Card As a function supported by the OAP card ACSEI client is integrated into the software system of the OAP card The configuration of the ACSEI client depends on the ordered OAP card Refer to the corresponding ...

Reviews:

No comments

Related manuals for S7902E

BandLuxe R500 Series User Manual preview
R500 Series
Brand: BandLuxe Pages: 67
NAIM AV2 Update Instructions preview
AV2
Brand: NAIM Pages: 2
Datasheen D902AC User Manual preview
D902AC
Brand: Datasheen Pages: 25
Teac HD-35NAS User Manual preview
HD-35NAS
Brand: Teac Pages: 20
Maple Systems cMT-FHDX Series Installation Instruction preview
cMT-FHDX Series
Brand: Maple Systems Pages: 2
NETGEAR Powerline 100 Installation Manual preview
Powerline 100
Brand: NETGEAR Pages: 2
ROE EVISON HD101 User Manual preview
EVISON HD101
Brand: ROE Pages: 41
Watchguard Firebox T20-W Quick Start Manual preview
Firebox T20-W
Brand: Watchguard Pages: 40
NETGEAR FS605 v3 Installation Manual preview
FS605 v3
Brand: NETGEAR Pages: 84
Cytron Technologies SHIELD-2AMOTOR User Manual preview
SHIELD-2AMOTOR
Brand: Cytron Technologies Pages: 13
Patton electronics Model 2711 User Manual preview
Model 2711
Brand: Patton electronics Pages: 13
Angel Cool Aironet 1200 Quick Start Manual preview
Aironet 1200
Brand: Angel Cool Pages: 2
M86 Security M86 Web Filter User Manual preview
M86 Web Filter
Brand: M86 Security Pages: 309
TDK InvenSense RoboKit1 Hardware Reference Manual preview
InvenSense RoboKit1
Brand: TDK Pages: 13
EK EK-Quantum Momentum ROG Rampage VI Encore User Manual preview
EK-Quantum Momentum ROG Rampage VI Encore
Brand: EK Pages: 11
Belden HIRESCHMANN IT MAMMUTHUS MTM8003-FAN User Manual preview
HIRESCHMANN IT MAMMUTHUS MTM8003-FAN
Brand: Belden Pages: 84
OWC Mercury FireWire 400 Owner'S Manual preview
Mercury FireWire 400
Brand: OWC Pages: 2
Doremi MB-4K User Manual preview
MB-4K
Brand: Doremi Pages: 15

Brands by name

Popular brands

Load more brands