CHAPTER 6: LOGGING IN THROUGH THE WEB-BASED NETWORK MANAGEMENT SYSTEM

Figure 18   Establish an HTTP connection between your PC and the switch

 

4   Log into the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar. (Make sure the route between the Web-based network management terminal and the switch is available.)

5   When the login authentication interface (as shown in Figure 19) appears, enter the user name and the password configured in step 2 and click <Login> to bring up the main page of the Web-based network management system. The connection is plain HTTP, so the user name and password cross the network unencrypted; use this login only from a network path you control up to the management VLAN interface.

Figure 19   The login page of the Web-based network management system

 

Configuring the Login Banner

Configuration Procedure

If a login banner is configured with the header command, when a user logs in through Web, the banner page is displayed before the user login authentication page. The contents of the banner page are the login banner information configured with the header command. Then, by clicking <Continue> on the banner page, the user can enter the user login authentication page, and enter the main page of the Web-based network management system after passing the authentication. If no login banner is configured by the header command, a user logging in through Web directly enters the user login authentication page.

Configuration Example

Network requirements

A user logs in to the switch through Web.

The banner page is desired when a user logs into the switch.

Network diagram: PC -- HTTP connection -- Switch

Table 32   Configure the login banner

Operation                                    Command              Description
Enter system view                            system-view          -
Configure the banner to be displayed when    header login text    Required. By default, no login banner is
a user logs in through Web                                        configured.
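The procedure in Table 32 as a CLI session, added here as an example; it is not the guide's own configuration procedure. It assumes the Web user account from step 2 already exists. The banner text and the % delimiter are this example's choice: the first character typed after header login is the start delimiter and the text runs to the next occurrence of that character, so pick a delimiter that does not occur in the banner. Because the banner page is shown to anyone who reaches the switch's Web interface before authentication, keep it to an authorized-use notice and leave out the device model, software version and location.

```text
Enter system view
<SW7750> system-view
Configure the banner displayed before the Web login page (text and % delimiter chosen for this example)
[SW7750] header login %Authorized users only. Activity on this system is logged and may be disclosed.%
Verify that the banner is part of the running configuration
[SW7750] display current-configuration
Save the configuration so the banner survives a reboot
[SW7750] quit
<SW7750> save
```

After this, browsing to the management VLAN interface address shows the banner page first; clicking <Continue> leads to the login authentication page of Figure 19.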

Summary of Contents for Switch 7754

Page 1: ...3Com Switch 7750 Family Configuration Guide Switch 7750 Switch 7754 Switch 7757 Switch 7758 www 3Com com Part Number 10015462 Rev AD Published December 2007 ...

Page 2: ... 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com ...

Page 3: ...h Authentication Mode Being None 39 Console Port Login Configuration with Authentication Mode Being Password 42 Console Port Login Configuration with Authentication Mode Being Scheme 46 4 LOGGING IN THROUGH TELNET Introduction 51 Telnet Configuration with Authentication Mode Being None 52 Telnet Configuration with Authentication Mode Being Password 55 Telnet Configuration with Authentication Mode ...

Page 4: ...N FILE MANAGEMENT Introduction to Configuration File 83 Configuration File Related Operations 83 10 VLAN OVERVIEW VLAN Overview 87 Port Based VLAN 89 Protocol Based VLAN 91 11 VLAN CONFIGURATION VLAN Configuration 95 Configuring a Port Based VLAN 97 Configuring a Protocol Based VLAN 100 12 VOICE VLAN CONFIGURATION Voice VLAN Overview 105 Voice VLAN Configuration 108 Displaying and Maintaining Voic...

Page 5: ...pecial IP Packets to CPU 132 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 132 Disabling ICMP Error Message Sending 133 Displaying and Debugging IP Performance 133 Troubleshooting 134 17 IPX CONFIGURATION IPX Protocol Overview 137 IPX Configuration 138 Displaying and Debugging IPX 145 IPX Configuration Example 145 Troubleshooting IPX 147 18 GVRP CONFIGURATION Introduct...

Page 6: ...189 Displaying and Maintaining Link Aggregation Configuration 192 Link Aggregation Configuration Example 193 24 PORT ISOLATION CONFIGURATION Port Isolation Overview 195 Configuring Port Isolation 195 Displaying Port Isolation Configuration 196 Port Isolation Configuration Example 196 25 PORT SECURITY CONFIGURATION Port Security Overview 199 Port Security Configuration 202 Displaying Port Security ...

Page 7: ...nfiguration 264 Digest Snooping Configuration 268 Rapid Transition Configuration 269 BPDU Tunnel Configuration 272 STP Maintenance Configuration 274 MSTP Displaying and Debugging 274 MSTP Implementation Example 275 BPDU Tunnel Configuration Example 277 31 IP ROUTING PROTOCOL OVERVIEW Introduction to IP Route and Routing Table 281 Routing Management Policy 283 32 STATIC ROUTE CONFIGURATION Introduc...

Page 8: ... IS IS Configuration Example 345 36 BGP CONFIGURATION BGP Overview 349 BGP Configuration Tasks 354 Basic BGP Configuration 355 Configuring the Way to Advertise Receive Routing Information 356 Configuring BGP Route Attributes 361 Adjusting and Optimizing a BGP Network 363 Configuring a Large Scale BGP Network 365 Displaying and maintaining BGP 368 Configuration Example 369 BGP Error Configuration E...

Page 9: ...t Architecture 416 Forwarding Mechanism of Multicast Packets 420 42 GMRP CONFIGURATION GMRP Overview 423 Configuring GMRP 423 Displaying and Maintaining GMRP 424 GMRP Configuration Example 424 43 IGMP SNOOPING CONFIGURATION Overview 427 IGMP Snooping Configuration 430 Displaying and Maintaining IGMP Snooping 437 IGMP Snooping Configuration Example 438 Troubleshooting IGMP Snooping 440 44 COMMON MU...

Page 10: ...493 MSDP Configuration Example 494 Troubleshooting MSDP Configuration 504 49 AAA RADIUS HWTACACS CONFIGURATION Overview 507 Configuration Tasks 516 AAA Configuration 518 RADIUS Configuration 525 HWTACACS Configuration 532 Displaying and Maintaining AAA RADIUS HWTACACS Information 536 AAA RADIUS HWTACACS Configuration Example 537 Troubleshooting AAA RADIUS HWTACACS Configuration 541 50 EAD CONFIGUR...

Page 11: ...Example 584 56 DHCP OVERVIEW Introduction to DHCP 589 DHCP IP Address Assignment 589 DHCP Packet Format 590 DHCP Packet Processing Modes 592 Protocols and Standards 592 57 DHCP SERVER CONFIGURATION Introduction to DHCP Server 593 Global Address Pool Based DHCP Server Configuration 594 Interface Address Pool Based DHCP Server Configuration 600 DHCP Security Configuration 606 Displaying and Maintain...

Page 12: ...splaying ACL Configuration 652 ACL Configuration Example 653 61 QOS CONFIGURATION Overview 657 QoS Supported by the Switch 7750 666 Setting Port Priority 666 Configuring Priority to Be Used When a Packet Enters an Output Queue 667 Configuring Priority Remark 669 Configuring Rate Limit on Ports 671 Configuring TP 672 Configuring Redirect 673 Configuring Queue scheduling 674 Configuring Congestion A...

Page 13: ...PoE Supervision Information 729 PoE PSU Supervision Configuration Example 729 66 POE PROFILE CONFIGURATION Introduction to PoE Profile 731 PoE Profile Configuration Tasks 731 Displaying PoE Profile Configuration 732 PoE Profile Configuration Example 732 67 UDP HELPER CONFIGURATION Introduction to UDP Helper 735 Configuring UDP Helper 735 Displaying and Maintaining UDP Helper 736 UDP Helper Configu...

Page 14: ...on Tasks 798 Basic Configuration of BIMS Device 798 Configuring BIMS Access Mode 799 BIMS Configuration Example 800 74 FTP AND TFTP CONFIGURATION FTP Configuration 803 TFTP Configuration 810 75 INFORMATION CENTER Information Center Overview 815 Information Center Configuration 819 Displaying and Debugging Information Center Configuration 825 Information Center Configuration Examples 825 76 DNS CON...

Page 15: ...ckets Monitoring 868 Displaying the Device Management Configuration 869 Remote Switch Update Configuration Example 870 81 REMOTE PING CONFIGURATION Remote ping Overview 873 Remote ping Configuration 876 Remote ping Configuration Example 889 82 RRPP CONFIGURATION RRPP Overview 903 Master Node Configuration 909 Transit Node Configuration 911 Edge Node Configuration 912 Assistant Edge Node Configurat...

Page 16: ...or Link Configuration 934 Monitor Link Configuration Example 934 86 CONFIGURING HARDWARE DEPENDENT SOFTWARE Configuring Boot ROM Upgrade with App File 937 Configuring Inter Card Link State Adjustment 938 Configuring Internal Channel Monitoring 939 Configuring Switch Chip Auto reset 939 Configuring CPU Usage Threshold 940 ...

Page 17: ...that are used throughout this guide Related Documentation The following manuals offer additional information necessary for managing your Switch 7750 Switch 7750 Command Reference Guide Provides detailed descriptions of command line interface CLI commands that you require to manage your Switch 7750 Switch 7750 Quick Reference Guide Provides a summary of command line interface CLI commands that are ...

Page 18: ...t If information in this guide differs from information in the release notes use the information in the Release Notes These documents are available in Adobe Acrobat Reader Portable Document Format PDF on the CD ROM that accompanies your router or on the 3Com World Wide Web site http www 3com com ...

Page 19: ...t level Commands at this level are mainly used to diagnose network and change the language mode of user interface and cannot be saved in configuration files For example the ping tracert and language mode commands are at this level Monitor level Commands at this level are mainly used to maintain the system and diagnose service problems and cannot be saved to configuration files For example the disp...

Page 20: ... into four command levels visit monitor system and manage which are identified as 0 1 2 and 3 respectively The administrator can change the command level a command belongs to Table 3 lists the operations to configure the level of a specific command Table 1 Set a user level switching password Operation Command Description Enter system view system view Set a password for switching from a lower user ...

Page 21: ...view Ethernet port view Null interface view Tunnel interface view AUX interface view VLAN view VLAN interface view Loopback interface view Local user view User interface view FTP client view SFTP client view Cluster view DHCP address pool view MST region view RRPP domain view MSDP region view Port isolate group view HWping view Public key view Public key code view PIM view RIP view OSPF view OSPF ...

Page 22: ...destination prefix aggregation view Netstream source and destination aggregation view Smart link group view Table 4 lists information about CLI views including the operations you can performed in these views how to enter these views and so on Table 4 CLI views View Available operation Prompt example Enter method Quit method User view Display operation status and statistical information SW7750 Ente...

Page 23: ...urn to system view Execute the return command to return to user view Tunnel interface view Configure tunnel interface parameters SW7750 Tunne l0 Execute the interface tunnel 0 command in system view Execute the quit command to return to system view Execute the return command to return to user view AUX interface view Configure AUX interface parameters SW7750 Aux0 0 0 Execute the interface aux 0 0 0...

Page 24: ...ameters sftp client Execute the sftp 10 1 1 1 command in system view Execute the quit command to return to user view Cluster view Configure cluster parameters SW7750 cluster Execute the cluster command in system view Execute the quit command to return to system view Execute the return command to return to user view DHCP address pool view Configure DHCP address pool parameters SW7750 dhcp pool 1 Ex...

Page 25: ...mand in system view Execute the peer public key end command to return to system view Public key code view Edit RSA public keys of SSH users SW7750 rsa ke y code Execute the public key code begin command in public key view Execute the public key code end command to return to public key view PIM view Configure PIM parameters SW7750 pim Execute the pim command in system view Use the multicast routing...

Page 26: ... user view ES IS view Configure parameters for the ES IS protocol SW7750 esis Execute the esis command in system view Execute the quit command to return to system view Execute the return command to return to user view Routing policy view Configure routing policies SW7750 route policy Execute the route policy policy1 permit node 10 command in system view Execute the quit command to return to system...

Page 27: ... view Execute the quit command to return to system view Execute the return command to return to user view QinQ view Create QinQ instances and configure parameters for QinQ SW7750 Gigabi tEthernet4 0 1 v id 1000 Execute the vlan vpn vid 1000 uplink Ethernet 1 0 5 untagged command in Ethernet port view Execute the quit command to return to system view Execute the return command to return to user vie...

Page 28: ...ation view Configure netstream protocol port aggregation parameters SW7750 aggregation pr otport Execute the ip netstream aggregation protocol port command in system view Execute the quit command to return to system view Execute the return command to return to user view Netstream sourceprefix aggregation view Configure netstream source prefix aggregation parameters SW7750 aggregation src pre Execu...

Page 29: ...e in this position of the command on your terminal to display all the available keywords and their brief descriptions The following takes the clock command as an example SW7750 clock datetime Specify the time and date summer time Configure summer time timezone Configure time zone Enter a command a space and a character instead of an argument available in this position of the command on your termin...

Page 30: ...translate the help into Chinese Terminal Display CLI provides the following display feature Display suspending That is the displaying of output information can be split when the screen is full and you can then perform the three operations listed in Table 5 as needed Command History CLI can store the latest executed commands as history commands so that users can recall and execute them again By def...

Page 31: ...red too many parameters Ambiguous command The parameters entered are ambiguous Wrong parameter The input parameter is wrong Table 8 Edit operations Press To A common key Insert the character the key represents at the cursor and move the cursor one character to the right if the edit buffer is not full The Backspace key Delete the character on the left of the cursor and move the cursor one character...

Page 32: ...32 CHAPTER 1 CLI OVERVIEW ...

Page 33: ...ber Two kinds of user interface index exist absolute user interface index and relative user interface index 1 The absolute user interface indexes are as follows AUX user interface 0 VTY user interfaces Numbered after AUX user interfaces and increases in the step of 1 2 A relative user interface index can be obtained by appending a number to the identifier of a user interface type It is generated b...

Page 34: ...sconnect a specified user interface free user interface type number Optional Execute this command in user view Enter system view system view Enable copyright information displaying copyright info enable Optional By default copyright information displaying is disabled That is the copyright information is not displayed after a user logs into a switch successfully Enter user interface view user inter...

Page 35: ...rough the Console Port Following are the procedures to connect to a switch through the Console port 1 Connect the serial port of your PC terminal to the Console port of the switch as shown in Figure 1 Figure 1 Diagram for setting the connection to the Console port 2 If you use a PC to connect to the Console port launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal i...

Page 36: ...36 CHAPTER 3 LOGGING IN THROUGH THE CONSOLE PORT Figure 2 Create a connection Figure 3 Specify the port used to establish the connection ...

Page 37: ...he character The commands available on a switch are described in the related module of the command manual Console Port Login Configuration Common Configuration Table 12 lists the common configuration of Console port login Table 12 Common configuration of Console port login Configuration Remarks Console port configuration Baud rate Optional The default baud rate is 9 600 bps Check mode Optional By ...

Page 38: ...able Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the history command buffer can contain up to 10 commands Set the timeout time of a user interface Optional The default timeout time is 10 minutes Table 12 ...

Page 39: ... RADIUS users Required The user name and password of a local user are configured on the switch The user name and password of a RADIUS user are configured on the RADIUS server Refer to user manual of RADIUS server for more Manage AUX users Set service type for AUX users Required Perform common configuration Perform common configuration for Console port login Optional Refer to Common Configuration o...

Page 40: ...mand level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface Make terminal services available shell Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By def...

Page 41: ... can contain up to 20 commands The timeout time of the AUX user interface is 6 minutes Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the...

Page 42: ... user privilege level 2 Set the baud rate of the Console port to 19 200 bps SW7750 ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 SW7750 ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 SW7750 ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes SW7750 ui aux0 idle tim...

Page 43: ...ntrol Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a Console port is 1 Set the data bits databits 7 8 Optional The default data bits of a Console port is 8 Configure the command level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface Make terminal s...

Page 44: ...r can store up to 20 commands The timeout time of the AUX user interface is 6 minutes Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the ...

Page 45: ...the local password to 123456 in plain text SW7750 ui aux0 set authentication password simple 123456 Specify commands of level 2 are available to users logging into the AUX user interface SW7750 ui aux0 user privilege level 2 Set the baud rate of the Console port to 19 200 bps SW7750 ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 SW7750 ui aux0 screen length 30 Set...

Page 46: ...ent you need to perform the following configuration as well Perform AAA RADIUS configuration on the switch Refer to AAA Configuration on page 518 and RADIUS Configuration on page 525 for more Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Specify the AAA scheme to be applied to the domain scheme local none radius scheme radius scheme name ...

Page 47: ... does not perform flow control Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a Console port is 1 Set the data bits databits 7 8 Optional The default data bits of a Console port is 8 Configure the command level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user ...

Page 48: ...mand buffer can store up to 10 commands by default Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable t...

Page 49: ...ser view SW7750 local user guest Set the authentication password to 1234567890 in plain text SW7750 luser guest password simple 1234567890 Set the service type of the local user to Terminal with the available command level being 2 SW7750 luser guest service type terminal level 2 SW7750 luser guest quit Enter AUX user interface view SW7750 user interface aux 0 Configure to authenticate users loggin...

Page 50: ...50 CHAPTER 3 LOGGING IN THROUGH THE CONSOLE PORT SW7750 ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes SW7750 ui aux0 idle timeout 6 ...

Page 51: ...n Configuration Description VTY user interface configuration Configure the command level available to users logging into the VTY user interface Optional By default commands of level 0 are available to users logging into a VTY user interface Configure the protocols the user interface supports Optional By default Telnet and SSH protocol are supported VTY terminal configuration Make terminal services...

Page 52: ...or RADIUS authentication Optional Local authentication is performed by default Refer to Configuring RADIUS Authentication Authorization Servers on page 525 for more Configure user name and password Configure user names and passwords for local RADIUS users Required The user name and password of a local user are configured on the switch The user name and password of a remote user are configured on t...

Page 53: ...es are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size value Optional The default history command buffer size is 10 T...

Page 54: ... for Telnet configuration with the authentication mode being none Configuration procedure Enter system view SW7750 system view Enter VTY 0 user interface view SW7750 user interface vty 0 Configure not to authenticate Telnet users logging into VTY 0 SW7750 ui vty0 authentication mode none Table 24 Determine the command level when users logging into switches are not authenticated Scenario Command le...

Page 55: ...ation mode being password Operation Command Description Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure to authenticate users logging into VTY user interfaces using the local password authentication mode password Required Set the local password set authentication password cipher simple password Required Configure the co...

Page 56: ...formation in pages Set the history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time of the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the conn...

Page 57: ...gure to authenticate users logging into VTY 0 using the local password SW7750 ui vty0 authentication mode password Set the local password to 123456 in plain text SW7750 ui vty0 set authentication password simple 123456 Specify commands of level 2 are available to users logging into VTY 0 SW7750 ui vty0 user privilege level 2 Configure Telnet protocol is supported SW7750 ui vty0 protocol inbound te...

Page 58: ...d accordingly on the AAA server Refer to the user manual of AAA server Configure the AAA scheme to be applied to the domain scheme local none radius scheme radius scheme name local hwtacacs scheme hwtacacs scheme name local Quit to system view quit Create a local user and enter local user view local user user name Required No local user exists by default Set the authentication password for the loc...

Page 59: ... screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the ...

Page 60: ...e authenticated in the RSA mode of SSH The user privilege level level command is not executed and the service type command does not specify the available command level Level 0 The user privilege level level command is not executed and the service type command specifies the available command level The user privilege level level command is executed and the service type command does not specify the a...

Page 61: ...mand buffer can store up to 20 commands The timeout time of VTY 0 is 6 minutes Network diagram Figure 10 Network diagram for Telnet configuration with the authentication mode being scheme Configuration procedure Enter system view SW7750 system view Create a local user named guest and enter local user view SW7750 local user guest Set the authentication password of the local user to 1234567890 in pl...

Page 62: ...ou log in through the Console port Connect the serial port of your PC terminal to the Console port of the switch as shown in Figure 11 Figure 11 Diagram for establishing connection to a Console port Launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 9X on the PC with the baud rate set to 9 600 bps data bits set to 8 parity check set to none and flow con...

Page 63: ... parameter as shown in Figure 13 Figure 13 Launch Telnet 5 Enter the password when the Telnet window displays Login authentication and prompts for login password The CLI prompt such as SW7750 appears if the password is correct If all VTY user interfaces of the switch are in use you will fail to establish the connection and receive the message that says All user interfaces are used please try later...

Page 64: ...rm Telnet related configuration on the switch operating as the Telnet server Refer to Telnet Configuration with Authentication Mode Being None on page 52 Telnet Configuration with Authentication Mode Being Password on page 55 and Telnet Configuration with Authentication Mode Being Scheme on page 58 for more 2 Telnet to the switch operating as the Telnet client 3 Execute the following command on th...

Page 65: ... switch side is available Configuration on the Switch Side Modem Configuration Perform the following configuration on the modem directly connected to the switch AT F Restore the factory settings ATS0 1 Configure to answer automatically af ter the first ring AT D Ignore DTR signal AT K0 Disable flow control AT R1 Ignore RTS signal AT S0 Set DSR to high level by force ATEQ1 W Disable the modem from ...

Page 66: ...ation mode configuration Configuration on switch when the authentication mode is none Refer to Console Port Login Configuration with Authentication Mode Being None on page 39 Configuration on switch when the authentication mode is password Refer to Console Port Login Configuration with Authentication Mode Being Password on page 42 Configuration on switch when the authentication mode is scheme Refe...

Page 67: ...UX port also the Console port be set to a value lower than the transmission speed of the modem Otherwise packets may get lost 3 Connect your PC the modems and the switch as shown in the following figure Figure 15 Establish the connection by using modems 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure...

Page 68: ...ated modules in the command manual for detailed configuration commands n If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to Command Level Command View on page 19 for information about command level Modem Attributes Configuration You can configure the Modem related parameters Configuration Prerequisites You have configured th...

Page 69: ...on procedures of the Modem attribute Operation Command Description Enter system view system view Enter AUX user interface view user interface aux 0 Enable Modem call in call in and call out modem call in both Required Call in and call out are allowed when the command is executed without any keyword Set the answer mode to auto answer modem auto answer Optional By default manual answer mode is adopt...

Page 70: ...70 CHAPTER 5 LOGGING IN USING MODEM ...

Page 71: ... in Create a Web user account setting both the user name and the password to admin and the user level to 3 SW7750 system view SW7750 local user admin SW7750 luser admin service type telnet level 3 SW7750 luser admin password simple admin 3 Establish an HTTP connection between your PC and the switch as shown in Figure 18 Table 31 Requirements for logging into a switch through the Web based network ...

Page 72: ...r is configured with the header command when a user logs in through Web the banner page is displayed before the user login authentication page The contents of the banner page are the login banner information configured with the header command Then by clicking Continue on the banner page the user can enter the user login authentication page and enter the main page of the Web based network managemen...

Page 73: ...s of the switch in the address bar of the browser running on the user terminal and press Enter the browser will display the banner page as shown in Figure 21 Figure 21 Banner page displayed when a user logs in to the switch through Web Click Continue to enter user login authentication page You will enter the main page of the Web based network management system if the authentication succeeds Enabli...

Page 74: ... HTTP service is enabled disabled after the corresponding configuration Enabling the Web server by using the undo ip http shutdown command opens TCP 80 port Disabling the Web server by using the ip http shutdown command closes TCP 80 port Disable the Web server undo ip http shutdown Required Table 33 Enable Disable the WEB Server Operation Command Description ...

Page 75: ...guration on both the NMS and the switch Connection Establishment Using NMS Figure 22 Network diagram for logging in through an NMS Table 34 Requirements for logging into a switch through an NMS Item Requirement Switch The IP address of the VLAN interface of the switch is configured The route between the NMS and the VLAN interface IP address is available Refer to Configuring an IP Address for a VLA...

Page 76: ...76 CHAPTER 7 LOGGING IN THROUGH NMS ...

Page 77: ...rolling Telnet Users by Source IP Addresses on page 77 By source and destination IP address Through advanced ACL Controlling Telnet Users by Source and Destination IP Addresses on page 78 SNMP By source IP addresses Through basic ACL Controlling Network Management Users by Source IP Addresses on page 79 WEB By source IP addresses Through basic ACL Controlling Web Users by Source IP Address on page...

Page 78: ...ption Enter system view system view Create an advanced ACL or enter advanced ACL view acl number acl number name acl name advanced match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id permit deny protocol source source addr wildcard any destination dest addr dest mask any source port operator port1 port2 destination ...

Page 79: ...ystem view Create a basic ACL or enter basic ACL view acl number acl number name acl name basic match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id permit deny source source addr wildcard any fragment time range time name Required Quit to system view quit Apply the ACL while configuring the SNMP community name snmp ...

Page 80: ...xample Network requirements Only SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 are permitted to access the switch Network diagram Figure 23 Network diagram for controlling SNMP users using ACLs Configuration procedure Define a basic ACL SW7750 system view SW7750 acl number 2000 match order config SW7750 acl basic 2000 rule 1 permit source 10.110.100.52 0 SW7750 acl ba...

Page 81: ...d commands Configuration Example Network requirements Only the Web users sourced from the IP address of 10.110.100.52 are permitted to access the switch Table 39 Control Web users by source IP addresses Operation Command Description Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword...

Page 82: ...e a basic ACL SW7750 system view SW7750 acl number 2030 SW7750 acl basic 2030 rule 1 permit source 10.110.100.52 0 SW7750 acl basic 2030 quit Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch SW7750 ip http acl 2030 Switch 10.110.100.46 Host A IP network Host B 10.110.100.52 ...

Page 83: ...d into sections by command view The commands that are of the same command view are grouped into one section Sections are separated by empty lines or comment lines A line is a comment line if it starts with the character The sections are listed in this order system configuration section logical interface configuration section physical port configuration section routing protocol configuration sectio...

Page 84: ...d the system saves the configuration files in the safely saving mode In this mode the configuration files are saved slowly However the original configuration files will be saved in the Flash if the device is restarted or the power is off when the configuration files are being saved Remove a specific configuration file from the Flash reset saved configuration Optional You can execute the reset save...

Page 85: ... the configuration before restarting a device so that the current configuration remains after the device is restarted If you use the save command to save the current configuration file without specifying any option the configuration file is saved as the name of the configuration file used in this start If the device is started using the default configuration file this time the current configuratio...

Page 86: ...86 CHAPTER 9 CONFIGURATION FILE MANAGEMENT ...

Page 87: ...pt the inbound port of the packet In this case a host in the network receives a lot of packets whose destination is not the host itself Thus plenty of bandwidth resources are wasted causing potential serious security problems The traditional way to isolate broadcast domains is to use routers However routers are expensive and provide few ports so they cannot subnet the network particularly The virt...

Page 88: ... hosts When the physical position of a host changes within the range of the VLAN you need not change its network configuration VLAN Principles VLAN tags in the packets are necessary for the switch to identify packets of different VLANs The switch works at Layer 2 Layer 3 switches are not discussed in this chapter and it can identify the data link layer encapsulation of the packet only so you can a...

Page 89: ...When the switch receives an un VLAN tagged packet it will encapsulate a VLAN tag with the default VLAN ID of the inbound port for the packet and the packet will be assigned to the default VLAN of the inbound port for transmission Port Based VLAN Port based VLAN technology introduces the simplest way to classify VLANs You can isolate the hosts and divide them into different virtual workgroups throu...

Page 90: ... with a default VLAN the port receives and sends packets in a way related to its link type For detailed description refer to Table 42 Table 43 and Table 44 Table 42 Packet processing of an Access port Processing of an incoming packet Processing of an outgoing packet If the packet does not carry a VLAN tag If the packet carries a VLAN tag Receive the packet and add the default VLAN tag to the packe...

Page 91: ...hernet data for you to understand well the procedure for the switch to identify the packet protocols Ethernet II and 802 2 802 3 encapsulation In the link layer there are two main packet encapsulation types Ethernet II and 802 2 802 3 whose encapsulation formats are described in the following figures Ethernet II packet Figure 28 Ethernet II encapsulation format 802 2 802 3 standard packet Figure 2...

Page 92: ...ocol supports 802 3 raw encapsulation format currently This format is identified by the two bytes whose value is 0xFFFF after the length field 802 2 logical link control LLC encapsulation the length field the destination service access point DSAP field the source service access point SSAP field and the control field are encapsulated after the source and destination address field Figure 31 802 2 LL...

Page 93: ...ation Control field Invalid packets that cannot be matched dsap ssap value 802 2 SNAP encapsulation Match the dsap ssap value 802 2 LLC encapsulation Match the type value 802 3 raw encapsulation 0x05DD to 0x05FF 0x0600 to 0xFFFF 0 to 0x05DC Value is not 3 Value is 3 Both are AA Both are FF Other values Receive packets Type Length field Ethernet II encapsulation Match the type value Invalid packets ...

Page 94: ...teria The user defined template adopts the user defined encapsulation formats and values of some specific fields as the matching criteria After configuring the protocol template you must add a port to the protocol based VLAN and associate this port with the protocol template This port will add VLAN tags to the packets based on protocol types The port in the protocol based VLAN must be connected to...

Page 95: ...the system can suppress broadcast storm avoid network congestion and ensure normal network operation Table 46 Basic VLAN configuration Operation Command Description Enter system view system view Create a VLAN and enter VLAN view vlan vlan id Required The vlan id argument ranges from 1 to 4 094 Assign a name for the current VLAN name string Optional By default the name of a VLAN is its VLAN ID Spec...

Page 96: ...he VLAN interface are down the VLAN interface is down disabled if one or more ports of the VLAN interface are up the VLAN interface is up enabled Enter VLAN view vlan vlan id Set VLAN broadcast storm suppression broadcast suppression rati o pps pps Required Table 49 Broadcast storm suppression modes and module types VLAN broadcast storm suppression mode Type A cards Other cards VLAN pps suppressio...

Page 97: ...51 Display VLAN configuration Operation Command Description Display the VLAN interface information display interface Vlan interface vlan id You can execute the display command in any view Display the VLAN information display vlan vlan id to vlan id all static dynamic To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Required If the specified VLAN does not exi...

Page 98: ...a you need to use the Access port as a medium For example the Trunk port has to be configured as an Access port first and then a Hybrid port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the port link type as Hybrid port link type hybrid Required Configure the default VLAN of the Hybrid port port hybrid pvid...

Page 99: ... 0 2 to VLAN 2 and add Ethernet2 0 3 and Ethernet2 0 4 to VLAN 3 Network diagram Figure 34 Network diagram for VLAN configuration Configuration procedure Create VLAN 2 and enter its view SW7750 system view SW7750 vlan 2 Specify the description string of VLAN 2 as home SW7750 vlan2 description home Add Ethernet2 0 1 and Ethernet2 0 2 ports to VLAN 2 SW7750 vlan2 port Ethernet2 0 1 Ethernet2 0 2 Cre...

Page 100: ...igure both ipx raw standard template and LLC user defined template whose dsap and ssap are both ff in the same VLAN It is not allowed to configure both ipx ethernetii standard template and EthernetII user defined template whose etype is 8137 in the same VLAN It is not allowed to configure both ipx snap standard template and SNAP user defined template whose etype is 8137 in the same VLAN When the v...

Page 101: ...not be removed If a protocol of a VLAN has been distributed to a port the VLAN cannot be removed from the port If a protocol of a VLAN has been distributed to a port the protocol cannot be removed from the VLAN For a given type of packets if the protocol VLAN bound to a port is different from the protocol VLAN applied on the module that provides the port the board associated protocol VLAN configur...

Page 102: ...ration Table 55 Protocol based VLAN creation on different cards Description Type A card Non Type A card Create protocol based VLAN on specific module in system view Not supported Supported only for all IP protocols and subnet IP protocols Create protocol based VLAN on specific port in Ethernet port view Supported Supported exclude all IP protocols and subnet IP protocols AppleTalk protocol and the...

Page 103: ...rt to be a hybrid port SW7750 Ethernet2 0 5 port link type hybrid Add the port to VLAN 5 and add VLAN 5 to the untagged VLAN list of the port SW7750 Ethernet2 0 5 port hybrid vlan 5 untagged Associate the port with protocol index 1 SW7750 Ethernet2 0 5 port hybrid protocol vlan vlan 5 1 User defined template based protocol VLAN configuration example 1 Network requirement Create VLAN 7 and configur...

Page 104: ...750 vlan7 protocol vlan 2 mode snap etype abcd Enter port view of the Ethernet2 0 7 SW7750 vlan7 interface Ethernet 2 0 7 Configure Ethernet2 0 7 as a hybrid port SW7750 Ethernet2 0 7 port link type hybrid Add the port to VLAN 7 and add VLAN 7 to the list of untagged VLANs permitted to pass through the port SW7750 Ethernet2 0 7 port hybrid vlan 7 untagged Associate the port with the two indexes of...

Page 105: ... bits of a MAC address The following table shows the five default OUI addresses of a switch You can create multiple voice VLANs and bind each voice VLAN to a port In this way the voice traffic received by a port can be transmitted in the voice VLAN bound to the port This feature allows you to manage voice traffic flexibly A voice VLAN can operate in two modes automatic mode and manual mode You can...

Page 106: ...r it As multiple types of IP voice devices exist you need to match port mode with types of voice stream sent by IP voice devices as listed in Table 58 Table 58 Matching relationship between port modes and voice stream types Port voice VLAN mode Voice stream type Port type Supported or not Automatic mode Tagged voice stream Access Not supported Trunk Supported Make sure the default VLAN of the port...

Page 107: ...oice VLAN And the access port permits the packets of the default VLAN Hybrid Supported Make sure the default VLAN of the port exists and is in the list of the tagged VLANs whose packets are permitted by the access port Untagged voice stream Access Supported Make sure the default VLAN of the port is a voice VLAN Trunk Supported Make sure the default VLAN of the port is a voice VLAN and the port per...

Page 108: ...AN to the port as a voice VLAN voice vlan vlan id Required By default no voice VLAN is bound to a port Enable the voice VLAN legacy function on the port voice vlan legacy Optional By default voice VLAN legacy is disabled Set the voice VLAN operation mode to automatic mode voice vlan mode auto Optional The default voice VLAN operation mode is automatic mode Quit to system view quit Set an OUI addre...

Page 109: ... Add the port to the VLAN port interface list Trunk or Hybrid port Enter port view interface interface type interface number Add the port to the voice VLAN port trunk permit vlan vlan id port hybrid vlan vlan id tagged untagged Configure the voice VLAN to be the default VLAN of the port port trunk pvid vlan vlan id port hybrid pvid vlan vlan id Optional Refer to Table 58 to determine whether or no...

Page 110: ...feature realizes the communication between 3Com s devices and other vendor s voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors voice devices The voice vlan legacy command can be executed before voice VLAN is enabled globally and on a port but it takes effect only after voice VLAN is enabled globally and on the port Displaying and Maintaining Voice...

Page 111: ...Bind VLAN 2 to Ethernet 2 0 3 as a voice VLAN Configure the OUI address to be 0011-2200-0000 with the description string being test Configuration procedure Create VLAN 3 SW7750 system view SW7750 vlan 3 SW7750 vlan3 quit Configure Ethernet2 0 3 port to be a Trunk port specify VLAN 3 as its default VLAN and permit packets of VLAN 3 to pass through the port SW7750 interface Ethernet2 0 3 SW7750 Ethe...

Page 112: ...n aging time 1440 minutes Current voice vlan enabled port mode PORT MODE STATUS Voice Vlan ID Ethernet2 0 3 MANUAL ENABLE 3 Remove Ethernet2 0 3 port from the voice VLAN SW7750 interface Ethernet2 0 3 SW7750 Ethernet2 0 3 undo port trunk permit vlan 3 ...

Page 113: ... without VLAN tags Therefore the switch can reset the local VLAN structure to save VLAN resource without considering the VLAN configuration in the lower layer Isolate User VLAN Packets Forwarding Process Figure 35 is the diagram for isolate user VLAN application the following content describes the isolate user VLAN packets forwarding process based on this figure Configure Switch B Configure port E...

Page 114: ...Ethernet2 0 1 of Switch B the packets are automatically added with default VLAN ID that is the tag of VLAN 5 2 According to the MAC address forwarding table copied in the outbound process the system will find the egress port being Ethernet2 0 4 3 Because Ethernet2 0 4 belongs to VLAN 5 packets can pass through it normally and at the same time Ethernet2 0 4 removes the VLAN tag of the packets So th...

Page 115: ... VLAN and the secondary VLAN must be hybrid ports and all ports must perform untag operation on all VLAN packets Configure the mapping between the isolate user VLAN and the secondary VLAN Required Configuring Mapping between isolate user VLAN and Secondary VLAN on page 116 Table 62 isolate user VLAN configuration tasks Operation Description Related section Table 63 Configure an isolate user VLAN O...

Page 116: ...the VLAN configurations of the lower layer switches VLAN 5 on Switch B is an isolate user VLAN which includes the uplink port Ethernet2 0 1 and two secondary VLANs VLAN 2 and VLAN 3 VLAN 3 includes port Ethernet2 0 2 and VLAN 2 includes port Ethernet2 0 5 VLAN 6 on Switch C is an isolate user VLAN which includes the uplink port Ethernet2 0 1 and two secondary VLANs VLAN 3 and VLAN 4 VLAN 3 include...

Page 117: ...oid broadcast SwitchB vlan2 quit SwitchB interface Ethernet 2 0 2 SwitchB Ethernet2 0 2 port link type hybrid SwitchB Ethernet2 0 2 port hybrid vlan 3 untagged SwitchB Ethernet2 0 2 port hybrid vlan 5 untagged SwitchB Ethernet2 0 2 port hybrid pvid vlan 3 SwitchB Ethernet2 0 2 undo port hybrid vlan 1 Add port Ethernet2 0 5 to the isolate user VLAN and the secondary VLAN and configure the port to u...

Page 118: ...e secondary VLAN SwitchC vlan6 quit SwitchC vlan 3 SwitchC vlan3 vlan 4 Add port Ethernet2 0 3 to the isolate user VLAN and the secondary VLAN and configure the port to untag the VLAN packets Remove the port from VLAN 1 SwitchC vlan4 quit SwitchC interface Ethernet 2 0 3 SwitchC Ethernet2 0 3 port link type hybrid SwitchC Ethernet2 0 3 port hybrid vlan 3 untagged SwitchC Ethernet2 0 3 port hybrid ...

Page 119: ...solate user VLAN to secondary VLAN mapping SwitchC Ethernet2 0 1 quit SwitchC isolate user vlan 6 secondary 3 to 4 After the above configurations Switch A can receive packets from Switch B and Switch C and they are all packets without VLAN tag Each VLAN 3 configured on Switch B and Switch C cannot communicate with each other because the packets from them are stripped off the original VLAN tags bef...

Page 120: ...120 CHAPTER 13 ISOLATE USER VLAN CONFIGURATION ...

Page 121: ...roxy function is used ARP proxy enables Layer 3 connectivity between Layer 2 isolated ports by performing ARP request and forwarding and handling response packets Super VLAN Configuration Super VLAN Configuration Tasks Configuring a Super VLAN You can configure multiple super VLANs for a switch You can use the following commands to specify a VLAN as a super VLAN After a VLAN is configured as a sup...

Page 122: ...a Sub VLAN You can use the following commands to establish the mapping between a super VLAN and a sub VLAN c CAUTION The sub VLAN must exist before you create mapping between the sub VLAN and the super VLAN When you establish mapping between the super VLAN and the sub VLAN if a VLAN interface is configured for the sub VLAN the system will prompt you to delete the interface to establish the mapping...

Page 123: ... the outside network Configuration Procedure n A super VLAN interface can only correspond to one DHCP server group The last configuration will take effect if you execute the dhcp server groupNo command The group number specified in the dhcp server groupNo command needs to be configured first in the dhcp server ip command Refer to Configuring an Interface to Operate in DHCP Relay Agent Mode on page...

Page 124: ... it SW7750 system view SW7750 vlan 10 SW7750 vlan10 supervlan Create VLAN2 VLAN3 and VLAN5 and add corresponding ports to them SW7750 vlan10 quit SW7750 vlan 2 SW7750 vlan2 port Ethernet 2 0 1 Ethernet 2 0 2 SW7750 vlan2 quit SW7750 vlan 3 SW7750 vlan3 port Ethernet 2 0 3 Ethernet 2 0 4 SW7750 vlan3 quit SW7750 vlan 5 SW7750 vlan5 port Ethernet 2 0 5 Ethernet 2 0 6 Configure the mapping between th...

Page 125: ...figure it as a super VLAN SW7750 system view SW7750 vlan 6 SW7750 vlan6 supervlan Create VLAN 2 and VLAN 3 and establish the mapping between them and VLAN 6 SW7750 vlan6 quit SW7750 vlan 2 SW7750 vlan2 quit SW7750 vlan 3 SW7750 vlan3 quit SW7750 vlan 6 SW7750 vlan6 subvlan 2 3 Create the VLAN interface of VLAN 6 and configure an IP address for it SW7750 vlan6 quit SW7750 interface Vlan interface 6...

Page 126: ...126 CHAPTER 14 SUPER VLAN ...

Page 127: ...ted decimal notation Each IP address contains four decimal integers with each integer corresponding to one byte for example 10.110.50.101 Some IP addresses are reserved for special use The IP address ranges that can be used by users are listed in Table 73 [figure: IP address formats by class, bit positions 0 to 31, leading class bits and net id fields] Multica...

Page 128: ... by hosts when they are booted but is not used afterward An IP address with all 0s network ID represents a specific host on the local network and can be used as a source address but cannot be used as a destination address All the IP addresses in the format of 127 X Y Z are reserved for loopback test and the packets sent to these addresses will not be output to lines instead they are processed inte...

Page 129: ...[figure: subnetting the Class B network 138.38.0.0 (binary 10001010 00100110 000 00000 00000000) with the subnet mask 255.255.224.0 (binary 11111111 11111111 111 00000 00000000) in place of the standard mask 255.255.0.0 (binary 11111111 11111111 000 00000 00000000); the three subnet number bits give subnet addresses such as 000 138.38.0.0, 101 138.38.160.0, 110 138.38.192.0 and 111 138.38.224.0]...

Page 130: ... You can perform troubleshooting as follows Check the configuration of the switch and then use the display arp command to check whether the host has an corresponding ARP entry in the ARP table maintained by the Switch Check the VLAN that includes the switch port connecting the host Check whether the VLAN has been configured with the VLAN interface Then check whether the IP addresses of the VLAN in...

Page 131: ...t Introduction to FIB Every switch stores a forwarding information base FIB FIB is used to store the forwarding information of the switch and guide Layer 3 packet forwarding You can know the forwarding information of the switch through the FIB table Each FIB entry includes destination address mask length next hop current flag timestamp and outbound interface When the switch is running normally the...

Page 132: ...he subnet If a directed broadcast packet reaches the destination network after being forwarded by the switch the switch will receive the broadcast packet for the switch also belongs to the subnet Since the VLAN of the switch isolates the broadcast domain the switch will stop forwarding the packet to the network Using the commands you can choose to forward the directed broadcast packet to the direc...

Page 133: ...ing table becomes very large If a host sends malicious ICMP destination unreachable packets end users may be affected To solve such problems you can disable a device from sending ICMP error packets Currently you can only disable the sending of ICMP redirect messages Displaying and Debugging IP Performance After the above configurations you can execute the display command in any view to display the...

Page 134: ...n port 4296 Use the debugging tcp packet command to enable the TCP debugging to trace TCP packets Switch terminal debugging Switch debugging tcp packet Table 81 Display IP performance Operation Command Description Display TCP connection status display tcp status You can execute the display command in any view Display TCP connection statistics display tcp statistics Display UDP traffic statistics d...

Page 135: ...t will be displayed in the following format in real time TCP output packet Source IP address 202.38.160.1 Source port 1024 Destination IP Address 202.38.160.1 Destination port 4296 Sequence number 4185089 Ack number 0 Flag SYN Packet length 60 Data offset 10 ...

Page 136: ...136 CHAPTER 16 IP PERFORMANCE CONFIGURATION ...

Page 137: ...d 0 0cb 47 0000 00cb 0047 is the node address You can also write an IPX address in the form of N H H H where N is the network number and H H H is the node address Routing Information Protocol IPX uses the routing information protocol RIP to maintain and advertise dynamic routing information With IPX enabled the switch exchanges routing information with other neighbors through RIP to maintain an in...

Page 138: ...Routing Configuring IPX static routes Table 83 Configure IPX Configuration task Description Detailed configuration Basic IPX configuration Required Basic IPX Configuration on page 138 IPX routing configuration Required Configuring IPX Routing on page 138 IPX RIP configuration Required Configuring IPX RIP on page 139 IPX SAP configuration Required Configuring IPX SAP on page 141 IPX forwarding rela...

Page 139: ...as needed Enable IPX ipx enable Required IPX is disabled by default Enter VLAN interface view interface Vlan interface vlan id Configure an IPX network number for the VLAN interface ipx network network Required By default the system does not assign network numbers to VLAN interface That is IPX is disabled on all the VLAN interfaces Exit VLAN interface view quit Configure IPX static routes ipx rout...

Page 140: ...cks 1 tick 1 18 seconds indicate the delay that a VLAN interface experiences Table 87 Configure IPX RIP Operation Command Description Enter system view system view Enable IPX ipx enable Required IPX is disabled by default Configure the update interval of IPX RIP ipx rip timer update seconds Optional By default the update interval of IPX RIP is 60 seconds Configure the aging period of IPX RIP ipx r...

Page 141: ...n where the switches mistake an operating server for a failed one The aging period of IPX SAP is a multiple of the IPX RIP update interval You can set multiple update intervals as an aging period Table 88 Configure IPX SAP Operation Command Description Enter system view system view Enable IPX ipx enable Required IPX is disabled by default Enter VLAN interface view interface Vlan interface vlan id ...

Page 142: ... VLAN interface Configure the aging period of IPX SAP ipx sap multiplier multiplier Optional By default an IPX SAP service entry is deleted if it is not updated after three update intervals Enter VLAN interface view interface Vlan interface vlan id Configure an IPX network number for the VLAN interface ipx network network Required By default the system does not assign network numbers to VLAN inter...

Page 143: ... the information of the server picked out by round robin polling ipx sap gns load balance Optional By default the switch responds to SAP GNS requests with the information of a server that is picked out in turn from all the known servers This prevents a server from getting overloaded Respond to GNS requests with the information of the nearest server undo ipx sap gns load balance Optional By default...

Page 144: ...rence preference Optional By default no static service entry is found in the service information table Configure the maximum length of the service information reserve queue for one service type ipx sap max reserve servers length Optional By default the maximum length of the service information reserve queue for one service type is 2 048 Table 91 Configure IPX service information Operation Command ...

Page 145: ...h the IPX network The node address of the server is 0000-0c91-f61f Enable the forwarding of type 20 broadcast packets ipx netbios propagation Optional By default type 20 broadcast packets are not forwarded Table 92 Configure IPX forwarding Operation Command Description Table 93 Display and debug IPX Operation Command Description Display the information of IPX on the VLAN interface display ipx inte...

Page 146: ...ce 2 Switch Vlan interface2 ipx encapsulation ethernet 2 Switch Vlan interface2 quit Assign the network number 1000 to VLAN interface 1 to enable IPX on the VLAN interface Switch interface Vlan interface 1 Switch Vlan interface1 ipx network 1000 Configure a static route with the destination network number 3 Switch Vlan interface1 quit Switch ipx route static 3 1000 000f e20f 0001 tick 7 hop 2 2 Co...

Page 147: ...f 451 hop 2 Configure a service information entry indicating that the server can provide the printing service Switch ipx service 7 printserver 2 0000-0c91-f61f 5 hop 2 Troubleshooting IPX Troubleshooting IPX forwarding Symptom 1 A destination address cannot be pinged Solutions Check whether the destination address is correct Use the display ipx interface command to check whether the network number...

Page 148: ...tempt the packet is dropped Troubleshooting IPX RIP Symptom 1 The switch cannot learn routes from the peer device Solutions Use the debugging ipx rip packet verbose command to enable debugging for IPX RIP Check whether there is a RIP packet with routing information from the peer device to make sure that the underlying connection is available between the two devices If there is a RIP packet with ro...

Page 149: ...erface command Check whether the hop count of the route to the server is smaller than 16 with the display ipx routing table command Check whether adequate memory is available for adding the service entry into the service information table You can try to add it as a static service entry Symptom 3 No new dynamic service entry is found in the service information table Solutions Check whether the rele...

Page 150: ...Use the display current configuration command to check whether the triggered updates feature is configured on the VLAN interface Periodical update is disabled when the triggered updates feature applies Check whether all service information is learnt from the VLAN interface Then check whether split horizon is enabled on the VLAN interface Symptom 6 SAP does not respond to GNS requests Solutions Use...

Page 151: ...rent switch with the display ipx routing table verbose command Solutions Use the display current configuration command to view the maximum number of dynamic routes for each destination network number The corresponding command is ipx route max reserve path The default value is 4 Use the display ipx routing table verbose command to check whether the number of the existing dynamic routes to the desti...

Page 152: ...152 CHAPTER 17 IPX CONFIGURATION ...

Page 153: ...o the received declarations withdrawal declarations GARP members exchange information through sending messages There mainly are 3 types of GARP messages including Join Leave and LeaveAll When a GARP participant wants to register its attribute information on other switches it will send Join message outward When it wants to remove some attribute values from other switches it will send Leave message ...

Page 154: ...LeaveALL message after the timer times out so that other GARP participants can re register all the attribute information on this participant After that the participant restarts the LeaveAll timer to begin a new cycle GVRP port registration mode GVRP has the following three port registration modes Normal Fixed and Forbidden Normal In this mode a port can dynamically register deregister a VLAN and p...

Page 155: ...ibute List It contains multiple attributes Attribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts Attribute Length and LeaveAll Event Attribute Length The length of the attribute 2 to 255 Attribute Event The event described by the attribute 0 LeaveAll Event 1 JoinEmpty 2 JoinIn 3 LeaveEmpty 4 Leave...

Page 156: ...lue Table 95 GVRP Configuration procedure Operation Command Description Enter system view system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type interface number Configure the Hold Join and Leave timers garp timer hold join leave timer value Optional By default th...

Page 157: ...changing the timeout time of the Hold timer This upper threshold is less than one half of the timeout time of the Leave timer You can change the threshold by changing the timeout time of the Leave timer Leave This lower threshold is greater than twice the timeout time of the Join timer You can change the threshold by changing the timeout time of the Join timer This upper threshold is less than the...

Page 158: ...all the VLANs SW7750 interface Ethernet2 0 1 SW7750 Ethernet2 0 1 port link type trunk SW7750 Ethernet2 0 1 port trunk permit vlan all Enable GVRP on the trunk port SW7750 Ethernet2 0 1 gvrp GVRP is enabled on port Ethernet2 0 1 Configure switch B Enable GVRP globally SW7750 system view SW7750 gvrp GVRP is enabled globally Configure port Ethernet2 0 2 to be a trunk port and to permit the packets o...

Page 159: ...illustrates the structure of a packet with single VLAN tag Figure 43 Structure of the packets with single VLAN tag Figure 44 illustrates the structure of a packet with nested VLAN tags Figure 44 Structure of packets with nested VLAN tags Compared with MPLS based Layer 2 VPN QinQ has the following features It enables Layer 2 VPN tunnels that are simpler QinQ can be implemented through manual config...

Page 160: ...structure of tagged packets of Ethernet frames The user priority field is the 802 1p priority of the tag This 3 bit field is in the range of 0 to 7 Through configuring inner to outer tag priority mapping for a QinQ enabled port you can assign different priority for the outer tag of a packet according to its inner tag priority Refer to Setting Port Priority on page 666 for the detailed configuratio...

Page 161: ...equirements Switch A Switch B and Switch C are Switch 7750s Two networks are connected to the Ethernet2 0 1 ports of Switch A and Switch C Switch B only permits the packets of VLAN 10 It is required that packets of the VLANs other than VLAN 10 be exchanged between the networks connected to Switch A and Switch C Enter Ethernet port view interface interface type interface number Enable QinQ for the ...

Page 162: ...hernet2 0 1 port access vlan 10 SwitchA Ethernet2 0 1 stp disable SwitchA Ethernet2 0 1 undo ntdp enable SwitchA Ethernet2 0 1 vlan vpn enable SwitchA Ethernet2 0 1 quit 2 Configure Switch B Configure Ethernet2 0 1 port and Ethernet2 0 2 port as trunk ports Add the two ports to VLAN 10 SwitchB system view SwitchB vlan 10 SwitchB vlan10 quit SwitchB interface Ethernet 2 0 1 SwitchB Ethernet2 0 1 po...

Page 163: ...0 2 port of Switch B it is forwarded in VLAN 10 and is passed to Ethernet2 0 1 port The packet is forwarded from Ethernet2 0 1 port of Switch B to the network on the other side and reaches Ethernet2 0 2 port of Switch C Switch C forwards the packet in VLAN 10 to its Ethernet2 0 1 port As Ethernet2 0 1 port is an access port the outer VLAN tag of the packet is stripped off and the packet restores t...

Page 164: ...164 CHAPTER 19 QINQ CONFIGURATION ...

Page 165: ... VLAN tags according to the VLAN ID they carry This is achieved by using the corresponding commands n For Switch 7750 Ethernet switches the selective QinQ feature can also be achieved through using ACL and QoS together Refer to Configuring Traffic Based Selective QinQ on page 679 for related configurations Outer Tag Replacement Switch 7750s support the outer VLAN tag replacement function You can s...

Page 166: ...iew Enter Ethernet port view interface interface type interface number Enable QinQ for the port vlan vpn enable Required By default QinQ is disabled Configure the outer VLAN tag to be added to a packet and configure the upstream port for this packet vlan vpn vid vlan id uplink interface type interface number untagged Required Specify the inner VLAN tags by specifying VLAN IDs raw vlan id inbound v...

Page 167: ... Enter system view SwitchA system view Enter GigabitEthernet2 0 1 port view SwitchA interface GigabitEthernet 2 0 1 Configure this port to be a hybrid port And configure to keep the outer tags of packets of VLAN 10 and VLAN 100 and remove the outer tags of packets of other VLANs SwitchA GigabitEthernet2 0 1 port link type hybrid SwitchA GigabitEthernet2 0 1 port hybrid vlan 1 to 9 untagged SwitchA...

Page 168: ...of VLAN 100 to be inserted to packets and specify the upstream port of the tag to be GigabitEthernet2 0 1 which does not remove the outer VLAN tags of packets when transmitting these packets SwitchA GigabitEthernet2 0 1 vid 10 quit SwitchA GigabitEthernet2 0 1 vlan vpn vid 100 uplink GigabitEthernet 2 0 1 Specify the inner VLAN tags SwitchA GigabitEthernet2 0 1 vid 100 raw vlan id inbound 20 to 25...

Page 169: ... of VLAN 4 When a packet is received its source MAC address MAC A is learned into the MAC address table of the default VLAN VLAN 2 of the port When a response packet is returned to the device from VLAN 4 of the service provider network the device will search the outgoing port for MAC A in the MAC address table of VLAN 4 However because the corresponding entry is not learned into the MAC address ta...

Page 170: ...h shared VLAN enabled the packets of the current I O Module or Fabric are forwarded according to the MAC address table of the shared VLAN So you need to add the ports of all the packets to be forwarded to the shared VLAN The operation of adding ports to the shared VLAN is the same as the operation of adding ports to a common VLAN Refer to Configuring a Port Based VLAN on page 97 for details c CAUT...

Page 171: ...gure 49 Network diagram for Shared VLAN configuration Configuration Procedure Enable selective QinQ on Ethernet2 0 6 Refer to Selective QinQ Configuration Example on page 167 for the details Specify VLAN 100 as the shared VLAN on the module in slot 2 SW7750 system view SW7750 vlan 100 SW7750 vlan100 quit SW7750 shared vlan 100 slot 2 Add the ports of all the packets forwarded on the module in slot...

Page 172: ...172 CHAPTER 21 SHARED VLAN CONFIGURATION ...

Page 173: ...the Ethernet port description text Optional By default no description is defined for the port Set the duplex mode of the Ethernet port duplex auto full half Optional By default the duplex mode of the port is auto auto negotiation Set the speed of the Ethernet port speed 10 100 1000 10000 auto Optional By default the speed of the port is auto auto negotiation Set the medium dependent interface MDI ...

Page 174: ...t to full or auto 100 Mbps optical Ethernet port It works in full duplex mode and its duplex mode can be set to full or auto Gigabit optical Ethernet port It works in full duplex mode and its duplex mode can be set to full or auto 10 000 Mbps optical Ethernet port Its duplex mode can be set to full only Management port Its duplex mode cannot be set Table 107 Rate setting for an Ethernet port Port ...

Page 175: ...t multicast unknown unicast suppression on ports Configure the available auto negotiation speed s for the port speed auto 10 100 1000 Optional By default the port speed is determined through auto negotiation Use the 1000 keyword for Gigabit Ethernet ports only Table 108 Configure auto negotiation speeds for a port Operation Command Remarks Table 109 Configure broadcast multicast unknown unicast su...

Page 176: ...ysical state of its ports n The delays set with the above commands are weight values rather than exact time values The greater the delay weight the longer the delay You can set the delay of reporting down state either in system view or Ethernet port view If you perform this configuration in both system view and Ethernet port view the configuration performed in Ethernet port view is given priority ...

Page 177: ...he port is an edge port Port configuration includes link type of the port port rate and duplex mode n To copy the configuration of a source port to a member port of a link aggregation group you should configure the aggregation group rather than the member port itself as the destination port If the member port is configured as the destination port the switch will remove the port from the destinatio...

Page 178: ...uring the specified interval and displays the average rates in the interval For example if you set this interval to 100 seconds the displayed information is as follows Table 113 Set loopback detection for a port Operation Command Description Enter system view system view Set time interval for port loopback detection loopback detection interval time time Optional The default interval is 30 seconds ...

Page 179: ...ng the function you can choose to monitor certain Ethernet ports instead of monitoring all ports so as to reduce the quantity of log information output to the log server n After you allow a port to output the Up Down log information if the physical link status of the port does not change the switch does not send log information to the log server but monitors the port in real time Table 115 Set the...

Page 180: ...erface interface type interface number Allow the port to output the UP Down log information enable log updown Required By default a port is allowed to output the UP Down log information Table 118 Display basic port configuration Operation Command Description Display port configuration information display interface interface type interface type interface number You can execute the display commands ...

Page 181: ...et2 0 1 Set Ethernet2 0 1 as a trunk port SW7750 Ethernet2 0 1 port link type trunk Allow packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass Ethernet2 0 1 SW7750 Ethernet2 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of Ethernet2 0 1 to 100 SW7750 Ethernet2 0 1 port trunk pvid vlan 100 Troubleshooting Ethernet Port Configuration Symptom Fail to configure the de...

Page 182: ...182 CHAPTER 22 PORT BASIC CONFIGURATION ...

Page 183: ... QoS configuration including traffic limiting priority marking default 802 1p priority bandwidth assurance congestion avoidance traffic redirection traffic statistics and so on VLAN configuration including permitted VLANs and default VLAN ID Port attribute configuration including port rate duplex mode and link type Trunk Hybrid or Access The ports for a manual or static aggregation group must have...

Page 184: ...e member ports that can be set as selected ports in an aggregation group exceeds the maximum number supported by the device the system will choose the ports with lower port numbers as the selected ports and set others as standby ports Requirements on ports for manual aggregation Generally there is no limit on the rate and duplex mode of the ports you want to add to a manual aggregation group Howev...

Page 185: ...half duplex low speed The system sets the following ports to standby state ports that are not connected to the same peer device as the master port selected port with the minimum port number and ports that are connected to the same peer device as the master port but not in the same aggregation group as the master port The system sets the ports unable to aggregate with the master port due to some ha...

Page 186: ...IDs system priority system MAC address between the two parties First compare the two system priorities then the two system MAC addresses if the system priorities are equal The device with smaller device ID will be considered as the preferred one 2 Compare port IDs port priority port number on the preferred device The comparison between two port IDs is as follows First compare the two port prioriti...

Page 187: ...d descriptions Aggregation type Basic description Specific description Manual aggregation Support up to 384 aggregation groups including 64 load sharing aggregation groups For Type A modules an aggregation group supports up to 8 selected GE ports or 16 selected FE ports For non Type A modules an aggregation group supports up to 8 selected GE ports or 8 selected FE ports Static dynamic aggregation ...

Page 188: ...sources are as follows Table 120 Restriction of type A I O Modules on link aggregation I O Module type Cross chip aggregation Aggregation type I O Module specificatio n Maximum number of ports in an aggregation group Maximum number of selected ports in an aggregation group Type A I O Module Not supported Manual aggregation 3C16860 3C 16860 16 16 3C16861 LS8 1FS24A 3C1 6861 LS81FS 24 16 16 3C16858 ...

Page 189: ...resources c CAUTION A load sharing aggregation group contains up to two selected ports however a non load sharing aggregation group can only have one selected port at most and others are standby ports Link Aggregation Configuration c CAUTION The following ports cannot be added to an aggregation group destination ports to be mirrored to reflection ports to be remotely mirrored to ports configured w...

Page 190: ...rm one or more dynamic aggregation groups You can manually add remove a port to from a static aggregation group and a port can only be manually added removed to from a static aggregation group Add a group of ports to a new manual aggregation group link aggregation interface type interface number to interface type interface number both Optional Configure a description for the aggregation group link...

Page 191: ...t to participate in dynamic aggregation of the system because only when LACP is enabled on those ports at both ends can the two parties reach agreement in adding removing ports to from dynamic aggregation groups n Enabling LACP on a member port of a manual aggregation group will not take effect If an existing aggregation group contains no port the type of the aggregation group is set to the latest...

Page 192: ...even parameters are available on type A I O Modules including 3C16860 3C16860 3C16861 3C16861 LS81FS24A LS81FS24 3C16858 3C16858 3C16859 and 3C16859 None of the above seven parameters are available on non type A I O Modules Only type A I O Modules support l4port Displaying and Maintaining Link Aggregation Configuration After the above configuration execute the display command in any view to displa...

Page 193: ...to User View with Ctrl Z SW7750 link aggregation group 1 mode manual Add Ethernet 2 0 1 through Ethernet 2 0 3 to aggregation group 1 SW7750 interface ethernet2 0 1 SW7750 Ethernet2 0 1 port link aggregation group 1 SW7750 Ethernet2 0 1 interface ethernet2 0 2 SW7750 Ethernet2 0 2 port link aggregation group 1 SW7750 Ethernet2 0 2 interface ethernet2 0 3 SW7750 Ethernet2 0 3 port link aggregation ...

Page 194: ...t2 0 2 interface ethernet2 0 3 SW7750 Ethernet2 0 3 port link aggregation group 1 3 Adopt the dynamic LACP aggregation mode Enable LACP on Ethernet 2 0 1 through Ethernet 2 0 3 SW7750 interface ethernet2 0 1 SW7750 Ethernet2 0 1 lacp enable SW7750 Ethernet2 0 1 interface ethernet2 0 2 SW7750 Ethernet2 0 2 lacp enable SW7750 Ethernet2 0 2 interface ethernet2 0 3 SW7750 Ethernet2 0 3 lacp enable Not...

Page 195: ... the isolation group automatically When a port in an aggregation group leaves an isolation group the other ports in the aggregation group leave the isolation group automatically Configuring Port Isolation Table 127 lists the operations to add an Ethernet port to an isolation group to isolate Layer 2 data between ports in the isolation group Table 127 Configure port isolation Operation Command Desc...

Page 196: ...Configuration Example Network requirements PC2 PC3 and PC4 connect to the switch ports Ethernet2 0 2 Ethernet2 0 3 and Ethernet2 0 4 respectively It is desired that PC2 PC3 and PC4 are isolated from each other so that they cannot communicate with each other Network diagram Figure 52 Network diagram for port isolation configuration Configuration procedure Create isolation group 1 SW7750 system view...

Page 197: ...port isolate group1 port Ethernet2 0 2 to Ethernet2 0 4 Display information about the ports in the isolation group SW7750 port isolate group1 display isolate port Isolate group ID 1 Isolated port s in group 1 Ethernet2 0 2 Ethernet2 0 3 Ethernet2 0 4 ...

Page 198: ...198 CHAPTER 24 PORT ISOLATION CONFIGURATION ...

Page 199: ...kload and greatly enhances system security and manageability Port Security Features The following port security features are provided 1 NTK need to know feature By checking the destination MAC addresses in outbound data frames on a port NTK ensures that only successfully authenticated devices can obtain data frames from the port thus preventing illegal devices from intercepting network data 2 Intr...

Page 200: ...unt command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC addresses learned configured can pass through the port In the secure mode the device will trigger NTK and intrusion protection upon detecting an illegal packet secure In this mode the port is disabled from learning MAC addresses Only those packets whose source MAC a...

Page 201: ...ilar to the userlogin secure mode except that besides the packets of the single 802 1x authenticated user the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port When the port changes from the normal mode to this security mode the system automatically removes the existing dynamic authenticated MAC address entries on the port macAddress WithRadius In t...

Page 202: ...s allowed however cannot exceed the configured upper limit By setting the maximum number of MAC addresses allowed on a port you can Control the maximum number of users who are allowed to access the network through the port Control the number of Security MAC addresses that can be added with port security Table 130 Port security configuration tasks Task Remarks Enabling Port Security on page 202 Req...

Page 203: ... for port mirroring Link aggregation Table 132 Set the maximum number of MAC addresses allowed on a port Operation Command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the maximum number of MAC addresses allowed on the port port security max mac count count value Required Not limited by default Table 133 Set the port security mode Ope...

Page 204: ...ype interface number Configure the NTK feature port security ntk mode ntkonly ntk withbroadcasts ntk withmulticasts Required By default NTK is disabled on a port namely all frames are allowed to be sent Table 135 Configure the intrusion protection feature Operation Command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the corresponding...

Page 205: ...rn to secure n The security MAC addresses manually configured are written to the configuration file they will not get lost when the port is up or down As long as the configuration file is saved the security MAC addresses can be restored after the switch reboots Configuration prerequisites Port security is enabled The maximum number of security MAC addresses allowed on the port is set The security ...

Page 206: ... 1 After the number of security MAC addresses reaches 80 the port stops learning MAC addresses If any frame with an unknown MAC address arrives intrusion protection is triggered and the port will be disabled and stay silent for 30 seconds Network diagram Figure 53 Network diagram for port security configuration Configuration procedure Enter system view SW7750 system view Enable port security SW775...

Page 207: ...utolearn SW7750 GigabitEthernet2 0 1 quit Add the MAC address 0001 0002 0003 of Host as a security MAC address to the port in VLAN 1 SW7750 mac address security 0001 0002 0003 interface GigabitEthernet 2 0 1 vlan 1 Configure the port to be silent for 30 seconds after intrusion protection is triggered SW7750 GigabitEthernet2 0 1 port security intrusion mode disableport temporarily SW7750 GigabitE...

Page 208: ...208 CHAPTER 25 PORT SECURITY CONFIGURATION ...

Page 209: ...ve configuration you can use the display command in any view to display port binding information and verify your configuration Table 140 Configure port binding Operation Command Description Enter system view system view Bind the MAC address and IP address of a legal user with a specific port In system view am user bind mac addr mac address ip addr ip address interface list Either is required By de...

Page 210: ... Host A Network diagram Figure 54 Network diagram for port binding configuration Configuration procedure Configure switch A as follows Enter system view SW7750 system view Enter Ethernet 2 0 1 port view SW7750 interface Ethernet2 0 1 Bind the MAC address and the IP address of Host A to Ethernet 2 0 1 SW7750 Ethernet2 0 1 am user bind mac addr 0001 0002 0003 ip addr 10 12 1 1 10 12 1 1 24 MAC addre...

Page 211: ... shown in Figure 55 Fibers that are not connected or disconnected as shown in Figure 56 the hollow lines in which refer to fibers that are not connected or disconnected Device link detection protocol DLDP can detect the link status of an optical fiber cable or copper twisted pair such as super category 5 twisted pair If DLDP finds a unidirectional link it disables the related port automatically or...

Page 212: ... correctly and whether packets can be exchanged normally at both ends However the auto negotiation mechanism cannot implement this detection n In order for DLDP to detect fiber disconnection in one direction you need to configure the port to work in mandatory full duplex mode at a mandatory rate When the port determines the duplex mode and speed through auto negotiation even if DLDP is enabled it ...

Page 213: ...able state Disable packets carry only the local port information instead of the neighbor information When a port detects a unidirectional link and enters the disable state the port sends disable packets to the neighbor A port enters the disable state upon receiving a disable packet LinkDown Linkdown packets are used to notify unidirectional link emergencies a unidirectional link emergency occurs w...

Page 214: ...ets with the RSY flag set or not set Advertisement Advertisement packets Probe Probe packets Table 144 The procedure to process a received DLDP packet Packet type Processing procedure Advertisement packet Extracts neighbor information If the corresponding neighbor entry does not exist on the local device DLDP creates the neighbor entry triggers the entry aging timer and switches to the probe state...

Page 215: ... remains in active state for more than five seconds and enters this status It is a stable state where no unidirectional link is found Probe DLDP sends packets to check whether the link is unidirectional It enables the probe sending timer and an echo waiting timer for each target neighbor Disable DLDP detects a unidirectional link or finds in enhanced mode that a neighbor disappears In this case ...

Page 216: ... when the entry aging timer expires DLDP sends an advertisement packet with an RSY tag and deletes the neighbor entry In the enhanced mode if no packet is received from the neighbor when the entry aging timer expires DLDP enables the enhanced timer The entry aging timer length is three times the advertisement timer length Enhanced timer In the enhanced mode if no packet is received from the neighb...

Page 217: ...ts original DLDP state if it receives a port up message before the delaydown timer expires Otherwise it removes the DLDP neighbor information and changes to the inactive state Table 147 DLDP timers Timer Description Table 148 DLDP operating mode and neighbor entry aging DLDP operating mode DLDP detects whether neighbors exist or not when neighbor tables are aging The entry aging timer is enabled o...

Page 218: ...o see if the neighbor information carried in the recover echo packet is consistent with that of the local port If yes the link between the local port and the neighbor is considered to be recovered to bidirectional the port changes from the disable state to the active state and neighboring relationship is reestablished between the local port and the neighbor n Only ports in the DLDP down state can ...

Page 219: ... is 5 seconds Set the delaydown timer dldp delaydown timer delaydown time Optional By default the delaydown timer expires after 1 second it is triggered Set the DLDP handling mode when a unidirectional link is detected dldp unidirectional shutdown auto manual Optional By default the handling mode is auto Set the operating mode of DLDP dldp work mode enhance normal Optional By default DLDP works ...

Page 220: ...ilization is high DLDP may issue mistaken reports You are recommended to configure the operating mode of DLDP as manual after unidirectional links are discovered For the dldp interval integer command make sure that the same interval for transmitting advertisement packets is set on the ports used to connect both devices otherwise DLDP will not operate properly Resetting DLDP Status n Only after t...

Page 221: ...network traffic increases and port bandwidth is reduced DLDP is also applicable to STP Discarding ports Ports discarded by STP can set up normal DLDP neighbors and detect unidirectional links DLDP does not process any LACP event and treats each link in the aggregation group as independent The mandatory duplex mode must be enabled on both ends of the DLDP link In this way unidirectional links will ...

Page 222: ...and Switch B are cross connected DLDP disconnects the unidirectional links after detecting them When the network administrator connects the fiber correctly the ports taken down by DLDP are restored Network diagram Figure 57 Fiber cross connection Configuration procedure 1 Configure Switch A Configure the ports to work in mandatory full duplex mode at the speed of 1000 Mbps SW7750A system view SW77...

Page 223: ...n the fibers are not correctly connected When the fibers are cross connected both ends are unidirectional links and the two ends are displayed as in Disable status When one end is correctly connected and the other end is not connected one end is in Advertisement status and the other is in Inactive status Restore the ports taken down by DLDP SW7750A dldp reset 2 Configure Switch B The configuration...

Page 224: ...224 CHAPTER 27 DLDP CONFIGURATION ...

Page 225: ...witch queries its MAC address table for the forwarding port number according to the destination MAC address carried in the packet and then forwards the packet through the port The dynamic address entries not configured manually in the MAC address table are learned by the Ethernet switch When an Ethernet switch learns a MAC address the following occurs When a switch receives a packet from one of it...

Page 226: ...f the destination device does not respond to the packet this indicates that the destination device is unreachable or that the destination device receives the packet but gives no response In this case the switch still cannot learn the MAC address of the destination device Therefore the switch will still broadcast any other packet with this destination MAC address To fully utilize a MAC address tabl...

Page 227: ...e 152 Characteristics of different types of MAC address entries MAC address entry Configuration method Aging time Reserved or not at reboot if the configuration is saved Static MAC address entry Manually configured Unavailable Yes Dynamic MAC address entry Manually configured or generated by MAC address learning mechanism Available No Table 153 MAC address entry configuration tasks Configuration t...

Page 228: ...e no aging keyword specifies that MAC address entries do not age out Setting the Maximum Number of MAC Addresses a Port Can Learn The MAC address learning mechanism enables an Ethernet switch to acquire the MAC addresses of the network devices on the segment connected to the ports of the switch The switch directly forwards the packets destined for these MAC addresses An oversized MAC address table...

Page 229: ...es The Switch 7750 learns MAC address entries in one of the following ways Through MAC address learning on the port By synchronizing MAC address entries between chips Table 156 Set the maximum number of MAC addresses a port can learn Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Set the maximum number of MAC addresses ...

Page 230: ...1PT4GB0 LS8M1PT8GB0 LS81PT4GA and LS81PT8GA Setting the processing method for the specific packets You can use the following commands to configure whether or not the packets with destination MAC address being the bridge MAC address of the switch will be passed to CPU for processing Displaying and Maintaining MAC Address Configuration To verify your configuration you can display information about t...

Page 231: ...namic MAC addresses to 500 seconds SW7750 mac address timer aging 500 Display the information about the MAC address entries in system view SW7750 display mac address interface Ethernet 2 0 2 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME s 000f e235 dc71 1 Config static Ethernet2 0 2 NOAGED 000f e200 5503 1 Learned Ethernet2 0 2 445 000f e200 5548 1 Learned Ethernet2 0 2 282 3 mac address(es) found o...

Page 232: ...232 CHAPTER 28 MAC ADDRESS TABLE MANAGEMENT ...

Page 233: ...ches authentication can be performed locally or through a RADIUS server 1 When a RADIUS server is used for authentication the switch serves as a RADIUS client Authentication is carried out through the cooperation of switches and the RADIUS server In MAC address mode a switch sends user MAC addresses detected to the RADIUS server as both user names and passwords The rest handling procedures are the...

Page 234: ...resses that the port can learn you are not allowed to enable the centralized MAC address authentication function on the port If a port is already enabled with the 802 1x function and the access control mode of the port is not configured as macbased you are not allowed to enable the centralized MAC address authentication function on the port If a port is already enabled with the centralized MAC add...

Page 235: ...ized MAC address authentication for a port in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Enable centralized MAC address authentication for the current port mac authentication Required By default centralized MAC address authentication is disabled on a port Table 165 Configure centralized MAC addre...

Page 236: ...cation The period is determined by the Reauth period server Table 167 lists the operations to configure the timers used in centralized MAC address authentication Configuring Centralized MAC Address Re Authentication Re authentication function enables a switch to re authenticate a user's identity or change his authentication information when necessary if the user adopts the MAC address authenticati...

Page 237: ...ss Authentication Configuration Example n Centralized MAC address authentication configuration is similar to that of 802 1x In this example the differences between the two lie in Centralized MAC address authentication needs to be enabled both globally and for a port In MAC address mode MAC address of locally authenticated user is used as both user name and password Table 168 Configure the centrali...

Page 238: ...ication mode The user name and password are both 000fe2010101 Network diagram Figure 59 Enable to perform the MAC address authentication locally for access users Configuration Procedure Add a local access user SW7750 system view SW7750 local user 000fe2010101 SW7750 luser 000fe2010101 password simple 000fe2010101 SW7750 luser 000fe2010101 service type lan access SW7750 luser 000fe2010101 quit Conf...

Page 239: ...ss Authentication Configuration Example 239 SW7750 mac authentication timer offline detect 180 SW7750 mac authentication timer quiet 30 For domain related configuration refer to the 802 1x Configuration Example on page 404 ...

Page 240: ...240 CHAPTER 29 CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION ...

Page 241: ...the forwarding loads of different VLANs MSTP is compatible with both STP and RSTP It overcomes the drawback of STP and RSTP It not only enables spanning trees to converge rapidly but also enables packets of different VLANs to be forwarded along their respective paths to provide a better load balancing mechanism with redundant links MSTP Protocol Data Unit Bridge protocol data unit BPDU is the prot...

Page 242: ... spanning tree in a MST region Multiple spanning trees can be established in one MST region These spanning trees are independent of each other For example each region in Figure 60 contains multiple spanning trees known as MSTIs multiple spanning tree instances Each of these spanning trees corresponds to a VLAN VLAN mapping table A VLAN mapping table is a property of an MST region It contains infor...

Page 243: ...wn in Figure 60 the region root of MSTI 1 is switch B and the region root of MSTI 2 is switch C Common root bridge The common root bridge is the root of the CIST The common root bridge of the network shown in Figure 60 is a switch in region A0 Port roles In MSTP the following port roles exist root port designated port master port region edge port alternate port and backup port A root port is used ...

Page 244: ...orts can be in the following three states Forwarding state Ports in this state can forward user packets and receive send BPDU packets Learning state Ports in this state can receive send BPDU packets Discarding state Ports in this state can only receive BPDU packets Table 170 lists possible combinations of port states and port roles Table 170 Combinations of port states and port roles Port State Po...

Page 245: ...eing itself. 1. Each switch sends out its configuration BPDUs and operates in the following way when receiving a configuration BPDU on one of its ports from another switch: if the priority of the received configuration BPDU is lower than that of the port's own configuration BPDU, the switch discards the BPDU and does not change the configuration BPDU of the port; if the priority of the configuration BPD...

Page 246: ...receive configuration messages and cannot forward packets. Otherwise, the switch sets the local port as the designated port, replaces the original configuration BPDU of the port with the resulting one and sends it out periodically. MSTP implementation on switches: MSTP is compatible with both STP and RSTP; that is, switches with MSTP employed can recognize the protocol packets of STP and RSTP and use them t...

Page 247: ...figuration | Optional; the default is recommended | Network Diameter Configuration on page 252
MSTP time-related configuration | Optional; the defaults are recommended | MSTP Time-related Configuration on page 252
Timeout time factor configuration | Optional | Timeout Time Factor Configuration on page 254
Maximum transmitting speed configuration | Optional; the default is recommended | Maximum Transmitting Speed Con...

Page 248: ...stance 1 and VLAN 20 through VLAN 30 being mapped to spanning tree instance 2:
  <SW7750> system-view
  [SW7750] stp region-configuration
  [SW7750-mst-region] region-name info
  [SW7750-mst-region] instance 1 vlan 2 to 10
  [SW7750-mst-region] instance 2 vlan 20 to 30
  [SW7750-mst-region] revision-level 1
  [SW7750-mst-region] active region-configuration
Verify the above configuration (every switch meant to be in the same region must show the same region name, revision level and VLAN-to-instance mapping, or it forms a region of its own):
  [SW7750-mst-region] check region-configuration
Adm...

Page 249: ...ss replaces the root bridge when the latter fails. You can specify the network diameter and the Hello time parameters while configuring a root bridge or secondary root bridge; refer to Network Diameter Configuration on page 252 and MSTP Time-related Configuration on page 252 for information about these two parameters. Note: You can configure a switch as the root bridge...

Page 250: ...dge or a secondary root bridge by using the stp root primary or stp root secondary command, the bridge priority of the switch is not configurable. During the selection of the root bridge, if multiple switches have the same bridge priority, the one with the lowest MAC address becomes the root bridge candidate. (Nothing in the election itself stops an attached switch that advertises a lower bridge ID from taking the root role; the root guard function on page 267 is what blocks that on ports where it must not happen.) Configuration example: set the bridge priority of the current switch to 4 096 in spanning tree i...

Page 251: ...decreased by 1 every time the configuration BPDU passes a switch. Such a mechanism prevents switches beyond the maximum hops from participating in spanning tree generation and thus limits the size of an MST region. With it, the maximum hops configured on the switch operating as the root bridge of the IST or an MSTI in an MST region becomes the network diameter of the spannin...

Page 252: ...idge diameter 6. MSTP Time-related Configuration: you can configure three MSTP time-related parameters for a switch: Forward delay, Hello time and Max age. The Forward delay parameter sets the delay of state transitions. Link problems in a network result in the spanning trees being regenerated and the original spanning tree structures being changed; as the newly generated configuration BPDUs cannot ...

Page 253: ...lt in normal links being regarded as invalid when packets get lost on them, which in turn results in spanning trees being regenerated; a too small Hello time, on the other hand, results in configuration BPDUs being sent too frequently, which increases the workload of the switches and wastes network resources. The default is recommended. As for the Max age parameter, if it is too small, network conge...

Page 254: ...g devices at the interval specified by the Hello time parameter to test the links. Normally, a switch regards its upstream switch as faulty if it does not receive any protocol packets from it within three times the Hello time, and then initiates the spanning tree regeneration process. Spanning trees may be regenerated even in a steady network if an upstream switch continues to be ...

Page 255: ...orts that neither directly connect to other switches nor indirectly connect to other switches through network segments. After a port is configured as an edge port, rapid transition applies to it: when the port changes from the blocking state to the forwarding state, it does not have to wait for a delay. (If a switch is nevertheless attached to an edge port, the BPDUs it sends trigger a spanning tree recalculation; BPDU protection, page 264, shuts the port down instead.) You can configure a port as an edge port in the following two ways. Table 181 Configure...

Page 256: ...ated Configuration: a point-to-point link directly connects two switches. If the roles of the two ports at the ends of a point-to-point link meet certain criteria, the two ports can transit to the forwarding state rapidly by exchanging synchronization (proposal/agreement) packets, eliminating the forwarding delay. You can specify whether or not the link connected to a port is a point-to-point link in one of the followi...

Page 257: ...force-false | auto } | Required. The auto keyword is adopted by default. force-true specifies that the links connected to the specified ports are point-to-point links; force-false specifies that they are not; auto specifies that the switch determines automatically whether or not the links connected to the specified ports are p...

Page 258: ...on specified ports | stp interface interface-list disable | Optional. By default, MSTP is enabled on all ports after you enable MSTP in system view. To let a switch operate more flexibly, you can disable MSTP on specific ports; as MSTP-disabled ports do not participate in spanning tree generation, this saves CPU resources. (A port with MSTP disabled also ignores BPDUs, so a loop through it is not detected; the BPDU Tunnel example on page 278 disables it only on the access ports whose BPDUs are to be carried transparently.)
Table 188 Disable MSTP in Ethernet port view: Operation | Command | Descri...

Page 259: ...atus (root, branch or leaf) of each switch in each spanning tree instance is determined. Table 189 Leaf node configuration: Operation | Remarks | Related section
MSTP configuration | Required. To prevent network topology jitter caused by the other related configurations, you are recommended to enable MSTP after performing them | MSTP Configuration on page 258
MST region configuration | Required | MST Reg...

Page 260: ...e determined by the switch or through manual configuration. Standards for calculating path costs of ports: currently a switch can calculate the path costs of ports based on one of the following standards. dot1d-1998: adopts the IEEE 802.1D-1998 standard to calculate the default path costs of ports. dot1t: adopts the IEEE 802.1t standard to calculate the default path costs of ports. legacy: adopts the standard...

Page 261: ...
Link speed | Link type | 802.1D-1998 | 802.1t | Legacy
... | ... | 19 | 200 000 | 200
... | Aggregated link, 2 ports | 15 | 100 000 | 180
... | Aggregated link, 3 ports | 15 | 66 666 | 160
... | Aggregated link, 4 ports | 15 | 50 000 | 140
1 000 Mbps | Full duplex | 4 | 20 000 | 20
1 000 Mbps | Aggregated link, 2 ports | 3 | 10 000 | 18
1 000 Mbps | Aggregated link, 3 ports | 3 | 6 666 | 16
1 000 Mbps | Aggregated link, 4 ports | 3 | 5 000 | 14
10 Gbps | Full duplex | 2 | 2 000 | 2
10 Gbps | Aggregated link, 2 ports | 1 | 1 000 | 1
10 Gbps | Aggregated link, 3 ports | 1 | 666 | 1
10 Gbps | Aggregated link, 4 ports | 1 | 500 | 1
Table 192 Con...

Page 262: ...determining the root port. Under otherwise equal conditions, ports with smaller port priority values are more likely to become the root port than those with bigger values. A port on an MSTP-enabled switch can have different port priorities and play different roles in different spanning tree instances; this enables packets of different VLANs to be forwarded along different physical paths so that load b...

Page 263: ...256. MSTP configuration: refer to MSTP Configuration on page 258. The mCheck Configuration: as mentioned previously, ports on an MSTP-enabled switch can operate in three modes: STP-compatible, RSTP-compatible and MSTP. A port on an MSTP-enabled switch operating as an upstream switch transits to the STP-compatible mode when it has an STP-enabled switch connected to it. When the STP-enabled downstream switc...

Page 264: ...ction Configuration. Introduction: the following protection functions are available on an MSTP-enabled switch: BPDU protection, root protection, loop guard and topology change BPDU (TC-BPDU) attack guard. BPDU protection: normally the access ports of the devices operating on the access layer directly connect to terminals such as PCs or file servers. These ports are usually configured as edge ports to achiev...

Page 265: ...ed period. Loop guard: a switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may get lost because of network congestion or link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, it selects a new root port, the original root port becomes a designated port and the bloc...

Page 266: ...ction function and the edge port setting, only one can be valid on a port at one time. BPDU Protection Configuration. Configuration prerequisites: MSTP is enabled on the current switch. Configuration procedure and configuration example: enable the BPDU guard function:
  <SW7750> system-view
  [SW7750] stp bpdu-protection
CAUTION: As Gigabit ports of a Switch 7750 cannot be shut down, the BPDU guard function is not appli...

Page 267: ...e 200 Enable the root guard function in Ethernet port view: Operation | Command | Description
Enter system view | system-view | -
Enter Ethernet port view | interface interface-type interface-number | -
Enable the root guard function on the current port | stp root-protection | Required. The root guard function is disabled by default.
Table 201 Enable the loop guard function in system view: Operation | Command | Description
Enter...
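The configuration-BPDU comparison on pages 245-246 and the BPDU guard and root guard decisions on pages 264-267 are easier to reason about with the election written out. The Python below is an added example, not code from the 3Com guide or from the switch; the bridge IDs, MAC addresses, port names and path costs are constructed for illustration, and a port's "held" BPDU is modelled as the best BPDU it has seen so far (initially its own). It shows how a rogue bridge advertising priority 0 wins the election on an unprotected port, is shut down by BPDU guard on an edge port, and is blocked by root guard on a protected designated port.

```python
# Added example, not from the 3Com guide: a Python model of the
# configuration-BPDU comparison behind root election (pages 245-246) and of the
# BPDU-guard / root-guard decisions built on it (pages 264-267).  Bridge IDs,
# MAC addresses, port names and path costs are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # 0..61440 in steps of 4096; lower is better
    mac: int        # 48-bit MAC as an int; lower wins a priority tie


@dataclass(frozen=True)
class Bpdu:
    root: BridgeId
    root_path_cost: int
    sender: BridgeId
    port_id: int    # (port priority << 8) | port number

    def vector(self):
        # Comparison order used by the election: root ID, root path cost,
        # sender bridge ID, sender port ID.  The lower tuple is the better BPDU.
        return (self.root, self.root_path_cost, self.sender, self.port_id)


def is_superior(received: Bpdu, held: Bpdu) -> bool:
    return received.vector() < held.vector()


@dataclass
class Port:
    name: str
    path_cost: int
    held: Bpdu                    # best BPDU seen on this port (initially its own)
    state: str = "forwarding"
    edge: bool = False
    bpdu_protection: bool = False
    root_protection: bool = False


def receive_bpdu(port: Port, bpdu: Bpdu) -> str:
    """Apply one received configuration BPDU to a port; return what happened."""
    if port.edge and port.bpdu_protection:
        # BPDU guard: an edge port should never see a BPDU.  A switch plugged
        # into it (or a host sending crafted BPDUs) gets the port shut down
        # rather than a topology recalculation.
        port.state = "shutdown"
        return "bpdu-guard: port shut down"
    if not is_superior(bpdu, port.held):
        # Inferior (or equal) BPDU: discard it and keep the port's own.
        return "inferior: discarded"
    if port.root_protection:
        # Root guard: a superior BPDU here would move the root bridge behind
        # this port; block the port instead of re-electing.
        port.state = "discarding"
        return "root-guard: port blocked"
    port.held = bpdu
    return "superior: accepted"


def elect_root_port(bridge: BridgeId, ports: List[Port]) -> Optional[Port]:
    """Root port = the port whose held BPDU is best once its own path cost is added.
    Returns None when no port holds a better root than this bridge (it is the root)."""
    live = [p for p in ports
            if p.state not in ("shutdown", "discarding") and p.held.root != bridge]
    if not live:
        return None
    return min(live, key=lambda p: (p.held.root,
                                    p.held.root_path_cost + p.path_cost,
                                    p.held.sender, p.held.port_id))


def own_bpdu(bridge: BridgeId, root_port: Port, port_id: int) -> Bpdu:
    """The configuration BPDU this switch now sends from a designated port."""
    return Bpdu(root_port.held.root,
                root_port.held.root_path_cost + root_port.path_cost,
                bridge, port_id)


if __name__ == "__main__":
    me = BridgeId(32768, 0x000FE2000001)
    mine = Bpdu(me, 0, me, 0x8001)
    uplink = Port("Ethernet1/0/1", 200000, mine)
    edge = Port("Ethernet1/0/2", 200000, mine, edge=True, bpdu_protection=True)
    guarded = Port("Ethernet1/0/3", 200000, mine, root_protection=True)
    legit = BridgeId(4096, 0x000FE2000099)
    rogue = BridgeId(0, 0x000000000001)   # claims priority 0 to grab the root role
    print(receive_bpdu(uplink, Bpdu(legit, 0, legit, 0x8001)))
    print(receive_bpdu(edge, Bpdu(rogue, 0, rogue, 0x8001)))
    print(receive_bpdu(guarded, Bpdu(rogue, 0, rogue, 0x8001)))
    rp = elect_root_port(me, [uplink, edge, guarded])
    print(rp.name, own_bpdu(me, rp, 0x8003))
```

The model deliberately leaves out the timers (Forward delay, Max age) and the TC-BPDU handling; it only covers the comparison and the two guard decisions, which is the part that matters when deciding where to enable stp bpdu-protection and stp root-protection.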

Page 268: ...ion such as region ID and configuration digest. As some partners' switches adopt proprietary spanning tree protocols, they cannot interwork with other switches in an MST region even if they are configured with the same MST region-related settings. This problem can be overcome with the digest snooping feature. If a port on a Switch 7750 is connected to a pa...

Page 269: ...e configured with exactly the same MST region-related configurations, including region name, revision level and VLAN-to-MSTI mapping. The digest snooping feature must be enabled on all the ports of your Switch 7750 that are connected to partners' switches running proprietary protocols in the same MST region. While digest snooping is enabled, the VLAN-to-MSTI mapping cannot be modified. (Digest snooping means the switch accepts the peer's configuration digest instead of recomputing it, so a mapping mismatch on that link is no longer detected; keep it to ports facing switches under your own administration.) The dige...

Page 270: ...switch. Figure 62 and Figure 63 illustrate the RSTP and MSTP rapid transition mechanisms (Figure 62 The RSTP rapid transition mechanism; Figure 63 The MSTP rapid transition mechanism). A limitation exists on combining RSTP and MSTP for rapid transition: for example, when the upstream switch adopts RSTP and the downstream switch adopts MSTP but does not support the RSTP-compatible mode, the root po...

Page 271: ...g tree protocol, you can enable the rapid transition feature on the ports of the 3Com series switch operating as the downstream switch. Among these ports, those operating as root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch. This enables designa...

Page 272: ...operator's network comprises packet ingress/egress devices and the user's network has networks A and B. On the operator's network, the BPDU packets arriving at the ingress are rewritten to carry MAC addresses in a special format and are converted back to their original format at the egress; this is how transparent transmission is implemented on the operator's network. Table 205 Configure the rapid trans...

Page 273: ...802.1x, GVRP, GMRP, STP or NTDP enabled, the BPDU Tunnel function is not applicable to these ports. [Figure: customer networks Network A and Network B attached through packet input/output devices to the service provider network.] Table 207 Configure the BPDU Tunnel function: Operation | Command | Description
Enter system view | system-view | -
Enable MSTP globally | stp enable | -
Enable the BPDU Tunnel function globally | v...

Page 274: ...ics. Table 208 Enable log/trap output for ports of an MSTP instance: Operation | Command | Description
Enter system view | system-view | -
Enable log/trap output for the ports of a specified instance | stp instance instance-id portlog | Required. By default, log/trap output is disabled for the ports of all instances.
Enable log/trap output for the ports of all instances | stp portlog all | Required. By default, log/trap outp...
(With port logging on, port role and state changes reach your syslog or SNMP collector, which is the record you need to notice an unexpected root bridge change or a port tripping BPDU guard.)

Page 275: ...are configured as the root bridges of spanning tree instance 1 and spanning tree instance 3 respectively; Switch C is configured as the root bridge of spanning tree instance 4. Network diagram: Figure 66 Network diagram for implementing MSTP. Note: "Permit" in Figure 66 means the corresponding link permits packets of the specified VLANs. Configuration procedure: 1. Configure Switch A. Enter MST region view...

Page 276: ...iguration. Specify Switch B as the root bridge of spanning tree instance 3:
  [SW7750] stp instance 3 root primary
3. Configure Switch C. Enter MST region view:
  <SW7750> system-view
  [SW7750] stp region-configuration
Configure the MST region:
  [SW7750-mst-region] region-name example
  [SW7750-mst-region] instance 1 vlan 10
  [SW7750-mst-region] instance 3 vlan 30
  [SW7750-mst-region] instance 4 vlan 40
  [SW7750-mst-region] revis...

Page 277: ...operate as the access devices of the user's network, that is, Switch A and Switch B in the network diagram. Switch C and Switch D connect to each other through their configured trunk ports and have the BPDU Tunnel function enabled; thereby transparent transmission is realized between the user's network and the operator's network. Network diagram: Figure 67 Network diagram for BPDU Tunnel...

Page 278: ...and then enable the VLAN VPN function on it:
  [SW7750] interface Ethernet 1/0/1
  [SW7750-Ethernet1/0/1] port access vlan 10
  [SW7750-Ethernet1/0/1] stp disable
  [SW7750-Ethernet1/0/1] vlan-vpn enable
  [SW7750-Ethernet1/0/1] quit
Configure port Ethernet1/0/2 as a trunk port:
  [SW7750] interface Ethernet 1/0/2
  [SW7750-Ethernet1/0/2] port link-type trunk
Add the trunk port to all VLANs:
  [SW7750-Ethernet1/0/2] port trunk perm...

Page 279: ...1/0/2
  [SW7750-Ethernet1/0/2] port access vlan 10
  [SW7750-Ethernet1/0/2] stp disable
  [SW7750-Ethernet1/0/2] vlan-vpn enable
  [SW7750-Ethernet1/0/2] quit
Configure port Ethernet1/0/1 as a trunk port:
  [SW7750] interface Ethernet 1/0/1
  [SW7750-Ethernet1/0/1] port link-type trunk
Add the trunk port to all VLANs:
  [SW7750-Ethernet1/0/1] port trunk permit vlan all
(permit vlan all keeps the example short; on a production provider trunk, permit only the VLANs the link has to carry.) ...

Page 280: ...CHAPTER 30 MSTP CONFIGURATION...

Page 281: ...directly to the destination host if the host is on a network directly connected to the router. Each entry in a routing table contains: Destination address, which identifies the address of the destination host or network of an IP packet; Network mask, which together with the destination address identifies the address of the network segment where the destination host or router resides; by performing a logical AND b...

Page 282: ...the network where the destination resides. To avoid an oversized routing table, you can set a default route: all the packets for which the router fails to find a matching entry in the routing table are forwarded through this default route. As shown in Figure 68, the number in each network cloud indicates the network address and R represents a router. Router G is connected to three networks...

Page 283: ...ing protocols may discover different routes to the same destination, but only one route among these routes and the static routes is optimal; in fact, at any given moment only one routing protocol can determine the current route to a specific destination. Routing protocols, including static routing, are assigned different preferences. When there are multiple routing information sources, the route disco...

Page 284: ...e of the routes has the highest preference (the smallest preference value) and is called the primary (main) route; the other routes have descending preferences and are called backup routes. Normally the router sends data through the main route. When a line failure occurs on the main route, the main route is withdrawn and the router chooses the one with the highest preference among the remaining backup routes as the path to send data ...

Page 285: ...n will be discarded and the source hosts will be informed of the unreachability of the destination. Blackhole route (route with the blackhole attribute): if a static route to a destination has the blackhole attribute, the outgoing interface of this route is the Null 0 interface regardless of the next hop address, and all the IP packets addressed to this destination are dropped without notifyin...
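The lookup rules spread over pages 281-285 (mask AND destination, longest match, the default route as last resort, preference between routing sources, primary and backup static routes, and the reject and blackhole attributes) fit in one small model. The Python below is an added example, not code from the 3Com guide or from the switch; the prefixes, next hops, interface names and the preference values (direct 0, static 60, RIP 100) are constructed for illustration, so check the real defaults with display ip routing-table on the switch itself.

```python
# Added example, not from the 3Com guide: a Python model of the routing-table
# rules described on pages 281-285: longest-prefix match (destination AND mask),
# the default route as last resort, preference-based selection when several
# sources offer the same prefix, primary/backup (floating) static routes, and
# the reject / blackhole attributes.  Prefixes, next hops, interface names and
# the preference values are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]     # None for direct, reject and blackhole routes
    interface: str              # "Null0" for blackhole / reject routes
    protocol: str               # "direct", "static", "ospf", "rip"
    preference: int             # lower value = higher preference (wins)
    attribute: str = "normal"   # "normal", "reject" or "blackhole"
    active: bool = True         # False once the line behind the route fails


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes = list(routes)

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest match first; for equal prefix lengths the lowest preference wins."""
        dst = ipaddress.IPv4Address(destination)
        # "dst in prefix" is exactly "dst AND mask == network address".
        matches = [r for r in self.routes if r.active and dst in r.prefix]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.preference))

    def forward(self, destination: str) -> str:
        """What the router does with a packet for `destination`."""
        r = self.lookup(destination)
        if r is None:
            return "drop: no matching route"
        if r.attribute == "reject":
            return "drop: reject route, ICMP unreachable sent to source"
        if r.attribute == "blackhole":
            return "drop: blackhole route via Null0, nothing sent to source"
        if r.protocol == "direct":
            return f"deliver directly on {r.interface}"
        return f"forward via {r.next_hop} on {r.interface}"

    def line_failed(self, prefix: str, next_hop: str) -> None:
        """Withdraw the primary route so the backup with the next-best preference takes over."""
        for r in self.routes:
            if str(r.prefix) == prefix and r.next_hop == next_hop:
                r.active = False


def sample_table() -> RoutingTable:
    """Constructed sample table; the preference values are assumptions, not the guide's."""
    net = ipaddress.ip_network
    return RoutingTable([
        Route(net("0.0.0.0/0"),      "1.1.2.2", "Vlan-interface2", "static", 60),   # default route
        Route(net("1.1.1.0/24"),     None,      "Vlan-interface1", "direct", 0),
        Route(net("1.1.4.0/24"),     "1.1.3.2", "Vlan-interface3", "static", 60),   # primary
        Route(net("1.1.4.0/24"),     "1.1.2.1", "Vlan-interface2", "static", 80),   # backup (floating)
        Route(net("10.0.0.0/8"),     "1.1.2.1", "Vlan-interface2", "rip",    100),
        Route(net("10.1.0.0/16"),    None,      "Null0",           "static", 60, "blackhole"),
        Route(net("192.168.0.0/16"), None,      "Null0",           "static", 60, "reject"),
    ])


if __name__ == "__main__":
    table = sample_table()
    for dst in ("1.1.4.7", "10.1.2.3", "10.2.2.3", "192.168.5.5", "8.8.8.8"):
        print(dst, "->", table.forward(dst))
    table.line_failed("1.1.4.0/24", "1.1.3.2")       # primary line goes down
    print("1.1.4.7 after failure ->", table.forward("1.1.4.7"))
```

The blackhole entry for 10.1.0.0/16 beats the RIP route for 10.0.0.0/8 on prefix length alone, which is the usual way to sink traffic for a prefix you own but do not route, without telling the sender anything.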

Page 286: ...g table will be forwarded through the default route. Do not configure the next hop address of a static route as the address of an interface on the local switch. The preference can be configured differently to implement a flexible route management policy. Displaying and Maintaining the Routing Table: after the above configuration, use the display command in any view to display the static route configurati...

Page 287: ...ic route | display ip routing-table ip-address [ mask ] [ longer-match ] [ verbose ]
Display the routes in a specified address range | display ip routing-table ip-address1 mask1 ip-address2 mask2 [ verbose ]
Display the routes discovered by a specified protocol | display ip routing-table protocol protocol [ inactive | verbose ]
Display the tree-structured routing table information | display ip routing-table radix
Display the s...

Page 288: ...tatic 1.1.1.0 255.255.255.0 1.1.2.1
  [SwitchC] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2
Configure the default gateway of Host A as 1.1.5.1 (detailed configuration procedure omitted). Configure the default gateway of Host B as 1.1.4.1 (detailed configuration procedure omitted). Configure the default gateway of Host C as 1.1.1.1 (detailed configuration procedure omitted). Now all the hosts, switche...

Page 289: ...RIP manages a routing database which contains routing entries to all the reachable destinations in the internetwork. Each routing entry contains the following information: Destination address, the IP address of a host or network; Next hop address, the IP address of an interface on the adjacent router through which IP packets should pass to reach the destination; Interface, the interface on this router through which ...

Page 290: ...hbors every 30 seconds. Upon receiving the packets, the neighbors update their own routing tables, select optimal routes and then advertise update information to their respective neighbors, so that the updated routes become known globally. Furthermore, RIP uses a timeout mechanism to age out routes that are no longer refreshed, so as to keep the routing table current and valid. RIP is commonly used by most IP router suppli...

Page 291: ...Setting RIP preference | Optional | Setting RIP preference on page 295
Enabling RIP traffic sharing across interfaces | Optional | Enabling RIP traffic sharing across interfaces on page 295
Configuring RIP to import routes from another protocol | Optional | Configuring RIP to redistribute routes from another protocol on page 296
RIP Network Adjustment and Optimization: Configuring RIP timers | Optional | Configur...

Page 292: ...ce. Specifying the RIP version on an interface. Table 214 Enable RIP globally and on the interface of a specified network segment: Operation | Command | Description
Enter system view | system-view | -
Enable RIP globally and enter RIP view | rip | -
Enable RIP on the interface of a specified network segment | network network-address | Required. By default, RIP is disabled on any interface.
Table 215 Setting the RIP operati...

Page 293: ...orm the following tasks: configuring the network layer addresses of interfaces so that adjacent nodes are reachable to each other at the network layer; configuring basic RIP functions. Configuring RIP Route Control. Setting the additional routing metrics of an interface: an additional routing metric is the routing metric (hop count) added to the original metrics of RIP routes on an interface. It does not change ...

Page 294: ...help in route addressing but consume a lot of network resources; after host route receiving is disabled, a router refuses any incoming host routes.
Set the additional routing metric to be added to incoming RIP routes on this interface | rip metricin value | Optional. By default, the additional routing metric added to incoming routes on an interface is 0.
Set the additional routing metric to be added fo...

Page 295: ...sharing across interfaces. Table 220 Configure RIP to filter incoming/outgoing routes: Operation | Command | Description
Enter system view | system-view | -
Enter RIP view | rip | -
Configure RIP to filter incoming routes | filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] | gateway ip-prefix-name } import [ interface interface-type interface-number ] | Required. By default, RIP does not filter any incomi...

Page 296: ...n an interface or link with special requirements. Configuration Prerequisites: before adjusting RIP, perform the following tasks: configuring the network layer addresses of interfaces so that adjacent nodes are reachable to each other at the network layer; configuring basic RIP functions.
Enable RIP traffic sharing across interfaces | traffic-share-across-interface | Optional. By default, RIP traffic sharing ...

Page 297: ...d for RIP-2. Setting the RIP-2 packet authentication mode: RIP-2 supports two authentication modes, simple authentication and MD5 authentication. (Simple authentication carries the password in clear text in every RIP packet, so anyone on the segment can read it and send updates of their own; MD5 authentication sends a keyed digest instead and is the mode to use where forged routing updates are a concern.) Table 224 Configure RIP timers: Operation | Command | Description
Enter system view | system-view | -
Enter RIP view | rip | -
Set the values of RIP timers | timers { update update-timer | timeout timeout-timer } * | Optional. By default, the Update timer value is 30 seconds and the Timeout timer val...

Page 298: ...assword | md5 { rfc2453 key-string | rfc2082 key-string key-id } } | Required. If you specify MD5 authentication, you must specify one of the following MD5 authentication types: rfc2453, which supports the packet format defined in RFC 2453; rfc2082, which supports the packet format defined in RFC 2082. Table 228 Configure a RIP neighbor: Operation | Command | Description
Enter system view | system-view | -
Enter...
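To see what the rfc2082 choice above actually puts on the wire, the Python below builds and verifies a RIP-2 Response carrying the RFC 2082 MD5 authentication entry and trailer. It is an added example, not code from the 3Com guide or from the switch: the keyed-MD5 construction (key padded to 16 bytes written into the trailer, MD5 over the whole packet, digest written back over the key) and the field layout follow RFC 2082 as I read it, and the routes, key, key ID and sequence numbers are constructed samples. The verifier checks the trailer offset, the key ID, the digest and the non-decreasing sequence number, which is what stops a captured update from being replayed.

```python
# Added example, not from the 3Com guide: building and verifying the RIP-2
# MD5 authentication entry and trailer in the RFC 2082 packet format (the
# "md5 rfc2082" mode on page 298).  The keyed-MD5 construction (key padded to
# 16 bytes placed in the trailer, MD5 over the whole packet, digest written
# back over the key) follows RFC 2082; routes, key, key ID and sequence
# numbers below are constructed samples.
import hashlib
import hmac
import struct

AUTH_AFI = 0xFFFF      # address family value that marks an authentication entry
AUTH_TYPE_MD5 = 3      # RFC 2082 keyed MD5 (2 would be the clear-text password)
TRAILER_TYPE = 1       # marks the trailer that carries the digest
DIGEST_LEN = 16
RIP_HDR_LEN, ENTRY_LEN = 4, 20


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def _rte(addr: str, mask: str, next_hop: str, metric: int, tag: int = 0) -> bytes:
    # One RIP-2 route entry: AFI 2 (IP), route tag, address, mask, next hop, metric.
    return struct.pack("!HH4s4s4sI", 2, tag, _ip(addr), _ip(mask), _ip(next_hop), metric)


def build_response(routes, key: bytes, key_id: int, seq: int) -> bytes:
    """RIP-2 Response (command 2, version 2) signed with RFC 2082 keyed MD5."""
    if not 1 <= len(key) <= DIGEST_LEN:
        raise ValueError("RFC 2082 keys are 1..16 bytes")
    header = struct.pack("!BBH", 2, 2, 0)                  # command, version, must-be-zero
    body = b"".join(_rte(*r) for r in routes)
    packet_len = RIP_HDR_LEN + ENTRY_LEN + len(body)       # offset of the trailer
    auth_entry = struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_TYPE_MD5, packet_len,
                             key_id, DIGEST_LEN, seq)      # 8 reserved zero bytes
    unsigned = header + auth_entry + body + struct.pack("!HH", AUTH_AFI, TRAILER_TYPE)
    digest = hashlib.md5(unsigned + key.ljust(DIGEST_LEN, b"\0")).digest()
    return unsigned + digest


def verify_response(packet: bytes, keys: dict, last_seq: dict) -> bool:
    """Check format, digest and sequence number.  `keys` maps key ID -> key;
    `last_seq` maps key ID -> highest sequence number accepted so far."""
    if len(packet) < RIP_HDR_LEN + 2 * ENTRY_LEN:
        return False
    afi, atype, packet_len, key_id, dlen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if (afi, atype, dlen) != (AUTH_AFI, AUTH_TYPE_MD5, DIGEST_LEN):
        return False
    if packet_len + ENTRY_LEN != len(packet):
        return False                                        # trailer offset inconsistent
    key = keys.get(key_id)
    if key is None:
        return False                                        # unknown key ID
    if struct.unpack("!HH", packet[packet_len:packet_len + 4]) != (AUTH_AFI, TRAILER_TYPE):
        return False
    expected = hashlib.md5(packet[:packet_len + 4] + key.ljust(DIGEST_LEN, b"\0")).digest()
    if not hmac.compare_digest(packet[packet_len + 4:], expected):
        return False                                        # forged or tampered
    if seq < last_seq.get(key_id, 0):
        return False                                        # replayed older update
    last_seq[key_id] = seq
    return True


if __name__ == "__main__":
    key = b"s3cret-k3y"                                     # constructed sample key
    routes = [("10.1.0.0", "255.255.0.0", "0.0.0.0", 1),
              ("172.16.0.0", "255.255.0.0", "0.0.0.0", 3)]
    pkt = build_response(routes, key, key_id=1, seq=100)
    seen = {}
    print("genuine:", verify_response(pkt, {1: key}, seen))
    tampered = pkt[:40] + b"\x00\x00\x00\x10" + pkt[44:]   # metric of first route -> 16
    print("tampered:", verify_response(tampered, {1: key}, seen))
    print("replayed:", verify_response(build_response(routes, key, 1, 50), {1: key}, seen))
```

The digest is keyed MD5, not HMAC, and MD5 is long past its prime, but the key never appears on the wire, which is the difference that matters against someone sniffing the segment; simple authentication gives that attacker the password in the first packet they capture.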

Page 299: ...tion related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of the VLAN interfaces are configured correctly. 1. Configure SwitchA. Configure RIP:
  <SwitchA> system-view
  [SwitchA] rip
  [SwitchA-rip] network 110.11.2.0
  [SwitchA-rip] network 155.10.1.0
2. Configure SwitchB. Configure RIP:
  <SwitchB> system-view
  [SwitchB] rip
  [SwitchB-rip] network 1...

Page 300: ...n configuration rip command to verify that RIP is enabled on the interface with the network command. Use the display this command in VLAN interface view to verify that the undo rip work command was not executed on the interface connected to the peer. Use the display this command in VLAN interface view to verify that the RIP packets sent by the two ends have the same format (the same RIP version, and the same authentication mode and key if authentication is configured). The peer routing device is configured to ...

Page 301: ...e: OSPF supports multiple equal-cost routes to the same destination. Routing hierarchy: OSPF has a four-level routing hierarchy; it prioritizes routes as intra-area, inter-area, external type 1 and external type 2 routes. Authentication: OSPF supports interface-based packet authentication, so that only routers holding the shared key can take part in route calculation. Multicast transmission: OSPF supports transmitting protocol packets ...

Page 302: ...igured, the system automatically selects one of the interfaces' IP addresses as the router ID. A router ID is selected in the following way: if loopback interface addresses are configured, the system chooses the most recently configured loopback IP address as the router ID; if no loopback interface is configured, the first configured IP address among the IP addresses of the other interfaces will be th...

Page 303: ...After an AS is divided into different areas that are interconnected through OSPF ABRs, the routing information exchanged between areas can be reduced through route summarization. This reduces the size of routing tables and improves the calculation speed of routers. After an ABR calculates the intra-area routes of its area, it aggregates multiple OSPF routes into one LSA based on the summary configura...

Page 304: ...he network are not directly reachable to each other, you must configure the corresponding interface type as P2MP. If a router in the network has only one peer, you can change the corresponding interface type to P2P. The differences between NBMA and P2MP are as follows: an NBMA network is fully connected, non-broadcast and multi-access, whereas a P2MP network is not necessarily fully connected; DR and ...

Page 305: ...tead of being manually configured, the DR and BDR are elected by all the routers on the current network segment. The priority of a router interface determines whether the interface qualifies in the DR/BDR election: all the routers with DR priorities greater than 0 on the current network segment are eligible candidates. Hello packets serve as the votes in the election; each router writes the DR it selects to...

Page 306: ...SR packets contain the digests (headers) of the needed LSAs. LSU packet: link state update (LSU) packets are used to transmit the needed LSAs to the peer router; an LSU packet is a collection of multiple complete LSAs (not LSA digests). LSAck packet: link state acknowledgment (LSAck) packets are used to acknowledge received LSU packets; an LSAck contains the headers of the LSAs to be acknowledged, and one LSAck packet can ac...

Page 307: ...logy in a stub area. OSPF multi-process: multiple OSPF processes can be run on a router. Sharing discovered routing information with other dynamic routing protocols: at present, OSPF supports importing the routes of other dynamic routing protocols such as RIP, and static routes, as OSPF external routes into the AS to which the router belongs. In addition, OSPF supports advertising the routing information i...

Page 308: ...figuring OSPF Route Summary | Optional | Configuring OSPF Route Summary on page 314
Configuring OSPF to Filter Received Routes | Optional | Configuring OSPF to Filter Received Routes on page 314
Configuring the Cost for Sending Packets on an OSPF Interface | Optional | Configuring the Cost for Sending Packets on an OSPF Interface on page 315
Setting OSPF Route Priority | Optional | Setting OSPF Route Priority on ...

Page 309: ...OSPF Timers | Optional | Configuring OSPF Timers on page 317
Configuring the LSA transmission delay | Optional | Configuring the LSA transmission delay on page 318
Configuring the SPF Calculation Interval | Optional | Configuring the SPF Calculation Interval on page 318
Disabling OSPF Packet Transmission on an Interface | Optional | Disabling OSPF Packet Transmission on an Interface on page 318
Configuring OSPF ...

Page 310: ...The undo protocol multicast-mac enable command must be configured if the Layer 2/Layer 3 multicast function is enabled in the system. In router ID selection, a router ID configured with the ospf process-id router-id router-id command takes precedence over one configured with the router id command, which in turn takes precedence over an automatically selected router ID. Router IDs can be re-selected; a re-selecte...

Page 311: ...with the backbone area, and the backbone area must itself remain connected. If physical connectivity cannot be ensured due to various restrictions, you can configure OSPF virtual links to satisfy this requirement. Configuration Prerequisites: before configuring OSPF area attributes, perform the following tasks: configuring the network layer addresses of interfaces so that the adjacent nodes are r...

Page 312: ...lection in the network, so that the router with higher performance and reliability can be selected as the DR or BDR. Configuration Prerequisites: before configuring the network type of an OSPF interface, perform the following tasks: configuring the network layer address of the interface so that the adjacent node is reachable at the network layer; performing basic OSPF configuration. Configuring the Network Type o...

Page 313: ...f a neighbor has the right to vote. If you set the priority to 0 when configuring a neighbor, the local router treats the neighbor as having no right to vote and sends it no Hello packets; this reduces the number of Hello packets on the network during the DR/BDR election. However, if the local router is already the DR or BDR, it will send Hello packets to the neighbor wh...

Page 314: ...ew | system-view | -
Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | -
Enter area view | area area-id | -
Enable ABR route summary | abr-summary ip-address mask [ advertise | not-advertise ] | Required. This command takes effect only when it is configured on an ABR. By default, this function is disabled on an ABR.
Table 237 Configure ASBR route summary: Operation | Command | Description
Enter system view | system-view | -
Enter OSP...

Page 315: ...st for sending packets on an OSPF interface | ospf cost value | Optional. By default, OSPF calculates the cost for sending packets on an interface according to the interface's current bandwidth; for a VLAN interface on the switch this value is fixed at 1.
Table 240 Set OSPF route priority: Operation | Command | Description
Enter system view | system-view | -
Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | -
S...

Page 316: ...ced when the interfaces transmit LSAs. By adjusting the SPF calculation interval, you can mitigate the resource consumption caused by frequent network changes. In a network with high security requirements, you can enable OSPF authentication so that a device without the key cannot form an adjacency or inject LSAs. In addition, OSPF supports network management: you can bind the OSPF MIB to an OSPF process and configure the Trap mes...

Page 317: ...nsmission interval that is too short; otherwise, unnecessary retransmissions will occur. The LSA retransmission interval must be greater than the round-trip time of a packet between the two routers. Table 242 Configure OSPF timers: Operation | Command | Description
Enter system view | system-view | -
Enter interface view | interface interface-type interface-number | -
Set the hello interval on the interface | ospf timer hello se...

Page 318: ...e, you can disable multiple OSPF processes from transmitting OSPF packets. The silent-interface command, however, applies only to the OSPF interface where the specified process has been enabled, without affecting the interface for any other process. Table 243 Configure the LSA transmission delay: Operation | Command | Description
Enter system view | system-view | -
Enter interface view | interface interface-type int...

Page 319: ...l MTU value of the interface is filled in the Interface MTU field of the DD packets. Table 246 Configure OSPF authentication: Operation | Command | Description
Enter system view | system-view | -
Enter OSPF view | ospf [ process-id [ router-id router-id ] ] | -
Enter OSPF area view | area area-id | -
Configure the authentication mode of the OSPF area | authentication-mode { simple | md5 } | Required. By default, no authentication mode is c...

Page 320: ...r status changes. Table 249 Configure OSPF MIB binding: Operation | Command | Description
Enter system view | system-view | -
Configure OSPF MIB binding | ospf mib-binding process-id | Optional. By default, the MIB is bound to the first enabled OSPF process; when multiple OSPF processes are enabled, you can configure which OSPF process the MIB is bound to.
Enable OSPF Trap | snmp-agent trap enable ospf [ process-id ] [ ifauthfail... (ifauthfail reports interface authentication failures, the trap worth forwarding to the SNMP collector once OSPF authentication is enabled)

Page 321: ...Display OSPF statistics | display ospf [ process-id ] cumulative
Display OSPF LSDB information | display ospf [ process-id ] [ area-id ] lsdb [ brief | [ asbr | ase | network | nssa | router | summary ] [ ip-address ] [ verbose ] | originate-router ip-address | self-originate ]
Display OSPF peer information | display ospf [ process-id ] peer [ brief | statistics ]
Display OSPF next hop information | display ospf [ process-id ] nexthop
Display OSPF routing table...

Page 322: ...lan-interface1] ospf dr-priority 0
  [SwitchB] router id 2.2.2.2
  [SwitchB] ospf
  [SwitchB-ospf-1] area 0
  [SwitchB-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
Configure SwitchC:
  <SwitchC> system-view
  [SwitchC] interface Vlan-interface 1
  [SwitchC-Vlan-interface1] ip address 196.1.1.3 255.255.255.0
  [SwitchC-Vlan-interface1] ospf dr-priority 2
  [SwitchC] router id 3.3.3.3
  [SwitchC] ospf
  [SwitchC-ospf-1] area 0
  [SwitchC-ospf...

Page 323: ...tchB] interface Vlan-interface 1; [SwitchB-Vlan-interface1] ospf dr-priority 200. On SwitchA, run the display ospf peer command to display its OSPF peers. Note that the priority of SwitchB has been changed to 200, but it is still not the DR. The DR is changed only when the current DR goes offline. Shut down SwitchA and run the display ospf peer command on SwitchD to display its peers. Note that the original ...

Page 324: ...[SwitchB-Vlan-interface1] ip address 196.1.1.2 255.255.255.0; [SwitchB-Vlan-interface1] quit; [SwitchB] interface Vlan-interface 2; [SwitchB-Vlan-interface2] ip address 197.1.1.2 255.255.255.0; [SwitchB] router id 2.2.2.2; [SwitchB] ospf; [SwitchB-ospf-1] area 0; [SwitchB-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255; [SwitchB-ospf-1-area-0.0.0.0] quit; [SwitchB-ospf-1] area 1. Device / Interface / IP address / Router ID: Switch A...

Page 325: ...o routers reaches the FULL state. Note: On a broadcast or NBMA network, if the interfaces between two routers are in DROther state, the peer state machine between the two routers is in 2-way state instead of FULL state. The peer state machine between DR/BDR and all the other routers is in FULL state. Use the display ospf peer command to view peers. Use the display ospf interface command to view the OSPF...

Page 326: ...a should be configured to be connected to the backbone area. As shown in Figure 75, Router A and Router D are configured to belong to only one area, whereas Router B (Area 0 and Area 1) and Router C (Area 1 and Area 2) are configured to belong to two areas. Router B also belongs to Area 0, which meets the requirement. However, none of the areas of Router C is Area 0. Therefore, a virtual link should be set up ...

Page 327: ...communication between an ES and an IS; therefore, an ES does not participate in the IS-IS process and can be ignored in the IS-IS protocol. Routing domain (RD): A group of ISs exchange routing information with the same routing protocol in a routing domain. Area: An area is a division unit in a routing domain. The IS-IS protocol allows a routing domain to be divided into multiple areas. Link state database (L...

Page 328: ...ighbor relationship with the Level-2 and Level-1-2 routers in the same or in different areas. It maintains a Level-2 LSDB, which contains routing information for routing between areas. All Level-2 routers must be contiguous to form the backbone in a routing domain. Only Level-2 routers can directly communicate with routers outside the routing domain. 3 Level-1-2 router: A router functions as a Level-1 a...

Page 329: ... in this topology. The backbone is composed of all contiguous Level-2 and Level-1-2 routers, which can reside in different areas. Figure 77 IS-IS topology II. Note: The IS-IS backbone does not need to be a specific area. Both the IS-IS Level-1 and Level-2 routers use the SPF algorithm to generate the shortest path tree (SPT). (Figure 77 labels: Area 1, Area 2, Area 3, Area 4, Area 5; L1 and L2 router markers.) ...

Page 330: ...ntify the area and the routing domain. In normal conditions, a router only needs one area address, and all nodes must share the same area addresses in the same domain. But a router can have three area addresses at most to support smooth area merging, partitioning and switching. 3 System ID: The system ID identifies the host or router uniquely. The Switch 7750 implements a fixed length of 48 bits (6 bytes). The...

Page 331: ...med 47.0001.aaaa.bbbb.cccc.00, where Area = 47.0001, System ID = aaaa.bbbb.cccc, SEL = 00. Here is another example: A NET exists that is named 01.1111.2222.4444.00, where Area = 01, System ID = 1111.2222.4444, SEL = 00. IS-IS PDU Format. Hello: The Hello packet is used by routers to establish and maintain the neighbor relationship. It is also called IS-to-IS Hello PDU (IIH). For a broadcast network, the Level-1 router uses th...

Page 332: ... redistribution: Optional; Configuring IS-IS Route Redistribution on page 335. Configure route filtering: Optional; Configuring Route Filtering on page 336. Configure route leaking: Optional; Configuring Route Leaking on page 337. Configure route summarization: Optional; Configuring Route Summarization on page 337. Configure default route generation: Optional; Configuring Default Route Generation on page 337. Co...

Page 333: ...e 342. Configure to discard LSPs with incorrect checksum: Optional; Configuring to Discard LSPs with Incorrect Checksum on page 342. Configure to log peer changes: Optional; Configuring to Log Peer Changes on page 342. Assign an LSP refresh time: Optional; Assigning an LSP Refresh Time on page 342. Configure LSP maximum aging time: Optional; Assigning an LSP Maximum Aging Time on page 343. Configure SPF parame...

Page 334: ...rea address and router system ID. Enabling IS-IS on the Specified Interface. Configuring DIS Priority: In a broadcast network, IS-IS needs to select a router as DIS. When a DIS needs to be selected from the IS-IS neighbors on the broadcast network, the Level-1 DIS and Level-2 DIS should be selected respectively. The Table 252 Enabling IS-IS: Operation / Command / Description. Enter system view: system-view. Conf...

Page 335: ...nfiguring IS-IS Route Redistribution: IS-IS processes the routes discovered by other routing protocols as routes outside a routing domain. You can specify the default cost for IS-IS to redistribute routes from another routing protocol. You can configure IS-IS to redistribute routes to Level-1, Level-2 and Level-1-2. Table 255 Configure DIS priority: Operation / Command / Description. Enter system view: system...

Page 336: ...pe of routes are to be filtered with the filter-policy export command, all the routes imported with the import-route command will be filtered. Table 258 Configure route redistribution: Operation / Command / Description. Enter system view: system-view. Enter IS-IS view: isis tag. Required. Enable route redistribution from another routing protocol: import-route protocol allow-ibgp cost value type external interna...

Page 337: ...system assigns a priority for each routing protocol. When multiple routing protocols discover a route to the same destination, the protocol with the highest priority will dominate. Table 261 Configure route leaking: Operation / Command / Description. Enter system view: system-view. Enter IS-IS view: isis tag. Required. Enable route leaking: import-route isis level-2 into level-1 acl acl-number. Optional. By defaul...

Page 338: ...ity of IS-IS routes is 15. Table 264 Configure protocol priority: Operation / Command / Description. Table 265 Configure IS-IS route cost style: Operation / Command / Description. Enter system view: system-view. Enter IS-IS view: isis tag. Required. Configure a cost style: cost-style narrow wide wide-compatible compatible narrow-compatible relax-spf-limit. Optional. By default, IS-IS receives/sends only the packets wit...

Page 339: ...mmand / Description. Enter system view: system-view. Enter interface view: interface interface-type interface-number. Required. Configure the CSNP packet sending interval in seconds: isis timer csnp seconds level-1 level-2. Optional. The default CSNP packet sending interval is 10 seconds. Table 269 Configure the LSP sending interval: Operation / Command / Description. Enter system view: system-view. Enter interface...

Page 340: ...uthentication password is encapsulated in the LSP, CSNP and PSNP packets at Level 1 as predefined. If area authentication is also enabled on other routers in the same area, area authentication works normally only if the authentication mode and password of these routers are the same as those of the neighboring routers. Likewise, if domain authentication is required, the domain authentication password is ...

Page 341: ...nto a mesh group. The interfaces in the group will flood the new LSPs only to the interfaces outside the mesh group. Table 273 Configure authentication: Operation / Command / Description. Enter system view: system-view. Enter IS-IS view: isis tag. Required. Define the area authentication mode: area-authentication-mode simple md5 password ip osi. Optional. Define the domain authentication mode: domain-authenticati...

Page 342: ... Refresh Time: All LSPs are sent periodically to synchronize the LSPs in an area. Add an interface to a mesh group: isis mesh-group mesh-group-number mesh-blocked. Optional. By default, LSPs are flooded on interfaces normally. Table 275 Add an interface to a mesh group: Operation / Command / Description. Table 276 Configure overload tag: Operation / Command / Description. Enter system view: system-view. Enter IS-IS v...

Page 343: ...tions: SPF calculation in IS-IS may occupy system resources for a long time if the routing table contains a great number of entries (over 30,000). To avoid this, you can configure SPF calculation durations. Table 279 Assign an LSP refresh time: Operation / Command / Description. Enter system view: system-view. Enter IS-IS view: isis tag. Required. Assign an LSP refresh time: timer lsp-refresh seconds. Optional. By de...

Page 344: ...on: spf-slice-size seconds. Optional. By default, SPF calculation is not sliced. Table 283 Configure SPF to release CPU resources automatically: Operation / Command / Description. Enter system view: system-view. Enter IS-IS view: isis tag. Required. Configure the interval at which SPF releases CPU resources: spf-delay-interval number. Optional. By default, in IS-IS, SPF releases CPU resources each time it has finished...

Page 345: ...h B, Switch C and Switch D belong to the same area. Table 286 Reset configuration data of the IS-IS peer: Operation / Command / Description. Enter system view: system-view. Reset configuration data of an IS-IS peer: reset isis peer system-id. Optional. By default, configuration data of an IS-IS peer is not reset. Table 287 Display and maintain integrated IS-IS configuration: Operation / Command / Description. Display ...

Page 346: ...0001.0000.0000.0006.00; [SwitchB] interface Vlan-interface 101; [SwitchB-Vlan-interface101] ip address 200.10.0.1 255.255.255.0; [SwitchB-Vlan-interface101] isis enable; [SwitchB] interface Vlan-interface 102; [SwitchB-Vlan-interface102] ip address 200.0.0.1 255.255.255.0; [SwitchB-Vlan-interface102] isis enable; [SwitchB] interface Vlan-interface 100; [SwitchB-Vlan-interface100] ip address 100.10.0.2 255.255.255.0; [Switc...

Page 347: ...Vlan-interface100] isis enable. Configure Switch D: [SwitchD] isis; [SwitchD-isis] network-entity 86.0001.0000.0000.0008.00; [SwitchD] interface Vlan-interface 102; [SwitchD-Vlan-interface102] ip address 100.20.0.2 255.255.255.0; [SwitchD-Vlan-interface102] isis enable; [SwitchD] interface Vlan-interface 100; [SwitchD-Vlan-interface100] ip address 100.30.0.1 255.255.255.0; [SwitchD-Vlan-interface100] isis enable ...

Page 348: ...348 CHAPTER 35: IS-IS CONFIGURATION ...

Page 349: ...ansport layer protocol, with the port number being 179, to ensure reliability. BGP supports classless inter-domain routing (CIDR). With BGP employed, only the changed routes are propagated. This saves network bandwidth remarkably and makes it feasible to propagate large amounts of route information across the Internet. The AS path information used in BGP eliminates routing loops thoroughly. In BGP, multiple r...

Page 350: ...ation is performed, all the bits of this field are 1. Length: 2 bytes in length. This field indicates the size in bytes of a BGP packet, with the packet header counted in. Type: 1 byte in length. This field indicates the type of a BGP packet. Its value ranges from 1 to 5, which represent Open, Update, Notification, Keepalive and Route-refresh packets. Among these types of BGP packets, the first four are defined ...

Page 351: ...ssage format: An Update message can advertise a group of reachable routes with the same path attributes. These routes are set in the NLRI field. The Path Attributes field carries the attributes of these routes, according to which BGP chooses routes. An Update message can also carry multiple unreachable routes. The withdrawn routes are set in the Withdrawn Routes field. The fields of an Update message are ...

Page 352: ...a router, it sends the whole BGP routing table to its peers to exchange routing information. Afterwards, BGP sends only Update messages instead of the whole table. While running, BGP also sends/receives Keepalive messages to determine whether the connections to its peers are normal. A router running BGP is also called a BGP speaker because it can send BGP messages. A BGP speaker can receive routing ...

Page 353: ...P Peer and Peer Group Definition: As described in BGP Routing Mechanism on page 352, two BGP speakers capable of exchanging BGP messages with each other are peers of each other. A BGP peer group is a set of BGP peers. Relation between peer and peer group: In the Switch 7750, a BGP peer cannot exist independently; it must belong to a peer group. Therefore, when you configure a BGP peer, you must first create...

Page 354: ...ng information: Optional; Configuring BGP Route Receiving Policy on page 359. Configuring BGP-IGP route synchronization: Optional; Configuring BGP-IGP Route Synchronization on page 360. Configuring BGP route dampening: Optional; Configuring BGP Route Dampening on page 360. Configuring BGP load balance: Optional; Configuring BGP Load Balance on page 361. Configuring BGP route attributes: Optional; Configuring BG...

Page 355: ...em view: system-view. Start BGP and enter BGP view: bgp as-number. Required. By default, the system does not run BGP. Enter multicast address family view: ipv4-family multicast. Required. Table 290 Configure basic BGP functions: Operation / Command / Description. Enter system view: system-view. Specify the router ID: router id ip-address. Optional. Enable BGP and enter BGP view: bgp as-number. Required. By default, BGP is...

Page 356: ...w the peers to establish multi-hop TCP connections between them. Configuring the Way to Advertise/Receive Routing Information. Configuration Prerequisites: Make sure the following operation is performed before configuring the way to advertise/receive BGP routing information: Enabling the basic BGP functions. Make sure the following information is available when you configure the way to advertise/rec...

Page 357: ...BGP peer routing tables. BGP supports two route aggregation modes: automatic aggregation mode and manual aggregation mode. Automatic aggregation mode, where IGP sub-network routes imported by BGP are aggregated. In this mode, only the aggregated routes are advertised. The imported IGP sub-network routes are not advertised. Note that the default routes and the routes imported by using the network command c...

Page 358: ...olicy route-policy-name suppress-policy route-policy-name. Table 293 Enable default route advertising: Operation / Command / Description. Enter system view: system-view. Enable BGP and enter BGP view: bgp as-number. Required. By default, BGP is disabled. Enable default route advertising: peer group-name default-route-advertise. Required. By default, a BGP router does not send default routes to a specified peer group...

Page 359: ...ering policy configured. Specify an AS path ACL based BGP filtering policy for a peer group: peer group-name as-path-acl acl-number export. Specify an IP prefix based BGP route filtering policy for a peer group: peer group-name ip-prefix ip-prefix-name export. Table 294 Configure the BGP route advertising policy: Operation / Command / Description. Table 295 Configure BGP route receiving policy: Operation / Command / Descrip...

Page 360: ...ing information. Suppressed routes are neither added to the routing table nor advertised to other BGP peers. Filter the routing information received from a peer/peer group. Specify an ACL based BGP route filtering policy for a peer/peer group: peer group-name ip-address filter-policy acl-number import. Required. By default, no ACL based BGP route filtering policy, AS path ACL based BGP route filtering poli...

Page 361: ...hable 15 (in minutes), half-life-unreachable 15 (in minutes), reuse 750, suppress 2000, ceiling 16,000. Table 298 Configure BGP load balance: Operation / Command / Description. Enter system view: system-view. Enable BGP and enter BGP view: bgp as-number. Configure BGP load balance: balance num. Required. By default, the system does not adopt BGP load balance. Table 299 Configure BGP route attributes: Operation / Command / Des...

Page 362: ...coming from the neighbor routers in different ASs is disabled. Configure the local address as the next hop address when a BGP router advertises a route: peer group-name next-hop-local. Required. In some networks, to ensure that an IBGP neighbor locates the correct next hop, you can configure the next hop address of a route to be the local address for a BGP router to advertise route information to an IBGP peer gr...

Page 363: ...t. To make a new BGP routing policy take effect, you need to reset the BGP connection. This temporarily disconnects the BGP connection. In the Switch 7750, BGP supports the route refresh function. With the route refresh function enabled on all the BGP routers, if the BGP routing policy changes, the local router sends refresh messages to its peers. And the peers receiving the message in turn send their routing in...

Page 364: ...p-address timer keepalive keepalive-interval hold holdtime-interval. Configure the interval at which a peer group sends the same route update packet: peer group-name route-update-interval seconds. Optional. By default, the interval at which a peer group sends the same route update packet to IBGP peers is 15 seconds, and to EBGP peers is 30 seconds. Configure the number of route prefixes to be received fr...

Page 365: ...tiple BGP routers. In an AS, to ensure the connectivity among IBGP peers, you need to set up full connection among them. When there are too many IBGP peers, it will cost a lot to establish a fully connected network. Using RR or confederation can solve the problem. In a large AS, RR and confederation can be used simultaneously. Configuration Prerequisites: Before configuring a large-scale BGP network, you ...

Page 366: ... as the local AS number. Add a peer to a peer group: peer ip-address group group-name as-number as-number. Create an EBGP peer group. Create an EBGP peer group: group group-name external. Optional. You can add multiple peers to the group. The system automatically creates the peer in BGP view and specifies its AS number as the one of the peer group. Configure the AS number of a peer group: peer group-name as...

Page 367: ... bgp as-number. Required. By default, the system does not operate BGP. Configure the local router as the RR and configure the peer group as the client of the RR: peer group-name reflect-client. Required. By default, no RR and its clients are configured. Enable route reflection between clients: reflect between-clients. Optional. By default, route reflection is enabled between clients. Configure the cluster ID of an RR...

Page 368: ... table as-path-acl acl-number. Display routing information about CIDR: display bgp multicast routing-table cidr. Display routing information about a specified BGP community: display bgp multicast routing-table community aa:nn no-export-subconfed no-advertise no-export whole-match. Display the routes matching the specified BGP community ACL: display bgp multicast routing-table community-list community...

Page 369: ...and IBGP. Network diagram: Figure 84 Diagram for AS confederation. Table 306 Reset BGP connection: Operation / Command. Reset all BGP connections: reset bgp all. Reset the BGP connection with a specified peer: reset bgp ip-address. Reset the BGP connection with a specified peer group: reset bgp group group-name. Table 307 Clear BGP information: Operation / Command. Clear the route dampening information and release...

Page 370: ...onfed1001 external; [SwitchC-bgp] peer 172.68.10.1 group confed1001 as-number 1001; [SwitchC-bgp] group confed1002 external; [SwitchC-bgp] peer 172.68.10.2 group confed1002 as-number 1002; [SwitchC-bgp] group ebgp200 external; [SwitchC-bgp] peer 156.10.1.2 group ebgp200 as-number 200; [SwitchC-bgp] group ibgp1003 internal; [SwitchC-bgp] peer 172.68.1.2 group ibgp1003. Configuring BGP RR. Network requirements: SwitchB rec...

Page 371: ...figure SwitchB. Configure VLAN2: [SwitchB] interface Vlan-interface 2; [SwitchB-Vlan-interface2] ip address 192.1.1.2 255.255.255.0. Configure VLAN3: [SwitchB] interface Vlan-interface 3; [SwitchB-Vlan-interface3] ip address 193.1.1.2 255.255.255.0. Configure a BGP peer: [SwitchB] bgp 200; [SwitchB-bgp] group ex external; [SwitchB-bgp] peer 192.1.1.1 group ex as-number 100. Device / Interface / IP address / AS: Switch A, Vlan-int...

Page 372: ...itchD-Vlan-interface4] ip address 194.1.1.2 255.255.255.0. Configure a BGP peer: [SwitchD] bgp 200; [SwitchD-bgp] group in internal; [SwitchD-bgp] peer 194.1.1.1 group in. Use the display bgp routing-table command to display the BGP routing table on SwitchB. Note that SwitchB already knows of the existence of network 1.0.0.0. Use the display bgp routing-table command to display the BGP routing table on SwitchD...

Page 373: ...chA-bgp] group ex192 external; [SwitchA-bgp] peer 192.1.1.2 group ex192 as-number 200; [SwitchA-bgp] group ex193 external; [SwitchA-bgp] peer 193.1.1.2 group ex193 as-number 200; [SwitchA-bgp] quit. Configure the MED attribute of Switch A. Device / Interface / IP address / AS: Switch A: Vlan-int 101, 1.1.1.1/8, AS 100; Vlan-int 2, 192.1.1.1/24; Vlan-int 3, 193.1.1.1/24. Switch B: Vlan-int 2, 192.1.1.2/24, AS 200; Vlan-int 4, 194.1.1.2/24...

Page 374: ...date of neighbor Switch B (192.1.1.2): [SwitchA] bgp 100; [SwitchA-bgp] peer ex193 route-policy apply_med_50 export; [SwitchA-bgp] peer ex192 route-policy apply_med_100 export. 2 Configure Switch B: [SwitchB] interface vlan 2; [SwitchB-Vlan-interface2] ip address 192.1.1.2 255.255.255.0; [SwitchB] interface Vlan-interface 4; [SwitchB-Vlan-interface4] ip address 194.1.1.2 255.255.255.0; [SwitchB] ospf; [SwitchB-ospf-1] area 0; [S...

Page 375: ... Switch B, Switch D will choose the route 1.0.0.0 coming from Switch C. If you do not configure the MED attribute of Switch A when you configure Switch A, but configure the local preference on Switch C as follows: Configure the local preference of Switch C. Create ACL 2000 to permit routing information sourced from network 1.0.0.0: [SwitchC] acl number 2000; [SwitchC-acl-basic-2000] rule permit source 1.0.0.0 ...

Page 376: ...ckets. If you cannot ping through to the neighbor device, check whether there is a route to the neighbor in the routing table. If you can ping through to the neighbor device, check whether an ACL is configured to inhibit TCP port 179. If yes, cancel the inhibition of port 179. Symptom 2: After you use the network command to import the routes discovered by IGP to BGP, the BGP routes cannot be successfully adverti...

Page 377: ...ocols. The following sections describe these filters. Route policy: A route policy is used to match some attributes with given routing information, and the attributes of the information will be set if the conditions are satisfied. A route policy can comprise multiple nodes. Each node is a unit for matching test, and the nodes will be matched in the order of their node numbers. Each node comprises a set of...

Page 378: ... used in BGP to define the matching conditions about AS path. An as-path contains a series of AS paths, which are the records of the paths that routing information has passed during BGP routing information exchange. community-list: A community-list is only used to define the matching conditions about community attributes in BGP. A BGP routing information packet contains a community attribute field used to identify a ...

Page 379: ...take the test of the next node. If not, the system goes on to the test of the next node. The deny argument specifies that the matching mode for the defined node in the route policy is deny. In this mode, no apply clause is executed. If a route satisfies all the if-match clauses of the node, the system considers that the route fails to pass through the node and does not take the test of the next node. If not, ...

Page 380: ...n. Enter system view: system-view. Enter route policy view: route-policy route-policy-name permit deny node node-number. Define a rule to match the AS path field of BGP routing information: if-match as-path as-number-list. Optional. Define a rule to match the community attribute of BGP routing information: if-match community basic-community-number whole-match adv-community-number. Optional. Define a rule to ...

Page 381: ...ute of BGP routing information: apply community none aa:nn 1-13 no-export-subconfed no-export no-advertise additive. Optional. Define an action to set the next hop address of routing information: apply ip next-hop ip-address. Optional. Define an action to import routing information into the IS-IS area(s) at the specified level(s): apply isis level-1 level-2 level-1-2. Optional. Define an action to set the local p...

Page 382: ...ttributes. A router can decide whether to change community attributes before forwarding a route to another peer entity. A community list is used to identify community information. It falls into two types: basic community list and advanced community list. The former one's value ranges from 1 to 99 and the latter one's ranges from 100 to 199. By default, no BGP community list is defined. Applying Routing Polic...

Page 383: ...e routing policy configuration. IP Routing Policy Configuration Example. Configuring IP Routing Policy. Network requirements: As shown in Figure 87, Switch A communicates with Switch B using the OSPF protocol. Switch A's router ID is 1.1.1.1 and Switch B's is 2.2.2.2. Configure the OSPF routing process on Switch A and configure three static routes. Configure a routing policy for Switch A to filter imported static...

Page 384: ...atic 40.0.0.1 255.0.0.0 12.0.0.2. Enable the OSPF protocol and specify the ID of the area to which the interface 10.0.0.1 belongs: <SwitchA> system-view; [SwitchA] router id 1.1.1.1; [SwitchA] ospf; [SwitchA-ospf-1] area 0; [SwitchA-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255; [SwitchA-ospf-1-area-0.0.0.0] quit; [SwitchA-ospf-1] quit. Configure an ACL: [SwitchA] acl number 2000; [SwitchA-acl-basic-2000] rule deny sourc...

Page 385: ...ion / Cost / Type / NextHop / AdvRouter / Area: 10.0.0.0/8, 10, Net, 10.0.0.1, 1.1.1.1, 0.0.0.0. Routing for ASEs: Destination / Cost / Type / Tag / NextHop / AdvRouter: 20.0.0.0/8, 1, 2, 1, 10.0.0.1, 1.1.1.1; 40.0.0.0/8, 1, 2, 1, 10.0.0.1, 1.1.1.1. Total Nets: 1; Intra Area: 1; Inter Area: 0; ASE: 2; NSSA: 0. Troubleshooting IP Routing Policy. Symptom: Routing information cannot be filtered when the routing protocol runs normally. Solution: Check to ...

Page 386: ...e items are in the deny mode, no route will pass the ip-prefix filtering. You can define the item permit 0.0.0.0 0 less-equal 32 after multiple items in the deny mode for all other routes to pass the filtering; if less-equal 32 is not specified, only the default route will be matched ...

Page 387: ...refore, the route capacity limitation implemented by a Switch 7750 applies to OSPF and BGP routes only, but not to static and RIP routes. When the free memory of the switch is equal to or lower than the lower limit, the OSPF or BGP connection will be disconnected, and OSPF or BGP routes will be removed from the routing table. If automatic protocol connection recovery is enabled, when the free memory of the s...

Page 388: ...scription. Enter system view: system-view. Set the lower limit and the safety value of switch memory: memory safety safety-value limit limit-value. Optional. safety-value defaults to 40 and limit-value defaults to 30. Table 316 Enable automatic protocol recovery: Operation / Command / Description. Enter system view: system-view. Enable automatic protocol recovery: memory auto-establish enable. Optional. By default ...

Page 389: ...e 88 Architecture of 802.1x authentication. The supplicant system is an entity residing at one end of the LAN segment and is authenticated by the authenticator system connected to the other end of the LAN segment. The supplicant system is usually a user terminal device. An 802.1x authentication is initiated when a user launches the client program on the supplicant system. Note that the client program must...

Page 390: ...ed port and an uncontrolled port. The uncontrolled port can always send and receive packets. It mainly serves to forward EAPoL packets to ensure that a supplicant system can send and receive authentication requests. The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state; in this case, no packets can pass through it. Controlled po...

Page 391: ...em in turn determines the state (authorized or unauthorized) of the controlled port according to the instructions (accept or reject) received from the RADIUS server. Encapsulation of EAPoL Messages. The format of an EAPoL packet: EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol packets to be transmitted between supplicant systems and authenticator systems through LANs, EAP p...

Page 392: ...he authentication servers. Network management related information, such as alarming information, is encapsulated in EAPoL-Encapsulated-ASF-Alert packets, which are terminated by authenticator systems. The format of an EAP packet: For an EAPoL packet with the Type value being EAP-Packet, the corresponding Packet body is an EAP packet. Its format is illustrated in Figure 91. Figure 91 The format of an EAP pa...

Page 393: ...sage fields. The type code of the EAP-message field is 79. Figure 93 The format of an EAP-message field. The Message-authenticator field, as shown in Figure 94, can be used to prevent interception of access request packets during authentications using CHAP, EAP and so on. A packet with the EAP-message field must also have the Message-authenticator field; otherwise, the packet is regarded as invalid and is ...

Page 394: ...D5 authentication procedure. Figure 95 802.1x authentication procedure in EAP relay mode. The detailed procedure is as follows: A supplicant system launches an 802.1x client to initiate an access request through the sending of an EAPoL-start packet to the switch, with its user name and password provided. The 802.1x client program then forwards the packet to the switch to start the authentication proces...

Page 395: ...IUS access-request packet with the locally encrypted password. If the two match, it will then send feedback through a RADIUS access-accept packet and an EAP-success packet to the switch to indicate that the supplicant system is authorized. The switch changes the state of the corresponding port to accepted state to allow the supplicant system to access the network. The supplicant system can also terminat...

Page 396: ...requests for authentication. The switch sends a unicast request/identity packet to a supplicant system and then enables the transmission timer. The switch sends another request/identity packet to the supplicant system if the supplicant system fails to send a reply packet to the switch when this timer times out. The second case is when the switch authenticates the 802.1x client that does not request...

Page 397: ...tch quiets for the set period (set by the quiet-period timer) before processing another 802.1x related authentication request initiated by the supplicant system. ver-period: This timer sets the client version request timer. If the supplicant system does not send the version response packets within the set period, the switch sends another version request packet. 802.1x Implementation on the Switch 7750 ...

Page 398: ...m logging in. This function makes the switch send version requesting packets again if the 802.1x client fails to send a version reply packet to the switch before the version checking timer times out. Note: The client version checking function needs the support of 3Com's 802.1x client program. The Guest VLAN function: The Guest VLAN function enables supplicant systems that do not pass the authentication t...

Page 399: ...pass the authentication through the 802.1x client if they provide user names and passwords that match those stored in the switches. You can also specify to adopt the RADIUS authentication scheme with a local authentication scheme as a backup. In this case, the local authentication scheme is adopted when the RADIUS server fails. Refer to AAA Configuration on page 518 for detailed information about AAA...

Page 400: ...e latest time value obtained as the authentication interval. After re-authentication is enabled on a port, you cannot change the dynamic VLAN delivery attribute value for the port; if you do so, the re-authentication will cause users to be offline. Enable 802.1x for specified ports. Use the following command in system view: dot1x interface interface-list. Required. By default, 802.1x is disabled for all por...

Page 401: ...sers for specified ports In system view dot1x max user user number interface interface list Optional By default up to 1 024 concurrent on line users are allowed on each port In port view dot1x max user user number Configure the maximum retry times to send request packets dot1x retry max retry value Optional By default the maximum retry times to send a request packet is 2 That is the authenticator ...

Page 402: ...sted in Table 320 takes effect only when it is performed on CAMS as well as on the switch and the client version checking function is enabled on the switch by the dot1x version check command Configuring Client Version Checking Table 320 Configure user proxy checking Operation Command Description Enter system view system view Enable global proxy checking function dot1x supp proxy check logoff trap ...

Page 403: ...erify the 802 1x related configuration by executing the display command in any view You can clear 802 1x related statistics information by executing the reset command in user view Configure the client version checkin g period timer dot1x timer ver period ver period value Optional The default ver period value is 30 seconds Table 321 Configure client version checking Operation Command Description Ta...

Page 404: ...y accounting server. The other operates as the secondary authentication server and primary accounting server. The password for the switch and the authentication RADIUS servers to exchange messages is "name", and the password for the switch and the accounting RADIUS servers to exchange messages is "money". The switch sends another packet to the RADIUS servers again if it sends a packet to the RADIUS server a...

Page 405: ... Configuration" on page 525 for information about these commands. Configuration on the client and the RADIUS servers is omitted. Enable 802.1x globally: <SW7750> system-view. System View: return to User View with Ctrl+Z. [SW7750] dot1x. Enable 802.1x for the Ethernet2/0/1 port: [SW7750] dot1x interface Ethernet 2/0/1. Set the access control method to be MAC address based (can be omitted, as MAC address based is the def...

Page 406: ...t the timer for the switch to send real-time accounting packets to the RADIUS servers: [SW7750-radius-radius1] timer realtime-accounting 15. Configure to send the user name to the RADIUS server with the domain name removed beforehand: [SW7750-radius-radius1] user-name-format without-domain. [SW7750-radius-radius1] quit. Create the domain named aabbcc.net and enter its view: [SW7750] domain enable aabbcc.net. Spe...

Page 407: ...Configuration Example 407. Create a local access user account: [SW7750] local-user localuser. [SW7750-luser-localuser] service-type lan-access. [SW7750-luser-localuser] password simple localpass ...

Page 408: ...408 CHAPTER 39 802.1X CONFIGURATION ...

Page 409: ...ation and to be forwarded between HABP-enabled switches. Therefore the management devices can get the MAC addresses of their attached switches to manage them effectively. HABP is implemented by an HABP server and HABP clients. Normally, an HABP server sends HABP request packets regularly to HABP clients to collect the MAC addresses of the attached switches. HABP clients respond to the HABP request packets ...

Page 410: ...kets of all the VLANs. Configure the current switch to be an HABP server: habp server vlan vlan-id (Required). By default, a switch operates as an HABP client after you enable HABP on the switch; if you want to use the switch as a management switch, you must configure the switch to be an HABP server. Configure the interval to send HABP request packets: habp timer interval (Optional). The default interval f...

Page 411: ...nabled globally. Enable 802.1x on GigabitEthernet2/0/2: [SW7750] interface GigabitEthernet 2/0/2. [SW7750-GigabitEthernet2/0/2] dot1x. 802.1x is enabled on port GigabitEthernet2/0/2. 2 Configure Switch A. Enable HABP globally: <SW7750> system-view. System View: return to User View with Ctrl+Z. [SW7750] habp enable. Verify the configuration on the server: [SW7750] display habp table. MAC Holdtime Receive Port 000f-e2...

Page 412: ...412 CHAPTER 40 HABP CONFIGURATION ...

Page 413: ...on security, legal use of paid services, and network bandwidth. In the network, packets are sent in three modes: unicast, broadcast and multicast. The following sections describe and compare data interaction processes in unicast, broadcast and multicast. Information Transmission in the Unicast Mode: in unicast, the system establishes a separate data transmission channel for each user requiring this informati...

Page 414: ...server broadcasts this information through routers, and users A and C on the network also receive this information. The security and payment of the information cannot be guaranteed. As we can see from the information transmission process, the security and legal use of paid service cannot be guaranteed. In addition, when only a small number of users on the same network need the information, the utilizatio...

Page 415: ...the information is correctly delivered to users B, D and E. The advantages of multicast over unicast are as follows: no matter how many receivers exist, there is only one copy of the same multicast data flow on each link. With the multicast mode used to transmit information, an increase in the number of users does not add to the network burden remarkably. The advantages of multicast over broadcast are as...

Page 416: ...ficiency: multicast decreases network traffic and reduces server load and CPU load. Optimal performance: multicast reduces redundant traffic. Distributive application: multicast makes multiple-point application possible. Application of multicast: the multicast technology effectively addresses the issue of point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint data transmiss...

Page 417: ...ommunication between the information source and members of a multicast group (a group of information receivers), network layer multicast addresses, namely IP multicast addresses, must be provided. In addition, a technology must be available to map IP multicast addresses to link layer MAC multicast addresses. The following sections describe these two types of multicast addresses. IP multicast address: Intern...

Page 418: ...ulticast groups. The IP address 224.0.0.0 is reserved; other IP addresses can be used by routing protocols. 224.0.1.0 to 231.255.255.255 and 233.0.0.0 to 238.255.255.255: available any-source multicast (ASM) multicast addresses, IP addresses of temporary groups. They are valid for the entire network. 232.0.0.0 to 232.255.255.255: available source-specific multicast (SSM) multicast group addresses. 239.0.0.0 to 239...

Page 419: ...er 23 bits of a MAC address are the low-order 23 bits of the multicast IP address. Figure 103 describes the mapping relationship. Figure 103 Mapping relationship between multicast IP address and multicast MAC address. The high-order four bits of the IP multicast address are 1110, representing the multicast ID. Only 23 bits of the remaining 28 bits are mapped to a MAC address. Thus, five bits of the multi...

Page 420: ...domain routes. Intra-domain multicast routes have been quite mature. Protocol independent multicast (PIM) is the most commonly used protocol currently. PIM transmits information to receivers by means of multicast source discovery and multicast distribution tree establishment. According to forwarding mechanisms, PIM includes PIM dense mode (PIM-DM) and PIM sparse mode (PIM-SM). The key problem for inter-domain...

Page 421: ... routing protocols. Based on source addresses, multicast routers judge whether multicast packets come from specified interfaces; that is, the RPF check determines whether inbound interfaces are correct by comparing the interfaces that the packets reach with the interfaces that the packets should reach. If the router resides on a shortest path tree (SPT), the interface that multicast packets should reach point...

Page 422: ...422 CHAPTER 41 MULTICAST OVERVIEW ...

Page 423: ...he VLAN where the receiving port resides. In this way, the multicast source in the VLAN gets aware of the existence of the multicast group member. When the multicast source sends multicast packets to a group, the switch only forwards the packets to ports connected to the members of that group, thereby implementing Layer 2 multicast in the VLAN. Configuring GMRP: the main tasks in GMRP configuration inclu...

Page 424: ... configuration. Configuration procedure: Configure SwitchA. Enable GMRP globally: <SW7750> system-view. [SW7750] gmrp. GMRP is enabled globally. Enable GMRP on the port: [SW7750] interface Ethernet 2/0/1. [SW7750-Ethernet2/0/1] gmrp. GMRP is enabled on port Ethernet 2/0/1. Configure SwitchB. Enable GMRP globally: <SW7750> system-view. [SW7750] gmrp. GMRP is enabled globally. Enable GMRP on the port. Table 332 Display and debu...

Page 425: ...GMRP Configuration Example 425. [SW7750] interface Ethernet 2/0/1. [SW7750-Ethernet2/0/1] gmrp. GMRP is enabled on port Ethernet 2/0/1. ...

Page 426: ...426 CHAPTER 42 GMRP CONFIGURATION ...

Page 427: ...ed from the router. As shown in Figure 106, multicast packets are broadcast at Layer 2 when IGMP Snooping is disabled and multicast at Layer 2 when IGMP Snooping is enabled. Figure 106 Multicast packet transmission with or without IGMP Snooping being enabled. Table 333 IGMP message processing on the switch: Received message type / Sender / Receiver / Switch processing. IGMP host report message: Host; Switch A...

Page 428: ...multicast MAC address. Figure 107 IGMP Snooping implementation. To implement Layer 2 multicast, the switch processes four different types of IGMP messages it receives, as shown in Table 335. Table 334 IGMP Snooping timers: Timer / Setting / Packet normally received before timeout / Timeout action on the switch. Router port aging timer: aging time of the router port; IGMP general query message, PIM message, DVMRP pr...

Page 429: ...g queried. IGMP host report message: Host; Multicast router and multicast switch; Apply for joining a multicast group or respond to an IGMP query message; Check if the IP multicast group has a corresponding MAC multicast group. If yes, check if the port exists in the MAC multicast group. If yes, add the IP multicast group address to the MAC multicast group table. If not, add the port to the MAC multicas...

Page 430: ...mbers and enable the corresponding query timer. If the multicast group responds, the switch checks whether the port is the last host port corresponding to the MAC multicast group. If yes, remove the corresponding MAC multicast group and IP multicast group. If no, remove only those entries that correspond to this port in the MAC multicast group and remove the corresponding IP multicast group entries. If ...

Page 431: ...izing the network topology. Configure timers: Optional; "Configuring Timers" on page 432. Enable IGMP fast leave: Optional; "Enabling IGMP Fast Leave for a Port or All Ports" on page 432. Configure IGMP Snooping filter: Optional; "Configuring IGMP Snooping Filtering ACLs" on page 433. Configure to limit the number of multicast groups on a port: Optional; "Configuring to Limit Number of Multicast Groups on a Port" on ...

Page 432: ...ery to the port and enables the query response timer of the IP multicast group. Enabling IGMP Fast Leave for a Port or All Ports: normally, when receiving an IGMP Leave message, the switch does not immediately remove the port from the multicast group but sends an IGMP group-specific query message. If no response is received in a given period, it then removes the port from the multicast group. Table 338 C...

Page 433: ...t. If yes, it adds the port to the forward port list of the multicast group. If not, it drops the IGMP report message and does not forward the corresponding data stream to the port. In this way, you can control the multicast streams that users can access. Make sure that ACL rules have been configured before configuring this feature. Configuring IGMP Snooping filtering ACLs globally. Table 340 Enable the IG...

Page 434: ... layer. This router or Layer 3 switch is called the IGMP querier. Enable the IGMP Snooping filter in system view: igmp-snooping group-policy acl-number vlan vlan-list (Required). You can configure the ACL to filter the IP addresses of the corresponding multicast group. By default, the multicast filtering feature is disabled. Table 343 Configure IGMP Snooping filtering ACLs for a port: Operation / Command / Description. Ente...

Page 435: ...is enabled, in a query interval the Layer 2 switch will forward only the first IGMP host report message from a multicast group to the Layer 3 switch and drop the other IGMP host report messages from the same multicast group. Table 345 Configure IGMP Snooping querier: Operation / Command / Description. Enter system view: system-view. Enable IGMP Snooping: igmp-snooping enable (Required). By default, IGMP Snooping...

Page 436: ...ensure that the IGMP entry does not age out. When the simulated joining function is disabled on an Ethernet port, the simulated host sends an IGMP leave message. Therefore, to ensure that IGMP entries will not age out, the port must receive IGMP general queries periodically. Configuring IGMP Snooping simulated joining in VLAN interface view. Configuring IGMP Snooping simulated joining in Ethernet port vi...

Page 437: ...ly if multicast VLAN is configured. Perform the following configuration to configure multicast VLAN. CAUTION: You can configure up to 5 multicast VLANs for the device. A multicast VLAN cannot be configured as a multicast sub-VLAN. A multicast sub-VLAN cannot be configured as a multicast VLAN. A multicast sub-VLAN cannot be configured as the sub-VLAN of another multicast VLAN. A multicast sub-VLAN is co...

Page 438: ...snooping enable. Table 350 Display information about IGMP Snooping: Operation / Command / Description. Display the current IGMP Snooping configuration: display igmp-snooping configuration. You can execute the display commands in any view. Display IGMP Snooping message statistics: display igmp-snooping statistics. Display IP and MAC multicast groups in one or all VLANs: display igmp-snooping group [ vlan vlanid ]. D...

Page 439: ...nabled. Switch B (Layer 3 switch). (Figure labels: GigabitEthernet 2/0/1, GigabitEthernet 2/0/2, GigabitEthernet 2/0/3, Router A, Switch C, Switch D.) GigabitEthernet 2/0/1 belongs to VLAN 1024. GigabitEthernet 2/0/2 is a trunk port belonging to VLAN 2 to VLAN 4. GigabitEthernet 2/0/3 is a trunk port belonging to VLAN 5 to VLAN 7. Switch C (Layer 2 switch): the port connecting the upper layer switch is configured as a trunk port ...

Page 440: ...n the corresponding VLAN. If it is disabled globally, use the igmp-snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time. If it is only disabled on the corresponding VLAN, use the igmp-snooping enable command in VLAN view only to enable it on the corresponding VLAN. 2 The multicast forwarding table set up by IGMP Snooping is wron...

Page 441: ...ormation in the network. You can configure the suppression on the multicast source port feature to filter multicast packets on the unauthorized multicast source port, so as to prevent the users connected to the port from setting up multicast servers privately. Clearing the related multicast entries: by clearing the related multicast entries, you can clear the multicast route entries saved in the m...

Page 442: ...ble 353 Enable multicast routing and configure a limit on the number of multicast route entries: Operation / Command / Description. Enter system view: system-view. Enable multicast routing: multicast routing-enable (Required). Multicast routing must be enabled before the multicast group management protocol and the multicast routing protocol are configured. Configure a limit on the number of multicast route entries...

Page 443: ...users usually configure both primary and secondary links over a connection in order to avoid communication interruption due to link failure. When the primary link fails, the secondary link can replace it immediately to avoid communication interruption. On a link where a multicast protocol such as PIM or IGMP is enabled, the switch cannot restore multicast data transmission after switchover until the s...

Page 444: ...erface interface-type interface-number. Configure static router ports: multicast static-router-port vlan vlan-id (Required). Operation / Command / Description. Enter system view: system-view. Enter VLAN view: vlan vlan-id. Configure static router ports: multicast static-router-port interface interface-type interface-number (Required). Table 358 Clear the related multicast entries: Operation / Command / Description. Clear...

Page 445: ...the statistics information about the suppression on the multicast source port: display multicast-source-deny [ interface interface-type [ interface-number ] ]. You can execute the display command in any view. If neither the port type nor the port number is specified, the statistics information about the suppression on all the multicast source ports on the switch is displayed. If only the port type is specified...

Page 446: ... mask mask-length } ] ] [ source-address [ mask { group-mask | mask-length } ] ] [ incoming-interface { interface-type interface-number | register } ]. You can execute the display command in any view. Display the information about the multicast forwarding table: display multicast forwarding-table [ group-address [ mask { group-mask | mask-length } ] ] [ source-address [ mask { group-mask | mask-length } ] ] [ incoming-interface { interface-type interface-numb...

Page 447: ...ticast MAC address entries created by the mac-address multicast command manually; however, it cannot be used to delete the multicast MAC address entries learned by the switch. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you must delete this entry first, create this entry again, and then add the specified port to the forwarding ports of th...

Page 448: ...T MAC ADDRESS TABLE CONFIGURATION. Table 361 Display the multicast MAC addresses: Operation / Command / Description. Display the static multicast MAC addresses: display mac-address multicast count. You can use the display command in any view. ...

Page 449: ...n IGMP is asymmetric between the host and the router. The host needs to respond to the IGMP query messages of the multicast routers, that is, it sends report message responses as an IGMP host. The multicast router sends IGMP general query messages periodically and determines whether any host of a specified group joins its subnet based on the received response packets. When the router receives IGMP leave mess...

Page 450: ...P Version 2. It is used to dynamically adjust the maximum time for a host to respond to the membership query message. Working Procedure of IGMP: the working procedure of IGMP is as follows. The receiver host reports the membership to its shared network. A querier (IGMPv2) is selected from all the IGMP-enabled routers in the same network segment. The querier periodically sends group member query messages t...

Page 451: ...hosts in the network want to join another multicast group G2, they will send IGMP host report messages about G2 to respond to the query messages. After the query/response process, the IGMP routers get to know that receivers corresponding to the multicast group G1 exist in the network and generate the G1 multicast forwarding entries, according to which the multicast information is forwarded. The data...

Page 452: ...on to the multicast router. The multicast router relies on the IGMP query response timeout to know whether a group no longer has members. This adds to the leave latency. In IGMPv2, on the other hand, when a host leaves a multicast group: 1 This host sends a Leave Group message (often referred to as leave message) to all routers (the destination address is 224.0.0.2) on the local subnet. 2 Upon receiving the leav...

Page 453: ...ol on VLAN-interface 1. Configure the pim neighbor-policy command to filter PIM neighbors in the network segment 33.33.33.0/24; that is, Switch A does not consider Switch B as its PIM neighbor. In this case, when Switch B of the leaf network receives from VLAN-interface 2 an IGMP join or IGMP leave message sent by the host, it will change the source address of the IGMP information to the address of VLAN-int...

Page 454: ...ng IGMP Query Packets" on page 454. Configure IGMP multicast groups on the interface: Optional; "Configuring IGMP Multicast Groups on the Interface" on page 456. Configure IGMP simulated joining: Optional; "Configuring IGMP Simulated Joining" on page 458. Configure IGMP Proxy: Optional; "Configuring IGMP Proxy" on page 459. Configure suppression on IGMP host report messages: Optional; "Configuring Suppression on IGMP...

Page 455: ...t value x seconds) time, it will maintain the membership of the group. If the IGMP querier does not receive IGMP join messages from other hosts after the (robust value x seconds) time, it considers the group timed out and will not maintain the membership of the group. The procedure is only fit for the occasion when the IGMP querier runs IGMP version 2. If the host runs IGMP version 1, it does not send IGMP le...

Page 456: ...enabled globally, IGMP is enabled on all the Layer 3 interfaces automatically. Configure the query interval: igmp timer query seconds (Optional). The query interval is 60 seconds by default. Configure the interval of sending IGMP group-specific query messages: igmp lastmember-queryinterval seconds (Optional). By default, the interval of sending IGMP group-specific query messages is 1 second. Configuring the ...

Page 457: ...st routing-enable (Required). Enter VLAN interface view: interface Vlan-interface interface-number. Enable IGMP on the current interface: igmp enable. By default, if the IP multicast routing protocol is enabled globally, IGMP is enabled on all the Layer 3 interfaces automatically. Configure a limit on the number of IGMP groups on the interface: igmp group-limit limit (Optional). By default, the number of multicast...

Page 458: ...rface view first. Limit the range of multicast groups that the interface serves: igmp group-policy acl-number vlan vlan-id (Optional). By default, the filter is not configured; that is, any multicast group is permitted on the port. The port must belong to the IGMP-enabled VLAN specified in the command; otherwise the command does not take effect. Table 365 Configure IGMP multicast groups on the interface: Oper...

Page 459: ...red for one interface. Configuring Suppression on IGMP Host Report Messages: when a Layer 2 switch receives an IGMP host report message from a host in a multicast group, the switch will forward the message to the Layer 3 switch port connecting to it. If there are multiple hosts in a multicast group, the Layer 3 switch will receive the same IGMP host report messages from multiple hosts in a multicast gr...

Page 460: ... Configure suppression on IGMP host report messages: Operation / Command / Description. Enter system view: system-view. Configure suppression on IGMP host report messages: igmp report-aggregation (Required). By default, the suppression on IGMP host report messages is disabled. Table 370 Remove the joined IGMP groups from the interface: Operation / Command / Description. Remove the joined IGMP groups from the interfac...

Page 461: ...nd the related resources (bandwidth and the CPU of the router) are consumed at the same time. In order to reduce the network resource consumption, PIM-DM prunes the branches which do not forward multicast data and keeps only the branches including receivers. In order that the pruned branches which are demanded to forward multicast data can receive multicast data flows again, the pruned branches can be r...

Page 462: ...nd forward the packet to all the downstream PIM-DM nodes; that is the process of flooding. If not, that is, the router considers that the multicast packets travel into the router through incorrect interfaces, the router just discards the packets. After this process, the router will create an (S, G) entry for every host in the PIM-DM domain. If there is no multicast group member in the downstream nodes, the router ...

Page 463: ...t forwarding tree from the data source S based on the existing unicast routing table, static multicast routing table and MBGP routing table. The procedure is as follows: when a multicast packet arrives, the router first checks the path. If the interface this packet reaches is the one along the unicast route towards the multicast source, the path is considered as correct. Otherwise, the multicast packet wi...

Page 464: ...e the upstream neighbor of the (S, G) entry, which is responsible for forwarding the (S, G) multicast packets. The unselected routers will prune the corresponding interfaces to disable the information forwarding. Introduction to PIM-SM: protocol independent multicast sparse mode (PIM-SM) is a sparse mode multicast protocol. It is generally used in the following occasions, where: group members are sparsely distri...

Page 465: ...e receiver. PIM-SM is independent of the special unicast routing protocol. Instead, it performs the RPF check based on the existing unicast routing table. Work Mechanism of PIM-SM: the working procedure of PIM-SM is: neighbor discovery, DR election, RP discovery, RPT (shared tree) building, multicast source registration, switching RPT to SPT. Neighbor discovery: the neighbor discovery mechanism is the same as descri...

Page 466: ...mple network, there is only a little multicast information. One RP is enough for information forwarding. In this case, you can statically specify the position of the RP in each router in the SM domain. However, when the PIM-SM network is of very large scale, the RP forwards a lot of multicast information. In order to reduce the workload of the RP and optimize the topology of the shared tree, different multicast groups must have ...

Page 467: ... itself as BSR any more. Otherwise, the candidate BSR will keep its own BSR address and continue to consider itself as BSR. The positions of RPs and BSRs in the network are as shown in Figure 115. Figure 115 Diagram for the communication between RPs and BSRs. Only one BSR can be elected in a network or management domain, while multiple candidate BSRs (C-BSR) can be configured. In this case, once the BSR fai...

Page 468: ...t to the receiver will send Prune messages to the RP hop by hop in the direction reverse to the RPT. When the first upstream router receives the Prune message, it will delete the links with the downstream routers from the interface list and check whether it has receivers interested in the multicast information. If not, the upstream router will continue to forward the Prune message to upstream routers. Mult...

Page 469: ... reaches the router nearest to the multicast source, namely the first hop router, hop by hop, and all the passed routers have the (S, G) entry. As a result, a branch of the SPT is built. Then the last hop router sends a Prune message with the RP bit to the RP hop by hop. When the RP receives the message, it will reversely forward the Prune message to the multicast source. Thus the multicast information stream is switched f...

Page 470: ... PIM neighbors: Optional; "Configuring PIM Neighbors" on page 471. Clear the related PIM entries: Optional; "Clearing the Related PIM Entries" on page 471. Table 373 Enable PIM-DM/PIM-SM on the interface: Operation / Command / Description. Enter system view: system-view. Enable the multicast routing protocol: multicast routing-enable (Required). Enter VLAN interface view: interface Vlan-interface interface-number. Enable...

Page 471: ...ol: multicast routing-enable (Required). Enter VLAN interface view: interface Vlan-interface interface-number. Enable PIM-DM/PIM-SM on the current interface: pim dm or pim sm (Required). Configure the PIM protocol type on the interface. Configure a limit on the number of PIM neighbors on the interface: pim neighbor-limit limit (Optional). By default, the upper limit on the number of PIM neighbors on an interface is 128...

Page 472: ...iguring BSR/RP. Table 377 Configure filtering policies for multicast source/group: Operation / Command / Description. Enter system view: system-view. Enable the multicast routing protocol: multicast routing-enable (Required). Enter PIM view: pim. Perform source/group filtering on the received multicast packets: source-policy acl-number (Optional). You can configure to filter the IP addresses of some multicast groups in...

Page 473: ... interface-number hash-mask-len [ priority ] (Optional). By default, candidate BSRs are not set for the switch and the value of priority is 0. Configure candidate RPs: c-rp interface-type interface-number [ group-policy acl-number ] [ priority priority ] (Optional). You can configure to filter the IP addresses of some multicast groups in ACL. By default, candidate RPs are not set for the switch and the value of priority...

Page 474: ... network can be effectively divided into domains using different BSRs. Filtering the Registration Packets from RP to DR: through the registration packet filtering mechanism in a PIM-SM network, you can determine which sources send packets to which groups on the RP; that is, the RP can filter the registration packets from the DR and receive the specified packets only. Table 380 Configure PIM-SM domain boundary: Operati...

Page 475: ...st hop switch performs RPT-to-SPT switchover upon receiving the first multicast packet. The infinity keyword specifies that RPT-to-SPT switchover never takes place. Displaying and Debugging PIM: after completing the above configurations, you can execute the display command in any view to verify the configuration by checking the displayed information. Quit VLAN view: quit. Enter PIM view: pim. Configure to ...

Page 476: ...bles: display pim routing-table [ *g [ group-address [ mask { mask-length | mask } ] ] | **rp [ rp-address [ mask { mask-length | mask } ] ] | group-address [ mask { mask-length | mask } ] [ source-address [ mask { mask-length | mask } ] ] ] [ incoming-interface { interface-type interface-number | null } ] [ dense-mode | sparse-mode ]. You can execute the display command in any view. Display the information about PIM interfaces: display pim interface [ interface-type interface-nu...

Page 477: ...n-interface 20. <Lanswitch2> system-view. [Lanswitch2] multicast routing-enable. [Lanswitch2] interface Vlan-interface 11. [Lanswitch2-Vlan-interface11] pim dm. [Lanswitch2-Vlan-interface11] quit. [Lanswitch2] interface Vlan-interface 20. [Lanswitch2-Vlan-interface12] pim dm. [Lanswitch2-Vlan-interface12] igmp enable. The configuration on Lanswitch 3 is similar to the configuration on Lanswitch 2. PIM-SM Configuration Exam...

Page 478: ...M-SM on each interface and enable IGMP on Vlan-interface 11: <SW7750> system-view. [SW7750] multicast routing-enable. [SW7750] interface Vlan-interface 10. [SW7750-Vlan-interface10] pim sm. [SW7750-Vlan-interface10] quit. [SW7750] interface Vlan-interface 11. [SW7750-Vlan-interface11] pim sm. [SW7750-Vlan-interface11] igmp enable. [SW7750-Vlan-interface11] quit. [SW7750] interface Vlan-interface 12. [SW7750-Vlan-interface12] pim ...

Page 479: ... LS_D cannot receive BSR information from LS_B any more; that is, LS_D is excluded from the PIM domain. Configure LS_C: the configuration on LS_C is similar to the configuration on LS_A. Troubleshooting PIM: Symptom 1: the router cannot set up multicast routing tables correctly. Solution: you can troubleshoot PIM according to the following procedure. Make sure that the unicast routing is right before troubl...

Page 480: ...480 CHAPTER 47 PIM CONFIGURATION ...

Page 481: ...e to local receivers. If there is a mechanism that allows RPs of different PIM-SM domains to share their multicast source information, the local RP will be able to join multicast sources in other domains and multicast data can be transmitted among different domains. MSDP achieves this objective. By establishing MSDP peer relationships among RPs of different PIM-SM domains, source active (SA) messages can...

Page 482: ...ried in the message and joins the SPT rooted at the source across the PIM-SM domain. When multicast data from the multicast source arrives, the receiver-side MSDP peer forwards the data to the receivers along the RPT. Intermediate MSDP peer: an MSDP peer with multiple remote MSDP peers, like RP 2. An intermediate MSDP peer forwards SA messages received from one remote MSDP peer to other remote MSDP pee...

Page 483: ... gets aware of the information related to the multicast source. 2 As the source-side RP, RP 1 creates SA messages and periodically sends the SA messages to its MSDP peer. An SA message contains the source address S, the multicast group address G, and the address of the RP which has created this SA message, namely RP 1. 3 On MSDP peers, each SA message is subject to a Reverse Path Forwarding (RPF) check and ...

Page 484: ...no longer relies on RPs in other PIM-SM domains. The receivers can override the RPs in other domains and directly join the multicast source-based SPT. RPF check rules for SA messages: as shown in Figure 122, there are five autonomous systems in the network, AS 1 through AS 5, with IGP enabled on routers within each AS and EBGP as the interoperation protocol among different ASs. Each AS contains at least ...

Page 485: ...RP 6 receives the SA messages from RP 4 and RP 5 (suppose RP 5 has a higher IP address). Although RP 4 and RP 5 are in the same AS (AS 3) and both are MSDP peers of RP 6, because RP 5 has a higher IP address, RP 6 accepts only the SA message from RP 5. 5 When RP 7 receives the SA message from RP 6: because the SA message is from a static RPF peer (RP 6), RP 7 accepts the SA message and forwards it to other pe...

Page 486: ...d as this RP. In this example, Receiver joins the RPT rooted at RP 2. 3 RPs share the registered multicast information by means of SA messages. In this example, RP 1 creates an SA message and sends it to RP 2, with the multicast data from Source encapsulated in the SA message. When the SA message reaches RP 2, RP 2 decapsulates the message. 4 Receivers receive the multicast data along the RPT and directly ...

Page 487: ...g only one MSDP peer (known as a stub area), the BGP or MBGP route is not compulsory. SA messages are transferred in a stub area through the static RPF peers. In addition, the use of static RPF peers can avoid the RPF check on the received SA messages, thus saving resources. Before configuring static RPF peers, you must create an MSDP peering connection. If you configure only one MSDP peer on a router, the MSDP ...

Page 488: ...rom outside the mesh group, it sends them to other members of the group. On the other hand, a mesh group member does not perform the RPF check on SA messages from within the mesh group and does not forward the messages to other members of the mesh group. This avoids SA message flooding, since it is unnecessary to run ... Table 384 Configure MSDP basic functions: Operation / Command / Description. Enter system view: s...

Page 489: ... peers to each other To prevent failure of RPF check on SA messages between MSDP peers you must configure the RP address to be carried in the SA messages n In Anycast RP application C BSR and C RP must be configured on different devices or ports Configuring an MSDP Mesh Group Configure a mesh group name on all the peers that will become members of the MSDP mesh group so that the peers are fully co...

Page 490: ...ticast data must be encapsulated in the SA message otherwise the receiver will never receive the multicast source information By default when a new receiver joins a router does not send any SA request message to its MSDP peer but has to wait for the next SA message This defers the reception of the multicast information by the receiver In order for the new receiver to know about the currently activ...

Page 491: ... SA request message the router will get immediately a response from all active multicast sources By default the router does not send any SA request message to its MSDP peers upon receipt of a Join message instead it waits for the next SA message The SA message that the remote MSDP peer responds with is cached in advance therefore you must enable the SA message caching mechanism in advance Typicall...

Page 492: ... default an MSDP peer receives and forwards all SA messages MSDP inbound outbound filter implements the following functions Filtering out all S G entries Receiving forwarding only the SA messages permitted by advanced ACL rules An SA message carrying encapsulated data can reach the specified MSDP peer outside the domain only when the TTL in its IP header exceeds the threshold therefore you can con...

Page 493: ...configuration In user view you can execute the reset command to reset the MSDP counter Configure to filter SA messages to be received or forwarded peer peer address sa policy import export acl acl number Optional By default no filtering is imposed on SA messages to be received or forwarded namely all SA messages from MSDP peers are received or forwarded Configure the minimum TTL for the multicast ...

Page 494: ...ip is established between the RPs based on BGP routes within each PIM SM network Loopback 0 on Switch C Switch D and Switch E functions as the C BSR and C RP of its own PIM SM domain respectively An MSDP peering relationship is established between Switch C and Switch F based on EBGP routes and an MSDP peering relationship is established between Switch F and Switch D based on IBGP routes Display th...

Page 495: ...f each interface according to Figure 124 The details are omitted here 2 Enable multicast and enable PIM SM on each interface Enable multicast on SwitchC and enable PIM SM on all interfaces Switch C is taken for example The configuration procedures on other switches are similar to that on Switch C The details are omitted here Device Interface IP address Device Interface IP address Switch C Vlan int...

Page 496: ...ation of C BSRs and C RPs Configure the interface Loopback0 on Switch C Switch D and Switch F and configure the locations of C BSRs and C RPs Switch C is taken for example The configuration procedures on Switch D and Switch F are similar to that on Switch C The details are omitted here SwitchC pim SwitchC pim c bsr loopback 0 32 SwitchC pim c rp loopback 0 SwitchC pim quit 4 Configure BGP routes b...

Page 497: ...2 168 1 1 100 4 0 1 4 00 01 05 Established 192 168 3 1 200 4 0 0 0 00 00 05 Active Carry out the display bgp routing table command to view the BGP routing table information on the switches The BGP routing table information on Switch D is as follows SwitchD display bgp routing table Flags valid active I internal D damped H history S aggregate suppressed Dest Mask Next hop Med Local pref Origin As p...

Page 498: ... 192 168 3 2 Up 00 15 32 200 8 0 SwitchD display msdp brief MSDP Peer Brief Information Peer s Address State Up Down time AS SA Count Reset Count 192 168 3 1 UP 01 07 08 200 8 0 192 168 1 1 UP 00 06 39 100 13 0 View the detailed MSDP peer information on Switch F SwitchC display msdp peer status MSDP Peer 192 168 1 2 AS 200 Description Information about connection status State Up Up down time 00 15...

Page 499: ... In the PIM SM domain configure the interface IP addresses on the switches and interconnect the switches through OSPF Configure the IP address and mask of each interface according to Figure 125 The details are omitted here 2 Enable multicast and configure PIM SM Device Interface IP address Device Interface IP address Switch A Vlan int100 10 110 1 2 24 Switch D Vlan int100 10 110 3 1 24 Switch B Vl...

Page 500: ... pim c bsr loopback 10 32 SwitchC pim c rp loopback 10 SwitchC pim quit When the multicast source S1 in the PIM SM domain sends multicast information receivers on Switch D can receive multicast information Carry out the display pim routing table command to view PIM routes on the switch The information about PIM routes on Switch C and Switch D is displayed as follows SwitchC display pim routing tab...

Page 501: ...t Count 1 1 1 1 Up 00 10 18 0 0 Configuration Example of a PIM Stub Domain Network requirements Two ISPs maintain their ASs AS 100 and AS 200 respectively OSPF is running within each AS and BGP is running between the two ASs PIM SM1 belongs to AS 100 while PIM SM2 and PIM SM3 belong to AS 200 Each PIM SM domain is a single BSR managed domain each having 0 or 1 multicast source S and multiple rece...

Page 502: ...in Figure 126 The detailed configuration steps are omitted 2 Enable multicast and enable PIM SM on each interface Enable multicast on all the switches and enable PIM SM on each interface The configuration procedures on the other switches are similar to the configuration procedure on Switch C So the configuration procedures on the other switches are omitted SwitchC multicast routing enable SwitchC ...

Page 503: ...itch D and Switch F are similar to the configuration procedure on Switch C so the configuration procedures are omitted SwitchC pim SwitchC pim c bsr loopback 0 32 SwitchC pim c rp loopback 0 SwitchC pim quit 4 Configure a static RPF peer Configure Switch D and Switch F as static RPF peers of Switch C SwitchC ip ip prefix list df permit 192 168 0 0 16 greater equal 1 6 less equal 32 SwitchC msdp Sw...

Page 504: ...r is configured but it is always in the down state Analysis An MSDP peer relationship between the locally configured connect interface interface address and the configured peer address is based on a TCP connection If the address of local connect interface interface is inconsistent with the peer address configured on the peer router no TCP connection can be established If there is no route between ...

Page 505: ... entries of the local multicast domain through SA messages verify that the import source command is configured correctly Solution 1 Check the connectivity of the route between the routers Use the display ip routing table command to check that the unicast route between the routers is correct 2 Further check that a unicast route exists between two routers that will become MSDP peers and that the rou...

Page 506: ...506 CHAPTER 48 MSDP CONFIGURATION ...

Page 507: ...is configured on this device Local authentication is fast and requires lower operational cost But the information storage capacity is limited by device hardware Remote authentication Users are authenticated remotely through the RADIUS protocol or HWTACACS protocol This device for example a 3Com series switch acts as the client to communicate with the RADIUS server or TACACS server For RADIUS proto...

Page 508: ...n ISP domain view Introduction to RADIUS AAA is a management framework It can be implemented by not only one protocol But in practice the most commonly used protocol for AAA is RADIUS What is RADIUS RADIUS remote authentication dial in user service is a distributed information exchange protocol in client server structure It can prevent unauthorized access to the network and is commonly used in net...

Page 509: ... RADIUS client a switch for example and the RADIUS server are verified by using a shared key This enhances the security The RADIUS protocol combines the authentication and authorization processes together by sending authorization information in the authentication response message Figure 128 depicts the message exchange procedure between user switch and RADIUS server Figure 128 Basic message exchan...

Page 510: ...epts or denies the user depending on the received authentication result If it accepts the user the RADIUS client sends a start accounting request Accounting Request with the Status Type field set to start to the RADIUS server 5 The RADIUS server returns a start accounting response Accounting Response 6 The user starts to access the resources 7 The RADIUS client sends a stop accounting request Acco...

Page 511: ...rk This packet carries user information It must contain the User Name attribute and may contain the following attributes NAS IP Address User Password and NAS Port 2 Access Accept Direction server client The server transmits this packet to the client if all the attribute values carried in the Access Request packet are acceptable that is the user passes the authentication 3 Access Reject Direction s...

Page 512: ...rotocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS Figure 130 depicts the structure of attribute 26 The Vendor ID field representing the code of the vendor occupies four bytes The first byte is 0 and the other three bytes are defined in RFC1700 Here the vendor can encapsulate multiple Table 396 RADIUS attributes Value of the Type field At...

Page 513: ...ical HWTACACS application a dial up or terminal user needs to log in to the device for operations As the client of HWTACACS in this case the switch sends the username and password to the TACACS server for authentication After passing authentication and being authorized the user can log in to the switch to perform operations as shown in Figure 131 Code Attribute Identifier 0 7 Length Authenticator ...

Page 514: ...t HWTACACS server HWTACACS server TACACS server User TACACS client Requests to log in Authentication start request Authentication response requesting username Requests username Enters username Authentication continuous message carrying username Authentication response requesting password Requests password Enters password Authentication success response Authorization request Authorization success r...

Page 515: ...entication continuance packet carrying the login password to the TACACS server 6 The TACACS server sends back an authentication response indicating that the user has passed the authentication 7 The TACACS client sends the user authorization request packet to the TACACS server 8 The TACACS server sends back the authorization response indicating that the user has passed the authorization 9 Upon rece...

Page 516: ... for the ISP domain Required If local authentication is adopted refer to Configuring the Attributes of a Local User on page 523 If RADIUS authentication is adopted refer to RADIUS Configuration on page 525 Configuring an AAA Scheme for an ISP Domain on page 520 Configure dynamic VLAN assignment Optional Configuring Dynamic VLAN Assignment on page 522 Configure the attributes of a local user Option...

Page 517: ...page 528 Configure the supported RADIUS server type Optional Configuring the Supported RADIUS Server Type on page 528 Configure the status of RADIUS servers Optional Configuring the Status of RADIUS Servers on page 528 Configure the attributes for data to be sent to RADIUS servers Optional Configuring the Attributes for Data to be Sent to RADIUS Servers on page 529 Configure a local RADIUS authent...

Page 518: ...cheme Required Creating a HWTACACS Scheme on page 532 Configure HWTACACS authentication servers Required Configuring HWTACACS Authentication Servers on page 532 Configure HWTACACS authorization servers Required Configuring HWTACACS Authorization Servers on page 533 Configure HWTACACS accounting servers Optional Configuring HWTACACS Accounting Servers on page 533 Configure shared keys for RADIUS pa...

Page 519: ...ription Enter system view system view Create an ISP domain or enter the view of an existing ISP domain domain isp name Required Activate deactivate the ISP domain state active block Optional By default once an ISP domain is created it is in the active state and all the users in this domain are allowed to access the network Set the maximum number of access users that can be contained in the ISP dom...

Page 520: ... scheme name local command the local scheme becomes the secondary scheme in case the RADIUS server does not respond normally That is if the communication between the switch and the RADIUS server is normal no local authentication is performed otherwise local authentication is performed If you execute the scheme hwtacacs scheme radius scheme name local command the local scheme becomes the secondary...

Page 521: ...horization and accounting schemes the separate ones will be adopted in precedence RADIUS scheme and local scheme do not support the separation of authentication and authorization Therefore pay attention when you make Table 402 Configure separate AAA schemes Operation Command Description Enter system view system view Create an ISP domain or enter the view of an existing ISP domain domain isp name R...

Page 522: ... with the assigned ID and then adds the port to the newly created VLAN String If the RADIUS server assigns string type of VLAN IDs you can set the VLAN assignment mode to string on the switch Then upon receiving a string ID assigned by the RADIUS authentication server the switch compares the ID with existing VLAN names on the switch If it finds a match it adds the port to the corresponding VLAN Ot...

Page 523: ... Create an ISP domain and enter its view domain isp name Set the VLAN assignment mode vlan assignment mode inte ger string Optional By default the VLAN assignment mode is integer Create a VLAN and enter its view vlan vlan id Set a VLAN name for VLAN assignment name string This operation is required if the VLAN assignment mode is set to string Table 404 Configure dynamic VLAN assignment Operation C...

Page 524: ...o cut down the connection Authorize the user to access the specified type s of service s service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize the user to access any service Set the priority level of the user level level Optional By default the priority level of the user is 0 Set the attributes of the user whose service type is lan access att...

Page 525: ...tion exchange between the switch and the RADIUS servers To make these parameters take effect you must reference the RADIUS scheme configured with these parameters in an ISP domain view For specific configuration commands refer to AAA Configuration on page 518 Creating a RADIUS Scheme The RADIUS protocol configuration is performed on a RADIUS scheme basis You should first create a RADIUS scheme and...

Page 526: ...n Command Description Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Set the IP address and port number of the primary RADIUS accounting server primary accounting ip address port number Required By default the IP address and UDP port number of the primar...

Page 527: ...t fails to perform accounting it cuts down the connection of the user The IP address and the port number of the default primary accounting server system are 127 0 0 1 and 1646 Currently RADIUS does not support the accounting of FTP users Configuring Shared Keys for RADIUS Packets The RADIUS client and server adopt MD5 algorithm to encrypt the RADIUS packets exchanged with each other The two partie...

Page 528: ...y restores the communication with the primary server instead of communicating with the secondary server and at the same time restores the status of the primary server to the active state while keeping the status of the secondary server unchanged When both the primary and secondary servers are in active or block state the switch sends packets only to the primary server Table 411 Configure the maxim...

Page 529: ...nting block active Set the status of the secondary RADIUS authentication authori zation server state secondary authentication block active Set the status of the secondary RADIUS accounting server state secondary accounting block active Table 414 Configure the attributes for data to be sent to the RADIUS servers Operation Command Description Enter system view system view Create a RADIUS scheme and ...

Page 530: ...authentication servers including the default local RADIUS authentication server Configuring the Timers of RADIUS Servers If the switch gets no response from the RADIUS server after sending out a RADIUS request authentication authorization request or accounting request and waiting for a period of time it should retransmit the packet to ensure that the user can obtain the RADIUS service This wait ti...

Page 531: ...tart function is designed to resolve the above problem After this function is enabled every time the switch restarts 1 The switch generates an Accounting On packet which mainly contains the following information NAS ID NAS IP address source IP address and session ID 2 The switch sends the Accounting On packet to CAMS at regular intervals 3 Once the CAMS receives the Accounting On packet it sends a...

Page 532: ...protocol is configured scheme by scheme Therefore you must create a HWTACACS scheme and enter HWTACACS view before you perform other configuration tasks c CAUTION The system supports up to 16 HWTACACS schemes You can only delete the schemes that are not being used Configuring HWTACACS Authentication Servers Table 417 Enable the user re authentication upon device restart function Operation Command ...

Page 533: ...ort number of the secondary TACACS authentication server secondary authentication ip address port Required By default the IP address of the secondary authentication server is 0 0 0 0 and the port number is 0 Table 419 Configure HWTACACS authentication servers Operation Command Description Table 420 Configure TACACS authorization servers Operation Command Description Enter system view system view C...

Page 534: ...ry TACACS accounting server primary accounting ip address port Required By default the IP address of the primary accounting server is 0 0 0 0 and the port number is 0 Set the IP address and port number of the secondary TACACS accounting server secondary accounting ip address port Required By default the IP address of the secondary accounting server is 0 0 0 0 and the port number is 0 Enable the st...

Page 535: ...n names Set the units of measure for data flows sent to TACACS servers data flow format data byte giga byte kilo byte mega byte Optional By default in a TACACS scheme the unit of measure for data is byte and that for packets is one packet data flow format packet giga packet kilo packet mega packet one packet Set the source IP address used by the switch to send HWTACACS packets HWTACACS view nas ip...

Page 536: ...lay command in any view Display the information about user connections display connection access type dot1x domain domain name interface interface type interface number ip ip address mac mac address radius scheme radius scheme name vlan vlan id ucibindex ucib index user name user name Display the information about local users display local user domain isp name idle cut disable enable vlan vlan id ...

Page 537: ... the RADIUS protocol reset radius statistics Table 427 Display and maintain HWTACACS protocol information Operation Command Description Display the configuration or statistic information about one specific or all HWTACACS schemes display hwtacacs hwtacacs scheme name statistics You can execute the display command in any view Display the buffered HWTACACS stop accounting request packets that are no...

Page 538: ...t user names and login passwords The Telnet user name added to the RADIUS server must be in the format of userid isp name if you have configured the switch to include domain names in the user names to be sent to the RADIUS server Network diagram Figure 133 Remote RADIUS authentication of Telnet users Configuration procedure Enter system view SW7750 system view SW7750 Adopt AAA authentication for Te...

Page 539: ... of Telnet users The following description only takes the local authentication of Telnet users as example Network requirements In the network environment shown in Figure 134 you are required to configure the switch so that the Telnet users logging into the switch are authenticated locally Network diagram Figure 134 Local authentication of Telnet users Configuration procedure Method 1 Using a local...

Page 540: ...with the configuration in RADIUS scheme TACACS Authentication Authorization and Accounting of Telnet Users Network requirements You are required to configure the switch so that the Telnet users logging in to the TACACS server are authenticated authorized and accounted Configure the switch to A TACACS server with IP address 10 1 1 1 is connected to the switch This server will be used as the AAA ser...

Page 541: ...in is specified on the switch Use the correct user name format or set a default ISP domain on the switch The user is not configured in the database of the RADIUS server Check the database of the RADIUS server make sure that the configuration information about the user exists The user entered an incorrect password Be sure to input the correct password The switch and the RADIUS server have different s...

Page 542: ...t properly set Be sure to set a correct port number for RADIUS accounting The switch requests that both the authentication authorization server and the accounting server use the same device with the same IP address but in fact they are not resident on the same device Be sure to configure the RADIUS servers on the switch according to the actual situation Troubleshooting the HWTACACS Protocol See th...

Page 543: ...bled the switch determines the validity of session control packets it receives according to the source IP address of the packets Only those session control packets sent from the authentication server and the security policy server can be regarded as valid Basic EAD functions are implemented through the cooperation among security client security cooperation device switch security policy server anti...

Page 544: ...dard the security policy server reissues an ACL to the switch to assign the access right to the client EAD Configuration Configuration prerequisites EAD is implemented typically in RADIUS scheme Before configuring EAD perform the following configuration Configuring the attributes such as the user name user type and password for access users If local authentication is performed you need to configur...

Page 545: ...server Configure the authentication server type to extended Configure the encryption password for exchanging messages between the switch and RADIUS server to expert Configure the IP address of the security policy server to 10 110 91 166 Enter RADIUS scheme view radius scheme radius scheme name Configure the RADIUS server type to extended server type extended Optional By default for a new RADIUS sc...

Page 546: ...0 radius cams primary authentication 10 110 91 164 1812 SW7750 radius cams key authentication expert SW7750 radius cams accounting optional SW7750 radius cams server type extended Configure the IP address for the security policy server SW7750 radius cams security policy server 10 110 91 166 Associate domain with RADIUS scheme SW7750 radius cams quit SW7750 domain system SW7750 isp system radius sch...

Page 547: ...ess configured for a traffic group You can configure some network addresses for a traffic group and then traffic generated by accessing these addresses will be accounted Traffic collection module an interface module configured to perform traffic collection A traffic collection module sends all the traffic passing through it to the traffic accounting module Traffic accounting module the module whic...

Page 548: ...affic accounting module periodically sends update traffic accounting statistics to the accounting server 7 When the user goes offline the authenticator device sends the total traffic amount to the accounting server 8 The accounting process is over for this user Configuring Traffic Accounting Prerequisites A service module that can be used as the traffic accounting module is plugged into the switch...

Page 549: ...traffic collection card Traffic slot slot num Required Enable the traffic accounting function accounting enable Required By default this function is disabled on the traffic accounting module Table 430 Configure traffic group Configuration Command Description Enter system view system view Create a traffic group and enter traffic group view traffic accounting traffic group group name Required Config...

Page 550: ... traffic group somegroup Configure the following two destination network IP addresses for the traffic accounting group SW7750 traffic group somegroup network 11 127 1 0 24 SW7750 traffic group somegroup network 12 127 1 0 24 SW7750 traffic group somegroup quit Enter the user s domain view suppose the user belongs to domain aaa set the accounting mode to traffic accounting and configure the domain ...

Page 551: ...group rate 1 SW7750 isp aaa quit Configure the traffic accounting module specify the traffic collection module and enable the traffic accounting function SW7750 traffic accounting accounting slot 2 SW7750 accounting slot 2 traffic slot 3 SW7750 accounting slot 2 accounting enable ...

Page 552: ...552 CHAPTER 51 TRAFFIC ACCOUNTING CONFIGURATION ...

Page 553: ...to the Layer 3 Switch implementing communication between these hosts and the external network If Switch fails all the hosts on this segment taking Switch as the next hop through the default routes are cut off from the external network Figure 141 LAN Networking VRRP designed for LANs with multicast and broadcast capabilities such as Ethernet settles the problem caused by switch failures VRRP combin...

Page 554: ...between the hosts and the external networks This ensures the communications between the hosts and the external networks Virtual Router Overview After you enable VRRP on the switches of a backup group a virtual router is formed You can perform related configuration on the virtual router Configuring a virtual router IP address The IP address of the virtual router can be an unassigned IP address of t...

Page 555: ...lready enabled the system does not support this configuration By default virtual router IP addresses are mapped to the virtual MAC address of a backup group n When you map a virtual IP address to the virtual MAC address on a Switch 7750 the number of backup groups that can be configured on a VLAN interface is determined by the chips used Refer to the device specification for details Backup Group Config...

Page 556: ...uthentication key should not exceed eight characters In a vulnerable network the authentication type can be set to md5 The switch then uses the authentication type provided by the Authentication Header and MD5 algorithm to authenticate the VRRP packets In this case you need to set an authentication key in plain text comprising up to eight characters or an authentication key of a 24 character encry...

Page 557: ...As a result another switch in the backup group may have a higher priority than this switch and therefore take over the role as the master switch n The Ethernet port tracked can be in or out of the VLAN in whose interface the backup group resides If a switch is the IP address owner the VLAN interface Ethernet port tracking function cannot be enabled for the switch If a tracked VLAN interface Ethernet ...

Page 558: ...ated parameters Operation Command Description Enter system view system view Create a VLAN vlan vlan id Quit to system view quit Enter VLAN interface view interface Vlan interface vlan id Configure the priority of the backup group vrrp vrid virtual router id priority priority Optional By default the priority of a backup group is 100 Configure the preemptive mode and delay period for the backup grou...

Page 559: ...e mode enabled Table 436 Display and Maintain VRRP Operation Command Description Display the VRRP statistics information display vrrp statistics interface interface type interface number vrid virtual router id You can execute the display command in any view Display the VRRP status information display vrrp interface interface type interface number vrid virtual router id Display the detailed VRRP in...

Page 560: ... 1 255 255 255 0 LSW A Vlan interface2 quit Enable a backup group to respond to ping operations destined for its virtual router IP address LSW A vrrp ping enable Create a backup group LSW A interface Vlan interface 2 LSW A Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set the priority for the backup group LSW A Vlan interface2 vrrp vrid 1 priority 110 LSW A Host A Internet Host B LSW B VLA...

Page 561: ...backup group LSW B Vlan interface2 vrrp vrid 1 preempt mode The IP address of the default gateway of Host A can be configured to be 202 38 160 111 Normally Switch A functions as the gateway but when Switch A is turned off or malfunctions Switch B will function as the gateway instead Configure Switch A to operate in preemptive mode so that it can resume its gateway function as the master switch aft...

Page 562: ...p address 202 38 160 1 255 255 255 0 LSW A Vlan interface2 quit Configure that the virtual router can be pinged LSW A vrrp ping enable Create a backup group LSW A interface Vlan interface 2 LSW A Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set the priority for the backup group LSW A Vlan interface2 vrrp vrid 1 priority 110 LSW A Host A Internet Host B LSW B VLAN Interface3 10 100 10 2 Vi...

Page 563: ...terface 2 LSW B Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set the authentication key for the backup group LSW B Vlan interface2 vrrp vrid 1 authentication mode md5 abc123 Set the master to send VRRP packets once in every 5 seconds LSW B Vlan interface2 vrrp vrid 1 timer advertise 5 Normally Switch A functions as the gateway but when VLAN 3 interface on Switch A goes down its priority w...

Page 564: ...ernet 1 0 6 LSW A vlan2 quit LSW A interface Vlan interface 2 LSW A Vlan interface2 ip address 202 38 160 1 255 255 255 0 Create backup group 1 LSW A Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set the priority for backup group 1 LSW A Vlan interface2 vrrp vrid 1 priority 150 Create backup group 2 LSW A Vlan interface2 vrrp vrid 2 virtual ip 202 38 160 112 Configure Switch B Switch A Hos...

Page 565: ...p group or the attempt of other devices sending out illegal VRRP packets The first possible fault can be solved through modifying the configuration And as the second possibility is caused by the malicious attempt of some devices non technical measures should be resorted to Symptom 2 More than one master existing within a backup group There are also 2 reasons One is short time coexistence of many m...

Page 566: ...IGURATION Symptom 3 VRRP state of a switch changes repeatedly Such problems occur when the backup group timer duration is too short They can be solved through prolonging the duration or configuring the preemption delay period ...

Page 567: ...anually switchover master slave You can change the current module state manually by executing command c CAUTION The HA feature of the Switch 7758 can detect the software upgrade of the two Fabric with at least one Fabric being active However the Fabric and the I O Module of the Ethernet switches must be identical in their software version otherwise they cannot work normally So that during the upgr...

Page 568: ...slave module works normally you can set the slave system restart manually Perform the following configuration in user view Performing the Master Slave Switchover Manually When the slave module is available and the master is in real time backup state you can inform the slave module of a master slave switchover by using a command if you expect the slave module to operate in place of the master modul...

Page 569: ...onfiguration file to the slave module only if the slave system operates normally The configuration file will be fully copied at each time the operation is executed Displaying HA After the above configuration you can execute the display command in any view to view the HA configuration and to verify the effect of the configuration Table 440 Perform the master slave switchover manually Operation Comm...

Page 570: ...CHAPTER 53 HA CONFIGURATION ...

Page 571: ...ure All fields except for the target hardware address field are used in an ARP request The target hardware address is just what the sender wants to obtain All fields are used in an ARP reply Figure 146 ARP packet format Table 444 describes the fields of an ARP packet Table 444 Field descriptions of an ARP packet Field Description Hardware Type Type of the hardware interface See Table 445 for the v...

Page 572: ...ytes Protocol address length Length of the protocol address in bytes Operation code Type of the packet which can be 1 ARP request 2 ARP reply 3 RARP request 4 RARP reply Sender hardware address Hardware address of the sender Sender IP address IP address of the sender Target hardware address This field is null for an ARP request and is the hardware address of the receiver for an ARP reply Target IP...

Page 573: ...address and MAC address carried in the request IP_A and MAC_A of Host A in an entry to its ARP table and then returns an ARP reply packet to the sender Host A with its MAC address carried in the packet Note that the ARP reply is a unicast packet instead of a broadcasted packet Upon receiving the ARP reply Host A extracts the IP address and MAC address of Host B from the packet adds them in an entr...

Page 574: ...d This prevents traffic interruption as mentioned above How gratuitous ARP update interval works A switch periodically sends gratuitous ARP packets that carry the master IP address and secondary IP address of VLAN interfaces and the IP addresses of all the VRRP virtual routers to update the ARP entries on the device that is connected to the switch and incapable of updating ARP entries actively If ...

Page 575: ... on a trusted port Introduction to ARP Source Suppression With the ARP source suppression function the switch classifies incoming ARP packets and limits the maximum number of ARP packets with the same type that can be sent to the CPU in a time of time so as to protect the CPU from being attacked by illegal ARP packets generated by ARP scanning of a host to the whole network A Switch 7750 classifie...

Page 576: ...figuring the Aging Time for Dynamic ARP Entries on page 577 Configure ARP entry checking Optional Configuring ARP Entry Checking on page 577 Enabling ARP forwarding in the protocol based VLAN Optional Enabling ARP Forwarding in the Protocol Based VLAN on page 577 Configure gratuitous ARP Optional Configuring Gratuitous ARP on page 578 Configure ARP attack detection Optional Configuring ARP Attack ...

Page 577: ...P to MAC resolutions Enter port view interface interface type interface number Configure the maximum number of dynamic ARP entries that can be learnt by the port arp max dynamic entry number Optional It is 2048 by default Table 450 Configure the maximum number of ARP entries that can be learnt on a port Operation Command Description Table 451 Configure the aging time for dynamic ARP entries Operat...

Page 578: ...n Enter system view system view Enable gratuitous ARP learning gratuitous arp learning enable Required Disabled by default Table 455 Configure the gratuitous ARP update interval Operation Command Description Enter system view system view Enable gratuitous ARP packets to be sent periodically arp gratuitous updating enable Required By default this function is disabled on the switch Set a gratuitous ...

Page 579: ... port is 15pps Configure the port state auto recovery interval arp protective down recover interval time Optional 300 seconds by default Configure the port as a trusted port for ARP packet rate limit arp rate limit trust Optional By default the port is an untrusted port Table 457 Configure the ARP packet rate limit function Operation Command Description Table 458 Configure ARP source suppression O...

Page 580: ...isplay command in any view Display ARP entries display arp static dynamic ip address Display the ARP entries matching a specified rule display arp begin include exclude text Display the number limits of ARP entries display arp entry limit interface type interface number Display the ARP entries of all ports on a specified slot display arp slot slot id Display the ARP entries of all ports in a speci...

Page 581: ...n on the ports of Switch A and set the recovery interval to 200 seconds Network diagram Figure 147 ARP packet rate limit configuration Configuration procedure Enable DHCP snooping on Switch A SwitchA system view SwitchA dhcp snooping Specify Ethernet 2 0 1 as the trusted port for DHCP snooping and ARP packet rate limit SwitchA interface Ethernet2 0 1 SwitchA Ethernet2 0 1 dhcp snooping trust Switc...

Page 582: ...CHAPTER 54 ARP CONFIGURATION SwitchA arp protective down recover interval 200 ...

Page 583: ...two hosts cannot communicate With proxy ARP enabled on the switch when VLAN interface 3 receives the ARP request if the switch finds a route to the destination IP address encapsulated in the ARP request in the routing table the switch sends host A the MAC address 00 00 0e 12 33 33 of VLAN interface 3 in an ARP response with the source IP address being the destination IP address of the ARP request ...

Page 584: ...hen isolate user vlan function is enabled on the Layer 2 switches connected with the Switch 7750 ports in the same VLAN are isolated with each other at Layer 2 To provide Layer 3 connectivity between Layer 2 isolated ports in the same VLAN you need to enable the intra VLAN ARP proxy function on the Switch 7750 to have ARP proxy process intra VLAN ARP requests Configuring Proxy ARP Proxy ARP Config...

Page 585: ...ce3 quit Configure the IP address of VLAN interface 4 as 192 168 1 27 24 Switch interface Vlan interface 4 Switch Vlan interface4 ip address 192 168 1 27 24 Switch Vlan interface4 quit Enable proxy ARP on VLAN interface 3 Switch interface Vlan interface 3 Switch Vlan interface3 arp proxy enable Switch Vlan interface3 quit Enable proxy ARP on VLAN interface 4 Switch interface Vlan interface 4 Switc...

Page 586: ... Switch vlan10 supervlan Switch vlan10 subvlan 2 3 Switch vlan10 interface vlan interface 10 Switch Vlan interface10 ip address 192 168 10 100 255 255 0 0 Switch Vlan interface10 quit Enable proxy ARP on VLAN interface 10 to allow Host A and Host B to communicate with each other through ARP Switch system view Switch interface vlan interface 10 Switch Vlan interface10 arp proxy enable Switch Vlan i...

Page 587: ...vlan 2 SwitchB vlan2 port ethernet 2 0 2 SwitchB vlan2 quit SwitchB vlan 3 SwitchB vlan3 port ethernet 2 0 3 SwitchB vlan3 quit SwitchB vlan 5 SwitchB vlan5 port ethernet 2 0 1 SwitchB vlan5 isolate user vlan enable SwitchB vlan5 quit SwitchB isolate user vlan 5 secondary 2 3 2 Configure Switch A Configure VLAN 5 and add Ethernet 2 0 1 to it SwitchA system view SwitchA vlan 5 SwitchA vlan5 port et...

Page 588: ...CHAPTER 55 PROXY ARP CONFIGURATION SwitchA Vlan interface5 arp proxy enable SwitchA Vlan interface5 arp proxy source vlan enable SwitchA Vlan interface5 quit ...

Page 589: ...CP servers return the corresponding configuration information such as IP addresses to configure IP addresses dynamically A typical DHCP application includes one DHCP server and multiple clients such as PCs and laptops as shown in Figure 152 Figure 152 Typical DHCP application DHCP IP Address Assignment IP Address Assignment Policy Currently DHCP provides the following three IP address assignment p...

Page 590: ...nment of the IP address to the client When the client receives the DHCP ACK packet it broadcasts an ARP packet with the assigned IP address as the destination address to detect the assigned IP address and uses the IP address only if it does not receive any response within a specified period n The IP addresses offered by other DHCP servers if any are not used by the DHCP client and are still availa...

Page 591: ...DHCP client initiates a DHCP request flags The first bit is the broadcast response flag bit It is used to identify that the DHCP response packet is sent in the unicast or broadcast mode Other bits are reserved ciaddr IP address of a DHCP client yiaddr IP address that the DHCP server assigns to a client siaddr IP address of the DHCP server giaddr IP address of the first DHCP relay agent that the DH...

Page 592: ...ols the DHCP server picks IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients Trunk DHCP packets received from DHCP clients are forwarded to an external DHCP server which assigns IP addresses to the DHCP clients You can specify the mode to process DHCP packets For the configuration of the first two modes see Chapter 57 DHC...

Page 593: ...e lease time of the IP address to the DHCP client Types of address pools The address pools of a DHCP server fall into two types global address pool and interface address pool A global address pool is created by executing the dhcp server ip pool command in system view It is valid on the current device If an interface is configured with a valid unicast IP address you can create an interface based ad...

Page 594: ...s IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients A DHCP server assigns IP addresses in interface address pools or global address pools to DHCP clients in the following sequence IP addresses that are statically bound to the MAC addresses of DHCP clients IP addresses that are ever used by DHCP clients That is those in t...

Page 595: ...re NetBIOS services for the DHCP server Optional Configuring NetBIOS Services for the DHCP Server on page 598 Customize DHCP service Optional Customizing DHCP Service on page 599 Configure gateway addresses for DHCP clients Optional Configuring Gateway Addresses for DHCP Clients on page 599 Table 461 Global address pool based DHCP server configuration tasks Configuration task Description Related s...

Page 596: ... be coupled In the same global DHCP address pool if the static bind ip address command or the static bind mac address command is executed repeatedly the new configuration overwrites the previous one The IP address to be statically bound cannot be an interface IP address of the DHCP server otherwise static binding does not take effect A client can permanently use the statically bound IP address tha...

Page 597: ...addresses while assigning IP addresses to DHCP clients Currently you can configure up to eight DNS server addresses for a DHCP address pool You can configure domain names to be used by DHCP clients for address pools After you do this the DHCP server provides the domain names to the DHCP clients as well while the former assigns IP addresses to the DHCP clients Table 465 Configure to assign IP addre...

Page 598: ...INS server returns the IP address corresponding to the destination node name to the source node M node Nodes of this type are p nodes mixed with broadcasting features The character m stands for the word mixed that is to say this type of nodes obtain mappings by sending broadcast packets first If they fail to obtain mappings they send unicast packets to the WINS server to obtain mappings H node Nod...

Page 599: ...ients to be of a specific NetBIOS node type netbios type b node h node m node p node Optional By default no NetBIOS node type of the DHCP client is specified and a DHCP client uses an h node Table 467 Configure NetBIOS services for the DHCP server Operation Command Description Table 468 Customize DHCP service Operation Command Description Enter system view system view Create a DHCP address pool an...

Page 600: ...es contained in it belong to the network segment where the interface resides and are available to the interface only You can perform certain configurations for DHCP address pools of an interface or multiple interfaces within specified interface ranges Configuring for multiple interfaces eases configuration work load and makes you to configure in a more convenient way Table 470 Interface address po...

Page 601: ...ients When such a DHCP client applies for an IP address the DHCP server finds the IP address corresponding to the MAC address of the DHCP client and then assigns the IP address to the DHCP client Customize DHCP service Optional Customizing DHCP Service on page 605 Table 470 Interface address pool based DHCP server configuration tasks Configuration task Description Related section Table 471 Enable ...

Page 602: ...igned to DHCP clients are those not occupied by specific network devices such as gateways and FTP servers The lease time can differ with address pools But that of the IP addresses of the same address pool is the same Lease time is not inherited that is to say the lease time of a child address pool is not affected by the configuration of the parent address pool Enter interface view interface interf...

Page 603: ...server you can configure domain names to be used by DHCP clients for address pools After you do this the DHCP server provides the domain names to the DHCP clients while the DHCP server assigns IP addresses to the DHCP clients Specify the IP addresses that are not dynamically assigned dhcp server forbidden ip low ip address high ip address Optional By default all IP addresses in a DHCP address pool...

Page 604: ...t packet to the WINS server After receiving the unicast packet the WINS server returns the IP address corresponding to the destination node name to the source node M node Nodes of this type are p nodes mixed with broadcasting features The character m stands for the word mixed that is to say this type of nodes obtain mappings by sending broadcast packets first If they fail to obtain mappings they s...

Page 605: ...Required By default no NetBIOS node type is specified and a DHCP client uses an h node dhcp server netbios type b node h node m node p node quit Configure multiple interfaces in system view dhcp server netbios type b node h node m node p node interface interface type interface number to interface type interface number all Table 476 Configure NetBIOS services for the DHCP server Operation Command D...

Page 606: ...t assigns the address to a DHCP client IP address detecting is achieved by performing ping operations To detect whether an IP address is currently in use the DHCP server sends an ICMP packet with the IP address to be assigned as the destination and waits for a response If the DHCP server receives no response within a specified time it resends an ICMP packet This procedure repeats until the DHCP se...

Page 607: ...n the same network segment The network segment 10 1 1 0 24 to which the IP addresses of the address pool belong is divided into two sub network segments 10 1 1 0 25 and 10 1 1 128 25 The switch operating as the DHCP server hosts two VLANs whose interface IP addresses are 10 1 1 1 25 and 10 1 1 129 25 respectively Table 480 Display and maintain DHCP server configuration Operation Command Descriptio...

Page 608: ... example in the network to which VLAN interface 1 is connected if multiple clients apply for IP addresses the child address pool 10 1 1 0 25 assigns IP addresses first When the IP addresses in the child address pool have been assigned if other clients need IP addresses the IP addresses will be assigned from the parent address pool 10 1 1 0 24 and the attributes will be based on the configuration o...

Page 609: ...omain name aabbcc com SW7750 dhcp pool 0 dns list 10 1 1 2 SW7750 dhcp pool 0 quit Configure DHCP address pool 1 including address range gateway and lease time SW7750 dhcp server ip pool 1 SW7750 dhcp pool 1 network 10 1 1 0 mask 255 255 255 128 SW7750 dhcp pool 1 gateway list 10 1 1 126 SW7750 dhcp pool 1 expired day 10 hour 12 SW7750 dhcp pool 1 quit Configure DHCP address pool 2 including addre...

Page 610: ...configured on a host if you receive a response packet of the ping operation You can then disable the IP address from being dynamically assigned by using the dhcp server forbidden ip command on the DHCP server Attach the DHCP client to the network release the dynamically assigned IP address and obtain an IP address again For example enter DOS by executing the cmd command in Windows XP and then rele...

Page 611: ...IP addresses In this case the DHCP clients in multiple networks can use the same DHCP server which can decrease your cost and provide a centralized administration DHCP Relay Agent Fundamentals Figure 155 illustrates a typical DHCP relay agent application Figure 155 Typical DHCP relay agent application DHCP relay agents can transparently transmit broadcast packets on DHCP clients or servers to the ...

Page 612: ...ents through which and other proper software you can achieve the DHCP assignment limitation and accounting functions Primary terminologies Option A length variable field in DHCP packets carrying information such as part of the lease information and packet type It includes at least one option and at most 255 options Option 82 Also known as relay agent information option This option is a part of the...

Page 613: ...to which the DHCP client belongs and the MAC address of the DHCP relay agent 5 Upon receiving the DHCP request packet forwarded by the DHCP relay agent the DHCP server stores the information contained in the option field and sends a packet that contains DHCP configuration information and option 82 to the DHCP relay agent 6 Upon receiving the packet returned from the DHCP server the DHCP relay agen...

Page 614: ...ring a DHCP Relay Agent to Broadcast Responses to Clients on page 615 Specify gateways for DHCP clients Optional Specifying Gateways for DHCP Clients on page 615 Specify source IP address of uplink packets Optional Specifying the Source IP Address of Uplink Packets on page 616 Configure DHCP relay agent security functions Optional Configuring DHCP Relay Agent Security Functions on page 617 Configu...

Page 615: ...ients After this function is enabled even if the flag field in the DHCP DISCOVER packet is set to 0 the DHCP relay agent still broadcasts responses to the clients Specifying Gateways for DHCP Clients To implement this feature on the DHCP relay agent you need to bind ports in a VLAN to either the VLAN interface s primary IP address or one of its secondary IP addresses a gateway address The binding ...

Page 616: ...secondary Removing all the gateways in system view Specifying the Source IP Address of Uplink Packets When a Switch 7750 Ethernet switch working as a DHCP relay agent forwards a client s packet to the DHCP server the source IP address of the packet is the IP address of the relay agent s interface that connects to the DHCP server by default Table 485 Specify a gateway in Ethernet port view Operatio...

Page 617: ...ed a DHCP relay agent inhibits a user from accessing external networks if the binding of the IP address MAC address VLAN ID and port number do not match any entries including the entries dynamically tracked by the DHCP relay agent and the manually configured static entries in the user address table on the DHCP relay agent Table 488 Specify the source IP address of uplink packets Operation Command ...

Page 618: ...task you can validate or invalidate the dynamic IP to MAC mapping entries generated by the DHCP relay agent DHCP client addresses are matched based on the dynamic entries generated by DHCP relay agent only after these entries are activated otherwise DHCP client addresses are matched based only on the security address entries statically configured Table 490 Specify address checking fields Operation...

Page 619: ...nd lease time The routes between the DHCP relay agent and the DHCP server are reachable Enabling option 82 supporting on a DHCP relay agent The following operations need to be performed on a DHCP relay agent enabled network device n To enable option 82 you need to perform the corresponding configuration on the DHCP server and the DHCP relay agent Table 492 Configure whether to allow freely connect...

Page 620: ...k diagram Figure 156 Network diagram for DHCP relay agent Configuration procedure Enter system view SW7750 system view Table 494 Display DHCP relay agent configuration Operation Command Description Display the information about a specified DHCP server group display dhcp server groupNo You can execute the display command in any view Display the information about the DHCP server group to which a spe...

Page 621: ... Relay Agent Symptom A client fails to obtain configuration information through a DHCP relay agent Analysis This problem may be caused by improper DHCP relay agent configuration When a DHCP relay agent operates improperly you can locate the problem by enabling debugging and checking the information about debugging and interface state You can display the information by executing the corresponding d...

Page 622: ...CHAPTER 58 DHCP RELAY AGENT CONFIGURATION ...

Page 623: ...an unauthorized DHCP server exists in the network a DHCP client may obtain an illegal IP address To ensure that the DHCP clients obtain IP addresses from valid DHCP servers you can specify a port to be a trusted port or an untrusted port through the DHCP snooping function Trusted A trusted port is connected to an authorized DHCP server directly or indirectly It forwards DHCP messages to guarantee ...

Page 624: ...CK packet DHCP REQUEST packet Introduction to DHCP Snooping Option 82 Introduction to Option 82 For details about Option 82 refer to Option 82 Support on page 612 Padding content and frame format of Option 82 There is no specification for what should be padded in Option 82 Manufacturers can pad it as required By default the sub options of Option 82 for the Switch 7750 enabled with DHCP snooping ar...

Page 625: ... to 1 in the case of ASCII format Figure 159 Extended format of the circuit ID sub option Figure 160 Extended format of the remote ID sub option In practice some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub options To interwork with these devices the Switch 7750 supports Option 82 in the standard format Refer to Figure 161 and Figure 162 for th...

Page 626: ...ce will Drop Drop the packet Keep Forward the packet without changing Option 82 Replace Neither of the two sub options is configured Forward the packet after replacing the original Option 82 with the default content The storage format of Option 82 content is the one specified with the dhcp snooping information format command or the default HEX format if this command is not executed Circuit ID sub ...

Page 627: ... which the port belongs to These records are saved as entries in the DHCP snooping table IP static binding table The DHCP snooping table only records information about clients that obtains IP address dynamically through DHCP If a fixed IP address is configured for a client the IP address and MAC address of the client cannot be recorded in the DHCP snooping table Consequently this client cannot pas...

Page 628: ...able the DHCP snooping function dhcp snooping Required By default the DHCP snooping function is disabled Enter Ethernet port view interface interface type interface number Set the port connected to a DHCP server to a trusted port dhcp snooping trust Required By default all ports of a switch are untrusted ports Table 498 DHCP snooping Option 82 support configuration tasks Configuration task Descrip...

Page 629: ...HCP Snooping to Support Option 82 on page 628 Configuring the padding format for Option 82 on page 631 Table 499 Enable DHCP snooping Option 82 support Operation Command Description Enter system view system view Enable DHCP snooping Option 82 support dhcp snooping information enable Required Disabled by default Table 500 Configure a handling policy for DHCP packets with Option 82 Operation Command ...

Page 630: ...port aggregation Configuring the remote ID sub option You can configure the remote ID sub option in system view or Ethernet port view In system view the remote ID takes effect on all interfaces You can configure Option 82 as the system name of the device or any customized character string in the ASCII format In Ethernet port view the remote ID takes effect only on the current interface You can con...

Page 631: ...mote ID sub option in Option 82 Operation Command Description Enter system view system view Configure the remote ID sub option in system view dhcp snooping information remote id sysname string string Optional By default the remote ID sub option is the MAC address of the DHCP snooping device that received the DHCP client s request Enter Ethernet port view interface interface type interface number Co...

Page 632: ...option 82 and option 82 is enabled on the switch The Ethernet 2 0 1 port of Switch A is a trusted port Create a static binding ip source static binding ip address ip address mac address mac address Optional By default no static binding entry is created Table 505 Configure IP filtering Operation Command Description Table 506 Display and maintain DHCP snooping configuration Operation Command Descrip...

Page 633: ... 82 Support Configuration Example Network requirements As shown in Figure 164 Ethernet 2 0 5 of the switch is connected to the DHCP server and Ethernet 2 0 1 Ethernet 2 0 2 and Ethernet 2 0 3 are respectively connected to DHCP Client A DHCP Client B and DHCP Client C Enable DHCP snooping on the switch Specify Ethernet 2 0 5 on the switch as a trusted port for DHCP snooping Enable DHCP snooping Opt...

Page 634: ...of the DHCP snooping device Switch dhcp snooping information remote id sysname Set the circuit ID sub option in DHCP packets from VLAN 1 to abcd on Ethernet 2 0 3 Switch interface Ethernet2 0 3 Switch Ethernet2 0 3 dhcp snooping information vlan 1 circuit id string abcd IP Filtering Configuration Example Network requirements As shown in Figure 165 Ethernet 2 0 1 of the Switch 7750 is connected to...

Page 635: ...1 as the trusted port Switch interface Ethernet2 0 1 Switch Ethernet2 0 1 dhcp snooping trust Switch Ethernet2 0 1 quit Enable IP filtering on Ethernet 2 0 2 Ethernet 2 0 3 and Ethernet 2 0 4 to filter packets based on the source IP addresses MAC addresses Switch interface Ethernet2 0 2 Switch Ethernet2 0 2 ip check source ip address mac address Switch Ethernet2 0 2 quit Switch interface Ethernet2...

Page 636: ...CHAPTER 59 DHCP SNOOPING CONFIGURATION Switch interface Ethernet2 0 2 Switch Ethernet2 0 2 ip source static binding ip address 1 1 1 1 mac address 0001 0001 0001 ...

Page 637: ...nly Advanced ACL rules are made based on the L3 and L4 information such as the source and destination IP addresses of the data packets the type of protocol over IP protocol specific features and so on Layer 2 ACL rules are made based on the Layer 2 information such as the source and destination MAC address information VLAN priority Layer 2 protocol and so on User defined ACL such rules specify a b...

Page 638: ...CL are matched in the following order 1 Protocol number of ACL rules Protocol number ranges from 1 to 255 The smaller the protocol range the higher the priority 2 Range of source IP address The smaller the source IP address range that is the longer the mask the higher the priority 3 Range of destination IP address The smaller the destination IP address range that is the longer the mask the higher ...

Page 639: ...e range is configured and the system time is within the time range If you remove the time range of an ACL rule the ACL rule becomes invalid the next time the ACL rule timer refreshes Types of ACLs Supported by the Ethernet Switch The following types of ACLs are supported by the Ethernet switch Basic ACL Advanced ACL Layer 2 ACL User defined ACL Choosing ACL Mode for Traffic Flows A switch can only...

Page 640: ...he time range configuration tasks include configuring periodic time sections and configuring absolute time sections A periodic time section appears as a period of time in a day of the week while an absolute time section appears in the form of the start time to the end time Configuration Procedure Table 508 Set the matching order of ACL rules applied to a port Operation Command Description Enter sy...

Page 641: ... configuration till the largest date available in the system Configuration Example Define a periodic time section test that will be active from 8 00 to 18 00 Monday through Friday SW7750 system view SW7750 time range test 8 00 to 18 00 working day SW7750 display time range test Current time is 11 14 19 4 27 2006 Thursday Time range test Active 08 00 to 18 00 working day Defining Basic ACLs A basic...

Page 642: ...matched Defining Advanced ACLs Advanced ACLs define classification rules according to the source and destination IP addresses of packets the type of protocol over IP and protocol specific features such as TCP UDP source and destination ports TCP flag bit ICMP protocol type and so on The value range for advanced ACL numbers is 3 000 to 3 999 ACL 3998 and 3999 are reserved for cluster management and...

Page 643: ... match order is config Define an rule rule rule id permit deny rule string Required Display ACL information display acl config all acl number acl name Optional This command can be executed in any view Table 512 Rule information Parameter Type Function Description protocol Protocol type Type of protocol over IP When expressed in numerals the value range is 1 to 255 When expressed with a name the va...

Page 644: ...ecedence ToS priority Value range 0 to 15 dscp dscp Packet precedence DSCP priority Value range 0 to 63 fragment Fragment information Specifies that the ACL rule is effective for non initial fragment packets time range time name Time range information Specifies the time range in which the ACL rule is active Table 512 Rule information Parameter Type Function Description Table 513 Description of DSC...

Page 645: ... 8 1000 Table 516 TCP UDP specific rule information Parameter Type Function Description source port operator port1 port2 Source port s Defines the source port information of UDP TCP packets The value of operator can be lt less than gt greater than eq equal to neq not equal to or range within the range of Only the range operator requires two port numbers as the operands and other operators require ...

Page 646: ... Parameter Type Function Description icmp type icmp type icmp code Type and message code information of ICMP packets Specifies the type and message code information of ICMP packets in the ACL rule icmp type ICMP message type ranging 0 to 255 icmp code ICMP message code ranging 0 to 255 Table 518 ICMP messages Name ICMP TYPE ICMP CODE echo Type 8 Code 0 echo reply Type 0 Code 0 fragmentneed DFset T...

Page 647: ... 2 information such as the source and destination MAC address information VLAN priority and Layer 2 protocol to process packets The value range for Layer 2 ACL numbers is 4 000 to 4 999 Configuration Preparation Before configuring an ACL rule containing time range arguments you need to configure define the corresponding time ranges For the configuration of time ranges refer to Configuring Time Ran...

Page 648: ...mask in the format of H H H defaults to ffff ffff ffff source vlan id source VLAN ID in the range of 1 to 4 094 any represents all packets received from all ports egress dest mac addr dest mac mask any Destination MAC address information Specifies the destination MAC address range in the ACL rule dest mac addr destination MAC address in the format of H H H dest mac mask destination MAC address ma...

Page 649: ...50 acl number 4000 SW7750 acl link 4000 rule deny cos 3 source 000d 88f5 97ed ffff ffff ffff dest 0011 4301 991e ffff ffff ffff SW7750 acl link 4000 display acl config 4000 Link ACL 4000 1 rule rule 0 deny cos excellent effort source 000d 88f5 97ed ffff ffff ffff dest 0011 4301 991e ffff ffff ffff 0 times matched Defining User Defined ACLs Using a byte which is specified through its offset from ...

Page 650: ...ig 5001 User ACL 5001 1 rule rule 25 deny 06 ff 27 time range t1 0 times matched Inactive Applying ACLs on Ports By applying ACLs on ports you can filter certain packets Configuration Preparation You need to define an ACL before applying it on a port For operations to define ACLs refer to Defining Basic ACLs on page 641 Defining Advanced ACLs on page 642 Defining Layer 2 ACLs on page 647 and Defin...

Page 651: ...ination mode Form of acl rule Apply all rules in an IP type ACL separately ip group acl number acl name Apply one rule in an IP type ACL separately ip group acl number acl name rule rule id Apply all rules in a link type ACL separately link group acl number acl name Apply one rule in a link type separately link group acl number acl name rule rule id Table 525 Combined application of ACLs on I O Mo...

Page 652: ...sh letter a to z or A to Z without space and quotation mark case insensitive user group acl number acl name User defined ACL acl number ACL number ranging from 5 000 to 5 999 acl name ACL name up to 32 characters long beginning with an English letter a to z or A to Z without space and quotation mark case insensitive rule id Number of the ACL rule ranging from 0 to 127 If this argument is not spec...

Page 653: ...CL configuration are listed below 1 Define the time range Define the time range from 8 00 to 18 00 SW7750 system view SW7750 time range test 8 00 to 18 00 daily 2 Define an ACL for packets with the source IP address of 10 1 1 1 Enter ACL 2000 SW7750 acl number 2000 Define an access rule to deny packets with their source IP addresses being 10 1 1 1 SW7750 acl basic 2000 rule 1 deny source 10 1 1 1 ...

Page 654: ...me range that contain a periodic time section from 8 00 to 18 00 SW7750 system view SW7750 time range test 8 00 to 18 00 working day 2 Define an ACL for filtering requests destined for the wage server Create ACL 3000 SW7750 acl number 3000 Define an ACL rule for requests destined for the wage server SW7750 acl adv 3000 rule 1 deny ip destination 192 168 1 2 0 time range test SW7750 acl adv 3000 qu...

Page 655: ...4000 Define an ACL rule to deny packets with the source MAC address of 0011 0011 0011 and destination MAC address of 0011 0011 0012 specifying the time range named test for the ACL rule SW7750 acl link 4000 rule 1 deny ingress 0011 0011 0011 ffff ffff ffff egress 0011 0011 0012 ffff ffff ffff time range test SW7750 acl link 4000 quit 3 Apply the ACL on a port Apply ACL 4000 on the port Ethernet 2 ...

Page 656: ...0 to 18 00 SW7750 system view SW7750 time range aaa 8 00 to 18 00 daily 2 Create an ACL rule to filter TCP packets Create ACL 5000 SW7750 acl number 5000 Define a rule for TCP packets SW7750 acl user 5000 rule 1 deny 06 ff 27 time range aaa 3 Apply the ACL on a port Apply ACL 5000 on the port Ethernet 2 0 1 SW7750 interface Ethernet 2 0 1 SW7750 Ethernet2 0 1 qos SW7750 qosb Ethernet2 0 1 packet f...

Page 657: ... is the evaluation on the service ability to support the core requirements such as delay delay variation and packet loss ratio in the packet delivery Traffic Traffic means service traffic that is all the packets passing the switch Traffic Classification Traffic classification means to identify packets conforming to certain characters according to certain rules A classification rule is a filter rul...

Page 658: ... different service classes The DiffServ network defines four traffic classes Expedited Forwarding EF class In this class packets can be forwarded regardless of link share of other traffic The class is suitable for preferential services with low delay low packet loss ratio low variation and assured bandwidth such as virtual leased line Assured forwarding AF class This class is further divided into...

Page 659: ...ble to occasions where the Layer 3 packet header does not need analysis but QoS must be assured in Layer 2 Figure 171 An Ethernet frame with a 802 1Q tag header Table 529 Description on DSCP values DSCP DSCP value decimal DSCP value binary ef 46 101110 af11 10 001010 af12 12 001100 af13 14 001110 af21 18 010010 af22 20 010100 af23 22 010110 af31 26 011010 af32 28 011100 af33 30 011110 af41 34 1000...

Page 660: ...p specification 3 Local precedence Local precedence is the precedence of an outbound queue on a port of the switch It is in the range of 0 to 7 Each outbound queue has its own local precedence Priority of Protocol Packets Protocol packets carry their own priority You can perform QoS actions on protocol packets by setting their priorities Priority Remark The priority remark function is to use ACL r...

Page 661: ...nuous burst packets if the traffic of each user is not limited The traffic of each user must be limited in order to make better use of the limited network resources and provide better service for more users For example the traffic can only get its committed resources in an interval to avoid network congestion caused by excess bursts TP traffic policing is a kind of traffic control policy to limit ...

Page 662: ...apacity of the token bucket namely the maximum traffic size that is permitted in every burst It is generally set to committed burst size CBS The set burst size must be bigger than the maximum packet length One evaluation is performed on each arriving packet In each evaluation if the number of tokens in the bucket is enough the traffic is conforming to the specification and you must take away some ...

Page 663: ...tors are protected For example you can limit HTTP packets within 50 of the network bandwidth If the traffic of a certain connection is excess TP can choose to drop the packets or to reset the priority of the packets TP is widely used in policing the traffic into the network of internet service providers ISP TP can classify the policed traffic and perform pre defined policing actions according to d...

Page 664: ...eue with higher priority strictly following the priority order from high to low When the queue with higher priority is empty packets in the queue with lower priority are sent You can put critical service packets into the queues with higher priority and put non critical service such as e mail packets into the queues with lower priority In this case critical service packets are sent preferentially a...

Page 665: ...ull use of Traffic based Traffic Statistics The function of traffic based traffic statistics is to use ACL rules in traffic identifying and perform traffic statistics on the packets matching with the ACL rules You can get the statistics of the packets you are interested in through this function RED When congestion is too serious the switch can adopt the random early detection RED algorithm to solv...

Page 666: ...t is VLAN tagged the switch does not perform the operation above Configuration prerequisites The port whose priority is to be configured is specified The priority value of the specified port is specified Configuration procedure Table 531 QoS functions supported by the Switch 7750 and related commands QoS Description Related command Priority mapping Support only the mapping between 802 1p priority ...

Page 667: ...ity are sent preferentially The switch puts a packet into the corresponding queue according to the DSCP precedence IP precedence 802 1p priority or local precedence of the packet The mapping relationship between precedence values and queues is shown in Table 533 Table 534 Table 535 and Table 536 Enter Ethernet port view interface interface type interface number Set the port priority priority prio...

Page 668: ...n type A I O Module Queue 0 to 7 be 0 be 0 0 8 to 15 cs1 8 af1 10 cs1 8 af11 10 af12 12 af13 14 1 16 to 23 cs2 16 af2 18 cs2 16 af21 18 af22 20 af23 22 2 24 to 31 cs3 24 af3 26 cs3 24 af31 26 af32 28 af33 30 3 32 to 39 cs4 32 af4 34 cs4 32 af41 34 af42 36 af43 38 4 40 to 47 cs5 40 ef 46 cs5 40 ef 46 5 47 to 55 cs6 48 cs6 48 6 56 to 63 cs7 56 cs7 56 7 Table 534 The mapping relationship between the ...

Page 669: ...ocal precedence map 2 3 4 1 7 0 5 6 SW7750 display qos cos local precedence map cos local precedence map cos 0 1 2 3 4 5 6 7 local precedence 2 3 4 1 7 0 5 6 Configuring Priority Remark Refer to Priority Remark on page 660 for the introduction to priority remark Priority remark can be implemented in the following ways Through TP only non type A I O Modules support this function When configuring TP...

Page 670: ...ACL rules traffic priority inbound outbound acl rule system index system index dscp dscp value ip precedence pre value local precedence pre value Required Type A I O Modules support this command traffic priority inbound acl rule system index system index dscp dscp value ip precedence pre value cos cos local precedence pre value Optional Non type A I O Modules support this command Display the param...

Page 671: ...les in an IP ACL separately ip group acl number acl name Apply a rule in an IP ACL separately ip group acl number acl name rule rule id Apply all the rules in a Link ACL separately link group acl number acl name Apply a rule in a Link ACL separately link group acl number acl name rule rule id Apply all the rules in a user defined ACL separately user group acl number acl name Apply a rule in a user...

Page 672: ...l rule Applied ACL rules which can be the combination of various ACL rules The combinations available on Type A I O Modules are described in Table 540 and the combinations available on non type A I O Modules are described in Table 541 n TP configuration is effective only for the ACL rules whose actions are permit Table 543 Configure TP Operation Command Description Enter system view system view Enter Ethernet port vi...

Page 673: ...Redirect on page 663 for the introduction to redirect Configuration Prerequisites ACL rules used for traffic identifying are defined Refer to Choosing ACL Mode for Traffic Flows on page 639 for defining ACL rules The port that the packets are redirected to is specified The ports that need this configuration are specified Configuration Procedure acl rule Applied ACL rules which can be the combinat...

Page 674: ...eue scheduling Refer to Queue Scheduling on page 663 for the introduction to queue scheduling Configuration Prerequisites The queue scheduling algorithm is specified The ports that need this configuration are specified Configuration Procedure Table 545 Configure queue scheduling Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface ...

Page 675: ...e 8 10 COS configuration Config max queues 8 Schedule mode weighted round robin Weighting in packets COSQ 0 10 packets COSQ 1 5 packets COSQ 2 10 packets COSQ 3 10 packets COSQ 4 5 packets COSQ 5 10 packets COSQ 6 5 packets COSQ 7 10 packets Egress port queue statistics in bytes Priority CosQ Threshold Count Used 0 2 18432 0 0 1 0 2560 0 0 2 1 2560 0 0 3 3 2560 0 0 4 4 2560 0 0 5 5 2560 0 0 6 6 25...

Page 676: ...1 qos SW7750 qoss Ethernet2 0 1 traffic red outbound ip group 2000 64 128 20 Configuring Traffic Statistics Refer to Traffic based Traffic Statistics on page 665 for the introduction to traffic statistics Configuration Prerequisites ACL rules used for traffic identifying are defined Refer to Choosing ACL Mode for Traffic Flows on page 639 for defining ACL rules The ports that need this configurat...

Page 677: ...er system view system view Enter Ethernet port view interface interface type interface number Enter QoS view qos Use the ACL rules in traffic identifying and perform traffic statistics on the packets matching with the ACL rules traffic statistic inbound outbound acl rule system index system index Required Type A I O Modules support this command traffic statistic inbound acl rule system index syste...

Page 678: ...tion can be properly applied to the hardware Configuration Example Ethernet 2 0 1 of the switch is accessed into the network segment 10 1 1 1 24 Enable the function of assured bandwidth for traffic from the network segment 10 1 1 1 24 Set the parameters as follows the minimum assured bandwidth is 64 kbps the maximum available bandwidth is 128 kbps and the weight of bandwidth is 50 Configuration pr...

Page 679: ...dth for all the traffic matching the CAR rule on these ports to share Suppose you want to allocate 2 Mbps of CAR bandwidth for the incoming traffic matching ACL rule 0 and enable CAR on two ports with the traffic limit command If bidirectional CAR is enabled each port guarantees 2 Mbps of bandwidth for its incoming traffic matching ACL rule 0 If bidirectional CAR is disabled the switch guarantees ...

Page 680: ...e with Voice VLAN That is you cannot configure both features on the same port The port on which the traffic based selective QinQ function is configured and the specified uplink port cannot be in the same aggregation group Table 551 Configure traffic based selective QinQ Operation Command Description Enter system view system view Create a VLAN vlan vlan id The vlan id argument is the ID of external...

Page 681: ...rnet2 0 1 port hybrid vlan 25 untagged SW7750 GigabitEthernet2 0 1 vlan vpn enable SW7750 GigabitEthernet2 0 1 qos SW7750 qosb GigabitEthernet2 0 1 traffic remark inbound ip group 2 000 remark vlan 25 uplink GigabitEthernet 2 0 2 QoS Configuration Example Configuration Example of TP and Rate Limit on the Port Network requirement The enterprise network interworks all the departments through the por...

Page 682: ...d traffic within 640 kbps and set the precedence of packets exceeding the specification to 4 SW7750 interface Ethernet 2 0 1 SW7750 Ethernet2 0 1 qos SW7750 qosb Ethernet2 0 1 traffic limit inbound ip group 3000 640 exceed remark dscp 4 Configuration Example of Priority Remark Network requirements Mark ef on the packets that PC1 whose IP address is 1 0 0 2 sends from 8 00 to 18 00 every day to pro...

Page 683: ...identification based basic ACL view identified SW7750 acl number 2000 SW7750 acl basic 2000 rule 0 permit source 1 0 0 1 0 time range test SW7750 acl basic 2000 quit 3 Remark ef precedence on the packets that PC1 sends SW7750 interface Ethernet 2 0 1 SW7750 Ethernet2 0 1 qos SW7750 qosb Ethernet2 0 1 traffic priority inbound ip group 2000 dscp ef ...

Page 684: ...684 CHAPTER 61 QOS CONFIGURATION ...

Page 685: ...Mirroring Local Port Mirroring Port mirroring refers to the process of copying the packets received or sent by the specified port to the specified local port Remote Port Mirroring Remote port mirroring eliminates the limitation that the source port and the destination port must be located on the same switch This feature makes it possible for the source port and the destination port to be located o...

Page 686: ...nitoring device through the destination port Table 552 describes how the ports on various switches are involved in the mirroring operation Table 552 Ports involved in the mirroring operation Switch Ports involved Function Source switch Source port Port to be mirrored copy user data packets to the specified reflector port through local port mirroring There can be more than one source port Reflector...

Page 687: ...VLAN such as voice VLAN or protocol VLAN Configuring other VLAN related functions Local Traffic Mirroring Traffic mirroring maps traffic flows that match specific ACLs to the specified local port for packet analysis and monitoring Before configuring traffic mirroring you need to define ACLs required for flow identification Remote Traffic Mirroring Remote traffic mirroring copies traffic flows that...

Page 688: ...ing group mirroring group mirroring port mirroring group monitor port mirroring group reflector port mirroring group remote probe vlan remote probe vlan enable Configuring Remote Port Mirroring on page 690 Support traffic mirroring monitor port mirrored to Configuring Local Traffic Mirroring on page 696 Support remote traffic mirroring mirroring group mirroring group monitor port mirroring group r...

Page 689: ...mber Configure the source port and specify the direction of the packets to be mirrored mirroring group group id mirroring port both inbound outbound Required Display parameter settings of the local port mirroring group display mirroring group all local Required This command can be executed in any view Table 555 Configure local port mirroring in system view Operation Command Description Enter syste...

Page 690: ...g on the source switch Table 556 Configure remote port mirroring on the source switch Operation Command Description Enter system view system view Create a VLAN and enter its VLAN view vlan vlan id vlan id is the ID of the destination remote probe VLAN Define the current VLAN as a remote probe VLAN remote probe vlan enable Required Exit current view quit Enter port view of the relay port that conne...

Page 691: ...ort The reflector port cannot forward traffic as a normal port Therefore it is recommended that you use an idle and in down state port as the reflector port and be careful to not add other settings on this port Be sure not to configure a port used to connect the intermediate and destination switches as the mirroring source port Otherwise traffic disorder may occur in the network Configure a remot...

Page 692: ...mirroring on the intermediate switch Operation Command Description Enter system view system view Create a remote probe VLAN and enter VLAN view vlan vlan id vlan id is the ID of the remote probe VLAN Define the current VLAN as a remote probe VLAN remote probe vlan enable Required Exit current view quit Enter port view of the relay port through which the intermediate switch is connected to the sour...

Page 693: ...ype interface number Configure the current port as a trunk port port link type trunk Required By default the type of the port is access Configure the relay port to permit packets from the remote probe VLAN to pass port trunk permit vlan remote probe vlan id Required This configuration is necessary for ports through which the destination switch is connected to the source switch or an intermediate s...

Page 694: ...d analyze the packets sent and received by PC1 via the data detect device To meet the requirement above by using the remote port mirroring function perform the following configuration Define VLAN10 as remote probe VLAN Define Switch A as the destination switch configure GigabitEthernet 2 0 2 the port that is connected to the data detect device as the destination port for remote mirroring Set Gigab...

Page 695: ...nk permit vlan 10 SW7750 GigabitEthernet2 0 1 quit SW7750 interface GigabitEthernet 2 0 2 SW7750 GigabitEthernet2 0 2 port link type trunk SW7750 GigabitEthernet2 0 2 port trunk permit vlan 10 SW7750 GigabitEthernet2 0 2 quit SW7750 acl number 4500 SW7750 acl link 4500 rule 1 permit ingress 10 SW7750 acl link 4500 quit SW7750 interface GigabitEthernet 2 0 2 SW7750 GigabitEthernet2 0 2 qos SW7750 q...

Page 696: ...ed Define the destination port mirroring group group id monitor port monitor port Required LACP must be disabled on the mirroring destination port and it is recommended that you disable STP on the mirroring destination port Enter Ethernet port view of the source port interface interface type interface number Enter QoS view qos Reference ACLs for identifying traffic flows and perform traffic mirroring ...

Page 697: ... GigabitEthernet 2 0 4 Configuring Remote Traffic Mirroring Configuration prerequisites ACLs for identifying traffic have been defined For defining ACLs refer to ACL Configuration on page 637 The source switch intermediate switch and the destination switch have been specified The reflector port destination port for mirroring and remote probe VLAN have been specified Required configurations are pe...

Page 698: ...t with the intermediate switch and the destination switch must be configured so Quit from the current view quit Configure the remote source mirroring group mirroring group group id remote source Required Configure the remote reflector port mirroring group group id reflector port reflector port Required The remote reflector port must be an access port where LACP must be disabled and STP is recommended...

Page 699: ...witch is the same as configuring remote port mirroring on the intermediate switch Refer to Configuring remote port mirroring on the intermediate switch on page 692 for details Configuring the destination switch Configuring a destination switch is the same as configuring remote port mirroring on the destination switch Refer to Configuring remote port mirroring on the destination switch on page 692 ...

Page 700: ...re the traffic mirroring function on GigabitEthernet 2 0 2 2 Network diagram Figure 181 Network diagram for remote traffic mirroring 3 Configuration procedure Configure Switch A SW7750 system view SW7750 vlan 10 SW7750 vlan10 remote probe vlan enable SW7750 vlan10 quit SW7750 interface GigabitEthernet 2 0 1 SW7750 GigabitEthernet2 0 1 port link type trunk SW7750 GigabitEthernet2 0 1 port trunk per...

Page 701: ...tEthernet 2 0 3 SW7750 mirroring group 1 remote probe vlan 10 SW7750 interface GigabitEthernet 2 0 2 SW7750 GigabitEthernet2 0 2 qos SW7750 qosb GigabitEthernet2 0 2 mirrored to inbound ip group 2000 interface GigabitEthernet 2 0 3 reflector SW7750 qosb GigabitEthernet2 0 2 display qos interface GigabitEthernet2 0 2 mirrored to GigabitEthernet2 0 2 mirrored to Inbound Matches Acl 2000 rule 0 runn...

Page 702: ...roring port mirroring port list both inbound outbound You must perform one of the two operations The mirroring source I O Module can be a distributed or centralized I O Module however the mirroring source ports must be ports on distributed I O Modules Mirroring source ports can also be configured in Ethernet port view For detailed information refer to Configuring port mirroring in Ethernet port vi...

Page 703: ...r devices forms a cluster Normally a cluster member device is not assigned a public IP address Management and maintenance operations intended for the member devices in a cluster are redirected by the management device Figure 182 illustrates a typical cluster implementation Figure 182 Diagram for cluster Switch Clustering V2 offers the following advantages The procedures to configure multiple switch...

Page 704: ...ting each member and then distributes the configuration and management commands to members Member management means to manage the following events through the management device including adding a member removing a member and the member s authentication on the management device Member management also manages the cluster parameters including interval of sending handshake packets management VLAN of th...

Page 705: ...d candidate device enable NTDP both globally and for specific ports As member devices and candidate devices adopt the NTDP settings configured for the management device NTDP setting configurations are not needed NTDP takes effect in the management VLAN only Switch 7750 Ethernet switches take VLAN 1 as the management VLAN that is the NTDP function of the Switch 7750 takes effect in VLAN 1 only Intr...

Page 706: ...s the data to the external server When the management program running on the external server manages the member device the external server transmits the protocol packets to the management device first and then the management device forwards the protocol packets to the member device You can configure public FTP servers TFTP servers logging hosts and SNMP hosts for the whole cluster The management d...

Page 707: ...edirecting commands that is forward the commands to the intended member devices for processing Provide the following functions including neighbor discovery topology information collection cluster management and cluster state maintenance and support all types of FTP servers and SNMP host proxies Member device Normally a member device is not configured with a public IP address Member in the cluster ...

Page 708: ...igure cluster parameters Required Configuring Cluster Parameters on page 709 Configure interaction for the cluster Required Configuring Interaction for the Cluster on page 711 Table 565 Enable NDP globally and for a specific port Operation Command Description Enter system view system view Enable NDP globally ndp enable Required By default NDP is enabled globally Enable NDP for the specified Ethern...

Page 709: ...ew Configure the range topology information within which is to be collected ntdp hop hop value Optional By default the hop range for topology collection is 3 hops Configure the hop delay to forward topology collection request packets ntdp timer hop delay time Optional By default the delay of the device is 200 ms Configure the port delay to forward topology collection request packets ntdp timer por...

Page 710: ...erface vlan id Required The Switch 7750 requires you to configure the IP address of the Layer 3 virtual interface of VLAN1 before you set up a cluster Otherwise the cluster cannot be set up Configure the IP address of the VLAN interface ip address ip address mask mask length Required Enter cluster view cluster Configure an IP address pool for the cluster ip pool administrator ip address ip mask i...

Page 711: ... ip address mask mask length Required Enter cluster view cluster Configure the range of the IP addresses of the cluster ip pool administrator ip address ip mask ip mask length Required Build a cluster automatically auto build recover Optional You can build clusters according to corresponding prompts Table 572 Configure interaction for the cluster Operation Command Description Enter system view s...

Page 712: ...ult the NDP is enabled for the port You can choose to enable NDP in system view or in Ethernet port view In Ethernet port view Enter Ethernet port view interface interface type interface number Enable NDP on the port ndp enable Table 575 Enable NTDP globally and for specific ports Operation Command Description Enter system view system view Enable system NTDP ntdp enable Required By default the NTD...

Page 713: ...ddress H H H eraseflash Optional Return to system view quit Return to user view quit Switch between the management device view and a member device view cluster switch to member number mac address H H H administrator Optional Switch between the management device view and the member device view Table 578 Display and maintain cluster configurations Operation Command Description Display the global NDP...

Page 714: ...f the management device belongs to VLAN1 whose interface IP address is 163 172 55 1 All the devices in the cluster use the same FTP server and TFTP server The FTP server and TFTP server share one IP address 163 172 55 2 The SNMP site and log host share one IP address 69 172 55 4 Network diagram Figure 184 Network diagram for Switch Clustering cluster configuration Clear the NDP statistics on a por...

Page 715: ...LAN SW7750 system view SW7750 interface Vlan interface 1 SW7750 Vlan interface1 ip address 163 172 55 1 SW7750 Vlan interface1 quit Enable NDP globally and on Ethernet1 0 2 and Ethernet1 0 3 SW7750 ndp enable SW7750 interface Ethernet 1 0 2 SW7750 Ethernet1 0 2 ndp enable SW7750 Ethernet1 0 2 interface Ethernet 1 0 3 SW7750 Ethernet1 0 3 ndp enable SW7750 Ethernet1 0 3 quit Configure the holdtime ...

Page 716: ...starts from 172 16 0 1 The mask is 255 255 255 248 SW7750 cluster ip pool 172 16 0 1 255 255 255 248 Specify a name for the cluster and create the cluster SW7750 cluster build aaa aaa_0 3Com cluster Add the attached two switches to the cluster aaa_0 3Com cluster add member 1 mac address 00e0 fc01 0011 aaa_0 3Com cluster add member 17 mac address 00e0 fc01 0012 Configure the holdtime of the member ...

Page 717: ...cluster put bbb txt n Upon the completion of the above configurations you can execute the cluster switch to member num mac address H H H command on the management device to switch to member device view to maintain and manage a member device You can then execute the cluster switch to administrator command to resume the management device view You can also reboot a member device by executing the rebo...

Page 718: ...718 CHAPTER 63 CLUSTER ...

Page 719: ...PD detection PD power information collection PoE power supply monitoring and power off for devices PD PDs receive power from the PSE PDs include standard PDs and nonstandard PDs Standard PDs conform to the 802 3af standard including IP phones WLAN APs network cameras and so on Power interface PI PIs are RJ45 interfaces which connect PSE PDs to network cables PoE Features Supported by the Switch 77...

Page 720: ... they work together to supply 2 400 W of power 2 Input voltage 200 VAC to 240 VAC One PSU of the PSE2500 A1 power system can supply 2 500 W of power If the PSUs of PSE2500 A1 power system need to work in redundancy mode two PSUs are required PoE enabled Boards The following modules of Switch 7750 support PoE 3C16860 LS81GT48A Setting PoE Management Mode Switch 7750 manages PoE in either auto mode o...

Page 721: ...re of a PoE enabled board Required Configuring the PoE Feature of a PoE enabled Board on page 721 Configure the PoE feature of a PoE port Required Setting the PoE Feature of a PoE Port on page 722 Upgrade the PSE processing software online Optional Upgrading the PSE Processing Software Online on page 723 Table 580 Configure the PoE feature on a port Operation Command Description Enter system view ...

Page 722: ...st enable PoE on this module with the poe enable slot slot num command When PoE compatibility detection is performed on non standard devices the system performance will be affected When standard 802 3af devices are connected to the module it is not recommended that you enable the PoE compatibility detection feature Setting the PoE Feature of a PoE Port Enable the compatibility detection feature for re...

Page 723: ...e is to upgrade the valid software in the PSE through refreshing the software while the full update mode is to delete the invalid software in PSE completely and then reload the software Generally the refresh update mode is used to upgrade the PSE processing software When the PSE processing software is damaged that is all the PoE commands cannot be successfully executed you can use the full update ...

Page 724: ... high priority Set the PoE management mode of slot 3 to auto Slot 3 is supplied with 400 W of power and slot 5 is supplied with full power namely 806 W Enable PoE compatibility detection on the PoE module in slot 3 The input power of the AP device connected to the Ethernet5 0 15 port cannot be greater than 9 W Table 584 Display and maintain PoE Operation Command Description Display the PoE status of ...

Page 725: ...on the modules in slot 3 and slot 5 SW7750 poe enable slot 3 SW7750 poe enable slot 5 Set the PoE management mode on slot 3 to auto SW7750 poe power management auto slot 3 Set the maximum power supplied by the module in slot 3 to 400 W SW7750 poe max power 400 slot 3 Set the maximum power supplied by the module in slot 5 is 806 W full power SW7750 poe max power 806 slot 5 Disable the PoE feature o...

Page 726: ... critical so that the devices connected to Ethernet3 0 48 can be provided with power preferentially without interrupting power supply to the current ports SW7750 interface Ethernet 3 0 48 SW7750 Ethernet3 0 48 poe priority critical Enable the PoE compatibility detection feature on the module in slot 3 SW7750 poe legacy enable slot 3 Set the maximum PoE power supplied by Ethernet5 0 15 to 9 W SW775...

Page 727: ...you are recommended to set the upper threshold to 132 0 V and the lower threshold to 90 0 V AC Input Alarm Threshold Configuration Example Network requirements Set the overvoltage alarm threshold of AC input for PoE PSUs to 264 0 V Set the undervoltage alarm threshold of AC input for PoE PSUs to 181 0 V Table 585 PoE PSU supervision configuration tasks Operation Description Related section Configu...

Page 728: ...hold of DC output for the PoE PSUs to 55 0 V Set the undervoltage alarm threshold of DC output for the PoE PSUs to 47 0 V Configuration procedure Enter the system view SW7750 system view Set the overvoltage alarm threshold of DC output for the PoE PSUs to 55 0 V SW7750 poe power output thresh upper 55 0 Set the undervoltage alarm threshold of DC output for the PoE PSUs to 47 0 V SW7750 poe power o...

Page 729: ...Connect IP phones to Ethernet3 0 1 through Ethernet3 0 48 Set the AC input and DC output alarm thresholds to appropriate values Table 588 Display PoE supervision information Operation Command Description Display the basic information about the external PoE PSUs display supervision module information You can execute the display command in any view Display alarm information about the PoE PSUs display...

Page 730: ...ut for the PoE PSUs to 264 0 V SW7750 poe power input thresh upper 264 0 Set the undervoltage alarm threshold of AC input for the PoE PSUs to 181 0 V SW7750 poe power input thresh lower 181 0 Set the overvoltage alarm threshold of DC output for the PoE PSUs to 55 0 V SW7750 poe power output thresh upper 55 0 Set the undervoltage alarm threshold of DC output for the PoE PSUs to 47 0 V SW7750 poe po...

Page 731: ... be enabled on the port PoE Profile Configuration Tasks Table 589 Configure PoE profile Operation Command Description Enter system view system view Create a PoE profile poe profile profile name Required Enter PoE profile view while creating the PoE profile Configure the relevant features in PoE profile Enable the PoE feature on a port poe enable Required The PoE feature on a port is enabled by def...

Page 732: ...splay command in any view to see the running status of the PoE profile You can verify the configurations by viewing the information PoE Profile Configuration Example Network requirements Ethernet2 0 1 through Ethernet2 0 10 of the Switch 7757 are used by users of group A who have the following requirements The PoE function can be enabled on all ports Signal cables are used to supply power Apply th...

Page 733: ...Ethernet 1 0 10 Figure 187 PoE profile application Configuration procedure Create Profile1 and enter PoE profile view SW7750 system view SW7750 poe profile Profile1 In Profile1 add the PoE policy configuration applicable to Ethernet2 0 1 through Ethernet2 0 5 ports for users of group A SW7750 poe profile Profile1 poe enable SW7750 poe profile Profile1 poe mode signal SW7750 poe profile Profile1 po...

Page 734: ...oe profile Profile2 poe priority high SW7750 poe profile Profile2 poe max power 15400 SW7750 poe profile Profile2 quit Display detailed configuration information for Profile2 SW7750 display poe profile name Profile2 Poe profile Profile2 1 action poe priority high Apply the configured Profile1 to Ethernet2 0 1 through Ethernet2 0 5 ports SW7750 apply poe profile Profile1 interface Ethernet 2 0 1 to...

Page 735: ... addresses of the packets and then sends the packet to the specified destination server n The DHCP Relay module uses UDP port 67 and 68 to relay BOOTP DHCP broadcast packets so do not use port 67 and 68 as UDP Helper destination ports With UDP Helper enabled the device relays the UDP broadcast packets whose destination ports are one of the six UDP ports list in Table 591 by default Configuring UDP...

Page 736: ...orming the above configurations you can use the display command in any view to display the information about the destination servers and the number of the packets forwarded to each destination server Verify the configuration by checking the output information You can use the reset command in user view to clear statistics about packets forwarded by UDP Helper Configure a UDP port as a UDP Helper de...

Page 737: ... network segment 202 38 1 0 24 is reachable Enable UDP Helper SW7750 system view SW7750 udp helper enable Configure port 55 as a UDP Helper destination port SW7750 udp helper port 55 Configure the server with the IP address of 202 38 1 2 as a destination server for the UDP broadcast packets SW7750 interface Vlan interface 1 SW7750 Vlan interface1 ip address 10 110 1 1 16 SW7750 Vlan interface1 udp...

Page 738: ...738 CHAPTER 67 UDP HELPER CONFIGURATION ...

Page 739: ...for running the client program At present the commonly used NM platforms include 3Com s Network Management Products Sun NetManager and IBM NetView Agent is the server software operated on network devices The NMS can send GetRequest GetNextRequest and SetRequest messages to the Agent Upon receiving the requests from the NMS Agent will perform Read or Write operation according to the message types g...

Page 740: ...represents a managed object as shown in Figure 189 Thus the object can be identified with the unique path starting from the root Figure 189 Architecture of the MIB tree The management information base MIB is used to describe the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network device In the above figure the managed object B can be u...

Page 741: ...N MIB Device management Interface management Table 594 Common MIBs MIB attribute MIB content References Table 595 Configure SNMP basic functions for SNMP V1 and SNMP V2C Operation Command Description Enter system view system view Enable SNMP Agent snmp agent Optional By default SNMP Agent is disabled To enable SNMP Agent you can execute this command or those commands used to configure SNMP Agent f...

Page 742: ...id switch fabricid Optional By default the device switch fabric ID is Enterprise Number device information Create or update the view information snmp agent mib view included excluded view name oid tree Optional By default the view name is ViewDefault and OID is 1 Table 596 Configure SNMP basic functions SNMP V3 Operation Command Description Enter system view system view Enable SNMP Agent snmp agen...

Page 743: ...the device switch fabric ID is Enterprise Number device information Create or update the view information snmp agent mib view included excluded view name oid tree Optional By default the view name is ViewDefault and OID is 1 Table 596 Configure SNMP basic functions SNMP V3 Operation Command Description Table 597 Configure Trap Operation Command Description Enter system view system view Enable the ...

Page 744: ...tyname security string v1 v2c v3 authentication privacy Required Set the source address to send Trap packets snmp agent trap source interface type interface number Optional Set the information queue length of Trap packet sent to destination host snmp agent trap queue size size Optional The default value is 100 Set aging time for Trap packets snmp agent trap life seconds Optional The default aging ...

Page 745: ... Description Display system information of the current SNMP device display snmp agent sys info contact location version The display command can be executed in any view Display SNMP packet statistics information display snmp agent statistics Display the switch fabric ID of the current device display snmp agent local switch fabricid remote switch fabricid Display group information about the device d...

Page 746: ...MP community is public SW7750 snmp agent trap enable standard authentication SW7750 snmp agent trap enable standard coldstart SW7750 snmp agent trap enable standard linkup SW7750 snmp agent trap enable standard linkdown SW7750 snmp agent target host trap address udp domain 10 10 10 1 udp port 5000 params securityname public Configuring NMS The Switch 7750 supports 3Com s Network Management...

Page 747: ...s is reduced thus facilitating the management of large scale internetworks Working Mechanism of RMON RMON allows multiple monitors It collects data in one of the following two ways Using the dedicated RMON probe When an RMON system operates in this way the NMS directly obtains management information from the RMON probes and controls the network resources In this case all information in the RMON MIB...

Page 748: ...eriod sampling time Comparing the sampled value with the set threshold and triggering the corresponding events if the sampled value exceeds the threshold Extended alarm group With extended alarm entry you can perform operations on the samples of an alarm variable and then compare the operation result with the set threshold thus implement more flexible alarm functions With an extended alarm entry d...

Page 749: ...ring SNMP Basic Functions on page 741 Configuring RMON Table 599 Configure RMON Operation Command Description Enter system view system view Add an event entry rmon event event entry description string log trap trap community log trap log trapcommunity none owner text Optional Add an alarm entry rmon alarm entry number alarm variable sampling time delta absolute rising threshold threshold value1 ev...

Page 750: ... connected to a remote NMS through Internet Create an entry in the Ethernet statistics table to make statistics on the Ethernet port performance for network management Network diagram Figure 191 Network diagram for RMON configuration Add a statistics entry rmon statistics entry number owner text Optional Table 599 Configure RMON Operation Command Description Table 600 Display RMON Operation Comman...

Page 751: ...ntry 1 owned by user1 rmon is VALID Interface Ethernet2 0 1 ifIndex 4227626 etherStatsOctets 0 etherStatsPkts 0 etherStatsBroadcastPkts 0 etherStatsMulticastPkts 0 etherStatsUndersizePkts 0 etherStatsOversizePkts 0 etherStatsFragments 0 etherStatsJabbers 0 etherStatsCRCAlignErrors 0 etherStatsCollisions 0 etherStatsDropEvents insufficient resources 0 Packets received according to length etherStats...

Page 752: ...752 CHAPTER 69 RMON CONFIGURATION ...

Page 753: ...he same time The accounting system requires that the clocks of all the network devices be consistent Some functions such as restarting all the network devices in a network simultaneously require that they adopt the same time When multiple systems cooperate to handle a rather complex event to ensure a correct execution order they must adopt the same time To perform incremental backup operations bet...

Page 754: ... serves as the NTP server that is the clock of Device A will be synchronized to that of Device B It takes one second to transfer an NTP message from Device A to Device B or from Device B to Device A Figure 192 Implementation principle of NTP The procedure of synchronizing the system clock is as follows Device A sends an NTP message to Device B with a timestamp 10 00 00 am T1 identifying when it is...

Page 755: ...tation Mode To accommodate networks of different structures and switches in different network positions NTP can operate in multiple modes as described in the following Client Server mode Figure 193 NTP implementation mode client Server mode Peer mode Figure 194 NTP implementation mode peer mode Server Clock synchronization request packet Response packet Network Client Works in server mode automatic...

Page 756: ...mote server operates as the peer of the Switch 7750 and the Switch 7750 operates as the active peer Client Broadcast clock synchronizati on packets periodically Network Server Initiates a client server mode request after receiving the first broadcast packet Works in the server mode automatically and sends response packets Client server mode reques Response packet Obtains the delay between the clie...

Page 757: ...e VLAN interface configured on the switch Multicast mode Configure the Switch 7750 to operate in NTP multicast server mode In this case the Switch 7750 sends multicast NTP packets through the VLAN interface configured on the switch Configure the Switch 7750 to operate in NTP multicast client mode In this case the Switch 7750 receives multicast NTP packets through the VLAN interface configured on the...

Page 758: ...a clock synchronization packet periodically The devices which are configured to be in the NTP broadcast client mode will respond to this packet and start the clock synchronization procedure NTP multicast server mode When a Switch 7750 operates in NTP multicast server mode it multicasts a clock synchronization packet periodically The devices which are configured to be in the Enter VLAN interface view ...

Page 759: ...ion For the networks with higher security requirements you can specify to perform authentications when enabling NTP With the authentications performed on both the client side and the server side the client is synchronized only to the server that passes the authentication This improves network security Prerequisites NTP authentication configuration involves Configuring NTP authentication on the cli...

Page 760: ...entication model md5 value Required By default the NTP authentication key is not configured Configure the specified key to be a trusted key ntp service reliable authentication keyid key id Required By default no trusted authentication key is configured Associate the specified key with the corresponding NTP server NTP client mode ntp service unicast server remote ip server name authentication keyid...

Page 761: ...server authentication keyid key id In NTP broadcast server mode and NTP multicast server mode you need to associate the specified key with the corresponding NTP server on the server You can associate an NTP server with an authentication key while configuring a switch to operate in a specific NTP mode You can also associate them using this command after configuring the NTP mode where a switch is to...

Page 762: ...ements Configure the local clock of S7750 1 to be the NTP master clock with the stratum being 2 S7750 2 operates in client mode with S7750 1 as the time server S7750 1 operates in server mode automatically Disable the interface from receiving NTP packets ntp service in interface disable Optional By default a VLAN interface receives NTP packets Return to system view quit Disable NTP service globall...

Page 763: ...ence 99 8562 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 0 00 ms Root dispersion 0 00 ms Peer dispersion 0 00 ms Reference time 00 00 00 000 UTC Jan 1 1900 00000000 00000000 Configure S7750 1 to be the time server of S7750 2 SW7750 2 system view SW7750 2 ntp service unicast server 1 0 1 11 After the above configuration S7750 2 is synchronized to S7750 1 View the NTP status of S7750 2 ...

Page 764: ...P master clock with the clock stratum being 2 Configure a Switch 7750 to operate as a client with 3Com2 as the time server 3Com2 will then operate in the server mode automatically Meanwhile 3Com3 sets the Switch 7750 to be its peer n This example assumes that 3Com2 is a switch that allows its local clock to be the master clock 3Com3 is a switch that allows its local clock to be the master clock an...

Page 765: ...persion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information indicates that the Switch 7750 is synchronized to 3Com3 and the stratum of its local clock is 2 one stratum higher than 3Com3 View the information about the NTP sessions of the Switch 7750 and you can see that a connection is established between the Switch 7750 and 3Com...

Page 766: ... server and send broadcast packets through VLAN interface 2 SW77503 Vlan Interface2 ntp service broadcast server 2 Configure Switch 7750 1 Enter system view SW7750 1 system view SW7750 1 Enter VLAN interface 2 view SW7750 1 interface Vlan interface 2 SW7750 1 Vlan Interface2 Configure Switch 7750 1 to be a broadcast client SW7750 1 Vlan Interface2 ntp service broadcast client 3 Configure Switch 77...

Page 767: ...ual frequency 249 9992 Hz Clock precision 2 19 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information indicates that Switch 7750 1 is synchronized to 3Com3 with the clock stratum of 3 one stratum higher than 3Com3 View the information about the NTP sessions of Switch 7750...

Page 768: ... a multicast server SW77503 Vlan Interface2 ntp service multicast server 2 Configure Switch 7750 1 Enter system view SW7750 1 system view SW7750 1 Enter VLAN interface 2 view SW7750 1 interface vlan interface 2 Configure 3Com4 to be a multicast client SW7750 1 Vlan interface2 ntp service multicast client 3 Configure Switch 7750 2 Enter system view SW7750 2 system view SW7750 2 Vlan int2 1 0 1 31 2...

Page 769: ...quency 249 9992 Hz Clock precision 2 19 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information indicates that Switch 7750 1 is synchronized to 3Com3 with the clock stratum being 3 one stratum higher than 3Com3 View the information about the NTP sessions of Switch 7750 1 a...

Page 770: ... SW7750 2 ntp service unicast server 1 0 1 11 authentication keyid 42 The above configuration synchronizes Switch 7750 2 to Switch 7750 1 As NTP authentication is not enabled on Switch 7750 1 Switch 7750 2 will fail to be synchronized to Switch 7750 1 The following configuration is needed for Switch 7750 1 Enable authentication on 3Com1 SW7750 1 system view SW7750 1 ntp service authentication enab...

Page 771: ... UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information indicates that Switch 7750 2 is synchronized to Switch 7750 1 with the clock stratum being 3 one stratum higher than Switch 7750 1 View the information about the NTP sessions of Switch 7750 2 and you can see that a connection is established between Switch 7750 2 and Switch 7750 1 SW7750 2 display ntp service sessions source reference str...

Page 772: ...772 CHAPTER 70 NTP CONFIGURATION ...

Page 773: ...therwise the server clears the TCP connection 2 Key algorithm negotiation stage These operations are completed at this stage The server and the client send key algorithm negotiation packets to each other which include the supported public key algorithm list encryption algorithm list MAC algorithm list and compression algorithm list Based on the received algorithm negotiation packets the server and...

Page 774: ...es SSH server configuration tasks Configuring supported protocols Table 608 Configure SSH2 0 server Configuration Keyword Description Configure supported protocols protocol inbound Refer to Configuring supported protocols on page 774 Generate a local RSA key pair rsa local key pair create Refer to Generating or destroying RSA key pairs on page 775 Destroy a local RSA key pair rsa local key pair de...

Page 775: ...ompts you the host RSA key pair 3Com_Host is generated and does not inform you the information about the server RSA key pair even if the server RSA key pair is generated in the background for the purpose of SSH1 x compatibility You can use the display rsa local key pair public command to display the generated key pairs After you configure the rsa local key pair command the system prompts you to de...

Page 776: ...entication type for a user When the two commands are configured simultaneously and the authentication types configured for the user specified by username differ from each other comply with the configuration of the ssh user username authentication type command c CAUTION If RSA authentication type is defined then the RSA public key of the client user must be configured on the switch Table 611...

Page 777: ...ation type On the other hand you can import the RSA public key of an SSH user from the public key file When the rsa peer public key keyname import sshkey filename command is executed the system will transform the format of the public key file created on the client into the public key cryptography standards PKCS format and configure the client public key automatically Before the configuration above...

Page 778: ...client you need to configure the host public key of the server to be accessed on the local device and specify the name of the host public key file of the server to be accessed Thus the SSH client can authenticate the SSH server to be accessed Enter public key edit view public key code begin You can key in a blank space between characters since the system can remove the blank space automatically Bu...

Page 779: ... is the same as that of configuring a client public key on the server Specify the name of the host public key of the SSH server to be accessed on the SSH client ssh client server ip assign rsa key keyname Required if first time authentication is not configured on the client Connect the SSH client to the SSH server and specify the preferred key exchange algorithm the preferred encryption algorithm ...

Page 780: ... SSH SW7750 ui vty0 4 protocol inbound ssh Configure the login protocol for user client001 as SSH and authentication type as password SW7750 local user client001 SW7750 luser client001 password simple abc SW7750 luser client001 service type ssh SW7750 luser client001 quit SW7750 ssh user client001 authentication type password n Select the default SSH authentication timeout time and authentication ...

Page 781: ...125 SW7750 rsa key code public key code end SW7750 rsa public key peer public key end SW7750 ssh user client002 assign rsa key 3Com002 Start the SSH client software on the host which stores the RSA private keys and make corresponding configuration to establish an SSH connection SSH Client Configuration Example Network requirements As shown in Figure 203 Switch A serves as an SSH client and uses th...

Page 782: ...guration on page 778 Configure the client public key on the server and name the public key Switch001 SW7750 rsa peer public key Switch001 RSA public key view return to System View with peer public key end SW7750 rsa public key public key code begin RSA key code view return to last view with public key code end SW7750 rsa key code 3047 SW7750 rsa key code 0240 SW7750 rsa key code C8969B5A 132440F4 ...

Page 783: ... a VLAN interface on the switch and assign it an IP address which the SSH server will use as the destination for SSH connection SW7750 system view SW7750 interface vlan interface 1 SW7750 Vlan interface1 ip address 10 1 1 2 255 255 255 0 SW7750 Vlan interface1 quit Generate an RSA key pair SW7750 rsa local key pair create Display the RSA public key of the client only the host public key contents a...

Page 784: ...6A A94A207E 1E25F3F9 SW7750 rsa key code E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74 SW7750 rsa key code 5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420 SW7750 rsa key code 024ECF2C 28A6A454 C27449E0 46EB1EAF 8A918D33 SW7750 rsa key code BAF53AF3 63B1FB17 F01E4933 00BE2EEA A272CD78 SW7750 rsa key code C289B7DD 2BE0F7AD SW7750 rsa key code 0203 SW7750 rsa key code 010001 SW7750 rsa key code public ke...

Page 785: ...tion Enter system view system view Configure service type for an SSH user ssh user username service type stelnet sftp all Required By default the available service type is stelnet Table 619 Enable the SFTP server Operation Command Description Enter system view system view Enable the SFTP server sftp server enable Required By default the SFTP server is not enabled Table 620 Configure SFTP client Op...

Page 786: ...elp information about SFTP client commands help SFTP client view Optional Table 621 Enable the SFTP client Operation Command Description Enter system view system view Enable the SFTP client sftp host ip host name port num prefer_kex dh_group1 dh_exchange_group prefer_ctos_cipher des aes128 prefer_stoc_cipher des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_...

Page 787: ... directory dir a l remote path Optional The dir and ls commands have the same function ls a l remote path Create a directory on the SFTP server mkdir remote path Optional Delete a directory from the SFTP server rmdir remote path 1 10 Table 624 Operate with SFTP files Operation Command Description Enter system view system view Optional Enter SFTP client view sftp host ip host name Rename a file or ...

Page 788: ...the remote SFTP server and enter SFTP client view SW7750 sftp 10 111 27 91 Display the current directory on the SFTP server delete file z and verify the operation sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone ...

Page 789: ... noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Received status End of file Received status Success Rename directory new1 to new2 and verify the operation sftp client rename new1 new2 Received status Success File successfully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noo...

Page 790: ...nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pub rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk Received status End of file Received status Success sftp client Exit from ...

Page 791: ...before executing the commands which have potential risks for example deleting and overwriting files n Switch 7750s support Fabric switchover Both the primary and the secondary Fabric have file system built in for you to manipulate the files on the both Fabrics Note that the URL of a file on the secondary Fabric must begin with slot No flash where No is the number of the slot where the secondary Fa...

Page 792: ...ule Configuration Operation Command Description Enter the root directory of a CF card cd cf Required Disable a CF card umount cf Required Table 627 File system configuration tasks Task Remark Related section Directory related operations Optional Directory Related Operations on page 792 File related operations Optional File Related Operations on page 792 Storage device related operations Optional S...

Page 793: ...evable For memory spaces that are unavailable due to unexpected errors you can use the fixdisk command to restore them Table 629 File related operations Operation Command Description Delete a file delete unreserved file url Optional A deleted file can be restored if you delete it by executing the delete command with the unreserved keyword not specified You can use the undelete command to restore a...

Page 794: ... 3 rw 3980 Apr 21 2006 15 08 29 config cfg 4 drw Apr 16 2006 11 18 17 hj 5 drw Apr 10 2005 19 07 59 dd 6 rw 11779 Apr 05 2006 10 23 03 test bak 7 rw 19307 Apr 16 2006 11 15 55 1 txt 8 rw 66 Apr 05 2006 11 32 28 temp1 31877 KB total 15876 KB free Create a directory named test SW7750 mkdir test Created dir flash test Copy flash config cfg as flash test 1 cfg SW7750 copy flash config cfg flash test 1...

Page 795: ...KB free SW7750 dir flash test Directory of flash test 0 rw 3980 Apr 25 2006 16 33 21 1 cfg 31877 KB total 15869 KB free Enter directory test SW7750 cd test Rename 1 cfg as c cfg SW7750 rename 1 cfg c cfg Renamed file flash 1 cfg to flash c cfg Delete the file c cfg SW7750 delete c cfg Deleted file flash test c cfg Restore the file c cfg SW7750 undelete c cfg Undeleted file flash test c cfg Display...

Page 796: ...796 CHAPTER 72 FILE SYSTEM MANAGEMENT ...

Page 797: ...rated in the software system of the router By accessing the BIMS center the router updates its configuration file and application automatically BIMS allows the device to access the BIMS center immediately after the corresponding command is executed at startup at regular intervals or at a specified time Update Procedure of Configuration File or Application The following is how the device uses BIMS ...

Page 798: ...ost software or configuration file is deleted and the new file is not saved yet In this case the upgrade will fail the configuration on the device will be lost and eventually the BIMS cannot manage the device Basic Configuration of BIMS Device c CAUTION The same port number must be configured on the BIMS device and on the BIMS center Table 632 BIMS device basic configuration Operation Command Desc...

Page 799: ...the BIMS Center at a Specified Time You can configure the BIMS device to access the BIMS center at a specified time and if desired at regular intervals from then on during a specified period Table 633 Enable BIMS device to access BIMS center upon power on Operation Command Description Enter system view system view Enable BIMS device to access BIMS center upon power on bims boot request Optional By...

Page 800: ... Automatically add the device function and set the shared key between the BIMS center and BIMS device After that when the device accesses the BIMS center it can be automatically added to the BIMS center Specify the files for upgrade including configuration file and application When the device accesses the BIMS center the BIMS center will judge whether to use these files to upgrade the files on the...

Page 801: ...3 21 97 and 80 respectively Configuration procedure 1 Configure the BIMS center Refer to Configuring the BIMS Device to Access the BIMS Center Periodically at Startup on page 800 2 Configure the BIMS device Enter system view SW7750 system view Enable BIMS SW7750 bims enable bims is enable Assign the device a unique identifier ar18 20 907 SW7750 bims device id ar18 20 907 Configure the shared key u...

Page 802: ...802 CHAPTER 73 BIMS CONFIGURATION ...

Page 803: ...n FTP client or an FTP server in an FTP implementation FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients You can log into a switch operating as an FTP server by running an FTP client program on your PC to access the files on the FTP server To accept login requests an FTP server must be assigned an IP address Table 637 describes the con...

Page 804: ...FTP Server Prerequisites A switch operates as an FTP server A remote PC operates as an FTP client The network operates properly as shown in Figure 205 Figure 205 Network diagram for FTP configuration PC Log into a switch operating as an FTP server through an FTP client application Table 637 Configurations needed when a switch operates as an FTP server Device Configuration Default Description Table...

Page 805: ...cating the FTP client a work directory An FTP server provides services to the FTP clients that are both authenticated and authorized The configurations such as configuring user name password the way to display passwords service type are performed on FTP servers Refer to the information about the local user local user password display mode password and service type commands in Configuring the Attri...

Page 806: ...figurations Configuration procedure 1 Configure the switch Log into the switch You can log into a switch through the Console port or by Telneting to the switch See Logging into an Ethernet Switch on page 33 for detailed information SW7750 Start the FTP service on the switch and create a user account and the corresponding password SW7750 system view SW7750 ftp server enable SW7750 local user switch...

Page 807: ...o hold the file to be uploaded you need to move the files that are not in use from the flash to other place to make room for the file 3Com series switch is not shipped with FTP client applications You need to purchase and install it by yourself 3 After uploading the application you can update the application on the switch Use the boot boot loader command to specify the uploaded file switch app to ...

Page 808: ...wd Optional Create a directory on the remote FTP server mkdir pathname Optional Remove a directory on the remote FTP server rmdir pathname Optional Delete a specified file delete remotefile Optional Query a specified file dir filename localfile Optional Query a specified remote file ls remotefile localfile Optional The ls command does not support extended parameters such as a Download a remote fil...

Page 809: ...rocedure 1 Perform FTP server related configurations on the PC that is create a user account on the FTP server with user name switch and password hello For detailed configuration refer to the configuration instruction relevant to the FTP server software 2 Configure the switch Log into the switch You can log into a switch through the Console port or by Telneting to the switch See Logging into an Et...

Page 810: ... and then restart the switch Thus the switch application is upgraded SW7750 boot boot loader switch app SW7750 reboot n For information about the boot boot loader command and how to specify the startup file for a switch refer to Specifying the APP to be Adopted at Reboot on page 863 TFTP Configuration Introduction to TFTP Compared with FTP TFTP trivial file transfer protocol features simple intera...

Page 811: ...a switch operates as a TFTP client Device Configuration Default Description Switch Configure an IP address for the VLAN interface of the switch so that it is reachable for TFTP server TFTP applies to networks where client server interactions are comparatively simple It requires the routes between TFTP clients TFTP servers are reachable You can log into a TFTP server directly for file accessing thr...

Page 812: ... a switch through the Console port or by Telneting to the switch See Logging into an Ethernet Switch on page 33 for detailed information SW7750 c CAUTION If the available space of the flash of the switch is not enough to hold the file to be uploaded you need to move the files that are not in use from the flash to other place to make room for the file Download the switch application named switch ap...

Page 813: ... 813 SW7750 boot boot loader switch app SW7750 reboot n For information about the boot boot loader command and how to specify the startup file for a switch refer to Specifying the APP to be Adopted at Reboot on page 863 ...

Page 814: ...814 CHAPTER 74 FTP AND TFTP CONFIGURATION ...

Page 815: ... log host 188 Apr 9 17 28 50 524 2004 3Com IFNET 5 UPDOWN Line protocol on the interface M Ethernet0 0 0 is UP SIP 10 5 1 5 SP 1080 The following describes the fields of an information item 1 Priority The calculation formula for priority is priority facility 8 severity 1 in which facility the device name defaults to local7 with the value being 23 the value of local6 is 22 that of local5 is 21 and...

Page 816: ...nformation Table 644 Modules generating information Module name Description ACCOUNT L3 real time accounting module ACL Access control list module ADBM Address base module AM_USERB Access management module ARP Address resolution protocol module BGP Border gateway protocol module CFM Configuration file management module CLNP Connectionless network protocol module CLNSECHO Connectionless network prot...

Page 817: ...ODEM module MPM Multicast port management module MSDP Multicast source discovery protocol module MSTP Multiple spanning tree protocol module NAT Network address translation module NDP Neighbor discovery protocol module NETSTREA Traffic statistic module NTDP Network topology discovery protocol module NTP Network time protocol module OSPF Open shortest path first module RDS Radius module RM Routing ...

Page 818: ...est 6 Digest It is a phrase within 32 characters abstracting the information contents A colon separates the digest and information contents SYSM System management module SYSMIB System MIB module TAC Terminal access controller module TELNET Telnet module TFTPC TFTP client module TUNNEL Packets transparent transmission module UDPH UDP helper module USERLOG User log module VFS Virtual file system mod...

Page 819: ...on center of the Ethernet switch features Supporting six information output directions namely console console monitor terminal monitor log host loghost trap buffer trapbuffer log buffer logbuffer and SNMP snmp agent Filtering information by information severities information is divided into eight severity levels Filtering information by modules where information is generated Language options Chine...

Page 820: ...rface through which log information is sent to the log host info center loghost source interface type interface number Optional Define an information source info center source modu name default channel channel number channel name log trap debug level severity state state Required Set the format of the time stamp info center timestamp log trap debugging boot date none Optional Table 647 Enable info...

Page 821: ...lt this function is enabled for console user Enable debugging information terminal display function terminal debugging Optional By default the debugging information terminal display is disabled for terminal users Enable log information terminal display function terminal logging Optional By default log information terminal display is enabled for console users Enable trap information terminal displa...

Page 822: ... function with the terminal logging command Perform the following configuration in user view Define an information source info center source modu name default channel channel number channel name log trap debug level severity state state Required Set the format of time stamp info center timestamp log trap debugging boot date none Optional This is to set the time stamp format for log debugging trap ...

Page 823: ...m view Enable the information center info center enable Optional By default the information center is enabled Enable information output to the log buffer info center logbuffer channel channel number channel name size buffersize exclude regular expression Optional By default the switch uses information channel 4 to output log information to the log buffer which can hold up to 512 items by default ...

Page 824: ...p debugging boot date none Optional This is to set the time stamp format for log debugging trap information output This determines how the time stamp is presented to users Table 653 Enable information output to the trap buffer Operation Command Description Table 654 Enable information output to the SNMP Operation Command Description Enter system view system view Enable the information center info ...

Page 825: ...llowing log information in English to the Unix log host whose IP address is 202 38 1 10 the log information of the two modules ARP and IP with severity higher than informational Table 655 Display and debug information center Operation Command Description Display information on information channel display channel channel number channel name The display command can be executed in any view Display th...

Page 826: ...rap state off SW7750 info center source ip channel loghost log level informational debug state off trap state off 2 Configure the log host The operations here are performed on SunOS 4 0 The operations on other manufacturers Unix operation systems are similar Step 1 Execute the following commands as the superuser root user mkdir var log 3Com touch var log 3Com information Step 2 Edit the file etc ...

Page 827: ...ux Log Host Network requirements The switch sends the following log information in English to the Linux log host whose IP address is 202 38 1 10 All modules log information with severity higher than errors Network diagram Figure 211 Network diagram for log output to a Linux log host Configuration procedure 1 Configure the switch Enable the information center SW7750 system view SW7750 info center e...

Page 828: ... conf is modified run the following commands to view the process ID of the system daemon syslogd stop the process and then restart the daemon syslogd in the background with the r option ps ae grep syslogd 147 kill 9 147 syslogd r n In case of Linux log host the daemon syslogd must be started with the r option After all the above operations the switch can make records in the corresponding log file ...

Page 829: ...g information output to the console Permit ARP and IP modules to output information with severity level higher than informational to the console SW7750 info center console channel console SW7750 info center source arp channel console log level informational SW7750 info center source ip channel console log level informational Enable terminal display SW7750 terminal monitor SW7750 terminal logging ...

Page 830: ...830 CHAPTER 75 INFORMATION CENTER ...

Page 831: ...NS Resolution With static DNS resolution you can manually configure some name to address mappings in the static DNS list and the system will search the static list for corresponding IP addresses when users use domain names with some applications such as telnet Dynamic DNS Resolution Resolving procedure The procedure of dynamic DNS resolution is as follows 1 A user program sends a name query to the...

Page 832: ...an use the list to supply the missing part For example you can configure a suffix com in the list and users only need to input aabbcc to get the IP address of aabbcc com for the resolver will automatically add the suffix and delimiter before passing the name to the DNS Server When a user input a domain name If there is no dot in the domain name such as aabbcc the resolver will consider this as a h...

Page 833: ...to visit Host with IP address 3 1 1 1 16 The DNS server IP address is 2 1 1 2 16 The DNS suffixes com and net are configured Table 656 Configure static DNS resolution Operation Command Description Enter system view system view Add a hostname to address mapping entry ip host hostname ip address Required There is no entry in the static DNS list by default Table 657 Configure dynamic DNS resolution O...

Page 834: ...erver IP address 2 1 1 2 SW7750 dns server 2 1 1 2 Configure net as a DNS suffix SW7750 dns domain net Configure com as a DNS suffix SW7750 dns domain com Ping Host on Switch to verify the configuration and the corresponding IP address it should be 3 1 1 1 Displaying and Maintaining DNS After the above configuration you can execute the display command in any view to view the DNS configuration and ...

Page 835: ...as the correct IP address of the DNS Server If the specified domain name is not in the cache ensure that dynamic DNS resolution is enabled the DNS Client can normally communicate with the DNS Server and the DNS Server works normally Check the DNS mapping list is correct on the DNS Server Table 658 Display and maintain DNS Operation Command Description Display static DNS list information display ip...

Page 836: ...836 CHAPTER 76 DNS CONFIGURATION ...

Page 837: ...P through Ethernet port You can load software remotely by using FTP TFTP n The BootROM software version should be compatible with the host software version when you load the BootROM and host software Local Software Loading If your terminal is directly connected to the switch you can load the BootROM and host software locally Before loading the software make sure that your terminal is correctly con...

Page 838: ...oot Menu appears Otherwise the system starts to decompress the program and if you want to enter the Boot Menu at this time you will have to restart the switch Input the correct BootROM password no password is need by default The system enters the Boot Menu BOOT MENU 1 Download application file to flash 2 Select application file to boot 3 Display all files in flash 4 Delete file from flash 5 Modify...

Page 839: ...menu shown below SRPG bootrom update menu 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Then you can choose different protocols to load BootROM Step 2 Enter 3 in the above menu to download the BootROM software using XMODEM The system will prompt to enter the name of the BootROM file to load Load File name S775...

Page 840: ...g are configurations on PC Take the Hyperterminal using Windows operating system as example Step 4 Choose File Properties in HyperTerminal click Configure in the pop up dialog box and then select the baud rate of 115200 bps in the Console port configuration dialog box that appears as shown in Figure 215 Figure 216 Figure 215 Properties dialog box ...

Page 841: ...ons n The new baud rate takes effect only after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Press Ctrl X Loading CCCCCCCCCC Step 7 Choose Transfer Send File in the HyperTerminal s window and click Browse in pop up dialo...

Page 842: ... rate to 9600 bps refer to Step 4 and 5 Then press any key as prompted The system will display the following information when it completes the loading Bootrom updating done n If the HyperTerminal s baud rate is not reset to 9600 bps the system prompts Your baudrate should be set to 9600 bps again Press enter key when ready You need not reset the HyperTerminal s baud rate and can skip the last step...

Page 843: ...client and server It uses UDP to provide unreliable data stream transfer service Loading BootROM software Figure 220 Local loading using TFTP Step 1 As shown in Figure 220 connect the switch through an Ethernet port to the TFTP server and connect the switch through the Console port to the configuration PC n You can use one PC as both the configuration device and the TFTP server Step 2 Run the TFTP ...

Page 844: ...ost software Step 1 Select 1 in Boot Menu and press Enter The system displays the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 3 Step 2 Enter 1 in the above menu to download the host software using TFTP The subsequent steps are the same as those for loading the BootROM program except tha...

Page 845: ...ootROM update menu shown below SRPG bootrom update menu 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Step 4 Enter 2 in the above menu to download the BootROM software using FTP Then set the following FTP related parameters as required Load File name S7750 btm Switch IP address 10 1 1 2 Server IP address 10 1 ...

Page 846: ...Remote Software Loading If your terminal is not directly connected to the switch you can telnet to the switch and use FTP or TFTP to load BootROM and host software remotely Remote Loading Using FTP Loading Process Using FTP Client 1 Loading BootROM As shown in Figure 222 a PC is used as both the configuration device and the FTP server You can telnet to the switch and then execute the FTP commands ...

Page 847: ...le and that you need to use the boot boot loader command to select the host software at reboot of the switch After the above operations the BootROM and host software loading is completed Pay attention to the following The loading of BootROM and host software takes effect only after you restart the switch with the reboot command If the space of the Flash memory is not enough you can delete the usel...

Page 848: ...nterface1 ip address 192 168 0 65 255 255 255 0 Step 3 Enable FTP service on the switch configure the FTP user name to test password to pass and directory to FLASH root directory SW7750 Vlan interface1 quit SW7750 ftp server enable SW7750 local user test New local user added SW7750 luser test password simple pass SW7750 luser test service type ftp ftp directory flash Step 4 Enable FTP client softw...

Page 849: ...otROM Step 6 Enter ftp 192 168 0 65 and enter the user name test password pass as shown in Figure 226 to log on the FTP server Figure 226 Log on the FTP server Step 7 Use the put command to upload the file s7500 btm to the switch as shown in Figure 227 ...

Page 850: ...for that the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software at reboot of the switch n The steps listed above are performed in the Windows operating system if you use other FTP client software refer to the corresponding user s guide before operation Only the configurations steps concerning loading are illustrated her...

Page 851: ...le Fabrics and active standby switchover function If a switch possesses two Fabrics with the active standby switchover function enabled you can in turn upgrade and restart the two Fabrics with one Fabric being active Although Fabric can be upgraded through hot backup because the I O Module must be restarted to keep identical with the Fabric s software your services will still be interrupted during...

Page 852: ...852 CHAPTER 77 BOOTROM AND HOST SOFTWARE LOADING ...

Page 853: ...854 Set the local time zone Optional Setting the Local Time Zone on page 854 Set the summer time Optional Setting the Summer Time on page 854 Set the CLI language mode Optional Setting the CLI Language Mode on page 854 Return from current view to lower level view Returning from Current View to Lower Level View on page 855 Return from current view to user view Returning from Current View to User Vi...

Page 854: ...em time Perform the following configuration in user view Setting the CLI Language Mode Table 662 Set the date and time of the system Operation Command Description Set the current date and time of the system clock datetime HH MM SS YYYY MM DD Optional Table 663 Set the local time zone Operation Command Description Set the local time zone clock timezone zone name add minus HH MM SS Optional By defau...

Page 855: ...ls whether the debugging information of a protocol is output Terminal display which controls whether the debugging information is output to a user screen The relation between the two switches is as follows Table 666 Return from current view to lower level view Operation Command Description Return from current view to lower level view quit This operation will result in exiting the system if current...

Page 856: ...rmation will affect the efficiency of the system disable your debugging after you finish it Enable terminal display for debugging terminal debugging By default terminal display for debugging is disabled 1 2 3 Protocol debugging switches ON ON OFF ON OFF 1 3 1 3 Terminal display switches 1 3 Debugging information 1 2 3 Protocol debugging switches ON ON OFF ON OFF 1 3 1 3 Terminal display switches 1...

Page 857: ...ent operating information about the modules settled when this command is designed in the system for troubleshooting your system Perform the following operation in any view Table 671 Display the current operation information about the modules in the system Operation Command Description Display the current operation information about the modules in the system display diagnostic information module na...

Page 858: ...858 CHAPTER 78 BASIC SYSTEM CONFIGURATION DEBUGGING ...

Page 859: ... check the network connectivity It can help you locate the trouble spot of the network The executing procedure of the tracert command is as follows First the source host sends a data packet with the TTL of 1 and the first hop device returns an ICMP error message indicating that it cannot forward this packet because of TTL timeout Then the source host resends the packet with the TTL of 2 and the se...

Page 860: ...TY TEST Table 673 The tracert command Operation Command Support IP protocol tracert a source ip f first TTL m max TTL p port q num packet w timeout host Support CLNS protocol tracert clns m max TTL n num packet t timeout v nsap address ...

Page 861: ...he secondary module is inserted configurations on the last two SFP interfaces of the primary module will not be sent to the first two SFP interfaces of the secondary module automatically and you need to do this manually Introduction to Device Management The device management function of the Ethernet switch can report the current status and event debugging information of the modules to you Through ...

Page 862: ... time Update the BootROM Optional Updating the BootROM on page 863 Upgrade BootROM along with the upgrade of ARP Optional Upgrading BootROM along with the Upgrade of ARP on page 863 Set module temperature threshold Optional Setting Module Temperature Threshold on page 864 Enable disable RDRAM Optional Enabling Disabling RDRAM on page 864 Enable system load sharing Optional Enabling System Load Sha...

Page 863: ...h to update the running BootROM application With this command a remote user can conveniently update the BootRom by uploading the BootROM to the switch through FTP and running this command The BootROM can be used when the switch reboots Perform the following configuration in user view Upgrading BootROM along with the Upgrade of ARP Upgrading BootROM along with ARP can ensure the best matching betwe...

Page 864: ...oss card forwarded load sharing is performed between the active Fabric and the standby Fabric n Only unicast traffic supports load sharing The 96Gbps Switch Fabric and GEbus I O Modules do not support load sharing Only I O Module of XGbus type supports load sharing Table 680 Configure to upgrade BootROM Operation Command Description Use the current boot file to upgrade BootROM boot bootrom default...

Page 865: ...nsceiver Electrical label information is also called permanent configuration data or archive information which is written to the storage device of a module during device debugging or test The information includes name of the module device serial number and vendor name or vendor name specified Table 684 Commonly used pluggable transceivers Transceiver type Applied environment Whether can be an opti...

Page 866: ...d commands A type modules include 3C16860 3C16861 LS81FS24A 3C16858 and 3C16859 Pause Frame Protection Mechanism Configuration Task The following describes the configuration tasks of Pause Frame protection mechanism Pause Frame Protection Mechanism Configuration Example Network requirements Enable pause frame protection mechanism on the module in Slot 7 of the switch Configuration procedure 1 Ente...

Page 867: ...rect IP addresses Layer 3 Connectivity Detection Configuration Example Network requirements The physical link between the local peer and the remote peer is correct The local peer port that is used to connect is Ethernet4 0 1 The IP address of the Layer 3 interface of the remote peer is 1 1 1 1 Configuration procedure Enter system view SW7750 system view SW7750 Enter Ethernet interface view SW7750 in...

Page 868: ...Enable queue traffic monitoring SW7750 qe monitor enable Set the overall traffic threshold used in queue traffic monitoring to 90 Mbps SW7750 qe monitor overflow threshold 90000000 Configuring Error Packets Monitoring If the switch receives a great number of error packets it will not be able to send receive packets properly With error packets monitoring enabled the switch collects information abou...

Page 869: ...e Device Management Configuration After the above configurations you can execute the display command in any view to display the operating status of the device management to verify the configuration effects Table 688 Configure error packets monitoring Operation Command Description Enter the system view system view Set the interval for detecting error packets qe monitor errpkt check time interval Op...

Page 870: ...h are stored into the directory of the switch Use FTP to download the switch app and boot btm files from the FTP server to the switch Network diagram Figure 229 Network diagram of FTP configuration Configuration procedure 1 Configure the following FTP server related parameters on the PC an FTP user with the username and password as switch and hello respectively and specify the Table 689 Display th...

Page 871: ...mmand in user view Input the correct user name and password to log into the FTP server SW7750 ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 FTP service ready User none switch 331 Password required for switch Password 230 User logged in ftp Execute the get command to download the switch app and boot btm files on the FTP server to the Flash memory of the switch ftp get switch app ftp get bo...

Page 872: ...cified file will be booted next time on unit 1 SW7750 display boot loader The primary app to boot of board 0 at the next time is flash switch app The backup app to boot of board 0 at the next time is flash old app The app to boot of board 0 at this time is flash old app SW7750 reboot ...

Page 873: ...ping client and you can view the test results on remote ping client only When performing a remote ping test you need to configure a remote ping test group on the remote ping client A remote ping test group is a set of remote ping test parameters A test group contains several test parameters and is uniquely identified by an administrator name and a test tag After creating a remote ping test group a...

Page 874: ...t number greater than 50000 Otherwise your remote ping test may fail or the service corresponding to the well known port may become unavailable TCP test Tcppublic test Tcpprivate test UDP test Udppublic test Udpprivate test Table 691 Remote ping test parameters Test parameter Description Destination address destination ip For TCP UDP jitter test you must specify a destination IP address and the de...

Page 875: ...size For ICMP UDP jitter test you can configure the size of test packets For ICMP test the ICMP packet size refers to the length of ECHO REQUEST packets excluding IP and ICMP headers Maximum number of history records that can be saved history records This parameter is used to specify the maximum number of history records that can be saved in a test group When the number of saved history records ex...

Page 876: ...be sent per probe jitter packetnum Jitter test is used to collect statistics about delay jitter in UDP packet transmission In a jitter probe the remote ping client sends a series of packets to the remote ping server at regular intervals you can set the interval Once receiving such a packet the remote ping server marks it with a timestamp and then sends it back to the remote ping client Upon receiv...

Page 877: ...ric is enabled all other test types cannot be performed when IRF fabric is enabled With IRF fabric enabled you are allowed to configure remote ping tests and use the display commands to check your configurations Table 692 Remote ping server configuration tasks Item Description Related section Enable the remote ping server function The remote ping server function is needed only for jitter TCP and U...

Page 878: ...s configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the test type test type icmp Optional By default the test type is ICMP Configure the number of probes per test count times Optional By default each test makes one probe Configure the packet size datasize size Optional By default the packet size is 56 bytes Configure th...

Page 879: ...ach test makes one probe Configure the maximum number of history records that can be saved history records number Figure 231 Optional By default the maximum number is 50 Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Start the test test enable Required Display test results display remote ping results admin name operation tag Required You can ex...

Page 880: ...l By default a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Configure the type of FTP operation ftp operation get put Optional By default the type of FTP operation is get that is the FTP operation will get a file from the FTP server Configure an FTP login username username name Required By default neither username nor passwor...

Page 881: ...no IP address of the DNS server is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By default no source port is configured Configure the number of probes per test count times Optional By default each test makes one probe Configure the maximum number of history records t...

Page 882: ...ew Enable the remote ping client function remote ping agent enable Required By default the remote ping client function is disabled Create a remote ping test group and enter its view remote ping administrator name operation tag Required By default no test group is configured Configure the test type test type jitter Required By default the test type is ICMP Configure the destination IP address desti...

Page 883: ...t packets that will be sent in each jitter probe jitter packetnum number Optional By default each jitter probe will send 10 packets Configure the interval to send test packets in the jitter test jitter interval interval Optional By default the interval is 20 milliseconds Start the test test enable Required Display test results display remote ping results admin name operation tag Required You can e...

Page 884: ...Optional By default the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Start the test test enable Required Display test results display remote ping results admin name operation ta...

Page 885: ...ss Optional By default the source IP address is not specified Configure the test type test type tcpprivate tcppublic Required By default the test type is ICMP Configure the source port source port port number Optional By default no source port is specified Configure the number of probes per test count times Optional By default one probe is made per time Configure the automatic test interval freque...

Page 886: ...blic Required By default the test type is ICMP Configure the destination address destination ip ip address Required This IP address and the one configured on the remote ping server for listening service must be the same By default no destination address is configured Configure the destination port destination port port number Required in a Udpprivate test A Udppublic test is a UDP connection test ...

Page 887: ...the service type is zero Start the test test enable Required Display test results display remote ping results admin name operation tag Required The display command can be executed in any view Table 701 Configure UDP test on remote ping client Operation Command Description Table 702 Configure DNS test on remote ping client Operation Command Description Enter system view system view Enable the remot...

Page 888: ...ot specified Configure the IP address of the DNS server dns server ip address Required By default no DNS server address is configured Start the test test enable Required Display test results display remote ping results admin name operation tag Required The display command can be executed in any view Table 703 Configure the remote ping client to send Trap messages Operation Command Description Ente...

Page 889: ...le remote ping client 7750 system view 7750 remote ping agent enable Create a remote ping test group setting the administrator name to administrator and test tag to ICMP 7750 remote ping administrator icmp Configure the test type as icmp Configure the number of consecutive unsuccessful remote ping probes before Trap output probe failtimes times Optional By default Trap messages are sent each time ...

Page 890: ...ded test time 2000 4 2 20 55 12 3 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 7750 remote ping administrator icmp display remote ping history administrator i cmp Remote ping entry ...

Page 891: ...e ping administrator dhcp test enable Display test results 7750 remote ping administrator dhcp display remote ping results administra tor dhcp Remote ping entry admin administrator tag dhcp test result Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 1018 1037 1023 Square Sum of Round Trip Time 10465630 Last complete test time 2000 4 3 9 51 30 9 Extend result SD Ma...

Page 892: ...work diagram for the FTP test Configuration procedure Configure FTP Server Switch B Configure FTP server on Switch B For specific configuration of FTP server refer to FTP and TFTP Configuration on page 803 Configure remote ping Client Switch A Enable the remote ping client 7750 system view 7750 remote ping agent enable Create a remote ping test group setting the administrator name to administrator...

Page 893: ...fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 7750 remote ping administrator ftp display remote ping history administrat or ftp Remote ping entry admin administrator tag ftp history record Index Response Status LastRC Time 1 15822 1 0 2000 04 03 04 00 34 6 2 15772 1 0 2000 04 03 04 00 18 8 3 9945 1 0 2000 04 03 04 00 02 9 4 15891 1 0 2000 04 03 03 59 52...

Page 894: ...s 7750 remote ping administrator http timeout 30 Start the test 7750 remote ping administrator http test enable Display test results 7750 remote ping administrator http display remote ping results administrator h ttp Remote ping entry admin administrator tag http test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 47 87 74 S...

Page 895: ...t name you must configure the IP address of the DNS server to resolve the host name into an IP address which is the destination IP address of this HTTP test Jitter Test Network requirements Both the remote ping client and the remote ping server are Switch 7750s Perform a remote ping jitter test between the two switches to test the delay jitter of the UDP packets exchanged between this end remote p...

Page 896: ...ct operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Jitter result RTT Number 100 Min Positive SD 1 Min Positive DS 1 Max Positive SD 6 Max Positive DS 8 Positive SD Number 38 Positive DS Number 25 Positive SD Sum 85 Positive DS Sum 42 Positive SD average 2 Positive DS a...

Page 897: ...nt community write private n The SNMP network management function must be enabled on SNMP agent before it can receive response packets The SNMPv2c version is used as reference in this example This configuration may differ if the system uses any other version of SNMP For details see SNMP RMON Operation Manual Configure remote ping Client Switch A Enable the remote ping client 7750 system view 7750 ...

Page 898: ...in administrator tag snmp history record Index Response Status LastRC Time 1 10 1 0 2000 04 03 08 57 20 0 2 10 1 0 2000 04 03 08 57 20 0 3 10 1 0 2000 04 03 08 57 20 0 4 10 1 0 2000 04 03 08 57 19 9 5 9 1 0 2000 04 03 08 57 19 9 6 11 1 0 2000 04 03 08 57 19 9 7 10 1 0 2000 04 03 08 57 19 9 8 10 1 0 2000 04 03 08 57 19 9 9 10 1 0 2000 04 03 08 57 19 8 10 10 1 0 2000 04 03 08 57 19 8 For detailed ou...

Page 899: ...trator tcpprivate test enable Display test results 7750 remote ping administrator tcpprivate display remote ping results administr ator tcpprivate Remote ping entry admin administrator tag tcpprivate test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 4 7 5 Square Sum of Round Trip Time 282 Last complete test time 2000 4 2 8...

Page 900: ...8000 Configure remote ping Client Switch A Enable the remote ping client 7750 system view 7750 remote ping agent enable Create a remote ping test group setting the administrator name to administrator and test tag to udpprivate 7750 Remote ping administrator udpprivate Configure the test type as udpprivate 7750 remote ping administrator udpprivate test type udpprivate Configure the IP address of th...

Page 901: ... 11 1 0 2000 04 02 08 29 45 5 2 12 1 0 2000 04 02 08 29 45 4 3 11 1 0 2000 04 02 08 29 45 4 4 11 1 0 2000 04 02 08 29 45 4 5 11 1 0 2000 04 02 08 29 45 4 6 11 1 0 2000 04 02 08 29 45 4 7 10 1 0 2000 04 02 08 29 45 3 8 10 1 0 2000 04 02 08 29 45 3 9 10 1 0 2000 04 02 08 29 45 3 10 11 1 0 2000 04 02 08 29 45 3 For detailed output description see the corresponding command manual DNS Test Network requ...

Page 902: ...ceive response times 10 Min Max Average Round Trip Time 6 10 8 Square Sum of Round Trip Time 756 Last complete test time 2006 11 28 11 50 40 9 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation er...

Page 903: ...oncepts of RRPP Figure 250 RRPP networking Domain A domain consists of switches with the same domain ID and control VLAN A domain can consist of multiple Ethernet rings only one of which is the primary ring and the others are subrings The ring roles are determined by user configuration If there is only one Ethernet ring you can configure the ring either as a primary ring or as a subring without ma...

Page 904: ...used to transfer data packets A data VLAN contains the ports connecting the switch with the Ethernet ring network and other ports Node Every switch on an Ethernet ring network is a node Node roles are as follows Master node The node that initiates loop detection and prevents data loops prevention is the master node Each ring has one and only one master node Transit node All nodes other than the ma...

Page 905: ...After the ports are unblocked these packets or messages can pass through the ports Common port and edge port Of the two ports connecting an edge node or assistant edge node to a subring one is the common port and the other is the edge port of the node The common port connects the edge node to the primary ring and a subring at the same time An edge port is connected only with a subring Conceptually...

Page 906: ...the secondary port and sends the Common Flush packet to tell all transit nodes to refresh their respective MAC address FDB and ARP table Ring recovery The master node may detect that the ring has recovered a period time after the RRPP domain port on a transit node becomes UP again In this period a temporary data loop may occur in data VLANs which can cause broadcast storm Table 705 RRPP messages M...

Page 907: ...tatus and the master node sends the Complete Flush message through the primary port to request the transit node to update the FDB and unblock the temporarily blocked port After the transit node receives the Complete Flush message it unblocks the temporarily blocked port If the transit node does not receive the Complete Flush message after the Fail timer expires it automatically unblocks the tempor...

Page 908: ... exist between each pair of rings In this case only one RRPP domain is to be defined in which one ring must be defined as the primary ring and the rest as subrings RRPP on 3Com Switch 7750 Family To employ RRPP on a Switch 7750 Ethernet switch make sure that The chassis comes with the silk print XGbus Ring 2 Ring 1 Switch A Switch B Switch C Switch E Domain 1 Transit node Switch D Transit node Tra...

Page 909: ...gs have been configured as trunk ports, all ports allow data VLAN packets to pass, and STP has been disabled on all the ports connecting the Ethernet rings. Master Node Configuration Tasks: The following table describes the master node configuration tasks. Table 706 Configure the master node (Operation / Command / Description): Enter system view: system-view. Create an RRPP domain and enter RRPP domain view: r...

Page 910: ...ster Node Configuration Example Network requirements Define the switch as a node in RRPP domain 1 Define VLAN 4092 as the control VLAN Define the switch as the master node on primary ring 1 in RRPP domain 1 GigabitEthernet2 0 1 as the primary port and GigabitEthernet2 0 2 as the secondary port Set the Hello timer and Fail time to 2 seconds and 7 seconds respectively Configuration procedure c CAUTI...

Page 911: ...ate an RRPP domain and enter RRPP domain view rrpp domain domain id Required The command prompt of RRPP domain view depends on the domain id you input Specify a control VLAN for the RRPP domain control vlan vlan id Required Specify the current switch as the transit node of a ring and specify the primary port and the secondary port of the node ring ring id node mode transit primary port pri port se...

Page 912: ...e unique in the same RRPP domain Transit Node Configuration Example Network requirements Define the switch as a node in RRPP domain 1 Define VLAN 4092 as the control VLAN Define the switch as a transit node on primary ring 1 in RRPP domain 1 GigabitEthernet2 0 1 as the primary port and GigabitEthernet2 0 2 as the secondary port Configuration procedure c CAUTION Make sure that the switch ports conn...

Page 913: ... depends on the domain id you input Specify a control VLAN for the RRPP domain control vlan vlan id Required Specify the current switch as a transit node of the primary ring and specify the primary port and the secondary port ring ring id node mode transit primary port pri port secondary port sec port level level value Required Level 0 identifies the primary ring and level 1 identifies a subring S...

Page 914: ...c CAUTION: Make sure that the switch ports connecting the Ethernet rings have been configured as trunk ports, all ports allow data VLAN packets to pass, and STP has been disabled on all the ports connecting the Ethernet rings. <SW7750> system-view; [SW7750] rrpp domain 1; [SW7750-rrpp-domain1] control-vlan 4092; [SW7750-rrpp-domain1] ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port ...

Page 915: ...ontrol VLAN for the RRPP domain control vlan vlan id Required Specify the current switch as a transit node of the primary ring and specify the primary port and the secondary port ring ring id node mode transit primary port pri port secondary port sec port level level value Required Level 0 identifies the primary ring and level 1 identifies a subring Specify the current switch as an assistant edge ...

Page 916: ... CAUTION: Make sure that the switch ports connecting the Ethernet rings have been configured as trunk ports, all ports allow data VLAN packets to pass, and STP has been disabled on all the ports connecting the Ethernet rings. <SW7750> system-view; [SW7750] rrpp domain 1; [SW7750-rrpp-domain1] control-vlan 4092; [SW7750-rrpp-domain1] ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port G...

Page 917: ...1 control vlan 4092 SW7750 rrpp domain 1 ring 1 node mode master primary port GigabitE thernet2 0 1 secondary port GigabitEthernet2 0 2 level 0 SW7750 rrpp domain 1 ring 1 enable SW7750 rrpp domain 1 quit SW7750 rrpp enable Configure Switch B SW7750 system view SW7750 rrpp domain 1 SW7750 rrpp domain 1 control vlan 4092 SW7750 rrpp domain 1 ring 1 node mode transit primary port Gigabit Ethernet2 0...

Page 918: ... Switch B Switch C and Switch D constitute primary ring 1 Switch B Switch C and Switch E form the subring 2 Switch A serves as the master node of the primary ring GigabitEthernet2 0 1 as the primary port and GigabitEthernet2 0 2 as the secondary port Switch E serves as the master node of the subring its GigabitEthernet2 0 1 is the primary port and its GigabitEthernet2 0 2 is the secondary port Swi...

Page 919: ... SW7750 rrpp domain 1 control vlan 4092 SW7750 rrpp domain 1 ring 1 node mode transit primary port Gigabit Ethernet2 0 1 secondary port GigabitEthernet2 0 2 level 0 SW7750 rrpp domain 1 ring 2 node mode edge common port GigabitEthe rnet 2 0 2 edge port GigabitEthernet 2 0 3 SW7750 rrpp domain 1 ring 1 enable SW7750 rrpp domain 1 ring 2 enable SW7750 rrpp domain 1 quit SW7750 rrpp enable Configure ...

Page 920: ... Gigabit Ethernet2 0 1 secondary port GigabitEthernet2 0 2 level 0 SW7750 rrpp domain 1 ring 1 enable SW7750 rrpp domain 1 quit SW7750 rrpp enable Configure Switch E SW7750 system view SW7750 rrpp domain 1 SW7750 rrpp domain 1 control vlan 4092 SW7750 rrpp domain 1 ring 2 node mode master primary port GigabitE thernet2 0 1 secondary port GigabitEthernet2 0 2 level 1 SW7750 rrpp domain 1 ring 2 ena...

Page 921: ...egment where the next hop of the default route resides through enabling default route Telnet protection By default default route Telnet protection is disabled Before configuring Telnet protection you need to enable Telnet SNMP and ICMP protection respectively You can configure Telnet protection SNMP protection and ICMP protection for only the packets of the specific source IP addresses c CAUTION A...

Page 922: ...ection or special ARP Telnet protection attack protection ip address Required If you use this command with the ip address parameter you can protect the specified Layer 3 interfaces Table 712 Configure ICMP protection Operation Command Description Enter system view system view Enable ICMP protection attack protection icmp ip address Required If you use this command with the ip address parameter you...

Page 923: ...nsists of two member ports one master port and one slave port Normally only one port master or slave is active and the other port is blocked that is in the standby state When link failure occurs on the port in active state the Smart Link group will block the port automatically and turn standby state to active state on the blocked port Figure 256 Network diagram of Smart Link In Figure 256 Ethernet...

Page 924: ...the device Switch A in Figure 256 broadcasts flush messages in this control VLAN Control VLAN for receiving flush messages This control VLAN is used for receiving and processing flush messages When link switching occurs the devices Switch B and Switch C in Figure 256 receive and process flush messages of this control VLAN and then refresh MAC forwarding table entries and ARP entries n Currently th...

Page 925: ...e port does not come into the forwarding state until the next link switching Configuring Smart Link n Before configuring a member port of a Smart Link group you must Disable the port to avoid loops thus preventing broadcast storm Disable STP on the port After completing the configuration you need to enable the Ethernet ports disabled before configuring the Smart Link group Configuration Tasks Conf...

Page 926: ...5 Configure Smart Link with ports as the members of the Smart Link group Operation Command Remarks Enter system view system view Create a Smart Link group and enter Smart Link group view smart link group group id Required Enable the function of sending flush messages in the specified control VLAN flush enable control vlan vlan id Required By default no control VLAN for sending flush messages is sp...

Page 927: ...n an associated device is different than the one for sending flush messages configured on the corresponding Smart Link device the device will forward received flush messages without processing them 9 In the static or manual link aggregation group which serves as a Smart Link group member if a member port can process flush messages this function cannot be synchronized to the other ports in the aggr...

Page 928: ...witch Switch C Switch D and Switch E support Smart Link Configure Smart Link feature to provide remote PCs with reliable access to the server Network diagram Figure 258 Network diagram for Smart Link configuration Table 718 Display and debug Smart Link Operation Command Remarks Display the information of a Smart Link group display smart link group group id all You can execute the display command i...

Page 929: ...e Ethernet2/0/1 as the master port and Ethernet2/0/2 as the slave port for Smart Link group 1: [SwitchA-smlk-group1] port Ethernet 2/0/1 master; [SwitchA-smlk-group1] port Ethernet 2/0/2 slave. Configure to send flush messages within VLAN 1: [SwitchA-smlk-group1] flush enable control-vlan 1. 2 Enable the function of processing flush messages received from VLAN 1 on Switch C. Enter system view: <SwitchC> system-v...

Page 930: ...flush messages received from VLAN 1 on Switch E. Enter system view: <SwitchE> system-view. Enable the function of processing flush messages received from VLAN 1 on Ethernet 2/0/2 and Ethernet 2/0/3: [SwitchE] smart-link flush enable control-vlan 1 port Ethernet 2/0/2 to Ethernet 2/0/3 ...

Page 931: ...itor Link group are forced down When the link for the uplink port recovers all the downlink ports in the group are re enabled Figure 259 Network diagram for a Monitor Link group implementation As shown in Figure 259 the Monitor Link group configured on the device Switch A consists of an uplink port Ethernet2 0 1 and two downlink ports Ethernet2 0 2 and Ethernet2 0 3 A member port can be an Etherne...

Page 932: ...tor Link group and Monitor Link group detects that the link for the uplink port Ethernet2 0 1 fails all the downlink ports in the group are shut down therefore Ethernet2 0 3 on Switch C is blocked Now Smart Link group configured on Switch A detects that a link fault occurs on the master port Ethernet2 0 1 Then Smart Link immediately activates the slave port Ethernet2 0 2 so that traffic is switche...

Page 933: ...roup group id Required Table 721 Configure the uplink port Operation Command Remarks Enter system view system view Enter the specified Monitor Link group view monitor link group group id Configure the uplink port for the Monitor Link group Configure the specified link aggregation group as the uplink port of the Monitor Link group link aggregation group group id uplink Required Use any of the three...

Page 934: ...Monitor Link Configuration Example Implementing Collaboration Between Smart Link and Monitor Link Network requirements As shown in Figure 261 the PCs access the server and Internet through the switch Configure Smart Link and Monitor Link to prevent the PCs from failing to access the server and Internet due to uplink link or port failure Configure a downlink port for the Monitor Link group Configur...

Page 935: ...Enter Ethernet port view Disable STP on Ethernet2 0 1 and Ethernet2 0 2 SwitchA interface Ethernet 2 0 1 SwitchA Ethernet2 0 1 stp disable SwitchA Ethernet2 0 1 quit SwitchA interface Ethernet 2 0 2 SwitchA Ethernet2 0 2 stp disable Return to system view SwitchA Ethernet2 0 2 quit Create Smart Link group 1 and enter Smart Link group view SwitchA smart link group 1 BLOCK Switch A Switch B Eth1 0 1 ...

Page 936: ...onitor link group 1 Configure Ethernet2 0 1 as the uplink port of the Monitor Link group and Ethernet2 0 2 and Ethernet2 0 3 as the downlink ports SwitchC mtlk group1 port Ethernet 2 0 1 uplink SwitchC mtlk group1 port Ethernet 2 0 2 downlink SwitchC mtlk group1 port Ethernet 2 0 3 downlink Return to system view Enable the function of processing flush messages received from VLAN 1 on Ethernet2 0 2...

Page 937: ...ot ROM You need also to confirm the upgrade operation in the upgrade process Boot ROM Upgrade Configuration Example Network requirements Use the current startup file to upgrade the Boot ROMs of all normal I O Module modules in position Use the specified App file abcd app to upgrade the Boot ROMs of all normal I O Module modules in position Specify the App file abcd app as the primary startup file ...

Page 938: ...through negotiation to improve the adaptability and stability This mode is based on the corresponding Ethernet standards By default the Fabric and the service modules in a Switch 7750 Ethernet switch negotiate to establish 1000 Mbps links in between Fix mode where 1000 Mbps links are established between the Fabric and the service modules without negotiation Therefore the time for negotiation is sa...

Page 939: ... number of times the Fabric fails to receive handshake packets exceeds the upper limit Monitoring Internal Channel Configuration Configuring Switch Chip Auto reset Introduction In actual application a switch may fail to process services normally due to internal channel block or because the switch chip is busy Switch 7750s support the function of resetting switch chips automatically In case that th...

Page 940: ...fied module When the CPU usage of the module in the specified slot exceeds the configured threshold the switch sends trap messages and log messages to the network administrator If you set CPU thresholds for both all the modules and the specified module the CPU threshold of the specified module is determined by the latter one For example if you set the CPU usage threshold of all the modules to 88 a...
