manualshive.com logo in svg

3Com Switch 7700, Configuration Manual

Share
Download
3Com Switch 7700 Configuration Manual Download Page 296

288

C

HAPTER

 9: AAA 

AND

 RADIUS O

PERATION

LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the 
EAP frame, which is encapsulated in packets of other AAA upper layer protocols 
(e.g. RADIUS). This provides a channel through the complicated network to the 
Authentication Server. Such procedure is called EAP Relay.

There are two types of ports for the Authenticator. One is the Uncontrolled Port, 
and the other is the Controlled Port. The Uncontrolled Port is always in a 
bi-directional connection state. The user can access and share the network 
resources any time through the ports. The Controlled Port will be in a connecting 
state only after the user passes the authentication. Then the user is allowed to 
access the network resources. 

Figure 1   

802.1x System Architecture

Tasks for configuring 802.1x System Architecture is described in the following 
sections:

802.1x Authentication Process

Implement 802.1x on Ethernet Switch 

802.1x Authentication Process

802.1x configures EAP frame to carry the authentication information. The 
Standard defines the following types of EAP frames: 

EAP-Packet: Authentication information frame, used to carry the 
authentication information. 

EAPoL-Start: Authentication originating frame, actively originated by the 
Supplicant. 

EAPoL-Logoff: Logoff request frame, actively terminating the authenticated 
state. 

EAPoL-Key: Key information frame, supporting to encrypt the EAP packets. 

EAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of Alert 
Standard Forum (ASF). 

The EAPoL-Start, EAPoL-Logoff, and EAPoL-Key only exist between the Supplicant 
and the Authenticator. The EAP-Packet information is re-encapsulated by the 
Authenticator System and then transmitted to the Authentication Server System. 

Requester

Requester
system

Services offered by
Authenticator
system

Authenticator PAE

Authenticator
server

Authenticator
server system

Authenticator system

Controlled
port

Unauthorized
port

EAPol

LAN

EAP protocol exchanges
carried in higher layer
protocol

Summary of Contents for Switch 7700

Page 1: ...http www 3com com Switch 7700 Configuration Guide Version 3 0 Published November 2004 Part No 10014298 ...

Page 2: ...vided to you UNITED STATES GOVERNMENT LEGEND If you are a United States government agency then this documentation and the software described herein are provided to you subject to the following All technical data and computer software are commercial in nature and developed solely at private expense Software is delivered as Commercial Computer Software as defined in DFARS 252 227 7014 June 1995 or a...

Page 3: ...FIGURATION Ethernet Port Overview 27 Configuring Ethernet Ports 27 Setting the VLAN VPN Feature 33 Example Configuring the Default VLAN ID of the Trunk Port 34 Troubleshooting VLAN Port Configuration 35 Configuring Link Aggregation 35 Types of Link Aggregation 36 Load Sharing 38 Configuring Link Aggregation 38 Example Link Aggregation Configuration 42 VLAN CONFIGURATION VLAN Overview 45 Configurin...

Page 4: ...0 IPX Configuration 71 IPX Address Structure 71 Routing Information Protocol 71 Service Advertising Protocol 72 Configuring IPX 72 IPX Configuration Example 81 Troubleshooting IPX 83 IP ROUTING PROTOCOL OPERATION IP Routing Protocol Overview 87 Selecting Routes Through the Routing Table 88 Routing Management Policy 89 Static Routes 90 Configuring Static Routes 91 Troubleshooting Static Routes 94 R...

Page 5: ...cast 196 Configuring Common Multicast 196 Configuring IGMP 198 Configuring IGMP 199 IGMP Snooping 205 Configuring IGMP Snooping 208 IGMP Snooping Configuration Example 210 Troubleshooting IGMP Snooping 210 Configuring PIM DM 211 Configuring PIM DM 212 PIM DM Configuration Example 215 Configuring PIM SM 216 PIM SM Operating Principles 217 Preparing to Configure PIM SM 218 Configuring PIM SM 218 GMR...

Page 6: ... 271 Configuring MSTP 271 Configuring the MST Region for a Switch 272 Specifying the Switch as Primary or Secondary Root Switch 273 Configuring the MSTP Running Mode 274 Configuring the Bridge Priority for a Switch 275 Configuring the Max Hops in an MST Region 275 Configuring the Switching Network Diameter 276 Configuring the Time Parameters of a Switch 277 Configuring the Max Transmission Speed o...

Page 7: ... Configuring a Switch to Track an Interface 318 Displaying and Debugging VRRP 318 Troubleshooting VRRP 321 SYSTEM MANAGEMENT File System 323 Using a Directory 323 Managing Files 324 Formatting Storage Devices 324 Setting the Prompt Mode of the File System 324 Configuring File Management 325 FTP 326 TFTP 328 Managing the MAC Address Table 329 Configuring the MAC Address Table 330 Managing Devices 3...

Page 8: ...iguring NTP 358 NTP Configuration Examples 364 SSH Terminal Services 371 Configuring the SSH Server 373 Configuring the SSH Client 376 Specifying the Server IP Address 376 Displaying and Debugging SSH 379 SSH Configuration Example 380 ...

Page 9: ...scription Screen displays This typeface represents information as it appears on the screen Keyboard key names If you must press two or more keys simultaneously the key names are linked with a plus sign for example Press Ctrl Alt Del The words enter and type When you see the word enter in this guide you must type something and then press Return or Enter Do not press Return or Enter when an instruct...

Page 10: ...2 ABOUT THIS GUIDE ...

Page 11: ...set of modules The Switch 7700 supports the following services MAN enterprise campus networking Multicast service and multicast routing functions and support audio and video multicast service Function Features Table 1 lists and describes the function features that the Switch 7700 supports Table 1 Function Features Features Support VLAN VLANs compliant with IEEE 802 1Q standard Port based VLAN Prot...

Page 12: ... Security features Multi level user management and password protect 802 1X authentication Packet filtering Reliability Virtual Redundancy Routing Protocol VRRP Quality of Service QoS Traffic classification Bandwidth control Priority Queues of different priority on the port Queue scheduling supports Strict Priority Queueing SP Management and maintenance Command line interface configuration Configur...

Page 13: ...ams Accessories Communications HyperTerminal 2 The HyperTerminal window displays the Connection Description dialog box as shown in Figure 2 Figure 2 Set Up the New Connection 3 Enter the name of the new connection in the Name field and click OK The dialog box shown in Figure 3 displays 4 Select the serial port to be used from the Connect using dropdown menu RS 232 Serial port Console cable Console...

Page 14: ...igure 3 Properties Dialog Box 5 Click OK The Port Settings tab shown in Figure 4 displays and you can set serial port parameters Set the following parameters Baud rate 9600 Databit 8 Parity check none Stopbit 1 Flow control none ...

Page 15: ...meters 6 Click OK The HyperTerminal dialogue box displays as shown in Figure 5 7 Select Properties Figure 5 HyperTerminal Window 8 In the Properties dialog box select the Settings tab as shown in Figure 6 9 Select VT100 in the Emulation dropdown menu 10 Click OK ...

Page 16: ...net to a Switch 7700 and configure it you must 1 Configure the IP address of a VLAN interface for the Switch 7700 through the console port using the ip address command in VLAN interface view 2 Add the port that connects to a terminal to this VLAN using the port command in VLAN view 3 Log in to the Switch 7700 Tasks for Configuring through Telnet are described in the following sections Connecting t...

Page 17: ...reset login password of Telnet user 3 To set up the configuration environment connect the Ethernet port of the PC to that of the Switch 7700 through the LAN See Figure 7 Figure 7 Setting Up the Configuration Environment Through Telnet 4 Run Telnet on the PC by selecting Start Run from the Windows desktop and entering Telnet in the Open field as shown in Figure 8 Click OK Figure 8 Run Telnet The te...

Page 18: ... Service 1 Authenticate the Telnet user through the console port on the Telnet Server Switch 7700 before login By default a password is required for authenticating the Telnet user to log in the Switch 7700 If a user logs into Telnet without password the system displays the following message Login password has not been set 2 Enter system view return to user view by pressing Ctrl Z SW7700 system vie...

Page 19: ...erface aux 0 SW7700 ui aux0 set authentication password simple cipher xxxx xxxx is the preset login password of the Modem user b Using the modem command you can configure the console port to modem mode SW7700 ui aux0 modem 2 To set up the remote configuration environment connect the modems to a PC or a terminal serial port and to the Switch 7700 console port as shown in Set Up Remote Configuration...

Page 20: ...tional state Enter to get immediate help For details on a specific command refer to the appropriate chapter in this guide By default after login a modem user can access the commands at Level 0 Configuring the User Interface User interface configuration is another way to configure and manage port data The Switch 7700 supports the following configuration methods Local configuration through the conso...

Page 21: ...er interface AUX user interface AUX 0 The first VTY interface VTY 0 the second one VTY 1 and so on Tasks for configuring the user interface are described in the following sections Entering the User Interface View Configuring the Attributes of the AUX Console Port Configuring the Terminal Attributes Managing Users Configuring the Attributes of a Modem Configuring Redirection Displaying and Debuggin...

Page 22: ...able 4 to enable or disable terminal service Table 3 Configure the Attributes of the AUX Console Port Operation Command Configure the transmission speed on AUX Console port By default the transmission speed is 9600bps speed speed value Restore the default transmission speed on AUX Console port undo speed Configure the flow control on AUX Console port By default no flow control is performed on the ...

Page 23: ...an one screen of information you can use the screen length command to determine how many lines are displayed on a screen so that information can be separated in different screens and you can view it more conveniently The screen length command is described in Table 7 By default the terminal screen length is 24 lines Setting the History Command Buffer Size Table 8 describes the history command max s...

Page 24: ...e set authentication password command Perform the following configuration in user interface view Configure for password authentication when a user logs in through a VTY 0 user interface and set the password to 3Com SW7700 user interface vty 0 SW7700 ui vty0 authentication mode password SW7700 ui vty0 set authentication password simple 3Com 2 Configure the local or remote authentication username an...

Page 25: ...r can access the commands at Level 1 after logon Setting the Command Level Used after a User Logs in from a User Interface Use the user privilege level command to set the command level after a user logs in from a specific user interface so that a user is able to execute the commands at that command level Table 12 describes the user privilege level command Perform the following configuration in use...

Page 26: ...ring the Attributes of a Modem You can use the commands described in Table 14 to configure the attributes of a modem when logging in to the Switch through the modem Perform the following configuration in user interface view Configuring Redirection The send Command can be used for sending messages between user interfaces See Table 15 Table 13 Set Command Priority Operation Command Set the command p...

Page 27: ...logs on by VTY 0 the system will run telnet 10 110 100 1 automatically Displaying and Debugging User Interface After creating the previous configuration execute the display command in all views to display the user interface configuration and to verify the effect of the configuration Execute the free command in user view to clear a specified user interface See Table 17 Table 15 Configure to Send Me...

Page 28: ...ommand Line Interface is described in the following sections Command Line View Features and Functions of the Command Line Command Line View The Switch 7700 provides hierarchy protection for the command lines to prevent unauthorized users from accessing the switch illegally There are four levels of commands Visit level involves commands for network diagnosis tools such as ping and tracert command o...

Page 29: ...ged Command views are implemented according to requirements that are related to one another For example after logging in to the Switch 7700 you enter user view in which you can only use some basic functions such as displaying the operating state and statistics information In user view key in system view to enter system view in which you can key in different configuration commands and enter the cor...

Page 30: ... view in user view Ethernet Port view Configure Ethernet port parameters SW7700 Etherne t1 0 1 100M Ethernet port view SW7700 Gigabit Ethernet1 0 1 Gigabit Ethernet port view VLAN view Configure VLAN parameters SW7700 Vlan1 Enter vlan 1 in System view VLAN interface view Configure IP interface parameters for a VLAN or a VLAN aggregation SW7700 Vlan in terface1 Enter interface vlan interface 1 in S...

Page 31: ...t parameters ftp Enter ftp in user view PIM view Configure PIM parameters SW7700 PIM Enter pim in System view RIP view Configure RIP parameters SW7700 rip Enter rip in System view OSPF view Configure OSPF parameters SW7700 ospf Enter ospf in System view OSPF area view Configure OSPF area parameters SW7700 ospf 0 0 0 1 Enter area 1 in OSPF view Route policy view Configure route policy parameters SW...

Page 32: ...time and when finished r Record route Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route s Specifies the number of data bytes to be sent t Timeout in milliseconds to wait for each reply v Verbose output ICMP packets other than ECHO_RESPONSE that are received are listed STRING 1 20 IP address or hostname of a remote system Ip IP Protocol Enter a command with a separa...

Page 33: ... command Cannot find the keyword Wrong parameter type The value of the parameter exceeds the range Incomplete command The command is incomplete Too many parameters You entered too many parameters Ambiguous command The parameters you entered are not specific Table 20 Retrieve History Command Operation Key Result Display history command display history command Displays history commands by the user w...

Page 34: ...ped one with the complete key word and display it in a new line If there is not a matched key word or the matched key word is not unique the system will do no modification but displays the originally typed word in a new line Table 22 Display Functions Key or Command Function Press Ctrl C when the display pauses Stop displaying and executing command Enter a space when the display pauses Continue to...

Page 35: ...ion The speed can be set to 1000 1000Mbps or auto auto negotiation 10 100 1000BASE T Gigabit Ethernet ports support MDI MDI X auto sensing and the modes are 1000 Mbps full duplex 100 Mbps half full duplex and 10 Mbps half full duplex These modules also support auto negotiation 10GBASE R XENPAK 10 Gigabit Ethernet ports work in 10 gigabit full duplex mode The duplex mode can be configured as full f...

Page 36: ... or enabling the port After configuring the related parameters and protocol of the port you can use the following command to enable the port Perform the following configuration in Ethernet port view By default the port is enabled Setting Description Character String for Ethernet Port You can use the following command to identify the Ethernet ports Perform the following configuration in Ethernet po...

Page 37: ...mode the local and peer ports will automatically negotiate the port speed Perform the following configuration in Ethernet port view Setting Cable Type for Ethernet Port The Ethernet port supports the straight through MDI and cross over MDIX network cables The Switch 7700 only supports auto auto sensing If you set some other type you will see an error message By default the cable type is auto auto ...

Page 38: ...uipment including NICs switches and routers are not capable of supporting jumbo frames and will always discard these packets Perform the following configuration in Ethernet port view By default jumbo frames are disabled Setting the Maximum MAC Addresses an Ethernet Port can Learn Use the following command to set a limit on the number of MAC addresses that an Ethernet port will learn Perform the fo...

Page 39: ...nd at the port on a 20 port 10 100 1000BASE T Gigabit Ethernet card or a 20 port 1000BASE X Gigabit Ethernet card Setting the Link Type for an Ethernet Port An Ethernet port can operate in three different link types access hybrid and trunk types The access port carries one VLAN only and is used for connecting to the user s computer The trunk port can belong to more than one VLAN and receive send t...

Page 40: ... in one VLAN its default VLAN is the one to which it belongs The hybrid port and the trunk port can be included in several VLANs however it is necessary to configure the default VLAN ID If the default VLAN ID has been configured the packets without VLAN Tag will be forwarded to the port that belongs to the default VLAN When sending the packets with VLAN Tag if the VLAN ID of the packet is identica...

Page 41: ...VPN users If VLAN VPN is enabled on a port all the packets regardless of whether it carries a VLAN tag are given a new tag that specifies the default VLAN of this port Therefore the packets that have had a VLAN tag get two tags and the packets that have not had a VLAN tag get one Perform the following configuration in Ethernet port view If GVRP GMRP STP or 802 1x has been enabled on a port VLAN VP...

Page 42: ...D of the Trunk Port In this example the Ethernet Switch Switch A is connected to the peer Switch B through the trunk port Ethernet1 0 1 This example shows the default VLAN ID for the trunk port and verifies the port trunk pvid vlan command As a typical application of the port trunk pvid vlan command the trunk port will transmit the packets without tag to the default VLAN Figure 1 Configure the Def...

Page 43: ...xchanges information with the peer through LACP data unit LACPDU When LACP is enabled on it the port notifies the peer by sending LACPDUs with the port s system priority system MAC port priority port number and operation key When the peer receives this port information it compares the received information with the information stored at other ports to determine which ports can be aggregated so that...

Page 44: ...ey prohibit automatic adding or deleting of member ports by the system A manual or static LACP aggregation group must contain at least one member port and you must delete the aggregation group instead of the port if the group contains only one port At a manual aggregation port LACP is disabled and you are not allowed to enable it LACP is enabled at a static aggregation port When a static aggregati...

Page 45: ...p the system shall set some ports with smaller port numbers in ascending order as selected ports and others as standby ports Both selected and standby ports can transceive LACP protocol but standby ports cannot forward user service packets Dynamic LACP aggregation Dynamic LACP aggregation may automatic adding deleting by the system but prohibits manual configuration of users Dynamic LACP aggregati...

Page 46: ...al and static LACP aggregation groups Aggregation groups that probably reach the maximum rate after the resources are allocated to them Aggregation groups with the minimum master port numbers if they reach the equal rate with other groups after the resources are allocated to them When aggregation groups of higher priority levels appear the aggregation groups of lower priority levels release their ...

Page 47: ...reate a manual aggregation group or static LACP aggregation group but the dynamic LACP aggregation group is established by the system when LACP is enabled on the ports You can also delete an existing aggregation group when you delete a manual aggregation group all its member ports are disaggregated when you delete a static or dynamic LACP aggregation group its member ports form one or several dyna...

Page 48: ...retained when the system reboots However the dynamic LACP groups and descriptors are not retained when the system reboots Configuring System Priority The LACP refers to system IDs in determining if the member ports are selected or standby one for a dynamic LACP aggregation group The system ID consists of two byte system priority and six byte system MAC that is system ID system priority system MAC ...

Page 49: ... configuration and to verify the effect of the configuration You can also use the reset command in user view to clear LACP statistics of the port Use the debugging commands in user view to debug LACP Table 21 Configure System Priority Operation Command Configure system priority lacp system priority system priority value Restore the default system priority undo lacp system priority Table 22 Configu...

Page 50: ... 0 2 interface ethernet1 0 3 SW7700 Ethernet1 0 3 port link aggregation group 1 2 Configure a static LACP aggregation Create static LACP aggregation group 1 SW7700 link aggregation group 1 mode static Add Ethernet ports Ethernet1 0 1 to Ethernet1 0 3 into aggregation group 1 SW7700 interface ethernet1 0 1 SW7700 Ethernet1 0 1 port link aggregation group 1 Disable enable debugging LACP state machin...

Page 51: ...ACP at Ethernet ports Ethernet1 0 1 to Ethernet1 0 3 SW7700 interface ethernet1 0 1 SW7700 Ethernet1 0 1 lacp enable SW7700 Ethernet1 0 1 interface ethernet1 0 2 SW7700 Ethernet1 0 2 lacp enable SW7700 Ethernet1 0 2 interface ethernet1 0 3 SW7700 Ethernet1 0 3 lacp enable Only when the three ports are configured with identical basic configuration rate and duplex mode can they be added into a same ...

Page 52: ...44 CHAPTER 2 PORT CONFIGURATION ...

Page 53: ...lpful in controlling network traffic saving device investment simplifying network management and improving security VLANs are divided into four categories Port based VLAN Protocol based VLAN MAC based VLAN Policy based VLAN Port based VLANs define VLAN members according to switch ports This is the simplest and most efficient way to create VLANs The Switch 7700 supports port based and network layer...

Page 54: ...n VLAN view Using this command you can set the threshold for broadcast traffic that can pass through the VLAN This value is represented by the following ratio format broadcast traffic the entire traffic passed this VLAN The system discards the traffic that exceeds the threshold to limit broadcast traffic and maintain the normal operation of network services The lower the value of the max ratio par...

Page 55: ... You can use the following command to shut down or enable VLAN interface Perform the following configuration in VLAN interface view The operation of shutting down or enabling the VLAN interface has no effect on the UP DOWN status of the Ethernet ports in the VLAN By default when the status of all Ethernet ports in a VLAN is DOWN the status of the VLAN interface is DOWN also so the VLAN interface i...

Page 56: ...2 Add Ethernet 1 0 1 and Ethernet 2 0 1 to VLAN2 SW7700 vlan2 port Ethernet 1 0 1 Ethernet 2 0 1 3 Create VLAN 3 and enters its view SW7700 vlan2 vlan 3 4 Add Ethernet 1 0 2 and Ethernet 2 0 2 to VLAN3 SW7700 vlan3 port Ethernet 1 0 2 Ethernet 2 0 2 Table 6 Displaying and Debugging a VLAN Operation Command Display the information about a VLAN interface display interface vlan interface vlan_id Disp...

Page 57: ... the following sections Creating and Deleting a VLAN Protocol Type Creating and Deleting the Association Between a Port and a Protocol Based VLAN Protocol based VLANs are supported only in the 48 port 10 100BASE T Auto sensing FE 24 port 100BASE FX MMF FE 8 port 1000BASE X GE and 8 port 10 100 1000BASE T GE I O modules Table 7 Adding Ethernet Ports to a VLAN Operation Command Add Ethernet ports to...

Page 58: ...SW7700 vlan 2 2 Add Ethernet1 0 1 and Ethernet1 0 2 to VLAN2 SW7700 vlan2 port ethernet1 0 1 to ethernet1 0 2 3 Create VLAN 3 and enters its view Table 9 Creating and Deleting a VLAN Protocol Type Operation Command Create a VLAN protocol type protocol vlan protocol index ip ip_address net_mask ipx ethernetii I llc I raw I snap at mode ethernetii I llc I snap Delete an existing VLAN protocol type u...

Page 59: ...ort G1 0 3 in VLAN 3 any other IP traffic will be sent out form port G1 0 3 Figure 3 Protocol Based VLAN Configuration Example 1 Configure port G1 0 1 as hybrid port and allow VLAN 2 and VLAN 3 to pass SW7700 GigabitEthernet1 0 1 port link type hybrid SW7700 GigabitEthernet1 0 1 display th interface GigabitEthernet1 0 1 port link type hybrid port hybrid vlan 1 untagged return SW7700 GigabitEtherne...

Page 60: ...ip 10 0 0 1 SW7700 vlan2 vlan 3 SW7700 vlan3 protocol vlan ip SW7700 vlan3 dis protocol vlan vlan all SW7700 vlan3 dis protocol vlan vlan all VLAN ID 2 VLAN Type Protocol based VLAN Protocol Index Protocol Type 0 ip 10 0 0 1 255 255 255 0 VLAN ID 3 VLAN Type Protocol based VLAN Protocol Index Protocol Type 0 ip 3 Configure the protocol VLAN on port G1 0 1 SW7700 int g1 0 1 SW7700 GigabitEthernet1 ...

Page 61: ... GMRP on page 227 When a GARP participant is on a port of the switch each port corresponds to a GARP participant Through GARP configuration information on one GARP member is advertised rapidly to the entire switching network A GARP member can be a terminal workstation or bridge A GARP member can notify other members to register or remove its attribute information by sending declarations or withdra...

Page 62: ...bute values it sends a leave message When the leave message arrives the receiving GARP participant starts the leave timer If the receiving participant does not receive a join message from the sender before the leave timer expires the receiving participant removes the sender s GARP attribute values The leaveall timer is started as soon as a GARP participant is enabled A leaveall message is sent at ...

Page 63: ...on to other switches All the GVRP supporting switches can receive VLAN registration information from other switches and can dynamically update local VLAN registration information including the active members and the port through which each member can be reached All the switches that support GVRP can distribute their local VLAN registration information to other switches so that VLAN information is ...

Page 64: ... trunk port By default global GVRP is disabled Setting the GVRP Registration Type The GVRP includes normal fixed and forbidden registration types see IEEE 802 1Q When an Ethernet port registration type is set to normal the dynamic and manual creation registration and logout of VLAN are allowed on this port When one trunk port registration type is set to fixed the system adds the port to the VLAN i...

Page 65: ...mation among switches Figure 4 GVRP Configuration Example Configure Switch A 1 Set Ethernet1 0 1 as a trunk port and allow all the VLANs to pass through SW7700 interface Ethernet 1 0 1 SW7700 Ethernet1 0 1 port link type trunk SW7700 Ethernet1 0 1 port trunk permit vlan all 2 Create VLANs Table 15 Setting the GVRP Registration Type Operation Command Set GVRP registration type gvrp registration nor...

Page 66: ...SW7700 Ethernet1 0 1 gvrp Configure Switch B 1 Set Gigabit Ethernet2 1 as a trunk port and allow all the VLANs to pass through SW7700 interface Ethernet 2 0 1 SW7700 Ethernet2 0 1 port link type trunk SW7700 Ethernet2 0 1 port trunk permit vlan all 2 Enable GVRP globally SW7700 Ethernet2 0 1 quit SW7700 gvrp 3 Enable GVRP on the trunk port SW7700 interface ethernet 2 0 1 SW7700 Ethernet2 0 1 gvrp ...

Page 67: ...E addresses are identified with the first bits of the first octet being 11110 Addresses of Classes A B and C are unicast addresses The Class D addresses are multicast addresses and Class E addresses are reserved for future uses At present IP addresses are mostly Class A Class B and Class C IP addresses of Classes A B and C are composed of two parts network ID and host ID Their network ID lengths a...

Page 68: ...esses of classes A B and C the default values of the corresponding sub net mask is 255 0 0 0 for Class A 255 255 0 0 for Class B and 255 255 255 0 for Class C The mask can be used to divide a Class A network containing more than 16 000 000 hosts or a Class B network containing more than 60 000 hosts into multiple small networks Each small network is called a subnet For example for the Class A netw...

Page 69: ... IP Address Use the display command in all views to display the IP address configuration on interfaces and to verify configuration Example Configuring an IP Address Configure the IP address as 129 2 2 1 and sub net mask as 255 255 255 0 for the VLAN interface 1 of the Ethernet Switch Figure 1 IP Address Configuration Networking 1 Enter VLAN interface 1 SW7700 interface vlan 1 2 Configure the IP ad...

Page 70: ...ping table to save memory space and shorten the search interval Example IP Address Resolution Host A and Host B are on the same network segment The IP address of Host A is IP_A and the IP address of Host B is IP_B Host A wants to transmit packets to Host B Host A checks its own ARP mapping table first to make sure that there are corresponding ARP entries of IP_B in the table If the corresponding M...

Page 71: ...w By default the switch does not learn gratuitous ARPs Configuring the Dynamic ARP Aging Timer The following commands assign a dynamic ARP aging period to enable flexible configurations When the system learns a dynamic ARP entry its aging period is based on the currently configured value Perform the following configuration in system view By default the aging time of the dynamic ARP aging timer is ...

Page 72: ...economical and convenient for centralized management Figure 2 DHCP Relay Schematic Diagram When the DHCP Client performs initialization it broadcasts the request packet on the local network segment If there is a DHCP server on the local network segment e g the Ethernet on the right side of the figure then the DHCP can be configured directly without the relay If there is no DHCP server on the local...

Page 73: ...rver IP address cannot be configured independently instead it has to be configured together with the master server IP address By default the IP address of the DHCP Server is not configured The DHCP Server address must be configured before DHCP relay can be used Configuring the DHCP Server Group for the VLAN Interface Perform the following configuration in VLAN interface view When associating a VLA...

Page 74: ...figure the VLAN interface corresponding to the user and the related DHCP server so as to use DHCP relay Table 10 Configure Delete the Address Table Entry Operation Command Add an entry to the address table dhcp security static ip_address mac_address dynamic static Delete an entry from the address table undo dhcp security ip_address all dynamic static Table 11 Enable Disable DHCP Security on VLAN I...

Page 75: ...ddress of VLAN3 SW7700 vlan 3 SW7700 vlan3 port Ethernet 1 0 3 SW7700 interface vlan 3 SW7700 VLAN Interface3 ip address 21 2 2 1 255 255 0 0 7 It is necessary to configure a VLAN for the servers The corresponding interface VLAN of the DHCP server group 1 is configured as 4000 and that of the group 2 is configured as 3001 SW7700 vlan 4000 SW7700 vlan4000 port Ethernet 1 0 4 SW7700 interface vlan 4...

Page 76: ...ast two steps use the display dhcp server groupNo command to view the packet that has been received If you only see the Discover packet and there is no response packet it means the DHCP Server has not sent the message to the Switch 7700 In this case check if the DHCP Server has been configured properly If the numbers of request and response packets are normal enable the debugging dhcp relay in Use...

Page 77: ...ast Forwarding Broadcast packets include full net broadcast packets and direct connected broadcast packets The destination IP address of a full net broadcast packet is all ones 255 255 255 255 or all zeros A direct connected broadcast packet is a packet whose destination IP address is the network broadcast address of a subnet but the source IP address is not in the subnet segment When a switch for...

Page 78: ...o the console Use the debugging udp packet command to enable the UDP debugging to trace the UDP packet When the router sends or receives UDP packets the content format of the packet can be displayed in real time You can locate the problem from the contents of the packet The following are the UDP packet formats UDP output packet Source IP address 202 38 160 1 Source port 1024 Destination IP Address...

Page 79: ... Each IPX packet is considered an independent entity that has no logical or sequential relationship with any other IPX packets IPX Address Structure IPX and IP use different address structures An IPX address comprises two parts the network number and the node address it is in the format of network node A network number identifies the network where a site is located It is four bytes long and expres...

Page 80: ...ided The servers periodically broadcast their services and addresses to the networks directly connected to them Users cannot use such information directly however Instead the information is collected by the SAP agents of the switches on the networks and saved in their server information tables Configuring IPX Before configuring IPX you must perform the tasks described in the following sections Ena...

Page 81: ...it Configuring the Maximum Number of Dynamic Routes to the Same Destination Configuring the Number of the Equivalent Routes to the Same Destination Configuring the Update Interval of IPX RIP Configuring the Aging Period of IPX RIP Configuring the Size of IPX RIP Update Packets Configuring the IPX Packet Forwarding Delay on a VLAN Interface Configuring IPX RIP to Import Static Routes Configuring IP...

Page 82: ...tive routes If the new limit is greater than the number of current active routes the system activates the equivalent routes that are available for them until the limit is reached Configuring IPX RIP After IPX is enabled on VLAN interfaces the system automatically enables RIP You can configure IPX RIP parameters using the tasks described in the following sections Configuring the Update Interval of ...

Page 83: ...ace view By default the maximum IPX RIP update packet size is 432 bytes Considering the 32 bytes for the IPX and RIP headers each update packet can carry up to 50 eight byte routing entries Configuring the IPX Packet Forwarding Delay on a VLAN Interface IPX RIP uses hop count and ticks to measure the distance to a destination network and route packets The hop count of a packet adds by one upon eac...

Page 84: ... Aging Period of IPX SAP Configuring the Size of IPX SAP Update Packets Configuring the GNS Reply of IPX SAP Configuring Static IPX Service Entries Configuring the Maximum Length of the Service Information Reserve Queue for One Service Type Enabling and Disabling SAP On a VLAN interface SAP is enabled as soon as IPX is enabled on the interface You can enable or disable SAP with the following comma...

Page 85: ...s Considering the 32 bytes for the headers each SAP update packet can carry up to seven sets of 64 byte server information Configuring the GNS Reply of IPX SAP Get Nearest Server GNS is a type of SAP message that is broadcast by SAP enabled NetWare clients To the GNS requests NetWare servers respond with Give Nearest Server messages If a NetWare server is available on the network segment to which ...

Page 86: ...ts you can manually add it into the server information table as a static entry If the route for the static service entry is invalid or deleted the broadcast of the static service entry is disabled until the switch finds a valid route for the service entry Perform the following configuration in system view Table 31 Configuring the GNS reply of IPX SAP Operation Command Respond to GNS requests with ...

Page 87: ...n the following sections to configure IPX forwarding Configuring Triggered Update in IPX Configuring Split Horizon of IPX Configuring the Encapsulation Format of the IPX frame Configuring for Forwarding Type 20 IPX Broadcast Packets Configuring Triggered Update in IPX IPX RIP and SAP periodically broadcast update If the periodical broadcast is not desired you can enable triggered update Table 34 S...

Page 88: ...he encapsulation format of the IPX frame Perform the following configuration in VLAN interface view By default the encapsulation format of the IPX frame is 802 3 dot3 Configuring for Forwarding Type 20 IPX Broadcast Packets NovellNetWare defines the type 20 IPX broadcast packet for the Network Basic Input Output System NetBIOS You can enable or disable the forwarding of type 20 broadcast packets t...

Page 89: ...kets undo ipx netbios propagation Table 40 Displaying and Debugging IPX Operation Command Display the information of IPX on one or all VLAN interfaces display ipx interface vlan interface vlan_id Display the IPX packet statistics information display ipx statistics Display the IPX service information table display ipx service table inactive name name network network order network type type service ...

Page 90: ...7700 Vlan interface2 ipx network 2 Set the IPX packet encapsulation format to Ethernet_II on VLAN interface 2 SW7700 Vlan interface2 ipx encapsulation ethernet 2 SW7700 Vlan interface2 quit Assign the network number 1000 to VLAN interface 1 to enable IPX on the interface SW7700 interface vlan interface 1 SW7700 Vlan interface1 ipx network 1000 Configure a static route with the destination network ...

Page 91: ... IPX Troubleshooting IPX Forwarding 1 A destination address cannot be pinged Do the following Check that the destination address is correct Execute the display ipx interface command check that the network number and IPX frame encapsulation format configured on the interface on the switch are consistent with those configured on the connected interface Execute the display ipx routing table command c...

Page 92: ...tic route to RIP but no static route is sent out Do the following Use the display ipx routing table command to check that the static route exists If the static route is not in the routing table use the display ipx routing table verbose command to check that it exists as an inactive route and to check for the inactive reason When the route becomes active it can be advertised as a RIP route If the c...

Page 93: ...fy that There are update packets with the debugging ipx packet and debugging ipx sap packet verbose commands If there are no update packets check that the underlying network connection is available SAP is enabled with the display ipx interface command The hop count of the active route to the server is smaller than 16 The update interval is not too long with the display current configuration comman...

Page 94: ...t service entries are available for the service request The service entries are considered equivalent only when they have the same RIP ticks RIP hop count SAP hop count and SAP preference Troubleshooting IPX Routing Management 1 The current switch receives the routing information from a neighbor device but the route cannot be found on the current switch using the display ipx routing table verbose ...

Page 95: ...nt from Host A to Host C goes through 3 networks and 2 routers and the packet is transmitted through two hops and router segments Therefore when a node is connected to another node through a network there is a hop between these two nodes and these two nodes are considered adjacent in the Internet Adjacent routers are two routers connected to the same network The number of route segments between a ...

Page 96: ... a routing table in its memory and each entry in this table specifies the physical port of the router through which a packet is sent to a subnet or a host The packet can reach the next router over a particular path or reach a destination host through a directly connected network A routing table has the following key entries A destination address Identifies the destination IP address or the destina...

Page 97: ...on is located Indirect route The router is not directly connected to the network where the destination is located To limit the size of the routing table an option is available to set a default route All the packets that fail to find a suitable table entry are forwarded through this default route In a complicated Internet as shown in the following figure the number in each network is the network ad...

Page 98: ...d to meet the user requirements The preferences for individual static routes can be different Routes Shared Between Routing Protocols As the algorithms of various routing protocols are different different protocols can generate different routes This situation creates the problem of how to resolve different routes being generated by different routing protocols The Switch 7700 supports an operation ...

Page 99: ...ng table the default route is in the form of the route to the network 0 0 0 0 with the mask 0 0 0 0 You can determine whether a default route has been set by viewing the output of the display ip routing table command If the destination address of a packet fails to match any entry of the routing table the router selects the default route to forward this packet If there is no default route and the d...

Page 100: ... the address of the next hop defines the transmitting interface because the address of the opposite interface is the address of the next hop of the route In fact for all routing items the next hop address must be specified When the IP layer transmits a packet it first searches the matching route in the routing table depending on the destination address of the packet Only when the next hop address ...

Page 101: ...default route undo ip route static 0 0 0 0 0 0 0 0 0 interface name gateway address Table 4 Deleting All Static Routes Operation Command Delete all static routes delete static routes all Table 5 Displaying and Debugging the Routing Table Operation Command View routing table summary display ip routing table View routing table details display ip routing table verbose View the detailed information of...

Page 102: ...2 4 Configure the default gateway of the Host A to be 1 1 5 2 5 Configure the default gateway of the Host B to be 1 1 4 1 6 Configure the default gateway of the Host C to be 1 1 1 2 Using this procedure all the hosts or switches in Figure 3 can be interconnected in pairs Troubleshooting Static Routes The Switch 7700 is not configured with any dynamic routing protocols enabled Both the physical sta...

Page 103: ...e network These routing entries contain the following information Destination address The IP address of a host or network Next hop address The address of the next router that an IP packet will pass through to reach the destination Output interface The interface through which the IP packet should be forwarded Cost The cost for the router to reach the destination which should be an integer in the ra...

Page 104: ...IP is disabled the interface related features also become invalid The RIP configuration tasks are described in the following sections Enabling RIP and Entering the RIP View Enabling the RIP Interface Configuring Unicast RIP Messages Specifying the RIP Version Configuring RIP Timers Configuring RIP 1 Zero Field Check of the Interface Packet Specifying the Operating State of the Interface Disabling ...

Page 105: ...command or the display rip command Configuring Unicast RIP Messages RIP is a broadcast protocol To exchange route information with the non broadcast network the unicast transmission mode must be adopted Perform the following configuration in the RIP view By default RIP does not send messages to unicast addresses Usually this command is not recommended because the opposite side does not need to rec...

Page 106: ...rbage collection timer times out before the unreachable route is updated by the update packets from the neighbors the route will be deleted completely from the routing table Modification of these timers can affect the convergence speed of RIP Perform the following configuration in RIP view The modification of RIP timers takes effect immediately By default the values of period update and timeout ti...

Page 107: ...tions in RIP view By default RIP 1 performs zero field check on the packet Specifying the Operating State of the Interface In the VLAN interface view you can specify whether RIP update packets are sent and received on the interface In addition you can specify whether an interface sends or receives RIP update packets Perform the following configuration in VLAN interface view The rip work command is...

Page 108: ...less inter domain routing To advertise all the subnet routes the route aggregation function of RIP 2 can be disabled Perform the following configurations in RIP view By default RIP 2 uses the route aggregation function Setting RIP 2 Packet Authentication RIP 1 does not support packet authentication However you can configure packet authentication on RIP 2 interfaces RIP 2 supports two authenticatio...

Page 109: ...rations in RIP view By default RIP does not import the route information of other protocols Table 15 Setting RIP 2 Packet Authentication Operation Command Configure RIP 2 simple authentication key rip authentication mode simple password string Configure RIP 2 MD5 authentication with packet type following RFC 1723 rip authentication mode simple password md5 usual key string nonstandard key string k...

Page 110: ...in the routing table but adds a specified metric value when the interface receives or sends a route Perform the following configuration in VLAN interface view By default the additional routing metric added to the route when RIP sends the packet is 1 The additional routing metric when RIP receives the packet is 0 Table 18 Configuring the Default Cost for the Imported Route Operation Command Configu...

Page 111: ...h B are connected to the network 155 10 1 0 and 196 38 165 0 Switch C Switch A and Switch B are connected by Ethernet 110 11 2 0 Correctly configure RIP to ensure that Switch C Switch A and Switch B can interconnect Table 21 Configuring RIP to Filter Routes Operation Command Configure filtering the received routing information distributed by the specified address filter policy gateway ip prefix na...

Page 112: ...not operate on the corresponding interface for example if the undo rip work command is executed or this interface is not enabled through the network command The peer routing device is configured for multicast mode for example the rip version 2 multicast command is executed but the multicast mode has not been configured on the corresponding interface of the local Ethernet switch OSPF Open Shortest ...

Page 113: ...tes in the following way Each OSPF capable router maintains a Link State Database LSD which describes the topology of the entire AS According to the network topology around itself each router generates a Link State Advertisement LSA The routers on the network transmit the LSAs among themselves by transmitting the protocol packets to each other Thus each router receives the LSAs of other routers an...

Page 114: ...the HEAD s of LSA s requiring acknowledgement Basic Concepts Related to OSPF Router ID To run OSPF a router must have a router ID If no ID is configured the system automatically selects an IP address from the IP addresses of the current interface as the router ID Designated Router DR In a broadcast network in which all routers are directly connected any two routers must establish adjacency to broa...

Page 115: ...intain logical connectivity Route summary An AS is divided into different areas that are interconnected through OSPF ABRs The routing information between areas can be reduced by use of a route summary Thus the size of routing table can be reduced and the calculation speed of the router can be improved After finding an intra area route of an area the ABR looks in the routing table and encapsulates ...

Page 116: ... OSPF Process Displaying and Debugging OSPF Enabling OSPF and Entering OSPF View Perform the following configurations in system view By default OSPF is not enabled Entering OSPF Area View Perform the following configurations in OSPF view Specifying the Interface OSPF divides the AS into different areas You must configure each OSPF interface to belong to a particular area identified by an area ID T...

Page 117: ...g Configuring the Network Type on the OSPF Interface The route calculation of OSPF is based on the topology of the adjacent network of the local router Each router describes the topology of its adjacent network and transmits it to all the other routers OSPF divides networks into four types by link layer protocol Broadcast If Ethernet or FDDI is adopted OSFP defaults the network type to broadcast N...

Page 118: ...fully connected P2MP is not the default network type No link layer protocols are regarded as P2MP You must change the network type to P2MP manually The most common method is to change a partially connected NBMA network to a P2MP network NBMA forwards packets by unicast and requires neighbors to be configured manually P2MP forward packets by multicast Perform the following configuration in VLAN int...

Page 119: ...n the segment and routing information is exchanged between them When the DR fails the BDR becomes the DR instantly Since no re election is needed and the adjacencies have already been established the process is very short But in this case a new BDR must be elected Although it also takes a long time it does not affect the route calculation Note that The DR on the network is not necessarily the rout...

Page 120: ...end Hello packets every 10 seconds and P2MP and NBMA interfaces send the packets every 30 seconds Setting a Dead Timer for the Neighboring Routers If hello packets are not received from a neighboring router that router is considered dead The dead timer of neighboring routers refers to the interval after which a router considers a neighboring router dead You can set a dead timer for the neighboring...

Page 121: ...ive the acknowledgement packet within the retransmission it retransmits this LSA to the neighbor You can configure the value of the retransmission interval Perform the following configuration in VLAN interface view By default the interval for neighboring routers to retransmit LSAs is five seconds The value of the interval should be bigger than the interval in which a packet can be transmitted and ...

Page 122: ... area has multiple ABRs no virtual links are established between these ABRs To insure that routes to the destinations outside the AS are still reachable the ABR in this area generates a default route 0 0 0 0 and advertises it to the non ABR routers in the area Note the following items when you configure a STUB area The backbone area cannot be configured as a STUB area and virtual links cannot pass...

Page 123: ...gated to Area 0 and Area 2 On the other hand RIP routes of the AS running RIP are translated into type 5 LSAs that are propagated in the OSPF AS However the type 5 LSAs do not reach Area 1 because Area 1 is an NSSA NSSAs and STUB areas have the same approach in this aspect Similar to a STUB area the NSSA cannot be configured with virtual links Figure 5 NSSA Perform the following configuration in O...

Page 124: ...fore the sizes of the LSDBs in other areas can be reduced Once the aggregate segment of a certain network is added to the area all the internal routes of the IP addresses in the range of the aggregate segment are no longer separately broadcast to other areas Only the route summary of the whole aggregate network is advertised However if the range of the segment is restricted by the not advertise ke...

Page 125: ...ation addresses of the protocol packets are not these routers so these packets are transparent to them and the routers forward them as common IP packets The routing information is directly transmitted between the two ABRs The routing information refers to the type 3 LSAs generated by the ABRs for which the synchronization mode of the routers in the area is not changed Perform the following configu...

Page 126: ... the area does not support packet authentication Configuring OSPF Packet Authentication OSPF supports simple authentication or MD5 authentication between neighboring routers Perform the following configuration in VLAN interface view By default the interface is not configured with either simple authentication or MD5 authentication Configuring OSPF to Import the Routes of Other Protocols The dynamic...

Page 127: ... ASBR to reach the destinations beyond the AS is higher than the cost from within the AS to the ASBR So in route cost calculation the cost to reach the external type 2 route equals the cost to the destination address of the route from the ASBR If the two values are equal then the cost of the router to the corresponding ASBR is considered Perform the following configuration in OSPF view By default ...

Page 128: ...rt External Routes Operation Command Configure the minimum interval for OSPF to import the external routes default interval seconds Restore the default value of the minimum interval for OSPF to import the external routes undo default interval Configure the upper limit to the routes that OSPF import each time default limit routes Restore the default upper limit to the external routes that can be im...

Page 129: ... field when transmitting DD packets and the MTU in the DD packets is 0 Disabling the Interface to Send OSPF Packets Use the silent interface command to prevent the interface from transmitting OSPF packets Table 46 Setting OSPF Route Preference Operation Command Configure a priority for OSPF for comparing with the other routing protocols preference ase preference Restore the default protocol priori...

Page 130: ...e types of SNMP TRAP packets in case of OSPF anomalies In addition you can configure the switch to send SNMP TRAP packets when a specific process is abnormal by specifying the process ID Perform the following configuration in system view Table 49 Disabling the Interface to Send OSPF Packets Operation Command Prevent the interface from sending OSPF packets silent interface silent interface type sil...

Page 131: ...SPF TRAP function undo snmp agent trap enable ospf process id ifstatechange virifstatechange nbrstatechange virnbrstatechange ifcfgerror virifcfgerror ifauthfail virifauthfail ifrxbadpkt virifrxbadpkt txretransmit viriftxretransmit originatelsa maxagelsa lsdboverflow lsdbapproachoverflow Table 52 Resetting the OSPF Process Operation Command Reset the OSPF process reset ospf statistics all process ...

Page 132: ...witch A interface Vlan interface 1 Switch A Vlan interface1 ip address 196 1 1 1 255 255 255 0 Switch A Vlan interface1 ospf dr priority 100 Switch A router id 1 1 1 1 Switch A ospf Switch A ospf 1 area 0 Switch A ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 2 Configure Switch B Switch B interface Vlan interface 1 Switch B Vlan interface1 ip address 196 1 1 2 255 255 255 0 Switch B Vlan interfa...

Page 133: ...witch A is DR while Switch C is BDR on the network and all the other neighbors are DR others which means that they are neither DRs nor BDRs 5 Modify the priority of Switch B to 200 Switch B Vlan interface2000 ospf dr priority 200 In Switch A execute the display ospf peer command to show its OSPF neighbors Note that the priority of Switch B has been modified to 200 but it is still not the DR Only w...

Page 134: ...ea 0 0 0 0 network 196 1 1 0 0 0 0 255 Switch B ospf area 0 0 0 0 quit Switch B ospf area 1 Switch B ospf area 0 0 0 1 network 197 1 1 0 0 0 0 255 Switch B ospf area 0 0 0 1 vlink peer 3 3 3 3 3 Configure Switch C Switch C interface Vlan interface 1 Switch C Vlan interface1 ip address 152 1 1 1 255 255 255 0 Switch C interface Vlan interface 1 Switch C Vlan interface1 ip address 152 1 1 1 255 255 ...

Page 135: ...nfigured on the interface The parameters should be the same parameters configured on the router adjacent to the interface The same area ID should be used and the networks and the masks should also be consistent The P2P or virtually linked segment can have different segments and masks Insure that the dead timer on the same interface is at least four times the value of the hello timer If the network...

Page 136: ... First SPF algorithm It is similar to the Open Shortest Path First OSPF protocol Integrated IS IS is an implementation of IS IS for IP regulated by the IETF This section introduces IS IS routing protocol terms Intermediate System IS An IS equals a router of TCP IP It is the basic unit in the IS IS protocol used for propagating routing information and generating routes In the following text IS is e...

Page 137: ... Every area has at least one router located on both Level 1 and Level 2 called a Level 1 Level 2 router which connects the area to the backbone network A Level 1 Level 2 router contiguous with a router in some other area will notify the Level 1 routers in the local area that it is an exit point from the area For an NPDU to go from its own area to another area a Level 1 router will first transmit i...

Page 138: ...ture of IS IS Figure 10 illustrates the NSAP structure The whole address is of 8 to 20 bytes long Figure 10 NSAP Structure NSAP includes initial domain part IDP and domain specific part DSP IDP and DSP are length variable with a total length of 20 bytes The IDP is composed of the ...

Page 139: ...e data link frames and mainly divided into 4 kinds IIH LSP CSNP and PSNP Intermediate System to Intermediate System Hello PDU IIH This packet is transmitted regularly to detect whether a contiguous system is running IS IS This supports establishing adjacency and allows data to be propagated in Link State Protocol Data Units LSPs Link State Protocol Data Unit LSP This packet is used for propagating...

Page 140: ...ons Setting authentication at the interface area or domain level using simple password or MD5 authentication Setting default route generation Importing routes from or exporting routes to other protocols To export to a protocol see the section that discusses that protocol All of these commands are discussed in this section This section also describes other commands that are used less frequently For...

Page 141: ...ugging IS IS Enabling IS IS and Entering the IS IS View To run the IS IS protocol you need to create an IS IS routing process After creating an IS IS routing process in system view you should also set the Network Entity Title NET and activate this routing process at an interface that may be adjacent to another router After that the IS IS protocol can be started and run Perform the following config...

Page 142: ...ic ranges from 1 to 63 Wide the value of route metric ranges from 1 to 16777215 The switch can choose either or both of the styles Perform the following configuration in IS IS view By default IS IS only receives and sends the packets whose route metric is in narrow style Setting IS IS Link State Routing Cost Users can configure the interface default routing cost Table 55 Setting the Network Entity...

Page 143: ... p2p links Perform the following configurations in VLAN interface view By default Hello packets are transmitted on an interface every 10 seconds Setting the CSNP Packet Broadcast Interval The CSNP packet is transmitted by the DIS over the broadcast network to synchronize the link state database LSDB The CSNP packet is regularly broadcast over the broadcast network at an interval which can be set b...

Page 144: ... p2p link Setting the Hello Failure Interval The IS IS protocol maintains adjacency between routers by transmitting and receiving Hello packets If the local router does not continuously receive Hello packets within the time interval transmitted by the peer it considers the adjacent router to be down Perform the following configurations in VLAN interface view Table 61 Setting the LSP Packet Interva...

Page 145: ...erform the following configuration in VLAN interface view You can set the circuit level to limit what type of adjacency can be established for the interface For example a Level 1 interface can only establish a Level 1 adjacency A Level 2 interface can only establish a Level 2 adjacency For the Level 1 2 router you can configure some interfaces as Level 2 to prevent transmitting Level 1 Hello packe...

Page 146: ... in the same area must have identical passwords and authentication modes to work together correctly Similarly for domain authentication the password will be encapsulated into the level 2 LSP CSNP and PSNP packets using the specified mode If the routers in the backbone layer level 2 need domain authentication the authentication mode and password must be identical on all The passwords for authentica...

Page 147: ...flood the LSP to other interfaces The IS IS configuration tasks on the interface are finished The following sections discuss how to configure other parameters of IS IS Setting the Router Type Users can set the level for the current router based upon the location of the router in the network Level 1 intra domain router Level 2 inter domain router and Level 1 2 intra domain router as well as inter d...

Page 148: ...gregate several different routes This converts the advertisement processes of several routes into the advertisement of a single route and simplifies the routing table Perform the following configurations in IS IS view By default routing summarization is disabled Setting the Overload Flag Bit Sometimes router in the IS IS domain may encounter operational problems that can affect the entire routing ...

Page 149: ...configuration terminal until logging is disabled Perform the following configuration in IS IS view By default the peer change logging is disabled Setting the LSP Refresh Interval In order to ensure that the LSPs in the whole area can maintain synchronization all current LSPs will be transmitted periodically Perform the following configurations in IS IS view Table 73 Setting Overload Flag Bit Opera...

Page 150: ...mpletion This can also be implemented by setting the parameter seconds to 0 After slice calculation is set the routes that are not processed at once will be calculated after one second Normally you should not modify the default configuration When the number of routes is between 150 000 and 200 000 you should set the parameter seconds to 1 that is the duration time for SPF calculation each time is ...

Page 151: ...ing information to a router in a network Perform the following configurations in IS IS view By default the interface is allowed to receive and send IS IS packets The silent interface command is only used to prevent the IS IS packets from being sent on the interface but interface routes can still be sent from other interfaces Table 79 Setting SPF to Release CPU Resources Operation Command Set the n...

Page 152: ...ding to the access control list specified by acl number Perform the following configurations in IS IS view Configuring for Filtering of the Routes Received by IS IS Configuring for Filtering the Distributed Routes By default IS IS does not filter received and distributed routing information Table 82 Importing Routes of Other Protocols Operation Command Import routes of other protocols import route...

Page 153: ...a Structures When it is necessary to refresh some LSPs immediately perform the following configuration in user view This may be necessary if you change area or domain authentication parameters Resetting the Specified IS IS Peer When it is necessary to reset peer relationships perform the following configuration in user view Displaying and Debugging IS IS Using the following configuration operation...

Page 154: ...ing and Debugging IS IS Operation Command Display IS IS LSDB display isis lsdb l1 l2 level 1 level 2 LSPID local verbose Display IS IS SPF calculation log display isis spf log Display IS IS routing information display isis route Display IS IS neighbor information display isis peer verbose Display mesh group information display isis mesh group Debug IS IS adjacency packets debugging isis adjacency ...

Page 155: ...ce vlan interface 102 Switch A Vlan interface102 isis enable 2 Configure Switch B Switch B isis Switch B isis network entity 86 0001 0000 0000 0006 00 Switch B interface vlan interface 101 Switch B Vlan interface101 isis enable Switch B interface vlan interface 102 Switch B Vlan interface102 isis enable Switch B interface vlan interface 100 Switch B Vlan interface100 isis enable 3 Configure Switch...

Page 156: ... routing loops by adding AS path information to BGP routes It enhances its own reliability by using TCP as the transport layer protocol When routes are updated BGP only transmits updated routes which greatly reduces bandwidth occupation by route propagation and can be applied to propagation of a great amount of routing information on the Internet BGP 4 supports CIDR which is an important improveme...

Page 157: ...e refreshing capability The open update notification and keepalive messages are defined in RFC1771 while the route refresh message is defined in RFC2918 Route Refresh Capability for BGP 4 BGP Routing At startup of the BGP session the BGP router exchanges routing information with its peers by transmitting the complete BGP routing table After that only update messages are exchanged During operation ...

Page 158: ...th the lowest MED value Select the routes learned from EBGP Select the routes advertised by the router with the lowest ID BGP Peers and Peer Groups A BGP speaker calls other BGP speakers peers when they exchange information Multiple related peers compose of a peer group In the Switch 7700 a BGP peer must belong to a peer group If you want to configure a BGP peer you first need to create a peer gro...

Page 159: ...a local AS number must be specified After BGP is enabled the local router listens to BGP connection requests sent by adjacent routers To make the local router send BGP connection requests to adjacent routers refer to the configuration of the peer command When BGP is disabled all established BGP connections will be disconnected Perform the following configurations in system view By default BGP is n...

Page 160: ...oup is internal Configuring the AS Number of an EBGP Peer Group You can specify the AS number for an EBGP peer group but an IBGP peer group needs no AS number When a peer group is specified with an AS number all its member peers inherit that AS number The AS number cannot be specified for a peer group which already has group numbers Deleting the AS number of a peer group deletes all member peers i...

Page 161: ...irst and then the peer should be added to the enabled peer group Configuring the Description of a Peer Group The description of a peer or peer group can be added to facilitate learning the characteristics of the peer By default no BGP peer group description is set Configuring the Timer of a Peer Group The peer timer command is used to configure timers of BGP peer group including the keep alive mes...

Page 162: ...ommand Configure keep alive message interval and hold timer of peer group peer group name peer address timer keep alive keepalive interval hold holdtime interval Restore the default value of keep alive message interval and hold timer of a peer group undo peer group name peer address timer Table 97 Configuring the Route Update Interval for a Peer Group Operation Command Configure the route update m...

Page 163: ... messages This command is used to configure a local router not to transmit private AS numbers when transmitting update messages By default the private AS numbers are included when transmitting BGP update messages Table 100 Configuring Transmission of a Default Route to a Peer Group Operation Command Configure transmission of a default route to a peer group peer group name default route advertise C...

Page 164: ...authentication is implemented by TCP Perform the following configurations in BGP view Table 103 Configuring for Transmission of Community Attributes to a Peer Group Operation Command Configure to send the community attributes to a peer group peer group name advertise community Configure not to send the community attributes to a peer group undo peer group name advertise community Table 104 Configur...

Page 165: ...licy for a peer group peer peer address group name route policy route policy name import Remove the ingress route policy of a peer group undo peer peer address group name route policy policy name import Configure egress route policy for a peer group peer group name route policy route policy name export Remove the egress route policy of a peer group undo peer group name route policy route policy na...

Page 166: ...h acl acl number export Remove the egress route filtering policy based on IP ACL for a peer group undo peer group name as path acl acl number export Table 110 Configuring a Route Filtering Policy Based on Address Prefix List for a Peer Group Operation Command Configure the ingress route filtering policy based on address prefix list for a peer group peer peer address group name ip prefix prefixname...

Page 167: ...ameters can be configured in the aggregate The preference of the aggregation is higher than that of the summarization Perform the following configuration in the BGP view By default BGP will not perform local route aggregation Configuring BGP Route Filtering Configuring BGP to Filter the Received Route Information Table 112 Importing IGP Routing Information Operation Command Configure BGP to import...

Page 168: ...able route is not advertised The history performance of the route is the basis to evaluate the future stability When route flapping occurs a penalty is given When the penalty reaches a specific threshold the route is suppressed Over time the penalty value decreases according to a power function and when it decreases to a specified threshold the route suppression is eliminated and the route is re a...

Page 169: ...lected as the negotiated hold timer Then BGP will send a keepalive message and set a keepalive timer If the negotiation result is 0 no keepalive message is transmitted and the holdtime interval value is ignored Perform the following configurations in BGP view By default the interval for sending keepalive packet is 60 seconds The interval for sending holdtime packet is 180 seconds Clear route atten...

Page 170: ... external peers it will select the route of the smallest MED as the optimum route provided that all the other conditions are the same Perform the following configurations in BGP view The router configured above only compares the route MED metrics of different EBGP peers in the same AS Using the compare different as med command you can compare the route MED metrics of the peers in different ASs By ...

Page 171: ... Configuring a BGP Route Reflector To ensure the interconnection between IBGP peers it is necessary to establish a fully meshed network In some networks there are large numbers of IBGP peers so the cost to establish a fully meshed network is large Thus it is necessary to configure a route reflector which specifies a centralized router as the focus of the internal session The route reflector is the...

Page 172: ...in the autonomous system are the non clients The designation of route reflector and the addition of the client peer are implemented with the peer reflect client command Configuring the Route Reflection Between Clients Perform the following configurations in BGP view By default route reflection between clients is enabled Configuring the Cluster ID Generally there is only one route reflector in a cl...

Page 173: ...on The shortcomings of confederation it is required that the route be re configured upon switching from non confederation to confederation solution and that the logic topology be basically changed Furthermore the path selected via confederation may not be the best path if there is no manually set BGP policy Configuring the Confederation ID In the eye of the BGP speakers that are not part of the co...

Page 174: ...me list number the user can define multiple portions of the AS path list i e a list number stands for a group of AS path ACLs Each AS path list is identified with a number Perform the following configurations in system view By default no AS path list is defined During the matching the relationship of OR is available between the members acl number of the ACLs so that when the routing information pa...

Page 175: ...ing and Debugging BGP After creating the configuration execute the display command in any view to display the BGP configuration and to verify the effect of the configuration Execute the reset command in user view to clear the statistics of the configuration Execute the debugging command in user view to debug the configuration Execute the reset command in user view to reset the BGP statistic inform...

Page 176: ...play bgp routing table different origin as Display neighbors information display bgp peer peer address verbose display bgp peer verbose Display the routing information that has been configured display bgp network Display AS path information display bgp paths as regular expression Display peer group information display bgp group group name Display the information on BGP routes which is mapped to a ...

Page 177: ...confed1001 external Switch B bgp peer confed1001 as number 1001 Switch B bgp group confed1003 external Switch B bgp peer confed1003 as number 1003 Switch B bgp peer 172 68 10 1 group confed1001 Switch B bgp peer 172 68 10 3 group confed1003 3 Configure Switch C Switch C bgp 1003 Switch C bgp confederation id 100 Switch C bgp confederation peer as 1001 1002 Switch C bgp group confed1001 external Sw...

Page 178: ...tch A bgp network 1 0 0 0 255 0 0 0 Switch A bgp group ex external Switch A bgp peer 192 1 1 2 group ex as number 200 2 Configure Switch B a Configure VLAN 2 Switch B interface Vlan interface 2 Switch B Vlan interface2 ip address 192 1 1 2 255 255 255 0 b Configure VLAN 3 Switch B interface Vlan interface 3 Switch B Vlan interface3 ip address 193 1 1 2 255 255 255 0 c Configure peers Switch B bgp ...

Page 179: ... Switch D also knows the existence of network 1 0 0 0 Configuring BGP Routing This example illustrates how the administrators manage the routing via BGP attributes All Ethernet switches are configured with BGP and IGP in AS 200 uses OSPF Switch A is in AS 100 and acts as Switch B of AS 200 and BGP neighbor of Switch C Both Switch B and Switch C operate IBGP to Switch D Switch D is also in AS 200 F...

Page 180: ...e policy apply_med_100 permit node 10 Switch A route policy if match acl 2000 Switch A route policy apply cost 100 Switch A route policy quit Apply route policy set_med_50 to egress route update of Switch C 193 1 1 2 and apply route policy set_med_100 on the egress route of Switch B 192 1 1 2 Switch A bgp 100 Switch A bgp peer 193 1 1 2 route policy apply_med_50 export Switch A bgp peer 192 1 1 2 ...

Page 181: ... all BGP neighbors will be reset using reset bgp all command After above configuration due to the fact that the MED attribute of route 1 0 0 0 discovered by Switch C is less than that of Switch B Switch D will first select the route 1 0 0 0 from Switch C If the MED attribute of Switch A is not configured the local preference on Switch C is configured as follows 1 Add ACL 2000 on Switch C and permi...

Page 182: ...route in the routing table to the neighbor If the ping operation succeeds check if there is an ACL denying TCP port 179 If the ACL is configured cancel the denying of port 179 The BGP route cannot be advertised correctly after importing route of IGP with the command network Do the following The route that is imported by a command network should be same as a route in the current routing table and s...

Page 183: ...if match clauses are satisfied The apply clause specifies the actions that are performed after the node match test concerning the attribute settings of the route information The comparison of different nodes in a route policy uses a Boolean or statement The system examines the nodes in the route policy in sequence Once the route is permitted by a single node in the route policy the route passes th...

Page 184: ...iguring an IP Routing Policy Configuring a routing policy includes tasks described in the following sections Defining a Route Policy Defining If match Clauses for a Route Policy Defining Apply Clauses for a Route Policy Importing Routing Information Discovered by Other Routing Protocols Defining IP Prefix Configuring for Filtering Received Routes Configuring for Filtering Distributed Routes Displa...

Page 185: ...policy view Table 133 Defining If match Conditions Operation Command Match the AS path domain of the BGP routing information if match as path acl number Cancel the matched AS path domain of the BGP routing information undo if match as path Match the community attribute of the BGP routing information if match community standard community number whole match extended community number Cancel the match...

Page 186: ...routing information apply community aa nn no export subconfed no advertise no export additive none Cancel the set community attribute in the BGP routing information undo apply community Set the next hop address of the routing information apply ip next hop ip address ip address acl acl number Cancel the next hop address of the routing information undo apply ip next hop Import the route to IS IS Lev...

Page 187: ...orted route Perform the following configuration in routing protocol view By default the routes discovered by other protocols are not imported In different routing protocol views the parameter options are different For details refer to the description of the import route command for each protocol Defining IP Prefix A prefix list is identified by the IP prefix name Each IP prefix can include multipl...

Page 188: ...for Filtering Distributed Routes Define a policy concerning route distribution that filters the routing information that does not satisfy the conditions and distributes routes with the help of an ACL or address ip prefix Perform the following configuration in routing protocol view Remove a prefix list undo ip ip prefix ip prefix name index index number permit deny Table 137 Configuring Filtering f...

Page 189: ...edistribute three static routes through configuring the OSPF routing process on the Switch A The route filtering rules can be configured on Switch B to make the received three static routes partially visible and partially shielded It means that routes in the network segments 20 0 0 0 and 40 0 0 0 are visible while those in the network segment 30 0 0 0 are shielded Figure 16 Filtering Received Rout...

Page 190: ...4 Configure OSPF to filter the external routes received Switch B ospf filter policy 1 import Troubleshooting Routing Policies Routing information filtering cannot be implemented in normal operation of the routing protocol Check for the following faults The if match mode of at least one node of the Route policy should be the permit mode When a Route policy is used for the routing information filter...

Page 191: ...system will disconnect BGP and OSPF and remove their routes from the routing table to release memory The system checks the free memory periodically When enough free memory is detected to restore the safety value BGP and OSPF connection is restored Configuring Route Capacity Route capacity configuration includes tasks described in the following sections Setting the Lower Limit for Switch Memory Set...

Page 192: ...lue of the Ethernet switch memory to the default value at the same time if it is necessary Perform the following configuration in the system view The default values of the lower limit and the safety value of the Ethernet switch memory are 2Mbytes and 4Mbytes respectively Note that safety value must have a higher value than limit value Preventing Automatic Recovery of Disconnected Routing Protocols...

Page 193: ...command in all views to display the route capacity configuration Table 143 Preventing Automatic Recovery of Disconnected Routing Protocols Operation Command Prevent automatic recovery of disconnected routing protocols memory auto establish disable Table 144 Enabling Automatic Recovery of Disconnected Routing Protocols Operation Command Enable automatic recovery of disconnected routing protocols me...

Page 194: ...186 CHAPTER 5 IP ROUTING PROTOCOL OPERATION ...

Page 195: ...Route Capacity 187 ...

Page 196: ...188 CHAPTER 5 IP ROUTING PROTOCOL OPERATION ...

Page 197: ...Route Capacity 189 ...

Page 198: ...190 CHAPTER 5 IP ROUTING PROTOCOL OPERATION ...

Page 199: ...n either case the end users will receive the information For example if the same information is required by 200 users on the network the traditional solution is to send the information 200 times in unicast mode In the broadcast mode the data is broadcast over the entire network However both of the methods waste bandwidth resources In addition the broadcast mode cannot ensure information security I...

Page 200: ... applications possible Configuring an IP Multicast Overview is described in the following sections Multicast Addresses IP Multicast Protocols Forwarding IP Multicast Packets Applying Multicast Multicast Addresses The destination addresses of multicast packets use Class D IP addresses ranging from 224 0 0 0 to 239 255 255 255 Class D addresses cannot appear in the source IP address fields of IP pac...

Page 201: ...D Addresses Class D address range Meaning 224 0 0 0 224 0 0 255 Reserved multicast addresses addresses of permanent groups Address 224 0 0 0 is reserved The other addresses can be used by routing protocols 224 0 1 0 238 255 255 255 Multicast addresses available for users addresses of temporary groups They are valid in the entire network 239 0 0 0 239 255 255 255 Multicast addresses for local manag...

Page 202: ...nclude PIM SM PIM DM Tasks for configuring IP Multicast Protocols are described in the following sections Internet Group Management Protocol IGMP Multicast Routing Protocol Internet Group Management Protocol IGMP Internet Group Management Protocol IGMP is the only protocol that hosts can use It defines the membership establishment and maintenance mechanism between hosts and routers and is the basi...

Page 203: ...se Mode PIM SM Dense mode uses the flood prune technology which is not applicable for WAN In WAN multicast receivers are sparse and therefore the sparse mode is used In sparse mode hosts need not receive multicast packets unless by default there is an explicit request for the packets A multicast router must send a join message to the RP Rendezvous Point which needs to be built into the network and...

Page 204: ...rk loads New value added services that use multicast can be delivered including direct broadcasting Web TV distance learning distance medicine net broadcasting station and real time audio video conferencing Multimedia and streaming media applications Communications of the training and corporate sites Data repository and finance stock applications Any point to multi point data distribution With the...

Page 205: ...lticast routing table as well as MFC forwarding entries using the reset multicast routing table command Perform the following configuration in user view Disable multicast undo multicast routing enable Table 4 Configure the Multicast Route Limit Operation Command Configure multicast route limit multicast route limit limit Restore multicast route limit to the default value undo multicast route limit...

Page 206: ...o send membership query messages periodically to discover whether hosts join the specified group on its subnets according to the received response messages When the router receives the report that hosts leave the group the router will send a group specific query IGMP Version 2 to discover whether there are no members in the group Up to now IGMP has three versions IGMP Version 1 defined by RFC1112 ...

Page 207: ...n IGMP Version 1 a query of multicast routers is targeted at all the multicast groups on the network segment This is known as General Query In IGMP Version 2 besides general query Group Specific Query is added The destination IP address of the query packet is the IP address of the multicast group The group address domain in the packet is also the IP address of the multicast group This prevents the...

Page 208: ...er cannot automatically switch to Version 1 Configuring the Interval for Sending the IGMP Group Specific Query Packet In the shared network where the same network segment includes multiple hosts and multicast routers the query router is responsible for maintaining the IGMP group membership on the interface When the IGMP v2 host leaves a group it sends an IGMP Group Leave message When the IGMP quer...

Page 209: ...eave message IGMP query router must send the IGMP group query message for specified times by the robust value parameter in the igmp robust count command with default value as 2 in a specified time interval by the seconds parameter in the igmp lastmember queryinterval command with default value as 1 second If other hosts which are interested in the specified group receive the IGMP query message fro...

Page 210: ...ll respond ensuring that the network segment is connected and can receive multicast packets Perform the following configuration in VLAN interface view By default a router does not join a multicast group Limiting Access to IP Multicast Groups A multicast router learns whether there are members of a multicast group on the network when it receives an IGMP membership message A filter can be set on an ...

Page 211: ...ithin twice the interval specified by the igmp timer query command it will regard the previous querier invalid Configuring the Maximum Query Response Time When a router receives a query message the host will set a timer for each multicast group it belongs to The value of the timer is randomly selected between 0 and the maximum response time When any timer becomes 0 the host will send the membershi...

Page 212: ... the effect of the configuration Execute the debugging command in user view to debug IGMP Table 17 Configure the Maximum Query Response Time Operation Command Configure the maximum query response time for IGMP igmp max response time seconds Restore the maximum query response time to the default value undo igmp max response time Table 18 Delete IGMP Groups Joined on an Interface Operation Command D...

Page 213: ...l remove the host from the corresponding multicast table The switch continuously listens to the IGMP messages to create and maintain a MAC multicast address table on Layer 2 It can then forward the multicast packets transmitted from the upstream router according to the MAC multicast address table When IGMP Snooping is disabled the packets are multicast to all ports See Figure 3 Figure 3 Multicast ...

Page 214: ...roup the aging timer of the port begins timing If the switch has not received any IGMP report messages before the timer times out it transmits IGMP specific query message to the port Maximum response time When the switch transmits IGMP specific query message to the multicast member port the Switch 7700 starts a response timer which times before the response to the query If the switch has not recei...

Page 215: ...message to the group starts the port aging timer and then adds all the router ports in the native VLAN of the port into the MAC multicast forwarding table Meanwhile it creates an IP multicast group and adds the port received to it If the corresponding MAC multicast group exists but does not contain the port that received the report message the switch adds the port into the multicast group and star...

Page 216: ...ng configuration in system view To enable IGMP snooping you must also issue the igmp snooping enable command in VLAN view IGMP Snooping and GMRP cannot run at the same time You can check if GMRP is running using the display gmrp status command in all views before enabling IGMP Snooping By default IGMP Snooping is disabled Configure Router Port Aging Time Use this to manually configure the router p...

Page 217: ... verify the effect of the configuration Execute the debugging command in user view to debug IGMP Snooping configuration Table 22 Configuring the Maximum Response Time Operation Command Configure the maximum response time igmp snooping max response time seconds Restore the default setting undo IGMP snooping max response time Table 23 Configure Aging Time of the Multicast Member Operation Command Co...

Page 218: ...iguration command to display the status of IGMP Snooping If the switch disabled IGMP Snooping you can input igmp snooping enable in the system view to enable IGMP Snooping 2 Multicast forwarding table set up by IGMP Snooping is wrong Input the display igmp snooping group command to see if the multicast group is the expected one Verify that the source IP address is correct for each multicast stream...

Page 219: ...nform the upstream node not to forward data to the downstream node Receiving the prune message the upstream node will remove the corresponding interface from the outgoing interface list corresponding to the multicast forwarding entry S G In this way a SPT Shortest Path Tree rooted at Source S is built Leaf routers initiate the pruning process This is called the flood prune process Nodes that are p...

Page 220: ...lowing sections Configuring PIM DM PIM DM Configuration Example Configuring PIM DM Basic PIM DM configuration includes Enabling Multicast Enabling PIM DM Entering PIM View Advanced PIM DM configuration includes Configuring the Interface Hello Message Interval Configuring the Filtering of Multicast Source Group Configuring the Filtering of PIM Neighbors Configuring the Maximum Number of PIM Neighbo...

Page 221: ...abled on an interface it will send Hello messages periodically The interval at which Hello messages are sent can be modified according to the bandwidth and type of the network connected to the interface Perform the following configuration in VLAN interface view The default interval is 30 seconds You can configure the value according to different network environments Generally this parameter does n...

Page 222: ...onfiguration in the PIM view By default no filtering rules are set Only the routers that match the filtering rule in the ACL can serve as a PIM neighbor of the current interface Configuring the Maximum Number of PIM Neighbor on an Interface You can limit the PIM neighbors on an interface No neighbor can be added any more when the limit is reached Perform the following configuration in the PIM view...

Page 223: ...isplay pim routing table g group address mask mask length mask rp rp address mask mask length mask group address mask mask length mask source address mask mask length mask incoming interface interface type interface num interface name null dense mode sparse mode Display the PIM interface information display pim interface interface type interface number Display the information about PIM neighboring...

Page 224: ...rface12 pim dm Configuring PIM SM PIM SM Protocol Independent Multicast Sparse Mode belongs to sparse mode multicast routing protocols PIM SM is mainly applicable to large scale networks with broad scope and few group members Different from the flood prune principle of the dense mode PIM SM assumes that all hosts do not need to receive multicast packets unless clear request is put forward PIM SM u...

Page 225: ...p G The leaf routers calculate the corresponding rendezvous point RP for multicast group G and then send join messages to the node of a higher level toward the rendezvous point RP Each router along the path between the leaf routers and the RP will generate G entries in the forwarding table indicating that all packets sent to multicast group G are applicable When the RP receives packets sent to mul...

Page 226: ...dvertises One RP can serve multiple multicast groups or all multicast groups Each multicast group can only be uniquely correspondent to one RP at a time rather than multiple RPs Configure BSRs The BSR is the management core in a PIM SM network Candidate RPs send announcement to the BSR which is responsible for collecting and advertising the information about all candidate RPs It should be noted th...

Page 227: ...e configured with Candidate RPs and Candidate BSRs Enabling Multicast Refer to Configuring Common Multicast on page 196 Enabling IGMP on an Interface Refer to Configuring IGMP on page 198 Enabling PIM SM This configuration can be effective only after multicast is enabled Perform the following configuration in VLAN interface view Repeat this configuration to enable PIM SM on other interfaces Only o...

Page 228: ... PIM SM must be specified when configuring the router as the candidate BSR At first each candidate BSR considers itself as the BSR of the PIM SM domain and sends a Bootstrap message by taking the IP address of the interface as the BSR address When receiving Bootstrap messages from other routers the candidate BSR will compare the BSR address of the newly received Bootstrap message with that of itse...

Page 229: ... Configuring Static RP Static RP serves as the backup of dynamic RP to make the network more robust Perform the following configuration in PIM view Basic ACLs can control the range of the multicast group served by static RP If static RP is in use all routers in the PIM domain must adopt the same configuration If the configured static RP address is the interface address of the local router whose st...

Page 230: ... to which groups on the RP i e RP can filter the register messages sent by DR to accept specified messages only Perform the following configuration in PIM view If an entry of a source group is denied by the ACL or the ACL does not define operation to it or there is no ACL defined the RP will send RegisterStop messages to the DR to prevent the register process of the multicast data stream Only the ...

Page 231: ...n be BSR thus the routers cannot receive or forward BSR messages other than these two Even legal BSRs cannot contest with them Perform the following configuration in PIM view For detailed information of the bsr policy command see the Switch 7700 Command Reference Guide Limiting the Range of Legal C RP In the PIM SM network using BSR mechanism every router can set itself as the C RP candidate rende...

Page 232: ...y command in all views to display the PIM SM configuration and to verify the configuration Execute the debugging command in user view to debug PIM SM Table 42 Clearing Multicast Route Entries from PIM Routing Table Operation Command Clear multicast route entries from PIM routing table reset pim routing table all group address mask group mask mask length group mask length source address mask source...

Page 233: ...lan interface10 quit SW7700 vlan 11 SW7700 vlan11 port Ethernet 1 0 4 to Ethernet 1 0 5 SW7700 vlan11 quit SW7700 pim SW7700 pim interface vlan interface 11 SW7700 vlan interface11 pim sm SW7700 vlan interface11 quit SW7700 vlan 12 SW7700 vlan12 port Ethernet 1 0 6 to Ethernet 1 0 7 SW7700 vlan12 quit SW7700 pim SW7700 pim interface vlan interface 12 SW7700 vlan interface12 pim sm SW7700 vlan inte...

Page 234: ...lan interface 10 group list 5 4 Configure PIM domain border SW7700 interface vlan interface 12 SW7700 vlan interface12 pim bsr boundary After VLAN interface 12 is configured as BSR the LS_D will be excluded from the local PIM domain and cannot receive the BSR information transmitted from LS_B anymore Configure Switch C 1 Enable PIM SM SW7700 multicast routing enable SW7700 vlan 10 SW7700 vlan10 po...

Page 235: ...reby the multicast source in the VLAN knows the multicast member When the multicast source sends packets to its group the switch only forwards the packets to the ports connected to members thereby implementing the Layer 2 multicast in VLAN The multicast information transmitted by GMRP includes local static multicast registration information configured manually and the multicast registration inform...

Page 236: ...d an update of multicast information between switches Figure 11 GMRP Networking Configure LS_A 1 Enable GMRP globally SW7700 gmrp 2 Enable GMRP on the port SW7700 interface Ethernet 1 0 1 SW7700 Ethernet1 0 1 gmrp Configure LS_B 1 Enable GMRP globally SW7700 gmrp 2 Enable GMRP on the port SW7700 interface Ethernet 1 0 1 Table 46 Enabling Disabling GMRP on the Port Operation Command Enable GMRP on ...

Page 237: ...GMRP 229 SW7700 Ethernet1 0 1 gmrp ...

Page 238: ...230 CHAPTER 6 MULTICAST PROTOCOL ...

Page 239: ...of packets When matching a data packet with the access control rule the issue of match order arises Configuring ACL Overview is described in the following sections Filtering or Classifying Data Transmitted by the Hardware Filtering or Classifying Data Transmitted by the Software ACL Support on the Switch 7700 Filtering or Classifying Data Transmitted by the Hardware An ACL can be used to filter or...

Page 240: ... sequence For the advanced ACL source address wildcards are compared first If they are the same then destination address wildcards are compared For the same destination address wildcards ranges of port numbers are compared and the smaller range is listed first If the port numbers are in the same range the configuration sequence is used After you specify the match order of an access control rule yo...

Page 241: ...y are set to define one day The end time must be later than the start time When the end time end date is not configured it will be all the time from now to the date which can be displayed by the system The end time must be later than the start time Selecting the ACL Mode The Switch 7700 can only have one of two modes ip based or link based In either mode only L2 ACLs can be defined activated and c...

Page 242: ...are described in the following sections Defining a Basic ACL Define an Advanced ACL Defining a Layer 2 ACL Defining a Basic ACL The rules of the basic ACL are defined on the basis of the Layer 3 source IP address to analyze the data packets Perform the following configuration in the designated view A basic ACL is defined by numbers from 2000 to 2999 Define an Advanced ACL The classification rules ...

Page 243: ... these rules for the parameters port1 and port2 support port_range port2 port1 1 should be followed port_range is a power value of 2 port1 is a multiple value of port_range Defining a Layer 2 ACL The rules of Layer 2 ACL are defined on the basis of the Layer 2 information such as source MAC address source VLAN ID Layer 2 protocol type Layer 2 packet fomat and destination MAC address Table 5 Define...

Page 244: ...e ACL configuration and to verify the effect of the configuration Execute the reset command in user view to clear the statistics of the ACL module Table 6 Define Layer 2 ACL Operation Command Enter Layer 2 ACL view from system view acl number acl number name acl name link match order config auto Add a sub item to the ACL from Layer 2 ACL view rule rule id permit deny protocol type format type ingr...

Page 245: ... 1 at 129 110 1 2 The ACL must be properly configured to prevent departments other than the Office of President from having access to the payment query server between 8 00 AM and 6 00 PM The Office of President at 129 111 1 2 can access the server without limitation Figure 1 Access Control Configuration Example Display the detail information about the ACL display acl config all acl number acl name...

Page 246: ...acl adv traffic of payserver rule 2 permit ip source 129 111 1 2 0 0 0 0 destination 129 110 1 2 0 0 0 0 Activate ACL 1 Activate the traffic of payserver ACL SW7700 Ethernet2 0 1 qos SW7700 qoss Ethernet2 0 1 packet filter inbound ip group traffic of payserver Basic ACL Using basic ACL filter the packet with source IP address 10 1 1 1 between 8 00 and 18 00 every day The host connects to port Ethe...

Page 247: ...ine time range 8 00 to 18 00 SW7700 time range 3com 8 00 to 18 00 daily 2 Select ACL mode Select link based ACL mode SW7700 acl mode link based 3 Define the ACL for packet whose source MAC address is 00e0 fc01 0101 and destination MAC address is 00e0 fc01 0303 Enter the named link ACL named as traffic of link SW7700 acl name traffic of link link Define the rules for a packet whose source MAC addre...

Page 248: ...owing sections Qos Concepts Configuring QoS QoS Configuration Examples Qos Concepts Tasks for configuring Qos Concepts are as follows Traffic Traffic Classification Packet Filter Traffic Policing Bandwidth Assurance Port Traffic Limit Redirection Traffic Priority Queue Scheduling Traffic Mirroring Traffic Counting RED Traffic Traffic refers to all packets passing through a switch Traffic Classific...

Page 249: ...imited network resources QoS monitors the traffic of the specific user on the incoming traffic so it can make better use of the assigned resources Bandwidth Assurance Through the traffic reservation a minimum bandwidth is reserved for specified traffic flow Even when network congestion occurs QoS requirements such as packet dropping ratio delay and jitter can also be satisfied Port Traffic Limit T...

Page 250: ... queue messages in the lower priority queue are set aside without service until all high priority messages are transmitted Traffic Mirroring The traffic mirroring function copies the specified data packets to the monitoring port for network diagnosis and troubleshooting Traffic Counting With flow based traffic counting you can request a traffic count to count and analyze the packets RED When the c...

Page 251: ...tion is not described here The following sections describe QoS configuration tasks Setting Port Priority Setting Port Mirroring Setting Queue Scheduling Entering QoS View Configuring the Traffic Limit Setting Line Limit Setting Traffic Bandwidth Setting Traffic Redirection Relabeling the Priority Level Configuring the RED Operation Configuring Traffic Statistics Displaying and Debugging QoS The 20...

Page 252: ...e inbound packets on one interface unit Failure will be prompted if you configure a second The same restriction applies to outbound packets For a 48 port interface unit the monitoring port and the monitored port must all be at the ports 1 24 or the ports 25 48 at which only one mirroring group can be configured in one direction Setting Queue Scheduling Queue scheduling is often used in solving the...

Page 253: ...1 2 2 3 3 4 4 5 5 6 6 7 7 Table 13 Mapping Between DSCP Priority Levels and Outbound Queues DSCP Value Name DSCP value Queue 0 7 be 0 0 8 15 cs1 8 af1 10 1 16 23 cs2 16 af2 18 2 24 31 cs3 24 af3 26 3 32 39 cs4 32 af4 34 4 40 47 cs5 ef 46 5 47 55 cs6 48 6 56 63 cs7 56 7 Table 14 Setting Mapping Table Operation Command Configure the COS local precedence mapping table qos cos local precedence map cos...

Page 254: ...hes actions to deal with the traffic flow that exceeds the threshold These actions can include discarding packets or lowering priority You must define the corresponding ACL before performing this configuration task Perform the following configuration in QoS view For details about the command see the Switch 7700 Command Reference Guide Table 15 Configuring the Priority for Queue Scheduling Operatio...

Page 255: ...e permitted rules in ACL Table 18 Setting the Line Rate Operation Command Set the line limit line rate target rate Remove the line limit undo line rate Table 19 Setting Traffic Bandwidth Operation Command Set traffic bandwidth traffic bandwidth outbound ip group acl number acl name rule rule link group acl number acl name rule rule min guaranteed bandwidth max guaranteed bandwidth weight Remove tr...

Page 256: ...twork congestion The 20 Port 10 100 1000BASE T and 20 Port 1000BASE X SFP I O modules do not support this configuration Perform the following configuration in QoS view For details about the command see the Switch 7700 Command Reference Guide Table 21 Relabeling the Priority Level Operation Command Relabel traffic priority traffic priority inbound outbound ip group acl number acl name rule rule lin...

Page 257: ... traffic statistic Table 24 Display and Debug QoS Operation Command Display port mirroring configuration display mirroring group groupid Display the mapping relationship between cos and local precedence display qos cos local precedence map Display line rate for outbound packets display qos interface interface name interface type interface num line rate Display traffic redirection display qos inter...

Page 258: ...d traffic to 20M on average Those packets exceeding the threshold are labeled with priority level 4 Only the 20 Port 10 100 1000BASE T and 20 Port 1000BASE X SFP I O modules support further processing for excessive traffic Only the 20 Port 10 100 1000BASE T and 20 Port 1000BASE X SFP I O modules support line rate setting For the 20 Port 10 100 1000BASE T and 20 Port 1000BASE X SFP I O modules the ...

Page 259: ...with priority level 4 SW7700 qosb GigabitEthernet7 0 1 traffic limit inbound ip group traffic of payserver 20 exceed remark dscp 4 Limit inbound traffic of the wage server from the port GigabitEthernet7 0 1 to 20 Mbps SW7700 qosb GigabitEthernet7 0 1 line rate 20 Port Mirroring This configuration uses one server to monitor the packets of two PCs One PC is accessed from the port E3 0 1 and the othe...

Page 260: ... mirrored to ethernet3 0 8 Priority Relabeling Configuration Example In this example ef labels are appended on packets sent between 8 00 and 18 00 each day from PC1 IP 1 0 0 2 as priority labeling reference for the upper layer device Figure 6 Priority Relabeling Configuration To create this configuration 1 Define the time range Define the time range between 8 00 and 18 00 SW7700 time range 3com 8 ...

Page 261: ...BASE T and 20 Port 1000BASE X SFP I O modules support packet redirection Figure 7 Packet Redirection To create this configuration 1 Define the time range 8 00 to 18 00 SW7700 time range 3com 8 00 to 18 00 daily 2 Define traffic rules for PC1 packets Enter the number based basic ACL and select ACL 2000 SW7700 acl number 2000 Define traffic classification rules for PC1 packets SW7700 acl basic 2000 ...

Page 262: ...eduling for the default mapping The 20 Port 10 100 1000BASE T and 20 Port 1000BASE X SFP I O modules support SP WRR and RR algorithm Other interface units support only SP algorithm Figure 8 Queue Scheduling To create this configuration 1 Respecify mapping between 802 1p priority levels and local priority levels SW7700 qos cos local precedence map 7 6 5 4 3 2 1 0 2 Define WRR algorithm for the swit...

Page 263: ... rule 0 permit ip source 1 0 0 1 0 0 0 0 time range 3com 3 Run the RED operation for the packets of IP address 1 0 0 1 and view the configuration with the display command Enter QoS view SW7700 Ethernet3 0 8 qos SW7700 qoss Ethernet3 0 8 Run RED operation for the packets of IP address 1 0 0 1 and view the configuration with the display command SW7700 qoss Ethernet3 0 8 traffic red outbound ip group...

Page 264: ...ddresses 1 0 0 1 and 2 0 0 1 view the configuration with the display command Enter QoS view SW7700 Ethernet3 0 8 qos SW7700 qoss Ethernet3 0 8 Configure traffic bandwidth for the packets of IP addresses 1 0 0 1 and 2 0 0 1 view the configuration with the display command SW7700 qoss Ethernet3 0 8 traffic bandwidth outbound ip group 1 rule 0 20 60 40 SW7700 qoss Ethernet3 0 8 traffic bandwidth outbo...

Page 265: ...al logon and device access measures including TELNET access SNMP access and HTTP access The security control over the access measures is provided with the switches to prevent illegal users from logging onto and accessing the devices There are two levels of security controls At the first level the user connection is controlled with an ACL filter and only legal users can be connected to the switch A...

Page 266: ...designated view For more information about the command see the Switch 7700 Command Reference Guide Only a numbered basic ACL can be imported for TELNET user control Example Controlling TELNET Users with ACL Figure 12 illustrates a configuration that controls TELNET users with an ACL Table 26 Defining a Basic ACL Operation Command Enter basic ACL view from system view acl number acl number name acl...

Page 267: ... illegal network management users and prevent them from accessing the local switch The steps to control SNMP users with ACL are described in the following sections Defining an ACL Importing an ACL to Control SNMP Users Defining an ACL To implement the ACL control function you can only call the numbered basic ACL ranging from 2000 to 2999 Use the configuration commands introduced in Configuring ACL...

Page 268: ...MP Users with an ACL Figure 13 illustrates a configuration that controls SNMP users with ACL Figure 13 Control SNMP User With ACL Use the following commands to control SNMP users with ACL 1 Define the basic ACLs SW7700 acl number 2000 match order config SW7700 acl basic 2000 rule 1 permit source 10 110 100 52 0 SW7700 acl basic 2000 rule 2 permit source 10 110 100 46 0 SW7700 acl basic 2000 quit I...

Page 269: ...onfiguring ACL Control 261 2 Import the basic ACLs SW7700 snmp agent community read 3com acl 2000 SW7700 snmp agent group v2c 3comgroup acl 2001 SW7700 snmp agent usm user v2c 3comuser 3comgroup acl 2002 ...

Page 270: ...262 CHAPTER 7 QOS OPERATION ...

Page 271: ...panning tree The configuration BPDU contains the following information The root ID consisting of root priority and MAC address The cost of the shortest path to the root A designated switch ID consisting of designated switch priority and MAC address A designated port ID consisting of port priority and port number The age of the configuration BPDU MessageAge The maximum age of the configuration BPDU...

Page 272: ... 4 of Switch B Figure 1 Designated Switch and Designated Port Calculating the STP Algorithm The following example illustrates the calculation process of STP The figure1 2 below illustrates the network Figure 2 Switch 7700 Networking To facilitate the descriptions only the first four parts of the configuration BPDU are given in the example They are root ID expressed as Ethernet switch priority path...

Page 273: ...iority If the root IDs are the same perform the comparison based on root path costs The cost comparison is as follows the path cost to the root recorded in the configuration BPDU plus the corresponding path cost of the local port is set as X the configuration BPDU with a smaller X has a higher priority If the costs of a path to the root are the same compare in sequence the designated switch ID des...

Page 274: ...e1 0 1 Configuration BPDU of Ethernet 1 0 4 1 0 1 e1 0 4 Switch B compares the configuration BPDUs of the ports and selects the Ethernet 1 0 7 BPDU as the optimum one Thus Ethernet 1 0 7 is elected as the root port and the configuration BPDUs of Switch B ports are updated as follows The configuration BPDU of the root port Ethernet 1 0 7 remains 0 0 0 e1 0 1 Ethernet 1 0 4 updates the root ID with ...

Page 275: ...ng process of a configuration BPDU other configuration BPDUs besides the first four items make modifications according to certain rules The basic calculation process is described below Configuring the BPDU Forwarding Mechanism Upon the initiation of the network all the switches regard themselves as the roots The designated ports send the configuration BPDUs of local ports at a regular interval of ...

Page 276: ...to point link or the edge port it takes an interval as long as twice the forward delay before the network converges MSTP makes the network converge rapidly and distributes the traffic of different VLANs along their respective paths This provides a better load balance mechanism for the redundant links MSTP associates VLAN with a spanning tree domain and divides a switching network into several regi...

Page 277: ...e 0 Internal Spanning Tree IST The entire switching network has a Common and Internal Spanning Tree CIST An MSTP region has an Internal Spanning Tree IST which is a fragment of CIST For example every MST region in Figure 4 has an IST Common Spanning Tree CST CST connects the spanning trees of the MST region Taking every MST region as a switch the CST can be regarded as their spanning tree generate...

Page 278: ...same role on MSTI and CIST instance For example the boundary port as a master port on a CIST instance should serve as a master port on every MSTI in the region Port role In the process of MSTP calculation a port can serve as a designated port root port master port alternate port or BACKUP The root port is the port through which the data is forwarded to the root The designated port is the one throu...

Page 279: ... entire switching network MSTI calculation Inside an MST region MSTP generates different MSTIs for different VLANs according to the association between the VLAN and the spanning tree In this way the packets of a VLAN travel along the corresponding MSTI inside the MST region and the CST between different regions Configuring MSTP Configuring MSTP includes tasks that are described in the following se...

Page 280: ...ese parameters depending on your actual conditions or simply take the defaults For more detailed information refer to the task description or to the command descriptions in the Switch 7700 Command Reference Guide When GVRP and MSTP start up on the switch simultaneously GVRP packets will propagate along CIST which is a spanning tree instance In this case if you want to issue a certain VLAN through ...

Page 281: ...ST region are mapped to the STI 0 and the MSTP region revision level is 0 You can restore the default settings of MST region using the undo stp region configuration command in system view Activating the MST Region Configuration and Exiting the MST Region View Perform the following configuration in MST region view Specifying the Switch as Primary or Secondary Root Switch MSTP can determine the span...

Page 282: ...ing the Switching Network Diameter and Configuring the Time Parameters of a Switch You can configure the current switch as the root of several STIs however it is not necessary to specify two or more roots for an STI In other words please do not specify the root for an STI on two or more switches You can configure more than one secondary root for a spanning tree by specifying the secondary STI root...

Page 283: ...rity is more likely to become the root An MSTP switch can have different priorities in different STIs You can use the following command to configure the bridge priorities of the designated switch in different STIs Perform the following configuration in system view When configuring the switch priority with the instance instance id parameter with a value of 0 you are configuring the CIST priority of...

Page 284: ... one passing more switches than all others is the network diameter expressed as the number of passed switches You can use the following command to configure the diameter of the switching network Perform the following configuration in system view The network diameter is the parameter specifying the network scale The larger the diameter the larger the scale When a user configures the network diamete...

Page 285: ...k adopts the values of the time parameters configured on the root switch of the CIST The forward delay configured on a switch depends on the switching network diameter Generally the forward delay is supposed to be longer when the network diameter is longer Note that a forward delay that is too short can redistribute some redundant routes temporarily while a forward delay that is too long can prolo...

Page 286: ... time through the port The max transmission speed on a port is limited by the physical state of the port and the network structure You can configure it according to the network conditions You can configure the max transmission speed on a port in the following ways Configuring in system view Perform the following configuration in system view Configuring in Ethernet port view Perform the following c...

Page 287: ...hat was disabled by the stp edged port disable command use the undo shutdown command in port view It is better to configure the BPDU protection on the edge port to prevent the switch from being attacked Before BPDU protection is enabled on the switch the port runs as a non edge port when it receives BPDU even if the user has set it as an edge port By default all the Ethernet ports of the switch ha...

Page 288: ...280 CHAPTER 8 STP OPERATION the traffic from different VLANs can run over different physical links thereby implementing the VLAN based load balancing ...

Page 289: ... can have different priorities in different STIs and play different roles The traffic from different VLANs can run over different physical links thereby implementing the VLAN based load balancing You can configure the port priority in the following ways Configuring in System View Perform the following configuration in system view Table 14 Configure the Path Cost of a Port Operation Command Configu...

Page 290: ...in Ethernet port view Table 17 Configure the Port Priority Operation Command Configure the port priority stp instance instance id port priority priority Restore the default port priority undo stp instance instance id port priority Table 18 Configure the Port Connection With the Point to point Link Operation Command Configure the port to connect with the point to point link stp interface interface ...

Page 291: ...configured as auto Configuring the mCheck Variable of a Port The port of an MSTP switch operates in either STP compatible or MSTP mode If a port of an MSTP switch on a switching network is connected to an STP switch the port will automatically transition to operate in STP compatible mode The port stays in STP compatible mode and cannot automatically transition back to MSTP mode when the STP switch...

Page 292: ... the high speed link may be pulled to the low speed link and congestion will occur on the network The root protection function is used against such problem The root port and other blocked ports maintain their state according to the BPDUs sent by an uplink switch Once the link is blocked or has trouble the ports cannot receive BPDUs and the switch will select a root port again In this case the form...

Page 293: ... about the configuration commands see the Switch 7700 Command Reference Guide Enabling MSTP on the Device You can use the following command to enable MSTP on the device Perform the following configuration in system view Only if MSTP has been enabled on the device will other MSTP configurations take effect By default MSTP is disabled Enabling or Disabling MSTP on a Port You can use the following co...

Page 294: ... Enable MSTP on a port stp interface interface list enable Disable MSTP on a port stp interface interface list disable Restore the default MSTP state on the port undo stp interface list Table 25 Enable Disable MSTP on a Port Operation Command Enable MSTP on a port stp enable Disable MSTP on a port stp disable Restore the default MSTP state on the port Table 26 Display and Debug MSTP Operation Comm...

Page 295: ...e point to point connection between the access device and the access port only The port can be either physical or logical A typical application environment is as follows Each physical port of the LAN Switch only connects to one user workstation based on the physical port and the wireless LAN access environment based on the logical port etc Configuring IEEE 802 1x is described in the following sect...

Page 296: ... Process Implement 802 1x on Ethernet Switch 802 1x Authentication Process 802 1x configures EAP frame to carry the authentication information The Standard defines the following types of EAP frames EAP Packet Authentication information frame used to carry the authentication information EAPoL Start Authentication originating frame actively originated by the Supplicant EAPoL Logoff Logoff request fr...

Page 297: ...e secure and easier to manage Configuring 802 1x The configuration tasks of 802 1x itself can be fulfilled in system view of the Ethernet switch When the global 802 1x is not enabled the user can configure the 802 1x state of the port The configured items will take effect after the global 802 1x is enabled Do not enable 802 1x and RSTP at the same time or the switch may not work normally The 802 1...

Page 298: ...d permit the user to access the network resources this is most common Setting Port Access Control Method The following commands are used for setting 802 1x access control method on the specified port When no port is specified in system view the access control method of the port is configured globally Perform the following configurations in system view or Ethernet port view By default 802 1x authen...

Page 299: ...n the user runs DHCP and applies for dynamic IP addresses Configuring the Authentication Method for 802 1x Users The following commands can be used to configure the authentication method for 802 1x users Three kinds methods of authentication are available PAP the RADIUS server must support this method CHAP the RADIUS server must support this method Table 4 Check the Users that Log on the Switch by...

Page 300: ... configured as N the system considers the user logged off and sets the user in logoff stat if it does not receive a response from the user N times consecutively Perform the following configurations in system view By default the handshake period is 15 seconds Configuring Timers The following commands are used for configuring the 802 1x timers Table 7 Configure the Authentication Method for 802 1x U...

Page 301: ...w long the duration of an authentication timeout timer of a Supplicant is The value ranges from 10 to 120 in units of second tx period Specify the transmission timeout timer If a Supplicant has not responded before the specified period expires Authenticator will resend the authentication request tx period value Specify how long the duration of the transmission timeout timer is The value ranges fro...

Page 302: ...oup consisting of two RADIUS servers at 10 11 1 1 and 10 11 1 2 is connected to the switch The former one acts as the primary authentication second accounting server The latter one acts as the secondary authentication primary accounting server Set the encryption key as name when the system exchanges packets with the authentication RADIUS server and money when the system exchanges packets with the ...

Page 303: ...the primary authentication accounting RADIUS servers SW7700 radius radius1 primary authentication 10 11 1 1 SW7700 radius radius1 primary accounting 10 11 1 2 5 Set the IP address of the second authentication accounting RADIUS servers SW7700 radius radius1 secondary authentication 10 11 1 2 SW7700 radius radius1 secondary accounting 10 11 1 1 6 Set the encryption key when the system exchanges pack...

Page 304: ...lan access SW7700 luser localuser password simple localpass 16 Enable the 802 1x globally SW7700 dot1x Configuring the AAA and RADIUS Protocols The Authentication Authorization and Accounting AAA protocol provides a uniform framework for configuring these three security functions and implements network security management The network security mentioned here refers to access control including Which...

Page 305: ...rom NAS RADIUS server performs AAA through user database query and update and returns the configuration information and accounting data to NAS NAS then controls supplicant and corresponding connections while RADIUS protocol regulates how to transmit configuration and accounting information between NAS and RADIUS NAS and RADIUS exchange the information with UDP packets During the interaction both s...

Page 306: ... an ISP Domain ISP domain is a group of users belonging to the same ISP Taking gw20010608 3com163 net as an example in the userid isp name format the isp name i e 3com163 net following the is the ISP domain name When the Switch 7700 control user access as for an ISP user whose username is in userid isp name format the system will take userid part as username for identification and take isp name pa...

Page 307: ...ate the users can request for network service while in block state users cannot request any network service An ISP is in the block state when it is created Maximum number of supplicants specifies how many supplicants can be contained in the ISP By default for any ISP domain there is no limit to the number of supplicants The idle cut function means that if the traffic from a certain connection is l...

Page 308: ...ant Properties Operation Command Add local users local user user name Delete all the local users undo local user all Delete a local user by specifying its type undo local user user name all service type lan access ftp telnet ssh Table 16 Set the Method that a Local User Uses to Set Password Operation Command Set the method that a local user uses to set password local user password display mode cip...

Page 309: ...schemes For more about the configuration commands refer to Configuring AAA Tasks for configuring RADIUS are described in the following sections Creating Deleting a RADIUS Server Group Setting the IP Address and Port Number of RADIUS Server Setting the RADIUS Packet Encryption Key Setting the Response Timeout Timer of RADIUS Server Setting Retransmission Times of the RADIUS Request Packet Enabling ...

Page 310: ...t is compulsory to create the RADIUS server group and enter its view to set its IP address You can use the following commands to create delete a RADIUS server group Perform the following configurations in system view Several ISP domains can use a RADIUS server group at the same time By default the system has a RADIUS server group named system whose attributes are all default values The default att...

Page 311: ...rvice port settings on the Switch 7700 need to be consistent with the port settings on the RADIUS server Normally RADIUS accounting service port is 1813 and the authentication authorization service port is 1812 By default all the IP addresses of primary second authentication authorization and accounting servers are 0 0 0 0 authentication authorization service port is 1812 and accounting service UD...

Page 312: ...S server has not responded to NAS before timeout NAS has to retransmit the RADIUS request packet If it transmits the packet for more than retry time and RADIUS server still has not given any response NAS considers the communication with the current RADIUS server disconnected and will transmit the request packet to other RADIUS servers Perform the following configurations in RADIUS server group vie...

Page 313: ... online users to the RADIUS server regularly Perform the following configurations in RADIUS server group view The minute variable specifies the real time accounting interval in minutes The value must be a multiple of 3 The value of minute is related to the performance of NAS and RADIUS server The smaller the value is the higher the performances of NAS and RADIUS have to be When there are a large a...

Page 314: ...een responded to the switch saves it in the local buffer and retransmits until the server responds or discards the messages The following command can be used to enable the storage of the stop accounting message If the stop accounting buffer is enabled make sure you set the maximum retransmission time Perform the following configurations in RADIUS server group view By default the stop accounting re...

Page 315: ...s to the primary server The following commands can be used to set the primary server to be active manually so that NAS can communicate with it immediately after troubleshooting When the primary and second servers are both active or block NAS sends the packets to the primary server only Perform the following configurations in RADIUS server group view By default the state of each server in RADIUS se...

Page 316: ...Transmitted to RADIUS Server The following command defines the unit of the data flow sent to RADIUS server By default the default data unit is a byte and the default data packet unit is one packet Configuring a Local RADIUS Server Group RADIUS service adopts authentication authorization accounting servers to manage users Local authentication authorization accounting service is also used in these p...

Page 317: ... server is connected to the switch and the server IP address is 10 110 91 146 The password for exchanging messages Table 35 Display and Debug AAA and RADIUS Protocol Operation Command Display the configuration information of the specified or all the ISP domains display domain isp name Display related information of user s connection display connection access type dot1x gcm domain isp name interfac...

Page 318: ...SW7700 radius cams primary authentication 10 110 91 146 1812 SW7700 radius cams key authentication expert SW7700 radius cams server type 3com SW7700 radius cams user name format without domain 5 Configure the association between domain and RADIUS SW7700 radius cams quit SW7700 domain cams SW7700 isp cams radius scheme cams Configuring FTP Telnet User Authentication at the Local RADIUS Server Local...

Page 319: ... that the supplicant inputs the correct password 4 The encryption keys of RADIUS server and NAS may be different Check carefully and make sure that they are identical 5 There might be some communication fault between NAS and RADIUS server which can be discovered through pinging RADIUS from NAS Ensure the normal communication between NAS and RADIUS RADIUS packet cannot be transmitted to RADIUS serv...

Page 320: ...312 CHAPTER 9 AAA AND RADIUS OPERATION ...

Page 321: ...cation between the host and the external network If Switch1 is down all the hosts on this segment have Switch1 as the next hop for the default route and are disconnected from the external network Figure 1 LAN Networking VRRP which is designed for LANs with multicast and broadcast capabilities such as Ethernet settles this problem Figure 2 illustrates the implementation principal of VRRP VRRP combi...

Page 322: ...ter group breaks down the backup switch functions as the new master switch This avoids interrupting communication between the hosts and external networks Configuring VRRP VRRP configuration tasks are described in the following sections Enable Pinging the Virtual IP Address Setting Correspondence Between Virtual IP and MAC Addresses Adding and Deleting a Virtual IP Address Configuring the Priority ...

Page 323: ...leting a Virtual IP Address The virtual router ID covers the range from 1 to 255 The virtual address can be an unused address in the network segment where the virtual router resides or the IP address of an interface in the virtual router If the IP address is on the switch the switch is called an IP address owner When adding the first IP address to a virtual router the system creates a new virtual ...

Page 324: ...preemption settings a delay can also be set A backup switch waits for a period of time before becoming a master In an unstable network if the backup switch has not received packets from the master switch periodically it becomes the master switch However the failure of the backup switch to receive packets may be due to network congestion instead of the malfunction of the master switch In this case ...

Page 325: ...n key should be configured for all vlan interfaces that belong to the virtual router Configuring the VRRP Timer The Master switch advertises its normal operation state to the switches within the VRRP virtual router by sending them VRRP packets regularly at the specified advertised interval If the backup switch does not receive a VRRP packet from the master after a period of time specified by maste...

Page 326: ...onfiguration and to verify the effect of the VRRP configuration You can enable VRRP debugging to display how it runs You can set the argument option to packet or state to debug the VRRP packet or VRRP state By default the switch disables debugging Example VRRP Single Virtual Router Host A uses the VRRP virtual router which combines switch A and switch B as its default gateway to visit host B on th...

Page 327: ...switch A is still functioning it may want Switch B to function as a gateway if a critical interface connected with it does not function properly This can be implemented by configuring a tracking interface The virtual router ID is set to 1 with additional configurations of an authorization key and timer Configure switch A 1 Create a virtual router SW7700_A vlan interface2 vrrp vrid 1 virtual ip 202...

Page 328: ...eway function as master Example Multiple Virtual Routers A Switch can function as the backup switch for many virtual routers Such a multi backup configuration can implement load balancing For example switch A as master switch of group 1 can share the responsibility of the backup switch for virtual router 2 and switch B performs the same functions for group 2 and virtual router 1 Some hosts employ ...

Page 329: ...iguration Because the second possibility is caused by the malicious attempt of some devices you should resort to non technical measures More than One Master Exists Within the Same Virtual Router One possible reason for this situation is the short time coexistence of many master switches which is normal and needs no manual intervention Another possible reason is the coexistence of many master switc...

Page 330: ...322 CHAPTER 10 RELIABILITY ...

Page 331: ...ing and renaming a file or a directory and opening files By default the file system requires that the user confirm before executing commands This prevents unwanted data loss Managing the file system is described in the following sections Using a Directory Managing Files Formatting Storage Devices Setting the Prompt Mode of the File System Configuring File Management FTP TFTP Using a Directory You ...

Page 332: ...tion Operation Command Create a directory mkdir directory Delete a directory rmdir directory Display the current working directory pwd Display the information about directories or files dir all file url Change the current directory cd directory Table 2 File Operation Operation Command Delete a file from the file system and move it to the recycle bin delete file url Restore a file from the recycle ...

Page 333: ... on command views The commands are sorted in one section The sections are separated with a blank line or a comment line A comment line begins with a pound sign Default constants are not saved Generally the sections in the file are arranged in the following order system configuration ethernet port configuration vlan interface configuration routing protocol configuration and so on Management of the ...

Page 334: ...g configuration file has been downloaded FTP FTP is a common way to transmit files on the Internet and IP network FTP is a TCP IP protocol on the application layer and is used for transmitting files between a remote server and a local host The Ethernet switch provides the following FTP services FTP server You can run the FTP client program to log in to the server and access the files on it FTP cli...

Page 335: ...server authentication and authorization The authorization information of the FTP server includes the top working directory provided for FTP clients Perform the following configuration in system view Only clients who have passed the authentication and authorization successfully can access the FTP server Table 8 Enable Disable FTP Server Operation Command Enable the FTP server ftp server enable Disa...

Page 336: ...and has no configuration functions The switch connects the FTP clients and the remote server and inputs the command from the clients for corresponding operations such as creating or deleting a directory TFTP Trivial File Transfer Protocol TFTP is a simple protocol for file transmission that has no complicated interactive access interface or authentication control and therefore it can be used when ...

Page 337: ...ntry includes the MAC address of a device and the port ID of the switch connected to it The switch learns dynamic entries when it receives a data frame from a port assumed as port A The switch analyzes the source MAC address and considers that the packets destined for the source MAC address can be forwarded through port A If the MAC address table contains the MAC_SOURCE the switch updates the corr...

Page 338: ...ment The entries can be static or dynamic Configuring the MAC Address Table MAC address table management includes Setting MAC Address Table Entries Disabling or Enabling Global MAC Address Learning Disabling or Enabling MAC Address Learning on a Port Setting MAC Address Aging Time Setting the Maximum MAC Addresses an Ethernet Port can Learn Displaying and Debugging the MAC Address Table Setting MA...

Page 339: ...default the MAC address learning function is enabled Disabling or Enabling MAC Address Learning on a Port After the MAC address learning has been enabled globally you can disable it on individual ports Use the following commands to disable the MAC address learning on a specified port Perform the following configurations in the Ethernet port view By default the MAC address learning function is enab...

Page 340: ...n Ethernet Port can Learn Use the following command to set an amount limit on MAC addresses learned by the Ethernet port If the number of MAC addresses learned by this port exceeds the value set by the user this port will not learn MAC address Perform the following configuration in Ethernet port view NOTE If the count parameter is set to 0 the port is not permitted to learn MAC address By default ...

Page 341: ... mac address timer 500 4 Display the MAC address configurations in all views SW7700 display mac address interface Ethernet 1 0 2 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME s 00 e0 fc 35 dc 71 1 Static Ethernet1 0 2 NOAGED Table 20 Displaying and Debugging MAC Address Table Operation Command Display the information in the address table display mac address static dynamic interface interface name i...

Page 342: ... command to designate the operational file app to use when the Switch 7700 is booted Perform the following configuration in user view Tasks for designating the APP for the next boot are described in the following sections Upgrading BootROM Resetting a Slot Setting the Slot Temperature Limit Setting the Backboard View Upgrading BootROM You can use this command to upgrade the BootROM with the BootRO...

Page 343: ... The Switch 7700 Fabric 64 is capable of 64 Gbps full duplex on the backplane but the chassis has a maximum capability of 240 Gbps full duplex The Switch 7700 Fabric 32 is capable of 32 Gbps full duplex on the backplane but the chassis has a maximum capability of 128 Gbps full duplex This command sets the bandwidth available to each slot in the system Perform the following configuration in system ...

Page 344: ...me Setting the System Name Perform the following commands in system view Setting the System Clock Perform the following command in user view Table 27 Displaying Devices Operation Command Display the CPU display cpu slot slotnum Display the set back board view display backboard view Display the module types and states of each card display device detail shelf shelf no frame frame no slot slot no Dis...

Page 345: ...nabling and Disabling Terminal Debugging Displaying Diagnostic Information Table 30 Setting the Time Zone Operation Command Set the local time clock timezone zone_name add minus HH MM SS Restore to the default UTC time zone undo clock timezone Table 31 Setting Daylight Saving Time Operation Command Set the name and range of daylight saving time clock summer time zone_name one off repeating start t...

Page 346: ...he relationship between two switches Figure 3 Debugging Output You can use the following commands to control debugging Perform the following operations in user view Table 33 Enabling and Disabling Debugging Operation Command Enable the protocol debugging debugging all timeout interval module name debugging option Disable the protocol debugging undo debugging all protocol name function name debuggi...

Page 347: ...f testing tools for a network connection are found in the following Ping Tracert Command Ping The ping command can be used to check the network connection and to verify whether the host can be reached Perform the following operation in user view The output of the ping command includes The response to each ping message If no response packet is received when time is out Request time out information ...

Page 348: ...on output and also to make detailed classification to filter the information efficiently Coupled with the debugging program the syslog provides powerful support for the network administrators to monitor the operational state of networks and to diagnose network failures The syslog of the Switch 7700 has the following features Support for six different output destinations console monitor to Telnet t...

Page 349: ...uration in system view Table 37 Enable Disable the Logging Function Operation Command Enable the logging function info center enable Disable the logging function undo info center enable Table 38 Log Output Operation Command Configure to output the information to the Console info center console channel channel number channel name Disable the output of the information to the Console undo info center...

Page 350: ...nnel name Disable the output of the information to the trap buffer undo info center trapbuffer channel size Configure to output the information to SNMP info center snmp channel channel number channel name Disable the output of the information to SNMP undo info center snmp channel Rename a channel specified by channel number as channel name info center channel channel number name channel name Table...

Page 351: ...ollowing operation in system view Configuring the Info center Loghost This configuration is performed on the info center loghost The following configuration example is implemented on SunOS 4 0 The configurations on the Unix operating systems of other vendors are similar 1 Perform the following commands with the identity of root mkdir var log SW7700 touch var log SW7700 config touch var log SW7700 ...

Page 352: ...e of information filtering If you are using a UNIX workstation as a syslog server consult your UNIX system manager manual for syslog configuration information Example Log Configuration Configure to output log on the console as follows 1 Enable the logging system SW7700 info center enable 2 Configure the logging output of the console and allows the log output of RSTP module with the severity ranged...

Page 353: ...M platforms include Sun NetManager and IBM NetView The agent is the server software operated on network devices NMS can send GetRequest GetNextRequest and SetRequest messages to the agent Upon receiving the requests from the NMS the agent will perform a read or write operation according to the message types and generate and return the response message to NMS On the other hand the agent will send a...

Page 354: ...onitored network device In the above figure the managed object B can be uniquely specified by a string of numbers 1 2 1 1 The number string is the Object Identifier of the managed object The current SNMP Agent of Ethernet switch supports SNMP V1 V2C and V3 The MIBs supported are listed in the following table Configuring SNMP Configuring SNMP includes tasks that are described in the following secti...

Page 355: ...ted by the device is discarded An SNMP community is named with a character string which is called the community name Communities can have read only or read write access modes A community with read only authority can only query the device information whereas the community with read write authority can also configure the device Use the following commands to set the community name Perform the followi...

Page 356: ...ion includes the character string sysContact system contact the character string describing the system location and the version information for SNMP in the system Use the following commands to set the system information Table 46 Enabling and Disabling an SNMP Agent to Send a Trap Operation Command Enable to send a trap snmp agent trap enable standard authentication coldstart linkdown linkup warmst...

Page 357: ...r is supported only in SNMP V3 Table 49 Setting SNMP System Information Operation Command Set SNMP system information snmp agent sys info contact sysContact location syslocation version v1 v2c v3 all Restore the default SNMP system information of the Ethernet switch undo snmp agent sys info contact location version v1 v2c v3 all Table 50 Setting the Engine ID of a Local or Remote Device Operation ...

Page 358: ... the Size of an SNMP Packet Sent or Received by an Agent Use the following commands to set the size of SNMP packet sent or received by an agent Table 52 Setting the Source Address of the Trap Operation Command Set the Source Address of Trap snmp agent trap source interface name interface num Remove the source address of trap undo snmp agent trap source Table 53 Adding and Deleting a User to or fro...

Page 359: ...n Command Set the size of an SNMP packet set or received by an agent snmp agent packet max size byte count Restore the default size of an SNMP packet sent or received by an agent undo snmp agent packet max size Table 56 Enable Disable Transmission of Trap Information Operation Command Enable the current port to transmit the trap information enable snmp trap updown Disable the current port from tra...

Page 360: ...agev3user managev3group 3 Set the administrator ID contact and the physical location of the Ethernet switch SW7700 snmp agent sys info contact Mr Smith Tel 3306 SW7700 snmp agent sys info location telephone closet 3rd floor 4 Set the VLAN interface 2 as the interface used by network management Add Ethernet port 2 0 3 to the VLAN 2 This port will be used for network management Set the IP address of...

Page 361: ...total number of packets on a segment in a certain period of time or that of the correct packets sent to a host RMON helps the SNMP monitor the remote network device more actively and effectively which provides a highly efficient means for monitoring subnet operations RMON can reduce communication traffic between the NMS and the agent thus facilitating an effective management over large interconnec...

Page 362: ... Deleting an Entry to or from the Event Table RMON event management defines the event ID and handling of the event by keeping logs sending trap messages to NMS or performing both at the same time Use the following commands to add or delete an entry to or from the event table Perform the following configuration in system view Adding and Deleting an Entry to or from the History Control Table The his...

Page 363: ...ing configuration in Ethernet port view Table 61 Adding or Deleting an Entry to or from the History Control Table Operation Command Add an entry to the history control table rmon history entry number buckets number interval sampling interval owner text string Delete an entry from the history control table undo rmon history entry number Table 62 Add or Delete an Entry to or from the Extended RMON A...

Page 364: ...kets 1954 broadcast packets 1570 multicast packets 365 undersized packets 0 oversized packets 0 fragments packets 0 jabbers packets 0 CRC alignment errors 0 collisions 0 Dropped packet events due to lack of resources 0 Packets received according to length in octets 64 644 65 127 518 128 255 688 256 511 101 512 1023 3 1024 1518 0 Table 64 Displaying and Debugging RMON Operation Command Display the ...

Page 365: ...emote Procedure Call Recording an application when a user logs into a system a file is modified or some other operation is performed Figure 7 illustrates the basic operating principle of NTP Figure 7 Basic Operating Principle of NTP In page 357 Ethernet Switch A and Ethernet Switch B are connected to the Ethernet port They have independent system clocks Before implementing automatic clock synchron...

Page 366: ...itch B Configuring NTP is described in the following sections Configuring NTP NTP Configuration Examples Configuring NTP NTP configuration includes the tasks described in the following sections Configuring NTP Operating Mode Configuring NTP ID Authentication Setting the NTP Authentication Key Setting the Specified Key to Be Reliable Designating an Interface to Transmit the NTP Message Setting the ...

Page 367: ...es its clock with the clock of the remote server while the reverse synchronization will not happen Perform the following configurations in system view NTP version number number ranges from 1 to 3 and defaults to 3 the authentication key ID keyid ranges from 0 to 4294967295 interface name or interface type interface number specifies the IP address of an interface from which the source IP address of...

Page 368: ... interface on the local switch to receive NTP broadcast messages and operate in broadcast client mode The local switch listens to the broadcast from the server When it receives the first broadcast packets it starts a brief client server mode to switch messages with a remote server for estimating the network delay Thereafter the local switch enters broadcast client mode and continues listening to t...

Page 369: ...t multicast packets it starts a brief client server mode to switch messages with a remote server for estimating the network delay Thereafter the local switch enters multicast client mode and continues listening to the multicast and synchronizes the local clock by the arrived multicast message Perform the following configurations in VLAN interface view Multicast IP address ip address defaults to 22...

Page 370: ...figurations in system view Table 71 Configuring NTP Authentication Operation Command Enable NTP authentication ntp service authentication enable Disable NTP authentication undo ntp service authentication enable Table 72 Configuring the NTP Authentication Key Operation Command Configure the NTP authentication key ntp service authentication keyid number authentication mode md5 value Remove the NTP a...

Page 371: ...is configuration task must be performed on the interface to be disabled from receiving an NTP message Setting the Authority to Access a Local Switch Set the authority to access the NTP services on a local switch This is a basic and brief security measure An access request will be matched with peer serve serve only and query only in an ascending order of the limitation The first matched authority w...

Page 372: ...ify the configurations according to the outputs You can use the debugging command in user view to debug NTP See Table 79 for the details of these commands NTP Configuration Examples NTP configuration examples are shown in the following Configuring NTP Servers Configuring NTP Peers Configuring NTP Broadcast Mode Cancel settings of the authority to access a local Ethernet switch undo ntp service acc...

Page 373: ...t the local clock as the NTP master clock at stratum 2 SW77001 ntp service refclock master 2 Configure Ethernet Switch SW77002 1 Enter system view SW77002 system view 2 Set SW77001 as the NTP server SW77002 ntp service unicast server 1 0 1 11 The above examples synchronized SW77002 by SW77001 Before the synchronization the SW77002 is shown in the following status SW77002 display ntp service status...

Page 374: ...z clock precision 2 17 clock offset 0 0000 ms root delay 0 00 ms root dispersion 10 94 ms peer dispersion 10 00 ms reference time 20 54 25 156 UTC Mar 7 2002 C0325201 2811A112 By this time SW77002 has been synchronized by SW77001 and is at stratum 3 higher than SW77001 by 1 Display the sessions of SW77002 and you will see SW77002 has been connected with SW77001 SW77002 display ntp service sessions...

Page 375: ...3 after synchronization SW77004 ntp service unicast server 3 0 1 31 Configure Ethernet Switch SW77005 SW77004 has been synchronized by SW77003 1 Enter system view SW77005 system view 2 Set the local clock as the NTP master clock at stratum 1 SW77005 ntp service refclock master 1 3 After performing local synchronization set SW77004 as a peer SW77005 ntp service unicast peer 3 0 1 32 The above examp...

Page 376: ... 0 0 0 0 1 0 5 1 0 1 11 0 0 0 0 16 0 64 0 0 0 0 0 0 5 128 108 22 44 0 0 0 0 16 0 64 0 0 0 0 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Configuring NTP Broadcast Mode On SW77003 set local clock as the NTP master clock at stratum 2 and configure to broadcast packets from Vlan interface2 Configure SW77004 and SW77001 to listen to the broadcast from their Vlan interface...

Page 377: ...eceive any broadcast packets from SW77003 while SW77004 is synchronized by SW77003 after receiving its broadcast packet After the synchronization you can find the state of SW77004 as follows SW77004 display ntp service status clock status synchronized clock stratum 8 reference clock ID LOCAL 0 nominal frequency 100 0000 Hz actual frequency 100 0000 Hz clock precision 2 17 clock offset 0 0000 ms ro...

Page 378: ...tp service refclock master 2 3 Enter Vlan interface2 view SW77003 interface vlan interface 2 4 Set it as a multicast server SW77003 Vlan Interface2 ntp service multicast server Configure Ethernet Switch SW77004 1 Enter system view SW77004 system view 2 Enter Vlan interface2 view SW77004 interface vlan interface 2 3 Enable multicast client mode SW77004 Vlan Interface2 ntp service multicast client C...

Page 379: ...on keyid 42 authentication mode md5 aNiceKey 5 Set the key as reliable SW77002 ntp service reliable authentication keyid 42 The above examples synchronized SW77002 by SW77001 Since SW77001 has not been enabled authentication it cannot synchronize SW77002 Perform the following additional configurations on SW77001 1 Enable authentication SW77001 ntp service authentication enable 2 Set the key SW7700...

Page 380: ...e same algorithm to work out the session key based on server public key and the returned random number Then both ends get the same key without data transfer over the network while the key is used at both ends for encryption and description Authentication The server authenticates the user at the client after obtaining a session key The client sends its username to the server If the username has bee...

Page 381: ...guration tasks on the SSH server are described in the following sections Setting the System Protocol Configuring and Cancelling a Local RSA Key Pair Configuring the Authentication Type Defining the Update Interval of the Server Key Defining the SSH Authentication Timeout Value Defining the SSH Authentication Retry Value Entering the Public Key Edit View and Editing a Public Key Associating a Publi...

Page 382: ...figurations in system view If the configuration is the RSA authentication type then the RSA public key of client user must be configured on the switch to perform the 7 and 8 serial number marked configuration By default no authentication type is specified for a new user so the user cannot access the switch Defining the Update Interval of the Server Key Perform the following configurations in syste...

Page 383: ...em view When entering the public key edit view with the rsa peer public key command you can begin editing the public key with the public key code begin command You can key in blank space between characters since the system can remove the blank space automatically But the public key should be composed of hexadecimal characters Terminate public key editing and save the result with the public key cod...

Page 384: ... version Specifying the RSA private key file If you specify RSA authentication for the SSH user you must specify the RSA private key file The RSA key which includes the public key and private key are generated by the client software The former is configured in the server switch and the latter is in the client The following description takes the PuTTY as an example Specifying the Server IP Address ...

Page 385: ... of the switch in the Host Name or IP Address text box You can also input the IP address of an interface in UP state but its route to SSH client PC must be reachable 2 Select the SSH protocol radio button 3 To select the SSH version select Connection SSH in the Category menu The window in Figure 11 displays ...

Page 386: ...igure 11 PuTTY Configuration for SSH Version 4 Select the 1 radio button 5 To enable RSA authentication you must specify RSA private key file which is not required for password authentication Select SSH Auth to enable RSA authentication ...

Page 387: ...w to view the operation of SSH and further to check the configuration result Run the debugging command to debug the SSH Perform the following configurations in any view Table 89 Display SSH Information Operation Command Display host and server public keys display rsa local key pair public Display client RSA public key display rsa peer public key brief name keyname Display SSH state information and...

Page 388: ...he default values for SSH authentication timeout value retry value and update interval of server key Then run SSH1 5 client program on the PC which is connected to the switch and access the switch using username client001 and password secret b For RSA authentication mode Create a local user client002 SW7700 local user client002 SW7700 luser client002 service type ssh Specify AAA authentication on ...

Page 389: ...7700 key code public key code end SW7700 rsa public peer public key end SW7700 ssh user client002 assign rsa key key002 You need to specify the RSA private key which corresponds to the public key for the SSH user client002 Run the SSH1 5 client program on the PC which has been configured with a private RSA private key and you can set up SSH connection ...

Page 390: ...382 CHAPTER 11 SYSTEM MANAGEMENT ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands