manualshive.com logo in svg

3Com Switch 8807, Configuration Manual

The 3Com Switch 8807 is a high-performance networking device designed to meet the demands of enterprise-level organizations. With advanced features and reliable performance, this switch ensures seamless data transmission and network optimization. Easily access the comprehensive datasheet and user manual for free download from our website, manualshive.com.

Share
Download
background image

21

ACL C

ONFIGURATION

ACL Overview

Introduction to ACL

A series match rules must be configured to recognize the packets before they are 
filtered. Only when packets are identified, can the network take corresponding 
actions, allowing or prohibiting them to pass, according to the preset policies. 
Access control list (ACL) is targeted to achieve these functions.

ACLs classify packets using a series of matching rules, which can be source 
addresses, destination addresses and port IDs. ACLs can be used globally on the 
switch or just at a port, through which the switch determines whether to forward 
or drop the packets.

The matching rules defined in ACLs can also be imported to differentiate traffic in 
other situations, for example, defining traffic classification rules in QoS.

An ACL rule can include many rules, which may be defined for packets within 
different address ranges. Matching order is involved in matching an ACL.

ACLs being activated directly on hardware

ACLs can be delivered to hardware for traffic filtering and classification.

The cases when ACLs are sent directly to hardware include: referencing ACLs to 
provide for QoS functions, filtering and forwarding packets with ACLs.

ACLs being referenced by upper-level modules

ACLs may also be used to filter and classify packets processed by software. Then 
you can define matching order for the rules in an ACL. Two matching modes are 
available in this case: 

config

 (user-defined order) and 

auto

 (depth first by the 

system). You cannot modify the matching order once you define it for an ACL rule, 
unless you delete the rule and redefine the matching order.

The cases when ACLs are referenced by upper-level modules include referencing 
ACLs to achieve routing policies, and using ACLs to control register users and so 
on.

Depth first principle means putting the statement with smaller packet range in the 
front. You can know the packet range by comparing IP address wildcards: The 
smaller the wildcard is, the smaller host range is. For example, the address 
129.102.1.1 0.0.0.0 specifies the host 129.102.1.1 and address 129.102.1.1 
0.0.255.255 specifies the segment 129.102.1.1 to 129.102.255.255. Then 
129.102.1.1 is surely put in the front. Specifically, for the statements of basic ACL 
rules, directly compare the wildcards of source addresses and follow 

config

 order 

if the wildcards are equal; for the ACL rules used in port packet filtering, the rules 

Summary of Contents for Switch 8807

Page 1: ...3Com Switch 8800 Family Configuration Guide Switch 8807 Switch 8810 Switch 8814 www 3Com com Part No 10015594 Rev AA Published January 2007...

Page 2: ...227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or deli...

Page 3: ...onfiguration Environment through Telnet 34 Setting Up Configuration Environment through Modem Dial up 37 4 USER INTERFACE CONFIGURATION User Interface Overview 39 User Interface Configuration 40 Displ...

Page 4: ...iguration Example 76 Troubleshooting IP Address Configuration 77 11 IP PERFORMANCE CONFIGURATION Configuring IP Performance 79 Displaying and Debugging IP Performance 79 Troubleshooting IP Performance...

Page 5: ...guration Example 119 17 MSTP REGION CONFIGURATION Introduction to MSTP 121 Configuring MSTP 132 Displaying and Debugging MSTP 150 Typical MSTP Configuration Example 152 18 DIGEST SNOOPING CONFIGURATIO...

Page 6: ...S Protocol 245 Configuring HWTACACS Protocol 256 Displaying and Debugging AAA and RADIUS Protocol 261 AAA and RADIUS HWTACACS Protocol Configuration Examples 262 Troubleshooting AAA and RADIUS HWTACAC...

Page 7: ...d Debugging Integrated IS IS 358 Typical Integrated IS IS Configuration Example 359 33 BGP CONFIGURATION BGP MBGP Overview 361 Configuring BGP 364 Displaying and Debugging BGP 383 Typical BGP Configur...

Page 8: ...VLAN CONFIGURATION Multicast VLAN Overview 431 Multicast VLAN Configuration 431 Multicast VLAN Configuration Example 432 41 COMMON MULTICAST CONFIGURATION Introduction to Common Multicast Configurati...

Page 9: ...Basic Capability Overview 515 MPLS Configuration 515 LDP Configuration 517 Displaying and Debugging MPLS Basic Capability 521 Typical MPLS Configuration Example 523 Troubleshooting MPLS Configuration...

Page 10: ...VRRP 659 VRRP Configuration Example 660 Troubleshooting VRRP 664 54 HA CONFIGURATION Introduction to HA 667 Configuring HA 667 Displaying and Debugging HA Configuration 669 HA Configuration Example 6...

Page 11: ...iguration Tasks 719 NDP Configuration Example 721 61 POE CONFIGURATION PoE Overview 723 PoE Configuration 724 Comprehensive Configuration Example 726 62 POE PSU SUPERVISION CONFIGURATION Introduction...

Page 12: ...n 789 69 DEVICE MANAGEMENT Device Management Overview 793 Device Management Configuration 793 Displaying and Debugging Device Management 796 Device Management Configuration Example 796 70 FTP TFTP CON...

Page 13: ...etection Function 845 76 QINQ CONFIGURATION QinQ Overview 847 VLAN VPN Configuration 849 VLAN VPN Configuration 849 Traffic Classification Based Nested VLAN Configuration 850 Adjusting TPID Values for...

Page 14: ......

Page 15: ...ble 1 lists icon conventions that are used throughout this guide Table 2 lists text conventions that are used throughout this guide Table 1 Notice Icons Icon Notice Type Description n Information note...

Page 16: ...about your product If information in this guide differs from information in the release notes use the information in the Release Notes These documents are available in Adobe Acrobat Reader Portable Do...

Page 17: ...For Switch 8807 in the module area there are seven slots the top two slot0 slot1 accommodate fabric modules which are in 1 1 redundancy the remaining five accommodate I O Modules For Switch 8810 in t...

Page 18: ...otocol snooping IGMP snooping Internet group management protocol IGMP v2 Protocol independent multicast dense mode PIM DM Protocol independent multicast sparse mode PIM SM Multicast source discovery p...

Page 19: ...k Remark Queue scheduling supports strict priority queuing SP weighted round robin WRR and SP WRR Congestion avoidance algorithms Tail Drop and WRED Supports up to eight priority queues per port Secur...

Page 20: ...ement products remote monitoring RMON MIB group 1 2 3 and 9 VPN manager a MPLS VPN network management tool System logs Hierarchical alarms Output of the debugging information Ping and Tracert Network...

Page 21: ...r to Doskey to execute a history command The command line interpreter searches for target not fully matching the keywords It is ok for you to key in the whole keyword or part of it as long as it is un...

Page 22: ...d when users at lower level switch to users at higher level In other words user password of the higher level is needed Suppose the user has set the super password level level simple cipher password Fo...

Page 23: ...l view Remote peer view VSI LDP view VSI view HWTACACS view Port group view The following table describes the function features of different views and the ways to enter or quit Port numbers are only f...

Page 24: ...user view VLAN interface view Configure IP interface parameters for a VLAN or a VLAN aggregation 3Com Vlan interfac e1 Key in interface vlan interface 1 in system view Use quit to return to system vi...

Page 25: ...return to user view IPv4 multicast sub address family view Enter the IPv4 multicast sub address family view to configure MBGP multicast extension parameters 3Com bgp af mul Key in ipv4 family multica...

Page 26: ...n to system view Use return to return to user view Advanced ACL view Define the rule of advanced ACL 3Com acl adv 3000 Key in acl number 3000 in system view Use quit to return to system view Use retur...

Page 27: ...eturn to system view Use return to return to user view VPN instance sub address family view Configure VPN instance sub address family parameters 3Com bgp af vpn in stance Key in ipv4 family vpn instan...

Page 28: ...ters 3Com mpls remote 1 Key in mpls remote1 Use quit to return to system view Use return to return to user view VSI LDP view Configure some VPLS features 8500 vsi 3Com ldp Key in vsi 3Com in system vi...

Page 29: ...mode chinese Chinese environment english English environment 3 Input a command with a separated by a space If this position is for parameters all the parameters and their brief descriptions will be l...

Page 30: ...ines the two keys differently In this case use the combination keys Ctrl P and Ctrl N instead for the same purpose Common Command Line Error Messages All the input commands by users can be correctly e...

Page 31: ...rsor moves to the right if the edition buffer still has free space Backspace Delete the character preceding the cursor and the cursor moves backward Leftwards cursor key or Ctrl B Move the cursor a ch...

Page 32: ...32 CHAPTER 2 COMMAND LINE INTERFACE...

Page 33: ...cable Figure 1 Set up the local configuration environment through the Console port Step 2 Run a terminal emulator such as Terminal of Windows 3X or HyperTerminal of Windows 9X on the computer Set the...

Page 34: ...re the switch or view the operation state Input a for help For details of specific commands refer to the following chapters Setting up Configuration Environment through Telnet Connecting a PC to the S...

Page 35: ...d input the IP address of the VLAN connected to the PC port as shown in Figure 6 Figure 6 Run Telnet Step 4 The terminal displays Login authentication and prompts the user to input the logon password...

Page 36: ...for authenticating the Telnet user to log in to the switch If a user logs in via the Telnet without password he will see the prompt Login password has not been set SW8800 system view System View retu...

Page 37: ...een set SW8800 system view System View return to User View with Ctrl Z SW8800 user interface aux 0 3Com ui aux0 set authentication password simple xxxx xxxx is the login password of the Modem user Ste...

Page 38: ...assword on the remote terminal emulator and wait for the prompt such as SW8800 Then you can configure and manage the switch Enter to get the immediate help For details of specific commands refer to th...

Page 39: ...AUX user interface is used to log in to the switch locally or remotely with a modem via the AUX port A switch can only have one AUX user interface The local configuration for it is similar to that fo...

Page 40: ...s describe the user interface configuration tasks Entering User Interface View Define the Login Header Configuring Asynchronous Port Attributes Configuring Terminal Attributes Managing Users Configuri...

Page 41: ...is none that is no flow control will be performed Configuring parity By default the parity on an asynchronous port is none that is no parity bit Configuring the stop bit Table 8 Configure the login h...

Page 42: ...before disabling the terminal service can continue his operation After such user logs out he cannot log in again In this case a user can log in to the switch through the user interface only when the...

Page 43: ...to 1 or 2 By default 24 lines including the multi screen identifier lines are displayed in one screen when the multi screen display function is enabled Use screen length 0 to disable the multi screen...

Page 44: ...is you need use the command below to configure a login password in order to login successfully Perform the following configuration in user interface view Configure for password authentication when a...

Page 45: ...e following configuration in local user view By default the specified logon user can access the commands at Level 2 Setting the command level used after a user logs in from a user interface You can us...

Page 46: ...ser terminal The input protocol type can be TELNET SSH or all Perform the following configuration in user interface view By default the input protocol type for a user terminal is all Configuring Modem...

Page 47: ...m Use this command with caution Make sure that you will be able to log in to the system in some other way and cancel the configuration before you use the auto execute command command and save the conf...

Page 48: ...lease the user interface connection Table 28 Display and debug user interface Operation Command Release a specified user interface connection free user interface type number Display the user applicati...

Page 49: ...nt station for remote system management Management Interface Configuration The following sections describe management interface configuration tasks Configuring interface IP address Enabling disabling...

Page 50: ...50 CHAPTER 5 MANAGEMENT INTERFACE CONFIGURATION...

Page 51: ...on routing protocol configuration and so on It ends with end The following sections describe configuration file management tasks Displaying the Current Configuration and Saved Configuration of Switch...

Page 52: ...user view You may erase the configuration files from the Flash in the following cases After being upgraded the software does not match with the configuration files The configuration files in flash are...

Page 53: ...display the running of the configuration files and to verify the effect of the configuration Table 32 Configure the name of the configuration file used for the next startup Operation Command Configur...

Page 54: ...54 CHAPTER 6 CONFIGURATION FILE MANAGEMENT...

Page 55: ...VLAN technology the broadcast and unicast traffic within a VLAN will not be forwarded to other VLANs This is helpful to control network traffic save device investment simplify network management and e...

Page 56: ...the current VLAN is its VLAN ID Shutting down Bringing up a VLAN Interface You can use the following commands to shut down bring up a VLAN interface Perform the following configuration in VLAN interf...

Page 57: ...iew n The port to be associated with a protocol based VLAN must be of Hybrid type and in this VLAN The same protocol can be configured in the different VLANs but cannot be configured repeatedly in the...

Page 58: ...d unknown multicast packets are broadcast within a VLAN these packets will also be broadcast to the CPU To prevent waste of CPU resources you can move the CPU port out of the VLAN so that common broad...

Page 59: ...VLANs Operation Command Move the CPU port out of the specified VLANs trap to cpu disable vlan vlan list all Move the CPU port into the specified VLANs undo trap to cpu disable vlan vlan list all Tabl...

Page 60: ...2 and enter its view SW8800 vlan 2 Add Ethernet3 1 1 and Ethernet4 1 1 to VLAN 2 3Com vlan2 port ethernet3 1 1 ethernet4 1 1 Create VLAN 3 and enters its view 3Com vlan2 vlan 3 Add Ethernet3 1 2 and...

Page 61: ...proxy The address resolution protocol ARP proxy can forward and process ARP request and response packets so that the isolated sub VLANs can communicate with each other at Layer 3 By default ARP proxy...

Page 62: ...nooping Super VLAN does not support VRRP Super VLAN Configuration Example Network requirements Create Super VLAN 10 Create sub VLANs VLAN 2 VLAN 3 and VLAN 5 VLAN 2 contains ports 1 and 2 VLAN 3 conta...

Page 63: ...Ctrl Z SW8800 vlan 10 3Com vlan10 supervlan 3Com vlan10 vlan 2 3Com vlan2 port ethernet3 1 1ethernet3 1 2 3Com vlan2 arp proxy enable 3Com vlan2 vlan 3 3Com vlan3 port Ethernet3 1 3 ethernet3 1 4 3Co...

Page 64: ...64 CHAPTER 8 SUPER VLAN CONFIGURATION...

Page 65: ...gure the ports connected to different users to be of the same Secondary VLAN to enable these users to communicate with each other on Layer 2 Figure 12 Isolate user VLANs and Secondary VLANs Isolate us...

Page 66: ...an id Required Configure the VLAN as an isolate user VLAN isolate user vlan enable Required You cannot configure VLAN 1 as an isolate user VLAN Add ports to the isolate user VLAN port interface list O...

Page 67: ...ose not meeting the requirements no other processing will be made For an access port the system will set the port as a hybrid port and set the default port VLAN ID and Secondary VLAN ID to be the same...

Page 68: ...vely Network diagram Figure 13 Network diagram for isolate user VLAN Configuration procedure Only the configurations on the Switch B and Switch C are listed below 1 Configuration on Switch B Configure...

Page 69: ...Switch C Configure an isolate user VLAN SW8800 system view SW8800 vlan 6 3Com vlan6 isolate user vlan enable 3Com vlan6 port ethernet2 1 1 Configure Secondary VLANs 3Com vlan6 vlan 3 3Com vlan3 port...

Page 70: ...70 CHAPTER 9 ISOLATE USER VLAN CONFIGURATION...

Page 71: ...pes are commonly used The IP address is in dotted decimal format Each IP address contains four integers in dotted decimal notation Each integer corresponds to one byte for example 10 110 50 101 When u...

Page 72: ...line The packets are processed internally and regarded as input packets B 128 0 0 0 to 191 255 255 255 128 0 0 0 to 191 254 0 0 Host ID with all the digits being 0 indicates that the IP address is th...

Page 73: ...38 64 0 138 38 96 0 138 38 128 0 138 38 160 0 138 38 192 0 and 138 38 224 0 Refer to the following figure Each subnet can contain more than 8000 hosts Figure 15 Subnet division of an IP address Config...

Page 74: ...resses and MAC addresses to ensure that only users using the IP addresses corresponding to the specified MAC addresses can access the Internet while users using other IP addresses cannot This function...

Page 75: ...to the attacker In this case the switch CPU is under attack When receiving an IP packet whose TTL is less than or equal to 1 the switch sends the ICMP packet time exceeded to the network management s...

Page 76: ...Enter VLAN interface 1 SW8800 interface vlan interface 1 Configure the IP address for VLAN interface 1 3Com Vlan interface1 ip address 129 2 2 1 255 255 255 0 Configure that the switch sends an unreac...

Page 77: ...ntains 2 Check which VLAN includes the port of the switch used to connect to the host Check whether the VLAN has been configured with a VLAN interface Then check whether the IP address of the VLAN int...

Page 78: ...78 CHAPTER 10 IP ADDRESS CONFIGURATION...

Page 79: ...oriented socket is in the range from 1 to 32 KB and is 8 KB by default Perform the following configuration in System view Displaying and Debugging IP Performance After the above configuration execute...

Page 80: ...he specific prefix list display fib ip prefix listname Display the total number of FIB entries display fib statistics Table 60 Debug IP performance Operation Command Reset IP statistics information re...

Page 81: ...cket formats UDP output packet Source IP address 202 38 160 1 Source port 1024 Destination IP Address 202 38 160 1 Destination port 4296 task ROUT 15 socketid 6 src 192 168 1 1 520 dst 255 255 255 255...

Page 82: ...82 CHAPTER 11 IP PERFORMANCE CONFIGURATION flag ACK window 16079...

Page 83: ...ions withdrawn declarations GARP members exchange information by sending messages There are mainly three types of GARP messages Join Leave and LeaveAll When a GARP participant wants to register its at...

Page 84: ...nd sends the Join Message upon timeout of the Hold timer In this way all the VLAN registration information received within the time specified by the Hold timer can be sent in one frame so as to save t...

Page 85: ...switches All the GVRP supporting switches can receive VLAN registration information from other switches and dynamically update the local VLAN registration information including the active members and...

Page 86: ...gured on any port in an aggregation group the returned result is about the master port of the group Enabling Disabling Global GVRP You can use the following command to enable disable global GVRP Perfo...

Page 87: ...the configuration Execute the debugging command in user view to debug the configuration of GVRP GVRP Configuration Example Network requirements To dynamically register and update VLAN information amon...

Page 88: ...Com Ethernet3 1 1 port trunk permit vlan all Enable GVRP on the Trunk port 3Com Ethernet3 1 1 gvrp Configure Switch B Enable GVRP globally SW8800 gvrp Set Ethernet4 1 1 as a Trunk port and allows all...

Page 89: ...e Ethernet Port Enabling Disabling Flow Control for the Ethernet Port Setting the Interval of Performing Statistics on Ports Enabling Disabling Jumbo Frames Passing a Card Setting Broadcast Multicast...

Page 90: ...ports will automatically negotiate about the duplex mode Perform the following configuration in Ethernet port view Note that 10 100 Mbps electrical Ethernet port can operate in full duplex half duplex...

Page 91: ...default the speed of the port is in auto mode Setting the Cable Type for the Ethernet Port The Ethernet port supports the straight through and cross over network cables The following command can be u...

Page 92: ...ranging from 1536 to 10240 However effective Jumbo frame values fall into several sections the Table 73 Enabling disabling flow control for the Ethernet port Operation Command Enable Ethernet port fl...

Page 93: ...n multicast suppression No distinction is made between known multicast and unknown multicast for multicast suppression By default the broadcast suppression ratio is 50 while the multicast suppression...

Page 94: ...annot configure a trunk port directly as hybrid port but first set it as access port and then as hybrid port By default the port is access port Adding the Ethernet Port to Specified VLANs The followin...

Page 95: ...t the VLAN of hybrid port and trunk port is VLAN 1 and that of the access port is the VLAN to which it belongs Setting the VLAN VPN Feature on a Port A VLAN Tag consists of only 12 bits defined by IEE...

Page 96: ...ions may involve STP setting QoS setting LACP setting and port setting The detailed table is as follows Table 81 Setting the port VLAN VPN feature Operation Command Enable the port VLAN VPN feature vl...

Page 97: ...o prohibit frequent change of the port status Perform the following configuration in system view By default the port hold time is set to 3 seconds Setting the Ethernet Port in Loopback Mode Perform th...

Page 98: ...at when receiving the packets without VLAN Tag the port can forward them to the member ports belonging to the default VLAN when it sending the packets with VLAN Tag and the packet VLAN ID is the defau...

Page 99: ...hernet2 1 1 port trunk pvid vlan 100 Ethernet Port Troubleshooting Symptom 1 Default VLAN ID configuration fails Solution Take the following steps Execute the display interface or display port command...

Page 100: ...100 CHAPTER 13 ETHERNET PORT CONFIGURATION...

Page 101: ...gation groups IDs 32 through 64 are reserved IDs 65 though 192 are routed trunks IDs 193 through 920 indicate dynamic aggregation groups The systems with MPLS VPN cards only support seven load balanci...

Page 102: ...d static aggregation groups ports can be in active or inactive state The port in active state can transmit and receive user service packets but the port in inactive state cannot The active port with t...

Page 103: ...ive and inactive ports can transmit and receive LACP protocol but the inactive ports cannot forward user service packets In an aggregation group the active port with the minimum port number serves as...

Page 104: ...inimum port number serves as the master port while others as slave ports In a aggregation group the system sets the ports to active or inactive state based on these rules Based on the descending order...

Page 105: ...to the VLAN QinQ part of this manual Enabling Disabling LACP at Port You should first enable LACP at the ports before performing dynamic aggregation so that both parties can agree on adding deleting...

Page 106: ...tion in the corresponding view Note that You cannot add a mirrored port a port configured with a static MAC address a port with 802 1x enabled or a VPN port into an aggregation group You must delete t...

Page 107: ...active or inactive state Perform the following configuration in system view By default system priority is 32 768 Configuring Port Priority The LACP compares system IDs first and then port IDs if syst...

Page 108: ...gging link aggregation Operation Command Display summary information of all aggregation groups display link aggregation summary Display detailed information of a specific aggregation group display lin...

Page 109: ...group numbers are continuous you can directly aggregate multiple ports into a group The group number is allocated by the system SW8800 link aggregation ethernet2 1 1 to ethernet2 1 3 both 2 Static LA...

Page 110: ...rnet2 1 2 interface ethernet2 1 3 3Com Ethernet2 1 3 lacp enable You must set basic configuration rate and duplex attribute consistent at both ends to aggregate successfully the LACP enabled ports int...

Page 111: ...Group Configure an upstream port for an isolated group Required Refer to section Configuring an Uplink Port in the Isolated Group Configure isolated ports for an isolated group Required Refer to sect...

Page 112: ...Command Description Table 97 Configuring isolated ports for the isolated group Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface...

Page 113: ...20 Network diagram for port isolation Configuration procedure Create isolated group 1 SW8800 system view SW8800 port isolate group 1 Configure port Ethernet2 1 2 as an isolated port in isolated group...

Page 114: ...114 CHAPTER 15 PORT ISOLATION CONFIGURATION...

Page 115: ...responding forwarding port as a new entry to the table The system forwards the packets whose destination addresses can be found in the MAC address table directly through the hardware and broadcasts th...

Page 116: ...llowing configuration in system view Setting MAC Address Aging Time The setting of an appropriate aging time can effectively implement the function of MAC address aging Too long or too short aging tim...

Page 117: ...o set the switch to forward corresponding packets when the number of MAC addresses learned by the port exceeds the configured threshold Maximum MAC Address Number Learned by a Port and Forwarding Opti...

Page 118: ...es of the network devices in network segments connected to a VLAN However if the MAC address table in a VLAN is too big in size the forwarding performances of the switch will be decreased After settin...

Page 119: ...nto the switch through the Console port to configure the address table management It is required to set the address aging time to 500s and add a static address 00e0 fc35 dc71 to Ethernet2 1 2 in VLAN1...

Page 120: ...face ethernet2 1 2 vlan 1 Set the address aging time to 500s SW8800 mac address timer 500 Display the MAC address configurations in any view SW8800 display mac address interface ethernet2 1 2 MAC ADDR...

Page 121: ...P and RSTP It not only converges fast but also allows the traffic of different VLANs to be distributed along their respective paths which provides a better load balance mechanism for the redundant lin...

Page 122: ...the VLAN mapping table of MST region A0 in Figure 23 VLAN1 is mapped to instance 1 VLAN 2 is mapped to instance 2 other VLANs is mapped to CIST In the same region the mapping relationship of VLANs and...

Page 123: ...CIST For example the common root bridge is a certain switch in A0 as shown in Figure 23 Edge port The edge port refers to the port located at the MST region edge connecting different MST regions MST r...

Page 124: ...Figure 24 Port roles TC packet Topology change TC means the structure of the MSTP spanning tree changes due to some bridge change or some port change on the network In versatile routing platform Comwa...

Page 125: ...on format of the last part in BPDU packets Besides field root bridge priority root path cost local bridge priority and port priority the field flags which takes one byte in an instance is also used fo...

Page 126: ...tion The CIST root is the highest priority switch elected from the switches on the entire network through comparing their configuration BPDUs MSTP calculates and generates IST in each MST region at th...

Page 127: ...t accordingly As illustrated in the Figure 28 Switch A forwards data to Switch B via the port AP1 To Switch B the designated bridge is Switch A and the designated port is AP1 In the figure Switch B an...

Page 128: ...d each port of the switches generates the configuration BPDU taking itself as the root with a root path cost as 0 designated bridge IDs as their own switch IDs and the designated ports as their ports...

Page 129: ...onfiguration BPDU remains unchanged Switch calculates a designated port BPDU for every port substituting the root ID with the root ID in the configuration BPDU of the root port the cost of path to roo...

Page 130: ...B the configuration BPDU 1 0 1 BP2 that has not been updated and then the updating process is launched The configuration BPDU is updated as 1 0 1 BP2 CP1 receives the configuration BPDU 0 0 0 AP2 from...

Page 131: ...the switches regard themselves as the roots The designated ports send the configuration BPDUs of local ports at a regular interval of HelloTime If it is the root port that receives the configuration...

Page 132: ...the Switch as a Primary or a Secondary Root bridge Configuring the MSTP Running Mode Configuring the Bridge Priority for a Switch Configuring the Max Hops in an MST Region Configuring the Switching Ne...

Page 133: ...ote that two switches belong to the same MST region only if they have been configured with the same MST region name STI VLAN mapping tables of an MST region and the same MST region revision level Conf...

Page 134: ...pped to MSTI 1 VLAN 2 is mapped to MSTI 2 VLAN 16 is mapped to MSTI 16 VLAN 17 is mapped to VLAN 17 and so on Perform the following configurations in MST region view By default all the VLAN lists are...

Page 135: ...You can configure the current switch as the root of several STIs However it is not necessary to specify two or more roots for an STI In other words do not specify the root for an STI on two or more s...

Page 136: ...the root An MSTP switch may have different priorities in different STIs You can use the following command to configure the Bridge priorities of the Designated bridge in different STIs Perform the fol...

Page 137: ...of passed switches You can use the following command to configure the diameter of the switching network Perform the following configuration in system view The network diameter is the parameter specify...

Page 138: ...network adopts the values of the time parameters configured on the root bridge of the CIST c CAUTION The Forward Delay configured on a switch depends on the switching network diameter Generally the F...

Page 139: ...eceive the STP packets from the upstream switch for 3 times of hello time the switch will decide the upstream switch is dead and will recalculate the topology of the network Then in a steady network t...

Page 140: ...as an edge port or non edge port in the following ways Configuration in system view Perform the following configuration in system view Configuration in Ethernet port view Perform the following configu...

Page 141: ...h do not configure the edged ports on the equipment Otherwise the system will fail to delete MAC address entries and ARP address entries on the port Configuring the Path Cost of a Port Path Cost is re...

Page 142: ...on which each standard calculates the path cost of the by certain algorithm DOT1T calculation standard 1 Calculating the rate Aggregation port The rate of either a primary or a secondary port in an a...

Page 143: ...espondence between the rate range and the value range of the path cost of the ports You can specify the intended standard by using the following commands Perform the following configuration in system...

Page 144: ...are configured with the same priority value the priorities of the ports will be differentiated by the index number The change of Ethernet port priority will lead to spanning tree recalculation You ca...

Page 145: ...ibuted if you configure a port that is not physically connected with the point to point link as connected to such a link by force By default the parameter is configured as auto Table 126 Configure the...

Page 146: ...ion exists in different regions and other problems Remember to perform stp interface mcheck after modifying stp mode Configuration in Ethernet port view Perform the following configuration in Ethernet...

Page 147: ...t protection function is used against such problems Loop protection The root port and other blocked ports maintain their states according to the BPDUs send by uplink switch Once the link is blocked or...

Page 148: ...out the stp loop protection command on the designated upstream port If the downstream port does not contain the VLAN of the designated Table 131 Configure the switch protection function Operation Comm...

Page 149: ...t it is about to change its state and role Only the port role changes but the port discarding state remains unchanged and no packets are forwarded In this way if the peer end cannot send BPDU packets...

Page 150: ...ion of BPDU to prevent the BPDU packets which are received by ports that did not participate in the generation of spanning trees from being forwarded to other ports which can cause errors during STP g...

Page 151: ...tp all Disable global debugging undo debugging stp all Enable instance debugging of MSTP debugging stp instance instance id Disable instance debugging of MSTP undo debugging stp instance instance id E...

Page 152: ...pass Enable debugging of the state machine for port state transition undo debugging stp state machine pst Enable debugging of the topology change state machine debugging stp state machine tcm Disable...

Page 153: ...uration 3Com mst region region name example 3Com mst region instance 1 vlan 10 3Com mst region instance 3 vlan 30 3Com mst region instance 4 vlan 40 3Com mst region revision level 0 Manually activate...

Page 154: ...stp region configuration 3Com mst region region name example 3Com mst region instance 1 vlan 10 3Com mst region instance 3 vlan 30 3Com mst region instance 4 vlan 40 3Com mst region revision level 0...

Page 155: ...examining their BPDUs It also enables the switch to insert corresponding configuration digests in its BPDUs destined for these switches In this way switches of different manufacturers are capable of...

Page 156: ...er ports of an MSTP region Digest Snooping Configuration Example Network requirements All switches in Figure 32 are MSTP enabled and have the same region configuration All the switches except that A a...

Page 157: ...y you need to enable digest snooping globally on 3Com B 3ComB stp config digest snooping After the above configuration all the switches in the MSTP region can communicate with each other through MSTI...

Page 158: ...158 CHAPTER 18 DIGEST SNOOPING CONFIGURATION...

Page 159: ...ch does not send the agreement packet to the downstream switch Figure 33 and Figure 34 show the designated port fast transition mechanisms of RSTP and MSTP Figure 33 Designated port fast transition me...

Page 160: ...m the designated port of the upstream switch the port sends the agreement packet to the upstream switch initiatively rather than sends the agreement packet after receiving the agreement packet As a re...

Page 161: ...dor Table 138 Configure fast transition in system view Operation Command Description Enter system view system view Enable fast transition stp interface interface type interface number no agreement che...

Page 162: ...162 CHAPTER 19 FAST TRANSITION...

Page 163: ...e operator s network Figure 36 BPDU Tunnel implementation Configuring BPDU Tunnel The following table describes the BPDU Tunnel configuration tasks Enabling disabling BPDU Tunnel Perform the following...

Page 164: ...Switch 5500 Series Ethernet Switches are used as the access devices of the user network that is Switch A and Switch B in the following figure Switch C and Switch D connect to each other through trunk...

Page 165: ...h Switch_B vlan 10 Switch_B Ethernet 0 1 port link type trunk Switch_B Ethernet 0 1 port trunk permit vlan 10 3 Configure Switch C Enable multiple STP MSTP on the device Switch_C stp enable Enable BPD...

Page 166: ...Ethernet3 1 1 port trunk permit vlan all Add Ethernet3 1 3 into VLAN20 Switch_D vlan 20 Switch_D Vlan 20 port Ethernet 3 1 3 Disable STP Protocol on Ethernet3 1 3 and enable VLAN VPN Switch_D interfa...

Page 167: ...encing ACLs to provide for QoS functions filtering and forwarding packets with ACLs ACLs being referenced by upper level modules ACLs may also be used to filter and classify packets processed by softw...

Page 168: ...ange of the specified packets The rule with the smallest range of the specified data packets is applied first and then other rules are applied based on this principle ACLs Supported The switch support...

Page 169: ...escription Enter system view system view Configure the time range time range time name start time to end time days of the week from start time start date to end time end date from start time start dat...

Page 170: ...acl name advanced basic match order config auto Required Service processor cards do not support Layer 2 ACL Define rules rule Required Exit ACL view quit Enter Ethernet port view interface interface t...

Page 171: ...ctive from 12 00 to 14 00 every Wednesday in 2004 If a time range defines multiple absolute time ranges and multiple periodic time ranges the time range is active only when periodic time ranges and ab...

Page 172: ...arried by the packet 2 bytes s tag vlan VLAN ID in the most exterior 802 1QTag carried by the packet dip Destination IP field in IP packet header 4 bytes dmac Destination MAC field in Ethernet packet...

Page 173: ...termine whether the total length of template elements exceeds 16 bytes You can either use the default template or define a flow template based on your needs n Default flow template ip protocol tcp fla...

Page 174: ...destination IP addresses TCP UDP ports used and packet priority ACLs support three types of priority schemes ToS type of service priority IP priority and DSCP priority Perform the following configura...

Page 175: ...ACL view undo rule rule id source destination source port destination port icmp type precedence tos dscp fragment bt flag time range vpn instance Delete an ACL or all ACLs system view undo acl number...

Page 176: ...group ACL at same time undo packet filter inbound ip group acl number acl name rule rule link group acl number acl name rule rule link group acl number acl name rule rule Activate link group ACL packe...

Page 177: ...ent is at 129 110 1 2 The requirement is to configure ACLs correctly to limit that the R D department can only access the wage server at working time from 8 00 to 18 00 Network diagram Figure 38 Netwo...

Page 178: ...range from 8 00 to 18 00 everyday the switch filters the packets from the host with source IP 10 1 1 1 the host is connected through the port Ethernet2 1 1 to the switch Network diagram Figure 39 Netw...

Page 179: ...00 daily 2 Define a user defined flow template SW8800 flow template user defined slot 2 ethernet protocol smac 0 0 0 dmac 0 0 0 3 Define the traffic with source MAC 00e0 fc01 0101 and destination MAC...

Page 180: ...the configuration is to prohibit the BT data traffic passing through port GE7 1 8 by configuring proper ACL rules c CAUTION 3C17526 series cards do not support BT traffic control configuration Networ...

Page 181: ...refers to all packets passing thought the switch Traffic classification Traffic classification is the technology that identifies the packets with a specified attribute according to a specific rule Cla...

Page 182: ...Figure 42 DS field and ToS byte As shown in Figure 42 the ToS field in the IP header contains 8 bits The first three bits represent IP priority in the range of 0 to 7 bits 3 6 stand for ToS priority i...

Page 183: ...scheduling is used to resolve problems of resource contention by many packets These algorithms are often used in queue scheduling strict priority SP algorithm and weighted round Robin WRR algorithm 1...

Page 184: ...cated with a 5 Mbps bandwidth Another merit for WRR algorithm Though the queues are scheduled by turn they are not configured with fixed time quantum If a queue has no packets the system immediately s...

Page 185: ...ining and Applying Flow Template Activate the ACL packet filter inbound Optional See Activating ACL Activating ACL Configure local priority of the port group priority priority level trust Optional See...

Page 186: ...rs automatically They are 300 2 x slot no and 300 2 x slot no 1 respectively slot no indicates the number of the slot where the XP4 card resides For example when the XP4 card resides in slot 1 the cor...

Page 187: ...time range Define a time range from 8 00 to 18 00 SW8800 time range 3Com 8 00 to 18 00 daily 2 Define the ACL rule of the PC packet Enter ACL rule view identified with the number 2000 SW8800 acl numbe...

Page 188: ...ting the right ACL To configure packet filtering you need only to activate corresponding ACL For more details refer to the section Activating ACL Some of QoS terms are listed in the following table Ta...

Page 189: ...mand is not 0 or when the traffic priority command is used to mark the priority of the packet all the tagged packets through the port will be mapped to the local precedence according to the 802 1p pri...

Page 190: ...orm the following configurations in the specified views Configure the CoS Local precedence mapping table qos cos local precedence map cos0 map local prec cos1 map local prec cos2 map local prec cos3 m...

Page 191: ...value cos value local precedence value drop precedence Restore the default values of the EXP Conform Level Service parameters mapping table conform level view undo exp exp list Configure the Local pr...

Page 192: ...er Configure traffic policing which applies IP group ACL and link group ACL at same time traffic limit inbound ip group acl number acl name rule rule link group acl number acl name rule rule system in...

Page 193: ...ransmission rate with the capacity of downstream devices Its major difference from traffic policing is Traffic shaping buffers packets at over threshold rates to make them sent at average rates while...

Page 194: ...ule Configure traffic priority which applies IP group ACL and link group ACL at same time traffic priority inbound ip group acl number acl name rule rule link group acl number acl name rule rule syste...

Page 195: ...group acl number acl name rule rule system index index cpu interface interface type interface number destination vlan l2 vpn l3 vpn next hop ip addr1 ip addr2 invalid forward drop slot slotid vlanid d...

Page 196: ...ds See the corresponding Command Manual for details of the commands Refer to the VLAN QinQ section in the manual for detailed information on the traffic redirect nested vlan modified vlan command Conf...

Page 197: ...witch drops packets to release system resources And then no packets are put into long delay queues The switch allocates drop precedence for it when receiving a packet also called coloring the packet T...

Page 198: ...ue command to increase appropriately the length parameter of the corresponding queue where packets are all dropped to ensure the best effect of the replication capability of the egress port See the co...

Page 199: ...that is you can duplicate packets from multiple ports to a monitoring port You can also specify the monitoring direction Only inbound packets Only outbound packets Table 174 Configure traffic mirrorin...

Page 200: ...rroring on the same GV48 or GP48 card only one monitoring port is allowed For all mirroring groups configured in the system only one monitoring port is allowed on the same GV48 or GP48 card By default...

Page 201: ...ule system index index tc index index Remove traffic statistics setting which only applies link group ACL undo traffic statistic inbound link group acl number acl name rule rule Configure traffic stat...

Page 202: ...ex Display QoS configuration of a VLAN display qos vlan vlan id all Display traffic priority configuration of a VLAN display qos vlan vlan id traffic priority Display traffic limit configuration of a...

Page 203: ...om the port GE3 1 2 The server is connected to the port GE3 1 8 Network diagram Figure 48 Networking for port mirroring configuration Configuration procedure Define a mirroring group with monitoring p...

Page 204: ...ber based basic ACL 2000 and enter it SW8800 acl number 2000 Define ACL rule for the traffic from PC1 3Com acl basic 2000 rule 0 permit source 1 0 0 1 0 time range 3Com 3 Define the CoS Conform Level...

Page 205: ...emark policed service dscp 63 Traffic Redirection Configuration Example Network requirements Forward the packets sent from PC1 IP 1 0 0 1 during the time range from 8 00 to 18 00 every day to the addr...

Page 206: ...s and local priority levels to change the mapping between 802 1p priority levels and queues That is put packets into outbound queues according to the new mapping Use WRR algorithm for the queues 0 to...

Page 207: ...group2 20 4 wrr group2 20 5 wrr group2 40 6 sp 0 7 sp 0 WRED Parameters Configuration Example Network requirements Set WRED parameters and drop algorithm for packets at the port GE7 1 1 Configure par...

Page 208: ...ange from 8 00 to 18 00 SW8800 time range 3Com 8 00 to 18 00 daily 2 Define the traffic from PC1 Define ACL rule for the traffic from PC1 SW8800 acl number 2000 3Com acl basic 2000 rule 0 permit sourc...

Page 209: ...his chapter mainly describes how to configure the first level security control over these access measures that is how to filter the users logging onto the switch with ACL For detailed description abou...

Page 210: ...alue exp exp value protocol type mac type any broadcast packet arp broadcast packet non arp broadcast pack et unicast packet multicast packet known unknown ingress source vlan id to source vlan id end...

Page 211: ...en you use Layer 2 ACLs to implement the ACL control to the Telnet or SSH users only incoming requests are restricted If a user fails to log in due to ACL restriction the system logs the user failure...

Page 212: ...00 match order config Define rules 3Com acl basic 2000 rule 1 permit source 10 110 100 52 0 3Com acl basic 2000 rule 2 permit source 10 110 100 46 0 3Com acl basic 2000 rule 3 deny source any 3Com acl...

Page 213: ...ame acl acl number The SNMP community name is a feature of SNMP V1 and SNMP V2 Applying an ACL in the snmp agent community command filters the network management systems based on SNMP V1 and SNMP V2 A...

Page 214: ...fine a basic ACL and the rules SW8800 system view System View return to User View with Ctrl Z SW8800 acl number 2000 match order config 3Com acl baisc 2000 rule 1 permit source 10 110 100 52 0 3Com ac...

Page 215: ...nfiguring a VLAN ACL Table 183 Configure a VLAN ACL Configuration step Command Description Enter system view system view Create an ACL and enter the corresponding view acl number acl number name acl n...

Page 216: ...scp value cos cos value local precedence local precedence drop priority drop level Optional Configure packet redirection traffic redirect inbound ip group acl number acl name rule rule system index in...

Page 217: ...VLAN ACL does not take effect on the ports of the XP4 card VLAN ACL Configuration Example Network requirements Set the next hop IP address of all the packets forwarded by GigabitEthernet7 1 1 and Giga...

Page 218: ...et redirection in VLAN 2 Set the next hop IP addresses of all the packets forwarded on ports in VLAN 2 to 3 0 0 1 SW8800 vlan 2 3Com vlan2 traffic redirect inbound ip group 2000 rule 0 next hop 3 0 0...

Page 219: ......

Page 220: ...220 CHAPTER 24 VLAN ACL CONFIGURATION...

Page 221: ...an be either physical or logical The typical application environment is as follows Each physical port of the LAN Switch only connects to one user workstation based on the physical port and the wireles...

Page 222: ...pporting to encrypt the EAP packets EAPoL Encapsulated ASF Alert Supports the Alerting message of Alert Standard Forum ASF The EAPoL Start EAPoL Logoff and EAPoL Key only exist between the Supplicant...

Page 223: ...tasks Enabling Disabling 802 1x Setting the Port Access Control Mode Setting Port Access Control Method Checking the Users that Log on the Switch via Proxy Setting Supplicant Number on a Port Setting...

Page 224: ...orce mode Ports in this mode are always authorized Users can access a network through this kind of port without being authorized The unauthorized force keyword specifies the port to operate in unautho...

Page 225: ...tem view The parameter interface list cannot be input when the command is executed in Ethernet Port view and it has effect only on the current interface After globally enabling proxy user detection an...

Page 226: ...f EAP packets directly and RADIUS server must support EAP authentication Perform the following configuration in system view By default CHAP authentication is used for 802 1x user authentication n When...

Page 227: ...u must perform corresponding configuration manually to isolate the Guest VLAN from other VLAN interfaces Setting the Maximum times of authentication request message retransmission The following comman...

Page 228: ...is The value ranges from 100 to 300 in units of second and defaults to 100 seconds supp timeout Specifies the authentication timeout timer of a Supplicant After the Authenticator sends Request Challe...

Page 229: ...bling Disabling Quiet Period Timer You can use the following commands to enable disable a Quiet Period timer of an Authenticator such as a 3Com Series Switch If an 802 1x user has not passed the authe...

Page 230: ...rge number of 8021 x authentication packets with the same or similar source MAC addresses These packets largely occupy the CPU resources Perform the following configuration in system view By default I...

Page 231: ...er domain name from the user name The user name of the local 802 1x access user is localuser and the password is localpass input in plain text The idle cut function is enabled Network diagram Figure 5...

Page 232: ...econdary accounting 10 11 1 1 Set the encryption key when the system exchanges packets with the authentication RADIUS server 3Com radius radius1 key authentication name Set the encryption key when the...

Page 233: ...m163 net access limit enable 30 Enable idle cut function for the user and set the idle cut parameter in the domain 3Com163 net 3Com isp 3Com163 net idle cut enable 20 2000 Add a local supplicant and s...

Page 234: ...234 CHAPTER 25 802 1X CONFIGURATION...

Page 235: ...framework takes good scalability and is easy to realize the control and centralized management of user information RADIUS Protocol Overview As mentioned above AAA is a management framework so it can...

Page 236: ...thentication and the REJECT message indicates that the user has not passed the authentication and needs to input username and password again otherwise access will be rejected HWTACACS Protocol Overvie...

Page 237: ...on continuance packet carrying the login password to the TACACS server The TACACS server sends back an authentication response indicating that the user has passed the authentication The TACACS client...

Page 238: ...nuance packet sending password to the server Authentication response packet Authentication succeeds Authorization request packet Authorization response packet Authorization succeeds The user logs on s...

Page 239: ...p name format taking gw20010608 3Com163 net as an example the isp name i e 3Com163 net following the is the ISP domain name When 3Com Series Switches control user access as for an ISP user whose usern...

Page 240: ...ed only authentication and authorization will be performed accounting will not be performed None has the same effect as Local The usernames used for Local authentication carry no domain name so if the...

Page 241: ...the specified URL page used to change the user password on the self service server Change user password on this page Perform the following configuration in ISP domain view Table 199 Configure relevan...

Page 242: ...display mode Perform the following configuration in system view Where auto means that the password display mode will be the one specified by the user at the time of configuring password see the passw...

Page 243: ...ftp directory directory lan access ppp call number call number callback nocheck callback number callback number ssh level level telnet terminal telnet level level ssh temninal terminal level level ssh...

Page 244: ...on the Radius Server For the string delivery mode the value range of the VLAN name supported by the switch is 1 32 characters If the name configured on the Radius Server exceeds 32 characters the deli...

Page 245: ...me configured with these parameters in ISP domain view For more about the configuration commands refer to the AAA Configuration section above The following sections describe RADIUS protocol configurat...

Page 246: ...a RADIUS scheme named system whose attributes are all default values Setting IP Address and Port Number of a RADIUS Server After creating a RADIUS scheme you are supposed to set IP addresses and UDP p...

Page 247: ...ary accounting server or you may also set 4 groups of exactly same data so that every server serves as a primary and secondary AAA server To guarantee the normal interaction between NAS and RADIUS ser...

Page 248: ...g the encryption key Only when the keys are identical can both ends to accept the packets from each other end and give response You can use the following commands to set the encryption key for RADIUS...

Page 249: ...with the current RADIUS Server to have been cut off and will send request packets to another RADIUS Server Use the following commands to set the maximum retry times of sending RADIUS request packets...

Page 250: ...h the current RADIUS server has been disconnected and turn to send request packet to other RADIUS server You can use the following command to set retransmission times of RADIUS request packet Perform...

Page 251: ...nting Request Failing to be Responded RADIUS server usually checks if a user is online with timeout timer If the RADIUS server has not received the real time accounting packet from NAS for long it wil...

Page 252: ...ommand to set whether or not to save the stopping accounting requests Perform the following configuration in RADIUS scheme view By default the stopping accounting request will be saved in the buffer S...

Page 253: ...ommunicating with the secondary one When the secondary one fails to communicate NAS will turn to the primary one again The following commands can be used to set the primary server to be active manuall...

Page 254: ...by mistake if they have the same username excluding their respective domain names By default as for the newly created RADIUS scheme the username sent to RADIUS servers includes an ISP domain name as f...

Page 255: ...sabled all the UDP packets whose destination port is port 1812 will be dropped so the remote RADIUS service cannot be used Configuring a Local RADIUS Authentication Server 3Com Switch 8800 Family seri...

Page 256: ...Sent by NAS Setting a Key for Securing the Communication with TACACS Server Setting the Username Format Acceptable to the TACACS Server Setting the Unit of Data Flows Destined for the TACACS Server Se...

Page 257: ...view Table 229 Create a HWTACACS scheme Operation Command Create a HWTACACS scheme and enter HWTACACS view hwtacacs scheme hwtacacs scheme name Delete a HWTACACS scheme undo hwtacacs scheme hwtacacs s...

Page 258: ...nfigured settings overwrite the corresponding existing settings You can delete a TACACS scheme only when no Active TCP connection used to send authentication packets uses the server Enabling stop acco...

Page 259: ...nd resend it to the TACACS server Perform the following configuration in HWTACACS view By default each username sent to a TACACS server contains a domain name Table 234 Configure the source address fo...

Page 260: ...tion to be resumed By default the primary TACACS server must wait five minutes before it can resume the active state The time ranges from 1 to 255 Setting a realtime accounting interval The setting of...

Page 261: ...ccounting interval timer realtime accounting minute Restore the default real time accounting interval undo timer realtime accounting Table 241 Numbers of users and the recommended intervals Number of...

Page 262: ...eme hwtacacs scheme name Delete the stop accounting requests saved in buffer without response reset stop accounting buffer radius scheme radius scheme name session id session id time range start time...

Page 263: ...expert The switch cuts off domain name from username and sends the left part to the RADIUS server Network Topology Figure 63 Network diagram for the remote RADIUS authentication of Telnet users Config...

Page 264: ...refer to the section Setting the Port State of RADIUS Client Setting the Port State of RADIUS Client Configuring Authentication at Remote TACACS Server Network requirements Configure the switch to us...

Page 265: ...y not be in the userid isp name format or NAS has not been configured with a default ISP domain Please use the username in proper format and configure the default ISP domain on NAS The user may have n...

Page 266: ...thenticated and authorized the user cannot send charging bill to the RADIUS HWTACACS server Solution The accounting port number may be set improperly Please set a proper number The accounting service...

Page 267: ...TTP HTTPS protocols run All the HTTP requests are submitted to the Portal server before the user passes the authentication Access device unconditionally forces the HTTP requests of authentication clie...

Page 268: ...Portal server The switch sends the usernames and passwords to the authentication server for authentication The switch allows a user to access Internet only after he passes the authentication and then...

Page 269: ...All users can access these free IP addresses unrestrictedly ARP Packet Handshake between the User PC and the Switch When authentications are performed in the Direct method or ReDHCP method the switch...

Page 270: ...No Portal server is configured by default When a Portal server is configured the key string is 3Com the port is 50100 and the url string is the string format of ip address by default Configure the run...

Page 271: ...tal function may be caused abnormal Portal Direct Authentication Method Configuration Example Network requirements Portal is enabled on the switch and Portal runs in the Direct authentication method T...

Page 272: ...portal This ISP domain uses the RADIUS scheme named portal 3Com isp portal radius scheme portal 3Com isp portal quit Set portal as the default ISP domain of the system optional SW8800 domain default...

Page 273: ...vlan3 quit SW8800 interface vlan interface 3 3Com Vlan interface3 ip address 172 21 1 1 255 255 0 0 Enable Portal authentication on VLAN interface 3 3Com Vlan interface3 portal newp Portal ReDHCP Aut...

Page 274: ...VLAN 3 SW8800 vlan 3 3Com vlan3 port ethernet 2 1 3 SW8800 interface vlan interface 3 3Com Vlan interface3 ip address 172 21 1 1 255 255 0 0 3Com Vlan interface3 ip address 18 21 1 1 255 255 0 0 sub C...

Page 275: ...the Portal server is newp Refer to section Portal Direct Authentication Method Configuration Example Portal Direct Authentication Method Configuration Example for related configurations 3Com Vlan int...

Page 276: ...method does not support the authentication free user configuration Authentication free User and Free IP Address Configuration Example Network requirements Portal is enabled on the switch and Portal ru...

Page 277: ...ee user mac 00E0 FC01 0101 ip 192 166 1 200 vlan 4 interface ethernet 2 1 4 2 Configure free IP addresses Add Ethernet2 1 5 into the VLAN2 configured in Portal Direct Authentication Method Configurati...

Page 278: ...onfiguration Procedure Network requirements Delete the Portal user using the IP address 172 31 1 2 Configuration procedure Delete the user using the IP address 172 31 1 2 SW8800 portal delete user 172...

Page 279: ...etwork according to the destination address of the packet it receives and forwards the packet to the next router The last router in the path is responsible for submitting the packet to the destination...

Page 280: ...g table in its memory and each entry of this table specifies the physical port of the router through which the packet is sent to a subnet or a host Therefore it can reach the next router via a particu...

Page 281: ...er in each network is the network address and R stands for a router The router R8 is directly connected with three networks so it has three IP addresses and three physical ports and its routing table...

Page 282: ...tocols including the static configuration is set with a preference and when there are multiple routing information sources the route discovered by the routing protocol with the highest preference will...

Page 283: ...led as main route The other routes have descending precedence levels and are called as backup routes Normally the router sends data via main route When the line fails the main route will hide itself a...

Page 284: ...284 CHAPTER 28 IP ROUTING PROTOCOL OVERVIEW...

Page 285: ...he destination is unreachable Blackhole route If a static route to a destination has the blackhole attribute the outgoing interface of this route is the Null 0 interface regardless of the next hop add...

Page 286: ...ket it will first search the matching route in the routing table according to the destination address of the packet Only when the next hop address of the route is specified can the link layer find the...

Page 287: ...hole Delete a default route undo ip route static 0 0 0 0 0 0 0 0 0 interface type interface number gateway address preference value Table 251 Delete all static routes Operation Command Delete all stat...

Page 288: ...5 0 255 255 255 0 1 1 3 1 Switch B ip route static 1 1 1 0 255 255 255 0 1 1 3 1 Configure the static route for Switch C Switch C ip route static 1 1 1 0 255 255 255 0 1 1 2 1 Switch C ip route stati...

Page 289: ...Faults Symptom The switch is configured with the static routing protocol and both the physical status and the link layer protocol status of the interface is Up but the IP packets cannot be forwarded...

Page 290: ...290 CHAPTER 29 STATIC ROUTE CONFIGURATION...

Page 291: ...e that is the destination network or the host is unreachable To improve the performance and avoid route loop RIP supports Split Horizon and allows importing the routes discovered by other routing prot...

Page 292: ...s modification information following split horizon mechanism After receiving trigger modification packets the adjacent routers send trigger modification packets to their respective adjacent routers As...

Page 293: ...RIP is not enabled Enabling RIP on the Specified Network Segment To flexibly control RIP operation you can enable RIP on the specified network segment so that the corresponding ports can receive and s...

Page 294: ...orizon is necessary for reducing routing loop Perform the following configuration in interface view By default split horizon of the interface is enabled Setting Additional Routing Metric Additional ro...

Page 295: ...fying the ACL and IP prefix for route import and advertisement Besides to import a route the RIP packet of a specific router can also be received by designating a neighbor router Perform the following...

Page 296: ...view By default the router receives the host route Configuring RIP 2 Route summary Function The so called route summary means that different subnet routes in the same natural network can be aggregate...

Page 297: ...ast By default multicast is adopted for transmitting packets In RIP 2 the multicast address is 224 0 0 9 The advantage of transmitting packets in the multicast mode is that the hosts not operating RIP...

Page 298: ...routes cannot always become unreachable at the point when a new period starts the actual value of Garbage collection timer is three to four times that of Period Update timer n You must consider netwo...

Page 299: ...ication But when the interface operates RIP 2 the packet authentication can be configured RIP 2 supports two authentication modes Simple authentication and MD5 authentication MD5 authentication uses t...

Page 300: ...s A and Switch B are respectively connected to the network 155 10 1 0 and 196 38 165 0 Switch C Switch A and Switch B are connected via Ethernet 110 11 2 0 Correctly configure RIP to ensure that Switc...

Page 301: ...rip network 196 38 165 0 Switch B rip network 110 11 2 0 3 Configure Switch C Configure RIP Switch C rip Switch C rip network 117 102 0 0 Switch C rip network 110 11 2 0 Troubleshooting RIP Faults Sy...

Page 302: ...rip work command is executed or this interface is not enabled through the network command The peer routing device is configured to be in the multicast mode for example the rip version 2 multicast com...

Page 303: ...pe 1 and external type 2 routes Authentication It supports the interface based packet authentication so as to guarantee the security of the route calculation Multicast transmission Support multicast a...

Page 304: ...ains the values of some timers DR BDR and the known neighbor Database Description DD Packet When two routers synchronize their databases they use the DD packets to describe their own LSDBs including t...

Page 305: ...So Stubby Area NSSA Type 5 LSAs cannot be generated or released within a NSSA Type 7 LSAs can only be released within an NSSA When Type 7 LSAs reach an ABR the ABR can convert part routing informatio...

Page 306: ...on an AS into different areas Areas are logical groups of routers The borders of areas are formed by routers Thus some routers may belong to different areas A router connects the backbone area and a n...

Page 307: ...icator and MD5 encryption authenticator to authenticate packets transmitted between neighboring routers in the same area Flexible configuration for the router port parameter On the router port you can...

Page 308: ...ed GR The Helper device judges its relationship with the Restarter device when it receives Grace LSA from the Restarter device When its neighbor state machine is full and it is not in the GR state it...

Page 309: ...OSPF neighbors must be the same Different GR methods cannot perform the GR process successfully A OSPF process can use only one GR method Packet Format of OSPF GR Format of Grace LSA This LSA is an Op...

Page 310: ...TLV is 1 The Length field refers to the length of TLV and the length of EO_TLV is 4 The Extend Options field is the extend options of OSPF RS_bit and LR_bit are set in this Option field in OSPF GR The...

Page 311: ...above are supported in the implementation of Comware Configuring OSPF OSPF configuration needs cooperation among routers intra area area boundary and AS boundary If none of OSPF parameters is configur...

Page 312: ...DD Packets Setting a Shortest Path First SPF Calculation Interval for OSPF 4 Configurations related to OSPF networking Configuring OSPF Authentication Disabling the Interface to Send OSPF Packets Con...

Page 313: ...of IP address Regardless of how it is specified it is displayed in the format of IP address Note that when you configure OSPF routers in the same area you should apply most configuration data to the...

Page 314: ...s such as static route and RIP Since these routes are more reliable the calculated cost of the external routes is the same as the cost of routes within the AS Also such route cost and the route cost o...

Page 315: ...itional parameters need configuring such as default route cost and default tag of route distribution Route tag can be used to identify the protocol related information For example OSPF can use it to i...

Page 316: ...oute area Note the following when you use this command If you use the default route advertise command on an ASBR or ABR of a common OSPF area the system generates a Type 5 LSA advertising the default...

Page 317: ...er this router becomes an ASBR For the OSPF router the default route advertise and import route commands have the similar effect For the ABR or ASBR in the NSSA area the default route advertise and ns...

Page 318: ...other areas By default an OSPF area does not filter Type 3 LSAs advertised to other areas n The filter policy import export command filters only locally originated Type 3 LSAs and does not filter Typ...

Page 319: ...advertise the route summary of this segment will not be advertised This segment is represented by IP address and mask Route summary can take effect only when it is configured on ABRs Perform the follo...

Page 320: ...he user can set the Hello timer According to RFC2328 the consistency of Hello intervals between network neighbors should be kept The Hello interval value is in inverse proportion to the route converge...

Page 321: ...e of the OSPF Interface The route calculation of OSPF is based upon the topology of the adjacent network of the local router Each router describes the topology of its adjacent network and transmits it...

Page 322: ...uring which the route calculation is incorrect In order to speed up this process OSPF puts forward the concept of BDR In fact BDR is a backup for DR DR and BDR are elected in the meantime The adjacenc...

Page 323: ...rks Perform the following configuration in interface view By default the LSU packets are transmitted per second Configuring the Cost for Sending Packets on an Interface The user can control the networ...

Page 324: ...ce is set to be in silent status the interface can still advertise its direct route However the OSPF hello packets of the interface will be blocked and no neighboring relationship can be established o...

Page 325: ...m all the other areas Its Area id is 0 0 0 0 and it is usually called the backbone Area The OSPF routes between non backbone areas are updated with the help of the backbone area OSPF stipulates that a...

Page 326: ...figuration in OSPF area view By default the value of hello seconds is 10 seconds the value of retransmit seconds is 5 seconds the value of trans delay seconds is 1 second and the value of dead seconds...

Page 327: ...ea Also there are other two ASs respectively running RIP Area 1 is defined as an NSSA area After RIP routes of the Area 1 are propagated to the NSSA ASBR the NSSA ASBR will generate type 7 LSAs which...

Page 328: ...fault route to the NSSA is 1 Setting the Switch for Adjacency State Output When the switch for adjacency state output is enabled the OSPF adjacency state changes will be output to the configuration te...

Page 329: ...Configure OSPF MIB binding ospf mib binding process id Restore the default OSPF MIB binding undo ospf mib binding Table 303 Enable Disable OSPF TRAP function Operation Command Enable OSPF TRAP functi...

Page 330: ...w Enter OSPF view ospf process id router id router id vpn instance vpn instance name Configure GR graceful restart compatible Required Table 306 Reset OSPF processes Operation Command Reset one or all...

Page 331: ...tes display ospf process id asbr summary ip address mask Display OSPF interface information display ospf process id interface Display OSPF errors display ospf process id error Display OSPF Graceful Re...

Page 332: ...dr priority 0 Switch B router id 2 2 2 2 Switch B ospf Switch B ospf 1 area 0 Switch B ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 Configure Switch C Switch C interface Vlan interface 1 Switch C V...

Page 333: ...the current DR is offline will the DR be changed Shut down Switch A and execute the display ospf peer command on Switch D to display its neighbors Note that the original BDR Switch C becomes the DR a...

Page 334: ...0 0 0 1 vlink peer 3 3 3 3 Configure Switch C Switch C interface Vlan interface 1 Switch C Vlan interface1 ip address 152 1 1 1 255 255 255 0 Switch C interface Vlan interface 2 Switch C Vlan interfac...

Page 335: ...ilyB vlan192 interface vlan 192 Switch 8800 FamilyB Vlan interface192 ip address 192 168 1 2 24 Switch 8800 FamilyB Vlan interface192 quit Switch 8800 FamilyB interface GigabitEthernet 3 1 2 Switch 88...

Page 336: ...ame area ID should be used and the networks and the masks should also be consistent The p2p or virtually linked segment can have different segments and masks Ensure that the dead timer on the same int...

Page 337: ...hat is if a virtual link has been set up between RTB and RTC neither Area1 nor Area0 can be configured as a stub area In the figure above only Area 2 can be configured as the stub area Routers in the...

Page 338: ...338 CHAPTER 31 OSPF CONFIGURATION...

Page 339: ...oes not process the IS IS routing protocol and therefore it can be ignored in the IS IS protocol Routing Domain RD A group of ISs exchange routing information with the same routing protocol in a routi...

Page 340: ...ter and Level 2 routers or Level 1 2 routers in other areas are neighbors The Level 2 router maintains a Level 2 LSDB This LSDB contains inter area routing information The backbone which is made up of...

Page 341: ...structure ES Routing Domain Boundary IS IS Area End system Subnetwork Path Level 1 IS IS Routing Level 2 IS IS Routing Interdomain Routing Intermediate system ES IS Area 1 Area 2 Area 3 Routing Domai...

Page 342: ...48 bits 6 bytes In general you can obtain System ID according to Router_ID If the IP address 168 10 1 1 of the interface LoopBack0 serves as a router_ID for the router you can use the following method...

Page 343: ...in a broadcast LAN forwards Level 2 LAN IIH non broadcast network forwards Point to Point IIH LSP Link state packet LSP can switch link state information LSP can be divided into Level 1 LSP and Level...

Page 344: ...Route Metric Type Setting IS IS Link State Routing Cost Configuring IS IS Timers Setting Parameters Related to LSP Setting Parameters Related to SPF 4 Configuration related to IS IS networking Setting...

Page 345: ...rom all the routers When you need to select a DIS from the IS IS neighbors on the broadcast network you should select level 1 DIS and level 2 DIS respectively The higher the priority is the more possi...

Page 346: ...2 to prevent transmitting Level 1 Hello packets to Level 2 backbone so as to save the bandwidth However Level 1 and Level 2 use the same kind of Hello packet over the p2p link and therefore such setti...

Page 347: ...ch can be direct static rip bgp ospf ospf ase ospf nssa and so on n The filter policy import command only filters the ISIS routes received from the neighbors and routes that cannot pass the filter wil...

Page 348: ...te In the IS IS route domain the Level 1 router only has the LSDB of the local area so it can only generate the routes in the local areas But the Level 2 router has the backbone LSDB in the IS IS rout...

Page 349: ...IS only receives and sends the packets whose route metric is in narrow style Setting IS IS Link State Routing Cost Users can configure the interface cost namely the default routing cost Perform the fo...

Page 350: ...ls in the Fast Hello mode by setting the minimum value of Hello interval to 1 second If the number of packets is not specified in the related command three Hello packets will be sent per second Perfor...

Page 351: ...ry 33 milliseconds Setting LSP packet retransmission interval Over a p2p link if the local end does not receive the response within a period of time after it sends an LSP packet it considers that the...

Page 352: ...to confirm the validity and correctness of its peers The authentication passwords at the same level of all the interfaces of a network should be identical Perform the following configuration in inter...

Page 353: ...owing configurations in IS IS view By default the system does not require password or perform authentication Setting the IS IS to use the MD5 algorithm compatible with that of the other vendors You mu...

Page 354: ...ecksum error command the LSP packet will be discarded if the checksum error is found Perform the following configuration in IS IS view By default the LSP checksum error is ignored Setting to Log the P...

Page 355: ...ll be run after the SPF interval times out Perform the following configuration in IS IS view If the level is not specified it defaults to setting the SPF calculation interval of Level 1 By default SPF...

Page 356: ...IS IS Enabling Disabling IS IS Packet Transmission To prevent the IS IS routing information from being obtained by some router in a certain network the silent interface command can be used to prohibi...

Page 357: ...rting routers The restart interval is set as holdtime in Hello PDU of IS IS In this way the neighbors of a router will not break adjacency relations with it when it is restarted The restarted router s...

Page 358: ...d IS IS peer reset isis peer system id Table 345 Display and debug IS IS Operation Command Display IS IS LSDB display isis lsdb l1 l2 level 1 level 2 LSPID local verbose Display IS IS SPF calculation...

Page 359: ...le Switch A interface vlan interface 102 Switch A Vlan interface102 ip address 100 20 0 1 255 255 255 0 Switch A Vlan interface102 isis enable Configure Switch B Switch B isis Switch B isis network en...

Page 360: ...e vlan interface 100 Switch C Vlan interface100 ip address 200 20 0 1 255 255 255 0 Switch C Vlan interface100 isis enable Configure Switch D Switch D isis Switch D isis network entity 86 0001 0000 00...

Page 361: ...occupation by route propagation and can be applied to propagation of a great amount of routing information on the Internet BGP 4 supports CIDR which is an important improvement to BGP 3 In considerati...

Page 362: ...palive messages are received and transmitted to check the connections between various neighbors The router transmitting BGP messages is called a BGP speaker which receives and generates new routing in...

Page 363: ...BGP 4 The present MBGP standard is RFC2858 MBGP is backward compatible that is a router supporting BGP extension can be interconnected with a router that does not support it MBGP extension attributes...

Page 364: ...d improve route advertisement efficiency When added into a peer group a peer inherits all the configuration of the group If the configuration of a peer group changes the configuration of its member pe...

Page 365: ...ished BGP connections will be disconnected Perform the following configuration in system view By default BGP is not enabled Configuring Basic Features for BGP Peer When configuring a MBGP peer group y...

Page 366: ...pecify the AS numbers If the AS number of the peer group is not specified each peer added to it should be specified with its own AS number AS numbers of peers in a same peer group can be different Con...

Page 367: ...onfigure timers for the whole BGP peers Perform the following configuration in BGP view Table 351 Enable disable the Graceful restart ability of a peer or peer group Operation Command Enable the Grace...

Page 368: ...be a client of a route reflector Perform the following configuration in BGP view Restore the default value of keep alive message interval and hold timer of a peer group undo peer group name peer addre...

Page 369: ...next hop address In some networking conditions when the routes are sent to the IBGP peer you can configure the local address of the sender as the next hop consequently ensuring the IBGP neighbors can...

Page 370: ...ed repeating time of local AS is set to 1 Specifying the source interface of a route update packet Generally the system specified the source interface of a route update packet When the interface fails...

Page 371: ...iltering policy of advertised routes configured for each member of a peer group must be same with that of the peer group but their route filtering policies of ingress routes may be different Perform t...

Page 372: ...undo peer group name filter policy acl number export Table 367 Configure route filtering policy based on AS path list for a peer group Operation Command Configure the ingress route filtering policy b...

Page 373: ...o BGP by default Configuring to Permit BGP to Import Default Routes of Other Protocols Perform the following configuration in BGP view By default BGP does not import the default routes of other protoc...

Page 374: ...ion Operation Command Enable automatic aggregation of subnet routes summary Disable automatic aggregation of subnet routes undo summary Enable local route aggregation aggregate address mask as set att...

Page 375: ...You have to find measures to avoid it The technology controlling unstable route is called route dampening The dampening divides the route into the stable route and unstable route the latter of which...

Page 376: ...and uses the smaller time as the negotiated holdtime If the negotiation result is 0 the router will not send Keepalive message and will not detect whether the holdtime expires Perform the following co...

Page 377: ...e MED metrics of the peers in different ASs Comparing the MED Routing Metrics from the Peers in Different ASs It is used to select the best route The route with smaller MED value will be selected Perf...

Page 378: ...ter B You only need to connect Router C to Router A and Router B respectively If a BGP router is not either a reflector or client we call the BGP router non client You still need connect non clients t...

Page 379: ...back to the originator You do not need to configure Originator_ID Originator_ID automatically takes effect when BGP is enabled Configuring BGP AS Confederation Attribute Confederation provides the met...

Page 380: ...figuring AS confederation attribute compatible with nonstandard If it is necessary to perform the interconnection with the devices whose implementation mechanism is different from that of RFC1965 you...

Page 381: ...rom EBGP the BGP performs load balancing for routes from the same AS and with the same med value only In case of routes learned from IBGP the BGP performs load balancing for routes with the same med v...

Page 382: ...formation when BGP routing policy changes Perform the following configuration in user view Table 388 Enable disable BGP load balancing Operation Command Enable BGP load balancing balance balance numbe...

Page 383: ...e specified BGP peer advertised or received display bgp routing table peer peer address advertised received network address mask statistic Display the total number or route entries received or adverti...

Page 384: ...ebugging bgp packet receive send verbose Enable disable BGP Route Refresh packet debugging undo debugging bgp route refresh receive send verbose Enable Disable information debugging of BGP normal func...

Page 385: ...3 Configure Switch C Switch C bgp 1003 Switch C bgp confederation id 100 Switch C bgp confederation peer as 1001 1002 Switch C bgp group confed1001 external Switch C bgp peer confed1001 as number 1001...

Page 386: ...terface Vlan interface 2 Switch B Vlan interface2 ip address 192 1 1 2 255 255 255 0 Configure VLAN 3 Switch B interface Vlan interface 3 Switch B Vlan interface3 ip address 193 1 1 2 255 255 255 0 Co...

Page 387: ...e display bgp routing table command you can view the BGP routing table on Switch D Note Switch D also knows the existence of network 1 0 0 0 Configuring BGP Routing Network requirements This example i...

Page 388: ...deny source any Define two route policies one is called Apply_med_50 and the other is called Apply_med_100 The first MED attribute with the route policy as network 1 0 0 0 is set as 50 while the MED...

Page 389: ...tch C bgp peer 195 1 1 1 group in Switch C bgp peer 194 1 1 2 group in 4 Configure Switch D Switch D interface vlan interface 4 Switch D Vlan interface4 ip address 194 1 1 1 255 255 255 0 Switch D int...

Page 390: ...neighborhood cannot be established The Established state cannot be entered Solution The establishment of BGP neighborhood needs the router able to establish TCP connection through port 179 and exchang...

Page 391: ...ute covering large network segment cannot be imported For example route 10 1 1 0 24 can be imported while 10 0 0 0 8 may cause error If Ospf is used after a large network segment is imported to the lo...

Page 392: ...392 CHAPTER 33 BGP CONFIGURATION...

Page 393: ...olicy to advertise receive and import the route information Filter In Switch 8800 Family series five kinds of filters Route policy ACL AS path Community list and IP prefix are provided to be called by...

Page 394: ...formation packet of the BGP includes a community attribute domain to identify a community Targeting at the community attribute the community list specifies the match condition Routing Policy Applicati...

Page 395: ...clauses of the node it will be denied by the node and will not take the test of the next node If not however the route will take the test of the next node The nodes have the OR relationship In other w...

Page 396: ...atch adv community number Disable matching the community attribute of the BGP routing information undo if match community Match the destination address of the routing information if match acl acl numb...

Page 397: ...set community attribute in the BGP routing information undo apply community Set the next hop address of the routing information apply ip next hop ip address Cancel the next hop address of the routing...

Page 398: ...Note that if more than one ip prefix item are defined then the match mode of at least one list item should be the permit mode The list items of the deny mode can be defined first to rapidly filter th...

Page 399: ...ion filtering to implement the purposeful redistribution If the destination routing protocol importing the routes cannot directly reference the route costs of the source routing protocol you should sa...

Page 400: ...face is directly connected static Route configured statically rip Route discovered by RIP ospf Route discovered by OSPF ospf ase External route discovered by OSPF ospf nssa NSSA route discovered by OS...

Page 401: ...sible and partially shielded It means that routes in the network segments 20 0 0 0 and 40 0 0 0 are visible while those in the network segment 30 0 0 0 are shielded Network diagram Figure 95 Network d...

Page 402: ...255 Switch B acl basic 2000 rule permit source any Enable OSPF protocol and specifies the number of the area to which the interface belongs Switch B router id 2 2 2 2 Switch B ospf Switch B ospf 1 ar...

Page 403: ...y filter the routing information not satisfying the requirement but if all the items are in the deny mode any routes will not pass the ip prefix filtering You can define an item of permit 0 0 0 0 0 le...

Page 404: ...404 CHAPTER 34 IP ROUTING POLICY CONFIGURATION...

Page 405: ...Setting the Maximum Number of VRFs Supported by the System Table 403 Configuration tasks Items Description Details Set the maximum number of route entries supported by the system Required Refer to sec...

Page 406: ...406 CHAPTER 35 ROUTE CAPACITY CONFIGURATION...

Page 407: ...route forwarding this non directly connected next hop address must be recursion processed once or several times to find out a directly connected next hop address to enable L2 path searching A recursi...

Page 408: ...408 CHAPTER 36 RECURSIVE ROUTING CONFIGURATION...

Page 409: ...cast mode In unicast mode every user that needs the information receives a copy through the channels the system separately establishes for them See Figure 96 Figure 96 Data transmission in unicast mod...

Page 410: ...ency Advantages of Multicast Multicast IP multicast technology solves those problems When some users in the network need specific information it allows the multicast source to send the information onl...

Page 411: ...lue added services in the Internet information service area that include online live show Web TV tele education telemedicine network radio station and real time audio video conferencing It takes a pos...

Page 412: ...a permanent group to not a single member Those not reserved for permanent multicast groups can be used by temporary multicast groups Class D multicast addresses range from 224 0 0 0 to 239 255 255 255...

Page 413: ...four bits of the multicast address are 1110 representing the multicast identifier Among the rest 28 bits only 23 bits are mapped to the MAC address and the other five bits are lost This may results in...

Page 414: ...otocols The inter domain routing first needs to solve how to transfer routing information between ASs Since the ASs may belong to different telecom carriers the inter domain routing information must c...

Page 415: ...ticast Packets 415 address is the RP address of the shared tree A multicast packet arriving at the router will be forwarded according to the multicast forwarding entry if it passes the RPF check or el...

Page 416: ...416 CHAPTER 37 IP MULTICAST OVERVIEW...

Page 417: ...a Static Multicast MAC Address c CAUTION Do not enable the PIM on the virtual interface of the VLAN to be configured The multicast MAC address to be configured must not be a multicast MAC address use...

Page 418: ...ress group and add multiple ports into the static multicast address group SW8800 mac address multicast 0100 5e01 018d interface Ethernet 2 1 1 to Ethernet 2 1 3 vlan 2 Displaying and Maintaining Stati...

Page 419: ...ost it will remove the host from the corresponding multicast table The switch continuously listens to the IGMP messages to create and maintain MAC multicast address table on Layer 2 And then it can fo...

Page 420: ...er of the port will begin timing The multicast group member port aging time is set on this aging timer If the switch has not received any IGMP report message when the timer times out it transmits IGMP...

Page 421: ...ady to join exists If the corresponding MAC multicast group does not exist the switch only notifies the router that a member is ready to join a multicast group creates a new MAC multicast group adds t...

Page 422: ...ps Enabling Disabling IGMP Snooping Fast Leave Among the above configuration tasks enabling IGMP Snooping is required while others are optional for your requirements Enabling Disabling IGMP Snooping Y...

Page 423: ...n the maximum response time it will remove the port from the multicast group Perform the following configuration in system view By default the maximum response time is 1 seconds Configuring Aging Time...

Page 424: ...ng configuration in system view By default unknown multicast packets are broadcasted within the VLAN Configuring the Filtering Rule of Multicast Groups On the IGMP snooping enabled switch you can conf...

Page 425: ...t in system view However it only works on the current port e g when a Trunk port belongs to multiple VLANs in the specified VLANs if you configure it in Ethernet port view c CAUTION Fast leave configu...

Page 426: ...in a VLAN to be a static routing port in the corresponding Ethernet port view c CAUTION You will fail to configure a port to be a static routing port if the port identified by the port number argument...

Page 427: ...ation group Static routing port is valid when IGMP snooping IGMP PIM DM or PIM SM is enabled in the VLAN Displaying and Maintaining IGMP Snooping After the above configuration execute display command...

Page 428: ...View with Ctrl Z SW8800 igmp snooping enable Display the status of the VLAN10 interface to check if PIM or IGMP is enabled on this interface SW8800 display current configuration interface Vlan interf...

Page 429: ...lay if the multicast group is the expected one If the multicast group created by IGMP Snooping is not correct turn to professional maintenance personnel for help Continue with diagnosis 3 if the secon...

Page 430: ...430 CHAPTER 39 IGMP SNOOPING CONFIGURATION...

Page 431: ...smitted to users continuously Multicast VLAN Configuration Multicast VLAN is based on layer 2 multicast The following table describes the multicast VLAN configuration tasks n A port can only belong to...

Page 432: ...8 10 1 1 The port E1 1 1 belongs to VLAN 2 and is connected to the Workstation The IP address of VLAN 10 interface is 168 20 1 1 The port E1 1 10 belongs to VLAN 10 and is connected to Switch B Config...

Page 433: ...ooping on VLAN 2 and VLAN 3 Switch B vlan 2 Switch B vlan 2 igmp snooping enable Switch B vlan 2 quit Switch B vlan 3 Switch B vlan 3 igmp snooping enable Configure VLAN 10 as multicast VLAN Enable IG...

Page 434: ...t carry no VLAN label when it transmits packets of VLAN 3 and VLAN 10 Set the default VLAN ID of the port to VLAN 3 Switch B interface Ethernet 1 1 2 Switch B Ethernet 1 1 2 port link type hybrid Swit...

Page 435: ...ion Enabling Multicast Routing Enable multicast routing first before enabling multicast routing protocol Perform the following configuration in system view By default multicast routing is disabled c C...

Page 436: ...r Its Statistic Information You can clear MFC forward entries or statistic information of FMC forward entries via the following command Perform the following configuration in user view Clearing Route...

Page 437: ...rm the following configurations in system view Perform the following configuration in local user view Configure managed multicast in local user view c CAUTION In local user view before executing this...

Page 438: ...t Enable 802 1x globally SW8800 dot1x Enable 802 1x on the controlled ports the access ports for LSA and LSC SW8800 interface GigabitEthernet2 1 1 3Com GigabitEthernet2 1 1 dot1x 3Com GigabitEthernet2...

Page 439: ...Namely once you have enabled broadcast suppression on some ports of a card you cannot enable multicast suppression on the other ports of the card and vice versa If multicast suppression is enabled br...

Page 440: ...ticast routing table display multicast routing table group address mask mask mask length source address mask mask mask length incoming interface vlan interface vlan interface number register Display t...

Page 441: ...e router The router needs to send membership query messages periodically to discover whether hosts join the specified group on its subnets according to the received response messages When the router r...

Page 442: ...P address of the multicast group This prevents the hosts of members of other multicast groups from sending response messages Max response time The Max Response Time is added in IGMP Version 2 It is us...

Page 443: ...m a host through the interface of VLAN 200 Switch B changes the source address of the message to the IP address of VLAN 100 interface 33 33 33 2 which is the outbound interface leading to Switch A Swi...

Page 444: ...ecific VLANs IP addresses PIM and IGMP have been configured in the corresponding interfaces Configuration procedure c CAUTION Enable PIM protocol on the interface first before configuring IGMP Proxy I...

Page 445: ...erface which needs to maintain the multicast membership After this you can initiate IGMP feature configuration Perform the following configuration in interface view By default IGMP is disabled on the...

Page 446: ...erval and the Number of Querying IGMP Packets On the shared network it is the query router querier that maintains IGMP membership on the interface The igmp lastmember queryinterval and igmp robust cou...

Page 447: ...Time of IGMP Querier On shared network namely a network segment where multiple multicast routers exist a query router querier for short sends query messages on the interface regularly If a non query...

Page 448: ...face If there is no limit to the number of IGMP groups added on a router interface or a router the router memory may be exhausted which may cause router failure You can set number limit for the IGMP g...

Page 449: ...lete the IGMP groups at the specific address or in the specific network segment on the specific interfaces of the router Perform the following configuration in user view After a group is deleted if ot...

Page 450: ...emoves the port from the outbound port lists of all Layer 3 multicast forwarding tables that are of the same multicast group to peel off the port from the multicast group That is the switch does not s...

Page 451: ...on aggregation ports the configuration takes effect only on primary aggregation ports If you have added an IGMP V1 host of the same multicast group to the port or configured a static host of the same...

Page 452: ...100 quit Configure the interface of VLAN 100 to be the IGMP proxy interface of the interface of VLAN 200 SwitchB interface vlan interface 200 SwitchB Vlan interface 200 igmp proxy Vlan interface 100 2...

Page 453: ...lients Each service has its own multicast address which is the multicast group When a service is selected the client sends IGMP packets to join the multicast group through which the receiver can recei...

Page 454: ...454 CHAPTER 42 IGMP CONFIGURATION...

Page 455: ...nterface the packets will be discarded After this process an S G entry will be created in the PIM DM multicast domain If the downstream node has no multicast group members it will send a Prune message...

Page 456: ...e assert mechanism Routers will send Assert packets to select the best path If two or more than two paths have the same priority and metric the path with a higher IP address will be the upstream neigh...

Page 457: ...e of the connected networks Perform the following configuration in interface view You can configure different time intervals according to the actual networks By default the time interval for sending H...

Page 458: ...e the previous configuration will be overwritten by the new configuration Configuring the Filtering of PIM Neighbor You can configure basic ACLs to filter the routers which can be PIM neighbors of the...

Page 459: ...453 Clear multicast route entries from PIM routing table Operation Command Clear multicast route entries from PIM routing table reset pim routing table all group address mask group mask group mask le...

Page 460: ...lan11 port ethernet 2 1 4 3Com vlan11 quit SW8800 vlan 12 3Com vlan12 port ethernet 2 1 6 3Com vlan12 quit Enable the PIM debugging debugging pim common all event packet timer Disable the PIM debuggin...

Page 461: ...w with Ctrl Z SW8800 multicast routing enable Enable IGMP and PIM DM on the interface SW8800 vlan 11 3Com vlan11 port ethernet 2 1 2 3Com vlan11 quit SW8800 vlan 12 3Com vlan12 port ethernet 2 1 4 3Co...

Page 462: ...462 CHAPTER 43 PIM DM CONFIGURATION...

Page 463: ...l but uses the present unicast routing table to perform the RPF check Note that the creation and interaction of the RPs and BSRs are implemented through periodical RP advertisements and BSR Bootstrap...

Page 464: ...ulate the RPs corresponding to multicast groups according to the same algorithm after receiving the C RP messages that the BSR advertises c CAUTION One RP can serve multiple multicast groups or all mu...

Page 465: ...he register messages Limiting the range of legal BSR Limiting the range of legal C RP Clearing multicast route entries from PIM routing table Clearing PIM neighbor c CAUTION At least one router in an...

Page 466: ...will compare the BSR address of the newly received Bootstrap message with that of itself Comparison standards include priority and IP address The bigger IP address is considered better when the prior...

Page 467: ...his prompt information Cannot config static rp exceeded static rp limit 10 Configuring the PIM SM Domain Border After the PIM SM domain border is configured bootstrap messages can not cross the border...

Page 468: ...ster process of the multicast data stream c CAUTION Only the register messages matching the ACL permit clause can be accepted by the RP Specifying an undefined ACL will make the RP deny all register m...

Page 469: ...connected to LSA through VLAN interface10 connected to LSC through VLAN interface11 and connected to LSD through VLAN interface12 LSC is connected to HostB through VLAN interface10 connected to LSB th...

Page 470: ...interface10 quit SW8800 vlan 11 3Com vlan11 port ethernet 2 1 4 to ethernet 2 1 5 3Com vlan11 quit SW8800 interface vlan interface 11 3Com vlan interface11 igmp enable 3Com vlan interface11 pim sm 3Co...

Page 471: ...lan interface12 quit Configure the C BSR SW8800 pim 3Com pim c bsr vlan interface 10 30 2 Configure the C RP SW8800 acl number 2000 3Com acl basic 2000 rule permit source 225 0 0 0 0 255 255 255 SW880...

Page 472: ...vlan interface11 pim sm 3Com vlan interface11 quit SW8800 vlan 12 3Com vlan12 port ethernet 2 1 6 to ethernet 2 1 7 3Com vlan12 quit SW8800 interface vlan interface 12 3Com vlan interface12 igmp enabl...

Page 473: ...SDP makes a PIM SM domain independent of the RP in another PIM SM domain After getting multicast source information in that domain the receiver here can join directly to the SPT of the multicast sourc...

Page 474: ...choose to take the path along SPT The RP in domain 1 generates an SA Source Active message for the MSDP peers the RPs in PIM SM domain 2 and domain 3 The SA message contains multicast source IP addres...

Page 475: ...cast source as from Switch A to Switch B it is received and forwarded to other peers If the SA message is from a MSDP peer that has only one peer as from Switch B to Switch A it is received If the SA...

Page 476: ...nfigure MSDP peers Advanced configuration tasks of MSDP include Configure static RPF peers Configure Originating RP Configure SA caching state Configure the maximum number of SA caching Request the so...

Page 477: ...g to the configured prefix list If multiple static RPF peers using the same rp policy parameter are configured any peer that receives an SA message will forward it to the other peers Not using the rp...

Page 478: ...rvice attacks you can set the maximum number of SAs cached on the router Perform the following configuration in MSDP view By default the maximum number of SA caching is 2048 Requesting Source Informat...

Page 479: ...ce is advertised in SA messages Filtering SA request messages Please perform the following configurations in MSDP view By default only the routers which caches SA messages can respond to SA request me...

Page 480: ...s no less than the threshold Therefore the forwarding of SA messages with encapsulated data can be controlled by configuring the TTL threshold For example you can set the TTL threshold for intra domai...

Page 481: ...ew By default MSDP connection is retried at the interval of 30 seconds Shutting MSDP Peers Down The session between MSDP peers can be cut off and re activated as needed If a session between MSDP peers...

Page 482: ...o shutdown peer address Table 480 Clear MSDP connections statistics and SA caching configuration Operation Command Clear a specified TCP connection and reset the counters of all MSDP information reset...

Page 483: ...tic RPF peers with the parameter rp policy After the configuration is complete Switch D will only receive SA messages permitted by the corresponding filtering policy from its static RPF peers Network...

Page 484: ...0 25 0 0 16 SwitchD msdp SwitchD msdp peer 10 25 1 1 connect interface Vlan interface30 SwitchD msdp static rpf peer 10 25 1 1 rp policy list c Configuring Anycast RP Network requirements To configure...

Page 485: ...tchB interface loopback10 SwitchB LoopBack10 ip address 10 1 1 1 255 255 255 255 SwitchB LoopBack10 igmp enable SRC A SwitchE Loopback0 10 10 1 1 Loopback10 10 1 1 1 Vlan interface20 10 10 3 1 24 Loop...

Page 486: ...20 undo shutdown SwitchB Vlan interface20 quit Configure OSPF SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 10 10 2 0 0 255 255 255 SwitchB ospf 1 area 0 0 0 0 network 10 10 3...

Page 487: ...witchA Vlan interface20 igmp enable SwitchA Vlan interface20 pim sm SwitchA Vlan interface20 undo shutdown SwitchA Vlan interface20 quit Configure the IP address of Vlan interface10 and enable IGMP an...

Page 488: ...pback0 10 26 1 1 Loopback0 10 28 1 1 Loopback0 10 29 1 1 Vlan interface20 Vlan interface10 SwitchI PIM SM domain 3 SwitchH PIM SM domain 2 SwitchG SwitchA PIM SM domain 1 SwitchB SwitchC SRC B SwitchD...

Page 489: ...gure the IP address of Vlan interface30 and enable IGMP and PIM SM SwitchA interface Vlan interface30 SwitchA Vlan interface30 ip address 10 25 2 3 255 255 255 0 SwitchA Vlan interface30 igmp enable S...

Page 490: ...ex SwitchA bgp af mul peer ex next hop local SwitchA bgp af mul quit SwitchA bgp quit Configure MSDP peer Mess Group and Originating RP SwitchA msdp SwitchA msdp peer 10 28 1 1 connect interface loop...

Page 491: ...1 255 255 255 0 SwitchE Vlan interface20 igmp enable SwitchE Vlan interface20 pim sm SwitchE Vlan interface20 undo shutdown SwitchE Vlan interface20 quit Configuring OSPF SwitchE ospf SwitchE ospf 1 a...

Page 492: ...ck 0 SwitchE msdp static rpf peer 10 29 1 1 SwitchE msdp peer 10 25 1 1 connect interface loopback 0 SwitchE msdp peer 10 27 1 2 connect interface loopback 0 SwitchE msdp peer 10 25 1 1 mesh group net...

Page 493: ...ther network layer protocols such as multicast IPv6 Carrying multicast routing information is only one of the extended functions MBGP enables unicast and multicast routing information to be exchanged...

Page 494: ...es MBGP may construct different inter domain routes for unicast and multicast under a same policy MBGP Operating Mode and Message Type MBGP runs on a router in the following two modes IBGP Internal BG...

Page 495: ...llowing configuration in BGP view By default the system does not run the MBGP multicast extension protocol Specifying Network Routes Notified by MBGP Multicast Extension The network command is used to...

Page 496: ...ection If the router does not receive a single Keepalive message or any other kind of message from the peer within the defined connection Holdtime it will think the MBGP connection broken and exit and...

Page 497: ...d is reserved for the occasional compatibility with the network equipments of other vendors Table 485 Enable a peer group Operation Command Enable the specified peer group peer group name enable Disab...

Page 498: ...ure the local address as the next hop when advertising routes Operation Command Configure the local address as the next hop when advertising routing information peer group name next hop local Remove t...

Page 499: ...address as path acl acl number import Remove incoming policy configuration undo peer group name peer address as path acl acl number import Configure routing policy for outgoing packets peer group name...

Page 500: ...the Routing Protocol part Importing IGP Routing Information into MBGP MBGP can advertise intra area network information to other ASs To this end you can use MBGP to advertise the intra area network in...

Page 501: ...uses OSPF Switch A is AS100 and serves as the MBGP neighbor of Switch B and Switch C in AS200 Switch B and Switch C run IBGP for Switch D in AS200 Switch D is also in AS200 Table 496 Display and debu...

Page 502: ...quit SwitchA vlan 30 SwitchA vlan30 port ethernet1 1 3 SwitchA vlan30 quit SwitchA interface vlan interface 30 SwitchA Vlan interface30 ip address 193 1 1 1 255 255 255 0 SwitchA Vlan interface30 qui...

Page 503: ...itch B 192 1 1 2 SwitchA bgp 100 SwitchA bgp ipv4 family multicast SwitchA bgp af mul peer a2 route policy set_med_50 export SwitchA bgp af mul peer a1 route policy set_med_100 export Configure Switch...

Page 504: ...quit SwitchC bgp 200 SwitchC bgp undo synchronization SwitchC bgp group c1 external SwitchC bgp peer 193 1 1 1 group c1 as number 100 SwitchC bgp group c2 internal SwitchC bgp peer 194 1 1 2 group c2...

Page 505: ...50 quit SwitchD interface vlan interface 50 SwitchD Vlan interface50 ip address 195 1 1 1 255 255 255 0 SwitchD Vlan interface50 quit SwitchD ospf SwitchD ospf 1 area 0 SwitchD ospf 1 area 0 0 0 0 net...

Page 506: ...506 CHAPTER 46 MBGP MULTICAST EXTENSION CONFIGURATION...

Page 507: ...IPX And it allows a device to make forwarding decision based on the labels attached to the received packets without going through the complex routing table lookup procedures with IP MPLS brings toget...

Page 508: ...TTL in IP packet Label operations 1 Label mapping There are two types of label mapping label mapping at ingress routers and label mapping in MPLS domain The first type of mapping is implemented at Ing...

Page 509: ...l distribution mode To distribute labels to its peer the LSR can use Label Distribution Protocol LDP messages or make the labels carried on other routing protocol messages n Upstream and downstream ar...

Page 510: ...protocol in MPLS which controls binding labels and FECs between LSRs and coordinates a series of procedures between LSRs MPLS Architecture MPLS Network Structure The basic composing unit of MPLS netwo...

Page 511: ...general network layer forwarding and increases the forwarding speed Establishing LSP Actually the establishment of LSP refers to the process of binding FEC with the label and then advertising this bin...

Page 512: ...its downstream LSR Usually the upstream LSR selects the downstream LSR according to the information in its routing table In Figure 123 LSRs on the way along LSP1 use the sequential label control mode...

Page 513: ...ket may carry multiple labels which are in the form of stack Operations to the stack follow the last in first out principle and it is always the labels at the top of the stack that decide how to forwa...

Page 514: ...ere are obvious advantages to implement VPN by MPLS MPLS VPN connects the geographically different branches of private network by using LSP forming a united network MPLS VPN also supports the intercon...

Page 515: ...ting LSP or explicit route you can configure according to the methods in configuration list For some complicated functions configuration combination may be required MPLS Configuration The following se...

Page 516: ...ID Operation Command Define LSR ID mpls lsr id ip address Delete LSR ID undo mpls lsr id Table 498 Enter MPLS view Operation Command Enable MPLS globally and enter MPLS view system view Enable MPLS on...

Page 517: ...configuration in the system view Cancel the configuration of the advertisement of local distribution labels undo mpls ldp label advertise fec ip prefix all Table 501 Configure the advertisement of loc...

Page 518: ...re not directly connected with it at the link layer Enter Remote peer view Perform the following configuration in the system view There is no default remote peer Configuring an address for the Remote...

Page 519: ...onfigure Remote session hold time in Remote peer view By default targeted session hold holdtime is 60 seconds and the interval is 24 seconds targeted hello holdtime is 45 seconds and the interval is 1...

Page 520: ...responding router checks if its ID is contained in this record If not the router adds its ID into the record and if yes it indicates that a loop presents and the process for establishing LSP is termin...

Page 521: ...previously you can execute the display command in any view to view the running state of a single or all the static LSPs and thus to evaluate the effect of the configurations Displaying the MPLS statis...

Page 522: ...ration in system view Table 515 Display statistics information of static LSP Operation Command Displaying the MPLS statistics information or LSP information of all ports or a single VLAN interface dis...

Page 523: ...trap enable lsp Table 519 Enable the trap function of MPLS Operation Command Table 520 Display LDP Operation Command Display LDP information display mpls ldp Display buffer information for LDP displa...

Page 524: ...vlan201 quit SW8800 interface Vlan interface 201 3Com Vlan interface201 ip address 168 1 1 1 255 255 0 0 3Com Vlan interface201 mpls 3Com Vlan interface201 mpls ldp enable 3Com Vlan interface201 mpls...

Page 525: ...203 mpls ldp enable 3Com Vlan interface203 mpls ldp transport ip interface Configure IP address and enable MPLS and LDP for VLAN interface 202 SW8800 vlan 202 3Com vlan202 port gigabitethernet 2 1 2 3...

Page 526: ...d LDP for VLAN interface 203 SW8800 vlan 203 3Com vlan203 port gigabitethernet 2 1 3 3Com vlan203 quit SW8800 interface vlan interface 203 3Com Vlan interface203 ip address 172 17 1 2 255 255 0 0 3Com...

Page 527: ...leshooting MPLS Configuration 527 Solution The default address for session transfer is MPLS LSR ID The local machine should issue the LSR ID route often the Loopback address and lean the peer LSR ID r...

Page 528: ...528 CHAPTER 48 MPLS BASIC CAPABILITY CONFIGURATION...

Page 529: ...services easily and enable their networks to meet the expansibility and manageability requirement for VPN The VPN constructed by using MPLS also provides the possibility for the implementation of val...

Page 530: ...t only increase the network operating cost but also bring relevant management and security issues The nested VPN is a better solution Its main idea is to transfer VPNv4 route between PE and CE of comm...

Page 531: ...tion RD route filtering policy member interface list and so on It includes the VPN membership and routing rules of this site PE is responsible for updating and maintaining the relationship between VPN...

Page 532: ...mmended that the same RD be configured for all routes from the same user site VPN Target attribute VPN Target attribute is one of the MBGP extension community attributes and is used to limit VPN routi...

Page 533: ...nd learns the CE routing information learned at the egress PE router The internal connectivity among the VPN internal nodes is ensured through enabling IGP for example RIP and OSPF or configuring stat...

Page 534: ...he MPLS forwarding table according to the interior layer label and destination address to determine the egress interface for labeling operation and the packet It then extracts the interior layer label...

Page 535: ...the network as they primarily function to access the VPN clients at the edges Congruous with the IP network model HoVPN model improves the scalability of BGP MPLS VPN and hence allows lower layer MPLS...

Page 536: ...processes which can be bound to different VPN instances In practice you can create one OSPF instance for each service type OSPF multi instance can fully isolate different services in transmission whi...

Page 537: ...rface to access multiple VPNs BGP MPLS VPN Configuration Configuring Various Kinds of Routers Implementing BGP MPLS VPN functions requires the following procedures in general Configure basic informati...

Page 538: ...er side device only basic configuration is required on a CE router for routing information exchange with PE router Currently route switching modes available include static route RIP OSPF EBGP and so o...

Page 539: ...des configuring MPLS LSR ID enable MPLS globally and enable MPLS in the corresponding VLAN interface view Refer to Chapter 2 MPLS Basic Capacity Configuration for details Defining BGP MPLS VPN site 1...

Page 540: ...PN routing information The following is the advertisement controlling process of VPN routing information When BGP is imported into a VPN route learned at CE it associates a VPN target extension commun...

Page 541: ...ffect the existing routing table To make the new configuration take effect immediately you should rebuild the corresponding routing protocol or perform shutdown undo shutdown operation on the correspo...

Page 542: ...er you cancel card configuration if the VLAN configured on a port exceeds 1K which is the default value the configuration will be deleted automatically In aggregation mode VPN range configuration will...

Page 543: ...gure a static route pointing to CE on PE for it to learn VPN routing information from CE Perform the following configuration in the system view Disable the 4K vpn range for the interface undo port vpn...

Page 544: ...VPN instance address family view BGP routes should also be imported into OSPF Here only introduces OSPF multi instance configuration in detail First step Configure OSPF process Perform the following...

Page 545: ...and then its default tag value is 3489661028 in decimal notation This value is an integer ranging from 0 to 4294967295 Step 4 Configure Sham link optional Sham links are required between two PEs when...

Page 546: ...e Perform the following configuration in VPN instance address family view Step 3 Activate peer group By default BGP neighbor is active while MBGP neighbor is inactive You should activate MBGP neighbor...

Page 547: ...specify the AS number of neighbor for the rest configuration you can keep the system default values In the case of standard BGP BGP tests routing loop via AS number to avoid generating routing loop In...

Page 548: ...ed fails you can perform the following configuration to permit BGP session over any interface through which TCP connection with the peer can be set up The command here is usually executed together wit...

Page 549: ...ly keyword is required for configuring EBGP and alliance but not for configuring IBGP Step 5 Advertise default route to the peer group Table 547 Configure VPNv4 address family Operation Command Enter...

Page 550: ...utes See OSPF part in Routing Protocol for details Displaying and Debugging BGP MPLS VPN Displaying VPN address information from BGP table After the above configuration execute display command in any...

Page 551: ...ble associated with VPN instance display ip routing table vpn instance vpn instance name ip address verbose statistics Table 555 Display VPN instance related information Operation Command Display the...

Page 552: ...t 2 1 1 CE1 vlan 201 CE1 vlan201 port gigabitethernet 2 1 1 AS 65430 AS 65410 AS 65430 AS 65440 VPN B CE4 PE1 RD 100 1 P VPN A CE3 VLAN201 168 3 1 1 16 168 3 1 2 16 AS 65420 VPN B CE2 VPN A CE1 VLAN20...

Page 553: ...f vpn instance import route direct PE1 bgp af vpn instance group 168 external PE1 bgp af vpn instance peer 168 1 1 1 group 168 as number 65410 PE1 bgp af vpn instance quit PE1 bgp quit Bind the VLAN i...

Page 554: ...t up MP IBGP adjacency between PEs to exchange inter PE VPN routing information and activate MP IBGP peer in VPNv4 sub address family view PE1 bgp 100 PE1 bgp group 202 internal PE1 bgp peer 202 100 1...

Page 555: ...tion P ospf P ospf 1 area 0 P ospf 1 area 0 0 0 0 network 172 1 1 0 0 0 255 255 P ospf 1 area 0 0 0 0 network 172 2 1 0 0 0 255 255 P ospf 1 area 0 0 0 0 network 172 3 1 0 0 0 255 255 P ospf 1 area 0...

Page 556: ...100 1 3 PE3 mpls PE3 mpls quit PE3 mpls ldp PE3 vlan 201 PE3 vlan201 interface gigabitethernet 2 1 1 PE3 vlan201 quit PE3 interface Vlan interface 201 PE3 Vlan interface201 ip address 172 3 1 1 255 25...

Page 557: ...different cities by configuring different VPN target attributes at different PEs Network diagram Figure 135 Network diagram for Extranet PC CE B PC PC CE C PC PC CE A PC PC PC CE B PC PC CE C PC PC C...

Page 558: ...e group 172 external PE A bgp af vpn instance peer 172 15 1 1 group 172 as number 65011 PE A bgp af vpn instance quit PE A bgp quit Bind VPN instance1 with the interface of VLAN301 which connects CE A...

Page 559: ...external PE C bgp af vpn instance peer 172 16 1 1 group 172 as number 65012 PE C bgp af vpn instance quit PE C bgp quit Bind VPN instance2 with the interface of VLAN301 which connects CE C PE C vlan 3...

Page 560: ...instance3 PE B bgp af vpn instance import route direct PE B bgp af vpn instance import route static PE B bgp af vpn instance group 172 external PE B bgp af vpn instance peer 172 17 1 1 group 172 as nu...

Page 561: ...jacency between PE1 and PE2 or PE1 and PE3 but not between PE2 and PE3 that is VPN routing information cannot be exchanged between PE2 and PE3 Create two VPN instances on PE1 import VPN routes of VPN...

Page 562: ...routes learned into MBGP VPN instance address family with one routing loop permitted PE1 bgp 100 PE1 bgp ipv4 family vpn instance vpn instance2 PE1 bgp af vpn instance import route static PE1 bgp af v...

Page 563: ...lan interface202 quit Configure Loopback interface PE1 interface loopback 0 PE1 LoopBack0 ip address 11 1 1 1 255 255 255 255 PE1 LoopBack0 quit Set up MP IBGP adjacency between PEs to exchange inter...

Page 564: ...oopback 0 PE2 LoopBack0 ip address 22 1 1 1 255 255 255 255 PE2 LoopBack0 quit Set up MP IBGP adjacency between PE2 and PE1 to exchange inter PE VPN routing information and activate MP IBGP peer in VP...

Page 565: ...LoopBack0 quit Set up MP IBGP adjacency between PE3 and PE1 to exchange inter PE VPN routing information and activate MP IBGP peer in VPNv4 sub address family view PE3 bgp 100 PE3 bgp group 11 PE3 bgp...

Page 566: ...f vpn instance import route direct PE1 bgp af vpn instance import route static AS 100 CE1 PE1 CE2 PE2 PE3 Loopback0 1 1 1 1 32 Loopback0 2 2 2 2 32 Loopback0 3 3 3 3 32 VLAN211 172 11 11 2 24 VLAN211...

Page 567: ...face211 ip binding vpn instance vpn instance1 1 PE1 Vlan interface211 ip address 172 11 11 1 255 255 255 0 PE1 Vlan interface211 quit PE1 vlan 212 PE1 vlan212 port gigabitethernet 2 1 2 PE1 vlan212 qu...

Page 568: ...E1 bgp group 2 PE1 bgp peer 2 2 2 2 group 2 PE1 bgp peer 2 2 2 2 connect interface loopback 0 PE1 bgp group 3 PE1 bgp peer 3 3 3 3 group 3 PE1 bgp peer 3 3 3 3 connect interface loopback 0 PE1 bgp ipv...

Page 569: ...PE2 Vlan interface212 ip binding vpn instance vpn instance2 1 PE2 Vlan interface212 ip address 172 12 12 1 255 255 255 0 PE2 Vlan interface212 quit PE2 vlan 211 PE2 vlan211 port gigabitethernet 2 1 1...

Page 570: ...CE4 to VPN instance 3 2 PE3 vlan 311 PE3 vlan311 port gigabitethernet 3 1 1 PE3 vlan311 quit PE3 interface Vlan interface 311 PE3 Vlan interface311 ip binding vpn instance vpn instance3 1 PE3 Vlan int...

Page 571: ...PC2 CE4 PC4 CE3 172 21 21 2 24 PC3 192 168 11 10 192 168 21 10 192 168 12 10 192 168 22 10 P1 3 3 3 3 32 VLAN201 PE2 2 2 2 2 32 10 1 1 2 24 20 1 1 1 24 AS 100 CE1 CE2 172 12 12 2 24 PC1 PC2 CE4 PC4 CE...

Page 572: ...ce group 172 11 external PE1 bgp af vpn instance peer 172 11 11 2 group 172 11 as number 65011 PE1 bgp af vpn quit PE1 bgp ipv4 family vpn instance vpnb PE1 bgp af vpn instance import route direct PE1...

Page 573: ...Vlan interface203 ip address 172 12 12 1 255 255 255 0 PE2 Vlan interface203 quit PE2 interface Vlan interface 204 PE2 Vlan interface204 ip binding vpn instance vpnb PE2 Vlan interface204 ip address...

Page 574: ...Vlan interface 206 P1 Vlan interface206 mpls P1 Vlan interface206 mpls ldp enable P1 Vlan interface206 ip address 98 98 98 1 255 255 255 0 P1 Vlan interface206 quit Configure IBGP neighbors and EBGP...

Page 575: ...one AS 100 168 1 1 1 16 Loopback0 202 100 1 2 32 172 1 1 2 16 192 1 1 1 24 Loopback0 202 100 1 1 32 172 1 1 1 16 Loopback0 202 200 1 1 32 162 1 1 1 16 162 1 1 2 16 Loopback0 200 200 1 2 32 168 2 2 1 1...

Page 576: ...0 PE2 ospf 1 area 0 0 0 0 network 162 1 0 0 0 0 255 255 PE2 ospf 1 area 0 0 0 0 network 202 200 1 2 0 0 0 0 PE2 ospf 1 area 0 0 0 0 quit PE2 ospf 1 quit Configure ASBR PE2 ASBR PE2 interface loopback...

Page 577: ...Vlan interface210 quit Configure basic MPLS capability on ASBR PE2 enable LDP on the interface connected to PE2 and enable MPLS on the interface connected to ASBR PE1 ASBR PE2 mpls lsr id 162 1 1 1 AS...

Page 578: ...nce vpna PE2 vpn instance route distinguisher 200 2 PE2 vpn instance vpn target 100 1 both PE2 vpn instance quit PE2 vlan 510 PE2 interface vlan 510 PE2 Vlan interface510 ip binding vpn instance vpna...

Page 579: ...Configure ASBR PE1 configure the route policy ASBR PE1 acl number 2001 ASBR PE1 acl basic 2001 rule permit source 202 100 1 2 0 ASBR PE1 acl basic 2001 rule deny source any ASBR PE1 acl basic 2001 qu...

Page 580: ...nv4 PE2 bgp af vpn peer 30 enable PE2 bgp af vpn peer 202 100 1 2 group 30 PE2 bgp af vpn quit PE2 bgp quit Configure ASBR PE2 configure the route policy ASBR PE2 acl number 2001 ASBR PE2 acl basic 20...

Page 581: ...S VPN at the city level UPE acts as a PE on the network at the city level and provide access service for the VPN clients which are normally low end routers Network diagram Figure 140 Network diagram f...

Page 582: ...255 255 SPE LoopBack 0 quit Configure BGP SPE bgp 100 SPE import direct SPE bgp group 1 internal SPE bgp peer 1 0 0 1 group 1 SPE bgp peer 1 connect interface LoopBack0 SPE bgp ipv4 family vpn instan...

Page 583: ...0 2 group 1 UPE bgp ipv4 family vpn instance vpn1 UPE bgp af vpn instance import direct UPE bgp ipv4 family vpnv4 UPE bgp af vpn peer 1 enable UPE bgp af vpn peer 1 0 0 2 group 1 Configure OSPF UPE os...

Page 584: ...nterface201 ip address 10 1 1 2 255 255 255 0 CE1 10 10 10 10 CE2 20 20 20 20 12 1 1 0 24 PE1 PE3 3 3 3 3 PE2 2 2 2 2 VLAN201 10 1 1 1 24 168 1 1 0 24 20 2 1 0 24 VLAN202 12 1 1 1 24 MPLS VPN Backbone...

Page 585: ...l PE1 bgp peer 50 1 1 2 group fc PE1 bgp peer 50 1 1 2 connect interface LoopBack1 PE1 bgp peer 50 1 1 3 group fc Configure BGP and import OSPF routing and direct connect route PE1 bgp ipv4 family vpn...

Page 586: ...an interface203 mpls PE2 Vlan interface203 mpls ldp enable PE2 Vlan interface203 quit PE2 vlan 201 PE2 vlan201 port gigabitethernet 2 1 1 PE2 vlan201 quit PE2 interface Vlan interface 201 PE2 Vlan int...

Page 587: ...group fc Configure OSPF and import BGP and direct connect route PE2 ospf 100 router id 2 2 2 2 vpn instance vpn1 PE2 ospf 100 import route bgp PE2 ospf 100 import route static PE2 ospf 100 area 0 0 0...

Page 588: ...lan interface202 quit CE2 vlan 201 CE2 vlan201 port gigabitethernet 2 1 1 CE2 vlan201 quit CE2 interface Vlan interface 201 CE2 Vlan interface201 ip address 20 1 1 1 255 255 255 0 CE2 Vlan interface20...

Page 589: ...ov_pe2 4 4 4 4 VLAN 110 10 1 1 1 8 10 1 1 2 8 VLAN 210 18 1 1 1 8 VLAN 210 18 1 1 2 8 AS100 VLAN 310 1 1 1 2 8 VLAN 310 1 1 1 1 8 VLAN 510 15 1 1 2 8 VLAN 510 15 1 1 1 8 VLAN 410 2 1 1 2 8 VLAN 410 2...

Page 590: ...mpls ldp prov_pe2 Vlan interface110 quit Configure IBGP between provider PEs Configure prov_pe1 prov_pe1 bgp 100 prov_pe1 bgp group ibgp internal prov_pe1 bgp peer 4 4 4 4 group ibgp prov_pe1 bgp peer...

Page 591: ...t Configure prov_pe2 prov_pe2 ip vpn instance customer_vpn prov_pe2 vpn instance route distinguisher 3 3 prov_pe2 vpn instance vpn target 3 3 prov_pe2 vpn instance quit prov_pe2 interface vlan 410 pro...

Page 592: ...external prov_pe1 bgp af vpn instance peer 18 1 1 2 group ebgp as number 50003 Configure prov_pe2 to access the corresponding Customer PE prov_pe2 route policy com2 permit node 10 prov_pe2 route polic...

Page 593: ...n instance vpn1 cust_pe2 vpn instance route distinguisher 1 1 cust_pe2 vpn instance vpn target 1 1 cust_pe2 interface vlan 610 cust_pe2 Vlan interface610 ip binding vpn instance vpn1 cust_pe2 Vlan int...

Page 594: ...binding vpn instance vpn1 CE Vlan interface201 ip address 10 1 1 2 255 255 255 0 Configure VLAN202 CE vlan 202 CE vlan202 port gigabitethernet 2 1 2 CE vlan202 quit CE interface Vlan interface 202 CE...

Page 595: ...rnet3 1 0 20 2 1 2 24 Ethernet1 1 0 20 2 1 1 24 AS100 AS65420 AS65410 AS65430 Ethernet1 1 0 Ethernet1 1 0 PC2 172 16 0 1 16 192 168 1 1 24 192 168 1 2 24 Ethernet2 1 0 20 1 1 2 24 Ethernet2 1 0 172 16...

Page 596: ...ea 0 PE2 ospf 1 area 0 0 0 0 network 192 168 1 0 0 0 0 255 PE2 ospf 1 area 0 0 0 0 network 2 2 2 9 0 0 0 0 PE2 ospf 1 area 0 0 0 0 quit PE2 ospf 1 quit 2 Configure basic MPLS capability and create VPN...

Page 597: ...eate a VPN instance for VPN1 on PE2 and bind the address of the interface of VLAN210 to VPN1 PE2 ip vpn instance vpn1 PE2 vpn vpn1 route distinguisher 300 1 PE2 vpn vpn1 vpn target 100 1 both PE2 vpn...

Page 598: ...l PE1 bgp af vpn instance peer 20 2 1 1 group 20 as number 65410 PE1 bgp af vpn instance quit PE1 bgp ipv4 family vpn instance vpn2 PE1 bgp af vpn instance import route direct PE1 bgp af vpn instance...

Page 599: ...t Check from the hub PE that whether the routing information between two VPN instances can be learnt by each other if not perform the following operation check if the EBGP protocol runs between hub PE...

Page 600: ...correct using the display current configuration bgp command confirm that you have specified the local loopback interface as the interface to create adjacent interface with the peer end by using the pe...

Page 601: ...or the information on the processing of MPLS VPN through VPLS Application Modules Card intermixing does not support using XP4B and other interface cards on which ACL redirection is configured under th...

Page 602: ...port of the MPLS card is Looped back automatically becomes a Loopback port after it is configured for redirection and you cannot perform other configurations on the port Therefore make sure that the d...

Page 603: ...ls The Switch should be configured with some basic routing configurations so that it can exchange public network routing information with other P devices and PE devices The routing protocols available...

Page 604: ...ed VLAN through matching them with a Layer 2 rule so that the specified VLAN packets can pass Table 561 Configure flow template and ACL rules of L3VPN Operation Command Description Enter system view s...

Page 605: ...o the VPLS card There are two kinds of redirection services VPLS related redirection services The key word join vlan must be specified and the system will add the current port into destination vlan af...

Page 606: ...es So that the VPN user routes of CE1 are imported into BGP routes and then advertised to PE1 CE1 system view CE1 vlan 211 CE1 interface vlan interface 211 CE1 vlan interface211 ip address 10 10 10 10...

Page 607: ...ecting PE1 and P router and the Loopback interface PE1 ospf 1 route id 1 1 1 1 PE1 ospf 1 area 0 PE1 ospf 1 area 0 0 0 0 network 196 168 1 0 0 0 0 255 PE1 ospf 1 area 0 0 0 0 network 1 1 1 1 0 0 0 0 P...

Page 608: ...nnecting PE1 and CE1 PE1 interface vlan interface 10 PE1 vlan interface10 ip binding vpn instance vpna PE1 vlan interface10 ip address 10 10 10 1 255 255 255 0 PE1 vlan interface10 quit Establish EBGP...

Page 609: ...pf 1 area 0 0 0 0 network 196 168 1 0 0 0 0 255 P ospf 1 area 0 0 0 0 network 196 168 2 0 0 0 0 255 P ospf 1 area 0 0 0 0 network 3 3 3 3 0 0 0 0 4 Configure PE2 Configure global MPLS PE2 mpls lsr id...

Page 610: ...e 10 PE2 vlan interface10 quit Configure redirection on the port PE2 interface Ethernet 3 1 1 PE2 Ethernet3 1 1 port link type trunk PE2 Ethernet3 1 1 flow template user defined PE2 Ethernet3 1 1 traf...

Page 611: ...MPLS cards do not support related MPLS functions Configuration restrictions If related MPLS service is configured the service cannot work normally Exclusively MPLS Cards Introduction to networking MP...

Page 612: ...and BGP MPLS VPN to the same VLAN Combination of One VPLS Card and Multiple non MPLS Cards Introduction to networking A VPLS card supports VPLS However a VPLS card does not have egress interfaces so a...

Page 613: ...ablishes Layer 2 connections rather than imports and manages the routing information This eases work load of PE provider edge devices and the entire SP service provider network remarkably and thus ena...

Page 614: ...E and then mark them with tunnel labels On receiving these packets the remote PEs strip off the tunnel labels and send the packets to the corresponding CEs according to their VC labels Table 565 illus...

Page 615: ...the features and implementation ways of the above three types of MPLS L2VPNs Table 563 Features and implementation ways of the three types of MPLS L2VPNs VPN type Implementation Feature CCC Configures...

Page 616: ...l CE ID and the remote CE ID on the PE and specify the Circuit ID assigned for the connection by the local CE Table 563 Features and implementation ways of the three types of MPLS L2VPNs VPN type Impl...

Page 617: ...work requirements CEs and the corresponding PEs shown in Figure 149 are interconnected through their GigabitEthernet ports Data is encapsulated as Ethernet packets at the data link layer A local conne...

Page 618: ...itethernet 2 1 3 PE_A vlan213 interface vlan interface 213 PE_A Vlan interface213 quit Enable MPLS on the interface of VLAN 214 PE_A vlan 214 PE_A vlan214 port gigabitethernet 2 1 4 PE_A vlan214 quit...

Page 619: ...terface 212 transmit lsp PEA PEB receive lsp PEB PEA 2 Configure PE B Enable MPLS globally PE_B mpls lsr id 10 0 0 1 PE_B mpls Enable MPLS L2VPN globally PE_B mpls l2vpn Configure VLAN 211 PE_B vlan 2...

Page 620: ...ress interface being the interface of VLAN 212 PE_P mpls static lsp transit PEA PEB l2vpn incoming interface vlan interface 214 in label 100 nexthop 6 6 6 1 out label 101 Configure a static LSP with t...

Page 621: ...lsr id Required Enable MPLS mpls Required Quit to system view quit Configure the LDP remote peer mpls ldp remote peer index Required Before configuring the connection you need to enable LDP on each ro...

Page 622: ...ddress 168 1 1 1 255 255 0 0 PE A Vlan interface21 mpls PE A Vlan interface21 mpls ldp enable Configure an IP address for the Loopback interface which is used as the Router ID PE A interface loopback...

Page 623: ...rface vlan interface 212 PE B Vlan interface212 quit Configure an IP address for the Loopback interface which is used as the LSR ID PE B interface loopback 0 PE B LoopBack0 ip address 192 1 1 2 255 25...

Page 624: ...n interface22 mpls ldp enable PE P Vlan interface22 ip address 169 1 1 2 255 255 0 0 Enable OSPF PE P ospf 1 PE P ospf 1 area 0 0 0 0 PE P ospf 1 area 0 0 0 0 network 168 1 0 0 0 0 255 255 PE P ospf 1...

Page 625: ...ess family view l2vpn family Required Activate the peer or peer group peer group name peer address enable Required By default only the peers of BGP IPv4 unicast address families are active The peer gr...

Page 626: ...e only way to modify a configured RD is to remove the corresponding MPLS L2VPN and create another one As for L2VPN it is recommended that you assign a unique RD for each VPN Configure the VPN target o...

Page 627: ...pls ldp Configure an IP address for the Loopback interface PE A interface loopback 0 PE A LoopBack0 ip address 1 1 1 1 32 Enable MPLS L2VPN globally PE A mpls l2vpn Configure VLAN 212 PE A vlan 212 PE...

Page 628: ...mpls l2vpn vpn1 ce1 quit Enable OSPF PE A ospf 1 router id 1 1 1 1 PE A ospf 1 area 0 0 0 0 PE A ospf 1 area 0 0 0 0 network 1 1 1 1 0 0 0 0 PE A ospf 1 area 0 0 0 0 network 5 5 5 0 0 0 0 255 2 Config...

Page 629: ...pn1 ce ce2 id 2 range 200 PE B mpls l2vpn vpn1 ce2 connection ce offset 1 interface vlan interface 212 PE B mpls l2vpn vpn1 ce2 quit Enable OSPF PE B ospf 1 router id 3 3 3 3 PE B ospf 1 area 0 0 0 0...

Page 630: ...ing the peer of a Kompella MPLS L2VPN connection The Connection is down and the VPN value is null Solution VPN value being null indicates the VPN is configured incorrectly Make sure the VPN configurat...

Page 631: ...on fails if the encapsulation types configured on the two ends are not the same Symptom 4 Fail to ping the peer end of a CCC MPLS L2VPN connection The sending and receiving channels are up so does the...

Page 632: ...632 CHAPTER 51 MPLS VLL...

Page 633: ...orking VPLS provides the operators using point to point L2VPN with a better solution In addition unlike L3VPN VPLS does not participate in user s internal routing Now operators need only manage and op...

Page 634: ...ite 1 PE2 PE3 PE1 PE4 VPN 1 Site 1 CE1 CE2 CE3 CE4 CE5 CE6 VPN 2 Site 2 VPN 1 Site 2 VPN 1 Site 3 VPN 2 Site 1 PE2 PE3 PE1 PE4 MPLS VPN 1 Site 1 CE1 CE2 CE3 CE4 CE5 CE6 VPN 2 Site 2 VPN 1 Site 2 VPN 1...

Page 635: ...either a MPLS edge network connected by LSP or a simple Ethernet network for VLAN VPN user access VPLS Operational Principle VPLS Basic Transmission Components As shown in the following figure the who...

Page 636: ...ablished by PW signaling protocol and carried on LSP For a VPLS system a PW is just like a directly connected path between local and peer ACs through which user s layer 2 data are transmitted transpar...

Page 637: ...blic network labels have already been popped out on P device through PHP PE2 forwarder chooses an AC to forward layer 2 packets from CE3 to CE1 Concepts Related to VPLS MPLS L2VPN An MPLS L2VPN is a V...

Page 638: ...ure a VPLS instance vsi vsi name static Required static is required for configuring a VSI Configure an IP address of a peer PE peer peer ip vc id vc id upe dual npe encapsulation ethernet vlan Require...

Page 639: ...ion Entering the remote peer mode Perform the following configuration in system view By default no remote peer exists Configuring an address for the remote peer You can specify any LDP enabled interfa...

Page 640: ...iew Configuring an IP address of a peer PE Use the peer command to create a VPLS peer PE contained in an instance When you create a VPLS peer PE you must specify an IP address and peer type for the pe...

Page 641: ...AUTION If any of GVRP STP and 802 1x protocols is enabled on a port you cannot enable VLAN VPN on the port If IGMP Snooping is enabled in the VLAN to which the port belongs or if IGMP is enabled on th...

Page 642: ...rotocol STP or 802 1x protocol is enabled on a port VLAN VPN on this port is not allowed to enable If IGMP Snooping is enabled in the VLAN to which the port belongs or if IGMP is enabled on the VLAN i...

Page 643: ...ined slot slotnum template info Define user flow template in port view flow template user defined Remove flow template undo flow template user defined Table 582 Configure ACL rules Operation Command E...

Page 644: ...e bandwidth command to configure the VPN rate limitation in the range of 64 kbps to 4 194 303 kbps with the increment of 64 After the configuration the system automatically takes the biggest number th...

Page 645: ...rform the following configuration in VSI view By default MTU is 1 500 Bytes Configuring CoS Use the command to map user priority 802 1Q COS to PSN COS PSN Public Switching Network COS Class Of Service...

Page 646: ...ment basic VPLS service Table 589 Configure other VPLS characteristics Operation Command Define remove a description of this VPLS instance description text undo description Disable enable the VPN serv...

Page 647: ...LAN 100 E6 1 48 VLAN 10 g4 1 1 VLAN 10 g4 1 1 10 10 10 10 24 10 10 10 11 24 VLAN 10 G4 1 1 VLAN 10 G4 1 1 10 10 10 10 24 10 10 10 11 24 PE2 CE2 VPN1 CE1 VPN1 PE1 VLAN 100 E6 1 48 5 6 7 8 1 2 3 4 VLAN...

Page 648: ...packets with VPLS labels PE1 flow template user defined slot 4 ethernet protocol vlanid PE1 acl number 4000 PE1 acl link 4000 rule 0 permit mpls l2label range ingress any egress any PE1 acl link 4000...

Page 649: ...N add a port to it configure the IP address for the interface Then enable MPLS and MPLS LDP on the interface PE2 vlan 10 PE2 vlan10 port GigabitEthernet 4 1 1 PE2 vlan10 interface vlan 10 PE2 vlan int...

Page 650: ...ice processor card and specify the VLAN ID of the redirect flow PE2 interface GigabitEthernet4 1 1 PE2 GigabitEthernet4 1 1 flow template user defined PE2 GigabitEthernet4 1 1 traffic redirect inbound...

Page 651: ...ice processor card is in Normal state Symptom 2 Packets cannot be forwarded Solution The service processor card is not in place use the display device command to verify that the service processor card...

Page 652: ...652 CHAPTER 52 VPLS CONFIGURATION...

Page 653: ...n between the host and the external network If Switch is down all the hosts on this segment taking Switch as the next hop on the default route will be disconnected from the external network Figure 156...

Page 654: ...er switch in the virtual group breaks down another Backup switch will function as the new Master switch to continue serving the host with routing to avoid interrupting the communication between the ho...

Page 655: ...es whether to check TTL value of VRRP packet on the Backup switch The TTL value must be 225 If the Backup switch find TTL is not 225 when receiving VRRP packet the packet will be discarded Perform the...

Page 656: ...the switch in the virtual router it can also be configured as virtual address In this case the switch will be called an IP Address Owner When adding the first IP address to a virtual router the syste...

Page 657: ...r switch punctually it will become the Master switch However the failure of Backup to receive the packets may be due to network congestion instead of the malfunction of the Master switch In this case...

Page 658: ...er Timer The Master switch advertises its normal operation state to the switches within the VRRP virtual router by sending them VRRP packets regularly at adver interval And the backup switch only rece...

Page 659: ...will turn to Master switch so as to track this interface Perform the following configuration in VLAN interface view By default value reduced is taken 10 and value increased is taken 2 n When the swit...

Page 660: ...rtual router information includes virtual router ID1 virtual IP address 202 38 160 111 switch A as the Master and switch B as the Backup allowed preemption Display the configuration information of the...

Page 661: ...interface vlan 2 LSW_A vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 LSW_A vlan interface2 vrrp vrid 1 priority 110 LSW A vlan interface2 vrrp vrid 1 preempt mode Configure switch B Configure...

Page 662: ...ected with it does not function properly This can be implemented by configuration of tracking interface In simple language the virtual router ID is set as 1 with additional configurations of authoriza...

Page 663: ...s the gateway but when the interface vlan interface 3 of switch A is down its priority will be reduced by 30 lower than that of switch B so that switch B will preempt the Master for gateway services i...

Page 664: ...iority for the virtual router LSW_B vlan interface2 vrrp vrid 2 priority 110 n Multiple virtual routers are often used in actual network applications Troubleshooting VRRP As the configuration of VRRP...

Page 665: ...To solve such problems an attempt should be made to ping among the many Master switches and if such an attempt fails check the device connectivity If they can be pinged check the VRRP configuration F...

Page 666: ...666 CHAPTER 53 VRRP CONFIGURATION...

Page 667: ...master and slave modules The hot swap of master modules will cause master slave switchover Switch 8800 Family series support manual master slave switchover You can change the current module state man...

Page 668: ...8800 Family series support automatic synchronization The active system stores its configuration file and backup the configuration file to the slave system simultaneously when the master s configuratio...

Page 669: ...automatically Displaying and Debugging HA Configuration After the above configuration execute display command in relevant view to display the running of the ACL configuration and to verify the configu...

Page 670: ...the master to ensure the normal operation Configuration procedure Synchronize the configuration file manually SW8800 slave update configuration Display the switchover state SW8800 display switchover s...

Page 671: ...he IP address of Host A is IP_A and the IP address of Host B is IP_B Host A needs to transmit messages to Host B ARP implementation procedure is as follows Host A checks its own ARP mapping table firs...

Page 672: ...ally used in users requiring IP address and MAC address binding Its initial state is non resolution so it cannot forward data directly It can resolve VLANs and egresses dynamically through ARP packets...

Page 673: ...of flexible configuration the system provides the following commands to assign dynamic ARP aging period When the system learns a dynamic ARP entry its aging period is based on the current value confi...

Page 674: ...simultaneously the network device enables two ports in these two networks to communicate with each other on Layer 3 by forwarding ARP requests between the two networks even if the two ports are isola...

Page 675: ...gure the gratuitous ARP packet learning function Configuring ARP Packets Not to Broadcast in VLAN In order to disable the mutual access function for two devices in the same network segment you can man...

Page 676: ...begin include exclude text Display the current setting of the dynamic ARP aging timer display arp timer aging Display multicast ARP configuration information display arp multi port ip address Display...

Page 677: ...l remain unchanged if the short static ARP entry is resolved from an aggregated port it will be deducted from the number of non aggregated ARP entries and included into the number of aggregation ARP e...

Page 678: ...rt the system Otherwise the configuration above may fail to take effect After the ARP table size configuration do not perform active standby switchover before you restart the system Otherwise the conf...

Page 679: ...n slot 2 to 8K SW8800 arp max entry 2 8 The configuration won t be enable until the system is rebooted Configure the maximum number of aggregation ARP entries supported by each interface card in the s...

Page 680: ...680 CHAPTER 56 ARP TABLE SIZE CONFIGURATION...

Page 681: ...rver in turn returns corresponding configuration information such as IP addresses according to the policies configured for it A typical DHCP implementation comprises a DHCP server and multiple DHCP cl...

Page 682: ...ddress pool valid for the entire switch An address pool of this type is created using the dhcp server ip pool command in system view VLAN interface address pool valid for a specific VLAN interface An...

Page 683: ...t which enables the DHCP client to go through steps in the first round registration 3 Prolonging the lease time of IP address An IP address assigned dynamically is valid for a specified lease time and...

Page 684: ...ation parameter for subsequent operations Configuring General DHCP General DHCP configuration refers to those that are applicable to both DHCP server and DHCP relay The following sections describe the...

Page 685: ...ver assign IP addresses in global address pools to DHCP clients dhcp select global Specify to forward DHCP packets to local DHCP server and let the local server assign IP addresses in VLAN interface a...

Page 686: ...g NetBIOS node type for DHCP clients Configuring DHCP custom options Creating a Global DHCP IP Address Pool An IP address pool contains IP addresses that can be assigned to DHCP clients In response to...

Page 687: ...ocate the addresses in the range to DHCP clients The two modes cannot coexist in a global DHCP address pool but they can coexist in a VLAN interface address pool but those that are dynamically assigne...

Page 688: ...gn IP addresses dynamically that is IP addresses are leased permanently or temporarily you need to configure an available address range Perform the following configuration in DHCP address pool view By...

Page 689: ...can configure different lease times for different DHCP address pools But you can configure only one lease time for one DHCP address pool and all the address in the same pool will have the same lease...

Page 690: ...s pools of multiple VLAN interfaces to the default value undo dhcp server expired interface vlan interface vlan id to vlan interface vlan id all Table 630 Configure a DHCP client domain name for a glo...

Page 691: ...interface address pools If you execute the dhcp server dns list command multiple times the newly configured IP addresses overwrite the existing ones Table 633 Configure DNS server address for a globa...

Page 692: ...be established According to the ways they establish their mappings NetBIOS nodes fall into the following four types b node Nodes of this type establish their mappings by broadcasting b stands for broa...

Page 693: ...P address pool Perform the following configuration in DHCP address pool view Table 639 Configure a NetBIOS node type for a global DHCP address pool Operation Command Configure the NetBIOS node type fo...

Page 694: ...CP option configured for a global DHCP address pool undo option code Table 643 Configure custom DHCP options for current VLAN interface Operation Command Configure a custom DHCP option for DHCP addres...

Page 695: ...ckets Displaying and Debugging the DHCP Server After the above configuration you can execute the display command in any view to display operating information about the DHCP server to verify your confi...

Page 696: ...ddress pool pool name interface vlan interface vlan id all Display the statistics about the DHCP server display dhcp server statistics Display the information about the tree like structure of DHCP add...

Page 697: ...t interface Specify to assign IP addresses in global address pool to DHCP clients it is also the default configuration 3Com Vlan interface2 dhcp select global Or execute the following command to rever...

Page 698: ...P relay DHCP clients in a LAN can communicate with DHCP servers in other subnets to acquire IP addresses This enables DHCP clients of multiple networks to share a common DHCP server and thus enables y...

Page 699: ...ON The IP address of the intended DHCP server for the DHCP relay feature cannot be IP address of the VLAN interface corresponding to the DHCP relay Otherwise the system gives the information such as C...

Page 700: ...rms user address checking on the VLAN interface to prevent unauthorized binding request If you disable the DHCP security feature on a VLAN interface the switch does not perform user address checking o...

Page 701: ...terface Vlan interface 2 Assign an IP address to Vlan interface 2 3Com Vlan interface2 ip address 10 110 1 1 255 255 0 0 Specify to forward DHCP packets to a remote DHCP server 3Com Vlan interface2 dh...

Page 702: ...option 5 is the subitem of link selection which includes the IP address that the DHCP Relay adds With Option 82 the information about the addresses of the DHCP clients and the DHCP relay devices can...

Page 703: ...IP address that is in the same network segment with this address Option 82 Structure There is a field named options in the DHCP packets It can be null or contains at least one feature specific option...

Page 704: ...ion 1 and sub option 2 can be added while sub option 5 cannot be added currently In the normal mode sub option 1 is the layer 2 port number and VLAN ID of the received packet and sub option 2 is the M...

Page 705: ...nt to acquire an IP address directly from the DHCP server in the same network segment Both the processes have four phases discovery offer selection and acknowledgement For the details refer to the DHC...

Page 706: ...nfiguration Prerequisites Before enabling Option 82 support on DHCP relay you should configure The network parameters and the relay function on the DHCP relay The network parameters the parameters rel...

Page 707: ...Option 82 That is the DHCP relay replaces the original Option 82 in the packets with its own Option 82 Configure the mode of DHCP Relay option 82 dhcp relay information format normal verbose Optional...

Page 708: ...s the node identifier SW8800 interface vlan interface 100 3Com vlan interface 100 dhcp select relay 3Com vlan interface 100 ip relay address 202 38 1 2 3Com vlan interface 100 dhcp relay information e...

Page 709: ...s the related IP address of the domain name in its own database and sends it back to the switch If the domain name server judges that the domain name does not belong to the local domain it forwards th...

Page 710: ...directly and the system translates it into the IP address rather than the obscure IP address Perform the following configuration in system view Each host can have only one IP address If you configure...

Page 711: ...e buffer Execute the debugging command to debug the domain name resolution DNS Configuration Example Network requirements As the client the switch uses dynamic domain name resolution The IP address of...

Page 712: ...from 200 200 200 200 bytes 56 Sequence 4 ttl 128 time 2 ms Reply from 200 200 200 200 bytes 56 Sequence 5 ttl 128 time 2 ms ftp com ping statistics 5 packet s transmitted 5 packet s received 0 00 pack...

Page 713: ...ure of Netstream data Figure 168 The basic collection and analysis procedure of Netstream data The collection and analysis procedure of Netstream data is as follows 1 The switch regularly sends the co...

Page 714: ...al Enable the aggregation mode corresponding to the current aggregation view enable Optional Aggregation mode is not enabled by default Configure the destination host address and the UDP port number o...

Page 715: ...even aggregation modes of Netstream Aggregation mode Classification rules AS aggregation Source AS number destination AS number and outbound interface index Destination prefix aggregation Destination...

Page 716: ...ackets received on GigabitEthernet3 1 3 The NMM Application Module to implement the Netstream function is plugged in slot 5 of the switch Network diagram Figure 169 Diagram for 3Com Switch 8800 Family...

Page 717: ...tstream statistics packets Switch_A ip Netstream export source 12 110 2 10 Configure the export destination address and destination port number of the Netstream statistics packets Switch_A ip Netstrea...

Page 718: ...718 CHAPTER 59 NETSTREAM CONFIGURATION...

Page 719: ...received by the device is different from the original information the device updates the corresponding entry in the NDP neighbor information table If the neighbor information received by the device i...

Page 720: ...m periodically collects the NDP neighbor information about the adjacent node of the port With NDP disabled on the port the system cannot collect NDP information through the port Configuring the Aging...

Page 721: ...rmation ndp timer aging aging in secs By default the aging timer for NDP information is 180 seconds The aging timer for NDP information must be greater than or equal to the interval at which NDP packe...

Page 722: ...igure the aging timer for NDP information as 200 seconds 3Com Ethernet1 1 2 quit SW8800 ndp timer aging 200 Configure NDP packets to be sent every 70 seconds SW8800 ndp timer hello 70 2 Configure Swit...

Page 723: ...mean time through the signal lines 1 3 2 and 6 of the category 3 5 twisted pairs Using converters they can also supply power to the PDs that can be powered only through spare lines 4 5 7 and 8 The Swi...

Page 724: ...the port with a higher priority can supply power To ensure power supply to the last PD and provide redundant power to prevent a transient rise of module power consumption by default a buffer of 19 W...

Page 725: ...he compatibility of the PD connected to it 5 Configure the PoE power management for a module on the switch poe power management auto manual slot slot num Optional By default you manually manage PoE po...

Page 726: ...d with access point AP devices The IP phones connected to GigabitEthernet3 1 23 and GigabitEthernet3 1 24 do not need PoE GigabitEthernet3 1 48 is reserved for the use of network management so it need...

Page 727: ...guration till the port GigabitEthernet3 1 48 Enable PoE on the ports GigabitEthernet5 1 1 through GigabitEthernet5 1 48 3Com GigabitEthernet5 1 1 poe enable 3Com GigabitEthernet5 1 2 poe enable 3Com G...

Page 728: ...728 CHAPTER 61 POE CONFIGURATION...

Page 729: ...is less than the upper threshold For 220 VAC input it is recommended to set the upper threshold to 264 V and the lower threshold to 181 V For 110 VAC input it is recommended to set the upper threshol...

Page 730: ...ds Configuration Example Network requirements Set the overvoltage alarm threshold of DC output for the PoE PSUs to 57 0 V Set the undervoltage alarm threshold of DC output for the PoE PSUs to 45 0 V C...

Page 731: ...s For details about display output refer to the Command Manual PoE PSU Supervision Configuration Example Network requirements Insert a PoE capable card into slot 3 of the Switch 8800 Family series rou...

Page 732: ...AC input for PoE PSUs to 264 0 V SW8800 poe power input thresh upper 264 0 Set the undervoltage alarm threshold of AC input for PoE PSUs to 181 0 V SW8800 poe power input thresh lower 181 0 Set the ov...

Page 733: ...elper UDP helper configuration includes Enabling disabling the function of forwarding UDP broadcast packets Specifying the UDP ports whose packets need to be forwarded Configuring the destination serv...

Page 734: ...ver to which the UDP packets are forwarded udp helper server ip address Required Up to 20 destination servers are corresponding to a VLAN interface Suppose a destination server is configured on a VLAN...

Page 735: ...ent configuration command does not display the default port numbers A default port number is displayed when the function of forwarding UDP broadcast packets is disabled on this port 4 If the undo udp...

Page 736: ...736 CHAPTER 63 UDP HELPER CONFIGURATION...

Page 737: ...ork Management Station and Agent Network Management Station is the workstation for running the client program At present the commonly used NM platforms include Sun NetManager and IBM NetView Agent is...

Page 738: ...Agent of switch supports SNMP V1 V2C and V3 The MIBs supported are listed in the following table Configuring SNMP The following sections describe the SNMP configuration tasks Setting Community Names S...

Page 739: ...hority can only query the device information whereas the community with read write authority can also configure the device Perform the following configuration in system view Setting the System Informa...

Page 740: ...mation snmp agent sys info contact sysContact location sysLocation version v1 v2c v3 all Restore the default information undo snmp agent sys info contact location version v1 v2c v3 all Table 680 Enabl...

Page 741: ...the following commands to set or remove the source address of the trap Delete the destination address of trap undo snmp agent target host host addr securityname securityname Table 681 Set the destina...

Page 742: ...can use either the predefined views or the self defined views You can use the following commands to create update the information of views or delete a view Perform the following configuration in syst...

Page 743: ...Set the size of the SNMP packet sent received by an agent Operation Command Set the size of the SNMP packet sent received by an agent snmp agent packet max size byte count Restore the default size of...

Page 744: ...VLAN interface 2 as 129 102 0 1 SW8800 vlan 2 3Com vlan2 port gigabitethernet 2 1 3 3Com vlan2 interface vlan 2 3Com Vlan interface2 ip address 129 102 0 1 255 255 0 0 Enable SNMP agent to send the tr...

Page 745: ...tion Example 745 The switch supports 3Com s network management products Users can query and configure the switch through the network management system For details see the manuals for the network manag...

Page 746: ...746 CHAPTER 64 SNMP CONFIGURATION...

Page 747: ...llows multiple monitors It can collect data in two ways One is to collect data with a special RMON probe NMS directly obtains the management information from the RMON probe and controls the network re...

Page 748: ...a port When a value of the monitored data exceeds the defined threshold an alarm event will be generated And then the events are handled according to the definition which is decided in the event mana...

Page 749: ...the defined prialarm formula according to the time interval sampling time that you have set 2 Performing the operation to the sampled value according to the defined formula prialarm formula 3 Comparin...

Page 750: ...e following commands to add delete an entry to from the statistics table Perform the following configuration in Ethernet port view Statistics entry calculates the accumulated information starting from...

Page 751: ...MulticastPkts 0 etherStatsUndersizePkts 0 etherStatsOversizePkts 0 etherStatsFragments 0 etherStatsJabbers 0 etherStatsCRCAlignErrors 0 etherStatsCollisions 0 etherStatsDropEvents insufficient resourc...

Page 752: ...terval 10 sec Rising threshold 1000 linked with event 1 Falling threshold 100 linked with event 1 When startup enables risingOrFallingAlarm Latest value 0 Configure an extended alarm group SW8800 rmon...

Page 753: ...increment backup between the server and the client NTP ensures the clock synchronization between the two systems For multiple systems that coordinate to process a complex event NTP ensures them to re...

Page 754: ...11 00 01AM NETWORK LS_A LS_B NTP packet 10 00 00AM 11 00 01AM 11 00 02AM NETWORK LS_A LS_B NTP Packet received at 10 00 03 1 2 3 4 NTP 10 00 00AM NTP 10 00 00AM NETWORK LS_A LS_B NETWORK LS_A LS_B NT...

Page 755: ...Switch according to its location in the network and the network structure The following settings are for your reference If you set a remote server as the time server of the local equipment the local S...

Page 756: ...m view NTP version number number ranges from 1 to 3 and defaults to 3 it does not support authentication and will not be the first choice for time server Configuring NTP Broadcast Server Mode Designat...

Page 757: ...an interface on the local Switch to transmit NTP multicast packets In this case the local equipment operates in Multicast mode and serves as a Multicast server to multicast messages to its clients reg...

Page 758: ...cify the reliable key A Client will synchronize itself by a server only if the serve can provide a reliable key Perform the following configuration in system view Setting NTP Authentication Key This c...

Page 759: ...27 127 1 0 and the stratum defaults to 8 Setting Authority to Access a Local Switch Set authority to access the NTP services on a local Switch This is a basic and brief security measure compared to au...

Page 760: ...and verify the configurations according to the outputs In user view you can use the debugging command to debug NTP Table 710 Set authority to access a local switch Operation Command Set authority to a...

Page 761: ...1 system view Set the local clock as the NTP master clock at stratum 2 3Com1 ntp service refclock master 2 Configure Switch 3Com2 Enter system view 3Com2 system view Set 3Com1 as the NTP server 3Com2...

Page 762: ...ms Reference time 19 21 32 287 UTC Oct 24 2004 C5267F3C 49A61E0C By this time 3Com2 has been synchronized by 3Com1 and is at stratum 3 higher than 3Com1 by 1 Display the sessions of 3Com2 and you wil...

Page 763: ...ice unicast peer 3 0 1 32 The above examples configure 3Com4 and 3Com5 as peers and configure 3Com5 as in active peer mode and 3Com4 in passive peer mode Since 3Com5 is at stratum 1 and 3Com4 is at st...

Page 764: ...onfigure the local clock as the master clock Network diagram See Figure 7 2 Configuration procedure Configure Switch 3Com3 Enter system view 3Com3 system view Set the local clock as the NTP master clo...

Page 765: ...tratum 3 higher than 3Com3 by 1 Display the status of 3Com4 sessions and you will see 3Com4 has been connected to 3Com3 3Com2 display ntp service sessions source reference stra reach poll now offset d...

Page 766: ...n interface2 view 3Com1 interface vlan interface 2 Enable multicast client mode 3Com1 Vlan Interface2 ntp service multicast client The above examples configure 3Com4 and 3Com1 to receive multicast mes...

Page 767: ...Set the key 3Com2 ntp service authentication keyid 42 authentication mode md5 aNiceKey Set the key as reliable 3Com2 ntp service reliable authentication keyid 42 Qudiway2 ntp service unicast server 1...

Page 768: ...768 CHAPTER 66 NTP CONFIGURATION Set the key 3Com1 ntp service authentication keyid 42 authentication mode md5 aNiceKey Configure the key as reliable 3Com1 ntp service reliable authentication keyid 42...

Page 769: ...SH server or SSH client When used as an SSH server the switch supports multiple connections with SSH clients when used as an SSH client the switch supports SSH connections with the SSH server enabled...

Page 770: ...lic key from the server the client encrypts the random number for calculating the session key and sends the result to the server Using the local private key the server decrypts the data sent by the cl...

Page 771: ...rver and the client uses the random number and the session ID with the length of 16 characters as parameters to calculate the authentication data The client sends the authentication data it generates...

Page 772: ...y interval hours Optional By default the system does not update the server key Configure the SSH authentication timeout ssh server timeout seconds Optional By default it is 60 seconds Configure the nu...

Page 773: ...mpt will appear asking if you want to replace it When an SSH user logs in the key generated by the server must be longer than 768 bits By default the key generated by the server is 1 024 bits Configur...

Page 774: ...sa or password publickey the user must be assigned a key and authenticated in key mode through a local SSH user An SSH user in key mode does not support remote authentication If no default authenticat...

Page 775: ...nt Perform the first configuration in the following table in system view n The configuration commands are applicable to the environments where the server employs RSA authentication and password public...

Page 776: ...s any illegal character the configured key is invalid If the configured key is valid it will be saved to the public keys in the system Perform the following configuration in public key edit view Speci...

Page 777: ...s that when the SSH client accesses the server for the first time in the case that there is no local copy of the server s public key the user can choose to proceed to access the server and save a loca...

Page 778: ...ure 182 Network diagram for SSH server Table 728 Configure cancel the first time authentication of the server Operation Command Configure the first time authentication of the server ssh client first t...

Page 779: ...lient001 service type ssh 3Com luser client001 quit SW8800 ssh user client001 authentication type password n You can use the default values for SSH authentication timeout and retries After completing...

Page 780: ...n existent public key sw8800002 to user client002 SW8800 ssh user client002 assign rsa key sw8800002 Start the SSH client software on the terminal preserving the RSA private key and perform the corres...

Page 781: ...the owner s prior written consent no decompiling or reverse engineering shall be allowed SW8800 Configure the client to authenticate the server for the first time SW8800 system view System View return...

Page 782: ...r can log in successfully Configuring the service type to be used Use this configuration to set the type of SSH service to be used Perform the following configuration in system view By default the ser...

Page 783: ...nt bye Optional sftp client exit sftp client quit 4 SFTP directory operation Chang the current directory sftp client cd remote path Return to the upper directory sftp client cdup Display the current d...

Page 784: ...ations include change the name of a file download a file upload a file display the list of files and delete a file Perform the following configuration in SFTP user view Table 735 Start the SFTP client...

Page 785: ...is configured with the username 8040 and password 3com Network diagram Figure 184 Network diagram for SFTP Table 738 SFTP file operations Operation Command Change the name of the specified file on th...

Page 786: ...ey code 4C35029B B4929D58 B9F2A372 99C0F029 D69FE3D3 0469894B 8505A rsa key code 417BAD0D 921AA895 2F9B6ADE 9E755B66 4E6CAE2F 94C339E3 8505A rsa key code 5E301FD0 31FC490B 67E1B657 49750201 25 3Com rs...

Page 787: ...rwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Change the directory name new1 to new2 and check if the directory n...

Page 788: ...7 SSH TERMINAL SERVICE drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pu rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk sftp client Exit SFTP sftp client qui...

Page 789: ...einafter referred to as Switch 8800 Family series support master slave fabric switchover The two modules both have a program system The program user can operate the programs on both modules When you s...

Page 790: ...nd file name is 136 characters The move command takes effect only when the source and destination files are in the same device Storage Device Operation The file system can be used to format a specifie...

Page 791: ...d first to avoid the data lost in the buffer After using the umount command you can dismount the CF card from the slot When inserted the CF card is enabled automatically When the light of the CF card...

Page 792: ...792 CHAPTER 68 FILE SYSTEM MANAGEMENT...

Page 793: ...Bootstrap Programs for the Switch Upgrading BootROM Setting Slot Temperature Limit Updating Service Processing Modules Rebooting the Switch It would be necessary for users to reboot the switch when fa...

Page 794: ...card assume it is B There are two backup programs too one is in the Flash card assume it is C the other is in the CF card assume it is D There is one flag BootDev You can view or modify the names of...

Page 795: ...of the flash for a main control module in a Switch 8800 Family series routing switch is 16MB while the size of current host software including the host application of the application module reaches o...

Page 796: ...r is configured with the name switch the password hello and the read write authority over the Switch root directory on the PC The IP address of a VLAN interface on the switch is 1 1 1 1 and the IP add...

Page 797: ...need to first delete the existing programs in the flash memory and then download the new ones to the memory Enter the corresponding command in user view to establish FTP connection Then enter correct...

Page 798: ...2 2 The switch and PC are reachable with each other The switch application switch app is stored on the PC Using FTP this file can be uploaded from the PC to the switch remotely and the configuration f...

Page 799: ...uploading the new one into the flash of the switch 1 After uploading performs upgrading on the switch SW8800 You can use the boot boot loader command to specify the new file as the application program...

Page 800: ...800 CHAPTER 69 DEVICE MANAGEMENT...

Page 801: ...can run FTP client program to log in the server and access the files on it FTP client You can run the ftp X X X X command where X X X X represents the IP address of the remote FTP server to set up a c...

Page 802: ...includes the top working directory provided for FTP clients You can use the following commands to configure FTP server authentication and authorization Perform the following configuration in correspo...

Page 803: ...ain name ipaddress password display mode Set the password display mode when the switch displays local user information local user password display mode auto cipher force Restore the password display m...

Page 804: ...nd from the clients for corresponding operations such as creating or deleting a directory FTP Client Configuration Example Network requirements The switch serves as FTP client and the remote PC as FTP...

Page 805: ...and then upload the new ones Enter the authorized directory of the FTP server ftp cd switch Use the put command to upload the vrpcfg cfg to the FTP server ftp put vrpcfg cfg Use the get command to dow...

Page 806: ...If the Flash Memory of the switch is not enough you need to first delete the existing programs in the Flash Memory and then upload the new ones 3 When the uploading is completed initiate file upgrade...

Page 807: ...means of TFTP Perform the following configuration in user view In the command tftp server indicates the IP address or host name of TFTP server source file indicates the file information to be download...

Page 808: ...h app is stored on the PC Using TFTP the switch can download the switch app from the remote TFTP server and upload the vrpcfg cfg to the TFTP server under the switch directory for backup purpose Netwo...

Page 809: ...app from the TFTP server to the Flash Memory of the switch SW8800 tftp 1 1 1 2 get switch app switch app Upload the vrpcfg cfg to the TFTP server SW8800 tftp 1 1 1 2 put vrpcfg cfg vrpcfg cfg Use the...

Page 810: ...810 CHAPTER 70 FTP TFTP CONFIGURATION...

Page 811: ...imestamp Sysname Module name Severity Digest Content For example Jun 7 05 22 03 2003 3Com IFNET 6 UPDOWN Line protocol on interface Ethernet2 1 2 changed state to UP When the log information is output...

Page 812: ...sname and module name 5 Module name The module name is the name of module which create this logging information the following sheet list some examples Table 762 The module name field Module name Descr...

Page 813: ...switched path agent module LSPM Label switch path management module MIX Dual system management module MMC MMC module MODEM Modem module MPLSFW MPLS forward module MPM Multicast port management module...

Page 814: ...on it represent the abstract of contents Notice There is a colon between digest and content The digest can be up to 32 characters long Information Center Configuration Switch supports 7 output directi...

Page 815: ...o the loghost Table 764 Numbers and names of the channels for log output Output direction Channel number Default channel name Console 0 console Monitor 1 monitor Information center loghost 2 loghost T...

Page 816: ...terminal Device Configuration Default value Configuration description Switch Enable information center By default information center is enabled Other configurations are valid only if the information...

Page 817: ...put debugging information Enable the terminal display function and this function for the corresponding information For Telnet terminal and dumb terminal to view the information you must enable the cur...

Page 818: ...ormation and so on You must turn on the switch of the corresponding module before defining output debugging information Table 770 Send the configuration information to SNMP Device Configuration Defaul...

Page 819: ...rmation source on the switch By this configuration you can define the information that sent to console terminal is generated by which modules information type information level and so on Perform the f...

Page 820: ...bugging as the information type when configuring information source meantime using the debugging command to turn on the debugging switch of those modules 4 Configuring the loghost The configuration on...

Page 821: ...nd debugging When there is no specific configuration record for a module in the channel use the default one n If you want to view the debugging information of some modules on the switch you must selec...

Page 822: ...nabling information center Perform the following configuration in system view Table 777 Configure the output format of time stamp Operation Command Configure the output format of the time stamp info c...

Page 823: ...al or dumb terminal channel number or channel name must be set to the channel that corresponds to monitor direction Every channel has been set with a default record whose module name is default and th...

Page 824: ...mation as the information sent to the Telnet terminal or dumb terminal now you need to use the terminal monitor command to enable the terminal display function and the terminal logging command to enab...

Page 825: ...ages 3 Configuring information source on the switch By this configuration you can define the information that sent to log buffer is generated by which modules information type information level and so...

Page 826: ...select debugging as the information type when configuring information source meantime using the debugging command to turn on the debugging switch of those modules You can use the following commands to...

Page 827: ...specifies the severity level of information The information with the level below it will not be output channel number specifies the channel number and channel name specifies the channel name When def...

Page 828: ...ng the Configuration Information to SNMP Network Management To send configuration information to SNMP NM follow the steps below 1 Enabling information center Perform the following configuration in sys...

Page 829: ...erent default settings of log trap and debugging When there is no specific configuration record for a module in the channel use the default one n If you want to view the debugging information of some...

Page 830: ...The information with the severity level above informational will be sent to the loghost The output language is English Table 795 Configure the output format of time stamp Operation Command Configure...

Page 831: ...ost This configuration is performed on the loghost The following example is performed on SunOS 4 0 and the operation on Unix operation system produced by other manufactures is generally the same to th...

Page 832: ...assification in great detail and filter the information Configuration examples of sending log to Linux loghost Network requirements The Network requirements are as follows Sending the log information...

Page 833: ...ter loghost and information center loghost a b c d facility configured on the switch Otherwise the log information probably cannot be output to the loghost correctly Step 3 After the establishment of...

Page 834: ...ole terminal log output allow modules ARP and IP to output information the severity level is restricted within the range of emergencies to informational SW8800 info center console channel console SW88...

Page 835: ...the Universal Time Coordinated UTC time Perform the following configuration in user view By default the UTC time zone is adopted Setting the Summer Time You can set the name start and end time of the...

Page 836: ...he debugging information Protocol debugging ON OFF switch controls the debugging output of a protocol Terminal debugging ON OFF switch controls the debugging output on a specified user screen The figu...

Page 837: ...can collect all sorts of information about the switch to locate the source of fault Each module has its corresponding display command which displays the operating information of related module for fa...

Page 838: ...packets the number of received packets the packet loss ratio the round trip time in its minimum value mean value and maximum value quick ping enable Use the quick ping enable command to enable the pin...

Page 839: ...sage indicating that the packet cannot be sent for the TTL is timeout Re send the packet with TTL value as 2 and the second hop returns the TTL timeout message The process is carried over and over unt...

Page 840: ...840 CHAPTER 72 SYSTEM MAINTENANCE AND DEBUGGING...

Page 841: ...security function is enabled At present the following protocols are being checked Set the State of HTTP Protocol port Perform the following configurations in system view Table 807 Set the status of p...

Page 842: ...Y CONFIGURATION By default the port 80 of HTTP protocol is enabled Table 809 Set the status of HTTP protocol port Operation Command Shutdown the port of HTTP protocol ip http shutdown Open the port of...

Page 843: ...ch other Configuring Egress Packet Statistics Counters Note that You cannot configure ports as the objects to be monitored by the egress packet statistics counters on GV48D GT24D GP24D XP4B and XP4CA...

Page 844: ...844 CHAPTER 74 PACKET STATISTICS CONFIGURATION...

Page 845: ...peration Command Remarks Ether system view system view Enable the global loopback detection function loopback detection enable Required Enable the loopback detection function in a VLAN loopback detect...

Page 846: ...846 CHAPTER 75 ETHERNET PORT LOOPBACK DETECTION...

Page 847: ...tic configuring As QinQ is implemented through trunk port defined in 802 1Q all devices along tunnels with QinQ employed must be 802 1Q enabled Therefore QinQ is suitable for small sized metropolitan...

Page 848: ...e of the TPID field which is defined by IEEE 802 1Q But Switch 8800 Family series switches can also adjust the TPID values of QinQ packets This ensures Switch 8800 Family series switches are compatibl...

Page 849: ...port belongs or enable IGMP on the VLAN interface of the VLAN If you have enabled VLAN VPN for the ports in the VLAN the VLAN cannot be removed After you enable the QinQ function the configured ACL ma...

Page 850: ...ter Ethernet port view or port group view interface interface type interface number interface name or port group index Set outer VLAN tags for the packets matching the ACL rules Deliver a Layer 3 traf...

Page 851: ...0 is a multicast VLAN When receiving a packet with the tag of VLAN 600 Switch 8814 does not process the packet n Assume that 3C17533 24 port 1000 Base X modules are installed in the slot 2 of Switch A...

Page 852: ...lot 4 s tag vlan Switch_A GigabitEthernet4 1 2 flow template user defined Switch_A GigabitEthernet4 1 2 quit Configure QinQ so that when the packets of VLAN 100 to 512 leave the uplink port GigabitEth...

Page 853: ...vpn uplink enable command on a port you will fail to execute the vlan vpn enable command on the same port TPID Value Configuration Example Network requirements Switch A and Switch C are Switch 8800 Fa...

Page 854: ...type trunk SwitchA GigabitEthernet2 1 2 port trunk permit vlan 10 SwitchA GigabitEthernet2 1 2 vlan vpn uplink enable Configure the GigabitEthernet2 1 1 port to be a VLAN VPN port and add it to VLAN...

Page 855: ...ch C Switch C sends the packet to its GigabitEthernet2 1 1 port by forwarding the packet in VLAN 10 As GigabitEthernet2 1 1 port is an access port Switch C strip off the outer VLAN tag of the packet a...

Page 856: ...cess the user network Interconnect switch C and switch D through trunk ports Enable VLAN VPN tunnel to transmit packets transparently between the user network and the operator s network Packet ingress...

Page 857: ...itch_B stp enable Set the port to a trunk port and allow the packets of VLAN 10 to pass the port Switch_B vlan 10 Switch_B Ethernet0 1 port link type trunk Switch_B Ethernet0 1 port trunk permit vlan...

Page 858: ...rnet4 1 2 vlan vpn enable Switch_C Ethernet4 1 2 quit Set Ethernet4 1 3 to a trunk port and add this port to all the VLANs Switch_C interface Ethernet4 1 3 Switch_C Ethernet4 1 3 port link type trunk...

Page 859: ...witch_D interface Ethernet3 1 3 Switch_D Ethernet3 1 3 port link type trunk Switch_D Ethernet3 1 3 port trunk permit vlan all c CAUTION STP must be enabled on VLAN VPN tunnel enabled devices otherwise...

Page 860: ...860 CHAPTER 76 QINQ CONFIGURATION...

Page 861: ...res various parameters needed by the test through the network management tool or the command line Then you can enable the test and view the test result After the test use the display nqa command to di...

Page 862: ...ess Required By default no destination address is set Set the description information of the test group description text Optional By default there is no description information of the test group Set t...

Page 863: ...ailure Optional By default no Trap information is sent to the network management system Set the times of constant probe fails after which the Trap information is sent to the network management system...

Page 864: ...ket loses if there is no information of the destination address in the switch and the configured packet size is over the maximum size of a single packet All of the parameters and test results can be d...

Page 865: ...192 168 80 80 Vpn instance NULL Send operation times 5 Receive response times 5 Min Max Average Round Trip Time 21 33 25 Square Sum of Round Trip Time 3557 Last complete test time 2005 12 8 11 22 33...

Page 866: ...866 CHAPTER 77 NQA CONFIGURATION...

Page 867: ...em configuration file or on the terminal the password must be encrypted be being stored When a user inputs the password rather than the plain text of the user s password will appear on the terminal Wh...

Page 868: ...Timeout time for user authentication 4 Configuring super password parameters User levels are configured by the administrator during user configuration The command super is used to change user levels...

Page 869: ...ion Command Description Enter system view system view Enter local user view local user username Configure system login password password simple cipher password Input the password twice as prompted by...

Page 870: ...he password after the password is successfully changed the system will record the new password and record the time when the new password is set and will allow the user to log in If the user chooses no...

Page 871: ...umber of days in which the password will expire and ask the user whether to change the password Configuring minimum length of password There is a limitation for the minimum length of user configured p...

Page 872: ...system administrator The value range is 3 to 360 minutes and the default value is 120 minutes The system will permanently lock the user In this case the user can log in again only if he or she is rem...

Page 873: ...ut time for password authentication An authentication process for a user starts when the server obtains the user name and ends when the password authentication is completed for the user If the passwor...

Page 874: ...h You can either use the default configuration or configure the password control parameters as required Network diagram Figure 204 Network diagram for password control configuration Configuration proc...

Page 875: ...word control Global password settings for all users Password aging Enabled 90 days Password length Enabled 10 Characters Password history Enabled Max history records 4 Password alert before expire 7 d...

Page 876: ...876 CHAPTER 78 PASSWORD CONTROL CONFIGURATION...

Page 877: ...ss Server ASBR Autonomous System Border Router ASCII American Standard Code for Information Interchange ASF Alert Standard Forum ASN Abstract Syntax Notation AU Access Unit AUG Administrative Unit Gro...

Page 878: ...a Date DHCP Dynamic Host Configuration Protocol DMAC Destination MAC DNP Development and Pilot DNS Domain Name Server DoD Downstream on Demand DoS Deny of Service DP Design Point DR Designated Router...

Page 879: ...ing IETF Internet Engineering Task Force IF Information Frame IFM IP Forward Module IGMP Internet Group Management Protocol IGP Interior Gateway Protocol IGRP Interior Gateway Routing Protocol IGSP In...

Page 880: ...Capacitor MIB Management Information Base MM Market Management process MMC Meet Me Conference MODEM MOdulator DEModulator MP Multilink PPP MPLS Multiprotocol Label Switching MPLSFW Multi protocol Labe...

Page 881: ...n Module PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode PoE Power Over Ethernet POH Path Overhead Point to Point Point to Point PPP Point to Point P...

Page 882: ...M 1 Electrical Process Board SPT Special Tone Board SS Scheduled Start Date or Start to Start SSH Secure Shell SSL Secure Socket s Layer SSM Spread Spectrum Modulation ST Segment Type STM 1 SDH Transp...

Page 883: ...S Virtual Operate System VPDN Virtual Private Data Network VPI Virtual Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network Comware Versatile Routing Platform VSI Virtual Swit...

Reviews:

No comments

Related manuals for Switch 8807

KELCO E30 Installation & Programming Manual preview
E30
Brand: KELCO Pages: 41
Qlogic SANbox 5802V Supplementary Manual preview
SANbox 5802V
Brand: Qlogic Pages: 4
Adler ASM512 Installation, Maintenance And Operating Manual Instruction preview
ASM512
Brand: Adler Pages: 8
Dell EMC PowerSwitch Z9332F-ON Setup Manual preview
PowerSwitch Z9332F-ON
Brand: Dell EMC Pages: 16
IOGear GUH420 Quick Start Manual preview
GUH420
Brand: IOGear Pages: 1
Amped Wireless APA2600M Installation And Configuration Manual preview
APA2600M
Brand: Amped Wireless Pages: 22
YA Fusion Z-7799 Instruction Manual preview
Fusion Z-7799
Brand: YA Pages: 47
Kramer Sierra Pro XL 1608V5S Specifications preview
Sierra Pro XL 1608V5S
Brand: Kramer Pages: 2
hager WBMSLL Quick Start Manual preview
WBMSLL
Brand: hager Pages: 2
HIKVISION DS-3E0108P-E User Manual preview
DS-3E0108P-E
Brand: HIKVISION Pages: 25
NBK EORP-200 Instruction Manual preview
EORP-200
Brand: NBK Pages: 32
Orbis DICROMAT+ User Instructions preview
DICROMAT+
Brand: Orbis Pages: 2
Abtus AVS-HDMI81 User'S Operation Manual preview
AVS-HDMI81
Brand: Abtus Pages: 4
PortaOne PortaSwitch Handbook preview
PortaSwitch
Brand: PortaOne Pages: 78
infobit iMatrix H44H150 User Manual preview
iMatrix H44H150
Brand: infobit Pages: 27
Kramer Sierra Video 3264V5Sxl Specifications preview
Sierra Video 3264V5Sxl
Brand: Kramer Pages: 1
Unilamp Luzense RADIM RF Instruction Manual preview
Luzense RADIM RF
Brand: Unilamp Pages: 2
ORiNG TES-W9124GT-M12X-BP2-24V-IP54 Quick Installation Manual preview
TES-W9124GT-M12X-BP2-24V-IP54
Brand: ORiNG Pages: 2

Brands by name

Popular brands

Load more brands