H3C S3610-28F Operation Manual Download Page 1507

Page: 1507 / 1547

Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches

Chapter 1 SSL Configuration

1-2

SSL change cipher spec protocol: Used for notification between a client and the

server that the subsequent packets are to be protected and transmitted based on

the newly negotiated cipher suite and key.

SSL alert protocol: Allowing a client and the server to send alert messages to each

other. An alert message contains the alert severity level and a description.

SSL record protocol: Fragmenting and compressing data to be transmitted,

calculating and adding MAC to the data, and encrypting the data before

transmitting it to the peer end.

1.2 SSL Configuration Task List

Different parameters are required on the SSL server and the SSL client.

Complete the following tasks to configure SSL:

Task

Remarks

Configuring an SSL Server Policy

Required

Configuring an SSL Client Policy

Optional

1.3 Configuring an SSL Server Policy

An SSL server policy is a set of SSL parameters for a server to use when booting up. An

SSL server policy takes effect only after it is associated with an application layer

protocol, HTTP protocol, for example.

1.3.1 Configuration Prerequisites

Before configuring an SSL server policy, you must configure a PKI (public key

infrastructure) domain.

1.3.2 Configuration Procedure

Follow these steps to configure an SSL server policy:

To do...

Use the command...

Remarks

Enter system view

system-view

—

Create an SSL server
policy and enter its view

ssl server-policy
policy-name

Required

Specify a PKI domain for
the SSL server policy

pki-domain
domain-name

Required

By default, no PKI domain
is specified for an SSL
server policy.

«
...
1505
1506
1507
1508
1509
...
»

Summary of Contents for S3610-28F

Page 1: ...H3C S3610 S5510 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 20081229 C 1 01 Product Version Release 5303...

Page 2: ...InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information i...

Page 3: ...hernet Switches Operation Manual Release 5303 is organized as follows Part Contents 0 Product Overview Introduces the system features service features and network application of the switches 1 Login I...

Page 4: ...3 IPv6 IS IS and IPv6 BGP 15 Multicast Protocol Introduces the multicast protocol related configurations 16 802 1x HABP MAC Authentication Introduces 802 1x HABP and MAC related configurations 17 AAA...

Page 5: ...and the related configuration 35 OAM Introduces ethernet OAM configuration 36 DLDP Introduces DLDP and the related configuration 37 RRPP Introduces RRPP and the related configuration 38 SSL HTTPS Intr...

Page 6: ...sign can be entered 1 to n times A line starting with the sign is comments II GUI conventions Convention Description Button names are inside angle brackets For example click OK Window names menu item...

Page 7: ...plications 4 1 4 1 H3C S3610 Series Ethernet Switches Networking Applications 4 1 4 1 1 Broadband Ethernet Access for Residential Communities 4 1 4 1 2 Application in Networks of Branches or Small to...

Page 8: ...product version upgrade or some other reasons Therefore the contents in the CD ROM may not be the latest version This manual serves the purpose of user guide only Unless otherwise noted all the infor...

Page 9: ...ries Ethernet Switches Chapter 1 Obtaining the Documentation 1 2 1 3 Software Release Notes With software upgrade new software features may be added You can acquire the information about the newly add...

Page 10: ...5303 For details refer to Table 2 1 Table 2 1 Added features in Release 5303 Features Location VLAN check 02 VLAN MAC Address Synchronization 04 QinQ BPDU Tunneling VLAN ignore Transparent BPDU Transm...

Page 11: ...itan area networks MANs and to meet the requirements at the access layer Supporting IPv4 IPv6 double stack they offer abundant service features and routing functionalities 3 2 Switch Models Table 3 1...

Page 12: ...ding ports on S3610 series Model Combo port Corresponding port 49 53 50 54 51 55 S3610 52M AC S3610 52M DC 52 56 Table 3 3 lists the models in the S5510 series Table 3 3 Models in the S5510 series Mod...

Page 13: ...eatures of S3610 S5510 series Ethernet switches Part Feature 01 Login z Logging into a switch through the Console port z Logging into a switch by using Telnet through an Ethernet port z Logging into a...

Page 14: ...t BPDU transmission z BPDU Tagging Function 10 IPv6 z IPv6 basic configuration z Ping IPv6 Traceroute IPv6 z Manual IPv6 tunnel z Configuring IPv4 compatible with the IPv6 tunnel z 6to4 tunnel z ISATA...

Page 15: ...i terminal access controller access control system HWTACACS 18 ARP z Configuring ARP entries manually z Gratuitous ARP z ARP source suppression z Proxy ARP 19 DHCP z DHCP server z DHCP relay z DHCP Sn...

Page 16: ...enter z System logs z Alarms in different severities z Debugging information output 30 System Maintaining and Debugging z Configuring command levels z Configuring online help for command lines z Confi...

Page 17: ...users and uplinked to a core Layer 3 switch through a GE extension module to connect to the MAN backbone MAN Backbone Core layer Distribution layer Community building access layer Corridor access laye...

Page 18: ...4 1 3 Application in Large Enterprise and Campus Networks In a large enterprise or campus network the H3C S3610 series are located at the convergence layer They are downlinked to Layer 2 switches S31...

Page 19: ...ies Server cluster PC PC Figure 4 3 H3C S3610 series application in large enterprise and campus network 4 1 4 IPv4 IPv6 Hybrid Networking Full IPv4 networking and full IPv6 networking are similar At t...

Page 20: ...ernet Switches Networking Applications 4 2 1 Broadband Ethernet Access for Residential Communities An H3C S5510 series Ethernet switch can operate on the distribution layer of a broadband MAN You can...

Page 21: ...n the branches of a small medium sized or large enterprises you can use H3C S5510 series Ethernet switches as the backbone layer devices In this case network devices can connect to an S5510 Ethernet s...

Page 22: ...layer devices in the networks of large enterprises and campus networks In this case you can connect an S5510 Ethernet switch to a backbone router or Layer 3 switches through its GigabitEthernet optic...

Page 23: ...networks are common This gives full play to the IPv4 IPv6 dual stack and IPv6 over IPv4 tunneling features provided by the H3C S5510 series and enables flexible networking IPv4 backbone Layer 3 switc...

Page 24: ...nfiguration with Authentication Mode Being Password 2 10 2 5 1 Configuration Procedure 2 10 2 5 2 Configuration Example 2 12 2 6 Console Port Login Configuration with Authentication Mode Being Scheme...

Page 25: ...1 Overview 7 1 7 2 Configuring Source IP Address for Telnet Service Packets 7 1 7 3 Displaying the source IP address Interface Specified for Telnet Packets 7 2 Chapter 8 Controlling Login Users 8 1 8...

Page 26: ...2 1 Supported User Interfaces S3610 S5510 series Ethernet switch supports two types of user interfaces AUX and VTY Table 1 1 Description on user interface User interface Applicable user Port used Des...

Page 27: ...is not locked by default Specify to send messages to all user interfaces a specified user interface send all number type number Optional Execute this command in user view Disconnect a specified user i...

Page 28: ...he screen length 0 command to disable the function to display information in pages Make terminal services available shell Optional By default terminal services are available in all user interfaces Set...

Page 29: ...nto an S3610 S5510 series Ethernet switch through its Console port only To log into an Ethernet switch through its Console port the related configuration of the user terminal must be in accordance wit...

Page 30: ...e Console port launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figu...

Page 31: ...sfully completes POST power on self test The prompt such as H3C appears after the user presses the Enter key z You can then configure the switch or check the information about the switch by executing...

Page 32: ...the AUX user interface Optional By default commands of level 3 are available to the users logging into the AUX user interface Define a shortcut key for aborting tasks Optional The default shortcut ke...

Page 33: ...urations for Different Authentication Modes Table 2 3 lists Console port login configurations for different authentication modes Table 2 3 Console port login configurations for different authenticatio...

Page 34: ...he user name and password of a local user are configured on the switch z The user name and password of a remote user are configured on the DADIUS server Refer to user manual of RADIUS server for more...

Page 35: ...nal The default data bits of a Console port is 8 Configure the command level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are a...

Page 36: ...d level available to users logging into a switch depends on both the authentication mode none command and the user privilege level level command as listed in the following table Table 2 4 Determine th...

Page 37: ...user logging in through the Console port H3C ui aux0 authentication mode none Specify commands of level 2 are available to the user logging into the AUX user interface H3C ui aux0 user privilege level...

Page 38: ...ssword authentication Set the local password set authentication password cipher simple password Required Set the baud rate speed speed value Optional The default baud rate of an AUX port also the Cons...

Page 39: ...er size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a us...

Page 40: ...need to limit the Console user at the following aspects z The user is authenticated against the local password when logging in through the Console port z The local password is set to 123456 in plain t...

Page 41: ...user privilege level 2 Set the baud rate of the Console port to 19 200 bps H3C ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 H3C ui aux0 screen length 30 Set the ma...

Page 42: ...pecify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AA...

Page 43: ...ailable to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface Define a shortcut key for...

Page 44: ...eout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is perf...

Page 45: ...mmand authorization Users logging into the Console port and pass AAA RADIUS or local authentication The user privilege level level command is executed and the service type terminal level level command...

Page 46: ...authentication password to 123456 in plain text H3C luser guest password simple 123456 Set the service type to Terminal Specify commands of level 2 are available to the user logging into the AUX user...

Page 47: ...f the AUX user interface to 6 minutes H3C ui aux0 idle timeout 6 After the above configuration to ensure a successful login the console user needs to change the corresponding configuration of the term...

Page 48: ...other settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available Note z After you log into the switch...

Page 49: ...hortcut key combination for aborting tasks is Ctrl C Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum number of lines the scr...

Page 50: ...to perform local authentication or RADIUS authentication AAA configuration specifies whether to perform local authentication or RADIUS authentication Optional Local authentication is performed by defa...

Page 51: ...er interfaces Configure the protocols to be supported by the VTY user interface protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the command...

Page 52: ...es You can use the idle timeout 0 command to disable the timeout function Note that if you configure not to authenticate the users the command level available to users logging into a switch depends on...

Page 53: ...ation procedure Enter system view and enable the Telnet service H3C system view H3C telnet server enable Enter VTY 0 user interface view H3C user interface vty 0 Configure not to authenticate Telnet u...

Page 54: ...o users logging into the user interface user privilege level level Optional By default commands of level 0 are available to users logging into VTY user interface Configure the protocol to be supported...

Page 55: ...er interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the...

Page 56: ...gram Figure 3 2 Network diagram for Telnet configuration with the authentication mode being password III Configuration procedure Enter system view and enable the Telnet service H3C system view H3C tel...

Page 57: ...al AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the ra...

Page 58: ...Set the command that is automatically executed when a user logs into the user interface auto execute command text Optional By default no command is automatically executed when a user logs into a user...

Page 59: ...user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if you configure to...

Page 60: ...command level Determined by the service type command The user privilege level level command is not executed and the service type command does not specify the available command level The user privilege...

Page 61: ...Configuration Example I Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0 z Configure the name of the loca...

Page 62: ...mode scheme Configure Telnet protocol is supported H3C ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 H3C ui vty0 screen length 30 Set the maximum number...

Page 63: ...to different authentication modes for them Refer to section 3 2 Telnet Configuration with Authentication Mode Being None section 3 3 Telnet Configuration with Authentication Mode Being Password and s...

Page 64: ...ut the commands Note z A Telnet connection will be terminated if you delete or modify the IP address of the VLAN interface in the Telnet session z By default commands of level 0 are available to Telne...

Page 65: ...switch operating as the Telnet client Step 3 Execute the following command on the switch operating as the Telnet client H3C telnet xxxx Where xxxx is the IP address or the host name of the switch ope...

Page 66: ...g into a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side...

Page 67: ...corresponding configuration on the switch is the same as those when logging into the switch locally through its Console port except that z When you log in through the Console port using a modem the b...

Page 68: ...following configuration on the modem directly connected to the switch AT F Restore the factory settings ATS0 1 Configure to answer automatically after the first ring AT D Ignore DTR signal AT K0 Disab...

Page 69: ...ection by using modems Step 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 and Figure 4 3 Note t...

Page 70: ...such as H3C appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the following chapters for information about the configuration commands No...

Page 71: ...IP address of the management VLAN of the switch is configured The route between the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Rou...

Page 72: ...r PC and the switch as shown in the following figure Figure 5 1 Establish an HTTP connection between your PC and the switch Step 4 Log into the switch through IE Launch IE on the Web based network man...

Page 73: ...e this command in system view The Web server is started by default Start the Web server ip http enable Required Execute this command in system view 5 4 Displaying Web Users After the above configurati...

Page 74: ...MS and the agent To log into a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging into a switch through an NMS Item Requi...

Page 75: ...e switch is used to transmit packets between the Telnet client and the Telnet server This conceals the IP address of the actual interface used As a result external attacks are guarded and the security...

Page 76: ...e interface number Optional Not specified by default Note To perform the configurations listed in Table 7 1 and Table 7 2 make sure that z The IP address specified is that of the local device z The in...

Page 77: ...resses Through Layer 2 ACLs Section 8 2 4 Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Section 8 3 2 Controlling Network Management Users by Source I...

Page 78: ...d The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch 8 2...

Page 79: ...g Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs which are numbered from 4000 to 4999 Refer to the ACL module for information about defining an ACL To do Use the command Rem...

Page 80: ...fig H3C acl basic 2000 rule 1 permit source 10 110 100 52 0 H3C acl basic 2000 rule 2 permit source 10 110 100 46 0 H3C acl basic 2000 rule 3 deny source any H3C acl basic 2000 quit Apply the ACL H3C...

Page 81: ...view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the...

Page 82: ...munity command take effect in the network management systems that adopt SNMPv1 or SNMPv2c Similarly as SNMP group name and SNMP user name are features of SNMPv2c and the higher SNMP versions the speci...

Page 83: ...m the IP addresses of 10 110 100 52 and 10 110 100 46 to access the switch H3C snmp agent community read h3c acl 2000 H3C snmp agent group v2c h3cgroup acl 2000 H3C snmp agent usm user v2c h3cuser h3c...

Page 84: ...specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment logging Required Quit to system view quit Apply the ACL to cont...

Page 85: ...olling Web users using ACLs III Configuration procedure Define a basic ACL H3C system view H3C acl number 2030 match order config H3C acl basic 2030 rule 1 permit source 10 110 100 52 0 H3C acl basic...

Page 86: ...iguring a Protocol Based VLAN 1 12 1 6 Configuring IP Subnet Based VLAN 1 13 1 6 1 Introduction 1 13 1 6 2 Configuring an IP Subnet Based VLAN 1 13 1 7 Displaying and Maintaining VLAN 1 14 1 8 VLAN Co...

Page 87: ...3 2 GVRP Configuration Task List 3 5 3 3 Configuring GVRP 3 5 3 3 1 Enabling GVRP 3 5 3 3 2 Configuring GARP Timers 3 6 3 4 Displaying and Maintaining GVRP 3 7 3 5 GVRP Configuration Examples 3 8 3 5...

Page 88: ...dium is shared in an Ethernet network performance may degrade as the number of hosts on the network is increasing If the number of the hosts in the network reaches a certain level problems caused by c...

Page 89: ...ance much easier and more flexible 1 1 2 VLAN Fundamental To enable packets being distinguished by the VLANs they belong to The VLAN tag fields used to identify VLANs are added to packets As common sw...

Page 90: ...length and with its value ranging from 0 to 4095 identifies the ID of the VLAN a packet belongs to As VLAN IDs of 0 and 4095 are reserved by the protocol the value of this field actually ranges from...

Page 91: ...create or remove reserved VLANs which are reserved for specific functions z Dynamic VLANs cannot be removed using the undo vlan command z If a VLAN has a QoS policy configured the VLAN cannot be remo...

Page 92: ...dress mask mask length sub Optional Not configured by default Specify the descriptive string for the VLAN interface description text Optional VLAN interface name is used by default for example Vlan in...

Page 93: ...id and Trunk port z A Hybrid port allows packets of multiple VLANs to be sent without the Tag label z A Trunk port only allows packets from the default VLAN to be sent without the Tag label II Default...

Page 94: ...the packet with the default VLAN ID z Receive the packet if the VLAN ID is the same as the default VLAN ID and the VLAN ID is in the list of permitted VLANs of the port z Receive the packet if the VLA...

Page 95: ...w Enter VLAN view vlan vlan id Required If the specified VLAN does not exist this command be created first creates the VLAN before entering its view Add an Access port to the current VLAN port interfa...

Page 96: ...emarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group n...

Page 97: ...ure the Hybrid port based VLAN To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group vie...

Page 98: ...sable VLAN check vlan check disable Enable VLAN check undo vlan check disable Configure either command as needed Enabled by default 1 5 Protocol Based VLAN Configuration 1 5 1 Introduction to Protocol...

Page 99: ...2 Configuring a Protocol Based VLAN Follow these steps to configure a protocol based VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Required If the speci...

Page 100: ...t set etype id in ethernetii etype etype id to 0x0800 0x809b 0x8137 or 0x86dd Otherwise the encapsulation format of the matching packets will be the same as that of the IPv4 IPX AppleTalk and IPv6 pac...

Page 101: ...oup view port group manual port group name aggregation agg id Use either command In Ethernet port view the subsequent configurations only apply to the current port in port group view the subsequent co...

Page 102: ...n any view Display the IP subnet based VLAN information and IP subnet index of specified ports display ip subnet vlan interface interface type interface number to interface type interface number all A...

Page 103: ...permit vlan 2 6 to 50 100 Please wait Done 2 Configure Device B following similar steps as that of Device A IV Verification Verifying the configuration of Device A is similar to that of Device B So o...

Page 104: ...ttles 0 CRC 0 frame 0 overruns 0 aborts ignored parity errors Output total packets bytes broadcasts multicasts pauses Output normal 0 packets 0 bytes 0 broadcasts 0 multicasts 0 pauses Output 0 output...

Page 105: ...traffic improving transmission priority and ensuring voice quality A device determines whether a received packet is a voice packet by checking its source MAC address Packets containing source MAC add...

Page 106: ...matically add the port into the Voice VLAN and apply ACL rules and configure the packet precedence An aging time can be configured for the voice VLAN The system will remove a port from the voice VLAN...

Page 107: ...ybrid not supported Access not supported Trunk supported provided that the default VLAN of the access port exists and is not the voice VLAN and that the access port belongs to the default VLAN Tagged...

Page 108: ...llowed to go through a certain port 2 1 2 Security Mode and Normal Mode for the Voice VLAN Ports that have the voice VLAN feature enabled can be divided into two modes based on their filtering mechani...

Page 109: ...efault OUI addresses of different vendors Enable the voice VLAN feature globally voice vlan vlan id enable Required Enter Ethernet port view interface interface type interface number Configure the por...

Page 110: ...erface interface type interface number Configure the working mode as manual undo voice vlan mode auto Required Disabled by default Access port Refer to Configuring an Access Port Based VLAN Trunk port...

Page 111: ...nd Maintaining Voice VLAN To do Use the command Remarks Display the voice VLAN state display voice vlan state Available in any view Display the OUI addresses currently supported by system display voic...

Page 112: ...0 0000 as the legal address of the voice VLAN DeviceA voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 Enable the voice VLAN feature globally DeviceA voice vlan 2 enable Configure the voice V...

Page 113: ...00 0000 Pingtel phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current Voice VLAN state DeviceA display voice vlan state Voice VLAN status ENABL...

Page 114: ...eviceA voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 description test Create VLAN 2 Enable voice VLAN feature for it DeviceA vlan 2 DeviceA vlan2 quit DeviceA voice vlan 2 enable Configure...

Page 115: ...ff ff00 0000 Cisco phone 0004 0d00 0000 ffff ff00 0000 Avaya phone 0011 2200 0000 ffff ff00 0000 test 0060 b900 0000 ffff ff00 0000 Philips NEC phone 00d0 1e00 0000 ffff ff00 0000 Pingtel phone 00e0 7...

Page 116: ...does not exist on a device as an entity GARP compliant participants are known as GARP applications One example is GVRP When a GARP participant is present on a port on your device the port is regarded...

Page 117: ...a join timer to set the sending interval If the first Join message is not acknowledged after the interval defined by the Join timer the GARP participant sends the second Join message z Leave timer St...

Page 118: ...th a particular multicast MAC address as destination Based on this address a device can identify to which GVRP application GVRP for example should a GARP PDU be delivered III GARP message format The f...

Page 119: ...local database about active VLAN members and through which port they can be reached It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information The VLA...

Page 120: ...ers Optional 3 3 Configuring GVRP 3 3 1 Enabling GVRP Follow these steps to enable GVRP on a trunk port To do Use the command Remarks Enter system view system view Enable GVRP globally gvrp Required G...

Page 121: ...iew interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name aggregation agg id Use either command In Ethernet port...

Page 122: ...ble in any view Display GARP timers for specified or all ports display garp timer interface interface list Available in any view Display the local VLAN information maintained by GVRP display gvrp loca...

Page 123: ...Configure port Ethernet 1 0 1 as a Trunk port allowing all VLANs to pass DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 port link type trunk DeviceA Ethernet1 0 1 port trunk permit vlan all E...

Page 124: ...work requirements Configure GVRP for dynamic VLAN information registration and update among devices Specify fixed GVRP registration on Device A and normal GVRP registration on Device B II Network diag...

Page 125: ...nk permit vlan all Enable GVRP on Ethernet 1 0 1 DeviceB Ethernet1 0 1 gvrp DeviceB Ethernet1 0 1 quit Create VLAN 3 a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN inform...

Page 126: ...t1 0 1 gvrp registration forbidden DeviceA Ethernet1 0 1 quit Create VLAN 2 a static VLAN DeviceA vlan 2 2 Configure Device B Enable GVRP globally DeviceB system view DeviceB gvrp Configure port Ether...

Page 127: ...Addressing 1 7 Chapter 2 IP Performance Configuration 2 1 2 1 IP Performance Overview 2 1 2 2 Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network 2 1 2 2 1 Enablin...

Page 128: ...01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the...

Page 129: ...s 255 255 255 255 1 1 2 Special Case IP Addresses The following IP addresses are for special use and they cannot be used as host IP addresses z IP address with an all zero net ID Identifies a host on...

Page 130: ...l ones are not assignable to hosts The same is true of subnetting When designing your network you should note that subnetting is somewhat a tradeoff between subnets and accommodated hosts For example...

Page 131: ...command Remarks Enter system view system view Enter interface view interface interface type interface number Assign an IP address to the interface ip address ip address mask mask length sub Required N...

Page 132: ...ch z Set the switch as the gateway on all hosts II Network diagram Vlan int1 172 16 1 1 24 172 16 2 1 24 sub 172 16 1 0 24 172 16 1 2 24 172 16 2 0 24 172 16 2 2 24 Host A Host B Switch Figure 1 3 Net...

Page 133: ...4 Use the ping command to verify the connectivity between the switch and the hosts on the subnet 172 16 2 0 24 Switch ping 172 16 2 2 PING 172 16 2 2 56 data bytes press CTRL_C to break Reply from 172...

Page 134: ...splaying and Maintaining IP Addressing To do Use the command Remarks Display information about a specified or all Layer 3 interfaces display ip interface interface type interface number Display brief...

Page 135: ...MSS of the interface z Enabling the SYN Cookie feature and protection against Naptha attack z Configuring TCP timers z Configuring the TCP buffer size z Enabling ICMP error packets sending 2 2 Enablin...

Page 136: ...ed from receiving directed broadcasts 2 2 2 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network Follow these steps to enable the device to forward directed broadcasts To do Use...

Page 137: ...arding directed broadcasts III Configuration procedure z Configure Switch A Enable Switch A to receive directed broadcasts SwitchA system view SwitchA ip forward broadcast Configure IP addresses for V...

Page 138: ...SYN ACK message the originator returns an ACK message Thus the TCP connection is established Malicious attackers may mount SYN Flood attacks during TCP connection establishment Attackers send SYN mes...

Page 139: ...so as to exhaust the memory resource of the server As a result the server cannot process normal services The protection against Naptha attack reduces the risk of the server being attacked by accelera...

Page 140: ...r If no response packets are received within the synwait timer timeout the TCP connection is not successfully created z finwait timer When the TCP connection is in FIN_WAIT_2 state finwait timer will...

Page 141: ...irect packets to the source host and notify it to reselect a correct next hop router to send the subsequent packets if the following conditions are satisfied z The receiving and forwarding interfaces...

Page 142: ...ectly connected the device will send the source a source routing failure ICMP error packet z When forwarding a packet if the MTU of the sending interface is smaller than the packet but the packet has...

Page 143: ...intaining IP Performance To do Use the command Remarks Display current TCP connection state display tcp status Display TCP connection statistics display tcp statistics Display UDP statistics display u...

Page 144: ...hernet Switches Chapter 2 IP Performance Configuration 2 10 To do Use the command Remarks Clear statistics of IP packets reset ip statistics Clear statistics of TCP connections reset tcp statistics Cl...

Page 145: ...3 Configuring Selective QinQ 1 4 1 4 Configuring MAC Address Synchronization 1 5 1 5 Configuring the TPID to Be Used in the Outer Tag 1 6 1 6 QinQ Configuration Example 1 6 Chapter 2 BPDU Tunneling Co...

Page 146: ...stomer networks private networks so that the Ethernet frames will travel across the service provider s backbone network public network with double VLAN tags The inner VLAN tag is the customer network...

Page 147: ...AN VPN feature enabled on a port when a frame arrives at the port the switch will tag it with the port s default VLAN tag regardless of whether the frame is tagged or untagged If the received frame is...

Page 148: ...ar vendor to allow interoperability with the devices of that vendor The TPID in an Ethernet frame has the same position with the protocol type field in a frame without a VLAN tag To avoid problems in...

Page 149: ...ture allows adding different outer VLAN tags based on different inner VLAN tags With selective QinQ configured on a port the device will add different outer VLAN tags based on the inner VLAN tags fram...

Page 150: ...port for transmission When the returned packet arrives at the uplink port the switch searches the MAC address table of the outer VLAN for the packet s downlink MAC address but can find none As a resu...

Page 151: ...interface type interface number Enter Ethernet port view or port group view Enter interface group view port group manual port group name aggregation agg id Required Use either command Configurations...

Page 152: ...o each other through VLAN 2000 of the provider network II Network diagram Public Network VLAN1000 VLAN2000 TPID 0x8200 Customer A Customer B Customer C Provider A Provider B Eth1 0 1 Trunk Eth1 0 2 Ac...

Page 153: ...und 20 ProviderA Ethernet1 0 1 vid 2000 quit ProviderA Ethernet1 0 1 quit z Configuration on Ethernet 1 0 2 Configure VLAN 1000 as the default VLAN of the port ProviderA interface ethernet 1 0 2 Provi...

Page 154: ...AN 2000 as the default VLAN of the port ProviderB interface ethernet 1 0 2 ProviderB Ethernet1 0 2 port access vlan 2000 Enable basic QinQ so as to tag frames from VLAN 20 with an outer tag with the V...

Page 155: ...network This prevents each network from correctly calculating its spanning tree As a result when redundant links exist in a network data loops will unavoidably occur By allowing each network to have...

Page 156: ...s BPDU input output device BPDU input output device Service provider network Figure 2 1 Network hierarchy of BPDU tunneling z At the BPDU input side the device changes the destination MAC address of a...

Page 157: ...p Enable BPDU tunneling for the port s bpdu tunnel dot1q enable Required Disabled by default Note z BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take eff...

Page 158: ...on the port s bpdu tunnel dot1q stp Required Disabled by default Note z BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect z The BPDU tunneling fea...

Page 159: ...network access devices z Provider A Provider B and Provider C are service provider network access devices which are interconnected through configured trunk ports The configuration is required to satis...

Page 160: ...0 2 ProviderB Ethernet1 0 2 port access vlan 4 ProviderB Ethernet1 0 2 undo ntdp enable ProviderB Ethernet1 0 2 bpdu tunnel dot1q enable 3 Configuration on Provider C Configure BPDU transparent trans...

Page 161: ...Note When STP works stably on the customer network if Customer A acts as the root bridge the ports of Customer C and Customer D connected with Provider C can receive BPDUs from Customer A Since BPDU...

Page 162: ...atio for an Ethernet Port 1 6 1 1 7 Setting the Interval for Collecting Ethernet Port Statistics 1 6 1 1 8 Enabling the Forwarding of Jumbo Frames 1 7 1 1 9 Enabling Loopback Detection on an Ethernet...

Page 163: ...ptional Testing the Cable on an Ethernet Port Optional 1 1 1 Configuring a Combo Port I Introduction to Combo port A Combo port is formed by two Ethernet ports on the panel one of which is an optical...

Page 164: ...l ports refer to the installation manual 1 1 2 Performing Basic Ethernet port Configuration Three types of duplex modes are available to Ethernet ports z Full duplex mode full Ports operating in this...

Page 165: ...a small form factor pluggable SFP port that uses a 100 Mbps module the duplex mode can only be configured as full and the port rate can only be 100 Mbps for a SFP port that uses a 1000 Mbps module the...

Page 166: ...est the hardware functions of an Ethernet port To perform external loopback testing on an Ethernet port you need to install a loopback plug on the Ethernet port In this case packets sent from the port...

Page 167: ...n port groups A link aggregation port group is automatically created together with the creation of a link aggregation group and cannot be created by users through command line input Adding or deleting...

Page 168: ...group view port group manual port group name aggregation agg id Use either command If configured in Ethernet port view this feature takes effect on the current port only if configured in port group v...

Page 169: ...Port The purpose of loopback detection is to detect loops on a port When loopback detection is enabled on an Ethernet port the device will routinely check whether the ports have any external loopback...

Page 170: ...oopback detection on a given port is enabled only after the loopback detection enable command has been issued in both system view and the port view of the port z Loopback detection on all ports will b...

Page 171: ...Ethernet port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Test the current operating state of the cable connected to...

Page 172: ...nd Remarks Display the current ports of a specified type display port hybrid trunk Available in any view Display the information about a manual port group or all the port groups display port group man...

Page 173: ...umber of the ports an isolation group can contain is not limited Note z When a port in an aggregation group is configured as the ordinary port for some isolation group the other ports of the aggregati...

Page 174: ...Figure 2 1 Connectivity of layer 2 data between ports inside and outside an isolation group on a device supporting uplink port Note The arrows in the above figure indicate the transmission direction...

Page 175: ...k port port isolate uplink port group Required An isolation group has no uplink port by default Note z An isolation group can have only one uplink port When a user configures multiple ports as the upl...

Page 176: ...vice Add ports Ethernet 1 0 1 Ethernet 1 0 2 and Ethernet 1 0 3 to the isolation group Device system view Device interface ethernet 1 0 1 Device Ethernet1 0 1 port isolate enable Device Ethernet1 0 1...

Page 177: ...tion Manual Port Correlation Configuration H3C S3610 S5510 Series Ethernet Switches Chapter 2 Port Isolation Configuration 2 5 Group ID 1 Uplink port Ethernet1 0 4 Ethernet1 0 1 Ethernet1 0 2 Ethernet...

Page 178: ...aggregation 1 4 1 3 Load Sharing in a Link Aggregation Group 1 5 1 4 Service Loop Group 1 6 1 5 Aggregation Port Group 1 7 Chapter 2 Link Aggregation Configuration 2 1 2 1 Configuring Link Aggregation...

Page 179: ...sends LACPDUs to notify the remote system of its system LACP priority system MAC address port LACP priority port number and operational key Upon receipt of an LACPDU the remote system compares the re...

Page 180: ...rict priority SP queuing Weighted round robin WRR queuing Weighted fair queuing WFQ Port priority Port trust mode GVRP GVRP state on ports enabled or disabled GVRP registration type GARP timers Q in Q...

Page 181: ...rt with the highest priority in the up state as the reference port of the aggregation group Port priority descends in the following order full duplex high speed full duplex low speed half duplex high...

Page 182: ...port group where you can make configuration for all member ports When the configuration of some port in a manual aggregation group changes the system does not remove the aggregation instead it re set...

Page 183: ...static aggregation Like in a manual aggregation group in a static LACP aggregation group only ports with configurations consistent with those of the reference port can become selected These configura...

Page 184: ...e ID Caution The arrived broadcasts multicasts unknown unicasts may be distributed over different selected ports if they have different VLAN IDs source ports or source devices if they are only differe...

Page 185: ...rations Their configuration consistency requires administrative maintenance which is troublesome after you change some configuration To simplify configuration port groups are provided allowing you to...

Page 186: ...al Link Aggregation Group Follow these steps to create a manual aggregation group and add an Ethernet port to it To do Use the command Remarks Enter system view system view Create a manual aggregation...

Page 187: ...hanging system LACP priority can affect the selected unselected state of the ports in the group Create a static LACP aggregation group link aggregation group agg id mode static Required Enter Ethernet...

Page 188: ...ter port is unselected 2 1 3 Configuring an Aggregation Group Name Follow these steps to configure a name for an aggregation group To do Use the command Remarks Enter system view system view Configure...

Page 189: ...gation port group view port group aggregation agg id Caution In aggregation port group view you can configure aggregation related settings such as STP VLAN QoS GVRP Q in Q BPDU tunnel MAC address lear...

Page 190: ...guration Example I Network requirements Device A aggregates ports Ethernet 1 0 1 through Ethernet 1 0 3 to form one link connected to Device B and performs load sharing among these ports Create a tunn...

Page 191: ...s Ethernet 1 0 1 through Ethernet 1 0 3 to the group DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 port link aggregation group 1 DeviceA Ethernet1 0 1 interface ethernet 1 0 2 DeviceA Etherne...

Page 192: ...uction to MAC Address Table 1 1 1 2 Configuring MAC Address Table Management 1 2 1 2 1 Configuring MAC Address Entries 1 2 1 2 2 Configuring MAC Address Aging Timer 1 3 1 2 3 Configuring the Maximum N...

Page 193: ...ding Each entry in this table contains the MAC address of a connected device to which port this device is connected and to which VLAN the port belongs A MAC address table consists of two types of entr...

Page 194: ...d the frame will be dropped 4 Upon receipt of the response the device adds an entry in the MAC address table indicating from which port the frames destined for the MAC address should be sent 5 Forward...

Page 195: ...t 1 2 2 Configuring MAC Address Aging Timer The MAC address table on your device is available with an aging mechanism for dynamic entries to prevent its resources from being exhausted Set the aging ti...

Page 196: ...nter port group view port group aggregation agg id manual port group name Required Use either command to configure on a port or ports in a group Configure the maximum number of MAC addresses that can...

Page 197: ...dynamic MAC address entries z Add a static entry 000f e235 dc71 for port Ethernet 1 0 1 in VLAN 1 II Configuration procedure Add a static MAC address entry Sysname system view Sysname mac address stat...

Page 198: ...ard Overview 1 1 1 2 Configuring a Static Binding Entry 1 1 1 3 Configuring Port Filtering 1 2 1 4 Displaying IP Source Guard 1 2 1 5 IP Source Guard Configuration Examples 1 3 1 5 1 Static Binding En...

Page 199: ...illegal IP addresses and MAC addresses from traveling through improving the network security IP source guard filters packets based on two types of binding entries z IP port binding entry A port permit...

Page 200: ...guring Port Filtering Port filtering allows IP source guard to filter packets based on the MAC IP port binding entries created and maintained by DHCP snooping Follow these steps to configure port filt...

Page 201: ...e source IP address of 192 168 0 3 can pass z On port Ethernet 1 0 1 of Switch A only IP packets with the source MAC address of 00 01 02 03 04 06 and the source IP address of 192 168 0 1 can pass z On...

Page 202: ...rface ethernet 1 0 1 SwitchB Ethernet1 0 1 user bind ip address 192 168 0 1 mac address 0001 0203 0406 SwitchB Ethernet1 0 1 quit Configure port Ethernet 1 0 2 of Switch B to allow only IP packets wit...

Page 203: ...1 of Switch A to prevent attacks from clients using fake source IP addresses to the DHCP server Note For detailed configuration of DHCP Server refer to DHCP Configuration in this manual II Network di...

Page 204: ...cal with the dynamic entries that port Ethernet 1 0 1 has obtained SwitchA display dhcp snooping DHCP Snooping is enabled The client binding table for all untrusted ports Type D Dynamic S Static Type...

Page 205: ...Ports 1 29 1 3 11 Configuring Whether Ports Connect to Point to Point Links 1 30 1 3 12 Configuring the Mode a Port Uses to Recognize Send MSTP Packets 1 31 1 3 13 Enabling the Output of Port State T...

Page 206: ...on Example 1 46 1 9 Configuring Protection Functions 1 46 1 9 1 Configuration prerequisites 1 47 1 9 2 Enabling BPDU Guard 1 47 1 9 3 Enabling Root Guard 1 48 1 9 4 Enabling Loop Guard 1 49 1 9 5 Enab...

Page 207: ...e This avoids proliferation and infinite recycling of packets that would occur in a loop network and prevents deterioration of the packet processing capability of network devices caused by duplicate p...

Page 208: ...d bridge and designated port The following table describes a designated bridge and a designated port Table 1 1 Description of designated bridge and designated port Classification Designated bridge Des...

Page 209: ...STP works STP identifies the network topology by transmitting configuration BPDUs between network devices Configuration BPDUs contain sufficient information for network devices to complete the spanni...

Page 210: ...n BPDU Each device sends out its configuration BPDU and receives configuration BPDUs from other devices The process of selecting the optimum configuration BPDU is as follows Table 1 2 Selection of the...

Page 211: ...ssumes itself to be the root bridge with the root bridge ID being its own device ID By exchanging configuration BPDUs the devices compare one another s root bridge ID The device with the smallest root...

Page 212: ...U so that the port will only receive BPDUs but not send any and will not forward data Note When the network topology is stable only the root port and designated ports forward traffic while other ports...

Page 213: ...ration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the configuration received message and discards the received configuration BPDU...

Page 214: ...guration BPDU BP1 0 0 0 AP1 BP2 1 0 1 BP2 Device B z Device B compares the configuration BPDUs of all its ports and determines that the configuration BPDU of BP1 is the optimum configuration BPDU Then...

Page 215: ...AP2 Designated port CP2 0 10 2 CP2 z Next port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a...

Page 216: ...sends out this configuration BPDU through the designated port z If the configuration BPDU received on the designated port has a lower priority than the configuration BPDU of the local port the port w...

Page 217: ...propagated throughout the network z Hello time is the time interval at which a device sends hello packets to the surrounding devices to ensure that the paths are fault free z Max age is a parameter u...

Page 218: ...ing tree 2 Features of MSTP The multiple spanning tree protocol MSTP overcomes the shortcomings of STP and RSTP In addition to support for rapid network convergence it also allows data flows of differ...

Page 219: ...apping configuration z They have the same MSTP revision level configuration and z They are physically linked with one another For example all the devices in region A0 in Figure 1 4 have the same MST r...

Page 220: ...s in a switched network If you regard each MST region as a device the CST is a spanning tree calculated by these devices through STP or RSTP For example the red lines in Figure 1 4 describe the CST 5...

Page 221: ...hird party s device that supports boundary port recognition the third party s device may malfunction in recognizing a boundary port 10 Roles of ports In the MSTP calculation process port roles include...

Page 222: ...vice C form a loop z Port 3 and port 4 of device D connect downstream to other MST regions 11 Port states In MSTP port states fall into the following tree z Forwarding the port learns MAC addresses an...

Page 223: ...oot bridge of the CIST MSTP generates an IST within each MST region through calculation and at the same time MSTP regards each MST region as a single device and generates a CST among these MST regions...

Page 224: ...onfigure MSTP Task Remarks Configuring an MST Region Required Specifying the Root Bridge or a Secondary Root Bridge Optional Configuring the Work Mode of MSTP Device Optional Configuring the Priority...

Page 225: ...al Configuring Leaf Nodes Enabling the MSTP Feature Required Performing mCheck Optional Configuring the VLAN Ignore Feature Optional Configuring Digest Snooping Optional Configuring No Agreement Check...

Page 226: ...Use either command All VLANs in an MST region are mapped to MST instance 0 by default Configure the MSTP revision level of the MST region revision level level Optional 0 by default Activate MST regio...

Page 227: ...ed to instance 1 and VLAN 20 through VLAN 30 to instance 2 Sysname system view Sysname stp region configuration Sysname mst region region name info Sysname mst region instance 1 vlan 2 to 10 Sysname m...

Page 228: ...ot bridge or a secondary root bridge of another instance However the same device cannot be the root bridge and a secondary root bridge in the same instance at the same time z There is one and only one...

Page 229: ...nable to recognize MSTP packets For hybrid networking with legacy STP devices and full interoperability with RSTP compliant devices MSTP supports three work modes STP compatible mode RSTP mode and MST...

Page 230: ...f the device z During root bridge selection if all devices in a spanning tree have the same priority the one with the lowest MAC address will be selected as the root bridge of the spanning tree II Con...

Page 231: ...20 by default Note A larger maximum hops setting means a larger size of the MST region Only the maximum hops configured on the regional root bridge can restrict the size of the MST region II Configura...

Page 232: ...r 6 1 3 7 Configuring Timers of MSTP MSTP involves three timers forward delay hello time and max age You can configure these three parameters for MSTP to calculate spanning trees I Configuration proce...

Page 233: ...dds to the device burden and causes waste of network resources We recommend that you use the default setting z If the max age time setting is too small the network devices will frequently launch spann...

Page 234: ...ning the timeout time I Configuration procedure Follow these steps to configure the timeout factor To do Use the command Remarks Enter system view system view Configure the timeout factor of the devic...

Page 235: ...transmission rate setting of a port is too big the port will send a large number of MSTP packets within each hello time thus using excessive network resources We recommend that you use the default se...

Page 236: ...rom another port it will become a non edge port again In this case you must reset the port before you can configure it to be an edge port again z If a port directly connects to a user terminal configu...

Page 237: ...t to point link Note z In the case of link aggregation every port in the aggregation group can be configured to connect to a point to point link If a port works in auto negotiation mode and the negoti...

Page 238: ...oup manual port group name aggregation agg id Required Use either command Configurations made in Ethernet interface view will take effect on the current port only configurations made in port group vie...

Page 239: ...t log all instance instance id Optional Whether this function is enabled by default depends on the specific device model 1 3 14 Enabling the MSTP Feature I Configuration procedure Follow these steps t...

Page 240: ...1 Configuring an MST Region Refer to Configuring an MST Region in the section about root bridge configuration 1 4 2 Configuring the Work Mode of MSTP Refer to Configuring the Work Mode of MSTP Device...

Page 241: ...es the default path cost for ports based on a private standard Follow these steps to specify a standard for the device to use when calculating the default path cost To do Use the command Remarks Enter...

Page 242: ...nk speed is the sum of the link speed values of the non blocked ports in the aggregated link II Configuring Path Costs of Ports Follow these steps to configure the path cost of ports To do Use the com...

Page 243: ...n different MST instances and the same port can play different roles in different MST instances so that data of different VLANs can be propagated along different physical paths thus implementing per V...

Page 244: ...onfiguring Whether Ports Connect to Point to Point Links in the section about root bridge configuration 1 4 9 Configuring the Mode a Port Uses to Recognize Send MSTP Packets Refer to Configuring the M...

Page 245: ...to perform global mCheck To do Use the command Remarks Enter system view system view Perform mCheck stp mcheck Required II Performing mCheck in Ethernet interface view Follow these steps to perform mC...

Page 246: ...the traffic of VLAN 2 to pass through Switch A and Switch B run MSTP Switch A is the root bridge and port A and port C on it are designated ports Port B on Switch B is the root port and port D is the...

Page 247: ...abled VLAN SwitchB display stp ignored vlan STP Ignored VLAN 2 1 7 Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when the region related conf...

Page 248: ...nterface type interface number Enter Ethernet interface or port group view Enter port group view port group manual port group name aggregation agg id Required Use either command Configurations made in...

Page 249: ...bally and on associated ports to make it take effect It is recommended to enable the feature on all associated ports first and then globally making all configured ports take effect and disable the fea...

Page 250: ...s Both RSTP and MSTP switches can perform rapid transition operation on a designated port only when the port receives an agreement packet from the downstream switch The differences between RSTP and MS...

Page 251: ...to transit rapidly and can only change to the forwarding state after a period twice the Forward Delay In this case you can enable the No Agreement Check feature on the downstream device s port to perf...

Page 252: ...e A connects to a third party s device that has different MSTP implementation Both switches are in the same region z Another vendor s device is the regional root bridge and Device A is the downstream...

Page 253: ...nnect directly with user terminals such as PCs or file servers In this case the access ports are configured as edge ports to allow rapid transition of these ports When these ports receive configuratio...

Page 254: ...bridge may receive a configuration BPDU with a higher priority In this case the current legal root bridge will be superseded by another device causing undesired change of the network topology As a re...

Page 255: ...re depends on the specific device model z We recommend that you enable loop guard if your device supports this function By keeping receiving BPDUs from the upstream device a device can maintain the st...

Page 256: ...evice will receive a larger number of TC BPDUs within a short time and frequent deletion operations bring a big burden to the device and hazard network stability With the TC BPDU guard function enable...

Page 257: ...figure the function of transmitting BPDUs transparently To do Use the command Remarks Enter system view System view Enter port view interface interface type interface number Enable the function of tra...

Page 258: ...other VLAN to the MSTI z When CIST information does not need calculating you can use the stp bpdu tagged cist ignore command on the corresponding port to enable the function of ignoring CIST informat...

Page 259: ...e interface list Available in user view 1 13 MSTP Configuration Example 1 13 1 MSTP Configuration Example I Network requirements Configure MSTP so that packets of different VLANs are forwarded along d...

Page 260: ...Enter MST region view DeviceA system view DeviceA stp region configuration Configure the region name VLAN to instance mappings and revision level of the MST region DeviceA mst region region name exam...

Page 261: ...eviceB mst region instance 1 vlan 10 DeviceB mst region instance 3 vlan 30 DeviceB mst region instance 4 vlan 40 DeviceB mst region revision level 0 Activate MST region configuration manually DeviceB...

Page 262: ...MST instance 4 DeviceC stp instance 4 root primary View the MST region configuration information that has taken effect DeviceC display stp region configuration Oper configuration Format selector 0 Reg...

Page 263: ...ransparently I Network requirements z Switch A and Switch B are interconnected through a VPN network which permits only tagged packets to pass through z Ethernet 1 0 1 and Ethernet 1 0 2 of Switch A a...

Page 264: ...t 1 0 4 Switch B system view Switch B interface Ethernet1 0 3 Switch B Ethernet1 0 3 stp bpdu transparent forwarding Switch B Ethernet1 0 3 quit Switch B interface Ethernet1 0 4 Switch B Ethernet1 0 4...

Page 265: ...vlan 20 Switch A mst region active region configuration Switch A mst region quit Enable the function of tagging BPDUs on Ethernet 1 0 1 and Ethernet 1 0 2 of Switch A Switch A interface Ethernet 1 0...

Page 266: ...1 60 Enable the function of tagging BPDUs on Ethernet 1 0 3 and Ethernet 1 0 4 of Switch B Switch B interface Ethernet1 0 3 Switch B Ethernet1 0 3 stp bpdu tagged Switch B Ethernet1 0 3 quit Switch B...

Page 267: ...A Message 1 16 1 4 4 Configuring the Number of Attempts to Send an NS Message for DAD 1 19 1 5 Configuring PMTU Discovery 1 19 1 5 1 Configuring a Static PMTU for a Specified IPv6 Address 1 19 1 5 2 C...

Page 268: ...xample 3 7 3 4 Configuring Automatic IPv4 Compatible IPv6 Tunnel 3 10 3 4 1 Configuration Prerequisites 3 10 3 4 2 Configuration Procedure 3 11 3 4 3 Configuration Example 3 13 3 5 Configuring 6to4 Tu...

Page 269: ...ation z IPv6 Configuration Example z Troubleshooting IPv6 Basics Configuration Note The term router or the router icon in this document refers to a router in a generic sense or a Layer 3 Ethernet swit...

Page 270: ...rison between IPv4 packet header format and basic IPv6 packet header format II Adequate address space The source and destination IPv6 addresses are both 128 bits 16 bytes long IPv6 can provide 3 4 x 1...

Page 271: ...xchange between neighbor nodes on the same link The group of ICMPv6 messages takes the place of Address Resolution Protocol ARP message Internet Control Message Protocol version 4 ICMPv4 router discov...

Page 272: ...ss in any of the notations and prefix length is a decimal number indicating how many bits from the utmost left of an IPv6 address are the address prefix II IPv6 address classification IPv6 addresses f...

Page 273: ...ervice providers The type of address allows efficient route prefix aggregation to restrict the number of global routing entries z The link local address is used for communication between link local no...

Page 274: ...0 0 1 FFXX XXXX Where FF02 0 0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 unicast or anycast address V Interface identifier in IEEE EUI 64 format Interf...

Page 275: ...sage 136 When the link layer changes the local node initiates an NA message to notify neighbor nodes of the node information change Router solicitation RS message 133 After started a node sends an RS...

Page 276: ...A and unicasts an NA message containing its link layer address 3 Node A acquires the link layer address of node B from the NA message II Neighbor reachability detection After node A acquires the link...

Page 277: ...prefix discovery means that a node locates the neighboring routers and learns the prefix of the network where the host is located and other configuration parameters from the received RA message Statel...

Page 278: ...lect a better next hop to forward packets similar to the ICMP redirection function in IPv4 The gateway will send an IPv6 ICMP redirect message when the following conditions are satisfied z The receivi...

Page 279: ...the destination host is determined 1 1 5 Introduction to IPv6 DNS In the IPv6 network a Domain Name System DNS supporting IPv6 converts domain names into IPv6 addresses instead of IPv4 addresses Howe...

Page 280: ...1 2 IPv6 Basics Configuration Task List Complete the following tasks to perform IPv6 basics configuration Task Remarks Configuring Basic IPv6 Functions Required Configuring IPv6 NDP Optional Configur...

Page 281: ...e interface z Manual assignment IPv6 link local addresses can be assigned manually Follow these steps to configure an IPv6 unicast address To do Use the command Remarks Enter system view system view E...

Page 282: ...v6 address auto link local command However if an IPv6 site local address or aggregatable global unicast address is already configured for an interface the interface still has a link local address beca...

Page 283: ...e port number belongs to the VLAN specified by vlan id After a static neighbor entry is configured the device relates the VLAN interface to an IPv6 address to uniquely identify a static neighbor entry...

Page 284: ...me link can perform stateless autoconfiguration operations M flag This field determines whether hosts use the stateful autoconfiguration to acquire IPv6 addresses If the M flag is set to 1 hosts use t...

Page 285: ...ghbor reachable within the time of Reachable Time Follow these steps to configure parameters related to an RA message To do Use the command Remarks Enter system view system view Configure the current...

Page 286: ...onfiguration Set the O flag bit to 1 ipv6 nd autoconfig other flag Optional By default the O flag bit is set to 0 that is hosts acquire other information through stateless autoconfiguration Configure...

Page 287: ...ptional 1 by default When the value argument is set to 0 DAD is disabled 1 5 Configuring PMTU Discovery 1 5 1 Configuring a Static PMTU for a Specified IPv6 Address You can configure a static PMTU for...

Page 288: ...establishment fails z finwait timer When the IPv6 TCP connection status is FIN_WAIT_2 the finwait timer is triggered If no packet is received before the finwait timer expires the IPv6 TCP connection i...

Page 289: ...based on the HASH algorithm ipv6 fib loadbalance type hash based Configure the IPv6 FIB load sharing mode Configure the load sharing based on polling undo ipv6 fib loadbalance type hash based Optional...

Page 290: ...ed 1 8 2 Enable Sending of Multicast Echo Replies If hosts are capable of relying multicast echo requests Host A can attack Host B by sending an echo request with the source being Host B to a multicas...

Page 291: ...that you only need to enter some fields of a domain name and the system can automatically add the preset suffix for address resolution The system can support at most 10 DNS suffixes Follow these step...

Page 292: ...rface type interface number Display neighbor information display ipv6 neighbors ipv6 address all dynamic interface interface type interface number static vlan vlan id begin exclude include text Availa...

Page 293: ...IPv6 UDP packets reset udp ipv6 statistics Available in user view Note The display dns domain command is the same as the one of IPv4 DNS For details about the commands refer to DNS Commands 1 11 IPv6...

Page 294: ...v6 nd ra halt z Configuration on Switch B Enable the IPv6 packet forwarding function SwitchB system view SwitchB ipv6 Configure VLAN interface 2 to automatically generate a link local address SwitchB...

Page 295: ...s 2001 64 3001 2 subnet is 3001 64 Joined group address es FF02 1 FF00 2 FF02 1 FF00 1 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 millisecond...

Page 296: ...k Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 1 hop limit 255 time 40 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 2 hop limit 255 time 70 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Seq...

Page 297: ...uration I Symptom The peer IPv6 address cannot be pinged II Solution z Use the display current configuration command in any view or the display this command in system view to check that the IPv6 packe...

Page 298: ...r an IPv6 node to be compatible with an IPv4 node is to maintain a complete IPv4 stack A network node that supports both IPv4 and IPv6 is called a dual stack node A dual stack node configured with an...

Page 299: ...to enable IPv4 IPv6 dual stack supporting by using the switch mode dual ipv4 ipv6 command Otherwise IPv6 packets cannot be forwarded even if dual stack is enabled 2 2 2 Configuring Dual Stack You must...

Page 300: ...format ipv6 address ipv6 address prefix le ngth eui 64 Use either command By default no local address or global unicast address is configured on an interface Automatically create an IPv6 link local ad...

Page 301: ...ver the network A tunnel is a virtual point to point connection In practice the virtual interface that supports only point to point connections is called tunnel interface One tunnel provides one chann...

Page 302: ...e device at the destination end decapsulates the packet if the destination address of the encapsulated packet is the device itself 4 The destination device forwards the packet according to the destina...

Page 303: ...are adopted at both ends of such a tunnel The address format is 0 0 0 0 0 0 a b c d 96 where a b c d represents an embedded IPv4 address The tunnel destination is automatically determined by the embe...

Page 304: ...IPv6 routers or between a host and an IPv6 router over an IPv4 network Figure 3 2 Principle of ISATAP tunnel IV Expedite termination For a tunnel packet arriving at the device if the source IP address...

Page 305: ...nnel 3 3 1 Configuration Prerequisites IP addresses are configured for interfaces such as the VLAN interface and loopback interface on the device These interfaces serve as the source interfaces of tun...

Page 306: ...Pv6 global unicast address or site local address is configured Specify the IPv6 manual tunnel mode tunnel protocol ipv6 ipv4 Required By default the tunnel mode is manual The same tunnel type should b...

Page 307: ...ext hop to the tunnel interface number or network address at the local end of the tunnel Such configurations must be performed at both ends of the tunnel z Before configuring dynamic routes you must e...

Page 308: ...1 0 2 SwitchA vlan100 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ip address 192 168 100 1 255 255 255 0 SwitchA Vlan interface100 quit Configure a manual IPv6 tunnel SwitchA...

Page 309: ...otocol ipv6 ipv4 Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchB Tunnel0 aggregation group 1 IV Configuration verification After the above configurations di...

Page 310: ...hop limit 64 time 31 ms Reply from 3001 2 bytes 56 Sequence 2 hop limit 64 time 16 ms Reply from 3001 2 bytes 56 Sequence 3 hop limit 64 time 1 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 ti...

Page 311: ...dress ipv6 address ipv6 address link local Optional By default after an interface is configured with a local IPv6 address or global unicast address the link local address is generated automatically ip...

Page 312: ...el interface Configure the service loop group ID to be referenced by the tunnel interface aggregation group aggregation group id Required By default no link aggregation group ID is referenced Enable t...

Page 313: ...s the destination IP address of the packet instead of the IPv4 address of the tunnel destination and set the next hop to the tunnel interface number or network address at the local end of the tunnel S...

Page 314: ...an automatic IPv4 comptabile IPv6 tunnel SwitchA interface Tunnel 0 SwitchA Tunnel0 ipv6 address 2 1 1 1 96 SwitchA Tunnel0 source Vlan interface 100 SwitchA Tunnel0 tunnel protocol ipv6 ipv4 auto tun...

Page 315: ...ress of the tunnel peer from Router A SwitchA ping ipv6 2 1 1 2 PING 2 1 1 2 56 data bytes press CTRL_C to break Reply from 2 1 1 2 bytes 56 Sequence 1 hop limit 255 time 219 ms Reply from 2 1 1 2 byt...

Page 316: ...length eui 64 Required Use either command By default no IPv6 global unicast address or site local address is configured for the tunnel interface ipv6 address auto link local Configure an IPv6 address...

Page 317: ...ace on a device the slot of the tunnel interface should be that of the source interface namely the interface sending packets In this way the forwarding efficiency can be improved z If the addresses of...

Page 318: ...for a 6to4 tunnel III Configuration procedure z Configuration on Switch A Enable IPv6 SwitchA system view SwitchA ipv6 Configure a link aggregation group Disable STP on the port before adding it into...

Page 319: ...urce vlan interface 100 SwitchA Tunnel0 tunnel protocol ipv6 ipv4 6to4 SwitchA Tunnel0 quit Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchA Tunnel0 aggregat...

Page 320: ...he 6to4 tunnel SwitchB interface tunnel 0 SwitchB Tunnel0 ipv6 address 2002 0501 0101 1 64 SwitchB Tunnel0 source vlan interface 100 SwitchB Tunnel0 tunnel protocol ipv6 ipv4 6to4 SwitchB Tunnel0 quit...

Page 321: ...uired By default the IPv6 forwarding function is disabled Create a tunnel interface and enter tunnel interface view interface tunnel number Required By default there is no tunnel interface on the devi...

Page 322: ...the tunnel source ip address interface type interface number Required By default no source address or interface is configured for the tunnel Reference a link aggregation group aggregation group aggreg...

Page 323: ...unnel interface number or network address at the local end of the tunnel Such a route must be configured at both ends of the tunnel z Before referencing a link aggregation group on the tunnel interfac...

Page 324: ...0 ipv6 address 2001 1 64 eui 64 Switch Tunnel0 source vlan interface 101 Switch Tunnel0 tunnel protocol ipv6 ipv4 isatap Configure the tunnel to reference link aggregation group 1 in tunnel interface...

Page 325: ...nterface 2 Automatic Tunneling Pseudo Interface Guid 48FCE3FC EC30 E50E F1A7 71172AEEE3AE does not use Neighbor Discovery uses Router Discovery routing preference 1 EUI 64 embedded IPv4 address 2 1 1...

Page 326: ...onfiguration of related parameters such as tunnel source address tunnel destination address and tunnel type the tunnel interface is still not up Solution Follow the steps below 1 The common cause is t...

Page 327: ...1 1 1 1 1 Routing 1 1 1 1 2 Routing Through a Routing Table 1 1 1 2 Routing Protocol Overview 1 3 1 2 1 Static Routing and Dynamic Routing 1 3 1 2 2 Classification of Dynamic Routing Protocols 1 3 1 2...

Page 328: ...through routers Upon receiving a packet a router finds an optimal route based on the destination address and forwards the packet to the next router in the path until the packet reaches the last router...

Page 329: ...rface is configured its address will be the IP address of the next hop z Priority for the route Routes to the same destination but having different nexthops may have different priorities and be found...

Page 330: ...able networks with simple topologies Its major drawback is that you must perform routing configuration again whenever the network topology changes it cannot adjust to network changes by itself Dynamic...

Page 331: ...d and calculated III Type of the destination address z Unicast routing protocols RIP OSPF BGP and IS IS z Multicast routing protocols PIM SM and PIM DM This chapter focuses on unicast routing protocol...

Page 332: ...n be configured with a different priority z IPv4 and IPv6 routes have their own respective routing tables 1 2 4 Load Balancing and Route Backup I Load balancing In multi route mode a routing protocol...

Page 333: ...bution mechanism For detailed information refer to the description about route redistribution in each routing protocol 1 3 Displaying and Maintaining a Routing Table To do Use the command Remarks Disp...

Page 334: ...v6 address prefix length longer match verbose Display routing information permitted by an IPv6 ACL display ipv6 routing table acl acl6 number verbose Display routing information permitted by an IPv6 p...

Page 335: ...onfiguring RIP Basic Functions 2 6 2 2 1 Configuration Prerequisites 2 6 2 2 2 Configuration Procedure 2 6 2 3 Configuring RIP Route Control 2 8 2 3 1 Configuring an Additional Routing Metric 2 8 2 3...

Page 336: ...1 Prerequisites 3 23 3 3 2 Configuration Procedure 3 23 3 4 Configuring OSPF Area Parameters 3 24 3 4 1 Prerequisites 3 24 3 4 2 Configuration Procedure 3 25 3 5 Configuring OSPF Network Types 3 25 3...

Page 337: ...Capability 3 42 3 8 2 Configuring the OSPF GR Helper 3 43 3 8 3 Triggering OSPF Graceful Restart 3 44 3 9 Displaying and Maintaining OSPF 3 45 3 10 OSPF Configuration Examples 3 46 3 10 1 Configuring...

Page 338: ...Host Name Mapping 4 31 4 5 8 Configuring IS IS Authentication 4 32 4 5 9 Configuring LSDB Overload Tag 4 33 4 5 10 Logging the Adjacency Changes 4 33 4 5 11 Enabling an Interface to Send Small Hello...

Page 339: ...eer Groups 5 34 5 7 3 Configuring BGP Community 5 35 5 7 4 Configuring a BGP Route Reflector 5 35 5 7 5 Configuring a BGP Confederation 5 36 5 8 Configuring BGP GR 5 37 5 9 Displaying and Maintaining...

Page 340: ...iguring a Routing Policy 6 6 6 4 1 Prerequisites 6 6 6 4 2 Creating a Routing Policy 6 6 6 4 3 Defining if match Clauses for the Routing Policy 6 7 6 4 4 Defining apply Clauses for the Routing Policy...

Page 341: ...usage of static routes can improve network performance and ensure bandwidth for important network applications The disadvantage of using static routes is that they cannot adapt to network topology ch...

Page 342: ...he destination address of the packet The system can find the corresponding link layer address and forward the packet only after the next hop address is specified When specifying the output interface n...

Page 343: ...reference preference value tag tag value description description text Configure a static route ip route static vpn instance s vpn instance name 1 6 dest address mask mask length gateway address bfd co...

Page 344: ...D session otherwise the BFD function cannot work To implement BFD with the echo packet mode the BFD function can work without the remote end needing to create any BFD session z If route oscillation oc...

Page 345: ...ch B SwitchB system view SwitchB ip route static 1 1 2 0 255 255 255 0 1 1 4 1 SwitchB ip route static 1 1 3 0 255 255 255 0 1 1 5 6 Configure a default route on Switch C SwitchC system view SwitchC i...

Page 346: ...the IP routing table of Switch B SwitchB display ip routing table Routing Tables Public Destinations 10 Routes 10 Destination Mask Proto Pre Cost NextHop Interface 1 1 2 0 24 Static 60 0 1 1 4 1 Vlan...

Page 347: ...applicable to complex networks RIP is still widely used in practical networking due to easier implementation configuration and maintenance than OSPF and IS IS 2 1 1 RIP Working Mechanism I Basic conce...

Page 348: ...ppressed state In the suppressed state only routes which come from the same neighbor and whose metric is less than 16 will be received by the router to replace unreachable routes z The garbage collect...

Page 349: ...t only RIPv1 protocol messages do not carry mask information which means it can only recognize routing information of natural networks such as Class A B C That is why RIPv1 does not support discontigu...

Page 350: ...r a host address z Metric Cost of the route II RIPv2 message format The format of RIPv2 message is similar with RIPv1 Figure 2 2 shows it Figure 2 2 RIPv2 Message Format The differences from RIPv1 are...

Page 351: ...entication is adopted Note z RFC 1723 only defines plain text authentication For information about MD5 authentication refer to RFC2082 RIPv2 MD5 Authentication z With RIPv1 you can configure the authe...

Page 352: ...work network address Required Disabled by default Note z If you make some RIP configurations in interface view before enabling RIP those configurations will take effect after RIP is enabled z RIP runs...

Page 353: ...sion otherwise it uses the RIP version configured on it z With RIPv1 configured an interface sends RIPv1 broadcasts and can receive RIPv1 broadcasts and RIPv1 unicasts z With RIPv2 configured a multic...

Page 354: ...ty for RIP z Configuring RIP Route Redistribution Before configuring RIP routing feature complete the following tasks z Configure an IP address for each interface and make sure all neighboring routers...

Page 355: ...le RIPv2 route automatic summarization if you want to advertise all subnet routes Follow these steps to enable RIPv2 route automatic summarization To do Use the command Remarks Enter system view Syste...

Page 356: ...case you can disable RIP from receiving host routes to save network resources Follow these steps to disable RIP from receiving host routes To do Use the command Remarks Enter system view System view E...

Page 357: ...ps to configure route filtering To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance vpn instance name Configure the filtering of incoming routes filt...

Page 358: ...tional 100 by default 2 3 7 Configuring RIP Route Redistribution Follow these steps to configure RIP route redistribution To do Use the command Remarks Enter system view system view Enter RIP view rip...

Page 359: ...arbage collect timer are 30s 180s 120s and 120s respectively Note Based on network performance you need to make RIP timers of RIP routers identical to each other to avoid unnecessary traffic or route...

Page 360: ...rface number Enable poison reverse rip poison reverse Required Disabled by default 2 4 3 Configuring the Maximum Number of Load Balanced Routes Follow these steps to configure the maximum number of lo...

Page 361: ...e same network segment RIP discards the message For a message received on a serial interface RIP checks whether the source address of the message is the IP address of the peer interface If not RIP dis...

Page 362: ...t or multicast links you need to manually specify RIP neighbors If a specified neighbor is not directly connected you must disable source address check on incoming updates Follow these steps to specif...

Page 363: ...id vpn instance vpn instance name Display all active routes in RIP database display rip process id database Display RIP interface information display rip process id interface interface type interface...

Page 364: ...0 0 0 SwitchB rip 1 quit Display the RIP routing table of Switch A SwitchA display rip 1 route Route Flags R RIP T TRIP P Permanent A Aging S Suppressed G Garbage collect Peer 192 168 1 2 on Vlan inte...

Page 365: ...running on Switch B which communicates with Switch A through RIP100 and with Switch C through RIP 200 Configure route redistribution on Switch B letting the two RIP processes redistribute routes from...

Page 366: ...Switch C SwitchC system view SwitchC rip 200 SwitchC rip 200 network 3 0 0 0 SwitchC rip 200 network 4 0 0 0 SwitchC rip 200 network 5 0 0 0 SwitchC rip 200 version 2 SwitchC rip 200 undo summary Dis...

Page 367: ...0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 4 Configure an filtering policy to filter redistributed routes Define ACL 2000 and reference it to a filtering policy to filter routes redistributed from RI...

Page 368: ...ent configuration command to check RIP configuration z Use the display rip command to check whether some interface is disabled 2 7 2 Route Oscillation Occurred Symptom When all links work well route o...

Page 369: ...ute Control z Configuring OSPF Network Optimization z Configuring OSPF Graceful Restart z Displaying and Maintaining OSPF z OSPF Configuration Examples z Troubleshooting OSPF Configuration Note z The...

Page 370: ...et multicasting on some types of links 3 1 1 Basic Concepts I Autonomous System A set of routers using the same routing protocol to exchange routing information constitute an Autonomous System AS II O...

Page 371: ...eded LSAs to the neighbor z LSAck link state acknowledgment packet Acknowledges received LSU packets It contains the headers of received LSAs a packet can acknowledge multiple LSAs V LSA types OSPF se...

Page 372: ...o packet via the OSPF interface and the router that receives the hello packet checks parameters carried in the packet If parameters of the two routers match they become neighbors Adjacency A relations...

Page 373: ...long to one OSPF area 2 Area Border Router ABR An area border router belongs to more than two areas one of which must be the backbone area It connects the backbone area to a non backbone area The conn...

Page 374: ...ity to the backbone area z The backbone area itself must maintain connectivity In practice due to physical limitations the requirements may not be satisfied In this case configuring OSPF virtual links...

Page 375: ...stub area does not distribute Type 5 LSAs into the area so the routing table size and amount of routing information in this area are reduced significantly You can configure the stub area as a totally...

Page 376: ...o Area 1 Like stub areas virtual links cannot transit NSSA areas Figure 3 5 NSSA area VI Route summarization Route summarization An ABR or ASBR summarizes routes with the same prefix with a single rou...

Page 377: ...le with the cost of an OSPF internal route The cost from a router to the destination of the Type 1 external route the cost from the router to the corresponding ASBR the cost from the ASBR to the desti...

Page 378: ...networks are fully meshed non broadcast and multi access P2MP networks are not required to be fully meshed z It is required to elect the DR and BDR on NBMA networks while DR and BDR are not available...

Page 379: ...an interface determines its qualification for DR BDR election Interfaces attached to the network and having priorities higher than 0 are election candidates The election votes are hello packets Each...

Page 380: ...DD LSR LSU and LSAck respectively z Packet length Total length of the OSPF packet in bytes including the header z Router ID ID of the advertising router z Area ID ID of the area where the advertising...

Page 381: ...ed with the router s sending interface If two routers have different network masks they cannot become neighbors z HelloInterval Interval for sending hello packets If two routers have different interva...

Page 382: ...t to 1 if more DD Packets are to follow z MS Master Slave The Master Slave bit When set to 1 it indicates that the router is the master during the database exchange process Otherwise the router is the...

Page 383: ...Determined by LSA type z Advertising Router ID of the router that sent the LSA V LSU packet LSU Link State Update packets are used to send the requested LSAs to peers and each packet carries a collec...

Page 384: ...r as shown in the following figure Figure 3 15 LSA header format Major fields z LS age Time in seconds elapsed since the LSA was originated A LSA ages in the LSDB added by 1 per second but does not in...

Page 385: ...r of router links interfaces to the area described in the LSA z Link ID Determined by Link type z Link Data Determined by Link type z Type Link type A value of 1 indicates a point to point link to a r...

Page 386: ...ncluding the DR itself 3 Summary LSA Network summary LSAs Type 3 LSAs and ASBR summary LSAs Type 4 LSAs are originated by ABRs Other than the difference in the Link State ID field the format of type 3...

Page 387: ...oute the Link State ID is always set to Default Destination 0 0 0 0 and the Network Mask is set to 0 0 0 0 z Network Mask The IP address mask for the advertised destination z E External Metric The typ...

Page 388: ...eractions between different routing protocols Multiple OSPF processes can use the same RID An interface of a router can only belong to a single OSPF process II Authentication OSPF supports authenticat...

Page 389: ...e upon receiving the responses from neighbors After reestablishing a neighbor relationship the GR Restarter will synchronize the LSDB and exchange routing information with all adjacent GR capable neig...

Page 390: ...LSA Minimum Repeat Arrival Interval Optional Specifying the LSA Generation Interval Optional Disabling Interfaces from Sending OSPF Packets Optional Configuring Stub Routers Optional Configuring OSPF...

Page 391: ...nfigure an OSPF process to run in a specified VPN instance to configure an association between the two The configurations for routers in an area are performed on the area basis Wrong configurations ma...

Page 392: ...residing on the AS boundary you can configure them as stub areas to further reduce the size of routing tables on routers in these areas and the number of LSAs A stub area cannot redistribute routes a...

Page 393: ...lts to 1 Configure a virtual link vlink peer router id hello seconds retransmit seconds trans delay seconds dead seconds simple plain cipher password md5 hmac md5 key id plain cipher password Optional...

Page 394: ...neighboring nodes accessible with each other at network layer z OSPF basic functions 3 5 2 Configuring the OSPF Network Type for an Interface Follow these steps to configure the OSPF network type for...

Page 395: ...e type interface number Configure a router priority for the interface ospf dr priority priority Optional The default router priority is 1 Note The DR priority configured with the ospf dr priority comm...

Page 396: ...SPF areas on an ABR To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Enter OSPF area view area area id Require...

Page 397: ...by default Note Since OSPF is a link state based interior gateway protocol routing information is contained in LSAs However OSPF cannot filter LSAs Using the filter policy import command is to filter...

Page 398: ...e a bandwidth reference value To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Configure a bandwidth reference...

Page 399: ...process id router id router id vpn instance instance name Configure the maximum number of equivalent load balanced routes maximum load balancing maximum Optional 4 by default 3 6 8 Configuring a Prio...

Page 400: ...quired Not configured by default Configure OSPF to filter redistributed routes before advertisement filter policy acl number ip prefix ip prefix name export protocol process id Optional Not configured...

Page 401: ...rk Optimization You can optimize your OSPF network in the following ways z Change OSPF packet timers to adjust the OSPF network convergence speed and network load On low speed links you need to consid...

Page 402: ...and defaults to 30 seconds on P2MP and NBMA interfaces Specify the poll interval ospf timer poll seconds Optional The poll interval defaults to 120 seconds Specify the dead interval ospf timer dead se...

Page 403: ...nges frequently a large amount of network resources will be occupied reducing the working efficiency of routers You can adjust the SPF calculation interval for the network to reduce negative influence...

Page 404: ...1000 milliseconds Note The interval set with the lsa arrival interval command should be smaller or equal to the interval set with the lsa generation interval command 3 7 6 Specifying the LSA Generatio...

Page 405: ...esses can disable the same interface from sending OSPF packets Use of the silent interface command disables only the interfaces associated with the current process rather than interfaces associated wi...

Page 406: ...d Not configured by default Note A stub router has nothing to do with a stub area 3 7 9 Configuring OSPF Authentication By supporting packet authentication OSPF receives packets that pass the authenti...

Page 407: ...into DD Packets Generally when an interface sends a DD packet it adds 0 into the Interface MTU field of the DD packet rather than the interface MTU Follow these steps to add the interface MTU into DD...

Page 408: ...them compatible To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Required Make RFC1583 compatible rfc1583 com...

Page 409: ...techange viriftxretransmit virnbrstatechange Optional Enabled by default Enter OSPF view ospf process id router id router id vpn instance instance name Enable messages logging enable log config error...

Page 410: ...f opaque LSAs opaque capability enable Required Disabled by default Enable the IETF standard Graceful Restart capability for OSPF graceful restart ietf Optional Disabled by default Configure the Grace...

Page 411: ...l restart ietf command can act as a GR Restarter and GR Helper at the same time z A device not configured with the graceful restart ietf command can act as a GR Helper only 3 8 2 Configuring the OSPF...

Page 412: ...rigger OSPF Graceful Restart Ensure that these routers are enabled with the following capabilities first z LLS link local signaling z OOB out of band re synchronization z Opaque LSA advertisement z IE...

Page 413: ...eer statistics Display next hop information display ospf process id nexthop Display routing table information display ospf process id routing interface interface type interface number nexthop nexthop...

Page 414: ...process id redistribution Available in user view 3 10 OSPF Configuration Examples Note These examples only cover commands for OSPF configuration 3 10 1 Configuring OSPF Basic Functions I Network requi...

Page 415: ...spf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 192 168 0 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 area 2 SwitchB ospf 1 area 0 0 0 2 network 192 168 2 0 0 0 0 255 Swi...

Page 416: ...Normal State Full Mode Nbr is Slave Priority 1 DR 192 168 0 1 BDR 172 16 1 1 MTU 0 Dead timer due in 39 sec Neighbor is up for 00 07 32 Authentication Sequence 0 Display OSPF routing information on S...

Page 417: ...8 28 80000001 3124 Sum Net 192 168 0 0 192 168 0 1 630 28 80000001 1562 Display OSPF routing information on Switch D SwitchD display ospf routing OSPF Process 1 with Router ID 192 168 2 2 Routing Tabl...

Page 418: ...n between areas Switch D acts as the ASBR to redistribute routes static routes It is required to configure Area 1 as a Stub area reducing LSAs to this area without affecting route reachability II Netw...

Page 419: ...24 4687 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 192 168 1 0 24 1562 Stub 192 168 1 2 172 16 1 1 0 0 0 1 192 168 2 0 24 4686 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 192 168 0 0 24 3124 Inter are...

Page 420: ...24 1 Stub 172 16 1 1 172 16 1 1 0 0 0 1 172 17 1 0 24 68660 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 192 168 1 0 24 1562 Stub 192 168 1 2 172 16 1 1 0 0 0 1 192 168 2 0 24 68659 Inter area 192 168...

Page 421: ...one default external route 3 10 3 Configuring an OSPF NSSA Area I Network requirements The following figure shows an AS is split into three areas where all switches run OSPF Switch A and Switch B act...

Page 422: ...configure the nssa command with the keyword default route advertise no summary on Switch A an ABR to reduce the routing table size on NSSA routers On other NSSA routers using the nssa command is ok D...

Page 423: ...92 168 0 2 0 0 0 2 192 168 2 0 24 1562 Stub 192 168 2 2 172 17 1 1 0 0 0 2 192 168 0 0 24 3124 Inter area 192 168 2 1 192 168 0 2 0 0 0 2 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 1...

Page 424: ...Configure Switch A SwitchA system view Switch A router id 1 1 1 1 Switch A ospf Switch A ospf 1 area 0 Switch A ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 quit SwitchA...

Page 425: ...e Priority 1 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 38 sec Neighbor is up for 00 01 31 Authentication Sequence 0 Router ID 3 3 3 3 Address 192 168 1 3 GR State Normal State Full Mode N...

Page 426: ...168 1 4 Vlan interface1 s neighbors Router ID 1 1 1 1 Address 192 168 1 1 GR State Normal State Full Mode Nbr is Slave Priority 100 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 31 sec Neighb...

Page 427: ...mer due in 39 sec Neighbor is up for 00 01 40 Authentication Sequence 0 Router ID 2 2 2 2 Address 192 168 1 2 GR State Normal State 2 Way Mode None Priority 0 DR 192 168 1 1 BDR 192 168 1 3 MTU 0 Dead...

Page 428: ...interface OSPF Process 1 with Router ID 2 2 2 2 Interfaces Area 0 0 0 0 IP Address Type State Cost Pri DR BDR 192 168 1 2 Broadcast DROther 1 0 192 168 1 1 192 168 1 3 Note The interface state DROthe...

Page 429: ...ospf 1 area 1 SwitchA ospf 1 area 0 0 0 1 network 192 168 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 1 quit Configure Switch B SwitchB system view SwitchB ospf 1 router id 2 2 2 2 SwitchB ospf 1 area 1 S...

Page 430: ...0 0 0 1 quit SwitchA ospf 1 quit Configure Switch B SwitchB ospf 1 SwitchB ospf 1 area 1 SwitchB ospf 1 area 0 0 0 1 vlink peer 1 1 1 1 SwitchB ospf 1 area 0 0 0 1 quit Display OSPF routing informatio...

Page 431: ...h C Switch B Router ID 1 1 1 1 Router ID 2 2 2 2 Router ID 3 3 3 3 Figure 3 26 Network diagram for OSPF based GR configuration III Configuration procedure 1 Configure Switch A SwitchA system view Swit...

Page 432: ...SwitchC ospf 100 SwitchC ospf 100 enable link local signaling SwitchC ospf 100 enable out of band resynchronization SwitchC ospf 100 area 0 SwitchC ospf 100 area 0 0 0 0 network 192 1 1 0 0 0 0 255 Sw...

Page 433: ...other areas If a router connects to more than one area at least one area must be connected to the backbone The backbone cannot be configured as a Stub area In a Stub area all routers cannot receive ex...

Page 434: ...al use the ranges assuming the switch operate in the default mode When the switch operates in the IPv4 IPv6 dual stack or the MCE mode the value ranges of some parameters may vary For the operating mo...

Page 435: ...Link State Packet LSP Each IS can generate a LSP which contains all the link state information of the IS z Network Protocol Data Unit NPDU An NPDU is a network layer protocol packet in ISO which is eq...

Page 436: ...er ID the system ID in IS IS can be obtained in the following way z Extend each decimal number of the IP address to 3 digits by adding 0s from the left like 168 010 001 001 z Divide the extended IP ad...

Page 437: ...The Level 1 router only establishes the neighbor relationship with Level 1 and Level 1 2 routers in the same area The LSDB maintained by the Level 1 router contains the local area routing information...

Page 438: ...rea 1 is a set of Level 2 routers called backbone network The other four areas are non backbone networks connected to the backbone through Level 1 2 routers Figure 4 2 IS IS topology Figure 4 3 shows...

Page 439: ...type by configuring the routing hierarchy on the interface For example the level 1 interface can only establish Level 1 adjacency while the level 2 interface can only establish Level 2 adjacency By h...

Page 440: ...such as PPP HDLC Note For the Non Broadcast Multi Access NBMA network such as ATM you need to configure point to point or broadcast network on its configured subinterfaces IS IS does not run on Point...

Page 441: ...des can reduce LSPs the resources used by SPF and simplify the network topology Note On IS IS broadcast networks all routers are adjacent with each other The DIS is responsible for the synchronization...

Page 442: ...cific headers present in bytes z Version Protocol ID Extension Set to 1 0x01 z ID Length The length of the NSAP address and NET ID z R Reserved Set to 0 z PDU Type For detail information refer to Tabl...

Page 443: ...cast networks where the blue fields are the common header Figure 4 7 L1 L2 LAN IIH format z Reserved Circuit Type The first 6 bits are reserved with value 0 The last 2 bits indicates router types 00 m...

Page 444: ...me PDU length Local Circuit ID Variable length fields 1 ID length 2 2 1 Figure 4 8 P2P IIH format Instead of the priority and LAN ID fields in the LAN IIH the P2P IIH has a Local Circuit ID field IV L...

Page 445: ...nerated by the L1 L1 router only related with L1 LSP indicates that the router generating the LSP is connected with multiple areas z OL LSDB Overload Indicates that the LSDB is not complete because th...

Page 446: ...Level 2 PSNP CSNP covers the summary of all LSPs in the LSDB to synchronize the LSDB between neighboring routers On broadcast networks CSNP is sent by the DIS periodically 10s by default On point to...

Page 447: ...rotocol ID extension Length indicator Maximum area address R R PDU type No of Octets 1 1 1 1 1 1 1 1 PDU length Source ID Variable length fields 2 ID length 1 Figure 4 12 L1 L2 PSNP format VI CLV The...

Page 448: ...S process to work in concert with a group of interfaces This means that a router can run multiple IS IS processes and each process corresponds to a unique group of interfaces For routers supporting VP...

Page 449: ...r field allowing a maximum of only 256 fragments to be generated by an IS IS router limits the amount of link information that the IS IS router can advertise The LSP fragment extension feature allows...

Page 450: ...nk state information in the extended LSP fragments advertised by the virtual systems z Mode 2 This mode is recommended in a network where all the routers support LSP fragment extension In this mode al...

Page 451: ...z RFC 3373 Three Way Handshake for IS IS Point to Point Adjacencies z RFC 3567 Intermediate System to Intermediate System IS IS Cryptographic Authentication z RFC 3719 Recommendations for Interoperab...

Page 452: ...rface to Send Small Hello Packets Optional Tuning and Optimizing IS IS Network Enabling SNMP Trap Optional Configuring IS IS GR Optional 4 3 Configuring IS IS Basic Functions 4 3 1 Configuration Prere...

Page 453: ...sis circuit level level 1 level 1 2 level 2 Optional The default type is level 1 2 Note If a router s type is configured as Level 1 or Level 2 the type of interfaces must be the same which cannot be c...

Page 454: ...nk cost in descending order of interface costs z Interface cost Assign a link cost for a single interface z Global cost Assign a link cost for all interfaces z Automatically calculated cost Calculate...

Page 455: ...al IS IS cost circuit cost value level 1 level 2 Required Not specified by default III Enable automatic IS IS cost calculation Follow these steps to enable automatic IS IS cost calculation To do Use t...

Page 456: ...face cost is 40 if the interface bandwidth is in the range of 156 M to 622 M the interface cost is 30 if the interface bandwidth is in the range of 623 M to 2500 M the interface cost is 20 and the def...

Page 457: ...efault Note The cost of the summary route is the lowest cost among those summarized routes 4 4 6 Advertising a Default Route Follow these steps to advertise a default route To do Use the command Remar...

Page 458: ...view Enter IS IS view isis process id vpn instance vpn instance name Redistribute routes from another routing protocol import route isis process id ospf process id rip process id bgp allow ibgp direct...

Page 459: ...s from Level 2 to Level 1 Other routing policies specified for route reception and redistribution does not affect the route leaking 4 5 Tuning and Optimizing IS IS Network 4 5 1 Configuration Prerequi...

Page 460: ...interface view interface interface type interface number Specify the interval between hello packets isis timer hello seconds level 1 level 2 Optional 10 seconds by default Specify the number of hello...

Page 461: ...t applies to the level z On a point to point link if there is no response to a LSP sent by the local router within the specified retransmission interval the LSP is considered lost and the same LSP wil...

Page 462: ...LSP refresh interval timer lsp refresh seconds Optional 900 seconds by default Specify the maximum LSP aging time timer lsp max age seconds Optional 1200 seconds by default Specify LSP generation inte...

Page 463: ...ess enabled must not be less than 512 otherwise LSP fragment extension will not take effect z At least one virtual system needs to be configured for the router to generate extended LSP fragments 4 5 6...

Page 464: ...view system view Enter IS IS view isis process id vpn instance vpn instance name Assign a local host name is name sys name Required No name is assigned by default This command also enables the mappin...

Page 465: ...in order to authenticate neighbors All interfaces within a network must share the same authentication password at the same level Follow these steps to configure the authentication function To do Use...

Page 466: ...late a router from the IS IS network by setting the overload tag Follow these steps to configure the LSDB overload tag To do Use the command Remarks Enter system view system view Enter IS IS view isis...

Page 467: ...ce name Enable SNMP Trap is snmp traps enable Required Enabled by default 4 6 Configuring IS IS GR An ISIS restart may cause the termination of the adjacencies between a restarting router and its neig...

Page 468: ...these steps to configure GR on the GR Restarter and GR Helper respectively To do Use the command Remarks Enter system view system view Enable IS IS and enter IS IS view isis process id vpn instance vp...

Page 469: ...ilable in any view Display IS IS routing information display isis route ipv4 level 1 level 2 verbose process id vpn instance vpn instance name Available in any view Display SPF calculation log informa...

Page 470: ...D is in area 20 II Network diagram Figure 4 14 Network diagram for IS IS basic configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure IS IS Configure Sw...

Page 471: ...itchC interface vlan interface 300 SwitchC Vlan interface300 isis enable 1 SwitchC Vlan interface300 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 is level level 2 SwitchD...

Page 472: ...60 988 68 0 0 0 0000 0000 0002 00 00 0x00000008 0xe651 1189 68 0 0 0 0000 0000 0002 01 00 0x00000005 0xd2b3 1188 55 0 0 0 0000 0000 0003 00 00 0x00000014 0x194a 1190 111 1 0 0 0000 0000 0003 01 00 0x0...

Page 473: ...ATT P OL 0000 0000 0003 00 00 0x00000013 0xc73d 1003 100 0 0 0 0000 0000 0004 00 00 0x0000003c 0xd647 1194 84 0 0 0 0000 0000 0004 01 00 0x00000002 0xec96 1007 55 0 0 0 Self LSP Self LSP Extended ATT...

Page 474: ...10 NULL Vlan100 Direct D L 10 1 2 0 24 10 NULL Vlan200 Direct D L Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set ISIS 1 IPv4 Level 2 Forwarding Table IPV4 Destination IntCost Ext...

Page 475: ...in IS IS area 10 on a broadcast network Ethernet Switch A and Switch B are Level 1 2 switches Switch C is a Level 1 switch and Switch D is a Level 2 switch Change the DIS priority of Switch A to make...

Page 476: ...sis enable 1 SwitchC Vlan interface100 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 network entity 10 0000 0000 0004 00 SwitchD isis 1 is level level 2 SwitchD isis 1 quit...

Page 477: ...erfaces of Switch C SwitchC display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 Yes No Display information...

Page 478: ...System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 28s Type L2 L1L2 PRI 64 System Id 0000 0000 0004 Interface Vlan interface100 Circuit Id 0000 0000 00...

Page 479: ...for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 No No Display information about IS IS neighbors and interfaces of Switch D SwitchD display isis peer...

Page 480: ...itches ensuring that Switch A Switch B and Switch C can communicate with each other at layer 3 and dynamic route update can be implemented among them with IS IS The configuration procedure is omitted...

Page 481: ...t Supported Total Number of Interfaces 1 Restart Status RESTARTING T3 Timer Status Remaining Time 65535 T2 Timer Status Remaining Time 59 Interface Vlan1 T1 Timer Status Remaining Time 1 RA Not Receiv...

Page 482: ...ent z The value ranges of the parameters of the commands in this manual use the ranges assuming the switch operate in the default mode When the switch operates in the IPv4 IPv6 dual stack or the MCE m...

Page 483: ...ation with other BGP speakers When a BGP speaker receives a new route or a route better than the current one from another AS it will advertise the route to all the other BGP speakers in the local AS B...

Page 484: ...2 BGP open message format z Version This 1 byte unsigned integer indicates the protocol version number of the message The current BGP version is 4 z My Autonomous System This 2 byte unsigned integer...

Page 485: ...al length of the Path Attributes field in bytes A value of 0 indicates that no Network Layer Reachability Information field is present in this Update message z Path Attributes List of path attributes...

Page 486: ...ust be recognized by all BGP routers and must be included in every update message Routing information error occurs without this attribute z Well known discretionary Can be recognized by all BGP router...

Page 487: ...command have the IGP attribute z EGP Has the second highest priority Routes obtained via EGP have the EGP attribute z incomplete Has the lowest priority The source of routes with this attribute is un...

Page 488: ...are the same As shown in the above figure the BGP router in AS50 gives priority to the route passing AS40 for sending information to the destination 8 0 0 0 In some applications you can apply a routin...

Page 489: ...ncing information refer to BGP Route Selection Figure 5 7 NEXT_HOP attribute 4 MED MULTI_EXIT_DISC The MED attribute is exchanged between two neighboring ASs each of which does not advertise the attri...

Page 490: ...that is selected according to LOCAL_PREF EBGP Router B Router A Router C Router D D 8 0 0 0 NEXT_HOP 3 1 1 1 LOCAL_PREF 200 IBGP IBGP IBGP EBGP 2 1 1 1 8 0 0 0 LOCAL_PREF 100 NEXT_HOP 2 1 1 1 LOCAL_PR...

Page 491: ...route with the smallest ORIGINATOR_ID z Select the route advertised by the router with the smallest Router ID Note z CLUSTER_IDs of route reflectors form a CLUSTER_LIST If a route reflector receives a...

Page 492: ...the same AS_PATH ORIGIN LOCAL_PREF and MED z BGP load balancing is applicable between EBGPs between IBGPs and between confederations z If multiple routes to the same destination are available BGP sel...

Page 493: ...P Synchronization The routing information synchronization between IBGP and IGP is for avoidance of giving wrong directions to routers outside of the local AS If a non BGP router works in an AS a packe...

Page 494: ...urs the routing protocol sends an update to its neighbor and then the neighbor needs to recalculate routes and modify the routing table Therefore frequent route flaps consume large bandwidth and CPU r...

Page 495: ...ed with identical commands The peer group feature simplifies configuration of this kind When a peer is added into a peer group the peer enjoys the same route update policy as the peer group to improve...

Page 496: ...s act as clients connecting to the route reflector The route reflector forwards reflects routing information between clients BGP connections between clients need not be established The router neither...

Page 497: ...ore bandwidth resources You can use related commands to disable route reflection in this case Note After route reflection is disabled between clients routes between a client and a non client can still...

Page 498: ...6 BGP GR Note For GR Graceful Restart information refer to BFD GR Configuration 1 To establish a BGP session with a peer a BGP GR Restarter sends an OPEN message with GR capability to the peer 2 Upon...

Page 499: ...tended attributes In BGP 4 the three types of attributes for IPv4 namely NLRI NEXT_HOP and AGGREGATOR contains the IP address of the speaker generating the summary route are all carried in updates To...

Page 500: ...Capability for BGP 4 z RFC2439 BGP Route Flap Damping z RFC1997 BGP Communities Attribute z RFC2796 BGP Route Reflection z RFC3065 Autonomous System Confederations for BGP z draft ietf idr restart 08...

Page 501: ...z Since BGP employs TCP you need to specify IP addresses of peers which may not be neighboring routers z Using logical links can also establish BGP peer relationships z In general IP addresses of loo...

Page 502: ...er change Optional Enabled by default Enable the logging of peer state changes for a peer or peer group peer group name ip address log change Optional Enabled by default Specify a preferred value for...

Page 503: ...h TCP connections to the peers when using the outbound interfaces of the best routes as the source interfaces z In general direct physical links should be available between EBGP peers If not you can u...

Page 504: ...a network to the BGP routing table network ip address mask mask length short cut route policy route policy name Optional Not injected by default Note z The ORIGIN attribute of routes redistributed usi...

Page 505: ...route summarization is configured by default Choose either as needed if both are configured the manual route summarization takes effect 5 4 4 Advertising a Default Route to a Peer or Peer Group Follo...

Page 506: ...rt Reference an AS path ACL to filter routing information to a peer peer group peer group name ip address as path acl as path acl number export Reference an IP prefix list to filer routing information...

Page 507: ...cy as needed If several filtering policies are configured they are applied in the following sequence z filter policy import z peer filter policy import z peer as path acl import z peer ip prefix impor...

Page 508: ...tem view Enter BGP view bgp as number Configure BGP route dampening dampening half life reachable half life unreachable reuse suppress ceiling route policy route policy name Optional Not configured by...

Page 509: ...t as med Optional Not enabled by default Enable the comparison of MED of routes from each AS bestroute compare med Optional Not enabled by default Configure the MED attribute Enable the comparison of...

Page 510: ...default the router takes AS_PATH as a factor for best route selection Specify a fake AS number for a peer peer group peer group name ip address fake as as number Optional Not specified by default This...

Page 511: ...s can only find the fake AS number z The peer substitute as command is used only in specific networking environments Inappropriate use of the command may cause routing loops 5 6 Tuning and Optimizing...

Page 512: ...figuring this task you have configured BGP basic functions 5 6 2 Configuration Procedure Follow these steps to tune and optimize BGP networks To do Use the command Remarks Enter system view system vie...

Page 513: ...policy peer group name ip address keep all routes Optional Not kept by default Return to user view return Perform manual soft reset on BGP connections refresh bgp all ip address group group name exter...

Page 514: ...Configuring a Large Scale BGP Network In a large scale BGP network configuration and maintenance become difficult due to large numbers of BGP peers In this case configuring peer groups makes managemen...

Page 515: ...roup name as number as number Configu re a pure EBGP peer group Add a peer into the group peer ip address group group name as number as number Optional You can add multiple peers into the group The sy...

Page 516: ...es advertised to a peer peer group peer group name ip address route policy route policy name export Required Not configured by default Note z When configuring BGP community you need to configure a rou...

Page 517: ...y one route reflector and the router ID is used to identify the cluster You can configure multiple route reflectors to improve network stability In this case you need to specify the same cluster ID fo...

Page 518: ...y act as a GR Helper Follow these steps to configure BGP GR To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable GR Capability for BGP graceful restart Requi...

Page 519: ...number Display BGP CIDR routing information display bgp routing table cidr Display BGP routing information matching the specified BGP community display bgp routing table community aa nn 1 13 no adver...

Page 520: ...Remarks Reset all BGP connections reset bgp all Reset the BGP connections to an AS reset bgp as number Reset the BGP connection to a peer reset bgp ip address flap info Reset all EBGP connections res...

Page 521: ...200 1 1 2 24 Vlan int500 9 1 2 2 24 Switch B Vlan int400 9 1 1 1 24 Switch C Vlan int500 9 1 2 1 24 Vlan int200 200 1 1 1 24 Vlan int300 9 1 3 2 24 Vlan int300 9 1 3 1 24 Figure 5 16 Network diagram f...

Page 522: ...P routing table SwitchA bgp network 8 0 0 0 SwitchA bgp quit Configure Switch B SwitchB bgp 65009 SwitchB bgp peer 200 1 1 2 as number 65008 SwitchB bgp quit Display BGP peer information on Switch B S...

Page 523: ...al s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 8 0 0 0 200 1 1 2 0 0 65008i Display the BGP routing table on Switch C SwitchC display bgp routing tab...

Page 524: ...Routes 4 BGP Local router ID is 3 3 3 3 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 8 0 0 0 2...

Page 525: ...or BGP and IGP synchronization III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF omitted 3 Configure the EBGP connection Configure Switch A SwitchA system vi...

Page 526: ...m BGP on Switch B SwitchB ospf SwitchB ospf 1 import route bgp SwitchB ospf 1 quit Display routing table information on Switch C SwitchC display ip routing table Routing Tables Public Destinations 7 R...

Page 527: ...1 bytes 56 Sequence 1 ttl 254 time 15 ms Reply from 9 1 2 1 bytes 56 Sequence 2 ttl 254 time 31 ms Reply from 9 1 2 1 bytes 56 Sequence 3 ttl 254 time 47 ms Reply from 9 1 2 1 bytes 56 Sequence 4 ttl...

Page 528: ...1 as number 65009 SwitchA bgp peer 200 1 2 1 as number 65009 Inject route 8 0 0 0 8 to BGP routing table SwitchA bgp network 8 0 0 0 255 0 0 0 SwitchA bgp quit Configure Switch B SwitchB system view...

Page 529: ...ilable and the one with the next hop being 200 1 1 1 is the optimal because the ID of Switch B is smaller 3 Configure loading balancing Configure Switch A SwitchA bgp 65008 SwitchA bgp balance 2 Switc...

Page 530: ...rf PrefVal Path Ogn 8 0 0 0 0 0 0 0 0 0 i 9 1 1 0 24 200 1 2 1 0 0 65009i 200 1 1 1 100 0 65009i From the above information you can find the route with the next hop 200 1 2 1 is the best route because...

Page 531: ...witchB bgp peer 200 1 2 1 as number 10 SwitchB bgp peer 200 1 3 2 as number 30 SwitchB bgp quit Configure Switch C SwitchC system view SwitchC bgp 30 SwitchC bgp router id 3 3 3 3 SwitchC bgp peer 200...

Page 532: ...oute policy comm_policy permit node 0 SwitchA route policy apply community no export SwitchA route policy quit Apply the routing policy SwitchA bgp 10 SwitchA bgp peer 200 1 2 2 route policy comm_poli...

Page 533: ...from Switch C II Network diagram Figure 5 20 Network diagram for BGP route reflector configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure BGP connectio...

Page 534: ...Switch C SwitchC bgp 200 SwitchC bgp peer 193 1 1 2 reflect client SwitchC bgp peer 194 1 1 2 reflect client SwitchC bgp quit 4 Verify the above configuration Display the BGP routing table on Switch B...

Page 535: ...Vlan int400 Vlan int500 Vlan int100 Vlan int100 Vlan int200 Vlan int100 Vlan int100 Vlan int200 Device Interface IP address Device Interface IP address Switch A Vlan int100 200 1 1 1 24 Switch D Vlan...

Page 536: ...p quit Configure Switch C SwitchC system view SwitchC bgp 65003 SwitchC bgp router id 3 3 3 3 SwitchC bgp confederation id 200 SwitchC bgp confederation peer as 65001 65002 SwitchC bgp peer 10 1 2 1 a...

Page 537: ...router id 6 6 6 6 SwitchF bgp peer 200 1 1 1 as number 200 SwitchF bgp network 9 1 1 0 255 255 255 0 SwitchF bgp quit 5 Verify above configuration Display the routing table on Switch B SwitchB displa...

Page 538: ...display bgp routing table 9 1 1 0 BGP local router ID 4 4 4 4 Local AS number 65001 Paths 1 available 1 best BGP routing table entry information of 9 1 1 0 24 From 10 1 3 1 1 1 1 1 Relay Nexthop 0 0...

Page 539: ...lection configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF on Switch B C and D Configure Switch B SwitchB system view SwitchB ospf SwitchB ospf...

Page 540: ...SwitchB bgp quit Configure Switch C SwitchC bgp 200 SwitchC bgp peer 193 1 1 1 as number 100 SwitchC bgp peer 195 1 1 1 as number 200 SwitchC bgp quit Configure Switch D SwitchD bgp 200 SwitchD bgp pe...

Page 541: ...es 2 BGP Local router ID is 194 1 1 1 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 1 0 0 0 193...

Page 542: ...roubleshooting BGP 5 11 1 No BGP Peer Relationship Established I Symptom Display BGP peer information using the display bgp peer command The state of the connection to a peer cannot become established...

Page 543: ...al IPv4 Routing H3C S3610 S5510 Series Ethernet Switches Chapter 5 BGP Configuration 5 62 7 Use the display tcp status command to check the TCP connection 8 Check whether an ACL disabling TCP port 179...

Page 544: ...tion to Routing Policy 6 1 1 Routing Policy and Policy Routing A routing policy is used on the router for route inspection filtering attributes modifying when routes are received advertised or redistr...

Page 545: ...ng information advertised by certain routers will be received An IP prefix list is identified by name Each IP prefix list can comprise multiple items and each item which is identified by an index numb...

Page 546: ...match clauses on a node is in logical AND relationship Only when the matching conditions specified by all the if match clauses on the node are satisfied can routing information pass the node The appl...

Page 547: ...tem Follow these steps to define an IPv4 prefix list To do Use the command Remarks Enter system view system view Define an IPv4 prefix list ip ip prefix ip prefix name index index number permit deny i...

Page 548: ...by number During matching the relation between items is logic OR that is if routing information matches one of these items it passes the community list Follow these steps to define a community list T...

Page 549: ...y can comprise multiple nodes each node contains z if match clauses Define the match criteria that routing information must satisfy The matching objects are some attributes of routing information z ap...

Page 550: ...ter routing information routing information that does not meet any node s conditions cannot pass the routing policy If all nodes of the routing policy are set using the deny keyword no routing informa...

Page 551: ...nterface number 1 1 6 Optional Not configured by default Match routes having the specified route type if match route type internal external type1 external type2 external type1or2 is is level 1 is is l...

Page 552: ...tribute for BGP routes apply community none additive community number 1 16 aa nn 1 16 internet no export subconfed no export no advertise additive Optional Not set by default Set a cost for routes app...

Page 553: ...Use the command Remarks Display BGP AS path ACL information display ip as path as path number Display BGP community list information display ip community list basic community list number adv communit...

Page 554: ...Network diagram for routing policy application to route redistribution III Configuration procedure 1 Specify IP addresses for interfaces omitted 2 Configure IS IS Configure Switch C SwitchC system vi...

Page 555: ...OSPF and redistribute routes from IS IS SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 192 168 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 import route isis 1...

Page 556: ...2002 SwitchB route policy apply tag 20 SwitchB route policy quit SwitchB route policy isis2ospf permit node 30 SwitchB route policy quit 6 Apply the routing policy to route redistribution Configure Sw...

Page 557: ...IPv4 Routing Information Filtering Failure I Symptom Filtering routing information failed while routing protocol runs normally II Analysis At least one item of the IP prefix list should be configured...

Page 558: ...D Basic Functions 1 6 1 3 1 Configuration Prerequisites 1 6 1 3 2 Configuration Procedure 1 6 1 4 Configuring BFD for Static Routing 1 7 1 5 Enabling BFD Trap 1 8 1 6 Displaying and Maintaining BFD 1...

Page 559: ...H synchronous digital hierarchy transmission system alarms z If no hardware detection signals are provided or failures cannot be detected through hardware detection signals the network uses the hello...

Page 560: ...sm After a BFD session is established if no BFD control packet is received from the neighbor within the BFD interval BFD sets the session state to down and notifies it to the protocol concerned Upon r...

Page 561: ...a BFD session is established unless a protocol needs to explicitly verify the connectivity Note z At present only the asynchronous mode is supported z At present BFD can be implemented in the Echo mo...

Page 562: ...future use z State Sta Current BFD session state Its value can be 0 for AdminDown 1 for Down 2 for Init and 3 for Up z Demand D If set to 1 it means the transmitting protocol wishes to operate in the...

Page 563: ...ltiple BFD sessions between two protocols z Your Discriminator It is the discriminator received from the corresponding remote protocol This field reflects the received value of My Discriminator or ret...

Page 564: ...2 Configuration Procedure Follow these steps to configure BFD session parameters To do Use the command Remarks Enter system view system view Specify a BFD session initiation mode bfd session init mode...

Page 565: ...with the local device as the nexthop and enable BFD on the peer device z Use echo packets to establish a session These echo messages use the local device interface address as the destination and are d...

Page 566: ...ly one end when the echo mode is used z For static route configuration refer to Static Routing Configuration in IPv4 Routing 1 5 Enabling BFD Trap Follow these steps to enable BFD trap To do Use the c...

Page 567: ...witch A and enable BFD on it Implement BFD through BFD echo packets SwitchA system view SwitchA bfd echo source ip 123 1 1 1 SwitchA interface vlan interface 10 SwitchA vlan interface10 bfd min echo r...

Page 568: ...information The neighbors will help the restarting device to update its routing information and to restore it to the state prior to the restart in minimal time The routing and forwarding remain highl...

Page 569: ...or a period as specified by the GR Time 2 3 Graceful Restart Communication Procedure Configure a device as GR Restarter in a network This device and its GR Helper must support GR or be GR capable Thus...

Page 570: ...restarting Figure 2 2 Restarting process for the GR Restarter As illustrated in Figure 2 2 The GR Helper detects that the GR Restarter has restarted its routing protocol and assumes that it will reco...

Page 571: ...4 the GR Restarter obtains the necessary topology and routing information from all its neighbors through the GR sessions between them and calculates its own routing table based on this information 2...

Page 572: ...RIPng Basic Functions 2 4 2 2 1 Configuration Prerequisites 2 4 2 2 2 Configuration Procedure 2 4 2 3 Configuring RIPng Route Control 2 5 2 3 1 Configuring an Additional Routing Metric 2 5 2 3 2 Confi...

Page 573: ...7 Configuring OSPFv3 Route Redistribution 3 9 3 6 Tuning and Optimizing an OSPFv3 Network 3 10 3 6 1 Prerequisites 3 10 3 6 2 Configuring OSPFv3 Timers 3 10 3 6 3 Configuring the DR Priority for an I...

Page 574: ...sing a Default Route to a Peer Peer Group 5 9 5 4 4 Configuring Route Distribution Policy 5 9 5 4 5 Configuring Route Reception Policy 5 10 5 4 6 Configuring IPv6 BGP and IGP Route Synchronization 5 1...

Page 575: ...6 2 1 Prerequisites 6 3 6 2 2 Defining an IPv6 Prefix List 6 3 6 2 3 Defining an AS Path List 6 4 6 2 4 Defining a Community List 6 4 6 2 5 Defining an Extended Community List 6 5 6 3 Configuring a R...

Page 576: ...e tunnel interfaces successfully 1 1 Introduction to IPv6 Static Routing Static routes are special routes that are manually configured by network administrators They work well in simple networks Confi...

Page 577: ...nfigure an IPv6 static route To do Use the commands Remarks Enter system view System view Configure an IPv6 static route ipv6 route static ipv6 address prefix length interface type interface number ne...

Page 578: ...nfigure IPv6 static routes Configure the default IPv6 static route on Switch A SwitchA system view SwitchA ipv6 SwitchA ipv6 route static 0 4 2 Configure two IPv6 static routes on Switch B SwitchB sys...

Page 579: ...64 Protocol Direct NextHop 1 1 Preference 0 Interface Vlan100 Cost 0 Destination 1 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination 4 64 Protocol Direct NextHop 4 1 Pr...

Page 580: ...g Configuration 1 5 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 4 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 5 hop limit 254 time 63 ms 3 1 ping statis...

Page 581: ...Multicast address RIPng uses FF02 9 as the link local multicast address z Destination Prefix 128 bit destination address prefix z Next hop 128 bit IPv6 address z Source address RIPng uses FE80 10 as t...

Page 582: ...d Each time a route entry is modified the routing time is set to 0 z Route tag Identifies the route used in routing policy to control routing information 2 1 2 RIPng Packet Format I Basic format A RIP...

Page 583: ...rom neighbors The receiving RIPng router processes RTEs in the request If there is only one RTE with the IPv6 prefix and prefix length both being 0 and with a metric value of 16 the RIPng router will...

Page 584: ...ce configurations such as assigning an IPv6 address 2 2 1 Configuration Prerequisites Before the configuration accomplish the following tasks first z Enable IPv6 packet forwarding z Configure an IP ad...

Page 585: ...he outbound additional metric is added to the metric of a sent route the route s metric in the routing table is not changed The inbound additional metric is added to the metric of a received route bef...

Page 586: ...ised routing information as needed For filtering outbound routes you can also specify a routing protocol from which to filter routing information redistributed Follow these steps to configure a RIPng...

Page 587: ...Optional By default the default metric of redistributed routes is 0 Redistribute routes from another routing protocol import route protocol process id allow ibgp cost cost route policy route policy n...

Page 588: ...the following defaults z 30 seconds for the update timer z 180 seconds for the timeout timer z 120 seconds for the suppress timer z 120 seconds for the garbage collect timer Note When adjusting RIPng...

Page 589: ...is set to 16 That is to say the route is unreachable Follow these steps to configure poison reverse To do Use the command Remarks Enter system view system view Enter interface view interface interface...

Page 590: ...y default 2 5 Displaying and Maintaining RIPng To do Use the command Remarks Display configuration information of a RIPng process display ripng process id Available in any view Display routes in the R...

Page 591: ...terface100 ripng 1 enable SwitchA Vlan interface100 quit SwitchA interface vlan interface 400 SwitchA Vlan interface400 ripng 1 enable SwitchA Vlan interface400 quit Configure Switch B SwitchB system...

Page 592: ...Sec Dest 2 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 6 Sec Peer FE80 20F E2FF FE00 100 on Vlan interface200 Dest 3 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 11 Sec Dest 4 64 via FE80 20F E2FF...

Page 593: ...Garbage collect Peer FE80 20F E2FF FE23 82F5 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Dest 2 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Peer FE80 20F E2...

Page 594: ...and compliant with RFC2740 OSPF for IPv6 Identical parts between OSPFv3 and OSPFv2 z 32 bits router ID and area ID z Packets Hello DD Data Description LSR Link State Request LSU Link State Update LSAc...

Page 595: ...nated by ABRs Area Border Routers and flooded throughout the LSA s associated area Each Inter Area Prefix LSA describes a route with IPv6 address prefix to a destination outside the area yet still ins...

Page 596: ...If no response is received after retransmission interval elapses the router will send again the LSA The retransmission interval must be longer than the round trip time of the LSA in between II LSA de...

Page 597: ...Costs for OSPFv3 Interfaces Optional Configuring the Maximum Number of OSPFv3 Load balanced Routes Optional Configuring a Priority for OSPFv3 Optional Configuring OSPFv3 Routing Information Management...

Page 598: ...tiple OSPFv3 processes you need to specify a router ID for each process z You need to specify a router ID manually which is necessary to make OSPFv3 work 3 4 Configuring OSPFv3 Area Parameters The stu...

Page 599: ...nnot delete an OSPFv3 area directly Only when you remove all configurations in area view and all interfaces attached to the area become down can the area be removed automatically z All routers attache...

Page 600: ...Prerequisites z Enable IPv6 packet forwarding z Configure OSPFv3 basic functions 3 5 2 Configuring OSPFv3 Route Summarization Follow these steps to configure route summarization between areas To do U...

Page 601: ...tered can be added into the local routing table 3 5 4 Configuring Link Costs for OSPFv3 Interfaces You can configure OSPFv3 link costs for interfaces to adjust routing calculation Follow these steps t...

Page 602: ...iew system view Enter OSPFv3 view ospfv3 process id Configure a priority for OSPFv3 preference ase route policy route policy name preference Optional By default the priority of OSPFv3 interval routes...

Page 603: ...However if the import route command is not configured executing the filter policy export command does not take effect 3 6 Tuning and Optimizing an OSPFv3 Network This section describes configurations...

Page 604: ...onfigure the LSA transmission delay ospfv3 trans delay seconds instance instance id Optional Defaults to 1 second Return to system view quit Enter OSPFv3 view ospfv3 process id Configure the SPF timer...

Page 605: ...check MTU in DD packets in order to improve efficiency Follow these steps to ignore MTU check for DD packets To do Use the command Remarks Enter system view system view Enter interface view interface...

Page 606: ...ent direct routes of the interface can still be advertised in Intra Area Prefix LSAs via other interfaces but other OSPFv3 packets cannot be advertised Therefore no neighboring relationship can be est...

Page 607: ...OSPFv3 neighbor information display ospfv3 process id area area id peer interface type interface number verbose peer router id Display OSPFv3 neighbor statistics display ospfv3 peer statistic Display...

Page 608: ...a 2 Switch A Vlan int100 2001 2 64 Vlan int100 2001 1 64 Vlan int300 2001 3 1 64 Vlan int200 2001 1 2 64 Switch C Vlan int400 2001 2 1 64 Vlan int400 2001 2 2 64 Switch B Vlan int200 2001 1 1 64 Switc...

Page 609: ...r id 3 3 3 3 SwitchC ospfv3 1 quit SwitchC interface vlan interface 100 SwitchC Vlan interface100 ospfv3 1 area 0 SwitchC Vlan interface100 quit SwitchC interface vlan interface 400 SwitchC Vlan inter...

Page 610: ...tance ID 4 4 4 4 1 Full DR 00 00 38 Vlan400 0 Display OSPFv3 routing table information on Switch D SwitchD display ospfv3 routing E1 Type 1 external route IA Inter area route I Intra area route E2 Typ...

Page 611: ...ute E2 Type 2 external route Seleted route OSPFv3 Router with ID 4 4 4 4 Process 1 Destination 0 Type IA Cost 11 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 64 Type IA Cost 2 NextHop...

Page 612: ...ected Interface Vlan400 3 8 2 Configuring OSPFv3 DR Election I Network requirements In the following figure z The priority of Switch A is 100 the highest priority on the network so it will be the DR z...

Page 613: ...tchB Vlan interface200 quit Configure Switch C SwitchC system view SwitchC ipv6 SwitchC ospfv3 SwitchC ospfv3 1 router id 3 3 3 3 SwitchC ospfv3 1 quit SwitchC interface vlan interface 100 SwitchC Vla...

Page 614: ...VLAN interface 100 as 100 on Switch A SwitchA interface Vlan interface 100 SwitchA Vlan interface100 ospfv3 dr priority 100 SwitchA Vlan interface100 quit Configure the DR priority of VLAN interface 2...

Page 615: ...0 4 4 4 4 1 Full DROther 00 00 37 Vlan200 0 Display neighbor information on Switch D You can find Switch A becomes the DR SwitchD display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri...

Page 616: ...st one area must be connected to the backbone The backbone cannot be configured as a Stub area In a Stub area all routers cannot receive external routes and all interfaces connected to the Stub area m...

Page 617: ...IS go to these sections for information you are interested in z Introduction to IPv6 IS IS z Configuring IPv6 IS IS Basic Functions z Configuring IPv6 IS IS Routing Information Control z Displaying an...

Page 618: ...lly z Configure IP addresses for interfaces and make sure all neighboring nodes are reachable z Enable IS IS 4 2 2 Configuration Procedure Follow these steps to configure the basic functions of IPv6 I...

Page 619: ...tional 15 by default Configure an IPv6 IS IS summary route ipv6 summary ipv6 prefix prefix length avoid feedback generate_null0_route level 1 level 1 2 level 2 tag tag Optional Not configured by defau...

Page 620: ...Optional 4 by default Note The ipv6 filter policy export command usually used in combination with the ipv6 import route command filters redistributed routes when advertising them to other routers If...

Page 621: ...is peer verbose process id vpn instance vpn instanc name Available in any view Display IPv6 IS IS routing information display isis route ipv6 level 1 level 2 verbose process id Available in any view D...

Page 622: ...e 4 1 Network diagram for IPv6 IS IS basic configuration III Configuration procedure 1 Configure IPv6 addresses for interfaces omitted 2 Configure IPv6 IS IS Configure Switch A SwitchA system view Swi...

Page 623: ...ce 200 SwitchC Vlan interface200 isis ipv6 enable 1 SwitchC Vlan interface200 quit SwitchC interface vlan interface 300 SwitchC Vlan interface300 isis ipv6 enable 1 SwitchC Vlan interface300 quit Conf...

Page 624: ...sic Functions z Controlling Route Distribution and Reception z Configuring IPv6 BGP Route Attributes z Tuning and Optimizing IPv6 BGP Networks z Configuring a Large Scale IPv6 BGP Network z Displaying...

Page 625: ...ishing TCP Connections Optional Allowing the establishment of a Non Direct EBGP connection Optional Configuring a Description for a Peer Peer Group Optional Disabling Session Establishment to a Peer P...

Page 626: ...onal 5 3 Configuring IPv6 BGP Basic Functions 5 3 1 Prerequisites Before configuring this task you need to z Specify IP addresses for interfaces z Enable IPv6 Note You need create a peer group before...

Page 627: ...er IPv6 address family view ipv6 family Add a local route into IPv6 BGP routing table network ipv6 address prefix length short cut route policy route policy name Required Not added by default 5 3 4 Co...

Page 628: ...ferred value refer to the peer ipv6 group name ipv6 address route policy route policy name import export command and the apply preferred value preferred value command 5 3 5 Specifying the Source Inter...

Page 629: ...s as the source interfaces 5 3 6 Allowing the establishment of a Non Direct EBGP connection Follow these steps to allow the establishment of EBGP connection to a non directly connected peer peer group...

Page 630: ...a Peer Peer Group Follow these steps to disable session establishment to a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6...

Page 631: ...n and route dampening 5 4 1 Prerequisites Before configuring this task you have z Enabled the IPv6 function z Configured the IPv6 BGP basic functions 5 4 2 Configuring IPv6 BGP Route Redistribution Fo...

Page 632: ...up peer ipv6 group name ipv6 address default route advertise route policy route policy name Required Not advertised by default Note With the peer default route advertise command used the local router...

Page 633: ...iler routes advertised to a peer peer group peer ipv6 group name ipv6 address ipv6 prefix ipv6 prefix name export Required Not specified by default Note z Members of a peer group must have the same ou...

Page 634: ...upper limit of address prefixes imported from a peer peer group peer ipv6 group name ipv6 address route limit limit percentage Optional By default no limit on prefixes Note z Only routes passing the s...

Page 635: ...bgp as number Required Enter IPv6 address family view ipv6 family Configure IPv6 BGP route dampening parameters dampening half life reachable half life unreachable reuse suppress ceiling route policy...

Page 636: ...ult local preference value Optional The value defaults to 100 Advertise routes to a peer peer group with the local router as the next hop peer ipv6 group name ipv6 address next hop local Required By d...

Page 637: ...figured by default Prioritize MED values of routes from confederation peers bestroute med confederation Optional Not configured by default 5 5 4 Configuring the AS_PATH Attribute Follow these steps to...

Page 638: ...their holdtime values taking the shorter one as the common holdtime If the holdtime is 0 neither keepalive massage is sent nor holdtime is checked z IPv6 BGP connection soft reset After modifying a ro...

Page 639: ...onal The keepalive interval defaults to 60 seconds holdtime defaults to 180 seconds Configure the interval for sending the same update to a peer peer group peer ipv6 group name ipv6 address route upda...

Page 640: ...cy peer ipv6 group name ipv6 address keep all routes Optional Not saved by default Return to user view return Soft reset BGP connections manually refresh bgp ipv6 all ipv6 address group ipv6 group nam...

Page 641: ...peer group In a peer group all members enjoy a common policy Using the community attribute can make a set of IPv6 BGP routers in multiple ASs enjoy the same policy because sending of community betwee...

Page 642: ...p To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Not enabled by default Enter IPv6 address family view ipv6 family Create an EBGP peer group group ip...

Page 643: ...er group you need to create a peer and specify its AS number that can be different from AS numbers of other peers but you cannot specify AS number for the EBGP peer group 5 7 3 Configuring IPv6 BGP Co...

Page 644: ...BGP community you need to configure a routing policy to define the community attribute and apply the routing policy to route advertisement 5 7 4 Configuring an IPv6 BGP Route Reflector Follow these st...

Page 645: ...d routing information display bgp ipv6 network Display IPv6 BGP AS path information display bgp ipv6 paths as regular expression Display IPv6 BGP peer peer group information display bgp ipv6 peer ipv6...

Page 646: ...gth statistic Display IPv6 BGP routing information matching a regular expression display bgp ipv6 routing table regular expression as regular expression Display IPv6 BGP routing statistics display bgp...

Page 647: ...g figure are all IPv6 BGP switches Between Switch A and Switch B is an EBGP connection Switch B Switch C and Switch D are IBGP fully meshed II Network diagram Figure 5 1 IPv6 BGP basic configuration n...

Page 648: ...bgp ipv6 family SwitchD bgp af ipv6 peer 9 1 1 as number 65009 SwitchD bgp af ipv6 peer 9 2 1 as number 65009 SwitchD bgp af ipv6 quit SwitchD bgp quit 3 Configure the EBGP connection Configure Switch...

Page 649: ...state 2 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 9 3 1 4 65009 4 4 0 0 00 02 18 Established 9 2 2 4 65009 4 5 0 0 00 01 52 Established Switch A and B established an EBGP connection Switch...

Page 650: ...chB bgp ipv6 family SwitchB bgp af ipv6 peer 100 1 as number 100 SwitchB bgp af ipv6 peer 101 1 as number 200 SwitchB bgp af ipv6 peer 101 1 next hop local Configure Switch C SwitchC system view Switc...

Page 651: ...any two routers need to establish a TCP session using port 179 and exchange open messages successfully III Processing steps 1 Use the display current configuration command to verify the peer s AS num...

Page 652: ...filter routing information For example a router receives or advertises only routing information that matches the criteria of a routing policy a routing protocol redistributes routes from another prot...

Page 653: ...ute field to identify a community A community list specifies matching conditions based on the community attribute V Extended community list Extended community list extcommunity list applies to IPv6 BG...

Page 654: ...x list can comprise multiple items Each item specifies a matching address range in the form of network prefix which is identified by index number During matching the system compares the route to each...

Page 655: ...CL Follow these steps to define an AS path ACL To do Use the command Remarks Enter system view system view Define an AS path ACL ip as path as path number deny permit regular expression Required Not d...

Page 656: ...a Routing Policy A routing policy is used to filter routing information according to some attributes and modify some attributes of the routing information that matches the routing policy Match criter...

Page 657: ...can neither pass the node nor go to the next node If route information cannot match any if match clause of the node it will go to the next node for a match z When a routing policy is defined with more...

Page 658: ...t Match routes having specified outbound interface s if match interface interface type interface number 1 16 Optional Not configured by default Match routes having the specified route type if match ro...

Page 659: ...ttribute for IPv6 BGP routes apply community none additive community number 1 16 aa nn 1 16 internet no export subconfed no export no advertise additive Optional Not set by default Set a cost for rout...

Page 660: ...the Routing Policy To do Use the command Remarks Display IPv6 BGP AS path ACL information display ip as path as path number Display IPv6 BGP community list information display ip community list basic...

Page 661: ...view SwitchA ipv6 SwitchA interface vlan interface 100 SwitchA Vlan interface100 ipv6 address 10 1 32 SwitchA Vlan interface100 quit SwitchA interface vlan interface 200 SwitchA Vlan interface200 ipv6...

Page 662: ...ipng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 7D58 0 CA03 1 on Vlan interface 100 Dest 10 32 via FE80 7D58 0 CA03 1 cost 1 tag 0 A 18 Sec Dest 20 32 via FE80 7D58 0 CA03 1...

Page 663: ...ation failed while routing protocol runs normally II Analysis At least one item of the IPv6 prefix list should be configured as permit mode and at least one node of the Route policy should be configur...

Page 664: ...tocols and Standards 2 6 2 2 IGMP Snooping Configuration Task List 2 6 2 3 Configuring Basic Functions of IGMP Snooping 2 8 2 3 1 Configuration Prerequisites 2 8 2 3 2 Enabling IGMP Snooping 2 8 2 3 3...

Page 665: ...3 3 Configuring Basic Functions of MLD Snooping 3 7 3 3 1 Configuration Prerequisites 3 7 3 3 2 Enabling MLD Snooping 3 7 3 3 3 Configuring the Version of MLD Snooping 3 8 3 4 Configuring MLD Snooping...

Page 666: ...ents in IGMPv3 5 4 5 1 5 Protocols and Standards 5 6 5 2 IGMP Configuration Task List 5 6 5 3 Configuring Basic Functions of IGMP 5 7 5 3 1 Configuration Prerequisites 5 7 5 3 2 Enabling IGMP 5 7 5 3...

Page 667: ...M 6 30 6 4 1 PIM SSM Configuration Task List 6 30 6 4 2 Configuration Prerequisites 6 30 6 4 3 Enabling PIM SM 6 31 6 4 4 Configuring the SSM Group Range 6 31 6 5 Configuring PIM Common Information 6...

Page 668: ...Message Filtering Rule 7 15 7 5 5 Configuring SA Message Cache 7 16 7 6 Displaying and Maintaining MSDP 7 16 7 7 MSDP Configuration Examples 7 17 7 7 1 Example of Leveraging BGP Routes 7 17 7 7 2 Any...

Page 669: ...Multicast Forwarding Table Size 8 9 8 3 8 Tracing a Multicast Path 8 10 8 4 Displaying and Maintaining Multicast Routing and Forwarding 8 11 8 5 Configuration Examples 8 12 8 5 1 Multicast Static Rout...

Page 670: ...ue of point to multipoint data transmission By allowing high efficiency point to multipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the...

Page 671: ...the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information to each of these users This means a t...

Page 672: ...specific hosts moreover broadcast transmission is a significant usage of network resources III Multicast As discussed above the unicast and broadcast techniques are unable to provide point to multipo...

Page 673: ...tributed an increase of the number of hosts will not remarkably add to the network load z Over broadcast As multicast data is sent only to the receivers that need it multicast uses the network bandwid...

Page 674: ...or joins another group Note z A multicast source does not necessarily belong to a multicast group Namely a multicast source is not necessarily a multicast data receiver z A multicast source can send d...

Page 675: ...el uses a multicast address range that is different from that of the ASM model and dedicated multicast forwarding paths are established between receivers and the specified multicast sources 1 3 Multic...

Page 676: ...s can be used by routing protocols and for topology searching protocol maintenance and so on Commonly used permanent group addresses are listed in Table 1 3 A packet destined for an address in this bl...

Page 677: ...ration Protocol DHCP server relay agent 224 0 0 13 All Protocol Independent Multicast PIM routers 224 0 0 14 Resource Reservation Protocol RSVP encapsulation 224 0 0 15 All Core Based Tree CBT routers...

Page 678: ...local scope 2 Link local scope 4 Admin local scope 5 Site local scope 6 7 9 through D Unassigned 8 Organization local scope E Global scope III Ethernet multicast MAC addresses When a unicast IP packe...

Page 679: ...As a result 32 multicast IPv4 addresses map to the same MAC address Therefore in Layer 2 multicast forwarding a device may receive some multicast data addressed for other IPv4 multicast groups and su...

Page 680: ...IGMP Snooping IGMP multicast VLAN PIM and MSDP are for IPv4 MLD Snooping MLD IPv6 multicast VLAN and IPv6 PIM are for IPv6 This section provides only general descriptions about applications and funct...

Page 681: ...ution trees within an AS so as to deliver multicast data to receivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on th...

Page 682: ...extra burden on the Layer 3 device 1 4 Multicast Packet Forwarding Mechanism In a multicast model a multicast source sends information to the host group identified by the multicast group address in t...

Page 683: ...ng IGMP Snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups 2 1 1 Principle of IGMP Snooping By analyzing received IGMP messages a Layer...

Page 684: ...port A router port is a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or IGMP querier In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0 1 of Switch B a...

Page 685: ...ssages and actions Timer Description Message before expiry Action after expiry Router port aging timer For each router port the switch sets a timer initialized to the aging time of the route port IGMP...

Page 686: ...es z Upon receiving an IGMP query a multicast group member host responds with an IGMP report z When intended to join a multicast group a host sends an IGMP report to the multicast router to announce t...

Page 687: ...a group specific IGMP leave group message on a member port it first checks whether a forwarding table entry for that group exists and if one exists whether its outgoing port list contains that port z...

Page 688: ...ormal way 2 In only PIM is enabled on the switch z The switch broadcasts IGMP messages as unknown messages in the VLAN z Upon receiving a PIM hello message the switch will maintain the corresponding r...

Page 689: ...nfiguring Maximum Multicast Groups that Can Be Joined on a Port Optional Configuring an IGMP Snooping Policy Configuring Multicast Group Replacement Optional Note z Configurations made in IGMP Snoopin...

Page 690: ...Disabled by default Return to system view quit Enter VLAN view vlan vlan id Enable IGMP Snooping in the VLAN igmp snooping enable Required Disabled by default Note z IGMP Snooping must be enabled glob...

Page 691: ...atic Ports 2 4 Configuring IGMP Snooping Port Functions 2 4 1 Configuration Prerequisites Before configuring IGMP Snooping port functions complete the following tasks z Enable IGMP Snooping in the VLA...

Page 692: ...ts in a VLAN Follow these steps to configure aging timers for dynamic ports in a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure router port agi...

Page 693: ...oes not respond to queries from the IGMP querier when static G or S G joining is enabled or disabled on a port the port does not send an unsolicited IGMP report or an IGMP leave group message z Static...

Page 694: ...d by default Note z Each simulated host is equivalent to an independent host For example when receiving an IGMP query the simulated host corresponding to each configuration responds respectively z The...

Page 695: ...Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggregation agg id Required Use either command Enable...

Page 696: ...the Layer 2 switch will act as the IGMP Snooping querier to send IGMP queries thus allowing multicast forwarding entries to be established and maintained at the data link layer Follow these steps to e...

Page 697: ...queries the maximum response time equals to the IGMP last member query interval I Configuring IGMP queries and responses globally Follow these steps to configure IGMP queries and responses globally T...

Page 698: ...t forwarding entries from being correctly created at the data link layer and cause multicast traffic forwarding failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the a...

Page 699: ...n actual application when a user requests a multicast program the user s host initiates an IGMP report Upon receiving this report message the switch checks the report against the configured ACL rule I...

Page 700: ...ata refers to multicast data for which no entries exist in the IGMP Snooping forwarding table When the switch receives such multicast traffic z With the function of dropping unknown multicast data ena...

Page 701: ...ooping view igmp snooping Enable IGMP report suppression report aggregation Optional Enabled by default 2 6 5 Configuring Maximum Multicast Groups that Can Be Joined on a Port By configuring the maxim...

Page 702: ...xceed the number configured for the switch or the port In addition in some specific applications a multicast group newly joined on the switch needs to replace an existing multicast group automatically...

Page 703: ...o configure the maximum number of multicast groups allowed on a port refer to Configuring Maximum Multicast Groups that Can Be Joined on a Port before configuring multicast group replacement Otherwise...

Page 704: ...oins 2 8 IGMP Snooping Configuration Examples 2 8 1 Configuring Simulated Joining I Network requirements As shown in Figure 2 3 Router A connects to the multicast source through Ethernet 1 0 2 and to...

Page 705: ...et1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping SwitchA igmp snooping quit Create VLAN 100 assign Ethernet 1 0 1 through Ethernet 1 0 4 to thi...

Page 706: ...thernet 1 0 3 and Ethernet 1 0 4 of Switch A is listening to multicast streams that the multicast source 1 1 1 1 sends to the multicast group 224 1 1 1 0 0 0 0 224 1 1 1 2 8 2 Static Router Port Confi...

Page 707: ...nterrupted during this process II Network diagram Source 1 1 1 1 24 Router A IGMP querier Eth1 0 1 10 1 1 1 24 Eth1 0 2 1 1 1 2 24 Switch A Switch C Switch B Eth1 0 1 Eth1 0 2 Eth1 0 2 Host C Host B H...

Page 708: ...le SwitchA vlan100 quit Configure Ethernet 1 0 3 to be a static router port SwitchA interface ethernet 1 0 3 SwitchA Ethernet1 0 3 igmp snooping static router port vlan 100 SwitchA Ethernet1 0 3 quit...

Page 709: ...01 30 Eth1 0 3 S IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Attribute Host Port Host port s total 1 port Eth1 0 2 D 00 03 23 MAC group s MA...

Page 710: ...chA igmp snooping SwitchA igmp snooping quit Create VLAN 100 and add Ethernet 1 0 1 and Ethernet 1 0 2 to VLAN 100 SwitchA vlan 100 SwitchA vlan100 port ethernet 1 0 1 ethernet 1 0 2 Enable IGMP Snoop...

Page 711: ...this VLAN SwitchC vlan 100 SwitchC vlan100 port ethernet 1 0 1 to ethernet 1 0 3 SwitchC vlan100 igmp snooping enable 4 Verify the configuration View the IGMP message statistics on Switch C SwitchC v...

Page 712: ...Symptom Although a multicast group policy has been configured to allow hosts to join specific multicast groups the hosts can still receive multicast data addressed to other multicast groups II Analysi...

Page 713: ...S3610 S5510 Series Ethernet Switches Chapter 2 IGMP Snooping Configuration 2 31 whether this configuration conflicts with the configured multicast group policy If any conflict exists remove the port a...

Page 714: ...nooping MLD Snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups 3 1 1 Introduction to MLD Snooping By analyzing received MLD m...

Page 715: ...a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or MLD querier In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0 1 of Switch B are router ports The swit...

Page 716: ...before expiry Action after expiry Router port aging timer For each router port the switch sets a timer initialized to the aging time of the route port MLD general query of which the source address is...

Page 717: ...responds with an MLD report z When intended to join an IPv6 multicast group a host sends an MLD report to the multicast router to announce that it is interested in the multicast information addressed...

Page 718: ...h does not know whether any other hosts attached to the port are still listening to that IPv6 multicast group address the switch does not immediately removes the port from the outgoing port list of th...

Page 719: ...Optional Configuring Aging Timers for Dynamic Ports Optional Configuring Static Ports Optional Configuring Simulated Joining Optional Configuring MLD Snooping Port Functions Configuring Fast Leave Pro...

Page 720: ...he current port group For a given port a configuration made in MLD Snooping view is effective only if the same configuration is not made in Ethernet port view or port group view 3 3 Configuring Basic...

Page 721: ...looded in the VLAN z MLD Snooping version 2 can process MLDv1 and MLDv2 messages Follow these steps to configure the version of MLD Snooping To do Use the command Remarks Enter system view system view...

Page 722: ...ng timer of the port for that group expires If IPv6 multicast group memberships change frequently you can set a relatively small value for the member port aging timer and vice versa I Configuring agin...

Page 723: ...static group ipv6 group address source ip ipv6 source address vlan vlan id Required Disabled by default Configure the port s as static router port s mld snooping static router port vlan vlan id Requir...

Page 724: ...system view Enter Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggregation agg id Required Use eit...

Page 725: ...st Required Disabled by default II Configuring fast leave processing on a port or a group of ports Follow these steps to configure fast leave processing on a port or a group of ports To do Use the com...

Page 726: ...ending periodic MLD general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This...

Page 727: ...port to the corresponding IPv6 multicast group An appropriate setting of the maximum response time for MLD queries allows hosts to respond to queries quickly and avoids burstiness of MLD traffic on th...

Page 728: ...ional 1 second by default Caution Make sure that the MLD query interval is greater than the maximum response time for MLD general queries otherwise undesired deletion of IPv6 multicast members may occ...

Page 729: ...available to different users In an actual application when a user requests a multicast program the user s host initiates an MLD report Upon receiving this report message the switch checks the report...

Page 730: ...ured by default namely hosts can join any IPv6 multicast group 3 6 3 Configuring Dropping Unknown IPv6 Multicast Data Unknown IPv6 multicast data refers to IPv6 multicast data for which no forwarding...

Page 731: ...k Follow these steps to configure MLD report suppression To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable MLD report suppression report aggregati...

Page 732: ...d the number configured for the switch or the port In addition in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automa...

Page 733: ...sure to configure the maximum number of IPv6 multicast groups allowed on a port refer to Configuring Maximum Multicast Groups that that Can Be Joined on a Port before configuring IPv6 multicast group...

Page 734: ...2 and to Switch A through Ethernet 1 0 1 Router A is the MLD querier on the subnet Perform the following configuration so that multicast data can be forwarded through Ethernet 1 0 3 and Ethernet 1 0...

Page 735: ...et 1 0 1 through Ethernet 1 0 4 to this VLAN and enable MLD Snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port ethernet 1 0 1 to ethernet 1 0 4 SwitchA vlan100 mld snooping enable SwitchA vlan...

Page 736: ...outer Port Configuration I Network requirements z As shown in Figure 3 4 Router A connects to an IPv6 multicast source Source through Ethernet 1 0 2 and to Switch A through Ethernet 1 0 1 z MLD is to...

Page 737: ...C Switch B Eth1 01 E t h 1 0 2 E t h 1 0 3 E t h 1 0 1 Eth1 0 2 E t h 1 0 1 Eth1 0 2 Host C Host B Host A Receiver Receiver E t h 1 0 3 E t h 1 0 4 Eth1 0 5 Figure 3 4 Network diagram for static rout...

Page 738: ...0 3 mld snooping static router port vlan 100 SwitchA Ethernet1 0 3 quit 4 Configure Switch B Enable MLD Snooping globally SwitchB system view SwitchB mld snooping SwitchB mld snooping quit Create VLA...

Page 739: ...1 D 00 01 30 Eth1 0 3 S IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Attribute Host Port Host port s total 1 port Eth1 0 2 D 00 03 23 MAC group s MAC...

Page 740: ...1 and Ethernet 1 0 2 to VLAN 100 SwitchA vlan 100 SwitchA vlan100 port ethernet 1 0 1 ethernet 1 0 2 Enable MLD Snooping in VLAN 100 and configure the MLD Snooping querier feature SwitchA vlan100 mld...

Page 741: ...Received MLD general queries 3 Received MLDv1 specific queries 0 Received MLDv1 reports 4 Received MLD dones 0 Sent MLDv1 specific queries 0 Received MLDv2 reports 0 Received MLDv2 reports with right...

Page 742: ...st group policy is not correctly applied z Certain ports have been configured as static member ports of IPv6 multicasts groups and this configuration conflicts with the configured IPv6 multicast group...

Page 743: ...N This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 4 1 Before and after multicast VLAN is enabled on the Layer 2 device To solve this problem you...

Page 744: ...VLANs of the multicast VLAN must not be multicast VLANs z The VLANs to be configured as the sub VLANs of the multicast VLAN must not be sub VLANs of another multicast VLAN z The number of sub VLANs of...

Page 745: ...required on Switch A Router A is the IGMP querier z Switch A s Ethernet 1 0 1 belongs to VLAN 1024 Ethernet 1 0 2 through Ethernet 1 0 4 belong to VLAN 11 through VLAN 13 respectively and Host A thro...

Page 746: ...2 RouterA Ethernet1 0 2 pim dm RouterA Ethernet1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping SwitchA igmp snooping quit Create VLAN 11 and as...

Page 747: ...Operation Manual Multicast Protocol H3C S3610 S5510 Series Ethernet Switches Chapter 4 Multicast VLAN Configuration 4 5 SwitchA display multicast vlan multicast vlan 1024 s subvlan list Vlan 11 13...

Page 748: ...w As a TCP IP protocol responsible for IP multicast group member management the Internet Group Management Protocol IGMP is used by IP hosts to establish and maintain their multicast group memberships...

Page 749: ...ired to determine which router will act as the IGMP querier on the subnet In IGMPv1 the designated router DR elected by a multicast routing protocol such as PIM serves as the IGMP querier Note For mor...

Page 750: ...the G1 and G2 multicast forwarding entries exist on the IGMP router the router forwards the multicast data to the local subnet and then the receivers on the subnet receive the data As IGMPv1 does not...

Page 751: ...One of the remaining members if any on the subnet of the group being queried should send a membership report within the maximum response time set in the query messages 4 If the querier receives a mem...

Page 752: ...ed as S2 G Thus only multicast data from Source 1 will be delivered to Host B II Enhancements in query and report capabilities 1 Query message carrying the source addresses IGMPv3 supports not only ge...

Page 753: ...list z BLOCK indicates that the Source Address fields in this Group Record contain a list of the sources that the system no longer wishes to hear from for packets sent to the specified multicast addr...

Page 754: ...ing the basic functions of IGMP complete the following tasks z Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer z Configure PIM DM or PIM...

Page 755: ...llow these steps to configure an IGMP version on an interface To do Use the command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configu...

Page 756: ...IGMP view are effective on all interfaces while configurations performed in Ethernet port view are effective on the current interface only z If the same feature is configured in both IGMP view and Et...

Page 757: ...essages are directly passed to the upper layer protocol no matter whether the IGMP messages carry the Router Alert option or not z To enhance the device performance and avoid unnecessary costs and als...

Page 758: ...et losses on a network Therefore a greater value of the robustness variable makes the IGMP querier more robust but results in a longer multicast group timeout time Upon receiving an IGMP query general...

Page 759: ...default Configure the IGMP last member query interval Last member query inte rval interval Optional 1 second by default Configure the other querier present interval timer other querier present interv...

Page 760: ...other querier present interval is greater than the IGMP query interval otherwise the IGMP querier may change frequently on the network z Make sure that the IGMP query interval is greater than the max...

Page 761: ...g entries of static joins Caution The reset igmp group command may cause an interruption of receivers reception of multicast data 5 6 IGMP Configuration Example I Network requirements z Receivers rece...

Page 762: ...e switches Ensure the network layer interoperation among Switch A Switch B and Switch C on the PIM network and dynamic update of routing information among the switches through a unicast routing protoc...

Page 763: ...iguration and running status on each switch interface For example View IGMP information on VLAN interface 200 of Switch B SwitchB display igmp interface vlan interface 200 Vlan interface200 10 110 2 1...

Page 764: ...ce is abnormal Typically this is because the shutdown command has been executed on the interface or the interface connection is incorrect or no correct IP address has been configured on the interface...

Page 765: ...rrent configuration command to view the IGMP configuration information on the interfaces 2 Carry out the display igmp interface command on all routers on the same subnet to check the IGMP related time...

Page 766: ...es generated by any unicast routing protocol such as routing information protocol RIP open shortest path first OSPF intermediate system to intermediate system IS IS or border gateway protocol BGP Inde...

Page 767: ...periodically that is pruned branches resume multicast forwarding when the pruned state times out and then data is re flooded down these branches and then are pruned again z When a new receiver on a pr...

Page 768: ...Then nodes without receivers downstream are pruned A router having no receivers downstream sends a prune message to the upstream node to tell the upstream node to delete the corresponding interface f...

Page 769: ...s a multicast group to reduce the join latency PIM DM uses a graft mechanism to resume data forwarding to that branch The process is as follows 1 The node that needs to receive multicast data sends a...

Page 770: ...224 0 0 13 through the interface on which the packet was received The assert message contains the following information the multicast source address S the multicast group address G and the preference...

Page 771: ...d to a specific multicast group the router connected to this receiver sends a join message to the RP corresponding to that multicast group The path along which the message goes hop by hop to the RP fo...

Page 772: ...messages to the RP the DR at the multicast source side sends register messages to the RP Note z A DR is elected on a multi access subnet by means of comparison of the priorities and IP addresses carri...

Page 773: ...To lessen the RP burden and optimize the topological structure of the RPT each multicast group should have its own RP Therefore a bootstrap mechanism is needed for dynamic RP election For this purpose...

Page 774: ...en a receiver joins a multicast group G it uses an IGMP message to inform the directly connected DR 2 Upon getting the receiver information the DR sends a join message which is hop by hop forwarded to...

Page 775: ...gistration The purpose of multicast source registration is to inform the RP about the existence of the multicast source Figure 6 6 Multicast registration As shown in Figure 6 6 the multicast source re...

Page 776: ...r forwarding table and thus an SPT branch is established 2 Subsequently the receiver side DR sends a prune message hop by hop to the RP Upon receiving this prune message the RP forwards it toward the...

Page 777: ...cope region must be geographically independent of every other one as shown in Figure 6 7 Figure 6 7 Relationship between BSR admin scope regions and the global scope zone in geographic space BSR admin...

Page 778: ...al scope zone are as follows z The global scope zone and each BSR admin scope region have their own C RPs and BSR These devices are effective only in their respective admin scope regions Namely the BS...

Page 779: ...multicast source discovery protocol MSDP for discovering sources in other PIM domains Compared with the ASM model the SSM model only needs the support of IGMPv3 and some subsets of PIM SM The operatio...

Page 780: ...th the source S as its root and receivers as its leaves This SPT is the transmission channel in PIM SSM z If not the PIM SM process is followed the DR needs to send a G join message to the RP and a mu...

Page 781: ...er Before configuring PIM DM prepare the following data z The interval between state refresh messages z Minimum time to wait before receiving a new refresh message z TTL value of state refresh message...

Page 782: ...timeout of pruned interfaces the router directly connected with the multicast source periodically sends an S G state refresh message which is forwarded hop by hop along the initial multicast flooding...

Page 783: ...e refresh messages state refresh ttl ttl value Optional 255 by default 6 2 6 Configuring PIM DM Graft Retry Period In PIM DM graft is the only type of message that uses the acknowledgment mechanism In...

Page 784: ...a BSR Configuring global C BSR parameters Optional Configuring a static RP Optional Configuring a C RP Optional Enabling auto RP Optional Configuring an RP Configuring C RP timers Optional Configurin...

Page 785: ...SM enabled a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors When deploying a PIM SM domain you are recommended to enable PIM SM on all int...

Page 786: ...as a C BSR make sure that router is PIM SM enabled The BSR election process is as follows z Initially every C BSR assumes itself to be the BSR of this PIM SM domain and uses its interface IP address a...

Page 787: ...address range and thus this kind of attacks can be prevented The above mentioned preventive measures can partially protect the security of BSRs in a network However if a legal BSR is controlled by an...

Page 788: ...s are elected from multitudinous C BSRs to serve different multicast groups The C RPs in a BSR admin scope region send C RP Adv messages to only the corresponding BSR The BSR summarizes the advertisem...

Page 789: ...s throughout the network periodically Any C BSR that receives a bootstrap message maintains the BSR state for a configurable period of time BSR state timeout during which no BSR election takes place W...

Page 790: ...er is manually configured the system will use the configured value Caution In configuration make sure that the bootstrap interval is smaller than the bootstrap timeout time 6 3 5 Configuring an RP An...

Page 791: ...lculate the mappings between specific group ranges and the corresponding RPs based on the RP set We recommend that you configure C RPs on backbone routers To guard against C RP spoofing you need to co...

Page 792: ...P auto rp enable Optional Disabled by default IV Configuring C RP timers To enable the BSR to distribute the RP set information within the PIM SM domain C RPs must periodically send C RP Adv messages...

Page 793: ...n the entire register messages However to reduce the workload of encapsulating data in register messages and for the sake of interoperability this method of checksum calculation is not recommended Whe...

Page 794: ...Optional 60 seconds by default Configure the probe time probe interval interval Optional 5 seconds by default Note Typically you need to configure the above mentioned parameters on the receiver side...

Page 795: ...carry out these configurations on the routers that may win the DR election and on the C RPs that may win RP elections 6 4 Configuring PIM SSM Note The PIM SSM model needs the support of IGMPv3 Therefo...

Page 796: ...routing multicast routing enable Required Disable by default Enter Ethernet port view interface interface type interface number Enable PIM SM pim sm Required Disabled by default Caution All the inter...

Page 797: ...member of a multicast group in the SSM group range sends an IGMPv1 or IGMPv2 report message the device does not trigger a G join 6 5 Configuring PIM Common Information Note For the configuration task...

Page 798: ...value z Prune delay global value interface level value z Prune override interval global value interface level value z Hello interval global value interface level value z Maximum delay between hello me...

Page 799: ...er times out if the router has received no hello message from a neighbor it assumes that this neighbor has expired or become unreachable You can configure this parameter on all routers in the PIM doma...

Page 800: ...hat the status of the upstream neighbor is lost or the upstream neighbor has changed In this case it triggers a join message for state update If you disable join suppression namely enable neighbor tra...

Page 801: ...onfiguring PIM Common Timers PIM routers discover PIM neighbors and maintain PIM neighboring relationships with other routers by periodically sending out hello messages Upon receiving a hello message...

Page 802: ...ime holdtime join prune interval Optional 210 seconds by default Configure the multicast source lifetime source lifetime interval Optional 210 seconds by default II Configuring PIM common timers on an...

Page 803: ...se the command Remarks Enter system view system view Enter PIM view pim Configure the maximum size of a join prune message jp pkt size packet size Optional 8 100 bytes by default Configure the maximum...

Page 804: ...ing table group address mask mask length mask source address mask mask length mask incoming interface interface type interface number register outgoing interface include exclude match interface type i...

Page 805: ...t 1 0 2 V l a n i n t 1 0 3 V l a n i n t 1 0 3 Device Interface IP address Device Interface IP address Switch A Vlan int100 10 110 1 1 24 Switch D Vlan int300 10 110 5 1 24 Vlan int103 192 168 1 1 2...

Page 806: ...and Switch C is similar to that on Switch A Enable IP multicast routing on Switch D and enable PIM DM on each interface SwitchD system view SwitchD multicast routing enable SwitchD interface vlan int...

Page 807: ...flooding Switches on the SPT path Switch A and Switch D have their S G entries Host A registers with Switch A and a G entry is generated on Switch A You can use the display pim routing table command...

Page 808: ...ulticast The receiver groups of different organizations form stub networks and one or more receiver hosts exist in each stub network The entire PIM domain operates in the sparse mode not divided into...

Page 809: ...24 Figure 6 11 Network diagram for PIM SM domain configuration III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address...

Page 810: ...BSR and a C RP Configure the service scope of RP advertisements and the positions of the C BSR and C RP on Switch E SwitchE system view SwitchE acl number 2005 SwitchE acl basic 2005 rule permit sourc...

Page 811: ...rity 0 Hash mask length 30 State Elected Scope Not scoped Uptime 00 00 18 Next BSR message scheduled at 00 01 52 Candidate BSR Address 192 168 9 2 Priority 0 Hash mask length 30 State Pending Scope No...

Page 812: ...PIM routing table information on Switch A SwitchA display pim routing table Total 1 G entry 1 S G entry 225 1 1 1 RP 192 168 9 2 Protocol pim sm Flag WC UpTime 00 13 46 Upstream interface Vlan interfa...

Page 813: ...l pim sm UpTime 00 13 16 Expires 00 03 22 6 7 3 PIM SSM Configuration Example I Network requirements z Receivers receive VOD information through multicast The receiver groups of different organization...

Page 814: ...2 2 24 Switch C Vlan int200 10 110 2 2 24 Vlan int102 192 168 9 2 24 Vlan int104 192 168 3 1 24 Vlan int105 192 168 4 1 24 Figure 6 12 Network diagram for PIM SSM configuration III Configuration proc...

Page 815: ...is also similar to that on Switch A except that it is not necessary to enable IGMP on the corresponding interfaces on these two switches 3 Configure the SSM group range Configure the SSM group range...

Page 816: ...100 232 1 1 1 Protocol pim ssm Flag UpTime 00 13 25 Upstream interface Vlan interface101 Upstream neighbor 192 168 1 2 RPF prime neighbor 192 168 1 2 Downstream interface s information Total number o...

Page 817: ...nabled on the router s RPF interface to the multicast source the router cannot create S G entries z When a multicast router receives a multicast packet it searches the existing unicast routing table f...

Page 818: ...onfigurations are correct 6 8 2 Multicast Data Abnormally Terminated on an Intermediate Router I Symptom An intermediate router can receive multicast data successfully but the data cannot reach the la...

Page 819: ...formation Use the display pim rp info command to check whether the RP information is consistent on all routers 3 Check the configuration of static RPs Use the display pim rp info command to check whet...

Page 820: ...RP and the BSR and whether a route is available between the RP and the BSR Make sure that each C RP has a unicast route to the BSR the BSR has a unicast route to each C RP and all the routers in the...

Page 821: ...ulticast source information in other PIM SM domains In the basic PIM SM mode a multicast source registers only with the RP in the local PIM SM domain and the multicast source information of a domain i...

Page 822: ...SM router MSDP peers created on PIM SM routers that assume different roles function differently 1 MSDP peers on RPs z Source side MSDP peer the MSDP peer nearest to the multicast source Source typica...

Page 823: ...ically elected from C RPs To enhance network robustness a PIM SM network typically has more than one C RP As the RP election result is unpredictable MSDP peering relationships should be built among al...

Page 824: ...e address S the multicast group address G and the address of the RP which has created this SA message namely RP 1 3 On MSDP peers each SA message is subject to a reverse path forwarding RPF check and...

Page 825: ...lies on RPs in other PIM SM domains The receivers can override the RPs in other domains and directly join the multicast source based SPT III RPF check rules for SA messages As shown in Figure 7 3 ther...

Page 826: ...SA message is from an MSDP peer RP 2 in the same AS and the MSDP peer is the next hop on the optimal path to the source side RP RP 3 accepts the message and forwards it to other peers RP 4 and RP 5 3...

Page 827: ...MSDP peers Anycast RP refers to such an application that enables load balancing and redundancy backup between two or more RPs within a PIM SM domain by configuring the same IP address for and establis...

Page 828: ...the SPT rooted at Source The significance of Anycast RP is as follows z Optimal RP path A multicast source registers with the nearest RP so that an SPT with the optimal path is built a receiver joins...

Page 829: ...st Messages Optional Configuring an SA Message Filtering Rule Optional Configuring SA Messages Related Parameters Configuring SA Message Cache Optional 7 3 Configuring Basic Functions of MSDP Note All...

Page 830: ...e local MSDP peer and that of the remote MSDP peer An MSDP peer connection must be created on both devices that are a pair of MSDP peers Follow these steps to create an MSDP peer connection To do Use...

Page 831: ...te the following tasks z Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer z Configuring basic functions of MSDP Before configuring an MSD...

Page 832: ...or multiple MSDP peers you can create a mesh group with these MSDP peers Follow these steps to create an MSDP mesh group To do Use the command Remarks Enter system view system view Enter MSDP view msd...

Page 833: ...in the domain are interoperable at the network layer z Configuring basic functions of MSDP Before configuring SA message delivery prepare the following data z ACL as a filtering rule for SA request m...

Page 834: ...RPF check Follow these steps to configure the SA message content To do Use the command Remarks Enter system view system view Enter MSDP view msdp Enable encapsulation of a register message encap data...

Page 835: ...on in the SA messages z By configuring a filtering rule for receiving or forwarding SA messages you can enable the router to filter the S G forwarding entries to be advertised when receiving or forwar...

Page 836: ...s MSDP peer in the next cycle z If there is an SA message in the cache the router will obtain the information of all active sources directly from the SA message and join the corresponding SPT To prote...

Page 837: ...peer reset msdp statistics peer address Available in user view 7 7 MSDP Configuration Examples 7 7 1 Example of Leveraging BGP Routes I Network requirements z Two ISPs maintain their ASs AS 100 and AS...

Page 838: ...Figure 7 5 Network diagram for configuration leveraging BGP routes III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP addr...

Page 839: ...witch C 3 Configure the position of interface Loopback 0 C BSR and C RP Configure the position of Loopback 0 C BSR and C RP on Switch C SwitchC interface loopback 0 SwitchC LoopBack0 ip address 1 1 1...

Page 840: ...the information about BGP peering relationships on Switch C SwitchC display bgp peer BGP local router ID 1 1 1 1 Local AS number 100 Total number of peers 1 Peers in established state 1 Peer V AS Msg...

Page 841: ...1 1 1 1 32 192 168 1 1 0 0 100 i 2 2 2 2 32 192 168 3 2 0 100 0 3 3 3 3 32 0 0 0 0 0 0 192 168 1 0 0 0 0 0 0 0 192 168 1 1 0 0 100 192 168 1 1 32 0 0 0 0 0 0 192 168 1 2 32 0 0 0 0 0 0 192 168 1 1 0...

Page 842: ...ion about MSDP peering relationships on Switch D SwitchD display msdp brief MSDP Peer Brief Information Configured Up Listen Connect Shutdown Down 2 2 0 0 0 0 Peer s Address State Up Down time AS SA C...

Page 843: ...outgoing SA messages 0 0 Incoming outgoing SA requests 0 0 Incoming outgoing SA responses 0 0 Incoming outgoing data packets 0 0 7 7 2 Anycast RP Configuration Example I Network requirements z The PI...

Page 844: ...1 1 32 Loop0 2 2 2 2 32 Loop1 3 3 3 3 32 Loop1 4 4 4 4 32 Loop10 10 1 1 1 32 Loop10 10 1 1 1 32 Figure 7 6 Network diagram for anycast RP configuration III Configuration procedure 1 Configure the int...

Page 845: ...ce loopback 10 SwitchC LoopBack10 ip address 10 1 1 1 255 255 255 255 SwitchC LoopBack10 pim sm SwitchC LoopBack10 quit SwitchC pim SwitchC pim c bsr loopback 1 SwitchC pim c rp loopback 10 SwitchC pi...

Page 846: ...Vlan interface200 Protocol pim sm UpTime 00 03 32 Expires 4 Configure Loopback 0 and MSDP peers Configure an MSDP peer on Loopback 0 of Switch C SwitchC interface loopback 0 SwitchC LoopBack0 ip addre...

Page 847: ...ASs AS 100 and AS 200 respectively OSPF is running within each AS and BGP is running between the two ASs z PIM SM 1 belongs to AS 100 while PIM SM 2 and PIM SM 3 belong to AS 200 z Each PIM SM domain...

Page 848: ...nfiguration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 7 7 Detailed configu...

Page 849: ...ch D and Switch F is similar to the configuration on Switch C 3 Configure the position of interface Loopback 0 C BSR and C RP Configure the position of Loopback 0 C BSR and C RP on Switch C SwitchC ro...

Page 850: ...relationships between the switches If the command gives no output information a BGP peering relationship has not been established between the switches When the multicast source S1 sends multicast inf...

Page 851: ...er address configured on the router z If no route is available between the MSDP peers the TCP connection setup will also fail III Solution 1 Check that a route is available between the routers Carry o...

Page 852: ...tries with one another in the Anycast RP application II Analysis z In the Anycast RP application RPs in the same PIM SM domain are configured to be MSDP peers to achieve load balancing among the RPs z...

Page 853: ...Operation Manual Multicast Protocol H3C S3610 S5510 Series Ethernet Switches Chapter 7 MSDP Configuration 7 33 4 Verify that the C BSR address is different from the anycast RP address...

Page 854: ...ticast Routing and Forwarding In multicast implementations multicast routing and forwarding are implemented by three types of tables z Each multicast routing protocol has its own multicast routing tab...

Page 855: ...existing S G entry this means that the S G entry is correct but the packet arrived from a wrong path The packet is to be discarded z If the result of the RPF check shows that the RPF interface is not...

Page 856: ...the RPF interface and the RPF neighbor 2 Then the router selects one from these two optimal routes as the RPF route The selection is as follows z If configured to use the longest match principle the...

Page 857: ...et actually arrived The RPF check succeeds and the packet is forwarded 8 1 3 Multicast Static Routes If the topology structure of a multicast network is the same as that of a unicast network receivers...

Page 858: ...h B and then to Switch C 8 1 4 Multicast Traceroute The multicast traceroute utility is used to trace the path that a multicast stream flows down from the multicast source to the last hop router I Con...

Page 859: ...te a response packet and then sends the completed packet via unicast to the multicast traceroute querier 8 2 Configuration Task List Complete these tasks to configure multicast routing and forwarding...

Page 860: ...ry addresses even if configured on interfaces For details about primary and secondary IP addresses refer to IP Addressing and Performance Configuration 8 3 3 Configuring Multicast Static Routes Based...

Page 861: ...ing an interface by means of the interface type interface number command argument combination if the interface type of that router is Loopback or VLAN interface instead you can designate an RPF neighb...

Page 862: ...orward multicast packets including packets sent from the local device or receive multicast packets Follow these steps to configure a multicast forwarding range To do Use the command Remarks Enter syst...

Page 863: ...rding table size To do Use the command Remarks Enter system view system view Configure the maximum number of downstream nodes for a single route in the multicast forwarding table multicast forwarding...

Page 864: ...ss mask mask mask length group address mask mask mask length incoming interface interface type interface number register outgoing interface exclude include match interface type interface number regist...

Page 865: ...st forwarding table z When a forwarding entry is deleted from the multicast forwarding table the corresponding route entry will also be deleted from the multicast routing table 8 5 Configuration Examp...

Page 866: ...and subnet mask for each interface as per Figure 8 3 The detailed configuration steps are omitted here Enable OSPF on Switch A Switch B and Switch C Ensure the network layer interoperation among the s...

Page 867: ...RPF information about source 10 110 5 100 RPF interface Vlan interface100 RPF neighbor 10 110 1 1 Referenced route mask 10 110 5 0 24 Referenced route type igp Route selection rule preference preferre...

Page 868: ...specify the next hop address to configure the outgoing interface when you configure the multicast static route 4 Check that the multicast static route matches the specified routing protocol If a proto...

Page 869: ...cast Protocol H3C S3610 S5510 Series Ethernet Switches Chapter 8 Multicast Routing and Forwarding Configuration 8 16 3 In the case of PIM SM use the display current configuration command to check the...

Page 870: ...g a Guest VLAN 1 17 1 3 1 Configuration Prerequisites 1 17 1 3 2 Configuration Procedure 1 17 1 4 Displaying and Maintaining 802 1x 1 18 1 5 802 1x Configuration Example 1 18 1 6 Guest VLAN Configurat...

Page 871: ...4 2 1 MAC Authentication Timers 4 2 4 2 2 Quiet MAC Address 4 2 4 2 3 VLAN Assigning 4 3 4 2 4 ACL Assigning 4 3 4 3 Configuring MAC Authentication 4 3 4 3 1 Configuration Prerequisites 4 3 4 3 2 Conf...

Page 872: ...et as a common port access control mechanism As a port based network access control protocol 802 1x authenticates and controls accessing devices at the level of port A device connected to an 802 1x en...

Page 873: ...a Remote Authentication Dial in User Service RADIUS server maintains user information like username password VLAN that the user belongs to committed access rate CAR parameters priority and ACLs The ab...

Page 874: ...st the traffic from the supplicant Note Currently the devices support only denying the traffic from the supplicant 1 1 2 Operation of 802 1x The 802 1x authentication system employs the Extensible Aut...

Page 875: ...akes the value 0x888E z Protocol version Version of the EAPOL protocol supported by the EAPOL frame sender z Type Type of the EAPOL frame Table 1 1 shows the defined types of EAPOL frames Table 1 1 Ty...

Page 876: ...eld II EAP Packet Format An EAPOL frame of the type of EAP Packet carries an EAP packet in its Packet body field The format of the EAP packet is shown in Figure 1 4 Figure 1 4 EAP packet format z Code...

Page 877: ...bytes it can be fragmented and encapsulated into multiple EAP Message attributes Figure 1 6 Encapsulation format of the EAP Message attribute II Message Authenticator Figure 1 7 shows the encapsulatio...

Page 878: ...urity and PEAP Protected Extensible Authentication Protocol z EAP MD5 EAP MD5 authenticates the identity of a supplicant The RADIUS server sends an MD5 challenge through an EAP Request MD5 Challenge p...

Page 879: ...me and password the 802 1x client software generates an EAPOL Start frame and sends it to the authenticator to initiate an authentication process 2 Upon receiving the EAPOL Start frame the authenticat...

Page 880: ...o grant the access request of the supplicant After the supplicant gets online the authenticator periodically sends handshake requests to the supplicant to check whether the supplicant is still online...

Page 881: ...mode Different from the authentication process in EAP relay mode it is the authenticator that generates the random challenge for encrypting the user password information in EAP termination authenticat...

Page 882: ...e from the server it retransmits the request z Handshake timer handshake period After a supplicant passes authentication the authenticator sends to the supplicant handshake requests at this interval t...

Page 883: ...the message The device depending on the link type of the port used to log in adds the port to the assigned VLAN according to the following rules z If the port link type is Access the port leaves its...

Page 884: ...way as described in VLAN assigning When a supplicant added into the guest VLAN initiates another authentication process if the authentication is not successful the supplicant stays in the guest VLAN...

Page 885: ...t to lan access For detailed configuration of the RADIUS client refer to AAA RADIUS HWTACACS Configuration 1 2 2 Configuring 802 1x Globally Follow these steps to configure 802 1x globally To do Use t...

Page 886: ...xies globally dot1x supp proxy check logoff trap interface interface list Optional Disabled by default Note that z For 802 1x to take effect on a port you must enable it both globally in system view a...

Page 887: ...e the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the port access control mode for the port dot1x port control authorized...

Page 888: ...of RADIUS packets and sends the packets to the RADIUS server for authentication In this case you can configure the user name format command but it does not take effect For information about the user n...

Page 889: ...from a user side device include VLAN tags and 802 1x and guest VLAN are enabled on the access port you are recommended to configure different VLAN IDs for the Voice VLAN the default port VLAN and the...

Page 890: ...rver and to send real time accounting packets to the accounting server every 15 minutes z Specify the switch to remove the domain name from the username before passing the username to the RADIUS serve...

Page 891: ...r the device to exchange packets with the authentication server Sysname radius radius1 key authentication name Specify the shared key for the device to exchange packets with the accounting server Sysn...

Page 892: ...ame interface Ethernet 1 0 1 Sysname Ethernet1 0 1 dot1x Sysname Ethernet1 0 1 quit Set the port access control method Optional The default answers the requirement Sysname dot1x port method macbased i...

Page 893: ...AC Authentication H3C S3610 S5510 Series Ethernet Switches Chapter 1 802 1x Configuration 1 22 II Network diagrams Figure 1 11 Network diagram for guest VLAN configuration Figure 1 12 Network diagram...

Page 894: ...ey authentication abc Sysname radius 2000 key accounting abc Sysname radius 2000 user name format without domain Sysname radius 2000 quit Configure domain system and specify to use RADIUS scheme 2000...

Page 895: ...vlan 10 command in the following cases to verify whether the configured guest VLAN functions z When no users log in z When a user fails the authentication z When a user goes offline 1 7 ACL Assigning...

Page 896: ...sp 2000 authentication default radius scheme 2000 Sysname isp 2000 authorization default radius scheme 2000 Sysname isp 2000 accounting default radius scheme 2000 Sysname isp 2000 quit Configure ACL 3...

Page 897: ...Operation Manual 802 1x HABP MAC Authentication H3C S3610 S5510 Series Ethernet Switches Chapter 1 802 1x Configuration 1 26...

Page 898: ...nctions to implement fast deployment of EAD scheme To support the fast deployment of EAD schemes 802 1x provides the following two mechanisms 1 Limit on accessible network resources Before successful...

Page 899: ...onfigured by default Note z Currently MAC authentication and port security cannot work together with EAD fast deployment Once MAC authentication or port security is enabled globally the EAD fast deplo...

Page 900: ...t When there are a large number of users you can shorten the timeout time to improve the ACL usage efficiency Follow these steps to set the EAD rule timeout time To do Use the command Remarks Enter sy...

Page 901: ...rt EAD fast deployment Configure the IP addresses of the interfaces omitted Configure the free IP Sysname system view Sysname dot1x free ip 192 168 1 0 24 Configure the redirect URL for client softwar...

Page 902: ...ser the user is not redirected to the specified URL Analysis z The address is in the string format In this case the operating system of the host regards the string a website name and tries to have it...

Page 903: ...and MAC authentication allowing communication among switches HABP is built on the client server model Typically the HABP server sends HABP requests to the client periodically to collect the MAC addre...

Page 904: ...BP to work in client mode on a device connected to the administrative device Since HABP is enabled and works in client mode by default this configuration task is optional Follow these steps to configu...

Page 905: ...ion Dial In User Service RADIUS based MAC authentication z Local MAC authentication For detailed information about RADIUS authentication and local authentication refer to AAA RADIUS HWTACACS Configura...

Page 906: ...ers 4 2 Related Concepts 4 2 1 MAC Authentication Timers The following timers function in the process of MAC authentication z Offline detect timer At this interval the device checks to see whether an...

Page 907: ...the user can access those restricted network resources 4 2 4 ACL Assigning ACLs assigned by an authorization server are referred to as authorization ACLs which are designed to control access to netwo...

Page 908: ...Enter system view system view Enable MAC authentication globally mac authentication Required Disabled by default mac authentication interface interface list Enable MAC authentication for specified por...

Page 909: ...MAC authentication enabled port into an aggregation group nor enable MAC authentication on a port added into an aggregation group 4 4 Displaying and Maintaining MAC Authentication To do Use the comman...

Page 910: ...r aaa quit Configure ISP domain aabbcc net and specify to perform local authentication Device domain aabbcc net Device isp aabbcc net authentication lan access local Device isp aabbcc net quit Enable...

Page 911: ...cess 1 failed 0 Current online user number is 1 MAC ADDR Authenticate state AuthIndex 00e0 fc12 3456 MAC_AUTHENTICATOR_SUCCESS 29 4 5 2 RADIUS Based MAC Authentication Configuration Example I Network...

Page 912: ...eme 2000 Device isp 2000 quit Enable MAC authentication globally Device mac authentication Enable MAC authentication for port Ethernet 1 0 1 Device mac authentication interface ethernet 1 0 1 Specify...

Page 913: ...AC authentication to access the Internet z Configure the RADIUS server to assign ACL 3000 z Enable MAC authentication on port Ethernet 1 0 1 of the switch and configure ACL 3000 After the host passes...

Page 914: ...CL 3000 to deny packets destined for 10 0 0 1 Sysname acl number 3000 Sysname acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Sysname acl adv 3000 quit Enable MAC authentication globally Sysname ma...

Page 915: ...Authentication Authorization Servers 1 23 1 4 3 Configuring the RADIUS Accounting Servers and Relevant Parameters 1 24 1 4 4 Setting the Shared Key for RADIUS Packets 1 26 1 4 5 Setting the Maximum Nu...

Page 916: ...aying and Maintaining RADIUS 1 39 1 6 3 Displaying and Maintaining HWTACACS 1 40 1 7 AAA RADIUS HWTACACS Configuration Examples 1 40 1 7 1 AAA for Telnet Users by a HWTACACS Server 1 40 1 7 2 AAA for...

Page 917: ...section covers these topics z Introduction to AAA z Introduction to ISP Domain z Introduction to RADIUS z Introduction to HWTACACS 1 1 1 Introduction to AAA Authentication Authorization and Accounting...

Page 918: ...after RADIUS authentication is successful The authorization information is carried in the RADIUS authentication response z HWTACACS authorization Users are authorized using a HWTACACS server III Acco...

Page 919: ...d remote user access are required For example it is often used for managing a large number of geographically dispersed dial in users that use Modems The RADIUS service involves three components z Prot...

Page 920: ...as PPP based PAP and CHAP II Basic message exchange process of RADIUS Information exchanged between the RADIUS client and the RADIUS server is authenticated through a shared key for security The RADIU...

Page 921: ...ue of Status Type being start 5 The RADIUS server returns a start accounting response Accounting Response 6 The subscriber accesses the network resources 7 The RADIUS client sends a stop accounting re...

Page 922: ...e accounting 5 Accounting Response From the server to the client The server sends to the client a packet of this type to notify that it has received the Accounting Request and has correctly recorded t...

Page 923: ...d IP Address 30 Called Station Id 9 Framed IP Netmask 31 Calling Station Id 10 Framed Routing 32 NAS Identifier 11 Filter ID 33 Proxy State 12 Framed MTU 34 Login LAT Service 13 Framed Compression 35...

Page 924: ...ferences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP providing more reliable network transmission Uses UDP Encrypts the entire packet except for the HWTACACS header Encrypts only the password...

Page 925: ...ation 1 9 Figure 1 5 Network diagram for a typical HWTACACS application II Basic message exchange process of HWTACACS The following takes Telnet user as an example to describe how HWTACACS performs us...

Page 926: ...to the HWTACACS server 2 The HWTACACS server sends back an authentication response requesting for the username Upon receiving the request the HWTACACS client asks the user for the username 3 After re...

Page 927: ...rver 11 The HWTACACS server sends back an accounting response indicating that it has received the start accounting request 12 When the user logs off the HWTACACS client sends a stop accounting request...

Page 928: ...garding RADIUS Servers Optional Configuring RADIUS Accounting on Optional Configuring an IP Address for the Security Policy Server Optional Enabling the Listening Port of the RADIUS Client Optional II...

Page 929: ...mplement authentication authorization and accounting For HWTACACS scheme configuration refer to Configuring HWTACACS 1 3 2 Creating an ISP Domain For the NAS each accessing user belongs to an ISP doma...

Page 930: ...ion function and specify the URL of the self service server for changing user password self service url disable enable url string Optional Disabled by default Note A self service RADIUS server for exa...

Page 931: ...cess modes or service types Follow these steps to configure an AAA authentication scheme for an ISP domain To do Use the command Remarks Enter system view system view Create an ISP domain and enter IS...

Page 932: ...he same level as authentication and accounting Its responsibility is to send authorization requests to the specified authorization server and to send authorization information to users authorized Auth...

Page 933: ...local none radius scheme radius scheme name local Optional local by default Specify the authorization scheme for command line users authorization command hwtacacs scheme hwtacacs scheme name Optional...

Page 934: ...with the authorization response message therefore you cannot specify a separate RADIUS server If you use RADIUS for authorization and authentication you must use the same scheme setting for authorizat...

Page 935: ...login hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local Optional The default accounting scheme is used by default Note z With the accounting optional comman...

Page 936: ...user is configured by default Configure a password for the local user password cipher simple password Required Place the local user to the state of active or blocked state active block Optional When c...

Page 937: ...et attributes for a LAN access user attribute access limit max user number idle cut minute ip ip address location port slot number subslot number port number mac mac address vlan vlan id Optional If t...

Page 938: ...the level of the commands that a user can use after logging in depends on the priority of the user or the priority of user interface level as with other authentication methods For an SSH user using R...

Page 939: ...s In another words the attributes of a RADIUS scheme mainly include IP addresses of primary and secondary servers shared key and RADIUS server type Actually the RADIUS protocol configurations only set...

Page 940: ...r Optional The defaults are as follows 0 0 0 0 for the IP address and 1812 for the port Note z In practice you may specify two RADIUS servers as the primary and secondary authentication authorization...

Page 941: ...ddress and UDP port of the secondary RADIUS accounting server secondary accounting ip address port number Optional The defaults are as follows 0 0 0 0 for the IP address and 1813 for the port Enable t...

Page 942: ...ser when the number of accounting request transmission attempts for the user reaches the limit but it still receives no response to the accounting request z The IP addresses of the primary and seconda...

Page 943: ...iew Create a RADIUS scheme and enter RADIUS scheme view radius scheme radius scheme name Required Not defined by default Set the number of retransmission attempts of RADIUS packets retry retry times O...

Page 944: ...primary server fails the primary server turns into the state of block and the device turns to the secondary server In this case z If the secondary server is available the device triggers the primary...

Page 945: ...rver to the active state so that the secondary server can perform authentication If the secondary server is still in the blocked state the primary secondary switchover cannot take place z If one serve...

Page 946: ...to a RADIUS server z If a RADIUS scheme defines that the username is sent without the ISP domain name do not apply the RADIUS scheme to more than one ISP domain thus avoiding the confused situation wh...

Page 947: ...y default Set the quiet timer for the primary server timer quiet minutes Optional 5 minutes by default Set the real time accounting interval timer realtime accounting minutes Optional 12 minutes by de...

Page 948: ...ired Disabled by default Set the number of accounting on packet retransmission attempts accounting on enable send send times Optional 5 times by default Set the retransmission interval of accounting o...

Page 949: ...w these steps to enable the listening port of the RADIUS client To do Use the command Remarks Enter system view system view Enable the listening port of the RADIUS client radius client enable Optional...

Page 950: ...IP address and 49 for the TCP port Configure the IP address and port of the secondary HWTACACS authentication server secondary authentication ip address port number Required The defaults are as follo...

Page 951: ...ote z The IP addresses of the primary and secondary authorization servers cannot be the same Otherwise the configuration fails z You can remove an authorization server only when no active TCP connecti...

Page 952: ...cannot be the same Otherwise the configuration fails z You can remove an accounting server only when no active TCP connection for sending accounting packets is using it z Currently HWTACACS does not s...

Page 953: ...ACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specify the format of the username to be sent to a HWTACACS server user name format with domain without domain Op...

Page 954: ...stem view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Set the TACACS server response timeout timer timer response timeo...

Page 955: ...Display information about specified or all local users display local user domain isp name idle cut disable enable service type ftp lan access ssh telnet terminal state active block user name user nam...

Page 956: ...server name statistics Available in any view Display information about buffered stop accounting requests that get no responses display stop accounting buffer hwtacacs scheme hwtacacs scheme name Avail...

Page 957: ...resses of various interfaces omitted Enable the Telnet server on the switch Switch system view Switch telnet server enable Configure the switch to use AAA for Telnet users Switch user interface vty 0...

Page 958: ...s shown in Figure 1 8 configure the switch to provide local authentication HWTACACS authorization and RADIUS accounting services to Telnet users The user name and the password for Telnet users are bot...

Page 959: ...hentication mode scheme Switch ui vty0 4 quit Configure the HWTACACS scheme Switch hwtacacs scheme hwtac Switch hwtacacs hwtac primary authorization 10 1 1 2 49 Switch hwtacacs hwtac key authorization...

Page 960: ...and the RADIUS server 2 The username is not in the format of userid isp name or no default ISP domain is specified for the NAS 3 The user is not configured on the RADIUS server 4 The password of the...

Page 961: ...henticated and authorized but accounting for the user is not normal Analysis 1 The accounting port number is not correct 2 Configuration of the authentication authorization server and the accounting s...

Page 962: ...s 1 5 1 2 4 Enabling the ARP Entry Check 1 5 1 2 5 ARP Configuration Example 1 6 1 3 Configuring Gratuitous ARP 1 6 1 3 1 Introduction to Gratuitous ARP 1 6 1 3 2 Configuring Gratuitous ARP 1 7 1 4 Co...

Page 963: ...address of a host at the network layer To send a network layer packet to a destination host the device must know the data link layer address such as the MAC address of the destination host To this end...

Page 964: ...is being sent to 1 1 3 ARP Address Resolution Process Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B as show in Figure 1 2 The resolution process is as...

Page 965: ...able contains ARP entries which fall into two categories dynamic and static 1 A dynamic entry is automatically created and maintained by ARP It can get aged be updated by a new ARP packet or be overwr...

Page 966: ...deleted and if non permanent and resolved will become unresolved Follow these steps to configure a static ARP entry To do Use the command Remarks Enter system view system view Configure a permanent st...

Page 967: ...them from the ARP mapping table You can adjust the aging time for dynamic ARP entries according to the actual network condition Follow these steps to set aging time for dynamic ARP entries To do Use t...

Page 968: ...t 1 0 10 of VLAN 10 II Configuration procedure Sysname system view Sysname arp check enable Sysname arp timer aging 10 Sysname vlan 10 Sysname vlan10 port Ethernet 1 0 10 Sysname vlan10 quit Sysname i...

Page 969: ...gratuitous arp learning enable Required Disabled by default 1 4 Configuring ARP Source Suppression 1 4 1 Introduction to ARP Source Suppression If a host attacks the device on a network by sending lar...

Page 970: ...play arp all dynamic static vlan vlan id interface interface type interface number verbose begin exclude include text count Available in any view Display the ARP entries for a specified IP address dis...

Page 971: ...lements Layer 3 communication between VLAN interfaces isolated at Layer 2 or located on different networks In one of the following cases you need to enable the local proxy ARP z Devices connected to d...

Page 972: ...face vlan id Available in any view 2 4 Proxy ARP Configuration Examples 2 4 1 Proxy ARP Configuration Example I Network requirements Host A and Host D have IP addresses of the same network segment Hos...

Page 973: ...168 20 99 255 255 255 0 Switch Vlan interface2 proxy arp enable Switch Vlan interface2 quit 2 4 2 Local Proxy ARP Configuration Example in Case of Port Isolation I Network requirements z Host A and Ho...

Page 974: ...3 quit Configure an IP address of VLAN interface 2 Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 10 100 255 255 0 0 Ping Host B on Host A to verify that the two hosts ca...

Page 975: ...Server on an Interface 2 4 2 5 Configuring an Address Pool for the DHCP Server 2 5 2 5 1 Configuration Task List 2 5 2 5 2 Creating a DHCP Address Pool 2 5 2 5 3 Configuring an Address Allocation Mod...

Page 976: ...iguration 3 9 3 5 DHCP Relay Agent Configuration Example 3 10 3 6 Troubleshooting DHCP Relay Agent Configuration 3 11 Chapter 4 DHCP Client Configuration 4 1 4 1 Introduction to DHCP Client 4 1 4 2 En...

Page 977: ...Operation Manual DHCP H3C S3610 S5510 Series Ethernet Switches Table of Contents iii 6 4 BOOTP Client Configuration Example 6 3...

Page 978: ...while with the wide application of wireless networks the frequent movement of laptops across networks requires that the IP addresses be changed accordingly Therefore related configurations on hosts be...

Page 979: ...assigned address to the client z Automatic allocation DHCP assigns a permanent IP address to a client z Dynamic allocation DHCP assigns an IP address to a client for a limited period of time which is...

Page 980: ...IP addresses offered by other DHCP servers are assignable to other clients 1 2 3 IP Address Lease Extension The IP address dynamically allocated by a DHCP server to a client has a lease After the leas...

Page 981: ...he BROADCAST B flag If this flag is set to 0 the DHCP server sent a reply back by unicast if this flag is set to 1 the DHCP server sent a reply back by broadcast The remaining bits of the flags field...

Page 982: ...n It specifies the DNS server IP address to be assigned to the client z Option 51 IP address lease option z Option 53 DHCP message type option It identifies the type of the DHCP message z Option 55 Pa...

Page 983: ...padding formats vary with vendors Currently the device supports two padding formats normal and verbose 1 Normal padding format The padding contents for sub options in the normal padding format are z s...

Page 984: ...t an IP address along with specified voice parameters from the DHCP server Option 184 involves the following sub options z Sub option 1 IP address of the primary network calling processor which is a s...

Page 985: ...apter 1 DHCP Overview 1 8 1 5 Protocols and Standards z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Extensions for the B...

Page 986: ...tion Examples z Troubleshooting DHCP Server Configuration Note z The DHCP server configuration is supported only on VLAN interfaces and loopback interfaces The secondary IP address pool configuration...

Page 987: ...ild has no such configuration or z Overridden if the lower level child has such configuration Note The IP address lease does not enjoy the inheritance attribute II Principles for selecting an address...

Page 988: ...of the DHCP server resides to avoid wrong IP address allocation 2 1 3 IP Address Allocation Sequence A DHCP server assigns an IP address to a client according to the following sequence 1 The IP addres...

Page 989: ...he subaddress keyword is valid only when the server and client are on the same subnet If a DHCP relay agent exists in between regardless of subaddress the DHCP server will select an IP address from th...

Page 990: ...n Name Suffix for the Client Configuring DNS Servers for the Client Configuring WINS Servers and NetBIOS Node Type for the Client Configuring the BIMS Server Information for the Client Configuring Gat...

Page 991: ...en the client with the MAC address or ID requests an IP address the DHCP server will find the IP address from the binding for the client A DHCP address pool now supports only one static binding which...

Page 992: ...st be identical to the ID displayed by using the display dhcp client verbose command on the client Otherwise the client cannot obtain an IP address II Configuring dynamic address allocation You need t...

Page 993: ...ess pool on the DHCP server to provide the clients with the domain name suffix With this suffix assigned the client needs only input part of a domain name and the system will add the domain name suffi...

Page 994: ...node The b node client sends the destination name in a broadcast message The destination returns its IP address to the client after receiving the message z p peer to peer node The p node client sends...

Page 995: ...ure the BIMS server IP address port number and shared key in the DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool nam...

Page 996: ...then can initiate a call using parameters in Option 184 Follow these steps to configure option 184 parameters in the DHCP address pool To do Use the command Remarks Enter system view system view Enter...

Page 997: ...ration file To implement auto configuration you need to specify the IP address and name of a TFTP server and the bootfile name in the DHCP address pool on the DHCP server but you do not need to perfor...

Page 998: ...ess pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Configure a self defined DHCP option option code ascii ascii string hex...

Page 999: ...the DHCP address pool 2 6 2 Enabling Unauthorized DHCP Server Detection There are unauthorized DHCP servers on networks which reply DHCP clients with wrong IP addresses With this feature enabled when...

Page 1000: ...tion To do Use the command Remarks Enter system view system view Specify the number of ping packets dhcp server ping packets number Optional One ping packet by default The value 0 indicates that no pi...

Page 1001: ...Support Option 82 for related configuration details 2 8 Displaying and Maintaining the DHCP Server To do Use the command Remarks Display information about IP address conflicts display dhcp server conf...

Page 1002: ...9 DHCP Server Configuration Examples DHCP networking involves two types z The DHCP server and client are on the same subnet and exchange messages directly z The DHCP server and client are not on the...

Page 1003: ...ace 1 should be less than 122 and that of clients connected to VLAN interface 2 less than 124 II Network diagram Figure 2 1 DHCP network diagram III Configuration procedure Specify IP addresses for VL...

Page 1004: ...55 128 SwitchA dhcp pool 2 expired day 5 SwitchA dhcp pool 2 gateway list 10 1 1 254 2 10 Troubleshooting DHCP Server Configuration I Symptom A client s IP address obtained from the DHCP server confli...

Page 1005: ...figuration is supported only VLAN interfaces z DHCP Snooping must be disabled on the DHCP relay agent 3 1 Introduction to DHCP Relay Agent 3 1 1 Application Environment Since DHCP clients request IP a...

Page 1006: ...ocation Process The following describes the forwarding process on the DHCP relay agent Figure 3 2 DHCP relay agent work process As shown in the figure above the DHCP relay agent works as follows 1 Aft...

Page 1007: ...at The DHCP relay agent will Drop Random Drop the message Keep Random Forward the message without changing Option 82 normal Forward the message after replacing the original Option 82 with the Option 8...

Page 1008: ...se the command Remarks Enter system view system view Enter interface view Interface interface type interface number Enable the DHCP relay agent on the current interface dhcp select relay Required With...

Page 1009: ...servers and those of relay agent s interfaces cannot be on the same subnet Otherwise the client cannot obtain an IP address z A DHCP server group can correlate with one or multiple DHCP relay agent in...

Page 1010: ...can manually configure IP to MAC bindings on the DHCP relay agent so that users can access external network using fixed IP addresses For avoidance of invalid IP address configuration you can configur...

Page 1011: ...ent uses the IP address of a client and the MAC address of the DHCP relay interface to regularly send a DHCP REQUEST message to the DHCP server z If the server returns a DHCP ACK message or does not r...

Page 1012: ...fter the recorded information of a DHCP server is cleared a new record will be put for the DHCP server 3 3 6 Configuring the DHCP Relay Agent to Support Option 82 I Prerequisites You need to complete...

Page 1013: ...n 82 is padded with the device name sysname of a node the device name must contain no spaces Otherwise the DHCP relay agent will drop the message 3 4 Displaying and Maintaining DHCP Relay Agent Config...

Page 1014: ...lients reside The IP address of VLAN interface 1 is 10 10 1 1 24 and IP address of VLAN interface 2 is 10 1 1 2 24 that communicates with the DHCP server 10 1 1 1 24 As shown in the figure below Switc...

Page 1015: ...t subnets routes in between must be reachable 3 6 Troubleshooting DHCP Relay Agent Configuration I Symptom DHCP clients cannot obtain any configuration parameters via the DHCP relay agent II Analysis...

Page 1016: ...to obtain an IP address 4 1 Introduction to DHCP Client With the DHCP client enabled on an interface the interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP...

Page 1017: ...n will overwrite the previous configuration z After the DHCP client is enabled on an interface no secondary IP address is configurable for the interface z If the IP address assigned by the DHCP server...

Page 1018: ...address II Network diagram See Figure 2 1 III Configuration procedure The following is the configuration on Switch B shown in Figure 2 1 Enable the DHCP client on VLAN interface 1 SwitchB system view...

Page 1019: ...een the DHCP client and relay agent or between the DHCP client and server z The DHCP Snooping enabled device cannot be a DHCP server or DHCP relay agent z You are not recommended to enable the DHCP cl...

Page 1020: ...rator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agent option Option 82 If DHCP snooping supports Option 82 it will handle a cl...

Page 1021: ...iew interface interface type interface number Specify the port as trusted dhcp snooping trust Required Untrusted by default Note z You need to specify the ports connected to the valid DHCP servers as...

Page 1022: ...me user defined node identifier Optional normal by default Note z To support Option 82 it is required to perform related configuration on both the DHCP server and the device enabled with DHCP Snooping...

Page 1023: ...dress bindings in DHCP REQUEST messages and DHCP ACK messages received from trusted ports z Switch B supports Option 82 After receiving a DHCP request from the client Switch B adds Option 82 padded in...

Page 1024: ...82 on Ethernet 1 0 2 SwitchB Ethernet1 0 2 dhcp snooping information format verbose node identifier sysname SwitchB Ethernet1 0 2 quit Configure DHCP Snooping to support Option 82 on Ethernet 1 0 3 Sw...

Page 1025: ...his section covers these topics z BOOTP Application z Obtaining an IP Address Dynamically z Protocols and Standards 6 1 1 BOOTP Application After you specify an interface of a device as a BOOTP client...

Page 1026: ...receives the request and searches the configuration file for the corresponding IP address according to the MAC address of the BOOTP client The BOOTP server then returns a BOOTP response to the BOOTP...

Page 1027: ...w 6 4 BOOTP Client Configuration Example I Network requirement Switch B s port belonging to VLAN 1 is connected to the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP II...

Page 1028: ...dure 2 1 2 1 2 Configuration Examples 2 2 2 2 Configuring a Basic IPv4 ACL 2 3 2 2 1 Configuration Prerequisites 2 3 2 2 2 Configuration Procedure 2 3 2 2 3 Configuration Examples 2 4 2 3 Configuring...

Page 1029: ...ples 3 3 3 3 Configuring an Advanced IPv6 ACL 3 3 3 3 1 Configuration Prerequisites 3 3 3 3 2 Configuration Procedure 3 3 3 3 3 Configuration Examples 3 5 3 4 Copying an IPv6 ACL 3 5 3 4 1 Configurati...

Page 1030: ...llegal users from accessing networks and to control network traffic and save network resources Access control lists ACL are often used to filter packets with configured matching rules ACLs are sets of...

Page 1031: ...ers the device denies all packets that do not match the ACL 1 2 IPv4 ACL This section covers these topics z IPv4 ACL Classification z IPv4 ACL Naming z IPv4 ACL Match Order z IP Fragments Filtering wi...

Page 1032: ...order in which they are configured z auto where depth first match is performed The term depth first match has different meanings for different types of ACLs I Depth first match for a basic IPv4 ACL T...

Page 1033: ...ows how your device performs depth first match in an Ethernet frame header ACL 1 Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the sourc...

Page 1034: ...other Layer 3 or Layer 4 protocol header fields Advanced ACLs are numbered 3000 through 3999 1 3 2 IPv6 ACL Naming When creating an IPv6 ACL you can specify a unique name for it Afterwards you can ide...

Page 1035: ...with the protocol carried on IPv6 specified prior to other rules 2 If two rules are present with the same protocol range look at source IPv6 address wildcard in addition Then compare packets against t...

Page 1036: ...takes effect only in specified time ranges Only after a time range is configured and the system time is within the time range can an ACL rule take effect Two types of time ranges are available z Peri...

Page 1037: ...mber 31 2004 23 59 you may use the time range test 12 00 to 14 00 wednesday from 00 00 01 01 2004 to 23 59 12 31 2004 command z You may create individual time ranges identified with the same name They...

Page 1038: ...view system view Create and enter basic IPv4 ACL view acl number acl number name acl name match order auto config Required The default match order is config If you specify a name for an IPv4 ACL when...

Page 1039: ...ed in an ACL If the match order for this ACL is auto rules are displayed in the depth first match order rather than by rule number Caution z You can modify the match order of an IPv4 ACL with the acl...

Page 1040: ...v4 ACL To do Use the command Remarks Enter system view system view Create and enter advanced IPv4 ACL view acl number acl number name acl name match order auto config Required The default match order...

Page 1041: ...rrent highest rule ID For example if the rule numbering step is 5 and the current highest rule ID is 28 the next rule will be numbered 30 For detailed information about step refer to the step command...

Page 1042: ...ange command first 2 4 2 Configuration Procedure Follow these steps to configure an Ethernet frame header ACL To do Use the command Remarks Enter system view system view Create and enter Ethernet fram...

Page 1043: ...p is 5 and the current highest rule ID is 28 the next rule will be numbered 30 For detailed information about step refer to the step command z You may use the display acl command to verify rules confi...

Page 1044: ...Prerequisites If you want to reference a time range to a rule define it with the time range command first 2 5 2 Configuration Procedure Follow these steps to configure a user defined ACL To do Use th...

Page 1045: ...atically assign rule IDs starting with 0 and increasing in rule numbering steps of five A rule ID thus assigned is greater than the current highest rule ID For example if the current highest rule ID i...

Page 1046: ...an existing IPv4 ACL to generate a new one of the same type acl copy source acl number name source acl name to dest acl number name dest acl name Required Caution z The source IPv4 ACL and the destin...

Page 1047: ...sident s office 192 168 2 0 24 192 168 3 0 24 192 168 1 0 24 Figure 2 1 Network diagram for IPv4 ACL configuration 2 8 3 Configuration Procedure 1 Create a time range for office hours Create a periodi...

Page 1048: ...match acl 3001 Switch classifier c_market quit Configure traffic behavior b_ market to deny matching packets Switch traffic behavior b_market Switch behavior b_market filter deny Switch behavior b_mar...

Page 1049: ...uring a Basic IPv6 ACL Basic IPv6 ACLs filter packets based on source IPv6 address They are numbered in the range 2000 to 2999 3 2 1 Configuration Prerequisites If you want to reference a time range t...

Page 1050: ...if the ACL match order is set to auto rather than config you cannot modify ACL rules z When defining ACL rules you need not assign them IDs The system can automatically assign rule IDs starting with 0...

Page 1051: ...00 named none 2 rules ACL s step is 5 rule 0 permit source 2030 5060 9050 64 rule 5 deny source FE80 5060 8050 96 3 3 Configuring an Advanced IPv6 ACL Advanced ACLs filter packets based on the source...

Page 1052: ...range time name Required To create multiple rules repeat this step Set a rule numbering step step step value Optional The default step is 5 Create an ACL description description text Optional By defau...

Page 1053: ...3 Configuration Examples Create IPv6 ACL 3000 to permit the TCP packets with the source address 2030 5060 9050 64 to pass Sysname system view Sysname acl ipv6 number 3000 Sysname acl6 adv 3000 rule p...

Page 1054: ...ame of the source IPv6 ACL 3 5 Displaying and Maintaining IPv6 ACLs To do Use the command Remarks Display information about a specified or all IPv6 ACLs display acl ipv6 acl6 number all name acl6 name...

Page 1055: ...ackets matching IPv6 ACL 2000 Switch traffic classifier c_rd Switch classifier c_rd if match acl ipv6 2000 Switch classifier c_rd quit Configure traffic behavior b_rd to deny matching packets Switch t...

Page 1056: ...address source TCP port and destination TCP port Then only the ACL rules that contain no other information items than the above ones can be applied correctly on the port for packet filtering QoS and...

Page 1057: ...smac sport tcp flag tos Create a flow template Create an extended flow template flow template flow template name extend start offset max value length max value ipv4 offset max value length max value...

Page 1058: ...ation MAC IP port binding selective QinQ and voice VLAN And also you are not recommended to use these functions after you apply a flow template on the port The S3610 and S5510 Series Ethernet Switches...

Page 1059: ...cos Service 802 1p COS field 0 service vlan id Service VLAN ID field 0 sip Source IP address field in IP head 0 sipv6 Source IPv6 address field in IPv6 head 0 smac Source MAC address field in ethernet...

Page 1060: ...eate basic flow template aaa Sysname system view Sysname flow template aaa basic customer cos smac customer vlan id Reference flow template aaa on interface Ethernet 1 0 1 Sysname interface Ethernet 1...

Page 1061: ...template interface Interface Ethernet1 0 1 user defined flow template basic name aaa index 1 total reference counts 1 fields smac customer vlan id customer cos Interface Ethernet1 0 2 user defined flo...

Page 1062: ...Traffic Classification 2 1 2 1 2 Priority 2 2 2 2 TP and TS Overview 2 5 2 3 Traffic Evaluation and the Token Bucket 2 5 2 3 1 Token bucket 2 5 2 3 2 Evaluating the traffic with the token bucket 2 6...

Page 1063: ...rerequisites 5 5 5 3 2 Configuration Procedure 5 5 5 3 3 Configuration Examples 5 5 5 4 Configuring Port Priority Trust Mode 5 6 5 4 1 Configuration Prerequisites 5 6 5 4 2 Configuration Procedure 5 6...

Page 1064: ...onfiguration Prerequisites 8 1 8 2 2 Configuration Procedure 8 2 8 3 Displaying and Maintaining VLAN Policy 8 2 8 4 VLAN Policy Configuration Examples 8 2 8 4 1 Network Requirements 8 2 8 4 2 Configur...

Page 1065: ...ermined by the order in which packets arrive All the packets share the resources of the network Network resources available to the packets completely depend on the time they arrive This service policy...

Page 1066: ...y need to be further improved 1 4 Occurrence and Influence of Congestion and the Countermeasures QoS issues that traditional networks face are mainly caused by congestion Congestion means reduced serv...

Page 1067: ...it cannot solve all the problems that cause network congestion A more effective way to solve network congestion problems is to enhance the function of the network layer in traffic control and resourc...

Page 1068: ...congestion avoidance mechanism will drop packets and regulate traffic to solve the overload of the network z TS TS is a traffic control measure to regulate the output rate of the traffic actively TS r...

Page 1069: ...ification is generally based on the information in the packet header and rarely based on the content of the packet The classification result is unlimited in range They can be a small range specified b...

Page 1070: ...he range of 0 to 15 z RFC2474 re defines the ToS field in the IP packet header which is called the DS field The first six bit 0 to bit 5 bits of the DS field indicate DSCP precedence in the range of 0...

Page 1071: ...CS class This class comes from the IP ToS field and includes eight subclasses z Best Effort BE class This class is a special class without any assurance in the CS class The AF class can be degraded to...

Page 1072: ...alue is 8100 and a 2 byte Tag Control Information TCI TPID is a new class defined by IEEE to indicate a packet with an 802 1Q tag Figure 2 3 describes the detailed contents of an 802 1Q tag header Fig...

Page 1073: ...ow obtains only the resources committed to it within a certain period of time network congestion due to excessive burst traffic can be avoided TP and TS are traffic control policies for limiting traff...

Page 1074: ...nd a number of tokens equivalent to the packet forwarding authority must be taken out otherwise this means too many tokens have been used the traffic is in excess of the specification 2 3 3 Complicate...

Page 1075: ...or a non conforming packet with a new DSCP precedence value and forwarding the packet 2 3 5 TS TS is a policy used to adjust the rate of outbound traffic actively A typical TS implementation is to co...

Page 1076: ...re queue based TS Configure TS on ports Configure TS for all traffic Configure TS on ports 2 4 1 Configuring TP TP configuration includes the following two tasks the first task is to define the charac...

Page 1077: ...ter system view Sysname system view Enter port view Sysname interface Ethernet 1 0 1 Configure TP parameters Sysname Ethernet1 0 1 qos car inbound acl 2000 cir 1000 red discard 2 4 2 Configuring TS TS...

Page 1078: ...w or port group view Enter port group view port group manual port group name aggregation agg id Perform either of the two operations The configuration performed in Ethernet port view applies to the cu...

Page 1079: ...on 2 11 2 5 Displaying TP TS To do Use the command Remarks Display the configuration and statistics about TP on a port display qos car interface interface type interface number Display the configurati...

Page 1080: ...les You can use commands to define a series of rules to classify packets Additionally you can use commands to define the relationship among classification rules and and or z and The devices considers...

Page 1081: ...define the class as required for the policy to be associated with car Traffic filtering Use the if match match criteria command to define the class as required for the policy to be associated with fil...

Page 1082: ...ble forms of this argument Table 3 2 The form of the match criteria argument Form Description acl access list number Specifies an ACL to match packets The access list number argument is in the range 2...

Page 1083: ...nt IP precedence is in the range 0 to 7 protocol protocol name Specifies to match the packets of a specified protocol The protocol name argument can be IP IPv6 or Bittorrent The S3610 and S5510 series...

Page 1084: ...you want to define a primap behavior you need to define a priority mapping table as required Refer to Priority Mapping for more information I Configuration procedure Follow these steps to define a tra...

Page 1085: ...erface interface type interface number next hop ipv4 add ipv4 add ipv6 add interface type interface number ipv6 add interface type interface number Remark DSCP value for packets remark dscp dscp value...

Page 1086: ...lusive with the nest command II Configuration example 1 Network requirements Create a traffic behavior named test configuring TP action for it with the CAR being 100 kbps 2 Configuration procedure Ent...

Page 1087: ...t port view applies to the current port only The configuration performed in port group view applies to all the ports in the port group Apply an associated policy qos apply policy policy name inbound R...

Page 1088: ...about a class and the corresponding actions associated by a policy display qos policy user defined policy name classifier classifier name Display the information about the policies applied on a port d...

Page 1089: ...y cause the transmitting device to retransmit the packets because the lost packets time out which causes a malicious cycle The core of congestion management is how to schedule the resources and determ...

Page 1090: ...h are queue7 queue6 queue5 queue4 queue3 queue2 queue1 and queue0 Their priorities decrease in order In queue scheduling SP sends packets in the queue with higher priority strictly following the prior...

Page 1091: ...50 30 10 10 50 30 10 and 10 corresponding to w7 w6 w5 w4 w3 w2 w1 and w0 respectively In this way the queue with the lowest priority can be assured of 5 Mbps of bandwidth at least thus avoiding the di...

Page 1092: ...p 2 The SP scheduling algorithm is adopted for WRR groups For example queue 0 queue 1 queue 2 and queue 3 are in WRR group 1 and queue 4 queue 5 queue 6 and queue 7 are in group 2 Round robin is perfo...

Page 1093: ...1 qos wrr 1 group 1 weight 2 Sysname Ethernet1 0 1 qos wrr 2 group 1 weight 4 Sysname Ethernet1 0 1 qos wrr 3 group 1 weight 6 Sysname Ethernet1 0 1 qos wrr 4 group 1 weight 8 Sysname Ethernet1 0 1 qo...

Page 1094: ...configuration performed in port group view applies to all the ports in the port group Configure SP queue scheduling qos wrr queue id group sp Required Configure WRR queue scheduling qos wrr queue id g...

Page 1095: ...0 1 qos wrr 1 group sp Sysname Ethernet1 0 1 qos wrr 2 group 1 weight 20 Sysname Ethernet1 0 1 qos wrr 3 group 1 weight 70 Sysname Ethernet1 0 1 qos wrr 4 group 1 weight 100 Sysname Ethernet1 0 1 qos...

Page 1096: ...higher the drop precedence the more likely a packet is dropped For packets without 802 1q tags the switch uses the priority of the receiving port as the 802 1p precedence of the received packets and...

Page 1097: ...cp lp mapping column lists the default target local precedence values available only for IP packets z The dscp dp mapping lists the default target drop precedence values available only for IP packets...

Page 1098: ...only when the priority mapping action is configured in the associated traffic behavior specified by a policy For the detailed information about configuring traffic behavior refer to section 3 4 3 Def...

Page 1099: ...quirements Modify the dot1p lp mapping table as those listed in Table 5 3 Table 5 3 The specified dot1p lp mapping 802 1p priority Local precedence 0 0 1 0 2 1 3 1 4 2 5 2 6 3 7 3 II Configuration pro...

Page 1100: ...2 Configuration Procedure Follow these steps to configure port priority To do Use the command Remarks Enter system view system view Enter port view interface interface type interface number Enter por...

Page 1101: ...face interface type interface number Enter port view or port group view Enter port group view port group manual port group name aggregation agg id Perform either of the two operations The configuratio...

Page 1102: ...Mapping To do Use the command Remarks Display the information about a specified priority mapping table display qos map table dot1p lp dot1p dp dscp lp dscp dp dscp dot1p dscp dscp Display the priorit...

Page 1103: ...nism on the source end can maximize throughput and utilization rate of the network and minimize packet loss and delay I Traditional packet drop policy Tail drop is adopted in the traditional packet dr...

Page 1104: ...is avoided When packets in a TCP connection are dropped and sent at a low rate packets in other TCP connections are still sent at a high rate In this way packets in a part of connections are sent at a...

Page 1105: ...ort only Configuration performed in port group view applies to all the ports in the port group Enable WRED qos wred enable Required 6 2 3 Configuration Example I Network requirements Enable WRED on Et...

Page 1106: ...eue id length queue length 1 8 Required 6 3 3 Configuration Example I Network requirements Set the queue length of queue 1 and queue 3 to 8 and 32 on Ethernet 1 0 1 II Configuration procedure Enter sy...

Page 1107: ...defined in the aggregation CAR 7 2 Applying Aggregation CAR on Ports 7 2 1 Configuration Prerequisites z Parameter values of the aggregation CAR are determined z Ports where aggregation CAR is applie...

Page 1108: ...ter port group view port group manual port group name aggregation agg id Perform either of the two operations The configuration performed in port view applies to the current port only Configuration pe...

Page 1109: ...Use the command Remarks Enter system view system view Enter traffic behavior view traffic behavior behavior name Required Reference aggregation CAR in the traffic behavior car name global car name Req...

Page 1110: ...ing Aggregation CAR To do Use the command Remarks Clear the statistics information of the specified aggregation CAR reset qos car name global car name Available in user view Display the configuration...

Page 1111: ...VLAN policies can facilitate the application and management of QoS policies on the switch VLAN policies are not effective on dynamic VLANs VLAN policies will not be applied to dynamic VLANs For exampl...

Page 1112: ...the QoS policy applied to the VLAN the port belongs to 8 3 Displaying and Maintaining VLAN Policy To do Use the command Remarks Display the VLAN policy display qos vlan policy name policy name vlan vl...

Page 1113: ...te a traffic behavior and enter traffic behavior view Sysname traffic behavior be1 Configure the traffic behavior Sysname behavior be1 car cir 64 Sysname behavior be1 quit Create a QoS policy and ente...

Page 1114: ...nt to a destination port that is a mirroring port z Mirroring to CPU The desired traffic on a mirrored port is replicated and sent to the CPU on the board of the port for further analysis z Mirroring...

Page 1115: ...ring group you cannot configure the two ports at the same time For the detailed information about local port mirroring group refer to the Port Mirroring module in this manual 9 2 2 Mirroring Traffic t...

Page 1116: ...figuring traffic mirroring to a port 9 4 2 Configuration Procedure Configure Switch Enter system view Sysname system view Configure basic IPv4 ACL 2000 to match packets with the source IP address 192...

Page 1117: ...qos policy 1 Sysname policy 1 classifier 1 behavior 1 Sysname policy 1 quit Apply the policy in the inbound direction of Ethernet1 0 1 Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 qos apply...

Page 1118: ...t Mirroring 1 2 1 1 3 Other Functions Supported by Port Mirroring 1 3 1 2 Configuring Local Port Mirroring 1 3 1 3 Configuring Remote Port Mirroring 1 5 1 3 1 Configuring a Remote Source Mirroring Gro...

Page 1119: ...g specified ports to the destination mirroring port As destination mirroring ports usually have data monitoring devices connected to them you can analyze the packets duplicated to the destination mirr...

Page 1120: ...are in the same local port mirroring group Packets passing through the source ports are duplicated and then are forwarded to the destination port II Remote port mirroring Remote port mirroring is ach...

Page 1121: ...group If yes the destination device forwards the packet to the monitoring device through the destination mirroring port Note z With the S3610 and S5510 series you can configure either one local mirror...

Page 1122: ...m view mirroring group group id monitor port monitor port id interface interface type interface number Add a port to the mirroring group as the destination port In interface view mirroring group group...

Page 1123: ...er mirroring group group id mirroring port both inbound outbound Add ports to the mirroring group as source ports In interface view quit You can add ports to a source port mirroring group in either sy...

Page 1124: ...or port only when it operates with the following settings being the defaults operation mode half duplex full duplex port speed MDI setting Conversely these settings cannot be modified once a port is c...

Page 1125: ...is a hybrid port port hybrid vlan rprobe vlan id tagged untagged Perform one of these three operations according to the port type Note z A destination port cannot be a member port of the current mirro...

Page 1126: ...and sent from the R D department and the marketing department through the data monitoring device Use the local port mirroring function to meet the requirement Perform the following configurations on S...

Page 1127: ...witch B connects to Ethernet 1 0 1 of Switch C z The data monitoring device is connected to Ethernet 1 0 2 of Switch C The administrator wants to monitor the packets sent from Department 1 and 2 throu...

Page 1128: ...ng VLAN of the remote port mirroring group Add port Ethernet 1 0 1 and Ethernet1 0 2 to the remote port mirroring group as source ports Configure port Ethernet 1 0 4 as the reflector port SwitchA mirr...

Page 1129: ...witchC system view SwitchC interface Ethernet 1 0 1 SwitchC Ethernet1 0 1 port link type trunk SwitchC Ethernet1 0 1 port trunk permit vlan 2 SwitchC Ethernet1 0 1 quit Create a remote destination por...

Page 1130: ...1 12 1 3 8 Configuring Communication Between the Management Device and the Member Devices Within a Cluster 1 14 1 3 9 Configuring Cluster Member Management 1 14 1 4 Configuring the Member Devices 1 15...

Page 1131: ...aining Cluster Management z Cluster Management Configuration Examples 1 1 Cluster Management Overview 1 1 1 Cluster Management Definition A cluster is an aggregation of a group of communication device...

Page 1132: ...z Allowing simultaneous software upgrading and parameter configuring on multiple devices free of topology and distance limitations 1 1 2 Roles in a Cluster The devices in a cluster play different role...

Page 1133: ...e after being added to a cluster z A member device becomes a candidate device after it is removed from the cluster z A management device becomes a candidate device only after the cluster is removed 1...

Page 1134: ...ponding entry in the NDP table is updated otherwise only the holdtime of the entry is updated If no NDP information from the neighbor is received within the holdtime the corresponding entry is removed...

Page 1135: ...to control the speed of the NTDP topology collection request advertisement z Upon receiving an NTDP topology collection request the device does not forward it instead it waits for a period of time and...

Page 1136: ...nterval three times of the interval to send handshake packets it changes the status of the member device from Active to Connect Likewise if a member device fails to receive the handshake packets from...

Page 1137: ...and the member candidate devices Therefore z If the packets from the management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports includi...

Page 1138: ...agement Device Configuring Cluster Member Management Optional Enabling NDP Globally and for Specific Ports Optional Enabling NTDP Globally and for Specific Ports Optional Manually Collecting NTDP Info...

Page 1139: ...rmally you must enable NDP both globally and on the specified port z If the subtending port or the port connecting the management device to a member candidate device is a port of a member in an aggreg...

Page 1140: ...e port ntdp enable Optional NTDP is enabled on all ports by default Caution z For NTDP to work normally you must enable NTDP both globally and on the specified port z The NTDP function is mutually exc...

Page 1141: ...r hop delay time Optional 200 ms by default Configure the port delay to forward topology collection request ntdp timer port delay time Optional 20 ms by default 1 3 5 Manually Collecting NTDP Informat...

Page 1142: ...the routing table the candidate device will be added to and removed from the cluster repeatedly Caution z You can only specify a management VLAN before establishing a cluster After a device has been...

Page 1143: ...gn a name to it build name Required By default the device is not the management device II Automatically establishing a cluster In addition to establishing a cluster manually you are also provided with...

Page 1144: ...ement device and member devices communicate by sending handshake packets to maintain connection between them You can configure interval of sending handshake packets and the holdtime of a device on the...

Page 1145: ...ou can control them remotely on the management device For example you can reboot a member device that operates improperly and specify to delete the booting configuration file when the member device re...

Page 1146: ...nfigure manage and monitor the member devices through the management device You can manage member devices in a cluster through switching from the operation interface of the management device to that o...

Page 1147: ...ing management device and member devices of the cluster otherwise the switch may fail because of authentication failure z When you switch the management device to a member device if member n does not...

Page 1148: ...ins the MAC addresses of devices If a blacklist device is connected to network through another device not included in the blacklist the MAC address and access port of the latter are also included in t...

Page 1149: ...you can configure FTP TFTP server NM host and log host for the cluster on the management device z After you configure an FTP TFTP server for a cluster the members in the cluster access the FTP TFTP se...

Page 1150: ...er logging host ip address Required By default no log host is configured for a cluster Configure the SNMP NM host shared by the member devices in the cluster snmp host ip address community string read...

Page 1151: ...mation display cluster base topology mac address mac address member id member number View the current blacklist of the cluster display cluster black list View the information of candidate devices disp...

Page 1152: ...management device belongs to VLAN 2 whose interface IP address is 163 172 55 1 24 The network management interface of the management device is VLAN interface 2 VLAN 2 is the network management NM int...

Page 1153: ...r function Switch cluster enable 2 Configuring the management device Enable NDP globally and for the Ethernet 1 0 2 and Ethernet 1 0 3 ports Switch system view Switch ndp enable Switch interface Ether...

Page 1154: ...port connecting the management device to candidate devices as a Trunk port and allow packets from the management VLAN to pass Switch interface Ethernet 1 0 2 Switch Ethernet1 0 2 port link type trunk...

Page 1155: ...figure the network management interface aabbcc_0 Switch vlan 2 aabbcc_0 Switch vlan2 port Ethernet 1 0 1 aabbcc_0 Switch quit aabbcc_0 Switch interface vlan interface 2 aabbcc_0 Switch Vlan interface2...

Page 1156: ...s Ethernet Switches Table of Contents i Table of Contents Chapter 1 UDP Helper Configuration 1 1 1 1 Introduction to UDP Helper 1 1 1 2 Configuring UDP Helper 1 2 1 3 Displaying and Maintaining UDP He...

Page 1157: ...er functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward...

Page 1158: ...ble the forwarding of packets with the specified UDP destination port number s udp helper port port number dns netbios ds netbios ns tacacs tftp time Optional By default the UDP helper enabled device...

Page 1159: ...ers or the corresponding parameters For example udp helper port 53 and udp helper port dns specify the same UDP port number z When you view the configuration information by using the display current c...

Page 1160: ...itch A to the network segment 10 2 0 0 16 is available Enable Switch A to receive directed broadcasts SwitchA system view SwitchA ip forward broadcast Enable UDP Helper SwitchA udp helper enable Enabl...

Page 1161: ...Enabling SNMP Logging 1 5 1 4 Trap Configuration 1 6 1 4 1 Configuration Prerequisites 1 6 1 4 2 Configuration Procedure 1 6 1 5 Displaying and Maintaining SNMP 1 8 1 6 SNMP Configuration Example 1 9...

Page 1162: ...alizes automatic management of products from different manufacturers Offering only the basic set of functions SNMP makes the management tasks independent of both the physical features of the managed d...

Page 1163: ...will simply be discarded A community name performs a similar role as a key word and can be used to regulate access from NMS to Agent SNMPv3 offers an authentication that is implemented with a User Ba...

Page 1164: ...tion version all v1 v2c v3 Optional The defaults are as follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configure an SNMP agent group snmp...

Page 1165: ...llows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Config ure directl y Config ure a comm unity name snmp agent community read write community n...

Page 1166: ...uring SNMP Logging 1 3 1 Introduction to SNMP Logging SNMP logs the GET and SET operations that NMS performs to SNMP Agent When the GET operation is performed Agent logs the IP address of NMS node nam...

Page 1167: ...nformation and the information center refer to the Information Center Configuration part of the manual 1 4 Trap Configuration SNMP Agent sends Traps to NMS to alert the latter of critical and importan...

Page 1168: ...ssion parameters Follow these steps to configure Trap To do Use the command Remarks Enter system view system view Configure target host attribute for Traps snmp agent target host trap address udp doma...

Page 1169: ...ent system information including the contact location and version of the SNMP display snmp agent sys info contact location version Display SNMP agent statistics display snmp agent statistics Display t...

Page 1170: ...the SNMP agent group and SNMP agent user Sysname system view Sysname snmp agent community read public Sysname snmp agent community write private Sysname snmp agent mib view included internet 1 3 6 1 S...

Page 1171: ...ure the authentication mode authentication password privacy mode privacy password In addition the time out time and number of retries should also be configured The user can inquire and configure the s...

Page 1172: ...following log information is displayed on the terminal when NMS performs the GET operation to Agent Jan 1 02 49 40 566 2006 Sysname SNMP 6 GET seqNO 10 srcIP 1 1 1 2 op get node sysName 1 3 6 1 2 1 1...

Page 1173: ...e is a string of characters and the string contains characters not in the range of ASCII 0 to 127 or invisible characters the string is displayed in hexadecimal For example value 81 43 hex Note The sy...

Page 1174: ...or remote network devices in a more proactive and effective way It reduces traffic between network management station NMS and agent facilitating large network management RMON comprises two parts NMSs...

Page 1175: ...he private alarm group The events can be handled in one of the following ways z Logging events in the event log table z Sending traps to NMSs z Both logging and sending traps z No action II Alarm grou...

Page 1176: ...can cause an alarm event That is the rising alarm and falling alarm are alternate IV History group The history group controls the periodic statistical sampling of data such as bandwidth utilization n...

Page 1177: ...ry number buckets number interval sampling interval owner text Optional Create an entry in the statistics table rmon statistics entry number owner text Optional Exit Ethernet port view quit Create an...

Page 1178: ...ported by the device the entry will be created However the validated value of the buckets number argument corresponding with the entry is the history table size supported by the device Table 2 1 Restr...

Page 1179: ...on display rmon prialarm entry number Available in any view Display RMON events configuration information display rmon event entry number Available in any view Display RMON event log information displ...

Page 1180: ...of resources 0 Packets received according to length in octets 64 644 65 127 518 128 255 688 256 511 101 512 1023 3 1024 1518 0 Create an event to start logging after the event is triggered Sysname sy...

Page 1181: ...ring the Interface to Send NTP Messages 1 12 1 4 2 Disabling an Interface from Receiving NTP Messages 1 13 1 4 3 Configuring the Maximum Number of Dynamic Sessions Allowed 1 13 1 5 Configuring Access...

Page 1182: ...nchronizes timekeeping among distributed time servers and clients NTP runs over the User Datagram Protocol UDP using UDP port 123 The purpose of using NTP is to keep consistent timekeeping among all c...

Page 1183: ...d between the backup server and all the clients Advantages of NTP z NTP uses a stratum to describe the clock precision and is able to synchronize time among all devices within the network z NTP suppor...

Page 1184: ...m T2 z When the NTP message leaves Device B Device B timestamps it The timestamp is 11 00 02 am T3 z When Device A receives the NTP message the local time of Device A is 10 00 03 am T4 Up to now Devic...

Page 1185: ...refer to NTP clock synchronization messages A clock synchronization message is encapsulated in a UDP message in the format shown in Figure 1 2 Figure 1 2 Clock synchronization message format Main fie...

Page 1186: ...the primary reference source z Reference Identifier Identifier of the particular reference source z Reference Timestamp the local time at which the local clock was last set or corrected z Originate T...

Page 1187: ...mmetric active the device that receives this message automatically enters the symmetric passive mode and sends a reply with the Mode field in the message set to 2 symmetric passive By exchanging messa...

Page 1188: ...configured to the default NTP multicast address 224 0 1 1 with the Mode field in the messages set to 5 multicast mode Clients listen to the multicast messages from servers After a client receives the...

Page 1189: ...8 associations at the same time including static associations and dynamic associations A static association refers to an association that a user has manually created by using an NTP command while a dy...

Page 1190: ...ddress must be a host address rather than a broadcast address a multicast address or the IP address of the local clock z When the interface sending the NTP packet is specified by the source interface...

Page 1191: ...When the interface used to send NTP messages is specified by the source interface argument the source IP address of the NTP message will be configured as the primary IP address of the specified inter...

Page 1192: ...terface view interface interface type interface number Enter the interface used to send NTP broadcast messages Configure the device to work in the NTP broadcast server mode ntp service broadcast serve...

Page 1193: ...ew interface interface type interface number Enter the interface used to send NTP multicast message Configure the device to work in the NTP multicast server mode ntp service multicast server ip addres...

Page 1194: ...eiving NTP Messages To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Disable the interface from receiving NTP messages ntp ser...

Page 1195: ...peer device to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to the peer device From the highest NTP service access control...

Page 1196: ...cation function cannot be normally enabled z For the server client mode or symmetric mode you need to associate the specified authentication key on the client symmetric active peer if in the symmetric...

Page 1197: ...er ip address peer name authentication keyid keyid Required You can associate a non existing key with an NTP server To enable NTP authentication you must configure the key and specify it as a trusted...

Page 1198: ...iate a non existing key with an NTP server To enable NTP authentication you must configure the key and specify it as a trusted key after associating the key with the NTP server Note The procedure of c...

Page 1199: ...as the reference source with the stratum level of 2 DeviceA system view DeviceA ntp service refclock master 2 2 Configuration on Device B View the NTP status of Device B before clock synchronization...

Page 1200: ...session information of Device B which shows that an association has been set up between Device B and Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay dis...

Page 1201: ...n Device C after Device B is synchronized to Device A Specify the local clock as the reference source with the stratum level of 1 DeviceC system view DeviceC ntp service refclock master 1 Configure De...

Page 1202: ...association has been set up between Device B and Device C DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 245 3 0 1 31 127 127 1 0 2 15 64 24 10535 0 19...

Page 1203: ...ges through VLAN interface 2 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server 2 Configuration on Switch D Configure Switch D to work in the broadcast client mode...

Page 1204: ...witch D is 3 while that of Switch C is 2 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD display ntp service sessions...

Page 1205: ...ver mode and send multicast messages through VLAN interface 2 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service multicast server 2 Configuration on Switch D Configure Switch D to...

Page 1206: ...ource peer 3 selected 4 candidate 5 configured Total associations 1 3 Configuration on Switch B Because Switch A and Switch C are on different subnets you must enable IGMP on Switch B before Switch A...

Page 1207: ...itch C is 2 View the NTP session information of Switch A which shows that an association has been set up between Switch A and Switch C SwitchA display ntp service sessions source reference stra reach...

Page 1208: ...keyid 42 authentication mode md5 aNiceKey Specify the key as key as a trusted key DeviceB ntp service reliable authentication keyid 42 Specify Device A as the NTP server DeviceB ntp service unicast s...

Page 1209: ...B which shows that an association has been set up Device B and Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 63 64...

Page 1210: ...ation SwitchC ntp service authentication enable SwitchC ntp service authentication keyid 88 authentication mode md5 123456 SwitchC ntp service reliable authentication keyid 88 Specify Switch C as an N...

Page 1211: ...cy 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 31 00 ms Root dispersion 8 31 ms Peer dispersion 34 30 ms Reference time 16 01 51 713 UTC Apr 20 2007...

Page 1212: ...in Name Resolution 1 1 1 2 Configuring Domain Name Resolution 1 3 1 2 1 Configuring Static Domain Name Resolution 1 3 1 2 2 Configuring Dynamic Domain Name Resolution 1 3 1 3 Displaying and Maintainin...

Page 1213: ...S server translate them into correct IP addresses There are two types of DNS services static and dynamic After a user specifies a name the device checks the local static name resolution table for an I...

Page 1214: ...fferent devices while the DNS server and the DNS client usually must run on different devices Dynamic domain name resolution allows the DNS client to store latest mappings between domain names and IP...

Page 1215: ...ymbol Currently the device supports static and dynamic DNS services Note If an alias is configured for a domain name on the DNS server the device can resolve the alias into the IP address of the host...

Page 1216: ...do Use the command Remarks Display the static domain name resolution table display ip host Available in any view Display DNS server information display dns server dynamic Available in any view Display...

Page 1217: ...TRL_C to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 255 time 1 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 255 time 4 ms Reply from 10 1 1 2 bytes 56 Sequence 3 ttl 255 time 3 ms Reply from...

Page 1218: ...device and the host and configurations are done on both the device and the host For the IP addresses of the interfaces see Figure 1 3 z This configuration may vary with different DNS servers The foll...

Page 1219: ...NS Configuration 1 7 Figure 1 4 Create a zone Create a mapping between the host name and IP address Figure 1 5 Add a host In Figure 1 5 right click zone com and then select New Host to bring up a dial...

Page 1220: ...he ping host command on the device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS...

Page 1221: ...amic domain name resolution the user cannot get the correct IP address II Solution z Use the display dns dynamic host command to verify that the specified domain name is in the cache z If there is no...

Page 1222: ...onfiguration File for Next Startup 1 9 1 3 Displaying and Maintaining Device Configuration 1 10 Chapter 2 FTP Configuration 2 1 2 1 FTP Overview 2 1 2 1 1 Introduction to FTP 2 1 2 1 2 Implementation...

Page 1223: ...h the path excluded to indicate a file in the current path The filename can be 1 to 91 characters in length 1 1 File System Management This section covers these topics z File System Overview z Directo...

Page 1224: ...z The directory to be removed must be empty meaning before you remove a directory you must delete all the files and the subdirectory under this directory For file deletion refer to the delete command...

Page 1225: ...ew Enter system view system view Execute the batch file execute filename Optional Note You can create a file by copying or downloading or using the save command Caution z Empty the recycle bin timely...

Page 1226: ...of the second is cfb and so on z If storage device partitioning is supported on the device the name of the partition device is composed of the physical device name and partition number The serial num...

Page 1227: ...ta loss z quiet where the system does not do that in any cases To prevent undesirable consequence resulted from misoperations the alert mode is preferred To do Use the command Remarks Enter system vie...

Page 1228: ...figuration z Erasing the Startup Configuration File z Specifying a Configuration File for Next Startup z Backing up Restoring the Configuration File for Next Startup 1 2 1 Configuration File Overview...

Page 1229: ...tion You can modify the configuration on your device at the command line interface CLI To use the modified configuration for your subsequent startups you must save it using the save command as a confi...

Page 1230: ...the default path or enter a filename to specify a new path but the suffix of the filename must be cfg and the path must be the path of the storage device on the AMB active main board 1 2 3 Erasing th...

Page 1231: ...ation file for next startup through operations at the CLI TFTP is used for intercommunication between the device and the server The backup function enables you to backup a configuration file to the TF...

Page 1232: ...up command in user view to verify if the filename of the startup configuration file is the same with the filename argument and use the dir command to verify if the restored file exists 1 3 Displaying...

Page 1233: ...510 Series Ethernet Switches Chapter 1 File System Management Configuration 1 11 Note For detailed description of the display this and display current configuration commands refer to the System Mainta...

Page 1234: ...text file transmission 2 1 2 Implementation of FTP FTP adopts the server client model Your switch can function either as client or as server as shown in Figure 2 1 They work in the following way z Whe...

Page 1235: ...essfully access the FTP server You can specify one by configuring the source address of the packets of the FTP client to meet the requirement of the security policy of the FTP client You can configure...

Page 1236: ...iew quit Log onto the remote FTP server directly in user view ftp server address service port source interface interface type interface number ip source ip address ftp Log onto the remote FTP server i...

Page 1237: ...command Optional Enable information display in a detailed manner verbose Optional Enabled by default Use other username to relog after logging onto the FTP server successfully user username password O...

Page 1238: ...al to the disconnect command Disconnect with the FTP server and exit to user view bye Optional Terminate the connection with the remote FTP server and exit to user view quit Optional Available in FTP...

Page 1239: ...e to be downloaded Sysname dir Directory of flash 0 drw Dec 07 2005 10 00 57 filename 1 drw Jan 02 2006 14 27 51 logfile 2 rw 1216 Jan 02 2006 14 28 59 config cfg 3 rw 1216 Jan 02 2006 16 27 26 backup...

Page 1240: ...manual 2 3 Configuring the FTP Server 2 3 1 Configuring FTP Server Operating Parameters The FTP server uses two modes to update files when you upload files use the put command to the FTP server z In...

Page 1241: ...to the directories and associating the username and password with the account Follow these steps to configure authentication and authorization for FTP server To do Use the command Remarks Enter syste...

Page 1242: ...k directory and level commands and the AAA related configuration refer to the AAA RADIUS HWTACACS Configuration part of the manual 2 3 3 FTP Server Configuration Example I Network requirements z Use y...

Page 1243: ...drw Jan 02 2006 15 20 21 ftp 2540 KB total 2511 KB free Sysname delete unreserved flash back cfg 2 Configure the PC FTP Client Upload the startup file to the FTP server and save it under the root dir...

Page 1244: ...root directory For description of the corresponding command refer to the System Maintaining and Debugging part of the manual 2 4 Displaying and Maintaining FTP To do Use the command Remarks Display th...

Page 1245: ...ication Therefore it is more suitable where complex interaction is not needed between client and server TFTP uses the UDP port 69 for data transmission For TFTP basic operation refer to RFC 1350 In TF...

Page 1246: ...start up because the original system file is not overwritten This mode is securer but consumes more memory You are recommended to use the latter mode or use a filename not existing in the current dire...

Page 1247: ...er ip source ip address Optional A device uses the source address determined by the routing protocol to communicate with the TFTP server by default Return to user view quit Download or upload a file i...

Page 1248: ...ed for the client z On your device VLAN interface 1 is assigned an IP address 1 1 1 1 16 Make sure that the port connected to PC belongs to the same VLAN z TFTP a startup file from PC for upgrading an...

Page 1249: ...ory is available Sysname tftp 1 2 1 1 get aaa bin bbb bin Upload a configuration file config cfg to the TFTP server Sysname tftp 1 2 1 1 put config cfg configback cfg Specify the main startup file for...

Page 1250: ...ng to Output System Information to a Monitor Terminal 1 9 1 2 4 Setting to Output System Information to a Log Host 1 10 1 2 5 Setting to Output System Information to the Trap Buffer 1 11 1 2 6 Setting...

Page 1251: ...information center offers a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems Note By default the information center is enabl...

Page 1252: ...nformation of all severities will be output III Ten channels and six output directions of system information The system supports six information output directions including the console monitor logbuff...

Page 1253: ...ote Configurations for the six output directions function independently and take effect only after the information center is enabled IV Outputting system information by source module The system is com...

Page 1254: ...n exchange protocol module LAGG Link Aggregation module LINE Line module MSDP Multicast Source Discovery Protocol module MSTP Multiple Spanning Tree Protocol module NAT Network Address Translation mod...

Page 1255: ...all required in the above format z Before the priority may have or followed with a space indicating log alarm or debug information respectively Below is an example of the format of log information to...

Page 1256: ...vels based on its severity from 0 to 7 Refer to Table 1 1 for definition and description of these severity levels Note that there is a forward slash between the levels severity and digest fields VI Di...

Page 1257: ...o Table 1 2 for default channel names Configure the channel through which system information can be output to the console info center console channel channel number channel name Optional System inform...

Page 1258: ...ble d informat ional Enable d warning s Disable d debuggi ng Log buffer default all module s Enable d warning s Disable d debuggi ng Disable d debuggi ng SNMP NMS default all module s Disable d debugg...

Page 1259: ...nable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure...

Page 1260: ...terminal logging Optional Enabled by default Enable the display of trap information on a monitor terminal terminal trapping Optional Enabled by default 1 2 4 Setting to Output System Information to a...

Page 1261: ...ult Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which syst...

Page 1262: ...by default with channel 4 known as logbuffer as the default channel and a default buffer size of 512 Configure the output rules of the system information info center source module name default channel...

Page 1263: ...imestamp info center timestamp debugging log trap boot date none Optional The time stamp for log trap and debug information is date by default Note To ensure that system information can be output to t...

Page 1264: ...put will be displayed in a new line 1 3 Displaying and Maintaining Information Center To do Use the command Remarks Display channel information for a specified channel display channel channel number c...

Page 1265: ...severity higher than informational will be output to the log host z The source modules are ARP and IP II Network diagram Figure 1 1 Network diagram for outputting log information to a Unix log host II...

Page 1266: ...has similar configurations to the Unix operating systems implemented by other vendors Step 1 issue the following commands as a root user mkdir var log MyDevice touch var log MyDevice information Step...

Page 1267: ...higher than informational will be output to the log host z All modules can output log information II Network diagram Figure 1 2 Network diagram for outputting log information to a Linux log host III...

Page 1268: ...evice touch var log MyDevice information Step 2 Edit the file etc syslog conf as a root user and add the following selector action pair MyDevice configuration messages local7 info var log MyDevice inf...

Page 1269: ...ith a severity higher than informational will be output to the console z The source modules are ARP and IP II Network diagram Figure 1 3 Network diagram for sending log information to the console III...

Page 1270: ...te of a channel Enable system information output for the ARP and IP modules with information severity ranging from emergencies to informational Sysname info center source arp channel console log level...

Page 1271: ...5 Chapter 2 System Maintaining and Debugging 2 1 2 1 System Maintaining and Debugging Overview 2 1 2 1 1 Introduction to System Maintaining and Debugging 2 1 2 1 2 Introduction to System Debugging 2 2...

Page 1272: ...ering Exiting System View z Configuring the Device Name z Configuring the System Clock z Configuring a Banner z Configuring CLI Hotkeys z Configuring User Levels and Command Levels z Displaying and Ma...

Page 1273: ...user view II Displaying the system clock The system clock is displayed by system time stamp which is the same as that displayed by the display clock command The system clock is decided by the command...

Page 1274: ...time 3 00 2007 3 3 Display 03 00 00 zone time Sat 03 03 2007 If the original system clock is not in the summer time range the original system clock is displayed Configure clock summer time ss one off...

Page 1275: ...the summer time range date time is displayed Configure clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock t...

Page 1276: ...in the summer time range date time is displayed Configure clock timezone zone time add 1 clock summer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 and clock datetime 1 30 2008 1 1 Display 23 30 00 z...

Page 1277: ...re not part of the banner information In this case the input text together with the command keywords cannot exceed 510 characters The other is to input all the banner information in multiple lines by...

Page 1278: ...lines by default Display hotkeys display hotkey Available in any view Refer to Table 1 2 for hotkeys reserved by the system Note By default the Ctrl G Ctrl L and Ctrl O hotkeys are configured with com...

Page 1279: ...or to the leading character of the continuous string to the left Esc D Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor Esc F Moves the...

Page 1280: ...nage level 3 Manage FTP TFTP XMODEM and file system operation commands Follow these steps to configure user level and command level To do Use the command Remarks Switch the user level super level Opti...

Page 1281: ...1 1 7 Displaying and Maintaining Basic Configurations To do Use the command Remarks Display information on system version display version Display information on the system clock display clock Display...

Page 1282: ...d Lines z Display Features z History Command z Command Line Error Information z Edit Features 1 2 1 Introduction to CLI CLI is an interaction interface between devices and users Through CLI you can co...

Page 1283: ...le dir List files on a file system display Display current system information omitted 2 Enter a command and a separated by a space If is at the position of a keyword all the keywords are given with a...

Page 1284: ...unction Press Space when information display pauses Continues to display information of the next screen page Press Enter when information display pauses Continues to display information of the next li...

Page 1285: ...00X and XP Terminal or Telnet However the up arrow and down arrow keys are invalid in Windows 9X HyperTerminal because they are defined in a different way You can use Ctrl P and Ctrl N instead 1 2 5 C...

Page 1286: ...ght Backspace key Deletes the character to the left of the cursor and move the cursor back one character Left arrow key or Ctrl B The cursor moves one character space to the left Right arrow key or Ct...

Page 1287: ...If the network is functioning properly the destination device responds by sending an ICMP echo reply to the source device after receiving the ICMP echo request 3 If there is network failure the sourc...

Page 1288: ...a TTL expired ICMP message which gives the source device the address of the second router 5 The above process continues until the ultimate destination device is reached In this way the source device...

Page 1289: ...s For details refer to Information Center Configuration 2 2 System Maintaining and Debugging 2 2 1 System Maintaining To do Use the command Remarks ping ip a source ip c count f h ttl i interface type...

Page 1290: ...t parameter in the command when configuring the ping command z Only the directly connected segment address can be pinged if the outgoing interface is specified with the i argument 2 2 2 System Debuggi...

Page 1291: ...al debugging and terminal monitor commands refer to the Information Center Commands part of the manual 2 3 System Maintaining Example I Network requirements z The IP address of the destination device...

Page 1292: ...ng path The file name without a path consists of 1 to 91 characters 3 1 Device Management Overview Through the device management function you can view the current working state of a device configure r...

Page 1293: ...delay commands can reboot a device As a result the ongoing services will be interrupted Be careful to use these commands z If a primary boot file fails or does not exist the device cannot be rebooted...

Page 1294: ...e path of it to the root directory 3 2 3 Upgrading Boot ROM During the operation of the device you can use Boot ROM in the storage device to upgrade Boot ROM programs that are running on the device Fo...

Page 1295: ...card or logical interface is removed If you repeatedly insert and remove different subcards or interface cards to create or delete a large amount of logical interface the interface indexes will be use...

Page 1296: ...s Yes GBIC GigaBit Interface Converter Generally used for 1000M Ethernet interfaces Yes Yes XFP 10 Gigabit small Form factor Pluggable Generally used for 10G Ethernet interfaces Yes No XENPAK 10 Gigab...

Page 1297: ...rd during device debugging or test The information includes name of the card device serial number and vendor name or vendor name specified III Diagnosing pluggable transceivers The system outputs alar...

Page 1298: ...n any view Display the usage of the memory of a device display memory Available in any view Display the power state of a device display power power id Available in any view Display the reboot type of...

Page 1299: ...iew FTP Server ftp server enable Set the FTP username to aaa and password to hello FTP Server local user aaa FTP Server luser aaa password cipher hello Configure the user to have access to the aaa dir...

Page 1300: ...get aaa bin ftp get boot btm Clear the FTP connection and return to user view ftp bye Device Upgrade the Boot ROM file of the device Device bootrom update file boot btm Specify the application progra...

Page 1301: ...DHCP Test 1 6 1 2 3 Configuring the FTP Test 1 8 1 2 4 Configuring the HTTP Test 1 11 1 2 5 Configuring the Jitter Test 1 13 1 2 6 Configuring the SNMP Query Test 1 16 1 2 7 Configuring the TCP Test 1...

Page 1302: ...twork quality analyzer is an enhanced Ping tool used for testing the performance of protocols running on networks Besides the Ping functions NQA can provide the following functions z Detecting the ava...

Page 1303: ...ltiple TCP or UDP listening services on the NQA server with each listening service corresponding to a specified destination address and port number 1 1 3 NQA Test Operation NQA can test multiple proto...

Page 1304: ...sponding services of this known port will be unavailable This section covers these topics z Configuring the ICMP Test z Configuring the DHCP Test z Configuring the FTP Test z Configuring the HTTP Test...

Page 1305: ...multiple VPNs you need to use this command to specify a VPN instance for test Specify the IP address of an interface as the source IP address of an ICMP test request packet source interface interface...

Page 1306: ...count 10 SwitchA nqa admin icmp timeout 5 Enable the ICMP test SwitchA nqa admin icmp test enable View the test results with the display nqa results command SwitchA nqa admin icmp display nqa results...

Page 1307: ...ration part of the manual II Configuration procedure Follow these steps to configure the DHCP test To do Use the command Remarks Enter system view system view Enable the NQA client nqa agent enable Re...

Page 1308: ...a admin dhcp test type dhcp SwitchA nqa admin dhcp source interface ethernet 1 0 Enable the DHCP test SwitchA nqa admin dhcp test enable View the test results with the display nqa results command Swit...

Page 1309: ...st To do Use the command Remarks Enter system view system view Enable the NQA client nqa agent enable Required Create an NQA test group and enter its view nqa admin name operation tag Set the test typ...

Page 1310: ...operation the file obtained from the FTP server will not be saved on the device either If there is no such file name file on the FTP server the FTP test will fail z When you perform a put operation a...

Page 1311: ...tion put SwitchA nqa admin ftp username admin SwitchA nqa admin ftp password nqa SwitchA nqa admin ftp filename config txt Enable the FTP test SwitchA nqa admin ftp test enable View the test results w...

Page 1312: ...e http Required Configure a destination address for a test destination ip ip address Required Here it is the IP address of the HTTP server Configure the HTTP operation type http operation get post Opt...

Page 1313: ...tchA nqa admin http test type http SwitchA nqa admin http destination ip 10 2 2 2 SwitchA nqa admin http http operation get SwitchA nqa admin http http string index htm HTTP 1 0 Enable the HTTP test S...

Page 1314: ...en sends it back to the source port After the source port receives the data packet the delay jitter can be calculated To improve the accuracy of the statistics results you must send multiple test pack...

Page 1315: ...QA test group and enter its view nqa admin name operation tag Set the test type to jitter test type jitter Required Configure a destination address for a test destination ip ip address Required The de...

Page 1316: ...to test the delay jitter of packet transmission between the local port Switch A and the specified destination port Switch B 2 Network diagram Figure 1 6 Network diagram for the jitter test 3 Configur...

Page 1317: ...o Sequence Error 0 Failures due to Internal Error 0 Failures due to Other Errors 0 Jitter result RTT Number 10 SD Maximal delay 4 DS Maximal delay 4 Min Positive SD 1 Min Positive DS 0 Max Positive SD...

Page 1318: ...estination ip ip address Required Configure common optional parameters Refer to Configuring Optional Parameters for NQA Tests Optional Enable the NQA test test enable Required View the test results di...

Page 1319: ...ew SwitchA nqa agent enable SwitchA nqa admin snmp SwitchA nqa admin snmp test type snmpquery SwitchA nqa admin snmp destination ip 10 2 2 2 Enable the SNMP query test SwitchA nqa admin snmp test enab...

Page 1320: ...ination port needs to be configured on the client but TCP port 7 used for listening needs to be configured on the server Even if a port is configured on the client the port does not take effect z For...

Page 1321: ...stening IP address on the NQA server Configure a destination port destination port port number If the test type is TCP Public no port needs to be configured If the test type is TCP Private a port must...

Page 1322: ...n tcpprivate test type tcpprivate SwitchA nqa admin tcpprivate destination ip 10 2 2 2 SwitchA nqa admin tcpprivate destination port 9000 Enable the TCP test SwitchA nqa admin tcpprivate test enable V...

Page 1323: ...lient but port 7 for listening needs to be configured on the server Even if a port is configured on the client the port does not take effect z For the UDP Private test a connection setup request is in...

Page 1324: ...P Private a port must be configured and it must be the listening port configured on the NQA server Configure the size of test packets sent datasize size Optional 100 bytes by default Configure a strin...

Page 1325: ...n udpprivate test type udpprivate SwitchA nqa admin udpprivate destination ip 10 2 2 2 SwitchA nqa admin udpprivate destination port 8000 Enable the TCP test SwitchA nqa admin udpprivate test enable V...

Page 1326: ...set up between the NQA client and the specified device and the DLSw function must be enabled on the specified device II Configuration procedure Follow these steps to configure the DLSw test To do Use...

Page 1327: ...hA nqa admin dlsw test type dlsw SwitchA nqa admin dlsw destination ip 10 2 2 2 Enable the DLSw test SwitchA nqa admin dlsw test enable View the test results with the display nqa results command Switc...

Page 1328: ...rap Delivery 1 3 1 Configuring Optional Parameters Common to NQA Follow these steps to configure optional parameters common to NQA To do Use the command Remarks Enter system view system view Configure...

Page 1329: ...e the NQA probe time out time timeout time Optional Three seconds by default If no response packet is received within the time out time of a request packet the probe fails Configure the maximum number...

Page 1330: ...invalid for the DHCP test Configure the source port of a test request packet source port port number Optional You can specify a port as the source port of a test request packet Otherwise the system a...

Page 1331: ...onfigure Trap To do Use the command Remarks Enter system view system view Create an NQA test group and enter its view nqa admin name operation tag Required Enable trap debugging to send a trap message...

Page 1332: ...he command Remarks Display history information of tests display nqa history admin name operation tag Available in any view Display the results of the last NQA jitter test display nqa jitter admin name...

Page 1333: ...s 1 14 1 2 7 Displaying and Maintaining VRRP for IPv4 1 15 1 3 Configuring VRRP for IPv6 1 15 1 3 1 VRRP for IPv6 Configuration Task List 1 15 1 3 2 Enabling Users to Ping Virtual IPv6 Addresses 1 15...

Page 1334: ...s that VRRP involves can only be VLAN interfaces unless otherwise specified 1 1 Introduction to VRRP 1 1 1 VRRP Overview Normally as shown in Figure 1 1 you can configure a default route with the gate...

Page 1335: ...default links without changing configurations such as dynamic routing protocols route discovery protocols when a device fails and prevent network interruption due to a single link failure There are t...

Page 1336: ...the master switch to act as the gateway and the other two are backup switches Caution z The IP address of the virtual router can be either an unused IP address on the segment where the standby group...

Page 1337: ...thentication mode in a network facing possible security problems A switch sending a packet fills the authentication key into the packet and the switch receiving the packet compares its local authentic...

Page 1338: ...case it regards itself as the master and sends VRRP advertisements to start a new master switch election in a standby group 1 1 4 Format of VRRP Packets VRRP uses multicast packets The switch acting...

Page 1339: ...d is 0 for any other authentication modes II IPv6 based VRRP packet format Version Type Virtual Rtr ID Priority Count IPv6 Addrs Auth Type Adver Int Checksum IPv6 address 1 Authentication data 1 Authe...

Page 1340: ...with that of its own If its priority is higher it becomes the master otherwise it remains a backup z In non preemption mode the switch in the standby group remains as a master or backup as long as the...

Page 1341: ...he state of listening If Switch A fails Switch B and Switch C will elect for the new master The new master takes over the forwarding task to provide services to hosts on the LAN II Load balancing You...

Page 1342: ...andby group 3 Switch C is the master Switch A and Switch B are the backups For load balancing among Switch A Switch B and Switch C hosts on the LAN need to be configured to use standby group 1 2 and 3...

Page 1343: ...tween Virtual IP Address and MAC Address After the virtual IP address of a standup group is associated with a MAC address the master switch takes the configured MAC address as the source MAC address o...

Page 1344: ...ual MAC address is associated with the virtual IP address by default Caution You should configure this function before creating a standby group Otherwise you cannot modify the mapping between the virt...

Page 1345: ...e effect z The virtual IP address of the virtual router can be either an unused IP address on the segment where the standby group resides or the IP address of an interface on a switch in the standby g...

Page 1346: ...terface interface type interface number Configure switch priority in the standby group vrrp vrid virtual router id priority priority value Optional 100 by default Configure the switch in the standby g...

Page 1347: ...de md5 simple key Optional Authentication is not performed by default Configure the time interval for the Master in the standby group to send VRRP advertisement vrrp vrid virtual router id timer adver...

Page 1348: ...onfigure VRRP for IPv6 Task Remarks Enabling Users to Ping Virtual IPv6 Addresses Optional Configuring the Association Between Virtual IPv6 Address and MAC Address Optional Creating Standby Group and...

Page 1349: ...r a standby group after the standby group is created and the virtual IPv6 address is associated with the virtual MAC address With such association adopted the hosts in the internal network need not up...

Page 1350: ...P standby group I Configuration prerequisites Before creating standby group and configuring virtual IPv6 address you should first configure the IPv6 address of the interface and ensure that the virtua...

Page 1351: ...an decide which switch in the standby group serves as the Master Follow these steps to configure standby group priority preemption mode and interface tracking To do Use the command Remarks Enter syste...

Page 1352: ...interface interface type interface number Configure the authentication mode and authentication key when the standby groups send and transmit VRRP packets vrrp ipv6 vrid virtual router id authenticatio...

Page 1353: ...mber vrid virtual router id Available in user view 1 4 IPv4 Based VRRP Configuration Examples This section provides these configuration examples z Single VRRP Standby Group Configuration Example z VRR...

Page 1354: ...SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 202 38 160 1 255 255 255 0 Create standby group 1 and set its virtual IP address to be 202 38 160 111 SwitchA Vlan interface2 vrrp...

Page 1355: ...n Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 5 Auth Type NONE Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 1 Display detailed informatio...

Page 1356: ...by Switch B 1 4 2 VRRP Interface Tracking Configuration Example I Network requirements z Host A needs to access Host B on the Internet using 202 38 160 111 24 as its default gateway z Switch A and Sw...

Page 1357: ...ation mode simple hello Set the interval for Master to send VRRP advertisement to five seconds SwitchA Vlan interface2 vrrp vrid 1 timer advertise 5 Set the interface to be tracked SwitchA Vlan interf...

Page 1358: ...witchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Backup Config Pr...

Page 1359: ...Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Master Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type SIMPLE TEXT Key hello Virtual IP 202 38 160 111 Virtual MAC 0000 5...

Page 1360: ...interface2 ip address 202 38 160 1 255 255 255 0 Create a standby group 1 and set its virtual IP address to 202 38 160 111 SwitchA Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Configure the p...

Page 1361: ...tailed information of the standby group on Switch A SwitchA Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1...

Page 1362: ...tch A in standby group 2 Switch A is the backup Switch B is the master and the host with the default gateway of 202 38 160 112 24 accesses the Internet through Switch B 1 5 IPv6 Based VRRP Configurati...

Page 1363: ...et 2 0 5 SwitchA vlan2 quit SwitchA interface vlan interface 2 SwitchA Vlan interface2 ipv6 address fe80 1 link local SwitchA Vlan interface2 ipv6 address 1 1 64 Create a standby group 1 and set its v...

Page 1364: ...pv6 command to verify the configuration Display detailed information of standby group 1 on Switch A SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Vi...

Page 1365: ...Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Master Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE80 10 Virtual MAC 0000 5e00 0201 Master IP FE8...

Page 1366: ...ink local SwitchA Vlan interface2 ipv6 address 1 1 64 Create a standby group 1 and set its virtual IP address to FE80 10 SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Set the...

Page 1367: ...ipv6 vrid 1 authentication mode simple hello Set the VRRP advertisement interval to 500 centiseconds SwitchB Vlan interface2 vrrp ipv6 vrid 1 timer advertise 500 Set Switch B to work in preemption mo...

Page 1368: ...through Host B on Host A You can use the display vrrp ipv6 command to view the detailed information of the standby group If Switch A is in work but its interface VLAN interface 3 is not available the...

Page 1369: ...t becomes the backup Switch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B 1 5 3 Multiple VRRP Standby Group Configuration Example I Network requirements z In th...

Page 1370: ...witchB vlan2 port GigabitEthernet 2 0 5 SwitchB vlan2 quit SwitchB interface vlan interface 2 SwitchB Vlan interface2 ipv6 address fe80 2 link local SwitchB Vlan interface2 ipv6 address 1 2 64 Create...

Page 1371: ...80 2 Display detailed information of the standby group on Switch B SwitchB Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vl...

Page 1372: ...requently Analysis This error is probably due to the inconsistent configuration of the other switch in the standby group or that a device is attempting to send illegitimate VRRP packets Solution z In...

Page 1373: ...Ethernet Switches Chapter 1 VRRP Configuration 1 40 III Symptom 3 Frequent VRRP state transition Analysis The VRRP advertisement interval is set too short Solution Increase the interval to sent VRRP a...

Page 1374: ...SSH Client 1 12 1 3 3 Configuring First time Authentication 1 12 1 3 4 Establishing a Connection Between SSH Client and Server 1 13 1 4 Displaying and Maintaining SSH 1 14 1 5 SSH Server Configuratio...

Page 1375: ...Operation Manual SSH H3C S3610 S5510 Series Ethernet Switches Table of Contents ii 2 3 6 Terminating the Connection to the Remote SFTP Server 2 6 2 4 SFTP Configuration Example 2 7...

Page 1376: ...e can not only work as an SSH server to support connections with SSH clients but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Ca...

Page 1377: ...encryption and signature 1 1 3 SSH Operating Process The session establishment between an SSH client and the SSH server involves the following five stages Table 1 1 Stages in establishing a session be...

Page 1378: ...n z The server and the client send key algorithm negotiation packets to each other which include the supported public key algorithm list encryption algorithm list MAC algorithm list and compression al...

Page 1379: ...erver a public authentication request containing its user name public key and algorithm The server validates the public key If the public key is invalid the authentication fails otherwise the server g...

Page 1380: ...otherwise the server may not be able to perform the commands z If the text exceeds 2000 bytes you can upload the configuration file to the server and use the configuration file to restart the server...

Page 1381: ...ew system view Enter single user interface view or multi user interface view user interface type keyword number ending number Required Set the login authentication method to scheme authentication mode...

Page 1382: ...server host key is in the range 512 to 2048 bits With SSH2 however some clients require that the keys generated by the server must not be less than 768 bits II Exporting the RSA key pair You can displ...

Page 1383: ...key to a string coded using the PKCS standard Before importing the public key you must upload the public key file in binary to the server through FTP or TFTP Caution z When the device functions as th...

Page 1384: ...a public key file public key peer keyname import sshkey filename Required 1 2 6 Configuring an SSH User This configuration allows you to create an SSH user and specify the service type and authentica...

Page 1385: ...service type to stelnet or all on the server Otherwise the client will fail to log in successfully z The working folder of an SFTP user is subject to the user authentication method For a user using o...

Page 1386: ...t the SSH server can work with SSH1 x clients Set the RSA server key pair update interval ssh server rekey interval hours Optional 0 by default that is the RSA server key pair is not updated Set the S...

Page 1387: ...pe interface number Required By default the address of the interface decided by the routing is used to access the SSH server 1 3 3 Configuring First time Authentication When the device connects to the...

Page 1388: ...low these steps to disable first time authentication To do Use the command Remarks Enter system view system view Disable first time authentication support undo ssh client first time Optional By defaul...

Page 1389: ...yption algorithms and HMAC algorithms for them ssh2 ipv6 server port number prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group1...

Page 1390: ...re directly connected through the Ethernet interfaces z The host runs SSH client software to securely log on to the switch for configuration z Password authentication is used II Network diagram Figure...

Page 1391: ...mple aabbcc Switch luser client001 service type ssh level 3 Switch luser client001 quit Specify the service type for user client001 as Stelnet and the authentication method as password Switch ssh user...

Page 1392: ...onfiguration 1 17 Figure 1 3 SSH client configuration interface From the window shown in Figure 1 3 click Open The following SSH client interface appears If the connection is normal you will be prompt...

Page 1393: ...are directly connected through the Ethernet interfaces z The host runs SSH client software to securely log on to the switch for configuration z Publickey authentication is used the algorithm is RSA II...

Page 1394: ...and privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Note Before performing the following tasks you must generate an RSA key pair using the client software on the cli...

Page 1395: ...Configuration 1 20 Figure 1 6 Generate a client key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 7 Otherwise...

Page 1396: ...S5510 Series Ethernet Switches Chapter 1 SSH Configuration 1 21 Figure 1 7 Generate a client key pair 2 After the key pair is generated click Save public key to save the key in a file by entering a f...

Page 1397: ...ops up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the key private in this case Figure 1 9 Generate a client key 4 Note Aft...

Page 1398: ...the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 Figure 1 10 SSH client configuration interface...

Page 1399: ...n 1 24 Figure 1 11 SSH client configuration interface 2 From the window shown in Figure 1 11 click Open The following SSH client interface appears If the connection is normal you will be prompted to e...

Page 1400: ...s shown in Figure 1 13 Switch A the SSH client needs to log on to Switch B the SSH server through the SSH protocol z The username of the SSH client is client001 and the password is aabbcc Password aut...

Page 1401: ...chB luser client001 service type ssh level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authentication method as password SwitchB ssh user client001 se...

Page 1402: ...FA256699B3BF871221CC9C5D F257523777D033BEE77FC378145F2AD SwitchA pkey key code D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71 01F7C62621216D5A572C379A32AC290 SwitchA pkey key code E55B394A217DA38B6...

Page 1403: ...an RSA key pair and enable SSH server SwitchB system view SwitchB public key local create rsa SwitchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client will use as t...

Page 1404: ...authentication type publickey assign publickey Switch001 2 Configure the SSH client Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan int...

Page 1405: ...guration 1 30 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N n Copyright c 2004 2007 Hangzhou H3C Tech Co Ltd All rights reserved Without the owner s prio...

Page 1406: ...lso server as an SFTP client enabling a user to login from the device to a remote device for secure file transfer 2 2 Configuring an SFTP Server 2 2 1 Configuration Prerequisites z You have configured...

Page 1407: ...connection exceeds the specified threshold the system automatically tears the connection down so that a user cannot occupy a connection for nothing Follow these steps to configure the SFTP connection...

Page 1408: ...remote SFTP server and enter SFTP client view Follow these steps to enable the SFTP client To do Use the command Remarks Establish a connection to the remote IPv4 SFTP server and enter SFTP client vie...

Page 1409: ...a1 sha1 96 Required Execute the command in user view Change the working directory of the remote SFTP server cd remote path Optional Return to the upper level directory cdup Optional Display the curren...

Page 1410: ...in user view Change the name of a specified file on the SFTP server rename old name new name Optional Download a file from the remote server and save it locally get remote file local file Optional Up...

Page 1411: ...ist of all commands or the help information of an SFTP client command help all command name Required 2 3 6 Terminating the Connection to the Remote SFTP Server Follow these steps to terminate the conn...

Page 1412: ...chB public key local create rsa SwitchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client uses as the destination for SSH connection SwitchB interface Vlan interface...

Page 1413: ...A Vlan interface1 quit SwitchA quit Establish a connection to the remote SFTP server and enter SFTP client view SwitchA sftp 192 168 0 1 Input Username client001 Trying 192 168 0 1 Press CTRL K to abo...

Page 1414: ...ogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Rename directory new1 to new...

Page 1415: ...ig cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new...

Page 1416: ...e Exchange between a MCE and a Site 2 4 2 2 1 Configuring Route Exchange between a MCE and a Site 2 4 2 2 2 Configuring to Use Static Routes between a MCE and a Site 2 5 2 2 3 Configuring to Use RIP b...

Page 1417: ...ovides flexible networking modes excellent scalability and convenient support for MPLS QoS and MPLS TE Hence it is widely used The BGP MPLS VPN model consists of three kinds of devices z Customer edge...

Page 1418: ...ected rather than all VPN routing information on the provider network A P router maintains only routes to PEs It does not need to know anything about VPN routing information When VPN traffic travels o...

Page 1419: ...e Each VPN instance contains the VPN membership and routing rules of the corresponding site If a user at a site belongs to multiple VPNs at the same time the VPN instance of the site contains informat...

Page 1420: ...c IPv4 address prefix you make it a globally unique VPN IPv4 address prefix An RD can be related to an autonomous system AS number in which case it is the combination of an AS number and a discretiona...

Page 1421: ...through a CE as shown in Figure 1 1 With the users increasing demand for service segmentation and security a private network may be divided into multiple VPNs and the users of different VPN are usual...

Page 1422: ...to also to bind the interfaces sub interfaces to the VPNs on PE 1 in the same way as those on the MCE device The MCE device is connected to PE 1 through a trunk which permits packets of VLAN 2 and VLA...

Page 1423: ...cesses to VPN instances With the same binding configured on CE and site private network routes of different VPNs can be exchanged between CEs and sites through different RIP processes thus isolating a...

Page 1424: ...s for different VPN instances on each MCE It is recommended that a VPN be assigned the same route tag on multiple MCEs IV IS IS Similar to those in OSPF IS IS processes can be bound to VPN instances f...

Page 1425: ...t VPN routing information can be transmitted by performing relatively simple configurations between CE and PE such as importing the VPN routing entries on MCE devices to the routing table of the routi...

Page 1426: ...h to MCE Create a VPN instance Required See 2 1 3 Creating a VPN Instance Associate the VPN instance with an interface Required See 2 1 4 Associating an VPN Instance with an Interface Configure the ro...

Page 1427: ...onship between the VPN instance and a VPN Table 2 3 Create a VPN instance Operation Command Description Enter system view system view Create a VPN instance and enter VPN instance view ip vpn instance...

Page 1428: ...vertising VPN routes is as follows z When the switch learns a VPN route from a site and injects it into BGP BGP associates the route with a VPN target extended community attribute list which is normal...

Page 1429: ...N target specified for a VPN instance on the MCE device must be same as that specified for the VPN instance on the PE device 2 2 Configuring Route Exchange between a MCE and a Site 2 2 1 Configuring R...

Page 1430: ...rmal static route 2 2 3 Configuring to Use RIP between a MCE and a Site A RIP process can be bound to only one VPN instance RIP processes not bound to any VPN instances belong to the public network Ta...

Page 1431: ...ional By default the OSPF domain ID is 0 This operation is performed on the MCE device As for the corresponding configuration on the site you can just enable OSPF as usual Note z Router IDs of the pub...

Page 1432: ...ring to Use EBGP between a MCE and a Site 1 Configuration on the MCE device Table 2 11 Configure an MCE device Operation Command Description Enter system view system view Enter BGP view bgp as number...

Page 1433: ...TH attribute can be used for route loop detect With EBGP running between a MCE and a site the routes advertised by an MCE device to the site carry the local AS number So do the routes advertised by th...

Page 1434: ...E 2 3 1 Configuring Route Exchange between a MCE and a PE Table 2 13 Configure route exchange between a MCE and a PE Operation Description Related section Define a static route for a VPN instance See...

Page 1435: ...ion text Required By default for a static route the preference value is 60 the tag value is 0 and no description information is configured Set the default preference value of static routes ip route st...

Page 1436: ...e tag tag Required By default RIP does not import routes from other protocols 2 3 4 Configuring to Use OSPF between a MCE and a PE When configuring to use OSPF between a MCE and a PE you need to confi...

Page 1437: ...importing routes of other protocols you can specify the default cost value for the imported routes as well You can also apply filter policies for imported routes Table 2 17 Configure IS IS to import...

Page 1438: ...id med med value route policy route policy name Required The MCE device must import routes of the local site to the VPN routing table in order to advertise these routes to the PE device Apply a filter...

Page 1439: ...the BGP VPNv4 routing information of a specified VPN instance display bgp vpnv4 vpn instance vpn instance name routing table network address mask mask length longer prefixes as path acl as path acl nu...

Page 1440: ...displayed For information about the commands used to display routing protocol configuration see relevant chapters in the IPv4 Routing module of this manual 2 5 MCE Configuration Example 2 5 1 MCE Con...

Page 1441: ...the MCE device with the RD values of the two VPN instances being 10 1 and 20 1 Configure the VPN target values of the two VPN instances as 10 1 and 20 1 for both the import and export extended commun...

Page 1442: ...bled You can configure to use static routes between MCE and a site Configuration on VR1 Assume VR1 is an S3610 switch configure IP address 10 214 10 2 24 for the interface connecting to MCE and IP add...

Page 1443: ...0 VR2 rip 20 network 192 168 10 0 VR2 rip 20 network 10 0 0 0 Display the information about the routes of VPN2 on MCE MCE rip 20 display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinat...

Page 1444: ...ss to VPN1 and set the OSPF domain ID to 10 MCE Ethernet1 0 3 quit MCE ospf 10 router id 101 101 10 1 vpn instance vpn1 MCE ospf 10 domain 10 Advertise the network segment 10 214 10 0 within Area0 and...

Page 1445: ...es the configuration PE display ip routing table vpn instance vpn2 display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinations 6 Routes 6 Destination Mask Proto Pre Cost NextHop Interf...

Page 1446: ...e procedure of enabling OSPF in the two VPN instances and advertising the network segments is the same as that in normal OSPF and is omitted Create OSPF process 10 for MCE and bind OSPF process 10 to...

Page 1447: ...tHop Interface 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 10 100 20 0 24 Direct 0 0 10 100 20 1 Vlan3 10 100 20 1 32 Direct 0 0 127 0 0 1 InLoop0 172 16 20 0 24...

Page 1448: ...100 10 2 Vlan2 For VPN2 perform the configurations similar to the above on MCE and PE to import the OSPF routing information of VPN2 to the EBGP routing table Configuration procedures are omitted here...

Page 1449: ...M Connection Establishment 1 2 1 1 3 Standards and Protocols 1 4 1 2 OAM Configuration 1 5 1 2 1 OAM Configuration Task List 1 5 1 2 2 Configuring Basic OAM Basic Functions 1 5 1 2 3 Configuring the P...

Page 1450: ...e last mile By enabling Ethernet OAM on two devices connected by a point to point connection you can monitor the link status of the link between the two devices Ethernet OAM provides the following fun...

Page 1451: ...Us are used for link monitoring They are sent as an alarm in case a failure occurs to the link connecting the local OAM entity and a remote OAM entity z Loopback control OAMPDUs are used for remote lo...

Page 1452: ...esponding to Loopback Control OAMPDUs Available if both sides operate in active OAM mode Available Transmitting organization specific OAMPDUs Available Available After an OAM connection is established...

Page 1453: ...radually The flag field defined in OAMPDUs allows an OAM entity to send error information to its peer It can identify the following link faults z Link Fault Peer link signal is lost z Dying Gasp An un...

Page 1454: ...view system view Enter Ethernet port view interface interface type interface number Set OAM operating mode oam mode active passive Optional The default is active OAM mode Enable OAM on the current por...

Page 1455: ...cond Configure the threshold for error frame event detection oam errored frame threshold threshold value Optional The default is 1 Configure the period for frame percentage error event detection oam e...

Page 1456: ...stem first uses the following expression to convert the period for frame percentage error event detection to the maximum number of 64 byte frames that can be transmitted through an Ethernet port in th...

Page 1457: ...is disabled all the ports involved will be shut down and then brought up z OAM loopback testing is disabled when you execute the undo oam enable command to disable OAM when you execute the undo oam l...

Page 1458: ...1 0 1 to operate in passive OAM mode and enable OAM for it DeviceA system view DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 oam mode passive DeviceA Ethernet1 0 1 oam enable DeviceA Ethernet...

Page 1459: ...stem view DeviceB interface ethernet 1 0 1 DeviceB Ethernet1 0 1 oam enable DeviceB Ethernet1 0 1 quit Display OAM link error event statistics DeviceB display oam link event remote Port Ethernet1 0 1...

Page 1460: ...DLDP Mode 1 11 1 2 3 Setting the Interval for Sending Advertisement Packets 1 11 1 2 4 Setting the DelayDown Timer 1 12 1 2 5 Setting the Port Shutdown Mode 1 13 1 2 6 Configuring DLDP Authentication...

Page 1461: ...DLDP z DLDP Configuration Example z Troubleshooting 1 1 Overview A special kind of links namely unidirectional links may occur in a network When a unidirectional link appears the local device can rec...

Page 1462: ...ut down the related port automatically or prompt users to take measures as configured to avoid network problems As a data link layer protocol DLDP cooperates with physical layer protocols to monitor t...

Page 1463: ...normally with all its neighbors in both directions or DLDP remains in active state for more than five seconds It is the normal state where no unidirectional link is detected Probe A device enters this...

Page 1464: ...r an enhanced detect is launched When the Echo waiting timer expires and no Echo packet is received from a neighbor device the link is set as a unidirectional link and the device transits to the Disab...

Page 1465: ...Inactive state when it detects a port down event When a device transits to this state the DelayDown timer is triggered The setting of the timer ranges from 1 to 5 in seconds A device in DelayDown sta...

Page 1466: ...DLDP mode however Port A tests Port B after the Entry timer concerning Port B expires Port A then transits to the Disable state if it receives no Echo packet from Port A when the Echo timer expires A...

Page 1467: ...ation In this mode before sending a packet the sending side encrypts the user configured password using MD5 algorithm assigns the digest to the Authentication field and sets the Authentication type fi...

Page 1468: ...no process is performed Flush packet Determines whether or not the local port is in Disable state If not removes the corresponding neighbor entry if any If the corresponding neighbor entry does not e...

Page 1469: ...he neighbor Processing procedure In normal mode no echo packet is received when the Echo timer expires In enhanced mode no echo packet is received when the enhanced timer expires DLDP transits to the...

Page 1470: ...DP State Optional Note that z DLDP works only when the link is up z To ensure unidirectional links can be detected make sure these settings are the same on the both sides DLDP state enabled disabled t...

Page 1471: ...d in Ethernet port view applies to the current port only The configuration performed in port group view applies to all the ports in the port group Enable DLDP dldp enable Required Disabled on a port b...

Page 1472: ...able DLDP to operate properly make sure the intervals for sending Advertisement packets on both sides of a link are the same 1 2 4 Setting the DelayDown Timer On some ports when the Tx line fails the...

Page 1473: ...t shutdown mode To do Use the command Remarks Enter system view system view Set port shutdown mode dldp unidirectional shutdown auto manual Optional auto by default Caution z On a port with both remot...

Page 1474: ...after you reset DLDP state for it That is it can be in Inactive state if the port is physically down or in Active state if the port is physically up after you reset DLDP state for it Caution z The co...

Page 1475: ...P state dldp reset Required 1 3 Displaying and Maintaining DLDP To do Use the command Remarks Display the DLDP configuration of a port display dldp interface type interface number Available in any vie...

Page 1476: ...viceA GigabitEthernet1 1 1 dldp enable DeviceA GigabitEthernet1 1 1 interface gigabitethernet 1 1 2 DeviceA GigabitEthernet1 1 2 dldp enable DeviceA GigabitEthernet1 1 2 quit Set the interval for send...

Page 1477: ...sable state and the links are down which means unidirectional links are detected and the two ports are thus shut down Reset DLDP state for the ports shut down by DLDP DeviceA dldp reset 2 Configuratio...

Page 1478: ...s Chapter 1 DLDP Configuration 1 18 z DLDP authentication modes passwords on Device A and Device B are not the same Solution Make sure the interval for sending Advertisement packets the authentication...

Page 1479: ...iguration Example 1 12 1 4 Configuring Transit Node 1 12 1 4 1 Configuration Procedure 1 12 1 4 2 Transit Node Configuration Example 1 13 1 5 Configuring Edge Node 1 14 1 5 1 Configuration Procedure 1...

Page 1480: ...aintaining RRPP z RRPP Typical Configuration Examples 1 1 RRPP Overview Rapid Ring Protection Protocol RRPP is an Ethernet ring specific link layer protocol It can not only prevent data loop from caus...

Page 1481: ...cially designed to transfer RRPP packets The ports accessing an RRPP ring on devices belong to the control VLAN of the ring and only these ports can join this VLAN IP address configuration is prohibit...

Page 1482: ...ll logically deny data VLANs and permit only the packets of the control VLANs z When an RRPP ring is in disconnect state the secondary port of the master node will permit data VLANs that is forward pa...

Page 1483: ...ring transits into disconnect state until the secondary port receives the Health packet again Note z In an RRPP domain a transit node learns the Hello timer value and the Fail timer value on the mast...

Page 1484: ...kets to examine the links of the primary ring between the edge node and the assistant edge node Major Fault Assistant edge node initiates Major Fault packets to notify the edge node of a failure when...

Page 1485: ...node Ring 2 Figure 1 3 Multi domain tangent rings There are two or more rings in the network topology and only one common node between rings In this case you need define an RRPP domain for each ring I...

Page 1486: ...s case you only need to define an RRPP domain and set one ring as the primary ring and other rings as subrings V Multi domain intersecting rings Device A Device B Device C Device D Device E Master nod...

Page 1487: ...domain is down Upon the receipt of a Link Down packet the master node releases the secondary port from blocking data VLAN while sending Common Flush FDB packet to notify all the transit nodes the edge...

Page 1488: ...ge port is activated only when the edge node ensures that no loop will be brought forth when the edge port is activated 1 1 5 Protocols and Standards Related standard RFC 3619 1 2 RRPP Configuration T...

Page 1489: ...n intersection common port and the two ports that access the same node to the same RRPP ring must not be configured as multi domain intersection common ports at the same time z When configuring multi...

Page 1490: ...figuration Procedure Follow these steps to configure master node To do Use the command Remarks Enter system view system view Create an RRPP domain and enter its view rrpp domain domain id Required Spe...

Page 1491: ...ary port and Ethernet 1 0 2 as the secondary port z Set the Hello timer value to 2 seconds and the Fail timer value to 7 seconds II Configuration procedure Sysname system view Sysname rrpp domain 1 Sy...

Page 1492: ...gured for an RRPP domain must be a new one z Control VLAN configuration is required for configuring an RRPP ring z To use the undo rrpp domain command to remove an RRPP domain you must ensure the RRPP...

Page 1493: ...d specify the primary port and the secondary port ring ring id node mode transit primary port interface type interface number secondary port interface type interface number level level value Required...

Page 1494: ...working requirements z Specify the device in RRPP domain 1 z Set VLAN 4092 as the control VLAN z Specify the device as the transit node of primary ring 1 in RRPP domain 1 Ethernet 1 0 1 as the primary...

Page 1495: ...mode transit primary port interface type interface number secondary port interface type interface number level level value Required Specify the current device as the assistant edge node of the subring...

Page 1496: ...6 2 Assistant Edge Node Configuration Example I Networking requirements z Specify the device in RRPP domain 1 z Set VLAN 4092 as the control VLAN z Specify the device as the transit node of primary r...

Page 1497: ...pical Configuration Examples This section covers these topics z Configuring Single Ring Topology z Configuring Intersecting Ring Topology 1 8 1 Configuring Single Ring Topology I Networking requiremen...

Page 1498: ...ng on the device z Enable the RRPP ring z Enable RRPP III Configuration procedure 1 Perform the following configuration on Device A Device A system view Device A rrpp domain 1 Device A rrpp domain1 co...

Page 1499: ...to view RRPP configuration 1 8 2 Configuring Single Domain Intersecting Ring Topology I Networking requirements z Device A Device B Device C and Device D constitute RRPP domain 1 z VLAN 4092 is the co...

Page 1500: ...omain z Specify the node mode of a device on an RRPP ring and the ports accessing the RRPP ring on the device z Enable these two RRPP rings z Enable RRPP III Configuration procedure 1 Perform the foll...

Page 1501: ...e common port ethernet 1 0 1 edge port ethernet 1 0 3 Device C rrpp domain1 ring 1 enable Device C rrpp domain1 ring 2 enable Device C rrpp domain1 quit Device C rrpp enable 4 Perform the following co...

Page 1502: ...et 1 0 2 is a multi domain intersection common port z Device C is a transit node on primary ring 1 in RRPP domain 1 and a transit node on primary ring 2 in RRPP domain 2 and Ethernet 1 0 2 is a multi...

Page 1503: ...g configuration on Device B Device B system view Device B rrpp domain 1 Device B rrpp domain1 control vlan 4090 Device B rrpp domain1 ring 1 node mode transit primary port ethernet 1 0 1 secondary por...

Page 1504: ...pp domain1 quit Device D rrpp enable 5 Perform the following configuration on Device E Device E system view Device E rrpp domain 2 Device E rrpp domain2 control vlan 4092 Device E rrpp domain2 ring 2...

Page 1505: ...licy 1 5 1 4 1 Configuration Prerequisites 1 5 1 4 2 Configuration Procedure 1 6 1 5 Displaying and Maintaining SSL 1 6 1 6 Troubleshooting SSL 1 6 1 6 1 SSL Handshake Failure 1 6 Chapter 2 HTTPS Conf...

Page 1506: ...d during the handshake phase z Authentication SSL supports authenticating both the server and the client through certificates with the authentication of the client being optional z Reliability SSL use...

Page 1507: ...server and the SSL client Complete the following tasks to configure SSL Task Remarks Configuring an SSL Server Policy Required Configuring an SSL Client Policy Optional 1 3 Configuring an SSL Server P...

Page 1508: ...t wait by default Set the maximum number of cached sessions and the caching timeout time session cachesize size timeout time Optional The defaults are as follows 500 for the maximum number of cached s...

Page 1509: ...name system view Sysname pki entity en Sysname pki entity en common name http server1 Sysname pki entity en fqdn ssl security com Sysname pki entity en quit Create a PKI domain and configure it Sysnam...

Page 1510: ...sname ip https ssl server policy myssl Enable HTTPS service Sysname ip https enable 4 Verify your configuration Launch IE on the host and enter https 10 1 1 1 in the address bar You should be able to...

Page 1511: ...refer cipher rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Optional rsa_rc4_128_md5 by default Specify the SSL protocol version for the SSL client policy version ssl3 0 tls1 0 Op...

Page 1512: ...m z If the SSL server has no certificate request one for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certificate to...

Page 1513: ...yer SSL protocol The SSL protocol of HTTPS enhances the security of the device in the following ways z Uses the SSL protocol to ensure the legal clients to access the device securely and prohibit the...

Page 1514: ...cy policy name Required Not associated by default Note z If the ip https ssl server policy command is executed repeatedly the HTTPS service is only associated with the last specified SSL server policy...

Page 1515: ...ication process takes much time the SSL negotiation may fail and the HTTPS service cannot be started normally Therefore the ip https enable command must be executed for multiple times to ensure normal...

Page 1516: ...in at least one permit rule Otherwise no HTTPS client can log onto the device z For the configuration of an SSL server policy refer to PKI Configuration 2 6 Associating the HTTPS Service with an ACL A...

Page 1517: ...n this configuration example Windows Server serves as CA and you need to install Simple Certificate Enrollment Protocol SCEP component II Network diagram Figure 2 1 Network diagram for HTTPS configura...

Page 1518: ...y enable Switch ssl server policy myssl quit 3 Configure certificate access control policy Configure certificate attribute group Switch pki certificate attribute group mygroup1 Switch pki cert attribu...

Page 1519: ...s Chapter 2 HTTPS Configuration 2 7 Launch the IE explorer on Host and enter https 10 1 1 1 You can log onto Switch and control it Note z For details of PKI commands refer to PKI Commands z For detail...

Page 1520: ...in Auto Mode 1 8 1 5 2 Submitting a Certificate Request in Manual Mode 1 9 1 6 Retrieving a Certificate Manually 1 10 1 7 Configuring PKI Certificate Validation 1 11 1 8 Destroying a Local RSA Key Pai...

Page 1521: ...ion and public keys PKI allows users to request certificates use certificates and revoke certificates By leveraging digital certificates and relevant services like certificate distribution and blackli...

Page 1522: ...nd function an effective way for checking the validity of certificates A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL may degra...

Page 1523: ...es keys CRLs and logs while providing a simple query function LDAP is a protocol for accessing and managing PKI information An LDAP server stores user information and digital certificates from the RA...

Page 1524: ...n and issues a certificate 4 The RA receives the certificate from the CA sends it to the LDAP server to provide directory navigation service and notifies the entity that the certificate is successfull...

Page 1525: ...where www is a host name and whatever com a domain name z IP address of the entity z Locality where the entity resides z Organization to which the entity belongs z Unit of the entity in the organizati...

Page 1526: ...he data length of a certificate request If the entity DN in a certificate request goes beyond a certain limit the server does not respond to the certificate request 1 4 Configuring a PKI Domain Before...

Page 1527: ...deployed to store certificates and CRLs If this is the case you need to configure the IP address of the LDAP server z Fingerprint for root certificate validation Upon receiving the root certificate o...

Page 1528: ...No fingerprint is configured by default Note z Currently up to two PKI domains can be created on a device z The CA name is required only when you retrieve a CA certificate It is not used when in loca...

Page 1529: ...erating an RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the...

Page 1530: ...icate stored locally z When it is impossible to request a certificate from the CA through SCEP you can save the request information by using the pki request certificate domain command with the pkcs10...

Page 1531: ...cate and local certificate first z The pki retrieval certificate configuration will not be saved in the configuration file 1 7 Configuring PKI Certificate Validation A certificate needs to be validate...

Page 1532: ...eval crl domain domain name Required Verify the validity of a certificate pki validate certificate ca local domain domain name Required II Configuring CRL checking disabled PKI certificate validation...

Page 1533: ...ire you can destroy the old RSA key pair and then create a pair to request a new certificate Follow these steps to destroy a local RSA key pair To do Use the command Remarks Enter system view system v...

Page 1534: ...alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject name and alternative subject nam...

Page 1535: ...ired when you use the Windows Server as the CA In this case when configuring the PKI domain you need to use the certificate request from ra command to specify that the entity requests a certificate fr...

Page 1536: ...iction configuration page of the CA server This includes selecting the proper extension profiles enabling the SCEP autovetting function and adding the IP address list for SCEP autovetting 3 Configure...

Page 1537: ...rsa certificate request entity aaa Configure the URL for the CRL distribution point Switch pki domain torsa crl url http 4 4 4 133 447 myca crl Switch pki domain torsa quit 3 Generate a local key pair...

Page 1538: ...Use the following command to view information about the local certificate acquired Switch display pki certificate local domain torsa Certificate Data Version 3 0x2 Serial Number 9A96A48F 9A509FD7 05F...

Page 1539: ...B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands to view detailed information about the CA certificate and CRLs Refer to the parts related to display pki certificate...

Page 1540: ...rules The first rule defines that the DN of the subject name includes the string aabbcc and the second rule defines that the IP address of the certificate issuer is 10 0 0 1 Switch pki certificate att...

Page 1541: ...e Switch ip https certificate access control policy myacp Enable HTTPS service Switch ip https enable 1 13 Troubleshooting PKI 1 13 1 Failed to Retrieve a CA Certificate I Symptom Failed to retrieve a...

Page 1542: ...e required parameters of the entity DN are not configured III Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Regenerate a key pair z Specify a trus...

Page 1543: ...tches Chapter 1 PKI Configuration 1 23 III Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Specify the IP address of the LADP server z Specify the U...

Page 1544: ...Operation Manual Appendix H3C S3610 S5510 Series Ethernet Switches Table of Contents i Table of Contents Appendix A Acronyms A 1...

Page 1545: ...ackup Designated Router C CAR Committed Access Rate CLI Command Line Interface CoS Class of Service D DHCP Dynamic Host Configuration Protocol DLDP Device Link Detection Protocol DR Designated Router...

Page 1546: ...Edge MIB Management Information Base N NBMA Non Broadcast MultiAccess NIC Network Information Center NMS Network Management System NVRAM Nonvolatile RAM O OAM Operation Administration and Maintenance...

Page 1547: ...ets Layer STP Spanning Tree Protocol T TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol ToS Type of Service TTL Time To Live U UDP User Datagram Protocol V VL...

Search results

Summary of Contents for S3610-28F

Reviews:

Related manuals for S3610-28F

Brands by name

Popular brands

H3C S3610-28F, Operation Manual

Search results

Summary of Contents for S3610-28F

Reviews:

Related manuals for S3610-28F

Brands by name

Popular brands