H3C LS-5100-16P-SI-OVS-H3 Configuration Download Page 301

Page: 301 / 313

H3C Low-End Ethernet Switches Configuration Examples
ARP Attack Prevention

Chapter 2 Configuration Examples

2-8

2.2.2 Network Diagram

Figure 2-3

Network diagram for ARP attack prevention in authentication mode

2.2.3 Configuration Considerations

Install 802.1x client software on the hosts so that the hosts need to pass 802.1x

authentications before accessing the network.

Configure 802.1x and AAA on Switch A and Switch B.

Configure the gateway’s IP-to-MAC binding on the CAMS server which will

provide the binding to clients for preventing gateway spoofing attacks.

2.2.4 Configuration Procedures

I. Configure Switch A

# Create VLAN 10, and add Ethernet 1/0/1 through Ethernet 1/0/3 into VLAN 10.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] port Ethernet 1/0/1 to Ethernet 1/0/3

[SwitchA-vlan10] quit

# Configure RADIUS scheme

cams

and specify a primary authentication server.

[SwitchA] radius scheme cams

[SwitchA-radius-cams] primary authentication 10.10.1.1

[SwitchA-radius-cams] accounting optional

Summary of Contents for LS-5100-16P-SI-OVS-H3

Page 1: ...g the DHCP Relay Agent 1 8 1 2 3 Configuring DHCP Snooping 1 9 Chapter 2 Configuration Examples 2 1 2 1 DHCP Server Configuration Example 2 1 2 1 1 Network Requirements 2 1 2 1 2 Network Diagram 2 2 2...

Page 2: ...document describes DHCP configuration and application on Ethernet switches in specific networking environments Based on the different roles played by the devices in the network the functions and appl...

Page 3: ...ng on the models the H3C low end switches can support part or all of the following DHCP functions DHCP server z DHCP server using global address pool interface address pool z IP address lease configur...

Page 4: ...perating principles and applications of the functions 1 2 1 Configuring the DHCP Server The DHCP server can be configured to assign IP addresses from a global or interface address pool These two confi...

Page 5: ...for DHCP clients domain name domain name Required By default no domain name is configured for DHCP clients Configure DNS server addresses for DHCP clients dns list ip address 1 8 Required By default...

Page 6: ...ient ID is bound to an IP address statically Note z To configure a static binding you need to specify the IP address and the MAC address or client ID z A static address pool can be configured with onl...

Page 7: ...t Option 82 dhcp server relay information enable Optional By default the DHCP server supports Option 82 2 Use the following commands to configure IP address allocation through the interface address po...

Page 8: ...Return to system view quit Specify the IP addresses to be excluded from automatic allocation dhcp server forbidden ip low ip address high ip address Optional By default all the IP addresses in an inte...

Page 9: ...s On multiple interfaces dhcp server netbios type b node h node m node p node interface interface type interface number to interface type interface number all Optional By default no NetBIOS node type...

Page 10: ...the DHCP server supports Option 82 1 2 2 Configuring the DHCP Relay Agent Use the following commands to configure the DHCP relay agent Table 1 4 Configure DHCP relay agent Operation Command Descripti...

Page 11: ...gy for the DHCP relay agent to handle request packets containing Option 82 dhcp relay information strategy drop keep replace Optional By default the strategy is replace Enter VLAN interface view inter...

Page 12: ...figuration Examples Chapter 1 DHCP Functions Overview 1 10 Operation Command Description Specify the port connected to the DHCP server as a trusted port dhcp snooping trust Optional By default all the...

Page 13: ...t with a lease period of two days and exclude the IP addresses of the DNS server WINS server and mail server from allocation z Assign IP addresses to the DNS server WINS server and the mail server in...

Page 14: ...re version Release 1510 are used in this example II Configuring DHCP server z Configure address allocation for the devices in the HQ Configure the IP address of VLAN interface10 on the DHCP server in...

Page 15: ...den ip 10 214 10 3 10 214 10 5 z Configure address allocation for the devices in the Branch Create a global address pool named br for the Branch and specify the range and lease period of the IP addres...

Page 16: ...n the HQ and serves as the DHCP server to assign IP addresses to the workstations in the Office branch The branches are connected to an IRF intelligent resilient framework Fabric that serves as the ce...

Page 17: ...HCP Option 82 so that the DHCP relay agent keeps the original filed unchanged upon receiving DHCP messages carrying Option 82 z Enable the DHCP server to support DHCP Option 82 so that it assigns the...

Page 18: ...nect four devices to form a Fabric for centralized management of the devices in the Fabric For details see related sections in the operation manuals for the S3600 series II Configuring the DHCP relay...

Page 19: ...witchA Vlan interface25 address check enable SwitchA Vlan interface25 quit Configure the address entry update interval on the DHCP relay agent SwitchA dhcp relay hand enable SwitchA dhcp security trac...

Page 20: ...ge lease period and the gateway address LAB system view LAB dhcp enable LAB dhcp server ip pool lab2 LAB dhcp lab2 network 192 168 19 0 255 255 255 0 LAB dhcp lab2 expired day 2 LAB dhcp lab2 gateway...

Page 21: ...Network diagram for DHCP snooping configuration Enable DHCP snooping and enable Option 82 support for DHCP snooping Snooping system view Snooping dhcp snooping Snooping dhcp snooping information enab...

Page 22: ...re 02080006 is a fixed value and 000fe234bc66 is the MAC address of the DHCP snooping device In this example IP addresses are assigned based on port number only Therefore on the DHCP server only a mat...

Page 23: ...dhcp pool dns server 192 168 100 2 Switch dhcp pool netbios name server 192 168 100 3 After the above mentioned configuration the DHCP server can automatically assign an IP address the gateway address...

Page 24: ...tion Examples Chapter 3 Related Documents 3 1 Chapter 3 Related Documents 3 1 Protocols and Standards z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z...

Page 25: ...ueue Scheduling Algorithm plus Congestion Avoidance plus Packet Priority Trust 2 4 2 3 1 Network Requirements 2 4 2 3 2 Network Diagram 2 4 2 3 3 Configuration Procedure 2 4 2 4 Configuration Example...

Page 26: ...ions on Ethernet switches in actual networking environments To satisfy different user needs the document covers various functions and applications like time based ACLs traffic policing priority re mar...

Page 27: ...odel Function S3600 EI S3600 SI S5600 S5100 EI S5100 SI S3100 SI Basic ACL z z z z z z Advanced ACL z z z z z z Layer 2 ACL z z z z User defined ACL z z z Software bas ed ACL referenced by upper layer...

Page 28: ...SI S5600 S5100 EI S5100 SI S3100 SI Local traffic mirroring z z z z Traffic measurement z z z z WEB Cache redirection z Note z means that the function is supported means that the function is not supp...

Page 29: ...port match order Define an ACL rule rule rule id permit deny rule string The parameters criteria available for rule string vary with ACL types For details refer to the corresponding command manual Con...

Page 30: ...4 to N 1 64 N is a natural number the switch takes the value N 1 64 Reference an ACL for traffic identification and re assign a priority to the matching packets traffic priority inbound outbound acl r...

Page 31: ...current port only z In the globally defined WRR or WFQ queue scheduling algorithm you can modify the weight or bandwidth in port view if the weight or bandwidth of each queue cannot satisfy the needs...

Page 32: ...rk topology Figure 2 1 shows the network topology of a company The environment is as follows z An S3600 switch serves as the central switch of the company The software version is Release 1510 z The de...

Page 33: ...lowed maximum rate is 20 Mbps The DSCP priority of such packets at rates higher than 20 Mbps is modified as EF z For the packets with the CoS priority of 5 that are sent by PC 2 the allowed maximum ra...

Page 34: ...riods H3C acl number 4010 H3C acl ethernetframe 4010 rule 0 permit cos 5 source 0012 0990 2241 ffff ffff ffff time range a002 H3C acl ethernetframe 4010 quit Apply rule 0 of ACL 3010 to the port Gigab...

Page 35: ...z Configure the port GigabitEthernet1 1 2 to use the WRR queue priority algorithm and configure the weight of outbound queues as 1 1 1 5 1 10 1 15 z Configure the queue with an index of 4 on the port...

Page 36: ...ling algorithm on the port GigabitEthernet1 1 2 and configure the weight of outbound queues as 1 1 1 5 1 10 1 15 H3C GigabitEthernet1 1 2 queue scheduler wrr 1 1 1 5 1 10 1 15 Configure the queue with...

Page 37: ...3 Configuration Procedure Configure a workday period H3C system view System View return to User View with Ctrl Z H3C time range a001 8 30 to 18 00 working day Configure non workday periods H3C time r...

Page 38: ...traffic statistic inbound ip group 3030 rule 1 Note The traffic redirect and traffic statistic commands work only with the permit rules in ACLs 2 5 Configuration Example of Local Traffic Mirroring 2 5...

Page 39: ...ored to inbound ip group 3010 rule 0 monitor interface H3C Ethernet1 0 1 quit H3C interface Ethernet 1 0 2 H3C Ethernet1 0 2 mirrored to inbound ip group 3010 rule 0 monitor interface Note The mirrore...

Page 40: ...her the egress port is tagged 8 When configuring a user defined ACL consider the following points for the offset length z All the packets that are processed by the switch internally have a VLAN tag On...

Page 41: ...ons that reference system ACL rules include z 802 1x function after 802 1x is enabled globally and on a port ACL rules are referenced to apply z Cluster function the function is enabled by default ACL...

Page 42: ...nt is 192 168 1 1 24 z The R D department gains access to the switch through the port Ethernet1 0 2 It belongs to VLAN 20 and the network segment is 192 168 2 1 24 z The administrative department gain...

Page 43: ...3 Configuration Procedure Create VLAN 10 for the market department and assign an IP address 192 168 1 1 to the VLAN interface 10 H3C system view System View return to User View with Ctrl Z H3C vlan 10...

Page 44: ...4 1 to the VLAN interface 40 H3C vlan 40 H3C vlan40 port Ethernet 1 0 4 H3C vlan30 quit H3C interface Vlan interface 40 H3C Vlan interface40 ip address 192 168 4 1 24 H3C Vlan interface40 quit Enable...

Page 45: ...ion in Port View 1 1 1 2 3 Precautions 1 2 Chapter 2 802 1X Configuration Commands 2 1 Chapter 3 Enterprise Network Access Authentication Configuration Example 3 1 3 1 Network Application Analysis 3 1...

Page 46: ...mple Keywords 802 1x and AAA Abstract This article introduces the application of 802 1x on Ethernet switches in real network environments and then presents detailed configurations of the 802 1x client...

Page 47: ...herefore port or user based access control comes into being 802 1x is a port based network access control protocol It is widely accepted by vendors service providers and end users for its low cost sup...

Page 48: ...ct only after the dot1x feature is enabled globally z You can configure dot1x parameters associated with Ethernet ports or devices before enabling dot1x However the configured dot1x parameters only ta...

Page 49: ...or configuration information on other devices refer to related manuals Table 2 1 802 1x configuration commands To do Use the command Remarks Enable 802 1x globally dot1x Required Disabled by default I...

Page 50: ...s of network application analysis Table 3 1 Network application analysis Network requirements Solution Access of users is controlled by authentication Enable 802 1x Users can only access VLAN 10 befor...

Page 51: ...ers H3C system view H3C radius scheme cams H3C radius cams primary authentication 192 168 1 19 H3C radius cams primary accounting 192 168 1 19 H3C radius cams secondary authentication 192 168 1 20 H3C...

Page 52: ...Enable dot1x in port view H3C Ethernet1 0 3 dot1x Use the display command to view the configuration associated with 802 1x and AAA parameters H3C display dot1x interface ethernet1 0 3 Global 802 1x pr...

Page 53: ...0 Error Packets 0 Controlled User s amount to 0 H3C display radius scheme cams SchemeName cams Index 1 Type extended Primary Auth IP 192 168 1 19 Port 1812 Primary Acct IP 192 168 1 19 Port 1813 Seco...

Page 54: ...guration of CAMS authentication authorization and accounting server consists of four parts z Creating an accounting policy z Adding a service z Adding an account user z Configuring the access device T...

Page 55: ...CAMS configuration console On the navigation tree select Charges Management Accounting Policy to enter the Accounting Policy Management page as shown in Figure 3 4 Figure 3 4 Accounting Policy Manage...

Page 56: ...dollars as shown in Figure 3 6 Figure 3 6 Accounting Attribute Settings Click OK A monthly payment accounting policy is created III Adding a service 1 Enter the Service Config page Log in the CAMS con...

Page 57: ...z VLAN Assignment VLAN 100 z Authentication Binding Bind user IP address and bind user MAC address Figure 3 8 Add Service Click OK A service type is added IV Adding an account user 1 Enter the Accoun...

Page 58: ...ce z Prepaid Money 100 dollars z Bind multiple IP address and MAC address enable z Online Limit 1 z Max Idle Time 20 minutes z Service Information abc Figure 3 10 Add Account Click OK An account user...

Page 59: ...e item to enter the Access Device Configuration page to modify access device configuration like IP address shared key and authentication and accounting ports Figure 3 12 Access Device Configuration VI...

Page 60: ...em Configuration page and click Validate Now to make the configuration take effect immediately Figure 3 15 Validate Now on System Management page 3 3 3 Configuring the Supplicant System You need to in...

Page 61: ...erprise Network Access Authentication Configuration Example 3 12 I Starting up H3C authentication client Figure 3 16 H3C authentication client II Creating a connection Right click the 802 1x Authentic...

Page 62: ...es Configuration Examples Chapter 3 Enterprise Network Access Authentication Configuration Example 3 13 Figure 3 17 Create an 802 1x connection III Configuring connection attributes Click Next to ente...

Page 63: ...Switches Configuration Examples Chapter 3 Enterprise Network Access Authentication Configuration Example 3 14 Figure 3 18 Set special properties Keep default settings and click OK The prompt page appe...

Page 64: ...s Chapter 3 Enterprise Network Access Authentication Configuration Example 3 15 Figure 3 19 Page prompting that a connection is created successfully IV Initiating the connection Double click the info...

Page 65: ...time 802 1x authentication cooperates with CAMS to complete accounting and real time monitoring To verify that the configuration of IP to MAC binding is taking effect check that users can be re authen...

Page 66: ...rs can access network resources without 802 1x authentication z Use the display dot1x command to verify 802 1x is enabled globally and on the specified ports z Use the display interface command to ver...

Page 67: ...2 2 2 Configuration Commands 2 2 2 3 Configuring an H3C Switch as an SSH Client 2 6 2 3 1 Configuration Procedure 2 7 2 3 2 Configuration Commands 2 7 Chapter 3 SSH Configuration Example 3 1 3 1 SSH C...

Page 68: ...Keywords SSH RSA Abstract This article introduces the application of SSH on the H3C low end Ethernet switches in real network environments and then presents detailed configurations of the involved SSH...

Page 69: ...nd against the man in the middle attacks SSH uses the client server mode by which the SSH server accepts the connection requests from SSH clients and provides authentication SSH clients can establish...

Page 70: ...SSH server For such configuration refer to the related user manual 1 3 2 Configuring an SSH Client I Using SSH client software There are many kinds of SSH client software such as PuTTY and OpenSSH Yo...

Page 71: ...Password authentication For detailed command refer to Password authentication Configure a public key manually copy the public key from the client public key file to the SSH server For detailed command...

Page 72: ...public command to display the RSA public key after creating RSA key pair through the corresponding commands z Manually copy the RSA public key to the SSH server Thus the SSH server has the same public...

Page 73: ...the SSH user ssh user username service type stelnet sftp all Optional stelnet by default Set SSH authentication timeout time ssh server timeout seconds Optional By default the timeout time is 60 seco...

Page 74: ...d with the ssh user authentication type command takes precedence Note For common configuration commands refer toTable 2 2 III Configuring the client RSA public key manually Table 2 4 Configure the cli...

Page 75: ...h user username assign rsa key keyname Required If you issue this command multiple times the last command overrides the previous ones Note For general configuration commands refer toTable 2 2 IV Impor...

Page 76: ...s an SSH Client When the device connects to the SSH server as an SSH client you can configure whether the device supports first time authentication z First time authentication means that when the SSH...

Page 77: ...o Disabling first time authentic ation and manually configurin g the server public key As shown inTable 2 6 you need to configure the server public key to the client in the case that the SSH client do...

Page 78: ..._group1 dh_exchange_group prefer_ctos_cipher des aes128 prefer_stoc_cipher des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required In this command you can...

Page 79: ...utomatically saves the public key Exit public key view and return to system view peer public key end Specify the host key name of the server ssh client server ip server name assign rsa key keyname Opt...

Page 80: ...SSH Server for secure data exchange The host runs SSH2 0 client software Password authentication is required II Network diagram Figure 3 1 Network diagram of SSH server configuration using password a...

Page 81: ...01 password simple abc H3C luser client001 service type ssh level 3 H3C luser client001 quit Specify the authentication method of user client001 as password H3C ssh user client001 authentication type...

Page 82: ...window select SSH under Connection The window as shown in Figure 3 3 appears Figure 3 3 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version z As s...

Page 83: ...SH connection between the host SSH client and the switch SSH Server for secure data exchange The host runs SSH2 0 client software RSA authentication is required II Network diagram Figure 3 5 Network d...

Page 84: ...e the authentication type of the SSH client named client 001 as RSA H3C ssh user client001 authentication type rsa Note Before performing the following steps you must generate an RSA public key pair u...

Page 85: ...tion Example 3 6 Figure 3 6 Generate a client key pair 1 Note While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 3 6 Otherw...

Page 86: ...Configuration Examples Chapter 3 SSH Configuration Example 3 7 Figure 3 7 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving t...

Page 87: ...pops up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the private key private ppk in this case Figure 3 9 Generate a client k...

Page 88: ...es the SSH client software Putty version 0 58 as an example z Launch PuTTY exe to enter the following interface Figure 3 10 SSH client configuration interface 1 In the Host Name or IP address text box...

Page 89: ...nfiguration Examples Chapter 3 SSH Configuration Example 3 10 Figure 3 11 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version z Select Connection S...

Page 90: ...configuration interface 2 Click Browse to bring up the file selection window navigate to the private key file and click OK z From the window shown inFigure 3 12 click Open The following SSH client int...

Page 91: ...between Switch A SSH Client and Switch B SSH Server for secure data exchange The user name for login is client001 and the SSH server s IP address is 10 165 87 136 Password authentication is required I...

Page 92: ...vel to 3 H3C local user client001 H3C luser client001 password simple abc H3C luser client001 service type ssh level 3 H3C luser client001 quit Configure the authentication type of user client001 as p...

Page 93: ...136 RSA authentication is required II Network diagram Figure 3 15 Network diagram of SSH client configuration when using publickey authentication III Configuration procedure 1 Configure Switch B Crea...

Page 94: ...key public key code begin RSA key code view return to last view with public key code end H3C rsa key code 3047 H3C rsa key code 0240 H3C rsa key code C8969B5A 132440F4 0BDB4E5E 40308747 804F608B H3C r...

Page 95: ...Omitted Note After generating an RSA key pair on the client you need to configure the RSA public key for the SSH server and finish the SSH server configuration before continuing to configure the SSH c...

Page 96: ...am Figure 3 16 Network diagram of SSH client configuration III Configuration procedure 1 Configure Switch B Create a VLAN interface on the switch and assign an IP address for it to serve as the destin...

Page 97: ...blic key end H3C rsa public key public key code begin RSA key code view return to last view with public key code end H3C rsa key code 3047 H3C rsa key code 0240 H3C rsa key code C8969B5A 132440F4 0BDB...

Page 98: ...203 010001 Omitted 2 Configure Switch A Create a VLAN interface on the switch and assign an IP address which serves as the SSH client s address in an SSH connection H3C system view H3C interface vlan...

Page 99: ...the public key name as Switch002 H3C rsa peer public key Switch002 RSA public key view return to System View with peer public key end H3C rsa public key public key code begin RSA key code view return...

Page 100: ...nt 10 165 87 136 assign rsa key Switch002 Establish the SSH connection to server 10 165 87 136 H3C ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165...

Page 101: ...BGP Confederation Configuration Example 2 9 2 1 6 BGP Route Reflector Configuration Example 2 11 2 1 7 BGP Path Selection Configuration Example 2 14 Chapter 3 Comprehensive Configuration Example 3 1...

Page 102: ...tents ii 3 4 1 Verifying the Configuration of Routing Policy and Static Routes 3 31 3 4 2 Verifying the BGP and IGP Interaction Configuration 3 32 3 4 3 Verifying the Route Backup Configuration 3 33 3...

Page 103: ...n addition periodic RIP updating multicasts or broadcasts consume many network resources III OSPF OSPF is complicated to configure and requires high performance CPU and memory It is applicable to medi...

Page 104: ...List Task Details Static route configuration 1 2 2 RIP configuration 1 2 3 OSPF configuration 1 2 4 BGP configuration 1 2 5 1 2 2 Static Route Configuration Table 1 3 Configure a static route Operati...

Page 105: ...o filter incoming outgoing routes Optional 1 2 3 VII Setting RIP preference Optional 1 2 3 VIII Enabling load sharing among interfaces Optional 1 2 3 IX Configuring RIP route control Configuring RIP t...

Page 106: ...ate packets rip work Optional By default all interfaces are allowed to send and receive RIP update packets III Specifying the RIP version on an interface Table 1 7 Specify the RIP version on an interf...

Page 107: ...P routes on this interface rip metricout value Optional By default the additional routing metric added for outgoing routes on an interface is 1 V Configuring RIP route summarization Table 1 9 Configur...

Page 108: ...advertised from a specified address filter policy acl number ip prefix ip prefix name export protocol process id Configure RIP to filter outgoing routes filter policy route policy route policy name e...

Page 109: ...cess id cost value route policy route policy name Required By default RIP does redistribute any route from other protocols XI Configuring RIP timers Table 1 15 Configure RIP timers Operation Command R...

Page 110: ...erface type interface number Set RIP 2 packet authentication mode rip authentication mo de simple password md5 rfc2453 key string rfc2082 key string key id Required If you specify to use MD5 authentic...

Page 111: ...eived routes Optional 1 2 4 VII Configuring OSPF interface cost Optional 1 2 4 VIII Configuring OSPF route priority Optional 1 2 4 IX Configuring the maximum number of OSPF ECMP routes Optional 1 2 4...

Page 112: ...work ip address wildcard mask Required By default an interface does not belong to any area II Configuring OSPF Area Attributes Table 1 22 Configure OSPF area attributes Operation Command Remarks Enter...

Page 113: ...d Remarks Enter system view system view Enter interface view interface interface type interface number Configure the network type of the OSPF interface ospf network type broadcast nbma p2mp unicast p2...

Page 114: ...abr summary ip address mask advertise not advertise Required This command takes effect only when it is configured on an ABR By default this function is disabled on an ABR Table 1 27 Configure ASBR ro...

Page 115: ...cost on the interface ospf cost value Optional By default the interface calculates the OSPF cost according to the current baud rate on it For a VLAN interface on the switch a fixed value of 10 is use...

Page 116: ...information of other protocols Configure OSPF to filter outgoing routes filter policy acl number ip prefix ip prefix name export protocol Optional By default OSPF does not filter advertised routes Ena...

Page 117: ...uter on the interface ospf timer dead seconds Optional By default the dead time for the OSPF neighboring router on a p2p or broadcast interface is 40 seconds and that for the OSPF neighboring router o...

Page 118: ...rks Enter system view system view Enter OSPF view ospf process id router id router id Disable OSPF packet transmission on a specified interface silent interface silent interface type silent interface...

Page 119: ...ill in the MTU field when transmitting DD packets ospf mtu enable Optional By default the MTU value is 0 when an interface transmits DD packets That is the actual MTU value of the interface is not fil...

Page 120: ...P TRAP messages by process ID 1 2 5 BGP Configuration Table 1 41 BGP configuration tasks Configuration task Remarks Related section Configuring Basic BGP Functions Required 1 2 5 I Importing routes Op...

Page 121: ...is disabled Specify the AS number for the BGP peers peer group name as number as number By default a peer is not assigned an AS number Assign a description string for a BGP peer a BGP peer group peer...

Page 122: ...mport the default route to the BGP routing table default route imported Optional By default BGP does not import default routes to BGP routing table Import and advertise routing information generated b...

Page 123: ...t route advertising peer group name default route advertise route policy route policy name Required By default a BGP router does not send default routes to a specified peer peer group V Configuring ro...

Page 124: ...ased BGP route filtering policy AS path ACL based BGP route filtering policy or IP prefix list based BGP route filtering policy is configured for a peer peer group VI Configure route advertisement fil...

Page 125: ...fix list to filter BGP routes to a peer group peer group name ip prefix ip prefix name export Required Not configured by default VII Disable BGP IGP Route Synchronization Table 1 7 Disable BGP IGP rou...

Page 126: ...Description Enter system view system view Enter BGP view bgp as number Configure the management preference of the exterior interior and local routes preference ebgp value ibgp value local value Optio...

Page 127: ...ed peer group name ip address allow as loop number Optional By default the number of local AS number occurrences allowed is 1 Assign an AS number for a peer group peer group name as number as number O...

Page 128: ...ame route update interva l seconds Optional By default the interval at which a peer group sends the same route update packet to IBGP peers is 15 seconds and to EBGP peers is 30 seconds Configure the n...

Page 129: ...r Create an EBGP peer group group group name external Configure the AS number of a peer group peer group name as number as number Create an EBGP peer group Add a peer to a peer group peer ip address g...

Page 130: ...roup XIII Configuring BGP RR Table 1 13 Configure BGP RR Operation Command Description Enter system view system view Enter BGP view bgp as number Configure the local router as the RR and configure the...

Page 131: ...Route Policy Configuration Table 1 15 Route Policy Configuration Configuration task Remarks Related section Configuring an ip prefix list Optional 1 2 6 I AS path list configuration Optional 1 2 6 II...

Page 132: ...em view system view Configure basic community list ip community list basic comm list number permit deny aa nn internet no export subconfed no advertise no export Optional By default no BGP community l...

Page 133: ...x name Optional By default no matching is performed on the address of routing information Define a rule to match the routing cost of routing information if match cost value Optional By default no matc...

Page 134: ...no export no advertise additive Optional Set next hop IP address for routing information apply ip next hop ip address Optional Set local preference of BGP routing information apply local preference lo...

Page 135: ...nts 1 Requirement analysis A small company requires any two nodes in its network communicate with each other The network should be simple and stable The customer hopes to make the best use of the exis...

Page 136: ...tic routes on Switch C SwitchC system view SwitchC ip route static 1 1 1 0 255 255 255 0 1 1 2 1 SwitchC ip route static 1 1 4 0 255 255 255 0 1 1 3 2 Configure the hosts Configure the default gateway...

Page 137: ...n II Configuration procedure Note Only RIP related configurations are described below Before performing the following configurations make sure that the data link layer works normally and the IP addres...

Page 138: ...environment assign proper priorities to interfaces 2 Network diagram Figure 2 3 shows the network diagram Device Interface IP address Router ID Interface priority Switch A Vlan int1 196 1 1 1 24 1 1 1...

Page 139: ...1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 Configure Switch D SwitchD system view SwitchD interface Vlan interface 1 SwitchD Vlan interface1 ip address 196 1 1 4 255 255 255 0 SwitchD Vlan interface1...

Page 140: ...k Configuration Examples I Network requirements 1 Requirement analysis Devices in the network run OSPF to realize interconnection The network is split into three areas one backbone area and two non ba...

Page 141: ...SwitchB system view SwitchB interface Vlan interface 1 SwitchB Vlan interface1 ip address 152 1 1 1 255 255 255 0 SwitchB Vlan interface1 quit SwitchB interface Vlan interface 2 SwitchB Vlan interface...

Page 142: ...area 0 0 0 1 quit SwitchA ospf 1 quit Configure Switch B SwitchB ospf 1 area 1 SwitchB ospf 1 area 0 0 0 1 vlink peer 1 1 1 1 SwitchB ospf 1 area 0 0 0 1 quit Display the OSPF routing table on Switch...

Page 143: ...ieve the goal 2 Network diagram Figure 2 5 shows the network diagram Device Interface IP address AS Switch A Vlan int 10 172 68 10 1 24 Vlan int 50 10 1 1 1 24 Switch B Vlan int 10 172 68 10 2 24 Swit...

Page 144: ...eer 172 68 10 1 group confed1001 as number 1001 SwitchB bgp group confed1003 external SwitchB bgp peer 172 68 10 3 group confed1003 as number 1003 Configure Switch C SwitchC system view SwitchC bgp 10...

Page 145: ...d active I internal D damped H history S aggregate suppressed Dest Mask Next Hop Med Local pref Origin Path I 8 1 1 0 24 156 10 1 2 0 100 IGP 1003 200 10 1 1 0 24 0 0 0 0 0 100 IGP Routes total 2 The...

Page 146: ...Vlan int 4 194 1 1 2 24 200 Figure 2 6 Network diagram for BGP route reflector configuration 3 Configuration plan z Run EBGP between the peers in AS 100 and AS 200 Advertise network 1 0 0 0 8 z Run IB...

Page 147: ...figure Switch C Configure the VLAN interface IP addresses SwitchC system view SwitchC interface Vlan interface 3 SwitchC Vlan interface3 ip address 193 1 1 1 255 255 255 0 SwitchC Vlan interface3 quit...

Page 148: ...quirement is to control the data forwarding path from AS 200 to AS 100 The following give two plans to meet the requirement z Use the MED attribute to control the forwarding path for packets from AS 2...

Page 149: ...dresses SwitchA system view SwitchA interface Vlan interface 2 SwitchA Vlan interface2 ip address 192 1 1 1 255 255 255 0 SwitchA Vlan interface2 quit SwitchA interface Vlan interface 3 SwitchA Vlan i...

Page 150: ...icy apply_med_50 to routing updates to the peer group ex193 the peer 193 1 1 2 and apply_med_100 to routing updates to the peer group ex192 the peer 192 1 1 2 SwitchA bgp 100 SwitchA bgp peer ex193 ro...

Page 151: ...chC ospf 1 area 0 0 0 0 network 193 1 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 0 network 195 1 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 0 quit SwitchC ospf 1 quit Enable BGP create a peer group and add...

Page 152: ...t the routes destined for 1 0 0 0 8 SwitchC acl number 2000 SwitchC acl basic 2000 rule permit source 1 0 0 0 0 255 255 255 SwitchC acl basic 2000 rule deny source any SwitchC acl basic 2000 quit Crea...

Page 153: ...Routing H3C Low End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples 2 19 the local preference is not set for route 1 0 0 0 on Switch B so the route uses the default value 100...

Page 154: ...istribution layer They provide access services for users The specific requirements are as follows z Fast convergence is required for AS 200 and AS 400 because their networks are quite large and compli...

Page 155: ...hen redistributing BGP routes for filtering z Run OSPF in AS 400 The device in AS 400 connecting to AS 100 runs both OSPF and BGP Apply a routing policy when redistributing BGP routes for filtering z...

Page 156: ...s or S5600 series Ethernet switches can serve as S100_1 S100_2 S400 S200 S300 z You can use other partially layer 3 capable switches as S300_B 3 1 3 Routing Protocols and Related Parameters on Devices...

Page 157: ...P to advertise route updates but does not receive route updates and use static routing to access the ISP BGP and IGP Interaction Configuration Example IGP and BGP share routes Apply a routing policy f...

Page 158: ...nfiguration z Configure S300 Run RIP on the interface with the IP address 206 1 4 0 S300 system view S300 rip S300 rip network 206 1 4 0 Disable RIPv2 route summarization S300 rip undo summary S300 ri...

Page 159: ...and 166 1 0 0 S300_B system view S300_B rip S300_B rip network 162 1 0 0 S300_B rip network 166 1 0 0 Disable RIPv2 route summarization S300_B rip undo summary S300_B rip quit Run RIPv2 on VLAN interf...

Page 160: ...its area ID as 0 S200 system view S200 ospf S200 ospf 1 area 0 S200 ospf 1 area 0 0 0 0 network 206 1 2 0 0 0 0 255 z Configure S200_0 Run OSPF on the interface connected to network 206 1 2 0 24 and...

Page 161: ...igure 3 4 Network diagram for AS 400 configuration z Configure S400 Run OSPF on the interface connected to network 206 1 6 0 24 and specify its area ID as 0 S400 system view S400 ospf S400 ospf 1 area...

Page 162: ...nt 23 196 2 3 3 24 400 Figure 3 5 Network diagram for BGP configuration z Configure S100_1 Configure the router ID of S100_1 as 1 1 1 1 S100_1 system view S100_1 router id 1 1 1 1 Enable BGP and speci...

Page 163: ...er 196 2 3 3 in AS 400 into peer group 400 S100_2 bgp peer 196 3 1 1 group 100 S100_2 bgp peer 196 2 2 2 group 300 as number 300 S100_2 bgp peer 196 2 3 3 group 400 as number 400 Advertise networks 19...

Page 164: ...00 Add peer 206 1 3 3 in AS 200 into peer group 200 S300 bgp peer 196 2 2 1 group 100 as number 100 S300 bgp peer 206 1 3 3 group 200 as number 200 Advertise networks 206 1 3 0 and 196 2 2 0 S300 bgp...

Page 165: ...00_B through RIP allow S300_B to advertise routes to S300_A and forbid S300_B to receive routes advertised by S300_A Packets from S300_B to S300_A are forwarded through the default route II Network di...

Page 166: ...apply a routing policy to redistribute routes with IP prefixes 162 1 1 0 24 162 1 2 0 24 162 1 3 0 24 162 1 4 0 24 166 1 3 0 24 and 166 1 4 0 24 only II Network diagram Figure 3 7 Network diagram for...

Page 167: ...66 1 4 0 24 S300 ip ip prefix rip_import index 10 permit 162 1 1 0 24 S300 ip ip prefix rip_import index 20 permit 162 1 2 0 24 S300 ip ip prefix rip_import index 30 permit 166 1 3 0 24 S300 ip ip pre...

Page 168: ...400 ospf S400 ospf 1 import route bgp route policy ospf_import 3 2 6 Route Backup Configuration Example I Network requirements As shown in Figure 3 8 implement route backup on S200_10 Run OSPF between...

Page 169: ...ination IP addresses as 162 1 1 0 24 and 162 1 2 0 24 Specify the next hop IP address as 166 1 5 1 and the default preference to 200 S300_A system view S300_A ip route static 162 1 1 0 255 255 255 0 1...

Page 170: ...24 162 1 4 1 24 300 S400_0 Vlan int 663 166 1 3 1 24 Vlan int 664 166 1 4 1 24 400 Figure 3 9 Network diagram for MED attribute configuration III Configuration procedure z Configure S100_1 Define a pr...

Page 171: ...policy as200 Set the MED value of the route matching prefix list as300_1 to 200 S100_1 route policy as200 permit node 30 S100_1 route policy if match ip prefix as300_1 S100_1 route policy apply cost 2...

Page 172: ...S100_2 route policy apply cost 200 S100_2 route policy quit Create node 20 with the permit matching mode in routing policy as300 Set the MED value of the route matching prefix list as200_2 to 200 S10...

Page 173: ...tion on Devices 3 3 1 Displaying the Whole Configuration on Devices I S100_1 S100_1 display current configuration sysname S100_1 router id 1 1 1 1 vlan 11 vlan 15 vlan 31 interface Vlan interface11 ip...

Page 174: ...cost 100 route policy as200 permit node 20 if match ip prefix as200_2 apply cost 100 route policy as200 permit node 30 if match ip prefix as300_1 apply cost 200 route policy as200 permit node 40 if m...

Page 175: ...5 255 255 0 interface Cascade1 2 1 interface Cascade1 2 2 undo fabric port Cascade1 2 1 enable undo fabric port Cascade1 2 2 enable interface NULL0 bgp 100 network 196 2 2 0 network 196 2 3 0 network...

Page 176: ...x as300_2 apply cost 100 route policy as300 permit node 50 if match ip prefix other ip ip prefix as200_1 index 10 permit 162 1 1 0 24 ip ip prefix as200_2 index 10 permit 162 1 2 0 24 ip ip prefix as3...

Page 177: ...number 100 group 300 external peer 206 1 3 2 group 300 as number 300 preference 200 200 200 ospf 1 import route bgp route policy ospf_import area 0 0 0 0 network 206 1 2 0 0 0 0 255 route policy ospf...

Page 178: ...1 1 1 255 255 255 0 ospf 1 area 0 0 0 10 network 166 1 1 0 0 0 0 255 area 0 0 0 0 network 206 1 2 0 0 0 0 255 V S200_10 S200_10 display current configuration sysname S200_10 vlan 621 to 622 vlan 661...

Page 179: ...0 0 0 0 255 network 166 1 1 0 0 0 0 255 ip route static 0 0 0 0 0 0 0 0 166 1 5 2 preference 200 VI S300 S300 display current configuration sysname S300 router id 3 1 1 1 vlan 13 vlan 14 vlan 22 inter...

Page 180: ...undo summary network 206 1 4 0 import route bgp route policy rip_import route policy rip_import permit node 10 if match ip prefix rip_import ip ip prefix rip_import index 10 permit 162 1 1 0 24 ip ip...

Page 181: ...ss 166 1 5 2 255 255 255 0 rip undo summary network 206 1 4 0 network 166 1 0 0 import route static ip route static 162 1 1 0 255 255 255 0 166 1 5 1 preference 200 ip route static 162 1 2 0 255 255 2...

Page 182: ...255 255 0 rip version 2 multicast rip undo summary network 166 1 0 0 network 162 1 0 0 filter policy 2000 import ip route static 0 0 0 0 0 0 0 0 166 1 2 1 preference 60 IX S400 S400 display current c...

Page 183: ...number 100 group 100_2 external peer 196 2 3 2 group 100_2 as number 100 preference 200 200 200 ospf 1 import route bgp route policy ospf_import area 0 0 0 0 network 206 1 6 0 0 0 0 255 route policy...

Page 184: ...5 255 0 ospf 1 area 0 0 1 44 network 166 1 3 0 0 0 0 255 network 166 1 4 0 0 0 0 255 area 0 0 0 0 network 206 1 6 0 0 0 0 255 3 4 Verifying the Configuration 3 4 1 Verifying the Configuration of Routi...

Page 185: ...1 6 3 Vlan interface16 162 1 2 0 24 O_ASE 150 1 206 1 6 3 Vlan interface16 162 1 3 0 24 O_ASE 150 1 206 1 6 3 Vlan interface16 162 1 4 0 24 O_ASE 150 1 206 1 6 3 Vlan interface16 166 1 3 0 24 DIRECT...

Page 186: ...0 24 O_ASE 150 1 166 1 1 1 Vlan interface661 166 1 1 0 24 DIRECT 0 0 166 1 1 2 Vlan interface661 166 1 1 2 32 DIRECT 0 0 127 0 0 1 InLoopBack0 166 1 3 0 24 O_ASE 150 1 166 1 1 1 Vlan interface661 166...

Page 187: ...Table public net Destination Mask Protocol Pre Cost Nexthop Interface 0 0 0 0 0 STATIC 200 0 166 1 5 2 Vlan interface665 127 0 0 0 8 DIRECT 0 0 127 0 0 1 InLoopBack0 127 0 0 1 32 DIRECT 0 0 127 0 0 1...

Page 188: ...TH starts with 100 and ends with 200 S400 ip as path acl 1 permit 100 200 Display the routes that match AS path ACL 1 S400 display bgp routing as path acl 1 Flags valid active I internal D damped H hi...

Page 189: ...ms S400_0 tracert a 166 1 3 1 162 1 3 1 traceroute to 162 1 3 1 162 1 3 1 30 hops max 40 bytes packet 1 206 1 6 3 10 ms 4 ms 3 ms 2 196 2 3 2 13 ms 3 ms 5 ms 3 196 2 2 2 12 ms 5 ms 3 ms 4 206 1 4 1 12...

Page 190: ...Example 2 1 2 1 1 Requirement Analysis 2 1 2 1 2 Configuration Plan 2 1 2 1 3 Network Diagram 2 2 2 1 4 Configuration Procedure 2 2 2 2 PIM SM plus IGMP plus IGMP Snooping Configuration Examples 2 8...

Page 191: ...espectively Multicast group filtering in IGMP and IGMP Snooping is mainly described for this scenario 2 Deployment of PIM SM plus IGMP with and without IGMP Snooping respectively Simulated joining is...

Page 192: ...y neighboring multicast router II PIM Protocol Independent Multicast PIM provides IP multicast forwarding by leveraging unicast routing tables generated by static routing or any unicast routing protoc...

Page 193: ...hich carry multicast source information between these MSDP peers thus to allow multicast traffic to flow between different PIM SM domains V IGMP Proxy When a multicast routing protocol such as PIM DM...

Page 194: ...e these tasks to configure IGMP Snooping Configuration task Remarks Enabling IGMP Snooping Required Configuring IGMP Snooping timers Optional Configuring fast leave processing Optional Configuring a m...

Page 195: ...Optional By default the aging time of the multicast group member port is 260 seconds III Configuring fast leave processing 1 Configure fast leave processing in system view Follow these steps to config...

Page 196: ...nfigure a multicast group filter igmp snooping group policy acl number vlan vlan list Required Disabled by default V Configuring the maximum number of multicast groups that can be joined on a port Fol...

Page 197: ...seconds Configure a source IP address for general query messages igmp snooping general query source ip current interface ip address Optional The system default is 0 0 0 0 1 3 2 Configuring IGMP Compl...

Page 198: ...lt Caution The following configurations in this chapter are implemented after multicast routing is enabled on the device and IGMP is enabled on the corresponding interface II Configuring IGMP version...

Page 199: ...y count igmp robust count robust value Optional The system default is two Configure the IGMP other querier present interval igmp timer other querier present seconds Optional The system default is 120...

Page 200: ...r in VLAN interface view To do Use the command Remarks Enter system view system view Enter VLAN interface view interface Vlan interface interface number Configure a multicast group filter igmp group p...

Page 201: ...mand Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure simulated joining igmp host join group address vlan vlan id Optional Disabled by...

Page 202: ...erve as an IGMP proxy make sure that the IP address is not the lowest on this subnet to prevent this interface from being elected as the IGMP querier on the subnet as this will result in failure of mu...

Page 203: ...im dm Required Configure the hello interval on the interface pim timer hello seconds Optional The system default is 30 seconds Configure a limit on the number of PIM neighbors on the interface pim nei...

Page 204: ...e a legal C RP address range crp policy acl number Optional You can define the related IP address ranges in an ACL No legal C RP address range is configured by default Configure to filter the register...

Page 205: ...SDP view msdp Required Create an MSDP peer connection peer peer address connect interface interface type interface number Required You need to configure related parameters on both devices between whic...

Page 206: ...system view system view Enter MSDP view msdp Add an MSDP peer in a mesh group peer peer address mesh group name Required An MSDP peer does not belong to any mesh group by default Note z Before groupin...

Page 207: ...tering multicast sources in SA messages Optional Configure a filtering rule for receiving or forwarding SA messages Optional 1 Configure the RP address in SA messages Follow these steps to configure t...

Page 208: ...default Enable the router to send SA requests to the designated MSDP peer peer peer address request sa enable Optional By default upon receiving a new Join message a router does not send an SA reques...

Page 209: ...w system view Enter MSDP view msdp Configure a filtering rule for receiving or forwarding SA messages peer peer address sa policy import export acl acl number Optional By default no filtering rule is...

Page 210: ...e uplink backup for the directly attached stub network N1 which comprises multicast receivers Host C and Host D 3 All the Layer 3 switches run RIP for unicast routing and run PIM DM for multicast rout...

Page 211: ...an int102 192 168 3 1 24 Ethernet1 0 2 Switch D Vlan int300 10 110 5 1 24 Ethernet1 0 1 Vlan int103 192 168 1 2 24 Ethernet1 0 2 Vlan int101 192 168 2 2 24 Ethernet1 0 3 Vlan int102 192 168 3 2 24 Eth...

Page 212: ...k 10 110 1 0 SwitchA rip quit The configuration on Switch B Switch C and Switch D is similar to the configuration on Switch A III Configuring the multicast protocols Enable IP multicast routing on Swi...

Page 213: ...1 1 1 from Source and start receiving the multicast data on Host A and take the following steps to verify the configurations made on the switches 1 Check whether the multicast stream can flow to Host...

Page 214: ...otal 1 entry Listed Matched 1 entry View the multicast group information that contains port information on Switch A SwitchA display mpm group Total 1 IP Group s Total 1 MAC Group s Vlan id 101 Total 0...

Page 215: ...1 1 1 on Switch E SwitchE system view SwitchE acl basic 2000 rule deny source 224 1 1 1 0 SwitchE acl basic 2000 rule permit source any SwitchE acl basic 2000 quit SwitchE igmp snooping group policy...

Page 216: ...d then display the multicast forwarding entries of Switch A Configure to filter the multicast group 224 1 1 1 on VLAN interface 100 of Switch A SwitchA system view SwitchA acl number 2000 SwitchA acl...

Page 217: ...le and stable reception of multicast data Switch B and Switch C provide uplink backup for the directly attached stub network N1 which comprises multicast receivers Host C and Host D 3 Configure the PI...

Page 218: ...2 Switch D Vlanint300 10 110 5 1 24 Ethernet1 0 1 Vlanint101 192 168 1 2 24 Ethernet1 0 2 Vlanint105 192 168 4 2 24 Ethernet1 0 3 Switch E Vlanint104 192 168 3 2 24 Ethernet1 0 3 Vlanint103 192 168 2...

Page 219: ...itches as per Figure 2 2 The detailed configuration steps are omitted here II Configuring the unicast routing protocol Configure a router ID and enable OSPF on Switch A SwitchA system view SwitchA rou...

Page 220: ...ese two switches Configure the group range to be served by the RP and configure a C BSR and a C RP on Switch D SwitchD system view SwitchD acl number 2005 SwitchD acl basic 2005 rule permit source 225...

Page 221: ...witch E SwitchE display pim neighbor Neighbor s Address Interface Name Uptime Expires 192 168 9 1 Vlan interface102 02 47 04 00 01 42 192 168 2 1 Vlan interface103 02 45 04 00 04 46 192 168 3 1 Vlan i...

Page 222: ...0 Protocol 0x1 IGMP never timeout Matched 1 S G entries 1 G entries 0 RP entry The information on Switch B and Switch C is similar to that on Switch A View PIM routing table entries on Switch D Switch...

Page 223: ...ntry 0 RP entry View the information about multicast group entries created by IGMP Snooping on Switch F SwitchF display igmp snooping group Total 1 IP Group s Total 1 MAC Group s Vlan id 100 Total 1 I...

Page 224: ...Configure Ethernet 1 0 21 as a simulated host to join multicast group 225 1 1 1 SwitchB system view SwitchB interface Vlan interface 200 SwitchB Vlan interface200 igmp host join 225 1 1 1 port Ethern...

Page 225: ...ut Layer 3 devices Switch C connects to the multicast source through Ethernet 1 0 3 At least one receiver is attached to Switch B and Switch C respectively 2 Enable IGMP Snooping on Switch A Switch B...

Page 226: ...g globally SwitchB system view SwitchB igmp snooping enable Enable IGMP Snooping ok Create VLAN 100 add Ethernet 1 0 1 through Ethernet 1 0 3 into VLAN 100 and then enable IGMP Snooping in this VLAN S...

Page 227: ...GMP packet statistics on Switch B SwitchB display igmp snooping statistics Received IGMP general query packet s number 16 Received IGMP specific query packet s number 3 Received IGMP V1 report packet...

Page 228: ...orts from the receivers View multicast group information on Switch A Switch A display igmp snooping group Total 1 IP Group s Total 1 MAC Group s Vlan id 100 Total 1 IP Group s Total 1 MAC Group s Rout...

Page 229: ...Requirements To enable communication between receivers and multicast sources in different PIM SM domains use MSDP to establish MSDP peering relationships between the RPs of different PIM SM domains so...

Page 230: ...Loop0 2 2 2 2 32 Vlan int101 192 168 1 1 24 Switch F Vlan int400 10 110 3 1 24 Loop0 1 1 1 1 32 Vlan int102 192 168 3 2 24 Loop0 3 3 3 3 32 SwitchG Vlan int100 10 110 10 1 24 Vlan int400 10 110 3 2 2...

Page 231: ...SM on each interface and enable IGMP on VLAN interface 200 SwitchA system view SwitchA multicast routing enable SwitchA interface vlan interface 100 SwitchA Vlan interface100 pim sm SwitchA Vlan inte...

Page 232: ...tchC pim SwitchC pim c bsr loopback 0 24 SwitchC pim c rp loopback 0 SwitchC pim quit The configuration on Switch D and Switch F is similar to the configuration on Switch C IV Configuring inter AS BGP...

Page 233: ...C display bgp peer Peer AS num Ver Queued Tx Msg Rx Msg Tx Up Down State 192 168 1 2 200 4 0 950 945 15 41 14 Established View the information about BGP peering relationships on Switch D SwitchD displ...

Page 234: ...t Count 192 168 1 2 Up 00 12 27 200 13 0 View the brief information about MSDP peering relationships on Switch D SwitchD display msdp brief MSDP Peer Brief Information Peer s Address State Up Down tim...

Page 235: ...messages none Sending SA Requests status disable Minimum TTL to forward SA with encapsulated data 0 SAs learned from this peer 0 SA cache maximum for the peer none Input queue size 0 Output queue siz...

Page 236: ...ation Guide 1 2 1 2 1 Configuring Basic VLAN Settings 1 2 1 2 2 Configuring Basic Settings of a VLAN Interface 1 4 1 2 3 Protocol VLAN Configuration 1 5 Chapter 2 Configuration Examples 2 1 2 1 VLAN C...

Page 237: ...ples Keywords VLAN 802 1q VLAN interface protocol VLAN Abstract This document introduces how VLAN of the H3C series Ethernet switches is applied and configured in practical networking implementations...

Page 238: ...S5600 z z z S5100 EI z z S3100 SI z S3100 52P z z Note z In the above table the solid dots z indicate that the corresponding models provide full support for the function the hollow dots indicate that...

Page 239: ...workgroups by assigning them to different VLANs Follow these steps to create a VLAN and perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VL...

Page 240: ...erface type interface number Configure the port type port link type access trunk hybrid Optional By defaults all ports are access ports For an access port port access vlan vlan id For a trunk port por...

Page 241: ...k mask length sub Required No IP address is assigned to any VLAN interface by default Configure the description of the current VLAN interface description text Optional By default the description of a...

Page 242: ...col VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Create a protocol template protocol vlan protocol index at ip ipx ethernetii llc raw snap mode etherne...

Page 243: ...about the protocol templates of the specified VLAN s display protocol vlan vlan vlan id to vlan id all Display information about the protocol templates of the protocol VLANs associated with the specif...

Page 244: ...nts use Windows Use VLANs to fulfill the following z Employees of the same department can communicate with each other while employees of different departments cannot z The R D department and the marke...

Page 245: ...tlines I Configuration on Switch A Figure 2 2 Network diagram for Switch A On Switch A assign the port connecting to the independent office area of the R D department and the port connecting to the in...

Page 246: ...must be the same on both Switch A and Switch B Configure the port connecting to Core Switch A to permit the frames of all existing VLANs to pass through with VLAN tags III Configuration on Core Switc...

Page 247: ...and Core Switch A to permit the frames of the VLAN created for the public servers to pass through besides the frames of the three departments As Core Switch B is the egress device for accessing the I...

Page 248: ...nfiguration procedure z Configure Switch A Create VLAN 100 VLAN 200 and VLAN 300 SwitchA system view SwitchA vlan 100 SwitchA vlan100 quit SwitchA vlan 200 SwitchA vlan200 quit SwitchA vlan 300 Switch...

Page 249: ...t link hybrid SwitchA Ethernet1 0 10 port hybrid vlan 100 300 untagged Associate Ethernet 1 0 10 with all the protocol templates of VLAN 100 and VLAN 300 SwitchA Ethernet1 0 10 port hybrid protocol vl...

Page 250: ...ration procedure is the same as that on Switch B Create VLAN interface 100 and assign it IP address 192 168 30 1 Use this address as the IP address of the gateway for the R D department Allocate IP ad...

Page 251: ...he configuration procedure is omitted here Create a VLAN interface on Core Switch B to forward traffic of the marketing department to the Internet and assign an IP address to the VLAN interface Assign...

Page 252: ...mmended to enable DHCP Snooping on Switch A and Switch B to monitor the IP addresses of clients For detailed information about DHCP Snooping configuration refer to the user manual of the S3600 series...

Page 253: ...VLAN H3C Low End Ethernet Switches Configuration Examples Chapter 3 Appendix 3 1 Chapter 3 Appendix 3 1 Protocols and Standards IEEE 802 1Q Virtual Bridged Local Area Networks...

Page 254: ...1 2 Configuring Voice VLAN 1 1 1 2 1 Configuring a Voice VLAN in automatic mode 1 1 1 2 2 Configuring a Voice VLAN in manual mode 1 2 Chapter 2 Configuration Examples 2 1 2 1 Voice VLAN Configuration...

Page 255: ...n Examples Abstract ii Voice VLAN Configuration Examples Keywords VLAN 802 1q voice VLAN Abstract This document introduces how voice VLAN of the H3C series Ethernet switches is applied and configured...

Page 256: ...ple For how to configure voice VLAN on other models refer to their accompanied operation manuals z The configuration example in this guide provides only basic configuration procedures For detailed inf...

Page 257: ...mode on the port voice vlan mode auto Optional Automatic mode applies by default 1 2 2 Configuring a Voice VLAN in manual mode Follow these steps to configure a voice VLAN in manual mode To do Use th...

Page 258: ...he port undo voice vlan mode auto Required Automatic mode applies by default Return to system view quit Enter VLAN view vlan vlan id Access port Assign the specified port s to the VLAN port interface...

Page 259: ...ed by within 100 minutes z Network requirements of the IP phones in the meeting rooms The company deploys IP phones in two meeting rooms The IP phone in meeting room 1 sends VLAN untagged voice traffi...

Page 260: ...resses automatically they should send an untagged DHCP request to the DHCP server for an IP address upon their startup When the DHCP server receives a request it responds with a temporary IP address a...

Page 261: ...r getting IP addresses within the voice VLAN configure VLAN 200 as the voice VLAN and configure the voice VLAN to operate in automatic mode on the port Thus the port can join exit the voice VLAN autom...

Page 262: ...Switch B the configuration on Ethernet 1 0 1 is different from that on Ethernet 1 0 2 z Ethernet 1 0 1 The IP phones connected to Ethernet 1 0 1 are configured with an IP address manually and they se...

Page 263: ...mode Access hybrid trunk VLAN400 pvid untagged Ethernet 1 0 2 Manual mode Trunk hybrid VLAN400 tagged GigabitEthernet 1 1 2 Trunk hybrid VLAN400 tagged In the following configuration Ethernet 1 0 1 i...

Page 264: ...net 1 0 3 and GigabitEthernet 1 0 4 to the two VLANs respectively thus achieving Layer 3 forwarding Table 2 3 lists the interface and port configurations on Switch A Table 2 3 Interface and port confi...

Page 265: ...ice VLAN on Ethernet 1 0 10 SwitchA Ethernet1 0 10 voice vlan enable Set the voice VLAN aging time to 100 minutes SwitchA Ethernet1 0 10 quit SwitchA voice vlan aging 100 Enable voice VLAN security mo...

Page 266: ...hernet1 0 2 voice vlan enable SwitchB Ethernet1 0 2 quit Add an OUI address 00e3 f200 0000 with the description of Meeting room1 globally SwitchB voice vlan mac address 00e3 f200 0000 mask ffff ff00 0...

Page 267: ...200 CoreSwitch Vlan interface200 dhcp select interface CoreSwitch Vlan interface200 quit CoreSwitch interface Vlan interface 400 CoreSwitch Vlan interface400 dhcp select interface Note For detailed i...

Page 268: ...Voice VLAN H3C Low End Ethernet Switches Configuration Examples Chapter 3 References 3 1 Chapter 3 References 3 1 Protocols and Standards IEEE 802 1Q Virtual Bridged Local Area Networks...

Page 269: ...net Switches 1 1 1 2 Configuration Guide 1 2 1 2 1 Configuring QinQ 1 2 1 2 2 Configuring Selective QinQ 1 3 Chapter 2 Configuration Examples 2 1 2 1 QinQ Configuration Example 2 1 2 1 1 Network Requi...

Page 270: ...ract ii QinQ Configuration Examples Keywords QinQ selective QinQ Abstract This document introduces how to use and configure QinQ also known as VLAN VPN and selective QinQ on the H3C series Ethernet sw...

Page 271: ...itches Feature right Model below QinQ Selective QinQ S3600 EI z z S3600 SI z z S5600 z z S5100 EI z z S5100 SI z S3100 SI z S3100 52P z Note z In the above table the symbol solid dots z indicate that...

Page 272: ...QinQ To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable QinQ vlan vpn enable Required Disabled by default For an acc...

Page 273: ...er outer VLAN tag priority mapping are disabled Display information about all QinQ enabled ports display port vlan vpn Available in any view 1 2 2 Configuring Selective QinQ Follow these steps to conf...

Page 274: ...QinQ H3C Low End Ethernet Switches Configuration Examples Chapter 1 QinQ Overview 1 4 Note QinQ and selective QinQ cannot be enabled on any port of a device with IRF Fabric enabled...

Page 275: ...c by VLAN as follows z Customer 1 high priority for traffic of CVLANs 20 through 100 normal priority for traffic of CVLANs 200 through 300 and low priority for traffic of CVLAN 400 z Customer 2 high p...

Page 276: ...to right in Figure 2 1 You can follow the same configuration idea to configure the devices for transmitting traffic from right to left I Configuration on the S3600 1 Figure 2 2 Configuration on the S...

Page 277: ...priority 200 300 to 101 normal priority 400 to 102 low priority Enable basic QinQ Untagged multicast traffic to VLAN 500 Set the TPID on the port to 9100 Ethernet 1 0 10 Configure inter VLAN MAC addr...

Page 278: ...ld change the TPID that the ports will use in the outer VLAN tags from 8100 the default to 9100 for interoperability sake II Configuration on S3600 2 Figure 2 3 Configuration on S3600 2 Configure Ethe...

Page 279: ...thernet1 0 10 vlan vpn enable Enable selective QinQ on Ethernet 1 0 10 to tag the received tagged traffic with an SVLAN ID based on the CVLAN ID S3600 1 Ethernet1 0 10 vlan vpn vid 100 S3600 1 Etherne...

Page 280: ...uit S3600 1 Ethernet1 0 20 vlan vpn vid 201 S3600 1 Ethernet1 0 20 vid 201 raw vlan id inbound 400 to 450 S3600 1 Ethernet1 0 20 vid 201 quit S3600 1 Ethernet1 0 20 vlan vpn vid 202 S3600 1 Ethernet1...

Page 281: ...inQ on the S3600 2 as you have done on the S3600 1 Note that Ethernet 1 0 15 of S3600 2 corresponds to Ethernet 1 0 10 of S3600 1 Ethernet 1 0 20 of S3600 2 corresponds to Ethernet 1 0 20 of S3600 1 E...

Page 282: ...rks 3 2 Reserved Protocol Type Values Because the position of the TPID field is the same as that of the protocol type field in a VLAN untagged frame you cannot set the TPID to any of the values in the...

Page 283: ...iguring ARP Attack Prevention 1 7 1 4 Device Models that Supports ARP Attack Prevention 1 8 Chapter 2 Configuration Examples 2 1 2 1 Configuration Example for ARP Attack Prevention in DHCP Snooping Mo...

Page 284: ...o implement ARP attack prevention in DHCP snooping mode or authentication mode on Ethernet switches so as to prevent ARP attacks including gateway spoofing spoofing gateway spoofing terminal user and...

Page 285: ...cenarios where static and dynamic IP address allocation methods coexist and it can only prevent gateway spoofing attacks In this solution you do not need to configure attack prevention on access switc...

Page 286: ...ay which then updates the IP to MAC binding of the client After that traffic from the gateway to the client is sent to the fake MAC address and the client cannot access the external network Gateway Sw...

Page 287: ...n attacker Host B forwards invalid ARP reply messages to Host A and Host C respectively causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with th...

Page 288: ...minal users and ARP MITM attacks from clients that obtain IP addresses dynamically DHCP snooping ARP attack detection Gateway spoofing spoofing gateway spoofing terminal users and ARP MITM attacks fro...

Page 289: ...attack detection 1 2 3 ARP Attack Detection H3C low end switches can deliver received ARP packets request or reply to the CPU and use DHCP snooping to verify the validity of the ARP packets as follow...

Page 290: ...the shut down port after the specified interval 1 2 5 Attack Prevention with the Support of a CAMS Server As shown in the following figure a Comprehensive Access Management Server CAMS as the service...

Page 291: ...le DHCP snooping dhcp snooping Required Disabled by default Enter Ethernet port view interface interface type interface number Configure an IP static binding entry ip source static binding ip address...

Page 292: ...cover enable Optional Disabled by default Configure ARP packet rate limit Configure the port state auto recovery interval arp protective down recover interval interval Optional By default when the por...

Page 293: ...view 1 9 Feature Device model DHCP snooping ARP attack detection IP static binding ARP packet rate limit S3600 SI Release 1602 z z z z S3100 EI Release 2104 z z z z S3100 52P Release 1602 z z z z Note...

Page 294: ...are located in Host area 1 which belongs to VLAN 10 and Host area 2 which belongs to VLAN 20 respectively and they are connected to the Gateway and the DHCP server through Switch A and Switch B respe...

Page 295: ...2 1 3 Configuration Considerations z Enable DHCP snooping on Switch A and Switch B and configure their ports connected to the DHCP server as a DHCP snooping trusted port z Configure an IP static bindi...

Page 296: ...1 0 1 through Ethernet 1 0 4 to VLAN 10 SwitchA system view SwitchA vlan 10 SwitchA vlan10 port Ethernet 1 0 1 to Ethernet 1 0 4 SwitchA vlan10 quit Configure the uplink port on Switch A Ethernet 1 0...

Page 297: ...0 2 arp rate limit enable SwitchA Ethernet1 0 2 arp rate limit 20 SwitchA Ethernet1 0 2 quit SwitchA interface Ethernet1 0 3 SwitchA Ethernet1 0 3 arp rate limit enable SwitchA Ethernet1 0 3 arp rate...

Page 298: ...2 quit SwitchB interface Ethernet1 0 3 SwitchB Ethernet1 0 3 arp rate limit enable SwitchB Ethernet1 0 3 arp rate limit 20 SwitchB Ethernet1 0 3 quit SwitchB interface Ethernet1 0 4 SwitchB Ethernet1...

Page 299: ...obtain valid IP addresses The trusted ports and the ports connected to DHCP clients must be in the same VLAN z A DHCP snooping table only records IP to MAC bindings of clients that have obtained IP ad...

Page 300: ...in Authentication Mode 2 2 1 Network Requirements In a campus network as shown in the following figure the hosts are connected to the gateway and servers through access switches The administrator need...

Page 301: ...A on Switch A and Switch B z Configure the gateway s IP to MAC binding on the CAMS server which will provide the binding to clients for preventing gateway spoofing attacks 2 2 4 Configuration Procedur...

Page 302: ...n default enable host Enable 802 1x globally SwitchA dot1x Enable 802 1x on Ethernet 1 0 2 SwitchA interface Ethernet1 0 2 SwitchA Ethernet1 0 2 dot1x SwitchA Ethernet1 0 2 quit Enable 802 1x on Ether...

Page 303: ...host Enable 802 1x globally SwitchB dot1x Enable 802 1x on Ethernet 1 0 2 Ethernet 1 0 3 and Ethernet 1 0 4 SwitchB interface Ethernet1 0 2 SwitchB Ethernet1 0 2 dot1x SwitchB Ethernet1 0 2 quit Switc...

Page 304: ...the RADIUS server CAMS 2 10 R0210 1 Enter the correct username and password on the login page to log in to the CAMS server 2 Create a service type Log in the CAMS server configuration page and then se...

Page 305: ...in the CAMS server configuration platform and then select User Management Account User from the navigation tree to enter the Account Management page as shown in the following figure Figure 2 6 Accoun...

Page 306: ...4 Configure an access device Log in the CAMS server configuration platform and then select System Management System Configuration from the navigation tree to enter the System Configuration page as sh...

Page 307: ...red information such as IP address and shared key for the access device as shown in the following figure Figure 2 9 Add Access Device page Click OK and the following dialog box appears Figure 2 10 Ope...

Page 308: ...shown in the following figure Figure 2 12 System Configuration page Select User Gateway Configuration and then click Modify Click Add to enter the Add Gateway Configuration page Take VLAN interface 1...

Page 309: ...H3C Low End Ethernet Switches Configuration Examples ARP Attack Prevention Chapter 2 Configuration Examples 2 16 Figure 2 14 Wizard page 2 Select 802 1x protocol Click Next...

Page 310: ...d Ethernet Switches Configuration Examples ARP Attack Prevention Chapter 2 Configuration Examples 2 17 Figure 2 15 Select 802 1x Select Common connection and then click Next Figure 2 16 Select Common...

Page 311: ...itches Configuration Examples ARP Attack Prevention Chapter 2 Configuration Examples 2 18 3 Specify the username and password Click Next Figure 2 17 Specify the username and password 4 Set the connect...

Page 312: ...et Switches Configuration Examples ARP Attack Prevention Chapter 2 Configuration Examples 2 19 Figure 2 18 Set the connection property 5 Complete the creation of the connection Figure 2 19 Complete co...

Page 313: ...nformation about gateways configured on the CAMS server may not be completely received by an access switch because the total number of configured gateways exceeds the upper limit supported by the swit...

Search results

Summary of Contents for LS-5100-16P-SI-OVS-H3

Reviews:

Related manuals for LS-5100-16P-SI-OVS-H3

Brands by name

Popular brands

H3C LS-5100-16P-SI-OVS-H3, Configuration

Search results

Summary of Contents for LS-5100-16P-SI-OVS-H3

Reviews:

Related manuals for LS-5100-16P-SI-OVS-H3

Brands by name

Popular brands