manualshive.com logo in svg

H3C H3C S5600 Series, Operation Manual, Page: 603 / 1278

Share
Download
H3C H3C S5600 Series Operation Manual Download Page 603

Operation Manual – AAA 
H3C S5600 Series Ethernet Switches 

Table of Contents

 

Table of Contents 

Chapter 1 AAA Overview .............................................................................................................. 1-1

 

1.1 Introduction to AAA ............................................................................................................ 1-1

 

1.1.1 Authentication.......................................................................................................... 1-1

 

1.1.2 Authorization ........................................................................................................... 1-2

 

1.1.3 Accounting............................................................................................................... 1-2

 

1.1.4 Introduction to ISP Domain ..................................................................................... 1-2

 

1.2 Introduction to AAA Services ............................................................................................. 1-3

 

1.2.1 Introduction to RADIUS........................................................................................... 1-3

 

1.2.2 Introduction to HWTACACS.................................................................................... 1-8

 

Chapter 2 AAA Configuration ...................................................................................................... 2-1

 

2.1 AAA Configuration Task List.............................................................................................. 2-1

 

2.1.1 Creating an ISP Domain and Configuring Its Attributes.......................................... 2-2

 

2.1.2 Configuring an AAA Scheme for an ISP Domain.................................................... 2-4

 

2.1.3 Configuring Dynamic VLAN Assignment ................................................................ 2-7

 

2.1.4 Configuring the Attributes of a Local User .............................................................. 2-8

 

2.1.5 Cutting Down User Connections Forcibly ............................................................. 2-10

 

2.2 RADIUS Configuration Task List ..................................................................................... 2-11

 

2.2.1 Creating a RADIUS Scheme................................................................................. 2-13

 

2.2.2 Configuring RADIUS Authentication/Authorization Servers.................................. 2-13

 

2.2.3 Configuring RADIUS Accounting Servers ............................................................. 2-14

 

2.2.4 Configuring Shared Keys for RADIUS Messages................................................. 2-16

 

2.2.5 Configuring the Maximum Number of RADIUS Request Transmission Attempts 2-17

 

2.2.6 Configuring the Type of RADIUS Servers to be Supported .................................. 2-17

 

2.2.7 Configuring the Status of RADIUS Servers .......................................................... 2-18

 

2.2.8 Configuring the Attributes of Data to be Sent to RADIUS Servers ....................... 2-19

 

2.2.9 Configuring the Local RADIUS Server .................................................................. 2-21

 

2.2.10 Configuring Timers for RADIUS Servers ............................................................ 2-22

 

2.2.11 Enabling Sending Trap Message when a RADIUS Server Goes Down ............. 2-23

 

2.2.12 Enabling the User Re-Authentication at Restart Function .................................. 2-24

 

2.3 HWTACACS Configuration Task List .............................................................................. 2-26

 

2.3.1 Creating a HWTACACS Scheme.......................................................................... 2-26

 

2.3.2 Configuring TACACS Authentication Servers....................................................... 2-27

 

2.3.3 Configuring TACACS Authorization Servers......................................................... 2-27

 

2.3.4 Configuring TACACS Accounting Servers ............................................................ 2-28

 

2.3.5 Configuring Shared Keys for HWTACACS Messages.......................................... 2-29

 

2.3.6 Configuring the Attributes of Data to be Sent to TACACS Servers ...................... 2-30

 

2.3.7 Configuring the Timers Regarding TACACS Servers ........................................... 2-30

 

Summary of Contents for H3C S5600 Series

Page 1: ...H3C S5600 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 20080724 C 1 01 Product Version Release 1602 ...

Page 2: ... V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensure accuracy of the contents but all statement...

Page 3: ... performance fundamental and the related configuration 6 Voice VLAN Introduces voice VLAN fundamental and the related configuration 7 GVRP Introduces GVRP and the related configuration 8 Port Basic Configuration Introduces basic port configuration 9 Link Aggregation Introduces link aggregation and the related configuration 10 Port Isolation Introduces port isolation and the related configuration 1...

Page 4: ... VRRP and the related configuration 23 ARP Introduces ARP and the related configuration 24 DHCP Introduces DHCP server DHCP relay DHCP Snooping and the related configurations 25 ACL Introduces ACL and the related configuration 26 QoS QoS Profile Introduces QoS QoS profile and the related configuration 27 Mirroring Introduces port mirroring and the related configuration 28 IRF Fabric Introduces IRF...

Page 5: ...n 44 Access Management Introduces Access Management and the related configuration 45 Appendix Lists the acronyms used in this manual Conventions The manual uses the following conventions I Command conventions Convention Description Boldface The keywords of a command line are in Boldface italic Command arguments are in italic Items keywords or arguments in square brackets are optional x y Alternati...

Page 6: ...on Warning Means reader be extremely careful Improper operation may cause bodily injury Caution Means reader be careful Improper operation may cause data loss or damage to equipment Note Means a complementary description Related Documentation In addition to this manual each H3C S5600 Series Ethernet Switches documentation set includes the following Manual Description H3C S5600 Series Ethernet Swit...

Page 7: ... Solutions Provides information about products and technologies Technical Support Document Technical Documents Provides several categories of product documentation such as installation operation and maintenance Technical Support Document Product Support Software Provides the documentation released with the software version Documentation Feedback You can e mail your comments about product documenta...

Page 8: ... 3 Software Release Notes 1 2 Chapter 2 Correspondence Between Documentation and Software 2 1 2 1 Software Version 2 1 2 2 Manual List 2 4 Chapter 3 Product Overview 3 1 3 1 Preface 3 1 3 2 Switch Models 3 1 3 3 Software Features 3 2 Chapter 4 Networking Applications 4 1 4 1 Application in Small Middle Scaled Enterprise Networks 4 1 4 2 Application in Large Scaled Campus Networks 4 2 ...

Page 9: ...basis due to product version upgrade or some other reasons Therefore the contents in the CD ROM may not be the latest version This manual serves the purpose of user guide only Unless otherwise noted all the information in the document set does not claim or imply any warranty For the latest software documentation go to the H3C website 1 2 H3C Website Perform the following steps to query and downloa...

Page 10: ...es Ethernet Switches Chapter 1 Obtaining the Documentation 1 2 1 3 Software Release Notes With software upgrade new software features may be added You can acquire the information about the newly added software features through software release notes ...

Page 11: ...ble 2 3 Table 2 1 Added features in Release 1602 Added feature in Release 1602 Manual Specifying the authentication mode for user level switching Adopting HWTACACS authentication for user level switching 01 CLI Copyright information is displayed when a Telnet user logs in Banner information is displayed when a user logs in through Web 02 Login Auto negotiation rate configuration for the current po...

Page 12: ... port configuration Support of static router port configuration Support of VLAN tag configuration for query messages 17 Multicast Protocol Online user handshake Support of 802 1x re authentication configuration Support of 802 1x re authentication timeout configuration Quick deployment of EAD 18 802 1x and System Guard Support of domain delimiter configuration Support of HWTACACS scheme configurati...

Page 13: ...ag after the traffic is redirected to the uplink port or the aggregation port group Burst function 26 QoS QoS Profile Configuration of IRF automatic fabric 28 IRF Fabric Online upgrade of PSE processing software 30 PoE PoE Profile Creating a MIB view with the mask of a MIB subtree Encrypting a plain text password Adding interface description and interface type in linkUp linkDown Trap message 32 SN...

Page 14: ...3 Smart Link Monitor Link Table 2 2 Deleted feature from Release 1602 Deleted feature Manual CLI language mode setting 38 System Maintenance and Debugging Table 2 3 Modified features in Release 1602 Modified feature Manual Support of up to 128 characters in a domain name compared with the original 24 characters 19 AAA Sequence of selecting Web files 35 File System Management Keywords of five comma...

Page 15: ...lists the S5600 series Ethernet Switches models Table 3 1 Models in the S5600 series Model Power supply Available ports on front panel Ports on front panel Combo ports Console port H3C S5600 26C AC and DC dual input power supply PSL130 A D 24 24 x 10 100 100 0Base T electrical ports 4 x 1000 Mbps SFP Combo ports 1 H3C S5600 26C PWR AC DC input external PoE power supply PSL480 A D24P 24 24 x 10 100...

Page 16: ...applications Table 3 2 summarizes the features provided by each module Table 3 2 Service features of the S5600 series Part Features 1 CLI z CLI z Hierarchically grouped commands z CLI online help 2 Login z Logging into a switch through the Console port z Logging into a switch through an Ethernet port by using Telnet or SSH z Logging into a switch through the Console port by using modem z Logging i...

Page 17: ...ole MAC addresses z Configuring the aging time for MAC addresses z MAC address learning limit 14 Auto Detect z Auto detect z Auto detect applications in static routing VRRP and VLAN interface backup 15 MSTP z STP RSTP MSTP z The following guard functions are available on an MSTP enabled switch BPDU guard root guard loop guard TC BPDU attack guard and BPDU drop z Digest snooping z Rapid transition ...

Page 18: ...ress authentication z Enhanced MAC address authentication 22 VRRP z Virtual Router Redundancy Protocol VRRP 23 ARP z Gratuitous ARP z Sending gratuitous ARP packets periodically z Manually configuring ARP entries z ARP attack detection z ARP packet rate limiting z Proxy ARP z Resilient ARP 24 DHCP z DHCP client BOOTP client z DHCP server z DHCP relay z DHCP Snooping z DHCP accounting z Using Optio...

Page 19: ...SSHv1 5 35 File System Management z File system configuration z File attribute configuration z Configuration file backup and restoration 36 FTP SFTP TFTP z Operating as an FTP server FTP client z Operating as an SFTP server SFTP client z Operating as a TFTP client 37 Information Center z System logs z Hierarchical alarms z Debugging information output 38 System Maintenance and Debugging z Loading ...

Page 20: ...Series Ethernet Switches Chapter 3 Product Overview 3 6 Part Features 42 DNS IPv4 Domain Name System DNS 43 Smart Link Monitor Link z Smart Link z Monitor Link 44 Access Management Configuring the access IP address pool based on the physical port ...

Page 21: ...wing describes several typical networking methods for the S5600 series 4 1 Application in Small Middle Scaled Enterprise Networks The S5600 series can be used as backbone switches in the branches of small middle scaled enterprises where they can be connected by routers to the networks of other branches or the headquarters When the branches or enterprises grow in scale the S5600 series also provide...

Page 22: ...d campus networks where each of them can be connected with multiple Layer 2 3 downstream Ethernet switches for example S3600 series switches and connected to Layer 3 core upstream switches through the GE expansion module slot In this way the S5600 series can provide a full solution for building enterprise networks in various size from Gigabit backbone network 100 Mbps network to desktop network Fi...

Page 23: ...roduction to the CLI 1 1 1 2 Command Hierarchy 1 2 1 2 1 Command Level and User Privilege Level 1 2 1 2 2 Modifying the Command Level 1 3 1 2 3 Switching User Level 1 4 1 3 CLI Views 1 8 1 4 CLI Features 1 13 1 4 1 Online Help 1 13 1 4 2 Terminal Display 1 15 1 4 3 Command History 1 15 1 4 4 Error Prompts 1 16 1 4 5 Command Edit 1 17 ...

Page 24: ...Through the CLI on a switch a user can enter commands to configure the switch and check output information to verify the configuration Each S5600 series Ethernet switch provides an easy to use CLI and a set of configuration commands for the convenience of the user to configure and manage the switch The CLI on S5600 series Ethernet switches provides the following features and so has good manageabil...

Page 25: ...tem and diagnose service faults and they cannot be saved in configuration file Such commands include debugging and terminal z System level level 2 Commands at this level are mainly used to configure services Commands concerning routing and network layers are at this level These commands can be used to provide network services directly z Manage level level 3 Commands at this level are associated wi...

Page 26: ...l view view command Required Caution z It is recommended not to change the level of a command arbitrarily for it may cause inconvenience to maintenance and operation z When you change the level of a command with multiple keywords you should input the keywords one by one in the order they appear in the command syntax Otherwise your configuration will not take effect II Configuration example The net...

Page 27: ... user level switching Required Switching to a specific user level Required I Specifying the authentication mode for user level switching You can switch between user levels through corresponding commands after logging into a switch successfully The high to low user level switching is unlimited However the low to high user level switching requires the corresponding authentication The super password ...

Page 28: ...g Note When both the super password authentication and the HWTACACS authentication are specified the device adopts the preferred authentication mode first If the preferred authentication mode cannot be implemented for example the super password is not configured or the HWTACACS authentication server is unreachable the backup authentication mode is adopted II Adopting super password authentication ...

Page 29: ...assword as prompted Note that if you have passed the HWTACACS authentication when logging in to the switch only the password is required The following table lists the operations to configure HWTACACS authentication for user level switching which can only be performed by Level 3 users Follow these steps to set the HWTACACS authentication scheme for user level switching To do Use the command Remarks...

Page 30: ...to the switch his her user level is 0 Now the network administrator wants to allow general users to switch to level 3 so that they are able to configure the switch 1 Super password authentication configuration example A level 3 user sets a switching password for user level 3 Sysname system view Sysname super password level 3 simple 123 A general user telnets to the switch and then uses the set pas...

Page 31: ...level is 3 and only those commands can be used whose level is equal or less than this Privilege note 0 VISIT 1 MONITOR 2 SYSTEM 3 MANAGE 1 3 CLI Views CLI views are designed for different configuration tasks They are both correlated and distinguishing For example once a user logs into a switch successfully the user enters user view where the user can perform some simple operations such as checking...

Page 32: ...gure VLAN parameters Sysname vla n1 Execute the vlan command in system view VLAN interface view Configure VLAN interface parameters including the management VLAN parameters Sysname Vla n interface1 Execute the interface Vlan interface command in system view Loopback interface view Configure loopback interface parameters Sysname Loo pBack0 Execute the interface loopback command in system view NULL ...

Page 33: ... command in system view Configure the RSA public key for SSH users Sysname rsa public key Execute the rsa peer public ke y command in system view Public key view Configure the RSA or DSA public key for SSH users Sysname pee r public key Execute the public key peer command in system view Execute the peer public key end command to return to system view Edit the RSA public key for SSH users Sysname r...

Page 34: ...in system view Execute the return command to return to user view OSPF area view Configure OSPF area parameters Sysname osp f 1 area 0 0 0 1 Execute the area command in OSPF view Execute the quit command to return to OSPF view Execute the return command to return to user view BGP view Configure BGP protocol parameters Sysname bg p Execute the bgp command in system view Execute the quit command to r...

Page 35: ...e the acl number command in system view User defined ACL view Define rules for a user defined ACL with ID ranging from 5000 to 5999 Sysname acl user 5000 Execute the acl number command in system view QoS profile view Define QoS profile Sysname qos profile a123 Execute the qos profile command in system view RADIUS scheme view Configure RADIUS scheme parameters Sysname rad ius 1 Execute the radius s...

Page 36: ...ters Sysname mtl k group1 Execute the monitor link group command in system view Detected group view Configure detected group parameters Sysname det ect group 1 Execute the detect group command in system view QinQ view Configure QinQ parameters Sysname Gig abitEthernet1 0 1 vid 20 Execute the vlan vpn vid command in GigabitEthernet port view The vlan vpn enable command should be first executed Exec...

Page 37: ...and a space and a question mark If the question mark is at a keyword position in the command all available keywords at the position and their descriptions will be displayed on your terminal Sysname clock datetime Specify the time and date summer time Configure summer time timezone Configure time zone If the question mark is at an argument position in the command the description of the argument wil...

Page 38: ...ides the screen splitting feature to have display output suspended when the screen is full When display output pauses you can perform the following operations as needed see Table 1 2 Table 1 2 Display related operations Operation Function Press Ctrl C Stop the display output and execution of the command Press any character except Space Enter and when the display output pauses Stop the display outp...

Page 39: ...ands in such an environment However you can use Ctrl P and Ctrl N instead to achieve the same purpose z When you enter the same command multiple times consecutively only one history command entry is created by the command line interface 1 4 4 Error Prompts If a command passes the syntax check it will be successfully executed otherwise an error message will be displayed Table 1 3 lists the common e...

Page 40: ...t of the cursor and move the cursor one character to the left Left arrow key or Ctrl B Move the cursor one character to the left Right arrow key or Ctrl F Move the cursor one character to the right Up arrow key or Ctrl P Down arrow key or Ctrl N Display history commands Tab Use the partial online help That is when you input an incomplete keyword and press Tab if the input parameter uniquely identi...

Page 41: ...nfiguration with Authentication Mode Being Password 2 9 2 5 1 Configuration Procedure 2 9 2 5 2 Configuration Example 2 11 2 6 Console Port Login Configuration with Authentication Mode Being Scheme 2 13 2 6 1 Configuration Procedure 2 13 2 6 2 Configuration Example 2 15 Chapter 3 Logging In Through Telnet 3 1 3 1 Introduction 3 1 3 1 1 Common Configuration 3 2 3 1 2 Telnet Configurations for Diffe...

Page 42: ...ress for Telnet Service Packets 7 1 7 1 Overview 7 1 7 2 Configuring Source IP Address for Telnet Service Packets 7 1 7 3 Displaying Source IP Address Configuration 7 2 Chapter 8 User Control 8 1 8 1 Introduction 8 1 8 2 Controlling Telnet Users 8 2 8 2 1 Prerequisites 8 2 8 2 2 Controlling Telnet Users by Source IP Addresses 8 2 8 2 3 Controlling Telnet Users by Source and Destination IP Addresse...

Page 43: ...er to be displayed when a user logs in through Web See Configuring the Login Banner 1 1 Logging In to an Ethernet Switch You can log in to an S5600 Ethernet switch in one of the following ways z Logging in locally through the console port z Logging in locally or remotely through an Ethernet port by means of Telnet or SSH z Telnetting to the console port using a modem z Logging in to the Web based ...

Page 44: ...e index 1 The absolute user interface indexes are as follows z The absolute AUX user interfaces are numbered 0 through 7 z VTY user interface indexes follow AUX user interface indexes The first absolute VTY user interface is numbered 8 the second is 9 and so on 2 A relative user interface index can be obtained by appending a number to the identifier of a user interface type It is generated by user...

Page 45: ...xt Optional By default no banner is configured Set a system name for the switch sysname string Optional By default the system name is H3C Enable copyright information displaying copyright info enable Optional By default copyright displaying is enabled That is the copy right information is displayed on the terminal after a user logs in successfully Enter user interface view user interface type firs...

Page 46: ...also the prerequisite to configure other login methods By default you can locally log in to an S5600 Ethernet switch through its console port only Table 2 1 lists the default settings of a console port Table 2 1 The default settings of a console port Setting Default Baud rate 9 600 bps Flow control None Check mode Parity None Stop bits 1 Data bits 8 To log in to a switch through the console port m...

Page 47: ...h as Terminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP The following assumes that you are running Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally both sides that is the serial port of the PC and the console port of the switch are configured as those listed in Table 2 1 Figure 2 2 Create a connect...

Page 48: ...sfully completes POST power on self test The prompt such as H3C appears after you press the Enter key as shown in Figure 2 5 Figure 2 5 HyperTerminal CLI 4 You can then configure the switch or check the information about the switch by executing the corresponding commands You can also acquire help by typing the character Refer to related parts in this manual for information about the commands used ...

Page 49: ...nal The default data bits of a console port is 8 AUX user interface configuration Configure the command level available to the users logging in to the AUX user interface Optional By default commands of level 3 are available to the users logging in to the AUX user interface Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum nu...

Page 50: ...ou need to modify the corresponding settings of the terminal emulation utility running on your PC accordingly in the dialog box shown in Figure 2 4 2 3 2 Console Port Login Configurations for Different Authentication Modes Table 2 3 Console port login configurations for different authentication modes Authentication mode Console port login configuration Remarks None Perform common configuration Per...

Page 51: ...nfigured on the switch The user name and password of a RADIUS user are configured on the RADIUS server Refer to user manual of RADIUS server for more Manage AUX users Set service type for AUX users Required Scheme Perform common configuration Perform common configuration for console port login Optional Refer to Table 2 2 Note Changes made to the authentication mode for console port login takes eff...

Page 52: ...nal The default data bits of a console port is 8 Configure the command level available to users logging in to the user interface user privilege level level Optional By default commands of level 3 are available to users logging in to the AUX user interface and commands of level 0 are available to users logging in to the VTY user interface Enable terminal services shell Optional By default terminal ...

Page 53: ... requirements Assume that the switch is configured to allow users to log in through Telnet and the current user level is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Do not authenticate the users z Commands of level 2 are available to the users logging in to the AUX user interface z The baud rate of t...

Page 54: ...screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accordingl...

Page 55: ... 1 1 5 2 Optional The default stop bits of a console port is 1 Configur e the console port Set the data bits databits 7 8 Optional The default data bits of a console port is 8 Configure the command level available to users logging in to the user interface user privilege level level Optional By default commands of level 3 are available to users logging in to the AUX user interface Make terminal ser...

Page 56: ...rements Assume the switch is configured to allow users to log in through Telnet and the user level is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Authenticate the users using passwords z Set the local password to 123456 in plain text z The commands of level 2 are available to the users z The baud rat...

Page 57: ...evel 2 are available to users logging in to the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the console port to 19 200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 2...

Page 58: ...al By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well Perform AAA RADIUS configuration on the switch Refer to the AAA part for more Configure the user ...

Page 59: ...console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a console port is 1 Configure the console port Set the data bits databits 7 8 Optional The default data bits of a console port is 8 Configure the command level available to users logging in to the user interface user privilege level level Optional By default commands of level 3 are...

Page 60: ...thenticate the users in the scheme mode the command level available to users logging in to a switch depends on the command level specified in the service type terminal level level command 2 6 2 Configuration Example I Network requirements Assume the switch is configured to allow users to log in through Telnet and the user level is set to the administrator level level 3 Perform the following config...

Page 61: ...rvice type to Terminal Specify commands of level 2 are available to users logging in to the AUX user interface Sysname luser guest service type terminal level 2 Sysname luser guest quit Enter AUX user interface view Sysname user interface aux 0 Configure to authenticate users logging in through the console port in the scheme mode Sysname ui aux0 authentication mode scheme Set the baud rate of the ...

Page 62: ...ing In Through the Console Port 2 17 Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2 4 to log in to the switch successfully ...

Page 63: ...l You can also log in to a switch through SSH SSH is a secure shell added to Telnet Refer to the SSH Operation for related information Table 3 1 Requirements for Telnetting to a switch Item Requirement The IP address is configured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and R...

Page 64: ...rface Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the history command buffer can contain up to 10 commands VTY terminal configuration Set the timeout time of a user interf...

Page 65: ... for more Manage VTY users Set service type for VTY users Required Scheme Perform common configuration Perform common Telnet configuration Optional Refer to Table 3 2 Note To improve security and prevent attacks to the unused Sockets TCP 23 and TCP 22 ports for Telnet and SSH services respectively will be enabled or disabled after corresponding configurations z If the authentication mode is none T...

Page 66: ...vilege level level Optional By default commands of level 0 are available to users logging in to VTY user interfaces Configure the protocols to be supported by the VTY user interface protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the commands to be executed automatically after a user login to the user interface successfully auto execute c...

Page 67: ...idle timeout 0 command to disable the timeout function Note that if you configure not to authenticate the users the command level available to users logging in to a switch depends on the user privilege level level command 3 2 2 Configuration Example I Network requirements Assume current user logins through the console port and the current user level is set to the administrator level level 3 Perfor...

Page 68: ...ntain to 30 Sysname ui vty0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 3 3 Telnet Configuration with Authentication Mode Being Password 3 3 1 Configuration Procedure Follow these steps to configure Telnet with the authentication mode being...

Page 69: ...s are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size value Optional The default history command buffer size is 10 Th...

Page 70: ...of VTY 0 is 6 minutes II Network diagram Figure 3 2 Network diagram for Telnet configuration with the authentication mode being password III Configuration procedure Enter system view Sysname system view Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 using the password Sysname ui vty0 authentication mode password Set the local passwo...

Page 71: ... system view quit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well Perform AAA RADIUS configuration on the switch Refer to the AAA part for ...

Page 72: ...lt Make terminal services available shell Optional Terminal services are available in all use interfaces by default Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set history command buffer size history command...

Page 73: ...rvice type command The user privilege level level command is executed and the service type command does not specify the available command level Level 0 VTY users that are AAA RADIUS authenticated or locally authenticated The user privilege level level command is executed and the service type command specifies the available command level Determined by the service type command The user privilege lev...

Page 74: ...cuted and the service type command specifies the available command level Determined by the service type command Note Refer to AAA Operation and SSH Operation of this manual for information about AAA RADIUS and SSH 3 4 2 Configuration Example I Network requirements Assume current user logins through the console port and the user level is set to the administrator level level 3 Perform the following ...

Page 75: ...0 Sysname luser guest service type telnet level 2 Sysname luser guest quit Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 in the scheme mode Sysname ui vty0 authentication mode scheme Configure Telnet protocol is supported Sysname ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 Sysname ui...

Page 76: ... H3C appears as shown in the following figure Figure 3 5 The terminal window z Perform the following operations in the terminal window to assign IP address 202 38 160 92 24 to VLAN interface 1 of the switch Sysname system view Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 202 38 160 92 255 255 255 0 2 Perform Telnet related configuration on the switch Refer to Telnet Config...

Page 77: ...nd prompts for login password The CLI prompt such as Sysname appears if the password is correct If all VTY user interfaces of the switch are in use you will fail to establish the connection and receive the message that says All user interfaces are used please try later A H3C series Ethernet switch can accommodate up to five Telnet connections at same time 6 After successfully Telnetting to the swi...

Page 78: ...e telnet command and then configure it Figure 3 8 Network diagram for Telnetting to another switch from the current switch 1 Perform Telnet related configuration on the switch operating as the Telnet server Refer to Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password and Telnet Configuration with Authentication Mode Being Scheme for...

Page 79: ...ch in this way you need to configure the administrator side and the switch properly as listed in the following table Table 4 1 Requirements for logging in to a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the consol...

Page 80: ...he switch locally through its console port except that z When you log in through the console port using a modem the baud rate of the console port is usually set to a value lower than the transmission speed of the modem Otherwise packets may get lost z Other settings of the console port such as the check mode the stop bits and the data bits remain the default The configuration on the switch depends...

Page 81: ...cheme for more 2 Perform the following configuration to the modem directly connected to the switch Refer to Modem Configuration for related configuration 3 Connect your PC the modems and the switch as shown in Figure 4 1 Make sure the modems are properly connected to telephone lines Console port PSTN Telephone line Modem serial cable Telephone number of the romote end 82882285 Modem Modem Figure 4...

Page 82: ...anual Login H3C S5600 Series Ethernet Switches Chapter 5 Logging In Through the Web based Network Management System 4 4 Figure 4 2 Create a connection Figure 4 3 Set the telephone number Figure 4 4 Call the modem ...

Page 83: ... password is correct the prompt such as Sysname appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the related parts in this manual for information about the configuration commands Note If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI part for informati...

Page 84: ...ted configuration on both the switch and the PC operating as the network management terminal Table 5 1 Requirements for logging in to a switch through the Web based network management system Item Requirement The VLAN interface of the switch is assigned an IP address and the route between the switch and the Web network management terminal is reachable Refer to the IP Address Configuration IP Perfor...

Page 85: ... network management terminal your PC and enter the IP address of the management VLAN interface of the switch in the address bar Make sure the route between the Web based network management terminal and the switch is available 5 When the login authentication interface as shown in Figure 5 2 appears enter the user name and the password configured in step 2 and click Login to bring up the main page o...

Page 86: ...ader login text Required By default no login banner is configured 5 3 2 Configuration Example I Network requirements z A user logs in to the switch through Web z The banner page is desired when a user logs into the switch II Network diagram Figure 5 3 Network diagram for login banner configuration III Configuration Procedure Enter system view Sysname system view Configure the banner Welcome to be ...

Page 87: ... WEB Server Follow these steps to enable Disable the WEB Server To do Use the command Remarks Enter system view system view Enable the Web server ip http shutdown Required By default the Web server is enabled Disable the Web server undo ip http shutdown Required Note To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the cor...

Page 88: ...on To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is configured The route between the NMS and the switch is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protoco...

Page 89: ...h B from PC If devices in the segment 192 168 1 0 24 are not allowed to telnet to Switch B you can log in to Switch A an S5600 Ethernet switch first configure the source IP address of the Telnet service packets on Switch A as 192 168 2 5 and then log in to Switch B through Switch A 7 2 Configuring Source IP Address for Telnet Service Packets The feature of configuring source IP address for Telnet ...

Page 90: ...cified is that of a Layer 3 interface of the local device Otherwise the system prompts configuration failure z The source interface specified must exist Otherwise the system prompts configuration failure z Configuring the source interface of Telnet service packets equals configuring the IP address of this interface as the source IP address of the Telnet service packets z If a source IP address or ...

Page 91: ...Table 8 1 Ways to control different types of login users Login mode Control method Implementation Related section By source IP address Through basic ACL Controlling Telnet Users by Source IP Addresses By source and destination IP address Through advanced ACL Controlling Telnet Users by Source and Destination IP Addresses Telnet By source MAC address Through Layer 2 ACL Controlling Telnet Users by ...

Page 92: ...L view acl number acl number match order auto config As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id deny permit rule string Required Quit to system view quit Enter user interface view user interface type first number last number Apply the ACL to control Telnet users by source IP addresses acl acl number inbound outbound Required The i...

Page 93: ...on IP addresses acl acl number inbound outbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch 8 2 4 Controlling Telnet Users by Source MAC Addresses Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs which a...

Page 94: ...e switch II Network diagram Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Figure 8 1 Network diagram for controlling Telnet users using ACLs III Configuration procedure Define a basic ACL Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Apply the ACL Sysname user interface vty 0 4 Sysname ui vty0 4 acl...

Page 95: ...ntrolling actions permitting or denying 8 3 2 Controlling Network Management Users by Source IP Addresses Controlling network management users by source IP addresses is achieved by applying basic ACLs which are numbered from 2000 to 2999 Follow these steps to control network management users by source IP addresses To do Use the command Remarks Enter system view system view Create a basic ACL or en...

Page 96: ... ACL while configuring the SNMP user name snmp agent usm user v1 v2c user name group name acl acl number snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode des56 aes128 priv password acl acl number Required According to the SNMP version and configuration customs of NMS users you can reference an ACL when configuring community name group name o...

Page 97: ...ons You need to perform the following two operations to control Web users by source IP addresses z Defining an ACL z Applying the ACL to control Web users 8 4 1 Prerequisites The controlling policy against Web users is determined including the source IP addresses to be controlled and the controlling actions permitting or denying 8 4 2 Controlling Web Users by Source IP Addresses Controlling Web us...

Page 98: ...the command Remarks Disconnect a Web user by force free web users all user id user id user name user name Required Available in user view 8 4 4 Configuration Example I Network requirements Only the Web users sourced from the IP address of 10 110 100 52 are permitted to access the switch II Network diagram Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Figure 8 3 Network diagram for co...

Page 99: ... Manual Login H3C S5600 Series Ethernet Switches Chapter 8 User Control 8 9 Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch Sysname ip http acl 2030 ...

Page 100: ...ents Chapter 1 Configuration File Management 1 1 1 1 Introduction to Configuration File 1 1 1 2 Configuration Task List 1 2 1 2 1 Saving the Current Configuration 1 3 1 2 2 Erasing the Startup Configuration File 1 4 1 2 3 Specifying a Configuration File for Next Startup 1 5 1 2 4 Displaying Switch Configuration 1 6 ...

Page 101: ...booting II Format of configuration file Configuration files are saved as text files for ease of reading They z Save configuration in the form of commands z Save only non default configuration settings z The commands are grouped into sections by command view The commands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a comment line i...

Page 102: ...figuration file for next startup you can specify to use the main or backup configuration file IV Startup with the configuration file When booting the system chooses the configuration files following the rules below 1 If the main configuration file exists the switch initializes with this configuration 2 If the main configuration file does not exist but the backup configuration file exists the switc...

Page 103: ... saving process the switch initializes itself in the following two conditions when it starts up next time z If a configuration file with the extension cfg exists in the Flash the switch uses the configuration file to initialize itself when it starts up next time z If there is no cfg configuration file in the Flash but there is a configuration file with the extension cfgbak backup configuration fil...

Page 104: ...e conditions of stable power and adopt the safe mode in the conditions of unstable power or remote maintenance z If you use the save command after a fabric is formed on the switch the units in the fabric save their own startup configuration files automatically z The extension name of the configuration file must be cfg 1 2 2 Erasing the Startup Configuration File You can clear the configuration fil...

Page 105: ...e to be used for the next startup and configure the main backup attribute for the configuration file I Assigning main attribute to the startup configuration file z If you save the current configuration to the main configuration file the system will automatically set the file as the main startup configuration file z You can also use the startup saved configuration cfgfile main command to set the fi...

Page 106: ...nit id by linenum Display the configuration file used for this and next startup display startup unit unit id Display the current VLAN configuration of the switch display current configuration vlan vlan id by linenum Display the validated configuration in current view display this by linenum Display current configuration display current configuration configuration configuration type interface inter...

Page 107: ...ol Based VLAN 1 11 Chapter 2 VLAN Configuration 2 1 2 1 VLAN Configuration 2 1 2 1 1 VLAN Configuration Task List 2 1 2 1 2 Basic VLAN Configuration 2 1 2 1 3 Basic VLAN Interface Configuration 2 2 2 1 4 Displaying VLAN Configuration 2 3 2 2 Configuring a Port Based VLAN 2 3 2 2 1 Port Based VLAN Configuration Task List 2 3 2 2 2 Configuring the Link Type of an Ethernet Port 2 3 2 2 3 Assigning an...

Page 108: ...e packet The above scenarios could result in the following network problems z Large quantity of broadcast packets or unknown unicast packets may exist in a network wasting network resources z A host in the network receives a lot of packets whose destination is not the host itself causing potential serious security problems Isolating broadcast domains is the solution for the above problems The trad...

Page 109: ...u can isolate them at Layer 2 To enable communication between VLANs routers or Layer 3 switches are required z Flexible virtual workgroup creation As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations network construction and maintenance is much easier and more flexible 1 1 3 VLAN Fundamentals I VLAN tag To enable a Layer 2 switch to identify fram...

Page 110: ...canonical format value 1 indicates that the MAC addresses are encapsulated in non canonical format The field is set to 0 by default z The 12 bit VLAN ID field identifies the VLAN the frame belongs to The VLAN ID range is 0 to 4095 As 0 and 4095 are reserved by the protocol a VLAN ID actually ranges from 1 to 4094 Note The Ethernet II encapsulation format is used here Besides the Ethernet II encaps...

Page 111: ...VLAN are forwarded according to the VLAN s own MAC address forwarding table Currently the H3C S5600 series Ethernet switches adopt the IVL mode only For more information about the MAC address forwarding table refer to the MAC Address Forwarding Table Management part of the manual 1 1 4 VLAN Interface Hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 swi...

Page 112: ...s of Ethernet Ports The link type of an Ethernet port on the S5600 series can be one of the following z Access An access port can belong to only one VLAN and is generally connected to a user PC z Trunk A trunk port can belong to more than one VLAN It can forward packets for multiple VLANs and is generally connected to another switch z Hybrid A hybrid port can belong to more than one VLAN to forwar...

Page 113: ... an outgoing packet Receive the packet and tag the packet with the default VLAN tag z If the VLAN ID is just the default VLAN ID receive the packet z If the VLAN ID is not the default VLAN ID discard the packet Strip the tag from the packet and send the packet Table 1 2 Packet processing of a trunk port Processing of an incoming packet For an untagged packet For a tagged packet Processing of an ou...

Page 114: ...also known as protocol VLAN which is another way to classify VLANs Through the protocol based VLANs the switch can analyze the received packets carrying no VLAN tag on the port and match the packets with the user defined protocol template automatically according to different encapsulation formats and the values of specific fields If a packet is matched the switch will add a corresponding VLAN tag ...

Page 115: ...cket or an 802 2 802 3 packet according to the ranges of the two fields Note The H3C S5600 series switches recognize packets with the value of the type field being in the range 0x05DD to 0x05FF as 802 2 802 3 encapsulated packets II Extended encapsulation formats of 802 2 802 3 packets 802 2 802 3 packets have the following three extended encapsulation formats z 802 3 raw encapsulation only the le...

Page 116: ...col ID PID fields Figure 1 8 802 2 SNAP encapsulation format In 802 2 SNAP encapsulation format the values of the DSAP field and the SSAP field are always 0xAA and the value of the control field is always 3 The switch differentiates between 802 2 LLC encapsulation and 802 2 SNAP encapsulation according to the values of the DSAP field and the SSAP field Note When the OUI is 00 00 00 in 802 2 SNAP e...

Page 117: ... 802 3 Encapsulation DSAP SSAP value Match the DSAP SSAP value 802 2 LLC Encapsulation 802 3 raw Encapsulation 0x0600 0xFFFF 0x0000 to 0x05FF Both are AA Both are FF Control field Value is not 3 802 2 SNAP Encapsulation Match the type value Value is 3 Figure 1 9 Protocol identification procedure 1 3 4 Encapsulation Formats Table 1 4 lists the encapsulation formats supported by some protocols In br...

Page 118: ...rd templates and user defined templates z The standard template adopts the RFC defined packet encapsulation formats and values of some specific fields as the matching criteria z The user defined template adopts the user defined encapsulation formats and values of some specific fields as the matching criteria After configuring the protocol template you must add a port to the protocol based VLAN and...

Page 119: ...uration Optional Displaying VLAN Configuration Optional 2 1 2 Basic VLAN Configuration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 to vlan id2 all Optional Create a VLAN and enter VLAN view vlan vlan id Required By default there is only one VLAN that is the default VLAN VLAN 1 Assign...

Page 120: ...perform basic VLAN interface configuration To do Use the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface Vlan interfac e vlan id Required By default there is no VLAN interface on a switch Specify the description string for the current VLAN interface description text Optional By default the description string of a VLAN interface is the n...

Page 121: ...n any view 2 2 Configuring a Port Based VLAN 2 2 1 Port Based VLAN Configuration Task List Complete these tasks to configure a port based VLAN Task Remarks Configuring the Link Type of an Ethernet Port Optional Assigning an Ethernet Port to a VLAN Required Configuring the Default VLAN for a Port Optional 2 2 2 Configuring the Link Type of an Ethernet Port Follow these steps to configure the link t...

Page 122: ...rface number Access port port access vlan vlan id Trunk port port trunk permit vlan vlan id list all Assign the port to one or multiple VLANs Hybrid port port hybrid vlan vlan id list tagged untagged Optional By default all Ethernet ports belong to VLAN 1 Note When assigning an access or hybrid port to a VLAN make sure the VLAN already exists 2 In VLAN view Follow these steps to assign one or mult...

Page 123: ...ptional VLAN 1 is the default VLAN by default Caution z After configuring the default VLAN for a trunk or hybrid port you need to use the port trunk permit command or the port hybrid vlan command to configure the port to allow traffic of the default VLAN to pass through Otherwise the port cannot forward traffic of the default VLAN nor can it receive VLAN untagged packets z The local and remote tru...

Page 124: ... Configuration procedure z Configure Switch A Create VLAN 100 specify its descriptive string as Dept1 and add GigabitEthernet 1 0 1 to VLAN 100 SwitchA system view SwitchA vlan 100 SwitchA vlan100 description Dept1 SwitchA vlan100 port GigabitEthernet 1 0 1 SwitchA vlan100 quit Create VLAN 200 and specify its descriptive string as Dept2 SwitchA vlan 200 SwitchA vlan200 description Dept2 SwitchA vl...

Page 125: ...abitEthernet 1 0 12 SwitchB vlan200 quit z Configure the link between Switch A and Switch B Because the link between Switch A and Switch B needs to transmit data of both VLAN 100 and VLAN 200 you can configure the ports at both ends of the link as trunk ports and permit packets of the two VLANs to pass through the two ports Configure GigabitEthernet 1 0 2 of Switch A SwitchA interface GigabitEther...

Page 126: ... before configuring the VLAN as a protocol based VLAN II Configuration procedure Follow these steps to configure the protocol template for a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the protocol template for the VLAN protocol vlan protocol index at ip ipx ethernetii llc raw snap mode ethernetii etype etype id llc dsap dsap id ssap ssap...

Page 127: ... that of snap packets To prevent two commands from processing packets of the same protocol type in different ways the system does not allow you to set both the dsap id and ssap id arguments to 0xFF 0xE0 or 0xAA z When you use the mode keyword to configure a user defined protocol template if you set the etype id argument for ethernetii or snap packets to 0x0800 0x8137 or 0x809B the matching packets...

Page 128: ...an id to vlan id all Display the protocol information and protocol indexes configured on the specified port display protocol vlan interface interface type interface number to interface type interface number all Available in any view 2 3 5 Protocol Based VLAN Configuration Example I Network requirements z As shown in Figure 2 2 Workroom connects to the LAN through port GigabitEthernet 1 0 10 on the...

Page 129: ...0 quit Switch vlan 200 Switch vlan200 port GigabitEthernet 1 0 12 Configure protocol templates for VLAN 200 and VLAN 100 matching AppleTalk protocol and IP protocol respectively Switch vlan200 protocol vlan at Switch vlan200 quit Switch vlan 100 Switch vlan100 protocol vlan ip To ensure the normal operation of IP network you need to configure a user defined protocol template for VLAN 100 to match ...

Page 130: ...1 0 10 port hybrid protocol vlan vlan 100 0 to 1 Switch GigabitEthernet1 0 10 port hybrid protocol vlan vlan 200 0 Display the associations between GigabitEthernet 1 0 10 and the VLAN protocol templates to verify your configuration Switch GigabitEthernet1 0 10 display protocol vlan interface GigabitEthernet 1 0 10 Interface GigabitEthernet1 0 10 VLAN ID Protocol Index Protocol Type 100 0 ip 100 1 ...

Page 131: ...IP Address Configuration Example II 1 5 Chapter 2 IP Performance Configuration 2 1 2 1 IP Performance Overview 2 1 2 1 1 Introduction to IP Performance Configuration 2 1 2 1 2 Introduction to FIB 2 1 2 2 Configuring IP Performance 2 1 2 2 1 IP Performance Configuration Task List 2 1 2 2 2 Configuring TCP Attributes 2 2 2 2 3 Enabling Reception and Forwarding of Directed Broadcasts to a Directly Co...

Page 132: ... 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z Net ID The first several bits of the IP address defining a network also known as class bits z Host ID Identifies a host on a networ...

Page 133: ... IP addresses z IP address with an all zeros net ID Identifies a host on the local network For example IP address 0 0 0 16 indicates the host with a host ID of 16 on the local network z IP address with an all zeros host ID Identifies a network z IP address with an all ones host ID Identifies a directed broadcast address For example a packet with the destination address of 192 168 1 255 will be bro...

Page 134: ...ple a Class B network can accommodate 65 534 216 2 Of the two deducted Class B addresses one with an all ones host ID is the broadcast address and the other with an all zeros host ID is the network address hosts before being subnetted After you break it down into 512 29 subnets by using the first 9 bits of the host ID for the subnet you have only 7 bits for the host ID and thus have only 126 27 2 ...

Page 135: ... one is the primary IP address and the others are secondary IP addresses A newly specified primary IP address overwrites the previous one if there is any z The primary and secondary IP addresses of an interface cannot reside on the same network segment the IP address of a VLAN interface must not be on the same network segment as that of a loopback interface on a device z A VLAN interface cannot be...

Page 136: ...ss for VLAN interface 1 Switch system view Switch interface Vlan interface 1 Switch Vlan interface1 ip address 129 2 2 1 255 255 255 0 1 4 2 IP Address Configuration Example II I Network requirements As shown in Figure 1 4 VLAN interface 1 on a switch is connected to a LAN comprising two segments 172 16 1 0 24 and 172 16 2 0 24 To enable the hosts on the two network segments to communicate with th...

Page 137: ... 16 1 1 on the PCs attached to the subnet 172 16 1 0 24 and to 172 16 2 1 on the PCs attached to the subnet 172 16 2 0 24 Ping a host on the subnet 172 16 1 0 24 from the switch to check the connectivity Switch ping 172 16 1 2 PING 172 16 1 2 56 data bytes press CTRL_C to break Reply from 172 16 1 2 bytes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 1 2 bytes 56 Sequence 2 ttl 255 time 27 ms...

Page 138: ...ytes press CTRL_C to break Reply from 172 16 2 2 bytes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 4 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 5 ttl 255 time 26 ms 172 16 2 2 ping statistics 5 packet s transmitted 5 packet s receive...

Page 139: ...figuring TCP attributes z Enabling reception of directed broadcasts to a directly connected network z Disabling ICMP to send error packets 2 1 2 Introduction to FIB Every switch stores a forwarding information base FIB FIB is used to store the forwarding information of the switch and guide Layer 3 packet forwarding You can know the forwarding information of the switch through the FIB table Each FI...

Page 140: ...er Follow these steps to configure TCP attributes To do Use the command Remarks Enter system view system view Configure TCP synwait timer s timeout value tcp timer syn timeout time value Optional 75 seconds by default Configure TCP finwait timer s timeout value tcp timer fin timeout time value Optional 675 seconds by default Configure the size of TCP receive send buffer tcp window window size Opti...

Page 141: ...e of network abnormalities ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate control and management Although sending ICMP error packets facilitate control and management it still has the following disadvantages z Sending a lot of ICMP packets will increase network traffic z If receiving a lot of malicious packets that caus...

Page 142: ... display ip socket socktype sock type task id socket id Display the forwarding information base FIB entries display fib Display the FIB entries matching the destination IP address display fib ip_address1 mask1 mask length1 ip_address2 mask2 mask length2 longer longer Display the FIB entries filtering through a specific ACL display fib acl number Display the FIB entries in the buffer which begin wi...

Page 143: ...I Network diagram Figure 2 1 Network diagram for enabling the reception of directed broadcast III Configuration procedure 1 Configure Switch A Enable Switch A to receive directed broadcasts SwitchA system view SwitchA ip forward broadcast Configure IP addresses for VLAN interface 3 and VLAN interface 2 SwitchA interface vlan interface 3 SwitchA Vlan interface3 ip address 1 1 1 2 24 SwitchA Vlan in...

Page 144: ...an interface 2 SwitchB Vlan interface2 ip address 2 2 2 1 24 After the above configurations if you ping the subnet broadcast address 2 2 2 255 on Host the ping packets can be received by VLAN interface 2 of Switch B However if you disable the ip forward broadcast command the ping packets cannot be received by the VLAN interface 2 of Switch B ...

Page 145: ... 1 5 Support for Voice VLAN on Various Ports 1 5 1 1 6 Security Mode of Voice VLAN 1 7 1 2 Voice VLAN Configuration 1 7 1 2 1 Configuration Prerequisites 1 7 1 2 2 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode 1 8 1 2 3 Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode 1 9 1 3 Displaying and Maintaining Voice VLAN 1 11 1 4 Voice VLAN Configu...

Page 146: ... into digital signals to enable them to be transmitted in IP based networks Used in conjunction with other voice devices IP phones can offer large capacity and low cost voice communication solutions As network devices IP phones need IP addresses to operate properly in a network An IP phone can acquire an IP address automatically or through manual configuration The following part describes how an I...

Page 147: ...uest for an IP address The message is broadcast in the default VLAN of the receiving port After receiving the DHCP request message DHCP Server 1 which resides in the default VLAN of the port receiving the message responds as follows z If DHCP Server 1 does not support Option 184 it returns the IP address assigned to the IP phone but ignores the other four special requests in the Option 184 field W...

Page 148: ... pass Note z An untagged packet carries no VLAN tag z A tagged packet carries the tag of a VLAN To set an IP address and a voice VLAN for an IP phone manually just make sure that the voice VLAN ID to be set is consistent with that of the switch and the NCP is reachable to the IP address to be set 1 1 2 How S5600 Series Switches Identify Voice Traffic S5600 series Ethernet switches determine whethe...

Page 149: ...N assignment mode for a port according to data traffic passing through the port I Processing mode of untagged packets sent by IP voice devices z Automatic voice VLAN assignment mode An S5600 Ethernet switch automatically adds a port connecting an IP voice device to the voice VLAN by learning the source MAC address in the untagged packet sent by the IP voice device when it is powered on The voice V...

Page 150: ...e device carries no VLAN tag the default VLAN of the port which the IP voice device is connected to must be configured as the voice VLAN In this case the 802 1x authentication is unavailable 1 1 5 Support for Voice VLAN on Various Ports Voice VLAN packets can be forwarded by access ports trunk ports and hybrid ports You can enable a trunk or hybrid port belonging to other VLANs to forward voice an...

Page 151: ...rt must be a voice VLAN and the access port is in the voice VLAN This can be done by adding the port to the voice VLAN manually Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and the voice VLAN Tagge d voice traffic Hybrid Supported Make sure the default VLAN of the port exists a...

Page 152: ...d VLANs whose traffic is permitted by the access port Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN Manual Hybrid Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the default VLAN and the voice VLAN is in the list of the tagged VLANs whose traf...

Page 153: ...ess Enable the voice VLAN security mode voice vlan security enable Optional By default the voice VLAN security mode is enabled Set the voice VLAN aging timer voice vlan aging minutes Optional The default aging timer is 1440 minutes Enable the voice VLAN function globally voice vlan vlan id enable Required Enter Ethernet port view interface interface type interface number Required Enable the voice ...

Page 154: ...changes in order to make the established voice connections work normally the system does not need to be triggered by the voice traffic to add the port in automatic voice VLAN assignment mode to the local devices as well as the IRF of the voice VLAN but does so immediately after the restart or the changes 1 2 3 Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode Follow these ...

Page 155: ...de on a port to manual undo voice vlan mode auto Required The default voice VLAN assignment mode on a port is automatic Quit to system view quit Enter VLAN view vlan vlan id Access port Add the port to the VLAN port interface list Enter port view interface interface type interface num Add the port to the VLAN port trunk permit vlan vlan id port hybrid vlan vlan id tagged untagged Required By defau...

Page 156: ...e dropped Therefore you are suggested not to transmit both voice data and service data in a voice VLAN If you have to do so make sure that the voice VLAN does not operate in security mode z The voice VLAN legacy feature realizes the communication between H3C device and other vendor s voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors voice device Th...

Page 157: ...configure it as the voice VLAN with the aging timer being 100 minutes z The IP phone sends tagged packets It is connected to GigabitEthernet 1 0 1 a hybrid port with VLAN 6 being its default VLAN Set this port to operate in automatic voice VLAN assignment mode z You need to add a user defined OUI address 0011 2200 000 with the mask being ffff ff00 0000 and the description string being test II Netw...

Page 158: ... 1 and configure GigabitEthernet 1 0 1 to permit packets with the tag of VLAN 6 DeviceA GigabitEthernet1 0 1 port hybrid pvid vlan 6 DeviceA GigabitEthernet1 0 1 port hybrid vlan 6 tagged Enable the voice VLAN function on GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 voice vlan enable 1 4 2 Voice VLAN Configuration Example Manual Voice VLAN Assignment Mode I Network requirements Create a voic...

Page 159: ...0000 mask ffff ff00 0000 description test Create VLAN 2 and configure it as a voice VLAN DeviceA vlan 2 DeviceA vlan2 quit DeviceA voice vlan 2 enable Configure GigabitEthernet 1 0 1 to operate in manual voice VLAN assignment mode DeviceA interface GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 undo voice vlan mode auto Configure GigabitEthernet 1 0 1 as a hybrid port DeviceA GigabitEthernet1 ...

Page 160: ...3 6b00 0000 ffff ff00 0000 Cisco phone 000f e200 0000 ffff ff00 0000 H3C Aolynk phone 0011 2200 0000 ffff ff00 0000 test 00d0 1e00 0000 ffff ff00 0000 Pingtel phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3Com phone Display the status of the current voice VLAN DeviceA display voice vlan status Voice Vlan status ENABLE Voice Vlan ID 2 Voice Vlan security mode Secur...

Page 161: ...RP 1 1 1 1 1 GARP 1 1 1 1 2 GVRP 1 4 1 1 3 Protocol Specifications 1 5 1 2 GVRP Configuration 1 5 1 2 1 GVRP Configuration Tasks 1 5 1 2 2 Enabling GVRP 1 5 1 2 3 Configuring GVRP Timers 1 6 1 2 4 Configuring GVRP Port Registration Mode 1 7 1 3 Displaying and Maintaining GVRP 1 8 1 4 GVRP Configuration Example 1 8 1 4 1 GVRP Configuration Example 1 8 ...

Page 162: ...RP application entity is present on a port on your device this port is regarded a GARP application entity I GARP messages and timers 1 GARP messages GARP members communicate with each other through the messages exchanged between them The messages performing important functions for GARP fall into three types Join Leave and LeaveAll z When a GARP entity wants its attribute information to be register...

Page 163: ...d for a specific period a second one is sent The period is determined by this timer z Leave When a GARP entity expects to deregister a piece of attribute information it sends out a Leave message Any GARP entity receiving this message starts its Leave timer and deregisters the attribute information if it does not receives a Join message again before the timer times out z LeaveAll Once a GARP entity...

Page 164: ...ities use specific multicast MAC addresses as their destination MAC addresses When receiving these packets the switch distinguishes them by their destination MAC addresses and delivers them to different GARP application for example GVRP for further processing III GARP message format The GARP packets are in the following format Figure 1 1 Format of GARP packets The following table describes the fie...

Page 165: ...on of GARP GARP VLAN registration protocol GVRP maintains dynamic VLAN registration information and propagates the information to the other switches through GARP With GVRP enabled on a device the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information including the information about the VLAN members the ports thr...

Page 166: ... VLAN 1 that is the port propagates only the information about VLAN 1 to the other GARP members 1 1 3 Protocol Specifications GVRP is defined in IEEE 802 1Q standard 1 2 GVRP Configuration 1 2 1 GVRP Configuration Tasks Complete the following tasks to configure GVRP Task Remarks Enabling GVRP Required Configuring GVRP Timers Optional Configuring GVRP Port Registration Mode Optional 1 2 2 Enabling ...

Page 167: ...All timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type interface number Configure the Hold Join and Leave timers garp timer hold join leave timer value Optional By default the Hold Join and Leave timers are set to 10 20 and 60 centiseconds respectively Note that z The setting of each timer must...

Page 168: ...e This lower threshold is greater than twice the timeout time of the Join timer You can change the threshold by changing the timeout time of the Join timer This upper threshold is less than the timeout time of the LeaveAll timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is greater than the timeout time of the Leave timer You can c...

Page 169: ...timer interface interface list Display GVRP statistics display gvrp statistics interface interface list Display the global GVRP status display gvrp status Clear GARP statistics reset garp statistics interface interface list Available in any view 1 4 GVRP Configuration Example 1 4 1 GVRP Configuration Example I Network requirements z Enable GVRP on all the switches in the network so that the VLAN c...

Page 170: ...RP on GigabitEthernet1 0 1 SwitchA GigabitEthernet1 0 1 gvrp SwitchA GigabitEthernet1 0 1 quit Configure GigabitEthernet1 0 2 to be a trunk port and to permit the packets of all the VLANs SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 port link type trunk SwitchA GigabitEthernet1 0 2 port trunk permit vlan all Enable GVRP on GigabitEthernet1 0 2 SwitchA GigabitEthernet1 0 2 g...

Page 171: ...quit 5 Configure Switch E Enable GVRP on Switch E which is similar to that of Switch A and is thus omitted Create VLAN 5 and VLAN 7 SwitchE vlan 5 SwitchE vlan5 quit SwitchE vlan 7 SwitchE vlan7 quit 6 Display the VLAN information dynamically registered on Switch A Switch B and Switch E Display the VLAN information dynamically registered on Switch A SwitchA display vlan dynamic Total 3 dynamic VLA...

Page 172: ...mic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch E SwitchE GigabitEthernet1 0 1 display vlan dynamic No dynamic vlans exist 8 Configure GigabitEthernet1 0 1 on Switch E to operate in forbidden GVRP registration mode and display the VLAN registration information dynamically registered on Switch A Switch B and Switch E Configure G...

Page 173: ...Operation Manual GVRP H3C S5600 Series Ethernet Switches Chapter 1 GVRP Configuration 1 12 SwitchE display vlan dynamic No dynamic vlans exist ...

Page 174: ... to Other Ports 1 4 1 1 6 Configuring Loopback Detection for an Ethernet Port 1 5 1 1 7 Enabling Loopback Test 1 6 1 1 8 Enabling the System to Test Connected Cable 1 7 1 1 9 Configuring the Interval to Perform Statistical Analysis on Port Traffic 1 8 1 1 10 Enabling Giant Frame Statistics Function 1 8 1 1 11 Disabling Up Down Log Output on a Port 1 8 1 1 12 Configuring Storm Control on a Port 1 9...

Page 175: ...r details refer to section Displaying and Maintaining Basic Port Configuration z The port state change delay configuration is added to this manual For details refer to Setting the Port State Change Delay 1 1 Ethernet Port Configuration 1 1 1 Initially Configuring a Port Follow these steps to initially configure a port To do Use the command Remarks Enter system view system view Enter Ethernet port ...

Page 176: ...boframe enable command 1 1 2 Configuring Port Auto Negotiation Speed You can configure an auto negotiation speed for a port by using the speed auto command Take a 10 100 1000 Mbps port as an example z If you expect that 10 Mbps is the only available auto negotiation speed of the port you just need to configure speed auto 10 z If you expect that 10 Mbps and 100 Mbps are the available auto negotiati...

Page 177: ...c on individual ports When a type of incoming traffic exceeds the threshold you set the system drops the packets exceeding the traffic limit to reduce the traffic ratio of this type to the reasonable range so as to keep normal network service Follow these steps to limit traffic on port To do Use the command Remarks Enter system view system view Limit broadcast traffic received on each port broadca...

Page 178: ...n duplicate the configuration of a port to specific ports Specifically the following types of port configuration can be copied from one port to other ports VLAN configuration protocol based VLAN configuration LACP configuration QoS configuration GARP configuration STP configuration and initial port configuration z VALN configuration includes IDs of the VLANs allowed on the port and the default VLA...

Page 179: ...ck Detection for an Ethernet Port Loopback detection is used to monitor if loopback occurs on a switch port After you enable loopback detection on Ethernet ports the switch can monitor if external loopback occurs on them If there is a loopback port found the switch will put it under control z If loopback is found on an access port the system disables the port sends a Trap message to the client and...

Page 180: ...ack detection only on the default VLAN of the current trunk or hybrid port Caution z To enable loopback detection on a specific port you must use the loopback detection enable command in both system view and the specific port view z After you use the undo loopback detection enable command in system view loopback detection will be disabled on all ports 1 1 7 Enabling Loopback Test You can configure...

Page 181: ...oopback test Some ports do not support loopback test and corresponding prompts will be given when you perform loopback test on them 1 1 8 Enabling the System to Test Connected Cable You can enable the system to test the cable connected to a specific port The test result will be returned in five seconds The system can test these attributes of the cable Receive and transmit directions RX and TX shor...

Page 182: ... system view Enter Ethernet port view interface interface type interface number Set the interval to perform statistical analysis on port traffic flow interval interval Optional By default this interval is 300 seconds 1 1 10 Enabling Giant Frame Statistics Function The giant frame statistics function is used to ensure transmission of network traffic and to facilitate statistics and analysis of unus...

Page 183: ...ut is enabled 1 1 12 Configuring Storm Control on a Port The storm control function is used to control traffic received on an Ethernet port z With traffic upper and lower thresholds specified on a port the system periodically collects statistics about the broadcast multicast unicast traffic on the port Once it finds that a type of traffic exceeds the specified upper threshold it blocks this type o...

Page 184: ...constrain interval interval value Optional It is 10 seconds by default Note z If the fabric function is enabled on a port of a device you cannot configure the storm control function on all ports of the device z If the broadcast suppression command multicast suppression command or unicast suppression command is configured on a port you cannot configure the storm control function on the port and vic...

Page 185: ...t state change delay To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the port state change delay link delay delay time Required Defaults to 0 which indicates the port state changes without any delay Note The delay configured in this way does not take effect for ports in DLDP down state For information about the...

Page 186: ...ormation about a specified unit display unit unit id interface Available in any view Display port loopback detection information display loopback detection Available in any view Display the statistics on dropped packets display packet drop interface interface type interface number summary Available in any view Clear port statistics reset counters interface interface type interface type interface n...

Page 187: ... GigabitEthernet1 0 1 Set GigabitEthernet1 0 1 as a trunk port Sysname GigabitEthernet1 0 1 port link type trunk Allow packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of GigabitEthernet1 0 1 to 100 Sysname GigabitEthernet1 0 1 port trunk pvid vlan 100 1 3 Troubleshooti...

Page 188: ... Group 1 2 1 2 2 Static LACP Aggregation Group 1 3 1 2 3 Dynamic LACP Aggregation Group 1 4 1 3 Aggregation Group Categories 1 5 1 4 Link Aggregation Configuration 1 7 1 4 1 Configuring a Manual Aggregation Group 1 7 1 4 2 Configuring a Static LACP Aggregation Group 1 8 1 4 3 Configuring a Dynamic LACP Aggregation Group 1 9 1 4 4 Configuring a Description for an Aggregation Group 1 10 1 5 Displayi...

Page 189: ... Introduction to LACP Link Aggregation Control Protocol LACP is designed to implement dynamic link aggregation and deaggregation This protocol is based on IEEE802 3ad and uses link aggregation control protocol data units LACPDUs to interact with its peer With LACP enabled on a port LACP notifies the following information of the port to its peer by sending LACPDUs priority and MAC address of this s...

Page 190: ...tion type and GARP timer settings z VLAN VPN configuration including VLAN VPN state enabled disabled Set the TPID value for the port Enable the inner to outer tag priority replicating feature Note S5600 series Ethernet switches support cross device link aggregation if IRF fabric is enabled 1 2 Link Aggregation Classification Depending on different aggregation modes the following three types of lin...

Page 191: ...rts and others as unselected ports Among the selected ports in an aggregation group the one with smallest port number operates as the master port Other selected ports are the member ports III Requirements on ports for manual aggregation Generally there is no limit on the rate and duplex mode of the ports also including initially down port you want to add to a manual aggregation group 1 2 2 Static ...

Page 192: ...ferent from that of the master port to unselected state z There is a limit on the number of selected ports in an aggregation group Therefore if the number of the selected ports in an aggregation group exceeds the maximum number supported by the device those with lower port numbers operate as the selected ports and others as unselected ports 1 2 3 Dynamic LACP Aggregation Group I Introduction to dy...

Page 193: ...D will be considered as the preferred one 2 Compare port IDs port priority port number on the preferred device The comparison between two port IDs is as follows First compare the two port priorities then the two port numbers if the two port priorities are equal the port with the smallest port ID is the selected port and the left ports are unselected ports Note For an aggregation group z When the r...

Page 194: ...hers If the groups can gain the same speed the one with smallest master port number has higher priority than other groups When an aggregation group of higher priority appears the aggregation groups of lower priorities release their hardware resources For single port aggregation groups they can transceive packets normally without occupying aggregation resources Caution z A load sharing aggregation ...

Page 195: ... be added to an aggregation group z Ports where the IP MAC address binding is configured cannot be added to an aggregation group z Port security enabled ports cannot be added to an aggregation group z The port with Voice VLAN enabled cannot be added to an aggregation group z Do not add ports with the inter VLAN MAC address replicating function of the selective QinQ feature enabled to an aggregatio...

Page 196: ...cur z When you change a dynamic static group to a manual group the system will automatically disable LACP on the member ports When you change a dynamic group to a static group the system will remain the member ports LACP enabled 2 When a manual or static aggregation group contains only one port you cannot remove the port unless you remove the whole aggregation group 1 4 2 Configuring a Static LACP...

Page 197: ...2 of the local device to port 1 of the peer device Otherwise packets may be lost 1 4 3 Configuring a Dynamic LACP Aggregation Group A dynamic LACP aggregation group is automatically created by the system based on LACP enabled ports The adding and removing of ports to from a dynamic aggregation group are automatically accomplished by LACP You need to enable LACP on the ports which you want to parti...

Page 198: ...een the aggregation peers and thus affect the selected unselected status of member ports in the dynamic aggregation group 1 4 4 Configuring a Description for an Aggregation Group To do Use the command Remarks Enter system view system view Configure a description for an aggregation group link aggregation group agg id description agg name Optional By default no description is configured for an aggre...

Page 199: ... type interface number Display local device ID display lacp system id Available in any view Clear LACP statistics about a specified port or port range reset lacp statistics interface interface type interface number to interface type interface number Available in user view 1 6 Link Aggregation Configuration Example 1 6 1 Ethernet Port Aggregation Configuration Example I Network requirements z Switc...

Page 200: ...oup 1 Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet1 0 3 Sysname GigabitEthernet1 0 3 port link aggregation group 1 2 Adopting static LACP aggregation mode Create static aggregation group 1 Sysname system view Sysname link aggregation group 1 mode static Add GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to aggregation group 1 Sysname interface GigabitEthernet 1 0 1 Sysn...

Page 201: ...bitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 lacp enable Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet1 0 3 Sysname GigabitEthernet1 0 3 lacp enable Caution The three LACP enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration such as rate duplex mode and so on ...

Page 202: ...ches Table of Contents i Table of Contents Chapter 1 Port Isolation Configuration 1 1 1 1 Port Isolation Overview 1 1 1 2 Port Isolation Configuration 1 1 1 3 Displaying and Maintaining Port Isolation Configuration 1 2 1 4 Port Isolation Configuration Example 1 2 ...

Page 203: ...your network in a more flexible way and improve your network security Currently you can create only one isolation group on an S5600 Series Ethernet switch The number of Ethernet ports in an isolation group is not limited Note z An isolation group only isolates the member ports in it z Port isolation is independent of VLAN configuration 1 2 Port Isolation Configuration You can perform the following...

Page 204: ...p z S5600 series Ethernet switches support cross device port isolation if IRF fabric is enabled z For S5600 series Ethernet switches belonging to the same IRF Fabric the port isolation configuration performed on a port of a cross device aggregation group cannot be synchronized to the other ports of the aggregation group if the ports reside on other units That is to add multiple ports in a cross de...

Page 205: ...tem view System View return to User View with Ctrl Z Sysname interface GigabitEthernet1 0 2 Sysname GigabitEthernet1 0 2 port isolate Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet1 0 3 Sysname GigabitEthernet1 0 3 port isolate Sysname GigabitEthernet1 0 3 quit Sysname interface GigabitEthernet1 0 4 Sysname GigabitEthernet1 0 4 port isolate Sysname GigabitEthernet1 0 4 quit Sy...

Page 206: ... Setting the Port Security Mode 1 7 1 2 4 Configuring Port Security Features 1 8 1 2 5 Ignoring the Authorization Information from the RADIUS Server 1 10 1 2 6 Configuring Security MAC Addresses 1 10 1 3 Displaying and Maintaining Port Security Configuration 1 11 1 4 Port Security Configuration Example 1 12 1 4 1 Port Security Configuration Example 1 12 Chapter 2 Port Binding Configuration 2 1 2 1...

Page 207: ...that enable devices to learn legal source MAC addresses so that you can implement different network security management as needed With port security enabled packets whose source MAC addresses cannot be learned by your switch in a security mode are considered illegal packets The events that cannot pass 802 1x authentication or MAC authentication are considered illegal With port security enabled upo...

Page 208: ...scription Feature noRestriction In this mode access to the port is not restricted In this mode neither the NTK nor the intrusion protection feature is triggered autolearn In this mode the port automatically learns MAC addresses and changes them to security MAC addresses This security mode will automatically change to the secure mode after the amount of security MAC addresses on the port reaches th...

Page 209: ...o the userLoginSecure mode except that besides the packets of the single 802 1x authenticated user the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port When the port changes from the normal mode to this security mode the system automatically removes the existing dynamic authenticated MAC address entries on the port macAddressWit hRadius In this mod...

Page 210: ...sElseUserLoginSecure mode except that there can be more than one 802 1x authenticated user on the port macAddressAnd UserLoginSecur e In this mode a port firstly performs MAC authentication for a user and then performs 802 1x authentication for the user if the user passes MAC authentication The user can access the network after passing the two authentications In this mode up to one user can access...

Page 211: ...nfiguring intrusion protection Configuring Port Security Features Configuring the Trap feature Optional Choose one or more features as required Ignoring the Authorization Information from the RADIUS Server Optional Configuring Security MAC Addresses Optional 1 2 1 Enabling Port Security I Configuration Prerequisites Before enabling port security you need to disable 802 1x and MAC authentication gl...

Page 212: ... not support the quick EAD deployment feature in 802 1x z The port security feature does not support the guest VLAN feature in MAC authentication 1 2 2 Setting the Maximum Number of MAC Addresses Allowed on a Port Port security allows more than one user to be authenticated on a port The number of authenticated users allowed however cannot exceed the configured upper limit By setting the maximum nu...

Page 213: ... value index index value Optional In userLoginWithOUI mode a port supports one 802 1x user plus one user whose source MAC address has a specified OUI value Enter Ethernet port view interface interface type interface number Set the port security mode port security port mode autolearn mac and userlogin sec ure mac and userlogin sec ure ext mac authentication mac else userlogin sec ure mac else userl...

Page 214: ...d to restore the port security mode to noRestriction with the undo port security port mode command z The port security mode of autolearn is not supported on fabric devices If the port security port mode mode command has been executed on a port none of the following can be configured on the same port z Maximum number of MAC addresses that the port can learn z Reflector port for port mirroring z Fab...

Page 215: ...ntrusion protection is disabled Return to system view quit Set the timer during which the port remains disabled port security timer disableport timer Optional 20 seconds by default Note The port security timer disableport command is used in conjunction with the port security intrusion mode disableport temporarily command to set the length of time during which the port remains disabled Caution If y...

Page 216: ...RADIUS server Follow these steps to configure a port to ignore the authorization information from the RADIUS server To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Ignore the authorization information from the RADIUS server port security authorization ignore Required By default a port uses the authorization information ...

Page 217: ...is enabled z The maximum number of security MAC addresses allowed on the port is set z The security mode of the port is set to autolearn II Configuring a security MAC address Follow these steps to configure a security MAC address To do Use the command Remarks Enter system view system view In system view mac address security mac address interface interface type interface number vlan vlan id interfa...

Page 218: ... learning MAC addresses If any frame with an unknown MAC address arrives intrusion protection is triggered and the port will be disabled and stay silent for 30 seconds II Network diagram Figure 1 1 Network diagram for port security configuration III Configuration procedure Enter system view Switch system view Enable port security Switch port security enable Enter GigabitEthernet1 0 1 port view Swi...

Page 219: ...nding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration 1 13 Switch GigabitEthernet1 0 1 port security intrusion mode disableport temporarily Switch GigabitEthernet1 0 1 quit Switch port security timer disableport 30 ...

Page 220: ... the port whose MAC address and IP address are identical with the bound MAC address and IP address This improves network security and enhances security monitoring 2 1 2 Configuring Port Binding Follow these steps to configure port binding To do Use the command Remarks Enter system view system view In system view am user bind mac addr mac address ip addr ip address interface interface type interfac...

Page 221: ... Example 2 3 1 Port Binding Configuration Example I Network requirements It is required to bind the MAC and IP addresses of Host A to GigabitEthernet 1 0 1 on Switch A so as to prevent malicious users from using the IP address they steal from Host A to access the network II Network diagram Figure 2 1 Network diagram for port binding configuration III Configuration procedure Configure Switch A as f...

Page 222: ...peration Manual Port Security Port Binding H3C S5600 Series Ethernet Switches Chapter 2 Port Binding Configuration 2 3 SwitchA GigabitEthernet1 0 1 am user bind mac addr 0001 0002 0003 ip addr 10 12 1 1 ...

Page 223: ...DP Fundamentals 1 2 1 2 1 DLDP Implementation 1 2 1 2 2 DLDP Status 1 6 1 2 3 DLDP Timers 1 7 1 2 4 DLDP Operating Mode 1 8 1 2 5 DLDP Neighbor State 1 8 1 2 6 Link Auto recovery Mechanism 1 9 1 3 DLDP Configuration 1 9 1 3 1 Performing Basic DLDP Configuration 1 9 1 3 2 Resetting DLDP State 1 11 1 3 3 Displaying and Maintaining DLDP 1 12 1 4 DLDP Configuration Example 1 12 ...

Page 224: ... problems such as loops in a Spanning Tree Protocol STP enabled network Unidirectional links can be caused by z Fiber cross connection as shown in Figure 1 1 z Fibers that are not connected or disconnected as shown in Figure 1 2 the hollow lines in which refer to fibers that are not connected or disconnected Device link detection protocol DLDP can detect the link status of an optical fiber cable o...

Page 225: ...hable ports z Even if both ends of links can work normally at the physical layer DLDP can detect whether these links are connected correctly and whether packets can be exchanged normally at both ends However the auto negotiation mechanism cannot implement this detection Note z In order for DLDP to detect fiber disconnection in one direction you need to configure the port to work in mandatory full ...

Page 226: ...al device Probe Probe packets are used to probe the existence of a neighbor Echo packets are required from the corresponding neighbor Probe packets carry the local port information Neighbor information is optional for probe packets A probe packet carrying neighbor information probes the specified neighbors A probe packet carrying no neighbor information probes all the neighbors Echo Response to pr...

Page 227: ...pon receiving a linkdown packet if the peer end operates in the enhanced mode it enters the disable state and sets the receiving port to the DLDP down state auto shutdown mode or gives an alarm to the user manual shutdown mode Recover Probe Recover probe packets are used to detect whether a link recovers to implement the port auto recovery mechanism Recover probe packets carry only the local port ...

Page 228: ...eady exists on the local device DLDP resets the aging timer of the entry Flush packet Removes the neighbor entry from the local device Creates the neighbor entry if it does not exist on the local device Probe packet Sends echo packets containing both neighbor and its own information to the peer Resets the aging timer of the entry if the neighbor entry already exists on the local device No Drops th...

Page 229: ...bled but the corresponding link is down Active DLDP is enabled and the link is up or an neighbor entry is cleared Advertisement All neighbors communicate normally in both directions or DLDP remains in active state for more than five seconds and enters this status It is a stable state where no unidirectional link is found Probe DHCP sends packets to check whether the link is a unidirectional It ena...

Page 230: ...imer is enabled When an advertisement packet is received from a neighbor the neighbor entry is updated and the corresponding entry aging timer is updated In the normal mode if no packet is received from the neighbor when the entry aging timer expires DLDP sends an advertisement packet with an RSY tag and deletes the neighbor entry In the enhanced mode if no packet is received from the neighbor whe...

Page 231: ...down timer expires Otherwise it removes the DLDP neighbor information and changes to the inactive state 1 2 4 DLDP Operating Mode DLDP can operate in two modes normal and enhanced Table 1 7 DLDP operating mode and neighbor entry aging DLDP operating mode DLDP detects whether neighbors exist or not when neighbor tables are aging The entry aging timer is enabled or not during neighbor entry aging Th...

Page 232: ...k is restored to a bidirectional link it is brought up by DLDP The detailed process is as follows 1 A port in the DLDP down state sends a recover probe packet every 2 seconds Recover probe packets carry only the local port information 2 Upon receiving a recover probe packet the peer end responds with a recover echo packet 3 Upon receiving a recover echo packet the local end checks to see if the ne...

Page 233: ...ectional link is detected dldp unidirectional shutdown auto manual Optional By default the handling mode is auto Set the DLDP operating mode dldp work mode enhance normal Optional By default DLDP works in normal mode Note the following when performing basic DLDP configuration z DLDP works only when the link is up z To ensure unidirectional links can be detected make sure DLDP is enabled on both si...

Page 234: ...ed by fiber cross connection and the other is caused by one fiber being not connected or being disconnected z When DLDP works in normal mode the system can identify unidirectional links caused by fiber cross connection z When the device is busy with services and the CPU utilization is high DLDP may issue mistaken reports You are recommended to configure the operating mode of DLDP as manual after u...

Page 235: ...rs between Switch A and Switch B are cross connected DLDP disconnects the unidirectional links after detecting them z After the fibers are connected correctly the ports shut down by DLDP are restored II Network diagram SwitchB SwitchA PC SwitchB SwitchA PC SwitchB SwitchA PC SwitchB SwitchA PC GE1 0 50 GE1 0 51 GE1 0 50 GE1 0 51 Figure 1 3 Network diagram for DLDP configuration III Configuration p...

Page 236: ...ote When two switches are connected through fibers in a crossed way two or three ports may be in the disable state and the rest in the inactive state When a fiber is connected to a device correctly on one end with the other end connected to no device z If the device operates in the normal DLDP mode the end that receives optical signals is in the advertisement state the other end is in the inactive...

Page 237: ...onfiguring MAC Address Table Management 1 5 1 2 1 MAC Address Table Management Configuration Task List 1 5 1 2 2 Configuring a MAC Address Entry 1 6 1 2 3 Setting the MAC Address Aging Timer 1 7 1 2 4 Setting the Maximum Number of MAC Addresses a Port Can Learn 1 7 1 2 5 Enabling Destination MAC Address Triggered Update 1 8 1 2 6 Assigning MAC Addresses for Ethernet Ports 1 9 1 3 Displaying MAC Ad...

Page 238: ... Ethernet ports was introduced For more information refer to Assigning MAC Addresses for Ethernet Ports 1 1 Overview 1 1 1 Introduction to MAC Address Table An Ethernet switch is mainly used to forward packets at the data link layer that is transmit the packets to the corresponding ports according to the destination MAC address of the packets To forward packets quickly a switch maintains a MAC add...

Page 239: ...anual configuration z MAC address learning Generally the majority of MAC address entries are created and maintained through MAC address learning The following describes the MAC address learning process of a switch 1 As shown in Figure 1 1 User A and User B are both in VLAN 1 When User A communicates with User B the packet from User A needs to be transmitted to GigabitEthernet 1 0 1 At this time th...

Page 240: ...ensure that User B can receive the packet Figure 1 3 MAC address learning diagram 2 3 Because the switch broadcasts the packet both User B and User C can receive the packet However User C is not the destination device of the packet and therefore does not process the packet Normally User B will respond to User A as shown in Figure 1 4 When the response packet from User B is sent to GigabitEthernet ...

Page 241: ...the MAC address of User B Hence the switch still broadcasts the packets destined for User B z The switch learns only unicast addresses by using the MAC address learning mechanism but directly drops any packet with a broadcast source MAC address 1 1 3 Managing MAC Address Table I Aging of MAC address table To fully utilize a MAC address table which has a limited capacity the switch uses an aging me...

Page 242: ...h discards the packets destined for or originated from the MAC addresses contained in blackhole MAC address entries Table 1 1 lists the different types of MAC address entries and their characteristics Table 1 1 Characteristics of different types of MAC address entries MAC address entry Configuration method Aging time Reserved or not at reboot if the configuration is saved Static MAC address entry ...

Page 243: ... a MAC address entry mac address static dynamic blackhole mac address interface interface type interface number vlan vlan id Required Caution z When you add a MAC address entry the port specified by the interface argument must belong to the VLAN specified by the vlan argument in the command Otherwise the entry will not be added z If the VLAN specified by the vlan argument is a dynamic VLAN after a...

Page 244: ...z If the aging timer is set too short the switch may remove valid MAC address entries This decreases the forwarding performance of the switch Follow these steps to set aging time of MAC address entries To do Use the command Remarks Enter system view system view Set the MAC address aging timer mac address timer aging age no aging Required The default is 300 seconds Normally you are recommended to u...

Page 245: ...t the maximum number of MAC addresses the port can learn mac address max mac count count Required By default the number of the MAC addresses a port can learn is not limited Note If you have configured the maximum number of MAC addresses that a port can learn you cannot enable the MAC address authentication or port security functions on the port and vice versa 1 2 5 Enabling Destination MAC Address...

Page 246: ...ffecting the maintenance of the MAC address table To avoid the problem you are allowed to assign MAC addresses to the Ethernet ports on an S5600 series switch The idea is to assign a MAC address called the start port MAC address for the start Ethernet port that is GigabitEthernet 1 0 1 and each of the following ports uses the MAC address of the preceding port plus 1 as its MAC address For example ...

Page 247: ...abitEthernet 1 0 2 To prevent the switch from broadcasting packets destined for the server it is required to add the MAC address of the server to the MAC address table of the switch which then forwards packets destined for the server through GigabitEthernet 1 0 2 z The MAC address of the server is 000f e20f dc71 z Port GigabitEthernet 1 0 2 belongs to VLAN 1 II Configuration procedure Enter system...

Page 248: ...ual MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management 1 11 000f e20f f116 1 Learned GigabitEthernet1 0 2 AGING 4 mac address es found on port GigabitEthernet1 0 2 ...

Page 249: ...guration 1 2 1 2 2 Auto Detect Implementation in Static Routing 1 3 1 2 3 Auto Detect Implementation in VRRP 1 3 1 2 4 Auto Detect Implementation in VLAN Interface Backup 1 4 1 3 Auto Detect Configuration Examples 1 5 1 3 1 Configuration Example for Auto Detect Implementation in Static Routing 1 5 1 3 2 Configuration Example for Auto Detect Implementation in VRRP 1 6 1 3 3 Configuration Example fo...

Page 250: ...s ICMP requests to the group and waits for the ICMP replies from the group based on the user defined policy which includes the number of ICMP requests and the timeout waiting for a reply Then according to the check result the switch determines whether to make the applications using the detected group take effect Currently the following features are used in conjunction with Auto Detect z Static rou...

Page 251: ... the group option and or Optional By default the and keyword is specified Set an interval between detecting operations timer loop interval Optional By default the detecting interval is 15 seconds Set the number of ICMP requests during a detecting operation retry retry times Optional By default the number is 2 Set a timeout waiting for an ICMP reply timer wait seconds Optional By default the timeou...

Page 252: ...group to a static route ip route static ip address mask mask length interface type interface number next hop preference preference value reject blackhole detect group group number Required 1 2 3 Auto Detect Implementation in VRRP You can enable Auto Detect on the master switch in a VRRP group use the Auto Detect function to detect the routes from the master switch to other networks and use the det...

Page 253: ... to ensure the data transmission In this case the Auto Detect function is implemented as follows z In normal situations that is when the detected group is reachable the standby VLAN interface is down and packets are transmitted through the active VLAN interface z When the link between the active VLAN interface and the destination faults that is the detected group is unreachable the system enables ...

Page 254: ...set to 1 z On switch A configure a static route to Switch C z Enable the static route when the detected group 8 is reachable z To ensure normal operating of the auto detect function configure a static route to Switch A on Switch C II Network diagram Figure 1 1 Network diagram for implementing the auto detect function in static route III Configuration procedure Configure the IP addresses of all the...

Page 255: ...ckets sourced from Host A and destined for Host B is forwarded by Switch A under normal situations z When the connection between Switch A and Switch C fails Switch B becomes the master in VRRP group 1 automatically and the link from Switch B to Host B the backup link is enabled II Network diagram 20 1 1 1 24 Host A Switch A Switch B Virtual IP address 192 168 1 10 24 Vlan int1 192 168 1 2 24 Vlan ...

Page 256: ...face1 vrrp vrid 1 track detect group 9 reduced 20 z Configure Switch B Enable VRRP on VLAN interface 1 and assign a virtual IP address to the VRRP group SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 vrrp vrid 1 virtual ip 192 168 1 10 Set the VRRP group priority of Switch B to 100 SwitchB Vlan interface1 vrrp vrid 1 priority 100 1 3 3 Configuration Example for Auto...

Page 257: ... SwitchA system view Create auto detected group 10 SwitchA detect group 10 Add the IP address of 10 1 1 4 to detected group 10 to detect the reachability of the IP address with the IP address of 192 168 1 2 as the next hop and the detecting number set to 1 SwitchA detect group 10 detect list 1 ip address 10 1 1 4 nexthop 192 168 1 2 SwitchA detect group 10 quit Specify to enable VLAN interface 2 w...

Page 258: ...ork 1 27 1 3 9 Configuring the MSTP Time related Parameters 1 28 1 3 10 Configuring the Timeout Time Factor 1 30 1 3 11 Configuring the Maximum Transmitting Rate on the Current Port 1 30 1 3 12 Configuring the Current Port as an Edge Port 1 32 1 3 13 Specifying Whether the Link Connected to a Port Is Point to point Link 1 33 1 3 14 Enabling MSTP 1 34 1 4 Configuring Leaf Nodes 1 36 1 4 1 Configura...

Page 259: ...roduction 1 48 1 7 2 Configuring Digest Snooping 1 48 1 8 Configuring Rapid Transition 1 50 1 8 1 Introduction 1 50 1 8 2 Configuring Rapid Transition 1 52 1 9 Configuring VLAN VPN Tunnel 1 53 1 9 1 Introduction 1 53 1 9 2 Configuring VLAN VPN tunnel 1 54 1 10 STP Maintenance Configuration 1 55 1 10 1 Introduction 1 55 1 10 2 Enabling Log Trap Output for Ports of MSTP Instance 1 55 1 10 3 Configur...

Page 260: ...ation z Displaying STP maintenance Refer to Displaying and Maintaining MSTP z Sending trap messages conforming to 802 1d standard Refer to Enabling Trap Messages Conforming to 802 1d Standard 1 1 STP Overview I Functions of STP Spanning tree protocol STP is a protocol conforming to IEEE 802 1d It aims to eliminate loops on data link layer in a local area network LAN Devices running this protocol d...

Page 261: ...Therefore the root bridge is not fixed Upon network convergence the root bridge generates and sends out configuration BPDUs periodically Other devices just forward the configuration BPDUs received This mechanism ensures the topological stability 2 Root port On a non root bridge device the root port is the port with the lowest path cost to the root bridge The root port is used for communicating wit...

Page 262: ...s Device B and the designated port is the port BP2 on Device B Figure 1 1 A schematic diagram of designated bridges and designated ports Note All the ports on the root bridge are designated ports 4 Path cost Path cost is a value used for measuring link capacity By comparing the path costs of different links STP selects the most robust links and blocks the other links to prune the network into a tr...

Page 263: ... of description the description and examples below involve only four parts of a configuration BPDU z Root bridge ID in the form of device priority z Root path cost z Designated bridge ID in the form of device priority z Designated port ID in the form of port name 1 Detailed calculation process of the STP algorithm z Initial state Upon initialization of a device each device generates a BPDU with it...

Page 264: ...ation BPDU that has the lowest root bridge ID has the highest priority z If all configuration BPDUs have the same root bridge ID they will be compared for their root path costs If the root path cost in a configuration BPDU plus the path cost corresponding to this port is S the configuration BPDU with the smallest S value has the highest priority z If all configuration BPDUs have the same root path...

Page 265: ... based on the comparison result z If the calculated configuration BPDU is superior this port will serve as the designated port and the configuration BPDU on the port will be replaced with the calculated configuration BPDU which will be sent out periodically z If the configuration BPDU on the port is superior the device stops updating the configuration BPDUs of the port and blocks the port so that ...

Page 266: ...ice The following table shows the initial state of each device Table 1 4 Initial state of each device Device Port name BPDU of port AP1 0 0 0 AP1 Device A AP2 0 0 0 AP2 BP1 1 0 1 BP1 Device B BP2 1 0 1 BP2 CP1 2 0 2 CP1 Device C CP2 2 0 2 CP2 z Comparison process and result on each device The following table shows the comparison process and result on each device ...

Page 267: ... the configuration BPDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port 1 0 1 BP1 and updates the configuration BPDU of BP1 z Port BP2 receives the configuration BPDU of Device C 2 0 2 CP2 Device B finds that the configuration BPDU of the local port 1 0 1 BP2 is superior to the received configuration BPDU and discard...

Page 268: ... AP2 Designated port CP2 0 10 2 CP2 z Next port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process z At the same time port CP1 receives configuration BPDUs periodically from Device A Device C does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 Device ...

Page 269: ...mer to time the configuration BPDU while it sends out this configuration BPDU through the designated port z If the configuration BPDU received on the designated port has a lower priority than the configuration BPDU of the local port the port will immediately sends out its better configuration BPDU in response z If a path becomes faulty the root port on this path will no longer receive new configur...

Page 270: ...be propagated throughout the entire network z Hello time the interval for sending hello packets Hello packets are used to check link state A switch sends hello packets to its neighboring devices at a regular interval the hello time to check whether the links are faulty z Max time lifetime of the configuration BPDUs stored in a switch A configuration BPDU that has expired is discarded by the switch...

Page 271: ...ng tree II Features of MSTP The multiple spanning tree protocol MSTP overcomes the shortcomings of STP and RSTP In addition to support for rapid network convergence it also allows data flows of different VLANs to be forwarded along their own paths thus providing a better load sharing mechanism for redundant links MSTP features the following z MSTP supports mapping VLANs to MST instances MSTIs by m...

Page 272: ...d to these switches These switches have the same region name the same VLAN to MSTI mapping configuration and the same MSTP revision level A switched network can contain multiple MST regions You can group multiple switches into one MST region by using the corresponding MSTP configuration commands As shown in Figure 1 4 all the switches in region A0 are of the same MST region related configuration i...

Page 273: ...twork that connects all MST regions in the network If you regard each MST region in the network as a switch then the CST is the spanning tree generated by STP or RSTP running on the switches VI CIST A CIST is the spanning tree in a switched network that connects all switches in the network It comprises the ISTs and the CST In Figure 1 4 the ISTs in the MST regions and the CST connecting the MST re...

Page 274: ...rt or master port z A backup port is the secondary port of a designated port and is used for rapid transition With the designated port being blocked the backup port becomes the new designated port fast and begins to forward data seamlessly When two ports of an MSTP enabled switch are interconnected the switch blocks one of the two ports to eliminate the loop that occurs The blocked port is the bac...

Page 275: ...rwarding state Ports in this state can forward user packets and receive send BPDU packets z Learning state Ports in this state can receive send BPDU packets but do not forward user packets z Discarding state Ports in this state can only receive BPDU packets Port roles and port states are not mutually dependent Table 1 6 lists possible combinations of port states and port roles Table 1 6 Combinatio...

Page 276: ...rt on it as a root with the root path cost being 0 the ID of the designated bridge being that of the switch and the designated port being itself 1 Each switch sends out its configuration BPDUs and operates in the following way when receiving a configuration BPDU on one of its ports from another switch z If the priority of the configuration BPDU is lower than that of the configuration BPDU of the p...

Page 277: ... then compares the calculated configuration BPDU with the original configuration BPDU received from the corresponding port on another switch If the latter takes precedence over the former the switch blocks the local port and keeps the port s configuration BPDU unchanged so that the port can only receive configuration messages and cannot forward packets Otherwise the switch sets the local port to t...

Page 278: ...iority of a switch cannot be changed after the switch is specified as the root bridge or a secondary root bridge Configuring How a Port Recognizes and Sends MSTP Packets Optional Configuring the MSTP Operation Mode Optional Configuring the Maximum Hop Count of an MST Region Optional Configuring the Network Diameter of the Switched Network Optional The default value is recommended Configuring the M...

Page 279: ...egion configuration Configure the name of the MST region region name name Required The default MST region name of a switch is its MAC address instance instance id vlan vlan list Configure the VLAN to MSTI mapping table for the MST region vlan mapping modulo modulo Required Both commands can be used to configure VLAN to MSTI mapping tables By default all VLANs in an MST region are mapped to MSTI 0 ...

Page 280: ...enabled switches are in the same region only when they have the same format selector a 802 1s defined protocol selector which is 0 by default and cannot be configured MST region name VLAN to MSTI mapping table and revision level z The H3C series support only the MST region name VLAN to MSTI mapping table and revision level Switches with the settings of these parameters being the same are assigned ...

Page 281: ...ime centi seconds Required II Specify the current switch as the secondary root bridge of a spanning tree Follow these steps to specify the current switch as the secondary root bridge of a spanning tree To do Use the command Remarks Enter system view system view Specify the current switch as the secondary root bridge of a specified spanning tree stp instance instance id root secondary bridge diamet...

Page 282: ...bridges for the same MSTI on two or more switches using the stp root primary command z You can configure multiple secondary root bridges for one MSTI That is you can configure secondary root bridges for the same MSTI on two or more switches using the stp root secondary command z You can also configure the current switch as the root bridge by setting the priority of the switch to 0 Note that once a...

Page 283: ... 5 Configuring How a Port Recognizes and Sends MSTP Packets A port can be configured to recognize and send MSTP packets in the following modes z Automatic mode Ports in this mode determine the format of the MSTP packets to be sent according to the format of the received packets z Legacy mode Ports in this mode recognize send packets in legacy format z 802 1s mode Ports in this mode recognize send ...

Page 284: ...d Remarks Enter system view system view Configure how a port recognizes and sends MSTP packets stp interface interface type interface number compliance auto dot1s legacy Required By default a port recognizes and sends MSTP packets in the automatic mode That is it determines the format of packets to be sent according to the format of the packets received Follow these steps to configure how a port r...

Page 285: ... switches exist in a switched network you can use the stp mode rstp command to configure an MSTP enabled switch to operate in RSTP compatible mode z MSTP mode where the ports of a switch send MSTP BPDUs or STP BPDUs if the switch is connected to STP enabled switches to neighboring devices In this case the switch is MSTP capable I Configuration procedure Follow these steps to configure the MSTP ope...

Page 286: ...settings of their root bridges I Configuration procedure Follow these steps to configure the maximum hop count for an MST region To do Use the command Remarks Enter system view system view Configure the maximum hop count of the MST region stp max hops hops Required By default the maximum hop count of an MST region is 20 The bigger the maximum hop count the larger the MST region is Note that only t...

Page 287: ... to CIST it is invalid for MSTIs II Configuration example Configure the network diameter of the switched network to 6 Sysname system view Sysname stp bridge diameter 6 1 3 9 Configuring the MSTP Time related Parameters Three MSTP time related parameters exist forward delay hello time and max age You can configure the three parameters to control the process of spanning tree calculation I Configurat...

Page 288: ...network resources And a too small hello time parameter may result in duplicated configuration BPDUs being sent frequently which increases the work load of the switches and wastes network resources The default value is recommended z As for the max age parameter if it is too small network congestion may be falsely regarded as link failures which results in frequent spanning tree recalculation If it ...

Page 289: ...e and then initiates the spanning tree recalculation process Spanning trees may be recalculated even in a steady network if an upstream switch continues to be busy You can configure the timeout time factor to a larger number to avoid such cases Normally the timeout time can be four or more times of the hello time For a steady network the timeout time can be five to seven times of the hello time I ...

Page 290: ...um transmitting rate in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the maximum transmitting rate stp transmit limit packetnum Required The maximum transmitting rate of all Ethernet ports on a switch defaults to 10 As the maximum transmitting rate parameter determines the number of the c...

Page 291: ... view Follow these steps to configure a port as an edge port in system view To do Use the command Remarks Enter system view system view Configure the specified ports as edge ports stp interface interface list edged port enable Required By default all the Ethernet ports of a switch are non edge ports II Configure a port as an edge port in Ethernet port view Follow these steps to configure a port as...

Page 292: ... 1 stp edged port enable 1 3 13 Specifying Whether the Link Connected to a Port Is Point to point Link A point to point link directly connects two switches If the roles of the two ports at the two ends of a point to point link meet certain criteria the two ports can turn to the forwarding state rapidly by exchanging synchronization packets thus reducing the forward delay You can determine whether ...

Page 293: ...e same aggregation group z If an auto negotiating port operates in full duplex mode after negotiation you can configure the link of the port as a point to point link After you configure the link of a port as a point to point link the configuration applies to all the MSTIs the port belongs to If the actual physical link of a port is not a point to point link and you forcibly configure the link as a...

Page 294: ...arks Enter system view system view Enable MSTP stp enable Required MSTP is disabled by default Enter Ethernet port view interface interface type interface number Disable MSTP on the port stp disable Optional By default MSTP is enabled on all ports after you enable MSTP in system view To enable a switch to operate more flexibly you can disable MSTP on specific ports As MSTP disabled ports do not pa...

Page 295: ... and Sends MSTP Packets Optional Configuring the Timeout Time Factor Optional Configuring the Maximum Transmitting Rate on the Current Port Optional The default value is recommended Configuring the Current Port as an Edge Port Optional Configuring the Path Cost for a Port Optional Configuring Port Priority Optional Specifying Whether the Link Connected to a Port Is Point to point Link Optional Not...

Page 296: ... a Port The path cost parameter reflects the rate of the link connected to the port For a port on an MSTP enabled switch the path cost may be different in different MSTIs You can enable flows of different VLANs to travel along different physical links by configuring appropriate path costs on ports so that VLAN based load balancing can be implemented Path cost of a port can be determined by the swi...

Page 297: ...95 2 000 000 1 000 000 666 666 500 000 2 000 1 800 1 600 1 400 100 Mbps Half duplex Full duplex Aggregated link 2 ports Aggregated link 3 ports Aggregated link 4 ports 19 15 15 15 200 000 100 000 66 666 50 000 200 180 160 140 1 000 Mbps Full duplex Aggregated link 2 ports Aggregated link 3 ports Aggregated link 4 ports 4 3 3 3 20 000 10 000 6 666 5 000 20 18 16 14 10 Gbps Full duplex Aggregated li...

Page 298: ...se the command Remarks Enter system view System view Enter Ethernet port view interface interface type interface number Configure the path cost for the port stp instance instance id cost cost Required An MSTP enabled switch can calculate path costs for all its ports automatically Changing the path cost of a port may change the role of the port and put it in state transition Executing the stp cost ...

Page 299: ...t In the same condition the port with the smallest port priority value becomes the root port A port on an MSTP enabled switch can have different port priorities and play different roles in different MSTIs This enables packets of different VLANs to be forwarded along different physical paths so that VLAN based load balancing can be implemented You can configure port priority in one of the following...

Page 300: ... system view Sysname system view Sysname stp interface GigabitEthernet 1 0 1 instance 1 port priority 16 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp instance 1 port priority 16 1 4 9 Specifying Whether the Link Connected to a Port Is a Point to point Link Refer to Specifying Whether the Link Connect...

Page 301: ...orm the mCheck operation in the following two ways I Perform the mCheck operation in system view Follow these steps to perform the mCheck operation in system view To do Use the command Remarks Enter system view system view Perform the mCheck operation stp interface interface list mcheck Required II Perform the mCheck operation in Ethernet port view Follow these steps to perform the mCheck operatio...

Page 302: ... shut down in this way can only be restored by the administrator II Root guard A root bridge and its secondary root bridges must reside in the same region The root bridge of the CIST and its secondary root bridges are usually located in the high bandwidth core region Configuration errors or attacks may result in configuration BPDUs with their priorities higher than that of a root bridge which caus...

Page 303: ...n enabled a switch performs a removing operation upon receiving a TC BPDU and triggers a timer set to 10 seconds by default at the same time Before the timer expires the switch only performs the removing operation for limited times up to six times by default regardless of the number of the TC BPDUs it receives Such a mechanism prevents a switch from being busy in removing the MAC address table and...

Page 304: ...nfiguring BPDU Guard I Configuration procedure Follow these steps to configure BPDU guard To do Use the command Remarks Enter system view system view Enable the BPDU guard function stp bpdu protection Required The BPDU guard function is disabled by default II Configuration example Enable the BPDU guard function Sysname system view Sysname stp bpdu protection 1 6 4 Configuring Root Guard I Configur...

Page 305: ...et 1 0 1 root protection 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp root protection 1 6 5 Configuring Loop Guard I Configuration procedure Follow these steps to configure loop guard To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interfa...

Page 306: ...can remove the MAC address table and ARP entries within each 10 seconds stp tc protection threshold number Optional III Configuration example Enable the TC BPDU attack guard function Sysname system view Sysname stp tc protection enable Set the maximum times for the switch to remove the MAC address table and ARP entries within 10 seconds to 5 Sysname system view Sysname stp tc protection threshold ...

Page 307: ...ST region related settings as the other switches in the MST region This problem can be overcome by implementing the digest snooping feature If a port on an S5600 Ethernet switch is connected to another manufacturer s switch that has the same MST region related configuration as its own but adopts a proprietary spanning tree protocol you can enable digest snooping on the port Then the S5600 Ethernet...

Page 308: ...igure digest snooping To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the digest snooping feature stp config digest snooping Required The digest snooping feature is disabled on a port by default Return to system view quit Enable the digest snooping feature globally stp config digest snooping Required The digest s...

Page 309: ... s switches adopting proprietary spanning tree protocols in the same MST region z When the digest snooping feature is enabled globally the VLAN to MSTI mapping table cannot be modified z The digest snooping feature is not applicable to boundary ports in an MST region z The digest snooping feature is not applicable to edge ports in an MST region 1 8 Configuring Rapid Transition 1 8 1 Introduction D...

Page 310: ...pport RSTP compatible mode the root port on the downstream switch receives no agreement packet from the upstream switch and thus sends no agreement packets to the upstream switch As a result the designated port of the upstream switch fails to transit rapidly and can only turn to the forwarding state after a period twice the forward delay Some other manufacturers switches adopt proprietary spanning...

Page 311: ...nother manufacturer s switch The former operates as the downstream switch and the latter operates as the upstream switch The network operates normally The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports Port 1 is the designated port The downstream H3C switch is running MSTP Port 2 is the root port ...

Page 312: ... 1 9 1 Introduction The VLAN VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed customer networks through specified VLAN VPNs in service provider networks through which spanning trees can be generated across these customer networks and are independent of those of the service provider network As shown in Figure 1 9 the upper part is the service ...

Page 313: ... vpn tunnel Required The VLAN VPN tunnel function is disabled by default Enter Ethernet port view interface interface type interface number Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN VPN tunnel function Enable the VLAN VPN function for the Ethernet port vlan vpn enable Required By default the VLAN VPN function is disabled on all ports Note z T...

Page 314: ...for the ports of a specified instance stp instance instance id portlog Required By default log trap output is disabled for the ports of all instances Enable log trap output for the ports of all instances stp portlog all Required By default log trap output is disabled for the ports of all instances 1 10 3 Configuration Example Enable log trap output for the ports of instance 1 Sysname system view S...

Page 315: ... spanning trees of the current device display stp instance instance id interface interface list slot slot number brief Display region configuration display stp region configuration Display information about the ports that are shut down by STP protection display stp portdown Display information about the ports that are blocked by STP protection display stp abnormalport Display information about the...

Page 316: ...ch C is configured as the root bridge of MSTI 4 II Network diagram Figure 1 10 Network diagram for MSTP configuration Note The word permit shown in Figure 1 10 means the corresponding link permits packets of specific VLANs III Configuration procedure 1 Configure Switch A Enter MST region view Sysname system view Sysname stp region configuration Configure the region name VLAN to MSTI mapping table ...

Page 317: ...on manually Sysname mst region active region configuration Specify Switch B as the root bridge of MSTI 3 Sysname stp instance 3 root primary 3 Configure Switch C Enter MST region view Sysname system view Sysname stp region configuration Configure the MST region Sysname mst region region name example Sysname mst region instance 1 vlan 10 Sysname mst region instance 3 vlan 30 Sysname mst region inst...

Page 318: ...work diagram z Switch A and Switch B are the access devices for the customer networks z Switch C and Switch D are connected to each other through the configured trunk ports of the switches The VLAN VPN tunnel function is enabled in system view thus implementing transparent transmission between the customer networks and the service provider network II Network diagram Eth 1 0 1 Switch A Switch D Swi...

Page 319: ...on it Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 port access vlan 10 Sysname GigabitEthernet1 0 1 vlan vpn enable Sysname GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0 2 as a trunk port Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 port link type trunk Add the trunk port to all VLANs Sysname GigabitEthernet1 0 2 port trunk permit vlan all ...

Page 320: ... port access vlan 10 Sysname GigabitEthernet1 0 2 stp disable Sysname GigabitEthernet1 0 2 quit Configure GigabitEthernet 1 0 1 as a trunk port Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 port link type trunk Add the trunk port to all VLANs Sysname GigabitEthernet1 0 1 port trunk permit vlan all ...

Page 321: ... Route 2 1 2 1 2 Default Route 2 2 2 2 Static Route Configuration 2 2 2 2 1 Configuration Prerequisites 2 2 2 2 2 Configuring a Static Route 2 2 2 3 Displaying and Maintaining Static Routes 2 3 2 4 Static Route Configuration Example 2 3 2 5 Troubleshooting a Static Route 2 5 Chapter 3 RIP Configuration 3 1 3 1 RIP Overview 3 1 3 1 1 Basic Concepts 3 1 3 1 2 RIP Startup and Operation 3 2 3 2 RIP Co...

Page 322: ...Interface 4 18 4 5 3 Configuring an NBMA P2MP Neighbor 4 19 4 5 4 Configuring the DR Priority on an OSPF Interface 4 19 4 6 OSPF Route Control 4 20 4 6 1 Configuration Prerequisites 4 20 4 6 2 Configuring OSPF Route Summarization 4 20 4 6 3 Configuring OSPF to Filter Received Routes 4 21 4 6 4 Configuring the OSPF Cost on an Interface 4 22 4 6 5 Configuring OSPF Route Priority 4 22 4 6 6 Configuri...

Page 323: ...Configuring the Way to Advertise Receive Routing Information 5 20 5 4 1 Configuration Prerequisites 5 20 5 4 2 Importing Routes 5 20 5 4 3 Configuring BGP Route Summarization 5 21 5 4 4 Enabling Default Route Advertising 5 22 5 4 5 Configuring BGP Route Distribution Filtering Policies 5 22 5 4 6 Configuring BGP Route Reception Filtering Policies 5 23 5 4 7 Disable BGP IGP Route Synchronization 5 2...

Page 324: ...licy 6 4 6 3 3 Defining if match Clauses and apply Clauses 6 5 6 4 IP Prefix Configuration 6 7 6 4 1 Configuration Prerequisites 6 7 6 4 2 Configuring an ip prefix list 6 7 6 5 AS Path List Configuration 6 8 6 6 Community List Configuration 6 8 6 7 Displaying IP Routing Policy 6 9 6 8 IP Routing Policy Configuration Example 6 9 6 8 1 Configuring to Filter Received Routing Information 6 9 6 8 2 Con...

Page 325: ...The last router on the route is responsible for delivering the packet to the destination host 1 1 2 Routing Table I Function The key for a router to forward packets is the routing table Each router maintains a routing table Each entry in this table contains an IP address that represents a host subnet and specifies which physical port on the router should be used to forward the packets destined for...

Page 326: ...multiple routes with different next hops to the same destination These routes may be discovered by different routing protocols or be manually configured static routes The one with the highest preference the smallest numerical value will be selected as the current optimal route According to different destinations routes fall into the following categories z Subnet route The destination is a subnet z...

Page 327: ...stable networks with simple topologies It cannot adapt itself to any network topology change automatically so that you must perform routing configuration again whenever the network topology changes Dynamic routing is based on dynamic routing protocols which can detect network topology changes and recalculate the routes accordingly Therefore dynamic routing is suitable for large networks It is comp...

Page 328: ...nation address z Unicast routing protocols RIP OSPF BGP and IS IS z Multicast routing protocols PIM SM and PIM DM This chapter focuses on unicast routing protocols For information on multicast routing protocols refer to the part discussing Multicast 1 2 3 Routing Protocols and Routing Priority Different routing protocols may find different routes including static routes to the same destination How...

Page 329: ...considered valid and are used to forward packets thus achieving load sharing II Route backup You can configure multiple routes to the same destination expecting the one with the highest priority to be the primary route and all the rest backup routes Route backup can help improve network reliability Automatic switching can happen between the primary route and a backup route Under normal circumstanc...

Page 330: ...ic ACL display ip routing table acl acl number verbose Display information about routes permitted by a prefix list display ip routing table ip prefix ip prefix name verbose Display routes to a specified destination display ip routing table ip address mask mask length longer match verbose Display routes to specified destinations display ip routing table ip address1 mask1 mask length1 ip address2 ma...

Page 331: ... make routers work normally Proper configuration and usage of static routes can improve network performance and ensure sufficient bandwidth for important applications When the network topology changes static routes may become unreachable because they cannot adapt themselves to the change automatically thus resulting in network interruption In this case the network administrator needs to modify the...

Page 332: ...ble the default route will be selected to forward the packet z If there is no default route the packet will be discarded and an ICMP Destination Unreachable or Network Unreachable packet will be returned to the source A default route can be manually configured or generated by some dynamic routing protocols such as OSPF and RIP 2 2 Static Route Configuration 2 2 1 Configuration Prerequisites Before...

Page 333: ...n Display the brief information of a routing table display ip routing table Display the detailed information of a routing table display ip routing table verbose Display the information of static routes display ip routing table protocol static inactive verbose Available in any view Delete all static routes delete static routes all Available in system view 2 4 Static Route Configuration Example I Ne...

Page 334: ...route or default route 1 Perform the following configurations on the switch Approach 1 Configure static routes on Switch A SwitchA system view SwitchA ip route static 1 1 3 0 255 255 255 0 1 1 2 2 SwitchA ip route static 1 1 4 0 255 255 255 0 1 1 2 2 SwitchA ip route static 1 1 5 0 255 255 255 0 1 1 2 2 Approach 2 Configure a static route on Switch A SwitchA system view SwitchA ip route static 0 0...

Page 335: ...1 4 1 Detailed configuration procedure is omitted Set the default gateway address of Host C to 1 1 1 1 Detailed configuration procedure is omitted Now all the hosts and switches in the figure can communicate with each other 2 5 Troubleshooting a Static Route Symptom The switch is not configured with a dynamic routing protocol Both the physical status and the link layer protocol status of an interf...

Page 336: ...0 to exchange routing information through UDP packets RIP uses hop count also called routing cost to measure the distance to a destination address In RIP the hop count from a router to its directly connected network is 0 and that to a network which can be reached through another router is 1 and so on To restrict the time to converge RIP prescribes that the cost is an integer ranging from 0 and 15 ...

Page 337: ...with the routing metric set to 16 If no update is announced for that route after the Garbage Collect timer expires the route will be deleted from the routing table IV Routing loops prevention RIP is a distance vector D V based routing protocol Since a RIP router advertises its own routing table to neighbors routing loops may occur RIP uses the following mechanisms to prevent routing loops z Counti...

Page 338: ...tional Configuring Basic RIP Functions Specifying the RIP version on an interface Optional Setting the additional routing metrics of an interface Optional Configuring RIP route summarization Optional Disabling the router from receiving host routes Optional Configuring RIP to filter incoming outgoing routes Optional Setting RIP preference Optional Enabling load sharing among RIP interfaces Optional...

Page 339: ...iew can take effect only after RIP is enabled z RIP operates on the interfaces attached to a specified network segment When RIP is disabled on an interface it does not operate on the interface that is it neither receives sends routes on the interface nor forwards any interface route Therefore after RIP is enabled globally you must also specify its operating network segments to enable it on the cor...

Page 340: ...uting table by setting route summarization and disabling the receiving of host routes z Filter incoming and outgoing routes z Set the preference of RIP to change the preference order of routing protocols This order makes sense when more than one route to the same destination is discovered by multiple routing protocols z Redistribute external routes in an environment with multiple routing protocols...

Page 341: ...tion means that when the router advertises RIP updates different subnet routes in the same natural network segment can be aggregated into one route with a natural mask for transmission to another network segment This function is used to reduce the routing traffic on the network as well as the size of the routing table When it is necessary to advertise RIP route updates in a subnet disable the rout...

Page 342: ...routes Besides you can configure RIP to receive only the RIP packets from a specific neighbor Follow these steps to configure RIP to filter incoming outgoing routes To do Use the command Remarks Enter system view system view Enter RIP view rip filter policy acl number ip prefix ip prefix name gateway ip prefix name route policy route policy name import Configure RIP to filter incoming routes filte...

Page 343: ...Setting RIP preference Follow these steps to set RIP preference To do Use the command Remarks Enter system view system view Enter RIP view rip Set the RIP preference preference value Required 100 by default VI Enabling load sharing among RIP interfaces Follow these steps to enable load sharing among RIP interfaces To do Use the command Remarks Enter system view system view Enter RIP view rip Enabl...

Page 344: ... convergence speed of RIP network by adjusting RIP timers z Avoiding routing loops by configuring split horizon z Packet validation in network environments with high security requirements and z Configuring RIP to unicast RIP messages on interfaces with special requirements 3 5 1 Configuration Prerequisites Before adjusting RIP perform the following tasks z Configuring the network layer addresses o...

Page 345: ...view interface interface type interface number Enable split horizon rip split horizon Required Enabled by default Note Split horizon cannot be disabled on a point to point link III Configuring RIP 1 packet zero field check Follow these steps to configure RIP 1 packet zero field check To do Use the command Remarks Enter system view system view Enter RIP view rip Enable the check of the must be zero...

Page 346: ... simple password md5 rfc2082 key string key id rfc2453 key string Required If you specify to use MD5 authentication you must specify one of the following MD5 authentication types z rfc2453 this type supports the packet format defined in RFC 2453 z rfc2082 this type supports the packet format defined in RFC 2082 V Configuring RIP to unicast RIP packets Follow these steps to configure RIP to unicast...

Page 347: ...RIP can implement communication between any two nodes II Network diagram According to the network requirements the network topology is designed as shown in Figure 3 1 Switch A Switch B Switch C Vlan int 2 Ethernet Vlan int 4 Vlan int 3 Vlan int 1 Device Interface IP address Device Interface IP address Switch A Vlan int1 110 11 2 1 24 Switch B Vlan int1 110 11 2 2 24 Vlan int2 155 10 1 1 24 Vlan in...

Page 348: ...P SwitchC system view SwitchC rip SwitchC rip network 117 102 0 0 SwitchC rip network 110 11 2 0 3 8 Troubleshooting RIP Configuration 3 8 1 Failed to Receive RIP Updates I Symptom The Ethernet switch cannot receive any RIP update when the physical connection between the switch and the peer routing device is normal II Solution Check that z RIP is enabled by using the network command on the corresp...

Page 349: ...plicability OSPF supports various networks in size and even networks with up to several hundred routers z Fast convergence OSPF can transmit update packets immediately after the network topology changes so that the change can be synchronized in the autonomous system AS z Loop free Since OSPF calculates routes with the shortest path first algorithm according to the collected link states it guarante...

Page 350: ...ed directed graph z According to the weighted directed graph each router uses the shortest path first SPF algorithm to calculate the shortest path tree with itself as the root The tree shows the routes to the nodes in the autonomous system External routes are leaf nodes which are marked with the routers from which they are advertised to record information outside the AS The routing tables obtained...

Page 351: ...neighbors z DD packet When two routers synchronize their databases they use database description DD packets to describe their own LSDBs including the summary of each LSA The summary refers to the header of an LSA which uniquely identifies the LSA This reduces the size of traffic transmitted between the routers because the header of an LSA only occupies a small portion of the LSA With the header th...

Page 352: ... described by AS external LSAs 2 Type 7 LSAs In RFC 1587 OSPF NSSA Option Type 7 LSA a new LSA type is added As described in RFC 1587 Type 7 LSAs and Type 5 LSAs mainly differ in the following two ways z Type 7 LSAs are generated and advertised in an NSSA where Type 5 LSAs will not be generated or advertised z Type 7 LSAs can only be advertised in an NSSA area When Type 7 LSAs reach an ABR the ABR...

Page 353: ...k This will lower the network bandwidth utilization Even worse any change of the topology will cause all the routers on the network to re perform route calculation OSPF solves the above mentioned problem by dividing an AS into multiple areas Areas refer to groups into which routers are logically divided Each group is identified by an Area ID as shown in Figure 4 1 Figure 4 1 OSPF area partition On...

Page 354: ...outers 4 Autonomous system border router ASBR The router exchanging routing information with another AS is an ASBR which may not reside on the boundary of the AS It can be an internal router or area border router Area 1 Area 2 Area 3 Area 4 Backbone Router ASBR RIP RIP Internal Router ABR Area 0 Figure 4 2 OSPF router types 5 Type 7 LSAs translator A Type 7 LSAs translator takes effect on an ABR T...

Page 355: ... be satisfied In this case configuring OSPF virtual links is a solution 2 Virtual link A virtual link is established between two area border routers through a non backbone area and is configured on both ABRs to take effect The area that provides the non backbone area internal route for the virtual link is a transit area In the following figure Area 2 has no direct physical link to the backbone are...

Page 356: ... be a totally stub area z The stub command must be configured on routers in a totally stub area z A totally stub area cannot have an ASBR because AS external routes cannot be distributed into the stub area z Virtual links cannot transit totally stub areas V NSSA area Similar to a stub area an NSSA area imports no AS external LSA Type 5 LSA but can import Type 7 LSAs that are generated by the ASBR ...

Page 357: ...wing figure in Area 1 are three internal routes 19 1 1 0 24 19 1 2 0 24 and 19 1 3 0 24 By configuring route summarization on Router A the three routes are summarized with the route 19 1 0 0 16 that is advertised into Area 0 Figure 4 6 Route summarization OSPF has two types of route summarization 1 ABR route summarization To distribute routing information to other areas an ABR generates Type 3 LSA...

Page 358: ...he type2 external route is much bigger than the cost from the ASBR to an OSPF internal router Therefore the cost from the internal router to the destination of the type2 external route the cost from the ASBR to the destination of the type2 external route If two routes to the same destination have the same cost then take the cost from the router to the ASBR into consideration 4 1 5 OSPF Network Typ...

Page 359: ...non broadcast and multi accessible whereas a P2MP network is not necessarily fully connected z DR and BDR are required to be elected on an NBMA network but not on a P2MP network z NBMA is a default network type A P2MP network however must be compulsorily changed from another network type The more common practice is to change an NBMA network into a P2MP network z Since NBMA interfaces send packets ...

Page 360: ...blished The figure shows that with the DR BDR mechanism adopted seven adjacencies suffice among the five routers DR BDR DRother DRother DRother Figure 4 7 DR BDR II DR BDR election The DR and BDR in a network are elected by all routers rather than configured manually The DR priority of an interface determines its qualification for DR BDR election Interfaces attached to the network and having prior...

Page 361: ...ng protocols At present OSPF supports importing the routes of other dynamic routing protocols such as RIP and static routes as OSPF external routes into the AS to which the router belongs In addition OSPF supports advertising the routing information it discovered to other routing protocols z Packet authentication OSPF supports the authentication of the packets between neighboring routers in the sa...

Page 362: ...al Optional Disabling OSPF Packet Transmission on an Interface Optional Configuring OSPF Authentication Optional Configuring the MTU Field in DD Packets Optional Enabling OSPF Logging of Neighbor State Changes Optional OSPF Network Adjustment and Optimization Configuring OSPF Network Management Optional 4 3 Basic OSPF Configuration Before you can configure other OSPF features you must first enable...

Page 363: ...onfiguring an area and the network segments in the area You need to plan areas in an AS before performing the corresponding configurations on each router When configuring the routers in the same area please note that most configurations should be uniformly made based on the area Wrong configuration may disable information transmission between neighboring routers and even lead to congestion or self...

Page 364: ...e AS you can configure these areas as stub areas A stub area cannot redistribute any external route For this reason the concept of NSSA is introduced Type7 LSAs can be advertised in an NSSA Type7 LSAs are generated by ASBRs in the NSSA and will be transformed into Type 5 LSAs AS external LSAs whey reaching ABRs in the NSSA area which will then be advertised to other areas After area partition the ...

Page 365: ...nfigure a virtual link vlink peer router id hello seconds retransmit seconds trans delay seconds dead seconds simple password md5 keyid key Optional For a virtual link to take effect you need to use this command at both ends of the virtual link and ensure consistent configurations of the hello dead and other parameters at both ends Note z You must use the stub command on all the routers connected ...

Page 366: ...sic OSPF configuration 4 5 2 Configuring the Network Type of an OSPF Interface Follow these steps to configure the network type of an OSPF interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the network type of the OSPF interface ospf network type broadcast nbma p2mp unicast p2p Required By default the netwo...

Page 367: ...n right Follow these steps to configure NBMA P2MP neighbor To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Required Configure an NBMA P2MP neighbor peer ip address dr priority dr priority Required By default the priority for the neighbor of an NBMA interface is 1 4 5 4 Configuring the DR Priority on an OSPF Interface You can control t...

Page 368: ... priority is 0 to establish the adjacencies 4 6 OSPF Route Control Perform the following configurations to control the advertisement and reception of the routing information discovered by OSPF and import routing information discovered by other protocols 4 6 1 Configuration Prerequisites Before configuring OSPF route control perform the following tasks z Configuring the network layer addresses of i...

Page 369: ...mmarization of imported routes is disabled 4 6 3 Configuring OSPF to Filter Received Routes Follow these steps to configure OSPF to filter received routes To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Configure to filter the received routes filter policy acl number ip prefix ip prefix name gateway ip prefix name import Required By d...

Page 370: ...s routing protocols arises The system sets a priority for each routing protocol which you can change manually and when more than one route to the same destination is discovered by different protocols the system add the route discovered by the protocol with the highest priority to the routing table Follow these steps to configure OSPF route priority To do Use the command Remarks Enter system view s...

Page 371: ... value type value tag value route policy route policy name Required By default OSPF does not import the routing information of other protocols Configure OSPF to filter outgoing routes filter policy acl number ip prefix ip prefix name export protocol Optional By default OSPF does not filter advertised routes Enable OSPF to import the default route default route advertise always cost value type type...

Page 372: ... interfaces transmit LSAs z By Adjusting SPF calculation interval you can mitigate resource consumption caused by frequent network changes z In a network with high security requirements you can enable OSPF authentication to enhance OSPF network security z In addition OSPF supports network management You can configure the binding of the OSPF MIB with an OSPF process and configure the Trap message t...

Page 373: ...erval on the NBMA interface ospf timer poll seconds Optional 40 seconds by default Configure the dead time of the neighboring router on the interface ospf timer dead seconds Optional By default the dead time for the OSPF neighboring router on a p2p or broadcast interface is 40 seconds and that for the OSPF neighboring router on a p2mp or NBMA interface is 120 seconds Configure the interval for ret...

Page 374: ... the shortest paths need to be recalculated When the network changes frequently calculating the shortest paths immediately after LSDB changes will consume enormous resources and affect the operation efficiency of the router By adjusting the minimum SPF calculation interval you can lighten the negative affect caused by frequent network changes Follow these steps to configure the SPF calculation int...

Page 375: ...thout affecting the interface for any other process z After an OSPF interface is set to be in silent status the interface can still advertise its direct route However the Hello packets from the interface will be blocked and no adjacencies can be established on the interface This enhances OSPF networking adaptability thus reducing the consumption of system resources 4 7 6 Configuring OSPF Authentic...

Page 376: ...hentication passwords for all routers on a network segment must also be consistent 4 7 7 Configuring the MTU Field in DD Packets By default an interface uses value 0 instead of its actual MTU value when transmitting DD packets After the following configuration the actual interface MTU is filled in the MTU field in DD packets Follow these steps to configure to fill the MTU field when an interface t...

Page 377: ...w these steps to configure OSPF network management NM To do Use the command Remarks Enter system view system view Configure OSPF MIB binding ospf mib binding process id Optional By default OSPF MIB is bound to the first enabled OSPF process Enable OSPF Trap sending snmp agent trap enable ospf process id ifauthfail ifcfgerror ifrxbadpkt ifstatechange iftxretransmit lsdbapproachoverflow lsdboverflow...

Page 378: ...rmation display ospf process id peer brief statistics Display OSPF next hop information display ospf process id nexthop Display OSPF routing table display ospf process id routing Display OSPF virtual links display ospf process id vlink Display OSPF request list display ospf process id request queue Display OSPF retransmission list display ospf process id retrans queue Display the information about...

Page 379: ...h A Switch D Switch C Switch B Vlan int1 Vlan int1 Vlan int1 Vlan int1 Device Interface IP address Router ID Interface priority Switch A Vlan int1 196 1 1 1 24 1 1 1 1 100 Switch B Vlan int1 196 1 1 2 24 2 2 2 2 0 Switch C Vlan int1 196 1 1 3 24 3 3 3 3 2 Switch D Vlan int1 196 1 1 4 24 4 4 4 4 1 Figure 4 8 Network diagram for DR BDR election III Configuration procedure Configure Switch A SwitchA ...

Page 380: ...an interface1 quit SwitchD router id 4 4 4 4 SwitchD ospf SwitchD ospf 1 area 0 SwitchD ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 On Switch A run the display ospf peer command to display its OSPF peers Note that Switch A has three peers The state of each peer is full which means that adjacency is established between Switch A and each peer Switch A and Switch C must establish adjacencies with...

Page 381: ...g OSPF Virtual Link I Network requirements Devices in the network run OSPF to realize interconnection The network is split into three areas one backbone area and two non backbone areas Area 1 and Area 2 Area 2 has no direct connection to the backbone and it has to reach the backbone through Area 1 The customer hopes that Area 2 can interconnect with other two areas Based on the customer requiremen...

Page 382: ...dress 197 1 1 2 255 255 255 0 SwitchB Vlan interface2 quit SwitchB router id 2 2 2 2 SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 area 1 SwitchB ospf 1 area 0 0 0 1 network 197 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 1 vlink peer 3 3 3 3 Configure Switch C SwitchC system view SwitchC interface Vlan inte...

Page 383: ...type of network z If the network type of the interface on the local router is NBMA a neighbor must be specified by using the peer command III Solution Perform the following procedure 1 Use the display ip interface brief command to verify that the link layer works normally 2 Use the ping command to check network layer connectivity 3 Use the display ospf interface command to view the OSPF interface ...

Page 384: ...an NSSA area check that the NSSA attributes are configured for all routers in the area 7 Check that Stub or NSSA areas are not a transit area of any virtual link Virtual links cannot pass through a Stub or NSSA area III Solution Perform the following procedure 1 Use the display ospf peer command to view the OSPF neighbor status 2 Use the display ospf interface command to view the OSPF configuratio...

Page 385: ... a group of routers that adopt the same routing policy and belong to the same technical management department Four versions of BGP exist BGP 1 described in RFC1105 BGP 2 described in RFC1163 BGP 3 described in RFC1267 and BGP 4 described in RFC1771 As the actual internet exterior routing protocol standard BGP 4 is widely employed between internet service providers ISP BGP is featured by the follow...

Page 386: ...own as the peer of another BGP speaker if it exchanges messages with the latter A group of correlated peers can form a peer group BGP can operate on a router in one of the following forms z IBGP Internal BGP z EBGP External BGP When BGP runs inside an AS it is called interior BGP IBGP when BGP runs among different ASs it is called exterior BGP EBGP 5 1 1 BGP Message Type I Format of a BGP packet h...

Page 387: ...ue is 4 z My Autonomous System Local AS number By comparing this filed of both sides a router can determine whether the connection between itself and the BGP peer is of EBGP or IBGP z Hold time Hold time is to be determined when two BGP speakers negotiate for the connection between them The Hold times of two BGP peers are the same A BGP speaker considers the connection between itself and its BGP p...

Page 388: ...achable route list z Total Path Attribute Length Length in bytes of the Path Attributes field A value of 0 indicates that there is no Path Attributes filed in the message z Path Attributes Attributes list of all the paths related to NLRI Each path attribute is a TLV Type Length Value triplet In BGP loop avoidance routing and protocol extensions are implemented through these attribute values z NLRI...

Page 389: ...set z SAFI Subsequent address family identifier 5 1 2 BGP Route Attributes I Routes attributes classification BGP route attributes describe route so that BGP can filter and choose the routes In fact all the BGP route attributes can be classified into the following four categories z Well known mandatory attributes which can be identified by any BGP routers Route attributes of this type are carried ...

Page 390: ...h the network command z EGP BGP routes with their ORIGIN attributes being EGP are obtained through EGP z Incomplete BGP routes with their ORIGIN attributes being Incomplete have the least priority This value does not indicate that the BGP route is unreachable it means the source of the BGP route cannot be determined The ORIGIN attribute of a BGP route imported through the import route command is I...

Page 391: ...ed to choose and filter routes BGP chooses the routes containing less AS numbers with shorter path under the same circumstances For example in Figure 5 6 the BGP router in AS50 will choose the path passing through AS40 as the route to the router in AS 10 In some applications you can increase the number of AS numbers a BGP route contains through routing policy to control BGP routing in a flexible w...

Page 392: ...HOP attribute of the routing information But with load balancing enabled the NEXT_HOP attribute is changed when the BGP route is sent to a IBGP neighbor Figure 5 7 The NEXT_HOP attribute 4 MED MULTI_EXIT_DISC The MED attribute is only valid between two neighboring ASs The AS receiving this attribute will not advertise this attribute to a third AS The MED attribute is used to determine the optimal ...

Page 393: ...GP to compare MED values of routes coming from different ASs 5 LOCAL_PREF The LOCAL_PREF attribute is only valid among IBGP peers It is not advertised to other ASs It indicates the priority of a BGP router LOCAL_PREF attribute is used to determine the optimal route for traffic leaving an AS For multiple routes a BGP receives from different IBGP peers if they have the same destination address but d...

Page 394: ...this attribute can be advertised to all BGP peers z No_EXPORT Routes with this attribute cannot be sent to routers outside the local AS With the presence of the confederation routes of this kind cannot be advertised outside the confederation they can only be advertised in the sub ASs in the confederation For information about confederation refer to section 5 1 4 Problems in Large Scale BGP Network...

Page 395: ...outes to the new peer once a new BGP connection is established 5 1 4 Problems in Large Scale BGP Networks I Route summarization BGP routing tables in a large scale network may be huge in size Route summarization can largely diminish the size of a routing table Route summarization aggregates multiple routes to one route It enables a BGP router to replace multiple specific routes with one summary ro...

Page 396: ...ressed route is decreased by half in each specific period known as half life When the penalty value is decreased to a value less than the reuse threshold the route gets valid and is added to the routing table again At the same time the BGP router sends corresponding update packets to its BGP peers Figure 5 10 Diagram for BGP route dampening III Peer group Peer group is a set of peers that are the ...

Page 397: ...ting policy with more flexibility V Router reflector To ensure the connectivity among the IBGP peers in an AS you need to make the IBGP peers fully connected For an AS with the number of the routers in it being n you need to establish at least n n 1 2 IBGP connections to make them fully connected This requires large amount of network resources and CPU time if large amount of IBGP peers exist in th...

Page 398: ... to avoid routing loops Figure shows a cluster containing two RRs Route Reflector1 Route Reflector2 Client Client Client IBGP IBGP IBGP Cluster IBGP AS 65000 Figure 5 12 A cluster containing two RRs RR is unnecessary for clients that are already fully connected You can disable routing information reflection using corresponding commands provided by the switches Note The configuration to disable rou...

Page 399: ... BGP speaker The confederation ID which is usually the corresponding AS number uniquely identifies a confederation In Figure 5 13 AS 200 is a confederation ID The disadvantage of confederation is that when an AS changes from non confederation to confederation configurations are needed on the routers and the topology changes In a large scale BGP network router reflector and confederation can be use...

Page 400: ...which stands for multiprotocol reachable NLRI and is used to advertise reachable routes and next hop information z MP_UNREACH_NLRI which stands for multiprotocol unreachable NLRI and is used to withdraw unreachable routes The two attributes are all of the optional non transitive type Therefore BGP speakers that do not support multiple protocols ignore the information carried in the two attributes ...

Page 401: ...oute Dampening Optional Configuring BGP Route Attributes Optional Tuning and Optimizing a BGP Network Optional Configuring BGP Peer Group Required Configuring BGP Community Required Configuring BGP RR Optional Configuring a Large Scale BGP Network Configuring BGP Confederation Optional 5 3 Basic BGP Configuration This section describes basic BGP configuration Note As BGP is based on TCP connection...

Page 402: ...rwise noted refer to configuration in BGP view for information about the configuration in multicast address family view For information about the related commands refer to the command manual of this manual The following configurations are all for BGP view 5 3 3 Configuring Basic BGP Functions Follow these steps to configure basic BGP functions To do Use the command Remarks Enter system view system...

Page 403: ...blish EBGP connections You can configure the maximum hops of EBGP connection by specifying the hop count argument Note z To configure basic functions of BGP peer group you need to create the BGP peer group first Refer to section 5 7 2 Configuring BGP Peer Group for information about creating a BGP peer group z In order for route updating packets being sent even if problems occur on interfaces you ...

Page 404: ...information is available when you configure the way to advertise receive BGP routing information z The summarization mode and the summary route z Access list number z Filtering direction advertising receiving and the route policies to be adopted z Route dampening settings such as half life and the thresholds 5 4 2 Importing Routes With BGP employed an AS can send its interior routing information t...

Page 405: ...g BGP Route Summarization In a medium large sized BGP network you can reduce the number of the routes to be advertised to BGP peers through route summarization Route summarization means that subnet routes in a natural network are summarized with a natural network which is sent to other networks This function can reduce the number of routing updates advertised to peers and the sizes of peer routing...

Page 406: ...cy name suppress policy route policy name Required By default routes are not summarize d 5 4 4 Enabling Default Route Advertising Follow these steps to enable default rout advertising To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable default route advertising peer group name default route advertise Required By default a BGP router does not send default...

Page 407: ...CL based filtering policy for a peer group peer group name as path acl acl number export Filter the routing information to be advertised to a peer group IP prefix based BGP route filtering policy for a peer group peer group name ip prefix ip prefix name export Required By default a peer group has no peer group based ACL BGP route filtering policy AS path ACL based BGP route filtering policy or IP ...

Page 408: ...up peer group name ip address as path acl acl number import Filter the routing information received from a peer peer group Specify an IP prefix list based BGP route filtering policy for a peer peer group peer group name ip address ip prefix ip prefix name import Required By default no ACL based BGP route filtering policy AS path ACL based BGP route filtering policy or IP prefix list based BGP rout...

Page 409: ...the route in the previous time Once a route flaps it receives a certain penalty value When the penalty value reaches the suppression threshold this route is suppressed The penalty value decreases with time When the penalty value of a suppressed route decreases to the reuse threshold the route gets valid and is thus advertised again BGP dampening suppresses unstable routing information Suppressed r...

Page 410: ...ystem view system view Enter BGP view bgp as number Configure the management preference of the exterior interior and local routes preference ebgp value ibgp value local value Optional By default the management preference of the exterior interior and local routes is 256 256 and 130 Set the default local preference default local preference value Optional By default the local preference defaults to 1...

Page 411: ...ute information to IBGP peer groups Configure the number of local AS number occurrences allowed peer group name ip address allow as loop number Optional By default the number of local AS number occurrences allowed is 1 Assign an AS number for a peer group peer group name as number as number Optional By default the local AS number is not assigned to a peer group Configure the AS_PATH attribute Conf...

Page 412: ...work involves the following aspects 1 BGP clock BGP peers send Keepalive messages to each other periodically through the connections between them to make sure the connections operate properly If a router does not receive the Keepalive or any other message from its peer in a specific period know as Holdtime the router considers the BGP connection operates improperly and thus disconnects the BGP con...

Page 413: ...nly configures the MD5 authentication password for TCP connection and the authentication is performed by TCP If authentication fails the TCP connection cannot be established 5 6 1 Configuration Prerequisites Before adjusting the BGP clock enable basic BGP functions Before configuring BGP clock and authentication make sure the following information is available z Value of BGP timer z Interval for s...

Page 414: ...o limit on the number of route prefixes that can be learned from the BGP peer peer group return refresh bgp all ip address group group name multicast import export Optional system view Perform soft refreshment of BGP connection manually bgp as number Enter BGP view again Configure BGP to perform MD5 authentication when establishing TCP connection peer group name ip address password cipher simple p...

Page 415: ... of multiple BGP routers In an AS to ensure the connectivity among IBGP peers you need to set up full connection among them When there are too many IBGP peers it will cost a lot in establishing a full connection network Using RR or confederation can solve the problem In a large AS RR and confederation can be used simultaneously 5 7 1 Configuration Prerequisites Before configuring a large scale BGP...

Page 416: ... group Add a peer to a peer group peer ip address group group name as number as number Optional You can add multiple peers to the group The system automatically creates the peer in BGP view and specifies its AS number as the one of the peer group Create an EBGP peer group group group name external Create a hybrid EBGP peer group Add a peer to a peer group peer ip address group group name as number...

Page 417: ... policy name export Required By default no routing policy is specified for the routes exported to the peer group Caution z When configuring BGP community you must use a routing policy to define the specific COMMUNITY attribute and then apply the routing policy when a peer sends routing information z For configuration of routing policy refer to IP Routing Policy Configuration 5 7 4 Configuring BGP ...

Page 418: ...D of the RR is used to identify the cluster Configuring multiple RRs can improve the network stability If there are multiple RRs in a cluster use related command to configure the same cluster ID for them to avoid routing loopback 5 7 5 Configuring BGP Confederation Follow these steps to configure a BGP confederation To do Use the command Remarks Enter system view system view Enter BGP view bgp as ...

Page 419: ...nformation exported by BGP display bgp multicast network Display information about AS path display bgp paths as regular expression Display information about a BGP peer display bgp multicast peer ip address verbose Display information in the BGP routing table display bgp multicast routing ip address mask Display the route matching with the specific AS path ACL display bgp multicast routing as path ...

Page 420: ... network address mask statistic display bgp multicast routing peer ip address regular expression as regular expression Display routing information matching with the AS regular expression display bgp multicast routing regular expression as regular expression Display routing statistics of BGP display bgp multicast routing statistic 5 8 2 Resetting BGP Connections To validate any BGP routing policy o...

Page 421: ...n a large AS of a company As the number of IBGP peers increases rapidly in the AS more network resources for BGP communication are occupied The customer hopes to reduce IBGP peers to minimize the CPU and network resources consumption by BGP without affecting device performance Based on user requirements configure a BGP confederation to achieve the goal II Network diagram Figure 5 14 shows the netw...

Page 422: ...3 group confed1003 as number 1003 Configure Switch B SwitchB system view SwitchB bgp 1002 SwitchB bgp confederation id 100 SwitchB bgp confederation peer as 1001 1003 SwitchB bgp group confed1001 external SwitchB bgp peer 172 68 10 1 group confed1001 as number 1001 SwitchB bgp group confed1003 external SwitchB bgp peer 172 68 10 3 group confed1003 as number 1003 Configure Switch C SwitchC system v...

Page 423: ... diagram Switch A AS 100 VLAN int4 Switch C Switch B Switch D AS 200 Router Reflector VLAN int3 VLAN int2 VLAN int100 Device Interface IP address AS Switch A Vlan int 100 1 1 1 1 8 100 Vlan int 2 192 1 1 1 24 Switch B Vlan int 2 192 1 1 2 24 200 Vlan int 3 193 1 1 2 24 Switch C Vlan int 3 193 1 1 1 24 Vlan int 4 194 1 1 1 24 Switch D Vlan int 4 194 1 1 2 24 Figure 5 15 Network diagram for BGP RR c...

Page 424: ...address 193 1 1 2 255 255 255 0 SwitchB Vlan interface3 quit Configure a BGP peer SwitchB bgp 200 SwitchB bgp group ex external SwitchB bgp peer 192 1 1 1 group ex as number 100 SwitchB bgp group in internal SwitchB bgp peer 193 1 1 1 group in 3 Configure Switch C Configure VLAN interface IP addresses SwitchC system view SwitchC interface Vlan interface 3 SwitchC Vlan interface3 ip address 193 1 1...

Page 425: ...e existence of network 1 0 0 0 Use the display bgp routing command to display the BGP routing table on Switch D Note that Switch D knows the existence of network 1 0 0 0 too 5 9 3 Configuring BGP Path Selection I Network requirements A network consists of two ASs which run BGP to communicate with each other OSPF runs in one of them The requirement is to control the data forwarding path from AS 200...

Page 426: ... network interconnection z Run IBGP between Switch D and Switch B as well as between Switch D and Switch C z Apply a routing policy on Switch A to modify the MED attribute of the route to be advertised to AS 200 making the data forwarding path from Switch D to AS 100 as Switch D Switch C Switch A z Apply a routing policy on Switch C to modify the LOCAL_PREF attribute of the route to be advertised ...

Page 427: ...outing policy Set the MED value of the route matching ACL 2000 to 50 SwitchA route policy apply_med_50 permit node 10 SwitchA route policy if match acl 2000 SwitchA route policy apply cost 50 SwitchA route policy quit Create a routing policy named apply_med_100 and specify node 10 with the permit matching mode for the routing policy Set the MED value of the route matching ACL 2000 to 100 SwitchA r...

Page 428: ...B bgp 200 SwitchB bgp undo synchronization SwitchB bgp group ex external SwitchB bgp peer 192 1 1 1 group ex as number 100 SwitchB bgp group in internal SwitchB bgp peer 194 1 1 1 group in SwitchB bgp peer 195 1 1 2 group in 3 Configure Switch C Configure VLAN interface IP addresses SwitchC system view SwitchC interface Vlan interface 3 SwitchC Vlan interface3 ip address 193 1 1 2 255 255 255 0 Sw...

Page 429: ...95 1 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 0 network 4 0 0 0 0 255 255 255 SwitchD ospf 1 area 0 0 0 0 quit SwitchD ospf 1 quit Enable BGP create a peer group and add peers to the peer group SwitchD bgp 200 SwitchD bgp undo synchronization SwitchD bgp group in internal SwitchD bgp peer 195 1 1 2 group in SwitchD bgp peer 194 1 1 2 group in z To make the configuration take effect all BGP neighbor...

Page 430: ...nformation from the peer 193 1 1 1 SwitchC bgp 200 SwitchC bgp peer 193 1 1 1 route policy localpref import In this case because the LOCAL_PREF value of the route 1 0 0 0 learnt by Switch C is 200 which is greater than that of the route 1 0 0 0 learnt by Switch B Switch B does not configure the LOCAL_PREF attribute the default value is 100 Switch D still chooses the route 1 0 0 0 coming from Switc...

Page 431: ...he peer connect interface command is configured 4 If the neighbor is not physically directed check whether the peer ebgp max hop command is configured 5 Check whether there is an available route of the neighbor in the routing table 6 Use the ping a ip address command to check the TCP connection 7 Check whether you have disabled the ACL of TCP port 179 ...

Page 432: ...es such as reachability When a router distributes or receives routing information it may need to implement some policies to filter the routing information so as to receive or distribute only the routing information meeting given conditions A routing protocol RIP for example may need to import the routing information discovered by other protocols to enrich its routing knowledge While importing rout...

Page 433: ...contain multiple entries and each entry identified by an index number can independently specify the match range in the network prefix form An index number specifies the matching sequence in the IP prefix list There is an OR relationship between entries During the matching the router checks entries identified by index number in ascending order Once an entry is matched the IP prefix list filtering i...

Page 434: ...ask List Complete the following tasks to configure an IP routing policy Task Remarks Defining a Routing Policy Required Routing Policy Configuration Defining if match Clauses and apply Clauses Required IP Prefix Configuration Required AS Path List Configuration Required Community List Configuration Required 6 3 Routing Policy Configuration A routing policy is used to match given routing informatio...

Page 435: ...atches the rules for the node the apply clauses for the node will be executed and the test of the next node will not be taken If not however the route takes the test of the next node z The deny argument specifies the matching mode for a defined node in the routing policy to be in deny mode In this mode no apply clause is executed If a route satisfies all the if match clauses of the node no apply c...

Page 436: ...fix name Optional By default no matching is performed on the address of routing information Define a rule to match the cost of routes if match cost value Optional By default no matching is performed against the cost of routes Define a rule to match the next hop interface of routing information if match interface interface type interface number Optional By default no matching is performed on the ne...

Page 437: ...et local preference of BGP routing information apply local preference local preference Optional Apply a cost to routes satisfying matching rules apply cost value Optional By default no cost is applied to routes satisfying matching rules Set route cost type for routing information apply cost type internal external Optional Set route source of BGP routing information apply origin igp egp as number i...

Page 438: ...ing test against the node is successful and the actions can be the attribute settings of routing information 6 4 IP Prefix Configuration IP prefix plays a role similar to ACL and but is more flexible and easier to understand When IP prefix is applied to filtering routing information its matching object is the destination address information field of routing information 6 4 1 Configuration Prerequi...

Page 439: ...an be used to match the AS path field in BGP routing information to filter out the routing information that does not match Follow these steps to configure an AS path list To do Use the command Remarks Enter system view system view Configure AS path list ip as path acl acl number permit deny as regular expression Optional By default no AS path list is defined 6 6 Community List Configuration In BGP...

Page 440: ... list is defined 6 7 Displaying IP Routing Policy To do Use the command Remarks Display routing policy information display route policy route policy name Display IP prefix information display ip ip prefix ip prefix name Available in any view 6 8 IP Routing Policy Configuration Example 6 8 1 Configuring to Filter Received Routing Information I Network requirements Switch A communicates with Switch ...

Page 441: ...nterface100 quit SwitchA interface vlan interface 200 SwitchA Vlan interface200 ip address 12 0 0 1 255 0 0 0 SwitchA Vlan interface200 quit Configure three static routes SwitchA ip route static 20 0 0 0 255 0 0 0 12 0 0 2 SwitchA ip route static 30 0 0 0 255 0 0 0 12 0 0 2 SwitchA ip route static 40 0 0 0 255 0 0 0 12 0 0 2 Enable the OSPF protocol and specify the ID of the area to which the inte...

Page 442: ...255 0 0 0 SwitchB Vlan interface100 quit Enable the OSPF protocol and specify the ID of the area to which the interface belongs SwitchB router id 2 2 2 2 SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 10 0 0 0 0 255 255 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit z Display the OSPF routing table on Switch B and check if routing policy takes effect SwitchB displ...

Page 443: ...ces are distinguished by IP addresses If a fault occurs to the main link of one service dynamic backup can prevent service interruption II Network diagram According to the network requirements the network topology is designed as shown in Figure 6 2 Device Interface IP address Switch A Vlan int 2 2 2 2 1 8 Vlan int 3 3 3 3 254 8 Vlan int 10 1 1 1 254 8 Switch B Vlan int 3 3 3 3 253 8 Vlan int 6 6 6...

Page 444: ...A rip network 2 0 0 0 SwitchA rip network 3 0 0 0 2 Configure Switch B Create VLANs and configure IP addresses for the VLAN interfaces The configuration procedure is omitted Configure RIP SwitchB system view SwitchB rip SwitchB rip network 1 0 0 0 SwitchB rip network 3 0 0 0 SwitchB rip network 6 0 0 0 3 Configure Switch C Create VLANs and configure IP addresses for the VLAN interfaces The configu...

Page 445: ... prefix list 1 SwitchC route policy in permit node 30 SwitchC route policy if match interface Vlan interface6 SwitchC route policy if match ip prefix 1 SwitchC route policy apply cost 6 SwitchC route policy quit Create node 40 with the matching mode being permit in the routing policy Define if match clauses Apply the cost 5 to routes matching the outgoing interface VLAN interface 6 and prefix list...

Page 446: ...chC display ip routing table Routing Table public net Destination Mask Protocol Pre Cost Nexthop Interface 1 0 0 0 8 RIP 100 6 6 6 6 5 Vlan interface2 3 0 0 0 8 RIP 100 5 6 6 6 5 Vlan interface6 6 0 0 0 8 DIRECT 0 0 6 6 6 6 Vlan interface6 6 6 6 6 32 DIRECT 0 0 127 0 0 1 InLoopBack0 127 0 0 0 8 DIRECT 0 0 127 0 0 1 InLoopBack0 127 0 0 1 32 DIRECT 0 0 127 0 0 1 InLoopBack0 192 168 0 0 24 DIRECT 0 0...

Page 447: ...ibuted routes 6 9 Troubleshooting IP Routing Policy I Symptom The routing policy cannot filter routing information correctly when the routing protocol runs normally II Analysis The routing policy cannot filter routing information correctly in the following two cases z All nodes in the routing policy are in the deny mode z All entries in the IP prefix list are in the deny mode III Solution 1 Use th...

Page 448: ...there are a large number of routes especially OSPF routes and BGP routes in the routing table Normally routing information is stored in the memory of the switch While the size of the routing table increases the total memory of the switch remains unchanged unless the hardware is upgraded However upgrading may not always solve the problem To solve this problem the switches provide a mechanism to con...

Page 449: ...lue the switch automatically re establishes the OSPF or BGP connection z If the automatic protocol connection recovery function is disabled the switch will not reestablish the disconnected OSPF or BGP connection even when the free memory restores to a value larger than the safety value 7 2 Route Capacity Limitation Configuration Route capacity limitation configuration includes z Configuring the lo...

Page 450: ...y To do Use the command Remarks Enter system view system view Disable automatic protocol recovery memory auto establish disable Optional Enabled by default Note If automatic protocol recovery is disabled the OSPF or BGP connection will not recover even when the free memory exceeds the safety value Therefore take cautions when disabling the function 7 3 Displaying and Maintaining Route Capacity Lim...

Page 451: ...ation 2 1 2 1 1 Enabling Multicast Packet Buffering 2 1 2 1 2 Enabling Multicast Routing 2 2 2 1 3 Configuring Limit on the Number of Route Entries 2 3 2 1 4 Configuring Suppression on the Multicast Source Port 2 3 2 1 5 Clearing Multicast Forwarding and Routing Entries 2 4 2 1 6 Configuring a Multicast MAC Address Entry 2 4 2 1 7 Configuring Dropping Unknown Multicast Packets 2 5 2 1 8 Tracing a ...

Page 452: ... SPT Switchover 4 17 4 4 Configuring Common PIM Parameters 4 17 4 4 1 Configuring a Multicast Data Filter 4 18 4 4 2 Configuring the Hello Interval 4 18 4 4 3 Configuring PIM Neighbors 4 19 4 4 4 Configuring Multicast Source Lifetime 4 20 4 4 5 Clearing the Related PIM Entries 4 20 4 5 Displaying and Maintaining PIM 4 21 4 6 PIM Configuration Examples 4 21 4 6 1 PIM DM Configuration Example 4 21 4...

Page 453: ... 1 IGMP Snooping Overview 6 1 6 1 1 Principle of IGMP Snooping 6 1 6 1 2 Basic Concepts in IGMP Snooping 6 2 6 1 3 Work Mechanism of IGMP Snooping 6 3 6 2 Configuring IGMP Snooping 6 5 6 2 1 Enabling IGMP Snooping 6 6 6 2 2 Configuring the Version of IGMP Snooping 6 6 6 2 3 Configuring Timers 6 7 6 2 4 Configuring Fast Leave Processing 6 8 6 2 5 Configuring a Multicast Group Filter 6 9 6 2 6 Confi...

Page 454: ... Tag for Query Messages 1 1 Multicast Overview With the development of the Internet more and more interaction services such as data voice and video services are running on the networks In addition highly bandwidth and time critical services such as e commerce Web conference online auction video on demand VoD and tele education have come into being These services have higher requirements for inform...

Page 455: ...information when a large number of users need this information the server must send many pieces of information with the same content to the users Therefore the limited bandwidth becomes the bottleneck in information transmission This shows that unicast is not good for the transmission of a great deal of information 1 1 2 Information Transmission in the Broadcast Mode When you adopt broadcast the s...

Page 456: ...d Therefore broadcast is disadvantageous in transmitting data to specific users moreover broadcast occupies large bandwidth 1 1 3 Information Transmission in the Multicast Mode As described in the previous sections unicast is suitable for networks with sparsely distributed users whereas broadcast is suitable for networks with densely distributed users When the number of users requiring information...

Page 457: ...st are as follows z No matter how many receivers exist there is only one copy of the same multicast data flow on each link z With the multicast mode used to transmit information an increase of the number of users does not add to the network burden remarkably The advantages of multicast over broadcast are as follows z A multicast data flow can be sent only to the receiver that requires the data z M...

Page 458: ...to receive the multicast data that the source sends to the multicast group 4 The user turns off the TV set The receiver leaves the multicast group Note z A multicast source does not necessarily belong to a multicast group Namely a multicast source is not necessarily a multicast data receiver z A multicast source can send data to multiple multicast groups at the same time and multiple multicast sou...

Page 459: ...lticast group at any time II SFM model The SFM model is derived from the ASM model From the view of a sender the two models have the same multicast group membership architecture Functionally the SFM model is an extension of the ASM model In the SFM model the upper layer software checks the source address of received multicast packets so as to permit or deny multicast traffic from specific sources ...

Page 460: ...outing A router or switch transports packets from a multicast source to receivers by building a multicast distribution tree with multicast routes z Multicast application A multicast source must support multicast applications such as video conferencing The TCP IP protocol suite must support the function of sending and receiving multicast information 1 3 1 Multicast Address As receivers are multiple...

Page 461: ...he IP addresses of a permanent multicast group keep unchanged while the members of the group can be changed z There can be any number of or even zero members in a permanent multicast group z Those IP multicast addresses not assigned to permanent multicast groups can be used by temporary multicast groups Class D IP addresses range from 224 0 0 0 to 239 255 255 255 For details see Table 1 2 Table 1 ...

Page 462: ...224 0 0 13 All Protocol Independent Multicast PIM routers 224 0 0 14 Resource Reservation Protocol RSVP encapsulation 224 0 0 15 All core based tree CBT routers 224 0 0 16 The specified subnetwork bandwidth management SBM 224 0 0 17 All SBMS 224 0 0 18 Virtual Router Redundancy Protocol VRRP 224 0 0 19 to 224 0 0 255 Other protocols Note Like having reserved the private network segment 10 0 0 0 8 ...

Page 463: ...t MAC address 5 bits lost 25 bit MAC address prefix 23 bits mapped Figure 1 4 Multicast address mapping The high order four bits of the IP multicast address are 1110 representing the multicast ID Only 23 bits of the remaining 28 bits are mapped to a MAC address Thus five bits of the multicast IP address are lost As a result 32 IP multicast addresses are mapped to the same MAC address 1 3 2 Multica...

Page 464: ...d Layer 3 multicast devices 2 Multicast routing protocols A multicast routing protocol runs on Layer 3 multicast devices to establish and maintain multicast routes and forward multicast packets correctly and efficiently Multicast routes constitute a loop free data transmission path from a data source to multiple receivers namely a multicast distribution tree In the ASM model multicast routes come ...

Page 465: ...otocol Snooping IGMP Snooping are multicast constraining mechanisms that manage and control multicast groups by listening to and analyzing IGMP messages exchanged between the hosts and Layer 3 multicast devices thus effectively controlling the flooding of multicast data in a Layer 2 network 1 4 Multicast Packet Forwarding Mechanism In a multicast model a multicast source sends information to the h...

Page 466: ...ing table the multicast packet is subject to an RPF check z If the result of the RPF check shows that the RPF interface is the incoming interface of the existing S G entry this means that the S G entry is correct but the packet arrived from a wrong path and is to be discarded z If the result of the RPF check shows that the RPF interface is not the incoming interface of the existing S G entry this ...

Page 467: ...192 168 0 1 24 Receiver Receiver Router A Switch B Switch C Vlan int2 Vlan int1 Vlan int1 Vlan int2 Multicast packets Destination Mask IP Routing Table on Switch C 192 168 0 0 24 Interface Vlan int2 Figure 1 7 RPF check process z A multicast packet from Source arrives to VLAN interface 1 of Switch C and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C...

Page 468: ...imit on the Number of Route Entries Optional Configuring Suppression on the Multicast Source Port Optional Clearing Multicast Forwarding and Routing Entries Optional Configuring a Multicast MAC Address Entry Optional Configuring Dropping Unknown Multicast Packets Optional Tracing a Multicast Path Optional 2 1 1 Enabling Multicast Packet Buffering With the multicast packet buffering feature enabled...

Page 469: ...he system default is 100 Caution The multicast packet buffering feature should be enabled only before multicast routing is enabled 2 1 2 Enabling Multicast Routing Follow these steps to enable multicast routing To do Use the command Remarks Enter system view system view Enable multicast routing multicast routing enable Required Disabled by default Note To guard against attacks on any socket not in...

Page 470: ...1 4 Configuring Suppression on the Multicast Source Port Some users may deploy unauthorized multicast servers on the network This affects the use of network bandwidth and transmission of multicast data of authorized users by taking network resources You can configure multicast source port suppression on certain ports to prevent unauthorized multicast servers attached to these ports from sending mu...

Page 471: ...tistics information reset multicast forwarding table statistics all group address mask mask mask length source address mask mask mask length incoming interface interface type interface number Clear routing entries in the core multicast routing table reset multicast routing table all group address mask mask mask length source address mask mask mask length incoming interface interface type interface...

Page 472: ...s entry to be created already exists the system gives you a prompt z If you want to add a port to a multicast MAC address entry created through the mac address multicast command you need to remove the entry first create this entry again and then add the specified port to the forwarding ports of this entry z You cannot configure a multicast MAC address starting with 01005e on S5600 series switches ...

Page 473: ...he command Remarks Trace a multicast path mtracert source address last hop router address group address Required Available in any view 2 2 Displaying and Maintaining Common Multicast Configuration The information about the multicast forwarding table is mainly used for debugging Generally you can get the required information by checking the core multicast routing table Three kinds of tables affect ...

Page 474: ... type interface number register Available in any view Display the information about the multicast forwarding table display multicast forwarding table group address mask mask mask length source address mask mask mask length incoming interface interface type interface number register Available in any view Display multicast forward table information containing port information display mpm forwarding ...

Page 475: ...ships to immediately neighboring multicast routers 3 1 1 IGMP Versions So far there are three IGMP versions z IGMPv1 documented in RFC 1112 z IGMPv2 documented in RFC 2236 z IGMPv3 documented in RFC 3376 All IGMP versions support the any source multicast ASM model In addition IGMPv3 provides strong support to the source specific multicast SSM model 3 1 2 Work Mechanism of IGMPv1 IGMPv1 manages mul...

Page 476: ...he figure periodically multicasts IGMP queries with the destination address of 224 0 0 1 to all hosts and routers on the local subnet 2 Upon receiving a query message Host B or Host C the delay timer of whichever expires first sends an IGMP report to the multicast group address of G1 to announce its interest in G1 Assume it is Host B that sends the report message 3 Host C which is on the same subn...

Page 477: ...anism and Leave Group mechanism I Querier election mechanism In IGMPv1 the DR elected by the Layer 3 multicast routing protocol such as PIM serves as the querier among multiple routers on the same subnet In IGMPv2 an independent querier election mechanism is introduced The querier election process is as follows 1 Initially every IGMPv2 router assumes itself as the querier and sends IGMP general qu...

Page 478: ...ps of the group otherwise the querier will assume that no hosts on the subnet are still interested in multicast traffic to that group and will stop maintaining the memberships of the group 3 1 4 IGMP Proxy A lot of stub networks stub domains are involved in the application of a multicast routing protocol PIM DM for example over a large scaled network It is a hard work to configure and manage these...

Page 479: ...nterface 2 an IGMP join or IGMP leave message sent by the host it changes the source address of the IGMP information to the address of VLAN interface 1 33 33 33 2 and sends the information to VLAN interface 1 of Switch A For Switch A this works as if there is a host directly connected to VLAN interface 1 Similarly when Switch B receives the IGMP general or group specific query message from the Lay...

Page 480: ...Enable IGMP igmp enable Required Disabled by default Caution Before performing the following configurations described in this chapter you must enable multicast routing and enable IGMP on the specific interfaces 3 2 3 Configuring IGMP Version Follow these steps to configure IGMP version To do Use the command Remarks Enter system view system view Enter interface view interface interface type interfa...

Page 481: ...rval z If other hosts are interested in the group after receiving the IGMP group specific query message from the querier they must send IGMP report messages within the maximum response time specified in the query messages z If the IGMP querier receives IGMP report messages from other hosts within the period of robust value x lastmember queryinterval it will maintain the membership of the group z I...

Page 482: ...er system view system view Enter interface view interface interface type interface number Configure the query interval interval of sending general queries igmp timer query seconds Optional 60 seconds by default Configure the interval of sending IGMP group specific query messages igmp lastmember queryinterv al seconds Optional 1 second by default Configure the number of times of sending IGMP group ...

Page 483: ...ured limit on the number of joined multicast groups on the interface the device will remove the oldest entries automatically until the number of multicast groups on the interface conforms to the configured limit 3 2 6 Configuring a Multicast Group Filter A multicast router determines the group memberships in the specified subnet by analyzing the received IGMP reports To restrict the hosts on the n...

Page 484: ...nal No multicast group filter is configured by default The port must belong to the specified VLAN 3 2 7 Configuring Simulated Joining Generally hosts running IGMP respond to the IGMP query messages of the IGMP querier If hosts fail to respond for some reason the multicast router may consider that there is no member of the multicast group on the local subnet and remove the corresponding path To avo...

Page 485: ...e interface number VLAN interface view igmp host join group address port interface list Configure one or more ports in the VLAN as simulated member host s of the specified multicast group LoopBack interface view igmp host join group address Required Disabled by default II Configuring simulated joining in Ethernet port view Follow these steps to configure simulated joining in Ethernet port view To ...

Page 486: ... IGMP proxy interface If it is necessary to configure an IGMP querier interface as an IGMP proxy interface you must configure the port that belongs to the proxy interface and connects to the upstream multicast device as a static router port For details see Configuring a Static Router Port 3 2 9 Removing Joined IGMP Groups from an Interface You can remove all the joined multicast groups from a part...

Page 487: ...he group again 3 3 Displaying and Maintaining IGMP To do Use the command Remarks Display the membership information of the IGMP multicast group display igmp group group address interface interface type interface number Available in any view Display the IGMP configuration and running information of the interface display igmp interface interface type interface number Available in any view ...

Page 488: ...any unicast routing protocol such as Routing Information Protocol RIP open shortest path first OSPF Intermediate System to Intermediate System IS IS or Border Gateway Protocol BGP Independent of the unicast routing protocols running on the device multicast routing can be implemented as long as the corresponding multicast routing entries are created through unicast routes PIM uses the Reverse Path ...

Page 489: ...cally that is pruned branches resume multicast forwarding when the pruned state times out and then data is re flooded down these branches and then are pruned again z When a new receiver on a previously pruned branch joins a multicast group to reduce the join latency PIM DM uses a graft mechanism to resume data forwarding to that branch Generally speaking the multicast forwarding path is a source t...

Page 490: ...es without receivers downstream are pruned A router having no receivers downstream sends a prune message to the upstream node to tell the upstream node to delete the corresponding interface from the outgoing interface list in the S G entry and stop forwarding subsequent packets addressed to that multicast group down to this node Note z An S G entry contains the multicast source address S multicast...

Page 491: ...cast group to reduce the join latency PIM DM uses a graft mechanism to resume data forwarding to that branch The process is as follows 1 The node that need to receive multicast data sends a graft message hop by hop toward the source as a request to join the SPT again 2 Upon receiving this graft message the upstream node puts the interface on which the graft was received into the forwarding state a...

Page 492: ...rs 224 0 0 13 through the interface on which the packet was received The assert message contains the following information the multicast source address S the multicast group address G and the preference and metric of the unicast route to the source By comparing these parameters either Router A or Router B becomes the unique forwarder of the subsequent S G packets on the multi access subnet The com...

Page 493: ...nnected to this receiver sends a join message to the RP corresponding to that multicast group The path along which the message goes hop by hop to the RP forms a branch of the RPT z When a multicast source sends a multicast packet to a multicast group the router directly connected with the multicast source first registers the multicast source with the RP by sending a register message to the RP by u...

Page 494: ...n messages to the RP the DR at the multicast source side sends register messages to the RP Note z A DR is elected on a multi access subnet by means of comparison of the priorities and IP addresses carried in hello messages An elected DR is substantially meaningful to PIM SM PIM DM itself does not require a DR However if IGMPv1 runs on any multi access network in a PIM DM domain a DR must be electe...

Page 495: ... huge amount of multicast traffic needs to be forwarded through the RP To lessen the RP burden and optimize the topological structure of the RPT each multicast group should have its own RP Therefore a bootstrap mechanism is needed for dynamic RP election For this purpose a bootstrap router BSR should be configured As the administrative core of a PIM SM domain the BSR collects advertisement message...

Page 496: ...oins a multicast group G it uses an IGMP message to inform the directly connected DR 2 Upon getting the receiver information the DR sends a join message which is hop by hop forwarded to the RP corresponding to the multicast group 3 The routers along the path from the DR to the RP form an RPT branch Each router on this branch generates a G entry in its forwarding table The means any multicast sourc...

Page 497: ...checks whether it itself has receivers for that multicast group If not the router continues to forward the prune message to its upstream router V Multicast source registration The purpose of multicast source registration is to inform the RP about the existence of the multicast source Source Server Host A Host B Host C Receiver Receiver Multicast packets SPT Join message Register message RP DR Figu...

Page 498: ... the tree that has the shortest path upon receiving the first multicast packet along the RPT the receiver side DR initiates an RPT to SPT switchover process as follows 1 First the receiver side DR sends an S G join message hop by hop to the multicast source When the join message reaches the source side DR all the routers on the path have installed the S G entry in their forwarding table and thus a...

Page 499: ...e Registration Packets from DR to RP Optional Disabling RPT to SPT Switchover Optional 4 3 1 Enabling PIM SM With PIM SM enabled a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors When deploying a PIM SM domain you are recommended to enable PIM SM on all interfaces of non border routers border routers are PIM enabled routers located on th...

Page 500: ...e command Remarks Enter system view system view Enter PIM view pim Configure a static RP static rp rp address acl number Optional No static RP by default II Configuring a C RP In a PIM SM domain you can configure routers that intend to become the RP as C RPs The BSR collects the C RP information by receiving the C RP Adv messages from C RPs or auto RP announcements from other routers and organizes...

Page 501: ...sible for collecting and advertising RP information in the PIM SM domain I Configuring a C BSR C BSRs should be configured on routers in the backbone network When configuring a router as a C BSR be sure to specify a PIM SM enabled interface on the router The BSR election process is summarized as follows z Initially every C BSR assumes itself to be the BSR of this PIM SM domain and uses its interfa...

Page 502: ...ically floods the network with bootstrap messages As a bootstrap message has a TTL value of 1 the whole network will not be affected as long as the neighbor router discards these bootstrap messages Therefore with a legal BSR address range configured on all routers in the entire network all these routers will discard bootstrap messages from out of the legal address range The above mentioned prevent...

Page 503: ...nfigure a PIM SM domain border pim bsr boundary Optional By default no PIM SM domain border is configured Caution After this feature is configured Bootstrap messages cannot pass the border However the other PIM messages can pass the domain border The network can be effectively divided into domains that use different BSRs 4 3 4 Filtering the Registration Packets from DR to RP Within a PIM SM domain...

Page 504: ... to SPT switchover process You can also disable RPT to SPT switchover through the configuration Follow these steps to disable RPT to SPT switchover To do Use the command Remarks Enter system view system view Enter PIM view pim Disable RPT to SPT switchover spt switch threshold infinity group policy acl number order order value Optional By default the device switches to the SPT immediately after it...

Page 505: ...ailable to receivers downstream to enhance data security on the other hand Follow these steps to configure a multicast data filter To do Use the command Remarks Enter system view system view Enter PIM view pim Configure a multicast group filter source policy acl number Optional No multicast data filter by default Caution z If you have configured a basic ACL the switch filters all the received mult...

Page 506: ...sult in router failure you can limit the number of PIM neighbors on the router interface However the total number of PIM neighbors of a router is defined by the system and you cannot modify it through commands You can define what Layer 3 switches can become PIM neighbors of the current interface by configuring a basic ACL Follow these steps to configure PIM neighbors To do Use the command Remarks ...

Page 507: ... entry reestablishment some data may be lost If the multicast source lifetime is appropriately lengthened when the data traffic has stopped the multicast data when arriving at the multicast switch again can be forwarded by the switch without the need of reestablishing the table entries This helps avoid data loss Follow these steps to configure multicast source lifetime To do Use the command Remark...

Page 508: ...ength mask source address mask mask length mask incoming interface interface type interface number null dense mode sparse mode Available in any view Display the information about PIM interfaces display pim interface interface type interface number Available in any view Display the information about PIM neighbor routers display pim neighbor interface interface type interface number Available in any...

Page 509: ...n t 1 0 2 V l a n i n t 1 0 2 V l a n i n t 1 0 3 V l a n i n t 1 0 3 Device Interface IP address Device Interface IP address Switch A Vlan int100 10 110 1 1 24 Switch D Vlan int300 10 110 5 1 24 Vlan int103 192 168 1 1 24 Vlan int103 192 168 1 2 24 Switch B Vlan int200 10 110 2 1 24 Vlan int101 192 168 2 2 24 Vlan int101 192 168 2 1 24 Vlan int102 192 168 3 2 24 Switch C Vlan int200 10 110 2 2 24...

Page 510: ... quit The configuration on Switch B and Switch C is similar to the configuration on Switch A Enable IP multicast routing on Switch D and enable PIM DM on each interface SwitchD system view SwitchD multicast routing enable SwitchD interface vlan interface 300 SwitchD Vlan interface300 pim dm SwitchD Vlan interface300 quit SwitchD interface vlan interface 103 SwitchD Vlan interface103 pim dm SwitchD...

Page 511: ...itch A View the PIM routing table information on Switch D SwitchD display pim routing table PIM DM Routing Table Total 1 S G entry 10 110 5 100 225 1 1 1 Protocol 0x40 PIMDM Flag 0xC SPT NEG_CACHE Uptime 00 00 23 Timeout in 187 sec Upstream interface Vlan interface300 RPF neighbor NULL Downstream interface list Vlan interface101 Protocol 0x200 SPT timeout in 147 sec Vlan interface103 Protocol 0x20...

Page 512: ...h B Switch C and Switch D and its VLAN interface 102 interface acts a C BSR and a C RP with the range of multicast groups served by the C RP being 225 1 1 0 24 II Network diagram Ethernet Ethernet Ethernet N1 N2 V l a n i n t 1 0 1 V l a n i n t 1 0 1 Device Interface IP address Device Interface IP address Switch A Vlanint100 10 110 1 1 24 Switch D Vlanint300 10 110 5 1 24 Vlanint101 192 168 1 1 2...

Page 513: ...ects Switch A to the stub network SwitchA system view SwitchA multicast routing enable SwitchA interface vlan interface 100 SwitchA Vlan interface100 igmp enable SwitchA Vlan interface100 pim sm SwitchA Vlan interface100 quit SwitchA interface vlan interface 101 SwitchA Vlan interface101 pim sm SwitchA Vlan interface101 quit SwitchA interface vlan interface 102 SwitchA Vlan interface102 pim sm Swi...

Page 514: ...iority 0 Mask Length 24 Expires 00 01 39 Local host is BSR Display RP information on Switch E SwitchE display pim rp info PIM SM RP SET information BSR is 192 168 9 2 Group MaskLen 225 1 1 0 24 RP 192 168 9 2 Version 2 Priority 0 Uptime 00 49 44 Expires 00 01 46 Display PIM routing table information on Switch A SwitchA display pim routing table PIM SM Routing Table Total 1 S G entries 1 G entries ...

Page 515: ...tocol 0x200 SPT timeout in 147 sec Vlan interface105 Protocol 0x200 SPT timeout in 145 sec Matched 1 S G entry 0 G entry 0 RP entry Display PIM routing table information on Switch E SwitchE display pim routing table PIM SM Routing Table Total 1 S G entry 1 G entry 0 RP entry 225 1 1 1 RP 192 168 9 2 Protocol 0x20 PIMSM Flag 0x2003 RPT WC NULL_IIF Uptime 00 02 34 Timeout in 176 sec Upstream interfa...

Page 516: ...e troubleshooting PIM z Because PIM SM needs the support of RP and BSR you must execute the display pim bsr info command to see whether BSR information exists If not you must check whether there is any unicast route to the BSR Then use the display pim rp info command to check whether the RP information is correct If RP information does not exist you must check whether there is any unicast route to...

Page 517: ...ction to MSDP Multicast Source Discovery Protocol MSDP is an inter domain multicast solution developed to address the interconnection of Protocol Independent Multicast sparse mode PIM SM domains It is used to discover multicast source information in other PIM SM domains In the basic PIM SM mode a multicast source registers only with the RP in the local PIM SM domain and the multicast source inform...

Page 518: ...p is formed where the RPs of different PIM SM domains are interconnected in series Relayed by these MSDP peers an SA message sent by an RP can be delivered to all other RPs Figure 5 1 Where MSDP peers are in the network As shown in Figure 5 1 an MSDP peer can be created on any PIM SM router MSDP peers created on PIM SM routers that assume different roles function differently 1 MSDP peers on RPs z ...

Page 519: ...n common PIM SM routers other than RPs Router A and Router B are MSDP peers on common multicast routers Such MSDP peers just forward received SA messages Note An RP is dynamically elected from C RPs To enhance network robustness a PIM SM network typically has more than one C RP As the RP election result is unpredictable MSDP peering relationships should be built among all C RPs so that the winner ...

Page 520: ...ds the SA messages to its MSDP peer An SA message contains the source address S the multicast group address G and the address of the RP which has created this SA message namely RP 1 3 On MSDP peers each SA message is subject to a Reverse Path Forwarding RPF check and multicast policy based filtering so that only SA messages that have arrived along the correct path and passed the filtering are rece...

Page 521: ...e an RP receives information form a multicast source it no longer relies on RPs in other PIM SM domains The receivers can override the RPs in other domains and directly join the multicast source based SPT III RPF check rules for SA messages As shown in Figure 5 3 there are five autonomous systems in the network AS 1 through AS 5 with IGP enabled on routers within each AS and EBGP as the interopera...

Page 522: ...age is from an MSDP peer RP 2 in the same AS and the MSDP peer is the next hop on the optimal path to the source side RP RP 3 accepts the message and forwards it to other peers RP 4 and RP 5 3 When RP 4 and RP 5 receive the SA message from RP 3 Because the SA message is from an MSDP peer RP 3 in the same mesh group RP 4 and RP 5 both accept the SA message but they do not forward the message to oth...

Page 523: ...lication that enables load balancing and redundancy backup between two or more RPs within a PIM SM domain by configuring the same IP address for and establishing MSDP peering relationships between these RPs As shown in Figure 5 4 within a PIM SM domain a multicast source sends multicast data to multicast group G and Receiver is a member of the multicast group To implement Anycast RP configure the ...

Page 524: ... rooted at Source The significance of Anycast RP is as follows z Optimal RP path A multicast source registers with the nearest RP so that an SPT with the optimal path is built a receiver joins the nearest RP so that an RPT with the optimal path is built z Load balancing between RPs Each RP just needs to maintain part of the source group information within the PIM SM domain and forward part of the ...

Page 525: ...tatic RPF peers function at the same time RPs in SA messages are filtered based on the configured prefix list and only the SA messages whose RP addresses pass the filtering are received If multiple static RPF peers using the same rp policy keyword are configured when any of the peers receives an SA message it will forward the SA message to other peers z None of the peers use the rp policy keyword ...

Page 526: ...e group On the other hand a mesh group member does not perform RPF check on SA messages from within the mesh group and does not forward the messages to other members of the mesh group This avoids SA message flooding since it is unnecessary to run BGP or MBGP between MSDP peers thus simplifying the RPF checking mechanism The sessions between MSDP peers can be terminated and reactivated sessions as ...

Page 527: ...e MSDP mesh group so that the peers are fully connected with one another in the mesh group Follow these steps to configure an MSDP mesh group To do Use the command Remarks Enter system view system view Enter MSDP view msdp Add an MSDP peer to a mesh group peer peer address mesh group name Required By default an MSDP peer does not belong to any mesh group Note z Before you configure an MSDP mesh gr...

Page 528: ...r some burst multicast data if the multicast data interval exceeds the SA message hold time the multicast data must be encapsulated in the SA message otherwise the receiver will never receive the multicast source information By default when a new receiver joins a router does not send any SA request message to its MSDP peer but has to wait for the next SA message This defers the reception of the mu...

Page 529: ...n SA Messages MSDP peers deliver SA messages to one another Upon receiving an SA message a router performs an RPF check on the message If the router finds that the remote RP address is the same as the local RP address it will discard the SA message In anycast RP application however you need to configure RPs with the same IP address on two or more routers in the same PIM SM domain and configure the...

Page 530: ...ystem view system view Enter MSDP view msdp Enable SA message caching mechanism cache sa enable Optional Enabled by default Configure the maximum number of SA messages that can be cached peer peer address sa cache maximum sa limit Optional The default is 2 048 5 4 4 Configuring the Transmission and Filtering of SA Request Messages After you enable the sending of SA request messages when a router r...

Page 531: ...outer receives all SA request messages from the MSDP peer 5 4 5 Configuring a Rule for Filtering the Multicast Sources of SA Messages An RP filters each registered source to control the information of active sources advertised in the SA message An MSDP peer can be configured to advertise only the S G entries in the multicast routing table that satisfy the filtering rule when the MSDP creates the S...

Page 532: ...ure ACL rules for filtering source IP addresses and group IP addresses An SA message carrying encapsulated data can reach the specified MSDP peer outside the domain only if the TTL in its IP header is greater than the threshold therefore you can control the forwarding range of SA messages that carry encapsulated data by configuring the TTL threshold Follow these steps to configure a rule for filte...

Page 533: ...ilable in user view Clear the statistics information of the specified MSDP peer without resetting the MSDP peer reset msdp statistics peer address Available in user view II Tracing the transmission path of an SA message over the network Follow these steps to trace the transmission path of an SA message over the network To do Use the command Remarks Trace the transmission path of an SA message over...

Page 534: ... 0 L o o p 2 0 Loop10 L o o p 2 0 L o o p 0 Receiver 1 Source 1 Switch A Switch B Switch C Switch D Switch E V l a n i n t 1 0 1 V l a n i n t 1 0 1 V l a n i n t 1 0 2 V l a n i n t 1 0 2 Vlan int100 V l a n i n t 1 0 3 V l a n i n t 1 0 3 V l a n i n t 1 0 4 V l a n i n t 1 0 4 Vlan int200 Receiver 2 Source 2 PIM SM MSDP peers Vlan int300 Vlan int400 Device Interface IP address Device Interface ...

Page 535: ...ost side interface VLAN interface 100 SwitchB system view SwitchB multicast routing enable SwitchB interface vlan interface 100 SwitchB Vlan interface100 igmp enable SwitchB Vlan interface100 pim sm SwitchB Vlan interface100 quit SwitchB interface vlan interface 103 SwitchB Vlan interface103 pim sm SwitchB Vlan interface103 quit SwitchB interface Vlan interface 101 SwitchB Vlan interface101 pim sm...

Page 536: ... display msdp brief MSDP Peer Brief Information Peer s Address State Up Down time AS SA Count Reset Count 2 2 2 2 Up 00 48 21 2 0 View the brief MSDP peer information on Switch D SwitchD display msdp brief MSDP Peer Brief Information Peer s Address State Up Down time AS SA Count Reset Count 1 1 1 1 Up 00 50 22 2 0 When Source 1 10 110 5 100 24 sends multicast data to multicast group G 225 1 1 1 Re...

Page 537: ...state II Analysis An MSDP peer relationship between the locally configured connect interface interface address and the configured peer address is based on a TCP connection If the address of local connect interface interface is inconsistent with the peer address configured on the peer router no TCP connection can be established If there is no route between the two peers no TCP connection can be est...

Page 538: ...omain will be advertised Before the import source command is executed the system will send all S G entries in the local multicast domain If the MSDP fails to send the S G entries of the local multicast domain through SA messages verify that the import source command is configured correctly III Solution 1 Check the connectivity of the route between the routers Use the display ip routing table comma...

Page 539: ...nternet Group Management Protocol Snooping IGMP Snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups 6 1 1 Principle of IGMP Snooping By analyzing received IGMP messages a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings As shown in Fi...

Page 540: ...e 6 1 Before and after IGMP Snooping is enabled on Layer 2 device 6 1 2 Basic Concepts in IGMP Snooping I IGMP Snooping related ports As shown in Figure 6 2 Router A connects to the multicast source IGMP Snooping runs on Switch A and Switch B Host A and Host C are receiver hosts namely multicast group members Router A Switch A Switch B GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 Receiver Receiver Host...

Page 541: ... initialized to the aging time of the route port IGMP general query or PIM hello The switch removes this port from its router port list Member port aging timer When a port joins a multicast group the switch sets a timer for the port which is initialized to the member port aging time IGMP membership report The switch removes this port from the multicast group forwarding table 6 1 3 Work Mechanism o...

Page 542: ...ticast group still exist under non router ports the hosts will stop sending reports when they receive the message and this prevents the switch from knowing if members of that multicast group are still attached to these ports For the description of IGMP report suppression mechanism refer to Work Mechanism of IGMPv1 III When receiving a leave message When an IGMPv1 host leaves a multicast group the ...

Page 543: ...he member port before its aging timer expires as a response to the IGMP group specific query this means that no members of that multicast group still exist under the port the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires Caution After an Ethernet switch enables IGMP Snooping when it receives the IGMP leave message sent by a hos...

Page 544: ...Ns Caution z Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously they cannot run simultaneously on a VLAN or its corresponding VLAN interface z Before enabling IGMP Snooping in a VLAN be sure to enable IGMP Snooping globally in system view otherwise the IGMP Snooping settings will not take effect z If IGMP Snooping and VLAN VPN are enabled on a VLAN at t...

Page 545: ...addresses should be configured for different multicast sources because IGMPv3 Snooping cannot distinguish multicast data from different sources to the same multicast group 6 2 3 Configuring Timers This section describes how to configure the aging timer of the router port the aging timer of the multicast member ports and the query response timer Follow these steps to configure timers To do Use the ...

Page 546: ...em view Follow these steps to enable fast leave processing in system view To do Use the command Remarks Enter system view system view Enable fast leave processing igmp snooping fast leave vlan vlan list Required By default the fast leave processing feature is disabled II Enabling fast leave processing in Ethernet port view Follow these steps to enable fast leave processing in Ethernet view To do U...

Page 547: ...onfiguring a Multicast Group Filter On an IGMP Snooping enabled switch the configuration of a multicast group allows the service provider to define restrictions on multicast programs available to different users In an actual application when a user requests a multicast program the user s host initiates an IGMP report Upon receiving this report message the switch checks the report against the ACL r...

Page 548: ...icast packets to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function z The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified if one or more VLANs are specified the configuration takes effect on all ports in the specified VLAN s z The configuration performed in Ethernet port view takes ef...

Page 549: ...multicast packets 6 2 7 Configuring IGMP Snooping Querier In an IP multicast network running IGMP a multicast router is responsible for sending IGMP general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch is called IGMP querier However a Layer 2 multi...

Page 550: ... 0 0 0 0 6 2 8 Suppressing Flooding of Unknown Multicast Traffic in a VLAN With IGMP Snooping enabled in a VLAN multicast traffic for unknown multicast groups is flooded within the VLAN by default This wastes network bandwidth and affects multicast forwarding efficiency With the unknown multicast flooding suppression function enabled when receiving a multicast packet for an unknown multicast group...

Page 551: ...st group I In Ethernet port view Follow these steps to configure a static multicast group member port in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the current port as a static member port for a multicast group in a VLAN multicast static group group address vlan vlan id Required By defa...

Page 552: ... port in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the current port as a static router port multicast static router port vlan vlan id Required By default no static router port is configured II In VLAN view Follow these steps to configure a static router port in VLAN view To do Use the ...

Page 553: ...r Configure the current port as a simulated multicast group member igmp host join group address source ip source address vlan vlan id Required Simulated joining is disabled by default Caution z Before configuring a simulated host enable IGMP Snooping in VLAN view first z The port to be configured must belong to the specified VLAN otherwise the configuration does not take effect z You can use the s...

Page 554: ...network bandwidth In an IGMP Snooping environment by configuring a multicast VLAN and adding ports to the multicast VLAN you can allow users in different VLANs to share the same multicast VLAN This saves bandwidth because multicast streams are transmitted only within the multicast VLAN In addition because the multicast VLAN is isolated from user VLANs this method also enhances the information secu...

Page 555: ...on the Layer 2 switch To do Use the command Remarks Enter system view system view Enable IGMP Snooping igmp snooping enable Enter VLAN view vlan vlan id Enable IGMP Snooping igmp snooping enable Required Enable multicast VLAN service type multicast Required Return to system view quit Enter Ethernet port view for the Layer 3 switch interface interface type interface number Define the port as a trun...

Page 556: ... a multicast VLAN the router port must be configured as a trunk port or a hybrid port that allows tagged packets to pass for the multicast VLAN Otherwise all the multicast member ports in this multicast VLAN cannot receive multicast packets z The multicast VLAN function and the VLAN mapping function cannot be configured at the same time 6 3 Displaying and Maintaining IGMP Snooping To do Use the co...

Page 557: ...icast data to the multicast group 224 1 1 1 Host A and Host B are receivers of the multicast group 224 1 1 1 II Network diagram Multicast packets Source Router A Switch A Receiver Receiver Host B Host A Host C 1 1 1 1 24 GE1 0 4 GE1 0 2 GE1 0 3 IGMP querier GE1 0 1 GE1 0 1 10 1 1 1 24 GE1 0 2 1 1 1 2 24 VLAN100 Figure 6 3 Network diagram for IGMP Snooping configuration III Configuration procedure ...

Page 558: ... snooping enable SwitchA vlan100 quit 4 Verify the configuration View the detailed information of the multicast group in VLAN 100 on Switch A SwitchA display igmp snooping group vlan100 Total 1 IP Group s Total 1 MAC Group s Vlan id 100 Total 1 IP Group s Total 1 MAC Group s Static Router port s Dynamic Router port s GigabitEthernet1 0 1 IP group s the following ip group s match to one mac group I...

Page 559: ... 2 switch z VLAN 2 contains GigabitEthernet 1 0 1 and VLAN 3 contains GigabitEthernet 1 0 2 z The default VLANs of GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 are VLAN 2 and VLAN 3 respectively z VLAN 10 contains GigabitEthernet 1 0 10 GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 GigabitEthernet 1 0 10 is connected to Switch A z VLAN 10 is a multicast VLAN z GigabitEthernet 1 0 1 sends unta...

Page 560: ...ernet 1 0 1 SwitchA vlan20 quit SwitchA interface Vlan interface 20 SwitchA Vlan interface20 ip address 168 10 1 1 255 255 255 0 SwitchA Vlan interface20 pim dm SwitchA Vlan interface20 quit Configure VLAN 10 SwitchA vlan 10 SwitchA vlan10 quit Define GigabitEthernet 1 0 10 as a hybrid port add the port to VLAN 10 and configure the port to forward tagged packets for VLAN 10 SwitchA interface Gigab...

Page 561: ...lan 2 3 10 tagged SwitchB GigabitEthernet1 0 10 quit Define GigabitEthernet 1 0 1 as a hybrid port add the port to VLAN 2 and VLAN 10 configure the port to forward untagged packets for VLAN 2 and VLAN 10 and set VLAN 2 as the default VLAN of the port SwitchB interface GigabitEthernet 1 0 1 SwitchB GigabitEthernet1 0 1 port link type hybrid SwitchB GigabitEthernet1 0 1 port hybrid vlan 2 10 untagge...

Page 562: ...d globally use the igmp snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time If it is only disabled on the corresponding VLAN use the igmp snooping enable command in VLAN view only to enable it on the corresponding VLAN 2 Multicast forwarding table set up by IGMP Snooping is wrong z Use the display igmp snooping group c...

Page 563: ...ng Proxy Checking 1 20 1 4 2 Configuring Client Version Checking 1 21 1 4 3 Enabling DHCP triggered Authentication 1 22 1 4 4 Configuring Guest VLAN 1 22 1 4 5 Configuring 802 1x Re Authentication 1 23 1 4 6 Configuring the 802 1x Re Authentication Timer 1 23 1 5 Displaying and Maintaining 802 1x Configuration 1 24 1 6 Configuration Example 1 24 1 6 1 802 1x Configuration Example 1 24 Chapter 2 Qu...

Page 564: ...ion 4 1 4 1 System Guard Overview 4 1 4 1 1 Guard Against IP Attacks 4 1 4 1 2 Guard Against TCN Attacks 4 1 4 1 3 Layer 3 Error Control 4 1 4 2 Configuring System Guard 4 1 4 2 1 Configuring System Guard Against IP Attacks 4 1 4 2 2 Configuring System Guard Against TCN Attacks 4 2 4 2 3 Enabling Layer 3 Error Control 4 3 4 3 Displaying and Maintaining System Guard Configuration 4 3 ...

Page 565: ... Advanced 802 1x Configuration z Displaying and Maintaining 802 1x Configuration z Configuration Example 1 1 Introduction to 802 1x The 802 1x protocol 802 1x for short was developed by IEEE802 LAN WAN committee to address security issues of wireless LANs It was then used in Ethernet as a common access control mechanism for LAN ports to address mainly authentication and security problems 802 1x is...

Page 566: ...L z The authenticator system is another entity residing at one end of a LAN segment It authenticates the connected supplicant systems The authenticator system is usually an 802 1x supported network device such as a H3C series switch It provides the port physical or logical for the supplicant system to access the LAN z The authentication server system is an entity that provides authentication servi...

Page 567: ...tate In this case no packets can pass through it z Controlled port and uncontrolled port are two properties of a port Packets reaching a port are visible to both the controlled port and uncontrolled port of the port III The valid direction of a controlled port When a controlled port is in unauthorized state you can configure it to be a unidirectional port which sends packets to supplicant systems ...

Page 568: ...passes the information about the supplicant system to the authenticator system The authenticator system in turn determines the state authorized or unauthorized of the controlled port according to the instructions accept or reject received from the RADIUS server 1 1 3 Encapsulation of EAPoL Messages I The format of an EAPoL packet EAPoL is a packet encapsulation format defined in 802 1x To enable E...

Page 569: ...upplicant system and the authenticator system EAP packets are encapsulated by RADIUS protocol to allow them successfully reach the authentication servers Network management related information such as alarming information is encapsulated in EAPoL Encapsulated ASF Alert packets which are terminated by authenticator systems II The format of an EAP packet For an EAPoL packet with the value of the Typ...

Page 570: ... a RADIUS protocol packet for EAP authentication Refer to the Introduction to RADIUS protocol section in the AAA Operation for information about the format of a RADIUS protocol packet The EAP message field whose format is shown in Figure 1 6 is used to encapsulate EAP packets The maximum size of the string field is 253 bytes EAP packets with their size larger than 253 bytes are fragmented and are ...

Page 571: ...ecurity and Protected Extensible Authentication Protocol PEAP are available in the EAP relay mode z EAP MD5 authenticates the supplicant system The RADIUS server sends MD5 keys contained in EAP request MD5 challenge packets to the supplicant system which in turn encrypts the passwords using the MD5 keys z EAP TLS allows the supplicant system and the RADIUS server to check each other s security cer...

Page 572: ...2 1x client to initiate an access request by sending an EAPoL start packet to the switch with its user name and password provided The 802 1x client program then forwards the packet to the switch to start the authentication process z Upon receiving the authentication request packet the switch sends an EAP request identity packet to ask the 802 1x client for the user name z The 802 1x client respond...

Page 573: ... to allow the supplicant system to access the network z The supplicant system can also terminate the authenticated state by sending EAPoL Logoff packets to the switch The switch then changes the port state from accepted to rejected Note In EAP relay mode packets are not modified during transmission Therefore if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticate ...

Page 574: ...s that in the EAP relay mode except that the randomly generated key in the EAP terminating mode is generated by the switch and that it is the switch that sends the user name the randomly generated key and the supplicant system encrypted password to the RADIUS server for further authentication 1 1 5 Timers Used in 802 1x In 802 1 x authentication the following timers are used to ensure that the sup...

Page 575: ...em if the switch does not receive the response from the supplicant system when this timer times out z Transmission timer tx period This timer sets the tx period and is triggered by the switch in two cases The first case is when the client requests for authentication The switch sends a unicast request identity packet to a supplicant system and then triggers the transmission timer The switch sends a...

Page 576: ...stem but sends no Trap packets z Sends Trap packets without disconnecting the supplicant system This function needs the cooperation of 802 1x client and a CAMS server z The 802 1x client needs to be capable of detecting multiple network adapters proxies and IE proxies z The CAMS server is configured to disable the use of multiple network adapters proxies or IE proxies By default an 802 1x client p...

Page 577: ... enables supplicant systems that are not authenticated to upgrade their 802 1x client programs With this function enabled z The switch sends authentication triggering request EAP Request Identity packets to all the 802 1x enabled ports z After the maximum number retries have been made and there are still ports that have not sent any response back the switch will then add these ports to the guest V...

Page 578: ...the username and password any more z An authentication server running CAMS authenticates the username and password during re authentication of a user in the EAP authentication mode but does not in PAP or CHAP authentication mode PC Internet PC PC RADIUS Server Switch Figure 1 10 802 1x re authentication 802 1x re authentication can be enabled in one of the following two ways z The RADIUS server ha...

Page 579: ...n AAA scheme Local authentication RADIUS scheme 802 1x configuration Figure 1 11 802 1x configuration z 802 1x users use domain names to associate with the ISP domains configured on switches z Configure the AAA scheme a local authentication scheme or a RADIUS scheme to be adopted in the ISP domain z If you specify to use a local authentication scheme you need to configure the user names and passwo...

Page 580: ...lt 802 1x is disabled globally In system view dot1x interface interface list interface interface type interface number dot1x Enable 802 1x for specified ports In port view quit Required By default 802 1x is disabled on all ports In system view dot1x port control authorized force unauthorized force auto interface interface list interface interface type interface number dot1x port control authorized...

Page 581: ...uthentication method chap pap eap Optional By default a switch performs CHAP authentication in EAP terminating mode Enable online user handshaking dot1x handshake enable Optional By default online user handshaking is enabled Enter Ethernet port view interface interface type interface number Enable the handshake packet protection function dot1x handshake secure Optional By default the handshake pac...

Page 582: ...her or not a user is online z As clients that are not of H3C do not support the online user handshaking function switches cannot receive handshake acknowledgement packets from them in handshaking periods To prevent users being falsely considered offline you need to disable the online user handshaking function in this case z The handshake packet protection function requires the cooperation of the c...

Page 583: ... by default Set 802 1x timers dot1x timer handshake period handshake period value quiet period quiet period value server timeout server timeout value supp timeout supp timeout value tx period tx period value ver period ver period value Optional The settings of 802 1x timers are as follows 1 handsha ke perio d value 15 seconds 2 quiet per iod value 60 seconds 3 server ti meout v alue 100 seconds 4 ...

Page 584: ...detecting and so on z Client version checking configuration z DHCP triggered authentication z Guest VLAN configuration z 802 1x re authentication configuration z Configuration of the 802 1x re authentication timer You need to configure basic 802 1x functions before configuring the above 802 1x features 1 4 1 Configuring Proxy Checking Follow these steps to configure proxy checking To do Use the co...

Page 585: ...switch too by using the dot1x version check command 1 4 2 Configuring Client Version Checking Follow these steps to configure client version checking To do Use the command Remarks Enter system view system view In system view dot1x version check interface interface list interface interface type interface number dot1x version check Enable 802 1x client version checking In port view quit Required By ...

Page 586: ...ynamic IP addresses through DHCP Follow these steps to enable DHCP triggered authentication To do Use the command Remarks Enter system view system view Enable DHCP triggered authentication dot1x dhcp launch Required By default DHCP triggered authentication is disabled 1 4 4 Configuring Guest VLAN Follow these steps to configure guest VLAN To do Use the command Remarks Enter system view system view...

Page 587: ...t s In port view dot1x re authenticate Required By default 802 1x re authentication is disabled on a port Note z To enable 802 1x re authentication on a port you must first enable 802 1x globally and on the port z When re authenticating a user a switch goes through the complete authentication process It transmits the username and password of the user to the server The server may authenticate the u...

Page 588: ...the value of the Session timeout attribute field as the re authentication interval The following introduces how to configure the 802 1x re authentication timer on the switch Follow these steps to configure the re authentication interval To do Use the command Remarks Enter system view system view Configure a re authentication interval dot1x timer reauth period reauth period value Optional By defaul...

Page 589: ...f 10 11 1 1 operates as the primary authentication server and the secondary accounting server The other operates as the secondary authentication server and primary accounting server The password for the switch and the authentication RADIUS servers to exchange message is name And the password for the switch and the accounting RADIUS servers to exchange message is money The switch sends another pack...

Page 590: ... radius1 Assign IP addresses to the primary authentication and accounting RADIUS servers Sysname radius radius1 primary authentication 10 11 1 1 Sysname radius radius1 primary accounting 10 11 1 2 Assign IP addresses to the secondary authentication and accounting RADIUS server Sysname radius radius1 secondary authentication 10 11 1 2 Sysname radius radius1 secondary accounting 10 11 1 1 Set the pa...

Page 591: ... server is invalid specify to adopt the local authentication scheme Sysname isp aabbcc net scheme radius scheme radius1 local Specify the maximum number of users the user domain can accommodate to 30 Sysname isp aabbcc net access limit enable 30 Enable the idle disconnecting function and set the related parameters Sysname isp aabbcc net idle cut enable 20 2000 Sysname isp aabbcc net quit Set the d...

Page 592: ...ovides the forcible deployment of EAD clients with 802 1x authentication easing the work of EAD client deployment 2 1 2 Operation of Quick EAD Deployment Quick EAD deployment is achieved with the two functions restricted access and HTTP redirection I Restricted access Before passing 802 1x authentication a user is restricted through ACLs to a specific range of IP addresses or a specific server Ser...

Page 593: ...e 802 1x on the switch z Set the access mode to auto for 802 1x enabled ports 2 2 2 Configuration Procedure I Configuring a free IP range A free IP range is an IP range that users can access before passing 802 1x authentication Follow these steps to configure a free IP range To do Use the command Remarks Enter system view system view Configure the URL for HTTP redirection dot1x url url string Requ...

Page 594: ...ot support port security The configured free IP range cannot take effect if you enable port security II Setting the ACL timeout period The quick EAD deployment function depends on ACLs in restricting access of users failing authentication Each online user that has not passed authentication occupies a certain amount of ACL resources After a user passes authentication the occupied ACL resources will...

Page 595: ...2 3 Quick EAD Deployment Configuration Example I Network requirements A user connects to the switch directly The switch connects to the Web server and the Internet The user will be redirected to the Web server to download the authentication client and upgrade software when accessing the Internet through IE before passing authentication After passing authentication the user can access the Internet ...

Page 596: ...rmat other than the dotted decimal notation the user may not be redirected This is related with the operating system used on the PC In this case the PC considers the IP address string a name and tries to resolve the name If the resolution fails the PC will access a specific website Generally this address is not in dotted decimal notation As a result the PC cannot receive any ARP response and there...

Page 597: ...the 802 1x authentications when traveling between HABP enabled switches through which management devices can obtain the MAC addresses of the attached switches and thus the management of the attached switches is feasible HABP is built on the client server model Typically the HABP server sends HABP requests to the client periodically to collect the MAC address es of the attached switch es The client...

Page 598: ...r an HABP server to send HABP request packets is 20 seconds 3 3 HABP Client Configuration HABP clients reside on switches attached to HABP servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to enable HABP on a switch to make it an HABP client Follow these steps to configure an HABP client To do Use the command Remarks Enter system view syst...

Page 599: ...on Manual 802 1x and System Guard H3C S5600 Series Ethernet Switches Chapter 3 HABP Configuration 3 3 To do Use the command Remarks Display statistics on HABP packets display habp traffic Available in any view ...

Page 600: ...rwarding packets for that host z If the packets from the infected host need processing by the CPU the switch decreases the precedence of such packets and discards the packets already delivered to the CPU 4 1 2 Guard Against TCN Attacks System Guard monitors the rate at which TCN TC packets are received on the ports If a port receives an excessive number of TCN TC packets within a given period of t...

Page 601: ...shold is 30 record times threshold is 1 and isolate time is 3 Note The correlations among the arguments of the system guard ip detect threshold command can be clearly described with this example If you set ip record threshold record times threshold and isolate time to 30 1 and 3 respectively when the system detects successively three times that over 50 IP packets destined for an address other that...

Page 602: ...n a 10 second monitoring cycle the system will not send trap or log information in the next 10 second monitoring cycle 4 2 3 Enabling Layer 3 Error Control Follow these steps to enable Layer 3 error control To do Use the command Remarks Enter system view system view Enable Layer 3 error control system guard l3err enable Required Enabled by default 4 3 Displaying and Maintaining System Guard Config...

Page 603: ...2 2 3 Configuring RADIUS Accounting Servers 2 14 2 2 4 Configuring Shared Keys for RADIUS Messages 2 16 2 2 5 Configuring the Maximum Number of RADIUS Request Transmission Attempts 2 17 2 2 6 Configuring the Type of RADIUS Servers to be Supported 2 17 2 2 7 Configuring the Status of RADIUS Servers 2 18 2 2 8 Configuring the Attributes of Data to be Sent to RADIUS Servers 2 19 2 2 9 Configuring the...

Page 604: ...tion 2 33 2 5 AAA Configuration Examples 2 33 2 5 1 Remote RADIUS Authentication of Telnet SSH Users 2 33 2 5 2 Local Authentication of FTP Telnet Users 2 35 2 5 3 HWTACACS Authentication and Authorization of Telnet Users 2 36 2 6 Troubleshooting AAA 2 37 2 6 1 Troubleshooting RADIUS Configuration 2 37 2 6 2 Troubleshooting HWTACACS Configuration 2 38 Chapter 3 EAD Configuration 3 1 3 1 Introducti...

Page 605: ...fines what users can access the network z Authorization Defines what services can be available to the users who can access the network and z Accounting Defines how to charge the users who are using network resources Typically AAA operates in the client server model the client runs on the managed resources side while the server stores the user information Thus AAA is well scalable and can easily im...

Page 606: ...ization are combined together and authorization cannot be performed alone without authentication z HWTACACS authorization Users are authorized by a TACACS server 1 1 3 Accounting AAA supports the following accounting methods z None accounting No accounting is performed for users z Remote accounting User accounting is performed on a remote RADIUS or TACACS server 1 1 4 Introduction to ISP Domain An...

Page 607: ...n a computer or workstation at the center It stores and maintains user authentication information and network service access information z Client RADIUS Client runs on network access servers throughout the network RADIUS operates in the client server model z A switch acting as a RADIUS client passes user information to a specified RADIUS server and takes appropriate action such as establishing ter...

Page 608: ...age exchange procedure of RADIUS The basic message exchange procedure of RADIUS is as follows 1 The user enters the username and password 2 The RADIUS client receives the username and password and then sends an authentication request Access Request to the RADIUS server 3 The RADIUS server compares the received user information with that in the Users database to authenticate the user If the authent...

Page 609: ...following mechanisms timer management retransmission and backup server Figure 1 3 depicts the format of RADIUS messages Figure 1 3 RADIUS message format 1 The Code field one byte decides the type of RADIUS message as shown in Table 1 1 Table 1 1 Description on the major values of the Code field Code Message type Message description 1 Access Request Direction client server The client transmits this...

Page 610: ...for a previous request but remains unchanged for message retransmission 3 The Length field two bytes specifies the total length of the message including the Code Identifier Length Authenticator and Attributes fields The bytes beyond the length are regarded as padding and are ignored upon reception If a received message is shorter than what the Length field indicates it is discarded 4 The Authentic...

Page 611: ...AT Group 15 Login Service 37 Framed AppleTalk Link 16 Login TCP Port 38 Framed AppleTalk Network 17 unassigned 39 Framed AppleTalk Zone 18 Reply Message 40 59 reserved for accounting 19 Callback Number 60 CHAP Challenge 20 Callback ID 61 NAS Port Type 21 unassigned 62 Port Limit 22 Framed Route 63 Login LAT Port The RADIUS protocol has good scalability Attribute 26 Vender Specific defined in this ...

Page 612: ...ces between HWTACACS and RADIUS Table 1 3 Differences between HWTACACS and RADIUS HWTACACS RADIUS Adopts TCP providing more reliable network transmission Adopts UDP Encrypts the entire message except the HWTACACS header Encrypts only the password field in authentication message Separates authentication from authorization For example you can use one TACACS server for authentication and another TACA...

Page 613: ...ACACS server Figure 1 5 Network diagram for a typical HWTACACS application II Basic message exchange procedure in HWTACACS The following text takes telnet user as an example to describe how HWTACACS implements authentication authorization and accounting for a user Figure 1 6 illustrates the basic message exchange procedure ...

Page 614: ...ation start request to the TACACS server 2 The TACACS server returns an authentication response asking for the username Upon receiving the response the TACACS client requests the user for the username 3 After receiving the username from the user the TACACS client sends an authentication continuance message carrying the username 4 The TACACS server returns an authentication response asking for the ...

Page 615: ...returns an authorization response indicating that the user has passed the authorization 9 After receiving the response indicating an authorization success the TACACS client pushes the configuration interface of the switch to the user 10 The TACACS client sends an accounting start request to the TACACS server 11 The TACACS server returns an accounting response indicating that it has received the ac...

Page 616: ...reating an ISP Domain and Configuring Its Attributes Required Configuring a combined AAA scheme Required None authentication Local authentication RADIUS authentication Configuring an AAA Scheme for an ISP Domain HWTACACS authentication z Use one of the authentication methods z You need to configure RADIUS or HWATACACS before performing RADIUS or HWTACACS authentication Configuring Dynamic VLAN Ass...

Page 617: ...g the Attributes of a Local User Optional AAA configuration Cutting Down User Connections Forcibly Optional 2 1 1 Creating an ISP Domain and Configuring Its Attributes Follow these steps to create an ISP domain and configure its attributes To do Use the command Remarks Enter system view system view Configure the form of the delimiter between the username and the ISP domain name domain delimiter at...

Page 618: ...senger function is disabled Set the self service server location function self service url disable enable url string Optional By default the self service server location function is disabled Note that z On an S5600 series switch each access user belongs to an ISP domain You can configure up to 16 ISP domains on the switch When a user logs in if no ISP domain name is carried in the username the swi...

Page 619: ...ther networking devices such as switches in a network a CAMS server can implement the AAA functions and right management 2 1 2 Configuring an AAA Scheme for an ISP Domain You can configure either a combined AAA scheme or separate AAA schemes I Configuring a combined AAA scheme You can use the scheme command to specify an AAA scheme for an ISP domain Follow these steps to configure a combined AAA s...

Page 620: ...re is a key error or NAS IP error the local scheme is used z If you execute the scheme local or scheme none command to adopt local or none as the primary scheme the local authentication is performed or no authentication is performed In this case you cannot specify any RADIUS scheme or HWTACACS scheme at the same time z If you configure to use none as the primary scheme FTP users of the domain cann...

Page 621: ...rization scheme is configured Configure an accounting scheme for the ISP domain accounting none radius scheme radius scheme name hwtacacs scheme hwtacacs scheme name Optional By default no separate accounting scheme is configured Note z RADIUS scheme and local scheme do not support the separation of authentication and authorization Therefore pay attention when you make authentication and authoriza...

Page 622: ...sers to different VLANs according to the attributes assigned by the RADIUS server so as to control the network resources that different users can access Currently the switch supports the following two types of assigned VLAN IDs integer and string z Integer If the RADIUS authentication server assigns integer type of VLAN IDs you can set the VLAN assignment mode to integer on the switch this is also...

Page 623: ...integer VLAN ID the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range if it is the switch adds the authenticated port to the VLAN with the integer value as the VLAN ID VLAN 1024 for example z To implement dynamic VLAN assignment on a port where both MSTP and 802 1x are enabled you must set the MSTP port to an edge port 2 1 4 Configuring the Attr...

Page 624: ...t network services Authorize the user to access specified type s of service service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize the user to access any service Set the privilege level of the user level level Optional By default the privilege level of the user is 0 Configure the authorized VLAN for the local user authorization vlan string Req...

Page 625: ...evel that a user can access after login is determined by the level of the user interface z If the clients connected to a port have different authorized VLANs only the first client passing the MAC address authentication can be assigned with an authorized VLAN The switch will not assign authorized VLANs for subsequent users passing MAC address authentication In this case you are recommended to conne...

Page 626: ... Configuring RADIUS Authentication Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS Messages Optional Configuring the Maximum Number of RADIUS Request Transmission Attempts Optional Configuring the Type of RADIUS Servers to be Supported Optional Configuring the Status of RADIUS Servers Optional Configuring the Attributes of Data to be...

Page 627: ...er to the configuration of the RADIUS client The RADIUS service configuration is performed on a RADIUS scheme basis In an actual network environment you can either use a single RADIUS server or two RADIUS servers primary and secondary servers with the same configuration but different IP addresses in a RADIUS scheme After creating a new RADIUS scheme you should configure the IP address and UDP port...

Page 628: ...e steps to create a RADIUS scheme To do Use the command Remarks Enter system view system view Enable RADIUS authentication port radius client enable Optional By default RADIUS authentication port is enabled Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Note A RADIUS scheme can be re...

Page 629: ...not and cannot specify a separate RADIUS authorization server z In an actual network environment you can specify one server as both the primary and secondary authentication authorization servers as well as specifying two RADIUS servers as the primary and secondary authentication authorization servers respectively z The IP address and port number of the primary authentication server used by the def...

Page 630: ...t buffering stop accounting buffe r enable Optional By default stop accounting request buffering is enabled Set the maximum number of transmission attempts of a buffered stop accounting request retry stop accounting retry times Optional By default the system tries at most 500 times to transmit a buffered stop accounting request Set the maximum allowed number of continuous real time accounting fail...

Page 631: ...er of continuously failed real time accounting requests to the RADIUS server reaches the set maximum number the switch cuts down the user connection z The IP address and port number of the primary accounting server of the default RADIUS scheme system are 127 0 0 1 and 1646 respectively z Currently RADIUS does not support the accounting of FTP users 2 2 4 Configuring Shared Keys for RADIUS Messages...

Page 632: ...or the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires If the switch gets no answer after it has tried the maximum number of times to transmit the request the switch considers that the request fails Follow these steps to configure the maximum transmission attempts of a RADIUS request To do Use the command Remarks Enter sy...

Page 633: ... the Status of RADIUS Servers For the primary and secondary servers authentication authorization servers or accounting servers in a RADIUS scheme When the switch fails to communicate with the primary server due to some server trouble the switch will turn to the secondary server and exchange messages with the secondary server After the primary server remains in the block state for a set time set by...

Page 634: ... on server state secondary authentication block active Set the status of the secondary RADIUS accounting server state secondary accounting block active Optional By default the RADIUS servers specified with IP addresses in the RADIUS scheme are all in the active state 2 2 8 Configuring the Attributes of Data to be Sent to RADIUS Servers Follow these steps to configure the attributes of data to be s...

Page 635: ... for outgoing RADIUS flows are byte and one packet respectively Set the MAC address format of the Calling Station Id Type 31 field in RADIUS packets calling station id mode mode1 mode2 lowercase uppercase Optional By default the MAC address format is XXXX XXXX XXXX in lowercase RADIUS scheme view nas ip ip address Set the source IP address of outgoing RADIUS messages System view radius nas ip ip a...

Page 636: ... may occur the RADIUS server regards two different users having the same name but belonging to different ISP domains as the same user because the usernames sent to it are the same z In the default RADIUS scheme system ISP domain names are removed from usernames by default z The purpose of setting the MAC address format of the Calling Station Id Type 31 field in RADIUS packets is to improve the swi...

Page 637: ...uthentication authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server z The switch supports IP addresses and shared keys for up to 16 network access servers NAS That is when acting as the local RADIUS server the switch can provide authentication service to up to...

Page 638: ...an set the real time accounting interval After the setting the switch periodically sends online users accounting information to RADIUS server at the set interval Follow these steps to set timers for RADIUS servers To do Use the command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system ha...

Page 639: ...thorization and accounting server is CAMS In an environment that a CAMS server is used to implement AAA functions if the switch reboots after an exclusive user a user whose concurrent online number is set to 1 on the CAMS gets authenticated and authorized and begins being charged the switch will give a prompt that the user has already been online when the user re logs into the network before the C...

Page 640: ...he Accounting On message any more Note The switch can automatically generate the main attributes NAS ID NAS IP address and session ID contained in Accounting On messages However you can also manually configure the NAS IP address with the nas ip command If you choose to manually configure the attribute be sure to configure an appropriate valid IP address If this attribute is not configured the swit...

Page 641: ...ptional Configuring the TACACS server Refer to the configuration of TACACS servers 2 3 1 Creating a HWTACACS Scheme The HWTACACS protocol configuration is performed on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Follow these steps to create a HWTACACS scheme To do Use the command Remarks Enter system view system vie...

Page 642: ... port number of the secondary TACACS authentication server secondary authentication ip address port Optional By default the IP address of the secondary authentication server is 0 0 0 0 and the port number is 0 Caution z You are not allowed to configure the same IP address for both primary and secondary authentication servers If you do this the system will prompt that the configuration fails z You ...

Page 643: ...o this the system will prompt that the configuration fails z You can remove a server only when it is not used by any active TCP connection for sending authorization messages 2 3 4 Configuring TACACS Accounting Servers Follow these steps to configure TACACS accounting servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwta...

Page 644: ...figuring Shared Keys for HWTACACS Messages When using a TACACS server as an AAA server you can set a key to improve the communication security between the switch and the TACACS server The TACACS client and server adopt MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties The two parties verify the validity of the HWTACACS messages received from each other by...

Page 645: ...s data flow format packet giga packet kilo packet mega packet one packet Optional By default in a TACACS scheme the data unit and packet unit for outgoing HWTACACS flows are byte and one packet respectively HWTACACS scheme view nas ip ip address Set the source IP address of outgoing HWTACACS messages System view hwtacacs nas ip ip address Optional By default no source IP address is set the IP addr...

Page 646: ...s Optional By default the switch must wait five minutes before it can restore the status of the primary server to active Set the real time accounting interval timer realtime accounting minutes Optional By default the real time accounting interval is 12 minutes Caution z To control the interval at which users are charge in real time you can set the real time accounting interval After the setting th...

Page 647: ...r name user name Display information about local users display local user domain isp name idle cut disable enable vlan vlan id service type ftp lan access ssh telnet terminal state active block user name user name Available in any view 2 4 2 Displaying and Maintaining RADIUS Protocol Configuration To do Use the command Remarks Display RADIUS message statistics about local RADIUS server display loc...

Page 648: ...mes display hwtacacs hwtacacs scheme name statistics Display buffered non response stop accounting requests display stop accounting buffer hwtacacs scheme hwtacacs scheme name Available in any view Clear HWTACACS message statistics reset hwtacacs statistics accounting authentication authorization all Delete buffered non response stop accounting requests reset stop accounting buffer hwtacacs scheme...

Page 649: ...he RADIUS server set the shared key it uses to exchange messages with the switch to aabbcc set the authentication port number and add Telnet usernames and login passwords The Telnet usernames added to the RADIUS server must be in the format of userid isp name if you have configured the switch to include domain names in the usernames to be sent to the RADIUS server in the RADIUS scheme II Network d...

Page 650: ...the switch by a name in the format of userid cams belongs to the cams domain and will be authenticated according to the configuration of the cams domain 2 5 2 Local Authentication of FTP Telnet Users Note The configuration procedure for local authentication of FTP users is similar to that for Telnet users The following text only takes Telnet users as example to describe the configuration procedure...

Page 651: ...o z Change the server IP address and the UDP port number of the authentication server to 127 0 0 1 and 1645 respectively in the configuration step Configure a RADIUS scheme in Remote RADIUS Authentication of Telnet SSH Users z Enable the local RADIUS server function set the IP address and shared key for the network access server to 127 0 0 1 and aabbcc respectively z Configure local users 2 5 3 HW...

Page 652: ...ation aabbcc Sysname hwtacacs hwtac user name format without domain Sysname hwtacacs hwtac quit Configure the domain name of the HWTACACS scheme to hwtac Sysname domain hwtacacs Sysname isp hwtacacs scheme hwtacacs scheme hwtac 2 6 Troubleshooting AAA 2 6 1 Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP IP protocol suite This protocol prescrib...

Page 653: ... the switch and the RADIUS server is disconnected blocked Take measures to make the links connected unblocked z None or incorrect RADIUS server IP address is set on the switch Be sure to set a correct RADIUS server IP address z One or all AAA UDP port settings are incorrect Be sure to set the same UDP port numbers as those on the RADIUS server Symptom 3 The user passes the authentication and gets ...

Page 654: ...alidity of the session control packets it receives according to the source IP addresses of the packets It regards only those packets sourced from authentication or security policy server as valid z Dynamically adjusts the VLAN rate packet scheduling priority and Access Control List ACL for user terminals according to session control packets whereby to control the access rights of users dynamically...

Page 655: ...users such as username user type and password For local authentication you need to configure these attributes on the switch for remote authentication you need to configure these attributes on the AAA sever z Configuring a RADIUS scheme z Configuring the IP address of the security policy server z Associating the ISP domain with the RADIUS scheme EAD is commonly used in RADIUS authentication environ...

Page 656: ...2 to communicate with the server z Configure the authentication server type to extended z Configure the encryption password for exchanging messages between the switch and RADIUS server to expert z Configure the IP address 10 110 91 166 of the security policy server II Network diagram Figure 3 2 EAD configuration III Configuration procedure Configure 802 1x on the switch Refer to Configuring 802 1x...

Page 657: ...3 4 Sysname radius cams server type extended Configure the IP address of the security policy server Sysname radius cams security policy server 10 110 91 166 Associate the domain with the RADIUS scheme Sysname radius cams quit Sysname domain system Sysname isp system radius scheme cams ...

Page 658: ...hapter 1 Web Authentication Configuration 1 1 1 1 Introduction to Web Authentication 1 1 1 2 Web Authentication Configuration 1 1 1 2 1 Configuration Prerequisites 1 1 1 2 2 Configuring Web Authentication 1 1 1 3 Displaying and Maintaining Web Authentication 1 3 1 4 Web Authentication Configuration Example 1 3 ...

Page 659: ...tware With Web authentication enabled before a user passes the Web authentication it cannot access any network except that it can access the authentication page or some free IP addresses After the user passes the Web authentication it can access any reachable networks 1 2 Web Authentication Configuration 1 2 1 Configuration Prerequisites Configure an ISP domain and an AAA RADIUS scheme for the dom...

Page 660: ... Web authentication on a port quit Required Disabled on port by default Set a free IP address range that can be accessed by users before Web authentication web authentication free ip ip address mask length mask Optional No such address range by default Set an authentication free user web authentication free user ip ip address mac mac address Optional No such user by default Forcibly log out the sp...

Page 661: ...tion is mutually exclusive with functions that depend on ACLs such as IP filtering ARP intrusion detection QoS and port binding z After a user gets online in shared access method if you configure an authentication free user whose IP address and MAC address are the same as those of the online user the online user will be forced to get offline 1 3 Displaying and Maintaining Web Authentication To do ...

Page 662: ... Sysname system view Sysname web authentication web server ip 10 10 10 10 port 8080 Configure a free IP address range so that the user can access free resources before it passes the Web authentication Sysname web authentication free ip 10 20 20 1 24 Enable Web authentication on GigabitEthernet 1 0 1 and set the user access method to designated Sysname interface GigabitEthernet 1 0 1 Sysname Gigabi...

Page 663: ... Reference scheme radius1 in domain aabbcc net Sysname isp aabbcc net scheme radius scheme radius1 Enable Web authentication globally It is recommended to take this step as the last step so as to avoid the case that a valid user cannot access the network due to that some other related configurations are not finished Sysname web authentication enable Now Web authentication takes effect Before the u...

Page 664: ...ts 1 2 1 2 1 MAC Address Authentication Timers 1 2 1 2 2 Quiet MAC Address 1 3 1 3 Configuring Basic MAC Address Authentication Functions 1 3 1 4 MAC Address Authentication Enhanced Function Configuration 1 5 1 4 1 MAC Address Authentication Enhanced Function Configuration Task List 1 5 1 4 2 Configuring a Guest VLAN 1 5 1 4 3 Configuring the Maximum Number of MAC Address Authentication Users Allo...

Page 665: ...uration z MAC Address Authentication Configuration Examples 1 1 MAC Address Authentication Overview MAC address authentication provides a way for authenticating users based on ports and MAC addresses without requiring any client software to be installed on the hosts Once detecting a new MAC address it initiates the authentication process During authentication the user does not need to enter userna...

Page 666: ...ess user while the password may be the MAC address of the user or the fixed password configured which is used depends on your configuration Hyphens must or must not be included depending on the format configured with the mac authentication authmode usernameasmacaddress usernameformat command otherwise the authentication will fail z In fixed mode all users MAC addresses are automatically mapped to ...

Page 667: ... Basic MAC Address Authentication Functions Follow these steps to configure basic MAC address authentication functions To do Use the command Remarks Enter system view system view Enable MAC address authentication globally mac authentication Required Disabled by default In system view mac authentication interface interface list interface interface type interface number mac authentication Enable MAC...

Page 668: ...y default Configure the MAC address authentication timers mac authentication timer offline detect offline detect value quiet quiet value server timeout server timeout value Optional The default timeout values are as follows 300 seconds for offline detect timer 60 seconds for quiet timer and 100 seconds for server timeout timer Caution z If MAC address authentication is enabled on a port you cannot...

Page 669: ...ting configuration tasks in Configuring Basic MAC Address Authentication Functions for a switch this switch can authenticate access users according to their MAC addresses or according to fixed user names and passwords The switch will not learn MAC addresses of the clients failing in the authentication into its local MAC address table thus prevent illegal users from accessing the network In some ca...

Page 670: ...onnected to an existing port failed to pass authentication the switch adds the port to the Guest VLAN Therefore the Guest VLAN can separate unauthenticated users on an access port When it comes to a trunk port or a hybrid port if a packet itself has a VLAN tag and be in the VLAN that the port allows to pass the packet will be forwarded perfectly without the influence of the Guest VLAN That is pack...

Page 671: ...and then configure a new Guest VLAN for this port z 802 1x authentication cannot be enabled for a port configured with a Guest VLAN z The Guest VLAN function for MAC address authentication does not take effect when port security is enabled 1 4 3 Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port You can configure the maximum number of MAC address authentica...

Page 672: ...thentication Configuration To do Use the command Remarks Display global or on port information about MAC address authentication display mac authentication interface interface list Available in any view Clear the statistics of global or on port MAC address authentication reset mac authentication statistics interface interface type interface number Available in user view 1 6 MAC Address Authenticati...

Page 673: ...8 f6 44 c1 z Set the service type to lan access Sysname luser 00 0d 88 f6 44 c1 service type lan access Sysname luser 00 0d 88 f6 44 c1 quit Add an ISP domain named aabbcc net Sysname domain aabbcc net New Domain added Specify to perform local authentication Sysname isp aabbcc net scheme local Sysname isp aabbcc net quit Specify aabbcc net as the ISP domain for MAC address authentication Sysname m...

Page 674: ...cedure of VRRP 1 7 1 1 6 Periodical sending of ARP packets in a VRRP Group 1 8 1 2 VRRP Configuration 1 8 1 2 1 Configuring Basic VRRP Functions 1 8 1 2 2 Configuring Advanced VRRP Functions 1 9 1 3 Displaying and Maintaining VRRP 1 11 1 4 VRRP Configuration Examples 1 12 1 4 1 Single VRRP Group Configuration 1 12 1 4 2 VRRP Tracking Interface Configuration 1 15 1 4 3 Multiple VRRP Group Configura...

Page 675: ... VRRP information is added to this manual Refer to Displaying and Maintaining VRRP for details 1 1 VRRP Overview As shown in Figure 1 1 the following occasions may occur in a stable network z All the hosts in a network set the same gateway as their next hop whose IP address is also known as the next hop address of the default route for example the next hop address of the default route is 10 100 10...

Page 676: ... above through separating physical devices and logical devices In LANs with multicast or broadcast capabilities such as Ethernet VRRP can avoid single point failure through establishing backup links without modifying the configuration of dynamic routing protocols and router discovery protocols 1 1 1 Introduction to VRRP Group VRRP allows you to combine a group of LAN switches including a master an...

Page 677: ...emaining switches are backups The master in a VRRP group is the one currently with the highest priority Switch priority ranges from 0 to 255 a larger number indicates a higher switch priority Note that only 1 through 254 are available to users Switch priorities 0 and 255 are reserved for special uses and the IP address owner respectively When a switch acts as the IP address owner its priority is a...

Page 678: ...tting it The receiver then compares the authentication key of the packet with the locally configured one If they are the same the packet will be taken as a true and legal one Otherwise it will be regarded illegal and discarded z md5 MD5 authentication In a vulnerable network the authentication type can be set to md5 The switch then uses the authentication type provided in the Authentication Header...

Page 679: ...not respond to the ping operations so that you cannot use the ping command to check the network connectivity and whether the configuration of the IP address of a virtual router is successful For S5600 series Ethernet switches you can specify whether the switches in a VRRP group respond to the ping operations destined for the virtual router IP addresses III Mapping relationship between virtual rout...

Page 680: ...p it uses Refer to device specification for details 1 1 3 VRRP Timer There are two types of VRRP timer the VRRP advertisement interval timer and the VRRP preemption delay timer I VRRP advertisement interval timer z The master advertises its normal operation state to the switches within the VRRP group by sending VRRP packets once in each specified interval determined by the adver interval argument ...

Page 681: ...es the priority of the backup tracking the interface become higher and thus the backup becomes the new master II Port tracking function of the VRRP group When a physical port of the master goes down if you want the specified backup to become the master you can use the port tracking function With this function enabled for the VRRP group z If the tracked physical port of the master goes down the pri...

Page 682: ...rtual router there are two cases z If the IP address of the virtual router corresponds to a virtual MAC address the source MAC address in the gratuitous ARP packet will be the virtual MAC address z If the IP address of the virtual router corresponds to an actual MAC address the source MAC address in the gratuitous ARP packet will be the VLAN interface s MAC address of the master in the VRRP group ...

Page 683: ...ity Optional 100 by default Note It is not recommended to configure features related to VRRP group on the Layer 3 interface of a remote probe VLAN Otherwise packet mirroring may be affected 1 2 2 Configuring Advanced VRRP Functions Complete these tasks to configure advanced VRRP functions Task Remarks Configuring the preemptive mode and preemption delay for a switch Optional Configuring VRRP authe...

Page 684: ... the command Remarks Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Configure a virtual router IP address vrrp vrid virtual router id virtual ip virtual address Required Configure the authentication type and authentication key vrrp vrid virtual router id authentication mode authentication type authentication key Optional No authentication is performed by d...

Page 685: ...face interface type interface number Enable the port tracking function vrrp vlan interface vlan id vrid virtual router id track reduced value reduced Required By default the port priority decreases by 10 Note z The port to be tracked can be in the VLAN which the VLAN interface of the VRRP group belongs to z Up to eight ports can be tracked simultaneously through the port tracking function 1 3 Disp...

Page 686: ...visit host B on the Internet The information about the VRRP group is as follows z VRRP group ID 1 z Virtual router IP address 202 38 160 111 24 z Master Switch A z Backup Switch B z Preemptive mode enabled Table 1 1 Network description Switch Ethernet port connecting to Host A IP address of the VLAN interface Switch priority in the VRRP group Preemptive mode LSW A GigabitEthernet 1 0 6 202 38 160 ...

Page 687: ...iguration procedure z Configure Switch A Configure VLAN 3 LSW A system view LSW A vlan 3 LSW A vlan3 port GigabitEthernet1 0 10 LSW A vlan3 quit LSW A interface Vlan interface 3 LSW A Vlan interface3 ip address 10 100 10 2 255 255 255 0 LSW A Vlan interface3 quit Configure VLAN 2 LSW A vlan 2 LSW A vlan2 port GigabitEthernet 1 0 6 LSW A vlan2 quit LSW A interface Vlan interface 2 LSW A Vlan interf...

Page 688: ...ernet1 0 10 LSW B vlan3 quit LSW B interface Vlan interface 3 LSW B Vlan interface3 ip address 10 100 10 3 255 255 255 0 LSW B Vlan interface3 quit Configure VLAN 2 LSW B vlan 2 LSW B Vlan2 port GigabitEthernet 1 0 5 LSW B vlan2 quit LSW B interface Vlan interface 2 LSW B Vlan interface2 ip address 202 38 160 2 255 255 255 0 LSW B Vlan interface2 quit Enable a VRRP group to respond to ping operati...

Page 689: ...e can function as a gateway when the interface on Switch A and connecting to Internet does not function properly This can be implemented by enabling the VLAN interface tracking function The VRRP group ID is set to 1 with configurations of authorization key and timer II Network diagram LSW A Host B LSW B Vlan int3 10 100 10 2 24 Vlan int2 202 38 160 1 24 Vlan int2 202 38 160 2 24 202 38 160 3 24 10...

Page 690: ...the priority for the VRRP group LSW A Vlan interface2 vrrp vrid 1 priority 110 Set the authentication type for the VRRP group to md5 and the password to abc123 LSW A Vlan interface2 vrrp vrid 1 authentication mode md5 abc123 Configure the master to send VRRP packets every 5 seconds LSW A Vlan interface2 vrrp vrid 1 timer advertise 5 Set the tracked VLAN interface LSW A Vlan interface2 vrrp vrid 1 ...

Page 691: ...ctions as the gateway but when VLAN interface 3 on Switch A goes down its priority will be reduced by 30 lower than that of Switch B so that Switch B will preempt the master for gateway services instead When VLAN interface 3 recovers switch A will resume its gateway function as the master 1 4 3 Multiple VRRP Group Configuration I Network requirements A switch can function as a backup of multiple V...

Page 692: ...3 24 Figure 1 5 Network diagram for multiple VRRP group configuration III Configuration procedure z Configure Switch A Configure VLAN 3 LSW A system view LSW A vlan 3 LSW A vlan3 port GigabitEthernet1 0 10 LSW A vlan3 quit LSW A interface Vlan interface 3 LSW A Vlan interface3 ip address 10 100 10 2 255 255 255 0 LSW A Vlan interface3 quit Configure VLAN 2 LSW A vlan 2 LSW A vlan2 port GigabitEthe...

Page 693: ...AN 2 LSW B vlan 2 LSW B vlan2 port GigabitEthernet 1 0 6 LSW B vlan2 quit LSW B interface Vlan interface 2 LSW B Vlan interface2 ip address 202 38 160 2 255 255 255 0 Create VRRP group 1 LSW B Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Create VRRP group 2 LSW B Vlan interface2 vrrp vrid 2 virtual ip 202 38 160 112 Set the priority for VRRP group 2 LSW B Vlan interface2 vrrp vrid 2 prior...

Page 694: ...ers new master being determined in the VRRP group 1 II Network diagram Vlan int3 10 100 10 2 24 Master Network Layer 2 Switch Backup Actual IP address Virtual IP address 202 38 160 111 24 Virtual IP address 202 38 160 111 24 Vlan int2 202 38 160 1 24 Actual IP address Vlan int2 202 38 160 2 24 Figure 1 6 Network diagram for VRRP port tracking configuration III Configuration procedure z Configure t...

Page 695: ... of the inconsistent configuration of the switches within the VRRP group or the attempt of other devices sending illegal VRRP packets z The first possible fault can be solved through modifying the configuration z The second possibility is caused by the malicious attempt of some devices non technical measures should be taken to solve the problem II Symptom 2 More than one master existing within a V...

Page 696: ...es Chapter 1 VRRP Configuration 1 22 III Symptom 3 VRRP state of a switch changing repeatedly Such problems occur when the VRRP group timer interval is too short They can be solved through prolonging the interval or configuring the preemption delay period ...

Page 697: ... Rate Limit Function 1 9 1 3 Configuring Gratuitous ARP 1 10 1 4 Displaying and Debugging ARP 1 11 1 5 ARP Configuration Examples 1 11 1 5 1 ARP Basic Configuration Example 1 11 1 5 2 ARP Attack Detection and Packet Rate Limit Configuration Example 1 12 Chapter 2 Proxy ARP Configuration 2 1 2 1 Proxy ARP Overview 2 1 2 1 1 Introduction to Proxy ARP 2 1 2 1 2 Work Mechanism of Proxy ARP 2 1 2 2 Con...

Page 698: ...imit z The periodical sending of gratuitous ARP packets feature is added For details refer to section Introduction to Gratuitous ARP z The proxy ARP feature is added For details refer to Proxy ARP Configuration 1 1 Introduction to ARP 1 1 1 ARP Function Address Resolution Protocol ARP is used to resolve an IP address into a data link layer address An IP address is the address of a host at the netw...

Page 699: ... bits Protocol type 16 bits Length of hardware address Length of protocol address Operator 16 bits Hardware address of the sender IP address of the sender Hardware address of the receiver IP address of the receiver Figure 1 1 ARP message format Table 1 1 describes the fields of an ARP packet Table 1 1 Description on the fields of an ARP packet Field Description Hardware Type Type of the hardware i...

Page 700: ...e In an Ethernet the MAC addresses of two hosts must be available for the two hosts to communicate with each other Each host in an Ethernet maintains an ARP table where the latest used IP address to MAC address mapping entries are stored S5600 series Ethernet switches provide the display arp command to display the information about ARP mapping entries ARP entries in an S5600 series Ethernet switch...

Page 701: ...ero MAC address Because the ARP request is sent in broadcast mode all hosts on this subnet can receive the request but only the requested host namely Host B will process the request 3 Host B compares its own IP address with the destination IP address in the ARP request If they are the same Host B saves the source IP address and source MAC address into its ARP mapping table encapsulates its MAC add...

Page 702: ...dle attack II ARP attack detection To guard against the man in the middle attacks launched by hackers or attackers S5600 series Ethernet switches support the ARP attack detection function All ARP both request and response packets passing through the switch are redirected to the CPU which checks the validity of all the ARP packets by using the DHCP snooping table or the manually configured IP bindi...

Page 703: ...t on the CPU With this function enabled on a port the switch will count the ARP packets received on the port within each second If the number of ARP packets received on the port per second exceeds the preconfigured value the switch considers that the port is attacked by ARP packets In this case the switch will shut down the port As the port does not receive any packet the switch is protected from ...

Page 704: ...C address the source MAC address in the gratuitous ARP packet will be the virtual MAC address z If the IP address of the virtual router corresponds to an actual MAC address the source MAC address in the gratuitous ARP packet will be the VLAN interface s MAC address of the master switch in the VRRP backup group 1 2 Configuring ARP 1 2 1 Configuring ARP Basic Functions Follow these steps to configur...

Page 705: ...g ARP Attack Detection Follow these steps to configure the ARP attack detection function To do Use the command Remarks Enter system view system view Enable DHCP snooping dhcp snooping Required Disabled by default Enter Ethernet port view interface interface type interface number Specify the current port as a trusted port dhcp snooping trust Required By default after DHCP snooping is enabled all po...

Page 706: ...ving port the ARP packet cannot pass the ARP attack detection based on the IP to MAC bindings z Generally the uplink port of a switch is configured as a trusted port z Before enabling ARP restricted forwarding make sure you have enabled ARP attack detection and configured ARP trusted ports z You are not recommended to configure ARP attack detection on the ports of a fabric or an aggregation group ...

Page 707: ... Note z You need to enable the port state auto recovery feature before you can configure the port state auto recovery interval z You are not recommended to configure the ARP packet rate limit function on the ports of a fabric or an aggregation group 1 3 Configuring Gratuitous ARP Follow these steps to configure gratuitous ARP To do Use the command Remarks Enter system view system view Enable the g...

Page 708: ...ails 1 4 Displaying and Debugging ARP To do Use the command Remarks Display specific ARP mapping table entries display arp static dynamic ip address Display the ARP mapping entries related to a specified string in a specified way display arp dynamic static begin include exclude regular expression Display the number of the ARP entries of a specified type display arp count dynamic static begin inclu...

Page 709: ...1 5 2 ARP Attack Detection and Packet Rate Limit Configuration Example I Network requirements As shown in Figure 1 4 GigabitEthernet 1 0 1 of Switch A connects to DHCP Server GigabitEthernet 1 0 2 connects to Client A GigabitEthernet 1 0 3 connects to Client B GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 belong to VLAN 1 z Enable DHCP snooping on Switch A and specify Gigab...

Page 710: ...ection trust SwitchA GigabitEthernet1 0 1 quit Enable ARP attack detection on all ports in VLAN 1 SwitchA vlan 1 SwitchA vlan1 arp detection enable SwitchA vlan1 quit Enable the ARP packet rate limit function on GigabitEthernet 1 0 2 and set the maximum ARP packet rate allowed on the port to 20 pps SwitchA interface GigabitEthernet1 0 2 SwitchA GigabitEthernet1 0 2 arp rate limit enable SwitchA Gi...

Page 711: ...uration 1 14 SwitchA GigabitEthernet1 0 3 arp rate limit 50 SwitchA GigabitEthernet1 0 3 quit Configure the port state auto recovery function and set the recovery interval to 200 seconds SwitchA arp protective down recover enable SwitchA arp protective down recover interval 200 ...

Page 712: ...pear as if they on the same physical network to users 2 1 2 Work Mechanism of Proxy ARP Figure 2 1 Work mechanism of proxy ARP As shown in Figure 2 1 Host A and Host D are on different sub networks When Host A 192 168 0 22 16 needs to send packets to Host D 192 168 1 30 16 because the mask of the two hosts are both 16 bits Host A regards Host D to be on its directly connected sub network and thus ...

Page 713: ...itch and then the switch forwards the packets in Layer 3 to Host D so as to realize the Layer 3 connectivity between Host A and Host D 2 2 Configuring Proxy ARP Follow these steps to configure proxy ARP To do Use the command Remarks Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Enable proxy ARP arp proxy enable Required Disabled by default Display the pro...

Page 714: ... 192 168 0 27 24 Switch Vlan interface3 quit Configure the IP address of VLAN interface 4 to be 192 168 1 27 24 Switch interface Vlan interface 4 Switch Vlan interface4 ip address 192 168 1 27 24 Switch Vlan interface4 quit Enter VLAN interface 3 view and enable proxy ARP on it Switch interface Vlan interface 3 Switch Vlan interface3 arp proxy enable Switch Vlan interface3 quit Enter VLAN interfac...

Page 715: ...ram for Proxy ARP configuration in port isolation application III Configuration procedure 1 Configure Switch B Add GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 into an isolation group disabling Host A and Host B from communicating with each other at Layer 2 For details about port isolation refer to the part discussing port isolation SwitchB system view SwitchB interface GigabitEthernet1 0 2 Swi...

Page 716: ...Operation Manual ARP H3C S5600 Series Ethernet Switches Chapter 2 Proxy ARP Configuration 2 5 SwitchA Vlan interface1 quit ...

Page 717: ...ices to be the Layer 2 devices The state machine of Resilient ARP has six states which are Initialize LisentForL3Master L3Master L3slave L2Master and L2slave L3Master sends Resilient ARP packets periodically to notify other fabrics that the local fabric is in the Layer 3 state Resilient ARP implements the system state switching by sending receiving Resilient ARP packets periodically so as to deter...

Page 718: ...ough which Resilient packets are sent whereas all the VLAN interfaces can receive Resilient ARP packets 3 3 Resilient ARP Configuration Example I Network requirements There are four units in an IRF network unit 1 to unit 4 Unit 1 and unit 3 connect to another switch Switch through link aggregation If the connection between unit 1 and unit 3 and the connection between unit 2 and unit 4 break off th...

Page 719: ...Resilient ARP Configuration 3 3 III Configuration procedure Enable the Resilient ARP function Sysname system view Sysname resilient arp enable Configure the Resilient ARP packets to be sent through the VLAN interface 2 Sysname resilient arp interface Vlan interface 2 ...

Page 720: ...an Address Allocation Mode for the Global Address Pool 2 8 2 4 5 Configuring a Domain Name Suffix for the DHCP Client 2 11 2 4 6 Configuring DNS Servers for the DHCP Client 2 11 2 4 7 Configuring WINS Servers for the DHCP Client 2 12 2 4 8 Configuring Gateways for the DHCP Client 2 13 2 4 9 Configuring BIMS Server Information for the DHCP Client 2 14 2 4 10 Configuring Option 184 Parameters for th...

Page 721: ... 2 38 2 11 Troubleshooting a DHCP Server 2 40 Chapter 3 DHCP Relay Agent Configuration 3 1 3 1 Introduction to DHCP Relay Agent 3 1 3 1 1 Usage of DHCP Relay Agent 3 1 3 1 2 DHCP Relay Agent Fundamentals 3 1 3 1 3 Option 82 Support on DHCP Relay Agent 3 2 3 2 Configuring the DHCP Relay Agent 3 4 3 2 1 DHCP Relay Agent Configuration Task List 3 4 3 2 2 Enabling DHCP 3 4 3 2 3 Correlating a DHCP Ser...

Page 722: ...n to DHCP Packet Rate Limit 5 1 5 2 Configuring DHCP Packet Rate Limit 5 1 5 2 1 Configuring DHCP Packet Rate Limit 5 1 5 2 2 Configuring Port State Auto Recovery 5 2 5 3 Rate Limit Configuration Example 5 3 Chapter 6 DHCP BOOTP Client Configuration 6 1 6 1 Introduction to DHCP Client 6 1 6 2 Introduction to BOOTP Client 6 1 6 3 Configuring a DHCP BOOTP Client 6 2 6 3 1 DHCP Client Configuration E...

Page 723: ...g and Configuring IP Filtering z The DHCP packet rate limit function is added in this manual For details refer to DHCP Packet Rate Limit Configuration 1 1 Introduction to DHCP With networks getting larger in size and more complicated in structure lack of available IP addresses becomes the common situation the network administrators have to face and network configuration becomes a tough task for th...

Page 724: ... for an IP address again at the expiration of the period This policy applies to most clients 1 2 2 Obtaining IP Addresses Dynamically A DHCP client undergoes the following four phases to dynamically obtain an IP address from a DHCP server 1 Discover In this phase the DHCP client tries to find a DHCP server by broadcasting a DHCP DISCOVER packet 2 Offer In this phase the DHCP server offers an IP ad...

Page 725: ...erwise the client sends a DHCP DECLINE message to the server and requests an IP address again z If there are multiple DHCP servers IP addresses offered by other DHCP servers are assignable to other clients 1 2 3 Updating IP Address Lease After a DHCP server dynamically assigns an IP address to a DHCP client the IP address keeps valid only within a specified lease time and will be reclaimed by the ...

Page 726: ...DHCP relay agents which a DHCP packet passes For each DHCP relay agent that the DHCP request packet passes the field value increases by 1 z xid Random number that the client selects when it initiates a request The number is used to identify an address requesting process z secs Elapsed time after the DHCP client initiates a DHCP request z flags The first bit is the broadcast response flag bit used ...

Page 727: ...variable length fields including packet type valid lease time IP address of a DNS server and IP address of the WINS server 1 4 Protocol Specification Protocol specifications related to DHCP include z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Extensions for the Bootstrap Protocol z RFC3046 DHCP Relay Agent Information...

Page 728: ...ing a DHCP Server Note Currently the interface related DHCP server configurations can only be made on VLAN interfaces 2 1 Introduction to DHCP Server 2 1 1 Usage of DHCP Server Generally DHCP servers are used in the following networks to assign IP addresses z Large sized networks where manual configuration method bears heavy load and is difficult to manage the whole network in centralized way z Ne...

Page 729: ...address pool The address pools of a DHCP server are hierarchically organized in a tree like structure The root holds the IP address of the natural network segment the branches hold the subnet IP addresses and the leaves holds the IP addresses that are manually bound to specific clients The address pools that are of the same level are sorted by their configuration precedence order Such a structure ...

Page 730: ...n address pool where an IP address is statically bound to the MAC address or ID of the client the DHCP server will select this address pool and assign the statically bound IP address to the client 2 Otherwise the DHCP server observes the following principles to select a dynamic address pool z If the client and the server reside in the same network segment the smallest address pool that contains th...

Page 731: ...ies out all functions of a DHCP server Those running on the slave units only operate as the backup tasks of the one running on the master unit z When a slave unit receives a DHCP REQUEST packet it redirects the packet to the DHCP server on the master unit which returns a DHCP ACK or DHCP NAK packet to the DHCP client and at the same time backs up the related information to the slave units In this ...

Page 732: ...ceive any packets When the IRF system restores to a Layer 3 device due to being merged into a new IRF system it adopts the configurations on the new IRF system And you need to perform DHCP server configurations if the new IRF system does not have DHCP server related configurations z In an IRF system the UDP HELPER function must be enabled on the DHCP servers that are in fabric state 2 2 DHCP Serve...

Page 733: ...unction is configured UDP port 67 and UDP port 68 ports are enabled z After DHCP is disabled with the undo dhcp enable command even if the DHCP server or DHCP relay function is configured UDP port 67 and UDP port 68 ports will be disabled 2 4 Configuring the Global Address Pool Based DHCP Server 2 4 1 Configuration Task List Complete the following tasks to configure the global address pool based D...

Page 734: ...ns IP addresses in the global address pool to the DHCP clients Follow these steps to configure the global address pool mode on interface s To do Use the command Remarks Enter system view system view interface interface type interface number dhcp select global Configure the current interface quit Configure the specified interface s or all the interfaces to operate in global address pool mode Config...

Page 735: ...e DHCP clients When such a DHCP client requests an IP address the DHCP server searches for the IP address corresponding to the MAC address of the DHCP client and assigns the IP address to the DHCP client When some DHCP clients send DHCP DISCOVER packets to the DHCP server to apply for IP addresses they construct client IDs and add them in the DHCP DISCOVER packets If the bindings of client IDs and...

Page 736: ...al DHCP address pool if the static bind ip address command the static bind mac address command or the static bind client identifier is executed repeatedly the new configuration overwrites the previous one z The IP address to be statically bound cannot be an interface IP address of the DHCP server otherwise static binding does not take effect z A client can permanently use the statically bound IP a...

Page 737: ...ool are the same Lease time is not inherited that is to say the lease time of a child address pool is not affected by the configuration of the parent address pool Follow these steps to configure the dynamic IP address allocation mode To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Set the IP address segment whose IP address are...

Page 738: ... together with an IP address to the DHCP client With this suffix assigned the client needs only input part of the domain name and the system will add the domain name suffix for name resolution For details about DNS refer to DNS Operation in this manual Follow these steps to configure a domain name suffix for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP add...

Page 739: ...S nodes fall into the following four categories z B node Nodes of this type establish their mappings through broadcasting The character b stands for the word broadcast The source node obtains the IP address of the destination node by sending the broadcast packet containing the host name of the destination node After receiving the broadcast packet the destination node returns its IP address to the ...

Page 740: ...ent you don t need to specify any WINS server address 2 4 8 Configuring Gateways for the DHCP Client Gateways are necessary for DHCP clients to access servers hosts outside the current network segment After you configure gateway addresses on a DHCP server the DHCP server provides the gateway addresses to DHCP clients as well while assigning IP addresses to them You can configure gateway addresses ...

Page 741: ...n to be assigned to the DHCP client bims server ip ip address port port number sharekey key Required By default no BIMS server information is configured 2 4 10 Configuring Option 184 Parameters for the Client with Voice Service Option 184 is a reserved option and the information it carries can be customized You can define four sub options for this option after enabling the DHCP server Thus besides...

Page 742: ...ed by sub option 2 of Option 184 acts as the backup of the NCP server The NCP server specified by this option is used only when the IP address carried by the NCP IP sub option is unreachable or invalid The AS IP sub option takes effect only when sub option 1 that is the NCP IP sub option is defined Voice VLAN Configuration sub option 3 The voice VLAN configuration sub option carries the ID of the ...

Page 743: ...For the configurations specifying to add sub option 2 sub option 3 and sub option 4 in the response packets to take effect you need to configure the DHCP server to add sub option 1 III Mechanism of using Option 184 on DHCP server The DHCP server encapsulates the information for Option 184 to carry in the response packets sent to the DHCP clients Supposing that the DHCP clients are on the same segm...

Page 744: ...onfig as ip ip address Optional Not specified by default Configure the voice VLAN voice config voice vlan vlan id disable enable Optional Not configured by default Specify the failover IP address voice config fail over ip address dialer string Optional No failover IP address is specified by default Note Specify an IP address for the network calling processor before performing other configuration 2...

Page 745: ...such information to complete auto configuration Follow these steps to configure the TFTP server and bootfile name for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Specify the TFTP server tftp server ip address ip address Optional Not specified by default Specify the name of the TFTP server tftp server domain ...

Page 746: ...pool have been assigned the DHCP server picks IP addresses from the global interface address pool containing the network segment of the interface address pool and assigns them to the DHCP clients As a result the IP addresses obtained from global address pools and those obtained from interface address pools are not on the same network segment so the clients cannot communicate with each other Theref...

Page 747: ...configured at the same time Configuring a Domain Name Suffix for the DHCP Client Optional Configuring DNS Servers for the DHCP Client Optional Configuring WINS Servers for the DHCP Client Optional Configuring BIMS Server Information for the DHCP Client Optional Configuring Option 184 Parameters for the Client with Voice Service Optional Configuring the TFTP Server and Bootfile Name for the DHCP Cl...

Page 748: ... port 67 and UDP port 68 ports used by DHCP are enabled only when DHCP is enabled z UDP port 67 and UDP port 68 ports are disabled when DHCP is disabled The corresponding implementation is as follows z After a DHCP interface address pool is created by executing the dhcp select interface command UDP port 67 and UDP port 68 ports used by DHCP are enabled z After a DHCP interface address pool is dele...

Page 749: ...ses must be in the same network segment z There is no limit to the number of IP addresses statically bound in an interface address pool but the IP addresses statically bound in interface address pools and the interface IP addresses must be in the same segment z An IP address can be statically bound to only one MAC address or one client ID A MAC address or client ID can be bound with only one IP ad...

Page 750: ...re the lease time Configure multiple interfaces in system view dhcp server expired day day hour hour minute minute unlimited interface interface type interface number to interface type interface number all Optional The default lease time is one day Specify the IP addresses that are not dynamically assigned dhcp server forbidden ip low ip address high ip address Optional By default all IP addresses...

Page 751: ...address pool quit Configu re a domain name suffix for the clients In multiple interface address pools in system view dhcp server domain name domain name all interface interface type interface number to interface type interface number Required Not configured by default 2 5 5 Configuring DNS Servers for the DHCP Client If a client accesses a host on the Internet through domain name DNS is needed to ...

Page 752: ... eight WINS addresses for a DHCP address pool Host name to IP address mappings are needed for DHCP clients communicating through the NetBIOS protocol According to the way to establish the mapping NetBIOS nodes fall into the following four categories z B node Nodes of this type establish their mappings through broadcasting The character b stands for the word broadcast The source node obtains the IP...

Page 753: ...rface number to interface type interface number all Required By default no WINS server address is configured interface interface type interface number dhcp server netbios type b node h node m node p node Configure the current interface quit Configure a NetBIOS node type for DHCP clients Configure multiple interfaces in system view dhcp server netbios type b node h node m node p node interface inte...

Page 754: ...ith Voice Service Follow these steps to configure Option 184 parameters for the client with voice service To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Specify the primary network calling processor dhcp server voice config ncp ip ip address Required Not specified by default Specify the backup network calling processor dhc...

Page 755: ...e config voice vlan vlan id disable enable all interface interface type interface number to interface type interface number Optional Not specified by default Configure Option 184 in multiple interface address pools Specify the failover IP address dhcp server voice config fail over ip address dialer string all interface interface type interface number to interface type interface number Optional Not...

Page 756: ...erface number Specify the TFTP server name dhcp server tftp server domain name domain name all interface interface type interface number Specify the IP address and name of the TFTP server and the bootfile name in the specified interface address pool Specify the bootfile name dhcp server bootfile name bootfile name all interface interface type interface number Optional Not specified by default 2 5 ...

Page 757: ...self defined DHCP options because such configuration may affect the DHCP operation process 2 6 Configuring DHCP Server Security Functions DHCP security configuration is needed to ensure the security of DHCP service 2 6 1 Prerequisites Before configuring DHCP security you should first complete the DHCP server configuration either global address pool based or interface address pool based DHCP server...

Page 758: ...ltiple DHCP clients simultaneously you can configure a DHCP server to detect an IP address before it assigns the address to a DHCP client The DHCP server pings the IP address to be assigned using ICMP If the server gets a response within the specified period the server will ping another IP address otherwise the server will ping the IP addresses once again until the specified number of ping packets...

Page 759: ... DHCP server sends an Accounting START packet to a specified RADIUS server The RADIUS server processes the packet makes a record and sends a response to the DHCP server z Once releasing a lease the DHCP server sends an Accounting STOP packet to the RADIUS server The RADIUS server processes the packet stops the recording for the DHCP client and sends a response to the DHCP server A lease can be rel...

Page 760: ...on 82 after the DHCP server receives packets containing Option 82 the DHCP server adds Option 82 into the responses when assigning IP addresses and other configuration information to the clients If a DHCP server is configured to ignore Option 82 after the DHCP server receives packets containing Option 82 the DHCP server will not add Option 82 into the responses when assigning IP addresses and othe...

Page 761: ...interface interface type interface number all Available in any view Clear IP address conflict statistics reset dhcp server conflict all ip ip address Clear dynamic address binding information reset dhcp server ip in use ip ip address pool pool name interface interface type interface number all Clear the statistics on a DHCP server reset dhcp server statistics Available in user view Note Executing ...

Page 762: ...aabbcc com DNS server address 10 1 1 2 and gateway address 10 1 1 254 and there is no WINS server address Note If you use the inheriting relation of parent and child address pools make sure that the number of the assigned IP addresses does not exceed the number of the IP addresses in the child address pool otherwise extra IP addresses will be obtained from the parent address pool and the attribute...

Page 763: ... SwitchA dhcp server forbidden ip 10 1 1 2 SwitchA dhcp server forbidden ip 10 1 1 4 SwitchA dhcp server forbidden ip 10 1 1 126 SwitchA dhcp server forbidden ip 10 1 1 254 Configure DHCP address pool 0 including address range domain name suffix of the clients and domain name server address SwitchA dhcp server ip pool 0 SwitchA dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 SwitchA dhcp pool 0 do...

Page 764: ...ient requests the DHCP server for all sub options of Option 184 An H3C series switch operates as the DHCP server The Option 184 support function is configured for a global DHCP address pool The sub options of Option 184 are as follows z NCP IP 3 3 3 3 z AS IP 2 2 2 2 z Voice VLAN configuration voice VLAN enabled voice VLAN ID 3 z Fail over routing IP address 1 1 1 1 dialer string 99 II Network dia...

Page 765: ...work 10 1 1 1 mask 255 255 255 0 Sysname dhcp pool 123 voice config ncp ip 3 3 3 3 Sysname dhcp pool 123 voice config as ip 2 2 2 2 Sysname dhcp pool 123 voice config voice vlan 3 enable Sysname dhcp pool 123 voice config fail over 1 1 1 1 99 2 10 3 DHCP Accounting Configuration Example I Network requirements z The DHCP server connects to a DHCP client and a RADIUS server respectively through Giga...

Page 766: ... 1 0 1 Sysname GigabitEthernet1 0 1 port access vlan 2 Sysname GigabitEthernet1 0 1 quit Enter GigabitEthernet 1 0 2 port view and add the port to VLAN 3 Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 port access vlan 3 Sysname GigabitEthernet1 0 2 quit Enter VLAN 2 interface view and assign the IP address 10 1 1 1 24 to the VLAN interface Sysname interface Vlan interface 2 S...

Page 767: ...cts are usually caused by IP addresses that are manually configured on hosts III Solution z Disconnect the DHCP client from the network and then check whether there is a host using the conflicting IP address by performing ping operation on another host on the network with the conflicting IP address as the destination and an enough timeout time z The IP address is manually configured on a host if y...

Page 768: ...to DHCP Relay Agent 3 1 1 Usage of DHCP Relay Agent Since the packets are broadcasted in the process of obtaining IP addresses DHCP is only applicable to the situation that DHCP clients and DHCP servers are in the same network segment that is you need to deploy at least one DHCP server for each network segment which is far from economical DHCP relay agent is designed to address this problem It ena...

Page 769: ...he sending mode is decided by the flag filed in the client s DHCP DISCOVER packet refer to section DHCP Packet Format for details 3 1 3 Option 82 Support on DHCP Relay Agent I Introduction to Option 82 Option 82 is the relay agent information option in the DHCP message It records the location information of the DHCP client With this option the administrator can locate the DHCP client to further im...

Page 770: ...elay agent is similar to that for the client to obtain an IP address from a DHCP server directly The following are the mechanism of Option 82 support on DHCP relay agent 1 Upon receiving a DHCP request the DHCP relay agent checks whether the packet contains Option 82 and processes the packet accordingly z If the request packet contains Option 82 the DHCP relay agent processes the packet depending ...

Page 771: ...erent manufacturers 3 2 Configuring the DHCP Relay Agent Note If a switch belongs to an IRF fabric you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent 3 2 1 DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent Task Remarks Enabling DHCP Required Correlating a DHCP Server Group with a Relay Agent Interface R...

Page 772: ...dhcp server groupNo ip ip address 1 8 Required By default no DHCP server IP address is configured in a DHCP server group interface interface type interface number Map an interface to a DHCP server group dhcp server groupNo Required By default a VLAN interface is not mapped to any DHCP server group Note To improve security and avoid malicious attack to the unused SOCKETs S5600 Ethernet switches pro...

Page 773: ...t also supports static bindings which means you can manually configure IP to MAC bindings on the DHCP relay agent so that users can access external network using fixed IP addresses The purpose of the address checking function on DHCP relay agent is to prevent unauthorized users from statically configuring IP addresses to access external networks With this function enabled a DHCP relay agent inhibi...

Page 774: ...y the DHCP cannot be updated in time You can solve this problem by enabling the DHCP relay agent handshake function and configuring the dynamic client address entry updating interval After the handshake function is enabled the DHCP relay agent sends the handshake packet the DHCP REQUEST packet periodically to the DHCP server using a client s IP address and its own MAC address z If the DHCP relay a...

Page 775: ... any DHCP unauthorized servers Follow these steps to enable unauthorized DHCP server detection To do Use the command Remarks Enter system view system view Enable unauthorized DHCP server detection dhcp server detect Required Disabled by default Note With the unauthorized DHCP server detection enabled the relay agent will log all DHCP servers including authorized ones and each server is recorded on...

Page 776: ... strategy to process the request packets containing Option 82 However if other strategies are configured before then enabling the 82 support on the DHCP relay agent will not change the configured strategies z To enable Option 82 you need to perform the corresponding configuration on the DHCP server and the DHCP relay agent 3 3 Displaying and Maintaining DHCP Relay Agent Configuration To do Use the...

Page 777: ... figure below Switch A forwards messages between DHCP clients and the DHCP server to assign IP addresses in subnet 10 10 1 0 24 to the clients II Network diagram Switch B DHCP server Switch A DHCP relay DHCP client DHCP client DHCP client DHCP client Vlan int2 10 1 1 2 24 Vlan int1 10 10 1 1 24 Vlan int2 10 1 1 1 24 Figure 3 4 Network diagram for DHCP relay agent III Configuration procedure Create...

Page 778: ...nabling debugging and checking the information about debugging and interface state You can display the information by executing the corresponding display command III Solution z Check if DHCP is enabled on the DHCP server and the DHCP relay agent z Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server z Check if a reachable route is conf...

Page 779: ... function of the DHCP relay agent operating at the network layer z Switches can track DHCP clients IP addresses through the DHCP snooping function at the data link layer When an unauthorized DHCP server exists in the network a DHCP client may obtains an illegal IP address To ensure that the DHCP clients obtain IP addresses from valid DHCP servers you can specify a port to be a trusted port or an u...

Page 780: ...me format of Option 82 There is no specification for what should be padded in Option 82 Manufacturers can pad it as required By default the sub options of Option 82 for S5600 Series Ethernet Switches enabled with DHCP snooping are padded as follows z sub option 1 circuit ID sub option Padded with the port index smaller than the physical port number by 1 and VLAN ID of the port that received the cl...

Page 781: ...0 Series Ethernet Switches support Option 82 in the standard format Refer to Figure 4 4 and Figure 4 5 for the standard format of the sub options with the default padding contents In the standard format the Circuit ID or Remote ID sub option does not contain the two byte type and length fields of the circuit ID or remote ID Figure 4 4 Standard format of the circuit ID sub option Figure 4 5 Standar...

Page 782: ...ion is configured Forward the packet after replacing the remote ID sub option of the original Option 82 with the configured remote ID sub option in ASCII format When receiving a DHCP client s request without Option 82 the DHCP snooping device will add the option field with the configured sub option and then forward the packet For details see Table 4 2 Table 4 2 Ways of handling a DHCP packet witho...

Page 783: ...t packets cause high CPU usage rate As a result the CPU cannot work normally z The switch can filter invalid IP packets through the DHCP snooping table and IP static binding table I DHCP snooping table After DHCP snooping is enabled on a switch a DHCP snooping table is generated It is used to record IP addresses obtained from the DHCP server MAC addresses the number of the port through which a cli...

Page 784: ...e IP address and source MAC address in the packet and the number of the port that receives the packet are consistent with entries in the DHCP snooping table or static binding table the switch regards the packet as a valid packet and forwards it otherwise the switch drops it directly 4 2 Configuring DHCP Snooping 4 2 1 Configuring DHCP Snooping Follow these steps to configure DHCP snooping To do Us...

Page 785: ...g to different units of the fabric otherwise the switch cannot record DHCP snooping entries although the clients can obtain IP addresses z You are not recommended to configure both the DHCP snooping and selective Q in Q function on the switch which may result in the DHCP snooping to function abnormally 4 2 2 Configuring DHCP Snooping to Support Option 82 Note Enable DHCP snooping and specify trust...

Page 786: ...e Optional The default handling policy is replace Enter Ethernet port view interface interface type interface number Configure a handling policy for requests that contain Option 82 received on the specified interface dhcp snooping information strategy drop keep replace Optional The default policy is replace Note If a handling policy is configured on a port this configuration overrides the globally...

Page 787: ...ID or remote ID sub option the format of the sub option is ASCII instead of the one specified with the dhcp snooping information format command IV Configuring the circuit ID sub option Follow these steps to configure the circuit ID sub option To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the circuit ID sub o...

Page 788: ... all interfaces You can configure Option 82 as the system name sysname of the device or any customized character string in the ASCII format z In Ethernet port view the remote ID takes effect only on the current interface You can configure Option 82 as any customized character string in the ASCII format for different VLANs That is to say you can add different configuration rules for packets from di...

Page 789: ...d to configure the primary and member ports respectively When Option 82 is added however the remote ID is subject to the one configured on the primary port z The remote ID configured on a port will neither be synchronized in the case of port aggregation nor support IRF VI Configuring the padding format for Option 82 Follow these steps to configure the padding format for Option 82 To do Use the com...

Page 790: ...y is configured after the dynamic entry is recorded the static entry overwrites the dynamic entry if the static entry is configured before DHCP snooping is enabled no DHCP client can obtain the IP address of the static entry that is the dynamic DHCP snooping entry cannot be generated z The VLAN ID of the IP static binding configured on a port is the VLAN ID of the port 4 3 DHCP Snooping Configurat...

Page 791: ...GigabitEthernet 1 0 5 as the trusted port Switch interface GigabitEthernet1 0 5 Switch GigabitEthernet1 0 5 dhcp snooping trust Switch GigabitEthernet1 0 5 quit Enable DHCP snooping Option 82 support Switch dhcp snooping information enable Set the remote ID sub option in Option 82 to the system name sysname of the DHCP snooping device Switch dhcp snooping information remote id sysname Set the circ...

Page 792: ...oping trusted port z Enable IP filtering on GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 to prevent attacks to the server from clients using fake source IP addresses z Create static binding entries on the switch so that Host A using a fixed IP address can access external networks II Network diagram Switch DHCP Snooping Host A IP 1 1 1 1 MAC 0001 0001 0001 GE1 0 2 Client C ...

Page 793: ...1 0 4 Switch GigabitEthernet1 0 4 ip check source ip address mac address Switch GigabitEthernet1 0 4 quit Create static binding entries on GigabitEthernet 1 0 2 of the switch Switch interface GigabitEthernet1 0 2 Switch GigabitEthernet1 0 2 ip source static binding ip address 1 1 1 1 mac address 0001 0001 0001 4 4 Displaying DHCP Snooping Configuration To do Use the command Remarks Display the use...

Page 794: ...the device CPU For details about ARP packet rate limit refer to ARP Operation in this manual The following describes only the DHCP packet rate limit function After DHCP packet rate limit is enabled on an Ethernet port the switch counts the number of DHCP packets received on this port per second If the number of DHCP packets received per second exceeds the specified value packets are passing the po...

Page 795: ...very function is disabled Set the port state auto recovery interval dhcp protective down recover interval interval Optional The port state auto recovery interval is 300 seconds Note z Enable the port state auto recovery function before setting the auto recovery interval z You are not recommended to configure DHCP packet rate limit on the ports of an aggregation group 5 2 2 Configuring Port State A...

Page 796: ... maximum DHCP packet rate allowed on the port to 100 pps z Set the port state auto recovery interval to 30 seconds on the switch II Networking diagram GE1 0 1 DHCP server DHCP snooping GE1 0 11 GE1 0 2 ClientA ClientB Figure 5 1 Network diagram for DHCP packet rate limit configuration III Configuration procedure Enable DHCP snooping on the switch Switch system view Switch dhcp snooping Specify Gig...

Page 797: ...nfiguration 5 4 Sysname interface GigabitEthernet 1 0 11 Enable DHCP packet rate limit on GigabitEthernet 1 0 11 Sysname GigabitEthernet1 0 11 dhcp rate limit enable Set the maximum DHCP packet rate allowed on GigabitEthernet 1 0 11 to 100 pps Sysname GigabitEthernet1 0 11 dhcp rate limit 100 ...

Page 798: ...r you specify an interface as a Bootstrap Protocol BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to configure a BOOTP parameter file for each BOOTP client on the BOOTP server The parameter file contains information such as MAC address and IP address of a BOOTP client...

Page 799: ...ently an S5600 Ethernet switch functioning as the DHCP client can use an IP address for 24 days at most That is the DHCP client can obtain an address lease for no more than 24 days even though the DHCP server offers a longer lease period z If a switch belongs to an IRF fabric you need to enable the UDP Helper function on the switch before configuring its VLAN interfaces to obtain IP addresses thro...

Page 800: ...3 2 BOOTP Client Configuration Example I Network requirement Switch B s port belonging to VLAN1 is connected to the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP II Network diagram See Figure 2 1 III Configuration procedure The following describes only the configuration on Switch B serving as a client Configure VLAN interface 1 to dynamically obtain an IP address f...

Page 801: ...r 2 ACL 1 9 1 2 5 Configuring User defined ACL 1 10 1 2 6 Applying ACLs on Ports 1 12 1 2 7 Applying ACLs to a VLAN 1 12 1 3 Displaying and Maintaining ACL Configuration 1 13 1 4 Examples for Upper layer Software Referencing ACLs 1 13 1 4 1 Example for Controlling Telnet Login Users by Source IP 1 13 1 4 2 Example for Controlling Web Login Users by Source IP 1 14 1 5 Examples for Applying ACLs to ...

Page 802: ...ring data packets can prevent a network from being accessed by unauthorized users efficiently while controlling network traffic and saving network resources Access Control Lists ACLs are often used to filter packets with configured matching rules Upon receiving a packet the switch compares the packet with the rules of the ACL applied on the current port to permit or discard the packet The rules of...

Page 803: ...he more the number of zeros in the wildcard mask the higher the match priority 2 Fragment keyword A rule with the fragment keyword is prior to others 3 If the above two conditions are identical the earlier configured rule applies II Depth first match order for rules of an advanced ACL 1 Protocol range A rule which has specified the types of the protocols carried by IP is prior to others 2 Range of...

Page 804: ... to be forwarded II Being referenced by upper level software ACLs can also be used to filter and classify the packets to be processed by software In this case the rules in an ACL can be matched in one of the following two ways z config where rules in an ACL are matched in the order defined by the user z auto where the rules in an ACL are matched in the order determined by the system namely the dep...

Page 805: ...nfiguring Advanced ACL Required Configuring Layer 2 ACL Required Configuring User defined ACL Required Applying ACLs on Ports Required Applying ACLs to a VLAN Required 1 2 1 Configuring Time Range Time ranges can be used to filter packets You can specify a time range for each rule in an ACL A time range based ACL takes effect only in specified time ranges Only after a time range is configured and ...

Page 806: ...ctive only when the system time is within one of the absolute time sections z If both a periodic time section and an absolute time section are defined in a time range the time range is active only when the periodic time range and the absolute time range are both matched Assume that a time range contains an absolute time section ranging from 00 00 January 1 2004 to 23 59 December 31 2004 and a peri...

Page 807: ...ion procedure Follow these steps to define a basic ACL rule To do Use the command Remarks Enter system view system view Create an ACL and enter basic ACL view acl number acl number match order auto config Required config by default Define an ACL rule rule rule id deny permit rule string Required For information about rule string refer to ACL Command Configure a description string to the ACL descri...

Page 808: ...ep is 1 rule 0 deny source 192 168 0 1 0 1 2 3 Configuring Advanced ACL An advanced ACL can filter packets by their source and destination IP addresses the protocols carried by IP and protocol specific features such as TCP UDP source and destination ports ICMP message type and message code An advanced ACL can be numbered from 3000 to 3999 Note that ACL 3998 and ACL 3999 cannot be configured becaus...

Page 809: ...modify any existent rule otherwise the system prompts error information z If you do not specify the rule id argument when creating an ACL rule the rule will be numbered automatically If the ACL has no rules the rule is numbered 0 otherwise the number of the rule will be the greatest rule number plus one If the current greatest rule number is 65534 however the system will display an error message a...

Page 810: ... based Layer 2 ACL rule you need to create the corresponding time ranges first For information about time range configuration refer to Configuring Time Range z The settings to be specified in the rule such as source and destination MAC addresses VLAN priorities and Layer 2 protocol types are determined II Configuration procedure Follow these steps to define a Layer 2 ACL rule To do Use the command...

Page 811: ...ng 3 Sysname system view Sysname acl number 4000 Sysname acl ethernetframe 4000 rule deny cos 3 source 000d 88f5 97ed ffff ffff ffff dest 0011 4301 991e ffff ffff ffff Display the configuration information of ACL 4000 Sysname acl ethernetframe 4000 display acl 4000 Ethernet frame ACL 4000 1 rule Acl s step is 1 rule 0 deny cos excellent effort source 000d 88f5 97ed ffff ffff ffff dest 0011 4301 99...

Page 812: ... combinations will replace all of the original ones z If you do not specify the rule id argument when creating an ACL rule the rule will be numbered automatically If the ACL has no rules the rule is numbered 0 otherwise the number of the rule will be the greatest rule number plus one If the current greatest rule number is 65534 however the system will display an error message and you need to speci...

Page 813: ... view interface interface type interface number Apply an ACL on the port packet filter inbound acl rule Required For information about acl rule refer to ACL Commands III Configuration example Apply ACL 2000 on GigabitEthernet 1 0 1 to filter inbound packets Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 packet filter inbound ip group 2000 1 2 7 Applying AC...

Page 814: ...d Maintaining ACL Configuration To do Use the command Remarks Display a configured ACL or all the ACLs display acl all acl number Display a time range or all the time ranges display time range all time name Display information about packet filtering display packet filter interface interface type interface number unitid unit id Display information about ACL resources display drv module qacl qacl_re...

Page 815: ...100 52 0 Sysname acl basic 2000 quit Reference ACL 2000 on VTY user interface to control Telnet login users Sysname user interface vty 0 4 Sysname ui vty0 4 acl 2000 inbound 1 4 2 Example for Controlling Web Login Users by Source IP I Network requirements Apply an ACL to permit Web users with the source IP address of 10 110 100 46 to log in to the switch through HTTP II Network diagram Switch PC 1...

Page 816: ...ply an ACL on GigabitEthernet 1 0 1 to deny packets with the source IP address of 10 1 1 1 from 8 00 to 18 00 everyday II Network diagram Figure 1 3 Network diagram for basic ACL configuration III Configuration procedure Define a periodic time range that is active from 8 00 to 18 00 everyday Sysname system view Sysname time range test 8 00 to 18 00 daily Define ACL 2000 to filter packets with the ...

Page 817: ... a periodic time range that is active from 8 00 to 18 00 everyday Sysname system view Sysname time range test 8 00 to 18 00 working day Define ACL 3000 to filter packets destined for wage query server Sysname acl number 3000 Sysname acl adv 3000 rule 1 deny ip destination 192 168 1 2 0 time range test Sysname acl adv 3000 quit Apply ACL 3000 on GigabitEthernet 1 0 1 Sysname interface GigabitEthern...

Page 818: ...0011 ffff ffff ffff dest 0011 0011 0012 ffff ffff ffff time range test Sysname acl ethernetframe 4000 quit Apply ACL 4000 on GigabitEthernet 1 0 1 Sysname interface GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1 packet filter inbound link group 4000 1 5 4 User defined ACL Configuration Example I Network requirements As shown in Figure 1 6 PC 1 and PC 2 are connected to the switch through Ethern...

Page 819: ...et frame c0a80001 is the hexadecimal form of 192 168 0 1 and 36 is the source IP address field offset of the internally processed ARP packet Sysname acl number 5000 Sysname acl user 5000 rule 1 deny 0806 ffff 20 c0a80001 ffffffff 36 time range test Apply ACL 5000 on GigabitEthernet 1 0 1 Sysname interface GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1 packet filter inbound user group 5000 1 5 5...

Page 820: ...I Configuration procedure Define a periodic time range that is active from 8 00 to 18 00 in working days Sysname system view Sysname time range test 8 00 to 18 00 working day Define an ACL to deny packets destined for the database server Sysname acl number 3000 Sysname acl adv 3000 rule 1 deny ip destination 192 168 1 2 0 time range test Sysname acl adv 3000 quit Apply ACL 3000 to VLAN 10 Sysname ...

Page 821: ...d Traffic Accounting 1 14 1 3 11 Burst 1 14 1 3 12 Traffic mirroring 1 15 1 4 QoS Configuration 1 15 1 4 1 Configuring Priority Trust Mode 1 15 1 4 2 Configuring the Mapping between 802 1p Priority and Local Precedence 1 16 1 4 3 Setting the Priority of Protocol Packets 1 17 1 4 4 Marking Packet Priority 1 18 1 4 5 Configuring Traffic Policing 1 20 1 4 6 Configuring Line Rate 1 21 1 4 7 Configurin...

Page 822: ...2 QoS Profile Configuration 2 1 2 1 Overview 2 1 2 1 1 Introduction to QoS Profile 2 1 2 1 2 QoS Profile Application Mode 2 1 2 2 QoS Profile Configuration Task List 2 2 2 2 1 Configuring a QoS Profile 2 2 2 2 2 Applying a QoS Profile 2 3 2 3 Displaying and Maintaining QoS Profile Configuration 2 4 2 4 Configuration Example 2 5 2 4 1 QoS Profile Configuration Example 2 5 ...

Page 823: ...e section Marking Packet Priority z Redirecting traffic to an aggregation group and removing outer VLAN tags when redirecting traffic to the specified port aggregation group For details see section Traffic Redirecting z The burst function For details see section Burst 1 1 Overview 1 1 1 Introduction to QoS Quality of Service QoS is a concept concerning service demand and supply It reflects the abi...

Page 824: ...he Internet as a platform for their services and for data transmission Besides the traditional applications such as WWW E mail and FTP new services are developed on the Internet such as tele education telemedicine video telephone videoconference and Video on Demand VoD Enterprise users expect to connect their regional branches together using VPN techniques for coping with daily business for instan...

Page 825: ... rate usually to the input capability of the receiving device to avoid packet drop and port congestion Traffic shaping is usually applied in the outbound direction of a port z Congestion management handles resource competition during network congestion Generally it adds packets to queues first and then forwards the packets by using a scheduling algorithm Congestion management is usually applied in...

Page 826: ...fied ACL z Priority marking z Traffic policing z Traffic redirecting z VLAN Mapping z Traffic accounting z Traffic mirroring z For information about priority marking refer to Priority Marking z For information about traffic policing refer to Traffic Policing z For information about traffic redirecting refer to Traffic Redirecting z For information about VLAN Mapping refer to VLAN Mapping z For inf...

Page 827: ...n the type of service ToS field in IP packet header can be used to identify packets of different priorities The network administrator can also define traffic classification policies to identify packets by the combination of source address destination address MAC address IP protocol or the port number of an application Normally traffic classification is done by checking the information carried in p...

Page 828: ...e processed according to their DSCP values z Expedited Forwarding EF class In this class packets can be forwarded regardless of link share of other traffic The class is suitable for preferential services with low delay low packet loss ratio low jitter and assured bandwidth such as virtual leased line z Assured forwarding AF class This class is further divided into four subclasses AF1 2 3 4 and a s...

Page 829: ...00 cs5 48 110000 cs6 56 111000 cs7 0 000000 be default 2 802 1p priority 802 1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2 Figure 1 3 An Ethernet frame with an 802 1Q tag header As shown in the figure above the 4 byte 802 1Q tag header consists of the tag protocol identifier TPID t...

Page 830: ...defined in detail in the 802 1p specifications 3 Local precedence Local precedence is a locally significant precedence that the device assigns to a packet A local precedence value corresponds to one of the eight hardware output queues Packets with the highest local precedence are processed preferentially As local precedence is used only for internal queuing a packet does not carry it after leaving...

Page 831: ...precedence corresponding to the port priority of the receiving port in the 802 1p to local precedence mapping table and assigns the local precedence to the packet z Trusting packet priority In this mode the switch searches for the local precedence corresponding to the 802 1p priority of the packet in the 802 1p to local precedence mapping table and assigns the local precedence to the packet Table ...

Page 832: ...ontinuous burst packets if the traffic of each user is not limited The traffic of each user must be limited in order to make better use of the limited network resources and provide better service for more users For example traffic can be limited to get only its committed resources during a time period to avoid network congestion caused by excessive bursts Traffic policing is a kind of traffic cont...

Page 833: ...he capacity of the token bucket namely the maximum traffic size that is permitted in each burst It is generally set to committed burst size CBS The set burst size must be greater than the maximum packet length One evaluation is performed on each arriving packet In each evaluation if the number of tokens in the bucket is enough the traffic is conforming to the specification and you must take away s...

Page 834: ...tokens in the token bucket otherwise they will be dropped Compared to traffic policing line rate applies to all the packets passing a port It is a simpler solution if you want to limit the rate of all the packets passing a port 1 3 7 Traffic Redirecting Traffic redirecting identifies traffic using ACLs and redirects the matched packets to CPU the specified ports aggregation group By traffic redire...

Page 835: ...iorities decrease in order In queue scheduling SP sends packets in the queue with higher priority strictly following the priority order from high to low When the queue with higher priority is empty packets in the queue with lower priority are sent You can put critical service packets into the queues with higher priority and put non critical service such as e mail packets into the queues with lower...

Page 836: ...5 Mbps 100 Mbps 1 5 5 3 3 1 1 1 1 bandwidth at least and the disadvantage of SP queue scheduling that the packets in queues with lower priority may not get service for a long time is avoided Another advantage of WRR queue is that though the queues are scheduled in order the service time for each queue is not fixed that is to say if a queue is empty the next queue will be scheduled In this way the ...

Page 837: ...ring module of this manual 1 4 QoS Configuration Complete the following tasks to configure QoS Task Remarks Configuring Priority Trust Mode Optional Configuring the Mapping between 802 1p Priority and Local Precedence Optional Setting the Priority of Protocol Packets Optional Marking Packet Priority Optional Configuring Traffic Policing Optional Configuring Line Rate Optional Configuring Traffic R...

Page 838: ...onfigure to trust packet priority priority trust Required By default the switch trusts port priority III Configuration example Configure to trust port priority on GigabitEthernet 1 0 1 and set the priority of GigabitEthernet 1 0 1 to 7 Sysname system view Sysname interface GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1 priority 7 Configure to trust packet priority on GigabitEthernet 1 0 1 Sysna...

Page 839: ...p local prec cos4 map local prec cos5 map local prec cos6 map local prec cos7 map local prec Required III Configuration example Configure these mappings between 802 1p priority and local precedence 0 to 2 1 to 3 2 to 4 3 to 1 4 to 7 5 to 0 6 to 5 and 7 to 6 Then display the configuration Sysname system view Sysname qos cos local precedence map 2 3 4 1 7 0 5 6 Sysname display qos cos local preceden...

Page 840: ...dence 3 Sysname display protocol priority Protocol icmp IP Precedence flash 3 1 4 4 Marking Packet Priority Refer to section Priority Marking for information about marking packet priority Marking packet priority can be implemented in the following two ways z Through traffic policing When configuring traffic policing you can define the action of marking the DSCP precedence for packets exceeding the...

Page 841: ... ipprec local precedence pre value Required Refer to the command manual for information about the acl rule argument Follow these steps to configure priority marking on a VLAN To do Use the command Remarks Enter system view system view Mark the priorities for the packets belonging to a VLAN and matching specific ACL rules traffic priority vlan vlan id inbound acl rule dscp dscp value ip precedence ...

Page 842: ...nformation about defining ACL rules z The rate limit for traffic policing and the actions for the packets exceeding the rate limit have been determined z The ports that need this configuration have been determined II Configuration procedure Follow these steps to configure traffic policing To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type ...

Page 843: ... exceed remark dscp 56 1 4 6 Configuring Line Rate Refer to section Line Rate for information about line rate I Configuration prerequisites z The port on which line rate configuration is to be performed has been determined z The target rate has been determined II Configuration procedure Follow these steps to configure line rate To do Use the command Remarks Enter system view system view Enter Ethe...

Page 844: ...fer to the ACL module of this manual for information about defining ACL rules z The traffic redirecting destination has been determined z The ports that need this configuration have been determined II Configuration procedure Follow these steps to configure traffic redirecting To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface num...

Page 845: ...or an aggregation group Do not specify the untagged keyword in a ring network or a network with multiple uplink ports Refer to the VLAN VPN module of this manual for information about selective QinQ III Configuration example GigabitEthernet 1 0 1 is connected to the 10 1 1 0 24 network segment Redirect all the packets from the 10 1 1 0 24 network segment to GigabitEthernet 1 0 7 Sysname system vie...

Page 846: ... 1 0 1 to set the VLAN ID to 1001 for packets matching Layer 2 ACL 4000 Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 traffic remark vlanid inbound link group 4000 remark vlan 1001 1 4 9 Configuring Queue Scheduling Refer to section Queue Scheduling for information about queue scheduling I Configuration prerequisites The algorithm for queue scheduling to ...

Page 847: ...ight queue5 weight queue6 weight queue7 weight Required By default the queue scheduling algorithm adopted on all the ports is WRR The default weights of the eight output queues of a port are 1 2 3 4 5 9 13 and 15 in the order queue 0 through queue 7 A port of an S5600 Ethernet switch supports eight output queues SP and WRR queue scheduling algorithms are available With WRR adopted if you set the w...

Page 848: ... for this port in the corresponding Ethernet port view The new weight or bandwidth value takes effect only on the port z The display queue scheduler command cannot display the queue weight or bandwidth value specified in Ethernet port view III Configuration example Adopt WRR for queue scheduling setting the weights of the output queues to 2 2 3 3 4 4 5 and 5 in the order queue 0 through queue 7 Th...

Page 849: ...ation example GigabitEthernet 1 0 1 is connected to the 10 1 1 0 24 network segment Perform traffic accounting on the packets sourced from the 10 1 1 0 24 network segment Clear the traffic statistics Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Sysname acl basic 2000 quit Sysname interface GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1...

Page 850: ...ple Enable the burst function Sysname system view Sysname burst mode enable 1 4 12 Configuring Traffic Mirroring Refer to section Traffic mirroring for information about traffic mirroring I Configuration prerequisites z The ACL rules for traffic classification have been defined Refer to the ACL module of this manual for information about defining ACL rules z The source mirroring ports have been de...

Page 851: ...et port view monitor port Required Use either approach Note For information about the mirroring group monitor port command and the monitor port command refer to the part talking about mirroring III Configuration example Assume that GigabitEthernet 1 0 1 is connected to the 10 1 1 0 24 network segment Duplicate the packets from network segment 10 1 1 0 24 to the destination mirroring port GigabitEt...

Page 852: ...g configuration display qos interface interface type interface number unit id traffic redirect Display VLAN mapping configuration display qos interface interface type interface number unit id traffic remark vlanid Display queue scheduling configuration display queue scheduler Display traffic accounting configuration display qos interface interface type interface number unit id traffic statistic Di...

Page 853: ...GE1 0 3 Figure 1 8 Network diagram for traffic policing and rate limiting configuration III Configuration procedure 1 Define an ACL for traffic classification Create ACL 2000 and enter basic ACL view Sysname system view Sysname acl number 2000 Define a rule for the packets with 192 168 0 1 as the source IP address Sysname acl basic 2000 rule permit source 192 168 0 1 0 Sysname acl basic 2000 quit ...

Page 854: ...of the switch Configure priority marking and queue scheduling on the switch to mark traffic flows accessing Server 1 Server 2 and Server 3 with different priorities respectively and assign the three traffic flows to different queues for scheduling II Network diagram Figure 1 9 Network diagram for priority marking and queue scheduling configuration III Configuration procedure 1 Define an ACL for tr...

Page 855: ... 1 6 3 VLAN Mapping Configuration Example I Network requirements Two customer networks are connected to the public network through Switch A and Switch B Configure the VLAN mapping function on the switches to enable the hosts on the two customer networks to communicate through public network VLANs z Switch A provides network access for terminal devices in VLAN 100 and VLAN 200 through GigabitEthern...

Page 856: ...tem view SwitchA vlan 100 SwitchA vlan100 quit SwitchA vlan 200 SwitchA vlan200 quit SwitchA vlan 500 SwitchA vlan500 quit SwitchA vlan 600 SwitchA vlan600 quit Configure GigabitEthernet 1 0 11 of Switch A as a trunk port and configure its default VLAN as VLAN 100 Assign GigabitEthernet 1 0 11 to VLAN 100 and VLAN 500 Configure GigabitEthernet 1 0 12 in the same way SwitchA interface GigabitEthern...

Page 857: ...ts from VLAN 100 ACL 4001 to permit packets from VLAN 200 ACL 4002 to permit packets from VLAN 500 and ACL 4003 to permit packets from VLAN 600 SwitchA acl number 4000 SwitchA acl ethernetframe 4000 rule permit source 100 SwitchA quit SwitchA acl number 4001 SwitchA acl ethernetframe 4001 rule permit source 200 SwitchA quit SwitchA acl number 4002 SwitchA acl ethernetframe 4002 rule permit source ...

Page 858: ...n in Figure 1 11 z The marketing department is connected to GigabitEthernet 1 0 1 of the switch The IP address segment for the hosts of the marketing department is 192 168 1 0 25 and the hosts access the Internet through the switch z The R D department is connected to GigabitEthernet 1 0 2 of the switch The IP address segment for the hosts of the R D department is 192 168 2 0 25 and the hosts acce...

Page 859: ...mit the traffic of the hosts in the marketing department during the specified time range Switch acl number 2000 Switch acl basic 2000 rule permit source 192 168 1 0 0 0 0 127 time range trname Switch acl basic 2000 quit Configure to mirror traffic matching ACL 2000 to GigabitEthernet 1 0 3 Switch interface GigabitEthernet 1 0 1 Switch GigabitEthernet1 0 1 mirrored to inbound ip group 2000 monitor ...

Page 860: ...001 Switch acl basic 2001 rule permit source 192 168 2 0 0 0 0 127 time range trname Switch acl basic 2001 quit Configure to redirect traffic matching ACL 2001 to GigabitEthernet 1 0 3 Switch interface GigabitEthernet 1 0 2 Switch GigabitEthernet1 0 2 traffic redirect inbound ip group 2001 interface GigabitEthernet 1 0 3 ...

Page 861: ...S configuration performed for the host Currently a QoS profile can contain configurations concerning packet filtering traffic policing and priority marking 2 1 2 QoS Profile Application Mode I Dynamic application mode A QoS profile can be applied dynamically to a user or a group of users passing 802 1x authentication To apply QoS profiles dynamically a user name to QoS profile mapping table is req...

Page 862: ...file Configuration Task List Complete the following tasks to configure QoS profile Operation Description Configuring a QoS Profile Required Applying a QoS Profile Optional 2 2 1 Configuring a QoS Profile I Configuration prerequisites z The ACL rules used for traffic classification are defined Refer to the ACL module of this manual for information about defining ACL rules z The type and number of a...

Page 863: ...value Optional 2 2 2 Applying a QoS Profile You can configure to apply a QoS profile dynamically or simply apply a QoS profile manually I Configuration prerequisites z To configure to apply a QoS profile dynamically make sure 802 1x is enabled both globally and on the port and the authentication mode is determined For information about 802 1x refer to the 802 1x and System Guard module of this man...

Page 864: ...sed the mode to apply a QoS profile must be configured as port based Follow these steps to apply a QoS profile manually To do Use the command Remarks Enter system view system view In system view apply qos profile profile name interface interface list Enter Ethernet port view interface interface type interface number Apply a QoS profile to specific ports In Ethernet port view Apply a QoS profile to...

Page 865: ...all the outbound IP packets of the user to 128 kbps and configuring to drop the packets exceeding the target packet rate II Network diagram User Switch Network AAA Server GE1 0 1 Figure 2 1 Network diagram for QoS profile configuration III Configuration procedure 1 Configuration on the AAA server Configure the user authentication information and the matching relationship between the user name and ...

Page 866: ...test net and specify radius1 as your RADIUS server group Sysname domain test net Sysname isp test net radius scheme radius1 Sysname isp test net quit Create ACL 3000 to permit IP packets destined for any IP address Sysname acl number 3000 Sysname acl adv 3000 rule 1 permit ip destination any Sysname acl adv 3000 quit Define a QoS profile named example to limit the rate of matched packets to 128 kb...

Page 867: ...oring 1 1 1 1 2 Remote Port Mirroring 1 2 1 1 3 Traffic Mirroring 1 3 1 2 Mirroring Configuration 1 4 1 2 1 Configuring Local Port Mirroring 1 4 1 2 2 Configuring Remote Port Mirroring 1 5 1 3 Displaying and Maintaining Port Mirroring 1 9 1 4 Mirroring Configuration Examples 1 9 1 4 1 Local Port Mirroring Configuration Example 1 9 1 4 2 Remote Port Mirroring Configuration Example 1 11 ...

Page 868: ...e port where packets are duplicated is called the source mirroring port or monitored port and the port to which duplicated packets are sent is called the destination mirroring port or the monitor port as shown in the following figure PC Data detection device Network Source mirroring port Destination mirroring port Figure 1 1 Mirroring The S5600 series Ethernet switches support three types of port ...

Page 869: ...re 1 2 Remote port mirroring application The switches involved in remote port mirroring function as follows z Source switch The source switch is the device where the monitored port is located It copies traffic passing through the monitored port to the reflector port The reflector port then transmits the traffic to an intermediate switch if any or destination switch through the remote probe VLAN z ...

Page 870: ...witch side and the destination switch side Trunk port Receives remote mirrored packets Destination switch Destination port Receives packets forwarded from the trunk port and transmits the packets to the data detection device Caution z Do not configure a default VLAN a management VLAN or a dynamic VLAN as the remote probe VLAN z Configure all ports connecting the devices in the remote probe VLAN as...

Page 871: ...g can be configured and the two kinds of ports cannot both exist z When you mirror packets sent by ports on an expansion module the packets from a port on the front panel to the expansion module cannot be mirrored if the monitor port is not on the expansion module Refer to the installation manual for the introduction to the front panel and expansion module 1 2 1 Configuring Local Port Mirroring I ...

Page 872: ...itor port Use either approach The configurations in the two views have the same effect When configuring local port mirroring note that z You need to configure the source and destination ports for the local port mirroring to take effect z The source port and the destination port cannot be a fabric port or a member port of an existing mirroring group besides the destination port cannot be a member p...

Page 873: ...p mirroring group group id remote source Required Configure source port s for the remote source mirroring group mirroring group group id mirroring port mirroring port list both inbound outbound Required Configure the reflector port for the remote source mirroring group mirroring group group id reflector port reflector port Required Configure the remote probe VLAN for the remote source mirroring gr...

Page 874: ...rm configurations on the intermediate switch To do Use the command Remarks Enter system view system view Create a VLAN and enter VLAN view vlan vlan id vlan id is the ID of the remote probe VLAN Configure the current VLAN as the remote probe VLAN remote probe vlan enable Required Return to system view quit Enter the view of the Ethernet port connecting to the source switch destination switch or ot...

Page 875: ...equired By default the port type is Access Configure trunk port to permit packets from the remote probe VLAN port trunk permit vlan remote probe vlan id Required Return to system view quit Create a remote destination mirroring group mirroring group group id remote destination Required Configure the destination port for the remote destination mirroring group mirroring group group id monitor port mo...

Page 876: ...ort Mirroring Configuration Example I Network requirements The departments of a company connect to each other through S5600 Ethernet switches z Research and Development R D department is connected to Switch C through GigabitEthernet 1 0 1 z Marketing department is connected to Switch C through GigabitEthernet 1 0 2 z Data detection device is connected to Switch C through GigabitEthernet 1 0 3 The ...

Page 877: ...figure the source ports and destination port for the local mirroring group Sysname mirroring group 1 mirroring port GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 both Sysname mirroring group 1 monitor port GigabitEthernet 1 0 3 Display configuration information about local mirroring group 1 Sysname display mirroring group 1 mirroring group 1 type local status active mirroring port GigabitEthernet1 0...

Page 878: ...ta detection device Use the remote port mirroring function to meet the requirement Perform the following configurations z Use Switch A as the source switch Switch B as the intermediate switch and Switch C as the destination switch z On Switch A create a remote source mirroring group configure VLAN 10 as the remote probe VLAN ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as the source ports...

Page 879: ...irroring group 1 remote probe vlan 10 Configure GigabitEthernet 1 0 3 as trunk port allowing packets of VLAN 10 to pass Sysname interface GigabitEthernet 1 0 3 Sysname GigabitEthernet1 0 3 port link type trunk Sysname GigabitEthernet1 0 3 port trunk permit vlan 10 Sysname GigabitEthernet1 0 3 quit Display configuration information about remote source mirroring group 1 Sysname display mirroring gro...

Page 880: ...mote probe VLAN Sysname vlan 10 Sysname vlan10 remote probe vlan enable Sysname vlan10 quit Configure the destination port and remote probe VLAN for the remote destination mirroring group Sysname mirroring group 1 monitor port GigabitEthernet 1 0 2 Sysname mirroring group 1 remote probe vlan 10 Configure GigabitEthernet 1 0 1 as the trunk port allowing packets of VLAN 10 to pass Sysname interface ...

Page 881: ...1 2 1 IRF Fabric Configuration Task List 1 6 1 2 2 Specifying the Fabric Port of a Switch 1 6 1 2 3 Setting a Unit ID for a Switch 1 7 1 2 4 Assigning a Unit Name to a Switch 1 9 1 2 5 Assigning an IRF Fabric Name to a Switch 1 9 1 2 6 Configuring IRF Automatic Fabric for a Switch 1 9 1 3 Displaying and Maintaining IRF Fabric 1 10 1 4 IRF Fabric Configuration Example 1 11 1 4 1 Network Requirement...

Page 882: ...network 1 1 1 Establishment of an IRF Fabric I Topology and connections of an IRF fabric An IRF fabric typically has a ring topology structure As shown in Figure 1 1 each S5600 switch uses two special ports on the rear panel to connect with two other switches in the fabric The two ports are called fabric ports in general UP port and DOWN port respectively the other ports of the switch which are av...

Page 883: ...ascade ports on its rear panel can be configured as the fabric ports The two cascade ports are z UP port Cascade 1 2 1 z DOWN port Cascade 1 2 2 III FTM As the basis of the IRF function the Fabric Topology Management FTM program manages and maintains the entire topology of a fabric With fabric ports configured the FTM program releases device information of the device through the fabric ports The d...

Page 884: ...am detects the necessary conditions for forming a fabric one by one and displays the detection results You can use the display ftm information command to view the detection information for the fabric checking the running status of the fabric or analyzing the problems Table 1 1 lists the status and solution of the problems Table 1 1 Status and solution Status Analysis Solution normal temporary redu...

Page 885: ... device or manually change the fabric name to add the device to the fabric H3C S5600 series switches provide the IRF automatic fabric function which enables the device to automatically download the software and change the fabric name thus reducing the manual maintenance workload With IRF automatic fabric enabled if inconsistency in software version or fabric name occurs when a switch is added to a...

Page 886: ...ed by IRF In normal cases a fabric can be considered as a single device You can manage the entire fabric by logging onto any device in the fabric with different logging modes The devices in the fabric synchronize their configurations by exchanging packets thus ensuring stability of the fabric FTM program uses Unit ID or device ID to distinguish between the devices in a fabric when you manage them ...

Page 887: ...ruptions resulted from single port failure Based on link aggregation DLA provides a more reliable solution with which you can select ports on different devices to form an aggregation port group In this way single port failure can be avoided and network reliability can be greatly improved because the fabric can communicate with the destination network through ports on other devices in case a single...

Page 888: ...ame time to ensure that the client can successfully obtain an IP address Since this configuration can be automatically synchronized to the entire fabric you can perform it on only one unit For the configuration of the UDP Helper function refer to the UDP Helper part of this manual 1 2 3 Setting a Unit ID for a Switch On the switches that support automatic numbering FTM will automatically number th...

Page 889: ...t to change the unit ID If you choose to change the existing unit ID is replaced and the priority is set to 5 Then you can use the fabric save unit id command to save the modified unit ID into the unit Flash memory and clear the information about the existing one z If auto numbering is selected the system sets the unit priority to 10 You can use the fabric save unit id command to save the modified...

Page 890: ...ssign a unit name to a switch set unit unit id name unit name Required 1 2 5 Assigning an IRF Fabric Name to a Switch Only the switches with the same IRF fabric name can form an IRF fabric Follow these steps to assign a fabric name to a switch To do Use the command Remarks Enter system view system view Assign a fabric name to the switch sysname sysname Optional By default the IRF fabric name is H3...

Page 891: ...nize the configurations from Master and restart repeatedly because the configurations on the device are lost after the device automatically downloads the software and restarts Note When fabric works normally you can configure the whole fabric as an individual device As a fabric is comprised of multiple devices busy working state may occur due to data transmission between devices or synchronous exe...

Page 892: ...3 4 z Unit names unit 1 unit 2 unit 3 unit 4 z Fabric name hello 1 4 2 Network Diagram Figure 1 4 Network diagram for forming an IRF fabric 1 4 3 Configuration Procedure 1 Configure Switch A Configure fabric ports H3C system view H3C fabric port Cascade 1 2 1 enable H3C fabric port Cascade 1 2 2 enable Configure the unit name as Unit 1 H3C set unit 1 name Unit1 Configure the fabric name as hello H...

Page 893: ...1 IRF Fabric Configuration 1 12 Set the unit ID to 2 H3C change unit id 2 to 2 Configure the unit name as Unit 2 H3C set unit 1 name unit2 Configure the fabric name as hello H3C sysname hello Configurations on Switch C and Switch D are similar with the above configurations ...

Page 894: ...ist 1 11 1 2 1 Configuring the Management Device 1 11 1 2 2 Configuring Member Devices 1 16 1 2 3 Managing a Cluster through the Management Device 1 19 1 2 4 Configuring the Enhanced Cluster Features 1 20 1 3 Displaying and Maintaining Cluster Configuration 1 23 1 4 Cluster Configuration Examples 1 23 1 4 1 Basic Cluster Configuration Example 1 23 1 4 2 Network Management Interface Configuration E...

Page 895: ...ntralized way Cluster management is implemented through Huawei Group Management Protocol HGMP HGMP version 2 HGMPv2 is used at present A switch in a cluster plays one of the following three roles z Management device z Member device z Candidate device A cluster comprises of a management device and multiple member devices To manage the devices in a cluster you need only to configure an external IP a...

Page 896: ...h the management device without the need to log onto them one by one z It provides the topology discovery and display function which assists in monitoring and maintaining the network z It allows you to configure and upgrade multiple switches at the same time z It enables you to manage your remotely devices conveniently regardless of network topology and physical distance z It saves IP address reso...

Page 897: ...s the cluster Management device also supports FTP server and SNMP host proxy z Processes the commands issued by users through the public network Member device Normally a member device is not assigned an external IP address z Members of a cluster z Discovers the information about its neighbors processes the commands forwarded by the management device and reports log The member devices of a luster a...

Page 898: ...evice becomes a candidate device only after the cluster is removed Note After you create a cluster on an S5600 switch the switch collects the network topology information periodically and adds the candidate switches it finds to the cluster The interval for a management device to collect network topology information is determined by the NTDP timer If you do not want the candidate switches to be add...

Page 899: ...wing neighbor information device ID port full half duplex mode product version the Boot ROM version and so on z An NDP enabled device maintains an NDP neighbor table Each entry in the NDP table can automatically ages out You can also clear the current NDP information manually to have neighbor information collected again z An NDP enabled device regularly broadcasts NDP packet through all its active...

Page 900: ...he neighbor devices z The neighbor devices perform the same operation until the NTDP topology collection request is propagated to all the devices within the specified hops When an NTDP topology collection request is propagated in the network it is received and forwarded by large numbers of network devices which may cause network congestion and the management device busy processing of the NTDP topo...

Page 901: ...rk topology so as to manage and monitor network devices z Before performing any cluster related configuration task you need to enable the cluster function first Note On the management device you need to enable the cluster function and configure cluster parameters On the member candidate devices however you only need to enable the cluster function so that they can be managed by the management devic...

Page 902: ...ree times of the interval to send handshake packets the state of the member device will also be changed from Active to Connect z If the management device receives a handshake packet or management packet from a member device that is in Connect state within the information holdtime it changes the state of the member device to Active otherwise it changes the state of the member device in Connect stat...

Page 903: ...ment device and the member candidate devices Therefore z If the packets of management VLAN are not permitted on a candidate device port connecting to the management device the candidate device cannot be added to the cluster In this case you can enable the packets of the management VLAN to be permitted on the port through the management VLAN auto negotiation function z Packets of the management VLA...

Page 904: ...ing ARP entry of the IP address to find out the corresponding MAC address and VLAN ID and thus find out the port connected with the downstream switch 2 After finding out the port connected with the downstream switch the switch will send a multicast packet with the VLAN ID and specified hops to the port Upon receiving the packet the downstream switch compares its own MAC address with the destinatio...

Page 905: ...ches play You also need to configure the related functions preparing for the communication between devices within the cluster Complete the following tasks to configure cluster Task Remarks Configuring the Management Device Required Configuring Member Devices Required Managing a Cluster through the Management Device Optional Configuring the Enhanced Cluster Features Optional 1 2 1 Configuring the M...

Page 906: ...s z When you create a cluster by using the build or auto build command UDP port 40000 is opened at the same time z When you remove a cluster by using the undo build or undo cluster enable command UDP port 40000 is closed at the same time II Enabling NDP globally and on specific ports Follow these steps to enable NDP globally and on specific ports To do Use the command Remarks Enter system view sys...

Page 907: ...DP globally ntdp enable Required Enabled by default Enter Ethernet port view interface interface type interface number Enable NTDP on the Ethernet port ntdp enable Required Enabled by default V Configuring NTDP related parameters Follow these steps to configure NTDP related parameters To do Use the command Remarks Enter system view system view Configure the range to collect topology information nt...

Page 908: ...ster enable Required By default the cluster function is enabled VII Configuring cluster parameters The establishment of a cluster and the related configuration can be accomplished in manual mode or automatic mode as described below 1 Establishing a cluster and configuring cluster parameters in manual mode Follow these steps to establish a cluster and configure cluster parameters in manual mode To ...

Page 909: ... default the interval to send handshake packets is 10 seconds 2 Establish a cluster in automatic mode Follow these steps to establish a cluster in automatic mode To do Use the command Remarks Enter system view system view Enter cluster view cluster Configure the IP address range for the cluster ip pool administrator ip address ip mask ip mask length Required Start automatic cluster establishment a...

Page 910: ...or the cluster snmp host ip address Optional By default no shared SNMP host is configured IX Configuring the network management interface for a cluster 1 Configuration prerequisites z The cluster switches are properly connected z The shared servers are properly connected to the management switch 2 Configuration procedure Follow these steps to configure the network management interface for a cluste...

Page 911: ... to a member device and its UDP port 40000 is opened at the same time z When you execute the auto build command on the management device to have the system automatically add candidate devices to a cluster the candidate devices change to member devices and their UDP port 40000 is opened at the same time z When you execute the administrator address command on a device the device s UDP port 40000 is ...

Page 912: ...Enter system view system view Enable NTDP globally ntdp enable Required Enter Ethernet port view interface interface type interface number Enable NTDP on the port ntdp enable Required IV Enabling the cluster function Follow these steps to enable the cluster function To do Use the command Remarks Enter system view system view Enable the cluster function globally cluster enable Optional By default t...

Page 913: ...emarks Enter system view system view Enter cluster view cluster Add a candidate device to the cluster add member member number mac address H H H password password Optional Remove a member device from the cluster delete member member number Optional Reboot a specified member device reboot member member number mac address H H H eraseflash Optional Return to system view quit Return to user view quit ...

Page 914: ... cluster in a tree structure The output formats include z Display the tree structure three layers above or below the specified node z Display the topology between two connected nodes Note The topology information is saved as topology top in the Flash memory to the administrative device You cannot specify the file name manually 2 Cluster device blacklist function To ensure stability and security of...

Page 915: ...ress member id member id administrator Required Save the standard topology to the Flash memory of the administrative device topology save to local flash Required Restore the standard topology from the Flash memory of the administrative device topology restore from local flash Optional Display the detailed information about a single device display ntdp single device mac address mac address Display ...

Page 916: ...Use the command Remarks Enter system view system view Enter cluster view cluster Add the MAC address of a specified device to the cluster blacklist black list add mac mac address Optional By default the cluster blacklist is empty Delete the specified MAC address from the cluster blacklist black list delete mac mac address Optional Delete a device from the cluster add this device to the cluster bla...

Page 917: ...rbose Display status and statistics information about the cluster display cluster Display information about the candidate devices of the cluster display cluster candidates mac address H H H verbose Display information about the member devices of the cluster display cluster members member number verbose Available in any view Clear the statistics on NDP ports reset ndp statistics interface port list...

Page 918: ...he devices in the cluster share the same FTP server and TFTP server z The FTP server and TFTP server use the same IP address 63 172 55 1 z The NMS and logging host use the same IP address 69 172 55 4 II Network diagram Figure 1 4 Network diagram for HGMP cluster configuration III Configuration procedure 1 Configure the member devices taking one member as an example Enable NDP globally and on Ether...

Page 919: ...t1 0 1 undo ntdp enable Sysname GigabitEthernet1 0 1 quit Enable NDP on GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 ndp enable Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet 1 0 3 Sysname GigabitEthernet1 0 3 ndp enable Sysname GigabitEthernet1 0 3 quit Set the hold time of NDP information to 200 seconds ...

Page 920: ...Name and build the cluster Sysname cluster build aaa aaa_0 Sysname cluster Add the attached two switches to the cluster aaa_0 Sysname cluster add member 1 mac address 000f e201 0011 aaa_0 Sysname cluster add member 17 mac address 000f e201 0012 Set the holdtime of member device information to 100 seconds aaa_0 Sysname cluster holdtime 100 Set the interval between sending handshake packets to 10 se...

Page 921: ... on the management device to switch to member device view to maintain and manage a member device After that you can execute the cluster switch to administrator command to return to management device view z In addition you can execute the reboot member member number mac address H H H eraseflash command on the management device to reboot a member device For detailed information about these operation...

Page 922: ...ew and configure VLAN 3 as the management VLAN Sysname system view Sysname management vlan 3 Add GigabitEthernet 1 0 1 to VLAN 3 Sysname vlan 3 Sysname vlan3 port GigabitEthernet 1 0 1 Sysname vlan3 quit Set the IP address of VLAN interface 3 to 192 168 5 30 Sysname interface Vlan interface 3 Sysname Vlan interface3 ip address 192 168 5 30 255 255 255 0 Sysname Vlan interface3 quit Add GigabitEthe...

Page 923: ...and build the cluster Sysname cluster build aaa aaa_0 Sysname cluster Configure VLAN interface 2 as the network management interface aaa_0 Sysname cluster aaa_0 Sysname cluster nm interface Vlan interface 2 1 4 3 Enhanced Cluster Feature Configuration Example I Network requirements z The cluster operates properly z Add the device with the MAC address 0001 2034 a0e5 to the cluster blacklist that is...

Page 924: ... device Member device 1 Figure 1 6 Network diagram for the enhanced cluster feature configuration III Configuration procedure Enter cluster view aaa_0 Sysname system view aaa_0 Sysname cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 Sysname cluster black list add mac 0001 2034 a0e5 Backup the current topology aaa_0 Sysname cluster topology accept all save to local flash ...

Page 925: ...ng the PoE Mode on a Port 1 5 1 2 6 Configuring the PD Compatibility Detection Function 1 5 1 2 7 Configuring PoE Over Temperature Protection on the Switch 1 6 1 2 8 Upgrading the PSE Processing Software Online 1 6 1 2 9 Upgrading the PSE Processing Software of Fabric Switches Online 1 7 1 2 10 Displaying PoE Configuration 1 8 1 3 PoE Configuration Example 1 8 1 3 1 PoE Configuration Example 1 8 C...

Page 926: ... implement power supply and data transmission simultaneously I Advantages of PoE z Reliability The centralized power supply provides backup convenience unified management and safety z Easy connection Network terminals only require an Ethernet cable but no external power supply z Standard PoE conforms to the 802 3af standard and uses a globally uniform power interfaces z Bright application prospect...

Page 927: ...nput is adopted for the switch the maximum total power that can be provided is 300 W The switch can determine whether to supply power to the next remote PD it detects depending on its available power z When DC power input is adopted for the switch it is capable of supplying full power to all of the 24 48 ports that is 15 400 mW for each port and the total power is 369 6 W 739 2 W z The PSE process...

Page 928: ...nabling the PoE Feature on a Port Required Setting the Maximum Output Power on a Port Optional Setting PoE Management Mode and PoE Priority of a Port Optional Setting the PoE Mode on a Port Optional Configuring the PD Compatibility Detection Function Optional Configuring PoE Over Temperature Protection on the Switch Optional Upgrading the PSE Processing Software Online Optional Upgrading the PSE P...

Page 929: ... PoE Management Mode and PoE Priority of a Port When a switch is close to its full load in supplying power you can adjust the power supply of the switch through the cooperation of the PoE management mode and the port PoE priority settings S5600 series switches support two PoE management modes auto and manual The auto mode is adopted by default z auto When the switch is close to its full load in su...

Page 930: ...ed low by default 1 2 5 Setting the PoE Mode on a Port PoE mode of a port falls into two types signal mode and spare mode z Signal mode DC power is carried over the data pairs 1 2 3 and 6 of category 3 5 twisted pairs z Spare mode DC power is carried over the spare pairs 4 5 7 and 8 of category 3 5 twisted pairs Currently S5600 series Ethernet switches do not support the spare mode After the PoE f...

Page 931: ...ow these steps to configure PoE over temperature protection on the switch To do Use the command Remarks Enter system view system view Enable PoE over temperature protection on the switch poe temperature protection enable Optional Enabled by default Note z When the internal temperature of the switch decreases from X X 65 C or X 149 F to Y 60 C Y 65 C or 140 F Y 149 F the switch still keeps the PoE ...

Page 932: ...pgrade the PSE processing software z When the online upgrading procedure is interrupted for some unexpected reason for example the device restarts due to some errors if the upgrade in full mode fails after restart you must upgrade in full mode after power off and restart of the device and then restart the device manually In this way the former PoE configuration is restored 1 2 9 Upgrading the PSE ...

Page 933: ... temperature protection Available in any view 1 3 PoE Configuration Example 1 3 1 PoE Configuration Example I Network requirements Switch A is an S5600 series Ethernet switch supporting PoE Switch B can be PoE powered z The GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 ports of Switch A are connected to Switch B and an AP respectively the GigabitEthernet 1 0 8 port is intended to be connected wi...

Page 934: ...Ethernet1 0 1 poe max power 12000 SwitchA GigabitEthernet1 0 1 quit Enable the PoE feature on GigabitEthernet 1 0 2 and set the PoE maximum output power of GigabitEthernet 1 0 2 to 2500 mW SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 poe enable SwitchA GigabitEthernet1 0 2 poe max power 2500 SwitchA GigabitEthernet1 0 2 quit Enable the PoE feature on GigabitEthernet 1 0 8 a...

Page 935: ... H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration 1 10 Enable the PD compatibility detect of the switch to allow the switch to supply power to the devices noncompliant with the 802 3af standard SwitchA poe legacy enable ...

Page 936: ... A PoE profile is a set of PoE configurations including multiple PoE features Features of PoE profile z Various PoE profiles can be created PoE policy configurations applicable to different user groups are stored in the corresponding PoE profiles These PoE profiles can be applied to the ports used by the corresponding user groups z When users connect a PD to a PoE profile enabled port the PoE conf...

Page 937: ...existing PoE profile to the specified Ethernet port In Ethernet port view Apply the existing PoE profile to the port apply poe profile profile name Use either approach Note the following during the configuration 1 When the apply poe profile command is used to apply a PoE profile to a port some PoE features in the PoE profile can be applied successfully while some cannot PoE profiles are applied to...

Page 938: ...out the PoE profiles created on the switch display poe profile all profile interface interface type interface number name profile name Available in any view 2 4 PoE Profile Configuration Example 2 4 1 PoE Profile Application Example I Network requirements Switch A is an S5600 series Ethernet switch supporting PoE GigabitEthernet 1 0 1 through GigabitEthernet 1 0 10 of Switch A are used by users of...

Page 939: ... In Profile 1 add the PoE policy configuration applicable to GigabitEthernet 1 0 1 through GigabitEthernet 1 0 5 ports for users of group A SwitchA poe profile Profile1 poe enable SwitchA poe profile Profile1 poe mode signal SwitchA poe profile Profile1 poe priority critical SwitchA poe profile Profile1 poe max power 3000 SwitchA poe profile Profile1 quit Display detailed configuration information...

Page 940: ...gh SwitchA poe profile Profile2 poe max power 15400 SwitchA poe profile Profile2 quit Display detailed configuration information for Profile2 SwitchA display poe profile name Profile2 Poe profile Profile2 2 action poe enable poe priority high Apply the configured Profile 1 to GigabitEthernet 1 0 1 through GigabitEthernet 1 0 5 ports SwitchA apply poe profile Profile1 interface GigabitEthernet1 0 1...

Page 941: ...tents i Table of Contents Chapter 1 UDP Helper Configuration 1 1 1 1 Introduction to UDP Helper 1 1 1 2 Configuring UDP Helper 1 2 1 3 Displaying and Maintaining UDP Helper 1 3 1 4 UDP Helper Configuration Example 1 3 1 4 1 Cross Network Computer Search Through UDP Helper 1 3 ...

Page 942: ...elay specified UDP packets In other words UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet z If the destination port number of the packet matches the...

Page 943: ... steps to configure UDP Helper To do Use the command Remarks Enter system view system view Enable UDP Helper udp helper enable Required Disabled by default Specify a UDP port number udp helper port port number dns netbios ds netbios ns tacacs tftp time Optional By default the device enabled with UDP Helper forwards the broadcast packets containing any of the six port numbers 53 138 137 49 69 and 3...

Page 944: ...rt 53 and udp helper port dns specify the same port z You can specify up to 20 destination server addresses on a VLAN interface z If UDP Helper is enabled after a destination server is configured for a VLAN interface the broadcasts from interfaces belonging to the VLAN and having a matching UDP port will be unicast to the destination server 1 3 Displaying and Maintaining UDP Helper To do Use the c...

Page 945: ...name system view Sysname ip forward broadcast Enable UDP Helper on Switch A Sysname udp helper enable Configure the switch to forward broadcasts containing the destination UDP port number 137 By default the device enabled with UDP Helper forwards the broadcasts containing the destination UDP port number 137 Sysname udp helper port 137 Specify the destination server IP address on Vlan interface 1 S...

Page 946: ...nfiguring Trap Related Functions 1 6 1 3 1 Configuring Basic Trap Functions 1 6 1 3 2 Configuring Extended Trap Function 1 7 1 4 Enabling Logging for Network Management 1 8 1 5 Displaying SNMP 1 9 1 6 SNMP Configuration Example 1 9 1 6 1 SNMP Configuration Example 1 9 Chapter 2 RMON Configuration 2 1 2 1 Introduction to RMON 2 1 2 1 1 Working Mechanism of RMON 2 1 2 1 2 Commonly Used RMON Groups 2...

Page 947: ... 1 1 SNMP Overview The Simple Network Management Protocol SNMP is used for ensuring the transmission of the management information between any two network nodes In this way network administrators can easily retrieve and modify the information about any node on the network In the meantime they can locate faults promptly and implement the fault diagnosis capacity planning and report generating As SN...

Page 948: ...is used to define the relationship between SNMP NMS and SNMP agent Community name functions as password It can limit accesses made by SNMP NMS to SNMP agent You can perform the following community name related configuration z Specifying MIB view that a community can access z Set the permission for a community to access an MIB object to be read only or read write Communities with read only permissi...

Page 949: ...RFC 1213 RFC 1493 BRIDGE MIB RFC 2675 RIP MIB RFC 1724 RMON MIB RFC 2819 Ethernet MIB RFC 2665 OSPF MIB RFC 1253 Public MIB IF MIB RFC 1573 Private MIB DHCP MIB QACL MIB MSTP MIB VLAN MIB IPV6 ADDRESS MIB MIRRORGROUP MIB QINQ MIB 802 x MIB HGMP MIB NTP MIB Device management Interface management 1 2 Configuring Basic SNMP Functions SNMPv3 configuration is quite different from that of SNMPv1 and SNM...

Page 950: ...agent community read write community name acl acl number mib view view name Set an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl number Set a communi ty name and access permissi on Indirect configu ration Add a user to an SNMP group snmp agent usm user v1 v2c user name group name acl acl number Required z You can set an SNMP...

Page 951: ...o configure SNMP agent Set system information and specify to enable SNMPv3 on the switch snmp agent sys info contact sys contact location sys location version v1 v2c v3 all Optional By default the contact information for system maintenance is Hangzhou H3C Technologies Co Ltd the system location is Hangzhou China and the SNMP version is SNMPv3 Set an SNMP group snmp agent group v3 group name authen...

Page 952: ...ame oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 Note An S5600 Ethernet switch provides the following functions to prevent attacks through unused UDP ports z Executing the snmp agent command or any of the commands used to configure SNMP agent enables the SNMP agent and at the same opens UDP port 161 used by SNMP agents and the UDP port used by SNMP trap re...

Page 953: ... a port is enabled to send all types of traps Set the destination for traps snmp agent target host trap address udp domain ip address udp port port number params securityname security string v1 v2c v3 authentication privacy Required Set the source address for traps snmp agent trap source interface type interface number Optional Set the size of the queue used to hold the traps to be sent to the des...

Page 954: ...Enter system view system view Enable logging for network management snmp agent log set operation get operation all Optional Disabled by default Note z When SNMP logging is enabled on a device SNMP logs are output to the information center of the device With the output destinations of the information center set the output destinations of SNMP logs will be decided z The severity level of SNMP logs i...

Page 955: ...p name Display trap list information display snmp agent trap list Display the currently configured community name display snmp agent community read write Display the currently configured MIB view display snmp agent mib view exclude include viewname view name Available in any view 1 6 SNMP Configuration Example 1 6 1 SNMP Configuration Example I Network requirements z An NMS and Switch A SNMP agent...

Page 956: ...word to passmd5 z encryption protocol to AES z encryption password to cfb128cfb128 Sysname snmp agent group v3 managev3group privacy write view internet Sysname snmp agent usm user v3 managev3user managev3group authentication mode md5 passmd5 privacy mode aes128 cfb128cfb128 Set the VLAN interface 2 as the interface used by NMS Add port GigabitEthernet 1 0 2 which is to be used for network managem...

Page 957: ...rd authentication When you use H3C s QuidView NMS you need to set user names and choose the security level in Quidview Authentication Parameter For each security level you need to set authorization mode authorization password encryption mode encryption password and so on In addition you need to set timeout time and maximum retry times You can query and configure an Ethernet switch through the NMS ...

Page 958: ...riod of time and the total number of packets successfully sent to a specific host z RMON is fully based on SNMP architecture It is compatible with the current SNMP implementations z RMON enables SNMP to monitor remote network devices more effectively and actively thus providing a satisfactory means of monitoring remote subnets z With RMON implemented the communication traffic between NMS and SNMP ...

Page 959: ... and extended alarm group to trigger alarms You can specify a network device to act in one of the following ways in response to an event z Logging the event z Sending traps to the NMS z Logging the event and sending traps to the NMS z No processing II Alarm group RMON alarm management enables monitoring on specific alarm variables such as the statistics of a port When the value of a monitored vari...

Page 960: ...e data of a specific port periodically V Statistics group Statistics group contains the statistics of each monitored port on a switch An entry in a statistics group is an accumulated value counting from the time when the statistics group is created The statistics include the number of the following items collisions packets with Cyclic Redundancy Check CRC errors undersize or oversize packets broad...

Page 961: ...event entry1 falling_threshold threshold value2 event entry2 entrytype forever cycle cycle period owner text Optional Before adding an extended alarm entry you need to use the rmon event command to define the event to be referenced by the extended alarm entry Enter Ethernet port view interface interface type interface number Add a history entry rmon history entry number buckets number interval sam...

Page 962: ...figuration Example I Network requirements z The switch to be tested is connected to a remote NMS through the Internet Ensure that the SNMP agents are correctly configured before performing RMON configuration z Create an entry in the extended alarm table to monitor the information of statistics on the Ethernet port if the change rate of which exceeds the set threshold the alarm events will be trigg...

Page 963: ...s reaches the rising threshold of 50 event 1 is triggered when the change ratio drops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6 1 2 1 16 1 1 1 10 1 test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1 Display the RMON extended alarm entry numbered 2 Sysname display rmon prialarm 2 Prialarm table ...

Page 964: ... 4 1 Configuration Prerequisites 1 12 1 4 2 Configuration Procedure 1 12 1 5 Configuring NTP Authentication 1 12 1 5 1 Configuration Prerequisites 1 13 1 5 2 Configuration Procedure 1 14 1 6 Configuring Optional NTP Parameters 1 15 1 6 1 Configuring an Interface on the Local Switch to Send NTP Messages 1 16 1 6 2 Configuring the Number of Dynamic Sessions Allowed on the Local Switch 1 16 1 6 3 Dis...

Page 965: ...nly be synchronized by other clock sources but also serve as a clock source to synchronize other clocks Besides it can synchronize or be synchronized by other systems by exchanging NTP messages 1 1 1 Applications of NTP As setting the system time manually in a network with many devices leads to a lot of workload and cannot ensure accuracy it is unfeasible for an administrator to perform the operat...

Page 966: ... the unsynchronized state and cannot serve as a reference clock z The local clock of an S5600 Ethernet switch cannot be set as a reference clock It can serve as a reference clock source to synchronize the clock of other devices only after it is synchronized 1 1 2 Implementation Principle of NTP Figure 1 1 shows the implementation principle of NTP Ethernet switch A Device A is connected to Ethernet...

Page 967: ...T1 identifying when it is sent z When the message arrives at Device B Device B inserts its own timestamp 11 00 01 am T2 into the packet z When the NTP message leaves Device B Device B inserts its own timestamp 11 00 02 am T3 into the packet z When Device A receives the NTP message the local time of Device A is 10 00 03am T4 At this time Device A has enough information to calculate the following tw...

Page 968: ...ymmetric peer mode Passive peer Clock synchronization request packet Synchronize Network Active peer Works in passive peer mode automatically In peer mode both sides can be synchronized to each other Response packet Figure 1 3 Symmetric peer mode In the symmetric peer mode the local S5600 Ethernet switch serves as the symmetric active peer and sends clock synchronization request first while the re...

Page 969: ...C S5600 series Ethernet switches NTP implementation mode Configuration on S5600 series switches Server client mode Configure the local S5600 Ethernet switch to work in the NTP client mode In this mode the remote server serves as the local time server while the local switch serves as the client Symmetric peer mode Configure the local S5600 switch to work in NTP symmetric peer mode In this mode the ...

Page 970: ...600 Ethernet switch to work in NTP multicast client mode In this mode the local switch receives multicast NTP messages through the VLAN interface configured on the switch Caution z When an H3C S5600 Ethernet switch works in server mode or symmetric passive mode you need not to perform related configurations on this switch but do that on the client or the symmetric active peer z The NTP server mode...

Page 971: ...UDP port 123 is opened only when the NTP feature is enabled z UDP port 123 is closed as the NTP feature is disabled These functions are implemented as follows z Execution of one of the ntp service unicast server ntp service unicast peer ntp service broadcast client ntp service broadcast server ntp service multicast client and ntp service multicast server commands enables the NTP feature and opens ...

Page 972: ...he source IP address of the NTP message will be configured as the primary IP address of the specified interface z A switch can act as a server to synchronize the clock of other switches only after its clock has been synchronized If the clock of a server has a stratum level lower than or equal to that of a client s clock the client will not synchronize its clock to the server s z You can configure ...

Page 973: ...pecified interface z Typically the clock of at least one of the symmetric active and symmetric passive peers should be synchronized first otherwise the clock synchronization will not proceed z You can configure multiple symmetric passive peers for the local switch by repeating the ntp service unicast peer command The clock of the peer with the smallest stratum will be chosen to synchronize with th...

Page 974: ...adcast client mode To do Use the command Remarks Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Configure the switch to work in the NTP broadcast client mode ntp service broadcast client Required Not configured by default 1 3 4 Configuring NTP Multicast Mode For switches working in the multicast mode you need to configure both the server and clients The mu...

Page 975: ... version number Required Not configured by default II Configuring a switch to work in the multicast client mode Follow these steps to configure a switch to work in the NTP multicast client mode To do Use the command Remarks Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Configure the switch to work in the NTP multicast client mode ntp service multicast cli...

Page 976: ...device receives an NTP request it will perform an access control right match in this order and use the first matched right 1 4 1 Configuration Prerequisites Prior to configuring the NTP service access control right to the local switch for peer devices you need to create and configure an ACL associated with the access control right For the configuration of ACL refer to ACL Configuration in Security...

Page 977: ...nfiguring NTP authentication z If the NTP authentication function is not enabled on the client the clock of the client can be synchronized to a server no matter whether the NTP authentication function is enabled on the server assuming that other related configurations are properly performed z For the NTP authentication function to take effect a trusted key needs to be configured on both the client...

Page 978: ...t mode ntp service unicast server remote ip server name authentication keyid key id Associ ate the specifi ed key with the corres pondin g NTP server Configure on the symmetric activ e peer in the symmetric peer mode ntp service unicast peer remote ip peer name authentication keyid key id Required For the client in the NTP broadcast multicast mode you just need to associate the specified key with ...

Page 979: ...ociate the specified key with the correspon ding broadcast multicast client Configure on the NTP multicast server ntp service multicast server authentication keyid key id z In NTP broadcast server mode and NTP multicast server mode you need to associate the specified key with the corresponding broadcast multicast client z You can associate an NTP broadcast multicast client with an authentication k...

Page 980: ...c Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time including static associations and dynamic associations A static association refers to an association that a user has manually created by using an NTP command while a dynamic association is a temporary association created by the system during operation A dynamic association will be removed...

Page 981: ...w these steps to disable an interface from receiving NTP messages To do Use the command Remarks Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Disable an interface from receiving NTP messages ntp service in interface disable Required By default a VLAN interface receives NTP messages 1 7 Displaying NTP Configuration To do Use the command Remarks Display the...

Page 982: ...n III Configuration procedure Perform the following configurations on Device B View the NTP status of Device B before synchronization DeviceB display ntp service status Clock status unsynchronized Clock stratum 16 Reference clock ID none Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 0 0000 ms Root delay 0 00 ms Root dispersion 0 00 ms Peer dispersion ...

Page 983: ... NTP sessions of Device B You can see that Device B establishes a connection with Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 1 64 1 350 1 15 1 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 1 8 2 Configuring NTP Symmetric Peer Mode I Network requirements z The l...

Page 984: ...ice C as the peer of Device B DeviceB ntp service unicast peer 3 0 1 33 Device C and Device B are symmetric peers after the above configuration Device B works in symmetric active mode while Device C works in symmetric passive mode Because the stratum level of the local clock of Device B is 1 and that of Device C is 3 the clock of Device C is synchronized to that of Device B View the status of Devi...

Page 985: ...4 3 12 9 2 7 25 3 0 1 31 127 127 1 0 2 1 64 1 4408 6 38 7 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 2 1 8 3 Configuring NTP Broadcast Mode I Network requirements z The local clock of Device C is set as the NTP master clock with a stratum level of 2 Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through...

Page 986: ...LAN interface 2 Because Device A and Device C do not share the same network segment Device A cannot receive broadcast messages from Device C while Device D is synchronized to Device C after receiving broadcast messages from Device C View the NTP status of Device D after the clock synchronization DeviceD display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 3...

Page 987: ...and advertise multicast NTP messages through VLAN interface 2 z Device A and Device D are two S5600 Ethernet switches Configure Device A and Device D to work in the NTP multicast client mode and listen to multicast messages through their own VLAN interface 2 II Network diagram Vlan int2 1 0 1 31 24 Vlan int2 3 0 1 31 24 Vlan int2 3 0 1 32 24 Device A Device B Device C Device D Figure 1 9 Network d...

Page 988: ...ulticast messages from Device C View the NTP status of Device D after the clock synchronization DeviceD display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 ...

Page 989: ... 1 Configure Device B Enter system view DeviceB system view Enable the NTP authentication function DeviceB ntp service authentication enable Configure an MD5 authentication key with the key ID being 42 and the key being aNiceKey DeviceB ntp service authentication keyid 42 authentication mode md5 aNiceKey Specify the key 42 as a trusted key DeviceB ntp service reliable authentication keyid 42 Assoc...

Page 990: ...tum 3 Reference clock ID 1 0 1 11 Nominal frequence 100 0000 Hz Actual frequence 100 1000 Hz Clock precision 2 18 Clock offset 0 66 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Apr 2 2007 BF422AE4 05AEA86C The output information indicates that the clock of Device B is synchronized to that of Device A with a clock stratum level of 3 one st...

Page 991: ... 8 Assigning a Public Key to an SSH User 1 13 1 3 9 Exporting the RSA or DSA Public Key 1 13 1 4 Configuring the SSH Client 1 14 1 4 1 SSH Client Configuration Task List 1 14 1 4 2 Configuring an SSH Client that Runs SSH Client Software 1 15 1 4 3 Configuring an SSH Client Assumed by an SSH2 Capable Switch 1 22 1 5 Displaying and Maintaining SSH Configuration 1 26 1 6 Comparison of SSH Commands wi...

Page 992: ... 1 SSH Overview 1 1 1 Introduction to SSH Secure Shell SSH is a protocol that provides secure remote login and other security services in insecure network environments In an SSH connection data are encrypted before being sent out and decrypted after they reach the destination This prevents attacks such as plain text password interception Besides SSH also provides powerful user authentication funct...

Page 993: ...is usually classified into symmetric key algorithm and asymmetric key algorithm 1 1 3 Asymmetric Key Algorithm Asymmetric key algorithm means that a key pair exists at both ends The key pair consists of a private key and a public key The public key is effective for both ends while the private key is effective only for the local end Normally you cannot use the private key through the public key Asy...

Page 994: ...o connection requests from clients z The client sends a TCP connection request to the server After the TCP connection is established the server sends the first packet to the client which includes a version identification string in the format of SSH primary protocol version number secondary protocol version number software version number The primary and secondary protocol version numbers constitute...

Page 995: ...the authentication type is password the content is the password z The server starts to authenticate the user If authentication fails the server sends an authentication failure message to the client which contains the list of methods used for a new authentication process z The client selects an authentication type from the method list to perform authentication again z The above process repeats unti...

Page 996: ...nd establishes a session V Data exchange In this stage the server and the client exchanges data in this way z The client encrypts and sends the command to be executed to the server z The server decrypts and executes the command and then encrypts and sends the result to the client z The client decrypts and displays the result on the terminal 1 2 SSH Server and Client Configuration Task List Many de...

Page 997: ...erver should support By default the SSH server is compatible with SSH1 clients Key Generating Destroying Key Pairs Required Creating an SSH User and Specifying an Authentication Type Required Authentication Specifying a Service Type for an SSH User Optional By default an SSH user can use the service type of stelnet Configuring the Public Key of a Client on the Server z Not necessary when the authe...

Page 998: ...f one or more user interfaces user interface vty first number last number Configure the authentication mode as scheme authentication mode scheme command authorization Required By default the user interface authentication mode is password Specify the supported protocol s protocol inbound all ssh telnet Optional By default both Telnet and SSH are supported Caution z If you have configured a user int...

Page 999: ... of SSH authentication retry attempts ssh server authentication retrie s times Optional By default the number of SSH authentication retry attempts is 3 Set the RSA server key update interval ssh server rekey interval hours Optional By default the system does not update the RSA server keys Configure a login header header shell text Optional By default no login header is configured Specify a source ...

Page 1000: ... an SSH client to log in successfully When generating a key pair you will be prompted to enter the key length in bits which is between 512 and 2048 The default length is 1024 In case a key pair already exists the system will ask whether to replace the existing key pair Table 1 5 Follow these steps to create or destroy key pairs To do Use the command Remarks Enter system view system view Generate a...

Page 1001: ... be greater than or equal to 768 Therefore a local key pair of more than 768 bits is recommended 1 3 5 Creating an SSH User and Specifying an Authentication Type This task is to create an SSH user and specify an authentication type for it Specifying an authentication type for a new user is a must to get the user login Table 1 6 Follow these steps to configure an SSH user and specify an authenticat...

Page 1002: ...server And the user can use its username and password configured on the remote server to access the network z Under the publickey authentication mode the level of commands available to a logged in SSH user can be configured using the user privilege level command on the server and all the users with this authentication mode will enjoy this level z Under the password or password publickey authentica...

Page 1003: ...r case you can manually copy the client s public key to the server In the latter case the system automatically converts the format of the public key generated by the client to complete the configuration on the server but the client s public key should be transferred from the client to the server beforehand through FTP TFTP Table 1 8 Follow these steps to configure the public key of a client manual...

Page 1004: ...ser Caution This configuration task is unnecessary if the SSH user s authentication mode is password For the publickey authentication mode you must specify the client s public key on the server for authentication Table 1 10 Follow these steps to assign a public key for an SSH user To do Use the command Remarks Enter system view system view Assign a public key to an SSH user ssh user username assig...

Page 1005: ...key format can be SSH1 SSH2 and OpenSSH 1 4 Configuring the SSH Client The configurations required on the SSH client are related to the authentication mode that the SSH server uses In addition if an SSH client does not support first time authentication you need to configure the public key of the server on the client so that the client can authenticate the server 1 4 1 SSH Client Configuration Task...

Page 1006: ...Server Required Selecting a protocol for remote connection Required Selecting an SSH version Required Opening an SSH connection with password authentication Required for password authentication unnecessary for publickey authentication Opening an SSH connection with publickey authentication Required for publickey authentication unnecessary for password authentication Note z Selecting the protocol f...

Page 1007: ...enerate a client key run PuTTYGen exe and select from the Parameters area the type of key you want to generate either SSH 2 RSA or SSH 2 DSA then click Generate Figure 1 2 Generate a client key 1 Note that while generating the key pair you must move the mouse continuously and keep the mouse off the green process bar in the blue box of shown in Figure 1 3 Otherwise the process bar stops moving and ...

Page 1008: ...thernet Switches Chapter 1 SSH Configuration 1 17 Figure 1 3 Generate the client keys 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case to save the public key ...

Page 1009: ...ate key A warning window pops up to prompt you whether to save the private key without any precaution Click Yes and enter the name of the file for saving the private key private in this case to save the private key Figure 1 5 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click Browse and select the public key file and then click Convert ...

Page 1010: ...on Manual SSH H3C S5600 Series Ethernet Switches Chapter 1 SSH Configuration 1 19 Figure 1 6 Generate the client keys 5 II Specifying the IP address of the Server Launch PuTTY exe The following window appears ...

Page 1011: ...box enter the IP address of the server Note that there must be a route available between the IP address of the server and the client III Selecting a protocol for remote connection As shown in Figure 1 7 select SSH under Protocol IV Selecting an SSH version From the category on the left pane of the window select SSH under Connection The window as shown in Figure 1 8 appears ...

Page 1012: ...re supports DES algorithm negotiation ssh2 V Opening an SSH connection with password authentication From the window shown in Figure 1 8 click Open If the connection is normal you will be prompted to enter the username and password Enter the username and password to establish an SSH connection To log out enter the quit command VI Opening an SSH connection with publickey authentication If a user nee...

Page 1013: ...prompted for a username Once passing the authentication the user can log in to the server 1 4 3 Configuring an SSH Client Assumed by an SSH2 Capable Switch Table 1 14 Complete the following tasks to configure an SSH client that is assumed by an SSH2 capable switch Task Remarks Configuring the SSH client for publickey authentication z Not necessary when the authentication mode is password z Require...

Page 1014: ...SH client you can configure whether the device supports first time authentication z With first time authentication enabled an SSH client that is not configured with the server host public key can continue accessing the server when it accesses the server for the first time and it will save the host public key on the client for use in subsequent authentications z With first time authentication disab...

Page 1015: ...ickey keyname Required III Specifying a source IP address interface for the SSH client This configuration task allows you to specify a source IP address or interface for the client to use to access the SSH server This feature improves the service manageability Table 1 17 Follow these steps to specify a source IP address interface for the SSH client To do Use the command Remarks Enter system view s...

Page 1016: ... md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required In this command you can also specify the preferred key exchange algorithm encryption algorithms and HMAC algorithms between the server and client HMAC Hash based message authentication code Note that The identity key keyword is unnecessary in password authentication and optional in public key authentication Note When logging into the SS...

Page 1017: ... keys and SSH servers saved on a client display ssh server info Available in any view 1 6 Comparison of SSH Commands with the Same Functions After the SSH protocol supports the DSA asymmetric key algorithm some SSH configuration commands are changed For the sake of SSH configuration compatibility the original commands are still supported Table 1 19 lists both the original commands and current comm...

Page 1018: ...ssh user username authentication type publickey Note z After the RSA key pair is generated the display rsa local key pair public command displays two public keys the host public key and server public key when the switch is working in SSH1 compatible mode but only one public key the host public key when the switch is working in SSH2 mode z The result of the display rsa local key pair public command...

Page 1019: ...requisite to SSH login Generate RSA and DSA key pairs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Switch ui vty0 4 quit Create local client client001 and set the...

Page 1020: ...e network segment Configure the SSH client software to establish a connection to the SSH server Take SSH client software Putty version 0 58 as an example 1 Run PuTTY exe to enter the following configuration interface Figure 1 11 SSH client configuration interface In the Host Name or IP address text box enter the IP address of the SSH server 2 From the category on the left pane of the window select...

Page 1021: ...name client001 and password abc Once authentication succeeds you will log in to the server 1 7 2 When Switch Acts as Server for Password and RADIUS Authentication I Network requirements As shown in Figure 1 13 an SSH connection is required between the host SSH client and the switch SSH server for secure data exchange Password authentication is required z The host runs SSH2 0 client software to est...

Page 1022: ...rm and select System Management System Configuration from the navigation tree In the System Configuration window click Modify of the Access Device item and then click Add to enter the Add Access Device window and perform the following configurations z Specify the IP address of the switch as 192 168 1 70 z Set both the shared keys for authentication and accounting packets to expert z Select LAN Acc...

Page 1023: ...k Add to enter the Add Account window and perform the following configurations z Add a user named hello and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed Figure 1 15 Add an account for device management 2 Configure the SSH server Create a VLAN interface on the switch and assign it an IP address This address will be used as the IP ad...

Page 1024: ...eme Switch radius scheme rad Switch radius rad accounting optional Switch radius rad primary authentication 10 1 1 1 1812 Switch radius rad key authentication expert Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch isp bbb scheme radius scheme rad Switch isp bbb quit Configure...

Page 1025: ...TTY exe to enter the following configuration interface Figure 1 16 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the SSH server z From the category on the left pane of the window select Connection SSH The window as shown in Figure 1 17 appears ...

Page 1026: ...you can access after login is authorized by the CAMS server You can specify the level by setting the EXEC Privilege Level argument in the Add Account window shown in Figure 1 15 1 7 3 When Switch Acts as Server for Password and HWTACACS Authentication I Network requirements As shown in Figure 1 18 an SSH connection is required between the host SSH client and the switch SSH server for secure data e...

Page 1027: ...system view Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 1 70 255 255 255 0 Switch Vlan interface2 quit Caution Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Generate RSA and DSA key pairs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user inter...

Page 1028: ...ication for the user Switch ssh user client001 authentication type password z Configure the SSH client Configure an IP address 192 168 1 1 in this case for the SSH client This IP address and that of the VLAN interface on the switch must be in the same network segment Configure the SSH client software to establish a connection to the SSH server Take SSH client software Putty Version 0 58 as an exam...

Page 1029: ...ver The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACACS server refer to relevant HWTACACS server configuration manuals 1 7 4 When Switch Acts as Server for Publickey Authentication I Network requirements As shown in Figure 1 21 establish an SSH connection between the host SSH client and the switch SSH Server for...

Page 1030: ... interface1 ip address 192 168 0 1 255 255 255 0 Switch Vlan interface1 quit Note Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Generate RSA and DSA key pairs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enab...

Page 1031: ...SSH server through FTP or TFTP For details refer to Configuring the SSH Client Import the client s public key named Switch001 from file public Switch public key peer Switch001 import sshkey public Assign the public key Switch001 to client client001 Switch ssh user client001 assign publickey Switch001 z Configure the SSH client taking PuTTY version 0 58 as an example Generate an RSA key pair 1 Run ...

Page 1032: ... mouse continuously and keep the mouse off the green process bar shown in Figure 1 23 Otherwise the process bar stops moving and the key pair generating process is stopped Figure 1 23 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case ...

Page 1033: ...s up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the private key private ppk in this case Figure 1 25 Generate a client key pair 4 Note After a public key pair is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the...

Page 1034: ...th the SSH server 2 Launch PuTTY exe to enter the following interface Figure 1 26 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the server 3 From the category on the left pane of the window select SSH under Connection The window as shown in Figure 1 27 appears ...

Page 1035: ...Series Ethernet Switches Chapter 1 SSH Configuration 1 44 Figure 1 27 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears ...

Page 1036: ...If the connection is normal you will be prompted to enter the username 1 7 5 When Switch Acts as Client for Password Authentication I Network requirements As shown in Figure 1 29 establish an SSH connection between Switch A SSH Client and Switch B SSH Server for secure data exchange The user name for login is client001 and the SSH server s IP address is 10 165 87 136 Password authentication is req...

Page 1037: ... user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Create local user client001 and set the authentication password to abc the login protocol to SSH and user command privilege level to 3 SwitchB local user client001 SwitchB luser client001 password simple abc SwitchB luser clien...

Page 1038: ...thout the owner s prior written consent no decompiling or reverse engineering shall be allowed SwitchB 1 7 6 When Switch Acts as Client for Publickey Authentication I Network requirements As shown in Figure 1 30 establish an SSH connection between Switch A SSH Client and Switch B SSH Server for secure data exchange The user name is client001 and the SSH server s IP address is 10 165 87 136 Publick...

Page 1039: ...terface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 SwitchB ui vty0 4 user privilege level 3 SwitchB ui vty0 4 quit Specify the authentication type of user client001 as publickey SwitchB ssh user client001 authentication type publickey Note Before doing the following ...

Page 1040: ...blic key local export dsa ssh2 Switch001 Note After the key pair is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish an SSH connection to the server 10 165 87 136 SwitchA ssh2 10 165 87 136 identity key dsa Username client001 Trying 10 165 87 136 Press CTRL K to abort Co...

Page 1041: ... supported III Configuration procedure z Configure Switch B Create a VLAN interface on the switch and assign an IP address for it to serve as the destination of the client SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Note Generating the RSA and DSA key pairs on the server is prerequisite to SSH lo...

Page 1042: ...ey Switch001 to user client001 SwitchB ssh user client001 assign publickey Switch001 Export the generated DSA host public key pair to a file named Switch002 SwitchB public key local export dsa ssh2 Switch002 Note When first time authentication is not supported you must first generate a DSA key pair on the server and save the key pair in a file named Switch002 and then upload the file to the SSH cl...

Page 1043: ...002 and then upload the file to the SSH client through FTP or TFTP For details refer to the above part Configure Switch B Import the public key pair named Switch002 from the file Switch002 SwitchA public key peer Switch002 import sshkey Switch002 Specify the host public key pair name of the server SwitchA ssh client 10 165 87 136 assign publickey Switch002 Establish the SSH connection to server 10...

Page 1044: ...1 1 3 Directory Operations 1 2 1 1 4 File Operations 1 3 1 1 5 Flash Memory Operations 1 4 1 1 6 Prompt Mode Configuration 1 4 1 1 7 File System Configuration Examples 1 5 1 2 File Attribute Configuration 1 6 1 2 1 Introduction to File Attributes 1 6 1 2 2 Booting with the Startup File 1 7 1 2 3 Configuring File Attributes 1 8 1 3 Configuration File Backup and Restoration 1 9 1 3 1 Introduction to...

Page 1045: ... File Attribute Configuration z Configuration File Backup and Restoration 1 1 File System Configuration 1 1 1 Introduction to File System To facilitate management on the switch memory S5600 series Ethernet switches provide the file system function allowing you to access and manage the files and directories You can create remove copy or delete a file through command lines and you can manage files u...

Page 1046: ...directory of the Flash on the current unit is flash text txt z To access a file in the current directory enter the path name or file name directly For example to access file text txt in the current directory you can directly input the file name text txt as the file URL 1 1 3 Directory Operations The file system provides directory related functions such as z Creating deleting a directory z Displayi...

Page 1047: ...pecifying the unreserved keyword Available in user view Restore a file in the recycle bin undelete file url Optional Available in user view Delete a file from the recycle bin reset recycle bin file url force reset recycle bin fabric Optional Available in user view Upgrade the software of the whole fabric update fabric file name Optional Available in user view Rename a file rename fileurl source fi...

Page 1048: ...bric command after all traffic flows are stopped z The dir all command displays the files in the recycle bin in square brackets z If the configuration files are deleted the switch adopts the null configuration when it starts up next time 1 1 5 Flash Memory Operations Follow these steps to perform Flash memory operations To do Use the command Remarks Format the Flash memory format device Required A...

Page 1049: ... 01 1970 00 07 03 test bin 2 rwh 4 Apr 01 2000 23 55 49 snmpboots 3 rwh 428 Apr 02 2000 00 47 30 hostkey 4 rwh 572 Apr 02 2000 00 47 38 serverkey 5 rw 1220 Apr 02 2000 00 06 57 song cfg 6 rw 5026103 Jan 01 1970 00 04 34 testv1r1 bin 7 rwh 88 Apr 01 2000 23 55 53 private data txt 8 rw 1376 Apr 02 2000 01 56 28 config cfg 15367 KB total 4634 KB free with main attribute b with backup attribute b with...

Page 1050: ...unit1 flash test Directory of unit1 flash test 1 rw 1376 Apr 04 2000 04 50 30 1 cfg 15367 KB total 2025 KB free with main attribute b with backup attribute b with both main and backup attribute 1 2 File Attribute Configuration 1 2 1 Introduction to File Attributes The following three startup files support file attribute configuration z App files An app file is an executable file with bin as the ex...

Page 1051: ...and one Web file with the main attribute in the Flash memory If a newly created file is configured to be with the main attribute the existing file with the main attribute in the Flash memory will lose its main attribute This circumstance also applies to the file with the backup attribute in the Flash memory File operations and file attribute operations are independent For example if you delete a f...

Page 1052: ...he file used for the next startup of a switch and change the main or backup attribute of the file Follow these steps to configure file attributes To do Use the command Remarks Configure the app file with the main attribute for the next startup boot boot loader file url fabric Optional Available in user view Configure the app file with the backup attribute for the next startup boot boot loader back...

Page 1053: ...estoration 1 3 1 Introduction to Configuration File Backup and Restoration Formerly you can only back up and restore the configuration file of the units one by one in a fabric system By using the configuration file backup and restoration feature you can easily back up and restore the configuration files in the whole fabric as well as in a specific unit In the backup process the system first saves ...

Page 1054: ...me filename cfg Optional Available in user view Back up the current configuration of the whole fabric system backup fabric current configuration to dest addr dest hostname filename cfg Optional Available in user view Restore the startup configuration of a specified unit restore unit unit id startup configuration from source addr source hostname filename cfg Optional Available in user view Restore ...

Page 1055: ...Client 1 8 1 2 3 Configuration Example A Switch Operating as an FTP Server 1 11 1 2 4 FTP Banner Display Configuration Example 1 14 1 2 5 FTP Configuration A Switch Operating as an FTP Client 1 15 1 3 SFTP Configuration 1 17 1 3 1 SFTP Configuration A Switch Operating as an SFTP Server 1 17 1 3 2 SFTP Configuration A Switch Operating as an SFTP Client 1 19 1 3 3 SFTP Configuration Example 1 21 Cha...

Page 1056: ...mit files Before World Wide Web comes into being files are transferred through command lines and the most popular application is FTP At present although E mail and Web are the usual methods for file transmission FTP still has its strongholds As an application layer protocol FTP is used for file transfer between remote server and local client FTP uses TCP ports 20 and 21 for data transfer and contr...

Page 1057: ...he switch and the PC z With an S5600 series Ethernet switch serving as an FTP server the seven segment digital LED on the front panel of the switch rotates clockwise when an FTP client is uploading files to the FTP server the S5600 switch and stops rotating when the file uploading is finished as shown in Figure 1 1 z With an S5600 series Ethernet switch serving as an FTP client the seven segment d...

Page 1058: ...source IP address for an FTP client Optional 1 2 1 FTP Configuration A Switch Operating as an FTP Server I Creating an FTP user Configure the user name and password for the FTP user and set the service type to FTP To use FTP services a user must provide a user name and password for being authenticated by the FTP server Only users that pass the authentication have access to the FTP server Follow th...

Page 1059: ...e space on the FTP server z When you log in to a Fabric consisting of multiple switches through an FTP client after the FTP client passes authentication you can log in to the master device of the Fabric z You cannot access an H3C S5600 series switch operating as an FTP server through Microsoft Internet Explorer To do so use other client software Note To protect unused sockets against attacks the S...

Page 1060: ...ed interface or the specified IP address Note Source interface refers to the existing VLAN interface or Loopback interface on the device Source IP address refers to the IP address configured for the interface on the device Each source interface corresponds to a source IP address Therefore specifying a source interface for the FTP server is the same as specifying the IP address of this interface as...

Page 1061: ...ommand to specify the private IP address of the cluster as the source IP address of the FTP server Otherwise FTP does not take effect V Disconnecting a specified user On the FTP server you can disconnect a specified user from the FTP server to secure the network Follow these steps to disconnect a specified user To do Use the command Remarks Enter system view system view On the FTP server disconnec...

Page 1062: ...lient and an FTP server is established and correct user name and password are provided the FTP server outputs the configured shell banner to the FTP client terminal Figure 1 3 Process of displaying a shell banner Follow these steps to configure the banner display for an FTP server To do Use the command Remarks Enter system view system view Configure a login banner header login text Configure a she...

Page 1063: ...an FTP Client I Basic configurations on an FTP client By default a switch can operate as an FTP client In this case you can connect the switch to the FTP server to perform FTP related operations such as creating removing a directory by executing commands on the switch Follow these steps to perform basic configurations on an FTP client To do Use the command Remarks Enter FTP client view ftp cluster...

Page 1064: ...server pwd Create a directory on the remote FTP server mkdir pathname Remove a directory on the remote FTP server rmdir pathname Delete a specified file delete remotefile Optional dir remotefile localfile Query a specified file on the FTP server ls remotefile localfile Optional If no file name is specified all the files in the current directory are displayed The difference between these two comman...

Page 1065: ...urn to user view bye Display the online help about a specified command concerning FTP remotehelp protocol command Optional Enable the verbose function verbose Optional Enabled by default II Specifying the source interface and source IP address for an FTP client You can specify the source interface and source IP address for a switch acting as an FTP client so that it can connect to a remote FTP ser...

Page 1066: ...e interface source IP address set for one connection is prior to the fixed source interface source IP address set for each connection That is for a connection between an FTP client and an FTP server if you specify the source interface source IP address used for the connection this time and the specified source interface source IP address is different from the fixed one the former will be used for ...

Page 1067: ... FTP You can log in to a switch through the Console port or by telnetting the switch See the Login module for detailed information Configure the FTP username as switch the password as hello and the service type as FTP Sysname Sysname system view Sysname ftp server enable Sysname local user switch Sysname luser switch password simple hello Sysname luser switch service type ftp 2 Configure the PC FT...

Page 1068: ...ows When you log in to the FTP server through another FTP client refer to the corresponding instructions for operation description Caution z If available space on the Flash memory of the switch is not enough to hold the file to be uploaded you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you hav...

Page 1069: ... username switch and the password hello has been configured on the FTP server z The IP addresses 1 1 1 1 for a VLAN interface on the switch and 2 2 2 2 for the PC have been configured Ensure that a route exists between the switch and the PC z Configure the login banner of the switch as login banner appears and the shell banner as shell banner appears II Network diagram Figure 1 5 Network diagram f...

Page 1070: ... FTP client and a remote PC as an FTP server The switch application named switch bin is stored on the PC Download it to the switch through FTP and use the boot boot loader command to specify switch bin as the application for next startup Reboot the switch to upgrade the switch application and then upload the switch configuration file named config cfg to directory switch of the PC to back up the co...

Page 1071: ... use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you have to delete the files in use to make room for the file to be uploaded you can only delete download them through the Boot ROM menu Connect to the FTP server using the ftp command in user view You need to provide the IP address of the FTP server the user name and the passw...

Page 1072: ... Debugging module of this manual 1 3 SFTP Configuration Complete the following tasks to configure SFTP Task Remarks Enabling an SFTP server Required Configuring connection idle time Optional SFTP Configuration A Switch Operating as an SFTP Server Supported SFTP client software Basic configurations on an SFTP client SFTP Configuration A Switch Operating as an SFTP Client Specifying the source inter...

Page 1073: ...n Follow these steps to configure connection idle time To do Use the command Remarks Enter system view system view Configure the connection idle time for the SFTP server ftp timeout time out value Optional 10 minutes by default III Supported SFTP client software An H3C S5600 series Ethernet switch operating as an SFTP server can interoperate with SFTP client software including SSH Tectia Client v4...

Page 1074: ...ue to timeout Similarly when you delete a large file from the server you are recommended to set the client packet timeout time to over 600 seconds 1 3 2 SFTP Configuration A Switch Operating as an SFTP Client I Basic configurations on an SFTP client By default a switch can operate as an SFTP client In this case you can connect the switch to the SFTP server to perform SFTP related operations such a...

Page 1075: ...e path Query a specified file on the SFTP server ls a l remote path Optional If no file name is provided all the files in the current directory are displayed The difference between these two commands is that the dir command can display the file name directory as well as file attributes while the Is command can display only the file name and directory Download a remote file from the SFTP server get...

Page 1076: ...ollow these steps to specify the source interface or source IP address for an SFTP client To do Use the command Remarks Enter system view system view Specify an interface as the source interface of the specified SFTP client sftp source interface interface type interface number Specify an IP address as the source IP address of the specified SFTP client sftp source ip ip address Use either command N...

Page 1077: ... switch as SSH Sysname ui vty0 4 protocol inbound ssh Sysname ui vty0 4 quit Create a local user client001 Sysname local user client001 Sysname luser client001 password simple abc Sysname luser client001 service type ssh Sysname luser client001 quit Configure the authentication mode as password Authentication timeout time retry number and update time of the server key adopt the default values Sysn...

Page 1078: ...roup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub rwxrwxrwx 1 noone nogroup 0 Sep 01 08 00 z Received status End of file Received status Success sftp client delete z The following files will be deleted z Are you sure to delete it Y N y This operation may take a long time Plea...

Page 1079: ...cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 Received status End of file Received status Success Download the file pubkey2 from the server and rename it as public sftp client get pubkey2 public This ...

Page 1080: ...ne nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pub rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk Received status End of file Received status Success sftp client Exit SFTP sftp client quit Bye Sysname ...

Page 1081: ...TP server and receives acknowledgement packets from the TFTP server An H3C S5600 series Ethernet switch can act as a TFTP client only When an S5600 series Ethernet switch serving as a TFTP client downloads files from the TFTP server the seven segment digital LED on the front panel of the switch rotates clockwise and it stops rotating when the file downloading is finished as shown in Figure 1 1 Whe...

Page 1082: ...ration A Switch Operating as a TFTP Client I Basic configurations on a TFTP client By default a switch can operate as a TFTP client In this case you can connect the switch to the TFTP server to perform TFTP related operations such as creating removing a directory by executing commands on the switch Follow these steps to perform basic configurations on a TFTP client To do Use the command Remarks Do...

Page 1083: ...terface type interface number get source file dest file put source file url dest file Optional Not specified by default Specify the source IP address used for the current connection tftp tftp server source ip ip address get source file dest file put source file url dest file Optional Not specified by default Enter system view system view Specify an interface as the source interface a TFTP client u...

Page 1084: ...erface or source IP address for the TFTP client at one time That is only one of the commands tftp source interface and tftp source ip can be effective at one time If both commands are configured the one configured later will overwrite the original one 2 2 2 TFTP Configuration Example I Network requirements A switch operates as a TFTP client and a PC as the TFTP server The application named switch ...

Page 1085: ...h the Boot ROM menu Enter system view Sysname system view Sysname Configure the IP address of a VLAN interface on the switch to be 1 1 1 1 and ensure that the port through which the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 1 1 1 1 255 255 255 0 Sysname Vlan interface1 ...

Page 1086: ...S5600 Series Ethernet Switches Chapter 2 TFTP Configuration 2 6 Note For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and Debugging module of this manual ...

Page 1087: ...Time Zone 1 9 1 2 4 Setting to Output System Information to the Console 1 10 1 2 5 Setting to Output System Information to a Monitor Terminal 1 12 1 2 6 Setting to Output System Information to a Log Host 1 14 1 2 7 Setting to Output System Information to the Trap Buffer 1 16 1 2 8 Setting to Output System Information to the Log Buffer 1 16 1 2 9 Setting to Output System Information to the SNMP NMS...

Page 1088: ... 1 1 1 Introduction to Information Center Acting as the system information hub information center classifies and manages system information Together with the debugging function the debugging command information center offers a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems The information center of the system has the fol...

Page 1089: ... severities will be output III Ten channels and six output directions of system information The system supports six information output directions including the Console Monitor terminal monitor logbuffer loghost trapbuffer and SNMP The system supports ten channels The channels 0 through 5 have their default channel names and are associated with six output directions by default Both the channel name...

Page 1090: ...t specified Receives log trap and debugging information Note Configurations for the six output directions function independently and take effect only after the information center is enabled IV Outputting system information by source module The system information can be classified by source module and then filtered Some module names and description are shown in Table 1 3 Table 1 3 Source module nam...

Page 1091: ...egation module LINE Terminal line module MSTP Multiple spanning tree protocol module MTRACE Multicast traceroute query module NAT Network address translation module NDP Neighbor discovery protocol module NTDP Network topology discovery protocol module NTP Network time protocol module OSPF Open shortest path first module PKI Public key infrastructure module RDS Radius module RMON Remote monitor mod...

Page 1092: ...t destinations z If the output destination is console monitor terminal logbuffer trapbuffer or SNMP the system information is in the following format timestamp sysname module level digest unitid content Note z The space the forward slash and the colon are all required in the above format z Before timestamp may have or followed with a space indicating log alarm or debugging information respectively...

Page 1093: ...al7 with the value being 23 the value of local6 is 22 that of local5 is 21 and so on z severity the information level ranges from 1 to 8 Table 1 1 details the value and meaning associated with each severity Note that the priority field appears only when the information has been sent to the log host II Timestamp Timestamp records the time when system information is generated to allow users to check...

Page 1094: ...formation That is you can know the Greenwich standard time of each switch in the network based on the UTC record in the time stamp To add UTC time zone to the time stamp in the information center output information you must z Set the local time zone z Set the time stamp format in the output destination of the information center to date z Configure to add UTC time zone to the output information Aft...

Page 1095: ...g host z If the character string ends with l it indicates the log information z If the character string ends with t it indicates the trap information z If the character string ends with d it indicates the debugging information IX Source This field indicates the source of the information such as the source IP address of the log sender This field is optional and is displayed only when the output des...

Page 1096: ...se steps to configure synchronous information output To do Use the command Remarks Enter system view system view Enable synchronous information output info center synchronous Required Disabled by default Note z If the system information is output before you input any information following the current command line prompt the system does not echo any command line prompt after the system information ...

Page 1097: ...d By default no UTC time zone is displayed in the output information 1 2 4 Setting to Output System Information to the Console I Setting to output system information to the console Follow these steps to set to output system information to the console To do Use the command Remarks Enter system view system view Enable the information center info center enable Optional Enabled by default Enable syste...

Page 1098: ...o enable debugging for the corresponding modules Table 1 4 Default output rules for different output directions LOG TRAP DEBUG Output direction Modules allowed Enabl ed dis abled Severi ty Enable d disab led Severit y Enable d disab led Severit y Console default all modules Enabl ed warnin gs Enable d debuggi ng Enable d debuggi ng Monitor terminal default all modules Enabl ed warnin gs Enable d d...

Page 1099: ...nal logging Optional Enabled by default Enable trap information terminal display function terminal trapping Optional Enabled by default Note Make sure that the debugging log trap information terminal display function is enabled use the terminal monitor command before you enable the corresponding terminal display function by using the terminal debugging terminal logging or terminal trapping command...

Page 1100: ... that of the debugging output information is boot Note z When there are multiple Telnet users or dumb terminal users they share some configuration parameters including module filter language and severity level threshold In this case change to any such parameter made by one user will also be reflected on all other user terminals z To view debugging information of specific modules you need to set th...

Page 1101: ...ou enable the corresponding terminal display function by using the terminal debugging terminal logging or terminal trapping command 1 2 6 Setting to Output System Information to a Log Host Follow these steps to set to output system information to a log host To do Use the command Remarks Enter system view system view Enable the information center info center enable Optional Enabled by default Enabl...

Page 1102: ...l channel number channel name log trap debug level severity state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of the time stamp to be sent to the log host info center timestamp loghost date no year date none Optional By default the time stamp format of the information output to the log host is date Note z After the switches form a fabric you ...

Page 1103: ...ter source modu name default channel channel number channel name log trap debug level severity state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of time stamp in the output information info center timestamp log trap debugging boot date none Optional By default the time stamp format of the output trap information is date 1 2 8 Setting to Outpu...

Page 1104: ...MP NMS To do Use the command Remarks Enter system view system view Enable the information center info center enable Optional Enabled by default Enable information output to the SNMP NMS info center snmp channel channel number channel name Optional By default the switch outputs trap information to SNMP through channel 5 Configure the output rules of system information info center source modu name d...

Page 1105: ... include regular expression Display the summary information recorded in the log buffer display logbuffer summary level severity Display the status of trap buffer and the information recorded in the trap buffer display trapbuffer unit unit id size buffersize Available in any view Clear information recorded in the log buffer reset logbuffer unit unit id Clear information recorded in the trap buffer ...

Page 1106: ... state off 2 Configure the log host The operations here are performed on SunOS 4 0 The operations on other manufacturers Unix operation systems are similar Step 1 Execute the following commands as the super user root user mkdir var log Switch touch var log Switch information Step 2 Edit the file etc syslog conf as the super user root user to add the following selector action pairs Switch configura...

Page 1107: ...slog conf you can sort information precisely for filtering 1 4 2 Log Output to a Linux Log Host I Network requirements The switch sends the following log information to the Linux log host whose IP address is 202 38 1 10 All modules log information with severity higher than errors II Network diagram Figure 1 2 Network diagram for log output to a Linux log host III Configuration procedure 1 Configur...

Page 1108: ... No space is permitted at the end of the file name z The device name facility and received log information severity specified in file etc syslog conf must be the same with those corresponding parameters configured in commands info center loghost and info center source Otherwise log information may not be output to the log host normally Step 3 After the log file information is created and the file ...

Page 1109: ...work diagram for log output to the console III Configuration procedure Enable the information center Switch system view Switch info center enable Disable the function of outputting information to the console channels Switch undo info center source default channel console Enable log information output to the console Permit ARP and IP modules to output log information with severity level higher than...

Page 1110: ...of the information center II Network diagram Figure 1 4 Network diagram III Configuration procedure Name the local time zone z8 and configure it to be eight hours ahead of UTC time Switch clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch info center timestamp log...

Page 1111: ...ling Disabling System Debugging 2 2 2 3 2 Displaying Debugging Status 2 4 2 3 3 Displaying Operating Information about Modules in System 2 4 Chapter 3 Network Connectivity Test 3 1 3 1 Network Connectivity Test 3 1 3 1 1 ping 3 1 3 1 2 tracert 3 1 Chapter 4 Device Management 4 1 4 1 Introduction to Device Management 4 1 4 2 Device Management Configuration 4 1 4 2 1 Device Management Configuration ...

Page 1112: ...uggable Transceivers z The configuration of toggling the display language of the command line interface CLI between English and Chinese is deleted Traditionally switch software is loaded through a serial port This approach is slow time consuming and cannot be used for remote loading To resolve these problems the TFTP and FTP modules are introduced into the switch With these modules you can load do...

Page 1113: ...lly Before loading the software make sure that your terminal is correctly connected to the switch Note The loading process of the Boot ROM software is the same as that of the host software except that during the former process you should press 6 or Ctrl U and Enter after entering the BOOT menu and the system gives different prompts The following text mainly describes the Boot ROM loading process 1...

Page 1114: ...le from flash 5 Modify bootrom password 6 Enter bootrom upgrade menu 7 Skip current configuration file 8 Set bootrom password recovery 9 Set switch startup mode 0 Reboot Enter your choice 0 9 1 2 2 Loading by XModem through Console Port I Introduction to XModem XModem protocol is a file transfer protocol that is widely used due to its simplicity and high stability The XModem protocol transfers fil...

Page 1115: ...rotocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Step 2 Press 3 in the above menu to download the Boot ROM using XModem The system displays the following setting menu for download baudrate Please select your download baudrate 1 9600 2 19200 3 38400 4 57600 5 115200 0 Return Enter your choice 0 5 Step 3 Choose an appropriate baudrate for downloading For ...

Page 1116: ...owing are configurations on PC Take the HyperTerminal in Windows 2000 as an example Step 4 Choose File Properties in HyperTerminal click Configure in the pop up dialog box and then select the baudrate of 115200 bps in the Console port configuration dialog box that appears as shown in Figure 1 1 Figure 1 2 Figure 1 1 Properties dialog box ...

Page 1117: ...isconnect button to disconnect the HyperTerminal from the switch and then click the Connect button to reconnect the HyperTerminal to the switch as shown in Figure 1 3 Figure 1 3 Connect and disconnect buttons Note The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following informati...

Page 1118: ...n in Figure 1 4 Select the software file that you need to load to the switch and set the protocol to XModem Figure 1 4 Send file dialog box Step 8 Click Send The system displays the page as shown in Figure 1 5 Figure 1 5 Sending file page Step 9 After the sending process completes the system displays the following information Loading CCCCCCCCCC done Step 10 Reset HyperTerminal s baudrate to 9600 b...

Page 1119: ... Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Step 2 Enter 3 in the above menu to load the host software by using XModem The subsequent steps are the same as those for loading the Boot ROM except that the system gives the prompt for host software loading instead of Boot ROM loading Note You can also use the xmodem get command to load host software through the Console p...

Page 1120: ...onnect the switch through the Console port to the configuration PC Note You can use one PC as both the configuration device and the TFTP server Step 2 Run the TFTP server program on the TFTP server and specify the path of the program to be downloaded Caution TFTP server program is not provided with the H3C Series Ethernet Switches Step 3 Run the HyperTerminal program on the configuration PC Start ...

Page 1121: ...completion the system displays the following information Loading done Bootrom updating done III Loading host software Follow these steps to load the host software Step 1 Select 1 in BOOT Menu and press Enter The system displays the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Step 2 Ente...

Page 1122: ...port to the FTP server and connect the switch through the Console port to the configuration PC Note You can use one computer as both configuration device and FTP server Step 2 Run the FTP server program on the FTP server configure an FTP user name and password and copy the program file to the specified FTP directory Step 3 Run the HyperTerminal program on the configuration PC Start the switch Then...

Page 1123: ... software Step 1 Select 1 in BOOT Menu and press Enter The system displays the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Enter 2 in the above menu to download the host software using FTP The subsequent steps are the same as those for loading the Boot ROM except for that the system giv...

Page 1124: ... to the switch Figure 1 8 Remote loading using FTP Client Step 1 Download the program to the switch using FTP commands Sysname ftp 10 1 1 1 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User none abc 331 Give me your password please Password 230 Logged in successfully ftp get switch btm ftp bye Note When using different FTP server softwa...

Page 1125: ... The loading of Boot ROM and host software takes effect only after you restart the switch with the reboot command z If the space of the Flash memory is not enough you can delete the unused files in the Flash memory before software downloading For information about deleting files refer to File System Management part of this manual z Ensure the power supply during software loading II Loading Procedu...

Page 1126: ...name Vlan interface1 ip address 192 168 0 28 255 255 255 0 Step 3 Enable FTP service on the switch and configure the FTP user name to test and password to pass Sysname Vlan interface1 quit Sysname ftp server enable Sysname local user test New local user added Sysname luser test password simple pass Sysname luser test service type ftp Step 4 Enable FTP client software on the PC Refer to Figure 1 10...

Page 1127: ...Software Loading 1 16 Figure 1 11 Enter Boot ROM directory Step 6 Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 1 12 to log on to the FTP server Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file switch btm to the switch as shown in Figure 1 13 ...

Page 1128: ...ill update Bootrom on unit 1 Continue Y N y Upgrading Bootrom please wait Upgrade Bootrom succeeded Sysname reboot After the switch restarts the file switch btm is used as the Boot ROM It indicates that the Boot ROM loading is finished 2 Loading host software Loading the host software is the same as loading the Boot ROM program except that the file to be downloaded is the host software file and th...

Page 1129: ...ware refer to the corresponding user guide before operation z Only the configuration steps concerning loading are listed here For detailed description on the corresponding configuration commands refer to FTP SFTP TFTP part of this manual 1 3 2 Remote Loading Using TFTP The remote loading using TFTP is similar to that using FTP The only difference is that TFTP is used to load software to the switch...

Page 1130: ... YYYY Required Execute this command in user view The default value is 23 55 00 04 01 2000 when the system starts up Set the local time zone clock timezone zone name add minus HH MM SS Optional Execute this command in user view By default it is the UTC time zone Set the name and time range of the summer time clock summer time zone_name one off repeating start time start date end time end date offse...

Page 1131: ...of the system display version Display the information about users logging onto the switch display users all Available in any view 2 3 Debugging the System 2 3 1 Enabling Disabling System Debugging The device provides various debugging functions For the majority of protocols and features supported the system provides corresponding debugging information to help users diagnose errors The following tw...

Page 1132: ...ly used way to output debugging information You can also output debugging information to other directions For details refer to Information Center Operation You can use the following commands to enable the two switches Follow these steps to enable debugging and terminal display for a specific module To do Use the command Remarks Enable system debugging for specific module debugging module name debu...

Page 1133: ...Operating Information about Modules in System When an Ethernet switch is in trouble you may need to view a lot of operating information to locate the problem Each functional module has its corresponding operating information display command s You can use the command here to display the current operating information about the modules in the system for troubleshooting your system To do Use the comma...

Page 1134: ...ayed Otherwise the number of data bytes packet serial number time to live TTL and response time of the response packet are displayed z Final statistics including the numbers of sent packets and received response packets the irresponsive packet percentage and the minimum average and maximum values of response time 3 1 2 tracert You can use the tracert command to trace the gateways that a packet pas...

Page 1135: ...P TTL timeout message in order to offer the path that the packet passed through to the destination To do Use the command Remarks View the gateways that a packet passes from the source host to the destination tracert a source ip f first ttl m max ttl p port q num packet w timeout string You can execute the tracert command in any view ...

Page 1136: ...unning status of the system z Specify the APP to be used at the next reboot z Update the Boot ROM z Update the host software of the switches in the Fabric z Load Hot Patch z Identifying and Diagnosing Pluggable Transceivers 4 2 Device Management Configuration 4 2 1 Device Management Configuration Task list Complete the following tasks to configure device management Task Remarks Rebooting the Ether...

Page 1137: ...eboot the Ethernet switch reboot unit unit id Available in user view 4 2 3 Scheduling a Reboot on the Switch After you schedule a reboot on the switch the switch will reboot at the specified time Follow these steps to schedule a reboot on the switch To do Use the command Remarks Schedule a reboot on the switch and set the reboot date and time schedule reboot at hh mm mm dd yyyy yyyy mm dd Optional...

Page 1138: ...network has a high CPU usage requirement you can disable this function to release your CPU resources 4 2 5 Specifying the APP to be Used at Reboot APP is the host software of the switch If multiple APPs exist in the Flash memory you can use the command here to specify the one that will be used when the switch reboots Use the following command to specify the APP to be used at reboot To do Use the c...

Page 1139: ...m dynamically Patches can be added to a patch file incrementally That is any subsequent patch file contains all the patches for fixing errors in the previous patch file besides the patches for fixing the current errors In this way all the system errors found can be fixed once and for all by loading the latest patch file In the device a patch can be in one of the following four states z IDLE The pa...

Page 1140: ...on To do Use the command Remarks Enter system view system view Load a patch file patch load filename Required Activate patches patch activate Required Run patches patch run Optional Delete patches patch delete Optional Note the following 1 Make sure that you set the file transfer mode to binary before you upload a patch file through FTP or TFTP to the flash memory of the device otherwise patch fil...

Page 1141: ...n Table 4 1 Table 4 1 Commonly used pluggable transceivers Transceiver type Applied environment Whether can be an optical transceiver Whether can be an electrical transceiver SFP Small Form factor Pluggable Generally used for 100M 1000M Ethernet interfaces or POS 155M 622M 2 5G interfaces Yes Yes GBIC GigaBit Interface Converter Generally used for 1000M Ethernet interfaces Yes Yes XFP 10 Gigabit s...

Page 1142: ...d permanent configuration data or archive information which is written to the storage device of a card during device debugging or test The information includes name of the card device serial number and vendor name or vendor name specified III Diagnosing pluggable transceivers The system outputs alarm information for you to diagnose and troubleshoot faults of pluggable transceivers Optical transcei...

Page 1143: ...m diagnostic information or save system diagnostic information to a file with the extension diag into the Flash memory display diagnostic information Display enabled debugging on a specified switch or all switches in the fabric display debugging fabric unit unit id interface interface type interface number module name Display enabled debugging on all switches in the fabric by modules display debug...

Page 1144: ...to the switch II Network diagram Figure 4 2 Network diagram for FTP configuration III Configuration procedure 1 Configure the following FTP server related parameters on the PC an FTP user with the username as switch and password as hello who is authorized with the read write right on the directory Switch on the PC The detailed configuration is omitted here 2 On the switch configure a level 3 telne...

Page 1145: ...p get boot btm 7 Execute the quit command to terminate the FTP connection and return to user view ftp quit Sysname 8 Upgrade the Boot ROM Sysname boot bootrom boot btm This will update BootRom file on unit 1 Continue Y N y Upgrading BOOTROM please wait Upgrade BOOTROM succeeded 9 Specify the downloaded program as the host software to be adopted when the switch starts next time Sysname boot boot lo...

Page 1146: ...Operation Manual System Maintenance and Debugging H3C S5600 Series Ethernet Switches Chapter 4 Device Management 4 11 This will reboot device Continue Y N y ...

Page 1147: ...VLAN VPN 1 4 Chapter 2 Selective QinQ Configuration 2 1 2 1 Selective QinQ Overview 2 1 2 1 1 Selective QinQ Overview 2 1 2 1 2 MAC Address Replicating 2 3 2 2 Selective QinQ Configuration 2 4 2 2 1 Selective QinQ Configuration Task List 2 4 2 2 2 Enabling the Selective QinQ Feature for a Port 2 4 2 2 3 Enabling the Inter VLAN MAC Address Replicating Feature 2 5 2 3 Selective QinQ Configuration Ex...

Page 1148: ...e service provider in specific ways establish dedicated tunnels for user traffic on public network devices and thus improve data security VLAN VPN feature is a simple yet flexible Layer 2 tunneling technology It tags private network packets with outer VLAN tags thus enabling the packets to be transmitted through the service providers backbone networks with both inner and outer VLAN tags In public ...

Page 1149: ...N With the VLAN VPN feature enabled no matter whether or not a received packet already carries a VLAN tag the switch will tag the received packet with the default VLAN tag of the receiving port and add the source MAC address to the MAC address table of the default VLAN When a packet reaches a VLAN VPN enabled port z If the packet already carries a VLAN tag the packet becomes a dual tagged packet z...

Page 1150: ...listed in the above table For information about IRF fabric refer to IRF Fabric Configuration in this manual 1 2 2 Enabling the VLAN VPN Feature for a Port Follow these steps to enable the VLAN VPN feature for a port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the VLAN VPN feature on the port vlan vpn enable R...

Page 1151: ...ort priority configured for the current port gets invalid after you enable the inner to outer tag priority replicating feature z The inner to outer tag priority replicating feature is mutually exclusive with the inner to outer tag priority mapping feature 1 3 Displaying and Maintaining VLAN VPN Configuration To do Use the command Remarks Display the VLAN VPN configurations of all the ports display...

Page 1152: ...onfigure Switch A Enable the VLAN VPN feature on GigabitEthernet 1 0 11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag SwitchA system view SwitchA vlan 1040 SwitchA vlan1040 port GigabitEthernet 1 0 11 SwitchA vlan1040 quit SwitchA interface GigabitEthernet 1 0 11 SwitchA GigabitEthernet1 0 11 vlan vpn enable SwitchA GigabitEthernet1 0 11 quit...

Page 1153: ...emoved during transmission z In this example both GigabitEthernet1 0 11 of Switch A and GigabitEthernet1 0 21 of Switch B are access ports In cases where the ports are trunk ports or hybrid ports you need to configure the two ports to remove the outer VLAN tags before transmitting packets of VLAN 1040 Refer to VLAN in this manual for detailed configuration z Configure the devices in the public net...

Page 1154: ...4 After the packet reaches Switch B it is forwarded through GigabitEthernet1 0 21 of Switch B As the port belongs to VLAN 1040 and is an access port the outer VLAN tag the tag of VLAN 1040 of the packet is removed before the packet is forwarded which restores the packet to a packet tagged with only the private VLAN tag and enables it to be forwarded to its destination networks 5 It is the same cas...

Page 1155: ...n enhanced application of the VLAN VPN feature With the selective QinQ feature you can configure inner to outer VLAN tag mapping according to which you can add different outer VLAN tags to the packets with different inner VLAN tags The selective QinQ feature makes the service provider network structure more flexible You can classify the terminal users on the port connecting to the access layer dev...

Page 1156: ...outer tag mapping feature are enabled on the port connecting Switch A to these users the port will add different outer VLAN tags to the packets according to their inner VLAN tags For example you can configure to add the tag of VLAN 1002 to the packets of IP telephone users in VLAN 201 to VLAN 300 and forward the packets to the VoIP device which is responsible for processing IP telephone services T...

Page 1157: ...dress table of its default VLAN VLAN 2 When a response packet is returned to the device from VLAN 4 of the service provider network the device searches the outbound port for MAC A in the MAC address table of VLAN 4 However because the corresponding entry is not added to the MAC address table of VLAN 4 this packet is considered to be a unicast packet with unknown destination MAC address As a result...

Page 1158: ...a Port The following configurations are required for the selective QinQ feature z Enabling the VLAN VPN feature on the current port z Configuring the current port to permit packets of specific VLANs the VLANs whose tags are to be used as the outer VLAN tags are required Follow these steps to enable the selective QinQ feature To do Use the command Remarks Enter system view system view Enter Etherne...

Page 1159: ...on VLAN If the configuration needs to be modified you need to remove the existing configuration first z With the inter VLAN MAC address replicating feature disabled all the MAC address entries that the destination VLAN learns from the other VLANs through this function are removed z MAC address entries obtained through the inter VLAN MAC address replicating feature cannot be removed manually To rem...

Page 1160: ...200 Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200 That is packets of VLAN 1200 have higher transmission priority over packets of VLAN 1000 z Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users for the purpose of using QoS policies to guarantee higher priority for voice traffic z To reduce b...

Page 1161: ...GigabitEthernet1 0 3 port hybrid pvid vlan 5 SwitchA GigabitEthernet1 0 3 port hybrid vlan 5 1000 1200 untagged Enable the VLAN VPN feature on GigabitEthernet 1 0 3 SwitchA GigabitEthernet1 0 3 vlan vpn enable Enable the selective QinQ feature on GigabitEthernet 1 0 3 to tag packets of VLAN 100 through VLAN 108 with the tag of VLAN 1000 as the outer VLAN tag and tag packets of VLAN 200 through VLA...

Page 1162: ...witchB vlan 1000 SwitchB vlan1000 quit SwitchB vlan 1200 SwitchB vlan1200 quit SwitchB vlan 12 to 13 Configure GigabitEthernet 1 0 11 as a hybrid port and configure GigabitEthernet 1 0 11 not to remove VLAN tags when forwarding packets of VLAN 12 VLAN 13 VLAN 1000 and VLAN 1200 SwitchB system view SwitchB interface GigabitEthernet 1 0 11 SwitchB GigabitEthernet1 0 11 port link type hybrid SwitchB ...

Page 1163: ...e inter VLAN MAC address replicating feature on GigabitEthernet 1 0 12 and GigabitEthernet 1 0 13 The configuration on Switch B is similar to that on Switch A and is thus omitted Note z The port configuration on Switch B is only an example for a specific network requirement The key to this example is to enable the ports to receive and forward packets of specific VLANs So you can also configure the...

Page 1164: ...oops Huawei group management protocol HGMP is used for managing network topology and devices in a network When multiple branch networks of an organization are connected together through a public network you can combine the corresponding network nodes into one so as to maintain the branch networks as a whole This requires the packets of some of the user s Layer 2 protocol packets be transmitted acr...

Page 1165: ... BPDU tunnel feature on the edge devices at both ends of the service provider network Figure 3 1 BPDU Tunnel network hierarchy z When a BPDU packet coming from a customer network reaches an edge device in the service provider network the edge device changes the destination MAC address carried in the packet from a protocol specific MAC address to a private multicast MAC address which can be defined...

Page 1166: ...address 15 FCS Figure 3 3 The structure of a BPDU packet after it enters a BPDU tunnel Caution To prevent the devices in the service provider network from processing the tunnel packets as other protocol packets the MAC address of a tunnel packet must be a multicast address uniquely assigned to the BPDU tunnel in the service provider network 3 2 BPDU Tunnel Configuration You can establish BPDU tunn...

Page 1167: ...properly 3 2 2 Configuring a BPDU Tunnel Follow these steps to configure a BPDU tunnel To do Use the command Remarks Enter system view system view Configure a private multicast MAC address for packets transmitted along the tunnel bpdu tunnel tunnel dmac mac address Optional By default the destination MAC address for packets transmitted along a BPDU tunnel is 010f e200 0003 Enter Ethernet port view...

Page 1168: ...TDP are not enabled on any port in an aggregation group before enabling the service provider network to use aggregation group to transmit HGMP packets through BPDU tunnels z The bpdu tunnel cdp command is mutually exclusive with the voice vlan legacy command Refer to Voice VLAN part of this manual for details z If a BPDU tunnel enabled port receives a tunnel packet from the customer s network erro...

Page 1169: ...thernet1 0 1 Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp disable Enable the BPDU tunnel feature for STP BPDUs on GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1 bpdu tunnel stp Enable the VLAN VPN feature on GigabitEthernet1 0 1 and use VLAN 100 to transmit user data packets through BPDU tunnels Sysname GigabitEthernet1 0 1 port access vlan 100 Sy...

Page 1170: ...bpdu tunnel stp Enable VLAN VPN and use VLAN 100 to transmit user data packets through BPDU tunnels Sysname GigabitEthernet1 0 4 port access vlan 100 Sysname GigabitEthernet1 0 4 vlan vpn enable Configure the destination MAC address for the packets transmitted in the tunnel Sysname GigabitEthernet1 0 4 quit Sysname bpdu tunnel tunnel dmac 010f e233 8b22 Configure GigabitEthernet1 0 3 as a trunk po...

Page 1171: ...rs 1 2 1 2 HWPing Configuration 1 5 1 2 1 HWPing Server Configuration 1 5 1 2 2 HWPing Client Configuration 1 5 1 2 3 Displaying HWPing Configuration 1 20 1 3 HWPing Configuration Examples 1 20 1 3 1 ICMP Test 1 20 1 3 2 DHCP Test 1 22 1 3 3 FTP Test 1 24 1 3 4 HTTP Test 1 26 1 3 5 Jitter Test 1 28 1 3 6 SNMP Test 1 30 1 3 7 TCP Test Tcpprivate Test on the Specified Ports 1 32 1 3 8 UDP Test Udppr...

Page 1172: ...er and the response time of various services You need to configure HWPing client and sometimes the corresponding HWPing servers as well to perform various HWPing tests All HWPing tests are initiated by HWPing client and you can view the test results on HWPing client only When performing a HWPing test you need to configure a HWPing test group on the HWPing client A HWPing test group is a set of HWP...

Page 1173: ...te test z These types of tests need the cooperation of the HWPing client and HWPing server z Do not perform a TCP UDP or jitter test on a well known port ports with a number ranging from 1 to 1023 or on a port with a port number greater than 50000 Otherwise your HWPing test may fail or the service corresponding to the well known port may become unavailable 1 1 3 HWPing Test Parameters You need to ...

Page 1174: ...ich will be used by the server as the destination port number of response packets Test type test type z You can use HWPing to test a variety of protocols see Table 1 1 for details z To perform a type of test you must first create a test group of this type One test group can be of only one HWPing test type z If you modify the test type of a test group using the test type command the parameter setti...

Page 1175: ...be transferred between HWPing client and FTP server Number of jitter test packets to be sent per probe jitter packetnum z Jitter test is used to collect statistics about delay jitter in UDP packet transmission z In a jitter probe the HWPing client sends a series of packets to the HWPing server at regular intervals you can set the interval Once receiving such a packet the HWPing server marks it wit...

Page 1176: ...and Remarks Enter system view system view Enable the HWPing server function hwping server enable Required Disabled by default Configure a UDP listening service hwping server udpecho ip address port num Required for UDP and jitter tests By default no UDP listening service is configured Configure a TCP listening service hwping server tcpconnect ip address port num Required for TCP tests By default n...

Page 1177: ...st on HWPing client To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the test type test type icmp Optional By default the test type ...

Page 1178: ...ble in any view 2 Configuring DHCP test on HWPing client Follow these steps to configure DHCP test on HWPing client To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no te...

Page 1179: ... the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the test type test type ftp Required By default the test type is ICMP Configure the destination IP address destination ip ip address Required By defa...

Page 1180: ...nfigure an FTP login username username name Configure an FTP login password password password Required By default neither username nor password is configured Configure a file name for the FTP operation filename file name Required By default no file name is configured for the FTP operation Start the test test enable Required Display test results display hwping results admin name operation tag Requi...

Page 1181: ...gure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By default no source port is configured Configure the number of probes per test count times Optional By default each test makes one probe Configure the maximum number of history records that can be saved history records number Optional By...

Page 1182: ...ion tag Required You can execute the command in any view 5 Configuring jitter test on HWPing client Follow these steps to configure jitter test on HWPing client To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator...

Page 1183: ...ry records that can be saved history records number Optional By default the maximum number is 50 Configure the packet size datasize size Optional By default the packet size is 68 bytes Configure the automatic test interval frequency interval Optional By default the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Option...

Page 1184: ...t group is configured Configure the test type test type snmpquery Required By default the test type is ICMP Configure the destination IP address destination ip ip address Required By default no destination address is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By de...

Page 1185: ...HWPing client Follow these steps to configure TCP test on HWPing client To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the test ty...

Page 1186: ...P address source ip ip address Optional By default the source IP address is not specified Configure the source port source port port number Optional By default no source port is specified Configure the number of probes per test count times Optional By default one probe is made per time Configure the automatic test interval frequency interval Optional By default the automatic test interval is zero ...

Page 1187: ...r system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the test type test type udpprivate udppublic Required By default the test type is ICMP Configure the destination addr...

Page 1188: ...re the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By default no source port is specified Configure the number of probes per test count times Optional By default one probe is made per test Configure the maximum number of history records that can be saved history records number Optional By d...

Page 1189: ...is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the test type test type dns Required By default the test type is ICMP Configure the source IP address source ip ip address Optional By default no source IP address is specified Configure the number of probes per test count times Optional By def...

Page 1190: ... send Trap messages Trap messages are generated regardless of whether the HWPing test succeeds or fails You can specify whether to output Trap messages by enabling disabling Trap sending Follow these steps to configure the HWPing client to send Trap messages To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWP...

Page 1191: ... Display the results of the latest test display hwping results administrator name operation tag Available in any view 1 3 HWPing Configuration Examples 1 3 1 ICMP Test I Network requirements An H3C S5600 series Ethernet switch serves as the HWPing client A HWPing ICMP test between the switch and another switch uses ICMP to test the round trip time RTT for packets generated by the HWPing client to ...

Page 1192: ...ator icmp history records 5 Display test results Sysname hwping administrator icmp display hwping results administrator icmp HWPing entry admin administrator tag icmp test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 3 6 3 Square Sum of Round Trip Time 145 Last succeeded test time 2000 4 2 20 55 12 3 Extend result SD Maxim...

Page 1193: ...e DHCP server on Switch B For specific configuration of DHCP server refer to the DHCP part of the manual z Configure HWPing Client Switch A Enable the HWPing client Sysname system view Sysname hwping agent enable Create a HWPing test group setting the administrator name to administrator and test tag to DHCP Sysname Hwping administrator dhcp Configure the test type as dhcp Sysname hwping administra...

Page 1194: ...nce errors 0 Drop operation number 0 Other operation errors 0 Sysname hwping administrator dhcp display hwping history administrator dhcp HWPing entry admin administrator tag dhcp history record Index Response Status LastRC Time 1 1018 1 0 2000 04 03 09 51 30 9 2 1037 1 0 2000 04 03 09 51 22 9 3 1024 1 0 2000 04 03 09 51 18 9 4 1027 1 0 2000 04 03 09 51 06 8 5 1018 1 0 2000 04 03 09 51 00 8 6 1020...

Page 1195: ...I Configuration procedure z Configure FTP Server Switch B Configure FTP server on Switch B For specific configuration of FTP server refer to the FTP SFTP TFTP part of the manual z Configure HWPing Client Switch A Enable the HWPing client Sysname system view Sysname hwping agent enable Create a HWPing test group setting the administrator name to administrator and test tag to FTP Sysname hwping admi...

Page 1196: ...peration times 10 Receive response times 10 Min Max Average Round Trip Time 3245 15891 12157 Square Sum of Round Trip Time 1644458573 Last complete test time 2000 4 3 4 0 34 6 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop oper...

Page 1197: ...ivity and the time required to download a file from the HTTP server after the connection to the server is established II Network diagram Figure 1 5 Network diagram for the HTTP test III Configuration procedure z Configure HTTP Server Use Windows 2003 Server as the HTTP server For HTTP server configuration refer to the related instruction on Windows 2003 Server configuration z Configure HWPing Clie...

Page 1198: ...2000 4 2 20 41 50 4 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Http result DNS Resolve Time 0 HTTP Operation Time 675 DNS Resolve Min Time 0 HTTP Test Total Time 748 DNS Resolve M...

Page 1199: ... DNS server to resolve the host name into an IP address which is the destination IP address of this HTTP test 1 3 5 Jitter Test I Network requirements Both the HWPing client and the HWPing server are H3C S5600 series Ethernet switches Perform a HWPing jitter test between the two switches to test the delay jitter of the UDP packets exchanged between this end HWPing client and the specified destinat...

Page 1200: ...p count 10 Set the probe timeout time to 30 seconds Sysname hwping administrator Jitter timeout 30 Start the test Sysname hwping administrator Jitter test enable Display test results Sysname hwping administrator Jitter display hwping results administrator Jitter HWPing entry admin administrator tag Jitter test result Destination ip address 10 2 2 2 Send operation times 100 Receive response times 1...

Page 1201: ...y administrator Jitter HWPing entry admin administrator tag Jitter history record Index Response Status LastRC Time 1 274 1 0 2000 04 02 08 14 58 2 2 278 1 0 2000 04 02 08 14 57 9 3 280 1 0 2000 04 02 08 14 57 6 4 279 1 0 2000 04 02 08 14 57 3 5 280 1 0 2000 04 02 08 14 57 1 6 270 1 0 2000 04 02 08 14 56 8 7 275 1 0 2000 04 02 08 14 56 5 8 263 1 0 2000 04 02 08 14 56 2 9 270 1 0 2000 04 02 08 14 5...

Page 1202: ...example This configuration may differ if the system uses any other version of SNMP For details see SNMP RMON Operation Manual z Configure HWPing Client Switch A Enable the HWPing client Sysname system view Sysname hwping agent enable Create a HWPing test group setting the administrator name to administrator and test tag to snmp Sysname Hwping administrator snmp Configure the test type as snmp Sysn...

Page 1203: ...sname hwping administrator snmp display hwping history administrator snmp HWPing entry admin administrator tag snmp history record Index Response Status LastRC Time 1 10 1 0 2000 04 03 08 57 20 0 2 10 1 0 2000 04 03 08 57 20 0 3 10 1 0 2000 04 03 08 57 20 0 4 10 1 0 2000 04 03 08 57 19 9 5 9 1 0 2000 04 03 08 57 19 9 6 11 1 0 2000 04 03 08 57 19 9 7 10 1 0 2000 04 03 08 57 19 9 8 10 1 0 2000 04 03...

Page 1204: ...o administrator and test tag to tcpprivate Sysname Hwping administrator tcpprivate Configure the test type as tcpprivate Sysname hwping administrator tcpprivate test type tcpprivate Configure the IP address of the HWPing server as 10 2 2 2 Sysname hwping administrator tcpprivate destination ip 10 2 2 2 Configure the destination port on the HWPing server Sysname hwping administrator tcpprivate dest...

Page 1205: ...ay hwping history administrator tcpprivate HWPing entry admin administrator tag tcpprivate history record Index Response Status LastRC Time 1 4 1 0 2000 04 02 08 26 02 9 2 5 1 0 2000 04 02 08 26 02 8 3 4 1 0 2000 04 02 08 26 02 8 4 5 1 0 2000 04 02 08 26 02 7 5 4 1 0 2000 04 02 08 26 02 7 6 5 1 0 2000 04 02 08 26 02 6 7 6 1 0 2000 04 02 08 26 02 6 8 7 1 0 2000 04 02 08 26 02 5 9 5 1 0 2000 04 02 0...

Page 1206: ...udpprivate Sysname Hwping administrator udpprivate Configure the test type as udpprivate Sysname hwping administrator udpprivate test type udpprivate Configure the IP address of the HWPing server as 10 2 2 2 Sysname hwping administrator udpprivate destination ip 10 2 2 2 Configure the destination port on the HWPing server Sysname hwping administrator udpprivate destination port 8000 Configure to m...

Page 1207: ...ng entry admin administrator tag udpprivate history record Index Response Status LastRC Time 1 11 1 0 2000 04 02 08 29 45 5 2 12 1 0 2000 04 02 08 29 45 4 3 11 1 0 2000 04 02 08 29 45 4 4 11 1 0 2000 04 02 08 29 45 4 5 11 1 0 2000 04 02 08 29 45 4 6 11 1 0 2000 04 02 08 29 45 4 7 10 1 0 2000 04 02 08 29 45 3 8 10 1 0 2000 04 02 08 29 45 3 9 10 1 0 2000 04 02 08 29 45 3 10 11 1 0 2000 04 02 08 29 4...

Page 1208: ...re to resolve the domain name www test com Sysname hwping administrator dns dns resolve target www test com Configure to make 10 probes per test Sysname hwping administrator dns count 10 Set the probe timeout time to 5 seconds Sysname hwping administrator dns timeout 5 Start the test Sysname hwping administrator dns test enable Display test results Sysname hwping administrator dns display hwping r...

Page 1209: ...or dns display hwping history administrator dns HWPing entry admin administrator tag dns history record Index Response Status LastRC Time 1 10 1 0 2006 11 28 11 50 40 9 2 10 1 0 2006 11 28 11 50 40 9 3 10 1 0 2006 11 28 11 50 40 9 4 7 1 0 2006 11 28 11 50 40 9 5 8 1 0 2006 11 28 11 50 40 9 6 6 1 0 2006 11 28 11 50 40 9 7 8 1 0 2006 11 28 11 50 40 9 8 9 1 0 2006 11 28 11 50 40 9 9 9 1 0 2006 11 28 ...

Page 1210: ...uring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time 1 17 1 2 6 Configuring the Hop Limit of ICMPv6 Reply Packets 1 17 1 2 7 Configuring IPv6 DNS 1 18 1 2 8 Displaying and Maintaining IPv6 1 19 1 3 IPv6 Configuration Example 1 20 1 3 1 IPv6 Unicast Address Configuration 1 20 Chapter 2 IPv6 Application Configuration 2 1 2 1 Introduction to IPv6 Application 2 1 2 2 Config...

Page 1211: ... Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits 1 1 1 IPv6 Features I Header format simplification IPv6 cuts down some IPv4 header fields or moves them to extension head...

Page 1212: ...uration To simplify the host configuration IPv6 supports stateful address configuration and stateless address configuration z Stateful address configuration means that a host acquires an IPv6 address and related information from the server for example DHCP server z Stateless address configuration means that the host automatically configures an IPv6 address and related information based on its own ...

Page 1213: ... IPv6 enhances the flexibility greatly to provide scalability for IP while improving the processing efficiency The Options field in IPv4 packets contains only 40 bytes while the size of IPv6 extension headers is restricted by that of IPv6 packets 1 1 2 Introduction to IPv6 Address I IPv6 addresses An IPv6 address is represented as a series of 16 bit hexadecimals separated by colons An IPv6 address...

Page 1214: ...v6 addresses mainly fall into three types unicast address multicast address and anycast address z Unicast address An identifier for a single interface similar to an IPv4 unicast address A packet sent to a unicast address is delivered to the interface identified by that address z Multicast address An identifier for a set of interfaces typically belonging to different nodes similar to an IPv4 multic...

Page 1215: ...rs This type of address allows efficient routing aggregation to restrict the number of global routing entries z The link local address is used in the neighbor discovery protocol and the stateless autoconfiguration process Routers must not forward any packets with link local source or destination addresses to other links z IPv6 unicast site local addresses are similar to private IPv4 addresses Rout...

Page 1216: ...esponding solicited node address The format of a solicited node multicast address is as follows FF02 0 0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 address V Interface identifier in IEEE EUI 64 format Interface identifiers in IPv6 unicast addresses are used to identify interfaces on a link and they are required to be uni...

Page 1217: ...ions of ICMPv6 messages used by the NDP Table 1 3 Types and functions of ICMPv6 messages ICMPv6 message Function Used to acquire the link layer address of a neighbor Used to verify whether the neighbor is reachable Neighbor solicitation NS message Used to perform a duplicate address detection Used to respond to a neighbor solicitation message Neighbor advertisement NA message When the link layer a...

Page 1218: ...ckets Note z H3C S5600 Series Ethernet Switches do not support the RS RA or Redirect message z Of the above mentioned IPv6 NDP functions H3C S5600 Series Ethernet Switches support the following three functions address resolution neighbor unreachability detection and duplicate address detection The subsequent sections present a detailed description of these three functions and relevant configuratio...

Page 1219: ...r node B node A can verify whether node B is reachable according to NS and NA messages 1 Node A sends an NS message whose destination address is the IPv6 address of node B 2 If node A receives an NA message from node B node A considers that node B is reachable Otherwise node B is unreachable III Duplicate address detection After a node acquires an IPv6 address it should perform the duplicate addre...

Page 1220: ...er can convert domain names into IPv4 addresses or IPv6 addresses In this way the DNS server has the functions of both IPv6 DNS and IPv4 DNS 1 1 5 Protocols and Standards Protocol specifications related to IPv6 include z RFC 1881 IPv6 Address Allocation Management z RFC 1887 An Architecture for IPv6 Unicast Address Allocation z RFC 1981 Path MTU Discovery for IP version 6 z RFC 2375 IPv6 Multicast...

Page 1221: ...te local addresses and global unicast addresses can be configured in either of the following ways z EUI 64 format When the EUI 64 format is adopted to form IPv6 addresses the IPv6 address prefix of an interface is the configured prefix and the interface identifier is derived from the link layer address of the interface z Manual configuration IPv6 site local addresses or global unicast addresses ar...

Page 1222: ...4 Use either command By default no site local address or global unicast address is configured for an interface Note that the prefix specified by the prefix length argument in an EUI 64 address cannot exceed 64 bits in length Automatically generate a link local address ipv6 address auto link local Configure an IPv6 link local address Manually assign a link local address for an interface ipv6 addres...

Page 1223: ...ocal address will not take effect and the link local address of an interface is still the manually assigned one If the manually assigned link local address is deleted the automatically generated link local address takes effect z You must have carried out the ipv6 address auto link local command before you carry out the undo ipv6 address auto link local command However if an IPv6 site local address...

Page 1224: ...amically learn When the number of dynamically learned neighbors reaches the threshold the interface will stop learning neighbor information Follow these steps to configure the maximum number of neighbors dynamically learned To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Configure the maximum number of neighbors dynami...

Page 1225: ... You can configure the interval for sending NS messages Follow these steps to configure the NS interval To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Specify the NS interval ipv6 nd ns retrans timer value Optional 1 000 milliseconds by default V Configuring the neighbor reachable timeout time on an interface After a ...

Page 1226: ...wait timer When a SYN packet is sent the synwait timer is triggered If no response packet is received before the synwait timer expires the IPv6 TCP connection establishment fails z finwait timer When the IPv6 TCP connection status is FIN_WAIT_2 the finwait timer is triggered If no packet is received before the finwait timer expires the IPv6 TCP connection is terminated If FIN packets are received ...

Page 1227: ...packet is sent the number of tokens in a token bucket decreases by 1 If the number of the IPv6 ICMP error packets that are continuously sent out reaches the capacity of the token bucket the subsequent IPv6 ICMP error packets cannot be sent out until new tokens are put into the token bucket based on the specified update frequency Follow these steps to configure the maximum number of IPv6 ICMP error...

Page 1228: ...f you want to use the dynamic domain name function you can use the following command to enable the dynamic domain name resolution function In addition you should configure a DNS server so that a query request message can be sent to the correct server for resolution The system can support at most six DNS servers You can configure a domain name suffix so that you only need to enter some fields of a ...

Page 1229: ...ynamic host Display DNS server information display dns server dynamic Display the FIB entries display ipv6 fib Display the mapping between host name and IPv6 address display ipv6 host Display the brief IPv6 information of an interface display ipv6 interface interface type interface number brief Display neighbor information display ipv6 neighbors ipv6 address all dynamic interface interface type in...

Page 1230: ... reset ipv6 statistics Clear the statistics of all IPv6 TCP packets reset tcp ipv6 statistics Clear the statistics of all IPv6 UDP packets reset udp ipv6 statistics Available in user view Note The display dns domain and display dns server commands are the same as those of IPv4 DNS For details about the commands refer to DNS Operation in this manual 1 3 IPv6 Configuration Example 1 3 1 IPv6 Unicast...

Page 1231: ...s 3001 1 64 2 Configure Switch B Configure an automatically generated link local address for the interface VLAN interface 2 SwitchA system view SwitchB interface Vlan interface 2 SwitchB Vlan interface2 ipv6 address auto link local Configure an EUI 64 address for the interface VLAN interface 2 SwitchB Vlan interface2 ipv6 address 2001 64 eui 64 Configure a global unicast address for the interface ...

Page 1232: ...01 2 subnet is 3001 64 Joined group address es FF02 1 FF00 2 FF02 1 FF00 1 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses On Switch A ping the link local address EUI 64 address and global unicast address of Switch B If the configurations are correct ...

Page 1233: ...2FF FE00 1 56 data bytes press CTRL_C to break Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 1 hop limit 255 time 40 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 2 hop limit 255 time 70 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 3 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 4 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequ...

Page 1234: ...ches Chapter 1 IPv6 Configuration 1 24 bytes 56 Sequence 4 hop limit 255 time 70 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 255 time 60 ms 3001 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 50 60 70 ms ...

Page 1235: ...upported on H3C S5600 Series Ethernet Switches are z Ping z Traceroute z TFTP z Telnet 2 2 Configuring IPv6 Application 2 2 1 IPv6 Ping The ping ipv6 command is commonly used for testing the reachability of a host This command sends an ICMPv6 message to the destination host and records the time for the response message to be received For details about the ping command refer to System Maintenance a...

Page 1236: ...an IP datagram with the Hop Limit of 1 z If the first hop device receiving the datagram reads the Hop Limit of 1 it will discard the packet and return an ICMP timeout error message Thus the source can get the first device s address in the route z The source sends a datagram with the Hop Limit of 2 and the second hop device returns an ICMP timeout error message The source gets the second device s a...

Page 1237: ... steps to download or upload files to TFTP servers To do Use the command Remarks Download Upload files from TFTP server tftp ipv6 remote system i interface type interface number get put source filename destination filename Required Available in user view Caution When you use the tftp ipv6 command to connect to the TFTP server you must specify the i keyword if the destination address is a link loca...

Page 1238: ...ace number port number Required Available in user view Caution When you use the telnet ipv6 command to connect to the Telnet server you must specify the i keyword if the destination address is a link local address II Displaying and maintaining IPv6 Telnet To do Use the command Remarks Display the use information of the users who have logged in display users all Available in any view 2 3 IPv6 Appli...

Page 1239: ...guration procedure Note You need configure IPv6 address at the switch s and server s interfaces and ensure that the route between the switch and the server is accessible before the following configuration Ping SWB s IPv6 address from SWA SWA ping ipv6 3003 1 PING 3003 1 64 data bytes press CTRL_C to break Reply from 3003 1 bytes 56 Sequence 1 hop limit 64 time 110 ms Reply from 3003 1 bytes 56 Seq...

Page 1240: ...loads a file from TFTP server 3001 3 SWA tftp ipv6 3001 3 get filetoget flash filegothere File will be transferred in binary mode Downloading file from remote tftp server please wait TFTP 13 bytes received in 1 243 second s File downloaded successfully SWA Connect to Telnet server 3001 2 SWA telnet ipv6 3001 2 Trying 3001 2 Press CTRL K to abort Connected to 3001 2 Telnet Server 2 4 Troubleshootin...

Page 1241: ...s included in the tracert ipv6 command is used by an application on the host If yes you need to use the tracert ipv6 command with an unreachable UDP port 2 4 3 Unable to Run TFTP I Symptom Unable to download and upload files by performing TFTP operations II Solution z Check that the route between the device and the TFTP server is up z Check that the file system of the device is usable You can chec...

Page 1242: ... Domain Name Resolution 1 2 1 2 Configuring Domain Name Resolution 1 3 1 2 1 Configuring Static Domain Name Resolution 1 3 1 2 2 Configuring Dynamic Domain Name Resolution 1 3 1 3 Displaying and Maintaining DNS 1 4 1 4 DNS Configuration Examples 1 4 1 4 1 Static Domain Name Resolution Configuration Example 1 4 1 4 2 Dynamic Domain Name Resolution Configuration Example 1 5 1 5 Troubleshooting DNS 1...

Page 1243: ...able and meaningful domain names in some applications and let the DNS server resolve it into correct IP addresses There are two types of DNS services static and dynamic Each time the DNS server receives a name query it checks its static DNS database before looking up the dynamic DNS database Reduction of the searching time in the dynamic DNS database would increase efficiency Some frequently used ...

Page 1244: ... between user program DNS client and DNS server The resolver and cache comprise the DNS client The user program and DNS client run on the same device while the DNS server and the DNS client usually run on different devices Dynamic domain name resolution allows the DNS client to store latest mappings between name and IP address in the dynamic domain name cache of the DNS client There is no need to ...

Page 1245: ...tic Domain Name Resolution Follow these steps to configure static domain name resolution To do Use the command Remarks Enter system view system view Configure a mapping between a host name and an IP address ip host hostname ip address Required No IP address is assigned to a host name by default Note The IP address you assign to a host name last time will overwrite the previous one if there is any ...

Page 1246: ... server dynamic Display the DNS suffixes display dns domain dynamic Display the information in the dynamic domain name cache display dns dynamic host Display the DNS resolution result nslookup type ptr ip address a domain name Available in any view Clear the information in the dynamic domain name cache reset dns dynamic host Available in user view 1 4 DNS Configuration Examples 1 4 1 Static Domain...

Page 1247: ... ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 3 ttl 127 time 2 ms Reply from 10 1 1 2 bytes 56 Sequence 4 ttl 127 time 5 ms Reply from 10 1 1 2 bytes 56 Sequence 5 ttl 127 time 3 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 2 3 5 ms 1 4 2 Dynamic Domain Name Resolution Configurat...

Page 1248: ...dress 2 1 1 2 for the DNS server Sysname dns server 2 1 1 2 Configure com as the DNS suffix Sysname dns domain com Execute the ping host command on Switch to verify that the communication between Switch and Host is normal and that the corresponding IP address is 3 1 1 1 Sysname ping host Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press CTRL_C to break Reply from 3 1 1 1 bytes 56...

Page 1249: ...ost command to check that the specified domain name is in the cache z If there is no defined domain name check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the specified domain name exists in the cache but the IP address is incorrect check that the DNS client has the correct IP address of the DNS server z Check that the mapping between ...

Page 1250: ...5 1 2 4 Precautions 1 6 1 3 Displaying and Maintaining Smart Link 1 7 1 4 Smart Link Configuration Example 1 7 1 4 1 Implementing Link Redundancy Backup 1 7 Chapter 2 Monitor Link Configuration 2 1 2 1 Introduction to Monitor Link 2 1 2 1 1 How Monitor Link Works 2 2 2 2 Configuring Monitor Link 2 3 2 2 1 Configuration Task List 2 3 2 2 2 Creating a Monitor Link Group 2 3 2 2 3 Configuring the Upl...

Page 1251: ...nvergence time Smart Link can achieve active standby link redundancy backup and fast convergence to meet the user demand Smart Link has the following features z Active standby backup for dual uplink networking z Simple configuration and operation 1 1 1 Basic Concepts in Smart Link I Smart link group A smart link group consists of two member ports one master port and one slave port Normally only on...

Page 1252: ...updated throughout the network In this case the smart link group sends flush messages to notify other devices to refresh MAC address forwarding entries and ARP entries V Control VLAN for sending flush messages This control VLAN sends flush messages When link switching occurs the device Switch A in Figure 1 1 broadcasts flush messages in this control VLAN VI Control VLAN for receiving flush message...

Page 1253: ... in the network may be out of date In order to guarantee correct packet transmission you must enable the Smart Link device to send flush messages to notify the other devices in the network to refresh their own MAC forwarding entries and ARP entries In this case all the uplink devices must be capable of identifying flush messages from the smart link group and refreshing MAC forwarding entries and A...

Page 1254: ...ved from the specified control VLAN Required 1 2 2 Configuring a Smart Link Device A Smart Link device refers to a device on which Smart Link is enabled and a smart link group is configured and that sends flush messages from the specified control VLAN A member port of a smart link group can be either an Ethernet port or a manually configured or static LACP aggregation group You can configure a por...

Page 1255: ...s in the specified control VLAN flush enable control vlan vlan id Optional By default no control VLAN for sending flush messages is specified 1 2 3 Configuring Associated Devices An associated device mentioned in this document refers to a device that supports Smart Link and locally configured to process flush messages received from the specified control VLAN so as to work with the corresponding Sm...

Page 1256: ...r for a smart link group and a monitor link group at the same time 2 STP cannot be enabled on the member ports of a smart link group An STP enabled port or a link aggregation group with an STP enabled port cannot serve as a member port for a smart link group 3 A smart link monitor link group with members cannot be deleted 4 Smart Link Monitor Link is mutually exclusive with remote port mirroring 5...

Page 1257: ...sh messages must be manually configured for each port in the aggregation group 12 The VLAN configured as a control VLAN to send and receive flush messages must exist You cannot directly remove the control VLAN When a dynamic VLAN is configured as the control VLAN for the smart link group this VLAN will become a static VLAN and the prompt information is displayed 1 3 Displaying and Maintaining Smar...

Page 1258: ...hernet port view Disable STP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 SwitchA interface GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 stp disable SwitchA GigabitEthernet1 0 1 quit SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 stp disable Return to system view SwitchA GigabitEthernet1 0 2 quit Create smart link group 1 and enter the corresponding smart link gro...

Page 1259: ...t link flush enable control vlan 1 port GigabitEthernet 1 0 2 3 Enable the function of processing flush messages received from VLAN 1 on Switch D Enter system view SwitchD system view Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1 0 2 SwitchD smart link flush enable control vlan 1 port GigabitEthernet 1 0 2 4 Enable the function of processing flush messa...

Page 1260: ...n of Smart Link A monitor Link consists of an uplink port and one or multiple downlink ports When the link for the uplink port of a monitor link group fails all the downlink ports in the monitor link group are forced down When the link for the uplink port recovers all the downlink ports in the group are re enabled Figure 2 1 Network diagram for a monitor link group implementation As shown in Figur...

Page 1261: ...itor link group when the link for the uplink port GigabitEthernet 1 0 1 on Switch C fails the links in the smart link group are not switched because the link for the master port GigabitEthernet 1 0 1 of Switch A configured with smart link group operates normally Actually however the traffic on Switch A cannot be up linked to Switch E through the link of GigabitEthernet 1 0 1 z If Switch C is confi...

Page 1262: ...a monitor link group and configure member ports for it A monitor link group consists of an uplink port and one or multiple downlink ports The uplink port can be a manually configured or static LACP link aggregation group an Ethernet port or a smart link group The downlink ports can be manually configured link aggregation groups or static LACP link aggregation groups or Ethernet ports 2 2 1 Configu...

Page 1263: ...specified smart link group as the uplink port of the monitor link group smart link group group id uplink Monitor link group view port interface type interface number uplink quit interface interface type interface number Configure the uplink port for the monitor link group Configure the specified Ethernet port as the uplink port of the monitor link group Ethernet port view port monitor link group g...

Page 1264: ...n z A smart link monitor link group with members cannot be deleted A smart link group as a monitor link group member cannot be deleted z The smart link monitor link function and the port mirroring function are incompatible with each other z If a single port is specified as a smart link monitor link group member do not use the lacp enable command on the port or add the port to another dynamic link ...

Page 1265: ...I Network diagram BLOCK Switch A Switch B GE1 0 1 GE1 0 2 Switch C Switch D Switch E GE1 0 1 GE1 0 2 GE1 0 3 Server GE1 0 2 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 3 GE1 0 11 GE1 0 10 PC 1 PC 4 PC 3 PC 2 Figure 2 3 Network diagram for Monitor Link configuration III Configuration procedure 1 Enable Smart Link on Switch A and Switch B to implement link redundancy backup Perform the following configuration on ...

Page 1266: ...procedure on Switch D is the same as that performed on Switch C Enter system view SwitchC system view Create monitor link group 1 and enter monitor link group view SwitchC monitor link group 1 Configure GigabitEthernet 1 0 1 as the uplink port of the monitor link group and GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as the downlink ports SwitchC mtlk group1 port GigabitEthernet 1 0 1 uplink Sw...

Page 1267: ...n Manual Smart Link Monitor Link H3C S5600 Series Ethernet Switches Chapter 2 Monitor Link Configuration 2 8 SwitchE smart link flush enable control vlan 1 port GigabitEthernet 1 0 10 to GigabitEthernet 1 0 11 ...

Page 1268: ...able of Contents Chapter 1 Access Management Configuration 1 1 1 1 Access Management Overview 1 1 1 2 Configuring Access Management 1 2 1 3 Access Management Configuration Examples 1 3 1 3 1 Access Management Configuration Example 1 3 1 3 2 Combining Access Management with Port Isolation 1 4 ...

Page 1269: ...hrough Layer 2 switches and the access switches provide external network accesses for the client PCs through their upstream links In the network shown in Figure 1 1 Switch A is an access switch Switch B is a Layer 2 switch Switch A Switch B GE1 0 1 PC1_1 PC1_2 PC1_n PC2 PC3 Internet Organization 1 Figure 1 1 Typical Ethernet access networking scenario The access management function aims to manage ...

Page 1270: ...ort must be in the same network segment as the IP address of the VLAN where the port belongs to interface 1 2 Configuring Access Management Follow these steps to configure access management To do Use the command Remarks Enter system view system view Enable access management function am enable Required By default the system disables the access management function Enable access management trap am tr...

Page 1271: ...o allow only the hosts with their IP addresses in the access management address pool of a port to access external networks do not configure static ARP entries for IP addresses not in the IP address pool 1 3 Access Management Configuration Examples 1 3 1 Access Management Configuration Example I Network requirements Client PCs are connected to the external network through Switch A an Ethernet switc...

Page 1272: ...ress of VLAN interface 1 to 202 10 20 200 24 Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 202 10 20 200 24 Sysname Vlan interface1 quit Configure the access management IP address pool on GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 am ip pool 202 10 20 1 20 1 3 2 Combining Access Management with Port Isolation I Network require...

Page 1273: ...am Switch A Switch B GE1 0 1 PC1_1 PC1_2 PC1_20 Internet 202 10 20 1 24 202 10 20 20 24 Switch C GE1 0 2 PC2_1 PC2_2 PC2_37 Organization 2 Organization 1 202 10 20 25 24 202 10 20 50 24 202 10 20 55 24 202 10 20 65 24 Vlan int1 202 10 20 200 24 Figure 1 3 Network diagram for combining access management and port isolation III Configuration procedure Perform the following configuration on Switch A F...

Page 1274: ... pool 202 10 20 1 20 Add GigabitEthernet 1 0 1 to the port isolation group Sysname GigabitEthernet1 0 1 port isolate Sysname GigabitEthernet1 0 1 quit Configure the access management IP address pool on GigabitEthernet 1 0 2 Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 am ip pool 202 10 20 25 26 202 10 20 55 11 Add GigabitEthernet 1 0 2 to the port isolation group Sysname Gi...

Page 1275: ...Operation Manual Appendix H3C S5600 Series Ethernet Switches Table of Contents i Table of Contents Appendix A Acronyms A 1 ...

Page 1276: ...uter BGP Border Gateway Protocol C CIDR Classless Inter Domain Routing CLI Command Line Interface CoS Class of Service D DDM Distributed Device Management DLA Distributed Link Aggregation DLDP Device Link Detection Protocol DRR Distributed Resilient Routing DHCP Dynamic Host Configuration Protocol DNS Domain Name System DR Designated Router D V Distance Vector Routing Algorithm E EAD Endpoint Admi...

Page 1277: ... Protocol IGP Interior Gateway Protocol IP Internet Protocol IRF Intelligent Resilient Framework L LSA Link State Advertisement LSDB Link State DataBase M MAC Medium Access Control MIB Management Information Base N NBMA Non Broadcast MultiAccess NIC Network Information Center NMS Network Management System NTP Network Time Protocol O OSPF Open Shortest Path First P PIM Protocol Independent Multicas...

Page 1278: ...STP Rapid Spanning Tree Protocol S SNMP Simple Network Management Protocol SP Strict Priority SSH Secure Shell STP Spanning Tree Protocol T TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol ToS Type of Service TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand VRRP Virtual Router Redundancy Protocol W WRR Weighted Round Rob...

Reviews:

No comments